CHECK failure: false in PaintController.cpp

Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6385726324473856
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  false in PaintController.cpp
  blink::PaintController::CheckUnderInvalidation
  blink::PaintController::ProcessNewItem
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6385726324473856
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 22 2017
Assigning to concern owner from Predator results -- Regression information is not available. The result is the blame information.

Author: rch@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/82d89abc03ea6fd6b9258f0e57be0290b33d7eb1
Time: Fri Feb 28 18:25:34 2014
The CL last changed line 783 of file logging.cc, which is stack frame 1.

Author: chrishtr@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7a25d907698e89274bebe3cabf8865bff2b63384
Time: Wed Sep 10 16:29:19 2014
The CL last changed line 199 of file BoxPainter.cpp, which is stack frame 6.

@rch -- Could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
Jun 22 2017
The CL of mine that you linked to is from 2014, so I'm pretty skeptical that it's the cause here.
Jun 22 2017
Jun 26 2017
I can reproduce with the provided testcase.
Jun 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7f008cf28fc67b1be4726b9ed0366401ca43ce63

commit 7f008cf28fc67b1be4726b9ed0366401ca43ce63
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Tue Jun 27 16:13:10 2017

Invalidate the entire GraphicsLayer's display list if subpixel accumulation changed.

A GraphicsLayer's subpixel accumulation is baked into its display list, so it needs to be re-recorded if the subpixel accumulation changes.

Bug: 735886
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I70ae1419f352fbdebbbd094643d239aa982de12a
Reviewed-on: https://chromium-review.googlesource.com/549092
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#482642}

[modify] https://crrev.com/7f008cf28fc67b1be4726b9ed0366401ca43ce63/third_party/WebKit/Source/core/layout/compositing/CompositedLayerMapping.cpp
[modify] https://crrev.com/7f008cf28fc67b1be4726b9ed0366401ca43ce63/third_party/WebKit/Source/core/layout/compositing/CompositedLayerMappingTest.cpp
Jun 27 2017
Jul 14 2017
ClusterFuzz testcase 6385726324473856 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Jul 17 2017
Is ClusterFuzz getting confused about ToT?
Jul 21 2017
ClusterFuzz is still getting this crash (from the crash stats section). I also redid the fixed task, and ClusterFuzz confirms that it still reproduces the crash on 488486 (at the bottom of the page). I can also reproduce it locally by checking out the latest origin/master and running `/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 638572632447385 --current`. I hope these help.
Jul 21 2017
Reopening based on c#10.
Jul 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/19be417882946a9816e6678aef0cecf8ddb0e9d8

commit 19be417882946a9816e6678aef0cecf8ddb0e9d8
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Mon Jul 24 23:58:28 2017

Avoid paint under-invalidation false positives on subpixel accumulation change.

https://chromium-review.googlesource.com/c/549092/ invalidates contents on subpixel accumulation changes, but only for non-direct compositing reasons. This is on purpose, to preserve a fast path for script-animated transforms of composited layers. This CL avoids false positives from the above.

Bug: 735886
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I3fba6de23a550ff323e015e714b2bb742a9e8401
Reviewed-on: https://chromium-review.googlesource.com/583568
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Reviewed-by: Walter Korman <wkorman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#489149}

[modify] https://crrev.com/19be417882946a9816e6678aef0cecf8ddb0e9d8/third_party/WebKit/Source/core/layout/compositing/CompositedLayerMapping.cpp
[modify] https://crrev.com/19be417882946a9816e6678aef0cecf8ddb0e9d8/third_party/WebKit/Source/core/layout/compositing/CompositedLayerMappingTest.cpp
Jul 25 2017
Jul 25 2017
ClusterFuzz has detected this issue as fixed in range 489104:489179.

Detailed report: https://clusterfuzz.com/testcase?key=6385726324473856
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  false in PaintController.cpp
  blink::PaintController::CheckUnderInvalidation
  blink::PaintController::ProcessNewItem
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=489104:489179
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6385726324473856
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.