[LayoutNG] Uninitialized value in blink::InlineFlowBox |
Issue description
The following build: https://luci-logdog.appspot.com/v/?s=chromium%2Fbb%2Fchromium.webkit%2FWebKit_Linux_Trusty_MSAN%2F1769%2F%2B%2Frecipes%2Fsteps%2Fwebkit_layout_tests%2F0%2Fstdout emitted the following MSan output:
05:25:49.713 538 ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
05:25:49.713 538 #0 0xeb19110 in blink::InlineBox::DeleteLine() third_party/WebKit/Source/core/layout/line/InlineBox.cpp:198:7
05:25:49.714 538 #1 0xeb226fc in blink::InlineFlowBox::DeleteLine() third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp:226:12
05:25:49.714 538 #2 0xeb56888 in blink::LineBoxList::DeleteLineBoxTree() third_party/WebKit/Source/core/layout/line/LineBoxList.cpp:65:11
05:25:49.714 538 #3 0x14440980 in blink::NGInlineNode::CopyFragmentDataToLayoutBox(blink::NGConstraintSpace const&, blink::NGLayoutResult*) third_party/WebKit/Source/core/layout/ng/inline/ng_inline_node.cc:421:15
05:25:49.714 538 #4 0x1444010c in blink::NGInlineNode::Layout(blink::NGConstraintSpace*, blink::NGBreakToken*) third_party/WebKit/Source/core/layout/ng/inline/ng_inline_node.cc:346:3
05:25:49.714 538 #5 0xebe1937 in blink::NGLayoutInputNode::Layout(blink::NGConstraintSpace*, blink::NGBreakToken*) third_party/WebKit/Source/core/layout/ng/ng_layout_input_node.cc:81:45
05:25:49.714 538 #6 0xec0220c in blink::NGBlockLayoutAlgorithm::Layout() third_party/WebKit/Source/core/layout/ng/ng_block_layout_algorithm.cc:261:17
05:25:49.714 538 #7 0xebc674c in LayoutWithAlgorithm third_party/WebKit/Source/core/layout/ng/ng_block_node.cc:43:8
05:25:49.714 538 #8 0xebc674c in blink::NGBlockNode::Layout(blink::NGConstraintSpace*, blink::NGBreakToken*) third_party/WebKit/Source/core/layout/ng/ng_block_node.cc:136:0
05:25:49.714 538 #9 0xebe193e in blink::NGLayoutInputNode::Layout(blink::NGConstraintSpace*, blink::NGBreakToken*) third_party/WebKit/Source/core/layout/ng/ng_layout_input_node.cc:82:44
05:25:49.714 538 #10 0xec0220c in blink::NGBlockLayoutAlgorithm::Layout() third_party/WebKit/Source/core/layout/ng/ng_block_layout_algorithm.cc:261:17
05:25:49.714 538 #11 0xebc674c in LayoutWithAlgorithm third_party/WebKit/Source/core/layout/ng/ng_block_node.cc:43:8
05:25:49.714 538 #12 0xebc674c in blink::NGBlockNode::Layout(blink::NGConstraintSpace*, blink::NGBreakToken*) third_party/WebKit/Source/core/layout/ng/ng_block_node.cc:136:0
05:25:49.714 538 #13 0xebe193e in blink::NGLayoutInputNode::Layout(blink::NGConstraintSpace*, blink::NGBreakToken*) third_party/WebKit/Source/core/layout/ng/ng_layout_input_node.cc:82:44
05:25:49.714 538 #14 0xec0220c in blink::NGBlockLayoutAlgorithm::Layout() third_party/WebKit/Source/core/layout/ng/ng_block_layout_algorithm.cc:261:17
05:25:49.714 538 #15 0xebc674c in LayoutWithAlgorithm third_party/WebKit/Source/core/layout/ng/ng_block_node.cc:43:8
05:25:49.714 538 #16 0xebc674c in blink::NGBlockNode::Layout(blink::NGConstraintSpace*, blink::NGBreakToken*) third_party/WebKit/Source/core/layout/ng/ng_block_node.cc:136:0
05:25:49.714 538 #17 0xebc393d in blink::LayoutNGBlockFlow::UpdateBlockLayout(bool) third_party/WebKit/Source/core/layout/ng/layout_ng_block_flow.cc:27:25
05:25:49.714 538 #18 0xe50f6c6 in blink::LayoutBlock::UpdateLayout() third_party/WebKit/Source/core/layout/LayoutBlock.cpp:429:3
05:25:49.714 538 #19 0xe558e53 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:747:11
05:25:49.714 538 #20 0xe55a24d in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:810:7
05:25:49.714 538 #21 0xe554982 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1515:5
05:25:49.714 538 #22 0xe549c66 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:555:5
05:25:49.714 538 #23 0xe547be4 in blink::LayoutBlockFlow::UpdateBlockLayout(bool) third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:436:5
05:25:49.714 538 #24 0xe50f6c6 in blink::LayoutBlock::UpdateLayout() third_party/WebKit/Source/core/layout/LayoutBlock.cpp:429:3
05:25:49.714 538 #25 0xea28fda in LayoutContent third_party/WebKit/Source/core/layout/LayoutView.cpp:224:20
05:25:49.714 538 #26 0xea28fda in blink::LayoutView::UpdateLayout() third_party/WebKit/Source/core/layout/LayoutView.cpp:316:0
05:25:49.714 538 #27 0xd936bff in blink::LocalFrameView::PerformLayout(bool) third_party/WebKit/Source/core/frame/LocalFrameView.cpp:1084:22
05:25:49.714 538 #28 0xd92ada8 in blink::LocalFrameView::UpdateLayout() third_party/WebKit/Source/core/frame/LocalFrameView.cpp:1267:10
05:25:49.714 538 #29 0xcfca7e5 in blink::Document::ImplicitClose() third_party/WebKit/Source/core/dom/Document.cpp:3130:15
05:25:49.714 538 #30 0xcfc9540 in blink::Document::CheckCompleted() third_party/WebKit/Source/core/dom/Document.cpp:3187:5
05:25:49.714 538 #31 0xed48120 in blink::FrameLoader::FinishedParsing() third_party/WebKit/Source/core/loader/FrameLoader.cpp:446:26
05:25:49.714 538 #32 0xd00713b in blink::Document::FinishedParsing() third_party/WebKit/Source/core/dom/Document.cpp:5615:21
05:25:49.714 538 #33 0xe087b19 in end third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:958:18
05:25:49.714 538 #34 0xe087b19 in AttemptToRunDeferredScriptsAndEnd third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:970:0
05:25:49.714 538 #35 0xe087b19 in blink::HTMLDocumentParser::PrepareToStopParsing() third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:258:0
05:25:49.714 538 #36 0xe09338f in blink::HTMLDocumentParser::ProcessTokenizedChunkFromBackgroundParser(std::__1::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk, std::__1::default_delete<blink::HTMLDocumentParser::TokenizedChunk> >) third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:589:7
05:25:49.714 538 #37 0xe089c5a in blink::HTMLDocumentParser::PumpPendingSpeculations() third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:637:9
05:25:49.714 538 #38 0xc2a2616 in Run base/callback.h:80:12
05:25:49.714 538 #39 0xc2a2616 in operator() third_party/WebKit/Source/platform/wtf/Functional.h:223:0
05:25:49.714 538 #40 0xc2a2616 in blink::TaskHandle::Runner::Run(blink::TaskHandle const&) third_party/WebKit/Source/platform/WebTaskRunner.cpp:75:0
05:25:49.714 538 #41 0x6bd5ccd in Run base/callback.h:91:12
05:25:49.715 538 #42 0x6bd5ccd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:59:0
05:25:49.715 538 #43 0xc84b852 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:531:19
05:25:49.715 538 #44 0xc841a6a in blink::scheduler::TaskQueueManager::DoWork(bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:329:13
05:25:49.715 538 #45 0x6bd5ccd in Run base/callback.h:91:12
05:25:49.715 538 #46 0x6bd5ccd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:59:0
05:25:49.715 538 #47 0x698ef03 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:422:19
05:25:49.715 538 #48 0x6990a47 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:433:5
05:25:49.715 538 #49 0x6991a46 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:540:13
05:25:49.715 538 #50 0x699e49a in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:31
05:25:49.715 538 #51 0x6a2fe58 in base::RunLoop::Run() base/run_loop.cc:111:14
05:25:49.715 538 #52 0x108022ee in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:219:23
05:25:49.715 538 #53 0x4632392 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:336:14
05:25:49.715 538 #54 0x4634fd8 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:415:12
05:25:49.715 538 #55 0x46383ce in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:696:12
05:25:49.715 538 #56 0xb3ea201 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:469:29
05:25:49.715 538 #57 0x15627ee in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
05:25:49.715 538 #58 0x4a83ff in main content/shell/app/shell_main.cc:48:10
05:25:49.715 538 #59 0x7fa9a2d55f44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287:0
05:25:49.715 538 #60 0x43ca9d in _start ??:0:0
05:25:49.715 538
05:25:49.715 538 Uninitialized value was created by a heap deallocation
05:25:49.715 538 #0 0x45a289 in __interceptor_free ??:0:0
05:25:49.715 538 #1 0xd203bc0 in blink::Node::DetachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Node.cpp:1045:24
05:25:49.715 538 #2 0xcf03e1c in blink::ContainerNode::DetachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:943:9
05:25:49.715 538 #3 0xd0a009f in blink::Element::DetachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Element.cpp:1872:18
05:25:49.715 538 #4 0xcf010bb in blink::ContainerNode::RemoveBetween(blink::Node*, blink::Node*, blink::Node&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:695:15
05:25:49.715 538 #5 0xcefd7eb in blink::ContainerNode::RemoveChild(blink::Node*, blink::ExceptionState&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:676:5
05:25:49.715 538 #6 0xd1f8c83 in blink::Node::removeChild(blink::Node*, blink::ExceptionState&) third_party/WebKit/Source/core/dom/Node.cpp:461:35
05:25:49.715 538 #7 0xb814122 in removeChildMethod ./out/Release/gen/blink/bindings/core/v8/V8Node.cpp:690:24
05:25:49.715 538 #8 0xb814122 in blink::V8Node::removeChildMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) ./out/Release/gen/blink/bindings/core/v8/V8Node.cpp:888:0
05:25:49.715 538 #9 0x183bd6e in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:25:3
05:25:49.715 538 #10 0x1b4481a in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:112:36
05:25:49.715 538 #11 0x1b4093d in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:142:5
05:25:49.715 538 #12 0x3d70de3 in v8::internal::Simulator::DoRuntimeCall(v8::internal::Instruction*) v8/src/arm64/simulator-arm64.cc:635:11
05:25:49.715 538 #13 0x3d6fd12 in ExecuteInstruction v8/src/arm64/simulator-arm64.h:846:5
05:25:49.715 538 #14 0x3d6fd12 in v8::internal::Simulator::Run() v8/src/arm64/simulator-arm64.cc:454:0
05:25:49.715 538 #15 0x3d6c7d8 in CheckPCSComplianceAndRun v8/src/arm64/simulator-arm64.cc:255:3
05:25:49.715 538 #16 0x3d6c7d8 in v8::internal::Simulator::CallVoid(unsigned char*, v8::internal::Simulator::CallArgument*) v8/src/arm64/simulator-arm64.cc:167:0
05:25:49.715 538 #17 0x3d6d79c in CallInt64 v8/src/arm64/simulator-arm64.cc:174:3
05:25:49.715 538 #18 0x3d6d79c in v8::internal::Simulator::CallJS(unsigned char*, v8::internal::Object*, v8::internal::Object*, v8::internal::Object*, long, v8::internal::Object***) v8/src/arm64/simulator-arm64.cc:199:0
05:25:49.715 538 #19 0x291a703 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling) v8/src/execution.cc:145:13
05:25:49.715 538 #20 0x291972b in CallInternal v8/src/execution.cc:181:10
05:25:49.715 538 #21 0x291972b in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:191:0
05:25:49.715 538 #22 0x18713dc in v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:2065:7
05:25:49.715 538 #23 0xb6666d5 in blink::V8ScriptRunner::RunCompiledScript(v8::Isolate*, v8::Local<v8::Script>, blink::ExecutionContext*) third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:574:22
05:25:49.715 538 #24 0x12ec15b8 in blink::ScriptController::ExecuteScriptAndReturnValue(v8::Local<v8::Context>, blink::ScriptSourceCode const&, blink::AccessControlStatus) third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:135:10
05:25:49.715 538
05:25:49.715 538 SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/content_shell+0xeb19110)
05:25:49.715 538 Exiting

and also this related MSan output:
05:25:51.044 13810 ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
05:25:51.044 13810 #0 0xeb17aae in operator* third_party/WebKit/Source/platform/heap/Member.h:83:34
05:25:51.044 13810 #1 0xeb17aae in GetTreeScope third_party/WebKit/Source/core/dom/Node.h:560:0
05:25:51.044 13810 #2 0xeb17aae in GetDocument third_party/WebKit/Source/core/dom/Node.h:556:0
05:25:51.044 13810 #3 0xeb17aae in GetDocument third_party/WebKit/Source/core/layout/LayoutObject.h:925:0
05:25:51.044 13810 #4 0xeb17aae in DocumentBeingDestroyed third_party/WebKit/Source/core/layout/LayoutObject.h:2667:0
05:25:51.044 13810 #5 0xeb17aae in DocumentBeingDestroyed third_party/WebKit/Source/core/layout/api/LineLayoutItem.h:291:0
05:25:51.044 13810 #6 0xeb17aae in blink::InlineBox::Destroy() third_party/WebKit/Source/core/layout/line/InlineBox.cpp:65:0
05:25:51.044 13810 #7 0xeb226fc in blink::InlineFlowBox::DeleteLine() third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp:226:12
05:25:51.044 13810 #8 0xeb56888 in blink::LineBoxList::DeleteLineBoxTree() third_party/WebKit/Source/core/layout/line/LineBoxList.cpp:65:11
05:25:51.044 13810 #9 0xe7fd46c in blink::LayoutInline::SplitFlow(blink::LayoutObject*, blink::LayoutBlockFlow*, blink::LayoutObject*, blink::LayoutBoxModelObject*) third_party/WebKit/Source/core/layout/LayoutInline.cpp:499:10
05:25:51.044 13810 #10 0xe7fc1cf in blink::LayoutInline::AddChildIgnoringContinuation(blink::LayoutObject*, blink::LayoutObject*) third_party/WebKit/Source/core/layout/LayoutInline.cpp:370:5
05:25:51.044 13810 #11 0xd177c09 in blink::LayoutTreeBuilderForElement::CreateLayoutObject() third_party/WebKit/Source/core/dom/LayoutTreeBuilder.cpp:144:25
05:25:51.044 13810 #12 0xd09ceb6 in CreateLayoutObjectIfNeeded third_party/WebKit/Source/core/dom/LayoutTreeBuilder.h:91:7
05:25:51.044 13810 #13 0xd09ceb6 in blink::Element::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/Element.cpp:1800:0
05:25:51.044 13810 #14 0xd3dbba6 in blink::V0InsertionPoint::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/V0InsertionPoint.cpp:117:14
05:25:51.044 13810 #15 0xcf03a1a in blink::ContainerNode::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:923:14
05:25:51.044 13810 #16 0xd325297 in blink::ShadowRoot::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/ShadowRoot.cpp:205:21
05:25:51.044 13810 #17 0xd105c04 in blink::ElementShadow::Attach(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/ElementShadow.cpp:120:13
05:25:51.044 13810 #18 0xd09d55f in blink::Element::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/Element.cpp:1825:13
05:25:51.044 13810 #19 0xdd789cb in blink::HTMLPlugInElement::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/html/HTMLPlugInElement.cpp:182:26
05:25:51.044 13810 #20 0xd0a9a00 in blink::Element::RebuildLayoutTree(blink::WhitespaceAttacher&) third_party/WebKit/Source/core/dom/Element.cpp:2127:5
05:25:51.044 13810 #21 0xcf0d6c9 in blink::ContainerNode::RebuildChildrenLayoutTrees(blink::WhitespaceAttacher&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:1500:5
05:25:51.044 13810 #22 0xd0a9f51 in blink::Element::RebuildLayoutTree(blink::WhitespaceAttacher&) third_party/WebKit/Source/core/dom/Element.cpp:2152:5
05:25:51.044 13810 #23 0xcf0d6c9 in blink::ContainerNode::RebuildChildrenLayoutTrees(blink::WhitespaceAttacher&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:1500:5
05:25:51.044 13810 #24 0xd0a9f51 in blink::Element::RebuildLayoutTree(blink::WhitespaceAttacher&) third_party/WebKit/Source/core/dom/Element.cpp:2152:5
05:25:51.044 13810 #25 0xcfb441d in blink::Document::UpdateStyle() third_party/WebKit/Source/core/dom/Document.cpp:2183:25
05:25:51.044 13810 #26 0xcf9dbdc in blink::Document::UpdateStyleAndLayoutTree() third_party/WebKit/Source/core/dom/Document.cpp:2092:3
05:25:51.044 13810 #27 0xd9658d2 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal() third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3428:26
05:25:51.044 13810 #28 0xd95d8bc in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursive() third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3407:3
05:25:51.044 13810 #29 0xd9591dd in blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3147:3
05:25:51.044 13810 #30 0xef3427c in blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) third_party/WebKit/Source/core/page/PageAnimator.cpp:100:9
05:25:51.044 13810 #31 0xfbe4b23 in blink::WebViewImpl::UpdateAllLifecyclePhases() third_party/WebKit/Source/web/WebViewImpl.cpp:2024:3
05:25:51.044 13810 #32 0x110e5b6c in test_runner::WebWidgetTestClient::AnimateNow() content/shell/test_runner/web_widget_test_client.cc:53:17
05:25:51.044 13810 #33 0x6bd5ccd in Run base/callback.h:91:12
05:25:51.044 13810 #34 0x6bd5ccd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:59:0
05:25:51.045 13810 #35 0xc84b852 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:531:19
05:25:51.045 13810 #36 0xc841a6a in blink::scheduler::TaskQueueManager::DoWork(bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:329:13
05:25:51.045 13810 #37 0x6bd5ccd in Run base/callback.h:91:12
05:25:51.045 13810 #38 0x6bd5ccd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:59:0
05:25:51.045 13810 #39 0x698ef03 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:422:19
05:25:51.045 13810 #40 0x6990a47 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:433:5
05:25:51.045 13810 #41 0x6991a46 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:540:13
05:25:51.045 13810 #42 0x699e49a in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:31
05:25:51.045 13810 #43 0x6a2fe58 in base::RunLoop::Run() base/run_loop.cc:111:14
05:25:51.045 13810 #44 0x108022ee in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:219:23
05:25:51.045 13810 #45 0x4632392 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:336:14
05:25:51.045 13810 #46 0x4634fd8 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:415:12
05:25:51.045 13810 #47 0x46383ce in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:696:12
05:25:51.045 13810 #48 0xb3ea201 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:469:29
05:25:51.045 13810 #49 0x15627ee in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
05:25:51.045 13810 #50 0x4a83ff in main content/shell/app/shell_main.cc:48:10
05:25:51.045 13810 #51 0x7f7a31f64f44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287:0
05:25:51.045 13810 #52 0x43ca9d in _start ??:0:0
05:25:51.045 13810
05:25:51.045 13810 Uninitialized value was stored to memory at
05:25:51.045 13810 #0 0x12f6db27 in Length third_party/WebKit/Source/platform/Length.h:95:5
05:25:51.045 13810 #1 0x12f6db27 in LengthSize third_party/WebKit/Source/platform/LengthSize.h:29:0
05:25:51.045 13810 #2 0x12f6db27 in blink::ComputedStyleBase::StyleSurroundData::StyleSurroundData(blink::ComputedStyleBase::StyleSurroundData const&) ./out/Release/gen/blink/core/ComputedStyleBase.cpp:1370:0
05:25:51.045 13810 #3 0xcd902b2 in Copy ./out/Release/gen/blink/core/ComputedStyleBase.h:5201:27
05:25:51.045 13810 #4 0xcd902b2 in blink::DataRef<blink::ComputedStyleBase::StyleSurroundData>::Access() third_party/WebKit/Source/core/style/DataRef.h:44:0
05:25:51.045 13810 #5 0xe840e77 in blink::ComputedStyleBase::SetPaddingTop(blink::Length&&) ./out/Release/gen/blink/core/ComputedStyleBase.h:2958:22
05:25:51.045 13810 #6 0x13001be2 in blink::StyleBuilderFunctions::applyValueCSSPropertyPaddingTop(blink::StyleResolverState&, blink::CSSValue const&) ./out/Release/gen/blink/core/StyleBuilderFunctions.cpp:2819:18
05:25:51.045 13810 #7 0xce8bde2 in blink::StyleBuilder::ApplyProperty(blink::CSSPropertyID, blink::StyleResolverState&, blink::CSSValue const&) third_party/WebKit/Source/core/css/resolver/StyleBuilderCustom.cpp:163:3
05:25:51.045 13810 #8 0xce102f6 in void blink::StyleResolver::ApplyProperties<(blink::CSSPropertyPriority)3, (blink::StyleResolver::ShouldUpdateNeedsApplyPass)0>(blink::StyleResolverState&, blink::StylePropertySet const*, bool, bool, blink::StyleResolver::NeedsApplyPass&, blink::PropertyWhitelistType) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:1643:5
05:25:51.045 13810 #9 0xcde2d24 in void blink::StyleResolver::ApplyMatchedProperties<(blink::CSSPropertyPriority)3, (blink::StyleResolver::ShouldUpdateNeedsApplyPass)0>(blink::StyleResolverState&, blink::MatchedPropertiesRange const&, bool, bool, blink::StyleResolver::NeedsApplyPass&) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:1682:5
05:25:51.045 13810 #10 0xcdedc27 in blink::StyleResolver::ApplyMatchedStandardProperties(blink::StyleResolverState&, blink::MatchResult const&, blink::StyleResolver::CacheSuccess const&, blink::StyleResolver::NeedsApplyPass&) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:1949:3
05:25:51.045 13810 #11 0xcdd598e in blink::StyleResolver::ApplyMatchedPropertiesAndCustomPropertyAnimations(blink::StyleResolverState&, blink::MatchResult const&, blink::Element const*) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:1733:5
05:25:51.045 13810 #12 0xcdd1eee in blink::StyleResolver::StyleForElement(blink::Element*, blink::ComputedStyle const*, blink::ComputedStyle const*, blink::StyleSharingBehavior, blink::RuleMatchingBehavior) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:755:5
05:25:51.045 13810 #13 0xd0a0f1f in OriginalStyleForLayoutObject third_party/WebKit/Source/core/dom/Element.cpp:1928:46
05:25:51.045 13810 #14 0xd0a0f1f in blink::Element::StyleForLayoutObject() third_party/WebKit/Source/core/dom/Element.cpp:1905:0
05:25:51.045 13810 #15 0xd176346 in blink::LayoutTreeBuilderForElement::Style() const third_party/WebKit/Source/core/dom/LayoutTreeBuilder.cpp:104:21
05:25:51.045 13810 #16 0xd1760d6 in blink::LayoutTreeBuilderForElement::ShouldCreateLayoutObject() const third_party/WebKit/Source/core/dom/LayoutTreeBuilder.cpp:99:38
05:25:51.045 13810 #17 0xd09ce93 in CreateLayoutObjectIfNeeded third_party/WebKit/Source/core/dom/LayoutTreeBuilder.h:90:9
05:25:51.045 13810 #18 0xd09ce93 in blink::Element::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/Element.cpp:1800:0
05:25:51.045 13810 #19 0xd3dbba6 in blink::V0InsertionPoint::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/V0InsertionPoint.cpp:117:14
05:25:51.045 13810 #20 0xcf03a1a in blink::ContainerNode::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:923:14
05:25:51.045 13810 #21 0xd325297 in blink::ShadowRoot::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/ShadowRoot.cpp:205:21
05:25:51.045 13810 #22 0xd105c04 in blink::ElementShadow::Attach(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/ElementShadow.cpp:120:13
05:25:51.046 13810 #23 0xd09d55f in blink::Element::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/Element.cpp:1825:13
05:25:51.046 13810 #24 0xdd789cb in blink::HTMLPlugInElement::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/html/HTMLPlugInElement.cpp:182:26
05:25:51.046 13810
05:25:51.046 13810 Uninitialized value was stored to memory at
05:25:51.046 13810 #0 0x12f6c499 in Length third_party/WebKit/Source/platform/Length.h:95:5
05:25:51.046 13810 #1 0x12f6c499 in LengthSize third_party/WebKit/Source/platform/LengthSize.h:36:0
05:25:51.046 13810 #2 0x12f6c499 in blink::ComputedStyleBase::StyleSurroundData::StyleSurroundData() ./out/Release/gen/blink/core/ComputedStyleBase.cpp:1333:0
05:25:51.046 13810 #3 0x12f40a07 in Create ./out/Release/gen/blink/core/ComputedStyleBase.h:5198:27
05:25:51.046 13810 #4 0x12f40a07 in blink::DataRef<blink::ComputedStyleBase::StyleSurroundData>::Init() third_party/WebKit/Source/core/style/DataRef.h:50:0
05:25:51.046 13810 #5 0x12f3fb75 in blink::ComputedStyleBase::ComputedStyleBase() ./out/Release/gen/blink/core/ComputedStyleBase.cpp:86:18
05:25:51.046 13810 #6 0xf26c684 in ComputedStyle third_party/WebKit/Source/core/style/ComputedStyle.cpp:124:7
05:25:51.046 13810 #7 0xf26c684 in CreateInitialStyle third_party/WebKit/Source/core/style/ComputedStyle.cpp:95:0
05:25:51.046 13810 #8 0xf26c684 in blink::ComputedStyle::MutableInitialStyle() third_party/WebKit/Source/core/style/ComputedStyle.cpp:100:0
05:25:51.046 13810 #9 0xf26bbeb in InitialStyle third_party/WebKit/Source/core/style/ComputedStyle.h:205:55
05:25:51.046 13810 #10 0xf26bbeb in blink::ComputedStyle::Create() third_party/WebKit/Source/core/style/ComputedStyle.cpp:91:0
05:25:51.046 13810 #11 0xcdcd2a9 in blink::StyleResolver::InitialStyleForElement(blink::Document&) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:1040:41
05:25:51.046 13810 #12 0xcdccd3f in blink::StyleResolver::StyleForViewport(blink::Document&) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:554:42
05:25:51.046 13810 #13 0xcfbdcfd in blink::Document::Initialize() third_party/WebKit/Source/core/dom/Document.cpp:2542:26
05:25:51.046 13810 #14 0xd8b5331 in blink::LocalDOMWindow::InstallNewDocument(WTF::String const&, blink::DocumentInit const&, bool) third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp:342:14
05:25:51.046 13810 #15 0xecfd6cc in blink::DocumentLoader::InstallNewDocument(blink::DocumentInit const&, WTF::AtomicString const&, WTF::AtomicString const&, blink::DocumentLoader::InstallNewDocumentReason, blink::ParserSynchronizationPolicy, blink::KURL const&) third_party/WebKit/Source/core/loader/DocumentLoader.cpp:1074:45
05:25:51.046 13810 #16 0xecfcfd2 in blink::DocumentLoader::EnsureWriter(WTF::AtomicString const&, blink::KURL const&) third_party/WebKit/Source/core/loader/DocumentLoader.cpp:684:3
05:25:51.046 13810 #17 0xecf7e81 in blink::DocumentLoader::CommitData(char const*, unsigned long) third_party/WebKit/Source/core/loader/DocumentLoader.cpp:694:3
05:25:51.046 13810 #18 0xecf6b6d in blink::DocumentLoader::FinishedLoading(double) third_party/WebKit/Source/core/loader/DocumentLoader.cpp:452:7
05:25:51.046 13810 #19 0xecff858 in blink::DocumentLoader::MaybeLoadEmpty() third_party/WebKit/Source/core/loader/DocumentLoader.cpp:847:3
05:25:51.046 13810 #20 0xecffba9 in blink::DocumentLoader::StartLoading() third_party/WebKit/Source/core/loader/DocumentLoader.cpp:857:7
05:25:51.046 13810 #21 0xed450ad in blink::FrameLoader::Init() third_party/WebKit/Source/core/loader/FrameLoader.cpp:299:33
05:25:51.046 13810 #22 0xfba6886 in blink::WebLocalFrameImpl::InitializeCoreFrame(blink::Page&, blink::FrameOwner*, WTF::AtomicString const&) third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:1670:11
05:25:51.046 13810 #23 0xfba422a in blink::WebLocalFrameImpl::CreateMainFrame(blink::WebView*, blink::WebFrameClient*, blink::InterfaceProvider*, blink::InterfaceRegistry*, blink::WebFrame*, blink::WebString const&, blink::WebSandboxFlags) third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:1546:10
05:25:51.046 13810 #24 0x105f476d in content::RenderFrameImpl::CreateMainFrame(content::RenderViewImpl*, int, int, bool, content::ScreenInfo const&, content::CompositorDependencies*, blink::WebFrame*, content::FrameReplicationState const&) content/renderer/render_frame_impl.cc:995:30
05:25:51.046 13810 #25 0x10752958 in content::RenderViewImpl::Initialize(content::mojom::CreateViewParams const&, base::Callback<void (content::RenderWidget*, blink::WebNavigationPolicy, gfx::Rect const&), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) content/renderer/render_view_impl.cc:631:26
05:25:51.046 13810
05:25:51.046 13810 Uninitialized value was created by an allocation of 'ref.tmp3' in the stack frame of function '_ZN5blink17ComputedStyleBase17StyleSurroundDataC2Ev'
05:25:51.046 13810 #0 0x12f6b6f0 in blink::ComputedStyleBase::StyleSurroundData::StyleSurroundData() ./out/Release/gen/blink/core/ComputedStyleBase.cpp:1364:0
05:25:51.046 13810
05:25:51.046 13810 SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/content_shell+0xeb17aae)
05:25:51.046 13810 Exiting

Marking for blink triage.
Jul 5 2017
It's an uninit value, not a UAF.
05:25:49.713 538 ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
05:25:49.715 538 Uninitialized value was created by a heap deallocation
05:25:49.715 538 #0 0x45a289 in __interceptor_free ??:0:0
05:25:49.715 538 #1 0xd203bc0 in blink::Node::DetachLayoutTree(blink::Node::AttachContext const&)
Adding some people who've touched Node::DetachLayoutTree recently.
Jul 5 2017
Jul 5 2017
That's actually how MSan reports a use-after-free, note "created by a heap deallocation". AddressSanitizer may be able to provide a better report in this case.
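The distinction drawn in the comment above (an MSan "use-of-uninitialized-value" whose origin block says "created by a heap deallocation" is really a read of freed memory, while an origin in a stack frame or heap allocation is a genuine uninitialized read) can be made mechanical when triaging bot output. The following Python script is an added example, not part of this bug or of Chromium: it splits a log into MSan reports, records the use site and the origin of each, and classifies them so that the freed-memory cases can be re-run under ASan. The regexes assume the standard MSan report layout seen above; the verdict labels are the script's own. SAMPLE_LOG is constructed, a condensed copy of frames from the two reports quoted in this bug with the build-log timestamp prefixes removed.

```python
"""Classify MemorySanitizer reports by their origin block (added example, not Chromium code)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: frames condensed from the two reports in this bug, prefixes stripped.
SAMPLE_LOG = """\
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xeb19110 in blink::InlineBox::DeleteLine() third_party/WebKit/Source/core/layout/line/InlineBox.cpp:198:7
    #1 0xeb226fc in blink::InlineFlowBox::DeleteLine() third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp:226:12

  Uninitialized value was created by a heap deallocation
    #0 0x45a289 in __interceptor_free ??:0:0
    #1 0xd203bc0 in blink::Node::DetachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Node.cpp:1045:24

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/content_shell+0xeb19110)
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xeb17aae in operator* third_party/WebKit/Source/platform/heap/Member.h:83:34
    #6 0xeb17aae in blink::InlineBox::Destroy() third_party/WebKit/Source/core/layout/line/InlineBox.cpp:65:0

  Uninitialized value was stored to memory at
    #0 0x12f6db27 in Length third_party/WebKit/Source/platform/Length.h:95:5

  Uninitialized value was created by an allocation of 'ref.tmp3' in the stack frame of function '_ZN5blink17ComputedStyleBase17StyleSurroundDataC2Ev'
    #0 0x12f6b6f0 in blink::ComputedStyleBase::StyleSurroundData::StyleSurroundData() ./out/Release/gen/blink/core/ComputedStyleBase.cpp:1364:0

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/content_shell+0xeb17aae)
"""

WARNING_RE = re.compile(r"^==\d+==WARNING: MemorySanitizer: (?P<kind>[\w-]+)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+)$")
ORIGIN_RE = re.compile(r"^\s*Uninitialized value was (?P<what>.+)$")


@dataclass
class MsanReport:
    kind: str
    top_frame: str = ""      # frame #0 of the use site
    top_location: str = ""   # file:line:col of that frame
    origins: List[str] = field(default_factory=list)  # each "Uninitialized value was ..." line, in order
    origin_frame: str = ""   # frame #0 under the last origin block, i.e. where the value was born

    @property
    def verdict(self) -> str:
        # Only the "created by" block says where the bytes came from; "stored to" blocks are hops.
        created = next((o for o in self.origins if o.startswith("created by")), "")
        if "heap deallocation" in created:
            return "use-after-free"          # freed memory: retest under ASan for a precise report
        if "heap allocation" in created:
            return "uninitialized heap memory"
        if "stack frame" in created:
            return "uninitialized stack variable"
        return "unknown origin"


def parse_msan_log(text: str) -> List[MsanReport]:
    """Split a log into reports and record the use site and origin of each."""
    reports: List[MsanReport] = []
    section = "use"  # "use" while reading the use-site trace, "origin" after the first origin line
    for line in text.splitlines():
        m = WARNING_RE.match(line)
        if m:
            reports.append(MsanReport(kind=m.group("kind")))
            section = "use"
            continue
        if not reports:
            continue  # preamble before the first report
        rep = reports[-1]
        m = ORIGIN_RE.match(line)
        if m:
            rep.origins.append(m.group("what"))
            section = "origin"
            continue
        m = FRAME_RE.match(line)
        if m and m.group("n") == "0":
            if section == "use" and not rep.top_frame:
                rep.top_frame, rep.top_location = m.group("func"), m.group("loc")
            elif section == "origin":
                rep.origin_frame = m.group("func")  # last origin block wins
    return reports


def triage(text: str) -> List[str]:
    """One line per report, in the shape one would paste into a bug comment."""
    return [
        f"{r.verdict}: {r.kind} in {r.top_frame} at {r.top_location} (origin frame: {r.origin_frame})"
        for r in parse_msan_log(text)
    ]


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG):
        print(summary)
```

Run on SAMPLE_LOG the first report is classed as a use-after-free (its origin frame is `__interceptor_free`) and the second as an uninitialized stack variable (origin frame the `StyleSurroundData` constructor), which is exactly the split between the two traces in this bug. The script keeps every "Uninitialized value was ..." line because a long "stored to memory at" chain, as in the second report, is itself useful when working out how far an uninitialized value travelled before it was used.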
Jul 6 2017
Jul 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7abbf5fc03febdc73af72ff2480a2f637220b208
commit 7abbf5fc03febdc73af72ff2480a2f637220b208
Author: Elly Fong-Jones <ellyjones@chromium.org>
Date: Thu Jul 06 14:56:05 2017

webkit: skip flaky layout test under MSAN

BUG= 739365
Change-Id: I7cf0de0c4307d6bd436f7b692aa44f5d82908add
Reviewed-on: https://chromium-review.googlesource.com/561497
Commit-Queue: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-by: Alexander Potapenko <glider@chromium.org>
Cr-Commit-Position: refs/heads/master@{#484590}

[modify] https://crrev.com/7abbf5fc03febdc73af72ff2480a2f637220b208/third_party/WebKit/LayoutTests/MSANExpectations
Jul 6 2017
Jul 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/981fa39e2dde70f5933ea2db88123582ab955632

commit 981fa39e2dde70f5933ea2db88123582ab955632
Author: kojii <kojii@chromium.org>
Date: Sat Jul 08 08:01:55 2017

[LayoutNG] Set InlineBoxWrapper when copying fragments to LayoutBox

This patch fixes to set InlineBoxWrapper when copying fragments to LayoutBox.

To create InlineBox'es, NGInlineNode::CopyFragmentDataToLayoutBox() calls LayoutBlockFlow::ConstructLine(), but it does not set InlineBoxWrapper.

LayoutBlockFlow::ComputeBlockDirectionPositionsForLine() sets InlineBoxWrapper but LayoutNG does not call this function. It does several other things, but SetInlineBoxWrapper() is the only thing needed for CopyFragmentDataToLayoutBox().

BUG=636993, 739365
Review-Url: https://codereview.chromium.org/2975663002
Cr-Commit-Position: refs/heads/master@{#485142}

[modify] https://crrev.com/981fa39e2dde70f5933ea2db88123582ab955632/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/981fa39e2dde70f5933ea2db88123582ab955632/third_party/WebKit/Source/core/layout/ng/inline/ng_inline_node.cc
Jul 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/991ca91413b8a5694d8d0f83dbb47b9bab336397

commit 991ca91413b8a5694d8d0f83dbb47b9bab336397
Author: avi <avi@chromium.org>
Date: Sun Jul 09 01:28:07 2017

Revert of [LayoutNG] Set InlineBoxWrapper when copying fragments to LayoutBox (patchset #3 id:40001 of https://codereview.chromium.org/2975663002/ )

Reason for revert:
WebKit layout bots all started failing after this commit.

webkit_tests
Total tests: 66971
* Passed: 56304 (56144 expected, 160 unexpected)
* Skipped: 9131 (9131 expected, 0 unexpected)
* Failed: 1447 (1446 expected, >>>1 unexpected<<<)
* Flaky: 89 (89 expected, 0 unexpected)

Unexpected Failures:
* virtual/layout_ng/fast/block/float/rubybase-children-moved-crash.html

Original issue's description:
> [LayoutNG] Set InlineBoxWrapper when copying fragments to LayoutBox
>
> This patch fixes to set InlineBoxWrapper when copying fragments to
> LayoutBox.
>
> To create InlineBox'es, NGInlineNode::CopyFragmentDataToLayoutBox()
> calls LayoutBlockFlow::ConstructLine(), but it does not set
> InlineBoxWrapper.
>
> LayoutBlockFlow::ComputeBlockDirectionPositionsForLine() sets
> InlineBoxWrapper but LayoutNG does not call this function. It does
> several other things, but SetInlineBoxWrapper() is the only thing needed
> for CopyFragmentDataToLayoutBox().
>
> BUG=636993, 739365
>
> Review-Url: https://codereview.chromium.org/2975663002
> Cr-Commit-Position: refs/heads/master@{#485142}
> Committed: https://chromium.googlesource.com/chromium/src/+/981fa39e2dde70f5933ea2db88123582ab955632

TBR=eae@chromium.org,ikilpatrick@chromium.org,kojii@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=636993, 739365

Review-Url: https://codereview.chromium.org/2977483002
Cr-Commit-Position: refs/heads/master@{#485155}

[modify] https://crrev.com/991ca91413b8a5694d8d0f83dbb47b9bab336397/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/991ca91413b8a5694d8d0f83dbb47b9bab336397/third_party/WebKit/Source/core/layout/ng/inline/ng_inline_node.cc
Jul 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b0ad7c5c03efbe8f725f85201c834389bf6a5b12

commit b0ad7c5c03efbe8f725f85201c834389bf6a5b12
Author: kojii <kojii@chromium.org>
Date: Sun Jul 09 17:47:49 2017

[LayoutNG] Set InlineBoxWrapper when copying fragments to LayoutBox

Re-land of r485142 due to one crash turned to flaky.

This patch fixes to set InlineBoxWrapper when copying fragments to LayoutBox.

To create InlineBox'es, NGInlineNode::CopyFragmentDataToLayoutBox() calls LayoutBlockFlow::ConstructLine(), but it does not set InlineBoxWrapper.

LayoutBlockFlow::ComputeBlockDirectionPositionsForLine() sets InlineBoxWrapper but LayoutNG does not call this function. It does several other things, but SetInlineBoxWrapper() is the only thing needed for CopyFragmentDataToLayoutBox().

BUG=636993, 739365
Review-Url: https://codereview.chromium.org/2975663002
Cr-Commit-Position: refs/heads/master@{#485160}

[modify] https://crrev.com/b0ad7c5c03efbe8f725f85201c834389bf6a5b12/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/b0ad7c5c03efbe8f725f85201c834389bf6a5b12/third_party/WebKit/Source/core/layout/ng/inline/ng_inline_node.cc
Jul 11 2017
Comment 1 by glider@chromium.org, Jul 5 2017