
Issue 760904 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
NOT IN USE
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression

svg/as-image/svg-nested.html consistently crashing on WebKit Linux Trusty ASAN

Project Member Reported by hbos@chromium.org, Aug 31 2017

Issue description

svg/as-image/svg-nested.html consistently crashing on WebKit Linux Trusty ASAN

First crash
https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty%20ASAN/builds/4798

Reverting https://chromium-review.googlesource.com/c/chromium/src/+/644516 locally didn't fix it. Reverting other CLs in the first crash's blamelist made it timeout instead.

tkent@ can you take a look or triage?
Comment 1 by bugdroid1@chromium.org, Aug 31 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7a0b317182f57793a288bbc61beafe540637cff0

commit 7a0b317182f57793a288bbc61beafe540637cff0
Author: Henrik Boström <hbos@chromium.org>
Date: Thu Aug 31 10:24:43 2017

Disable svg/as-image/svg-nested.html which crashes on WebKit Linux Trusty ASAN

NOTRY=True
TBR=tkent@chromium.org

Bug:  760904 
Change-Id: Idac8b396361dc7bf90a5b22c640836efee52b3bf
Reviewed-on: https://chromium-review.googlesource.com/645526
Reviewed-by: Henrik Boström <hbos@chromium.org>
Commit-Queue: Henrik Boström <hbos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498804}
[modify] https://crrev.com/7a0b317182f57793a288bbc61beafe540637cff0/third_party/WebKit/LayoutTests/TestExpectations

Comment 2 by hbos@chromium.org, Aug 31 2017

Labels: -Sheriff-Chromium
With the disabling of the test I'm removing the sheriff label.

Comment 3 by tkent@chromium.org, Aug 31 2017

Components: Blink>SVG
Labels: -Type-Bug OS-Linux Type-Bug-Regression

Comment 4 by pdr@chromium.org, Aug 31 2017

Here's the flakiness dashboard link:
https://test-results.appspot.com/dashboards/flakiness_dashboard.html#testType=webkit_layout_tests&tests=svg%2Fas-image%2Fsvg-nested.html

The regression range is:
https://chromium.googlesource.com/chromium/src/+log/d7725f2e0f1d9ecca1b72eee3ea5c00bf905cc53%5E..aec6acbb0b17d89bb592952efae312cbbb7c834f?pretty=fuller&n=

Unfortunately, none of those patches look likely.

The ASAN bot is just showing "STDOUT: #CRASHED - renderer" with no stacktrace.

Comment 5 by tkent@chromium.org, Aug 31 2017

Owner: r...@opera.com
I reproduced this locally with macOS ASAN.

* thread #29, name = 'Chrome_InProcRendererThread', stop reason = EXC_BAD_ACCESS (code=2, address=0x70000fc6ee80)
    frame #0: 0x000000010bec03dc Content Shell Framework`::RestoreParentTextDecorations() at ComputedStyle.cpp:1718 [opt]
   1715	}
   1716	
   1717	void ComputedStyle::RestoreParentTextDecorations(
-> 1718	    const ComputedStyle& parent_style) {
   1719	  SetHasSimpleUnderlineInternal(parent_style.HasSimpleUnderlineInternal());
   1720	  if (AppliedTextDecorationsInternal() !=
   1721	      parent_style.AppliedTextDecorationsInternal()) {
(lldb) bt
* thread #29, name = 'Chrome_InProcRendererThread', stop reason = EXC_BAD_ACCESS (code=2, address=0x70000fc6ee80)
  * frame #0: 0x000000010bec03dc Content Shell Framework`::RestoreParentTextDecorations() at ComputedStyle.cpp:1718 [opt]
    frame #1: 0x000000010a46ef25 Content Shell Framework`::AdjustComputedStyle() at StyleAdjuster.cpp:533 [opt]
    frame #2: 0x000000010a4b0eb3 Content Shell Framework`::StyleForElement() [inlined] AdjustComputedStyle at StyleResolver.cpp:543 [opt]
    frame #3: 0x000000010a4b0e72 Content Shell Framework`::StyleForElement() at StyleResolver.cpp:721 [opt]
    frame #4: 0x000000010a602324 Content Shell Framework`::StyleForLayoutObject() [inlined] OriginalStyleForLayoutObject at Element.cpp:1964 [opt]
    frame #5: 0x000000010a602305 Content Shell Framework`::StyleForLayoutObject() at Element.cpp:1937 [opt]
    frame #6: 0x000000010a65c01a Content Shell Framework`::Style() at LayoutTreeBuilder.cpp:104 [opt]
    frame #7: 0x000000010a65be77 Content Shell Framework`::ShouldCreateLayoutObject() at LayoutTreeBuilder.cpp:99 [opt]
    frame #8: 0x000000010a5fed4e Content Shell Framework`::AttachLayoutTree() [inlined] CreateLayoutObjectIfNeeded at LayoutTreeBuilder.h:90 [opt]
    frame #9: 0x000000010a5fed46 Content Shell Framework`::AttachLayoutTree() at Element.cpp:1818 [opt]
    frame #10: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #11: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #12: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #13: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #14: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #15: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #16: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #17: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #18: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #19: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #20: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #21: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #22: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #23: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #24: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #25: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #26: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #27: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #28: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #29: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #30: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #31: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #32: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #33: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #34: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #35: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #36: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #37: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #38: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #39: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
    frame #40: 0x000000010a52f475 Content Shell Framework`::AttachLayoutTree() at ContainerNode.cpp:920 [opt]
    frame #41: 0x000000010a5ff7fe Content Shell Framework`::AttachLayoutTree() at Element.cpp:1852 [opt]
     ......

9000+ AttachLayoutTree() in the stack.  Maybe stack overflow?

Comment 6 by r...@opera.com, Sep 1 2017

The test is creating a DOM tree with a depth of 50000, causing what I assume is a stack overflow in AttachLayoutTree. That's bound to cause a stack overflow somewhere at some point. This may very well be [1], which moves AttachContext from ContainerNode to Element AttachLayoutTree as well as adding a local LayoutObject* stack variable. I think we should just remove the test.

[1] https://chromium.googlesource.com/chromium/src/+/3e112a3211482b35130baf32cf28e7d4a7705a95
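The failure mode diagnosed above generalizes: any recursive tree walk whose frame count is decided by document nesting lets untrusted markup choose how much native stack is consumed, and the result is a renderer crash with no useful trace (as comment 4 saw). The following is an added, stand-alone example rather than Blink code or anything posted in this thread. It models the deleted test's 50000-deep chain with a toy `Node` type, shows an `AttachLayoutTree`-shaped recursion hardened with an explicit depth bound (`kMaxRecursionDepth`, a hypothetical value) so it fails closed instead of overflowing, and an iterative variant whose work list lives on the heap so input depth never maps onto stack frames. Nodes are kept in a flat arena precisely so that destruction is not itself a deep recursion.

```cpp
// Added example (not Blink code, not from the bug thread): a 50000-deep
// tree versus a recursive attach, plus two defensive shapes of the walk.
#include <cassert>
#include <cstddef>
#include <deque>
#include <vector>

// Toy stand-in for a DOM node. Names are hypothetical.
struct Node {
    std::vector<Node*> children;
    bool attached = false;
};

// Flat arena: std::deque keeps element addresses stable on push_back, and
// tearing it down is a loop, not a 50000-deep destructor recursion.
struct Tree {
    std::deque<Node> arena;
    Node* root = nullptr;
};

// Constructed input mirroring the deleted test: a chain `depth` nodes deep,
// each node having exactly one child.
Tree MakeChain(std::size_t depth) {
    Tree t;
    t.arena.emplace_back();
    t.root = &t.arena.front();
    Node* cur = t.root;
    for (std::size_t i = 1; i < depth; ++i) {
        t.arena.emplace_back();
        cur->children.push_back(&t.arena.back());
        cur = cur->children.back();
    }
    return t;
}

// Recursive walk in the shape of AttachLayoutTree: one native frame per
// tree level, so frame count == input depth. The guard is the mitigation:
// past the bound the walk refuses and reports failure instead of crashing.
constexpr std::size_t kMaxRecursionDepth = 1024;  // hypothetical bound

bool AttachRecursive(Node& node, std::size_t depth, std::size_t& attached) {
    if (depth > kMaxRecursionDepth) return false;  // fail closed
    node.attached = true;
    ++attached;
    for (Node* child : node.children) {
        if (!AttachRecursive(*child, depth + 1, attached)) return false;
    }
    return true;
}

// Iterative walk with an explicit heap-allocated work list: depth now costs
// heap memory, which the allocator bounds, rather than stack frames.
std::size_t AttachIterative(Node& root) {
    std::size_t attached = 0;
    std::vector<Node*> work{&root};
    while (!work.empty()) {
        Node* n = work.back();
        work.pop_back();
        n->attached = true;
        ++attached;
        for (Node* child : n->children) work.push_back(child);
    }
    return attached;
}

struct AttachResult {
    bool recursive_ok;               // did the guarded recursion finish?
    std::size_t recursive_attached;  // nodes attached before it stopped
    std::size_t iterative_attached;  // nodes attached by the iterative walk
};

// Run both strategies over fresh chains of the given depth.
AttachResult RunBoth(std::size_t depth) {
    AttachResult r{};
    Tree t1 = MakeChain(depth);
    r.recursive_ok = AttachRecursive(*t1.root, 0, r.recursive_attached);
    Tree t2 = MakeChain(depth);
    r.iterative_attached = AttachIterative(*t2.root);
    return r;
}

int main() {
    AttachResult shallow = RunBoth(100);
    assert(shallow.recursive_ok && shallow.recursive_attached == 100);
    AttachResult deep = RunBoth(50000);
    assert(!deep.recursive_ok);                // guard fired, no crash
    assert(deep.iterative_attached == 50000);  // iterative walk completes
    return 0;
}
```

The guarded recursion attaches levels 0 through `kMaxRecursionDepth` and then stops, so on the 50000-deep chain it reports failure after 1025 nodes; the iterative walk attaches all 50000. Which shape to choose is a design decision: a depth cap is cheap to retrofit and makes the limit explicit and testable, while an iterative traversal removes the class of bug but usually means restructuring code that carries per-level context (the `AttachContext` mentioned above is exactly such state).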

Comment 7 by r...@opera.com, Sep 1 2017

Status: Started (was: Assigned)
https://chromium-review.googlesource.com/c/chromium/src/+/647536
Comment 8 by bugdroid1@chromium.org, Sep 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/877259a2ec269beac7d9d88e973b535deedc0a2c

commit 877259a2ec269beac7d9d88e973b535deedc0a2c
Author: Rune Lillesveen <rune@opera.com>
Date: Sat Sep 02 07:28:34 2017

Removed svg/as-image/svg-nested.html

The test is creating a 50000 nodes deep tree which at some point causes
a stack overflow in one of the recursive methods traversing the DOM
tree. Removing test as it arbitrarily causes a stack overflow.

Bug:  760904 
Change-Id: Ib1b841a51cbe383bc630ca57b3dd07c8c859cee0
Reviewed-on: https://chromium-review.googlesource.com/647536
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Rune Lillesveen <rune@opera.com>
Cr-Commit-Position: refs/heads/master@{#499392}
[modify] https://crrev.com/877259a2ec269beac7d9d88e973b535deedc0a2c/third_party/WebKit/LayoutTests/NeverFixTests
[modify] https://crrev.com/877259a2ec269beac7d9d88e973b535deedc0a2c/third_party/WebKit/LayoutTests/TestExpectations
[delete] https://crrev.com/1b346d4b13a634576853f304bbc7e3a5e5fa57b6/third_party/WebKit/LayoutTests/svg/as-image/svg-nested-expected.txt
[delete] https://crrev.com/1b346d4b13a634576853f304bbc7e3a5e5fa57b6/third_party/WebKit/LayoutTests/svg/as-image/svg-nested.html

Comment 9 by r...@opera.com, Sep 2 2017

Status: Fixed (was: Started)
