Predator and CL could not provide any possible suspects.

Using the code search for the file, “PaintController.cpp” assigning to concern owner for his recent work on this file.

wangxianzhu@ -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.


Thank You.

Lowering priority because the crash happens only when a internal flag is enabled.

Reduced test case attached. To reproduce, run content_shell with --enable-blink-features=PaintUnderInvalidationChecking. We miss invalidation when the <img>'s SVG filter changes.

fs, pdr, what's the correct path to trigger svg resource change invalidation for the test case?

Deleted: filter.html 375 bytes

filter.html 375 bytes View Download

Hmm, I think this is one of those semi-broken case... Invalidation for resources usually take place via the layout tree - which the filter isn't part of here (I'm assuming that removing the 'display: none' "fixes" it?)

It might work to do:

if (SVGElementProxySet* proxy_set = ElementProxySet())
  proxy_set->NotifiyContentChanged(GetTreeScope());

in SVGFilterElement::ChildrenChanged. (Modulo misspellings and typos...)

Yes, removing "display:none" "fixes" the bug, and calling NotifyContentChanged() does fix. However, I feel that there are also other failing cases, e.g. other SVG resources, descendant attribute change, descendant style change, etc. and I'm not familiar with the related code.

fs@opera.com can you take over this bug?

Other SVG resources will fail miserably without layout object (filters are "special" in that regard.) We should probably refactor this to be able to invalidate using the DOM-structure. I guess I can take care of it (now that it's a mere P3! ;-))

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc

commit d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc
Author: Fredrik Söderquist <fs@opera.com>
Date: Tue Oct 17 19:18:50 2017

Refactor <filter> invalidation to use the DOM structure

This changes the path used for invalidation of filter effects (SVGFE*)
from the layout tree to the DOM tree. This is done to allow invalidation
to work when the filter is not part of the layout tree. That change
will be done in a follow-up.

Also add casting helpers for SVGFilterPrimitiveStandardAttributes and
use it where applicable.

Bug:  773811 
Change-Id: I275534e59eb285c0cab805f6c09d00b1f725e4f4
Reviewed-on: https://chromium-review.googlesource.com/719837
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Philip Rogers <pdr@chromium.org>
Commit-Queue: Fredrik Söderquist <fs@opera.com>
Cr-Commit-Position: refs/heads/master@{#509478}
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/LayoutTests/paint/invalidation/svg/feImage-target-add-to-document-expected.txt
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/LayoutTests/paint/invalidation/svg/feImage-target-reappend-to-document-expected.txt
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceFilter.cpp
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceFilter.h
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceFilterPrimitive.cpp
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceFilterPrimitive.h
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/svg/SVGComponentTransferFunctionElement.cpp
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/svg/SVGFEMergeNodeElement.cpp
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/svg/SVGFilterElement.cpp
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/svg/SVGFilterElement.h
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/svg/SVGFilterPrimitiveStandardAttributes.cpp
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/svg/SVGFilterPrimitiveStandardAttributes.h
[modify] https://crrev.com/d24c3eae77fa719ed69d129cce3b8dbfe1aec4bc/third_party/WebKit/Source/core/svg/graphics/filters/SVGFilterBuilder.cpp

ClusterFuzz has detected this issue as fixed in range 510178:510268.

Detailed report: https://clusterfuzz.com/testcase?key=5912508241281024

Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false in PaintController.cpp
  blink::PaintController::EndSubsequence
  blink::PaintLayerPainter::PaintLayerContents
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=497182:497236
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=510178:510268

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5912508241281024

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5912508241281024 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2cd618735fb87636b100642cacbe8705b9ab3199

commit 2cd618735fb87636b100642cacbe8705b9ab3199
Author: Fredrik Söderquist <fs@opera.com>
Date: Fri Oct 20 10:28:43 2017

Handle invalidation of SVG filters that are not in the layout tree

If a <filter> was not in the layout tree, we could not invalidate it
because doing that required going through the LayoutObject of the
<filter>.
If the <filter> does not have a LayoutObject associated, then invalidate
through the proxy-set directly.

Bug:  773811 
Change-Id: I35612e3915a09b714b3aaa27e4b50ae344b6ff3f
Reviewed-on: https://chromium-review.googlesource.com/728001
Commit-Queue: Fredrik Söderquist <fs@opera.com>
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Reviewed-by: Philip Rogers <pdr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#510397}
[add] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/LayoutTests/paint/invalidation/filters/effect-reference-repaint-primitive-attr-mutation-expected.html
[add] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/LayoutTests/paint/invalidation/filters/effect-reference-repaint-primitive-attr-mutation-expected.txt
[add] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/LayoutTests/paint/invalidation/filters/effect-reference-repaint-primitive-attr-mutation.html
[add] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/LayoutTests/paint/invalidation/filters/effect-reference-repaint-primitive-attr-removal-expected.html
[add] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/LayoutTests/paint/invalidation/filters/effect-reference-repaint-primitive-attr-removal-expected.txt
[add] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/LayoutTests/paint/invalidation/filters/effect-reference-repaint-primitive-attr-removal.html
[add] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/LayoutTests/paint/invalidation/filters/effect-reference-repaint-primitive-removed-expected.html
[add] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/LayoutTests/paint/invalidation/filters/effect-reference-repaint-primitive-removed-expected.txt
[add] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/LayoutTests/paint/invalidation/filters/effect-reference-repaint-primitive-removed.html
[modify] https://crrev.com/2cd618735fb87636b100642cacbe8705b9ab3199/third_party/WebKit/Source/core/svg/SVGFilterElement.cpp