Issue 778884

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




OffscreenCanvas: dimension change + commit crashes tab

Reported by acmesqua...@gmail.com, Oct 27 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.18 Safari/537.36

Steps to reproduce the problem:
1. Transfer control to an OffscreenCanvas
2. commit()
3. In a different tick, change the OffscreenCanvas size then commit again.

What is the expected behavior?
"If image has different dimensions than the bitmap previously referenced as the placeholder canvas element's output bitmap, then this task will result in a change in the placeholder canvas element's intrinsic size, which can affect document layout."

What went wrong?
The tab crashes

Did this work before? No 

Does this work in other browsers? Yes

Chrome version: 63.0.3239.18  Channel: beta
OS Version: 
Flash Version:
 
Attachment: offscreen_commit.js (201 bytes)
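The three reproduction steps above, written out as an added example. This is not the reporter's attached offscreen_commit.js (that file is not shown on this page) and uses only the API of Chrome 63: `commit()` on the OffscreenCanvas 2D context, which has since been removed from the HTML specification, so the script will not reproduce anything on a current browser. The `schedule` parameter and the 100/200 pixel sizes are assumptions of this example; by default the second commit is pushed to a later task with `setTimeout`, which is the "different tick" the report calls out.

```javascript
// Added example, not the original attachment: drive an OffscreenCanvas through
// transfer -> commit -> (later task) resize -> commit, the sequence that crashed
// the renderer on 63.0.3239.18. Works against a real <canvas> in a browser of
// that era; the `schedule` hook lets the same sequence be driven synchronously
// against a recording fake for testing (assumption of this example).
function runResizeCommitRepro({
  canvas,
  schedule = (fn) => setTimeout(fn, 0), // "different tick": a separate task
  size1 = 100,
  size2 = 200,
} = {}) {
  const trace = [];

  // Step 1: hand the canvas's bitmap to an OffscreenCanvas. From now on the
  // <canvas> element is only a placeholder that shows whatever is committed.
  const offscreen = canvas.transferControlToOffscreen();
  const ctx = offscreen.getContext('2d');

  offscreen.width = size1;
  offscreen.height = size1;
  ctx.fillStyle = 'red';
  ctx.fillRect(0, 0, size1, size1);

  // Step 2: first commit. Sets up the compositor surface for the placeholder.
  ctx.commit();
  trace.push(['commit', offscreen.width, offscreen.height]);

  // Step 3: in a later task, change the OffscreenCanvas dimensions and commit
  // again. Per spec this only changes the placeholder's intrinsic size; on the
  // affected build the second commit crashed the tab.
  schedule(() => {
    offscreen.width = size2;
    offscreen.height = size2;
    ctx.fillStyle = 'blue';
    ctx.fillRect(0, 0, size2, size2);
    ctx.commit();
    trace.push(['commit', offscreen.width, offscreen.height]);
  });

  return trace; // filled in as the commits happen
}

// When pasted into a browser console, create a placeholder canvas and run.
if (typeof document !== 'undefined') {
  const placeholder = document.createElement('canvas');
  document.body.appendChild(placeholder);
  runResizeCommitRepro({ canvas: placeholder });
}
```

Because the crash is triggered purely from page script, this class of bug is a remote renderer denial of service: any site the user visits can take down the tab. The Chrome Sheriff process on this page treats it as a regression rather than a security bug because the crash in the stack trace below is a controlled trap in `GraphicsLayer::RegisterContentsLayer`, not memory corruption.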

Comment 1 by ajha@chromium.org, Oct 27 2017

Cc: ajha@chromium.org
Labels: Needs-Feedback Needs-Triage-M63
Could you please attach any sample test page or hosted webpage for ease of reproduction to test and check this for regression. Also, please attach the crash id from chrome://crashes.
 
Running the code in the console is sufficient to reproduce.

Crash IDs:
7efde5440279f239
2c12bdc23fc5d494
e991b5b090f03a57

Comment 3 by sheriffbot@chromium.org, Oct 27 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "ajha@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: ranjitkan@chromium.org pbomm...@chromium.org
Labels: -Type-Bug M-63 Type-Bug-Regression
Owner: lethalantidote@chromium.org
Status: Assigned (was: Unconfirmed)
Received the following error when I tried to execute the code using the attached .js file, but as per the stack trace generated for the crash IDs provided:

Stack Trace:
============
CRASHED [SIGILL @ 0x0000556e0f9a0b79 ] MAGIC SIGNATURE THREAD
Stack Quality: 77%
0x0000556e0f9a0b79	(chrome -GraphicsLayer.cpp:396 )	blink::GraphicsLayer::RegisterContentsLayer(blink::WebLayer*)
0x0000556e0fe571ee	(chrome -HTMLCanvasElement.cpp:1503 )	non-virtual thunk to blink::HTMLCanvasElement::OnWebLayerReplaced()
0x0000556e0fe5a111	(chrome -SurfaceLayerBridge.cpp:138 )	blink::SurfaceLayerBridge::OnFirstSurfaceActivation(viz::SurfaceInfo const&)
0x0000556e0d067b3b	(chrome -offscreen_canvas_surface.mojom-blink.cc:350 )	blink::mojom::blink::OffscreenCanvasSurfaceClientStubDispatch::Accept(blink::mojom::blink::OffscreenCanvasSurfaceClient*, mojo::Message*)
0x0000556e0d4dc6cc	(chrome -multiplex_router.cc:875 )	mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*)
0x0000556e0d4dbeff	(chrome -multiplex_router.cc:599 )	mojo::internal::MultiplexRouter::Accept(mojo::Message*)
0x0000556e0d4d4298	(chrome -connector.cc:440 )	mojo::Connector::ReadSingleMessage(unsigned int*)
0x0000556e0d4d4921	(chrome -connector.cc:469 )	mojo::Connector::ReadAllAvailableMessages()
0x0000556e0c1ba9ff	(chrome -callback.h:92 )	base::MemoryPressureListener::Notify(base::MemoryPressureListener::MemoryPressureLevel)
0x0000556e0d4e5463	(chrome -callback.h:92 )	mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&)
0x0000556e0d402696	(chrome -callback.h:64 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x0000556e0d04899e	(chrome -task_queue_manager.cc:531 )	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*)
0x0000556e0d046998	(chrome -task_queue_manager.cc:322 )	blink::scheduler::TaskQueueManager::DoWork(bool)
0x0000556e0d402696	(chrome -callback.h:64 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x0000556e0d41aef8	(chrome -message_loop.cc:392 )	base::MessageLoop::RunTask(base::PendingTask*)
0x0000556e0d41b511	(chrome -message_loop.cc:404 )	base::MessageLoop::DoWork()
0x0000556e0d41d774	(chrome -message_pump_default.cc:37 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
0x0000556e0d43c784	(chrome -run_loop.cc:118 )	<name omitted>
0x0000556e10b02385	(chrome -renderer_main.cc:220 )	content::RendererMain(content::MainFunctionParams const&)
0x0000556e0d130909	(chrome -content_main_runner.cc:358 )	content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*)
0x0000556e0d131c20	(chrome -content_main_runner.cc:710 )	content::ContentMainRunnerImpl::Run()
0x0000556e0d13acf0	(chrome -main.cc:469 )	service_manager::Main(service_manager::MainParams const&)
0x0000556e0d1305d1	(chrome -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const&)
0x0000556e0bb57d33	(chrome -chrome_main.cc:123 )	ChromeMain
0x00007fb69dc4982f	(libc-2.23.so + 0x0002082f )	
0x0000556e0bb57c8f	(chrome + 0x017a7c8f )	
0x0000556e0ba48fff	(chrome + 0x01698fff )	
0x00007fb6a42897ca	(ld-2.23.so + 0x000107ca )	
0x0000556e0ba48fff	(chrome + 0x01698fff )	
0x0000556e0ba49028	(chrome + 0x01699028 )	_start

Using code search suspecting the following change could be a possible culprit:

https://chromium.googlesource.com/chromium/src.git/+/2302d2015a29612979ec1990f9dd8491a2b07f3e

@ lethalantidote: Assigning to you, request you to please take a look into it. Below link gives in detail for the total number of instances in which the crash has occurred for associated builds on respective OS.

https://goto.google.com/cipvt

All instances reported on M63 are generated from Single client ID.

Can this be addressed?

Thanks!

Attachment: Error.png (125 KB)

Comment 5 by junov@chromium.org, Nov 1 2017

Owner: xlai@chromium.org

Comment 6 by xlai@chromium.org, Nov 1 2017

Status: Started (was: Assigned)

Comment 7 by bugdroid1@chromium.org, Nov 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/01e76ff18b0db68f3d990c2b0bf7e29896e3739e

commit 01e76ff18b0db68f3d990c2b0bf7e29896e3739e
Author: xlai <xlai@chromium.org>
Date: Fri Nov 03 17:49:31 2017

Quick fix to OffscreenCanvas crash on dimension change

SurfaceLayerBridge's WebLayer is not replaced in the second commit() call in
OffscreenCanvas and therefore a registration to graphics layer set is not
needed.

Bug: 778884
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: Ie76f95176604bd3042032b1432dd799df8cdf3b0
Reviewed-on: https://chromium-review.googlesource.com/751290
Reviewed-by: Justin Novosad <junov@chromium.org>
Commit-Queue: Olivia Lai <xlai@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513829}
[modify] https://crrev.com/01e76ff18b0db68f3d990c2b0bf7e29896e3739e/content/test/data/gpu/pixel_offscreenCanvas_2d_resize_on_worker.html
[modify] https://crrev.com/01e76ff18b0db68f3d990c2b0bf7e29896e3739e/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp
[modify] https://crrev.com/01e76ff18b0db68f3d990c2b0bf7e29896e3739e/third_party/WebKit/Source/platform/graphics/SurfaceLayerBridge.cpp

Comment 8 by xlai@chromium.org, Nov 3 2017

Status: Fixed (was: Started)
