Issue 789263

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




FATAL:InspectorStyleSheet.cpp(277)] Check failed: start_offset < end_offset (0 vs. 0)

Reported by maxlg@google.com (Project Member), Nov 28 2017

Issue description

Chrome Version: (copy from chrome://version)
Chromium	64.0.3279.0 (Developer Build) (64-bit)
Revision	879fb124ce96a93d0ea96947b14eeebbe3cec6c6-refs/heads/master@{#519432}
OS	Linux
JavaScript	V8 6.4.372
Flash	(Disabled)
User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3279.0 Safari/537.36
Command Line	./out/Default/chrome --flag-switches-begin --flag-switches-end
Executable Path	/usr/local/google/home/maxlg/Develop/gitRepo/chrome/chromium/src/out/Default/chrome
Profile Path	/usr/local/google/home/maxlg/.config/chromium/Default
Variations	AccountConsistencyVariations:DiceFixAuthErrors
AlternateComponentUrls:AlternateComponentUrls
AutofillFieldMetadata:Enabled
BackgroundVideoOptimizations:BackgroundOptimizationEnabled1sOrLessMediaSource
BookmarkInProductHelp:Enabled_1
BrowserScheduler:RedirectWithDefaultInitParams
CSSExternalScanner:Enabled_ScanAndPreload
CheckerImaging:CheckerImaging
CompositorImageAnimation:CompositorImageAnimation
DecoupleTranslateLanguage:Experiment
DelayNavigation:DelayNavigation
DisallowFetchForDocWrittenScriptsInMainFrame:DocumentWriteScriptBlockGroup_20161208_Launch
DynamicExpectCT:DynamicExpectCTEnabled
GuestViewCrossProcessFrames:Enabled
Html5ByDefault:Enabled
IncognitoWindowInProductHelp:Enabled
InstanceID:Enabled
KeepAliveRendererForKeepaliveRequests:Enabled
LazyParseCSS:Enabled
LoadingWithMojo:Enabled_Launch
MojoInputMessages:Enabled
NTPCaptureThumbnail:Enabled
NetDelayableH2AndQuicRequests:Yielding3
NewTabInProductHelp:Enabled_1
NoStatePrefetchRollout:NoStatePrefetchEnabled
OffMainThreadFetch:Enabled
PWAFullCodeCache:Enabled
PageRevisitInstrumentation:Enabled
PassiveDocumentEventListeners:Enabled
PassiveEventListenersDueToFling:Enabled
PermissionPromptUIViews:BlockPromptsEnabled
PersistentHistograms:EnabledOnDisk5
PreconnectMore:Enabled
QUIC:Enabled
ReportingAPI:ReportingEnabled
ResourceLoadScheduler:Enabled_bg_limit_8_4
S13nSafeBrowsingParallelUrlCheck:CanaryDev_Enabled
SafeBrowsingAdSamplerPerformance:AllAdSamples_NoReportsSent
SafeBrowsingAtRiskAccountFlagging:Enabled_Launch
SafeBrowsingScoutTransitionStudy:CanShowScoutOptInGroup2
SafeBrowsingThreatDomDetailsTagAttributes:AdIdentifiers
ServiceWorkerPaymentApps:Enabled
ServiceWorkerScriptFullCodeCache:Enabled
ServiceWorkerScriptStreaming:Enabled
SignInProcessIsolation:Enabled_50_20171026
SimpleCachePrefetchExperiment:Prefetch32K
SimpleCacheTrial:ExperimentYes
SocketReadIfReady:Enabled
SubresourceFilter:EnabledForPhishingSites
TLS13Variant:Experiment2V2
ThrottleDelayable:Enabled
TokenBinding:TokenBinding
TranslateRankerModel:Enforcement20170329
TranslateUserEvents:Enabled
UKM:Enabled
UseHeuristicLanguageModel:Experiment
UseMojoAudioOutputStreamFactory:UseMojoAudioOutputStreamFactory
V8AsmJSToWasm:AsmJsToWebAssembly
V8ContextSnapshot:Enabled
V8WasmTrapHandler:WasmTrapHandlerActive
VideoCaptureService:Enabled2
VoiceSearchOnLocalNtp:Enabled
VsyncAlignedInput:Enable
WebRTC-LocalIPPermissionCheck:Enabled
WebRTC-ProbingScreenshareBwe:1.0,2875,80,40,-60,3
WheelScrollLatchingAndAsyncWheelEvents:Enabled
WorkStealingInScriptRunner:Enabled
YieldBetweenContentScriptRuns:Enabled



OS: (e.g. Win7, OSX 10.9.5, etc...)
Goobuntu

What steps will reproduce the problem?
(1) Open a blank page
(2) Open devtool -> performance
(3) Record
(4) Navigate to https://next.weekplan.net (Only happens to this page)
(5) Record for about 30s
(6) End recording
(7) Crashes

What is the expected result?

What happens instead?

Please use labels and text to provide additional information.



[1:1:1128/161048.869341:WARNING:internal_linux.cc(64)] Failed to read /proc/self/stat
[166314:166314:1128/161048.870365:WARNING:internal_linux.cc(64)] Failed to read /proc/self/stat
[1:1:1128/161049.034125:WARNING:internal_linux.cc(64)] Failed to read /proc/self/stat
[1:1:1128/161050.688815:WARNING:internal_linux.cc(64)] Failed to read /proc/self/stat
[1:1:1128/161050.976484:FATAL:InspectorStyleSheet.cpp(277)] Check failed: start_offset < end_offset (0 vs. 0)
#0 0x7fd1b2ce09dd base::debug::StackTrace::StackTrace()
#1 0x7fd1b2cdee0c base::debug::StackTrace::StackTrace()
#2 0x7fd1b2d668ca logging::LogMessage::~LogMessage()
#3 0x7fd1a1f96d2e blink::(anonymous namespace)::StyleSheetHandler::ObserveProperty()
#4 0x7fd1a163499d blink::CSSParserImpl::ConsumeDeclaration()
#5 0x7fd1a163433b blink::CSSParserImpl::SupportsDeclaration()
#6 0x7fd1a165be62 blink::CSSSupportsParser::ConsumeDeclarationCondition()
#7 0x7fd1a165c1a3 blink::CSSSupportsParser::ConsumeConditionInParenthesis()
#8 0x7fd1a165ba6d blink::CSSSupportsParser::ConsumeCondition()
#9 0x7fd1a165b971 blink::CSSSupportsParser::SupportsCondition()
#10 0x7fd1a163593b blink::CSSParserImpl::ConsumeSupportsRule()
#11 0x7fd1a1631e20 blink::CSSParserImpl::ConsumeAtRule()
#12 0x7fd1a1634e65 blink::CSSParserImpl::ConsumeRuleList<>()
#13 0x7fd1a1634c18 blink::CSSParserImpl::ParseStyleSheetForInspector()
#14 0x7fd1a162670d blink::CSSParser::ParseSheetForInspector()
#15 0x7fd1a1f8ceb1 blink::InspectorStyleSheet::InnerSetText()
#16 0x7fd1a1f8c9e5 blink::InspectorStyleSheet::InspectorStyleSheet()
#17 0x7fd1a1f8c840 blink::InspectorStyleSheet::Create()
#18 0x7fd1a1eb8feb blink::InspectorCSSAgent::BindStyleSheet()
#19 0x7fd1a1eb8c64 blink::InspectorCSSAgent::SetActiveStyleSheets()
#20 0x7fd1a1eb7fa2 blink::InspectorCSSAgent::UpdateActiveStyleSheets()
#21 0x7fd1a1eb7cfc blink::InspectorCSSAgent::WasEnabled()
#22 0x7fd1a1eb84c9 blink::InspectorCSSAgent::ResourceContentLoaded()
#23 0x7fd1a1ed68ee _ZN4base8internal13FunctorTraitsIMN5blink17InspectorCSSAgentEFvNSt3__110unique_ptrINS2_8protocol3CSS7Backend14EnableCallbackENS4_14default_deleteIS9_EEEEEvE6InvokeIRKNS2_10PersistentIS3_EEJSC_EEEvSE_OT_DpOT0_
#24 0x7fd1a1ed670f _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN5blink17InspectorCSSAgentEFvNSt3__110unique_ptrINS4_8protocol3CSS7Backend14EnableCallbackENS6_14default_deleteISB_EEEEEJRKNS4_10PersistentIS5_EESE_EEEvOT_DpOT0_
#25 0x7fd1a1ed65e6 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink17InspectorCSSAgentEFvNSt3__110unique_ptrINS3_8protocol3CSS7Backend14EnableCallbackENS5_14default_deleteISA_EEEEEJNS3_10PersistentIS4_EEN3WTF13PassedWrapperISD_EEEEEFvvEE7RunImplIRKSF_RKNS5_5tupleIJSH_SK_EEEJLm0ELm1EEEEvOT_OT0_NS5_16integer_sequenceImJXspT1_EEEE
#26 0x7fd1a1ed64cc _ZN4base8internal7InvokerINS0_9BindStateIMN5blink17InspectorCSSAgentEFvNSt3__110unique_ptrINS3_8protocol3CSS7Backend14EnableCallbackENS5_14default_deleteISA_EEEEEJNS3_10PersistentIS4_EEN3WTF13PassedWrapperISD_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#27 0x7fd1a11ba10d _ZNKR4base17RepeatingCallbackIFvvEE3RunEv
#28 0x7fd1a11ba0c5 WTF::ThreadCheckingCallbackWrapper<>::RunInternal()
#29 0x7fd1a11b8b79 WTF::ThreadCheckingCallbackWrapper<>::Run()
#30 0x7fd1a11b9b12 _ZN4base8internal13FunctorTraitsIMN3WTF29ThreadCheckingCallbackWrapperINS_17RepeatingCallbackIFvvEEES5_EEFvvEvE6InvokeIRKNSt3__110unique_ptrIS7_NSC_14default_deleteIS7_EEEEJEEEvS9_OT_DpOT0_
#31 0x7fd1a11b9a74 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3WTF29ThreadCheckingCallbackWrapperINS_17RepeatingCallbackIFvvEEES7_EEFvvEJRKNSt3__110unique_ptrIS9_NSE_14default_deleteIS9_EEEEEEEvOT_DpOT0_
#32 0x7fd1a11b9a20 _ZN4base8internal7InvokerINS0_9BindStateIMN3WTF29ThreadCheckingCallbackWrapperINS_17RepeatingCallbackIFvvEEES6_EEFvvEJNSt3__110unique_ptrIS8_NSB_14default_deleteIS8_EEEEEEES6_E7RunImplIRKSA_RKNSB_5tupleIJSF_EEEJLm0EEEEvOT_OT0_NSB_16integer_sequenceImJXspT1_EEEE
#33 0x7fd1a11b996c _ZN4base8internal7InvokerINS0_9BindStateIMN3WTF29ThreadCheckingCallbackWrapperINS_17RepeatingCallbackIFvvEEES6_EEFvvEJNSt3__110unique_ptrIS8_NSB_14default_deleteIS8_EEEEEEES6_E3RunEPNS0_13BindStateBaseE
#34 0x7fd1a1711181 _ZNO4base17RepeatingCallbackIFvvEE3RunEv
#35 0x7fd1a170eaed _ZNO3WTF8FunctionIFvvEE3RunEv
#36 0x7fd1a1f7ea10 blink::InspectorResourceContentLoader::CheckDone()
#37 0x7fd1a1f7dfa4 blink::InspectorResourceContentLoader::ResourceFinished()
#38 0x7fd1a1f7df1d blink::InspectorResourceContentLoader::ResourceClient::ResourceFinished()
#39 0x7fd1a1f7e082 blink::InspectorResourceContentLoader::ResourceClient::NotifyFinished()
#40 0x7fd19fe8eddb blink::Resource::NotifyFinished()
#41 0x7fd19fe878f5 blink::RawResource::NotifyFinished()
#42 0x7fd19fe8fd16 blink::Resource::Finish()
#43 0x7fd19fea9442 blink::ResourceFetcher::HandleLoaderFinish()
#44 0x7fd19fecb196 blink::ResourceLoader::DidFinishLoading()
#45 0x7fd1ae59338b content::WebURLLoaderImpl::Context::OnCompletedRequest()
#46 0x7fd1ae593d0c content::WebURLLoaderImpl::RequestPeerImpl::OnCompletedRequest()
#47 0x7fd1ae56caa1 content::ResourceDispatcher::OnRequestComplete()
#48 0x7fd1ae587ca3 content::URLResponseBodyConsumer::NotifyCompletionIfAppropriate()
#49 0x7fd1ae587c24 content::URLResponseBodyConsumer::OnComplete()
#50 0x7fd1ae585232 content::URLLoaderClientImpl::OnComplete()
#51 0x7fd1ac255864 content::ThrottlingURLLoader::OnComplete()
#52 0x7fd1ac579183 content::mojom::URLLoaderClientStubDispatch::Accept()
#53 0x7fd1abf9cbb3 content::mojom::URLLoaderClientStub<>::Accept()
#54 0x7fd1b132825b mojo::InterfaceEndpointClient::HandleValidatedMessage()
#55 0x7fd1b1326d51 mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept()
#56 0x7fd1b13253cc mojo::FilterChain::Accept()
#57 0x7fd1b132ae91 mojo::InterfaceEndpointClient::HandleIncomingMessage()
#58 0x7fd1b1341937 mojo::internal::MultiplexRouter::ProcessIncomingMessage()
#59 0x7fd1b1340e4d mojo::internal::MultiplexRouter::Accept()
#60 0x7fd1b13253cc mojo::FilterChain::Accept()
#61 0x7fd1b1318b14 mojo::Connector::ReadSingleMessage()

Received signal 6
#0 0x7fd1b2ce09dd base::debug::StackTrace::StackTrace()
#1 0x7fd1b2cdee0c base::debug::StackTrace::StackTrace()
#2 0x7fd1b2ce0395 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7fd1b323b330 <unknown>
#4 0x7fd199eb0c37 gsignal
#5 0x7fd199eb4028 abort
#6 0x7fd1b2cdbe56 base::debug::(anonymous namespace)::DebugBreak()
#7 0x7fd1b2cdbe38 base::debug::BreakDebugger()
#8 0x7fd1b2d674eb logging::LogMessage::~LogMessage()
#9 0x7fd1a1f96d2e blink::(anonymous namespace)::StyleSheetHandler::ObserveProperty()
#10 0x7fd1a163499d blink::CSSParserImpl::ConsumeDeclaration()
#11 0x7fd1a163433b blink::CSSParserImpl::SupportsDeclaration()
#12 0x7fd1a165be62 blink::CSSSupportsParser::ConsumeDeclarationCondition()
#13 0x7fd1a165c1a3 blink::CSSSupportsParser::ConsumeConditionInParenthesis()
#14 0x7fd1a165ba6d blink::CSSSupportsParser::ConsumeCondition()
#15 0x7fd1a165b971 blink::CSSSupportsParser::SupportsCondition()
#16 0x7fd1a163593b blink::CSSParserImpl::ConsumeSupportsRule()
#17 0x7fd1a1631e20 blink::CSSParserImpl::ConsumeAtRule()
#18 0x7fd1a1634e65 blink::CSSParserImpl::ConsumeRuleList<>()
#19 0x7fd1a1634c18 blink::CSSParserImpl::ParseStyleSheetForInspector()
#20 0x7fd1a162670d blink::CSSParser::ParseSheetForInspector()
#21 0x7fd1a1f8ceb1 blink::InspectorStyleSheet::InnerSetText()
#22 0x7fd1a1f8c9e5 blink::InspectorStyleSheet::InspectorStyleSheet()
#23 0x7fd1a1f8c840 blink::InspectorStyleSheet::Create()
#24 0x7fd1a1eb8feb blink::InspectorCSSAgent::BindStyleSheet()
#25 0x7fd1a1eb8c64 blink::InspectorCSSAgent::SetActiveStyleSheets()
#26 0x7fd1a1eb7fa2 blink::InspectorCSSAgent::UpdateActiveStyleSheets()
#27 0x7fd1a1eb7cfc blink::InspectorCSSAgent::WasEnabled()
#28 0x7fd1a1eb84c9 blink::InspectorCSSAgent::ResourceContentLoaded()
#29 0x7fd1a1ed68ee _ZN4base8internal13FunctorTraitsIMN5blink17InspectorCSSAgentEFvNSt3__110unique_ptrINS2_8protocol3CSS7Backend14EnableCallbackENS4_14default_deleteIS9_EEEEEvE6InvokeIRKNS2_10PersistentIS3_EEJSC_EEEvSE_OT_DpOT0_
#30 0x7fd1a1ed670f _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN5blink17InspectorCSSAgentEFvNSt3__110unique_ptrINS4_8protocol3CSS7Backend14EnableCallbackENS6_14default_deleteISB_EEEEEJRKNS4_10PersistentIS5_EESE_EEEvOT_DpOT0_
#31 0x7fd1a1ed65e6 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink17InspectorCSSAgentEFvNSt3__110unique_ptrINS3_8protocol3CSS7Backend14EnableCallbackENS5_14default_deleteISA_EEEEEJNS3_10PersistentIS4_EEN3WTF13PassedWrapperISD_EEEEEFvvEE7RunImplIRKSF_RKNS5_5tupleIJSH_SK_EEEJLm0ELm1EEEEvOT_OT0_NS5_16integer_sequenceImJXspT1_EEEE
#32 0x7fd1a1ed64cc _ZN4base8internal7InvokerINS0_9BindStateIMN5blink17InspectorCSSAgentEFvNSt3__110unique_ptrINS3_8protocol3CSS7Backend14EnableCallbackENS5_14default_deleteISA_EEEEEJNS3_10PersistentIS4_EEN3WTF13PassedWrapperISD_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#33 0x7fd1a11ba10d _ZNKR4base17RepeatingCallbackIFvvEE3RunEv
#34 0x7fd1a11ba0c5 WTF::ThreadCheckingCallbackWrapper<>::RunInternal()
#35 0x7fd1a11b8b79 WTF::ThreadCheckingCallbackWrapper<>::Run()
#36 0x7fd1a11b9b12 _ZN4base8internal13FunctorTraitsIMN3WTF29ThreadCheckingCallbackWrapperINS_17RepeatingCallbackIFvvEEES5_EEFvvEvE6InvokeIRKNSt3__110unique_ptrIS7_NSC_14default_deleteIS7_EEEEJEEEvS9_OT_DpOT0_
#37 0x7fd1a11b9a74 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3WTF29ThreadCheckingCallbackWrapperINS_17RepeatingCallbackIFvvEEES7_EEFvvEJRKNSt3__110unique_ptrIS9_NSE_14default_deleteIS9_EEEEEEEvOT_DpOT0_
#38 0x7fd1a11b9a20 _ZN4base8internal7InvokerINS0_9BindStateIMN3WTF29ThreadCheckingCallbackWrapperINS_17RepeatingCallbackIFvvEEES6_EEFvvEJNSt3__110unique_ptrIS8_NSB_14default_deleteIS8_EEEEEEES6_E7RunImplIRKSA_RKNSB_5tupleIJSF_EEEJLm0EEEEvOT_OT0_NSB_16integer_sequenceImJXspT1_EEEE
#39 0x7fd1a11b996c _ZN4base8internal7InvokerINS0_9BindStateIMN3WTF29ThreadCheckingCallbackWrapperINS_17RepeatingCallbackIFvvEEES6_EEFvvEJNSt3__110unique_ptrIS8_NSB_14default_deleteIS8_EEEEEEES6_E3RunEPNS0_13BindStateBaseE
#40 0x7fd1a1711181 _ZNO4base17RepeatingCallbackIFvvEE3RunEv
#41 0x7fd1a170eaed _ZNO3WTF8FunctionIFvvEE3RunEv
#42 0x7fd1a1f7ea10 blink::InspectorResourceContentLoader::CheckDone()
#43 0x7fd1a1f7dfa4 blink::InspectorResourceContentLoader::ResourceFinished()
#44 0x7fd1a1f7df1d blink::InspectorResourceContentLoader::ResourceClient::ResourceFinished()
#45 0x7fd1a1f7e082 blink::InspectorResourceContentLoader::ResourceClient::NotifyFinished()
#46 0x7fd19fe8eddb blink::Resource::NotifyFinished()
#47 0x7fd19fe878f5 blink::RawResource::NotifyFinished()
#48 0x7fd19fe8fd16 blink::Resource::Finish()
#49 0x7fd19fea9442 blink::ResourceFetcher::HandleLoaderFinish()
#50 0x7fd19fecb196 blink::ResourceLoader::DidFinishLoading()
#51 0x7fd1ae59338b content::WebURLLoaderImpl::Context::OnCompletedRequest()
#52 0x7fd1ae593d0c content::WebURLLoaderImpl::RequestPeerImpl::OnCompletedRequest()
#53 0x7fd1ae56caa1 content::ResourceDispatcher::OnRequestComplete()
#54 0x7fd1ae587ca3 content::URLResponseBodyConsumer::NotifyCompletionIfAppropriate()
#55 0x7fd1ae587c24 content::URLResponseBodyConsumer::OnComplete()
#56 0x7fd1ae585232 content::URLLoaderClientImpl::OnComplete()
#57 0x7fd1ac255864 content::ThrottlingURLLoader::OnComplete()
#58 0x7fd1ac579183 content::mojom::URLLoaderClientStubDispatch::Accept()
#59 0x7fd1abf9cbb3 content::mojom::URLLoaderClientStub<>::Accept()
#60 0x7fd1b132825b mojo::InterfaceEndpointClient::HandleValidatedMessage()
#61 0x7fd1b1326d51 mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept()
  r8: fffffffffffffed8  r9: fffffffffffffec8 r10: 0000000000000008 r11: 0000000000000202
 r12: 000055fc552d6000 r13: 00007ffe15739630 r14: 0000000000000000 r15: 0000000000000000
  di: 0000000000000001  si: 0000000000000001  bp: 00007ffe1572ad80  bx: 0000000000000000
  dx: 0000000000000006  ax: 0000000000000000  cx: 00007fd199eb0c37  sp: 00007ffe1572ac48
  ip: 00007fd199eb0c37 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.


For graphics-related bugs, please copy/paste the contents of the about:gpu
page at the end of this report.

 

Comment 1 by nainar@chromium.org, Nov 29 2017

Labels: -Pri-3 Pri-2
Owner: shend@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by nainar@chromium.org, Nov 29 2017

Labels: Stability-Crash

Comment 3 by bugdroid1@chromium.org, Nov 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eb0b9f4692a20a12e3a2adf5729f0455c1133f7d

commit eb0b9f4692a20a12e3a2adf5729f0455c1133f7d
Author: Darren Shen <shend@chromium.org>
Date: Thu Nov 30 00:20:37 2017

[css-parser] Fix crash when an @supports rule is after an invalid rule.

When running with devtools, we crash in a case like:

   ** { }
   @supports (display: flex) { }

This is due to how the parser observer handles errors. The parser
observer records the offsets of where rules begin and end. Before the
streaming parser, when we encountered an illegal selector, we simply
ignored the entire rule and did not record its existence in the observer.

However, with the streaming parser, we have to record as we parse the
selector. When we encounter an invalid rule, this leaves the observer
in an invalid state [1]. Normally, this is fine, because when we
parse the next rule, we would check if the observer is in an invalid
state and correct it [2]. This check is done whenever we see a
new rule header.

Unfortunately, when parsing @supports rules, we first parse the
condition (the "display: flex" bit in the example), without creating
a rule header. Normally, this is fine because the observer ignores
declarations when it's not part of a rule. But when the previous rule
is illegal, the observer is in an invalid state and thinks that the
"display: flex" is part of the previous rule [3]. Hence, it'll
actually trigger the observer to store the offset of this declaration.
Our code crashes because we assume that the observer ignores the
condition, so we pass a dummy (invalid) offset to the observer, which
triggers a DCHECK.

Our assumption that the observer should ignore the condition is
correct because we're only parsing the condition to test if it's
valid; it should never actually be observed [4]. Hence, the correct
action is to actually disable the observer when parsing the
condition, in case the observer accidentally observes the condition
because of the preceding illegal rule.

[1] Specifically, we would have a rule header with no rule body.
[2] We simply check if the previous rule had no body.
[3] The previous rule was never 'finished', so it thinks the
    declaration is part of that rule.
[4] It also corresponds to pre-streaming behaviour.

Bug: 789263
Change-Id: I50b47a6eb45a20ff7a47690787a55bdeaea77ee2
Reviewed-on: https://chromium-review.googlesource.com/796230
Reviewed-by: nainar <nainar@chromium.org>
Commit-Queue: Darren Shen <shend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520326}
[add] https://crrev.com/eb0b9f4692a20a12e3a2adf5729f0455c1133f7d/third_party/WebKit/LayoutTests/http/tests/devtools/elements/styles-4/supports-rule-after-invalid-selector-rule-crash-expected.txt
[add] https://crrev.com/eb0b9f4692a20a12e3a2adf5729f0455c1133f7d/third_party/WebKit/LayoutTests/http/tests/devtools/elements/styles-4/supports-rule-after-invalid-selector-rule-crash.html
[modify] https://crrev.com/eb0b9f4692a20a12e3a2adf5729f0455c1133f7d/third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp
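The sequence the commit message describes, as an added illustration that is not Blink's code and not part of the commit: a toy streaming CSS rule-list parser with an inspector-style observer that records source offsets for rules and declarations. The observer's `observeProperty` carries the same `start_offset < end_offset` check that fired in `StyleSheetHandler::ObserveProperty` (a DCHECK, so only developer and debug builds like the reporter's abort here). Class and function names, the selector grammar and the `disableObserverForCondition` switch are all assumptions of this model; the sample stylesheet is constructed from the shape quoted in the commit message.

```javascript
// Added illustration, not Blink code: a toy streaming CSS parser plus an observer that
// records rule/declaration source offsets, modelled on the commit message. An invalid
// selector leaves an unfinished rule header behind; an @supports condition parsed with a
// dummy (0, 0) range is then attributed to that rule and trips the offset check.

class RuleObserver {
  constructor() {
    this.rules = [];   // finished rules: { type, headerStart, bodyStart, bodyEnd, declarations }
    this.stack = [];   // rules whose header was seen but whose body has not ended
    this.enabled = true;
  }

  // Fix-up [2] from the commit message: a previous header that never got a body is
  // discarded whenever a new rule header is seen.
  startRuleHeader(offset, type) {
    if (!this.enabled) return;
    this.dropUnfinishedHeader();
    this.stack.push({ type, headerStart: offset, bodyStart: null, bodyEnd: null, declarations: [] });
  }

  startRuleBody(offset) {
    if (!this.enabled || this.stack.length === 0) return;
    this.stack[this.stack.length - 1].bodyStart = offset;
  }

  endRuleBody(offset) {
    if (!this.enabled) return;
    this.dropUnfinishedHeader(); // simplification so nested rule lists unwind cleanly
    const rule = this.stack.pop();
    if (!rule) return;
    rule.bodyEnd = offset;
    this.rules.push(rule);
  }

  // Like StyleSheetHandler::ObserveProperty: a declaration that is not inside a style
  // rule is ignored; one that is must carry a real (non-empty) source range.
  observeProperty(startOffset, endOffset) {
    if (!this.enabled) return;
    const rule = this.stack[this.stack.length - 1];
    if (!rule || rule.type !== 'style') return;
    if (!(startOffset < endOffset)) {
      throw new Error(`Check failed: start_offset < end_offset (${startOffset} vs. ${endOffset})`);
    }
    rule.declarations.push([startOffset, endOffset]);
  }

  dropUnfinishedHeader() {
    const top = this.stack[this.stack.length - 1];
    if (top && top.bodyStart === null) this.stack.pop();
  }
}

const SELECTOR_RE = /^(?:[a-zA-Z#.][\w#.-]*|\*)$/; // "**" is not a valid selector

function findMatchingBrace(css, open) {
  let depth = 0;
  for (let i = open; i < css.length; i++) {
    if (css[i] === '{') depth++;
    else if (css[i] === '}' && --depth === 0) return i;
  }
  return -1;
}

// "(display: flex)" is validated by parsing the inner text as a declaration. As in the
// commit message, the property is reported to the observer with dummy (0, 0) offsets
// because a condition is never meant to be observed.
function consumeSupportsCondition(condition, observer) {
  if (!/^\(\s*[a-z-]+\s*:\s*[^)]+\)$/.test(condition)) return false;
  observer.observeProperty(0, 0);
  return true;
}

function parseDeclarations(css, start, end, observer) {
  const declarations = [];
  let pos = start;
  while (pos < end) {
    let semi = css.indexOf(';', pos);
    if (semi === -1 || semi > end) semi = end;
    const text = css.slice(pos, semi);
    const m = /^\s*([a-z-]+)\s*:\s*(\S[^;]*?)\s*$/.exec(text);
    if (m) {
      observer.observeProperty(pos + text.indexOf(m[1]), semi); // real source range
      declarations.push({ property: m[1], value: m[2] });
    }
    pos = semi + 1;
  }
  return declarations;
}

function parseRuleList(css, start, end, observer, opts, out) {
  let pos = start;
  for (;;) {
    while (pos < end && /\s/.test(css[pos])) pos++;
    if (pos >= end) return out;
    const open = css.indexOf('{', pos);
    const close = open === -1 ? -1 : findMatchingBrace(css, open);
    if (open === -1 || open >= end || close === -1 || close > end) throw new Error('unterminated rule');
    const prelude = css.slice(pos, open).trim();

    if (prelude.startsWith('@supports')) {
      const condition = prelude.slice('@supports'.length).trim();
      // The condition is parsed before any rule header exists, so the fix-up in
      // startRuleHeader has not run yet. The fix: silence the observer meanwhile.
      const wasEnabled = observer.enabled;
      if (opts.disableObserverForCondition) observer.enabled = false;
      const valid = consumeSupportsCondition(condition, observer);
      observer.enabled = wasEnabled;
      if (valid) {
        observer.startRuleHeader(pos, 'supports');
        observer.startRuleBody(open);
        const children = parseRuleList(css, open + 1, close, observer, opts, []);
        observer.endRuleBody(close);
        out.push({ type: 'supports', condition, children });
      }
    } else {
      observer.startRuleHeader(pos, 'style'); // streaming: recorded before the selector is validated
      if (SELECTOR_RE.test(prelude)) {
        observer.startRuleBody(open);
        const declarations = parseDeclarations(css, open + 1, close, observer);
        observer.endRuleBody(close);
        out.push({ type: 'style', selector: prelude, declarations });
      }
      // Invalid selector: the rule is skipped, leaving a header with no body ([1]).
    }
    pos = close + 1;
  }
}

function parseStyleSheet(css, opts = { disableObserverForCondition: true }) {
  const observer = new RuleObserver();
  const rules = parseRuleList(css, 0, css.length, observer, opts, []);
  return { rules, observed: observer.rules };
}

// Constructed sample: the stylesheet shape quoted in the commit message.
const CRASHING_SHEET = '** { }\n@supports (display: flex) { }';

if (typeof require !== 'undefined' && require.main === module) {
  try { parseStyleSheet(CRASHING_SHEET, { disableObserverForCondition: false }); }
  catch (e) { console.log('before fix:', e.message); }
  console.log('after fix:', JSON.stringify(parseStyleSheet(CRASHING_SHEET).rules));
}
```

Run it with `node` to see the pre-fix failure message followed by the post-fix parse. The model keeps the two pieces the commit relies on separate: the unfinished-header fix-up lives in `startRuleHeader` (so it cannot help a condition that is parsed before any header), and the fix is applied at the call site, by disabling the observer around the condition parse, which is what the CSSParserImpl.cpp change in this commit does.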

Comment 4 by shend@chromium.org, Nov 30 2017

Status: Fixed (was: Assigned)
