Issue 810894

Issue metadata

Status: Duplicate
Merged: issue 810915
Owner: ----
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

paint crashes with perspective transform case

Reported by riajiang@chromium.org (Project Member), Feb 9 2018

Issue description

In this test case, http://output.jsbin.com/dujemuzuwe, we apply a perspective transform to a div that contains an iframe. We can paint and target correctly in the Chrome stable 64.0.3282.119 (Official Build) (64-bit) Linux build. But on ToT, it sometimes crashes immediately and sometimes loads correctly but crashes after clicking around. This is simply running Chrome without any flags.

Stack trace:

==1==ERROR: AddressSanitizer: use-after-poison on address 0x7ecbf0630518 at pc 0x7f4ad9196e56 bp 0x7ffc6c5d22d0 sp 0x7ffc6c5d22c8
READ of size 8 at 0x7ecbf0630518 thread T0 (chrome)

    #0 0x7f4ad9196e55 in operator bool /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/platform/heap/Member.h:85:43
    #1 0x7f4ad9196e55 in blink::ComputePresentationAttributeStyle(blink::Element&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/PresentationAttributeStyle.cpp:172:0
    #2 0x7f4ad9045002 in blink::Element::UpdatePresentationAttributeStyle() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:4598:7
    #3 0x7f4ad8dc87da in PresentationAttributeStyle /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.h:1231:5
    #4 0x7f4ad8dc87da in blink::StyleResolver::MatchAllRules(blink::StyleResolverState&, blink::ElementRuleCollector&, bool) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:420:0
    #5 0x7f4ad8dcca3b in blink::StyleResolver::StyleForElement(blink::Element*, blink::ComputedStyle const*, blink::ComputedStyle const*, blink::RuleMatchingBehavior) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:652:5
    #6 0x7f4ad901944b in blink::Element::OriginalStyleForLayoutObject() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2004:46
    #7 0x7f4ad9d77a11 in blink::HTMLImageElement::CustomStyleForLayoutObject() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/html/HTMLImageElement.cpp:802:14
    #8 0x7f4ad901874b in blink::Element::StyleForLayoutObject() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:1973:46
    #9 0x7f4ad901e406 in blink::Element::RecalcStyleForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2208:53
    #10 0x7f4ad8e9bc02 in blink::ContainerNode::RecalcDescendantStylesForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1307:25
    #11 0x7f4ad901e6ca in RecalcShadowIncludingDescendantStylesForReattach /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2224:3
    #12 0x7f4ad901e6ca in blink::Element::RecalcStyleForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2213:0
    #13 0x7f4ad8e9bc02 in blink::ContainerNode::RecalcDescendantStylesForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1307:25
    #14 0x7f4ad901e6ca in RecalcShadowIncludingDescendantStylesForReattach /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2224:3
    #15 0x7f4ad901e6ca in blink::Element::RecalcStyleForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2213:0
    #16 0x7f4ad8e9bc02 in blink::ContainerNode::RecalcDescendantStylesForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1307:25
    #17 0x7f4ad901e6ca in RecalcShadowIncludingDescendantStylesForReattach /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2224:3
    #18 0x7f4ad901e6ca in blink::Element::RecalcStyleForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2213:0
    #19 0x7f4ad8e9bc02 in blink::ContainerNode::RecalcDescendantStylesForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1307:25
    #20 0x7f4ad901b575 in RecalcShadowIncludingDescendantStylesForReattach /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2224:3
    #21 0x7f4ad901b575 in blink::Element::RecalcOwnStyle(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2160:0
    #22 0x7f4ad9019d7d in blink::Element::RecalcStyle(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2049:16
    #23 0x7f4ad8e9b7f8 in blink::ContainerNode::RecalcDescendantStyles(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1299:18
    #24 0x7f4ad9019fcb in blink::Element::RecalcStyle(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2075:7
    #25 0x7f4ad8e9b7f8 in blink::ContainerNode::RecalcDescendantStyles(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1299:18
    #26 0x7f4ad9019fcb in blink::Element::RecalcStyle(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2075:7
    #27 0x7f4ad8f14628 in blink::Document::UpdateStyle() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Document.cpp:2301:25
    #28 0x7f4ad8f04d6c in blink::Document::UpdateStyleAndLayoutTree() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Document.cpp:2217:3
    #29 0x7f4ad9a8f295 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3424:26
    #30 0x7f4ad9a8ff5b in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3466:17
    #31 0x7f4ad9a891d4 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursive() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3403:3
    #32 0x7f4ad9a849e5 in blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3144:3
    #33 0x7f4ad9a84193 in blink::LocalFrameView::UpdateAllLifecyclePhases() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/LocalFrameView.cpp:2965:39
    #34 0x7f4adb16a857 in blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/page/PageAnimator.cpp:100:9
    #35 0x7f4ad985d0bb in blink::WebViewImpl::UpdateLifecycle(blink::WebWidget::LifecycleUpdate) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/exported/WebViewImpl.cpp:1856:3
    #36 0x7f4ad9c0c89e in blink::WebViewFrameWidget::UpdateLifecycle(blink::WebWidget::LifecycleUpdate) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/WebViewFrameWidget.cpp:74:21
    #37 0x7f4af1c8f037 in UpdateVisualState /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/renderer/render_widget.cc:1095:19
    #38 0x7f4af1c8f037 in non-virtual thunk to content::RenderWidget::UpdateVisualState(cc::LayerTreeHostClient::VisualStateUpdate) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/renderer/render_widget.cc:0:0
    #39 0x7f4aec147650 in cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../cc/trees/proxy_main.cc:223:21
    #40 0x7f4aec1422a0 in Invoke<base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:211:12
    #41 0x7f4aec1422a0 in void base::internal::InvokeHelper<true, void>::MakeItSo<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > >(void (cc::ProxyMain::*&&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>&&, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >&&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:314:0
    #42 0x7f4aec141eda in RunImpl<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, 0, 1> /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:368:12
    #43 0x7f4aec141eda in base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunOnce(base::internal::BindStateBase*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:336:0
    #44 0x7f4af944529f in Run /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/callback.h:65:12
    #45 0x7f4af944529f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/debug/task_annotator.cc:55:0
    #46 0x7f4ad391e496 in blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::Sequence::WorkType) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/platform/scheduler/base/thread_controller_impl.cc:162:21
    #47 0x7f4ad392433b in Invoke<const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &, const blink::scheduler::internal::Sequence::WorkType &> /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:211:12
    #48 0x7f4ad392433b in MakeItSo<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::Sequence::WorkType), const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &, const blink::scheduler::internal::Sequence::WorkType &> /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:314:0
    #49 0x7f4ad392433b in RunImpl<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::Sequence::WorkType), const std::__1::tuple<base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::Sequence::WorkType> &, 0, 1> /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:368:0
    #50 0x7f4ad392433b in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::Sequence::WorkType), base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::Sequence::WorkType>, void ()>::Run(base::internal::BindStateBase*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:350:0
    #51 0x7f4af944529f in Run /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/callback.h:65:12
    #52 0x7f4af944529f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/debug/task_annotator.cc:55:0
    #53 0x7f4af94f31a1 in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/incoming_task_queue.cc:124:19
    #54 0x7f4af9501f2c in base::MessageLoop::RunTask(base::PendingTask*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_loop.cc:395:25
    #55 0x7f4af9503178 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_loop.cc:407:5
    #56 0x7f4af9503ab6 in base::MessageLoop::DoWork() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_loop.cc:451:16
    #57 0x7f4af950aaf9 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_pump_default.cc:37:31
    #58 0x7f4af9500848 in base::MessageLoop::Run(bool) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_loop.cc:346:12
    #59 0x7f4af95ccfea in base::RunLoop::Run() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/run_loop.cc:133:14
    #60 0x7f4af1cd88a3 in content::RendererMain(content::MainFunctionParams const&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/renderer/renderer_main.cc:241:23
    #61 0x7f4af232f706 in content::RunZygote(content::ContentMainDelegate*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/app/content_main_runner.cc:352:14
    #62 0x7f4af2330a4b in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/app/content_main_runner.cc:431:12
    #63 0x7f4af2334139 in content::ContentMainRunnerImpl::Run() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/app/content_main_runner.cc:713:12
    #64 0x7f4af9ba3f0b in service_manager::Main(service_manager::MainParams const&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../services/service_manager/embedder/main.cc:456:29
    #65 0x7f4af232ee74 in content::ContentMain(content::ContentMainParams const&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/app/content_main.cc:19:10
    #66 0x55d693920f40 in ChromeMain /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../chrome/app/chrome_main.cc:144:12
    #67 0x7f4ac898a2b0 in __libc_start_main ??:0:0


Address 0x7ecbf0630518 is a wild pointer.
SUMMARY: AddressSanitizer: use-after-poison (/usr/local/google/home/riajiang/chromium/src/out/oxygencros/./libblink_core.so+0x494ae55) 
Shadow bytes around the buggy address:
  0x0fd9fe0be050: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd9fe0be060: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd9fe0be070: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd9fe0be080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd9fe0be090: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0fd9fe0be0a0: f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd9fe0be0b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd9fe0be0c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd9fe0be0d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd9fe0be0e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd9fe0be0f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ABORTING

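As an added example (not part of this issue or of Chromium's own tooling), the following Python parses the kind of AddressSanitizer report quoted above into the fields a crash-triage pipeline keys on: error type, faulting access, source-relative top frames for a deduplication signature, and the marked shadow byte, whose legend entry (f7, Poisoned by user) indicates memory poisoned by an application-level allocator such as Blink's Oilpan garbage-collected heap rather than freed by malloc. The sample input is abbreviated from the report above.

```python
import re

# Constructed sample, abbreviated from the ASan report quoted in this issue so
# the example runs offline: header, the top three frames, and the shadow line.
SAMPLE_REPORT = """\
==1==ERROR: AddressSanitizer: use-after-poison on address 0x7ecbf0630518 at pc 0x7f4ad9196e56 bp 0x7ffc6c5d22d0 sp 0x7ffc6c5d22c8
READ of size 8 at 0x7ecbf0630518 thread T0 (chrome)
    #0 0x7f4ad9196e55 in operator bool /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/platform/heap/Member.h:85:43
    #1 0x7f4ad9196e55 in blink::ComputePresentationAttributeStyle(blink::Element&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/PresentationAttributeStyle.cpp:172:0
    #2 0x7f4ad9045002 in blink::Element::UpdatePresentationAttributeStyle() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:4598:7
Address 0x7ecbf0630518 is a wild pointer.
=>0x0fd9fe0be0a0: f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)", re.M)
# Function names may contain spaces ("operator bool"); the path is the last token before :line:col.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<path>\S+):(?P<line>\d+):\d+$", re.M)
SHADOW_RE = re.compile(r"^=>.*\[(?P<byte>[0-9a-f]{2})\]", re.M)

# Subset of the shadow-byte legend ASan prints with every report.
SHADOW_LEGEND = {"00": "Addressable", "fa": "Heap left redzone", "fd": "Freed heap region",
                 "f7": "Poisoned by user", "f8": "Stack use after scope"}


def source_relative(path):
    """Strip the out/<build>/../../ prefix so frames compare across checkouts."""
    return path.split("../../", 1)[-1]


def parse_asan_report(text):
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer report")
    report = {"kind": m.group("kind"), "address": m.group("addr"), "frames": []}
    a = ACCESS_RE.search(text)
    if a:
        report["access"] = a.group("op")
        report["size"] = int(a.group("size"))
    for f in FRAME_RE.finditer(text):
        report["frames"].append({"index": int(f.group("n")), "function": f.group("func"),
                                 "file": source_relative(f.group("path")), "line": int(f.group("line"))})
    s = SHADOW_RE.search(text)
    if s:
        report["shadow_byte"] = s.group("byte")
        report["shadow_meaning"] = SHADOW_LEGEND.get(s.group("byte"), "unknown")
    return report


def crash_signature(report, depth=3):
    """Dedup key: error kind plus the top frames' function names without argument lists."""
    funcs = [fr["function"].split("(")[0] for fr in report["frames"][:depth]]
    return report["kind"] + "|" + "|".join(funcs)


if __name__ == "__main__":
    print(crash_signature(parse_asan_report(SAMPLE_REPORT)))
```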
Components: -Blink>Paint Blink>CSS
Owner: ----
Labels: Restrict-View-SecurityTeam
Mergedinto: 810915
Status: Duplicate (was: Untriaged)

Comment 3 by sheriffbot@chromium.org (Project Member), May 20 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot