3 content_unittests fail with invalid downcast on ubsan bots after https://chromium-review.googlesource.com/c/chromium/src/+/1042351
Issue description

Started here: https://ci.chromium.org/buildbot/chromium.clang/ToTLinuxUBSanVptr/2809 (swarming.summary)

RenderWidgetHostAsyncWheelEventsEnabledTest.InputEventRWHLatencyComponent
RenderWidgetHostWheelScrollLatchingDisabledTest.InputEventRWHLatencyComponent
RenderWidgetHostTest.InputEventRWHLatencyComponent

[ RUN ] RenderWidgetHostAsyncWheelEventsEnabledTest.InputEventRWHLatencyComponent
../../content/browser/renderer_host/render_widget_host_unittest.cc:244:12: runtime error: downcast of address 0x16d204be5000 which does not point to an object of type 'content::MockInputRouter'
0x16d204be5000: note: object is of type 'content::InputRouterImpl'
 00 00 00 00 d8 8d b2 15 00 00 00 00 38 8f b2 15 00 00 00 00 68 8f b2 15 00 00 00 00 98 8f b2 15
             ^~~~~~~~~~~~~~~~~~~~~~~
             vptr for 'content::InputRouterImpl'
    #0 0x401e53c (/b/s/w/ir/out/Release/content_unittests+0x401e53c)
    #1 0x631ae05 (/b/s/w/ir/out/Release/content_unittests+0x631ae05)
    #2 0x631cd9b (/b/s/w/ir/out/Release/content_unittests+0x631cd9b)
    #3 0x631e702 (/b/s/w/ir/out/Release/content_unittests+0x631e702)
    #4 0x6335d77 (/b/s/w/ir/out/Release/content_unittests+0x6335d77)
    #5 0x6334c9a (/b/s/w/ir/out/Release/content_unittests+0x6334c9a)
    #6 0x9450c78 (/b/s/w/ir/out/Release/content_unittests+0x9450c78)
    #7 0x945d6c1 (/b/s/w/ir/out/Release/content_unittests+0x945d6c1)
    #8 0x945d4ee (/b/s/w/ir/out/Release/content_unittests+0x945d4ee)
    #9 0x554640b (/b/s/w/ir/out/Release/content_unittests+0x554640b)
    #10 0x7efe5598ff44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #11 0x2306029 (/b/s/w/ir/out/Release/content_unittests+0x2306029)

[ RUN ] RenderWidgetHostWheelScrollLatchingDisabledTest.InputEventRWHLatencyComponent
../../content/browser/renderer_host/render_widget_host_unittest.cc:244:12: runtime error: downcast of address 0x07a741560000 which does not point to an object of type 'content::MockInputRouter'
0x07a741560000: note: object is of type 'content::InputRouterImpl'
 00 00 00 00 d8 8d b2 15 00 00 00 00 38 8f b2 15 00 00 00 00 68 8f b2 15 00 00 00 00 98 8f b2 15
             ^~~~~~~~~~~~~~~~~~~~~~~
             vptr for 'content::InputRouterImpl'
    #0 0x401e53c (/b/s/w/ir/out/Release/content_unittests+0x401e53c)
    #1 0x631ae05 (/b/s/w/ir/out/Release/content_unittests+0x631ae05)
    #2 0x631cd9b (/b/s/w/ir/out/Release/content_unittests+0x631cd9b)
    #3 0x631e702 (/b/s/w/ir/out/Release/content_unittests+0x631e702)
    #4 0x6335d77 (/b/s/w/ir/out/Release/content_unittests+0x6335d77)
    #5 0x6334c9a (/b/s/w/ir/out/Release/content_unittests+0x6334c9a)
    #6 0x9450c78 (/b/s/w/ir/out/Release/content_unittests+0x9450c78)
    #7 0x945d6c1 (/b/s/w/ir/out/Release/content_unittests+0x945d6c1)
    #8 0x945d4ee (/b/s/w/ir/out/Release/content_unittests+0x945d4ee)
    #9 0x554640b (/b/s/w/ir/out/Release/content_unittests+0x554640b)
    #10 0x7f2931e00f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #11 0x2306029 (/b/s/w/ir/out/Release/content_unittests+0x2306029)

[ RUN ] RenderWidgetHostTest.InputEventRWHLatencyComponent
../../content/browser/renderer_host/render_widget_host_unittest.cc:244:12: runtime error: downcast of address 0x1e35f5a78000 which does not point to an object of type 'content::MockInputRouter'
0x1e35f5a78000: note: object is of type 'content::InputRouterImpl'
 00 00 00 00 d8 8d b2 15 00 00 00 00 38 8f b2 15 00 00 00 00 68 8f b2 15 00 00 00 00 98 8f b2 15
             ^~~~~~~~~~~~~~~~~~~~~~~
             vptr for 'content::InputRouterImpl'
    #0 0x401e53c (/b/s/w/ir/out/Release/content_unittests+0x401e53c)
    #1 0x631ae05 (/b/s/w/ir/out/Release/content_unittests+0x631ae05)
    #2 0x631cd9b (/b/s/w/ir/out/Release/content_unittests+0x631cd9b)
    #3 0x631e702 (/b/s/w/ir/out/Release/content_unittests+0x631e702)
    #4 0x6335d77 (/b/s/w/ir/out/Release/content_unittests+0x6335d77)
    #5 0x6334c9a (/b/s/w/ir/out/Release/content_unittests+0x6334c9a)
    #6 0x9450c78 (/b/s/w/ir/out/Release/content_unittests+0x9450c78)
    #7 0x945d6c1 (/b/s/w/ir/out/Release/content_unittests+0x945d6c1)
    #8 0x945d4ee (/b/s/w/ir/out/Release/content_unittests+0x945d4ee)
    #9 0x554640b (/b/s/w/ir/out/Release/content_unittests+0x554640b)
    #10 0x7f395b959f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #11 0x2306029 (/b/s/w/ir/out/Release/content_unittests+0x2306029)
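As an added example (not code from Chromium or from this CL), a minimal C++ model of the downcast the vptr sanitizer reports above: the class names mirror the page, but their bodies, the RenderWidgetHost stand-in and the two helper functions are invented for illustration.

```cpp
#include <memory>
#include <string>
#include <utility>

// Invented stand-ins for the page's classes: both routers implement one
// interface, and the mock is a sibling of the real router, not a subclass.
class InputRouter {
 public:
  virtual ~InputRouter() = default;
  virtual std::string Name() const = 0;
};

class InputRouterImpl : public InputRouter {
 public:
  std::string Name() const override { return "InputRouterImpl"; }
};

class MockInputRouter : public InputRouter {
 public:
  std::string Name() const override { return "MockInputRouter"; }
  int sent_events = 0;  // extra state that InputRouterImpl does not carry
};

// The failing pattern: assuming the host's router is always the mock. Under
// -fsanitize=vptr this static_cast is reported as "downcast of address ...
// which does not point to an object of type 'content::MockInputRouter'" when
// the object is really an InputRouterImpl; without the sanitizer, reading
// sent_events through the result is silent type confusion.
MockInputRouter* UncheckedAsMock(InputRouter* router) {
  return static_cast<MockInputRouter*>(router);
}

// The checked form: dynamic_cast consults RTTI and yields nullptr for any object that is not a MockInputRouter.
MockInputRouter* CheckedAsMock(InputRouter* router) {
  return dynamic_cast<MockInputRouter*>(router);
}

// A host that owns an InputRouterImpl unless a test installs the mock. Tests
// should keep the typed pointer returned here instead of downcasting later.
class RenderWidgetHost {
 public:
  InputRouter* input_router() { return router_.get(); }
  MockInputRouter* SetMockInputRouter(std::unique_ptr<MockInputRouter> mock) {
    MockInputRouter* raw = mock.get();
    router_ = std::move(mock);
    return raw;
  }
 private:
  std::unique_ptr<InputRouter> router_ = std::make_unique<InputRouterImpl>();
};
```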
Jun 7 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2eec314f52989e78e862da1675b0d095e9629197

commit 2eec314f52989e78e862da1675b0d095e9629197
Author: Xida Chen <xidachen@chromium.org>
Date: Thu Jun 07 11:42:42 2018

Reland of: Make TouchActionFilter::allowed_touch_action_ optional

The original CL was reverted because of multiple failures; this CL fixes them one by one and lists them here. The first patch set is exactly the same as the one that was reverted, so that it is easier to review.

1. crbug.com/845012
The original CL caused 3 tests to fail on multiple bots because of an illegal downcast from MockInputRouter to InputRouter. PS#3 should have that fixed.

2. crbug.com/845063, crbug.com/844858, crbug.com/845150
The problem is due to calling ResetTouchAction at GSE in cases where it should not. In a typical fling sequence, we have GSB, then a bunch of GSU, then a FlingStart, then another bunch of GSU, and then a GSE. If we have an in-flight fling and we start a second fling sequence before GSE of the first fling, then OnSetTouchAction is called for the second gesture sequence and that sets the |allowed_touch_action_|. After that, GSE of the first fling comes, which resets the |allowed_touch_action_|. Then when the GSB of the second fling comes it doesn't have a valid touch action to start with, which results in the crash. This is now fixed by using another member |scrolling_touch_action_|, which takes over the value in the |allowed_touch_action_| when there is a touch sequence end. So we reset the |allowed_touch_action_| at each touch sequence end, and if that is not the gesture sequence end, we will keep using the |scrolling_touch_action_| until the next TapDown.

3. crbug.com/845153
Tested this locally. The problem is JS injecting a touch event handler in the middle of a gesture sequence. In my original CL, when we saw a touch event handler, we called ResetTouchAction(). If that happens in the middle of a gesture sequence, then allowed_touch_action_ has no value when subsequent gesture events come, which results in the crash. This is also solved by using the |scrolling_touch_action_|, which will not be reset when JS injects a touch event handler.

TBR=pdr@chromium.org, piman@chromium.org
Bug: 845012, 845063, 844858, 845153, 845150
Change-Id: I4f1e1deff71db4587fb42c38f87ccb1cb7311cdc
Reviewed-on: https://chromium-review.googlesource.com/1068204
Commit-Queue: Xida Chen <xidachen@chromium.org>
Reviewed-by: Robert Flack <flackr@chromium.org>
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Cr-Commit-Position: refs/heads/master@{#565233}

[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/chrome/browser/password_manager/password_manager_browsertest.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/frame_host/cross_process_frame_connector.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/input/compositor_event_ack_browsertest.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/input/input_router.h
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/input/input_router_impl.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/input/input_router_impl.h
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/input/input_router_impl_unittest.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/input/touch_action_filter.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/input/touch_action_filter.h
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/input/touch_action_filter_unittest.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/input/touch_selection_controller_client_aura_browsertest.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/render_widget_host_input_event_router.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/render_widget_host_unittest.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/renderer_host/render_widget_host_view_aura_unittest.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/site_per_process_browsertest.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/browser/site_per_process_hit_test_browsertest.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/public/test/browser_test_utils.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/content/public/test/browser_test_utils.h
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/third_party/blink/public/platform/web_gesture_event.h
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/third_party/blink/renderer/core/exported/web_page_popup_impl.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/third_party/blink/renderer/core/input/touch_action_test.cc
[modify] https://crrev.com/2eec314f52989e78e862da1675b0d095e9629197/third_party/blink/renderer/core/input/touch_event_manager.cc
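As an added example (not code from Chromium or from this CL), a toy C++ model built only from point 2 of the commit message above: the TouchActionFilter, Event and TouchAction names are stand-ins, and a constructor flag selects the reverted behaviour (reset at GSE) or the relanded one (hand-over to scrolling_touch_action_ at touch-sequence end) so the overlapping-fling sequence can be run both ways.

```cpp
#include <initializer_list>
#include <optional>

// Stand-in values and events; Chromium's real enums are larger.
enum class TouchAction { kPanX, kPanY };
enum class Event { kTapDown, kTouchEnd, kGSB, kGSU, kFlingStart, kGSE };

class TouchActionFilter {
 public:
  // fixed=true models the reland (scrolling_touch_action_ takes over at
  // touch-sequence end); fixed=false models the reverted CL (reset at GSE).
  explicit TouchActionFilter(bool fixed) : fixed_(fixed) {}
  void OnSetTouchAction(TouchAction a) { allowed_touch_action_ = a; }

  // Returns false when a GSB finds no touch action to consult: the empty
  // optional that the commit message describes as the crash.
  bool Filter(Event e) {
    switch (e) {
      case Event::kTapDown: scrolling_touch_action_.reset(); break;
      case Event::kTouchEnd:  // reland: hand over, then reset allowed_touch_action_
        if (fixed_) { scrolling_touch_action_ = allowed_touch_action_; allowed_touch_action_.reset(); }
        break;
      case Event::kGSB: return Current().has_value();
      case Event::kGSE: if (!fixed_) allowed_touch_action_.reset(); break;  // reverted CL
      default: break;
    }
    return true;
  }

 private:
  std::optional<TouchAction> Current() const {
    return allowed_touch_action_ ? allowed_touch_action_ : scrolling_touch_action_;
  }
  bool fixed_;
  std::optional<TouchAction> allowed_touch_action_;
  std::optional<TouchAction> scrolling_touch_action_;
};

// The overlapping-fling sequence from the commit message: the second
// sequence's touch action is set before the first fling's GSE arrives.
bool RunOverlappingFlings(bool fixed) {
  TouchActionFilter f(fixed);
  f.Filter(Event::kTapDown);
  f.OnSetTouchAction(TouchAction::kPanY);
  bool ok = f.Filter(Event::kGSB);
  for (Event e : {Event::kGSU, Event::kTouchEnd, Event::kFlingStart, Event::kGSU})
    ok = ok && f.Filter(e);
  f.Filter(Event::kTapDown);           // second sequence starts
  f.OnSetTouchAction(TouchAction::kPanX);
  ok = ok && f.Filter(Event::kGSE);    // GSE of the first fling
  return ok && f.Filter(Event::kGSB);  // GSB of the second fling
}
```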
Comment 1 by thakis@chromium.org, May 20 2018