CHECK failure: paint_layer_.GetLayoutObject().GetDocument().Lifecycle().GetState() >= DocumentL
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4896301444235264

Fuzzer: miaubiz_svg_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  paint_layer_.GetLayoutObject().GetDocument().Lifecycle().GetState() >= DocumentL
  blink::PaintLayerPainter::PaintLayerContents
  blink::PaintLayerPainter::PaintSingleFragment

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=562111:562113

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4896301444235264

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
May 28 2018

May 28 2018
Predator could not provide any possible suspects. From the above provided regression range, observing some changes related to file 'paint_layer_painter.cc', hence suspecting the same: https://chromium.googlesource.com/chromium/src/+/df8d1da7be3dec0b3ba6ba8d267fcd7e7ade3d55

wangxianzhu@ -- could you please check whether this is caused by your change; if not, please help us in assigning it to the right owner. Thanks!
May 31 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b92721ffcf7a29479e205c722c6d8e06228c9221

commit b92721ffcf7a29479e205c722c6d8e06228c9221
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Thu May 31 16:20:00 2018

[PE] Avoid crash when updating filter which references a foreign object

For now we update filters during PrePaint. If the filter references a foreign object, we may enter PaintLayerPainter::PaintContents for the layer of the foreign object without proper paint properties. Now skip painting in that case.

crbug.com/848056 will track the solution for the root cause.

Bug: 847019, 846227, 848056
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I5862268bc75d51526cafe3cd0fc5114bf0efa415
Reviewed-on: https://chromium-review.googlesource.com/1080147
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#563267}

[add] https://crrev.com/b92721ffcf7a29479e205c722c6d8e06228c9221/third_party/WebKit/LayoutTests/paint/filters/feimage-circular-reference-foreign-object-crash.html
[add] https://crrev.com/b92721ffcf7a29479e205c722c6d8e06228c9221/third_party/WebKit/LayoutTests/paint/filters/feimage-reference-foreign-object-crash.html
[modify] https://crrev.com/b92721ffcf7a29479e205c722c6d8e06228c9221/third_party/blink/renderer/core/paint/paint_layer_painter.cc
Jun 1 2018
ClusterFuzz has detected this issue as fixed in range 563253:563267.

Detailed report: https://clusterfuzz.com/testcase?key=4896301444235264

Fuzzer: miaubiz_svg_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  paint_layer_.GetLayoutObject().GetDocument().Lifecycle().GetState() >= DocumentL
  blink::PaintLayerPainter::PaintLayerContents
  blink::PaintLayerPainter::PaintSingleFragment

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=562111:562113
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=563253:563267

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4896301444235264

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 1 2018
ClusterFuzz testcase 4896301444235264 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/37ea3d17b12d523f53c435d83345c185732763b5

commit 37ea3d17b12d523f53c435d83345c185732763b5
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Wed Jun 06 21:21:40 2018

[PE] Avoid crash when updating filter which references a foreign object

For now we update filters during PrePaint. If the filter references a foreign object, we may enter PaintLayerPainter::PaintContents for the layer of the foreign object without proper paint properties. Now skip painting in that case.

crbug.com/848056 will track the solution for the root cause.

TBR=wangxianzhu@chromium.org

(cherry picked from commit b92721ffcf7a29479e205c722c6d8e06228c9221)

Bug: 847019, 846227, 848056
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I5862268bc75d51526cafe3cd0fc5114bf0efa415
Reviewed-on: https://chromium-review.googlesource.com/1080147
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#563267}
Reviewed-on: https://chromium-review.googlesource.com/1089801
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#222}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}

[add] https://crrev.com/37ea3d17b12d523f53c435d83345c185732763b5/third_party/WebKit/LayoutTests/paint/filters/feimage-circular-reference-foreign-object-crash.html
[add] https://crrev.com/37ea3d17b12d523f53c435d83345c185732763b5/third_party/WebKit/LayoutTests/paint/filters/feimage-reference-foreign-object-crash.html
[modify] https://crrev.com/37ea3d17b12d523f53c435d83345c185732763b5/third_party/blink/renderer/core/paint/paint_layer_painter.cc
Comment 1 by ClusterFuzz, May 27 2018