Stack-overflow in blink::Element::DetachLayoutTree
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5495104174030848

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffd712b3b38
Crash State:
  blink::Element::DetachLayoutTree
  LazyReattachIfAttached
  blink::HTMLSlotElement::DetachLayoutTree

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=528926:528927

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5495104174030848

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
May 27 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/4f17bd28170e9cfb6b67bc1c37828ce99bc211d9 (Convert V0 UA shadow in <select>, <option>, <optgroup> to use V1). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 4 2018
This should be shadow dom v1 specific.
Jun 13 2018
Manually minimized the test case.
<!doctype html>
<select id="select1"><option id="option1"></option></select>
<script>
// trigger 1st style recalc
document.body.offsetTop;
// detach <select> and <option>
var select1 = document.getElementById('select1');
select1.remove();
var span1 = document.createElement('span');
var option1 = select1.firstChild;
option1.appendChild(span1);
// attach <option>
// => body-option-span
document.body.appendChild(option1);
// trigger 2nd style recalc
document.body.offsetTop;
// body-option-span-select
span1.appendChild(select1);
// Trigger detach for <option>
option1.innerHTML = '';
</script>
Jun 13 2018
And it could be reproduced with a non-UA shadow root (with the same DOM tree structure).
<!doctype html>
<div id="div1"><div id="div2"></div></div>
<script>
const div1 = document.getElementById('div1');
const div2 = document.getElementById('div2');
div1.attachShadow({mode: 'open'}).innerHTML='<slot></slot>';
div2.attachShadow({mode: 'open'}).innerHTML='<slot></slot>';
document.body.offsetTop;
div1.remove();
const span = document.createElement('span');
div2.appendChild(span);
document.body.appendChild(div2);
document.body.offsetTop;
span.appendChild(div1);
div2.innerHTML = '';
</script>
Jun 15 2018
The test case in #c7 fails on today's stable (M67), and this is not a recent regression from enabling Incremental Shadow DOM. Tried bisecting and reached https://chromium.googlesource.com/chromium/src/+/27b6c9581a94a58d6342a3a425edcc4afa7a09b5
> Rewrite Shadow DOM v1 distribution engine on the top of a new slotchange concept
> Hayato Ito <hayato@chromium.org>
> Fri Jun 16 08:57:30 2017
Jun 15 2018
P2 makes sense. Thank you for the investigation.
Jun 15 2018
Issue 852363 has been merged into this issue.
Jun 15 2018
Issue 848687 has been merged into this issue.
Jun 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/233a440f297a09f626a35193fc0d1b3d981f5b5b

commit 233a440f297a09f626a35193fc0d1b3d981f5b5b
Author: Takayoshi Kochi <kochi@chromium.org>
Date: Fri Jun 15 14:25:21 2018

Clear slot's assigned nodes when it's inserted and assigned nodes are dirty

Between when a host element with its shadow root gets orphaned and when it gets connected again, its slot assignment can become dirty by some DOM mutation of its host children, but slots still hold stale assigned nodes. When a detached host child becomes an ancestor of the shadow host, unless those cached assigned nodes are cleared, it can make a cycle while DetachLayoutTree() traverses down to those cached nodes. See the case (cyclic-detach-crash2.html) for details.

Bug: 847056, 845770
Change-Id: I44d3c118c9810ad3847fa24d630b7ddb9f9d2e50
Reviewed-on: https://chromium-review.googlesource.com/1100718
Reviewed-by: Hayato Ito <hayato@chromium.org>
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Takayoshi Kochi <kochi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#567636}

[modify] https://crrev.com/233a440f297a09f626a35193fc0d1b3d981f5b5b/third_party/WebKit/LayoutTests/shadow-dom/crashes/cyclic-detach-crash.html
[add] https://crrev.com/233a440f297a09f626a35193fc0d1b3d981f5b5b/third_party/WebKit/LayoutTests/shadow-dom/crashes/cyclic-detach-crash2.html
[modify] https://crrev.com/233a440f297a09f626a35193fc0d1b3d981f5b5b/third_party/blink/renderer/core/html/html_slot_element.cc
[modify] https://crrev.com/233a440f297a09f626a35193fc0d1b3d981f5b5b/third_party/blink/renderer/core/html/html_slot_element.h
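Added illustration (not a comment from the thread and not Blink code): a toy model of the cycle the commit message describes, walking the non-UA repro from #c7 step by step. The names TNode, TSlot, insertedInto, recalcStyle, detachLayoutTree and runRepro are invented for the model; a host holds one slot whose cached assignment is only recomputed for connected nodes, and the detach walk visits children, the shadow slot, and a slot's cached assigned nodes. Where Blink recursed until the stack was exhausted (the ASan stack-overflow above), the model keeps the current path and throws as soon as a node reappears on it. With `clearStaleOnInsert` set, a slot whose assignment is dirty drops its cached nodes on insertion, which is the rule the commit adds.

```javascript
'use strict';

// Toy DOM node. A shadow host gets { slot, assignmentDirty } from attachShadow().
class TNode {
  constructor(name) {
    this.name = name;
    this.parent = null;
    this.children = [];
    this.shadowRoot = null;
  }
  attachShadow() {
    // One <slot> per shadow root; its assignment is computed lazily at "style recalc".
    this.shadowRoot = { slot: new TSlot(this.name + '#slot'), assignmentDirty: true };
    return this.shadowRoot;
  }
  appendChild(child, clearStaleOnInsert) {
    if (child.parent) child.parent.removeChild(child);
    child.parent = this;
    this.children.push(child);
    if (this.shadowRoot) this.shadowRoot.assignmentDirty = true; // host children changed
    insertedInto(child, clearStaleOnInsert);
    return child;
  }
  removeChild(child) {
    this.children = this.children.filter((c) => c !== child);
    child.parent = null;
    if (this.shadowRoot) this.shadowRoot.assignmentDirty = true; // host children changed
  }
  remove() { if (this.parent) this.parent.removeChild(this); }
}

// A slot caches the nodes assigned to it; the cache is the stale pointer in this bug.
class TSlot extends TNode {
  constructor(name) { super(name); this.assignedNodes = []; }
}

// Runs for every node of an inserted subtree. With clearStaleOnInsert, a host whose
// slot assignment is dirty drops the cached assigned nodes (the modelled fix).
function insertedInto(node, clearStaleOnInsert) {
  if (clearStaleOnInsert && node.shadowRoot && node.shadowRoot.assignmentDirty) {
    node.shadowRoot.slot.assignedNodes = [];
  }
  for (const c of node.children) insertedInto(c, clearStaleOnInsert);
}

// "Style recalc": only the connected tree is walked, so a host that was removed
// keeps whatever its slot cached before the removal.
function recalcStyle(node) {
  if (node.shadowRoot && node.shadowRoot.assignmentDirty) {
    node.shadowRoot.slot.assignedNodes = node.children.slice();
    node.shadowRoot.assignmentDirty = false;
  }
  for (const c of node.children) recalcStyle(c);
}

// Detach walk: children, then the shadow slot, and for a slot its cached assigned
// nodes. A node already on the current path means unbounded recursion in the
// real engine; the model reports it instead of blowing the stack.
function detachLayoutTree(node, path = [], visited = []) {
  if (path.includes(node)) {
    throw new Error('cycle: ' + [...path, node].map((n) => n.name).join(' -> '));
  }
  path.push(node);
  visited.push(node.name);
  for (const c of node.children) detachLayoutTree(c, path, visited);
  if (node.shadowRoot) detachLayoutTree(node.shadowRoot.slot, path, visited);
  if (node instanceof TSlot) {
    for (const n of node.assignedNodes) detachLayoutTree(n, path, visited);
  }
  path.pop();
  return visited;
}

// The div1/div2 repro from #c7, in the same order as the page's script.
function runRepro(clearStaleOnInsert) {
  const body = new TNode('body');
  const div1 = new TNode('div1');
  const div2 = new TNode('div2');
  body.appendChild(div1, clearStaleOnInsert);
  div1.appendChild(div2, clearStaleOnInsert);
  div1.attachShadow();
  div2.attachShadow();
  recalcStyle(body);                               // div1's slot now caches [div2]
  div1.remove();                                   // div1 is disconnected; cache untouched
  const span = new TNode('span');
  div2.appendChild(span, clearStaleOnInsert);
  body.appendChild(div2, clearStaleOnInsert);      // div1's assignment goes dirty, but div1 is not connected
  recalcStyle(body);                               // div2's slot gets [span]; div1 is never visited
  span.appendChild(div1, clearStaleOnInsert);      // body > div2 > span > div1; div1's slot still points at div2
  try {
    return { cycle: false, visited: detachLayoutTree(span) }; // what div2.innerHTML = '' triggers
  } catch (e) {
    return { cycle: true, path: e.message };
  }
}
```

Without the fix `runRepro(false)` reports the path span -> div1 -> div1#slot -> div2 -> span, i.e. the slot's stale pointer leads back to an ancestor of its own host; with the fix the walk from span ends after div1 and its (now empty) slot.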
Jun 16 2018
ClusterFuzz has detected this issue as fixed in range 567635:567636.

Detailed report: https://clusterfuzz.com/testcase?key=5495104174030848

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffd712b3b38
Crash State:
  blink::Element::DetachLayoutTree
  LazyReattachIfAttached
  blink::HTMLSlotElement::DetachLayoutTree

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=528926:528927
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=567635:567636

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5495104174030848

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 16 2018
ClusterFuzz testcase 5495104174030848 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, May 27 2018. Labels: Test-Predator-Auto-Components