Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Looks a Shadow-DOM issue.

This can be same as:
https://bugs.chromium.org/p/chromium/issues/detail?id=846495

I will take this one.

kochi@, this is a P1, and can be a regression, so it would be nice to triage this surely.

+fergal, rakina, yosin,

cc-ing you, because you would be interested in DOM bugs.

This is in my P1 queue after  issue 847056  and  issue 848687 .
The clusterfuzz repro is working locally, but still not sure if they are
all same issue or not, I'm still investigating.  If anyone can help, it's
also appreciated.

When we talked last week you though they may all be symptoms of the same bug? If you think that's not true, I'm happy to take a look at one of them in parallel.

The hayato's one was different from this and ones in #c6.
If you could take a look it's appreciated.

Attaching a simpler repro case. The key seems to be the 0-ms timeout callback at the end. On content_shell with --run-web-tests it does not execute reliably and so the bug only reproduces sometimes. On a real browser it crashes consistently.

The very weird thing is adding

  function sleep(ms) {
      await new Promise(resolve => setTimeout(resolve, ms));
  }

to the test case prevents the crash. It is not necessary to even call it, it seems like just the presence of "await" stops the crash. I don't understand that but it seems like some kind of threading bug and maybe using await forces different threading semantics.

Deleted: repro-849025.html 1.1 KB

repro-849025.html 1.1 KB View Download

The bottom of the stack trace looks like

#94207 0x000000000b66ee44 in DetachLayoutTree() () at ../../third_party/blink/renderer/core/html/html_slot_element.cc:371
#94208 0x000000000a81f3ca in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/container_node.cc:989
#94209 0x000000000aadd16d in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/shadow_root.cc:190
#94210 0x000000000a981f36 in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/element.cc:2052
#94211 0x000000000b4b6685 in DetachLayoutTree() () at ../../third_party/blink/renderer/core/html/forms/html_select_element.cc:1997
#94212 0x000000000a81f3ca in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/container_node.cc:989
#94213 0x000000000aadd16d in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/shadow_root.cc:190
#94214 0x000000000a981f36 in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/element.cc:2052
#94215 0x000000000a88932a in LazyReattachIfAttached() () at ../../third_party/blink/renderer/core/dom/node.h:1044
#94216 0x000000000b66ee44 in DetachLayoutTree() () at ../../third_party/blink/renderer/core/html/html_slot_element.cc:371
#94217 0x000000000a81f3ca in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/container_node.cc:989
#94218 0x000000000a981fa9 in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/element.cc:2055
#94219 0x000000000a81f3ca in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/container_node.cc:989
#94220 0x000000000aadd16d in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/shadow_root.cc:190
#94221 0x000000000a981f36 in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/element.cc:2052
#94222 0x000000000a81f3ca in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/container_node.cc:989
#94223 0x000000000a981fa9 in DetachLayoutTree() () at ../../third_party/blink/renderer/core/dom/element.cc:2055
#94224 0x000000000a88932a in LazyReattachIfAttached() () at ../../third_party/blink/renderer/core/dom/node.h:1044
#94225 0x000000000aaea4a4 in RecalcAssignment() () at ../../third_party/blink/renderer/core/dom/slot_assignment.cc:258
#94226 0x000000000aaed3d7 in RecalcSlotAssignments() () at ../../third_party/blink/renderer/core/dom/slot_assignment_engine.cc:49
#94227 0x000000000a866243 in UpdateStyleAndLayoutTree() () at ../../third_party/blink/renderer/core/dom/document.cc:2107
#94228 0x000000000b0f9fc9 in UpdateStyleAndLayoutIfNeededRecursiveInternal() () at ../../third_party/blink/renderer/core/frame/local_frame_view.cc:3351
#94229 0x000000000b0ef5ea in UpdateStyleAndLayoutIfNeededRecursive() () at ../../third_party/blink/renderer/core/frame/local_frame_view.cc:3330
#94230 0x000000000b0e8850 in UpdateLifecyclePhasesInternal() () at ../../third_party/blink/renderer/core/frame/local_frame_view.cc:2968
#94231 0x000000000c3b19fc in UpdateAllLifecyclePhases() () at ../../third_party/blink/renderer/core/page/page_animator.cc:104
#94232 0x000000000ae5166d in UpdateLifecycle() () at ../../third_party/blink/renderer/core/exported/web_view_impl.cc:1777
#94233 0x000000000f4b5cf6 in content::RenderWidget::UpdateVisualState(cc::LayerTreeHostClient::VisualStateUpdate) () at ../../content/renderer/render_widget.cc:999
#94234 0x00000000088d8437 in DoBeginMainFrame() () at ../../cc/trees/single_thread_proxy.cc:766
#94235 0x00000000088d7278 in CompositeImmediately() () at ../../cc/trees/single_thread_proxy.cc:523
#94236 0x000000000e79f46b in SynchronouslyComposite() () at ../../content/renderer/gpu/render_widget_compositor.cc:1088
#94237 0x000000000e7a0742 in SynchronouslyCompositeNoRasterForTesting() () at ../../content/renderer/gpu/render_widget_compositor.cc:1054
#94238 0x000000000f91a190 in AnimateNow() () at ../../content/shell/test_runner/web_widget_test_client.cc:53
#94239 0x00000000063ed6cc in RunTask() () at ../../base/callback.h:96
#94240 0x00000000063ed6cc in RunTask() () at ../../base/debug/task_annotator.cc:101
#94241 0x000000000484de8e in DoWork() () at ../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166
#94242 0x00000000063ed6cc in RunTask() () at ../../base/callback.h:96
#94243 0x00000000063ed6cc in RunTask() () at ../../base/debug/task_annotator.cc:101
#94244 0x000000000642ba24 in RunTask() () at ../../base/message_loop/message_loop.cc:319
#94245 0x000000000642c367 in DeferOrRunPendingTask() () at ../../base/message_loop/message_loop.cc:329
#94246 0x000000000642cb8b in DoWork() () at ../../base/message_loop/message_loop.cc:373
#94247 0x0000000006436256 in Run() () at ../../base/message_loop/message_pump_default.cc:37
#94248 0x0000000006487470 in Run() () at ../../base/run_loop.cc:102
#94249 0x000000000f56f0d2 in RendererMain() () at ../../content/renderer/renderer_main.cc:218
#94250 0x0000000004b482a2 in RunZygote() () at ../../content/app/content_main_runner_impl.cc:567
#94251 0x0000000004b4c3a0 in Run() () at ../../content/app/content_main_runner_impl.cc:969
#94252 0x00000000097ffe8e in Main() () at ../../services/service_manager/embedder/main.cc:459
#94253 0x00000000032503a0 in content::ContentMain(content::ContentMainParams const&) () at ../../content/app/content_main.cc:19
#94254 0x0000000001f21627 in main() () at ../../content/shell/app/shell_main.cc:48

This is not a recent regression and happening on M67, lowering priority
and assign me back.

ClusterFuzz has detected this issue as fixed in range 567635:567636.

Detailed report: https://clusterfuzz.com/testcase?key=5771272416657408

Fuzzer: mbarbella_webcomponents
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffed6206f58
Crash State:
  HandleDynamicTypeCacheMiss
  __ubsan_handle_dynamic_type_cache_miss
  blink::HTMLSlotElement::DetachLayoutTree
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=543412:543415
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=567635:567636

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5771272416657408

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.