Issue 854221

Issue metadata

Status: Fixed
Closed: Jun 2018
Pri: 3
Type: Bug

Blocking: issue 836913


[BlinkGenPropertyTrees] page with oopif crashes on load

Project Member Reported by sahel@chromium.org, Jun 19 2018

Issue description

What steps will reproduce the problem?
(1) Run Chrome with --enable-blink-gen-property-trees
(2) Navigate to http://csreis.github.io/tests/cross-site-iframe-simple.html or any other page with an OOPIF

What is the expected result?
The page should load without any problems.

What happens instead?
The page crashes instantly. Here is an example stack trace:

Received signal 11 SEGV_MAPERR 0000000001b8
#0 0x7f36b9859b5c base::debug::StackTrace::StackTrace()
#1 0x7f36b9859631 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f36ae30c0c0 <unknown>
#3 0x7f36b1798c43 blink::LocalFrameView::PaintTree()
#4 0x7f36b17960d6 blink::LocalFrameView::UpdateLifecyclePhasesInternal()
#5 0x7f36b1795ab7 blink::LocalFrameView::UpdateAllLifecyclePhases()
#6 0x7f36b1da8bce blink::PageAnimator::UpdateAllLifecyclePhases()
#7 0x7f36b17e9fd3 blink::WebFrameWidgetImpl::UpdateLifecycle()
#8 0x7f36b762ca62 content::RenderWidget::UpdateVisualState()
#9 0x7f36aaa80828 cc::ProxyMain::BeginMainFrame()
#10 0x7f36aaa7f0df _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIMN2cc9ProxyMainEFvNSt3__110unique_ptrINS4_28BeginMainFrameAndCommitStateENS6_14default_deleteIS8_EEEEENS_7WeakPtrIS5_EEJSB_EEEvOT_OT0_DpOT1_
#11 0x7f36aaa7efae _ZN4base8internal7InvokerINS0_9BindStateIMN2cc9ProxyMainEFvNSt3__110unique_ptrINS3_28BeginMainFrameAndCommitStateENS5_14default_deleteIS7_EEEEEJNS_7WeakPtrIS4_EENS0_13PassedWrapperISA_EEEEEFvvEE7RunOnceEPNS0_13BindStateBaseE
#12 0x7f36b9783f40 base::debug::TaskAnnotator::RunTask()
#13 0x7f36b00b666d base::sequence_manager::internal::ThreadControllerImpl::DoWork()
#14 0x7f36b00b8618 _ZN4base8internal7InvokerINS0_9BindStateIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS5_8WorkTypeEEJNS_7WeakPtrIS5_EES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#15 0x7f36b9783f40 base::debug::TaskAnnotator::RunTask()
#16 0x7f36b97afc76 base::internal::IncomingTaskQueue::RunTask()
#17 0x7f36b97b3a57 base::MessageLoop::RunTask()
#18 0x7f36b97b3e6a base::MessageLoop::DeferOrRunPendingTask()
#19 0x7f36b97b40fe base::MessageLoop::DoWork()
#20 0x7f36b97b6456 base::MessagePumpDefault::Run()
#21 0x7f36b97b3381 base::MessageLoop::Run()
#22 0x7f36b97e69b6 base::RunLoop::Run()
#23 0x7f36b763a0d5 content::RendererMain()
#24 0x7f36b7716115 content::RunZygote()
#25 0x7f36b7716a70 content::RunOtherNamedProcessTypeMain()
#26 0x7f36b7717740 content::ContentMainRunnerImpl::Run()
#27 0x7f36b9acb6bf service_manager::Main()
#28 0x7f36b77155a4 content::ContentMain()
#29 0x56225e1491b3 ChromeMain
#30 0x7f36ac18d2b1 __libc_start_main
#31 0x56225e14902a _start
  r8: 0000000000000346  r9: 000000000000000e r10: 0000000000000301 r11: 0000000000000700
 r12: 00007fffa4f55700 r13: 00003f881a8c2160 r14: 0000282d222d46d0 r15: 00003f881a8c1840
  di: 00003222b5841840  si: 00000000000000ab  bp: 00007fffa4f55740  bx: 0000000000000000
  dx: 0000000000000020  ax: 00003f881a8c1840  cx: c45a9a00b6a40300  sp: 00007fffa4f542e0
  ip: 00007f36b1798c43 efl: 0000000000010202 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 00000000000001b8
[end of stack trace]
Calling _exit(1). Core file will not be generated.
[1:7:0619/115240.716894:FATAL:tree_synchronizer.cc(81)] Check failed: layer->transform_tree_index() != TransformTree::kInvalidNodeId (-1 vs. -1)
#0 0x7f36b9859b5c base::debug::StackTrace::StackTrace()
#1 0x7f36b97a365b logging::LogMessage::~LogMessage()
#2 0x7f36aaa8c480 cc::PushLayerList<>()
#3 0x7f36aaa8b3e2 cc::SynchronizeTreesInternal<>()
#4 0x7f36aaa281c2 cc::LayerTreeHost::FinishCommitOnImplThread()
#5 0x7f36aaa7d6e9 cc::ProxyImpl::ScheduledActionCommit()
#6 0x7f36aa9d26b8 cc::Scheduler::ProcessScheduledActions()
#7 0x7f36aa9d319a cc::Scheduler::NotifyReadyToCommit()
#8 0x7f36aaa7a140 cc::ProxyImpl::NotifyReadyToCommitOnImpl()
#9 0x7f36b9783f40 base::debug::TaskAnnotator::RunTask()
#10 0x7f36b00b666d base::sequence_manager::internal::ThreadControllerImpl::DoWork()
#11 0x7f36b00b8618 _ZN4base8internal7InvokerINS0_9BindStateIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS5_8WorkTypeEEJNS_7WeakPtrIS5_EES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#12 0x7f36b9783f40 base::debug::TaskAnnotator::RunTask()
#13 0x7f36b97afc76 base::internal::IncomingTaskQueue::RunTask()
#14 0x7f36b97b3a57 base::MessageLoop::RunTask()
#15 0x7f36b97b3e6a base::MessageLoop::DeferOrRunPendingTask()
#16 0x7f36b97b40fe base::MessageLoop::DoWork()
#17 0x7f36b97b6456 base::MessagePumpDefault::Run()
#18 0x7f36b97b3381 base::MessageLoop::Run()
#19 0x7f36b97e69b6 base::RunLoop::Run()
#20 0x7f36b982425a base::Thread::Run()
#21 0x7f36b98247df base::Thread::ThreadMain()
#22 0x7f36b986ed5f base::(anonymous namespace)::ThreadFunc()
#23 0x7f36ae302494 start_thread
#24 0x7f36ac255a8f clone

Received signal 6
#0 0x7f36b9859b5c base::debug::StackTrace::StackTrace()
#1 0x7f36b9859631 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f36ae30c0c0 <unknown>
#3 0x7f36ac19ffcf gsignal
#4 0x7f36ac1a13fa abort
#5 0x7f36b9858435 base::debug::BreakDebugger()
#6 0x7f36b97a3a6a logging::LogMessage::~LogMessage()
#7 0x7f36aaa8c480 cc::PushLayerList<>()
#8 0x7f36aaa8b3e2 cc::SynchronizeTreesInternal<>()
#9 0x7f36aaa281c2 cc::LayerTreeHost::FinishCommitOnImplThread()
#10 0x7f36aaa7d6e9 cc::ProxyImpl::ScheduledActionCommit()
#11 0x7f36aa9d26b8 cc::Scheduler::ProcessScheduledActions()
#12 0x7f36aa9d319a cc::Scheduler::NotifyReadyToCommit()
#13 0x7f36aaa7a140 cc::ProxyImpl::NotifyReadyToCommitOnImpl()
#14 0x7f36b9783f40 base::debug::TaskAnnotator::RunTask()
#15 0x7f36b00b666d base::sequence_manager::internal::ThreadControllerImpl::DoWork()
#16 0x7f36b00b8618 _ZN4base8internal7InvokerINS0_9BindStateIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS5_8WorkTypeEEJNS_7WeakPtrIS5_EES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#17 0x7f36b9783f40 base::debug::TaskAnnotator::RunTask()
#18 0x7f36b97afc76 base::internal::IncomingTaskQueue::RunTask()
#19 0x7f36b97b3a57 base::MessageLoop::RunTask()
#20 0x7f36b97b3e6a base::MessageLoop::DeferOrRunPendingTask()
#21 0x7f36b97b40fe base::MessageLoop::DoWork()
#22 0x7f36b97b6456 base::MessagePumpDefault::Run()
#23 0x7f36b97b3381 base::MessageLoop::Run()
#24 0x7f36b97e69b6 base::RunLoop::Run()
#25 0x7f36b982425a base::Thread::Run()
#26 0x7f36b98247df base::Thread::ThreadMain()
#27 0x7f36b986ed5f base::(anonymous namespace)::ThreadFunc()
#28 0x7f36ae302494 start_thread
#29 0x7f36ac255a8f clone
  r8: 0000000000000000  r9: 00007f369b582350 r10: 0000000000000008 r11: 0000000000000246
 r12: 00007f369b582ac8 r13: 00007f369b582ab8 r14: 00007f369b582ac0 r15: 00007f369b5825e9
  di: 0000000000000002  si: 00007f369b582350  bp: 00007f369b582590  bx: 0000000000000006
  dx: 0000000000000000  ax: 0000000000000000  cx: 00007f36ac19ffcf  sp: 00007f369b5823c8
  ip: 00007f36ac19ffcf efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

Comment 1 by pdr@chromium.org, Jun 19 2018

Cc: -bokan@chromium.org
Owner: bokan@chromium.org
Status: Assigned (was: Untriaged)
This is due to CollectViewportLayersForLayerList. We need to early-out if the viewport layers do not exist.

Comment 2 by bokan@chromium.org, Jun 19 2018

Status: Started (was: Assigned)
Comment 3 by bugdroid1@chromium.org (Project Member), Jun 20 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/38da049a8213b072769f06642db109a29de70b6e

commit 38da049a8213b072769f06642db109a29de70b6e
Author: David Bokan <bokan@chromium.org>
Date: Wed Jun 20 22:09:33 2018

[BlinkGenPropertyTrees] Fix site isolation crash

A local root OOPIF has its own lifecycle but doesn't have its own
visual viewport layers so we'd crash when trying to process them. Only
try to process viewport layers for blink-gen-property-trees when we're
in the main frame.

TEST=Open chrome with --enable-blink-gen-property-trees and open any
site with an out of process iframe. Pass if renderer doesn't crash.

Bug: 854221
Change-Id: I423c90e5cbc7aa20be8541e8e7d89158233f774c
Reviewed-on: https://chromium-review.googlesource.com/1106668
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: David Bokan <bokan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569042}
[modify] https://crrev.com/38da049a8213b072769f06642db109a29de70b6e/third_party/blink/renderer/core/frame/local_frame_view.cc
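As an added illustration, not Chromium's own code, here is a simplified C++ model of the guard the commit message describes: a local-root OOPIF view that owns no viewport layers, an unguarded collector that pushes those missing layers into the layer list, the main-frame early-out that fixes it, and a commit-time check in the spirit of the tree_synchronizer CHECK quoted above. All names (FrameView, Layer, Simulate, the sample views) are hypothetical.

```cpp
#include <vector>

// Sentinel the compositor's property trees use for "no node"; the failed check
// on this page compares a layer's transform_tree_index against it.
constexpr int kInvalidNodeId = -1;
struct Layer { int transform_tree_index = kInvalidNodeId; };

// Hypothetical, simplified frame view. Only the main frame owns the visual
// viewport layers; a local-root OOPIF runs its own lifecycle with none.
struct FrameView {
  bool is_main_frame = false;
  Layer* inner_viewport_scroll_layer = nullptr;
  Layer* outer_viewport_scroll_layer = nullptr;
};

// Pre-fix behaviour (modelled): the viewport layers are appended without any
// check, so an OOPIF's missing layers reach the layer list as null entries.
void CollectViewportLayersUnguarded(const FrameView& v, std::vector<Layer*>& list) {
  list.push_back(v.inner_viewport_scroll_layer);
  list.push_back(v.outer_viewport_scroll_layer);
}

// Post-fix behaviour (modelled): early-out unless this view is the main frame.
void CollectViewportLayersGuarded(const FrameView& v, std::vector<Layer*>& list) {
  if (!v.is_main_frame) return;
  CollectViewportLayersUnguarded(v, list);
}

// Mirrors the invariant enforced at commit time: every layer handed to the
// compositor must exist and carry a valid transform tree node.
bool LayerListPassesCommitCheck(const std::vector<Layer*>& list) {
  for (const Layer* layer : list)
    if (layer == nullptr || layer->transform_tree_index == kInvalidNodeId) return false;
  return true;
}

// Whether the pre-fix and post-fix layer lists for a view survive that check.
struct Outcome { bool unguarded_ok; bool guarded_ok; int guarded_layers; };

Outcome Simulate(const FrameView& v) {
  std::vector<Layer*> before, after;
  CollectViewportLayersUnguarded(v, before);
  CollectViewportLayersGuarded(v, after);
  return {LayerListPassesCommitCheck(before), LayerListPassesCommitCheck(after),
          static_cast<int>(after.size())};
}

// Constructed sample views: a local-root OOPIF and a main frame with real layers.
static Layer g_inner{1}, g_outer{2};
const FrameView kOopifView{false, nullptr, nullptr};
const FrameView kMainFrameView{true, &g_inner, &g_outer};
```

Running Simulate on kOopifView shows the unguarded list failing the check and the guarded list passing with zero layers, while kMainFrameView passes either way with both viewport layers present.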

Comment 4 by bokan@chromium.org, Jun 20 2018

Status: Fixed (was: Started)