CHECK failure: get_prototype_value in v8_object_constructor.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6174853783355392
Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  get_prototype_value in v8_object_constructor.cc
  blink::V8ObjectConstructor::CreateInterfaceObject
  blink::V8PerContextData::ConstructorForTypeSlowCase
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=531299:531319
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6174853783355392
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jul 19
Has been reproducing for a long time. Fails around these lines:

 97 v8::Local<v8::Value> prototype_value;
 98 bool get_prototype_value =
 99     interface_object->Get(context, V8AtomicString(isolate, "prototype"))
100         .ToLocal(&prototype_value);
101 CHECK(get_prototype_value);

At that point, nothing is wrong. However, there is still a scheduled exception from a previous call into v8. It was generated here:

#0 0x00007f14c3b70cc7 in v8::internal::Isolate::ScheduleThrow(v8::internal::Object*)
#1 0x00007f14c30e0e2c in v8::Isolate::ThrowException(v8::Local<v8::Value>)
#2 0x00007f14bdc64266 in blink::V8ThrowException::ThrowException(v8::Isolate*, v8::Local<v8::Value>)
#3 0x00007f14bdc63d5c in blink::V8ThrowException::ThrowError(v8::Isolate*, WTF::String const&)
#4 0x00007f14bfea4a94 in blink::(anonymous namespace)::ThrowScriptForbiddenException(v8::Isolate*)
#5 0x00007f14bfea68a9 in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*)
#6 0x00007f14c094d568 in blink::WebLocalFrameImpl::CallFunctionEvenIfScriptDisabled(v8::Local<v8::Function>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*)
#7 0x00007f14bb22e802 in test_runner::AccessibilityController::NotificationReceived(blink::WebAXObject const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
#8 0x00007f14bb30606e in test_runner::WebFrameTestClient::PostAccessibilityEvent(blink::WebAXObject const&, blink::WebAXEvent)
#9 0x00000000016d37f5 in test_runner::WebFrameTestProxy<content::RenderFrameImpl, content::RenderFrameImpl::CreateParams>::PostAccessibilityEvent(blink::WebAXObject const&, blink::WebAXEvent)
#10 0x00007f14bc718457 in blink::AXObjectCacheImpl::PostPlatformNotification(blink::AXObject*, blink::AXObjectCacheImpl::AXNotification)
#11 0x00007f14bc719ab4 in blink::AXObjectCacheImpl::HandleScrollPositionChanged(blink::LayoutObject*)
#12 0x00007f14c129de63 in blink::PaintLayerScrollableArea::UpdateScrollOffset(blink::FloatSize const&, blink::ScrollType)
#13 0x00007f14be0d2ef1 in blink::ScrollableArea::ScrollOffsetChanged(blink::FloatSize const&, blink::ScrollType)
#14 0x00007f14be0d2c7c in blink::ScrollableArea::SetScrollOffset(blink::FloatSize const&, blink::ScrollType, blink::ScrollBehavior)
#15 0x00007f14c12a1a44 in blink::PaintLayerScrollableArea::ClampScrollOffsetAfterOverflowChange()
#16 0x00007f14c12a03d4 in blink::PaintLayerScrollableArea::UpdateAfterLayout()
#17 0x00007f14c127d519 in blink::PaintLayer::UpdateSizeAndScrollingAfterLayout()
#18 0x00007f14c0df43c4 in blink::LayoutBox::UpdateAfterLayout()
#19 0x00007f14c0da36eb in blink::LayoutBlock::UpdateAfterLayout()
#20 0x00007f14c0db8985 in blink::LayoutBlockFlow::UpdateBlockLayout(bool)
#21 0x00007f14c0da38d0 in blink::LayoutBlock::UpdateLayout()
#22 0x00007f14c0dbd390 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
#23 0x00007f14c0dbd750 in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
#24 0x00007f14c0dbbbc9 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
#25 0x00007f14c0db8c34 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&)
#26 0x00007f14c0db8627 in blink::LayoutBlockFlow::UpdateBlockLayout(bool)
#27 0x00007f14c0da38d0 in blink::LayoutBlock::UpdateLayout()
#28 0x00007f14c0dbd390 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
#29 0x00007f14c0dbd750 in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
#30 0x00007f14c0dbbbc9 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
#31 0x00007f14c0db8c34 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&)
#32 0x00007f14c0db8627 in blink::LayoutBlockFlow::UpdateBlockLayout(bool)
#33 0x00007f14c0da38d0 in blink::LayoutBlock::UpdateLayout()
#34 0x00007f14c0dbd390 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
#35 0x00007f14c0dbd750 in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
#36 0x00007f14c0dbbbc9 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
#37 0x00007f14c0db8c34 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&)
#38 0x00007f14c0db8627 in blink::LayoutBlockFlow::UpdateBlockLayout(bool)
#39 0x00007f14c0f14c49 in blink::LayoutView::UpdateBlockLayout(bool)
#40 0x00007f14c0da38d0 in blink::LayoutBlock::UpdateLayout()
#41 0x00007f14c0f15494 in blink::LayoutView::UpdateLayout()
#42 0x00007f14c08c845a in blink::LocalFrameView::PerformLayout(bool)
#43 0x00007f14c08c4d8a in blink::LocalFrameView::UpdateLayout()
#44 0x00007f14c0428bec in blink::Document::UpdateStyleAndLayout()
#45 0x00007f14c0428995 in blink::Document::UpdateStyleAndLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks)
#46 0x00007f14c05c196f in blink::DeleteSelectionCommand::FixupWhitespace()
#47 0x00007f14c05c3a66 in blink::DeleteSelectionCommand::DoApply(blink::EditingState*)
#48 0x00007f14c05ae352 in blink::CompositeEditCommand::ApplyCommandToComposite(blink::EditCommand*, blink::EditingState*)
#49 0x00007f14c05b0671 in blink::CompositeEditCommand::DeleteSelection(blink::EditingState*, blink::DeleteSelectionOptions const&)
#50 0x00007f14c05e99e0 in blink::ReplaceSelectionCommand::InsertParagraphSeparatorIfNeeds(blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::ReplacementFragment const&, blink::EditingState*)
#51 0x00007f14c05ea3e5 in blink::ReplaceSelectionCommand::DoApply(blink::EditingState*)
#52 0x00007f14c05ae0a3 in blink::CompositeEditCommand::Apply()
#53 0x00007f14c05d5a6e in blink::InsertCommands::ExecuteInsertFragment(blink::LocalFrame&, blink::DocumentFragment*)
#54 0x00007f14c05d5f98 in blink::InsertCommands::ExecuteInsertHTML(blink::LocalFrame&, blink::Event*, blink::EditorCommandSource, WTF::String const&)
#55 0x00007f14c05cb2b0 in blink::EditorCommand::Execute(WTF::String const&, blink::Event*)
#56 0x00007f14c05c5196 in blink::Document::execCommand(WTF::String const&, bool, WTF::String const&, blink::ExceptionState&)
#57 0x00007f14c1937c61 in blink::DocumentV8Internal::execCommandMethod(v8::FunctionCallbackInfo<v8::Value> const&)
#58 0x00007f14c193714a in blink::V8Document::execCommandMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&)
#59 0x00007f14c322da33 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*)
#60 0x00007f14c322b870 in v8::internal::(anonymous namespace)
#61 0x00007f14c3229ffc in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*)
#62 0x00007f14c3229bad in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*)

Frame #42 contains a ScriptForbiddenScope, but frame #7 calls out into v8. Not a v8 issue, setting component "Blink>Layout" for frame #7 and "Blink>Internals" for frame #42.
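As an added illustration (not part of the report and not Chromium code), a small C++ model of the chain the comment above describes: a call into script made while a ScriptForbiddenScope is active schedules an exception, the exception outlives the scope, and the next otherwise valid V8 API call fails its ToLocal and so trips the CHECK. Isolate, ScriptForbiddenScope, CallFunction and GetPrototype here are hypothetical simplifications of the Blink and V8 types named in the trace.

```cpp
// Stand-in model of the failure chain analysed above; these types are
// hypothetical simplifications, not V8 or Blink code.
#include <optional>
#include <string>

struct Isolate {
  std::optional<std::string> scheduled_exception;  // set by ScheduleThrow (frame #0)
  int forbidden_depth = 0;                         // ScriptForbiddenScope nesting
  bool HasScheduledException() const { return scheduled_exception.has_value(); }
};
// RAII guard standing in for blink::ScriptForbiddenScope (active in frame #42).
struct ScriptForbiddenScope {
  Isolate& iso;
  explicit ScriptForbiddenScope(Isolate& i) : iso(i) { ++iso.forbidden_depth; }
  ~ScriptForbiddenScope() { --iso.forbidden_depth; }
};
// Stands in for V8ScriptRunner::CallFunction (frame #5): while script is
// forbidden it schedules an exception on the isolate instead of running fn.
std::optional<int> CallFunction(Isolate& iso, int (*fn)()) {
  if (iso.forbidden_depth > 0) {
    iso.scheduled_exception = "Script execution is forbidden";
    return std::nullopt;
  }
  return fn();
}
// Stands in for interface_object->Get(...).ToLocal(&prototype_value): with an
// exception still scheduled the call yields an empty MaybeLocal, so ToLocal
// reports false even though the property lookup itself is fine.
bool GetPrototype(Isolate& iso, int* out) {
  if (iso.HasScheduledException()) return false;
  *out = 42;  // constructed stand-in for the "prototype" property
  return true;
}
// The reported sequence: the accessibility callback (frame #7) calls into V8
// inside the forbidden scope; the exception outlives the scope and is still
// pending when CreateInterfaceObject runs, so CHECK(get_prototype_value) fires.
bool ReproducesCheckFailure() {
  Isolate iso;
  { ScriptForbiddenScope forbid(iso); CallFunction(iso, [] { return 1; }); }
  int proto = 0;
  return !GetPrototype(iso, &proto) && iso.HasScheduledException();
}
// Same sequence with the callback consulting the forbidden state first, so no
// exception is scheduled and the later Get succeeds.
bool GuardedSequenceSucceeds() {
  Isolate iso;
  { ScriptForbiddenScope forbid(iso); if (iso.forbidden_depth == 0) CallFunction(iso, [] { return 1; }); }
  int proto = 0;
  return GetPrototype(iso, &proto) && proto == 42;
}
```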
Jul 20
Unable to provide a possible suspect using Predator, CL and Code Search. Could someone please look into the issue? Thank you.
Jul 23
Looks like something goes wrong when updating the scroll position.
Aug 1
ClusterFuzz has detected this issue as fixed in range 579329:579330.
Detailed report: https://clusterfuzz.com/testcase?key=6174853783355392
Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  get_prototype_value in v8_object_constructor.cc
  blink::V8ObjectConstructor::CreateInterfaceObject
  blink::V8PerContextData::ConstructorForTypeSlowCase
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=531299:531319
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=579329:579330
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6174853783355392
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 1
ClusterFuzz testcase 6174853783355392 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by kkaluri@chromium.org, Jul 16