Failed DCHECK(style_) in LayoutTreeBuilderForElement
Reported by
ana...@yandex-team.ru,
Aug 10
|
||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.70 YaBrowser/18.9.0.1983 (beta) Yowser/2.5 Safari/537.36 Steps to reproduce the problem: 1)Build chromium in Debug 2)Open html "Simple_page_with_content.html" (in attach) 3)Press button on page What is the expected behavior? Page not crash What went wrong? In debug build faild dcheck in function: LayoutTreeBuilderForElement::Style() https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/dom/layout_tree_builder.cc?type=cs&g=0&l=134 Did this work before? N/A Chrome version: 70.0.3517.0 Channel: n/a OS Version: 10.0 Flash Version: Shockwave Flash 30.0 r0 This is related with styles childs V0 shadow host. When we press button, the style for #options-popup change.#options-popup contains in Shadow Dom. But because we use tag <content>, we use old version shadow dom and have V0 insertion point.. So style coresponding to <content> object doesn't update. Was introduced that all styles changes should be calculate on RecalculateStyle stage. And when we do Relayout, all styles should be calculated, so this dcheck control this. But for V0 it is not true. So this objects (<options>) does not update theirs style. So dcheck failed. I attach few examples: 1)Simple_page_with_content.html - simple page for reproduce 2)Page.html with styles Page.css - for reproduce we should press button, chose one of options, and press putton again 3)Simple_Page_slot.html - analog page, butwith slots (v1 version) - it works fine!
,
Aug 10
In Release build it crashes page too with: "Received signal 11 SEGV_MAPERR 000000000038"
,
Aug 10
Rune would probably be interested in this.
,
Aug 10
,
Aug 13
,
Aug 13
,
Aug 13
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Aug 13
,
Aug 15
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a511c25561c7cf6453abb28746f7999caf9e9b8e commit a511c25561c7cf6453abb28746f7999caf9e9b8e Author: Rune Lillesveen <futhark@chromium.org> Date: Wed Aug 15 09:01:21 2018 Make sure we recalc for re-attach for v0 distributed nodes. Similarly to what we do for slot elements. When moving from a separate re-attach where computing style as part of AttachLayoutTree to RecalcStyle for re-attach we need to detect that we recalc style for distributed nodes for re-attach to SetNonAttachedStyle(). Since we can't really propagate the kReattach up from inside the shadow tree recalc to the shadow host when recalculating light tree children, we recalculate the distributed nodes from the insertion point when we are in a kReattach change. Bug: 873129 , 873279 Change-Id: I2364c5f1dce3a79e725d3cb94750f1cfb3e98221 Reviewed-on: https://chromium-review.googlesource.com/1172424 Commit-Queue: Rune Lillesveen <futhark@chromium.org> Reviewed-by: Anders Ruud <andruud@chromium.org> Cr-Commit-Position: refs/heads/master@{#583200} [add] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/WebKit/LayoutTests/shadow-dom/v0/reattach-content-parent-crash.html [modify] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/blink/renderer/core/dom/element.cc [modify] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/blink/renderer/core/dom/v0_insertion_point.cc [modify] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/blink/renderer/core/dom/v0_insertion_point.h [modify] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/blink/renderer/core/html/html_slot_element.cc
,
Aug 15
,
Aug 16
ClusterFuzz testcase 4712432963158016 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by dtapu...@chromium.org
, Aug 10