[LayoutNG] NGAbstractInlineTextBox references deleted LayoutObject |
|||||||
Issue descriptionTo reproduce, build content_shell with asan, and run: out/asan/content_shell --run-web-tests --enable-blink-features=LayoutNG accessibility/press-works-on-text-fields.html The deleted layout object is a LayoutText which was deleted during WillBeDestroyed() of an ancestor LayoutNGBlockFlow. Then during destruction of the ancestor LayoutNGBlockFlow's, the NGPaintFragment tree is deleted, and the NGAbstractInlineTextBox associated with a node in the NGPaintFragment tree which is associated with the deleted LayoutText will access the deleted LayoutText in NGAbstractInlineTextBox::Detach(). TL;DR: How I found this: With https://chromium-review.googlesource.com/c/chromium/src/+/1123018 applied, many accessibility layout tests crash in LayoutNG mode. After some investigation, I found that the crashes are actually not caused by my CL. The root cause is that NGAbstractInlineTextBox references deleted LayoutObject (through line_layout_item_). The tests don't crash without my CL just because we are lucky in LayoutObject::GetNode() { return IsAnonymous() ? nullptr : node_; } that IsAnonymous() happens to be true and the function returns nullptr without crash even if the LayoutObject has been deleted. With my CL, IsAnonymous() happens to be false for the deleted LayoutObject and GetNode() returns a random pointer (e.g. 0xcdcdcdcdcdcd in debug mode) and later deref of the pointer causes crash. Filing this bug so that I can land my CL with the crashing tests added into FlagExpectations/enable-blink-features=LayoutNG.
,
Aug 17
https://chromium-review.googlesource.com/1123018 added 128 entries to FlagExpectations/enable-blink-features=LayoutNG.
,
Aug 17
wangxianzhu@, thanks for analysis! Discussed with kojii@ offline: Once kojii@'s patch[1] is landed. We'll call NGAbstractInlineTextBox::Detach() from LayoutText::DeleteInlineTextBox() instead of NGPaintFragment dtor. [1] http://crrev.com/c/1170726 [LayoutNG] Store NGPaintFragment in LayoutObject
,
Aug 20
Since the patch[1] is landed. I start working. Detaching NGAbstractInlineTextBox objects will be done in LayoutText::DeleteTextBoxes() and LayouText::SetFirstInlineFragment(nullptr). [1] http://crrev.com/c/1170726 [LayoutNG] Store NGPaintFragment in LayoutObject
,
Aug 20
Note: The CL[1], mentioned in #c0, revealed this issue is reverted by issue 875321 [1] http://crrev.com/c/1123018 [CI] Cleanup paint invalidation flags
,
Aug 20
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2a82d4ff6b6a721e2f6e2d8a2e86f66470fcc444 commit 2a82d4ff6b6a721e2f6e2d8a2e86f66470fcc444 Author: Yoshifumi Inoue <yosin@chromium.org> Date: Mon Aug 20 09:08:04 2018 Destroy paint fragment tree before destroying descendant layout objects This patch introduces |LayoutNGMixin::WillBeDestroyed()| and changes |LayoutBlockFlow::DeleteLineBoxTree()| to destroy paint fragment tree before destroying descendant layout objects to allow |NGPaintFragment| destructor can access its associated |LayoutObject|. Before this patch, |NGAbstrctInlineTextBox::WillDestroy()|, which is called from |NGPaintFragment| destructor, uses dead |LayoutText| == |NGPaintFragment| lives longer than |LayoutText|. After this patch, |LayoutText| lives longer than |NGPaintFragment|. Bug: 874588 Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng Change-Id: Iade5c8a51a57da2e855a194caa098e90222a7804 Reviewed-on: https://chromium-review.googlesource.com/1180828 Reviewed-by: Koji Ishii <kojii@chromium.org> Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#584385} [modify] https://crrev.com/2a82d4ff6b6a721e2f6e2d8a2e86f66470fcc444/third_party/blink/renderer/core/layout/layout_block_flow.cc [modify] https://crrev.com/2a82d4ff6b6a721e2f6e2d8a2e86f66470fcc444/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.cc [modify] https://crrev.com/2a82d4ff6b6a721e2f6e2d8a2e86f66470fcc444/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.h
,
Aug 20
My patch in #c6 still causes this crash with CL[1]. Reverting... :-< [1] http://crrev.com/c/1123018 [CI] Cleanup paint invalidation flags
,
Aug 20
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5334ca5d01e6d5a6757e63ca017fb1097e948d17 commit 5334ca5d01e6d5a6757e63ca017fb1097e948d17 Author: Yoshifumi Inoue <yosin@chromium.org> Date: Mon Aug 20 09:50:42 2018 Revert "Destroy paint fragment tree before destroying descendant layout objects" This reverts commit 2a82d4ff6b6a721e2f6e2d8a2e86f66470fcc444. Reason for revert: This patch still causes the crash with the CL[1]. [1] [1] http://crrev.com/c/1123018 [CI] Cleanup paint invalidation flags Original change's description: > Destroy paint fragment tree before destroying descendant layout objects > > This patch introduces |LayoutNGMixin::WillBeDestroyed()| and changes > |LayoutBlockFlow::DeleteLineBoxTree()| to destroy paint fragment tree before > destroying descendant layout objects to allow |NGPaintFragment| destructor can > access its associated |LayoutObject|. > > Before this patch, |NGAbstrctInlineTextBox::WillDestroy()|, which is called from > |NGPaintFragment| destructor, uses dead |LayoutText| == |NGPaintFragment| lives > longer than |LayoutText|. > > After this patch, |LayoutText| lives longer than |NGPaintFragment|. > > Bug: 874588 > Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng > Change-Id: Iade5c8a51a57da2e855a194caa098e90222a7804 > Reviewed-on: https://chromium-review.googlesource.com/1180828 > Reviewed-by: Koji Ishii <kojii@chromium.org> > Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> > Cr-Commit-Position: refs/heads/master@{#584385} TBR=yosin@chromium.org,kojii@chromium.org Change-Id: I0fb21ceab9c1b30bbc9b2cc4d0081c04108a3db1 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: 874588 Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng Reviewed-on: https://chromium-review.googlesource.com/1180902 Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#584390} [modify] https://crrev.com/5334ca5d01e6d5a6757e63ca017fb1097e948d17/third_party/blink/renderer/core/layout/layout_block_flow.cc [modify] https://crrev.com/5334ca5d01e6d5a6757e63ca017fb1097e948d17/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.cc [modify] https://crrev.com/5334ca5d01e6d5a6757e63ca017fb1097e948d17/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.h
,
Aug 23
WIP patch: http://crrev.com/c/1186384 This patch requires cleanup.
,
Aug 27
Issue 875864 has been merged into this issue.
,
Aug 28
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7dd4e1613da75a36f2eb6f068eec70df063032c6 commit 7dd4e1613da75a36f2eb6f068eec70df063032c6 Author: Yoshifumi Inoue <yosin@chromium.org> Date: Tue Aug 28 11:53:01 2018 Make NGPaintFragment ref-counted This patch change |NGPaintFragmet| ref-counted instead of managed by |std::unique_ptr<T>| to resolve life time issue between |LayoutText| and |NGPaintFragment|. Before this patch, paint fragment can live longer than |LayoutText| and causes heap-use-after tree in |NGAbstractTextBox::WillDestroy()|. Bug: 874588 Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng;luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel Change-Id: Id2b59d9d8b257e7cf67ad841cd2fe5ad312951b0 Reviewed-on: https://chromium-review.googlesource.com/1190625 Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> Reviewed-by: Koji Ishii <kojii@chromium.org> Cr-Commit-Position: refs/heads/master@{#586658} [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/layout/layout_inline.cc [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/layout/layout_inline.h [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/layout/layout_text.cc [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/layout/layout_text.h [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.cc [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.h [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/paint/ng/ng_box_fragment_painter.cc [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/paint/ng/ng_box_fragment_painter.h [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/paint/ng/ng_paint_fragment.cc [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/paint/ng/ng_paint_fragment.h [modify] https://crrev.com/7dd4e1613da75a36f2eb6f068eec70df063032c6/third_party/blink/renderer/core/paint/ng/ng_paint_fragment_traversal_test.cc
,
Aug 28
,
Aug 28
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/15419aab28815da13595ee0e7c6d2de086decc4d commit 15419aab28815da13595ee0e7c6d2de086decc4d Author: Markus Heintz <markusheintz@chromium.org> Date: Tue Aug 28 14:14:52 2018 Revert "Make NGPaintFragment ref-counted" This reverts commit 7dd4e1613da75a36f2eb6f068eec70df063032c6. Reason for revert: Leak tests on Linux are failing since https://ci.chromium.org/buildbot/chromium.webkit/WebKit%20Linux%20Trusty%20Leak/23587 Original change's description: > Make NGPaintFragment ref-counted > > This patch change |NGPaintFragmet| ref-counted instead of managed by > |std::unique_ptr<T>| to resolve life time issue between |LayoutText| > and |NGPaintFragment|. > > Before this patch, paint fragment can live longer than |LayoutText| > and causes heap-use-after tree in |NGAbstractTextBox::WillDestroy()|. > > > Bug: 874588 > Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng;luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel > Change-Id: Id2b59d9d8b257e7cf67ad841cd2fe5ad312951b0 > Reviewed-on: https://chromium-review.googlesource.com/1190625 > Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> > Reviewed-by: Koji Ishii <kojii@chromium.org> > Cr-Commit-Position: refs/heads/master@{#586658} TBR=yosin@chromium.org,kojii@chromium.org Change-Id: I2eb89ec4cf7aaf773189437dfe76d76ef49544b9 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: 874588 Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng;luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel Reviewed-on: https://chromium-review.googlesource.com/1193864 Reviewed-by: Markus Heintz <markusheintz@chromium.org> Commit-Queue: Markus Heintz <markusheintz@chromium.org> Cr-Commit-Position: refs/heads/master@{#586681} [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/layout/layout_inline.cc [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/layout/layout_inline.h [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/layout/layout_text.cc [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/layout/layout_text.h [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.cc [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.h [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/paint/ng/ng_box_fragment_painter.cc [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/paint/ng/ng_box_fragment_painter.h [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/paint/ng/ng_paint_fragment.cc [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/paint/ng/ng_paint_fragment.h [modify] https://crrev.com/15419aab28815da13595ee0e7c6d2de086decc4d/third_party/blink/renderer/core/paint/ng/ng_paint_fragment_traversal_test.cc
,
Aug 29
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/94aba20d480b51a1b7bd1c05bd41f249106c3634 commit 94aba20d480b51a1b7bd1c05bd41f249106c3634 Author: Yoshifumi Inoue <yosin@chromium.org> Date: Wed Aug 29 11:46:30 2018 Make NGPaintFragment ref-counted This patch change |NGPaintFragmet| ref-counted instead of managed by |std::unique_ptr<T>| to resolve life time issue between |LayoutText| and |NGPaintFragment|. Before this patch, paint fragment can live longer than |LayoutText| and causes heap-use-after tree in |NGAbstractTextBox::WillDestroy()|. Bug: 874588 Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng;luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel Change-Id: I2982f2099b6ab2ccdf20bf11fd5ddb07e59209dd Reviewed-on: https://chromium-review.googlesource.com/1193868 Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> Commit-Queue: Koji Ishii <kojii@chromium.org> Reviewed-by: Koji Ishii <kojii@chromium.org> Cr-Commit-Position: refs/heads/master@{#587080} [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/layout/layout_box.cc [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/layout/layout_box.h [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/layout/layout_inline.cc [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/layout/layout_inline.h [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/layout/layout_text.cc [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/layout/layout_text.h [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.cc [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.h [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/paint/ng/ng_box_fragment_painter.cc [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/paint/ng/ng_box_fragment_painter.h [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/paint/ng/ng_paint_fragment.cc [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/paint/ng/ng_paint_fragment.h [modify] https://crrev.com/94aba20d480b51a1b7bd1c05bd41f249106c3634/third_party/blink/renderer/core/paint/ng/ng_paint_fragment_traversal_test.cc
,
Sep 12
📍 Pinpoint job started. https://pinpoint-dot-chromeperf.appspot.com/job/136f76ad640000
,
Sep 12
📍 Job complete. See results below. https://pinpoint-dot-chromeperf.appspot.com/job/136f76ad640000
,
Sep 12
📍 Pinpoint job started. https://pinpoint-dot-chromeperf.appspot.com/job/16ab5eb5640000
,
Sep 12
📍 Job complete. See results below. https://pinpoint-dot-chromeperf.appspot.com/job/16ab5eb5640000
,
Sep 12
📍 Pinpoint job started. https://pinpoint-dot-chromeperf.appspot.com/job/1713df4f640000
,
Sep 12
📍 Job complete. See results below. https://pinpoint-dot-chromeperf.appspot.com/job/1713df4f640000
,
Sep 18
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3d757b478829a8fb67d211f932d2a91af5a51ef5 commit 3d757b478829a8fb67d211f932d2a91af5a51ef5 Author: Yoshifumi Inoue <yosin@chromium.org> Date: Tue Sep 18 06:06:30 2018 Change NGPaintFragment::next_for_same_layout_object_ to raw pointer This patch makes |NGPaintFragment::next_for_same_layout_object_| to raw-pointer instead of |scoped_ref<NGPaintFragment>| to avoid leaf paint fragments to live longer than line box fragments for implementing reusing leaf paint fragments with marking dirty line box fragments. Bug: 874588 Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng;luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel Change-Id: I55db486d0dda7e539445463e962ad0e3451dc782 Reviewed-on: https://chromium-review.googlesource.com/1226486 Reviewed-by: Koji Ishii <kojii@chromium.org> Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#591953} [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/layout_block_flow.cc [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/layout_block_flow.h [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/layout_box.cc [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/layout_box.h [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/layout_inline.cc [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/layout_inline.h [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/layout_object_child_list.cc [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/layout_text.cc [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/layout_text.h [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.cc [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.h [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/paint/ng/ng_paint_fragment.cc [modify] https://crrev.com/3d757b478829a8fb67d211f932d2a91af5a51ef5/third_party/blink/renderer/core/paint/ng/ng_paint_fragment.h
,
Oct 24
Updating the crash behavior of the magic signature - blink::NGAbstractInlineTextBox::Detach, as the issue 875864 merged into this issue in C#11. Just to update the latest behavior of this issue in the latest channels: Still seeing 16 crashes from 6 clients so far on latest Stable - 70.0.3538.64 on Android OS. This crash is ranked as #35 in 'Renderer' Beta crashes. Crash data: 70.0.3538.64 7.27% 69 - Stable/Beta So far no crashes are observed on latest Dev and Canary channels. Link to the list of builds: ------------------------- https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27renderer%27+AND+expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ANGAbstractInlineTextBox%3A%3ADetach%27&engine=dremel#-propertyselector,-productname:1000,productversion:100,-magicsignature:50,-magicsignature2:50,-stablesignature:50,-magicsignaturesorted:50 Thanks!
,
Oct 24
It seems NGPaintFragment hold by NGAbstractInlineTextBox is destroyed. Let's make NGAbstractInlineTextBox to use scoped_ref<T> to hold NGPaintFragment to make sure NGPaintFragment not to destroyed until NGAbstractInlineTextBox is destroyed. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by wangxianzhu@chromium.org
, Aug 15Labels: Hotlist-LayoutNG