Issue 880551 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	yosin@chromium.org
Closed:	Sep 27
Cc:	hua...@chromium.org
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	2
Type:	----
Filed-Via-SoM

virtual/layout_ng/fast/block/float/float-append-child-crash.html and 1 other(s) in webkit_layout_tests failing on chromium.webkit/WebKit Linux Trusty ASAN

Project Member Reported by sheriff-...@appspot.gserviceaccount.com, Sep 4

Issue description

Filed by sheriff-o-matic@appspot.gserviceaccount.com on behalf of huangs@chromium.org

virtual/layout_ng/fast/block/float/float-append-child-crash.html and 1 other(s) in webkit_layout_tests failing on chromium.webkit/WebKit Linux Trusty ASAN

Builders failed on: 
- WebKit Linux Trusty ASAN: 
  https://ci.chromium.org/buildbot/chromium.webkit/WebKit%20Linux%20Trusty%20ASAN

Comment 1 by hua...@chromium.org, Sep 4

Owner: yosin@chromium.org

The broken tests are:

  layout_ng/fast/block/float/float-append-child-crash.html
  layout_ng/fast/block/float/float-not-removed-crash2.html

Stack track sample:

10:31:32.636 9038   =================================================================
10:31:32.636 9038   ==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00009d4d8 at pc 0x000011e3bf1d bp 0x7ffe72b9a250 sp 0x7ffe72b9a248
10:31:32.636 9038   READ of size 1 at 0x60c00009d4d8 thread T0 (content_shell)
10:31:32.636 9038       #0 0x11e3bf1c in MarkLineBoxDirty ./../../third_party/blink/renderer/core/paint/ng/ng_paint_fragment.cc:508:19
10:31:32.636 9038       #1 0x11e3bf1c in blink::NGPaintFragment::MarkLineBoxesDirtyFor(blink::LayoutObject const&) ./../../third_party/blink/renderer/core/paint/ng/ng_paint_fragment.cc:462:0
10:31:32.636 9038       #2 0x1166152e in blink::LayoutInline::DirtyLinesFromChangedChild(blink::LayoutObject*, blink::MarkingBehavior) ./../../third_party/blink/renderer/core/layout/layout_inline.cc:1483:5
10:31:32.636 9038       #3 0x117afd82 in blink::LayoutText::RemoveAndDestroyTextBoxes() ./../../third_party/blink/renderer/core/layout/layout_text.cc:219:17
10:31:32.636 9038       #4 0x117b0155 in blink::LayoutText::WillBeDestroyed() ./../../third_party/blink/renderer/core/layout/layout_text.cc:230:3
10:31:32.636 9038       #5 0x116d4d56 in blink::LayoutObject::Destroy() ./../../third_party/blink/renderer/core/layout/layout_object.cc:3292:3
10:31:32.636 9038       #6 0x116d4b9e in blink::LayoutObject::DestroyAndCleanupAnonymousWrappers() ./../../third_party/blink/renderer/core/layout/layout_object.cc:3286:17
10:31:32.636 9038       #7 0x102454fc in blink::Node::DetachLayoutTree(blink::Node::AttachContext const&) ./../../third_party/blink/renderer/core/dom/node.cc:1131:24
10:31:32.636 9038       #8 0x10000aa5 in blink::ContainerNode::DetachLayoutTree(blink::Node::AttachContext const&) ./../../third_party/blink/renderer/core/dom/container_node.cc:998:12
10:31:32.636 9038       #9 0x10164086 in blink::Element::DetachLayoutTree(blink::Node::AttachContext const&) ./../../third_party/blink/renderer/core/dom/element.cc:2238:18
10:31:32.636 9038       #10 0x10000aa5 in blink::ContainerNode::DetachLayoutTree(blink::Node::AttachContext const&) ./../../third_party/blink/renderer/core/dom/container_node.cc:998:12
10:31:32.636 9038       #11 0x10164086 in blink::Element::DetachLayoutTree(blink::Node::AttachContext const&) ./../../third_party/blink/renderer/core/dom/element.cc:2238:18
10:31:32.636 9038       #12 0xfffea87 in blink::ContainerNode::RemoveBetween(blink::Node*, blink::Node*, blink::Node&) ./../../third_party/blink/renderer/core/dom/container_node.cc:733:15
10:31:32.636 9038       #13 0xfffbdfb in blink::ContainerNode::RemoveChild(blink::Node*, blink::ExceptionState&) ./../../third_party/blink/renderer/core/dom/container_node.cc:709:7
10:31:32.636 9038       #14 0xfffb58a in blink::ContainerNode::ReplaceChild(blink::Node*, blink::Node*, blink::ExceptionState&) ./../../third_party/blink/renderer/core/dom/container_node.cc:577:25
10:31:32.636 9038       #15 0x105865a8 in blink::ReplaceChildrenWithFragment(blink::ContainerNode*, blink::DocumentFragment*, blink::ExceptionState&) ./../../third_party/blink/renderer/core/editing/serializers/serialization.cc:717:21
10:31:32.637 9038       #16 0x10179cde in blink::Element::SetInnerHTMLFromString(WTF::String const&, blink::ExceptionState&) ./../../third_party/blink/renderer/core/dom/element.cc:3505:7

Likely cause is

https://chromium-review.googlesource.com/c/chromium/src/+/1196723

Going to revert the CL.

Comment 2 by hua...@chromium.org, Sep 4

The revert CL has been committed:

https://chromium-review.googlesource.com/c/chromium/src/+/1205390

Comment 3 by markusheintz@chromium.org, Sep 6

Labels: -Sheriff-Chromium

Comment 4 by yosin@chromium.org, Sep 27

Status: Fixed (was: Available)

http://crrev.com/c/1226486 fixed this issue.

►

Issue 880551 link

Issue metadata

virtual/layout_ng/fast/block/float/float-append-child-crash.html and 1 other(s) in webkit_layout_tests failing on chromium.webkit/WebKit Linux Trusty ASAN

Issue description

Comment 1 by hua...@chromium.org, Sep 4

Comment 1 Deleted

Comment 2 by hua...@chromium.org, Sep 4

Comment 2 Deleted

Comment 3 by markusheintz@chromium.org, Sep 6

Comment 3 Deleted

Comment 4 by yosin@chromium.org, Sep 27

Comment 4 Deleted

Sign in to add a comment