Bug 84300

Created attachment 137801 [details] Patch

Ping?

Comment on attachment 137801 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=137801&action=review > Source/WebCore/ChangeLog:3 > + [chromium] Crash in RenderInline::clippedOverflowRectForRepaint for PrintPreview The [chromium] prefix makes it sound like this only happens in Chromium; that's unlikely.

I have only seen it reported for chromium but you're right. There is nothing chrome specific in there. Will remove the prefix and land. Thanks Simon.

Committed r114936: <http://trac.webkit.org/changeset/114936>

testcase from ClusterFuzz <script>if (window.layoutTestController) layoutTestController.waitUntilDone(); </script> <style> .c6 { visibility: hidden; opacity: 0.0; } .c11 { visibility: visible; } .c13[class^="c13"] { display: table;</style> <script> var nodes = Array(); function boom() { try { nodes[72] = document.createElement('q'); } catch(e) {} try { nodes[72].setAttribute('class', 'c6'); } catch(e) {} try { document.documentElement.appendChild(nodes[72]); } catch(e) {} try { nodes[75] = document.createElement('map'); } catch(e) {} try { nodes[76] = document.createElement('section'); } catch(e) {} try { nodes[88] = document.createElement('var'); } catch(e) {} try { nodes[88].setAttribute('class', 'c11'); } catch(e) {} try { nodes[72].appendChild(nodes[75]); } catch(e) {} setTimeout("try { nodes[75].setAttribute('class', 'c13'); } catch(e) {}", 3); try { nodes[72].appendChild(nodes[88]); } catch(e) {} try { nodes[88].appendChild(nodes[76]); } catch(e) {} } window.onload = boom; </script> > +----------------------------------------Debug Build Stacktrace----------------------------------------+ /mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/debug/asan-linux-debug-132190/DumpRenderTree ASAN:SIGSEGV ==32545== ERROR: AddressSanitizer crashed on unknown address 0x000000000034 (pc 0x00000adf1f4e sp 0x7fff26360180 bp 0x7fff26360250 T0) AddressSanitizer can not provide additional info. ABORTING #0 0xadf1f4e in WebCore::RenderObject::RenderObjectBitfields::hasColumns() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:988 #1 0xadf0bbd in WebCore::RenderObject::hasColumns() const third_party/WebKit/Source/WebCore/rendering/RenderObject.h:375 #2 0xb33a73b in WebCore::RenderInline::clippedOverflowRectForRepaint(WebCore::RenderBoxModelObject*) const third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:1037 #3 0xb36064a in WebCore::RenderLayer::computeRepaintRects(WebCore::IntPoint*) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:465 #4 0xb3647f3 in WebCore::RenderLayer::setHasVisibleContent(bool) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:629 #5 0xb5a34c8 in WebCore::RenderObjectChildList::insertChildNode(WebCore::RenderObject*, WebCore::RenderObject*, WebCore::RenderObject*, bool) third_party/WebKit/Source/WebCore/rendering/RenderObjectChildList.cpp:264 #6 0xb5420e0 in WebCore::RenderObject::addChild(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:306 #7 0xb321062 in WebCore::RenderInline::addChildIgnoringContinuation(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:313 #8 0xb3238e0 in WebCore::RenderInline::splitInlines(WebCore::RenderBlock*, WebCore::RenderBlock*, WebCore::RenderBlock*, WebCore::RenderObject*, WebCore::RenderBoxModelObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:338 #9 0xb322786 in WebCore::RenderInline::splitFlow(WebCore::RenderObject*, WebCore::RenderBlock*, WebCore::RenderObject*, WebCore::RenderBoxModelObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:452 #10 0xb320f9c in WebCore::RenderInline::addChildIgnoringContinuation(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:307 #11 0xb31f17b in WebCore::RenderInline::addChildToContinuation(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:492 #12 0xb31e45e in WebCore::RenderInline::addChild(WebCore::RenderObject*, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp:237 #13 0x21ac99b in WebCore::NodeRendererFactory::createRendererIfNeeded() third_party/WebKit/Source/WebCore/dom/NodeRenderingContext.cpp:399 #14 0x20b7bf2 in WebCore::Node::createRendererIfNeeded() third_party/WebKit/Source/WebCore/dom/Node.cpp:1427 #15 0x1f8c8d1 in WebCore::Element::attach() third_party/WebKit/Source/WebCore/dom/Element.cpp:956 #16 0x1fb0900 in WebCore::Node::reattach() third_party/WebKit/Source/WebCore/dom/Node.h:819 #17 0x1f8ef2f in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1074 #18 0x1f8fed2 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1151 #19 0x1f8fed2 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Element.cpp:1151 #20 0x1d126bf in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) third_party/WebKit/Source/WebCore/dom/Document.cpp:1659 #21 0x1d14fea in WebCore::Document::updateStyleIfNeeded() third_party/WebKit/Source/WebCore/dom/Document.cpp:1717 #22 0x1cf1489 in WebCore::Document::styleRecalcTimerFired(WebCore::Timer<WebCore::Document>*) third_party/WebKit/Source/WebCore/dom/Document.cpp:1609 #23 0x1ec7409 in WebCore::Timer<WebCore::Document>::fired() third_party/WebKit/Source/WebCore/platform/Timer.h:100 #24 0x73e6825 in WebCore::ThreadTimers::sharedTimerFiredInternal() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118 #25 0x73e5c69 in WebCore::ThreadTimers::sharedTimerFired() third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:94 #26 0xe258dcc in webkit_glue::WebKitPlatformSupportImpl::DoTimeout() ./webkit/glue/webkitplatformsupport_impl.h:148 #27 0xe25ea1a in base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>::Run(webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:132 #28 0xe25e683 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::MakeItSo(base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, webkit_glue::WebKitPlatformSupportImpl*) ./base/bind_internal.h:869 #29 0xe25e1ad in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>, void ()(webkit_glue::WebKitPlatformSupportImpl*), void ()(base::internal::UnretainedWrapper<webkit_glue::WebKitPlatformSupportImpl>)>, void ()(webkit_glue::WebKitPlatformSupportImpl*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1170 #30 0x24c5df5 in base::Callback<void ()()>::Run() const ./base/callback.h:272 #31 0xf7adfe9 in base::Timer::RunScheduledTask() base/timer.cc:182 #32 0xf7aed61 in base::BaseTimerTaskInternal::Run() base/timer.cc:45 #33 0xf7b195a in base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>::Run(base::BaseTimerTaskInternal*) ./base/bind_internal.h:132 #34 0xf7b15c3 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*)>::MakeItSo(base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, base::BaseTimerTaskInternal*) ./base/bind_internal.h:869 #35 0xf7b11b6 in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (base::BaseTimerTaskInternal::*)()>, void ()(base::BaseTimerTaskInternal*), void ()(base::internal::OwnedWrapper<base::BaseTimerTaskInternal>)>, void ()(base::BaseTimerTaskInternal*)>::Run(base::internal::BindStateBase*) ./base/bind_internal.h:1170 #36 0x24c5df5 in base::Callback<void ()()>::Run() const ./base/callback.h:272 #37 0x25927d5 in MessageLoop::RunTask(base::PendingTask const&) base/message_loop.cc:459 #38 0x259418c in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:473 #39 0x25949be in MessageLoop::DoWork() base/message_loop.cc:647 #40 0x28a13b7 in base::MessagePumpGlib::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpDispatcher*) base/message_pump_glib.cc:210 #41 0x28a3b75 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_pump_glib.cc:299 #42 0x2590ffd in MessageLoop::RunInternal() base/message_loop.cc:418 #43 0x258e9a3 in MessageLoop::RunHandler() base/message_loop.cc:391 #44 0x258e891 in MessageLoop::Run() base/message_loop.cc:301 #45 0x1acb431 in webkit_support::RunMessageLoop() webkit/support/webkit_support.cc:449 #46 0x7703f7 in TestShell::waitTestFinished() third_party/WebKit/Tools/DumpRenderTree/chromium/TestShellLinux.cpp:75 #47 0x72bc57 in TestShell::runFileTest(TestParams const&) third_party/WebKit/Tools/DumpRenderTree/chromium/TestShell.cpp:270 #48 0x5da1e7 in runTest third_party/WebKit/Tools/DumpRenderTree/chromium/DumpRenderTree.cpp:129 #49 0x5d7c18 in main third_party/WebKit/Tools/DumpRenderTree/chromium/DumpRenderTree.cpp:279 #50 0x7f7d6c38ac4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258 Stats: 265M malloced (812M for red zones) by 1389743 calls Stats: 2M realloced by 4950 calls Stats: 263M freed by 1376153 calls Stats: 197M really freed by 1062565 calls Stats: 372M (95277 full pages) mmaped in 93 calls mmaps by size class: 9:360404; 10:8190; 11:4094; 12:1024; 13:1024; 14:1024; 15:768; 16:448; 17:32; 18:160; 19:8; 20:4; 21:24; mallocs by size class: 9:1350286; 10:17750; 11:9743; 12:3216; 13:2022; 14:2951; 15:2039; 16:1264; 17:37; 18:399; 19:5; 20:4; 21:27; frees by size class: 9:1337293; 10:17387; 11:9606; 12:3177; 13:1995; 14:2936; 15:2032; 16:1257; 17:35; 18:399; 19:5; 20:4; 21:27; rfrees by size class: 9:1033863; 10:12579; 11:7096; 12:2282; 13:1439; 14:2307; 15:1669; 16:957; 17:10; 18:346; 19:5; 20:1; 21:11; Stats: malloc large: 472 small slow: 7319 Also see similar https://bugs.webkit.org/show_bug.cgi?id=84774.