Bug 112958 - http://trac.webkit.org/changeset/146375 causing CrOS crashes
Summary: http://trac.webkit.org/changeset/146375 causing CrOS crashes
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Christian Biesinger
URL:
Keywords:
Depends on:
Blocks: 112740
Reported: 2013-03-21 13:30 PDT by Peter Kasting
Modified: 2013-03-21 14:40 PDT (History)
CC List: 6 users

See Also:


Attachments
Patch (3.93 KB, patch)
2013-03-21 14:19 PDT, Christian Biesinger
no flags

Description Peter Kasting 2013-03-21 13:30:41 PDT
After r146375, the ChromeOS downstream bots are having crashes.  Here's a relevant stack trace, from http://build.chromium.org/p/chromium.memory/builders/Linux%20Chromium%20OS%20ASAN%20Tests%20%283%29/builds/3900/steps/browser_tests/logs/stdio :

ASAN:SIGSEGV
=================================================================
==17658== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000002b5e33a sp 0x7fff74e37850 bp 0x7fff74e37870 T0)
AddressSanitizer can not provide additional info.
    #0 0x2b5e339 in treeScope /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.h:482:0
    #1 0x2b5e339 in documentInternal /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.h:786:0
    #2 0x2b5e339 in document /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.h:479:0
    #3 0x2b5e339 in document /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderObject.h:657:0
    #4 0x2b5e339 in WebCore::RenderDeprecatedFlexibleBox::RenderDeprecatedFlexibleBox(WebCore::Element*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:128:0
    #5 0x2b5e4fa in WebCore::RenderDeprecatedFlexibleBox::createAnonymous(WebCore::Document*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:143:0
    #6 0x2aed399 in WebCore::RenderBlock::createAnonymousWithParentRendererAndDisplay(WebCore::RenderObject const*, WebCore::EDisplay) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:8031:0
    #7 0xb1a0cbd in style /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.h:277:0
    #8 0xb1a0cbd in WebCore::RenderButton::addChild(WebCore::RenderObject*, WebCore::RenderObject*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderButton.cpp:53:0
    #9 0x7cb68fb in WebCore::NodeRenderingContext::createRendererForElementIfNeeded() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/NodeRenderingContext.cpp:284:0
    #10 0x7c43da2 in createRendererIfNeeded /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1261:0
    #11 0x7c43da2 in WebCore::Element::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1270:0
    #12 0x7ba1760 in attachChildren /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.h:197:0
    #13 0x7ba1760 in WebCore::ContainerNode::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:826:0
    #14 0x7c440ce in WebCore::Element::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1284:0
    #15 0x5531d78 in WebCore::HTMLFormControlElement::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/html/HTMLFormControlElement.cpp:215:0
    #16 0x7ba1760 in attachChildren /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.h:197:0
    #17 0x7ba1760 in WebCore::ContainerNode::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:826:0
    #18 0x7c440ce in WebCore::Element::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1284:0
    #19 0x7ba1760 in attachChildren /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.h:197:0
    #20 0x7ba1760 in WebCore::ContainerNode::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:826:0
    #21 0x7c440ce in WebCore::Element::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1284:0
    #22 0x7c46693 in reattach /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.h:896:0
    #23 0x7c46693 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1395:0
    #24 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0
    #25 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0
    #26 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0
    #27 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0
    #28 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0
    #29 0x7bd13c2 in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Document.cpp:1870:0
    #30 0x7bd2a12 in updateStyleIfNeeded /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Document.cpp:1913:0
    #31 0x7bd2a12 in WebCore::Document::updateLayout() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Document.cpp:1944:0
    #32 0x7bd2cad in WebCore::Document::updateLayoutIgnorePendingStylesheets() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Document.cpp:1982:0
    #33 0x7c381d3 in WebCore::Element::offsetHeight() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:529:0
    #34 0x8648c2e in offsetHeightAttrGetterForMainWorld /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/gen/webcore/bindings/V8Element.cpp:207:0
    #35 0x8648c2e in WebCore::ElementV8Internal::offsetHeightAttrGetterCallbackForMainWorld(v8::Local<v8::String>, v8::AccessorInfo const&) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/gen/webcore/bindings/V8Element.cpp:212:0
    #36 0xa52a09d in v8::internal::JSObject::GetPropertyWithCallback(v8::internal::Object*, v8::internal::Object*, v8::internal::Name*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../v8/src/objects.cc:344:0
    #37 0xa3e9bd2 in v8::internal::LoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::String>) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../v8/src/ic.cc:947:0
    #38 0xa3f8fd6 in v8::internal::LoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../v8/src/ic.cc:2061:0
    #39 0x7f104ab062ed in
==17658== ABORTING
Comment 1 Adam Barth 2013-03-21 13:44:00 PDT
We should probably roll out r146375 while we investigate.
Comment 2 Christian Biesinger 2013-03-21 14:05:07 PDT
We figured it out. For anonymous bitfields, m_node is set only after the constructor. Patch coming up.
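The failure mode comment 2 describes, as an added example that is not WebKit's code: a toy RenderObject whose document() goes through m_node, a createAnonymous factory that builds the renderer with a null node and only then sets its document (modelled on the createAnonymous frame in the trace), a constructor that reads document() too early, and the reordered version that defers the lookup. All class and member names beyond those visible in the trace are assumptions.

```cpp
#include <cassert>

// Toy stand-ins for WebCore's Document, Node and RenderObject (constructed for
// this example; not WebKit's real classes).
struct Document;
struct Node {
    Document* m_document;
    explicit Node(Document* doc) : m_document(doc) {}
    Document* document() const { return m_document; }  // reads a field via `this`
};
struct Document : Node {
    bool flexboxEnabled = true;
    Document() : Node(nullptr) { m_document = this; }
};

class RenderObject {
public:
    explicit RenderObject(Node* node) : m_node(node) {}
    virtual ~RenderObject() {}
    // As in WebCore, document() goes through m_node. An anonymous renderer has
    // m_node == nullptr until the factory calls setDocumentForAnonymous(), so
    // document() inside the constructor dereferences null: the SEGV on a small
    // address (0x20) that ASAN reports above.
    Document* document() const { return m_node->document(); }
    void setDocumentForAnonymous(Document* doc) { assert(!m_node); m_node = doc; }
private:
    Node* m_node;
};

// Before: reads document() in the constructor. Fine for a node-backed renderer,
// a null dereference when the factory constructs it anonymously.
class UnsafeFlexBox : public RenderObject {
public:
    explicit UnsafeFlexBox(Node* node) : RenderObject(node), m_enabled(document()->flexboxEnabled) {}
    bool enabled() const { return m_enabled; }
private:
    bool m_enabled;
};

// After: the constructor touches nothing that depends on m_node; the lookup is
// deferred until the document is guaranteed to have been set.
class SafeFlexBox : public RenderObject {
public:
    explicit SafeFlexBox(Node* node) : RenderObject(node) {}
    bool enabled() const { return document()->flexboxEnabled; }
    static SafeFlexBox* createAnonymous(Document* doc) {
        SafeFlexBox* box = new SafeFlexBox(nullptr);  // m_node is null in the ctor
        box->setDocumentForAnonymous(doc);            // only set afterwards
        return box;
    }
};
```

Constructing UnsafeFlexBox through an equivalent anonymous factory is the crash in the report; the test below only exercises the paths that are valid.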
Comment 3 Christian Biesinger 2013-03-21 14:19:42 PDT
Created attachment 194336 [details]
Patch
Comment 4 WebKit Review Bot 2013-03-21 14:40:02 PDT
Comment on attachment 194336 [details]
Patch

Clearing flags on attachment: 194336

Committed r146522: <http://trac.webkit.org/changeset/146522>
Comment 5 WebKit Review Bot 2013-03-21 14:40:06 PDT
All reviewed patches have been landed.  Closing bug.