112958 – http://trac.webkit.org/changeset/146375 causing CrOS crashes

RESOLVED FIXED 112958

http://trac.webkit.org/changeset/146375 causing CrOS crashes

https://bugs.webkit.org/show_bug.cgi?id=112958

Summary http://trac.webkit.org/changeset/146375 causing CrOS crashes

Peter Kasting

Reported 2013-03-21 13:30:41 PDT

After r146375, the ChromeOS downstream bots are having crashes. Here's a relevant stack trace, from http://build.chromium.org/p/chromium.memory/builders/Linux%20Chromium%20OS%20ASAN%20Tests%20%283%29/builds/3900/steps/browser_tests/logs/stdio : ASAN:SIGSEGV ================================================================= ==17658== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000002b5e33a sp 0x7fff74e37850 bp 0x7fff74e37870 T0) AddressSanitizer can not provide additional info. #0 0x2b5e339 in treeScope /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.h:482:0 #1 0x2b5e339 in documentInternal /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.h:786:0 #2 0x2b5e339 in document /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.h:479:0 #3 0x2b5e339 in document /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderObject.h:657:0 #4 0x2b5e339 in WebCore::RenderDeprecatedFlexibleBox::RenderDeprecatedFlexibleBox(WebCore::Element*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:128:0 #5 0x2b5e4fa in WebCore::RenderDeprecatedFlexibleBox::createAnonymous(WebCore::Document*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:143:0 #6 0x2aed399 in WebCore::RenderBlock::createAnonymousWithParentRendererAndDisplay(WebCore::RenderObject const*, WebCore::EDisplay) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:8031:0 #7 0xb1a0cbd in style /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderBlock.h:277:0 #8 0xb1a0cbd in WebCore::RenderButton::addChild(WebCore::RenderObject*, WebCore::RenderObject*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/rendering/RenderButton.cpp:53:0 #9 0x7cb68fb in WebCore::NodeRenderingContext::createRendererForElementIfNeeded() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/NodeRenderingContext.cpp:284:0 #10 0x7c43da2 in createRendererIfNeeded /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1261:0 #11 0x7c43da2 in WebCore::Element::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1270:0 #12 0x7ba1760 in attachChildren /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.h:197:0 #13 0x7ba1760 in WebCore::ContainerNode::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:826:0 #14 0x7c440ce in WebCore::Element::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1284:0 #15 0x5531d78 in WebCore::HTMLFormControlElement::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/html/HTMLFormControlElement.cpp:215:0 #16 0x7ba1760 in attachChildren /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.h:197:0 #17 0x7ba1760 in WebCore::ContainerNode::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:826:0 #18 0x7c440ce in WebCore::Element::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1284:0 #19 0x7ba1760 in attachChildren /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.h:197:0 #20 0x7ba1760 in WebCore::ContainerNode::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/ContainerNode.cpp:826:0 #21 0x7c440ce in WebCore::Element::attach() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1284:0 #22 0x7c46693 in reattach /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.h:896:0 #23 0x7c46693 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1395:0 #24 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0 #25 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0 #26 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0 #27 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0 #28 0x7c46d8d in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:1460:0 #29 0x7bd13c2 in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Document.cpp:1870:0 #30 0x7bd2a12 in updateStyleIfNeeded /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Document.cpp:1913:0 #31 0x7bd2a12 in WebCore::Document::updateLayout() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Document.cpp:1944:0 #32 0x7bd2cad in WebCore::Document::updateLayoutIgnorePendingStylesheets() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Document.cpp:1982:0 #33 0x7c381d3 in WebCore::Element::offsetHeight() /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Element.cpp:529:0 #34 0x8648c2e in offsetHeightAttrGetterForMainWorld /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/gen/webcore/bindings/V8Element.cpp:207:0 #35 0x8648c2e in WebCore::ElementV8Internal::offsetHeightAttrGetterCallbackForMainWorld(v8::Local<v8::String>, v8::AccessorInfo const&) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/gen/webcore/bindings/V8Element.cpp:212:0 #36 0xa52a09d in v8::internal::JSObject::GetPropertyWithCallback(v8::internal::Object*, v8::internal::Object*, v8::internal::Name*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../v8/src/objects.cc:344:0 #37 0xa3e9bd2 in v8::internal::LoadIC::Load(v8::internal::InlineCacheState, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::String>) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../v8/src/ic.cc:947:0 #38 0xa3f8fd6 in v8::internal::LoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) /mnt/data/b/build/slave/Linux_Chromium_OS_ASAN_Builder/build/src/out/Release/../../v8/src/ic.cc:2061:0 #39 0x7f104ab062ed in ==17658== ABORTING

Attachments
Patch (3.93 KB, patch) 2013-03-21 14:19 PDT, Christian Biesinger	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Adam Barth

Comment 1 2013-03-21 13:44:00 PDT

We should probably roll out r146375 while we investigate.

Christian Biesinger

Comment 2 2013-03-21 14:05:07 PDT

We figured it out. For anonymous bitfields, m_node is set only after the constructor. Patch coming up.

Christian Biesinger

Comment 3 2013-03-21 14:19:42 PDT

Created attachment 194336 [details] Patch

WebKit Review Bot

Comment 4 2013-03-21 14:40:02 PDT

Comment on attachment 194336 [details] Patch Clearing flags on attachment: 194336 Committed r146522: <http://trac.webkit.org/changeset/146522>

WebKit Review Bot

Comment 5 2013-03-21 14:40:06 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component Layout and Rendering

Assignee

Christian Biesinger

Reported

2013-03-21 13:30 PDT

Modified

2013-03-21 14:40 PDT History

CC List

6 users Show

URL

Keywords

Depends on

Blocks

112740

Dependencies

tree graph