Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2636153002:
Don't keep pointers to table sections when told to recalculate sections. (Closed)
|
Created:
3 years, 11 months ago by mstensho (USE GERRIT) Modified:
3 years, 10 months ago CC:
chromium-reviews, szager+layoutwatch_chromium.org, zoltan1, blink-reviews-layout_chromium.org, pdr+renderingwatchlist_chromium.org, eae+blinkwatch, leviw+renderwatch, jchaffraix+rendering, blink-reviews Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionDon't keep pointers to table sections when told to recalculate sections.
They may have been deleted.
We should ideally assert in header(), footer() and firstBody() in LayoutTable
that we're not waiting for a section recalc, but that's currently failing in one
trybot; see crbug.com/693212
This would have fixed the original use-after-free issue with bug 680224, but
before this CL landed, I found another fix that attacked the root cause instead.
Still no point in keeping potentially dead pointers around, though.
BUG=680224
Review-Url: https://codereview.chromium.org/2636153002
Cr-Commit-Position: refs/heads/master@{#451257}
Committed: https://chromium.googlesource.com/chromium/src/+/25993aa7c80d68de1a53bff157d02c8bc8ec3458
Patch Set 1 #Patch Set 2 : rebase master #Patch Set 3 : rebase master #Patch Set 4 : Disable one DCHECK that causes failures on the linux trybot. #Messages
Total messages: 52 (23 generated)
The CQ bit was checked by mstensho@opera.com to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: win_chromium_x64_rel_ng on master.tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_...)
mstensho@opera.com changed reviewers: + dgrogan@chromium.org, eae@chromium.org
This is great, thank you.
LGTM
LGTM 2 We get an assertion failure in debug but a harmless (not use-afer-free) crash in release, right?
On 2017/01/17 16:00:22, dgrogan wrote: > LGTM 2 > > We get an assertion failure in debug but a harmless (not use-afer-free) crash in > release, right? No crash, just an assertion failure in debug.
The CQ bit was checked by eae@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by mstensho@opera.com
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by mstensho@opera.com
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
On 2017/01/18 11:17:18, commit-bot: I haz the power wrote: > Try jobs failed on following builders: > linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, > http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...) OK, looks like my new assertions fail here (and only here - no layout tests failing): =========== telemetry_perf_unittests (retry summary) telemetry_perf_unittests (retry summary) failures: benchmarks.system_health_smoke_test.SystemHealthBenchmarkSmokeTest.system_health.memory_desktop.browse:news:nytimes benchmarks.system_health_smoke_test.SystemHealthBenchmarkSmokeTest.system_health.memory_desktop.browse:news:reddit =========== I have no idea how to reproduce this locally.
I don't know how to reproduce locally either, but +wangxianzhu probably does :)
I don't know how to reproduce locally either, but +wangxianzhu probably does :)
On 2017/01/18 16:46:15, dgrogan wrote: > I don't know how to reproduce locally either, but +wangxianzhu probably does :) Based on the stack trace, this is related to frame throttling: FrameView::updateViewportIntersectionForSubtree() is called when there are dirty layouts. I'll file a bug add related people for discussion.
On 2017/01/18 17:05:37, Xianzhu wrote: > On 2017/01/18 16:46:15, dgrogan wrote: > > I don't know how to reproduce locally either, but +wangxianzhu probably does > :) > > Based on the stack trace, this is related to frame throttling: > FrameView::updateViewportIntersectionForSubtree() is called when there are dirty > layouts. I'll file a bug add related people for discussion. Thanks!
It seems that we need some time to fix the dirty layout issues. Should we land the setNeedsSectionRecalc() change first, and add the DCHECKs after we fix the dirty layout issue?
On 2017/01/18 22:45:53, Xianzhu wrote: > It seems that we need some time to fix the dirty layout issues. Should we land > the setNeedsSectionRecalc() change first, and add the DCHECKs after we fix the > dirty layout issue? Works for me. Or we can wait with landing this until that is fixed. There's no rush, because I have a different CL that fixes this bug completely (crash/assert-wise): https://codereview.chromium.org/2635143003/ So I removed the dependency on bug 682307.
Can anyone who can access the bug add me to its cc list?
Description was changed from ========== Don't keep pointers to table sections when told to recalculate sections. They may have been deleted. Assert in header(), footer() and firstBody() in LayoutTable that we're not waiting for a section recalc. This fixes the use-after-free issue with bug 680224, but now we get a (albeit way more harmless) assertion failure instead. BUG=680224 ========== to ========== Don't keep pointers to table sections when told to recalculate sections. They may have been deleted. Assert in header(), footer() and firstBody() in LayoutTable that we're not waiting for a section recalc. This fixes the use-after-free issue with bug 680224, but now we get a (albeit way more harmless) assertion failure instead. BUG=680224 ==========
On 2017/01/19 17:09:21, Xianzhu wrote: > Can anyone who can access the bug add me to its cc list? Ah, dgrogan did it some minutes ago. :) Sorry, I kind of thought you had some special privileges, since you added the blocker, but now I realize that you did it from the other bug.
On 2017/01/19 17:38:58, mstensho wrote: > On 2017/01/19 17:09:21, Xianzhu wrote: > > Can anyone who can access the bug add me to its cc list? > > Ah, dgrogan did it some minutes ago. :) Sorry, I kind of thought you had some > special privileges, since you added the blocker, but now I realize that you did > it from the other bug. Ping? We'd like to ghet this in asap!
On 2017/01/23 18:18:53, eae wrote: > On 2017/01/19 17:38:58, mstensho wrote: > > On 2017/01/19 17:09:21, Xianzhu wrote: > > > Can anyone who can access the bug add me to its cc list? > > > > Ah, dgrogan did it some minutes ago. :) Sorry, I kind of thought you had some > > special privileges, since you added the blocker, but now I realize that you > did > > it from the other bug. > > Ping? We'd like to ghet this in asap! Note that landing this isn't essential to fixing the bug anymore, as long as https://codereview.chromium.org/2635143003/ lands.
The CQ bit was checked by mstensho@opera.com to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
On 2017/01/18 22:45:53, Xianzhu wrote: > It seems that we need some time to fix the dirty layout issues. Should we land > the setNeedsSectionRecalc() change first, and add the DCHECKs after we fix the > dirty layout issue? I just confirmed that the DCHECKs are still failing. Maybe it's time to just land my CL without the DCHECKs?
On 2017/02/16 13:47:56, mstensho wrote: > On 2017/01/18 22:45:53, Xianzhu wrote: > > It seems that we need some time to fix the dirty layout issues. Should we land > > the setNeedsSectionRecalc() change first, and add the DCHECKs after we fix the > > dirty layout issue? > > I just confirmed that the DCHECKs are still failing. Maybe it's time to just > land my CL without the DCHECKs? SGTM.
Description was changed from ========== Don't keep pointers to table sections when told to recalculate sections. They may have been deleted. Assert in header(), footer() and firstBody() in LayoutTable that we're not waiting for a section recalc. This fixes the use-after-free issue with bug 680224, but now we get a (albeit way more harmless) assertion failure instead. BUG=680224 ========== to ========== Don't keep pointers to table sections when told to recalculate sections. They may have been deleted. We should ideally assert in header(), footer() and firstBody() in LayoutTable that we're not waiting for a section recalc, but that's currently failing in one trybot; see crbug.com/693212 This would have fixed the original use-after-free issue with bug 680224, but before this CL landed, I found another fix that attacked the root cause instead. Still no point in keeping potentially dead pointers around, though. BUG=680224 ==========
On 2017/02/16 16:45:35, Xianzhu wrote: > On 2017/02/16 13:47:56, mstensho wrote: > > On 2017/01/18 22:45:53, Xianzhu wrote: > > > It seems that we need some time to fix the dirty layout issues. Should we > land > > > the setNeedsSectionRecalc() change first, and add the DCHECKs after we fix > the > > > dirty layout issue? > > > > I just confirmed that the DCHECKs are still failing. Maybe it's time to just > > land my CL without the DCHECKs? > > SGTM. Okay, I'll try that. Actually, we probably only have to remove the DCHECK in header(), and keep the ones in firstBody() and footer(). I'll see how it goes.
The CQ bit was checked by mstensho@opera.com
The patchset sent to the CQ was uploaded after l-g-t-m from dgrogan@chromium.org, eae@chromium.org Link to the patchset: https://codereview.chromium.org/2636153002/#ps60001 (title: "Disable one DCHECK that causes failures on the linux trybot.")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: win_chromium_x64_rel_ng on master.tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_...)
The CQ bit was checked by mstensho@opera.com
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 60001, "attempt_start_ts": 1487312901490000,
"parent_rev": "6b7e091709d04f852f7572556c8dc6c1e8790fbb", "commit_rev":
"25993aa7c80d68de1a53bff157d02c8bc8ec3458"}
Message was sent while issue was closed.
Description was changed from ========== Don't keep pointers to table sections when told to recalculate sections. They may have been deleted. We should ideally assert in header(), footer() and firstBody() in LayoutTable that we're not waiting for a section recalc, but that's currently failing in one trybot; see crbug.com/693212 This would have fixed the original use-after-free issue with bug 680224, but before this CL landed, I found another fix that attacked the root cause instead. Still no point in keeping potentially dead pointers around, though. BUG=680224 ========== to ========== Don't keep pointers to table sections when told to recalculate sections. They may have been deleted. We should ideally assert in header(), footer() and firstBody() in LayoutTable that we're not waiting for a section recalc, but that's currently failing in one trybot; see crbug.com/693212 This would have fixed the original use-after-free issue with bug 680224, but before this CL landed, I found another fix that attacked the root cause instead. Still no point in keeping potentially dead pointers around, though. BUG=680224 Review-Url: https://codereview.chromium.org/2636153002 Cr-Commit-Position: refs/heads/master@{#451257} Committed: https://chromium.googlesource.com/chromium/src/+/25993aa7c80d68de1a53bff157d0... ==========
Message was sent while issue was closed.
Committed patchset #4 (id:60001) as https://chromium.googlesource.com/chromium/src/+/25993aa7c80d68de1a53bff157d0... |
