Apparent browser crash during screen lock
Reported by olofj@chromium.org, Feb 27 2016
Issue description
Chrome Version : 49.0.2623.59
OS Version: 7834.42.0
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 4.x:
IE 7/8/9:
What steps will reproduce the problem?
I locked my screen and walked away, and came back to an unlocked screen saying Chrome had crashed (with the yellow "restore" bar).
I didn't see any sign of crash in chrome://crashes, but syslog showed segfault in chrome process.
I filed feedback for this, report id with logs is 6801189496 (search for "olofj" to find it).
This was a build with the mojo FD leak fixed.
I'm mostly concerned by the fact that the screen goes into unlocked state when chrome restarts. I'd prefer to be logged out.
,
Feb 29 2016
Three very different stack signatures. In the same order as the crashes listed above:

Thread 0 CRASHED [SIGSEGV @ 0x00000019 ]
MAGIC SIGNATURE THREAD
0x00007f6f40f3106d (chrome -ast-value-factory.cc:266 ) v8::internal::AstValueFactory::Internalize
0x00007f6f40ecdcc9 (chrome -parser.cc:5035 ) v8::internal::Parser::ParseStatic
0x00007f6f40dd26c8 (chrome -compiler.cc:1284 ) v8::internal::Compiler::CompileScript
0x00007f6f4226c1af (chrome -api.cc:1783 ) v8::ScriptCompiler::CompileUnboundInternal
0x00007f6f4226c3c1 (chrome -api.cc:1829 ) v8::ScriptCompiler::Compile
0x00007f6f42f9f099 (chrome -V8ScriptRunner.cpp:138 ) blink::::compileAndProduceCache
0x00007f6f42f9eb92 (chrome -Functional.h:62 ) WTF::PartBoundFunctionImpl<4, WTF::FunctionWrapper<v8::MaybeLocal<v8::Script> (*)(blink::CachedMetadataHandler*, unsigned int, v8::ScriptCompiler::CompileOptions, blink::CachedMetadataHandler::CacheType, v8::Isolate*, v8::Local<v8::String>, v8::ScriptOrigin)>, v8::MaybeLocal<v8::Script>(blink::CachedMetadataHandler*, unsigned int, v8::ScriptCompiler::CompileOptions, blink::CachedMetadataHandler::CacheType, v8::Isolate*, v8::Local<v8::String>, v8::ScriptOrigin)>::operator()
0x00007f6f42f9ff1a (chrome -V8ScriptRunner.cpp:369 ) blink::V8ScriptRunner::compileScript
0x00007f6f42fa06c9 (chrome -V8ScriptRunner.cpp:333 ) blink::V8ScriptRunner::compileScript
0x00007f6f42f7949e (chrome -ScriptController.cpp:181 ) blink::ScriptController::executeScriptAndReturnValue
0x00007f6f42f7a1de (chrome -ScriptController.cpp:566 ) blink::ScriptController::evaluateScriptInMainWorld
0x00007f6f42f7a341 (chrome -ScriptController.cpp:539 ) blink::ScriptController::executeScriptInMainWorld
0x00007f6f42a1b0c6 (chrome -ScriptLoader.cpp:419 ) blink::ScriptLoader::executeScript
0x00007f6f42aa3002 (chrome -HTMLScriptRunner.cpp:156 ) blink::HTMLScriptRunner::executePendingScriptAndDispatchEvent
0x00007f6f42aa37b0 (chrome -HTMLScriptRunner.cpp:124 ) blink::HTMLScriptRunner::executeParsingBlockingScript
0x00007f6f42aa381f (chrome -HTMLScriptRunner.cpp:234 ) blink::HTMLScriptRunner::executeParsingBlockingScripts
0x00007f6f42a98496 (chrome -HTMLDocumentParser.cpp:330 ) blink::HTMLDocumentParser::runScriptsForPausedTreeBuilder
0x00007f6f40fc1a05 (chrome -HTMLDocumentParser.cpp:525 ) blink::HTMLDocumentParser::processParsedChunkFromBackgroundParser
0x00007f6f42a9bfd1 (chrome -HTMLDocumentParser.cpp:586 ) blink::HTMLDocumentParser::pumpPendingSpeculations
0x00007f6f42a9c3b9 (chrome -HTMLDocumentParser.cpp:319 ) blink::HTMLDocumentParser::resumeParsingAfterYield
0x00007f6f40c7cd3d (chrome -bind_internal.h:157 ) base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> >)>, void(scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> > > >, base::internal::TypeList<base::internal::UnwrapTraits<base::internal::PassedWrapper<scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> > > > >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> >)>, base::internal::TypeList<scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> > > >, void()>::Run
0x00007f6f40caa61c (chrome -callback.h:394 ) base::debug::TaskAnnotator::RunTask
0x00007f6f410e2702 (chrome -task_queue_manager.cc:264 ) scheduler::TaskQueueManager::DoWork
0x00007f6f40caa61c (chrome -callback.h:394 ) base::debug::TaskAnnotator::RunTask
0x00007f6f40c96030 (chrome -message_loop.cc:486 ) base::MessageLoop::DoWork
0x00007f6f40c967c8 (chrome -message_pump_default.cc:33 ) base::MessagePumpDefault::Run
0x00007f6f4151d5c8 (chrome -run_loop.cc:56 ) base::RunLoop::Run
0x00007f6f4150c908 (chrome -message_loop.cc:293 ) base::MessageLoop::Run
0x00007f6f43b01f3d (chrome -renderer_main.cc:233 ) content::RendererMain
0x00007f6f414c36cf (chrome -content_main_runner.cc:306 ) content::RunZygote
0x00007f6f414c3909 (chrome -content_main_runner.cc:787 ) content::ContentMainRunnerImpl::Run
0x00007f6f414c261a (chrome -content_main.cc:19 ) content::ContentMain
0x00007f6f41166d3e (chrome -chrome_main.cc:67 ) ChromeMain
0x00007f6f3e6f9fb5 (libc-2.19.so -libc-start.c:292 ) __libc_start_main
0x00007f6f41166b9f (chrome + 0x010beb9f )
0x00007fff478379c7

Thread 0 CRASHED [SIGSEGV @ 0xfffffffffffff000 ]
MAGIC SIGNATURE THREAD
0x00007fcc8b4f20bd (chrome -SkRegion.cpp:422 ) SkRegion::Oper
0x00007fcc8b4f2dca (chrome -SkRegion.cpp:1090 ) SkRegion::op
0x00007fcc8b52cb7f (chrome -SkRegion.h:258 ) cc::Region::Union
0x00007fcc8b5582e2 (chrome -invalidation_region.cc:30 ) cc::InvalidationRegion::Union
0x00007fcc8b532015 (chrome -picture_layer.cc:93 ) cc::PictureLayer::SetNeedsDisplayRect
0x00007fcc8b52b32e (chrome -layer.cc:706 ) ui::Layer::SendDamagedRects
0x00007fcc8b52ad9a (chrome -compositor.cc:421 ) ui::SendDamagedRectsRecursive
0x00007fcc8c66cf47 (chrome -single_thread_proxy.cc:795 ) cc::SingleThreadProxy::DoBeginMainFrame
0x00007fcc8c66d0ae (chrome -single_thread_proxy.cc:787 ) cc::SingleThreadProxy::BeginMainFrame
0x00007fcc8b49461c (chrome -callback.h:394 ) base::debug::TaskAnnotator::RunTask
0x00007fcc8b480030 (chrome -message_loop.cc:486 ) base::MessageLoop::DoWork
0x00007fcc8b476652 (chrome -message_pump_libevent.cc:229 ) base::MessagePumpLibevent::Run
0x00007fcc8bd075c8 (chrome -run_loop.cc:56 ) base::RunLoop::Run
0x00007fcc8f0e7104 (chrome -chrome_browser_main.cc:1793 ) ChromeBrowserMainParts::MainMessageLoopRun
0x00007fcc8df252da (chrome -browser_main_loop.cc:946 ) content::BrowserMainLoop::RunMainMessageLoopParts
0x00007fcc8dd877c4 (chrome -browser_main_runner.cc:237 ) content::BrowserMainRunnerImpl::Run
0x00007fcc8dd876a2 (chrome -browser_main.cc:44 ) content::BrowserMain
0x00007fcc8bcad909 (chrome -content_main_runner.cc:787 ) content::ContentMainRunnerImpl::Run
0x00007fcc8bcac61a (chrome -content_main.cc:19 ) content::ContentMain
0x00007fcc8b950d3e (chrome -chrome_main.cc:67 ) ChromeMain
0x00007fcc88ee3fb5 (libc-2.19.so -libc-start.c:292 ) __libc_start_main
0x00007fcc8b950b9f (chrome + 0x010beb9f )
0x00007ffc75b18137

Thread 0 CRASHED [SIGSEGV @ 0x00000000 ]
MAGIC SIGNATURE THREAD
0x00007f6f40e37b57 (chrome -objects-inl.h:1045 ) v8::internal::BodyDescriptorBase::IterateBodyImpl<v8::internal::StaticScavengeVisitor>
0x00007f6f40e2dea4 (chrome -objects-body-descriptors.h:129 ) v8::internal::FlexibleBodyVisitor<v8::internal::StaticScavengeVisitor, v8::internal::FlexibleBodyDescriptor<16>, int>::Visit
0x00007f6f40e308db (chrome -objects-visiting.h:246 ) v8::internal::Heap::DoScavenge
0x00007f6f40e36d7d (chrome -heap.cc:1718 ) v8::internal::Heap::Scavenge
0x00007f6f40e374b7 (chrome -heap.cc:1315 ) v8::internal::Heap::PerformGarbageCollection
0x00007f6f42362acb (chrome -heap.cc:1014 ) v8::internal::Heap::CollectGarbage
0x00007f6f42346029 (chrome -heap-inl.h:550 ) v8::internal::Heap::CollectGarbage
0x00007f6f40e14e60 (chrome -factory.cc:127 ) v8::internal::Factory::NewFixedArray
0x00007f6f40e864f4 (chrome -objects.cc:17064 ) v8::internal::JSObject::MigrateFastToSlow
0x00007f6f40e8afc5 (chrome -objects.cc:2823 ) v8::internal::JSObject::MigrateToMap
0x00007f6f40e8d2a1 (chrome -objects.cc:5530 ) v8::internal::JSObject::NormalizeProperties
0x00007f6f40e8fbaf (chrome -objects.cc:12607 ) v8::internal::Map::SetPrototype
0x00007f6f40e903d3 (chrome -objects.cc:12973 ) v8::internal::JSFunction::SetInitialMap
0x00007f6f40e1b181 (chrome -factory.cc:1294 ) v8::internal::Factory::NewFunction
0x00007f6f40da8e17 (chrome -api-natives.cc:491 ) v8::internal::::InstantiateFunction
0x00007f6f40daa1a0 (chrome -api-natives.cc:31 ) v8::internal::::ConfigureInstance
0x00007f6f42278b9f (chrome -api-natives.cc:223 ) v8::internal::::InstantiateObject
0x00007f6f42278e74 (chrome -api-natives.cc:367 ) v8::internal::ApiNatives::InstantiateObject
0x00007f6f4226cdd7 (chrome -api.cc:5620 ) v8::ObjectTemplate::NewInstance
0x00007f6f42270f6c (chrome -api.cc:5628 ) v8::ObjectTemplate::NewInstance
0x00007f6f43c5865d (chrome -core.cc:375 ) mojo::js::Core::GetModule
0x00007f6f43ad4862 (chrome -render_frame_impl.cc:2308 ) content::RenderFrameImpl::EnsureMojoBuiltinsAreAvailable
0x00007f6f4469e6d8 (chrome -module_system.cc:170 ) extensions::ModuleSystem::ModuleSystem
0x00007f6f4468dce5 (chrome -dispatcher.cc:270 ) extensions::Dispatcher::DidCreateScriptContext
0x00007f6f446925dc (chrome -extension_frame_helper.cc:139 ) extensions::ExtensionFrameHelper::DidCreateScriptContext
0x00007f6f43ad16dd (chrome -render_frame_impl.cc:3940 ) content::RenderFrameImpl::didCreateScriptContext
0x00007f6f42fa4406 (chrome -WindowProxy.cpp:265 ) blink::WindowProxy::initialize
0x00007f6f42fa44df (chrome -WindowProxy.cpp:213 ) blink::WindowProxy::initializeIfNeeded
0x00007f6f42f78ed7 (chrome -ScriptController.cpp:213 ) blink::ScriptController::windowProxy
0x00007f6f42f79ec9 (chrome -ScriptController.cpp:580 ) blink::ScriptController::executeScriptInIsolatedWorld
0x00007f6f425df0d2 (chrome -SuspendableScriptExecutor.cpp:75 ) blink::SuspendableScriptExecutor::executeAndDestroySelf
0x00007f6f425df1b8 (chrome -SuspendableScriptExecutor.cpp:57 ) blink::SuspendableScriptExecutor::run
0x00007f6f425a5c15 (chrome -WebLocalFrameImpl.cpp:929 ) blink::WebLocalFrameImpl::requestExecuteScriptInIsolatedWorld
0x00007f6f446a73b4 (chrome -script_injection.cc:273 ) extensions::ScriptInjection::InjectJs
0x00007f6f446a790b (chrome -script_injection.cc:221 ) extensions::ScriptInjection::Inject
0x00007f6f446a7abb (chrome -script_injection.cc:167 ) extensions::ScriptInjection::TryToInject
0x00007f6f446a8e57 (chrome -script_injection_manager.cc:389 ) extensions::ScriptInjectionManager::TryToInject
0x00007f6f446a9650 (chrome -script_injection_manager.cc:367 ) extensions::ScriptInjectionManager::InjectScripts
0x00007f6f446a985b (chrome -script_injection_manager.cc:333 ) extensions::ScriptInjectionManager::StartInjectScripts
0x00007f6f43ad21d9 (chrome -render_frame_impl.cc:3280 ) content::RenderFrameImpl::didCreateDocumentElement
0x00007f6f425cc085 (chrome -FrameLoaderClientImpl.cpp:178 ) blink::FrameLoaderClientImpl::documentElementAvailable
0x00007f6f42ae239a (chrome -HTMLConstructionSite.cpp:400 ) blink::HTMLConstructionSite::insertHTMLHtmlStartTagBeforeHTML
0x00007f6f40fd2fc0 (chrome -HTMLTreeBuilder.cpp:1082 ) blink::HTMLTreeBuilder::processStartTag
0x00007f6f40fd772a (chrome -HTMLTreeBuilder.cpp:417 ) blink::HTMLTreeBuilder::constructTree
0x00007f6f40fc189a (chrome -HTMLDocumentParser.cpp:734 ) blink::HTMLDocumentParser::processParsedChunkFromBackgroundParser
0x00007f6f42a9bfd1 (chrome -HTMLDocumentParser.cpp:586 ) blink::HTMLDocumentParser::pumpPendingSpeculations
0x00007f6f42a9c3b9 (chrome -HTMLDocumentParser.cpp:319 ) blink::HTMLDocumentParser::resumeParsingAfterYield
0x00007f6f40c7cd3d (chrome -bind_internal.h:157 ) base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> >)>, void(scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> > > >, base::internal::TypeList<base::internal::UnwrapTraits<base::internal::PassedWrapper<scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> > > > >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> >)>, base::internal::TypeList<scoped_ptr<blink::WebTaskRunner::Task, std::default_delete<blink::WebTaskRunner::Task> > > >, void()>::Run
0x00007f6f40caa61c (chrome -callback.h:394 ) base::debug::TaskAnnotator::RunTask
0x00007f6f410e2702 (chrome -task_queue_manager.cc:264 ) scheduler::TaskQueueManager::DoWork
0x00007f6f40caa61c (chrome -callback.h:394 ) base::debug::TaskAnnotator::RunTask
0x00007f6f40c96030 (chrome -message_loop.cc:486 ) base::MessageLoop::DoWork
0x00007f6f40c967c8 (chrome -message_pump_default.cc:33 ) base::MessagePumpDefault::Run
0x00007f6f4151d5c8 (chrome -run_loop.cc:56 ) base::RunLoop::Run
0x00007f6f4150c908 (chrome -message_loop.cc:293 ) base::MessageLoop::Run
0x00007f6f43b01f3d (chrome -renderer_main.cc:233 ) content::RendererMain
0x00007f6f414c36cf (chrome -content_main_runner.cc:306 ) content::RunZygote
0x00007f6f414c3909 (chrome -content_main_runner.cc:787 ) content::ContentMainRunnerImpl::Run
0x00007f6f414c261a (chrome -content_main.cc:19 ) content::ContentMain
0x00007f6f41166d3e (chrome -chrome_main.cc:67 ) ChromeMain
0x00007f6f3e6f9fb5 (libc-2.19.so -libc-start.c:292 ) __libc_start_main
0x00007f6f41166b9f (chrome + 0x010beb9f )
0x00007fff478379c7
,
Feb 29 2016
Let's track the issue that the crash leads to unlock here. I'll make sure there are separate issues tracking the crashes themselves. dzhioev@ can you take a look?
,
Feb 29 2016
cc00f8d400000000 -> bug 518788
da1a1d7000000000 -> bug 590812
214d78d400000000 -> bug 590814
,
Mar 3 2016
Any findings in the investigation of this issue?
,
Mar 4 2016
According to the logs, somebody or something unlocked the device 15 minutes before the crash happened:

2016-02-27T12:50:02.099123-08:00 INFO session_manager[1584]: [INFO:session_manager_impl.cc(483)] LockScreen() method called.
2016-02-27T12:50:03.898229-08:00 INFO session_manager[1584]: [INFO:session_manager_impl.cc(487)] HandleLockScreenShown() method called. <---- screen locked
2016-02-27T12:51:22.009294-08:00 INFO session_manager[1584]: [INFO:session_manager_impl.cc(483)] LockScreen() method called. <--- This was called by the idle detector (noop as screen is locked)
2016-02-27T12:51:59.447850-08:00 INFO session_manager[1584]: [INFO:session_manager_impl.cc(493)] HandleLockScreenDismissed() method called. <---- screen unlocked
2016-02-27T13:04:37.480953-08:00 INFO kernel: [184263.166269] chrome[25718]: segfault at 19 ip 00007f6f40f3106d sp 00007fff47835ac0 error 4 in chrome[7f6f400a8000+60d4000] <----- crash

I also see from the logs that somebody interacted with the device after it was unlocked (many "Saw user activity" entries in the powerd logs). olofj@, could it be that somebody unlocked the device while you were away?
,
Mar 4 2016
No, nobody unlocked the device. I was using it on and off, walking away (I always lock manually when I do). I think I went to the bathroom, clearly remembering locking the device as I walked off. When I came back, I had the device unlocked, and the chrome window on the active desktop had the "chrome crashed, restore tabs" yellow banner/button up. So, yes, I probably locked and unlocked it at 12:51, but I also locked it before the crash, or even _at_ the crash. I hit ctrl-shift-l and walked away, didn't look that closely at it.
,
Mar 5 2016
The session manager didn't receive the last lock request, so I suspect you tried to lock shortly after the crash, when the browser was already unresponsive and couldn't handle shortcuts, but the screen hadn't gone black yet. I can't find any other explanation. +session manager authors. Mattias, Dan, what do you think?
,
Mar 5 2016
s/authors/owners/ :-P Crashes are at https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_ChromeOS%27%20AND%20clientid%3D%27E8D2CBF75C5BA84209C921EE37F6B524%27&ignore_case=false I don't see a browser crash corresponding to 2016-02-27 13:04:37 PST, though. It seems likely to me that Chrome crashed while trying to lock the screen, too. Olof, can you check the chrome log file in /home/chronos/user/log (IIRC) spanning the crash to see if it ends with Chrome announcing that it's starting to lock the screen?
,
Mar 7 2016
Updating title since the logs don't indicate that the screen was locked when the crash happened.
,
Mar 7 2016
Re #9: This machine is not in devmode, so I can't get access to the raw files. I did upload a feedback report with the logs, but it seems it only contains the user log from after when Chrome restarted, not the one before it went down. First entry in there is from 0227/130445. /var/log/chrome doesn't contain anything from before the crash either, possibly due to the age of the logs by now (1 week).
,
Mar 7 2016
#11: file:///home/chronos/user/log
,
Mar 7 2016
#12: Same contents as /var/log/chrome, it seems -- or at least rolled at the same time, so no entries from before crash. :(
,
Mar 8 2016
Ah, that's weird. /var/log/chrome should have stuff that occurred when nobody was logged in (i.e. only at the login screen, I think), and /home/chronos/user/log (within your encrypted home dir) has everything that happened after you logged in, so it's strange if they're the same. Entirely possible that Chrome crashed before it logged anything about the lock request, though. If you go to chrome://crashes and click "Start uploading crashes", do you see more crashes show up eventually?
,
Mar 8 2016
Not from that day, just the three described above. I had a set of crashes later on (Monday), but those were unrelated as far as I can tell (random memory corruption).
,
Mar 8 2016
Removing the stable blocker based on c#10. Let's continue the investigation and, depending on the outcome, reconsider for a potential merge to M49.
,
Mar 9 2016
To #9:
> It seems likely to me that Chrome crashed while trying to lock the screen, too.
If this had happened, we would have seen the "LockScreen() method called." message in the session manager logs. As far as I understand, this is how screen lock works:
1. The user presses a screen lock shortcut.
2. The chrome process calls the session manager's org.chromium.SessionManagerInterface.LockScreen method.
3. The session manager marks the device as locked. At this moment it writes "LockScreen() method called." to the log.
4. The session manager calls the chrome process's org.chromium.LibCrosServiceInterface.LockScreen method.
5. The chrome process starts to display the lock UI.
So basically chrome doesn't do anything lock related until it is called back by the session manager.
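The two pieces of evidence in this thread, the session_manager/kernel log excerpt in the Mar 4 comment and the lock sequence described in this comment, can be combined into a small timeline check. The script below is an added example written for this page, not Chromium or session_manager code. It replays the five log lines quoted in the Mar 4 comment (embedded as sample input), tracks lock state using the sequence above (device counts as locked from LockScreen() onwards, lock UI up after HandleLockScreenShown(), unlocked after HandleLockScreenDismissed(), a repeated LockScreen() while locked is a no-op), and reports for each chrome segfault what the lock state was at crash time and whether any LockScreen() request reached session_manager afterwards. The syslog line layout in the regexes and the assumption that the session starts unlocked are this example's own.

```python
"""Added example: rebuild the screen-lock state timeline from Chrome OS syslog
lines and report what state the lock was in when a chrome segfault occurred."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: the five session_manager / kernel lines quoted in the thread,
# one per line (the thread shows them run together).
SAMPLE_LOG = """\
2016-02-27T12:50:02.099123-08:00 INFO session_manager[1584]: [INFO:session_manager_impl.cc(483)] LockScreen() method called.
2016-02-27T12:50:03.898229-08:00 INFO session_manager[1584]: [INFO:session_manager_impl.cc(487)] HandleLockScreenShown() method called.
2016-02-27T12:51:22.009294-08:00 INFO session_manager[1584]: [INFO:session_manager_impl.cc(483)] LockScreen() method called.
2016-02-27T12:51:59.447850-08:00 INFO session_manager[1584]: [INFO:session_manager_impl.cc(493)] HandleLockScreenDismissed() method called.
2016-02-27T13:04:37.480953-08:00 INFO kernel: [184263.166269] chrome[25718]: segfault at 19 ip 00007f6f40f3106d sp 00007fff47835ac0 error 4 in chrome[7f6f400a8000+60d4000]
"""

# Assumed line layout: "<ISO-8601 timestamp> <level> <tag>[<pid>]: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) (?P<tag>\w+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SM_METHOD_RE = re.compile(r"\] (?P<method>\w+)\(\) method called\.")
SEGFAULT_RE = re.compile(
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+)")

# State reached after each session_manager method, following the sequence in
# the comment above: the device counts as locked from LockScreen() onwards, the
# lock UI is up after HandleLockScreenShown(), HandleLockScreenDismissed() unlocks.
TRANSITIONS: Dict[str, str] = {
    "LockScreen": "lock_requested",
    "HandleLockScreenShown": "locked",
    "HandleLockScreenDismissed": "unlocked",
}


@dataclass
class Event:
    ts: datetime
    kind: str           # "lock" (session_manager method) or "segfault" (kernel)
    detail: str         # method name, or "<proc>[<pid>] ip 0x..." for a crash
    state_after: str    # lock state once this event has been applied
    noop: bool = False  # True for a LockScreen() that arrived while already locked


def parse_log(text: str) -> List[Event]:
    """Turn the relevant log lines into Events, tracking lock state as we go."""
    events: List[Event] = []
    state = "unlocked"  # assumption: the session starts unlocked
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["tag"] == "session_manager":
            sm = SM_METHOD_RE.search(m["msg"])
            if not sm or sm["method"] not in TRANSITIONS:
                continue
            # A repeated LockScreen() while locked (e.g. from the idle detector)
            # does not change state; record it but mark it as a no-op.
            noop = sm["method"] == "LockScreen" and state != "unlocked"
            if not noop:
                state = TRANSITIONS[sm["method"]]
            events.append(Event(ts, "lock", sm["method"], state, noop))
        elif m["tag"] == "kernel":
            sf = SEGFAULT_RE.search(m["msg"])
            if sf:
                detail = f"{sf['proc']}[{sf['pid']}] ip 0x{sf['ip']}"
                events.append(Event(ts, "segfault", detail, state))
    return events


def assess_crashes(text: str) -> List[Dict[str, object]]:
    """For each segfault: lock state at crash time, seconds since the last
    effective lock transition, and how many LockScreen() requests were logged
    after the crash (any would show the shortcut reached session_manager)."""
    events = parse_log(text)
    findings: List[Dict[str, object]] = []
    last_transition: Optional[Event] = None
    for ev in events:
        if ev.kind == "lock":
            if not ev.noop:
                last_transition = ev
            continue
        gap = (ev.ts - last_transition.ts).total_seconds() if last_transition else None
        later = sum(1 for e in events
                    if e.kind == "lock" and e.detail == "LockScreen" and e.ts > ev.ts)
        findings.append({
            "crash": ev.detail,
            "time": ev.ts.isoformat(),
            "state_at_crash": ev.state_after,
            "seconds_since_last_transition": gap,
            "lock_requests_after_crash": later,
        })
    return findings


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        flag = " (no-op)" if ev.noop else ""
        print(f"{ev.ts.isoformat()}  {ev.kind:8s} {ev.detail}{flag} -> {ev.state_after}")
    for finding in assess_crashes(SAMPLE_LOG):
        print(finding)
```

Run against the quoted lines it reports the crash at 13:04:37 in the "unlocked" state, about 758 seconds after the HandleLockScreenDismissed() at 12:51:59, with no LockScreen() request logged afterwards, which is the reading the thread arrives at. Pointing it at a full /var/log/messages would also surface the case that interests the reporter most: a segfault landing while the state is "lock_requested" or "locked" followed by Chrome restarting into an unlocked session.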
,
Mar 9 2016
To clarify, I meant that Chrome could've crashed while handling the accelerator or something similar.
,
May 18 2016
This seems to have stalled. Is this still happening? dzhioev@ has been pulled into other high-priority tasks. I'll need to find a new owner.
,
May 18 2016
I don't think that anything relevant was present in logs or crash reports, so I'm not sure that anything more can happen unless there are more details or a repro. It'd be possible to add yet another log message when Chrome first sees the lock shortcut to give us more data if/when this happens again, I guess.
,
May 18 2016
,
Jun 14 2016
Comment 1 by olofj@chromium.org, Feb 29 2016