New issue
Advanced search Search tips

Issue 592771 link

Starred by 1 user
Status: Duplicate
Merged: issue 582755
Owner:
e...@chromium.org
Closed: Mar 2016
Cc:
thestig@chromium.org
keishi@chromium.org
haraken@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug



Sign in to add a comment

Flaky memory errors reported in webkit_unittests WebFrameTests

Project Member Reported by benwells@chromium.org, Mar 7 2016 
Seem to have started in this build: 
https://build.chromium.org/p/chromium.memory/builders/Mac%20ASan%2064%20Tests%20%281%29/builds/12870

But the only change in that build was reverted, which didn't help at all.

Current theory is that something has changed in blink GC in an earlier build to cause the flaky errors.

Adding keishi@ as he made a change to the blink GC recently, although I have no idea if it is related.

Example output:
==27979==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000002bd50 at pc 0x00010e08d765 bp 0x7fff58e4fd50 sp 0x7fff58e4fd48
READ of size 8 at 0x61000002bd50 thread T0
    #0 0x10e08d764 in blink::PaintLayerScrollableArea::scrollbarsCanBeActive() const (in webkit_unit_tests) + 420
    #1 0x10977b061 in blink::ScrollAnimatorMac::updateScrollerStyle() (in webkit_unit_tests) + 273
    #2 0x7fff8ebf4f3d in +[NSScrollerImpPair _updateAllScrollerImpPairsForNewRecommendedScrollerStyle:] (in AppKit) + 400
    #3 0x7fff84b74e0b in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (in CoreFoundation) + 11
    #4 0x7fff84a6882c in _CFXNotificationPost (in CoreFoundation) + 2892
    #5 0x7fff8d4eadd9 in -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation) + 67
    #6 0x11181fef3 in 0x00047ef3 (in libclang_rt.asan_osx_dynamic.dylib) + 259
    #7 0x7fff8b9881ba in _dispatch_call_block_and_release (in libdispatch.dylib) + 11
    #8 0x7fff8b98528c in _dispatch_client_callout (in libdispatch.dylib) + 7
    #9 0x7fff8b98ceef in _dispatch_main_queue_callback_4CF (in libdispatch.dylib) + 332
    #10 0x7fff84b0d4f8 in __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ (in CoreFoundation) + 8
    #11 0x7fff84ac8713 in __CFRunLoopRun (in CoreFoundation) + 1635
    #12 0x7fff84ac7e74 in CFRunLoopRunSpecific (in CoreFoundation) + 308
    #13 0x7fff8ae53a0c in RunCurrentEventLoopInMode (in HIToolbox) + 225
    #14 0x7fff8ae53684 in ReceiveNextEventCommon (in HIToolbox) + 172
    #15 0x7fff8ae535bb in _BlockUntilNextEventMatchingListInModeWithFilter (in HIToolbox) + 64
    #16 0x7fff8e2de24d in _DPSNextEvent (in AppKit) + 1433
    #17 0x7fff8e2dd89a in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 121
    #18 0x7fff8e2d199b in -[NSApplication run] (in AppKit) + 552
    #19 0x10922b237 in base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) (in webkit_unit_tests) + 983
    #20 0x10922910b in base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) (in webkit_unit_tests) + 395
    #21 0x1092a5578 in base::RunLoop::Run() (in webkit_unit_tests) + 504
    #22 0x106daf386 in (anonymous namespace)::runHelper(base::TestSuite*) (in webkit_unit_tests) + 486
    #23 0x10937b44d in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback\u003Cint ()> const&, int, int, bool, base::Callback\u003Cvoid ()> const&) (in webkit_unit_tests) + 685
    #24 0x10937b0e0 in base::LaunchUnitTests(int, char**, base::Callback\u003Cint ()> const&) (in webkit_unit_tests) + 480
    #25 0x106daf0e7 in main (in webkit_unit_tests) + 423
    #26 0x106daef33 in start (in webkit_unit_tests) + 51
    #27 0x7  (\u003Cunknown module>)

0x61000002bd50 is located 16 bytes inside of 192-byte region [0x61000002bd40,0x61000002be00)
freed by thread T0 here:
    #0 0x1118209b9 in 0x000489b9 (in libclang_rt.asan_osx_dynamic.dylib) + 201
    #1 0x10e255db9 in blink::LayoutBlock::willBeDestroyed() (in webkit_unit_tests) + 1161
    #2 0x10e5547ab in blink::LayoutView::willBeDestroyed() (in webkit_unit_tests) + 59
    #3 0x10e4496d1 in blink::LayoutObject::destroy() (in webkit_unit_tests) + 65
    #4 0x10cbb6a89 in blink::Node::detach(blink::Node::AttachContext const&) (in webkit_unit_tests) + 265
    #5 0x10ca333ee in blink::ContainerNode::detach(blink::Node::AttachContext const&) (in webkit_unit_tests) + 414
    #6 0x10caa1820 in blink::Document::detach(blink::Node::AttachContext const&) (in webkit_unit_tests) + 2400
    #7 0x10dc2aeab in blink::LocalFrame::detach(blink::FrameDetachType) (in webkit_unit_tests) + 955
    #8 0x10df7ec28 in blink::Page::willBeDestroyed() (in webkit_unit_tests) + 248
    #9 0x10c63a2b4 in blink::WebViewImpl::close() (in webkit_unit_tests) + 532
    #10 0x107fd1395 in blink::FrameTestHelpers::WebViewHelper::~WebViewHelper() (in webkit_unit_tests) + 165
    #11 0x1082e9bc0 in blink::ParameterizedWebFrameTest_CharacterIndexAtPointWithPinchZoom_Test::TestBody() (in webkit_unit_tests) + 1392
    #12 0x1093bc53d in testing::Test::Run() (in webkit_unit_tests) + 765
    #13 0x1093bde55 in testing::TestInfo::Run() (in webkit_unit_tests) + 1045
    #14 0x1093bf0f3 in testing::TestCase::Run() (in webkit_unit_tests) + 1299
    #15 0x1093d0afa in testing::internal::UnitTestImpl::RunAllTests() (in webkit_unit_tests) + 2282
    #16 0x1093d0139 in testing::UnitTest::Run() (in webkit_unit_tests) + 409
    #17 0x1093846b8 in base::TestSuite::Run() (in webkit_unit_tests) + 664
    #18 0x106daf279 in (anonymous namespace)::runHelper(base::TestSuite*) (in webkit_unit_tests) + 217
    #19 0x10937b44d in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback\u003Cint ()> const&, int, int, bool, base::Callback\u003Cvoid ()> const&) (in webkit_unit_tests) + 685
    #20 0x10937b0e0 in base::LaunchUnitTests(int, char**, base::Callback\u003Cint ()> const&) (in webkit_unit_tests) + 480
    #21 0x106daf0e7 in main (in webkit_unit_tests) + 423
    #22 0x106daef33 in start (in webkit_unit_tests) + 51
    #23 0x7  (\u003Cunknown module>)

previously allocated by thread T0 here:
    #0 0x1118207f0 in 0x000487f0 (in libclang_rt.asan_osx_dynamic.dylib) + 192
    #1 0x10e0523f8 in blink::PaintLayer::operator new(unsigned long) (in webkit_unit_tests) + 8
    #2 0x10e33456d in blink::LayoutBoxModelObject::createLayer(blink::PaintLayerType) (in webkit_unit_tests) + 333
    #3 0x10e333421 in blink::LayoutBoxModelObject::styleDidChange(blink::StyleDifference, blink::ComputedStyle const*) (in webkit_unit_tests) + 1537
    #4 0x10e2e2a48 in blink::LayoutBox::styleDidChange(blink::StyleDifference, blink::ComputedStyle const*) (in webkit_unit_tests) + 264
    #5 0x10e257517 in blink::LayoutBlock::styleDidChange(blink::StyleDifference, blink::ComputedStyle const*) (in webkit_unit_tests) + 39
    #6 0x10e2a4e07 in blink::LayoutBlockFlow::styleDidChange(blink::StyleDifference, blink::ComputedStyle const*) (in webkit_unit_tests) + 55
    #7 0x10e43a385 in blink::LayoutObject::setStyle(WTF::PassRefPtr\u003Cblink::ComputedStyle>) (in webkit_unit_tests) + 3525
    #8 0x10caa0a87 in blink::Document::attach(blink::Node::AttachContext const&) (in webkit_unit_tests) + 407
    #9 0x10dc012b1 in blink::LocalDOMWindow::installNewDocument(WTF::String const&, blink::DocumentInit const&, bool) (in webkit_unit_tests) + 721
    #10 0x10dea53f8 in blink::DocumentLoader::createWriterFor(blink::DocumentInit const&, WTF::AtomicString const&, WTF::AtomicString const&, bool, blink::ParserSynchronizationPolicy) (in webkit_unit_tests) + 408
    #11 0x10dea4fa6 in blink::DocumentLoader::ensureWriter(WTF::AtomicString const&, blink::KURL const&) (in webkit_unit_tests) + 998
    #12 0x10dea0c11 in blink::DocumentLoader::commitData(char const*, unsigned long) (in webkit_unit_tests) + 225
    #13 0x10dea5997 in blink::DocumentLoader::processData(char const*, unsigned long) (in webkit_unit_tests) + 487
    #14 0x10dea560e in blink::DocumentLoader::dataReceived(blink::Resource*, char const*, unsigned long) (in webkit_unit_tests) + 302
    #15 0x10db1110e in blink::RawResource::appendData(char const*, unsigned long) (in webkit_unit_tests) + 734
    #16 0x10946e82b in WebURLLoaderMock::ServeAsynchronousRequest(blink::WebURLLoaderTestDelegate*, blink::WebURLResponse const&, blink::WebData const&, blink::WebURLError const&) (in webkit_unit_tests) + 779
    #17 0x109471905 in WebURLLoaderMockFactory::ServeAsynchronousRequests() (in webkit_unit_tests) + 1477
    #18 0x107fd29ae in blink::FrameTestHelpers::(anonymous namespace)::runServeAsyncRequestsTask(blink::FrameTestHelpers::TestWebFrameClient*) (in webkit_unit_tests) + 270
    #19 0x10f3c75ff in base::internal::Invoker\u003Cbase::IndexSequence\u003C0ul>, base::internal::BindState\u003Cbase::internal::RunnableAdapter\u003Cvoid (*)(scoped_ptr\u003Cblink::WebTaskRunner::Task, std::__1::default_delete\u003Cblink::WebTaskRunner::Task> >)>, void (scoped_ptr\u003Cblink::WebTaskRunner::Task, std::__1::default_delete\u003Cblink::WebTaskRunner::Task> >), base::internal::PassedWrapper\u003Cscoped_ptr\u003Cblink::WebTaskRunner::Task, std::__1::default_delete\u003Cblink::WebTaskRunner::Task> > > >, base::internal::InvokeHelper\u003Cfalse, void, base::internal::RunnableAdapter\u003Cvoid (*)(scoped_ptr\u003Cblink::WebTaskRunner::Task, std::__1::default_delete\u003Cblink::WebTaskRunner::Task> >)> >, void ()>::Run(base::internal::BindStateBase*) (in webkit_unit_tests) + 415
    #20 0x10924315c in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) (in webkit_unit_tests) + 748
    #21 0x10f3afcf4 in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*) (in webkit_unit_tests) + 1476
    #22 0x10f3ac9f8 in scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) (in webkit_unit_tests) + 872
    #23 0x10f3b194a in base::internal::Invoker\u003Cbase::IndexSequence\u003C0ul, 1ul, 2ul>, base::internal::BindState\u003Cbase::internal::RunnableAdapter\u003Cvoid (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, base::TimeTicks, bool), base::WeakPtr\u003Cscheduler::TaskQueueManager>, base::TimeTicks, bool>, base::internal::InvokeHelper\u003Ctrue, void, base::internal::RunnableAdapter\u003Cvoid (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)> >, void ()>::Run(base::internal::BindStateBase*) (in webkit_unit_tests) + 506
    #24 0x10924315c in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) (in webkit_unit_tests) + 748
    #25 0x10927adb3 in base::MessageLoop::RunTask(base::PendingTask const&) (in webkit_unit_tests) + 947
    #26 0x10927b74c in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) (in webkit_unit_tests) + 124
    #27 0x10927c08c in base::MessageLoop::DoWork() (in webkit_unit_tests) + 1116
    #28 0x109229809 in base::MessagePumpCFRunLoopBase::RunWork() (in webkit_unit_tests) + 329
    #29 0x10926e669 in base::mac::CallWithEHFrame(void () block_pointer) (in webkit_unit_tests) + 9

Comment 1 by benwells@chromium.org, Mar 7 2016 

I'm reluctant to just disable these tests under ASAN as it looks like a real problem.

Comment 2 by benwells@chromium.org, Mar 7 2016 

Hmmm looks like keishi's change was just a UMA thing, so probably not the culprit....

keishi - any ideas who would be a good person to look at this?

Comment 3 by benwells@chromium.org, Mar 8 2016

Cc: haraken@chromium.org
+haraken who might have some ideas

Comment 4 by haraken@chromium.org, Mar 8 2016

Owner: e...@chromium.org
This looks like a use-after-free in LayoutObjects, not related to Oilpan (because the timing LayoutObject::destroy is called does not depend on Oilpan GCs).

Emil: Would you triage this in the layout team?
Project Member

Comment 6 by bugdroid1@chromium.org, Mar 8 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6536c52c05e9fec32516833e81621dac64fbbeff

commit 6536c52c05e9fec32516833e81621dac64fbbeff
Author: benwells <benwells@chromium.org>
Date: Tue Mar 08 12:25:32 2016

Properly disable tests under Mac ASAN.

An attempt was made to disable the tests before but due to bad macro
expansion all it did was mangle the name.

TBR=thestig@chromium.org
BUG= 592771 

Review URL: https://codereview.chromium.org/1772323002

Cr-Commit-Position: refs/heads/master@{#379813}

[modify] https://crrev.com/6536c52c05e9fec32516833e81621dac64fbbeff/third_party/WebKit/Source/web/tests/WebFrameTest.cpp

Comment 7 by benwells@chromium.org, Mar 8 2016

Cc: thestig@chromium.org
+thestig who is now the memory sheriff.

More and more webkit unit tests are flakily failing with what look like real memory errors. Memory sheriffs can just disable them all but feature owners should investigate underlying issues.

In this case it looks like the feature owners are probably WebKit layout people, or GC people, or Oilpan people. Y'all probably know who should investigate better than sheriffs do.

Comment 8 by sigbjo...@opera.com, Mar 9 2016

Mergedinto: 582755
Status: Duplicate (was: Untriaged)

Sign in to add a comment