Crash: v8::internal::GlobalHandles::Node::DecreaseBlockUses
Issue description
Crash Signature: v8::internal::GlobalHandles::Node::DecreaseBlockUses
Process Type: Extension
Platform: Win
Channel: Canary
Version: 51.0.2671.0
Distinct Clients: 204
Crash Reports: 232
Median Uptime: 00h:03m:04s
Infected Clients: 34.05%

Sample Reports:
https://crash.corp.google.com/browse?q=reportid=%27126815c800000000%27
https://crash.corp.google.com/browse?q=reportid=%27a849925800000000%27
https://crash.corp.google.com/browse?q=reportid=%27698f35c800000000%27
https://crash.corp.google.com/browse?q=reportid=%27867c225800000000%27
https://crash.corp.google.com/browse?q=reportid=%2791bb79c800000000%27

Crash Link: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20product.version%3D%2751.0.2671.0%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3AGlobalHandles%3A%3ANode%3A%3ADecreaseBlockUses%27

Crash Stacktrace:
ACCESS_VIOLATION_READ on address 0xffffffffffffffff
#0 0x7fecd8105b9 in v8::internal::GlobalHandles::Node::DecreaseBlockUses v8/src/global-handles.cc:493
#1 0x7fecd3999a9 in blink::WindowProxy::~WindowProxy third_party/webkit/source/bindings/core/v8/windowproxy.cpp:95
#2 0x7fece02c939 in blink::HeapObjectHeader::finalize third_party/webkit/source/platform/heap/heappage.cpp:104
#3 0x7fece02d755 in blink::NormalPage::sweep third_party/webkit/source/platform/heap/heappage.cpp:1150
#4 0x7fece02d857 in blink::BaseArena::sweepUnsweptPage third_party/webkit/source/platform/heap/heappage.cpp:318
#5 0x7fece02c77d in blink::BaseArena::completeSweep third_party/webkit/source/platform/heap/heappage.cpp:359
#6 0x7fece028344 in blink::ThreadState::completeSweep third_party/webkit/source/platform/heap/threadstate.cpp:1110
#7 0x7fece0285f9 in blink::ThreadState::detachMainThread third_party/webkit/source/platform/heap/threadstate.cpp:226
#8 0x7fece09fe06 in blink::shutdownWithoutV8 third_party/webkit/source/web/webkit.cpp:232
#9 0x7fece424e47 in content::RenderThreadImpl::Shutdown content/renderer/render_thread_impl.cc:980
#10 0x7fece38f550 in content::ChildProcess::~ChildProcess content/child/child_process.cc:71
#11 0x7fece40cc0e in content::RendererMain content/renderer/renderer_main.cc:236
#12 0x7fecdcc3529 in content::RunNamedProcessTypeMain content/app/content_main_runner.cc:395
#13 0x7fecdcc3366 in content::ContentMainRunnerImpl::Run content/app/content_main_runner.cc:766
#14 0x7fecdcc07e0 in content::ContentMain content/app/content_main.cc:19
#15 0x7fecdc363f1 in ChromeMain chrome/app/chrome_main.cc:84
#16 0x13f83160e in MainDllLoader::Launch chrome/app/main_dll_loader_win.cc:183
#17 0x13f83084f in wWinMain chrome/app/chrome_exe_main_win.cc:230
#18 0x13f86e337 in __tmainCRTStartup f:/dd/vctools/crt/crtw32/startup/crt0.c:251
#19 0x778059ec in BaseThreadInitThunk
#20 0x7793b370 in RtlUserThreadStart
Mar 8 2016
This crash spiked recently. #1 crash on Windows.

51.0.2671.1  0.08%  21
51.0.2671.0  1.50%  385
51.0.2664.1  0.00%  1

204 clients with 232 reports as of now. CPM PLs: 42.84

Link to the builds which introduced the crash: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3AGlobalHandles%3A%3ANode%3A%3ADecreaseBlockUses%27&ignore_case=false#-samplereports:5,productversion:1000

Forwarding to V8 team to investigate.
Mar 8 2016
This looks more likely to be a Bindings or Oilpan issue than v8, since most of the stack is in Blink. Assigning to haraken@ for more triage.
Mar 8 2016
This comment is for the Fracas team. Adding the Fracas-Wrong label for the reason below: the bug is shown as stale while hovering. The message is "Issue 593092 is open in New status and is missing an owner. Assign it to dev for triage". But the bug already has all the required info, with an owner.
Mar 8 2016
Fracas currently has a 30 min update latency; in future, we will be shortening that. As you can see, the owner assignment was done 29 minutes ago.
Mar 9 2016
This is the top #2 renderer crash on Latest Canary #51.0.2672.0 with 137 crash instances. haraken@, could you please look into this? Many thanks!
Mar 9 2016

Mar 9 2016
We are seeing a sudden spike in the 'windows' crash instances (8829) for Latest Canary #51.0.2672.0.
Mar 9 2016
I see no spike in crashes with this stack (a total of 176 still). The big spike is in "v8::internal::`anonymous namespace'::Invoke", which I believe is issue 593332 (which is already fixed on master).
Mar 9 2016
Oops, my bad, I updated the wrong bug. Thanks Adam for correcting me.
Mar 9 2016

Mar 9 2016
I think that 5940f25b9d91258d698a5ce9f48e8a253c7b1652 is almost certainly the problematic commit (in Blink). It falls in the blamelist between 51.0.2670.0 and 51.0.2671.0, and adds exactly the code that's triggering the crash (ThreadState::detachMainThread() inside shutdownWithoutV8()). haraken, ptal.
Mar 10 2016
haraken@, it would be great if you can revert the above CL (5940f25b9d91258d698a5ce9f48e8a253c7b1652) if it is causing this v8 crash. We are targeting tonight's 8 PM PST build for tomorrow's Dev release. Thank you!
Mar 10 2016
I'll revert the CL at the moment.
Mar 10 2016
I need to revert two or three CLs via CQ. The first revert is still in the CQ (https://codereview.chromium.org/1783673002/). It may take a couple more hours to revert all relevant CLs.
Mar 10 2016
Hmm, I noticed that I need to revert too many CLs. Alternatively, let me prepare a fix for this. I'll try to land the fix by the end of today.
Mar 10 2016

Mar 10 2016
Uploaded a fix: https://codereview.chromium.org/1771353010/
Mar 10 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/29a57aad9a5cd9388811408f1a457493d6f9671d

commit 29a57aad9a5cd9388811408f1a457493d6f9671d
Author: haraken <haraken@chromium.org>
Date: Thu Mar 10 15:49:51 2016

Finish completeSweep before shutting down V8

If Oilpan runs completeSweep after shutting down V8, some destructor may access V8 and cause a crash. Oilpan should finish completeSweep before shutting down V8.

BUG=593092

Review URL: https://codereview.chromium.org/1771353010

Cr-Commit-Position: refs/heads/master@{#380415}

[modify] https://crrev.com/29a57aad9a5cd9388811408f1a457493d6f9671d/third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp
[modify] https://crrev.com/29a57aad9a5cd9388811408f1a457493d6f9671d/third_party/WebKit/Source/platform/heap/HeapTest.cpp
[modify] https://crrev.com/29a57aad9a5cd9388811408f1a457493d6f9671d/third_party/WebKit/Source/platform/heap/ThreadState.cpp
[modify] https://crrev.com/29a57aad9a5cd9388811408f1a457493d6f9671d/third_party/WebKit/Source/platform/heap/ThreadState.h
[modify] https://crrev.com/29a57aad9a5cd9388811408f1a457493d6f9671d/third_party/WebKit/Source/web/WebKit.cpp
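The shutdown-ordering bug behind this crash, as an added example that is not Chromium code and not part of the thread: a garbage-collected object (standing in for blink::WindowProxy) whose finalizer releases a V8 global handle is only finalized when the managed heap is swept. If the sweep runs after V8 has been shut down, the finalizer touches a dead subsystem, which is the ~WindowProxy -> GlobalHandles::Node::DecreaseBlockUses read in the stack above. The model below records such a use instead of dereferencing freed memory, and contrasts the crashing order (shut down V8, then sweep) with the order the fix r380415 establishes (sweep, then shut down V8). All class and function names here are invented for illustration.

```cpp
// Added example, not Chromium code: a minimal model of finalizers running
// after the subsystem they depend on has been torn down.  V8Runtime stands
// in for V8's GlobalHandles, ManagedHeap for Oilpan's ThreadState, and
// WindowProxyLike for a Blink object whose destructor releases a V8 handle.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Stand-in for v8::internal::GlobalHandles.  After Shutdown() the node
// storage is gone; releasing a handle then is the pattern that crashed in
// GlobalHandles::Node::DecreaseBlockUses.  Instead of reading freed memory,
// this model counts the violation so it can be asserted on.
class V8Runtime {
 public:
  struct Node { int uses = 1; };

  size_t Create() {
    nodes_.push_back(std::make_unique<Node>());
    return nodes_.size() - 1;
  }

  // Returns false when called after Shutdown(); in real V8 this is the
  // dangling read on a freed handle block.
  bool Destroy(size_t idx) {
    if (!alive_) { ++use_after_shutdown_; return false; }
    --nodes_[idx]->uses;
    return true;
  }

  void Shutdown() { nodes_.clear(); alive_ = false; }
  int use_after_shutdown() const { return use_after_shutdown_; }

 private:
  std::vector<std::unique_ptr<Node>> nodes_;
  bool alive_ = true;
  int use_after_shutdown_ = 0;
};

// Stand-in for blink::WindowProxy: its finalizer releases the V8 handle
// (cf. frame #1, ~WindowProxy, in the stack trace).
class WindowProxyLike {
 public:
  explicit WindowProxyLike(V8Runtime* v8) : v8_(v8), handle_(v8->Create()) {}
  ~WindowProxyLike() { v8_->Destroy(handle_); }
 private:
  V8Runtime* v8_;
  size_t handle_;
};

// Stand-in for Oilpan's ThreadState: objects are finalized only when the
// heap is swept, not when the last reference to them disappears.
class ManagedHeap {
 public:
  void Allocate(V8Runtime* v8) {
    objects_.push_back(std::make_unique<WindowProxyLike>(v8));
  }
  // Equivalent of ThreadState::completeSweep(): runs every pending finalizer.
  void CompleteSweep() { objects_.clear(); }
 private:
  std::vector<std::unique_ptr<WindowProxyLike>> objects_;
};

// Order in the crashing build: V8 is torn down first, then
// detachMainThread() runs completeSweep() and the finalizers touch V8.
// Returns the number of handle releases that hit a dead V8 (2 here).
int ShutdownV8ThenSweep() {
  V8Runtime v8;
  ManagedHeap heap;
  heap.Allocate(&v8);
  heap.Allocate(&v8);
  v8.Shutdown();
  heap.CompleteSweep();
  return v8.use_after_shutdown();
}

// Order after the fix: finish the sweep while V8 is alive, then shut V8
// down.  Returns 0: no finalizer touched a dead V8.
int SweepThenShutdownV8() {
  V8Runtime v8;
  ManagedHeap heap;
  heap.Allocate(&v8);
  heap.Allocate(&v8);
  heap.CompleteSweep();
  v8.Shutdown();
  return v8.use_after_shutdown();
}

int main() {
  std::printf("shutdown-then-sweep: %d dangling handle releases\n", ShutdownV8ThenSweep());
  std::printf("sweep-then-shutdown: %d dangling handle releases\n", SweepThenShutdownV8());
  return 0;
}
```

The general lesson the model makes visible: with a deferred-finalization heap, "no one references it anymore" does not mean "its destructor has run", so any subsystem that heap objects hold handles into must outlive the final sweep, which is exactly what moving completeSweep ahead of the V8 shutdown enforces.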
Mar 10 2016
To which branch should I merge the change?
Mar 11 2016
haraken@, thank you for the fix. We are not seeing any crash instances on Latest Canary #51.0.2674.0.
Mar 14 2016

Mar 14 2016

Mar 23 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
Comment 1 by ClusterFuzz, Mar 8 2016