v8 crash in MergeAllocationSitePretenuringFeedback causing WebGL conformance test flake
Issue description

WebglConformance.conformance_glsl_implicit_less_than_vert is flaking on the Mac 10.10 Retina Release (AMD) bot. Recent builds:
https://build.chromium.org/p/chromium.gpu/builders/Mac%2010.10%20Retina%20Release%20%28AMD%29/builds/5241
https://build.chromium.org/p/chromium.gpu/builders/Mac%2010.10%20Retina%20Release%20%28AMD%29/builds/5249

Note that these crashes are happening even after the revert of the V8 roll in https://codereview.chromium.org/1871843002 (the above builds used v8 revision 23da806c07a3b3).

Stack:

Thread 0 (crashed)
 0  Chromium Framework!__ZN2v88internal4Heap38MergeAllocationSitePretenuringFeedbackERKNS0_19TemplateHashMapImplINS0_25FreeStoreAllocationPolicyEEE + 0x5d
    rbx = 0x00007fd695102cf8   r12 = 0x1c00000000000000   r13 = 0x1000000000000000   r14 = 0x00007fd69482cc20
    r15 = 0x00007fd695026cb0   rip = 0x0000000105141ffd   rsp = 0x00007fff5c97fa70   rbp = 0x00007fff5c97faa0
    Found by: given as instruction pointer in context
 1  Chromium Framework!__ZN2v88internal20MarkCompactCollector23EvacuatePagesInParallelEv + 0x5c9
    rbx = 0x00007fd695026cb0   r12 = 0x00007fd693e2ef90   r13 = 0x0000000000000002   r14 = 0x0000000000000002
    r15 = 0x00007fd699a229f0   rip = 0x0000000105167c09   rsp = 0x00007fff5c97fab0   rbp = 0x00007fff5c97fbb0
    Found by: call frame info
 2  Chromium Framework!__ZN2v88internal20MarkCompactCollector29EvacuateNewSpaceAndCandidatesEv + 0x1f1
    rbx = 0x000000010a3864a7   r12 = 0x00007fd69482cc20   r13 = 0x0000000105146268   r14 = 0x00007fd69482e500
    r15 = 0x00007fd693e2ef90   rip = 0x0000000105162491   rsp = 0x00007fff5c97fbc0   rbp = 0x00007fff5c97fcc0
    Found by: call frame info
 3  Chromium Framework!__ZN2v88internal20MarkCompactCollector14CollectGarbageEv + 0x26
    rbx = 0x00007fd693e2ef90   r12 = 0x00007fd69482cc20   r13 = 0x0000000105146268   r14 = 0x0000000000000005
    r15 = 0x0000000001890810   rip = 0x0000000105160936   rsp = 0x00007fff5c97fcd0   rbp = 0x00007fff5c97fce0
    Found by: call frame info
 4  Chromium Framework!__ZN2v88internal4Heap11MarkCompactEv + 0xee
    rbx = 0x00000000015475a0   r12 = 0x00007fd69482cc20   r13 = 0x0000000105146268   r14 = 0x0000000000000005
    r15 = 0x0000000001890810   rip = 0x000000010514608e   rsp = 0x00007fff5c97fcf0   rbp = 0x00007fff5c97fd40
    Found by: call frame info
 5  Chromium Framework!__ZN2v88internal4Heap24PerformGarbageCollectionENS0_16GarbageCollectorENS_15GCCallbackFlagsE + 0x50f
    rbx = 0x000000000e85fc88   r12 = 0x00000000006252b8   r13 = 0x0000000000000001   r14 = 0x0000000000159300
    r15 = 0x00007fd69482cc20   rip = 0x0000000105144def   rsp = 0x00007fff5c97fd50   rbp = 0x00007fff5c97fe40
    Found by: call frame info
 6  Chromium Framework!__ZN2v88internal4Heap14CollectGarbageENS0_16GarbageCollectorEPKcS4_NS_15GCCallbackFlagsE + 0x2c4
    rbx = 0x000000010a3864a5   r12 = 0x0000000000000001   r13 = 0x00007fd69482cc20   r14 = 0x00007fd694832790
    r15 = 0x0000000000000000   rip = 0x0000000105144474   rsp = 0x00007fff5c97fe50   rbp = 0x00007fff5c97ff00
    Found by: call frame info
 7  Chromium Framework!__ZN2v88internal4Heap33TryFinalizeIdleIncrementalMarkingEd + 0x1a6
    rbx = 0x00007fd694832600   r12 = 0x0000000000000005   r13 = 0x000000010514f548   r14 = 0x00007fd69482cc20
    r15 = 0x00007fd69482d7c8   rip = 0x000000010514f526   rsp = 0x00007fff5c97ff10   rbp = 0x00007fff5c97ff50
    Found by: call frame info
 8  Chromium Framework!__ZN2v88internal21IncrementalMarkingJob8IdleTask11RunInternalEd + 0xa6
    rbx = 0x00007fd693e2ef90   r12 = 0x00007fd693df8bd0   r13 = 0x850047d3ad890285   r14 = 0x00007fd69482cc20
    r15 = 0x00007fd693e2e520   rip = 0x0000000105157146   rsp = 0x00007fff5c97ff60   rbp = 0x00007fff5c97ffa0
    Found by: call frame info
 9  Chromium Framework!__ZN9scheduler16WebSchedulerImpl11runIdleTaskENSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS1_14default_deleteIS5_EEEEN4base9TimeTicksE + 0x28
    rbx = 0x00003569f2a359c0   r12 = 0x0000000106fbe600   r13 = 0x850047d3ad890285   r14 = 0x0000000105ffbed0
    r15 = 0x000000034eb95a44   rip = 0x0000000106fbe628   rsp = 0x00007fff5c97ffb0   rbp = 0x00007fff5c97ffd0
    Found by: call frame info
10  Chromium Framework!__ZN4base8internal7InvokerINS_13IndexSequenceIJLm0EEEENS0_9BindStateINS0_15RunnableAdapterIPFvNSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS6_14default_deleteISA_EEEENS_9TimeTicksEEEESF_JNS0_13PassedWrapperISD_EEEEENS0_12InvokeHelperILb0EvSH_EEFvSE_EE3RunEPNS0_13BindStateBaseEOSE_ + 0x70
    rbx = 0x00007fd699a4ed30   r12 = 0x0000000106fbe600   r13 = 0x850047d3ad890285   r14 = 0x00007fff5c9801c8
    r15 = 0x000000034eb95a44   rip = 0x0000000106fbf580   rsp = 0x00007fff5c97ffe0   rbp = 0x00007fff5c980130
    Found by: call frame info
11  Chromium Framework!__ZN9scheduler26SingleThreadIdleTaskRunner7RunTaskEN4base8CallbackIFvNS1_9TimeTicksEELNS1_8internal8CopyModeE1EEE + 0x76
    rbx = 0x00007fd693e21dd0   r12 = 0x000000010a38648a   r13 = 0x850047d3ad890285   r14 = 0x00007fff5c980220
    r15 = 0x000000034eb95a44   rip = 0x0000000106fbdf06   rsp = 0x00007fff5c980140   rbp = 0x00007fff5c980210
    Found by: call frame info
12  Chromium Framework!__ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1EEEENS0_9BindStateINS0_15RunnableAdapterIMN9scheduler26SingleThreadIdleTaskRunnerEFvNS_8CallbackIFvNS_9TimeTicksEELNS0_8CopyModeE1EEEEEEFvPS7_SC_EJRNS_7WeakPtrIS7_EERKSC_EEENS0_12InvokeHelperILb1EvSF_EEFvvEE3RunEPNS0_13BindStateBaseE + 0x85
    rbx = 0x00007fd699a42250   r12 = 0x0000000106fbde90   r13 = 0x00007fff5c9803c0   r14 = 0x00007fd693e21dd0
    r15 = 0x00007fff5c980220   rip = 0x0000000106fbe2d5   rsp = 0x00007fff5c980220   rbp = 0x00007fff5c980260
    Found by: call frame info
13  Chromium Framework!__ZN4base5debug13TaskAnnotator7RunTaskEPKcRKNS_11PendingTaskE + 0xbb
    rbx = 0x00007fff5c9802b8   r12 = 0x00007fd693e213b0   r13 = 0x00007fff5c9803c0   r14 = 0x0000000108574400
    r15 = 0x000000010a38648b   rip = 0x00000001038558ab   rsp = 0x00007fff5c980270   rbp = 0x00007fff5c980360
    Found by: call frame info
14  Chromium Framework!__ZN9scheduler16TaskQueueManager24ProcessTaskFromWorkQueueEPNS_8internal9WorkQueueEPNS1_13TaskQueueImpl4TaskE + 0x2db
    rbx = 0x00007fd693e21af0   r12 = 0x000000010a38648a   r13 = 0x00007fff5c980558   r14 = 0x00007fd693e21310
    r15 = 0x0000000000000000   rip = 0x0000000106fb706b   rsp = 0x00007fff5c980370   rbp = 0x00007fff5c9804e0
    Found by: call frame info
15  Chromium Framework!__ZN9scheduler16TaskQueueManager6DoWorkEN4base9TimeTicksEb + 0x129
    rbx = 0x0000000000000002   r12 = 0x00007fd693e21310   r13 = 0x0000000000000000   r14 = 0x00007fff5c9805e8
    r15 = 0x00007fff5c980558   rip = 0x0000000106fb5dd9   rsp = 0x00007fff5c9804f0   rbp = 0x00007fff5c980620

Comment 1 by ajuma@chromium.org, Apr 8 2016
This is indeed continuing to happen even with the most recent V8 rollback. For example, WebglConformance.conformance_context_context_release_upon_reload crashed with the same stack as above in this build: https://build.chromium.org/p/chromium.gpu/builders/Mac%2010.10%20Retina%20Release%20%28AMD%29/builds/5265

Apr 8 2016
Thanks for catching this Ali. Assigning to V8 GC TL hpayer@.

Apr 9 2016
Note: probably unrelated, but also seeing crashes while viewing crash/ itself. Example: crash/38ea814400000000. Probably the issue already reported in Issue 601204. Here's a stack trace:

Thread 0 CRASHED [EXC_BAD_ACCESS / 0x0000000d @ 0x00000001020f0234 ]
MAGIC SIGNATURE THREAD
0x00000001020f0234 (Google Chrome Framework -spaces.h:671 ) v8::internal::MarkCompactCollector::RecordRelocSlot(v8::internal::Code*, v8::internal::RelocInfo*, v8::internal::Object*)
0x00000001020e64d0 (Google Chrome Framework -objects-visiting-inl.h:224 ) void v8::internal::RelocInfo::Visit<v8::internal::IncrementalMarkingMarkingVisitor>(v8::internal::Heap*)
0x00000001020e434a (Google Chrome Framework -objects-body-descriptors-inl.h:412 ) v8::internal::StaticMarkingVisitor<v8::internal::IncrementalMarkingMarkingVisitor>::VisitCode(v8::internal::Map*, v8::internal::HeapObject*)
0x00000001020e2f12 (Google Chrome Framework -objects-visiting.h:344 ) v8::internal::IncrementalMarking::Step(long, v8::internal::IncrementalMarking::CompletionAction, v8::internal::IncrementalMarking::ForceMarkingAction, v8::internal::IncrementalMarking::ForceCompletionAction)
0x00000001020e2b84 (Google Chrome Framework -incremental-marking.cc:1032 ) v8::internal::IncrementalMarking::AdvanceIncrementalMarking(double, v8::internal::IncrementalMarking::StepActions)
0x00000001020e0064 (Google Chrome Framework -incremental-marking-job.cc:85 ) v8::internal::IncrementalMarkingJob::IdleTask::RunInternal(double)
0x0000000103f3d217 (Google Chrome Framework -web_scheduler_impl.cc:44 ) scheduler::WebSchedulerImpl::runIdleTask(std::__1::unique_ptr<blink::WebThread::IdleTask, std::__1::default_delete<blink::WebThread::IdleTask> >, base::TimeTicks)
0x0000000103f3e0ac (Google Chrome Framework -bind_internal.h:159 ) base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebThread::IdleTask, std::__1::default_delete<blink::WebThread::IdleTask> >, base::TimeTicks)>, void (std::__1::unique_ptr<blink::WebThread::IdleTask, std::__1::default_delete<blink::WebThread::IdleTask> >, base::TimeTicks), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebThread::IdleTask, std::__1::default_delete<blink::WebThread::IdleTask> > > >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebThread::IdleTask, std::__1::default_delete<blink::WebThread::IdleTask> >, base::TimeTicks)> >, void (base::TimeTicks)>::Run(base::internal::BindStateBase*, base::TimeTicks&&)
0x0000000103f3caf5 (Google Chrome Framework -callback.h:397 ) scheduler::SingleThreadIdleTaskRunner::RunTask(base::Callback<void (base::TimeTicks), (base::internal::CopyMode)1>)
...
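The thread's triage question is whether the crash/ trace in the comment above and the trace in the description are the same crasher. The two reports arrive in different layouts (a Breakpad minidump_stackwalk dump with mangled symbols, and the crash/ server's one-frame-per-line format with demangled signatures), so a small normaliser that reduces both to a top-N function-name key makes the comparison mechanical. The following is an added example written for this page, not tooling from the Chromium or V8 projects; the regexes, function names and three-frame bucket depth are this example's own assumptions, and the sample inputs are the top frames copied from the two traces on this page.

```python
"""Bucket crash stacks from the two report formats quoted on this page.

Added example (not Chromium/V8 tooling): parse Breakpad minidump_stackwalk
frames (mangled symbols, as in the description) and crash/ server frames
(demangled symbols, as in the later comment), reduce each to its top-N
qualified function names and compare. The demangler handles only plain
Itanium nested names (_ZN<len><id>...E); anything richer is kept raw.
"""
import re

# Constructed sample: top three frames of the description's Breakpad trace.
BREAKPAD_SAMPLE = """\
Thread 0 (crashed)
 0  Chromium Framework!__ZN2v88internal4Heap38MergeAllocationSitePretenuringFeedbackERKNS0_19TemplateHashMapImplINS0_25FreeStoreAllocationPolicyEEE + 0x5d
    rip = 0x0000000105141ffd   rsp = 0x00007fff5c97fa70   rbp = 0x00007fff5c97faa0
    Found by: given as instruction pointer in context
 1  Chromium Framework!__ZN2v88internal20MarkCompactCollector23EvacuatePagesInParallelEv + 0x5c9
    Found by: call frame info
 2  Chromium Framework!__ZN2v88internal20MarkCompactCollector29EvacuateNewSpaceAndCandidatesEv + 0x1f1
    Found by: call frame info
"""

# Constructed sample: top three frames of the crash/ trace from the comment above.
CRASHSERVER_SAMPLE = """\
Thread 0 CRASHED [EXC_BAD_ACCESS / 0x0000000d @ 0x00000001020f0234 ]
0x00000001020f0234 (Google Chrome Framework -spaces.h:671 ) v8::internal::MarkCompactCollector::RecordRelocSlot(v8::internal::Code*, v8::internal::RelocInfo*, v8::internal::Object*)
0x00000001020e64d0 (Google Chrome Framework -objects-visiting-inl.h:224 ) void v8::internal::RelocInfo::Visit<v8::internal::IncrementalMarkingMarkingVisitor>(v8::internal::Heap*)
0x00000001020e434a (Google Chrome Framework -objects-body-descriptors-inl.h:412 ) v8::internal::StaticMarkingVisitor<v8::internal::IncrementalMarkingMarkingVisitor>::VisitCode(v8::internal::Map*, v8::internal::HeapObject*)
"""

# " 0  Module Name!symbol + 0xoff": the module may contain spaces, the symbol may not.
BREAKPAD_FRAME = re.compile(r"^\s*(\d+)\s+(.+?)!(\S+)(?:\s+\+\s+0x[0-9a-f]+)?\s*$")
# "0xaddr (Module -file:line ) demangled signature"
CRASHSERVER_FRAME = re.compile(r"^0x[0-9a-f]+ \((.+?) -\S+ \) (.+)$")


def demangle_nested(sym: str) -> str:
    """Demangle _ZN<len><id>...E (macOS adds a leading '_'); else return sym unchanged."""
    m = re.match(r"_?_ZN[rVK]*(\d)", sym)   # [rVK]: restrict/volatile/const method
    if not m:
        return sym
    i, parts = m.end() - 1, []
    while i < len(sym) and sym[i] != "E":
        n = re.match(r"\d+", sym[i:])
        if not n:   # template args, substitution, ctor/dtor: outside the subset
            return sym
        start = i + len(n.group())
        parts.append(sym[start:start + int(n.group())])
        i = start + int(n.group())
    return "::".join(parts)


def strip_signature(demangled: str) -> str:
    """'void ns::T<A, B>::f(int)' -> 'ns::T::f' (drop <...>, return type, params)."""
    out, depth = [], 0
    for ch in demangled:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        elif depth == 0:
            if ch == "(":
                break
            out.append(ch)
    tokens = "".join(out).split()
    return tokens[-1] if tokens else demangled


def parse_breakpad(text: str) -> list:
    """Qualified function name per frame of a minidump_stackwalk dump."""
    return [strip_signature(demangle_nested(m.group(3)))
            for m in map(BREAKPAD_FRAME.match, text.splitlines()) if m]


def parse_crashserver(text: str) -> list:
    """Qualified function name per frame of a crash/ server trace."""
    return [strip_signature(m.group(2))
            for m in map(CRASHSERVER_FRAME.match, text.splitlines()) if m]


def signature(frames: list, depth: int = 3) -> tuple:
    """Crash bucket key: the top `depth` frames, the way crash servers group reports."""
    return tuple(frames[:depth])


def same_bucket(a: list, b: list, depth: int = 3) -> bool:
    return signature(a, depth) == signature(b, depth)


if __name__ == "__main__":
    gc_trace = parse_breakpad(BREAKPAD_SAMPLE)
    reloc_trace = parse_crashserver(CRASHSERVER_SAMPLE)
    print("description :", " <- ".join(signature(gc_trace)))
    print("crash/ trace:", " <- ".join(signature(reloc_trace)))
    print("same bucket :", same_bucket(gc_trace, reloc_trace))   # False
```

Run as-is, it reports the two traces as different buckets (MergeAllocationSitePretenuringFeedback under the mark-compact evacuation path versus RecordRelocSlot under incremental marking), which matches the conclusion reached later in the thread. Frames whose mangled names use template arguments or substitutions (the base::internal::Invoker frames) fall outside the demangler's subset and are kept raw; that is still a stable key, since the mangled name only changes when the source signature does.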

Apr 11 2016
FYI https://codereview.chromium.org/1869363002 was already rolled in before in https://codereview.chromium.org/1863033002/. Did you observe flakes with this version too? If not, I suspect some other Chromium component produces the flakes.

Apr 11 2016
Michi, that sounds like your recent bug. WDYT?

Apr 11 2016
Trace in #4 looks indeed like Issue 601204, so we should be fine. Trace in #0 is related to non-contiguous new space in V8. Should be fixed with V8 >= 5.1.291 https://chromium.googlesource.com/v8/v8/+log/5.1.291 I see the bots are green but I'll leave this open until somebody can confirm that the crasher is gone now.

Apr 11 2016
I don't see this crash after the roll to 5.1.294.3 (https://codereview.chromium.org/1873043002). Adding this week's pixel wrangler as fyi.

Apr 12 2016
Please open a new issue if you are still able to observe the MergeAllocationSitePretenuringFeedback crasher.