Crash renderer v8::internal::IteratingStringHasher::VisitConsString(v8::internal::ConsString*) |
Issue descriptionVersion:51.0.2704.7 OS: 10.11 Report ID: 4660186200000000 Thread 0 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x14de6c05 ] MAGIC SIGNATURE THREAD 0x0000000104b69940 (Google Chrome Framework -objects-inl.h:3412 ) void v8::internal::String::WriteToFlat<unsigned char>(v8::internal::String*, unsigned char*, int, int) 0x0000000104b951d0 (Google Chrome Framework -objects.cc:12179 ) v8::internal::IteratingStringHasher::VisitConsString(v8::internal::ConsString*) 0x0000000104b944ae (Google Chrome Framework -objects-inl.h:6936 ) v8::internal::IteratingStringHasher::Hash(v8::internal::String*, unsigned int) 0x0000000104bacdae (Google Chrome Framework -objects.cc:12013 ) v8::internal::InternalizedStringKey::Hash() 0x0000000104ba5319 (Google Chrome Framework -objects.h:3380 ) v8::internal::StringTable::LookupKey(v8::internal::Isolate*, v8::internal::HashTableKey*) 0x0000000104ba528c (Google Chrome Framework -objects.cc:17906 ) v8::internal::StringTable::LookupString(v8::internal::Isolate*, v8::internal::Handle<v8::internal::String>) 0x00000001047b468d (Google Chrome Framework -factory.h:91 ) v8::internal::LookupIterator::LookupIterator(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>, v8::internal::LookupIterator::Configuration) 0x0000000104b10f4b (Google Chrome Framework -lookup.h:58 ) v8::internal::StoreIC::Store(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::Object::StoreFromKeyed) 0x0000000104b1624b (Google Chrome Framework -ic.cc:2327 ) v8::internal::Runtime_StoreIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*) 0x0000242a0bf092a6 0x0000242a0c6f0eef 0x0000242a0c3cf210 0x0000242a0bf3b7e2 0x0000242a0bf2514e 0x0000000104a7319f (Google Chrome Framework -execution.cc:97 ) v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, 
v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) 0x0000000104a72fd5 (Google Chrome Framework -execution.cc:153 ) v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) 0x000000010479d135 (Google Chrome Framework -api.cc:1792 ) v8::Script::Run(v8::Local<v8::Context>) 0x0000000105bba0ac (Google Chrome Framework -V8ScriptRunner.cpp:417 ) blink::V8ScriptRunner::runCompiledScript(v8::Isolate*, v8::Local<v8::Script>, blink::ExecutionContext*) 0x0000000105b8b7eb (Google Chrome Framework -ScriptController.cpp:157 ) blink::ScriptController::executeScriptAndReturnValue(v8::Local<v8::Context>, blink::ScriptSourceCode const&, blink::AccessControlStatus, double*) 0x0000000105b8c790 (Google Chrome Framework -ScriptController.cpp:417 ) blink::ScriptController::evaluateScriptInMainWorld(blink::ScriptSourceCode const&, blink::AccessControlStatus, blink::ScriptController::ExecuteScriptPolicy, double*) 0x0000000105b8c8c5 (Google Chrome Framework -ScriptController.cpp:394 ) blink::ScriptController::executeScriptInMainWorld(blink::ScriptSourceCode const&, blink::AccessControlStatus, double*) 0x00000001053c7cc0 (Google Chrome Framework -ScriptLoader.cpp:434 ) blink::ScriptLoader::executeScript(blink::ScriptSourceCode const&, double*) 0x0000000105524888 (Google Chrome Framework -HTMLScriptRunner.cpp:75 ) blink::(anonymous namespace)::doExecuteScript(blink::Element*, blink::ScriptSourceCode const&, WTF::TextPosition const&) 0x0000000105524572 (Google Chrome Framework -HTMLScriptRunner.cpp:222 ) blink::HTMLScriptRunner::executePendingScriptAndDispatchEvent(blink::PendingScript*, blink::ScriptStreamer::Type) 0x0000000105524230 (Google Chrome Framework -HTMLScriptRunner.cpp:185 ) blink::HTMLScriptRunner::executeParsingBlockingScript() 0x0000000105524b97 (Google Chrome 
Framework -HTMLScriptRunner.cpp:301 ) blink::HTMLScriptRunner::execute(WTF::RawPtr<blink::Element>, WTF::TextPosition const&) 0x0000000105512cef (Google Chrome Framework -HTMLDocumentParser.cpp:300 ) blink::HTMLDocumentParser::processParsedChunkFromBackgroundParser(WTF::PassOwnPtr<blink::HTMLDocumentParser::ParsedChunk>) 0x00000001055115be (Google Chrome Framework -HTMLDocumentParser.cpp:578 ) blink::HTMLDocumentParser::pumpPendingSpeculations() 0x000000010690d447 (Google Chrome Framework -bind_internal.h:159 ) base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)>, void (std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)> >, void ()>::Run(base::internal::BindStateBase*) 0x00000001031d656a (Google Chrome Framework -callback.h:397 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) 0x000000010690578a (Google Chrome Framework -task_queue_manager.cc:289 ) scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*) 0x00000001069044f8 (Google Chrome Framework -task_queue_manager.cc:201 ) scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) 0x0000000106906402 (Google Chrome Framework -bind_internal.h:181 ) base::internal::Invoker<base::IndexSequence<0ul, 1ul, 2ul>, base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, 
base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks, bool>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)> >, void ()>::Run(base::internal::BindStateBase*) 0x00000001031d656a (Google Chrome Framework -callback.h:397 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) 0x00000001031f91a2 (Google Chrome Framework -message_loop.cc:479 ) base::MessageLoop::RunTask(base::PendingTask const&) 0x00000001031f94bb (Google Chrome Framework -message_loop.cc:488 ) base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) 0x00000001031f96aa (Google Chrome Framework -message_loop.cc:600 ) base::MessageLoop::DoWork() 0x00000001031cba50 (Google Chrome Framework -message_pump_mac.mm:330 ) base::MessagePumpCFRunLoopBase::RunWork() 0x00000001031eebe9 (Google Chrome Framework + 0x00587be9 ) base::mac::CallWithEHFrame(void () block_pointer) 0x00000001031cb453 (Google Chrome Framework -message_pump_mac.mm:306 ) base::MessagePumpCFRunLoopBase::RunWorkSource(void*) 0x00007fff9358e880 (CoreFoundation + 0x000aa880 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 0x00007fff9356dfbb (CoreFoundation + 0x00089fbb ) __CFRunLoopDoSources0 0x00007fff9356d4de (CoreFoundation + 0x000894de ) __CFRunLoopRun 0x00007fff9356ced7 (CoreFoundation + 0x00088ed7 ) CFRunLoopRunSpecific 0x00007fff91c50dd8 (Foundation + 0x00024dd8 ) -[NSRunLoop(NSRunLoop) runMode:beforeDate:] 0x00000001031cc0bd (Google Chrome Framework -message_pump_mac.mm:608 ) base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*) 0x00000001031cb8a3 (Google Chrome Framework -message_pump_mac.mm:238 ) base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) 0x000000010320fc52 (Google Chrome Framework -run_loop.cc:35 ) base::RunLoop::Run() 0x00000001031f892c (Google Chrome Framework -message_loop.cc:295 ) base::MessageLoop::Run() 0x000000010741d373 (Google Chrome 
Framework -renderer_main.cc:219 ) content::RendererMain(content::MainFunctionParams const&) 0x000000010318e3a3 (Google Chrome Framework -content_main_runner.cc:741 ) content::ContentMainRunnerImpl::Run() 0x000000010318d7a5 (Google Chrome Framework -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const&) 0x0000000102c69f91 (Google Chrome Framework -chrome_main.cc:84 ) ChromeMain 0x0000000102a00d51 (Google Chrome Helper -chrome_exe_main_mac.c:87 ) main 0x0000000102a00b33 (Google Chrome Helper + 0x00000b33 ) start
Apr 19 2016
On further checking the Chrome crash dashboard I see only 6 crashes (from 5 different client_ids) so far on the current Dev channel, 51.0.2704.7, but this signature has been around for some time (first seen in 28.0.1500.94). The Chrome versions and operating systems on which this crash has been seen are listed here: https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27void%20v8%3A%3Ainternal%3A%3AString%3A%3AWriteToFlat%3Cunsigned%20char%3E%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000 If possible, can we get reproducible steps so the bug can be bisected (given that the crashes have been seen for such a long time)?
Apr 19 2016
I'm not sure what you're asking — this is crash ID 4660186200000000 from dev channel 51.0.2704.7. This and another crash (Issue 596120) were seen while visiting a couple of sites (which I will IM to you).
Apr 19 2016
+v8 stability sheriffs
Apr 19 2016
This smells like some form of heap corruption: the crash is an invalid read (KERN_INVALID_ADDRESS) inside String::WriteToFlat while flattening a ConsString, i.e. we are ending up with ConsStrings whose constituent parts are invalid. Until it is root-caused, a renderer crash of this shape should be treated as a potential memory-safety bug rather than a plain stability issue. There seems to be a spike in 51.0.2700.0 (whose change log is https://chromium.googlesource.com/v8/v8/+log/d71ff17b883..ceab1d4795a), but I don't see any tell-tale sign in there. There is still an elevated, though not huge, rate of these crashes in the M51 dev channel. Adding hpayer to see whether this particular sort of heap corruption rings any bells, and yangguo because blame attributes many lines of the ConsString code to him (though I don't see any recent changes there).
Apr 19 2016
Issue 602153 has been merged into this issue.
Apr 19 2016
Looking at the data again, I wonder whether the spike in 51.0.2700.0 is simply because that build went out to the dev channel (and so reached more users), rather than a regression introduced in that build.
Apr 19 2016
Users experienced this crash on the following builds: If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Apr 20 2016
Apr 25 2016
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27void%20v8%3A%3Ainternal%3A%3AString%3A%3AWriteToFlat%3Cunsigned%20char%3E%27%20AND%20product.name%3D%27Chrome_Mac%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D The crash disappears on Canary again, like the linked issue; I am assuming it has the same root cause.
Comment 1 by tin...@google.com
, Apr 19 2016