New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 606694 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocking:
issue 596622



Sign in to add a comment

ASSERTION FAILED: !m_heapDoesNotContainCache->lookup(address) in XMLHttpRequest::createRequest

Project Member Reported by kbr@chromium.org, Apr 26 2016

Issue description

https://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_ng/builds/211124

A random webgl_conformance_test failed with the following assertion failure and stack trace:

ASSERTION FAILED: !m_heapDoesNotContainCache->lookup(address)
e:\b\build\slave\win\build\src\third_party\webkit\source\platform\heap\heap.cpp(334) : unsigned char *__thiscall blink::ThreadHeap::checkAndMarkPointer(class blink::Visitor *,unsigned char *)
Backtrace:
	blink::ThreadHeap::checkAndMarkPointer [0x61D835FB+251]
	blink::ThreadState::visitStack [0x61D79BBA+74]
	blink::ThreadHeap::visitStackRoots [0x61D866EF+399]
	blink::ThreadHeap::collectGarbage [0x61D83999+537]
	blink::ThreadState::scheduleGCIfNeeded [0x61D76FDB+331]
	blink::NormalPageArena::outOfLineAllocate [0x61D7ED09+313]
	blink::NormalPageArena::allocateObject [0x61D5D2B3+227]
	blink::ThreadHeap::allocateOnArenaIndex [0x61D5E98E+174]
	blink::RawResource::RawResourceFactory::create [0x627957E6+38]
	blink::ResourceFetcher::createResourceForLoading [0x625E0A5F+271]
	blink::ResourceFetcher::requestResource [0x625E4A8A+1242]
	blink::RawResource::fetch [0x62795B61+161]
	blink::DocumentThreadableLoader::loadRequest [0x6262B34F+591]
	blink::DocumentThreadableLoader::start [0x6262CEF6+1542]
	blink::XMLHttpRequest::createRequest [0x628629B4+1636]
	blink::XMLHttpRequest::send [0x62865E56+550]
	blink::XMLHttpRequest::send [0x62866564+52]
	blink::Iterable<unsigned int,blink::Node *>::EntrySelector::select [0x62C3D108+648]
	v8::internal::FunctionCallbackArguments::Call [0x63E5AA33+67]
	v8::internal::AllocationTracker::functionInfoIndexForVMState [0x63CB999F+10447]
	v8::internal::Builtins::BooleanConstructor_ConstructStub [0x63CC31F5+28661]
	v8::internal::AllocationTracker::functionInfoIndexForVMState [0x63CB7CB0+3040]
	(No symbol) [0x1B70B77E]
	(No symbol) [0x0CFB9C4D]
	(No symbol) [0x0CFB98CE]
	(No symbol) [0x0CFB97D4]
	(No symbol) [0x0CFB90BA]
	(No symbol) [0x0CFB8E8B]
	v8::internal::StackGuard::ThreadLocal::Initialize [0x63EE5F23+467]
	v8::internal::Execution::Call [0x63EE5871+449]
	v8::Function::Call [0x61E1B52B+459]
	blink::V8ScriptRunner::callFunction [0x62C2A88F+479]
	blink::ScriptController::callFunction [0x62B4C150+112]
	blink::V8EventListener::callListenerFunction [0x62CADE4F+191]
	blink::V8AbstractEventListener::invokeEventHandler [0x62C9BAA2+242]
	blink::V8AbstractEventListener::handleEvent [0x62C9B90A+106]
	blink::V8AbstractEventListener::handleEvent [0x62C9B882+146]
	blink::EventTarget::fireEventListeners [0x623C6867+871]
	blink::EventTarget::fireEventListeners [0x623C69DD+237]
	blink::EventTarget::dispatchEventInternal [0x623C6336+38]
	blink::XMLHttpRequestProgressEventThrottle::dispatchReadyStateChangeEvent [0x628FB37B+155]
	blink::XMLHttpRequest::dispatchReadyStateChangeEvent [0x6286377F+303]
	blink::XMLHttpRequest::endLoading [0x62863B47+103]
	blink::XMLHttpRequest::didFinishLoadingInternal [0x6286304F+255]
	blink::XMLHttpRequest::didFinishLoading [0x62862F1E+206]
	blink::DocumentThreadableLoader::handleSuccessfulFinish [0x6262AC21+241]
	blink::DocumentThreadableLoader::notifyFinished [0x6262BE3B+187]
	blink::Resource::checkNotify [0x62779AA9+57]
	blink::Resource::finish [0x6277A345+101]
	blink::ResourceLoader::didFinishLoading [0x627F7525+181]
	content::WebURLLoaderImpl::Context::OnCompletedRequest [0x641C2CDC+268]
	content::WebURLLoaderImpl::RequestPeerImpl::OnCompletedRequest [0x641C2D10+32]
	content::ResourceDispatcher::OnRequestComplete [0x62D3EDDE+590]
	IPC::MessageT<ResourceMsg_RequestComplete_Meta,std::tuple<int,ResourceMsg_RequestCompleteData>,void>::Dispatch<content::ResourceDispatcher,content::ResourceDispatcher,void,void (__thiscall content::ResourceDispatcher::*)(int,ResourceMsg_RequestCompleteDat [0x62D3BEAD+221]
	content::ResourceDispatcher::DispatchMessageW [0x62D3DAAC+652]
	content::ResourceDispatcher::OnMessageReceived [0x62D3DFD5+373]
	content::ResourceSchedulingFilter::SetRequestIdTaskRunner [0x62D499B9+169]
	scheduler::WebTaskRunnerImpl::runTask [0x641E4FFB+11]
	base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,void __cdecl(std::unique_ptr<blink::Web [0x641F83FF+95]
	base::debug::TaskAnnotator::RunTask [0x617D7D17+247]
	scheduler::TaskQueueManager::ProcessTaskFromWorkQueue [0x641EC49D+1037]
	scheduler::TaskQueueManager::DoWork [0x641EB950+560]

I'm still triaging other new flakes so don't know how often this is showing up. Still, marking P1 since this has been seen on the commit queue.

 
stdout.txt
4.1 MB View Download
Cc: haraken@chromium.org
Owner: keishi@chromium.org
Hmm, this looks like a real bug. The ASSERT means that the address is contained in some valid page but the address is contained in HeapDoesNotContainCache (which is a negative cache to keep track of addresses that are not contained in any page).

keishi@: Would you mind taking a look at this?

A good starting point would be to see if the crash is gone if you unconditionally flush the HeapDoesNotContainCache.

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/platform/heap/ThreadState.cpp&sq=package:chromium&type=cs&l=923&rcl=1461640719

If the crash is gone, it would mean that m_shouldFlushHeapDoesNotContainCache is not set in places where it should be set.

Comment 3 by sigbjo...@opera.com, Apr 26 2016

Can HeapDoesNotContainCache's encoding scheme give false positives?
> Can HeapDoesNotContainCache's encoding scheme give false positives?

I don't think so.

I think it would be worth seeing if the crash is gone or not if we unconditionally flush the HeapDoesNotContainCache at every GC.

Comment 5 by sigbjo...@opera.com, Apr 27 2016

Do you remember where HeapDoesNotContainCache's implementation & design comes from? The hashing scheme looks unusual.

 
I don't think there was some deep discussion about the design. The cache is intended to be a simple two-way set associative negative cache.

Comment 7 by sigbjo...@opera.com, Apr 27 2016

https://codereview.chromium.org/616483002/ was the CL for the latest larger change to it.

(I'm just trying to convince myself that if you end up scanning non-pointer values on the stack, hash collisions won't happen against other valid pointer values you encounter later.)

Comment 8 by keishi@chromium.org, Apr 28 2016

I scanned through the build logs for the bot and I couldn't find the same crashes. It looks like this is a rare crash and I can't reproduce it.

Comment 9 by kbr@chromium.org, Apr 28 2016

OK. Please try your best but if it's not reproducible then close this as WontFix. Thanks.

Friendly ping. Any luck reproducing?

Comment 11 by kbr@chromium.org, Jun 7 2016

Status: WontFix (was: Assigned)
It sounds like this wasn't reproducible.

Sign in to add a comment