New issue
Advanced search Search tips

Issue 609046 link

Starred by 2 users
Status: Fixed
Owner:
yangguo@chromium.org
Closed: May 2016
Cc:
jarin@chromium.org
pfeldman@chromium.org
horo@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Regression



Sign in to add a comment

for(let a=0;a<3;a++){debugger;eval()} causes tab crash

Reported by l446240525@gmail.com, May 4 2016 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2724.0 Safari/537.36

Steps to reproduce the problem:
for(let a=0;a<3;a++){debugger;eval()} 

What is the expected behavior?

What went wrong?
.

Did this work before? N/A 

Chrome version: 52.0.2724.0  Channel: canary
OS Version: OS X 10.10.4
Flash Version: Shockwave Flash 22.0 r0
Screen Shot 2016-05-04 at 4.16.51 PM.png
35.9 KB View Download

Comment 1 by ligim...@chromium.org, May 4 2016

Labels: Needs-Bisect
Please provide the crash id from chrome://crashes

Comment 2 by ashej...@chromium.org, May 5 2016

Cc: pfeldman@chromium.org horo@chromium.org
Labels: -Type-Bug -Pri-2 -Needs-Bisect -OS-Mac ReleaseBlock-Beta M-52 hasTestcase hasbisect OS-All Pri-1 Type-Bug-Regression
Owner: carlosk@chromium.org
Status: Assigned (was: Unconfirmed)
The above issue is reproducible on All-OS (Windows (10 & 7), Mac 10.11.4 & Ubuntu 14.04) with chrome versions :  52.0.2717.0(Dev) & 52.0.2725.0(Canary).

This is a regression issue broken in M52 build.

Manual bisect info
==================
Last known Good build: 52.0.2715.0
First known Bad build: 52.0.2716.0

Narrow bisect
=============
You are probably looking for a change made after 389398 (known good), but no later than 389473 (first known bad).
CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/67d8ccb45177b214dbdb51375f1ed1ba31ffa07b..c7c0d3ab719b356d8ccef636506507b2cead7ff1


From the narrow bisect, plausible offending CLs according to likability below: 
1. https://codereview.chromium.org/1890513004? 
2. https://codereview.chromium.org/1908313003

@carlosk/horo: Hey, can you both please check the above issue and see if it's related to your change ?

Feel free to route the above issue to concern dev, if it's not related. Marking this as Beta blocker as this is a very recent regression.

Feel free to change accordingly.

I really appreciate your help.

Thank you!

Comment 3 by carlosk@chromium.org, May 9 2016 

Running debug version  I got a full browser crash once with gave this stack trace:

#
# Fatal error in ../../v8/src/debug/debug-scopes.cc, line 227
# Check failed: context_->IsScriptContext() || context_->IsNativeContext().
#

==== C stack trace ===============================

 1: 0x7fe849faece5
 2: 0x7fe849b052f4
 3: 0x7fe849b04b62
 4: 0x7fe849d9cc57
 5: 0x7fe849d9c5e9
 6: 0x6d30e208d87
Received signal 4 ILL_ILLOPN 7fe849fb123f
Received signal 11 SEGV_MAPERR 003000000020
[26184:26777:0509/105132:FATAL:embedded_worker_registry.cc(249)] Check failed: ContainsKey(process_sender_map_, process_id). 
#0 0x7f5a040a091e base::debug::StackTrace::StackTrace()
#1 0x7f5a0410120f logging::LogMessage::~LogMessage()
#2 0x7f59fdfffbbb content::EmbeddedWorkerRegistry::SendStartWorker()
#3 0x7f59fdff7a5a content::EmbeddedWorkerInstance::StartTask::SendStartWorker()
#4 0x7f59fdff6083 content::EmbeddedWorkerInstance::StartTask::OnRegisteredToDevToolsManager()
#5 0x7f59fdff78a0 _ZN4base8internal15RunnableAdapterIMN7content22EmbeddedWorkerInstance9StartTaskEFvSt10unique_ptrI36EmbeddedWorkerMsg_StartWorker_ParamsSt14default_deleteIS6_EEbibEE3RunIJS9_RKbibEEEvPS4_DpOT_
#6 0x7f59fdff7778 _ZN4base8internal12InvokeHelperILb1EvNS0_15RunnableAdapterIMN7content22EmbeddedWorkerInstance9StartTaskEFvSt10unique_ptrI36EmbeddedWorkerMsg_StartWorker_ParamsSt14default_deleteIS7_EEbibEEEE8Ma
keItSoINS_7WeakPtrIS5_EEJSA_RKbibEEEvSD_T_DpOT0_
#7 0x7f59fdff76c3 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1ELm2EEEENS0_9BindStateINS0_15RunnableAdapterIMN7content22EmbeddedWorkerInstance9StartTaskEFvSt10unique_ptrI36EmbeddedWorkerMsg_StartWorker_P
aramsSt14default_deleteISA_EEbibEEEFvPS8_SD_bibEJNS_7WeakPtrIS8_EENS0_13PassedWrapperISD_EERbEEENS0_12InvokeHelperILb1EvSG_EEFvibEE3RunEPNS0_13BindStateBaseEOiOb
#8 0x7f59fdff72ea base::Callback<>::Run()
#9 0x7f59fdff7282 _ZN4base8internal12InvokeHelperILb0EvNS_8CallbackIFvibELNS0_8CopyModeE1EEEE8MakeItSoIJRKiRKbEEEvS5_DpOT_
#10 0x7f59fdff7224 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1EEEENS0_9BindStateINS_8CallbackIFvibELNS0_8CopyModeE1EEES6_JRiRbEEENS0_12InvokeHelperILb0EvS8_EEFvvEE3RunEPNS0_13BindStateBaseE
#11 0x7f5a04080d0e base::Callback<>::Run()
#12 0x7f5a040a630e base::debug::TaskAnnotator::RunTask()
#13 0x7f5a0411e06c base::MessageLoop::RunTask()
#14 0x7f5a0411e308 base::MessageLoop::DeferOrRunPendingTask()
#15 0x7f5a0411e4d2 base::MessageLoop::DoWork()
#16 0x7f5a0413311e base::MessagePumpLibevent::Run()
#17 0x7f5a0411da7f base::MessageLoop::RunHandler()
#18 0x7f5a041c4e04 base::RunLoop::Run()
#19 0x7f5a0411caf4 base::MessageLoop::Run()
#20 0x7f5a04255789 base::Thread::Run()
#21 0x7f59fd7e2b66 content::BrowserThreadImpl::IOThreadRun()
#22 0x7f59fd7e2efe content::BrowserThreadImpl::Run()
#23 0x7f5a04255ad9 base::Thread::ThreadMain()
#24 0x7f5a042417aa base::(anonymous namespace)::ThreadFunc()
#25 0x7f59f1dff182 start_thread
#26 0x7f59effc447d clone

Retrying didn't crash the browser gut got me a renderer crash as presented in the attached screenhost caused by the same failed check as presented in the trace above.

Reverting either or both suggested changes didn't make the renderer crash go away. Still investigating...

Comment 4 by carlosk@chromium.org, May 9 2016 

The problem lies in a V8 auto-roll: 48d42d5a041a1257c3a98f898f385379b7ce74f5
CRrev page: https://codereview.chromium.org/1915033002

Comment 5 by carlosk@chromium.org, May 9 2016

Owner: jarin@chromium.org
From the auto-roll page, this is the commit range: https://chromium.googlesource.com/v8/v8/+log/09a5d827..eeafcb65

Reassigning to jarin@ (random committer from that range).

Comment 6 by jarin@chromium.org, May 9 2016

Cc: jarin@chromium.org
Owner: yangguo@chromium.org

Comment 7 by brajkumar@chromium.org, May 11 2016 

Just to update the bug, Issue is still able to reproduce on Windows 7 using chrome latest canary M52-52.0.2730.0.

yangguo@ - Could you please have a look in to this issue? If it's not related to your change please re-assign it to the appropriate owner.

Thanks!

Comment 8 by yangguo@chromium.org, May 11 2016

Status: Started (was: Assigned)
Sorry not having updated this issue. I have a fix under review.

Comment 10 by yangguo@chromium.org, May 11 2016

Status: Fixed (was: Started)
Project Member

Comment 11 by blocker...@chrome-infra-auth.iam.gserviceaccount.com, Sep 28 2016

Labels: Merge-TBD
[Auto-generated comment by a script] We noticed that this issue is targeted for M-52; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-52 label, otherwise remove Merge-TBD label. Thanks.

Comment 12 by amineer@chromium.org, Sep 28 2016

Labels: -Merge-TBD
[Bulk edit]

Our blockerbot script was offline; it was recently brought back online, and thus labeled many old issues (including this one) erroneously.  Removing Merge-TBD label since all milestones for this issue are already completed; no further work should be done.

Sign in to add a comment