AdBlock memory leak in M51
Issue description
The regression happened somewhere between 51.2704.19 and 52.0.2705.0. V8 OOM crashes in M52 canaries are at 85%. https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Mac%27%20%20AND%20custom_data.ChromeCrashProto.ptype%3D%27extension%27%20AND%20(product.version%20LIKE%20%2752%25%27%20OR%20product.version%20LIKE%20%2751%25%27)%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27Out%20of%20Memory%20(v8)%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D
,
May 6 2016
Users experienced this crash on the following builds:
Win Dev 52.0.2723.3 - 2.45 CPM, 33 reports, 30 clients (signature Out of Memory (v8))
Win Canary 52.0.2726.0 - 3.73 CPM, 21 reports, 19 clients (signature Out of Memory (v8))
Mac Dev 52.0.2723.2 - 12.25 CPM, 5 reports, 5 clients (signature Out of Memory (v8))
Mac Canary 52.0.2725.0 - 15.41 CPM, 70 reports, 66 clients (signature Out of Memory (v8))
Linux Dev 52.0.2716.0 - 25.29 CPM, 101 reports, 62 clients (signature Out of Memory (v8))
Linux Beta 51.0.2704.36 - 8.21 CPM, 10 reports, 8 clients (signature Out of Memory (v8))
Android Dev 52.0.2723.0 - 3.06 CPM, 44 reports, 28 clients (signature Out of Memory (v8))
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
May 10 2016
,
May 10 2016
Regression range from #1 was not precise. I bisected memory leak manually to https://codereview.chromium.org/1707743002
Repro steps:
1. Install AdBlock extension (not AdBlockPlus).
2. Open http://techcrunch.tumblr.com
3. Duplicate the tab 7 times.
4. Open task manager, add JavaScript Memory column.
Expected: the memory usage is at 150MB.
What happens instead: memory usage is at 300MB and grows if tabs are refreshed.
Camillo, could you please take a look? The memory leak is massive and leading to many OOM crashes in AdBlock extension process.
,
May 10 2016
,
May 10 2016
Please fix this ASAP, so we can test the fix in Canary, dev, and merge it to Beta. Marking this as dev blocker for tracking purposes.
,
May 11 2016
,
May 11 2016
The crash first appeared in chrome version 51.0.2662.0. This crash hits the latest builds as below:
52.0.2730.0 0.16% 13 canary
52.0.2729.3 0.05% 4 dev
51.0.2704.36 0.39% 31 beta
Seeing a spike between the versions 52.0.2714.0 and 52.0.2715.0.
,
May 11 2016
Update on what Camillo and I found out today:
1. PrependElementIndicesImpl allocates large array of 91807 elements and right trims it to 16875.
2. Each right trim adds error to our live object size counter. The counter is larger than the actual live object size.
3. Eventually the counter reaches the max heap limit and we crash with OOM, even though the actual memory usage is low.
I am looking into why the counter gets confused by right trimming.
,
May 11 2016
Found the bug: LargeObjectSpace::FreeUnmarkedObjects decrements the counter by the current size of the object instead of original size.
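The accounting failure described in the two comments above, as an added model (not V8 code, not from anyone in this thread): a large-object space keeps a live-bytes counter that is credited at allocation time; a right trim shrinks the object without touching the counter; and the sweep then debits either the object's current (trimmed) size, as the bug did, or the size that was originally credited. The 91807/16875 element counts come from the thread; the 8-byte element size and the 16-buffer heap limit are assumed so the drift shows up within a few iterations, and the "fix" branch is the modelled invariant (debit what you credited), not the actual upstream patch.

```cpp
#include <cstddef>
#include <vector>

// Model of the large-object-space live-bytes counter discussed in this bug.
// Added illustration, not V8 code; element size and heap limit are assumed.
struct LargeObject {
  size_t allocated_bytes;  // bytes credited to live_bytes when allocated
  size_t current_bytes;    // bytes after any right trim
  bool marked;             // still reachable at the next GC?
};

class LargeObjectSpace {
 public:
  LargeObjectSpace(size_t max_heap_bytes, bool fix_enabled)
      : max_heap_bytes_(max_heap_bytes), fix_enabled_(fix_enabled) {}

  // Fails (OOM) when the counter, not real usage, says the heap is full.
  bool Allocate(size_t bytes, bool marked) {
    if (live_bytes_ + bytes > max_heap_bytes_) return false;
    live_bytes_ += bytes;
    objects_.push_back({bytes, bytes, marked});
    return true;
  }

  // A right trim shrinks the object in place; the counter is not adjusted.
  void RightTrimLast(size_t new_bytes) {
    objects_.back().current_bytes = new_bytes;
  }

  void FreeUnmarkedObjects() {
    std::vector<LargeObject> survivors;
    for (const LargeObject& o : objects_) {
      if (o.marked) { survivors.push_back(o); continue; }
      // Bug: debit the trimmed size, so the trimmed-off bytes stay credited
      // forever. Modelled fix: debit exactly what was credited at allocation.
      live_bytes_ -= fix_enabled_ ? o.allocated_bytes : o.current_bytes;
    }
    objects_.swap(survivors);
  }

  size_t live_bytes() const { return live_bytes_; }
  size_t actual_bytes() const {
    size_t total = 0;
    for (const LargeObject& o : objects_) total += o.current_bytes;
    return total;
  }

 private:
  size_t max_heap_bytes_;
  bool fix_enabled_;
  size_t live_bytes_ = 0;
  std::vector<LargeObject> objects_;
};

// 91807 elements trimmed to 16875 are the numbers from the thread; the
// 8-byte element and the 16-buffer heap limit are assumptions of the model.
constexpr size_t kElementBytes = 8;
constexpr size_t kAllocatedBytes = 91807 * kElementBytes;
constexpr size_t kKeptBytes = 16875 * kElementBytes;
constexpr size_t kHeapLimit = 16 * kAllocatedBytes;

// One "page load": allocate the index buffer, trim it, let it die at GC.
static bool LoadOnePage(LargeObjectSpace& space) {
  if (!space.Allocate(kAllocatedBytes, /*marked=*/false)) return false;
  space.RightTrimLast(kKeptBytes);
  space.FreeUnmarkedObjects();
  return true;
}

// Iteration at which allocation first fails, or 0 if it never fails.
int IterationsUntilOOM(bool fix_enabled, int max_iterations = 1000) {
  LargeObjectSpace space(kHeapLimit, fix_enabled);
  for (int i = 1; i <= max_iterations; ++i) {
    if (!LoadOnePage(space)) return i;
  }
  return 0;
}

// Bytes the counter reports beyond what is actually live after n page loads.
size_t PhantomBytesAfter(bool fix_enabled, int n) {
  LargeObjectSpace space(kHeapLimit, fix_enabled);
  for (int i = 0; i < n; ++i) LoadOnePage(space);
  return space.live_bytes() - space.actual_bytes();
}
```

With the bug, every page load leaks (91807 - 16875) * 8 bytes of phantom accounting while actual live bytes return to zero after each GC, so the counter crosses the modelled limit on the 20th load even though nothing is live; with the debit matched to the credit the counter stays exact and the loop never OOMs. The same shape of check (counter minus actual live size after a GC) is what to look at when a heap reports OOM while real memory usage is low.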
,
May 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/12fa3fff651181098956fa46bac7c3ac1d1424ab
commit 12fa3fff651181098956fa46bac7c3ac1d1424ab
Author: ulan <ulan@chromium.org>
Date: Wed May 11 16:56:34 2016
Fix live bytes counter in large object space after right trimming.
BUG= chromium:609761
LOG=NO
Review-Url: https://codereview.chromium.org/1964143004
Cr-Commit-Position: refs/heads/master@{#36183}
[modify] https://crrev.com/12fa3fff651181098956fa46bac7c3ac1d1424ab/src/heap/heap.cc
[modify] https://crrev.com/12fa3fff651181098956fa46bac7c3ac1d1424ab/src/heap/spaces.h
[modify] https://crrev.com/12fa3fff651181098956fa46bac7c3ac1d1424ab/test/cctest/heap/test-heap.cc
,
May 12 2016
Just to confirm, this does not need to be merged to 51, right?
,
May 12 2016
Yes, I will merge after canary coverage.
,
May 12 2016
,
May 13 2016
Canary looks good! V8 OOM for extension process is down.
,
May 13 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704)
,
May 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/11fc4de1ed401927a556db37d5fa8b0fb84ba8b5
commit 11fc4de1ed401927a556db37d5fa8b0fb84ba8b5
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Fri May 13 16:20:37 2016
Version 5.1.281.35 (cherry-pick)
Merged 12fa3fff651181098956fa46bac7c3ac1d1424ab
Fix live bytes counter in large object space after right trimming.
BUG= chromium:609761
LOG=N
R=vogelheim@chromium.org
Review URL: https://codereview.chromium.org/1977883002 .
Cr-Commit-Position: refs/branch-heads/5.1@{#41}
Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1}
Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282}
[modify] https://crrev.com/11fc4de1ed401927a556db37d5fa8b0fb84ba8b5/include/v8-version.h
[modify] https://crrev.com/11fc4de1ed401927a556db37d5fa8b0fb84ba8b5/src/heap/heap.cc
[modify] https://crrev.com/11fc4de1ed401927a556db37d5fa8b0fb84ba8b5/src/heap/spaces.h
[modify] https://crrev.com/11fc4de1ed401927a556db37d5fa8b0fb84ba8b5/test/cctest/heap/test-heap.cc
,
May 13 2016
,
May 13 2016
Per comment #18, this is already merged to M51. So removing "Merge-Approved-51" & "merge-review-5.1" labels.
,
May 13 2016
Want to update that currently the overall crash % is about 31.88% on Mac with latest Chrome Beta 51.0.2704.47. Please find the stats here: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Mac%27%20AND%20product.version%3D%2751.0.2704.47%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27Out%20of%20Memory%20(v8)%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D
,
May 14 2016
pbommana@, this bug is about extension process. Your link gives renderer stats. Here are the crashes for extension (drop from 71% in 52.0.2730.0 to 0.6% in 52.0.2734.0): https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Mac%27%20AND%20product.version%3D%2751.0.2704.47%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27extension%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27Out%20of%20Memory%20(v8)%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D
,
Nov 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/14c6a651d1c04c90379299e577dd8e187967f5a9
commit 14c6a651d1c04c90379299e577dd8e187967f5a9
Author: cbruni <cbruni@chromium.org>
Date: Tue Nov 15 18:30:35 2016
[elements] Precisely estimate elements size as last resort
In case of an allocation failure in for-in over holey elements, use precise number of elements to allocate a smaller buffer for the collected indices.
Drive-by-fix: make is_the_hole accept the isolate for faster checks.
BUG= chromium:609761
Review-Url: https://codereview.chromium.org/2041963003
Cr-Commit-Position: refs/heads/master@{#41010}
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/compiler/js-global-object-specialization.cc
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/elements.cc
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/elements.h
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/factory.cc
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/factory.h
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/lookup.cc
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/objects-inl.h
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/objects.cc
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/objects.h
[modify] https://crrev.com/14c6a651d1c04c90379299e577dd8e187967f5a9/src/runtime/runtime-scopes.cc
Comment 1 by mlippautz@chromium.org, May 6 2016