Recent failing builds on the tryservers:

https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng/builds/224273
https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng/builds/224266
https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng/builds/224211
https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng/builds/224208
https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng/builds/224196

Could this be related to recent Oilpan work around incremental marking of V8 wrappers?

I think this is a long-standing bug of V8 GC.

I dispute that claim. This crash was not happening on Chrome's bots before about a week ago. It is a new failure that is affecting Chrome's commit queue, and is much higher priority than Issue 459380, which is marked P2 and has been open for over a year.

Assigning to the current memory sheriff.

 Issue 604754  has been merged into this issue.

From discussion with jochen@:

 - He was not able to reproduce locally

 - He suggests enabling ASAN and, paradoxically, v8_target_arch=arm on one of the Mac bots on the chromium.gpu.fyi waterfall (which will make all of V8's jitted code go through the ARM simulator) to try to catch the error as it happens

I'm not confident that this approach will catch the bug we're seeing -- it is a huge change in behavior. Also, it sounds like this is a fairly long-term plan for diagnosing this bug, where it is a clear regression that made it in within the past two weeks.

I think the appropriate thing to do would be to stop V8 rolls and revert V8 back to a known good state, for example 2c5a2c5a06c94c5746f3c67deef0abec1b739972 from:

https://build.chromium.org/p/chromium.gpu.fyi/builders/Mac%2010.10%20Release%20%28ATI%29/builds/10486

Then let's see whether mac_chromium_rel_ng is stabilized for a day or so, and then try bisecting in the V8 range. https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng?numbuilds=200 is showing some 10% of runs failing with this error, so it should be obvious when it's resolved.

If it's not a V8 bug but instead some sort of memory error introduced in Blink recently, then eliminating V8 changes from the possible causes would also help narrow down the problem.

Note: this failure of WebglConformance.conformance_textures_webgl_canvas_tex_2d_rgb_rgb_unsigned_short_5_6_5  on Windows looks similar:

https://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_ng/builds/218443

Stack:

[ RUN      ] WebglConformance.conformance_textures_webgl_canvas_tex_2d_rgb_rgb_unsigned_short_5_6_5
Backtrace:
	v8::internal::Isolate::set_context [0x6776862E+14]
	v8::Context::Exit [0x6774DF31+177]
	blink::V8CSSStyleDeclaration::visitDOMWrapper [0x6858E5D3+179]
	blink::MajorGCWrapperVisitor::VisitPersistentHandle [0x68469007+503]
	v8::VisitorAdapter::VisitEmbedderReference [0x67765F58+24]
	v8::internal::GlobalHandles::IterateAllRootsWithClassIds [0x696E93A5+341]
	v8::Isolate::VisitHandlesWithClassIds [0x67765F8D+45]
	blink::MajorGCWrapperVisitor::notifyFinished [0x6846A102+322]
	blink::V8GCController::gcPrologue [0x68469BE0+528]
	v8::internal::Heap::CallGCPrologueCallbacks [0x67772B77+215]
	v8::internal::Heap::PerformGarbageCollection [0x67780834+372]
	v8::internal::Heap::CollectGarbage [0x67773A48+424]
	v8::internal::Factory::NewHeapNumber [0x696F3875+165]
	v8::internal::BasicJsonStringifier::StringifyString [0x695AC211+1873]
	v8::internal::Runtime_AllocateHeapNumber [0x695A4E64+100]
	(No symbol) [0x2250A366]
	(No symbol) [0x2250A7D0]
	(No symbol) [0x28721FFD]
	(No symbol) [0x287507E7]
	(No symbol) [0x2250BA76]
	(No symbol) [0x28750212]
	(No symbol) [0x2250BA76]
	(No symbol) [0x3CDDAFAA]
	(No symbol) [0x3CDD9C5B]
	(No symbol) [0x3CDD9AEA]
	(No symbol) [0x287315C9]
	v8::internal::StackGuard::ThreadLocal::Initialize [0x696E20E3+467]
	v8::internal::Execution::Call [0x696E1A31+449]
	v8::Script::Run [0x6775F365+501]
	blink::V8ScriptRunner::runCompiledScript [0x685550D2+562]
	blink::ScriptController::executeScriptAndReturnValue [0x6846729E+862]
	blink::ScriptController::evaluateScriptInMainWorld [0x68466E75+277]
	blink::ScriptController::executeScriptInMainWorld [0x68467A4C+44]
	blink::ScriptLoader::executeScript [0x69897042+1154]
	blink::ScriptLoader::prepareScript [0x6989847D+957]
	blink::HTMLScriptRunner::runScript [0x67E3E122+258]
	blink::HTMLScriptRunner::execute [0x67E3CCFE+302]
	blink::HTMLDocumentParser::processParsedChunkFromBackgroundParser [0x67DE8388+2680]
	blink::HTMLDocumentParser::pumpPendingSpeculations [0x67DE8922+1106]
	??$callInternal@$0A@$$Z$$V@?$PartBoundFunctionImpl@$00V?$tuple@$$QAV?$CrossThreadWeakPersistentThisPointer@VHTMLParserScheduler@blink@@@blink@@@std@@V?$FunctionWrapper@P8HTMLParserScheduler@blink@@AEXXZ@WTF@@$$V@WTF@@AAEXABU?$IndexSequence@$0A@@base@@@Z [0x67E3B146+134]
	??R?$PartBoundFunctionImpl@$00V?$tuple@$$QAV?$CrossThreadWeakPersistentThisPointer@VHTMLParserScheduler@blink@@@blink@@@std@@V?$FunctionWrapper@P8HTMLParserScheduler@blink@@AEXXZ@WTF@@$$V@WTF@@UAEXXZ [0x67E3B57D+13]
	scheduler::WebTaskRunnerImpl::runTask [0x69A1089B+11]
	base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,void __cdecl(std::unique_ptr<blink::Web [0x6860BD6F+95]
	base::debug::TaskAnnotator::RunTask [0x67077F37+247]
	scheduler::TaskQueueManager::ProcessTaskFromWorkQueue [0x69A1796D+1037]
	scheduler::TaskQueueManager::DoWork [0x69A16E20+560]
	base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,void __cdecl(scheduler::TaskQueueManager *,base::TimeTicks,bool),base::Wea [0x69A17F7F+79]
	base::debug::TaskAnnotator::RunTask [0x67077F37+247]
	base::MessageLoop::RunTask [0x6704578B+1211]
	base::MessageLoop::DoWork [0x67044AF5+549]
	base::MessagePumpDefault::Run [0x6707A40B+299]
	base::MessageLoop::RunHandler [0x670452C7+103]
	base::RunLoop::Run [0x6707A579+41]
	base::MessageLoop::Run [0x67045252+98]
	content::RendererMain [0x686EC5FE+670]
	content::RunNamedProcessTypeMain [0x6701DDF4+260]
	content::ContentMainRunnerImpl::Run [0x6701DCA1+321]
	content::ContentMain [0x6701ADD3+35]
	ChromeMain [0x66F74AE6+118]
	MainDllLoader::Launch [0x013382FC+812]
	wWinMain [0x01337667+567]
	__scrt_common_main_seh [0x013A833C+253] (f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255)
...

So this is probably not Mac-specific and not specific to maps_pixel_test, either. It just happens to show up most often with that combination.

Deleted: stdout.txt 3.9 MB

stdout.txt 3.9 MB View Download

Yes, inspector tests flakily triggers it also. Win dbg bots are a good place to look, e.g.,

 https://storage.googleapis.com/chromium-layout-test-archives/WebKit_Win7__dbg_/5607/layout-test-results/inspector/tracing/timeline-style-recalc-all-invalidator-types-crash-log.txt

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/24abea527df01d35b7afd8656009f09944019d8b

commit 24abea527df01d35b7afd8656009f09944019d8b
Author: jochen <jochen@chromium.org>
Date: Wed May 11 13:08:11 2016

Revert of Remove Oilpan-only StyleSheet/ test failures from TestExpectations (patchset #6 id:100001 of https://codereview.chromium.org/1904423002/ )

Reason for revert:
speculative revert to see whether this caused  crbug.com/610340 

BUG= 610340 

Original issue's description:
> Remove Oilpan-only StyleSheet/ test failures from TestExpectations
>
> BUG= 585328 
>
> Committed: https://crrev.com/23d02793c61cf69b1818cd007cc39db1d2238b09
> Cr-Commit-Position: refs/heads/master@{#390285}

TBR=haraken@chromium.org,oilpan-reviews@chromium.org,sigbjornf@opera.com,yukishiino@chromium.org,keishi@chromium.org
# CQ was green on first patchset, manual rebase of TestExpectations
NOTRY=true
BUG= 585328 

Review-Url: https://codereview.chromium.org/1968903002
Cr-Commit-Position: refs/heads/master@{#392907}

[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/fast/dom/StyleSheet/detached-parent-rule-without-wrapper-expected.txt
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/fast/dom/StyleSheet/detached-parent-rule-without-wrapper.html
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/fast/dom/StyleSheet/detached-stylesheet-without-wrapper-expected.txt
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/fast/dom/StyleSheet/detached-stylesheet-without-wrapper.html
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/fast/dom/StyleSheet/gc-declaration-parent-rule-expected.txt
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/fast/dom/StyleSheet/gc-parent-rule-expected.txt
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/fast/dom/StyleSheet/gc-parent-stylesheet-expected.txt
[add] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/platform/oilpan/fast/dom/StyleSheet/detached-parent-rule-without-wrapper-expected.txt
[add] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/LayoutTests/platform/oilpan/fast/dom/StyleSheet/gc-parent-rule-expected.txt
[delete] https://crrev.com/2f78eb16262f1442e4c2b0cc9a03689e5cc47353/third_party/WebKit/Source/bindings/core/v8/custom/V8CSSStyleRuleCustom.cpp
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/Source/bindings/core/v8/custom/custom.gypi
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/Source/core/css/CSSStyleDeclaration.idl
[modify] https://crrev.com/24abea527df01d35b7afd8656009f09944019d8b/third_party/WebKit/Source/core/css/CSSStyleRule.idl

maybe fixed? let's wait and see...

Detected 13 new flakes for test/step "maps_pixel_test (with patch)". To see the actual flakes, please visit https://chromium-try-flakes.appspot.com/all_flake_occurrences?key=ahVzfmNocm9taXVtLXRyeS1mbGFrZXNyJwsSBUZsYWtlIhxtYXBzX3BpeGVsX3Rlc3QgKHdpdGggcGF0Y2gpDA. This message was posted automatically by the chromium-try-flakes app. Since flakiness is ongoing, the issue was moved back into Sheriff Bug Queue (unless already there).

i can't see the error anymore on the waterfall. Esp. on the WebKit Win7 (dbg) bot, every run used to have this crash (if you check "show stderr" and look at the inspector tests you should find it), but now they're gone

I'd be very interested to see/hear an explanation of what was wrong with the custom (?) wrapper.

Me too :)

In fact, the crashes I've seen don't have the custom visitDOMWrapper on the stack but the generated one

Jochen, thank you for tracking this down. I think the flakes reported in #14 all happened before your revert, and there are currently no failures of maps_pixel_test on https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_ng?numbuilds=200 .

Blocking this on  Issue 585328  and downgrading to P2. Whatever was wrong with the custom visitor needs to be fixed before re-landing it.

The crash is happening because we instantiate a ContextScope in visitDOMWrapper. And conceptually there's no reason we have to create the ContextScope.

I tried to remove the ContextScope a couple of months ago but didn't land due to some failures observed on win bots (https://codereview.chromium.org/1683493003/). I think a right fix would be to land the CL.

I'll take a look.

Issue 610623 has been merged into this issue.

I suspect issue 610623 is a duplicate of this - is it possible that those css objects generate that many references that we overflow stuff?

I guess that's possible.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b1b2e5dd2b1f6c4b314a813987724812e13fbc18

commit b1b2e5dd2b1f6c4b314a813987724812e13fbc18
Author: haraken <haraken@chromium.org>
Date: Fri May 13 10:12:33 2016

Remove Context::Scope from visitDOMWrapper

visitDOMWrapper should not create a Context::Scope.
Alternately, it should visit wrappers of all worlds
(currently the binding layer is assuming that wrappers of all worlds
are kept alive if any of the wrappers is alive).

Also it is important to remove the Context::Scope because if DOM has a long reference chain
to be visited, the Context::Scopes created on the stack can overflow and cause crashes.

BUG= 455160 , 610340 

Review-Url: https://codereview.chromium.org/1683493003
Cr-Commit-Position: refs/heads/master@{#393492}

[modify] https://crrev.com/b1b2e5dd2b1f6c4b314a813987724812e13fbc18/third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.cpp
[modify] https://crrev.com/b1b2e5dd2b1f6c4b314a813987724812e13fbc18/third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.h
[modify] https://crrev.com/b1b2e5dd2b1f6c4b314a813987724812e13fbc18/third_party/WebKit/Source/bindings/templates/interface.cpp
[modify] https://crrev.com/b1b2e5dd2b1f6c4b314a813987724812e13fbc18/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterface.cpp
[modify] https://crrev.com/b1b2e5dd2b1f6c4b314a813987724812e13fbc18/third_party/WebKit/Source/bindings/tests/results/modules/V8TestInterface5.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eb23b41351d08e79e222870c70d05151585fed26

commit eb23b41351d08e79e222870c70d05151585fed26
Author: adamk <adamk@chromium.org>
Date: Mon May 16 23:59:34 2016

Make sure ScriptWrappables have a wrapper before calling setReference()

Failure to check for a valid wrapper before calling setReference (and
then into v8::Isolate::SetReference) results in NULL handles being
visited (and crashing) during V8 GC.

BUG= 610340 ,612206

Review-Url: https://codereview.chromium.org/1981013002
Cr-Commit-Position: refs/heads/master@{#393986}

[modify] https://crrev.com/eb23b41351d08e79e222870c70d05151585fed26/third_party/WebKit/Source/bindings/core/v8/DOMWrapperWorld.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c3d6201e736206557251cfb9109197844fcfd340

commit c3d6201e736206557251cfb9109197844fcfd340
Author: haraken <haraken@chromium.org>
Date: Tue May 31 10:03:16 2016

Remove unnecessary Context::Scope from V8CSSStyleRuleCustom

This is a left-over of https://codereview.chromium.org/1683493003/.
This CL removes it.

BUG= 455160 ,  610340 

Review-Url: https://codereview.chromium.org/2024793002
Cr-Commit-Position: refs/heads/master@{#396808}

[modify] https://crrev.com/c3d6201e736206557251cfb9109197844fcfd340/third_party/WebKit/Source/bindings/core/v8/custom/V8CSSStyleRuleCustom.cpp