Issue 611562 link

Starred by 2 users

Issue metadata

Status:	Verified
Owner:	█ rookrishna@chromium.org Last visit > 30 days ago
Closed:	May 2016
Cc:	abodenha@chromium.org isherman@chromium.org sdantul...@chromium.org wfh@chromium.org dhadd...@chromium.org sque@chromium.org skare@chromium.org asvitk...@chromium.org █ rkaplow@chromium.org
Components:	Internals>Metrics
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	1
Type:	Bug-Regression
M-52 ReleaseBlock-Dev

metrics::MemoryLeakReportProto::CopyFrom

Project Member Reported by rookrishna@chromium.org, May 12 2016

Issue description

Crash ID - 4b2dac0a00000000

Google Chrome
52.0.2733.0 (Official Build) dev (64-bit)

Platform  8312.0.0 (Official Build) dev-channel samus

007f2bde9ca60c	(chrome -memory_leak_report.pb.cc:964 )	metrics::MemoryLeakReportProto::CopyFrom
0x00007f2be25cbab0	(chrome -malloc_hook-inl.h:165 )	tc_malloc
0x00007f2bdd7a002a	(chrome -allocator_shim.cc:150 )	ShimCppNew
0x00007f2be0285fb3	(chrome -new_allocator.h:104 )	std::_Rb_tree<std::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> >, std::_Select1st<std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> > >, std::less<std::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> > > >::_M_clone_node
0x00007f2be0289b01	(chrome -stl_tree.h:1237 )	std::_Rb_tree<std::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> >, std::_Select1st<std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> > >, std::less<std::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> > > >::_M_copy
0x00007f2be03241dc	(chrome -stl_tree.h:715 )	content::WebContentsImpl::GetSessionStorageNamespaceMap
0x00007f2be02946ed	(chrome -render_view_host_impl.cc:935 )	content::RenderViewHostImpl::ShutdownAndDestroy
0x00007f2be040466c	(chrome -frame_tree.cc:351 )	content::FrameTree::ReleaseRenderViewHostRef
0x00007f2be02263e6	(chrome -render_frame_host_impl.cc:294 )	content::RenderFrameHostImpl::~RenderFrameHostImpl
0x00007f2be02266a0	(chrome -render_frame_host_impl.cc:295 )	content::RenderFrameHostImpl::~RenderFrameHostImpl
0x00007f2be022cc25	(chrome -unique_ptr.h:76 )	content::RenderFrameHostManager::~RenderFrameHostManager
0x00007f2be0405e60	(chrome -frame_tree_node.cc:123 )	content::FrameTreeNode::~FrameTreeNode
0x00007f2be040393a	(chrome -frame_tree.cc:111 )	content::FrameTree::~FrameTree
0x00007f2be0323276	(chrome -web_contents_impl.cc:433 )	content::WebContentsImpl::~WebContentsImpl
0x00007f2be03235e0	(chrome -web_contents_impl.cc:520 )	content::WebContentsImpl::~WebContentsImpl
0x00007f2be0ffb001	(chrome -unique_ptr.h:76 )	extensions::ExtensionHost::~ExtensionHost
0x00007f2be0ffb1e0	(chrome -extension_host.cc:121 )	extensions::ExtensionHost::~ExtensionHost
0x00007f2be1025288	(chrome -process_manager.cc:719 )	extensions::ProcessManager::CloseBackgroundHost
0x00007f2be10280a6	(chrome -process_manager.cc:880 )	extensions::ProcessManager::CloseLazyBackgroundPageNow
0x00007f2be1024ecb	(chrome -bind_internal.h:181 )	base::internal::Invoker<base::IndexSequence<0ul, 1ul, 2ul>, base::internal::BindState<base::internal::RunnableAdapter<void (extensions::ProcessManager::*)(const std::basic_string<char, std::char_traits<char>, std::allocator<char> >&, long unsigned int)>, void(extensions::ProcessManager*, const std::basic_string<char, std::char_traits<char>, std::allocator<char> >&, long unsigned int), base::WeakPtr<extensions::ProcessManager>, const std::basic_string<char, std::char_traits<char>, std::allocator<char> >&, long unsigned int&>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (extensions::ProcessManager::*)(const std::basic_string<char, std::char_traits<char>, std::allocator<char> >&, long unsigned int)> >, void()>::Run
0x00007f2bdd793b7c	(chrome -callback.h:397 )	base::debug::TaskAnnotator::RunTask

Comment 1 by gkihumba@chromium.org, May 16 2016

Owner: sque@chromium.org
Status: Assigned (was: Untriaged)

Top crasher in M52 Dev. Assigning to sque@ as it looks related to crbug.com/600044. 
Multiple boards affected: peppy, parrot, link, samus, auron, candy, monroe, lulu...

Comment 2 by sque@chromium.org, May 16 2016

Cc: wfh@chromium.org
Components: Internals>Metrics

metrics::MemoryLeakReportProto::CopyFrom() is not explicitly being called in my code. However, it could be called implicitly in this function:

https://code.google.com/p/chromium/codesearch#chromium/src/components/metrics/leak_detector/leak_detector.cc&q=file:leak_detector&sq=package:chromium&type=cs&l=316

I wonder if content::BrowserThread::PostTask() can't handle a vector of protobufs for some reason.

Comment 3 by gkihumba@chromium.org, May 16 2016

Labels: -Type-Bug ReleaseBlock-Dev Type-Bug-Regression

Looks like a regression from Chrome M52 dev 52.0.2707.0. Culprit CL is https://crrev.com/f4d8db9dc4a1344c076498a9a004270909ad2520.
Only crashing on Chrome OS.

Comment 4 by gkihumba@chromium.org, May 16 2016

Cc: isherman@chromium.org

Comment 5 by sque@chromium.org, May 17 2016

Discussed with gkihumba directly. No need to revert Chromium CLs, just cl/121853515.

I emailed chromium-dev about whether it is caused by what I mentioned in Comment #2. I'd like to wait until tomorrow for a response before taking action.

Comment 6 by dcheng@chromium.org, May 17 2016

As I noted on the chromium-dev thread, the problem is probably an issue with ShimCppNew or the tc_malloc hook being overwritten with something weird.

Comment 7 by tzik@chromium.org, May 17 2016

This looks crashing at leak_detector.cc:271.
> std::vector<MemoryLeakReportProto> leak_report_protos;
> std::transform(leak_reports.begin(), leak_reports.end(),
>                leak_report_protos.begin(), &ConvertLeakReportToProto);

Since std::transform doesn't allocate the memory for the vector, this writes beyond the boundary.
How about reserve() the capacity before std::transform and use std::back_inserter() here?

Comment 8 by sque@chromium.org, May 17 2016

Status: Started (was: Assigned)

Comment 9 by sque@chromium.org, May 17 2016

I tested this locally and tzik's suggestion was correct. Need to call reserve() before std::transform(), and also pass in std::back_inserter.

Project Member

Comment 10 by bugdroid1@chromium.org, May 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ba7c5f1c1f063f61a96d9749a55854760949c916

commit ba7c5f1c1f063f61a96d9749a55854760949c916
Author: sque <sque@chromium.org>
Date: Tue May 17 22:18:48 2016

leak_detector: call transform() with back_inserter

To grow the destination vector dynamically, std::back_inserter must be
passed to std::transform().

There must also be enough space in the destination container before
std::transform() can be called. Call reserve() first to avoid
reallocations.

BUG= chromium:611562 
TEST=build successfully

Review-Url: https://codereview.chromium.org/1985093003
Cr-Commit-Position: refs/heads/master@{#394243}

[modify] https://crrev.com/ba7c5f1c1f063f61a96d9749a55854760949c916/components/metrics/leak_detector/leak_detector.cc

Comment 11 by gkihumba@chromium.org, May 18 2016

Status: Fixed (was: Started)

Comment 12 by sque@chromium.org, May 25 2016

Cc: sque@chromium.org
Owner: rookrishna@chromium.org

rookrishna: Can you verify that this is fixed in or after 2740 -- i.e. this crash is no longer reported in those versions?

Comment 13 by abod...@chromium.org, Aug 2 2016

Status: Verified (was: Fixed)

no recent crash reports
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27metrics%3A%3AMemoryLeakReportProto%3A%3ACopyFrom%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D&stbtiq=&reportid=c0e6d30900000000&index=0#0

►

Issue 611562 link

Issue metadata

metrics::MemoryLeakReportProto::CopyFrom

Issue description

Comment 1 by gkihumba@chromium.org, May 16 2016

Comment 1 Deleted

Comment 2 by sque@chromium.org, May 16 2016

Comment 2 Deleted

Comment 3 by gkihumba@chromium.org, May 16 2016

Comment 3 Deleted

Comment 4 by gkihumba@chromium.org, May 16 2016

Comment 4 Deleted

Comment 5 by sque@chromium.org, May 17 2016

Comment 5 Deleted

Comment 6 by dcheng@chromium.org, May 17 2016

Comment 6 Deleted

Comment 7 by tzik@chromium.org, May 17 2016

Comment 7 Deleted

Comment 8 by sque@chromium.org, May 17 2016

Comment 8 Deleted

Comment 9 by sque@chromium.org, May 17 2016

Comment 9 Deleted

Comment 10 by bugdroid1@chromium.org, May 17 2016

Comment 10 Deleted

Comment 11 by gkihumba@chromium.org, May 18 2016

Comment 11 Deleted

Comment 12 by sque@chromium.org, May 25 2016

Comment 12 Deleted

Comment 13 by abod...@chromium.org, Aug 2 2016

Comment 13 Deleted

Sign in to add a comment