
Issue 611562

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Regression




metrics::MemoryLeakReportProto::CopyFrom

Project Member Reported by rookrishna@chromium.org, May 12 2016

Issue description

Crash ID - 4b2dac0a00000000

Google Chrome
52.0.2733.0 (Official Build) dev (64-bit)

Platform  8312.0.0 (Official Build) dev-channel samus

007f2bde9ca60c	(chrome -memory_leak_report.pb.cc:964 )	metrics::MemoryLeakReportProto::CopyFrom
0x00007f2be25cbab0	(chrome -malloc_hook-inl.h:165 )	tc_malloc
0x00007f2bdd7a002a	(chrome -allocator_shim.cc:150 )	ShimCppNew
0x00007f2be0285fb3	(chrome -new_allocator.h:104 )	std::_Rb_tree<std::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> >, std::_Select1st<std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> > >, std::less<std::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> > > >::_M_clone_node
0x00007f2be0289b01	(chrome -stl_tree.h:1237 )	std::_Rb_tree<std::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> >, std::_Select1st<std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> > >, std::less<std::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<const std::basic_string<char, std::char_traits<char>, std::allocator<char> >, scoped_refptr<content::SessionStorageNamespace> > > >::_M_copy
0x00007f2be03241dc	(chrome -stl_tree.h:715 )	content::WebContentsImpl::GetSessionStorageNamespaceMap
0x00007f2be02946ed	(chrome -render_view_host_impl.cc:935 )	content::RenderViewHostImpl::ShutdownAndDestroy
0x00007f2be040466c	(chrome -frame_tree.cc:351 )	content::FrameTree::ReleaseRenderViewHostRef
0x00007f2be02263e6	(chrome -render_frame_host_impl.cc:294 )	content::RenderFrameHostImpl::~RenderFrameHostImpl
0x00007f2be02266a0	(chrome -render_frame_host_impl.cc:295 )	content::RenderFrameHostImpl::~RenderFrameHostImpl
0x00007f2be022cc25	(chrome -unique_ptr.h:76 )	content::RenderFrameHostManager::~RenderFrameHostManager
0x00007f2be0405e60	(chrome -frame_tree_node.cc:123 )	content::FrameTreeNode::~FrameTreeNode
0x00007f2be040393a	(chrome -frame_tree.cc:111 )	content::FrameTree::~FrameTree
0x00007f2be0323276	(chrome -web_contents_impl.cc:433 )	content::WebContentsImpl::~WebContentsImpl
0x00007f2be03235e0	(chrome -web_contents_impl.cc:520 )	content::WebContentsImpl::~WebContentsImpl
0x00007f2be0ffb001	(chrome -unique_ptr.h:76 )	extensions::ExtensionHost::~ExtensionHost
0x00007f2be0ffb1e0	(chrome -extension_host.cc:121 )	extensions::ExtensionHost::~ExtensionHost
0x00007f2be1025288	(chrome -process_manager.cc:719 )	extensions::ProcessManager::CloseBackgroundHost
0x00007f2be10280a6	(chrome -process_manager.cc:880 )	extensions::ProcessManager::CloseLazyBackgroundPageNow
0x00007f2be1024ecb	(chrome -bind_internal.h:181 )	base::internal::Invoker<base::IndexSequence<0ul, 1ul, 2ul>, base::internal::BindState<base::internal::RunnableAdapter<void (extensions::ProcessManager::*)(const std::basic_string<char, std::char_traits<char>, std::allocator<char> >&, long unsigned int)>, void(extensions::ProcessManager*, const std::basic_string<char, std::char_traits<char>, std::allocator<char> >&, long unsigned int), base::WeakPtr<extensions::ProcessManager>, const std::basic_string<char, std::char_traits<char>, std::allocator<char> >&, long unsigned int&>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (extensions::ProcessManager::*)(const std::basic_string<char, std::char_traits<char>, std::allocator<char> >&, long unsigned int)> >, void()>::Run
0x00007f2bdd793b7c	(chrome -callback.h:397 )	base::debug::TaskAnnotator::RunTask

Owner: sque@chromium.org
Status: Assigned (was: Untriaged)
Top crasher in M52 Dev. Assigning to sque@ as it looks related to crbug.com/600044. 
Multiple boards affected: peppy, parrot, link, samus, auron, candy, monroe, lulu...

Comment 2 by sque@chromium.org, May 16 2016

Cc: wfh@chromium.org
Components: Internals>Metrics
metrics::MemoryLeakReportProto::CopyFrom() is not explicitly being called in my code. However, it could be called implicitly in this function:

https://code.google.com/p/chromium/codesearch#chromium/src/components/metrics/leak_detector/leak_detector.cc&q=file:leak_detector&sq=package:chromium&type=cs&l=316

I wonder if content::BrowserThread::PostTask() can't handle a vector of protobufs for some reason.
Labels: -Type-Bug ReleaseBlock-Dev Type-Bug-Regression
Looks like a regression from Chrome M52 dev 52.0.2707.0. Culprit CL is https://crrev.com/f4d8db9dc4a1344c076498a9a004270909ad2520.
Only crashing on Chrome OS.


Cc: isherman@chromium.org

Comment 5 by sque@chromium.org, May 17 2016

Discussed with gkihumba directly. No need to revert Chromium CLs, just cl/121853515.

I emailed chromium-dev about whether it is caused by what I mentioned in Comment #2. I'd like to wait until tomorrow for a response before taking action.

Comment 6 by dcheng@chromium.org, May 17 2016

As I noted on the chromium-dev thread, the problem is probably an issue with ShimCppNew or the tc_malloc hook being overwritten with something weird.

Comment 7 by tzik@chromium.org, May 17 2016

This looks like it is crashing at leak_detector.cc:271.
> std::vector<MemoryLeakReportProto> leak_report_protos;
> std::transform(leak_reports.begin(), leak_reports.end(),
>                leak_report_protos.begin(), &ConvertLeakReportToProto);

Since std::transform doesn't allocate the memory for the vector, this writes beyond the boundary.
How about calling reserve() on the destination before std::transform and using std::back_inserter() here?
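
The pattern tzik describes, reduced to a stand-alone C++ program. This is an added example, not Chromium code and not part of this bug thread: `LeakReport`, `LeakReportProto`, `ConvertLeakReportToProto`, `ConvertAllBuggy`, `ConvertAllFixed` and `ConvertInto` are stand-in names, and the real leak_detector.cc types are not reproduced. It puts the buggy form (output iterator taken from an empty vector's begin()) beside the reserve()/back_inserter() fix, and adds a guarded overwrite-mode variant that refuses an undersized destination instead of writing past it.

```cpp
// Added example (not Chromium code). Stand-in types and hypothetical names.
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <iterator>
#include <vector>

// Stand-in for a leak detector report (hypothetical fields).
struct LeakReport {
  uint32_t alloc_size_bytes;
  std::vector<uintptr_t> call_stack;
};

// Stand-in for the protobuf message (hypothetical fields).
struct LeakReportProto {
  uint32_t size_bytes = 0;
  size_t stack_depth = 0;
};

// Hypothetical converter, named after the one quoted in comment 7.
LeakReportProto ConvertLeakReportToProto(const LeakReport& report) {
  LeakReportProto proto;
  proto.size_bytes = report.alloc_size_bytes;
  proto.stack_depth = report.call_stack.size();
  return proto;
}

// BUGGY shape of the quoted code. `protos` is empty, so protos.begin() ==
// protos.end() and there is no element storage behind it. std::transform
// still writes reports.size() protos through that iterator: an out-of-bounds
// heap write (undefined behaviour), consistent with the damage surfacing
// later inside tc_malloc in the stack trace above. Never called here; it is
// kept only to contrast with the fixed form.
std::vector<LeakReportProto> ConvertAllBuggy(const std::vector<LeakReport>& reports) {
  std::vector<LeakReportProto> protos;
  std::transform(reports.begin(), reports.end(), protos.begin(),  // writes past end
                 &ConvertLeakReportToProto);
  return protos;
}

// FIXED shape: back_inserter calls push_back for every element so the vector
// grows; reserve() only avoids reallocation while it does.
std::vector<LeakReportProto> ConvertAllFixed(const std::vector<LeakReport>& reports) {
  std::vector<LeakReportProto> protos;
  protos.reserve(reports.size());
  std::transform(reports.begin(), reports.end(), std::back_inserter(protos),
                 &ConvertLeakReportToProto);
  return protos;
}

// Overwrite mode, guarded: dst.begin() is a valid output iterator for N writes
// only if dst already holds at least N elements. Refuse otherwise instead of
// writing out of bounds.
bool ConvertInto(const std::vector<LeakReport>& reports,
                 std::vector<LeakReportProto>& dst) {
  if (dst.size() < reports.size()) return false;
  std::transform(reports.begin(), reports.end(), dst.begin(),
                 &ConvertLeakReportToProto);
  return true;
}

int main() {
  // Constructed sample input.
  std::vector<LeakReport> reports = {{64, {0x1000, 0x2000}}, {4096, {0x3000}}};

  std::vector<LeakReportProto> protos = ConvertAllFixed(reports);
  assert(protos.size() == 2 && protos[1].size_bytes == 4096);

  std::vector<LeakReportProto> empty;
  assert(!ConvertInto(reports, empty));  // the original bug's shape, refused

  std::vector<LeakReportProto> sized(reports.size());
  assert(ConvertInto(reports, sized) && sized[0].stack_depth == 2);
  return 0;
}
```

The point worth remembering from this bug: std::transform (like std::copy) never allocates; an output iterator must already point at writable elements or be an inserter. With back_inserter the reserve() call is an optimisation, not a correctness requirement.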

Comment 8 by sque@chromium.org, May 17 2016

Status: Started (was: Assigned)

Comment 9 by sque@chromium.org, May 17 2016

I tested this locally and tzik's suggestion was correct. Need to call reserve() before std::transform(), and also pass in std::back_inserter.
Project Member Comment 10 by bugdroid1@chromium.org, May 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ba7c5f1c1f063f61a96d9749a55854760949c916

commit ba7c5f1c1f063f61a96d9749a55854760949c916
Author: sque <sque@chromium.org>
Date: Tue May 17 22:18:48 2016

leak_detector: call transform() with back_inserter

To grow the destination vector dynamically, std::back_inserter must be
passed to std::transform().

There must also be enough space in the destination container before
std::transform() can be called. Call reserve() first to avoid
reallocations.

BUG= chromium:611562 
TEST=build successfully

Review-Url: https://codereview.chromium.org/1985093003
Cr-Commit-Position: refs/heads/master@{#394243}

[modify] https://crrev.com/ba7c5f1c1f063f61a96d9749a55854760949c916/components/metrics/leak_detector/leak_detector.cc

Status: Fixed (was: Started)

Comment 12 by sque@chromium.org, May 25 2016

Cc: sque@chromium.org
Owner: rookrishna@chromium.org
rookrishna: Can you verify that this is fixed in or after 2740 -- i.e. this crash is no longer reported in those versions?
