Chrome crashes when frequently displaying jpg images or making Skype calls (WebRTC and jpg refreshing)
Reported by quak...@hotmail.com, May 20 2016
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36

Steps to reproduce the problem:
1. Play video in the remote desktop, which is shown through refreshing .jpg.
2-1. We have about a 20% chance of seeing the tab crash with "Aw, Snap!" randomly within 3 min to 2 h.
2-2. If it does not crash, it seems to work all night (12 h+).

What is the expected behavior?
No crash should happen even when a TypedArray is used in JS.

What went wrong?
From the dmp file, chrome_child.dll has an access violation, which should be a Chrome bug since JavaScript has no right to directly access memory.

Crashed report ID: no, also no client_id in the Local State file
How much crashed? Just one tab
Is it a problem with a plugin? No
Did this work before? Yes. Never saw this in Chrome version 49 in 10+ tests, but it still might not be a regression since this crash can't be reproduced consistently.
Chrome version: 50.0.2661.102 m
Channel: n/a
OS Version: Windows 10 Pro
Flash Version:
Comment, May 20 2016
Other modules we are using: websocket, asm.js code (by emscripten), worker. The dmp for withWebRTC (RTAV) and withoutWebRTC seem different: without WebRTC it is at chrome_child!GetHandleVerifier+0xdbab77, with WebRTC it is at chrome_child!ovly_debug_event+0x57b5ac (ovly is not a typo), so I uploaded both. Best Regards, Eden
Comment, May 20 2016
Hi thestig, I tried to enable the report, but found nothing in chrome://crashes, and no one responded to the question at http://stackoverflow.com/questions/37269606/chrome-aw-snap-crush-but-cant-see-crush-log-in-chrome-crashes-but-see-dmp. So I manually gathered the dmp file and tried to open this bug. Could you help tell me which information is also needed for this bug? Best Regards, Eden
Comment, May 20 2016
By adding symbols, we chose to focus on the with-WebRTC case, where the dmp consistently includes the information below:

...................................................
eax=00000000 ebx=0018ec34 ecx=00000001 edx=4000c028 esi=00000000 edi=00000000
eip=77b66f1c esp=0018ebf4 ebp=0018ec58 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!NtDelayExecution+0xc:
77b66f1c c20800 ret 8
...
eax=0923fa18 ebx=00231cc0 ecx=00000001 edx=4000c028 esi=00000000 edi=66529360
eip=6415bbb3 esp=0018f3dc ebp=0018f3dc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
chrome_child!blink::HeapObjectHeader::isMarked [inlined in chrome_child!blink::VisitorHelper<blink::Visitor>::handleWeakCell<blink::Document>+0xc]:
6415bbb3 f641fc01 test byte ptr [ecx-4],1 ds:002b:fffffffd=??

And from https://chromium.googlesource.com/chromium/blink/+/master/Source/platform/heap/Visitor.h we see this function is for GC (seems to be the mark part), so could it be caused by bad JavaScript? And how could I narrow down which variable is causing this bug in our code? P.S. from the call stack, I can see the call is indeed from GC, but can't know which variable is causing this crash.
Comment, May 23 2016
Updated the dmp zip, and only focusing on one of the crash issues, where it happens in GC. Below is a part of the dmp information:

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(21f4.2938): Access violation - code c0000005 (first/second chance not available)
*** WARNING: Unable to verify checksum for ntdll.dll
*** WARNING: Unable to verify checksum for KERNELBASE.dll
eax=00000000 ebx=0019ed74 ecx=00000001 edx=3040c028 esi=00000000 edi=00000000
eip=77b66f1c esp=0019ed34 ebp=0019ed98 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!NtDelayExecution+0xc:
77b66f1c c20800 ret 8
0:000> .ecxr
*** WARNING: Unable to verify checksum for chrome_child.dll
eax=080ffcf0 ebx=001eb718 ecx=00000001 edx=3040c028 esi=00000000 edi=66529360
eip=6415bbb3 esp=0019f51c ebp=0019f51c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
chrome_child!blink::HeapObjectHeader::isMarked [inlined in chrome_child!blink::VisitorHelper<blink::Visitor>::handleWeakCell<blink::Document>+0xc]:
6415bbb3 f641fc01 test byte ptr [ecx-4],1 ds:002b:fffffffd=??

0:000> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
chrome_child!blink::VisitorHelper<blink::Visitor>::handleWeakCell<blink::Document>+c [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\heap\heap.h @ 546]
6415bbb3 f641fc01 test byte ptr [ecx-4],1

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 6415bbb3 (chrome_child!blink::HeapObjectHeader::isMarked)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: fffffffd
Attempt to read from address fffffffd

DEFAULT_BUCKET_ID: INVALID_POINTER_READ

PROCESS_NAME: chrome.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: fffffffd
READ_ADDRESS: fffffffd

FOLLOWUP_IP:
chrome_child!blink::VisitorHelper<blink::Visitor>::handleWeakCell<blink::Document>+c [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\heap\heap.h @ 546]
6415bbb3 f641fc01 test byte ptr [ecx-4],1

NTGLOBALFLAG: 0
APP: chrome.exe
FAULTING_THREAD: 00002938
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 63fcdbbb to 6415bbb3

STACK_TEXT:
0019f51c 63fcdbbb 30b4ded0 080ffcf0 0019f55c chrome_child!blink::VisitorHelper<blink::Visitor>::handleWeakCell<blink::Document>+0xc
0019f52c 63fcdb14 30b4ded0 65cb115c 00000000 chrome_child!blink::Heap::popAndInvokeGlobalWeakCallback+0x2e
0019f55c 641458df 30b4ded0 30b4ded0 30b4ded0 chrome_child!blink::Heap::globalWeakProcessing+0x6f
0019f5b8 63c3080c 00000000 00000001 00000001 chrome_child!blink::Heap::collectGarbage+0x14a
0019f5cc 63c35345 00000000 006a1368 0068fc68 chrome_child!blink::ThreadState::runScheduledGC+0x36
0019f5e0 63c3532d 00000000 63c3530a 63c99e5e chrome_child!blink::ThreadState::safePoint+0x17
0019f5e8 63c3530a 63c99e5e 0019f624 006a1368 chrome_child!blink::GCTaskObserver::didProcessTask+0x20
0019f5ec 63c99e5e 0019f624 006a1368 00000001 chrome_child!scheduler::WebThreadBase::TaskObserverAdapter::DidProcessTask+0x8
0019f694 63c98e6d 0068ae30 0019f770 006adb58 chrome_child!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x222
0019f7c0 63c98d42 00000000 00000000 00000000 chrome_child!scheduler::TaskQueueManager::DoWork+0x122
0019f7d4 63c98d01 63c98d4b 0068fc88 006a1368 chrome_child!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >::MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks const &,bool const &>+0x39
0019f7fc 63bfb6a8 006adb38 006c0318 ffffffff chrome_child!base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,void __cdecl(scheduler::TaskQueueManager *,base::TimeTicks,bool),base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks &,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >,void __cdecl(void)>::Run+0x2e
0019f858 63bfb4ae 65bd6ab4 0019f8e8 00000000 chrome_child!base::debug::TaskAnnotator::RunTask+0x134
0019f8c4 63bfb2a1 0019f8e8 006b3ab0 006b3aa0 chrome_child!base::MessageLoop::RunTask+0x185
0019fa00 63bfd50c 0019fa68 006c0318 65bd48a0 chrome_child!base::MessageLoop::DoWork+0x49c
0019fa2c 63bfac2b 006c0318 65c24c30 00000000 chrome_child!base::MessagePumpDefault::Run+0xc6
0019fa58 63bfab6b 65bd48a0 00000000 006c0318 chrome_child!base::RunLoop::Run+0x4a
0019fa84 63c4d360 006a20b0 00000004 00686d68 chrome_child!base::MessageLoop::Run+0x23
0019fc1c 63bf2414 0019fc4c 006a03f0 00000000 chrome_child!content::RendererMain+0x32c
0019fc30 63bf2390 0019fc60 0019fc4c 0019fca8 chrome_child!content::RunNamedProcessTypeMain+0x61
0019fc7c 63bd7d9e 00000000 00686d60 00000000 chrome_child!content::ContentMainRunnerImpl::Run+0x5f
0019fc90 63bd7a7a 0019fcc4 011ca256 00689d90 chrome_child!content::ContentMain+0x28
0019fcd4 011c830c 011a0000 0019fcf0 011a0000 chrome_child!ChromeMain+0x61
0019fd6c 011c79aa 011a0000 011f6b64 0000000a chrome!MainDllLoader::Launch+0x1d7
0019fea4 011f6aea 011a0000 00000000 006718b8 chrome!wWinMain+0x163
0019fef0 774038f4 0030c000 774038d0 4bf050ba chrome!__tmainCRTStartup+0xfd
0019ff04 77b55de3 0030c000 32b32eee 00000000 KERNEL32!BaseThreadInitThunk+0x24
0019ff4c 77b55dae ffffffff 77b7b7d9 00000000 ntdll!__RtlUserThreadStart+0x2f
0019ff5c 00000000 011f6b64 0030c000 00000000 ntdll!_RtlUserThreadStart+0x1b
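The dump in this comment already contains the two facts a crash triager needs: the faulting instruction reads one byte at [ecx-4], and the .ecxr context shows ecx=00000001, so the effective address wraps to fffffffd, exactly the READ_ADDRESS WinDbg reports. In other words the weak-cell slot held the value 1 rather than a heap object address. The following script is an added example, not part of the bug report or of Chromium: it parses this kind of WinDbg output, recomputes the effective address from the register context, checks it against the reported address, and buckets the fault so that a "non-pointer value in a pointer slot" crash is not filed alongside genuine wild-pointer heap corruption. The sample text is an excerpt of the dump quoted above; the 0x10000 threshold and the frame heuristics in gc_phase are my own assumptions.

```python
import re

# Excerpt of the WinDbg output quoted in this comment (constructed sample input):
# the .ecxr register context, the faulting instruction, and the top of STACK_TEXT.
DUMP = """\
eax=080ffcf0 ebx=001eb718 ecx=00000001 edx=3040c028 esi=00000000 edi=66529360
eip=6415bbb3 esp=0019f51c ebp=0019f51c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
chrome_child!blink::HeapObjectHeader::isMarked [inlined in chrome_child!blink::VisitorHelper<blink::Visitor>::handleWeakCell<blink::Document>+0xc]:
6415bbb3 f641fc01 test byte ptr [ecx-4],1 ds:002b:fffffffd=??
ExceptionCode: c0000005 (Access violation)
READ_ADDRESS: fffffffd
STACK_TEXT:
0019f51c 63fcdbbb 30b4ded0 080ffcf0 0019f55c chrome_child!blink::VisitorHelper<blink::Visitor>::handleWeakCell<blink::Document>+0xc
0019f52c 63fcdb14 30b4ded0 65cb115c 00000000 chrome_child!blink::Heap::popAndInvokeGlobalWeakCallback+0x2e
0019f55c 641458df 30b4ded0 30b4ded0 30b4ded0 chrome_child!blink::Heap::globalWeakProcessing+0x6f
0019f5b8 63c3080c 00000000 00000001 00000001 chrome_child!blink::Heap::collectGarbage+0x14a
0019f5cc 63c35345 00000000 006a1368 0068fc68 chrome_child!blink::ThreadState::runScheduledGC+0x36
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
MEM_OPERAND_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)([+-]0x[0-9a-f]+|[+-]\d+)?\]")
# "<child-sp> <ret-addr> <arg1> <arg2> <arg3> <symbol>" as printed by the x86 STACK_TEXT section
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S.*)$", re.M)
FAULT_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]+) (.+?) ds:[0-9a-f]{4}:([0-9a-f]{8})=", re.M)


def parse_registers(text):
    """Collect the last value seen for each 32-bit register (the .ecxr context wins)."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def parse_faulting_access(text):
    """Pull the faulting instruction, its memory operand and the address WinDbg reported."""
    m = FAULT_RE.search(text)
    if not m:
        return None
    ip, _, instr, reported = m.groups()
    op = MEM_OPERAND_RE.search(instr)
    if not op:
        return None
    return {"ip": int(ip, 16), "instr": instr, "base": op.group(1),
            "disp": int(op.group(2) or "0", 0), "reported": int(reported, 16)}


def classify(regs, access):
    """Recompute the effective address from the register context and bucket the fault."""
    base_val = regs[access["base"]]
    effective = (base_val + access["disp"]) & 0xFFFFFFFF  # 32-bit wraparound
    result = {"base_value": base_val, "effective": effective,
              "matches_report": effective == access["reported"]}
    if base_val == 0:
        result["kind"] = "null dereference"
    elif base_val < 0x10000:
        # Assumed threshold: a tiny integer where an object address is expected
        # points at a sentinel/tagged value or a cleared slot, not a plausible heap address.
        result["kind"] = "non-pointer value in pointer slot"
    elif effective >= 0xFFFF0000:
        result["kind"] = "wrapped negative offset from a large base"
    else:
        result["kind"] = "wild pointer"
    return result


def gc_phase(frames):
    """Heuristic bucketing by Blink GC phase from the innermost frames (assumed names)."""
    if any("globalWeakProcessing" in f for f in frames):
        return "weak processing"
    if any("blink::Heap::collectGarbage" in f for f in frames):
        return "other GC work"
    return "not in Blink GC"


def triage(text):
    """Run the whole pipeline over one WinDbg transcript and return a summary dict."""
    regs = parse_registers(text)
    access = parse_faulting_access(text)
    frames = FRAME_RE.findall(text)
    code = re.search(r"ExceptionCode: ([0-9a-f]{8})", text)
    return {"registers": regs, "access": access,
            "exception_code": int(code.group(1), 16) if code else None,
            "classification": classify(regs, access) if access else None,
            "frames": frames, "gc_phase": gc_phase(frames)}


if __name__ == "__main__":
    r = triage(DUMP)
    c = r["classification"]
    print(f"{r['access']['instr']}: {r['access']['base']}={c['base_value']:#x} -> "
          f"effective {c['effective']:#010x} ({c['kind']}); "
          f"matches READ_ADDRESS: {c['matches_report']}; phase: {r['gc_phase']}")
```

Run against a full !analyze transcript the same functions apply unchanged; the point of recomputing the effective address rather than trusting READ_ADDRESS alone is that a mismatch between the two tells you the register context and the exception record come from different points in time, which is the first thing to rule out before assuming heap corruption.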
Comment, May 23 2016
P.S. The crash that happened when playing mp4 (without) should be caused by https://bugs.chromium.org/p/chromium/issues/detail?id=554025, and in the tests we indeed did not show the playing tab in front, and did not check memory when doing tests in such a case. So, in this bug, we can just focus on comment 5 where GC gets broken somehow.
Comment, May 24 2016
Comment, May 26 2016
tommi@, does this look like a WebRTC issue, or should it be redirected to the Blink folks?
Comment, May 26 2016
Looks like Blink or video (non-WebRTC) related.
Comment, May 27 2016
Changing component per #10.
Comment, Jul 19 2016
Could someone summarize what's going on and how to reproduce it? It sounds like there's more than one issue discussed here.
Comment, Jul 21 2016
Comment, Aug 17 2016
There is no obvious video issue here. Moving to Blink for triaging.
Comment, Oct 5 2016
Triaging to Blink JavaScript team to look into GC crash.
Comment, Oct 10 2016
Moving to Blink GC, not V8 GC related.
Comment, Oct 10 2017
Issue has not been modified or commented on in the last 365 days; please re-open or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by thestig@chromium.org, May 20 2016