Regression: Unable to search anything as page crash is seen on upgrading/re-installing to 54.0.2811.0
Issue description
Version: 54.0.2811.0 dev
OS: Ubuntu 14.04

What steps will reproduce the problem?
(1) Upgrade to 54.0.2811.0 or re-install 54.0.2811.0 or open google-chrome-unstable from command prompt >> Open NTP >> Observe
(2) Try searching in Omnibox and observe.

Expected: No crash should be seen on searching or opening NTP.
Actual: Instead crash is seen on every search.

This is a regression issue broken in M54. Will provide other info soon.

Crash id: Crash ID Chrome (Server ID: 51df594200000000)
Jul 29 2016
Able to reproduce the crash on Mac 10.11.6 upon updating to latest canary from 54.0.2810.2 to 54.0.2811.0.
Jul 29 2016
Looking. First I'll try to repro this w/ my chromium build. (cc jkummerow@ from V8 stability; FYI)
Jul 29 2016
Yup, this is def my stuff. Will fix.
Jul 29 2016
Crash id for the above crash on Mac: 1575f8be00000000
Marking this as Release Block-Dev as it's a recent regression. Please modify if not appropriate.

Stack Trace for 1575f8be00000000
================================
Thread 12 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x000047ab ]
MAGIC SIGNATURE THREAD
0x0000000106330967 (Google Chrome Framework -isolate.h:1114 ) v8::internal::Parser::Parser(v8::internal::ParseInfo*)
0x0000000105e9d103 (Google Chrome Framework -background-parsing-task.cc:63 ) v8::internal::BackgroundParsingTask::Run()
0x000000010954b615 (Google Chrome Framework -ScriptStreamerThread.cpp:86 ) blink::ScriptStreamerThread::runScriptStreamingTask(std::__1::unique_ptr<v8::ScriptCompiler::ScriptStreamingTask, std::__1::default_delete<v8::ScriptCompiler::ScriptStreamingTask> >, blink::ScriptStreamer*)
0x000000010954b1c5 (Google Chrome Framework -bind_internal.h:164 ) base::internal::Invoker<base::internal::BindState<void (*)(std::__1::unique_ptr<v8::ScriptCompiler::ScriptStreamingTask, std::__1::default_delete<v8::ScriptCompiler::ScriptStreamingTask> >, blink::ScriptStreamer*), WTF::PassedWrapper<std::__1::unique_ptr<v8::ScriptCompiler::ScriptStreamingTask, std::__1::default_delete<v8::ScriptCompiler::ScriptStreamingTask> > >, blink::CrossThreadPersistent<blink::ScriptStreamer> >, void ()>::Run(base::internal::BindStateBase*)
0x000000010927ba5b (Google Chrome Framework -bind_internal.h:164 ) base::internal::Invoker<base::internal::BindState<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, void ()>::Run(base::internal::BindStateBase*)
0x0000000106e92a3a (Google Chrome Framework -callback.h:389 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
0x0000000109274202 (Google Chrome Framework -task_queue_manager.cc:315 ) scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*)
0x000000010927312d (Google Chrome Framework -task_queue_manager.cc:218 ) scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool)
0x0000000106e92a3a (Google Chrome Framework -callback.h:389 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
0x0000000106eb3b8b (Google Chrome Framework -message_loop.cc:496 ) base::MessageLoop::RunTask(base::PendingTask const&)
0x0000000106eb3e9b (Google Chrome Framework -message_loop.cc:505 ) base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
0x0000000106eb4242 (Google Chrome Framework -message_loop.cc:629 ) base::MessageLoop::DoWork()
0x0000000106eb637c (Google Chrome Framework -message_pump_mac.mm:330 ) base::MessagePumpCFRunLoopBase::RunWork()
0x0000000106ea9ec9 (Google Chrome Framework + 0x017ceec9 ) base::mac::CallWithEHFrame(void () block_pointer)
0x0000000106eb5d83 (Google Chrome Framework -message_pump_mac.mm:306 ) base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
0x00007fff817fc880 (CoreFoundation + 0x000aa880 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fff817dbfbb (CoreFoundation + 0x00089fbb ) __CFRunLoopDoSources0
0x00007fff817db4de (CoreFoundation + 0x000894de ) __CFRunLoopRun
0x00007fff817daed7 (CoreFoundation + 0x00088ed7 ) CFRunLoopRunSpecific
0x0000000106eb675e (Google Chrome Framework -message_pump_mac.mm:554 ) base::MessagePumpCFRunLoop::DoRun(base::MessagePump::Delegate*)
0x0000000106eb61d3 (Google Chrome Framework -message_pump_mac.mm:238 ) base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x0000000106ed0a40 (Google Chrome Framework -run_loop.cc:35 ) base::RunLoop::Run()
0x0000000106ef367f (Google Chrome Framework -thread.cc:260 ) base::Thread::ThreadMain()
0x0000000106eefd86 (Google Chrome Framework -platform_thread_posix.cc:70 ) base::(anonymous namespace)::ThreadFunc(void*)
0x00007fff951ab99c (libsystem_pthread.dylib + 0x0000399c ) _pthread_body
0x00007fff951ab919 (libsystem_pthread.dylib + 0x00003919 ) _pthread_start
0x00007fff951a9350 (libsystem_pthread.dylib + 0x00001350 ) thread_start
0x0000000106eefd2f (Google Chrome Framework + 0x01814d2f )

Stack trace for 51df594200000000:
================================
Thread 8 CRASHED [SIGSEGV @ 0x00004763 ]
MAGIC SIGNATURE THREAD
0x00007fdd14a6574c (chrome -./out/Release/../../v8/src/isolate.h:1114 ) <name omitted>
0x00007fdd14639900 (chrome -./out/Release/../../v8/src/background-parsing-task.cc:63 ) v8::internal::BackgroundParsingTask::Run
0x00007fdd16fb67d6 (chrome -./out/Release/../../third_party/WebKit/Source/bindings/core/v8/ScriptStreamerThread.cpp:86 ) blink::ScriptStreamerThread::runScriptStreamingTask
0x00007fdd18d6da4a (chrome + 0x0590ea4a ) _fini
0x00007fdd0cf9092c (libc-2.19.so -clock_gettime.c:115 ) __clock_gettime
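The Mac and Linux traces above share their top frames (isolate.h:1114, background-parsing-task.cc:63, ScriptStreamerThread.cpp:86), which is what lets a crash server bucket reports from different builds together and is why so many issues ended up merged into this one. As an added example, not part of the bug thread or of Chrome's crash tooling, this Python script parses the two excerpts, normalizes the frames and shows that both crash ids collapse to one dedup key; the near-null address heuristic is a general triage rule of thumb, not something the thread states.

```python
import os
import re
from collections import defaultdict

# Excerpts of the two traces posted above (Mac first, then Linux), constructed here
# from the comment text and cut down to the frames this example needs.
TRACES = {
    "1575f8be00000000": """Thread 12 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x000047ab ]
0x0000000106330967 (Google Chrome Framework -isolate.h:1114 ) v8::internal::Parser::Parser(v8::internal::ParseInfo*)
0x0000000105e9d103 (Google Chrome Framework -background-parsing-task.cc:63 ) v8::internal::BackgroundParsingTask::Run()
0x000000010954b615 (Google Chrome Framework -ScriptStreamerThread.cpp:86 ) blink::ScriptStreamerThread::runScriptStreamingTask(std::__1::unique_ptr<v8::ScriptCompiler::ScriptStreamingTask, std::__1::default_delete<v8::ScriptCompiler::ScriptStreamingTask> >, blink::ScriptStreamer*)
0x0000000106ea9ec9 (Google Chrome Framework + 0x017ceec9 ) base::mac::CallWithEHFrame(void () block_pointer)""",
    "51df594200000000": """Thread 8 CRASHED [SIGSEGV @ 0x00004763 ]
0x00007fdd14a6574c (chrome -./out/Release/../../v8/src/isolate.h:1114 ) <name omitted>
0x00007fdd14639900 (chrome -./out/Release/../../v8/src/background-parsing-task.cc:63 ) v8::internal::BackgroundParsingTask::Run
0x00007fdd16fb67d6 (chrome -./out/Release/../../third_party/WebKit/Source/bindings/core/v8/ScriptStreamerThread.cpp:86 ) blink::ScriptStreamerThread::runScriptStreamingTask""",
}

HEADER_RE = re.compile(r"^Thread \d+ CRASHED \[(?P<reason>.+?) @ (?P<addr>0x[0-9a-f]+) \]")
# Either "module -path/file.cc:NN" (symbolized) or "module + 0xOFFSET" (no debug info).
FRAME_RE = re.compile(r"^0x[0-9a-f]+ \((?P<module>.+?) (?:-(?P<loc>\S+)|\+ 0x[0-9a-f]+) \)\s*(?P<sym>.*)$")

def parse_trace(text):
    """Return crash reason, faulting address and (module, file:line|None, symbol) frames."""
    lines = text.splitlines()
    head = HEADER_RE.match(lines[0])
    frames = []
    for m in filter(None, map(FRAME_RE.match, lines[1:])):
        loc = os.path.basename(m["loc"]) if m["loc"] else None  # drop the build-tree prefix
        sym = m["sym"].split("(", 1)[0].strip()  # keep qualified name, drop the argument list
        frames.append((m["module"], loc, sym))
    return {"reason": head["reason"], "addr": int(head["addr"], 16), "frames": frames}

def signature(trace, depth=3):
    """Dedup key: source locations of the first `depth` frames that have one.
    Symbols differ across builds ("<name omitted>" vs Parser::Parser), file:line does not."""
    return tuple(loc for _, loc, _ in trace["frames"] if loc)[:depth]

def is_near_null(addr, limit=0x10000):
    """Triage rule of thumb: a fault in the first 64 KiB usually means a field was
    read through a null (or near-null) pointer rather than a wild corrupted address."""
    return addr < limit

def group_duplicates(traces):
    """Map each signature to the sorted crash ids that share it."""
    groups = defaultdict(list)
    for crash_id, text in traces.items():
        groups[signature(parse_trace(text))].append(crash_id)
    return {sig: sorted(ids) for sig, ids in groups.items()}
```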
Jul 29 2016
Issue 632588 has been merged into this issue.
Jul 29 2016
Looks like this requires harmony tailcalls to be on to happen, which was also why our tests didn't catch this.
Jul 29 2016
The fix is in flight: https://codereview.chromium.org/2197543002/
Jul 29 2016
The fix landed in V8; this bug was not updated probably because I missed chromium: in the bug number... https://chromium.googlesource.com/v8/v8/+/8558cbe557c5cd5f8a284743f8db48668afc4266
Jul 29 2016
Jul 29 2016
Still reproduced in the latest Chromium build 54.0.2812.0 (dev) 2b30faee222f7130b71f9da9fd8abea106207c03-refs/heads/master@{#408641}
Jul 29 2016
+nick Are we rolling a new version with the fix? This is currently at 98% of crash rates on canary, with over 230000 crashes. Also, is there anything we could've done to catch this earlier? I think we should have a postmortem about this.
Jul 29 2016
54.0.2811.0 canary (64-bit) (Windows) is totally unusable with this bug, so I had to switch back to Stable. Is there a way to push a canary asap to fix this, otherwise we might lose Canary users as a result.
Jul 29 2016
If we trigger new canary will it include the fix? Because as per comment #11, this issue still reproduces on Chromium build 54.0.2812.0.
Jul 29 2016
No, we need to roll v8 to get the fix.
Jul 29 2016
The V8 roll in 0e892d8dbe70d7ab172f9af4afa2a1a00839169b pulled in the deps to fix this in Chromium.
Jul 29 2016
Uh oh, this affects more users than I initially thought. ... would it be feasible to revert the bad V8 roll? (I'm asking V8 people, but on this time zone it might be that I won't get an answer.)
Jul 29 2016
Re#16, you are right, we should trigger the build then.
Jul 29 2016
I agree. I am doing a local build now to verify this is fixed on ToT.
Jul 29 2016
Dimu@ is triggering new canary now. Di, could you please make sure that it picks up a build after the v8 roll. Thank you.
Jul 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b221435484e798274fd21f47798185456780f1b6

commit b221435484e798274fd21f47798185456780f1b6
Author: Will Harris <wfh@chromium.org>
Date: Fri Jul 29 17:34:45 2016

Merge 2811: Update V8 to version 5.4.296.

Summary of changes available at:
https://chromium.googlesource.com/v8/v8/+log/b9200bca..381147c5

Please follow these instructions for assigning/CC'ing issues:
https://github.com/v8/v8/wiki/Triaging%20issues

Please close rolling in case of a roll revert:
https://v8-roll.appspot.com/
This only works with a Google account.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
TBR=hablich@chromium.org,machenbach@chromium.org,littledan@chromium.org,vogelheim@chromium.org

Review-Url: https://codereview.chromium.org/2195733002
Cr-Commit-Position: refs/heads/master@{#408663}
(cherry picked from commit 0e892d8dbe70d7ab172f9af4afa2a1a00839169b)

BUG= 632612

Review URL: https://codereview.chromium.org/2198483002 .

Cr-Commit-Position: refs/branch-heads/2811@{#2}
Cr-Branched-From: b19949388aaceb1d0dc2b48ad00b272dd1c72af5-refs/heads/master@{#408553}

[modify] https://crrev.com/b221435484e798274fd21f47798185456780f1b6/DEPS
Jul 29 2016
Jul 29 2016
An alternative is to switch off Tail Calls via finch. This also works independently.
Jul 29 2016
V8_ES2015_TailCalls.json is the name of the experiment btw.
Jul 29 2016
Jul 29 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/b8b1b13f3606b4ed64a2f49ad06a0418bedb92a9

commit b8b1b13f3606b4ed64a2f49ad06a0418bedb92a9
Author: Michael Hablich <hablich@google.com>
Date: Fri Jul 29 18:18:45 2016
Jul 29 2016
running with --disable-feature="V8_ES2015_TailCalls" does not seem to resolve this crash. Are you sure this should resolve the issue?
Jul 29 2016
Issue 632594 has been merged into this issue.
Issue 632699 has been merged into this issue.
Issue 632714 has been merged into this issue.
Issue 632729 has been merged into this issue.
Issue 632734 has been merged into this issue.
Issue 632748 has been merged into this issue.
Issue 632770 has been merged into this issue.
Issue 632771 has been merged into this issue.
Issue 632773 has been merged into this issue.
Issue 632793 has been merged into this issue.
Issue 632826 has been merged into this issue.
Issue 632828 has been merged into this issue.
Jul 29 2016
Switching to 32 bit Canary on Windows fixed this issue for me.
Jul 29 2016
Problem resolved for me with the updated Version 54.0.2811.2 canary (64-bit) Thanks guys
Jul 29 2016
Issue 632854 has been merged into this issue.
Aug 1 2016
A postmortem is under way; the main problem was that V8 tests were not running with FLAG_harmony_tailcalls even though Chrome had it turned on by default.
Aug 1 2016
A postmortem is here & readable w/ your chromium account: https://docs.google.com/a/chromium.org/document/d/1eZUKK2_Dw2J7Z-CQMhIVHUkXnayXOt-EZo-iOlp_X2E/edit?usp=sharing
Aug 1 2016
#27 unfortunately this was a red herring. The crash happened in code related to tail calls but not behind the flag to activate tail calls.
Aug 1 2016
Issue 632996 has been merged into this issue.
Aug 2 2016
Issue 632834 has been merged into this issue.
Aug 2 2016
A bunch of non-chromium people have requested access to the postmortem doc. The TL;DR is "V8 cctests didn't run w/ FLAG_harmony_tailcalls, Chrome shipped w/ FLAG_harmony_tailcalls -> disaster". See bug 633080.
Aug 2 2016
Issue 632625 has been merged into this issue.
Aug 2 2016
We are not seeing any crashes when upgraded to latest canary 54.0.2816.0 on Windows and Linux as of now and 54.0.2815.0 on Mac 10.11.6. Adding respective TE-Verified labels for the same.
Aug 3 2016
Issue 632929 has been merged into this issue.
Comment 1 by sc00335...@techmahindra.com, Jul 29 2016
Owner: marja@chromium.org
Status: Assigned (was: Unconfirmed)