ContextualSearchManagerTest#testTapALot crashing on KK device
Issue description

First failure: https://build.chromium.org/p/chromium.android/builders/Jelly%20Bean%20Tester/builds/5516

Bot symbolized stack seems completely bogus. Trying to reproduce..

signal 11 (SIGSEGV) at 0x00000000 (code=1), thread 29647 (Chrome_IOThread)
pid: 29581, tid: 29647, name: Chrome_IOThread >>> org.chromium.chrome <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
r0 00000000 r1 80596d20 r2 7f420a78 r3 802837a8
r4 7f420a68 r5 00000179 r6 775ca2a1 r7 00000000
r8 7f420b5c r9 7f420a78 sl 00000000 fp 400f1384
ip 73cf8001 sp 7f420a60 lr 775ca47d pc 775ca2a8

Stack Trace:
RELADDR FUNCTION FILE:LINE
00c072a8 IPC::ParamTraits<gpu::error::ContextLostReason>::Write(base::Pickle*, gpu::error::ContextLostReason const&)+40 /b/c/b/Android_arm_Builder__dbg_/src/gpu/ipc/common/gpu_param_traits_macros.h:43
v------> IPC::ParamTraits<bool>::Write(base::Pickle*, bool const&) /b/c/b/Android_arm_Builder__dbg_/src/ipc/ipc_message_utils.h:129
v------> WriteParam<bool> /b/c/b/Android_arm_Builder__dbg_/src/ipc/ipc_message_utils.h:104
00c0747b IPC::ParamTraits<gpu::GPUInfo>::Write(base::Pickle*, gpu::GPUInfo const&)+22 /b/c/b/Android_arm_Builder__dbg_/src/gpu/ipc/common/gpu_param_traits_macros.h:68
0216f2c1 sfntly::CMapTable::CMapFormat0::CharacterIterator::HasNext()+10 /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/table/core/cmap_table.cc:377
02171d0f sfntly::CMapTable::CMapFormat4::Builder::Builder(std::__1::vector<sfntly::Ptr<sfntly::CMapTable::CMapFormat4::Builder::Segment>, std::__1::allocator<sfntly::Ptr<sfntly::CMapTable::CMapFormat4::Builder::Segment> > >*, std::__1::vector<int, std::__1::allocator<int> >*, sfntly::CMapTable::CMapId const&)+74 /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/table/core/cmap_table.cc:964
007efaa3 sk_linear_to_srgb_noclamp(SkNx<4, float> const&)+194 /b/c/b/Android_arm_Builder__dbg_/src/third_party/skia/src/core/SkSRGB.h:60
v------> sfntly::Ptr<sfntly::IndexSubTableFormat4>::operator=(sfntly::IndexSubTableFormat4*) /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/port/refcount.h:205
v------> sfntly::Ptr<sfntly::IndexSubTableFormat4>::Ptr(sfntly::IndexSubTableFormat4*) /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/port/refcount.h:185
0216c8b1 sfntly::IndexSubTableFormat4::Builder::SubBuildTable(sfntly::ReadableFontData*)+40 /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/table/bitmap/index_sub_table_format4.cc:204
0216c951 sfntly::RefCounted<sfntly::IndexSubTableFormat4::Builder>::~RefCounted()+92 /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/port/refcount.h:138
v------> vmulq_f32 /b/c/b/Android_arm_Builder__dbg_/src/third_party/android_tools/ndk/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/lib/gcc/arm-linux-androideabi/4.9/include/arm_neon.h:1018
v------> SkNx<4, float>::operator*(SkNx<4, float> const&) const /b/c/b/Android_arm_Builder__dbg_/src/third_party/skia/src/opts/SkNx_neon.h:122
007ef8ad to_565(SkNx<4, float> const&, SkNx<4, float> const&, SkNx<4, float> const&)+28 /b/c/b/Android_arm_Builder__dbg_/src/third_party/skia/src/core/SkRasterPipelineBlitter.cpp:136
021683fd sfntly::RefCounted<sfntly::EblcTable::Builder>::RefCounted() /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/port/refcount.h:125
v------> Builder /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/table/bitmap/big_glyph_metrics.cc:70
02164d7b sfntly::BigGlyphMetrics::Builder::Builder(sfntly::ReadableFontData*)+10 /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/table/bitmap/big_glyph_metrics.cc:71
v------> Builder /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/table/bitmap/big_glyph_metrics.cc:70
02164df9 sfntly::BigGlyphMetrics::Builder::Builder(sfntly::ReadableFontData*)+24 /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/table/bitmap/big_glyph_metrics.cc:71
02164f0b sfntly::BigGlyphMetrics::Builder::~Builder()+10 /b/c/b/Android_arm_Builder__dbg_/src/third_party/sfntly/src/cpp/src/sfntly/table/bitmap/big_glyph_metrics.cc:73
007eab1d SkPictureRecord::onDrawAtlas(SkImage const*, SkRSXform const*, SkRect const*, unsigned int const*, int, SkXfermode::Mode, SkRect const*, SkPaint const*)+148 /b/c/b/Android_arm_Builder__dbg_/src/third_party/skia/src/core/SkPictureRecord.cpp:824
007eac4b SkTHashTable<SkTHashMap<SkPath, int, SkPictureRecord::PathHash>::Pair, SkPath, SkTHashMap<SkPath, int, SkPictureRecord::PathHash>::Pair>::uncheckedSet(SkTHashMap<SkPath, int, SkPictureRecord::PathHash>::Pair const&)+70 /b/c/b/Android_arm_Builder__dbg_/src/third_party/skia/include/private/SkTHash.h:143
00e79267 content::AudioInputDeviceManager::Unregister()+86 /b/c/b/Android_arm_Builder__dbg_/src/content/browser/renderer_host/media/audio_input_device_manager.cc:69
00e8a2fd content::MediaStreamManager::ReadOutputParamsAndPostRequestToUI(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MediaStreamManager::DeviceRequest*)+468 /b/c/b/Android_arm_Builder__dbg_/src/content/browser/renderer_host/media/media_stream_manager.cc:1155
00e8835d content::MediaStreamManager::CancelRequest(int, int, int)+192 /b/c/b/Android_arm_Builder__dbg_/src/content/browser/renderer_host/media/media_stream_manager.cc:527
00e81659 content::AudioRendererHost::OnDeviceIDTranslated(int, base::TimeTicks, bool, content::AudioOutputDeviceInfo const&)+276 /b/c/b/Android_arm_Builder__dbg_/src/content/browser/renderer_host/media/audio_renderer_host.cc:554
00e776d9 content::TouchEventQueue::ForwardNextEventToRenderer()+128 /b/c/b/Android_arm_Builder__dbg_/src/content/browser/renderer_host/input/touch_event_queue.cc:593
00e786a5 content::WebKeyboardEventBuilder::Build(_JNIEnv*, base::android::JavaRef<_jobject*> const&, blink::WebInputEvent::Type, int, double, int, int, int, bool)+284 /b/c/b/Android_arm_Builder__dbg_/src/content/browser/renderer_host/input/web_input_event_builders_android.cc:112
0010f7c5 <unknown> /data/app-lib/org.chromium.chrome-1/libchrome.so
01e8a1a1 blink::toV8RequestDeviceOptions(blink::RequestDeviceOptions const&, v8::Local<v8::Object>, v8::Local<v8::Object>, v8::Isolate*)+200 /b/c/b/Android_arm_Builder__dbg_/src/out/Debug/gen/blink/bindings/modules/v8/V8RequestDeviceOptions.cpp:73
0010ed95 <unknown> /data/app-lib/org.chromium.chrome-1/libchrome.so
0010ddd3 <unknown> /data/app-lib/org.chromium.chrome-1/libchrome.so
00123f09 <unknown> /data/app-lib/org.chromium.chrome-1/libchrome.so
00140a8f <unknown> /data/app-lib/org.chromium.chrome-1/libchrome.so
00a80ee5 url_matcher::URLQueryElementMatcherCondition::operator<(url_matcher::URLQueryElementMatcherCondition const&) const+36 /b/c/b/Android_arm_Builder__dbg_/src/components/url_matcher/url_matcher.cc:633
00a8100f url_matcher::URLMatcher::IsEmpty() const+72 /b/c/b/Android_arm_Builder__dbg_/src/components/url_matcher/url_matcher.cc:895
00141585 <unknown> /data/app-lib/org.chromium.chrome-1/libchrome.so
0013d4b7 <unknown> /data/app-lib/org.chromium.chrome-1/libchrome.so
0000d170 __thread_entry+72 /system/lib/libc.so
0000d308 pthread_create+240
Aug 16 2016
Downloaded the exact same build from the bot, flashed it to the same build (although not the same device), still no repro :/
Aug 16 2016
Crashed on mako :o
Aug 16 2016
The locally reproduced crash goes back much further than when the bot turned red, so not good.. still looking for when it started..
Aug 17 2016
Bisected to https://codereview.chromium.org/2183703005

So, summary:
* this is a flaky test crash on the browser IO thread, with what looks like a garbage stack (above)
* it's device specific (Nexus 4, hence not caught by the CQ)
* it looks to be specific to certain compile configs (no repro on clang+component+release, repro on gcc+static+debug)

Ideas? The bot looks to have greened up since yesterday, but I don't know if it's actually fixed or just flakes being hidden behind test retries.
Aug 17 2016
Seems plausibly a vtable UAF, hence the garbage stacks. Likely fixed by r412322, which landed shortly after the last red build.
Aug 17 2016
Ahh, verified that fixed this. Thanks. I guess the associated bug must be security related, since I can't see it..
Comment 1 by boliu@chromium.org, Aug 16 2016