Repro steps wrapped in html for your convenience

Deleted: repro.html 39 bytes

repro.html 39 bytes View Download

Crash ID - bafc163500000000

Stack Trace:
============

Thread 0 CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000090 ] MAGIC SIGNATURE THREAD
0x000007fee3867bb7	(chrome_child.dll -v8console.cpp:361 )	v8_inspector::V8Console::countCallback(v8::FunctionCallbackInfo<v8::Value> const &)
0x000007fee13960fc	(chrome_child.dll -api-arguments.cc:21 )	v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const &))
0x000007fee13935a1	(chrome_child.dll -builtins-api.cc:106 )	v8::internal::`anonymous namespace'::HandleApiCallHelper<0>
0x000007fee1638d61	(chrome_child.dll -builtins-api.cc:211 )	v8::internal::Builtins::InvokeApiFunction(v8::internal::Isolate *,bool,v8::internal::Handle<v8::internal::HeapObject>,v8::internal::Handle<v8::internal::Object>,int,v8::internal::Handle<v8::internal::Object> * const,v8::internal::Handle<v8::internal::HeapObject>)
0x000007fee16097c1	(chrome_child.dll -execution.cc:86 )	v8::internal::`anonymous namespace'::Invoke
0x000007fee160934c	(chrome_child.dll -execution.cc:178 )	v8::internal::Execution::Call(v8::internal::Isolate *,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,int,v8::internal::Handle<v8::internal::Object> * const)
0x000007fee1608f70	(chrome_child.dll -api.cc:4743 )	v8::Function::Call(v8::Local<v8::Context>,v8::Local<v8::Value>,int,v8::Local<v8::Value> * const)
0x000007fee1608d90	(chrome_child.dll -v8scriptrunner.cpp:516 )	blink::V8ScriptRunner::callFunction(v8::Local<v8::Function>,blink::ExecutionContext *,v8::Local<v8::Value>,int,v8::Local<v8::Value> * const,v8::Isolate *)
0x000007fee16070f0	(chrome_child.dll -scheduledaction.cpp:124 )	blink::ScheduledAction::execute(blink::LocalFrame *)
0x000007fee135b386	(chrome_child.dll -scheduledaction.cpp:79 )	blink::ScheduledAction::execute(blink::ExecutionContext *)
0x000007fee135b240	(chrome_child.dll -domtimer.cpp:135 )	blink::DOMTimer::fired()
0x000007fee1417f06	(chrome_child.dll -timer.cpp:146 )	blink::TimerBase::runInternal()
0x000007fee1417e63	(chrome_child.dll -timer.h:115 )	blink::TimerBase::CancellableTimerTask::run()
0x000007fee1417155	(chrome_child.dll -web_task_runner_impl.cc:71 )	blink::scheduler::WebTaskRunnerImpl::runTask(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)
0x000007fee1417135	(chrome_child.dll -bind_internal.h:325 )	base::internal::Invoker<base::internal::BindState<void (*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >),base::internal::PassedWrapper<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,void >::Run(base::internal::BindStateBase *)
0x000007fee130515d	(chrome_child.dll -task_annotator.cc:54 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x000007fee1308327	(chrome_child.dll -task_queue_manager.cc:311 )	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *)
0x000007fee1303b87	(chrome_child.dll -task_queue_manager.cc:215 )	blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks,bool)
0x000007fee1361dfc	(chrome_child.dll -bind_internal.h:325 )	base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void >::Run(base::internal::BindStateBase *)
0x000007fee130515d	(chrome_child.dll -task_annotator.cc:54 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x000007fee1304d8d	(chrome_child.dll -message_loop.cc:488 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x000007fee1306449	(chrome_child.dll -message_loop.cc:660 )	base::MessageLoop::DoDelayedWork(base::TimeTicks *)
0x000007fee1305d7a	(chrome_child.dll -message_pump_default.cc:39 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x000007fee18b85dd	(chrome_child.dll -message_loop.cc:451 )	base::MessageLoop::RunHandler()
0x000007fee18b856c	(chrome_child.dll -run_loop.cc:35 )	base::RunLoop::Run()
0x000007fee193f1ff	(chrome_child.dll -renderer_main.cc:198 )	content::RendererMain(content::MainFunctionParams const &)
0x000007fee18b480f	(chrome_child.dll -content_main_runner.cc:418 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x000007fee18b54d1	(chrome_child.dll -content_main_runner.cc:786 )	content::ContentMainRunnerImpl::Run()
0x000007fee18b5400	(chrome_child.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x000007fee18b4595	(chrome_child.dll -chrome_main.cc:85 )	ChromeMain
0x000000013fed7846	(chrome.exe -main_dll_loader_win.cc:168 )	MainDllLoader::Launch(HINSTANCE__ *)
0x000000013fed2374	(chrome.exe -chrome_exe_main_win.cc:246 )	wWinMain
0x000000014019a7d9	(chrome.exe -exe_common.inl:255 )	__scrt_common_main_seh
0x776559bc	(kernel32.dll + 0x000159bc )	BaseThreadInitThunk
0x7788a2e0	(ntdll.dll + 0x0002a2e0 )	RtlUserThreadStart

Crash observed on the following build:

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8_inspector%3A%3AV8Console%3A%3AcountCallback%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

====================================

Good Build:

52.0.2705.0    Base Position: 386318


Bad Build:

52.0.2715.0    Base Position: 388964

=====================================

Able to repro this issue on Windows 7, MAC (10.11.6) & Ubuntu Trusty (14.04) for the Google Chrome Stable Version - 53.0.2785.101

This is a regression issue broken in M48, below mentioned is the bisect info:

CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/31fe1233aed27affb741984db8903df127163981..8ec933c6a814b24154405931c0407a2e3b5579b4

Suspecting Commit: 807ec9550e8a31517966636e6a5b506474ab4ea9

Review URL: https://codereview.chromium.org/1859293002

@kozyatinskiy: Could you please look into the issue, and if it has nothing to do with your changes and if possible please do assign it to the concerned owner.

Thank you.

Small correction:

This is a regression issue broken in M52

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4dffc8a7008fd80e6b4ccac9ade2dfebe7649b56

commit 4dffc8a7008fd80e6b4ccac9ade2dfebe7649b56
Author: kozyatinskiy <kozyatinskiy@chromium.org>
Date: Tue Sep 27 17:11:21 2016

[inspector] fixed console.count with empty stack

BUG= chromium:644629 
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2372093002
Cr-Commit-Position: refs/heads/master@{#39786}

[modify] https://crrev.com/4dffc8a7008fd80e6b4ccac9ade2dfebe7649b56/src/inspector/v8-console.cc

Your change meets the bar and is auto-approved for M54 (branch: 2840)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d44ef1c01a5f5b3e2c55f373ff3d9b788c8c0597

commit d44ef1c01a5f5b3e2c55f373ff3d9b788c8c0597
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Thu Sep 29 21:32:05 2016

[DevTools] fixed console.count with empty stack

BUG= chromium:644629 
TBR=dgozman@chromium.org
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2372093002
Commited to ToT: Cr-Commit-Position: refs/heads/master@{#39786}

Review URL: https://codereview.chromium.org/2382913002 .

Cr-Commit-Position: refs/branch-heads/2840@{#586}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/d44ef1c01a5f5b3e2c55f373ff3d9b788c8c0597/third_party/WebKit/Source/platform/v8_inspector/V8Console.cpp

It is reproducible only when DevTools is shown and async stack is enabled.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/759581ea933acd5b72d3d2c61048be9377cf6c19

commit 759581ea933acd5b72d3d2c61048be9377cf6c19
Author: kozyatinskiy <kozyatinskiy@chromium.org>
Date: Mon Oct 03 21:10:40 2016

[inspector] test for fixed empty stack processing in console.count

BUG= chromium:644629 
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2370033003
Cr-Commit-Position: refs/heads/master@{#39938}

[add] https://crrev.com/759581ea933acd5b72d3d2c61048be9377cf6c19/test/inspector/debugger/async-console-count-doesnt-crash-expected.txt
[add] https://crrev.com/759581ea933acd5b72d3d2c61048be9377cf6c19/test/inspector/debugger/async-console-count-doesnt-crash.js
[modify] https://crrev.com/759581ea933acd5b72d3d2c61048be9377cf6c19/test/inspector/protocol-test.js

Verified the merge on the latest M-54(54.0.2840.50) on Windows-10 & Mac OS 10.11.6 with the attached test file in C#1 and observed no crash.

Note: Could repro the crash on the latest stable(53.0.2785.143 - build without fix) on Mac OS 10.11.6.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d44ef1c01a5f5b3e2c55f373ff3d9b788c8c0597

commit d44ef1c01a5f5b3e2c55f373ff3d9b788c8c0597
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Thu Sep 29 21:32:05 2016

[DevTools] fixed console.count with empty stack

BUG= chromium:644629 
TBR=dgozman@chromium.org
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2372093002
Commited to ToT: Cr-Commit-Position: refs/heads/master@{#39786}

Review URL: https://codereview.chromium.org/2382913002 .

Cr-Commit-Position: refs/branch-heads/2840@{#586}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/d44ef1c01a5f5b3e2c55f373ff3d9b788c8c0597/third_party/WebKit/Source/platform/v8_inspector/V8Console.cpp