
Issue 660622

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



SitePerProcessBrowserTest.NavigateAboutBlankAndDetach fails on linux

Project Member Reported by xidac...@chromium.org, Oct 29 2016

Issue description

Project Member

Comment 1 by bugdroid1@chromium.org, Oct 29 2016

Comment 2 by nasko@chromium.org, Nov 4 2016

Cc: creis@chromium.org nick@chromium.org nasko@chromium.org alex...@chromium.org
Components: Internals>Sandbox>SiteIsolation
Owner: ----
Status: Available (was: Assigned)

Comment 3 by creis@chromium.org, Nov 4 2016

Example output (before the link expires):

SitePerProcessBrowserTest.NavigateAboutBlankAndDetach (run #1):
[ RUN      ] SitePerProcessBrowserTest.NavigateAboutBlankAndDetach
[27287:27287:1028/161513:71842078531:WARNING:audio_manager.cc(317)] Multiple instances of AudioManager detected
[27287:27287:1028/161513:71842078653:WARNING:audio_manager.cc(278)] Multiple instances of AudioManager detected
Xlib:  extension "RANDR" missing on display ":9".
[27287:27287:1028/161514:71843694698:WARNING:render_frame_host_impl.cc(2072)] OnDidStopLoading was called twice.
[27287:27374:1028/161515:71843967558:WARNING:ipc_message_attachment_set.cc(57)] MessageAttachmentSet destroyed with unconsumed descriptors: 0/1
Found a corrupted memory buffer in MallocBlock (may be offset from user ptr): buffer index: 1, buffer ptr: 0x2dafc8b13c00, size of buffer: 800
Buffer byte 762 is 0x00 (should be 0xcd).
Deleted by thread 0x7f1da38f2980
*** WARNING: Cannot convert addresses to symbols in output below.
*** Reason: Cannot find 'pprof' (is PPROF_PATH set correctly?)
*** If you cannot fix this, try running pprof directly.
    @ 0x7f1db92fe253
    @ 0x7f1db92a4799
    @ 0x7f1db92a4097
    @ 0x7f1dbbae6a52
    @ 0x7f1dbbaf86dd
    @ 0x7f1db3ee4bfc
    @ 0x7f1db192607f
    @ 0x7f1db19919fb
    @ 0x7f1db1a50ec3
    @ 0x7f1db14bbd18
    @ 0x7f1db14bb857
    @ 0x7f1db14d1275
    @ 0x7f1db14d0f80
    @ 0x7f1db1605a6a
    @ 0x7f1db25a8959
    @ 0x7f1db25a8622
Memory was written to after being freed.  MallocBlock: 0x2dafc8b13800, user ptr: 0x2dafc8b13820, size: 1824.  If you can't find the source of the error, try using ASan (http://code.google.com/p/address-sanitizer/), Valgrind, or Purify, or study the output of the deleter's stack printed above.
Received signal 11 SEGV_MAPERR 000000000039
#0 0x7f1db8ff951e base::debug::StackTrace::StackTrace()
#1 0x7f1db8ff905f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f1dc04e3cb0 <unknown>
#3 0x7f1db92a4858 tcmalloc::Abort()
#4 0x7f1db92ac86a LogPrintf()
#5 0x7f1db92ac6eb RAW_VLOG()
#6 0x7f1db92d511e MallocBlock::CheckForCorruptedBuffer()
#7 0x7f1db92d4e0b MallocBlock::CheckForDanglingWrites()
#8 0x7f1db92d2c7b MallocBlock::ProcessFreeQueue()
#9 0x7f1db92d6b84 MallocBlock::Deallocate()
#10 0x7f1db92cf4a5 DebugDeallocate()
#11 0x7f1db92fe253 tc_free
#12 0x7f1db92a4799 (anonymous namespace)::TCFree()
#13 0x7f1db92a4437 ShimFree
#14 0x7f1dbf3fffc5 base::AlignedFree()
#15 0x7f1dbf3fe830 mojo::edk::Channel::Message::~Message()
#16 0x7f1dbf3f9dab std::default_delete<>::operator()()
#17 0x7f1dbf3f9cdc std::unique_ptr<>::reset()
#18 0x7f1dbf3f9989 std::unique_ptr<>::~unique_ptr()
#19 0x7f1dbf40700c mojo::edk::(anonymous namespace)::MessageView::~MessageView()
#20 0x7f1dbf404dfa mojo::edk::(anonymous namespace)::ChannelPosix::Write()
#21 0x7f1dbf432ece mojo::edk::NodeChannel::WriteChannelMessage()
#22 0x7f1dbf433935 mojo::edk::NodeChannel::PortsMessage()
#23 0x7f1dbf43bd8f mojo::edk::NodeController::SendPeerMessage()
#24 0x7f1dbf43c414 mojo::edk::NodeController::ForwardMessage()
#25 0x7f1dbf48917a mojo::edk::ports::Node::SendMessageInternal()
#26 0x7f1dbf488d63 mojo::edk::ports::Node::SendMessage()
#27 0x7f1dbf4397de mojo::edk::NodeController::SendMessage()
#28 0x7f1dbf42e580 mojo::edk::MessagePipeDispatcher::WriteMessage()
#29 0x7f1dbf40ef21 mojo::edk::Core::WriteMessageNew()
#30 0x7f1dbf477eab MojoWriteMessageNewImpl
#31 0x7f1dc071d897 MojoWriteMessageNew
#32 0x7f1dc076b85d mojo::WriteMessageNew()
#33 0x7f1dc076a741 mojo::Connector::Accept()
#34 0x7f1db7cbfae1 IPC::(anonymous namespace)::ChannelAssociatedGroupController::SendMessage()
#35 0x7f1db7cc207e IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint::SendMessage()
#36 0x7f1dc0779478 mojo::InterfaceEndpointClient::Accept()
#37 0x7f1db7cf6ee4 IPC::mojom::ChannelProxy::Receive()
#38 0x7f1db7cae88c IPC::internal::MessagePipeReader::Send()
#39 0x7f1db7c74211 IPC::ChannelMojo::Send()
#40 0x7f1db7ce47ba IPC::SyncMessageFilter::SendOnIOThread()
#41 0x7f1db7ce8a5f _ZN4base8internal13FunctorTraitsIMN3IPC17SyncMessageFilterEFvPNS2_7MessageEEvE6InvokeIRK13scoped_refptrIS3_EJRKS5_EEEvS7_OT_DpOT0_
#42 0x7f1db7ce8976 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3IPC17SyncMessageFilterEFvPNS4_7MessageEEJRK13scoped_refptrIS5_ERKS7_EEEvOT_DpOT0_
#43 0x7f1db7ce8903 _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC17SyncMessageFilterEFvPNS3_7MessageEEJ13scoped_refptrIS4_ES6_EEEFvvEE7RunImplIRKS8_RKSt5tupleIJSA_S6_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#44 0x7f1db7ce881c _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC17SyncMessageFilterEFvPNS3_7MessageEEJ13scoped_refptrIS4_ES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#45 0x7f1db8fff401 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#46 0x7f1db8ffee09 base::debug::TaskAnnotator::RunTask()
#47 0x7f1db909190a base::MessageLoop::RunTask()
#48 0x7f1db9091b94 base::MessageLoop::DeferOrRunPendingTask()
#49 0x7f1db9091e7e base::MessageLoop::DoWork()
#50 0x7f1db90ac77e base::MessagePumpLibevent::Run()
#51 0x7f1db909148a base::MessageLoop::RunHandler()
#52 0x7f1db91370c4 base::RunLoop::Run()
#53 0x7f1db91dd5f8 base::Thread::Run()
#54 0x7f1db91dde9a base::Thread::ThreadMain()
#55 0x7f1db91c4eba base::(anonymous namespace)::ThreadFunc()
#56 0x7f1dc04dbe9a start_thread
#57 0x7f1dad38136d clone
  r8: 00007f1da15cabe0  r9: 000000000000002a r10: 2e65766f62612064 r11: 0000000000000202
 r12: 00007ffd926c6510 r13: 00007f1da15d09c0 r14: 0000000000000000 r15: 0000000000000003
  di: 0000000000000002  si: 00007f1da15cabe0  bp: 00007f1da15cab80  bx: 0000000000000000
  dx: 0000000000000126  ax: 0000000000000000  cx: 0000000000000000  sp: 00007f1da15cab80
  ip: 00007f1db92a4858 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000006
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000039
[end of stack trace]
[27287:27287:1028/161515:71844340022:ERROR:browser_test_utils.cc(181)] Cannot communicate with DOMOperationObserver.
../../content/browser/site_per_process_browsertest.cc:6104: Failure
Value of: ExecuteScriptAndExtractInt( root, "domAutomationController.send(frames.length)", &child_count)
  Actual: false
Expected: true
[  FAILED  ] SitePerProcessBrowserTest.NavigateAboutBlankAndDetach, where TypeParam =  and GetParam() =  (3028 ms)
Project Member

Comment 4 by bugdroid1@chromium.org, Jan 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f076d91e660f7289f0ee4bbda0cd1f89563760f3

commit f076d91e660f7289f0ee4bbda0cd1f89563760f3
Author: alexmos <alexmos@chromium.org>
Date: Mon Jan 23 22:27:57 2017

When a proxy is detached, immediately delete the associated provisional frame.

This provides an alternate, more robust fix for race conditions in
issues 526304 and 568676, avoiding early returns in OnNavigate and
didCommitProvisionalLoad when a provisional frame's proxy is detached.
Instead, the RenderFrameProxy now tracks a provisional frame that
would replace it if it commits, and cleans it up immediately if it
gets detached.  Likewise, if the provisional frame is destroyed before
commit (e.g., if the pending navigation is canceled), it unassigns
itself as the proxy's provisional frame.

RenderFrameProxy previously maintained frame_routing_id_, which is
currently unused, so the new provisional_frame_routing_id_ replaces
it.

BUG=487872, 526304, 568676, 660622

Review-Url: https://codereview.chromium.org/2628133002
Cr-Commit-Position: refs/heads/master@{#445515}

[modify] https://crrev.com/f076d91e660f7289f0ee4bbda0cd1f89563760f3/content/browser/site_per_process_browsertest.cc
[modify] https://crrev.com/f076d91e660f7289f0ee4bbda0cd1f89563760f3/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/f076d91e660f7289f0ee4bbda0cd1f89563760f3/content/renderer/render_frame_proxy.cc
[modify] https://crrev.com/f076d91e660f7289f0ee4bbda0cd1f89563760f3/content/renderer/render_frame_proxy.h
[modify] https://crrev.com/f076d91e660f7289f0ee4bbda0cd1f89563760f3/content/renderer/render_view_browsertest.cc

Cc: -alex...@chromium.org
Owner: alex...@chromium.org
Status: Fixed (was: Available)
This test seems to be working fine after r445515, so I'll go ahead and mark this as fixed.  Note that there was a followup issue 684699 when running this test with PlzNavigate, which has also been fixed by clamy@.
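
The lifetime rule described in the commit message of comment 4, as an added C++ model that is not Chromium's code and not part of the original thread: the proxy records the id of its provisional frame and deletes it on detach, and a frame destroyed before commit unassigns itself from the proxy. All names here (Proxy, Frame, g_proxies, g_frames, DetachProxy and the rest) are hypothetical stand-ins.

```cpp
#include <map>
#include <memory>
#include <utility>

// Simplified model, not Chromium code: every name below is a hypothetical
// stand-in for the proxy / provisional frame pair in the commit message.
constexpr int kNone = -1;

struct Proxy {
  int provisional_frame_id = kNone;  // frame that would replace this proxy
};
std::map<int, std::unique_ptr<Proxy>> g_proxies;  // routing id -> proxy

struct Frame {
  explicit Frame(int proxy_id) : proxy_id(proxy_id) {}
  // Destroyed before commit: unassign from the proxy. The proxy is looked up
  // by id, so a proxy that is already gone is never dereferenced.
  ~Frame() {
    auto it = g_proxies.find(proxy_id);
    if (it != g_proxies.end()) it->second->provisional_frame_id = kNone;
  }
  int proxy_id;
};
std::map<int, std::unique_ptr<Frame>> g_frames;  // routing id -> frame

void CreateProxy(int id) { g_proxies[id] = std::make_unique<Proxy>(); }

void StartProvisionalFrame(int frame_id, int proxy_id) {
  g_frames[frame_id] = std::make_unique<Frame>(proxy_id);
  g_proxies.at(proxy_id)->provisional_frame_id = frame_id;
}

// Pending navigation canceled: only the provisional frame is destroyed.
void CancelNavigation(int frame_id) { g_frames.erase(frame_id); }

// Proxy detached: its provisional frame is deleted in the same step, so
// nothing is left behind to commit against a detached proxy.
void DetachProxy(int proxy_id) {
  auto it = g_proxies.find(proxy_id);
  if (it == g_proxies.end()) return;
  std::unique_ptr<Proxy> proxy = std::move(it->second);
  g_proxies.erase(it);  // unregister first, so ~Frame finds no proxy
  if (proxy->provisional_frame_id != kNone)
    g_frames.erase(proxy->provisional_frame_id);
}

bool FrameAlive(int frame_id) { return g_frames.count(frame_id) != 0; }
```

Both sides refer to each other by id through a registry rather than by raw pointer, so whichever object is destroyed first, the other never holds a dangling reference to it.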
