
Issue 664127

Starred by 3 users

Issue metadata

Status: Duplicate
Owner:
Last visit > 30 days ago
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




gpu-process SIGSEGV in ui::GbmBuffer::CreateBufferFromFds

Project Member Reported by djkurtz@chromium.org, Nov 10 2016

Issue description

From crash server:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_ChromeOS%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27gpu-process%27%20AND%20stable_signature%20LIKE%20%27ui%3A%3AGbmBuffer%3A%3ACreateBufferFromFds-%25%27

Chrome Version: 53.0.2785.15 - 56.0.2905.0, but 56% of crashes are from 56.0.2905.0

Device model breakdown from the crash server:

Rank	Device model	Share	Count
1	veyron_minnie-signed-mp-v3keys	75.46%	3143
2	samus-signed-mpkeys	9.53%	397
3	samus-signed-mp-v2keys	8.98%	374
4	veyron_speedy-signed-mp-v3keys	1.20%	50
5	cyan-signed-mp-v2keys	1.10%	46
6	veyron_jerry-signed-mp-v9keys	0.96%	40
7	veyron_jerry-signed-mp-v10keys	0.84%	35
8	cyan-signed-mpkeys	0.62%	26
9	elm-signed-mpkeys	0.60%	25
10	kevin-signed-mpkeys	0.46%	19
11	cave-signed-mpkeys	0.07%	3
12	asuka-signed-prempkeys	0.05%	2
13	veyron_mighty-signed-mp-v11keys	0.05%	2
14	chell-signed-mpkeys	0.02%	1
15	cave-signed-prempkeys	0.02%	1
16	edgar-signed-mp-v2keys	0.02%	1
Total		100.00%	4165

54% (2260) of these crashes are veyron_minnie-signed-mp-v3keys @ 56.0.2905.0.

Example:  https://crash.corp.google.com/browse?q=ReportID=3bf0a96700000000

Report Time Thu, 10 Nov 2016 12:18:28 GMT
Uptime 181 ms

Unfortunately, Stack Quality is only 5%

Thread 8 CRASHED [SIGSEGV @ 0x00000030 ] MAGIC SIGNATURE THREAD

0xb2a92cb8	(chrome -gbm_buffer.cc:170 )	ui::GbmBuffer::CreateBufferFromFds(scoped_refptr<ui::GbmDevice> const&, gfx::BufferFormat, gfx::Size const&, std::vector<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits>, std::allocator<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits> > >&&, std::vector<gfx::NativePixmapPlane, std::allocator<gfx::NativePixmapPlane> > const&)
0xb2a8cf77	(chrome -drm_thread.cc:124 )	ui::DrmThread::CreateBufferFromFds(int, gfx::Size const&, gfx::BufferFormat, std::vector<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits>, std::allocator<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits> > >&&, std::vector<gfx::NativePixmapPlane, std::allocator<gfx::NativePixmapPlane> > const&, scoped_refptr<ui::GbmBuffer>*)
0xb2a8cf0f	(chrome + 0x00906f0f )	non-virtual thunk to ui::DrmThread::~DrmThread()
0xb2a8cf0f	(chrome + 0x00906f0f )	non-virtual thunk to ui::DrmThread::~DrmThread()
0xb2a91001	(chrome -bind_internal.h:214 )	base::internal::Invoker<base::internal::BindState<void (ui::DrmThread::*)(int, gfx::Size const&, gfx::BufferFormat, std::vector<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits>, std::allocator<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits> > >&&, std::vector<gfx::NativePixmapPlane, std::allocator<gfx::NativePixmapPlane> > const&, scoped_refptr<ui::GbmBuffer>*), base::internal::UnretainedWrapper<ui::DrmThread>, int, gfx::Size, gfx::BufferFormat, base::internal::PassedWrapper<std::vector<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits>, std::allocator<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits> > > >, std::vector<gfx::NativePixmapPlane, std::allocator<gfx::NativePixmapPlane> >, scoped_refptr<ui::GbmBuffer>*>, void ()>::Run(base::internal::BindStateBase*)
0xb66ae2b6	(chrome + 0x045282b6 )	_fini
0xb2a998c1	(chrome -callback.h:64 )	OnRunPostedTaskAndSignal
0xb27936ff	(chrome -callback.h:47 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0xb2a9990f	(chrome -proxy_helpers.cc:27 )	ui::PostSyncTask(scoped_refptr<base::SingleThreadTaskRunner> const&, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&)
0xb278d799	(chrome -lock_impl_posix.cc:64 )	base::internal::LockImpl::Lock()
0xb2789515	(chrome -message_loop.cc:413 )	base::MessageLoop::DoWork()
0xb261aa5b	(chrome -central_freelist.cc:281 )	tcmalloc::CentralFreeList::RemoveRange(void**, void**, int)
0xb261aa5b	(chrome -central_freelist.cc:281 )	tcmalloc::CentralFreeList::RemoveRange(void**, void**, int)
0xb65880d2	(chrome + 0x044020d2 )	_fini
0xb261aa5b	(chrome -central_freelist.cc:281 )	tcmalloc::CentralFreeList::RemoveRange(void**, void**, int)
0xb6561616	(chrome + 0x043db616 )	_fini
0xb656167a	(chrome + 0x043db67a )	_fini
0xb6561616	(chrome + 0x043db616 )	_fini
0xb65615f2	(chrome + 0x043db5f2 )	_fini
0xb69a24ce	(chrome + 0x0481c4ce )	_fini
0xb65880d2	(chrome + 0x044020d2 )	_fini
0xb2a9990f	(chrome -proxy_helpers.cc:27 )	ui::PostSyncTask(scoped_refptr<base::SingleThreadTaskRunner> const&, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&)
0xb2154227	(libpthread-2.19.so + 0x0000c227 )	read
0xb2789b6d	(chrome -unistd.h:64 )	base::MessagePumpLibevent::OnWakeup(int, short, void*)
0xb279715f	(chrome -event.c:381 )	event_base_loop
0xb292acf3	(chrome -tcmalloc.cc:1122 )	do_malloc
0xb69a24ce	(chrome + 0x0481c4ce )	_fini
0xb65880d2	(chrome + 0x044020d2 )	_fini
0xb2a9990f	(chrome -proxy_helpers.cc:27 )	ui::PostSyncTask(scoped_refptr<base::SingleThreadTaskRunner> const&, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&)
0xb399a3fb	(chrome + 0x018143fb )	base::MessagePumpLibevent::~MessagePumpLibevent()
0xb278999f	(chrome -message_pump_libevent.cc:218 )	base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0xb2790dc3	(chrome -tracked_objects.cc:374 )	tracked_objects::TaskStopwatch::Start()
0xb39ad0a1	(chrome -run_loop.cc:35 )	base::RunLoop::Run()
0xb39c0b21	(chrome -thread.cc:333 )	base::Thread::ThreadMain()
0xb39be8a5	(chrome -platform_thread_posix.cc:71 )	ThreadFunc
0xb39be863	(chrome + 0x01838863 )	base::PlatformThread::SetCurrentThreadPriority(base::ThreadPriority)
0xb214d6b9	(libpthread-2.19.so -pthread_create.c:311 )	start_thread


Assigning to dcastagna because crash server lists him as the "Author" for the crashing line from CL:
https://chromium.googlesource.com/chromium/src.git/+/d59fcd0ba1579ea2b8972ca6ff04833830979f4c
ozone: Fix scanout check for gbm_bo_import.

Attachment: chrome.20161109.155619.31492.chrome.txt (12.2 KB)
The crashes on elm have a more compact backtrace (Stable Signature = ui::GbmBuffer::CreateBufferFromFds-b2d503e6):

https://crash.corp.google.com/browse?q=ReportID=8ec835d700000000

Thread 3 CRASHED [SIGSEGV @ 0x00000030 ] MAGIC SIGNATURE THREAD
Stack Quality 100%
0xf2d4cc6a	(chrome -gbm_buffer.cc:170 )	ui::GbmBuffer::CreateBufferFromFds
0xf2d46d29	(chrome -drm_thread.cc:124 )	ui::DrmThread::CreateBufferFromFds
0xf2d4afb1	(chrome -bind_internal.h:214 )	base::internal::Invoker<base::internal::BindState<void (ui::DrmThread::*)(int, const gfx::Size&, gfx::BufferFormat, std::vector<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits>, std::allocator<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits> > >&&, const std::vector<gfx::NativePixmapPlane, std::allocator<gfx::NativePixmapPlane> >&, scoped_refptr<ui::GbmBuffer>*), base::internal::UnretainedWrapper<ui::DrmThread>, int, gfx::Size, gfx::BufferFormat, base::internal::PassedWrapper<std::vector<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits>, std::allocator<base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits> > > >, std::vector<gfx::NativePixmapPlane, std::allocator<gfx::NativePixmapPlane> >, scoped_refptr<ui::GbmBuffer>*>, void()>::Run
0xf2d537c7	(chrome -callback.h:64 )	OnRunPostedTaskAndSignal
0xf2a1bddd	(chrome -callback.h:64 )	base::debug::TaskAnnotator::RunTask
0xf2a1131b	(chrome -message_loop.cc:405 )	base::MessageLoop::DoWork
0xf2a11693	(chrome -message_pump_libevent.cc:217 )	base::MessagePumpLibevent::Run
0xf3c16301	(chrome -run_loop.cc:35 )	base::RunLoop::Run
0xf3c2943d	(chrome -thread.cc:333 )	base::Thread::ThreadMain
0xf3c27661	(chrome -platform_thread_posix.cc:71 )	ThreadFunc
0xf23dd6b9	(libpthread-2.19.so -pthread_create.c:311 )	start_thread
0xf1df765b	(libc-2.19.so + 0x0009e65b )	clone

Thread 0 has a corresponding backtrace:
0xf23e6484	(libpthread-2.19.so + 0x0000e484 )	__libc_do_syscall
0xf23e192b	(libpthread-2.19.so -pthread_cond_wait.c:187 )	__pthread_cond_wait
0xf2a16971	(chrome -waitable_event_posix.cc:219 )	base::WaitableEvent::TimedWait
0xf3c1f975	(chrome -waitable_event_posix.cc:156 )	base::WaitableEvent::Wait
0xf2d53877	(chrome -proxy_helpers.cc:29 )	ui::PostSyncTask
0xf2d4b107	(chrome -drm_thread_proxy.cc:53 )	ui::DrmThreadProxy::CreateBufferFromFds
0xf2d4ea11	(chrome -gbm_surface_factory.cc:174 )	ui::GbmSurfaceFactory::CreateNativePixmapFromHandle
0xf438474f	(chrome -gpu_memory_buffer_factory_ozone_native_pixmap.cc:93 )	gpu::GpuMemoryBufferFactoryOzoneNativePixmap::CreateImageForGpuMemoryBuffer
0xf4385021	(chrome -gpu_channel.cc:1066 )	gpu::GpuChannel::CreateImageForGpuMemoryBuffer
0xf438c211	(chrome -gpu_command_buffer_stub.cc:1009 )	gpu::GpuCommandBufferStub::OnCreateImage
0xf2a8d87b	(chrome -tuple.h:144 )	gpu::GpuCommandBufferStub::OnMessageReceived
0xf5e83f1b	(chrome -message_router.cc:56 )	IPC::MessageRouter::RouteMessage
0xf43892e7	(chrome -gpu_channel.cc:807 )	gpu::GpuChannel::HandleMessageHelper
0xf4389399	(chrome -gpu_channel.cc:787 )	gpu::GpuChannel::HandleMessage
0xf2a1bddd	(chrome -callback.h:64 )	base::debug::TaskAnnotator::RunTask
0xf2a1131b	(chrome -message_loop.cc:405 )	base::MessageLoop::DoWork
0xf2a1158d	(chrome -message_pump_default.cc:35 )	base::MessagePumpDefault::Run
0xf3c16301	(chrome -run_loop.cc:35 )	base::RunLoop::Run
0xf50f5bcf	(chrome -gpu_main.cc:288 )	content::GpuMain
0xf398168b	(chrome -content_main_runner.cc:779 )	content::ContentMainRunnerImpl::Run
0xf398071d	(chrome -content_main.cc:20 )	content::ContentMain
0xf2bb0a73	(chrome -chrome_main.cc:97 )	ChromeMain
0xf1d6f307	(libc-2.19.so -libc-start.c:285 )	__libc_start_main
0xf2bb0937	(chrome + 0x007a2937 )	_start
0xf66cfe4f	(chrome -elf-init.c:87 )	__libc_csu_init
0xf23f79df	(ld-2.19.so + 0x0000b9df )	_dl_sort_fini
Owner: h...@chromium.org
If the reported line is correct (gbm_buffer.cc:170) this is the code we execute:

gbm_device_is_format_supported(
                         gbm->device(), fourcc_format,
                         GBM_BO_USE_SCANOUT | GBM_BO_USE_RENDERING)

I can't see much failing there, aside from |gbm| being null.
Haixia seems to have been working on a related issue (crbug.com/608839).

Reassigning to him.
Feel free to reassign it back to me in case I misunderstood something.

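The null-|gbm| hypothesis above fits the fault address in the report (SIGSEGV @ 0x00000030): a member read through a null base pointer faults at an address equal to that member's offset. The following is an added illustration, not Chromium code; FakeGbmDevice and its layout are constructed so that one field happens to land at offset 0x30, and the guarded function shows the defensive shape that fails the request instead of faulting.

```cpp
// Added illustration (not Chromium code): why a null |gbm| produces a
// SIGSEGV at a small address such as 0x30, and how a guard avoids it.
#include <cstddef>
#include <cstdint>

// Constructed stand-in for the gbm device wrapper. The layout is
// hypothetical; it is chosen only so one member sits at offset 0x30.
struct FakeGbmDevice {
  std::uint64_t pad[6];  // 6 * 8 = 0x30 bytes of other state (constructed)
  void* native_device;   // the field a device() accessor would return
  void* device() const { return native_device; }
};

// Offset a member access reads from when the base pointer is null.
constexpr std::size_t kDeviceFieldOffset =
    offsetof(FakeGbmDevice, native_device);

// Triage helper: true when |fault_addr| is explainable as null + offset,
// i.e. the classic signature of a null-base dereference.
bool FaultMatchesNullMember(std::uintptr_t fault_addr,
                            std::size_t member_offset) {
  return fault_addr == member_offset;
}

// Unguarded form mirroring the reported call site: |gbm| is dereferenced
// before any validity check. Shown for contrast; not exercised.
bool FormatSupportedUnguarded(const FakeGbmDevice* gbm) {
  return gbm->device() != nullptr;  // null |gbm| -> read at 0x30 -> SIGSEGV
}

// Guarded form: report failure instead of crashing the gpu process when
// the device lookup failed or the device was already torn down.
bool FormatSupportedGuarded(const FakeGbmDevice* gbm) {
  if (!gbm)
    return false;
  return gbm->device() != nullptr;
}
```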
Comment 3 by h...@chromium.org, Nov 10 2016

Mergedinto: 608839
Status: Duplicate (was: Assigned)
This is a duplicate of bug 608839.

Fixes were landed at

Cr-Commit-Position: refs/heads/master@{#429173}
Cr-Commit-Position: refs/branch-heads/2883@{#430}

No such crash should be found at or after 56.0.2908.0


Components: -Internals>Graphics Internals>GPU
Moving old issues out of Internal>Graphics to delete this obsolete component (crbug.com/685425 for details)
