Tracing with "blink.debug.layout.trees" category crashes
Issue description

I built chrome from top of the tree and ran with --enable-heap-profiling. It crashes every time for me with the following error. If I don't add that flag, chrome works fine. This used to work.

Steps to repro:
(1) Sync to top of tree. Mine is at fc37c3c876af6913eecca1140240777b10377309
(2) Build chrome with GN flag "enable_profiling = true"
(3) Launch Chrome with --enable-heap-profiling, e.g. ./out/memory/chrome --enable-heap-profiling --user-data-dir=/tmp/uehdhakhd
(4) Navigate to a popular website. E.g. https://reddit.com

ASSERTION FAILED: !section() || !section()->needsCellRecalc()
../../third_party/WebKit/Source/core/layout/LayoutTableRow.h(100) : unsigned int blink::LayoutTableRow::rowIndex() const
1 0x7fe9aad8de20
2 0x7fe9aad8d3c9
3 0x7fe9aadfd8c1
4 0x7fe9aadfdb84
5 0x7fe9aadfdb84
6 0x7fe9aadfdb84
7 0x7fe9aadfdb84
8 0x7fe9aadfdb84
9 0x7fe9aadfdb84
10 0x7fe9aadfdb84
11 0x7fe9aadfdb84
12 0x7fe9aadfd286
13 0x7fe9aa78ba43 blink::FrameView::layout()
14 0x7fe9aa3619b4 blink::Document::updateStyleAndLayout()
15 0x7fe9aa361755 blink::Document::updateStyleAndLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks)
16 0x7fe9aa361703 blink::Document::updateStyleAndLayoutIgnorePendingStylesheetsForNode(blink::Node*)
17 0x7fe9aa88e0f3 blink::HTMLElement::unclosedOffsetParent()
18 0x7fe9aa88e289 blink::HTMLElement::offsetHeightForBinding()
19 0x7fe9ab4b9e23
20 0x7fe9ab4b9db5
21 0x7fe9b8c17538
22 0x7fe9b8cdc635
23 0x7fe9b8cdb841
24 0x7fe9b9252b1e
25 0x7fe9b9251fb9 v8::internal::Object::GetProperty(v8::internal::LookupIterator*)
26 0x7fe9b919fdd4
27 0x7fe9b91ab44c
28 0x7fe9b91aafea
29 0x1f90c41043a7
Received signal 4 ILL_ILLOPN 7fe9aad8de20
#0 0x7fe9c3d339fe base::debug::StackTrace::StackTrace()
#1 0x7fe9c3d3353f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fe9c4182330 <unknown>
#3 0x7fe9aad8de20 blink::LayoutTableRow::rowIndex()
#4 0x7fe9aad8d3c9 blink::LayoutTableCell::rowIndex()
#5 0x7fe9aadfd8c1 blink::(anonymous namespace)::dumpToTracedValue()
#6 0x7fe9aadfdb84 blink::(anonymous namespace)::dumpToTracedValue()
#7 0x7fe9aadfdb84 blink::(anonymous namespace)::dumpToTracedValue()
#8 0x7fe9aadfdb84 blink::(anonymous namespace)::dumpToTracedValue()
#9 0x7fe9aadfdb84 blink::(anonymous namespace)::dumpToTracedValue()
#10 0x7fe9aadfdb84 blink::(anonymous namespace)::dumpToTracedValue()
#11 0x7fe9aadfdb84 blink::(anonymous namespace)::dumpToTracedValue()
#12 0x7fe9aadfdb84 blink::(anonymous namespace)::dumpToTracedValue()
#13 0x7fe9aadfdb84 blink::(anonymous namespace)::dumpToTracedValue()
#14 0x7fe9aadfd286 blink::TracedLayoutObject::create()
#15 0x7fe9aa78ba43 blink::FrameView::layout()
#16 0x7fe9aa3619b4 blink::Document::updateStyleAndLayout()
#17 0x7fe9aa361755 blink::Document::updateStyleAndLayoutIgnorePendingStylesheets()
#18 0x7fe9aa361703 blink::Document::updateStyleAndLayoutIgnorePendingStylesheetsForNode()
#19 0x7fe9aa88e0f3 blink::HTMLElement::unclosedOffsetParent()
#20 0x7fe9aa88e289 blink::HTMLElement::offsetHeightForBinding()
#21 0x7fe9ab4b9e23 blink::HTMLElementV8Internal::offsetHeightAttributeGetter()
#22 0x7fe9ab4b9db5 blink::HTMLElementV8Internal::offsetHeightAttributeGetterCallback()
#23 0x7fe9b8c17538 v8::internal::FunctionCallbackArguments::Call()
#24 0x7fe9b8cdc635 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#25 0x7fe9b8cdb841 v8::internal::Builtins::InvokeApiFunction()
#26 0x7fe9b9252b1e v8::internal::Object::GetPropertyWithAccessor()
#27 0x7fe9b9251fb9 v8::internal::Object::GetProperty()
#28 0x7fe9b919fdd4 v8::internal::LoadIC::Load()
#29 0x7fe9b91ab44c v8::internal::__RT_impl_Runtime_LoadIC_Miss()
#30 0x7fe9b91aafea v8::internal::Runtime_LoadIC_Miss()
#31 0x1f90c41043a7 <unknown>
r8: 00007fe9a3afea40 r9: 0000000000000001 r10: 00007fe9b0d9cbe0 r11: 0000000000000000
r12: 0000000000000000 r13: 00007ffe85143b98 r14: 00000b328707a020 r15: 00007fe9ab4b9da0
di: 0000000000000000 si: 00000000efcdab90 bp: 00007ffe85141e90 bx: 00007ffe85143ad0
dx: 0000000000000000 ax: 99b68d6ca53e1a00 cx: 99b68d6ca53e1a00 sp: 00007ffe85141e80
ip: 00007fe9aad8de20 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000000
trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
[30554:30554:1110/145417:ERROR:process_metrics_linux.cc(137)] opendir(/proc/0/task): No such file or directory
,
Nov 10 2016
It seems that something changed in Blink, and this assert in LayoutTableRow::rowIndex() is now failing:
ASSERT(
    !section() ||
    !section()->needsCellRecalc());  // index may be bogus if cells need recalc.
The interesting part is that TracedLayoutObject::create() is active only if the TRACE_DISABLED_BY_DEFAULT("blink.debug.layout.trees") category is enabled. But how is it enabled if we're just enabling heap profiling?
,
Nov 10 2016
I guess some recent ssid change where enable-heap-profiling enables filtering mode. +ssid
,
Nov 10 2016
* enables filtering mode -> enables filtering mode on *all* categories, in order to maximize the quality of pseudo-stack.
,
Nov 11 2016
Dmitry seems to think that short-term you could work around the problem by using Release build instead of Debug.
,
Nov 11 2016
The stack trace is given in comment #0. szager@ changed this trace event last. Added by dsinclair@ and benjhayden@.
,
Nov 11 2016
Thanks everyone for looking into this. As suggested in #7, I am able to work around it by building Release version of Chrome instead of Debug.
,
Nov 11 2016
The layout tracing code should not try to emit row/col information for table cells if the traceGeometry flag to dumpToTracedValue is false, because the table's layout may be dirty. https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/layout/TracedLayoutObject.cpp?l=18&gs=cpp%253Ablink%253A%253A%253Canonymous-namespace%253E%253A%253AdumpToTracedValue(const%2Bblink%253A%253ALayoutObject%2B%2526%252C%2Bbool%252C%2Bblink%253A%253ATracedValue%2B*)%2540chromium%252F..%252F..%252Fthird_party%252FWebKit%252FSource%252Fcore%252Flayout%252FTracedLayoutObject.cpp%257Cdef&gsn=dumpToTracedValue&ct=xref_usages
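The guard described in the comment above, as an added example that is not Chromium's code: a simplified C++ model in which Section, Node, dumpToString and makeTable are hypothetical stand-ins. Row information is emitted only when traceGeometry is true, so rowIndex() is never called while the section still needs a cell recalc.

```cpp
#include <cassert>
#include <string>
#include <vector>

// Simplified stand-ins for the Blink classes named in the thread
// (hypothetical model, not Chromium code).
struct Section {
    bool needsCellRecalc = false;  // true while the table's cell grid is stale
};

struct Node {
    std::string name;
    const Section* section = nullptr;  // set only for table cells
    unsigned row = 0;
    std::vector<Node> children;

    // Same precondition as the ASSERT quoted in the thread: the index may be
    // bogus while cells need recalc, so a debug build aborts here.
    unsigned rowIndex() const {
        assert(!section || !section->needsCellRecalc);
        return row;
    }
};

// Recursive dump in the spirit of dumpToTracedValue(): row information is
// emitted only when traceGeometry is true, i.e. when layout is known clean.
std::string dumpToString(const Node& n, bool traceGeometry) {
    std::string out = "{" + n.name;
    if (traceGeometry && n.section)
        out += " row=" + std::to_string(n.rowIndex());
    for (const Node& c : n.children)
        out += " " + dumpToString(c, traceGeometry);
    return out + "}";
}

// Constructed sample tree: one table containing one cell in row 2.
Node makeTable(const Section& s) {
    Node cell{"LayoutTableCell", &s, 2, {}};
    Node table{"LayoutTable", nullptr, 0, {cell}};
    return table;
}

int main() {
    Section dirty{true};
    // Snapshot with geometry off: the dirty section is never queried.
    return dumpToString(makeTable(dirty), false).empty() ? 1 : 0;
}
```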
,
Nov 15 2016
kraynov@ can you solve this problem for us? There seems to be enough insight in this bug.
,
Nov 18 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b8c29bca7e952d293a4e513d5253cfa95ab0ba4c

commit b8c29bca7e952d293a4e513d5253cfa95ab0ba4c
Author: kraynov <kraynov@chromium.org>
Date: Fri Nov 18 18:15:18 2016

Fix TracedLayoutObject crash when table layout is expected to be dirty.

Cell's position should not be traced if there is a risk of dirty layout in order to prevent assertion crash.

BUG= 664271

Review-Url: https://codereview.chromium.org/2503163003
Cr-Commit-Position: refs/heads/master@{#433239}

[modify] https://crrev.com/b8c29bca7e952d293a4e513d5253cfa95ab0ba4c/third_party/WebKit/Source/core/layout/TracedLayoutObject.cpp
,
Nov 18 2016
Fixed, reproduction steps described in this bug do not lead to failure after https://codereview.chromium.org/2503163003
Comment 1 by xunji...@chromium.org, Nov 10 2016
Summary: --enable-heap-profiling crashes everytime on ToT (was: --enabl-heap-profiling crashes everytime on ToT)