Issue 669858

Starred by 4 users

Issue metadata

Status: WontFix
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Chrome: Crash Report - v8::internal::`anonymous namespace'::FastElementsAccessor<v8::internal::`anonymous namespace'::FastHoleyObjectElementsAccessor,v8::internal::A0x61c6ae97::ElementsKindTraits<3> >::DeleteCommon

Project Member Reported by rbasuvula@chromium.org, Nov 30 2016

Issue description

Product name: Chrome
Magic Signature: media::v8::internal::`anonymous namespace'::FastElementsAccessor<v8::internal::`anonymous namespace'::FastHoleyObjectElementsAccessor,v8::internal::A0x61c6ae97::ElementsKindTraits<3> >::DeleteCommon

Current link:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20product.version%3D%2756.0.2924.10%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BRenderer%20hang%5D%20v8%3A%3Ainternal%3A%3A%60anonymous%20namespace%5C%27%3A%3AFastElementsAccessor%3Cv8%3A%3Ainternal%3A%3A%60anonymous%20namespace%5C%27%3A%3AFastHoleyObjectElementsAccessor%2Cv8%3A%3Ainternal%3A%3AA0x61c6ae97%3A%3AElementsKindTraits%3C3%3E%20%3E%3A%3ADeleteCommon%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D&stbtiq=&reportid=0ac4e79f00000000&index=0#0


Search properties:
product.name: Chrome
product.version: 56.0.2924.10
custom_data.chromecrashproto.ptype: renderer
reportid: 0ac4e79f00000000

Metadata:
Product Name: Chrome
Product Version: 56.0.2924.10
Report ID: 0ac4e79f00000000
Report Time: Wed, 30 Nov 2016 05:39:00 GMT
Uptime: 12247000 ms
Cumulative Uptime: 0 ms
User Email: 
OS Name: Mac OS X
OS Version: 10.12.1 16B2555
CPU Architecture: amd64
CPU Info: family 6 model 70 stepping 1


Stack Trace:
=====================

Thread 0 MAGIC SIGNATURE THREAD
Stack Quality: 80%
0x5549dfd2	(chrome_child.dll -elements.cc:1850 )	v8::internal::`anonymous namespace'::FastElementsAccessor<v8::internal::`anonymous namespace'::FastHoleyObjectElementsAccessor,v8::internal::A0x61c6ae97::ElementsKindTraits<3> >::DeleteCommon
0x554945f3	(chrome_child.dll -elements.cc:1908 )	v8::internal::`anonymous namespace'::FastElementsAccessor<v8::internal::`anonymous namespace'::FastHoleyObjectElementsAccessor,v8::internal::A0x61c6ae97::ElementsKindTraits<3> >::DeleteImpl
0x554945a0	(chrome_child.dll -elements.cc:952 )	v8::internal::`anonymous namespace'::ElementsAccessorBase<v8::internal::`anonymous namespace'::FastHoleyObjectElementsAccessor,v8::internal::A0x61c6ae97::ElementsKindTraits<3> >::Delete
0x5519a193	(chrome_child.dll -lookup.cc:422 )	v8::internal::LookupIterator::Delete()
0x55199f09	(chrome_child.dll -objects.cc:6387 )	v8::internal::JSReceiver::DeleteProperty(v8::internal::LookupIterator *,v8::internal::LanguageMode)
0x55199b84	(chrome_child.dll -runtime-object.cc:451 )	v8::internal::`anonymous namespace'::DeleteProperty
0x55783d10	(chrome_child.dll -runtime-object.cc:459 )	v8::internal::Runtime_DeleteProperty_Sloppy(int,v8::internal::Object * *,v8::internal::Isolate *)
0x0448623d		
0x2c5b9d6c		
0x04511f03		
0x044eaa39		
0x044dc49a		
0x0e5798ae		
0x04511dba		
0x0ed12cea		
0x0bf9c4b9		
0x044dbc5d		
0x044af797		
0x551b8cea	(chrome_child.dll -execution.cc:139 )	v8::internal::`anonymous namespace'::Invoke
0x551b8bb8	(chrome_child.dll -execution.cc:176 )	v8::internal::Execution::Call(v8::internal::Isolate *,v8::internal::Handle<v8::internal::Object>,v8::internal::Handle<v8::internal::Object>,int,v8::internal::Handle<v8::internal::Object> * const)
0x554029d6	(chrome_child.dll -api.cc:4976 )	v8::Function::Call(v8::Local<v8::Context>,v8::Local<v8::Value>,int,v8::Local<v8::Value> * const)
0x55402870	(chrome_child.dll -v8scriptrunner.cpp:638 )	blink::V8ScriptRunner::callFunction(v8::Local<v8::Function>,blink::ExecutionContext *,v8::Local<v8::Value>,int,v8::Local<v8::Value> * const,v8::Isolate *)
0x554b0359	(chrome_child.dll -v8eventlistener.cpp:111 )	blink::V8EventListener::callListenerFunction(blink::ScriptState *,v8::Local<v8::Value>,blink::Event *)
0x552a8520	(chrome_child.dll -v8abstracteventlistener.cpp:142 )	blink::V8AbstractEventListener::invokeEventHandler(blink::ScriptState *,blink::Event *,v8::Local<v8::Value>)
0x552ac9e4	(chrome_child.dll -v8abstracteventlistener.cpp:101 )	blink::V8AbstractEventListener::handleEvent(blink::ScriptState *,blink::Event *)
0x552ac8a0	(chrome_child.dll -v8abstracteventlistener.cpp:89 )	blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext *,blink::Event *)
0x552aa5d2	(chrome_child.dll -eventtarget.cpp:691 )	blink::EventTarget::fireEventListeners(blink::Event *,blink::EventTargetData *,blink::HeapVector<blink::RegisteredEventListener,1> &)
0x55215131	(chrome_child.dll -eventtarget.cpp:554 )	blink::EventTarget::fireEventListeners(blink::Event *)
0x554267a1	(chrome_child.dll -eventtarget.cpp:459 )	blink::EventTarget::dispatchEventInternal(blink::Event *)
0x552c507a	(chrome_child.dll -eventtarget.cpp:452 )	blink::EventTarget::dispatchEvent(blink::Event *)
0x554278de	(chrome_child.dll -localdomwindow.cpp:682 )	blink::LocalDOMWindow::dispatchMessageEventWithOriginCheck(blink::SecurityOrigin *,blink::Event *,std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> >)
0x554278b1	(chrome_child.dll -localdomwindow.cpp:645 )	blink::LocalDOMWindow::postMessageTimerFired(blink::PostMessageTimer *)
0x5542781b	(chrome_child.dll -localdomwindow.cpp:145 )	blink::PostMessageTimer::fired()
0x552ab358	(chrome_child.dll -timer.cpp:143 )	blink::TimerBase::runInternal()
0x552ab2fa	(chrome_child.dll -bind_internal.h:339 )	base::internal::Invoker<base::internal::BindState<void ( blink::TimerBase::*)(void),base::WeakPtr<blink::TimerBase> >,void >::Run(base::internal::BindStateBase *)
0x55203d92	(chrome_child.dll -task_annotator.cc:52 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x55205308	(chrome_child.dll -task_queue_manager.cc:358 )	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *)
0x5521ad7f	(chrome_child.dll -task_queue_manager.cc:250 )	blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks,bool)
0x55742a03	(chrome_child.dll -bind_internal.h:339 )	base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void >::Run(base::internal::BindStateBase *)
0x55203d92	(chrome_child.dll -task_annotator.cc:52 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x55205021	(chrome_child.dll -message_loop.cc:413 )	base::MessageLoop::RunTask(base::PendingTask *)
0x5520446d	(chrome_child.dll -message_loop.cc:515 )	base::MessageLoop::DoWork()
0x5520358a	(chrome_child.dll -message_pump_default.cc:35 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x5536be2d	(chrome_child.dll -run_loop.cc:35 )	base::RunLoop::Run()
0x555c4360	(chrome_child.dll -renderer_main.cc:198 )	content::RendererMain(content::MainFunctionParams const &)
0x55573de6	(chrome_child.dll -content_main_runner.cc:408 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x5557438e	(chrome_child.dll -content_main_runner.cc:774 )	content::ContentMainRunnerImpl::Run()
0x55573e4d	(chrome_child.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x55573c54	(chrome_child.dll -chrome_main.cc:108 )	ChromeMain
0x003558e8	(chrome.exe -main_dll_loader_win.cc:174 )	MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x00351c38	(chrome.exe -chrome_exe_main_win.cc:249 )	wWinMain
0x003bbfa7	(chrome.exe -exe_common.inl:253 )	__scrt_common_main_seh
0x77091193	(KERNEL32.dll + 0x00051193 )	BaseThreadInitThunk
0x773db428	(ntdll.dll + 0x0005b428 )	__RtlUserThreadStart
0x773db3fb	(ntdll.dll + 0x0005b3fb )	_RtlUserThreadStart


This is a regression issue, and the crash was first seen on build #54.0.2840.14. In the latest Dev #56.0.2924.10, 13 instances were seen from 13 clients.


List of builds that encountered the crash:
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BRenderer%20hang%5D%20v8%3A%3Ainternal%3A%3A%60anonymous%20namespace%5C%27%3A%3AFastElementsAccessor%3Cv8%3A%3Ainternal%3A%3A%60anonymous%20namespace%5C%27%3A%3AFastHoleyObjectElementsAccessor%2Cv8%3A%3Ainternal%3A%3AA0x61c6ae97%3A%3AElementsKindTraits%3C3%3E%20%3E%3A%3ADeleteCommon%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000

56.0.2924.10	0.03%	13	Dev

This crash is seen on latest Dev.
This crash is observed in Windows.

Using code search for the file "FastElementsAccessor", suspecting the following CL:
https://chromium.googlesource.com/v8/v8/+/2fd6d6093e746b561e8711897707ef7ce0e14467

@cbruni -- Could you please look into the issue? Kindly re-assign if this is not related to your changes.

Thank You.

 

Comment 1 by cbruni@chromium.org, Nov 30 2016

Status: WontFix (was: Assigned)
WontFix Render Hang: long-standing issue caused by badly written JavaScript on websites.
Issue 612557 has been merged into this issue.
