Chrome_Mac: Crash Report - base::internal::Dispatcher<content::ServiceWorkerContextObserver, void (content::ServiceWorkerContextObserver::*)(long long, GURL const&)>::Run
Issue description

Getting Error Bad request when trying to file this via go/chromecrash.

Crash id: f6e3c60080000000

Stack trace:
============
Thread 14 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x4d55545a ] MAGIC SIGNATURE THREAD
Stack Quality: 61%

0x00000001124e3dc1 (Google Chrome Framework -observer_list_threadsafe.h:67 ) base::internal::Dispatcher<content::ServiceWorkerContextObserver, void (content::ServiceWorkerContextObserver::*)(long long, GURL const&)>::Run(void (content::ServiceWorkerContextObserver::*)(long long, GURL const&), long long, GURL const&, content::ServiceWorkerContextObserver*)
0x00000001124e3f84 (Google Chrome Framework -callback.h:85 ) base::ObserverListThreadSafe<content::ServiceWorkerContextObserver>::NotifyWrapper(base::ObserverListThreadSafe<content::ServiceWorkerContextObserver>::ObserverListContext*, base::Callback<void (content::ServiceWorkerContextObserver*), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&)
0x0000000112e7b560 (Google Chrome Framework -callback.h:68 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x0000000112e9fe3a (Google Chrome Framework -message_loop.cc:413 ) base::MessageLoop::RunTask(base::PendingTask*)
0x0000000112ea018b (Google Chrome Framework -message_loop.cc:422 ) base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
0x0000000112ea0542 (Google Chrome Framework -message_loop.cc:515 ) base::MessageLoop::DoWork()
0x0000000112ea2024 (Google Chrome Framework -message_pump_libevent.cc:218 ) base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0x0000000112ec1362 (Google Chrome Framework -run_loop.cc:37 ) base::RunLoop::Run()
0x000000011225a143 (Google Chrome Framework -browser_thread_impl.cc:252 ) content::BrowserThreadImpl::IOThreadRun(base::RunLoop*)
0x000000011225a203 (Google Chrome Framework -browser_thread_impl.cc:287 ) content::BrowserThreadImpl::Run(base::RunLoop*)
0x0000000112eeeda8 (Google Chrome Framework -thread.cc:328 ) base::Thread::ThreadMain()
0x0000000112eea4c6 (Google Chrome Framework -platform_thread_posix.cc:71 ) base::(anonymous namespace)::ThreadFunc(void*)
0x00007fff8c6d8aaa (libsystem_pthread.dylib + 0x00003aaa )
0x00007fff8c6d89f6 (libsystem_pthread.dylib + 0x000039f6 )
0x00007fff8c6d81fc (libsystem_pthread.dylib + 0x000031fc )
0x0000000112eea46f (Google Chrome Framework + 0x019ba46f )

Link to the list of the builds:
================================
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27base%3A%3Ainternal%3A%3ADispatcher%3Ccontent%3A%3AServiceWorkerContextObserver%2C%20void%20(content%3A%3AServiceWorkerContextObserver%3A%3A*)(long%20long%2C%20GURL%20const%26)%3E%3A%3ARun%27%20AND%20product.name%3D%27Chrome_Mac%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000

Note:
=====
1. This has spiked in latest canary (57.0.2952.0 - 12 crashes from 12 clients so far) from the last canary (57.0.2951.0).
2. There are different other variants of this magic signature also seen on the latest canary.
3. Crashes are spiking gradually, hence marking this as Dev blocker.

Considering below as the changelog:
===================================
https://chromium.googlesource.com/chromium/src/+log/57.0.2951.0..57.0.2952.0?pretty=fuller&n=10000

haraken@: Could this spike be rooted to https://codereview.chromium.org/2556893003.
,
Dec 15 2016
,
Dec 15 2016
Just to update other variants of this magic signature on Mac and Windows canary(57.0.2952.0) spiked from last canary(57.0.2951.0).

Mac canary(57.0.2952.0 - live for 4 hours)
============================================
>base::internal::Dispatcher<content::ServiceWorkerContextObserver, void (content::ServiceWorkerContextObserver::*)(long long, content::EmbeddedWorkerStatus)>::Run
>base::ObserverListThreadSafe<content::ServiceWorkerContextObserver>::NotifyWrapper
>base::internal::Dispatcher<content::ServiceWorkerContextObserver, void (content::ServiceWorkerContextObserver::*)(long long, int, int)>::Run

Windows canary(57.0.2952.0 - live for 2 hours)
================================================
>base::ObserverListThreadSafe<content::GpuDataManagerObserver>::NotifyWrapper
>base::ObserverListThreadSafe<media::UserInputMonitor::MouseEventListener>::NotifyWrapper

nhiroki@: Could this be related to https://codereview.chromium.org/2466513002 for the MessageEvent related changes from the spike range.
,
Dec 15 2016
,
Dec 15 2016
Users experienced this crash on the following builds:

Mac Canary 57.0.2952.0 - 27.81 CPM, 25 reports, 23 clients (signature base::internal::Dispatcher<content::ServiceWorkerContextObserver, void (content::ServiceWorkerContextObserver::*)(long long, content::EmbeddedWorkerStatus)>::Run)
Mac Canary 57.0.2952.0 - 27.27 CPM, 25 reports, 24 clients (signature base::ObserverListThreadSafe<content::ServiceWorkerContextObserver>::NotifyWrapper)
Mac Canary 57.0.2952.0 - 103.62 CPM, 95 reports, 82 clients (signature base::internal::Dispatcher<content::ServiceWorkerContextObserver, void (content::ServiceWorkerContextObserver::*)(long long, GURL const&)>::Run)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
,
Dec 15 2016
,
Dec 15 2016
,
Dec 15 2016
Bisected this as per the test steps of the duped Issue 674471 on Mac OS 10.11.6.

Last good build: 57.0.2951.0
First bad build: 57.0.2952.0

Changelog:
==========
https://chromium.googlesource.com/chromium/src/+log/0d69452813c95ee10e53b8e83eaceea23a2b1780..b41d221cb138f0f5e3824229f12bf794172e106f

dgozman@: Could you please take a look at these crashes.
,
Dec 15 2016
As per steps in issue 674471, I am able to repro this issue reliably under Windows, Mac and Linux, with:

1. Open a tab.
2. Inspect the page with Developer Tools.
3. Close the tab.
4. Open a new tab.

Under Mac we reliably get ServiceWorkerContextObserver signatures as noted above. FWIW, Mac 32-bit crashes I checked all had a null-deref, whereas 64-bit ones are all hitting bad addresses whose top 32-bits are null.

Under Windows we get a variety of other signatures, mainly GpuDataManagerObserver and Histogram::AddCount. The bogus addresses being accessed seem more random on Windows, though all the crashes I generated locally were dereferencing 0x10000000000000000.

Under Linux I repro'd the issue in a debug build and got the following:

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to Thread 0x7fffc5240700 (LWP 32122)]
base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:232
232 }
(gdb) where
#0 base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:232
#1 0x00007ffff77623b8 in base::debug::BreakDebugger () at ../../base/debug/debugger_posix.cc:251
#2 0x00007ffff77d38b2 in logging::LogMessage::~LogMessage (this=0x7fffc523ce08) at ../../base/logging.cc:759
#3 0x00007ffff46e8d22 in PrefNotifierImpl::RemovePrefObserver (this=0x3d303681d120, path="alternate_error_pages.enabled", obs=0x3d3037edeac8) at ../../components/prefs/pref_notifier_impl.cc:53
#4 0x00007ffff46fa7d4 in PrefService::RemovePrefObserver (this=0x3d3036ef6da0, path="alternate_error_pages.enabled", obs=0x3d3037edeac8) at ../../components/prefs/pref_service.cc:361
#5 0x00007ffff46e007b in PrefChangeRegistrar::RemoveAll (this=0x3d3037edeac8) at ../../components/prefs/pref_change_registrar.cc:54
#6 0x00007ffff46dff87 in PrefChangeRegistrar::~PrefChangeRegistrar (this=0x3d3037edeac8) at ../../components/prefs/pref_change_registrar.cc:18
#7 0x000055555940376f in NavigationCorrectionTabObserver::~NavigationCorrectionTabObserver (this=0x3d3037edeaa0) at ../../chrome/browser/ui/navigation_correction_tab_observer.cc:53
#8 0x00005555594037f9 in NavigationCorrectionTabObserver::~NavigationCorrectionTabObserver (this=0x3d3037edeaa0) at ../../chrome/browser/ui/navigation_correction_tab_observer.cc:52
#9 0x00007ffff1674457 in base::internal::Dispatcher<content::ServiceWorkerContextObserver, void (content::ServiceWorkerContextObserver::*)(long, std::string const&, int, int, content::ServiceWorkerProviderType)>::Run (m=&virtual table offset 64, params=content::SERVICE_WORKER_PROVIDER_FOR_WINDOW, params=content::SERVICE_WORKER_PROVIDER_FOR_WINDOW, params=content::SERVICE_WORKER_PROVIDER_FOR_WINDOW, params=content::SERVICE_WORKER_PROVIDER_FOR_WINDOW, params=content::SERVICE_WORKER_PROVIDER_FOR_WINDOW, obj=0x3d3037edeaa0) at ../../base/observer_list_threadsafe.h:67
#10 0x00007ffff1674a6d in base::internal::FunctorTraits<void (*)(void (content::ServiceWorkerContextObserver::*)(long, std::string const&, int, int, content::ServiceWorkerProviderType), long, std::string const&, int, int, content::ServiceWorkerProviderType, content::ServiceWorkerContextObserver*), void>::Invoke<void (content::ServiceWorkerContextObserver::* const&)(long, std::string const&, int, int, content::ServiceWorkerProviderType), long const&, std::string const&, int const&, int const&, content::ServiceWorkerProviderType const&, content::ServiceWorkerContextObserver*>(void (*)(void (content::ServiceWorkerContextObserver::*)(long, std::string const&, int, int, content::ServiceWorkerProviderType), long, std::string const&, int, int, content::ServiceWorkerProviderType, content::ServiceWorkerContextObserver*), void (content::ServiceWorkerContextObserver::* const&)(long, std::string const&, int, int, content::ServiceWorkerProviderType), long const&, std::string const&, int const&, int const&, content::ServiceWorkerProviderType const&, content::ServiceWorkerContextObserver*&&) ( function=0x7ffff1674360 <base::internal::Dispatcher<content::ServiceWorkerContextObserver, void (content::ServiceWorkerContextObserver::*)(long, std::string const&, int, int, content::ServiceWorkerProviderType)>::Run(void (content::ServiceWorkerContextObserver::*)(long, std::string const&, int, int, content::ServiceWorkerProviderType), long, std::string const&, int, int, content::ServiceWorkerProviderType, content::ServiceWorkerContextObserver*)>, ...
,
Dec 15 2016
I'm currently looking into this.
,
Dec 15 2016
Reverting both https://codereview.chromium.org/2574843003/ and https://codereview.chromium.org/2573993003/ locally helps. Proceeding with reverts for now.
,
Dec 15 2016
Issue 674428 has been merged into this issue.
,
Dec 15 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5

commit 2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5
Author: dgozman <dgozman@chromium.org>
Date: Thu Dec 15 22:53:05 2016

Revert of [DevTools] Migrate ServiceWorker domain to new generator. (patchset #2 id:20001 of https://codereview.chromium.org/2573993003/ )

Reason for revert:
Crashes.
BUG= 674474

Original issue's description:
> [DevTools] Migrate ServiceWorker domain to new generator.
>
> BUG= 664683
> TBR=pfeldman
>
> Committed: https://crrev.com/b41d221cb138f0f5e3824229f12bf794172e106f
> Cr-Commit-Position: refs/heads/master@{#438676}

TBR=caseq@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 664683

Review-Url: https://codereview.chromium.org/2577233002
Cr-Commit-Position: refs/heads/master@{#438942}

[modify] https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5/content/browser/BUILD.gn
[modify] https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5/content/browser/devtools/BUILD.gn
[modify] https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5/content/browser/devtools/protocol/devtools_protocol_handler_generator.py
[modify] https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5/content/browser/devtools/protocol/service_worker_handler.cc
[modify] https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5/content/browser/devtools/protocol/service_worker_handler.h
[modify] https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5/content/browser/devtools/protocol_config.json
[modify] https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5/content/browser/devtools/render_frame_devtools_agent_host.cc
[modify] https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5/content/browser/devtools/render_frame_devtools_agent_host.h
,
Dec 15 2016
For the record: second revert is https://codereview.chromium.org/2577233002/, landed as https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5.
,
Dec 16 2016
Issue 674761 has been merged into this issue.
,
Dec 16 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6ac97c212042cc7f4f3b7c3033c8ef4392a133ed

commit 6ac97c212042cc7f4f3b7c3033c8ef4392a133ed
Author: dgozman <dgozman@chromium.org>
Date: Fri Dec 16 03:36:29 2016

[DevTools] Call InnerDetach instead of NotifyDetached in DTAHI::HostClosed.

InnerDetach destroys the current session and domain handlers, as opposed to NotifyDetached, which prevents stale pointers and inconsistent state at the time of DTAHI destruction.

BUG= 674474

Review-Url: https://codereview.chromium.org/2579923002
Cr-Commit-Position: refs/heads/master@{#439003}

[modify] https://crrev.com/6ac97c212042cc7f4f3b7c3033c8ef4392a133ed/content/browser/devtools/devtools_agent_host_impl.cc
[modify] https://crrev.com/6ac97c212042cc7f4f3b7c3033c8ef4392a133ed/content/shell/browser/shell_devtools_frontend.cc
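A simplified model of the lifetime problem the commit message above describes, added here as an illustration and not taken from Chromium: it contrasts a close path that only notifies with one that tears the handler down, and counts the observer entries left stale. The class names, the integer ids standing in for observer pointers, and the assumption that a handler unregisters only during explicit teardown are all hypothetical.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>

// Hypothetical model, not Chromium code; int ids stand in for observer pointers.
static std::set<int> g_live;  // ids of handlers that are still alive
static int g_next_id = 1;

struct ObserverList {
  std::vector<int> ids;
  void Add(int id) { ids.push_back(id); }
  void Remove(int id) {
    ids.erase(std::remove(ids.begin(), ids.end(), id), ids.end());
  }
  // Entries a notification would still dispatch to although the target is gone.
  int StaleCount() const {
    return static_cast<int>(std::count_if(
        ids.begin(), ids.end(), [](int id) { return g_live.count(id) == 0; }));
  }
};

struct Handler {  // domain handler that registers itself as an observer
  ObserverList& list;
  int id;
  explicit Handler(ObserverList& l) : list(l), id(g_next_id++) {
    g_live.insert(id);
    list.Add(id);
  }
  void Disable() { list.Remove(id); }  // assumption: only teardown unregisters
  ~Handler() { g_live.erase(id); }
};

struct AgentHost {
  std::unique_ptr<Handler> handler;
  void Attach(ObserverList& l) { handler.reset(new Handler(l)); }
  void CloseNotifyOnly() {}  // client is told "detached"; handler stays registered
  void CloseInnerDetach() {  // handler is disabled and destroyed at close time
    if (handler) { handler->Disable(); handler.reset(); }
  }
};

// Stale observer entries left once the host object has been destroyed.
int StaleAfterClose(bool inner_detach) {
  ObserverList list;
  {
    AgentHost host;
    host.Attach(list);
    if (inner_detach) host.CloseInnerDetach(); else host.CloseNotifyOnly();
  }  // host destroyed; a handler it still owns dies without unregistering
  return list.StaleCount();
}
```

`StaleAfterClose(false)` leaves one stale entry and `StaleAfterClose(true)` leaves none; with real pointers, the stale entry is what a later notification would dereference.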
,
Dec 16 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b31e7730c9167a6395b702e42fb931002acaca0a

commit b31e7730c9167a6395b702e42fb931002acaca0a
Author: dgozman <dgozman@chromium.org>
Date: Fri Dec 16 04:08:39 2016

Reland of [DevTools] Migrate ServiceWorker domain to new generator. (patchset #1 id:1 of https://codereview.chromium.org/2577233002/ )

Reason for revert:
Fixed crash reason in https://codereview.chromium.org/2579923002/

Original issue's description:
> Revert of [DevTools] Migrate ServiceWorker domain to new generator. (patchset #2 id:20001 of https://codereview.chromium.org/2573993003/ )
>
> Reason for revert:
> Crashes.
> BUG= 674474
>
> Original issue's description:
> > [DevTools] Migrate ServiceWorker domain to new generator.
> >
> > BUG= 664683
> > TBR=pfeldman
> >
> > Committed: https://crrev.com/b41d221cb138f0f5e3824229f12bf794172e106f
> > Cr-Commit-Position: refs/heads/master@{#438676}
>
> TBR=caseq@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG= 664683
>
> Committed: https://crrev.com/2cbd54ce7ac7c807af2c9065a6eedd81ac97a3c5
> Cr-Commit-Position: refs/heads/master@{#438942}

TBR=caseq@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 674474

Review-Url: https://codereview.chromium.org/2580833004
Cr-Commit-Position: refs/heads/master@{#439015}

[modify] https://crrev.com/b31e7730c9167a6395b702e42fb931002acaca0a/content/browser/BUILD.gn
[modify] https://crrev.com/b31e7730c9167a6395b702e42fb931002acaca0a/content/browser/devtools/BUILD.gn
[modify] https://crrev.com/b31e7730c9167a6395b702e42fb931002acaca0a/content/browser/devtools/protocol/devtools_protocol_handler_generator.py
[modify] https://crrev.com/b31e7730c9167a6395b702e42fb931002acaca0a/content/browser/devtools/protocol/service_worker_handler.cc
[modify] https://crrev.com/b31e7730c9167a6395b702e42fb931002acaca0a/content/browser/devtools/protocol/service_worker_handler.h
[modify] https://crrev.com/b31e7730c9167a6395b702e42fb931002acaca0a/content/browser/devtools/protocol_config.json
[modify] https://crrev.com/b31e7730c9167a6395b702e42fb931002acaca0a/content/browser/devtools/render_frame_devtools_agent_host.cc
[modify] https://crrev.com/b31e7730c9167a6395b702e42fb931002acaca0a/content/browser/devtools/render_frame_devtools_agent_host.h
,
Dec 16 2016
Verified the revert(C#13) on the latest canary(57.0.2953.0) as per the manual steps from Issue 674471 and didn't encounter any crash. Revert from C#13 works fine on Windows-10, Mac OS 10.12.2 and Linux Ubuntu 14.04. Will verify the CLs from C#16(Fix) and C#17(Reland of reverted CL) in next canary as they missed today's canary.
,
Dec 16 2016
I've tried to recreate as I've reported on 674471 and it is not crashing anymore.
,
Dec 19 2016
,
Sep 14 2017
Issue 765137 has been merged into this issue.
Comment 1 by haraken@chromium.org
, Dec 15 2016