New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 677289 link

Starred by 1 user
Status: Duplicate
Owner:
primiano@chromium.org
Closed: Jan 2017
Cc:
mariakho...@chromium.org
primiano@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 3
Type: Bug



Sign in to add a comment

Check failed: next_unused_cell_ < num_cells_ + 1

Project Member Reported by erikc...@chromium.org, Dec 28 2016 
I hooked up the allocator shim on macOS and took a trace. Then, when I click on the purple "M", about 75% of the time the renderer crashes. 

[1119:775:1228/091657.276643:FATAL:heap_profiler_allocation_register.h(201)] Check failed: next_unused_cell_ < num_cells_ + 1 (1500001 vs. 1500001)
0   libbase.dylib                       0x0000000116a8611e _ZN4base5debug10StackTraceC2Ev + 30
1   libbase.dylib                       0x0000000116a86195 _ZN4base5debug10StackTraceC1Ev + 21
2   libbase.dylib                       0x0000000116b1e620 _ZN7logging10LogMessageD2Ev + 80
3   libbase.dylib                       0x0000000116b1c125 _ZN7logging10LogMessageD1Ev + 21
4   libbase.dylib                       0x0000000116d7ec52 _ZN4base11trace_event8internal12FixedHashMapILm262144EPKvNS0_18AllocationRegister14AllocationInfoENS5_13AddressHasherEE11GetFreeCellEv + 306
5   libbase.dylib                       0x0000000116d7dbb7 _ZN4base11trace_event8internal12FixedHashMapILm262144EPKvNS0_18AllocationRegister14AllocationInfoENS5_13AddressHasherEE6InsertERKS4_RKS6_ + 343
6   libbase.dylib                       0x0000000116d7d905 _ZN4base11trace_event18AllocationRegister6InsertEPKvmRKNS0_17AllocationContextE + 357
7   libblink_platform.dylib             0x000000012f20bacd _ZN5blink25BlinkGCMemoryDumpProvider6insertEPhmPKc + 269
8   libblink_platform.dylib             0x000000012f20b23d _ZN5blink12_GLOBAL__N_116reportAllocationEPhmPKc + 45
9   libblink_core.dylib                 0x00000001323308b6 _ZN5blink14HeapAllocHooks23allocationHookIfEnabledEPhmPKc + 86
10  libblink_core.dylib                 0x00000001323300a9 _ZN5blink10ThreadHeap20allocateOnArenaIndexEPNS_11ThreadStateEmimPKc + 233
11  libblink_core.dylib                 0x0000000133ffd381 _ZN5blink13HeapAllocator24allocateHashTableBackingIN3WTF12KeyValuePairINS_13QualifiedNameENS_6MemberINS_23SVGAnimatedPropertyBaseEEEEENS2_9HashTableIS4_S8_NS2_24KeyValuePairKeyExtractorENS_17QualifiedNameHashENS2_18HashMapValueTraitsINS2_10HashTraitsIS4_EENSD_IS7_EEEESE_S0_EEEEPT_m + 65
12  libblink_core.dylib                 0x0000000133ffc6b1 _ZN3WTF9HashTableIN5blink13QualifiedNameENS_12KeyValuePairIS2_NS1_6MemberINS1_23SVGAnimatedPropertyBaseEEEEENS_24KeyValuePairKeyExtractorENS1_17QualifiedNameHashENS_18HashMapValueTraitsINS_10HashTraitsIS2_EENSB_IS6_EEEESC_NS1_13HeapAllocatorEE13allocateTableEj + 33
13  libblink_core.dylib                 0x0000000133ffc1fe _ZN3WTF9HashTableIN5blink13QualifiedNameENS_12KeyValuePairIS2_NS1_6MemberINS1_23SVGAnimatedPropertyBaseEEEEENS_24KeyValuePairKeyExtractorENS1_17QualifiedNameHashENS_18HashMapValueTraitsINS_10HashTraitsIS2_EENSB_IS6_EEEESC_NS1_13HeapAllocatorEE6rehashEjPS7_ + 126
14  libblink_core.dylib                 0x0000000133ffbe2b _ZN3WTF9HashTableIN5blink13QualifiedNameENS_12KeyValuePairIS2_NS1_6MemberINS1_23SVGAnimatedPropertyBaseEEEEENS_24KeyValuePairKeyExtractorENS1_17QualifiedNameHashENS_18HashMapValueTraitsINS_10HashTraitsIS2_EENSB_IS6_EEEESC_NS1_13HeapAllocatorEE6expandEPS7_ + 187
15  libblink_core.dylib                 0x0000000133ffb936 _ZN3WTF9HashTableIN5blink13QualifiedNameENS_12KeyValuePairIS2_NS1_6MemberINS1_23SVGAnimatedPropertyBaseEEEEENS_24KeyValuePairKeyExtractorENS1_17QualifiedNameHashENS_18HashMapValueTraitsINS_10HashTraitsIS2_EENSB_IS6_EEEESC_NS1_13HeapAllocatorEE3addINS_17HashMapTranslatorISE_S9_EERKS2_RPS5_EENS_18HashTableAddResultISG_S7_EEOT0_OT1_ + 486
16  libblink_core.dylib                 0x0000000133ffb70c _ZN3WTF7HashMapIN5blink13QualifiedNameENS1_6MemberINS1_23SVGAnimatedPropertyBaseEEENS1_17QualifiedNameHashENS_10HashTraitsIS2_EENS7_IS5_EENS1_13HeapAllocatorEE9inlineAddIRKS2_RPS4_EENS_18HashTableAddResultINS_9HashTableIS2_NS_12KeyValuePairIS2_S5_EENS_24KeyValuePairKeyExtractorES6_NS_18HashMapValueTraitsIS8_S9_EES8_SA_EESK_EEOT_OT0_ + 60
17  libblink_core.dylib                 0x0000000133fe8b64 _ZN3WTF7HashMapIN5blink13QualifiedNameENS1_6MemberINS1_23SVGAnimatedPropertyBaseEEENS1_17QualifiedNameHashENS_10HashTraitsIS2_EENS7_IS5_EENS1_13HeapAllocatorEE3setIRKS2_RPS4_EENS_18HashTableAddResultINS_9HashTableIS2_NS_12KeyValuePairIS2_S5_EENS_24KeyValuePairKeyExtractorES6_NS_18HashMapValueTraitsIS8_S9_EES8_SA_EESK_EEOT_OT0_ + 68
18  libblink_core.dylib                 0x0000000133fe3c09 _ZN5blink10SVGElement16addToPropertyMapEPNS_23SVGAnimatedPropertyBaseE + 73
19  libblink_core.dylib                 0x0000000133fe3b3c _ZN5blink10SVGElementC2ERKNS_13QualifiedNameERNS_8DocumentENS_4Node16ConstructionTypeE + 220
20  libblink_core.dylib                 0x0000000134053070 _ZN5blink18SVGGraphicsElementC2ERKNS_13QualifiedNameERNS_8DocumentENS_4Node16ConstructionTypeE + 64
21  libblink_core.dylib                 0x0000000134048960 _ZN5blink18SVGGeometryElementC2ERKNS_13QualifiedNameERNS_8DocumentENS_4Node16ConstructionTypeE + 64
22  libblink_core.dylib                 0x0000000133fc5259 _ZN5blink16SVGCircleElementC2ERNS_8DocumentE + 57
23  libblink_core.dylib                 0x0000000133fc476d _ZN5blink16SVGCircleElementC1ERNS_8DocumentE + 29
24  libblink_core.dylib                 0x0000000133fc46eb _ZN5blink16SVGCircleElement6createERNS_8DocumentE + 43
25  libblink_core.dylib                 0x000000013255dcc8 _ZN5blinkL17circleConstructorERNS_8DocumentENS_18CreateElementFlagsE + 24
26  libblink_core.dylib                 0x000000013255c80e _ZN5blink17SVGElementFactory16createSVGElementERKN3WTF12AtomicStringERNS_8DocumentENS_18CreateElementFlagsE + 126
27  libblink_core.dylib                 0x0000000132b4261a _ZN5blink8Document13createElementERKNS_13QualifiedNameENS_18CreateElementFlagsE + 234
28  libblink_core.dylib                 0x0000000132b44042 _ZN5blink8Document10importNodeEPNS_4NodeEbRNS_14ExceptionStateE + 786
29  libblink_core.dylib                 0x0000000132b43bdc _ZN5blink8Document27importContainerNodeChildrenEPNS_13ContainerNodeES2_RNS_14ExceptionStateE + 172
30  libblink_core.dylib                 0x0000000132b4409e _ZN5blink8Document10importNodeEPNS_4NodeEbRNS_14ExceptionStateE + 878
31  libblink_core.dylib                 0x0000000132b43bdc _ZN5blink8Document27importContainerNodeChildrenEPNS_13ContainerNodeES2_RNS_14ExceptionStateE + 172
32  libblink_core.dylib                 0x0000000132b4409e _ZN5blink8Document10importNodeEPNS_4NodeEbRNS_14ExceptionStateE + 878
33  libblink_core.dylib                 0x0000000132b43bdc _ZN5blink8Document27importContainerNodeChildrenEPNS_13ContainerNodeES2_RNS_14ExceptionStateE + 172
34  libblink_core.dylib                 0x0000000132b44311 _ZN5blink8Document10importNodeEPNS_4NodeEbRNS_14ExceptionStateE + 1505
35  libblink_core.dylib                 0x0000000134432107 _ZN5blink18DocumentV8InternalL16importNodeMethodERKN2v820FunctionCallbackInfoINS1_5ValueEEE + 2503
36  libblink_core.dylib                 0x000000013443170f _ZN5blink18DocumentV8Internal24importNodeMethodCallbackERKN2v820FunctionCallbackInfoINS1_5ValueEEE + 47
37  ???                                 0x0000224e6800a30b 0x0 + 37720147665675

Using https://codereview.chromium.org/2601573002/ to hook up the allocator shim on mac. Given that the trace is being successfully emitted and loaded, don't think there are any problems on that front.
trace_test10.json.gz
3.4 MB Download

Comment 1 by erikc...@chromium.org, Dec 28 2016 

Ran into this same error on a clean linux build [enable_profiling = true]. I started chrome with --enable-heap-profiling=true, took a short trace, clicked on the purple memory button, scrolled to the bottom, then clicked something (?). Page didn't respond for a while, and eventually crashed.

"""
[1:1:1228/100113.912679:FATAL:heap_profiler_allocation_register.h(201)] Check failed: next_unused_cell_ < num_cells_ + 1 (1500001 vs. 1500001)
#0 0x7f818263f37e base::debug::StackTrace::StackTrace()
#1 0x7f8182687cef logging::LogMessage::~LogMessage()
#2 0x7f81827c0411 base::trace_event::internal::FixedHashMap<>::GetFreeCell()
#3 0x7f81827bfb32 base::trace_event::internal::FixedHashMap<>::Insert()
#4 0x7f81827bf4e4 base::trace_event::AllocationRegister::Insert()
#5 0x7f81814da676 blink::BlinkGCMemoryDumpProvider::insert()
#6 0x7f81814da41d blink::(anonymous namespace)::reportAllocation()
#7 0x7f81816af456 blink::HeapAllocHooks::allocationHookIfEnabled()
#8 0x7f81816aea09 blink::ThreadHeap::allocateOnArenaIndex()
#9 0x7f8187dc4fdf blink::Node::allocateObject()
#10 0x7f818855ad97 blink::Node::operator new()
#11 0x7f818876d98f blink::Text::create()
#12 0x7f81885e0bfd blink::Document::createTextNode()
#13 0x7f81885e1207 blink::Document::importNode()
#14 0x7f81885e10be blink::Document::importContainerNodeChildren()
#15 0x7f81885e14ad blink::Document::importNode()
#16 0x7f81885e10be blink::Document::importContainerNodeChildren()
#17 0x7f81885e14ad blink::Document::importNode()
#18 0x7f81885e10be blink::Document::importContainerNodeChildren()
#19 0x7f81885e1720 blink::Document::importNode()
#20 0x7f8188059376 blink::DocumentV8Internal::importNodeMethod()
#21 0x7f8188058ac2 blink::DocumentV8Internal::importNodeMethodCallback()
#22 0x0385117f28eb <unknown>

Received signal 6
#0 0x7f818263f37e base::debug::StackTrace::StackTrace()
#1 0x7f818263eebf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f817ce97330 <unknown>
#3 0x7f8176906c37 gsignal
#4 0x7f817690a028 abort
#5 0x7f818263dc56 base::debug::(anonymous namespace)::DebugBreak()
#6 0x7f818263dc38 base::debug::BreakDebugger()
#7 0x7f8182688092 logging::LogMessage::~LogMessage()
#8 0x7f81827c0411 base::trace_event::internal::FixedHashMap<>::GetFreeCell()
#9 0x7f81827bfb32 base::trace_event::internal::FixedHashMap<>::Insert()
#10 0x7f81827bf4e4 base::trace_event::AllocationRegister::Insert()
#11 0x7f81814da676 blink::BlinkGCMemoryDumpProvider::insert()
#12 0x7f81814da41d blink::(anonymous namespace)::reportAllocation()
#13 0x7f81816af456 blink::HeapAllocHooks::allocationHookIfEnabled()
#14 0x7f81816aea09 blink::ThreadHeap::allocateOnArenaIndex()
#15 0x7f8187dc4fdf blink::Node::allocateObject()
#16 0x7f818855ad97 blink::Node::operator new()
#17 0x7f818876d98f blink::Text::create()
#18 0x7f81885e0bfd blink::Document::createTextNode()
#19 0x7f81885e1207 blink::Document::importNode()
#20 0x7f81885e10be blink::Document::importContainerNodeChildren()
#21 0x7f81885e14ad blink::Document::importNode()
#22 0x7f81885e10be blink::Document::importContainerNodeChildren()
#23 0x7f81885e14ad blink::Document::importNode()
#24 0x7f81885e10be blink::Document::importContainerNodeChildren()
#25 0x7f81885e1720 blink::Document::importNode()
#26 0x7f8188059376 blink::DocumentV8Internal::importNodeMethod()
#27 0x7f8188058ac2 blink::DocumentV8Internal::importNodeMethodCallback()
#28 0x0385117f28eb <unknown>
  r8: 00007ffe974304d0  r9: 00007f8176a20a00 r10: 0000000000000008 r11: 0000000000000202
 r12: 000037faedefe020 r13: 000037faedeae0e8 r14: 000037faedf3e750 r15: 000037faedeaf980
  di: 0000000000000001  si: 0000000000000001  bp: 00007ffe974308f0  bx: 000037faedf3e750
  dx: 0000000000000006  ax: 0000000000000000  cx: ffffffffffffffff  sp: 00007ffe974307b8
  ip: 00007f8176906c37 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
"""

Comment 2 by erikc...@chromium.org, Dec 29 2016

Owner: primiano@chromium.org
Status: Assigned (was: Untriaged)
Sending over to primiano for further triage.

Comment 3 by primiano@chromium.org, Jan 4 2017

Labels: OS-Linux OS-Windows
Mergedinto: 673009
Status: Duplicate (was: Assigned)
This is a dupe of Issue 673009 : running out of the memory we reserved to store heap profiler metadata.
Cure is coming in https://codereview.chromium.org/2587823004/ (not landed yet)

Sign in to add a comment