Issue 679667

Starred by 8 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Regression




Regression: Tab crash is observed on 'https://davidwalsh.name/webgl-demo'

Reported by dmascare...@etouch.net, Jan 10 2017

Issue description

Chrome Version: 57.0.2977.0 (Official Build) 20e4bfed4baf6f6eac0d7142bb9e763bc11512e4-refs/heads/master@{#442447}
OS: Mac (10.12.1, 10.11.6, 10.12), Windows (7, 8, 10),

Test url: https://davidwalsh.name/webgl-demo

What steps will reproduce the problem?
1. Launch Chrome and navigate to the above test URL, observe.

Actual: Tab crash is observed.
Expected: Tab should not crash.

This is a regression issue, broken in 'M 57'; below is the manual bisect info:

Good build:57.0.2976.5
Bad build:57.0.2977.0

Crash IDs:
  Crash ID a5f98a58-76fc-4a14-a202-81928db31e11 (Server ID: ae0b0bd080000000)
  Crash ID a86b0dec-7d79-4101-af94-7479a82716f5 (Server ID: 02fe0bd080000000)
 
Cc: rbasuvula@chromium.org
Owner: chrishtr@chromium.org
Status: Assigned (was: Unconfirmed)
Using the per-revision bisect, the bisect results are:
Good build: 57.0.2976.5 (Revision: 442165).
Bad build: 57.0.2977.0 (Revision: 442447).

You are probably looking for a change made after 442443 (known good), but no later than 442444 (first known bad).

CHANGE-LOG URL:
----------------
 https://chromium.googlesource.com/chromium/src/+log/fe43aec35bceddb3187a83dcab03eedb2a2fbdb7..ad9aa972891607894db3a60370afd8b19445df0c


Stack Trace:
============
Thread 0 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000008 ] MAGIC SIGNATURE THREAD
Stack Quality: 80%
0x000000011299ff8b	(Google Chrome Framework -CompositedLayerMapping.cpp:3296 )	blink::CompositedLayerMapping::pixelSnappedCompositedBounds() const
0x000000011299f9ce	(Google Chrome Framework -CompositedLayerMapping.cpp:946 )	blink::CompositedLayerMapping::updateGraphicsLayerGeometry(blink::PaintLayer const*, blink::PaintLayer const*, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&)
0x00000001129abf74	(Google Chrome Framework -GraphicsLayerUpdater.cpp:105 )	blink::GraphicsLayerUpdater::updateRecursive(blink::PaintLayer&, blink::GraphicsLayerUpdater::UpdateType, blink::GraphicsLayerUpdater::UpdateContext const&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&)
0x00000001129ac023	(Google Chrome Framework -GraphicsLayerUpdater.cpp:118 )	blink::GraphicsLayerUpdater::updateRecursive(blink::PaintLayer&, blink::GraphicsLayerUpdater::UpdateType, blink::GraphicsLayerUpdater::UpdateContext const&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&)
0x00000001129ac023	(Google Chrome Framework -GraphicsLayerUpdater.cpp:118 )	blink::GraphicsLayerUpdater::updateRecursive(blink::PaintLayer&, blink::GraphicsLayerUpdater::UpdateType, blink::GraphicsLayerUpdater::UpdateContext const&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&)
0x00000001129ac023	(Google Chrome Framework -GraphicsLayerUpdater.cpp:118 )	blink::GraphicsLayerUpdater::updateRecursive(blink::PaintLayer&, blink::GraphicsLayerUpdater::UpdateType, blink::GraphicsLayerUpdater::UpdateContext const&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&)
0x00000001129ac023	(Google Chrome Framework -GraphicsLayerUpdater.cpp:118 )	blink::GraphicsLayerUpdater::updateRecursive(blink::PaintLayer&, blink::GraphicsLayerUpdater::UpdateType, blink::GraphicsLayerUpdater::UpdateContext const&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&)
0x00000001129ac023	(Google Chrome Framework -GraphicsLayerUpdater.cpp:118 )	blink::GraphicsLayerUpdater::updateRecursive(blink::PaintLayer&, blink::GraphicsLayerUpdater::UpdateType, blink::GraphicsLayerUpdater::UpdateContext const&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&)
0x00000001129abdbd	(Google Chrome Framework -GraphicsLayerUpdater.cpp:83 )	blink::GraphicsLayerUpdater::update(blink::PaintLayer&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&)
0x00000001129ad482	(Google Chrome Framework -PaintLayerCompositor.cpp:421 )	blink::PaintLayerCompositor::updateIfNeeded()
0x00000001129acf7b	(Google Chrome Framework -PaintLayerCompositor.cpp:223 )	blink::PaintLayerCompositor::updateIfNeededRecursiveInternal()
0x00000001129ace28	(Google Chrome Framework -PaintLayerCompositor.cpp:183 )	blink::PaintLayerCompositor::updateIfNeededRecursive()
0x0000000112634012	(Google Chrome Framework -FrameView.cpp:2916 )	blink::FrameView::updateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState)
0x0000000112a73b1d	(Google Chrome Framework -PageAnimator.cpp:86 )	blink::PageAnimator::updateAllLifecyclePhases(blink::LocalFrame&)
0x0000000112012775	(Google Chrome Framework -WebViewImpl.cpp:1993 )	blink::WebViewImpl::updateAllLifecyclePhases()
0x000000011059c33f	(Google Chrome Framework -proxy_main.cc:182 )	cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >)
0x000000011059b745	(Google Chrome Framework -bind_internal.h:214 )	void base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunImpl<void (cc::ProxyMain::* const&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > > const&, 0ul, 1ul>(void (cc::ProxyMain::* const&&&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > > const&&&, base::IndexSequence<0ul, 1ul>)
0x000000010f43a080	(Google Chrome Framework -callback.h:68 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x0000000111eacffb	(Google Chrome Framework -task_queue_manager.cc:349 )	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, blink::scheduler::LazyNow*)
0x0000000111eab935	(Google Chrome Framework -task_queue_manager.cc:242 )	blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool)
0x000000010f43a080	(Google Chrome Framework -callback.h:68 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000000010f45ebba	(Google Chrome Framework -message_loop.cc:421 )	base::MessageLoop::RunTask(base::PendingTask*)
0x000000010f45ef0b	(Google Chrome Framework -message_loop.cc:430 )	base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
0x000000010f45f2c2	(Google Chrome Framework -message_loop.cc:523 )	base::MessageLoop::DoWork()
0x000000010f462559	(Google Chrome Framework -message_pump_mac.mm:302 )	base::MessagePumpCFRunLoopBase::RunWork()
0x000000010f4531c9	(Google Chrome Framework + 0x0197c1c9 )	base::mac::CallWithEHFrame(void () block_pointer)
0x000000010f461fd3	(Google Chrome Framework -message_pump_mac.mm:278 )	base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
0x00007fffa2bfb980	(CoreFoundation + 0x000a7980 )	__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fffa2bdca7c	(CoreFoundation + 0x00088a7c )	__CFRunLoopDoSources0
0x00007fffa2bdbf75	(CoreFoundation + 0x00087f75 )	__CFRunLoopRun
0x00007fffa2bdb973	(CoreFoundation + 0x00087973 )	CFRunLoopRunSpecific
0x00007fffa45f0611	(Foundation + 0x00022611 )	-[NSRunLoop(NSRunLoop) runMode:beforeDate:]
0x000000010f462bfd	(Google Chrome Framework -message_pump_mac.mm:580 )	base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*)
0x000000010f46241b	(Google Chrome Framework -message_pump_mac.mm:210 )	base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x000000010f480d52	(Google Chrome Framework -run_loop.cc:37 )	base::RunLoop::Run()
0x0000000113229732	(Google Chrome Framework -renderer_main.cc:200 )	content::RendererMain(content::MainFunctionParams const&)
0x000000010efc6b9f	(Google Chrome Framework -content_main_runner.cc:793 )	content::ContentMainRunnerImpl::Run()
0x000000010efc5e65	(Google Chrome Framework -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const&)
0x000000010dad9e7a	(Google Chrome Framework -chrome_main.cc:112 )	ChromeMain
0x000000010da9fda9	(Google Chrome Helper -chrome_exe_main_mac.c:85 )	main
0x00007fffb8134254	(libdyld.dylib + 0x00005254 )	start


From the CL above, assigning the issue to the concerned owner.

@chrishtr: 
------------------
Could you please look into the issue? Pardon me if it has nothing to do with your changes; if possible, please assign it to the concerned owner.

Review-Url: https://codereview.chromium.org/2611233003

Thank You!

Comment 2 by ajha@chromium.org, Jan 10 2017

Cc: manoranj...@chromium.org durga.behera@chromium.org
Components: -Blink>WebGL Blink>Compositing
Labels: ReleaseBlock-Dev
This is the #1 renderer crash on the latest canary (57.0.2977.0 - 15 crashes from 15 clients) on Mac based on the available crash data. Windows canary is still not pushed to users; will update the crash server behavior once the crash data comes in.

Marking this as Dev blocker based on available crash data and recent regression.

Link to the list of the builds:
==============================
https://goto.google.com/zfoel




Labels: OS-Linux
Note: The above issue is reproducible on Linux OS as well, but the webpage needs to be reloaded.
Able to reproduce the issue on Ubuntu 14.04.

Thank You!

Comment 5 by sheriffbot@chromium.org, Jan 10 2017

Labels: FoundIn-M-57 Fracas
Users experienced this crash on the following builds:

Mac Canary 57.0.2977.0 -  237.79 CPM, 155 reports, 133 clients (signature blink::CompositedLayerMapping::pixelSnappedCompositedBounds)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
I can reproduce on macOS 10.12.2, Canary 57.0.2977.0, Intel HD 6000.

Interesting note: the page does NOT crash if the tab is in the background while loading. If I then switch to it, it seems to be fine. So it seems to be triggered only if visible during load.
Cc: kainino@chromium.org
Re comment 6: did you reproduce by just loading the page?
Yes, I didn't have to do anything special. It crashed after about 2 seconds of loading.
Hit this repeatedly on Windows and Mac 57.0.2977.0 at http://www.reuters.com/article/us-usa-congress-hearings-postponed-idUSKBN14U2U2

Comment 11 by bugdroid1@chromium.org, Jan 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e00ffecc157dfa92f60c583cd3bfab7f102b65ae

commit e00ffecc157dfa92f60c583cd3bfab7f102b65ae
Author: chrishtr <chrishtr@chromium.org>
Date: Wed Jan 11 03:22:11 2017

Return the enclosing composited PaintLayer rather than containingBlock for floats.

A previous patch failed to return the composited PaintLayer, which is what
GraphicsLayerUpdater expected.

BUG= 679667 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2624843002
Cr-Commit-Position: refs/heads/master@{#442778}

[modify] https://crrev.com/e00ffecc157dfa92f60c583cd3bfab7f102b65ae/third_party/WebKit/Source/core/layout/compositing/GraphicsLayerUpdater.cpp
[modify] https://crrev.com/e00ffecc157dfa92f60c583cd3bfab7f102b65ae/third_party/WebKit/Source/core/paint/PaintLayer.cpp
[modify] https://crrev.com/e00ffecc157dfa92f60c583cd3bfab7f102b65ae/third_party/WebKit/Source/core/paint/PaintLayerTest.cpp

Status: Fixed (was: Assigned)

Comment 13 by ajha@chromium.org, Jan 11 2017

Labels: OS-Android OS-Chrome
The CL from C#11 looks like it missed today's canary (57.0.2978.0 - revision@442756). Will have to wait for the next canary to verify this issue.


Note: Crashes seen on the latest canary(57.0.2977.0) of Chrome OS and Android as well. 
chrishtr@, could you please merge the above fix to 2977 branch? I am planning to prepare a back-up build for this week's Dev release.

PS: You do not need to follow any 'Merge-Request' process since 2977 is yet to be branched officially.

Thank you!
ok
oops, sorry, I meant to be 2978 instead of 2977.

Comment 17 by bugdroid1@chromium.org, Jan 11 2017

Labels: merge-merged-2978
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e9d7b27fb83ad0bfcdc303d5228c5a51d68f526e

commit e9d7b27fb83ad0bfcdc303d5228c5a51d68f526e
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Wed Jan 11 18:24:48 2017

Return the enclosing composited PaintLayer rather than containingBlock for floats.

A previous patch failed to return the composited PaintLayer, which is what
GraphicsLayerUpdater expected.

BUG= 679667 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2624843002
Cr-Commit-Position: refs/heads/master@{#442778}
(cherry picked from commit e00ffecc157dfa92f60c583cd3bfab7f102b65ae)

Review-Url: https://codereview.chromium.org/2621343003 .
Cr-Commit-Position: refs/branch-heads/2978@{#3}
Cr-Branched-From: e2867aed46b3f00f3735d310144d6ef638f8be1a-refs/heads/master@{#442756}

[modify] https://crrev.com/e9d7b27fb83ad0bfcdc303d5228c5a51d68f526e/third_party/WebKit/Source/core/layout/compositing/GraphicsLayerUpdater.cpp
[modify] https://crrev.com/e9d7b27fb83ad0bfcdc303d5228c5a51d68f526e/third_party/WebKit/Source/core/paint/PaintLayer.cpp
[modify] https://crrev.com/e9d7b27fb83ad0bfcdc303d5228c5a51d68f526e/third_party/WebKit/Source/core/paint/PaintLayerTest.cpp

Labels: TE-Verified-M57 TE-Verified-57.0.2979.0
Tested the issue on Windows 7, Linux Ubuntu 14.04 and Mac 10.12.1 using Chrome version 57.0.2979.0. No crash observed while navigating to URL https://davidwalsh.name/webgl-demo.

Adding TE-Verified labels.

Thanks,
Attachment: 679667.mp4 (2.6 MB)
Issue 684058 has been merged into this issue.
Issue 680649 has been merged into this issue.
Status: Verified (was: Fixed)
The crashes are not reproducible in Chrome OS 9202.10.0, 57.0.2987.17.

Comment 22 by aluo@chromium.org, Feb 22 2017

Issue 681526 has been merged into this issue.
