New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 688162 link

Starred by 1 user
Status: Fixed
Owner:
mlippautz@chromium.org
Closed: Feb 2017
Cc:
jochen@chromium.org
kozyatinskiy@chromium.org
haraken@chromium.org
alph@chromium.org
u...@chromium.org
hpayer@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug



Sign in to add a comment

[DevTools] crash during collecting heap snapshot

Project Member Reported by kozyatinskiy@chromium.org, Feb 2 2017 
Chrome Version: 58.0.3001.0
Revision	c398506e3abc0799330e39144194d70c00e4032e-refs/heads/master@{#447858}
OS: Linux

What steps will reproduce the problem?
(1) build Chromium with is_debug = true to enable DCHECKs
(2) open DevTools on NTP or google.com.
(3) go to memory tab and click "Take heap snapshot"

What is the expected result?
Snapshot is collected.

What happens instead?
#
# Fatal error in ../../v8/src/heap/heap.cc, line 5675
# Check failed: mark_compact_collector()->in_use().
#

Received signal 4 ILL_ILLOPN 7fba1790b2e2
#0 0x7fba2f37f3fb base::debug::StackTrace::StackTrace()
#1 0x7fba2f37da3c base::debug::StackTrace::StackTrace()
#2 0x7fba2f37ef0f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7fba2f7e6330 <unknown>
#4 0x7fba1790b2e2 v8::base::OS::Abort()
#5 0x7fba205c7016 v8::internal::Heap::RegisterExternallyReferencedObject()
#6 0x7fba14f1263b v8::PersistentValueMapBase<>::RegisterExternallyReferencedObject()
#7 0x7fba14f12517 blink::DOMWrapperMap<>::markWrapper()
#8 0x7fba14f1177c blink::DOMDataStore::markWrapper()
#9 0x7fba14f0f8a8 blink::DOMWrapperWorld::markWrappersInAllWorlds()
#10 0x7fba14f8938d blink::ScriptWrappableVisitor::markWrappersInAllWorlds()
#11 0x7fba15264d68 blink::TraceTrait<>::traceMarkedWrapper()
#12 0x7fba14f89ed4 blink::WrapperMarkingData::traceWrappers()
#13 0x7fba14f89184 blink::ScriptWrappableVisitor::AdvanceTracing()
#14 0x7fba14fcc769 blink::HeapSnaphotWrapperVisitor::findV8WrappersDirectlyReachableFrom()
#15 0x7fba14fc4ac0 blink::HeapSnaphotWrapperVisitor::traceV8Roots()
#16 0x7fba14fc1d6a blink::V8GCController::getRetainerInfos()
#17 0x7fba207cf23b v8::internal::HeapProfiler::GetRetainerInfos()
#18 0x7fba207e79b6 v8::internal::NativeObjectsExplorer::FillRetainedObjects()
#19 0x7fba207e8dfe v8::internal::HeapSnapshotGenerator::GenerateSnapshot()
#20 0x7fba207cf342 v8::internal::HeapProfiler::TakeSnapshot()
#21 0x7fba20b309f9 v8_inspector::V8HeapProfilerAgentImpl::takeHeapSnapshot()
#22 0x7fba20adddc6 v8_inspector::protocol::HeapProfiler::DispatcherImpl::takeHeapSnapshot()
#23 0x7fba20add027 v8_inspector::protocol::HeapProfiler::DispatcherImpl::dispatch()
#24 0x7fba20abdf9a v8_inspector::protocol::UberDispatcher::dispatch()
#25 0x7fba20b3bfd9 v8_inspector::V8InspectorSessionImpl::dispatchProtocolMessage()
#26 0x7fba15d538f7 blink::InspectorSession::dispatchProtocolMessage()
#27 0x7fba1ecc2290 blink::WebDevToolsAgentImpl::dispatchMessageFromFrontend()
#28 0x7fba1ecc211e blink::WebDevToolsAgentImpl::dispatchOnInspectorBackend()
#29 0x7fba298ef95f content::DevToolsAgent::OnDispatchOnInspectorBackend()
#30 0x7fba27d1a838 _ZN4base20DispatchToMethodImplIPN7content25SharedWorkerDevToolsAgentEMS2_FviiRKSsS5_ERKSt5tupleIJiiSsSsEEJLm0ELm1ELm2ELm3EEEEvRKT_T0_OT1_NS_13IndexSequenceIJXspT2_EEEE
#31 0x7fba27d1a740 _ZN4base16DispatchToMethodIPN7content25SharedWorkerDevToolsAgentEMS2_FviiRKSsS5_ERKSt5tupleIJiiSsSsEEEEvRKT_T0_OT1_
#32 0x7fba298f45bf _ZN3IPC16DispatchToMethodIN7content13DevToolsAgentEMS2_FviiRKSsS4_EvSt5tupleIJiiSsSsEEEEvPT_T0_PT1_RKT2_
#33 0x7fba298f1dbf _ZN3IPC8MessageTI48DevToolsAgentMsg_DispatchOnInspectorBackend_MetaSt5tupleIJiiSsSsEEvE8DispatchIN7content13DevToolsAgentES7_vMS7_FviiRKSsS9_EEEbPKNS_7MessageEPT_PT0_PT1_T2_
#34 0x7fba298ef341 content::DevToolsAgent::OnMessageReceived()
#35 0x7fba29a36b6c content::RenderFrameImpl::OnMessageReceived()
#36 0x7fba2d86476b IPC::MessageRouter::RouteMessage()
#37 0x7fba27be35f8 content::ChildThreadImpl::ChildThreadMessageRouter::RouteMessage()
#38 0x7fba2d8646ee IPC::MessageRouter::OnMessageReceived()
#39 0x7fba27be77f1 content::ChildThreadImpl::OnMessageReceived()
#40 0x7fba2d80a818 IPC::ChannelProxy::Context::OnDispatchMessage()
#41 0x7fba2d8105bf _ZN4base8internal13FunctorTraitsIMN3IPC12ChannelProxy7ContextEFvRKNS2_7MessageEEvE6InvokeIRK13scoped_refptrIS4_EJS7_EEEvS9_OT_DpOT0_
#42 0x7fba2d8104a6 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3IPC12ChannelProxy7ContextEFvRKNS4_7MessageEEJRK13scoped_refptrIS6_ES9_EEEvOT_DpOT0_
#43 0x7fba2d810433 _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE7RunImplIRKSA_RKSt5tupleIJSC_S6_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#44 0x7fba2d81034c _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#45 0x7fba2f3851d1 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#46 0x7fba2f384bc2 base::debug::TaskAnnotator::RunTask()
#47 0x7fba1f63ea46 blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#48 0x7fba1f63bb2d blink::scheduler::TaskQueueManager::DoWork()
#49 0x7fba1f646eb4 _ZN4base8internal13FunctorTraitsIMN5blink9scheduler16TaskQueueManagerEFvbEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKbEEEvS6_OT_DpOT0_
#50 0x7fba1f646dbf _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler16TaskQueueManagerEFvbERKNS_7WeakPtrIS6_EEJRKbEEEvOT_OT0_DpOT1_
#51 0x7fba1f646d33 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE7RunImplIRKS7_RKSt5tupleIJS9_bEEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#52 0x7fba1f646c4c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE3RunEPNS0_13BindStateBaseE
#53 0x7fba2f3851d1 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#54 0x7fba2f384bc2 base::debug::TaskAnnotator::RunTask()
#55 0x7fba2f41183f base::MessageLoop::RunTask()
#56 0x7fba2f411ac4 base::MessageLoop::DeferOrRunPendingTask()
#57 0x7fba2f411dae base::MessageLoop::DoWork()
#58 0x7fba2f429208 base::MessagePumpDefault::Run()
#59 0x7fba2f4113e7 base::MessageLoop::RunHandler()
#60 0x7fba2f4c056a base::RunLoop::Run()
#61 0x7fba29b3291c content::RendererMain()

Comment 1 by mlippautz@chromium.org, Feb 2 2017

Cc: jochen@chromium.org haraken@chromium.org
Status: Started (was: Assigned)
Thanks. The problem is that we fail to intercept the markWrapper calls in isolated worlds for snapshotting.

If we want to handle extensions, then we need to find a way to somehow intercept these registrations instead of calling into V8's GC.

Comment 2 by mlippautz@chromium.org, Feb 3 2017 

fyi: I verified that https://codereview.chromium.org/2673693003/# indeed fixes the problem.
Project Member

Comment 3 by bugdroid1@chromium.org, Feb 3 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c03dcfbe13aecc48b0b4cd0a107a8d659bdda939

commit c03dcfbe13aecc48b0b4cd0a107a8d659bdda939
Author: mlippautz <mlippautz@chromium.org>
Date: Fri Feb 03 19:45:34 2017

[wrapper-tracing] Don't call into V8 during heap snapshot creation

Without this fix we would call into V8 for marking an object when
creating a heap snapshot. The intented behavior is to intercept marking
and record an edge in the snapshot. We cannot do that right now as we
cannot properly intercept marking in GlobalValueMaps and their friends.

Note that this is not a regression as we still record the object as live
in the snapshot and we also didn't record the edge using object
grouping.

BUG= chromium:688162 

Review-Url: https://codereview.chromium.org/2673693003
Cr-Commit-Position: refs/heads/master@{#448056}

[modify] https://crrev.com/c03dcfbe13aecc48b0b4cd0a107a8d659bdda939/third_party/WebKit/Source/bindings/core/v8/V8GCController.cpp

Comment 4 by mlippautz@chromium.org, Feb 3 2017

Status: Fixed (was: Started)

Sign in to add a comment