Regression: NTP crash is seen after closing devtools
Reported by svich...@etouch.net, Mar 21 2017

Issue description

Chrome Version: 59.0.3047.0 (Official Build) 15ae1e89e749d6443b6caffdbc78ad24f945aa67-refs/heads/master@{#458255} (32/64 Bit).
OS: Windows (7, 8, 8.1, 10), Mac (10.11.6, 10.12.1, 10.12), Linux (14.04 LTS)

What steps will reproduce the problem?
(1) Launch Chrome, navigate to the NTP and open devtools.
(2) Go to the 'Layers' section from the 'Customize and control DevTools' menu list.
(3) Resize the devtools window 2-3 times and open the NTP. (Kindly refer to the video.)
(4) Close the previous tab and observe.

Actual: NTP crash is seen after closing the previous tab.
Expected: NTP crash should not be seen.

This is a regression issue broken in M-58; will soon update other info.
Good build: 58.0.3005.2
Bad build: 58.0.3006.0

Crash ID: ea65934f-6363-4a1a-b016-d3bfde8157e6 (Server ID: 293016a160000000)
Mar 21 2017
Using the per-revision bisect, providing the bisect results:
Good build: 58.0.3005.2 (Revision: 448507)
Bad build: 58.0.3006.0 (Revision: 448862)
You are probably looking for a change made after 448687 (known good), but no later than 448688 (first known bad).

CHANGE-LOG URL:
---------------
https://chromium.googlesource.com/chromium/src/+log/184394b156baaeb9ea061711192b5a5cae697505..eeca548902f5508923a683529845f369cc392c6f

From the CL above, assigning the issue to the concerned owner @fs: Could you please look into the issue? Pardon me if it has nothing to do with your changes, and if possible please assign it to the concerned owner.
Review-Url: https://codereview.chromium.org/2680683003

Note: Able to reproduce the issue in Win 10.0, Ubuntu 14.04 & Mac 10.12.3, and able to reproduce in latest Canary #59.0.3047.0.
Adding Release Block-Stable for this issue. Please remove if not the case.

Stack Trace:
------------
Thread 0 CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x000000d8 ]
MAGIC SIGNATURE THREAD, Stack Quality 98%
0x00007fff610304dc (chrome_child.dll -frameview.cpp:582 ) blink::FrameView::layoutViewItem()
0x00007fff62baa888 (chrome_child.dll -inspectorlayertreeagent.cpp:267 ) blink::InspectorLayerTreeAgent::buildLayerIdToNodeIdMap(blink::PaintLayer *,WTF::HashMap<int,int,WTF::IntHash<unsigned int>,WTF::HashTraits<int>,WTF::HashTraits<int>,WTF::PartitionAllocator> &)
0x00007fff62baa84e (chrome_child.dll -inspectorlayertreeagent.cpp:262 ) blink::InspectorLayerTreeAgent::buildLayerIdToNodeIdMap(blink::PaintLayer *,WTF::HashMap<int,int,WTF::IntHash<unsigned int>,WTF::HashTraits<int>,WTF::HashTraits<int>,WTF::PartitionAllocator> &)
0x00007fff62baa84e (chrome_child.dll -inspectorlayertreeagent.cpp:262 ) blink::InspectorLayerTreeAgent::buildLayerIdToNodeIdMap(blink::PaintLayer *,WTF::HashMap<int,int,WTF::IntHash<unsigned int>,WTF::HashTraits<int>,WTF::HashTraits<int>,WTF::PartitionAllocator> &)
0x00007fff62baa84e (chrome_child.dll -inspectorlayertreeagent.cpp:262 ) blink::InspectorLayerTreeAgent::buildLayerIdToNodeIdMap(blink::PaintLayer *,WTF::HashMap<int,int,WTF::IntHash<unsigned int>,WTF::HashTraits<int>,WTF::HashTraits<int>,WTF::PartitionAllocator> &)
0x00007fff62baa93f (chrome_child.dll -inspectorlayertreeagent.cpp:233 ) blink::InspectorLayerTreeAgent::buildLayerTree()
0x00007fff62bab9e2 (chrome_child.dll -inspectorlayertreeagent.cpp:202 ) blink::InspectorLayerTreeAgent::layerTreeDidChange()
0x00007fff61b3a2cd (chrome_child.dll -paintlayercompositor.cpp:482 ) blink::PaintLayerCompositor::updateIfNeeded()
0x00007fff61030895 (chrome_child.dll -paintlayercompositor.cpp:228 ) blink::PaintLayerCompositor::updateIfNeededRecursiveInternal()
0x00007fff6102ed46 (chrome_child.dll -paintlayercompositor.cpp:188 ) blink::PaintLayerCompositor::updateIfNeededRecursive()
0x00007fff61032178 (chrome_child.dll -frameview.cpp:3060 ) blink::FrameView::updateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState)
0x00007fff6172b1dd (chrome_child.dll -webviewimpl.cpp:3577 ) blink::WebViewImpl::clearBaseBackgroundColorOverride()
0x00007fff6172b282 (chrome_child.dll -inspectoremulationagent.cpp:194 ) blink::InspectorEmulationAgent::setDefaultBackgroundColorOverride(blink::protocol::Maybe<blink::protocol::DOM::RGBA>)
0x00007fff6164091c (chrome_child.dll -inspectoremulationagent.cpp:92 ) blink::InspectorEmulationAgent::disable()
0x00007fff616a4517 (chrome_child.dll -inspectorbaseagent.h:88 ) blink::InspectorBaseAgent<blink::protocol::Emulation::Metainfo>::dispose()
0x00007fff6172c99b (chrome_child.dll -inspectorsession.cpp:72 ) blink::InspectorSession::dispose()
0x00007fff6193982c (chrome_child.dll -webdevtoolsagentimpl.cpp:419 ) blink::WebDevToolsAgentImpl::destroySession()
0x00007fff619397c2 (chrome_child.dll -webdevtoolsagentimpl.cpp:444 ) blink::WebDevToolsAgentImpl::detach()
0x00007fff62edb5d6 (chrome_child.dll -devtools_agent.cc:250 ) content::DevToolsAgent::OnDetach()
0x00007fff62edafee (chrome_child.dll -ipc_message_templates.h:121 ) IPC::MessageT<DevToolsAgentMsg_Detach_Meta,std::tuple<>,void>::Dispatch<content::DevToolsAgent,content::DevToolsAgent,void,void ( content::DevToolsAgent::*)(void)>(IPC::Message const *,content::DevToolsAgent *,content::DevToolsAgent *,void *,void ( content::DevToolsAgent::*)(void))
0x00007fff61c6bb91 (chrome_child.dll -devtools_agent.cc:106 ) content::DevToolsAgent::OnMessageReceived(IPC::Message const &)
0x00007fff614fdf8b (chrome_child.dll -render_frame_impl.cc:1512 ) content::RenderFrameImpl::OnMessageReceived(IPC::Message const &)
0x00007fff614fc219 (chrome_child.dll -child_thread_impl.cc:754 ) content::ChildThreadImpl::OnMessageReceived(IPC::Message const &)
0x00007fff614fc0e7 (chrome_child.dll -ipc_channel_proxy.cc:329 ) IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x00007fff6119e373 (chrome_child.dll -task_annotator.cc:59 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007fff610ebfff (chrome_child.dll -task_queue_manager.cc:533 ) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *,bool,blink::scheduler::LazyNow,base::TimeTicks *)
0x00007fff610f1bb2 (chrome_child.dll -task_queue_manager.cc:331 ) blink::scheduler::TaskQueueManager::DoWork(bool)
0x00007fff61650782 (chrome_child.dll -bind_internal.h:339 ) base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void >::Run(base::internal::BindStateBase *)
0x00007fff6119e373 (chrome_child.dll -task_annotator.cc:59 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007fff610ebbaa (chrome_child.dll -message_loop.cc:423 ) base::MessageLoop::RunTask(base::PendingTask *)
0x00007fff6119d729 (chrome_child.dll -message_loop.cc:527 ) base::MessageLoop::DoWork()
0x00007fff6119d532 (chrome_child.dll -message_pump_default.cc:33 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x00007fff61596f21 (chrome_child.dll -run_loop.cc:37 ) base::RunLoop::Run()
0x00007fff614a3814 (chrome_child.dll -renderer_main.cc:200 ) content::RendererMain(content::MainFunctionParams const &)
0x00007fff6159aa5d (chrome_child.dll -content_main_runner.cc:490 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x00007fff6159a962 (chrome_child.dll -content_main_runner.cc:835 ) content::ContentMainRunnerImpl::Run()
0x00007fff6159a87d (chrome_child.dll -content_main.cc:29 ) content::ContentMain(content::ContentMainParams const &)
0x00007fff6159b4bc (chrome_child.dll -chrome_main.cc:121 ) ChromeMain
0x00007ff782ab75b0 (chrome.exe -main_dll_loader_win.cc:201 ) MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x00007ff782ab267a (chrome.exe -chrome_exe_main_win.cc:271 ) wWinMain
0x00007ff782b48232 (chrome.exe -exe_common.inl:253 ) __scrt_common_main_seh
0x00007fff93998101 (KERNEL32.DLL + 0x00018101 ) BaseThreadInitThunk
0x00007fff93ebc5b3 (ntdll.dll + 0x0005c5b3 ) RtlUserThreadStart
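Added triage helper, not part of this bug thread: it parses the crash-server stack format pasted above (the "Thread N CRASHED [...]" header plus one "0xADDR (module -file:line ) symbol" or "(module + 0xoffset )" frame per line) and classifies the fault address. The constant NULL_PAGE_LIMIT is an assumption taken from the 64 KiB the OS leaves unmapped at the bottom of user space, and the sample report is a constructed four-frame excerpt of the trace in this thread.

```python
import re

# Sample input: a constructed excerpt of the crash report pasted in this thread,
# cut to four frames, with the HashMap template arguments shortened.
REPORT = """\
Thread 0 CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x000000d8 ]
0x00007fff610304dc (chrome_child.dll -frameview.cpp:582 ) blink::FrameView::layoutViewItem()
0x00007fff62baa888 (chrome_child.dll -inspectorlayertreeagent.cpp:267 ) blink::InspectorLayerTreeAgent::buildLayerIdToNodeIdMap(blink::PaintLayer *,WTF::HashMap<int,int> &)
0x00007fff62baa93f (chrome_child.dll -inspectorlayertreeagent.cpp:233 ) blink::InspectorLayerTreeAgent::buildLayerTree()
0x00007fff93998101 (KERNEL32.DLL + 0x00018101 ) BaseThreadInitThunk
"""

HEADER_RE = re.compile(r"Thread (?P<thread>\d+) CRASHED \[(?P<exc>\w+) @ (?P<addr>0x[0-9a-fA-F]+) \]")
# Frames come in two shapes: "module -file:line" when symbolized to source,
# "module + 0xoffset" when only the containing module is known.
FRAME_RE = re.compile(r"^(?P<addr>0x[0-9a-fA-F]+) \((?P<module>\S+) "
                      r"(?:-(?P<file>\S+):(?P<line>\d+)|\+ (?P<offset>0x[0-9a-fA-F]+)) \) (?P<symbol>.+)$")
# Assumption: the low 64 KiB are never mapped for user code on Windows (mmap_min_addr
# plays the same role on Linux), so a fault below this is a null pointer plus a field offset.
NULL_PAGE_LIMIT = 0x10000


def parse_report(text):
    """Return (exception name, fault address, frames) from a tracker-pasted trace."""
    lines = text.strip().splitlines()
    m = HEADER_RE.search(lines[0])
    if not m:
        raise ValueError("no CRASHED header")
    frames = []
    for ln in lines[1:]:
        f = FRAME_RE.match(ln)
        if not f:
            continue  # skip lines the tracker wrapped or truncated
        d = f.groupdict()
        d["addr"] = int(d["addr"], 16)
        d["line"] = int(d["line"]) if d["line"] else None
        d["offset"] = int(d["offset"], 16) if d["offset"] else None
        frames.append(d)
    return m["exc"], int(m["addr"], 16), frames


def classify(exception, fault_address):
    """Coarse triage: null-page dereference versus access to an arbitrary address."""
    if not exception.startswith("EXCEPTION_ACCESS_VIOLATION"):
        return exception
    kind = "read" if exception.endswith("_READ") else "write"
    if fault_address < NULL_PAGE_LIMIT:
        return f"null-page {kind} at offset 0x{fault_address:x}"
    return f"wild {kind} at 0x{fault_address:x}"
```

For this report the fault at 0xd8 lands in the null page, which matches the hypothesis in the thread of a missing FrameView rather than a controlled pointer.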
Mar 21 2017
I don't see any relation to my CL. Looking at the code, though, it seems this might be susceptible to a race (with loading, the <iframe> in question not getting its inner document/FrameView attached "in time"). Looks like this code has been like this for a long time, so not quite sure who should be assigned. It looks like this code was added in 51066ee33ed808ad59888e06f67b798db037d937 and has been essentially unchanged since, so assigning to caseq.
Mar 21 2017
Mar 28 2017
Mar 29 2017
From the crash server data this crash seems to be a non-regression. It started during the M54 time frame. Since there is a reproducible test case, can we get it fixed?

More details:
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3AFrameView%3A%3AlayoutViewItem%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000

svichare@ Is this still reproducible?
Mar 30 2017
The above issue is reproducible on the latest Chrome version, i.e. 59.0.3056.0.
Mar 30 2017
Not sure where this goes but tentatively layout. Also adding devtools since that's on the stack.
Apr 6 2017
Just to update: still able to reproduce the issue on latest Canary #59.0.3064.0. @caseq -- Could you please look into the issue and update? Thank you.
Apr 12 2017
Friendly ping to get an update on this.
Apr 14 2017
Does this need to be a ReleaseBlock-Stable? Seems like a good bug, but I am hesitant to confirm that it's significant enough to block a release.
Apr 17 2017
Removing RBS considering this is not a regression and steps to reproduce are pretty elaborate. Couldn't reproduce this right away on ToT Mac (60.0.3074.0), but will keep it open and try on more platforms.
Jun 19 2017
May 29 2018
No longer reproduces.

Comment 1 by ranjitkan@chromium.org, Mar 21 2017. Status: Untriaged (was: Unconfirmed)