New issue
Advanced search Search tips

Issue 705306 link

Starred by 4 users
Status: Fixed
Owner:
a...@chromium.org
Closed: Mar 2017
Cc:
pfeldman@chromium.org
dgozman@chromium.org
thakis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

DevToolsBeforeUnloadTest.* tests fail on Linux MSan Tests bot

Project Member Reported by caseq@chromium.org, Mar 26 2017 
First failing build: https://build.chromium.org/p/chromium.memory.full/builders/Linux%20MSan%20Tests/builds/6404

Sample stack:

==20372==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x15c76af4 in size buildtools/third_party/libc++/trunk/include/vector:639:46
    #1 0x15c76af4 in count chrome/browser/ui/tabs/tab_strip_model.h:132:0
    #2 0x15c76af4 in ContainsIndex chrome/browser/ui/tabs/tab_strip_model.cc:261:0
    #3 0x15c76af4 in TabStripModel::GetWebContentsAtImpl(int) const chrome/browser/ui/tabs/tab_strip_model.cc:1243:0
    #4 0x15c7ae50 in GetWebContentsFromIndices chrome/browser/ui/tabs/tab_strip_model.cc:1099:24
    #5 0x15c7ae50 in TabStripModel::InternalCloseTabs(std::__1::vector<int, std::__1::allocator<int> > const&, unsigned int) chrome/browser/ui/tabs/tab_strip_model.cc:1157:0
    #6 0x15c7d8be in TabStripModel::CloseWebContentsAt(int, unsigned int) chrome/browser/ui/tabs/tab_strip_model.cc:521:10
    #7 0xd5ae30 in Run base/callback.h:85:12
    #8 0xd5ae30 in DevToolsBeforeUnloadTest::RunBeforeUnloadSanityTest(bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>, bool) chrome/browser/devtools/devtools_sanity_browsertest.cc:410:0
    #9 0xd5b874 in DevToolsBeforeUnloadTest_TestUndockedDevToolsInspectedTabClose_Test::RunTestOnMainThread() chrome/browser/devtools/devtools_sanity_browsertest.cc:742:3
    #10 0xb4f9d89 in InProcessBrowserTest::RunTestOnMainThreadLoop() chrome/test/base/in_process_browser_test.cc:574:5
    #11 0xd02967f in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop() content/public/test/browser_test_base.cc:346:5
    #12 0xc686cd2 in Run base/callback.h:85:12
    #13 0xc686cd2 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() chrome/browser/chrome_browser_main.cc:1920:0
    #14 0xc6822f1 in ChromeBrowserMainParts::PreMainMessageLoopRun() chrome/browser/chrome_browser_main.cc:1237:18
    #15 0x5839004 in content::BrowserMainLoop::PreMainMessageLoopRun() content/browser/browser_main_loop.cc:1173:13
    #16 0x68bed59 in Run base/callback.h:85:12
    #17 0x68bed59 in content::StartupTaskRunner::RunAllTasksNow() content/browser/startup_task_runner.cc:45:0
    #18 0x582f874 in content::BrowserMainLoop::CreateStartupTasks() content/browser/browser_main_loop.cc:981:25
    #19 0x584b655 in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) content/browser/browser_main_runner.cc:125:17
    #20 0x5822c5c in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:42:32
    #21 0xb0dd402 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:491:14
    #22 0xb0e00ae in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:836:12
    #23 0xb0d8530 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
    #24 0xd02860f in content::BrowserTestBase::SetUp() content/public/test/browser_test_base.cc:312:3
    #25 0xb4f3e4f in InProcessBrowserTest::SetUp() chrome/test/base/in_process_browser_test.cc:265:20
    #26 0xf2cd237 in HandleExceptionsInMethodIfSupported<testing::Test, void> testing/gtest/src/gtest.cc:2458:12
    #27 0xf2cd237 in testing::Test::Run() testing/gtest/src/gtest.cc:2470:0
    #28 0xf2d02f1 in testing::TestInfo::Run() testing/gtest/src/gtest.cc:2656:11
    #29 0xf2d1859 in testing::TestCase::Run() testing/gtest/src/gtest.cc:2774:28
    #30 0xf2f1d6d in testing::internal::UnitTestImpl::RunAllTests() testing/gtest/src/gtest.cc:4647:43
    #31 0xf2f0bde in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> testing/gtest/src/gtest.cc:2458:12
    #32 0xf2f0bde in testing::UnitTest::Run() testing/gtest/src/gtest.cc:4255:0
    #33 0xb540930 in RUN_ALL_TESTS testing/gtest/include/gtest/gtest.h:2237:46
    #34 0xb540930 in base::TestSuite::Run() base/test/test_suite.cc:271:0
    #35 0xb11e4c0 in ChromeTestSuiteRunner::RunTestSuite(int, char**) chrome/test/base/chrome_test_launcher.cc:62:38
    #36 0xd1610f1 in content::LaunchTests(content::TestLauncherDelegate*, int, int, char**) content/public/test/test_launcher.cc:520:31
    #37 0xb11e2bc in main chrome/test/base/browser_tests_main.cc:15:10
    #38 0x7ffb2577ef44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
    #39 0x734a68 in _start ??:0:0

  Uninitialized value was created by a heap deallocation
    #0 0x7a4be2 in operator delete(void*) ??:0:0
    #1 0x15f3ccc7 in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
    #2 0x15f3ccc7 in reset buildtools/third_party/libc++/trunk/include/memory:2735:0
    #3 0x15f3ccc7 in BrowserView::~BrowserView() chrome/browser/ui/views/frame/browser_view.cc:467:0
    #4 0x15f3d943 in ~BrowserView chrome/browser/ui/views/frame/browser_view.cc:423:29
    #5 0x15f3d943 in non-virtual thunk to BrowserView::~BrowserView() chrome/browser/ui/views/frame/browser_view.cc:0:0
    #6 0xf5dde16 in views::View::~View() ui/views/view.cc:163:9
    #7 0xf64bde9 in ~NonClientView ui/views/window/non_client_view.cc:56:1
    #8 0xf64bde9 in views::NonClientView::~NonClientView() ui/views/window/non_client_view.cc:52:0
    #9 0xf5e3fdb in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
    #10 0xf5e3fdb in reset buildtools/third_party/libc++/trunk/include/memory:2735:0
    #11 0xf5e3fdb in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2703:0
    #12 0xf5e3fdb in views::View::DoRemoveChildView(views::View*, bool, bool, bool, views::View*) ui/views/view.cc:1971:0
    #13 0xf5e740f in views::View::RemoveAllChildViews(bool) ui/views/view.cc:301:5
    #14 0xf7693de in views::internal::RootView::~RootView() ui/views/widget/root_view.cc:182:5
    #15 0x15f3a8ec in BrowserRootView::~BrowserRootView() chrome/browser/ui/views/frame/browser_root_view.h:23:7
    #16 0xf6126af in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
    #17 0xf6126af in reset buildtools/third_party/libc++/trunk/include/memory:2735:0
    #18 0xf6126af in DestroyRootView ui/views/widget/widget.cc:1440:0
    #19 0xf6126af in views::Widget::~Widget() ui/views/widget/widget.cc:181:0
    #20 0x15f3019c in BrowserFrame::~BrowserFrame() chrome/browser/ui/views/frame/browser_frame.cc:61:31
    #21 0xf78e0b5 in views::DesktopNativeWidgetAura::~DesktopNativeWidgetAura() ui/views/widget/desktop_aura/desktop_native_widget_aura.cc:0:5
    #22 0x165b9820 in ~DesktopBrowserFrameAuraX11 chrome/browser/ui/views/frame/desktop_browser_frame_aurax11.cc:27:1
    #23 0x165b9820 in DesktopBrowserFrameAuraX11::~DesktopBrowserFrameAuraX11() chrome/browser/ui/views/frame/desktop_browser_frame_aurax11.cc:26:0
    #24 0xf6776d7 in views::DesktopWindowTreeHostX11::CloseNow() ui/views/widget/desktop_aura/desktop_window_tree_host_x11.cc:556:32
    #25 0xb44da44 in Run base/callback.h:68:12
    #26 0xb44da44 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:59:0
    #27 0xb1e4ef1 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:423:19
    #28 0xb1e6911 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:434:5
    #29 0xb1e84d5 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:527:13
    #30 0xb1f7cd9 in HandleDispatch base/message_loop/message_pump_glib.cc:267:25
    #31 0xb1f7cd9 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109:0
    #32 0x7ffb2f3453ce in g_main_dispatch /home/tom/chromium/src/third_party/instrumented_libraries/scripts/out/Instrumented-msan-chained-origins-trusty/gen/third_party/instrumented_libraries/libglib2.0-0/glib2.0-2.40.2/glib/gmain.c:3064:27
    #33 0x7ffb2f3453ce in g_main_context_dispatch /home/tom/chromium/src/third_party/instrumented_libraries/scripts/out/Instrumented-msan-chained-origins-trusty/gen/third_party/instrumented_libraries/libglib2.0-0/glib2.0-2.40.2/glib/gmain.c:3663:0
Project Member

Comment 1 by bugdroid1@chromium.org, Mar 26 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6e14d3fe0ec345ca2955b4f1eb4416f0d3e1f00a

commit 6e14d3fe0ec345ca2955b4f1eb4416f0d3e1f00a
Author: caseq <caseq@chromium.org>
Date: Sun Mar 26 23:09:04 2017

Reland of DevTools: fix mixed arguments in Tracing.bufferUsage event (patchset #1 id:1 of https://codereview.chromium.org/2776043002/ )

Reason for revert:
Re-land, see comments in https://codereview.chromium.org/2752083002 for details.
BUG= 705306 

Original issue's description:
> Revert of DevTools: fix mixed arguments in Tracing.bufferUsage event (patchset #1 id:1 of https://codereview.chromium.org/2752083002/ )
>
> Reason for revert:
> Speculative, looks like this broke a bunch of devtool tests on msan, first failure at https://build.chromium.org/p/chromium.memory.full/builders/Linux%20MSan%20Tests/builds/6404 but still broken 80 builds later.
>
> Original issue's description:
> > DevTools: fix mixed arguments in Tracing.bufferUsage event
> >
> > Originally regressed by https://codereview.chromium.org/2500093002
> >
> > BUG=b/36176396
> >
> > Review-Url: https://codereview.chromium.org/2752083002
> > Cr-Commit-Position: refs/heads/master@{#457227}
> > Committed: https://chromium.googlesource.com/chromium/src/+/c8dc5d159a4716659d8698b093794f7c9eaa24ed
>
> TBR=dgozman@chromium.org,caseq@chromium.org
> # Not skipping CQ checks because original CL landed more than 1 days ago.
> BUG=b/36176396
>
> Review-Url: https://codereview.chromium.org/2776043002
> Cr-Commit-Position: refs/heads/master@{#459668}
> Committed: https://chromium.googlesource.com/chromium/src/+/e14291f0adaf71cd42ef1c1a9d70ace4e309a1ba

TBR=dgozman@chromium.org,thakis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=b/36176396

Review-Url: https://codereview.chromium.org/2763413011
Cr-Commit-Position: refs/heads/master@{#459681}

[modify] https://crrev.com/6e14d3fe0ec345ca2955b4f1eb4416f0d3e1f00a/content/browser/devtools/protocol/tracing_handler.cc

Comment 2 by a...@chromium.org, Mar 28 2017 

I'm digging.

Two interesting things.

First, half the failing tests fail with:

[ RUN      ] DevToolsBeforeUnloadTest.TestDockedDevToolsInspectedTabClose
../../chrome/test/base/ui_test_utils.cc:117: Failure
Value of: dialog_
  Actual: false
Expected: true

and the other half fail with the:
MemorySanitizer: use-of-uninitialized-value

Second, I think the dealloc stack trace is useless. It's a dangling pointer and we finally crash when we hit it.

Dunno why this isn't crashing on non-msan bots. Still digging.

Comment 3 by a...@chromium.org, Mar 28 2017 

Almost certainly a dup of  issue 702171 ,  issue 702767 .

Comment 4 by a...@chromium.org, Mar 28 2017 

../../chrome/test/base/ui_test_utils.cc:117: Failure

A test is calling either AcceptModalDialog() or CancelModalDialog(), which calls GetDialog() which calls ui_test_utils::WaitForAppModalDialog(). If there's already a modal dialog, it's returned. Otherwise, it creates a AppModalDialogWaiter object, and calls Wait on it.

This spins a MessageLoopRunner, and when the runner returns, there's supposed to be a dialog but there's not. That's the failure.

But there doesn't seem to be any way that the runner could be stopped without a dialog. I'm not sure how this fits in.

Comment 5 by a...@chromium.org, Mar 28 2017 

The core of all the failing tests is RunBeforeUnloadSanityTest. It's passed some parameters on how to set things up, and a callback on how to close things.

RunBeforeUnloadSanityTest:
1. Sets up the devtools window and injects a beforeunload listener in the inspected page.
2. Calls the callback, waits for the beforeunload dialog, cancels the dialog, and waits for the ack from the page.
3. Calls the callback, waits for the beforeunload dialog, accepts the dialog, and waits for the ack from the page.
4. Waits for the devtools to close.

    #8 0xd5ae30 in DevToolsBeforeUnloadTest::RunBeforeUnloadSanityTest(bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>, bool) chrome/browser/devtools/devtools_sanity_browsertest.cc:410:0

Line 410 of devtools_sanity_browsertest.cc is the calling of the callback the *second* time, in step 3. My suspicion here is that the page is somehow actually getting closed the first time despite the beforeunload dialog.

That could explain both the dialog failure (if we somehow survived the callback, there wouldn't be a dialog spawned) and the failure in the callback (which would be trying to close something already closed).

Comment 6 by a...@chromium.org, Mar 28 2017 

class DevToolsBeforeUnloadTest: public DevToolsSanityTest {
 public:
  void SetUpCommandLine(base::CommandLine* command_line) override {
    command_line->AppendSwitch(
        switches::kDisableHangMonitor);
  }

That used to disable the hang monitor for beforeunload as well, but after beforeunload moved to its own timer, it doesn't.

Comment 7 by a...@chromium.org, Mar 28 2017 

 Issue 702171  has been merged into this issue.

Comment 8 by a...@chromium.org, Mar 28 2017 

 Issue 702767  has been merged into this issue.
Project Member

Comment 9 by bugdroid1@chromium.org, Mar 29 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/64b8b65b733a3ac8bd0b5f707431f6d1fae20948

commit 64b8b65b733a3ac8bd0b5f707431f6d1fae20948
Author: avi <avi@chromium.org>
Date: Wed Mar 29 18:50:34 2017

Fix DevToolsBeforeUnloadTest and BrowserCloseManagerBrowserTest.

They were attempting to disable the beforeunload timeout, but the switch provided no longer worked.

BUG= 705306 ,  418266 ,  700271 ,  700641 
TEST=Linux MSan Tests goes green
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation;master.tryserver.chromium.linux:linux_chromium_msan_rel_ng

Review-Url: https://codereview.chromium.org/2777013004
Cr-Commit-Position: refs/heads/master@{#460472}

[modify] https://crrev.com/64b8b65b733a3ac8bd0b5f707431f6d1fae20948/chrome/browser/devtools/devtools_sanity_browsertest.cc
[modify] https://crrev.com/64b8b65b733a3ac8bd0b5f707431f6d1fae20948/chrome/browser/lifetime/browser_close_manager_browsertest.cc
[modify] https://crrev.com/64b8b65b733a3ac8bd0b5f707431f6d1fae20948/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/64b8b65b733a3ac8bd0b5f707431f6d1fae20948/content/browser/frame_host/render_frame_host_impl.h
[modify] https://crrev.com/64b8b65b733a3ac8bd0b5f707431f6d1fae20948/content/browser/renderer_host/render_widget_host_impl.cc
[modify] https://crrev.com/64b8b65b733a3ac8bd0b5f707431f6d1fae20948/content/browser/renderer_host/render_widget_host_impl.h
[modify] https://crrev.com/64b8b65b733a3ac8bd0b5f707431f6d1fae20948/content/public/browser/render_frame_host.h
[modify] https://crrev.com/64b8b65b733a3ac8bd0b5f707431f6d1fae20948/content/public/browser/render_widget_host.h
Project Member

Comment 10 by bugdroid1@chromium.org, Mar 30 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4588bf925fa2b0aae2462cda08c7066886b09dcc

commit 4588bf925fa2b0aae2462cda08c7066886b09dcc
Author: avi <avi@chromium.org>
Date: Thu Mar 30 21:28:02 2017

Always disable the beforeunload timer when injecting the beforeunload method.

BUG= 705306 
TEST=Linux MSan Tests goes green

Review-Url: https://codereview.chromium.org/2780343002
Cr-Commit-Position: refs/heads/master@{#460884}

[modify] https://crrev.com/4588bf925fa2b0aae2462cda08c7066886b09dcc/chrome/browser/devtools/devtools_sanity_browsertest.cc

Comment 11 by a...@chromium.org, Mar 31 2017

Status: Fixed (was: Assigned)
The tree is green!

Sign in to add a comment