Crash in View::BoundsChanged when clearing all notifications while adding notifications.
Issue description
Chrome sometimes crashes when clearing all notifications while adding notifications.
I can reproduce this crash only by using a fuzz-testing app. This hardly ever happens in normal use.
stack trace:
Thread 0 (crashed)
0 chrome!BoundsChanged [view.cc : 2168 + 0x0]
rax = 0x0000000800000042 rdx = 0x0000005c00000170
rcx = 0x0000000800000000 rbx = 0x0000000000000001
rsi = 0x0000000000000170 rdi = 0x0000000000000001
rbp = 0x000025169f60a3d8 rsp = 0x00007ffde4c81e80
r8 = 0x000000007ffffff7 r9 = 0x0000000000000000
r10 = 0x0000000000000042 r11 = 0x0000000000000000
r12 = 0x00007ffde4c82030 r13 = 0x000025169f60a3c0
r14 = 0x00007ffde4c81f50 r15 = 0x000025169e8c8880
rip = 0x000064b7803cafe3
Found by: given as instruction pointer in context
1 chrome!SetBoundsRect [view.cc : 346 + 0x8]
rbx = 0x000025169e8c897c rbp = 0x000025169f60a3d8
rsp = 0x00007ffde4c81f10 r12 = 0x00007ffde4c82030
r13 = 0x000025169f60a3c0 r14 = 0x00007ffde4c81fa8
r15 = 0x000025169e8c8880 rip = 0x000064b7803cadd1
Found by: call frame info
2 chrome!AnimationProgressed [bounds_animator.cc : 242 + 0x8]
rbx = 0x000025169fc70ae0 rbp = 0x000025169f60a3d8
rsp = 0x00007ffde4c81f90 r12 = 0x00007ffde4c82030
r13 = 0x000025169f60a3c0 r14 = 0x000025169f3f4f80
r15 = 0x00007ffde4c81fa8 rip = 0x000064b7823a8b58
Found by: call frame info
3 chrome!Step [linear_animation.cc : 81 + 0x6]
rbx = 0x000025169bdb5c80 rbp = 0x000025169f60a3d8
rsp = 0x00007ffde4c81ff0 r12 = 0x00007ffde4c82030
r13 = 0x000025169f60a3c0 r14 = 0x000025169f60a3d0
r15 = 0x000000036a18aaaa rip = 0x000064b77f70248b
Found by: call frame info
4 chrome!Run [animation_container.cc : 75 + 0x6]
rbx = 0x000025169eebb9c0 rbp = 0x000025169f60a3d8
rsp = 0x00007ffde4c82020 r12 = 0x00007ffde4c82030
r13 = 0x000025169f60a3c0 r14 = 0x000025169f60a3d0
r15 = 0x000000036a18aaaa rip = 0x000064b77f702242
Found by: call frame info
5 chrome!RunScheduledTask [callback.h : 80 + 0x3]
rbx = 0x000025169f60a408 rbp = 0x00007ffde4c822e8
rsp = 0x00007ffde4c820a0 r12 = 0x000064b784114d50
r13 = 0x00007ffde4c82190 r14 = 0x000064b783241321
r15 = 0x000025169b07e870 rip = 0x000064b77eed63af
Found by: call frame info
6 chrome!RunTask [callback.h : 91 + 0x3]
rbx = 0x00007ffde4c821b8 rbp = 0x00007ffde4c822e8
rsp = 0x00007ffde4c820c0 r12 = 0x000064b784114d50
r13 = 0x00007ffde4c82190 r14 = 0x000064b783241321
r15 = 0x000025169b07e870 rip = 0x000064b77eefe863
Found by: call frame info
7 chrome!RunTask [message_loop.cc : 423 + 0xf]
rbx = 0x00007ffde4c82260 rbp = 0x0000000000000000
rsp = 0x00007ffde4c82200 r12 = 0x000025169b07e848
r13 = 0x00007ffde4c822e8 r14 = 0x000025169b07e700
r15 = 0x000064b7841631b8 rip = 0x000064b77ee9124d
Found by: call frame info
8 chrome!DeferOrRunPendingTask [message_loop.cc : 434 + 0xb]
rbx = 0x00007ffde4c822e8 rbp = 0x0000000000000000
rsp = 0x00007ffde4c822c0 r12 = 0x000025169b09c0d0
r13 = 0x0000000000000000 r14 = 0x000025169b07e700
r15 = 0x00007ffde4c82350 rip = 0x000064b77ee914f8
Found by: call frame info
9 chrome!DoDelayedWork [message_loop.cc : 566 + 0xb]
rbx = 0x000025169b07e700 rbp = 0x0000000000000000
rsp = 0x00007ffde4c822e0 r12 = 0x000025169b09c0d0
r13 = 0x0000000000000000 r14 = 0x00007ffde4c822e8
r15 = 0x00007ffde4c82350 rip = 0x000064b77ee91a9f
Found by: call frame info
10 chrome!Run [message_pump_libevent.cc : 229 + 0xc]
rbx = 0x000025169b09c0c0 rbp = 0x0000000000000000
rsp = 0x00007ffde4c823e0 r12 = 0x000025169b09c0d0
r13 = 0x0000000000000000 r14 = 0x000025169b07e700
r15 = 0x000025169bbd1700 rip = 0x000064b77ee92f3d
Found by: call frame info
11 chrome!Run [run_loop.cc : 37 + 0x5]
rbx = 0x00007ffde4c824d0 rbp = 0x0000000000000000
rsp = 0x00007ffde4c82440 r12 = 0x00007ffde4c827e0
r13 = 0x00007ffde4c829b0 r14 = 0x00007ffde4c82448
r15 = 0x000025169b069c00 rip = 0x000064b77eeb03ce
Found by: call frame info
12 chrome!MainMessageLoopRun [chrome_browser_main.cc : 1972 + 0x8]
rbx = 0x00007ffde4c824d0 rbp = 0x0000000000000000
rsp = 0x00007ffde4c824d0 r12 = 0x00007ffde4c827e0
r13 = 0x00007ffde4c829b0 r14 = 0x000025169b07ea98
r15 = 0x000025169b069c00 rip = 0x000064b77eb34a4e
Found by: call frame info
13 chrome!RunMainMessageLoopParts [browser_main_loop.cc : 1169 + 0x3]
rbx = 0x000064b784114ce0 rbp = 0x00000000ffffffff
rsp = 0x00007ffde4c82540 r12 = 0x00007ffde4c827e0
r13 = 0x00007ffde4c829b0 r14 = 0x000025169b07ea80
r15 = 0x000025169b064d80 rip = 0x000064b77d7ed571
Found by: call frame info
Apr 24 2017
This issue is a use-after-free. SetBoundsRect() is called on a view that has already been deleted in MessageListView::OnBoundsAnimatorDone().
Apr 25 2017
Apr 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4518695792a1cad0afdb80bbe0e3ea1850f310c1

commit 4518695792a1cad0afdb80bbe0e3ea1850f310c1
Author: yhanada <yhanada@chromium.org>
Date: Wed Apr 26 05:50:23 2017

Fix use-after-free in MessageListView.

This is caused by calling RemoveNotification() while 'Clear All' operation is in progress. A MessageView could be deleted twice.

BUG=713983
Review-Url: https://codereview.chromium.org/2836023002
Cr-Commit-Position: refs/heads/master@{#467248}

[modify] https://crrev.com/4518695792a1cad0afdb80bbe0e3ea1850f310c1/ui/message_center/views/message_center_view.cc
[modify] https://crrev.com/4518695792a1cad0afdb80bbe0e3ea1850f310c1/ui/message_center/views/message_center_view.h
[modify] https://crrev.com/4518695792a1cad0afdb80bbe0e3ea1850f310c1/ui/message_center/views/message_list_view.cc
Apr 26 2017
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Apr 26 2017
Apr 27 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually.
Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Apr 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/15a2c765e69aef8f8470aac02b62c8c3198c6e47

commit 15a2c765e69aef8f8470aac02b62c8c3198c6e47
Author: yhanada <yhanada@chromium.org>
Date: Thu Apr 27 06:25:45 2017

Fix use-after-free in MessageListView.

This is caused by calling RemoveNotification() while 'Clear All' operation is in progress. A MessageView could be deleted twice.

BUG=713983
Review-Url: https://codereview.chromium.org/2836023002
Cr-Commit-Position: refs/heads/master@{#467248}
(cherry picked from commit 4518695792a1cad0afdb80bbe0e3ea1850f310c1)

Review-Url: https://codereview.chromium.org/2848523002 .
Cr-Commit-Position: refs/branch-heads/3071@{#255}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/15a2c765e69aef8f8470aac02b62c8c3198c6e47/ui/message_center/views/message_center_view.cc
[modify] https://crrev.com/15a2c765e69aef8f8470aac02b62c8c3198c6e47/ui/message_center/views/message_center_view.h
[modify] https://crrev.com/15a2c765e69aef8f8470aac02b62c8c3198c6e47/ui/message_center/views/message_list_view.cc
Apr 27 2017
Bernie, Chrome PFQ hasn't rolled in a couple days so we haven't been able to officially test in a canary image. This (https://codereview.chromium.org/2836023002) is a crash fix for N, can we get clearance to merge after manual testing?
Apr 27 2017
SGTM for 58.
Apr 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ef773bb9e3af631d42213cd3d8eedb7dd8c3678e

commit ef773bb9e3af631d42213cd3d8eedb7dd8c3678e
Author: yhanada <yhanada@chromium.org>
Date: Fri Apr 28 12:31:23 2017

Fix use-after-free in MessageListView.

This is caused by calling RemoveNotification() while 'Clear All' operation is in progress. A MessageView could be deleted twice.

BUG=713983
Review-Url: https://codereview.chromium.org/2836023002
Cr-Commit-Position: refs/heads/master@{#467248}
(cherry picked from commit 4518695792a1cad0afdb80bbe0e3ea1850f310c1)

Review-Url: https://codereview.chromium.org/2844363005 .
Cr-Commit-Position: refs/branch-heads/3029@{#778}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/ef773bb9e3af631d42213cd3d8eedb7dd8c3678e/ui/message_center/views/message_center_view.cc
[modify] https://crrev.com/ef773bb9e3af631d42213cd3d8eedb7dd8c3678e/ui/message_center/views/message_center_view.h
[modify] https://crrev.com/ef773bb9e3af631d42213cd3d8eedb7dd8c3678e/ui/message_center/views/message_list_view.cc
Apr 28 2017
May 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/73029ea45937488ac4b586f759856682db1e3962

commit 73029ea45937488ac4b586f759856682db1e3962
Author: yhanada <yhanada@chromium.org>
Date: Mon May 08 10:53:22 2017

Add a regression test for crbug.com/713983 .

BUG=713983
TEST=Reverting http://crrev.com/2836023002 makes this test crash.
Review-Url: https://codereview.chromium.org/2864293002
Cr-Commit-Position: refs/heads/master@{#469957}

[modify] https://crrev.com/73029ea45937488ac4b586f759856682db1e3962/ui/message_center/views/message_list_view_unittest.cc
May 19 2017
Comment 1 by yhanada@chromium.org, Apr 21 2017
Another more detailed stack trace.
Thread 0 (crashed)
0 chrome!ui::LayerAnimator::SetDelegate(ui::LayerAnimationDelegate*) [layer_animator.cc : 129 + 0x6]
rax = 0xffffe41a4d642f72 rdx = 0x00001be6aca4b6f8
rcx = 0x0000000000000001 rbx = 0x0000000000000000
rsi = 0x00001be6ac32f240 rdi = 0x00001be6ac32f240
rbp = 0x00001be6abe2fb7c rsp = 0x00007ffec63bb030
r8 = 0x0000000000000000 r9 = 0x00000000000001b1
r10 = 0x0000000000000068 r11 = 0x0000000000000000
r12 = 0x00001be6ac32f240 r13 = 0x00001be6a9337a58
r14 = 0x00001be6ac32f240 r15 = 0x00001be6a91bf500
rip = 0x000063d69352b667
Found by: given as instruction pointer in context
1 chrome!ui::Layer::SetAnimator(ui::LayerAnimator*) [layer.cc : 312 + 0x8]
rbx = 0x0000000000000000 rbp = 0x00001be6abe2fb7c
rsp = 0x00007ffec63bb070 r12 = 0x00001be6ac32f240
r13 = 0x00001be6a9337a58 r14 = 0x0000000000000000
r15 = 0x00001be6a91bf500 rip = 0x000063d69352157f
Found by: call frame info
2 chrome!ui::Layer::SetBounds(gfx::Rect const&) [layer.cc : 320 + 0xb]
rbx = 0x00001be6ac32f240 rbp = 0x00001be6abe2fb7c
rsp = 0x00007ffec63bb220 r12 = 0x00001be6abe2fa80
r13 = 0x00001be6a9337a58 r14 = 0x00001be6abe2fb7c
r15 = 0x00001be6abe2fa80 rip = 0x000063d693522a36
Found by: call frame info
3 chrome!views::View::SetLayerBounds(gfx::Rect const&) [view.cc : 2239 + 0x5]
rbx = 0x00001be6abe2fa80 rbp = 0x00001be6abe2fb7c
rsp = 0x00007ffec63bb240 r12 = 0x00001be6abe2fa80
r13 = 0x00001be6a9337a58 r14 = 0x00007ffec63bb320
r15 = 0x00001be6abe2fa80 rip = 0x000063d693980b2f
Found by: call frame info
4 chrome!views::View::BoundsChanged(gfx::Rect const&) [view.cc : 2148 + 0x10]
rbx = 0x0000000000000000 rbp = 0x00001be6abe2fb7c
rsp = 0x00007ffec63bb260 r12 = 0x00001be6abe2fa80
r13 = 0x00001be6a9337a58 r14 = 0x00007ffec63bb320
r15 = 0x00001be6abe2fa80 rip = 0x000063d69397acb5
Found by: call frame info
5 chrome!views::View::SetBoundsRect(gfx::Rect const&) [view.cc : 346 + 0x8]
rbx = 0x00007ffec63bb508 rbp = 0x00001be6abe2fb7c
rsp = 0x00007ffec63bb2e0 r12 = 0x00001be6a9337a00
r13 = 0x00001be6a9337a58 r14 = 0x00001be6a92d1380
r15 = 0x00001be6abe2fa80 rip = 0x000063d69397a977
Found by: call frame info
6 chrome!views::BoundsAnimator::AnimationProgressed(gfx::Animation const*) [bounds_animator.cc : 242 + 0x8]
rbx = 0x00001be6aca4a540 rbp = 0x00007ffec63bc198
rsp = 0x00007ffec63bb4f0 r12 = 0x00001be6a9337a00
r13 = 0x00001be6a9337a58 r14 = 0x00001be6a92d1380
r15 = 0x00007ffec63bb508 rip = 0x000063d69691f06d
Found by: call frame info
7 chrome!gfx::LinearAnimation::Step(base::TimeTicks) [linear_animation.cc : 81 + 0x6]
rbx = 0x00001be6ac619e00 rbp = 0x00007ffec63bc198
rsp = 0x00007ffec63bb850 r12 = 0x00001be6a9337a00
r13 = 0x00001be6a9337a58 r14 = 0x000000248c98be67
r15 = 0x00007ffec63bb888 rip = 0x000063d692b1b82b
Found by: call frame info
8 chrome!gfx::AnimationContainer::Run() [animation_container.cc : 75 + 0x6]
rbx = 0x00001be6a850a570 rbp = 0x00007ffec63bc198
rsp = 0x00007ffec63bb880 r12 = 0x00001be6a9337a00
r13 = 0x00001be6a9337a58 r14 = 0x000000248c98be67
r15 = 0x00007ffec63bb888 rip = 0x000063d692b1b5e2
Found by: call frame info
9 chrome!base::Timer::RunScheduledTask() [callback.h : 80 + 0x3]
rbx = 0x00001be6a9337a88 rbp = 0x00007ffec63bc198
rsp = 0x00007ffec63bb8f0 r12 = 0x000063d698514200
r13 = 0x00007ffec63bbd40 r14 = 0x000063d6973c78df
r15 = 0x00001be6a5efe870 rip = 0x000063d6921000bf
Found by: call frame info
10 chrome!base::Callback<void (), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>::Run() && [callback.h : 91 + 0x3]
rbx = 0x00007ffec63bbc68 rbp = 0x00007ffec63bc198
rsp = 0x00007ffec63bba90 r12 = 0x000063d698514200
r13 = 0x00007ffec63bbd40 r14 = 0x000063d6973c78df
r15 = 0x00001be6a5efe870 rip = 0x000063d68fe80b41
Found by: call frame info
11 chrome!base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) [task_annotator.cc : 59 + 0x5]
rbx = 0x00007ffec63bbc68 rbp = 0x00007ffec63bc198
rsp = 0x00007ffec63bbc30 r12 = 0x000063d698514200
r13 = 0x00007ffec63bbd40 r14 = 0x000063d6973c78df
r15 = 0x00001be6a5efe870 rip = 0x000063d6921382ed
Found by: call frame info
12 chrome!base::MessageLoop::RunTask(base::PendingTask*) [message_loop.cc : 423 + 0xf]
rbx = 0x00007ffec63bc198 rbp = 0x00001be6a5efe700
rsp = 0x00007ffec63bbdb0 r12 = 0x00001be6a5f30890
r13 = 0x0000000000000000 r14 = 0x00001be6a5efe700
r15 = 0x000063d698514190 rip = 0x000063d6920a7621
Found by: call frame info
13 chrome!base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) [message_loop.cc : 434 + 0xb]
rbx = 0x00007ffec63bc198 rbp = 0x000000008d4f4e01
rsp = 0x00007ffec63bc170 r12 = 0x00001be6a5f30890
r13 = 0x0000000000000000 r14 = 0x00001be6a5efe700
r15 = 0x00007ffec63bc200 rip = 0x000063d6920a7998
Found by: call frame info
14 chrome!base::MessageLoop::DoDelayedWork(base::TimeTicks*) [message_loop.cc : 566 + 0xb]
rbx = 0x00001be6a5efe700 rbp = 0x000000008d4f4e01
rsp = 0x00007ffec63bc190 r12 = 0x00001be6a5f30890
r13 = 0x0000000000000000 r14 = 0x00007ffec63bc198
r15 = 0x00007ffec63bc200 rip = 0x000063d6920a7fff
Found by: call frame info
15 chrome!base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) [message_pump_libevent.cc : 229 + 0xc]
rbx = 0x00001be6a5f30840 rbp = 0x000000008d4f4e01
rsp = 0x00007ffec63bc290 r12 = 0x00001be6a5f30890
r13 = 0x0000000000000000 r14 = 0x00001be6a5efe700
r15 = 0x00001be6a706ca00 rip = 0x000063d6920aa52d
Found by: call frame info
16 chrome!base::MessageLoop::RunHandler() [message_loop.cc : 387 + 0x6]
rbx = 0x00001be6a5efe700 rbp = 0x00000000ffffffff
rsp = 0x00007ffec63bc2f0 r12 = 0x00007ffec63bcff8
r13 = 0x00007ffec63bd840 r14 = 0x00007ffec63bc620
r15 = 0x00001be6a5efec40 rip = 0x000063d6920a727b
Found by: call frame info
17 chrome!base::RunLoop::Run() [run_loop.cc : 37 + 0x5]
rbx = 0x00007ffec63bc870 rbp = 0x00000000ffffffff
rsp = 0x00007ffec63bc620 r12 = 0x00007ffec63bcff8
r13 = 0x00007ffec63bd840 r14 = 0x00007ffec63bc620
r15 = 0x00001be6a5efec40 rip = 0x000063d6920ced94
Found by: call frame info
18 chrome!ChromeBrowserMainParts::MainMessageLoopRun(int*) [chrome_browser_main.cc : 1977 + 0x8]
rbx = 0x00007ffec63bc870 rbp = 0x00000000ffffffff
rsp = 0x00007ffec63bc870 r12 = 0x00007ffec63bcff8
r13 = 0x00007ffec63bd840 r14 = 0x00001be6a5efea98
r15 = 0x00001be6a5efec40 rip = 0x000063d691c5737f
Found by: call frame info
19 chrome!content::BrowserMainLoop::RunMainMessageLoopParts() [browser_main_loop.cc : 1166 + 0x3]
rbx = 0x000063d698514190 rbp = 0x00000000ffffffff
rsp = 0x00007ffec63bca90 r12 = 0x00007ffec63bcff8
r13 = 0x00007ffec63bd840 r14 = 0x00001be6a5efea80
r15 = 0x00007ffec63bd6d8 rip = 0x000063d6904872c1
Found by: call frame info
20 chrome!content::BrowserMainRunnerImpl::Run() [browser_main_runner.cc : 140 + 0x5]
rbx = 0x00001be6a5f19ca0 rbp = 0x00000000ffffffff
rsp = 0x00007ffec63bcac0 r12 = 0x00007ffec63bcff8
r13 = 0x00007ffec63bd840 r14 = 0x00007ffec63bcfc8
r15 = 0x00007ffec63bd6d8 rip = 0x000063d690489f8f
Found by: call frame info
21 chrome!content::BrowserMain(content::MainFunctionParams const&) [browser_main.cc : 46 + 0x6]
rbx = 0x00001be6a5f19ca0 rbp = 0x00000000ffffffff
rsp = 0x00007ffec63bcde0 r12 = 0x00007ffec63bcff8
r13 = 0x00007ffec63bd840 r14 = 0x00007ffec63bcfc8
r15 = 0x00007ffec63bd6d8 rip = 0x000063d690482686
Found by: call frame info
22 chrome!content::RunNamedProcessTypeMain(std::string const&, content::MainFunctionParams const&, content::ContentMainDelegate*) [content_main_runner.cc : 438 + 0x7]
rbx = 0x0000000000000000 rbp = 0x00007ffec63bcff8
rsp = 0x00007ffec63bce10 r12 = 0x00007ffec63bcff8
r13 = 0x00007ffec63bd840 r14 = 0x00007ffec63bcfc8
r15 = 0x00007ffec63bd6d8 rip = 0x000063d691c0c617
Found by: call frame info
23 chrome!content::ContentMainRunnerImpl::Run() [content_main_runner.cc : 740 + 0x8]
rbx = 0x0000000000000000 rbp = 0x00007ffec63bcff8
rsp = 0x00007ffec63bcfc0 r12 = 0x00007ffec63bd670
r13 = 0x00007ffec63bd840 r14 = 0x00001be6a5ee6f80
r15 = 0x00001be6a5edfd80 rip = 0x000063d691c0d2ca
Found by: call frame info
24 chrome!service_manager::Main(service_manager::MainParams const&) [main.cc : 179 + 0xa]
rbx = 0x0000000000000000 rbp = 0x00000000ffffffff
rsp = 0x00007ffec63bd340 r12 = 0x00007ffec63bd670
r13 = 0x00007ffec63bd840 r14 = 0x000063d6985639c8
r15 = 0x00007ffec63bd658 rip = 0x000063d6935b2a5d
Found by: call frame info
25 chrome!content::ContentMain(content::ContentMainParams const&) [content_main.cc : 19 + 0x8]
rbx = 0x00007ffec63bd710 rbp = 0x000000000000001d
rsp = 0x00007ffec63bd650 r12 = 0x000063d697217660
r13 = 0x00007ffec63bd840 r14 = 0x00007ffec63bd670
r15 = 0x00007ffec63bd658 rip = 0x000063d691c0be52
Found by: call frame info
26 chrome!ChromeMain [chrome_main.cc : 123 + 0x5]
rbx = 0x00007ffec63bd848 rbp = 0x000000000000001d
rsp = 0x00007ffec63bd6d0 r12 = 0x000063d697217660
r13 = 0x00007ffec63bd840 r14 = 0x00001be6a5ee6f80
r15 = 0x0000000000000000 rip = 0x000063d68fe79524
Found by: call frame info
27 libc-2.23.so + 0x20816
rbx = 0x0000000000000000 rbp = 0x00007ffec63bd820
rsp = 0x00007ffec63bd760 r12 = 0x000063d697217660
r13 = 0x00007ffec63bd840 r14 = 0x0000000000000000
r15 = 0x0000000000000000 rip = 0x0000742c9b7d0816
Found by: call frame info
28 chrome!frame_dummy + 0x30
rbp = 0x00007ffec63bd820 rsp = 0x00007ffec63bd780
rip = 0x000063d68fe79440
Found by: stack scanning
29 chrome + 0x814e660
rbp = 0x00007ffec63bd820 rsp = 0x00007ffec63bd798
rip = 0x000063d697217660
Found by: stack scanning
30 ld-2.23.so + 0xfbcc
rbp = 0x00007ffec63bd820 rsp = 0x00007ffec63bd7f0
rip = 0x0000742c9cda1bcc
Found by: stack scanning
31 chrome + 0xdb02e0
rbp = 0x00007ffec63bd820 rsp = 0x00007ffec63bd808
rip = 0x000063d68fe792e0
Found by: stack scanning
32 chrome!_start + 0x29
rsp = 0x00007ffec63bd830 rip = 0x000063d68fe79309
Found by: stack scanning
33 0x7ffec63bd838
rsp = 0x00007ffec63bd838 rip = 0x00007ffec63bd838
Found by: call frame info