CHECK(!ThreadState::Current()->IsWrapperTracingForbidden()) fails in blink::ScriptWrappableVisitor::TracePrologue |
||||||||||
Issue descriptionChrome Version : 60.0.3080.3 OS Version: 9500.0.0 URLs (if applicable) : https://googlechrome.github.io/samples/service-worker/prefetch-video/index.html Reported from https://github.com/GoogleChrome/samples/issues/506 --- Hi, the following demo crashes the Chrome tab: https://github.com/googlechrome/samples/tree/gh-pages/service-worker/prefetch-video (Actuall demo here: https://googlechrome.github.io/samples/service-worker/prefetch-video/index.html) On the first-time page load it works, but on consequent loads - when the video is served by ServiceWorker - it crashes the tab either right away or after couple of clicks on the timeline and seeking to various (mostly un-buffered) points. It's not very consistent, sometimes it happens after every load, sometimes it needs a lot of clicking around and even multiple page loads. Project of my own has a same problem, but it's not as consistent as this sample. It seems to be related to video size, the bigger the video, the more crashes. I've tried to run Chrome using the --enable-logging flag and it seems that the bug is somehow related to video buffering, but it's hard to tell. Anyway, the log is attached and also the net-internals log. It happens bot on Chrome 57.0.2987.133 (64-bit) and Chrome Canary 59.0.3057.0, running on Windows 10 Pro. logs.zip Not sure if this is the best place to report it, maybe it should be moved somewhere "closer" to the Chrome developers? Update: it also happens on Mac OS. Update 2: It seems that with videos, which are really short (<20s) it never happens. --- Note that I can reproduce as well in Chrome OS.
,
Apr 28 2017
dutton@ said it does not crash in 60.0.3038.0 I can see it crashing in 59.0.3067.0. Would be great to know what fixed it in order to merge to M59.
,
Apr 28 2017
I can reproduce as well in Chrome OS: Google Chrome 60.0.3080.3 (Official Build) canary (64-bit) Revision 0 Platform 9500.0.0 (Official Build) canary-channel samus
,
May 10 2017
I could repro on Chrome Linux 60.0.3088.3. mlippautz@ can you advise? It looks like a failed CHECK in blink::ScriptWrappableVisitor::TracePrologue: 32 mlippautz 7 months // This CHECK ensures that wrapper tracing is not started from scopes 33 mlippautz 7 months // that forbid GC execution, e.g., constructors. 34 Blink Reformat 1 month CHECK(ThreadState::Current()); 35 Blink Reformat 1 month CHECK(!ThreadState::Current()->IsWrapperTracingForbidden()); (failing at line 35) We're entering this function from blink::Response::Create. There are two magic signatures for crashes on this URL[1]: 1) blink::ScriptWrappableVisitor::TracePrologue (this signature is linked to issue 668059 and issue 665401 which are marked fixed since last year) 2) blink::ScriptWrappableVisitor::AdvanceTracing (linked to issue 713667 which was marked fixed recently) Most are for 1). Here are some sample stack traces: crash/06757bfd90000000 0x00005db37f44244a (chrome + 0x04e8444a ) blink::ScriptWrappableVisitor::TracePrologue() 0x00005db37c80d01d (chrome + 0x0224f01d ) v8::internal::IncrementalMarking::StartMarking() 0x00005db37c80f38e (chrome + 0x0225138e ) v8::internal::IncrementalMarking::Step(unsigned long, v8::internal::IncrementalMarking::CompletionAction, v8::internal::IncrementalMarking::ForceCompletionAction, v8::internal::StepOrigin) 0x00005db37c80ebf5 (chrome + 0x02250bf5 ) v8::internal::IncrementalMarking::AdvanceIncrementalMarking(double, v8::internal::IncrementalMarking::CompletionAction, v8::internal::IncrementalMarking::ForceCompletionAction, v8::internal::StepOrigin) 0x00005db380a220f9 (chrome + 0x064640f9 ) blink::V8ArrayBuffer::toImpl(v8::Local<v8::Object>) 0x00005db37fa962a4 (chrome + 0x054d82a4 ) blink::Response::Create(blink::ScriptState*, blink::ScriptValue, blink::ResponseInit const&, blink::ExceptionState&) 0x00005db37f83fe3f (chrome + 0x05281e3f ) blink::V8Response::constructorCallback(v8::FunctionCallbackInfo<v8::Value> const&) 0x00005db37b3675d2 (chrome + 0x00da95d2 ) v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) crash/819b588590000000 0x0fe40f04 (chrome_child.dll -scriptwrappablevisitor.cpp:35 ) blink::ScriptWrappableVisitor::TracePrologue() 0x0ff69fc7 (chrome_child.dll -incremental-marking.cc:522 ) v8::internal::IncrementalMarking::StartMarking() 0x0fc02412 (chrome_child.dll -incremental-marking.cc:1133 ) v8::internal::IncrementalMarking::Step(unsigned int,v8::internal::IncrementalMarking::CompletionAction,v8::internal::IncrementalMarking::ForceCompletionAction,v8::internal::StepOrigin) 0x0fc654b4 (chrome_child.dll -incremental-marking.cc:1036 ) v8::internal::IncrementalMarking::AdvanceIncrementalMarking(double,v8::internal::IncrementalMarking::CompletionAction,v8::internal::IncrementalMarking::ForceCompletionAction,v8::internal::StepOrigin) 0x0ff67001 (chrome_child.dll -heap.cc:957 ) v8::internal::Heap::ReportExternalMemoryPressure() 0x11d1eb54 (chrome_child.dll -arraybuffercontents.h:146 ) WTF::ArrayBufferContents::DataHolder::AdjustAmountOfExternalAllocatedMemory(__int64) 0x11d1eb82 (chrome_child.dll -arraybuffercontents.cpp:181 ) WTF::ArrayBufferContents::DataHolder::Adopt(std::unique_ptr<void,void (*)(void *)>,unsigned int,WTF::ArrayBufferContents::SharingType) 0x11d1ea3a (chrome_child.dll -arraybuffercontents.cpp:76 ) WTF::ArrayBufferContents::ArrayBufferContents(std::unique_ptr<void,void (*)(void *)>,unsigned int,WTF::ArrayBufferContents::SharingType) 0x11dd6806 (chrome_child.dll -v8arraybuffer.cpp:70 ) blink::V8ArrayBuffer::toImpl(v8::Local<v8::Object>) 0x11fcc13b (chrome_child.dll -response.cpp:152 ) blink::Response::Create(blink::ScriptState *,blink::ScriptValue,blink::ResponseInit const &,blink::ExceptionState &) 0x11656f25 (chrome_child.dll -v8response.cpp:308 ) blink::ResponseV8Internal::constructor [1] https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.url.raw%3D%27https%3A%2F%2Fgooglechrome.github.io%2Fsamples%2Fservice-worker%2Fprefetch-video%2Findex.html%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#-property-selector,samplereports:5,magicsignature
,
May 10 2017
Thanks for reporting and the data provided! That's a defensive CHECK avoiding potential heap corruption (which would be much harder to find). Details: The problem is calling into V8 from within the initializer list of a ctor in [1]. [1]: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/modules/fetch/Response.cpp?dr=Ss&l=151
,
May 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e563fd2fa55fd2d327c0f44bcfe6c4c98805bb55 commit e563fd2fa55fd2d327c0f44bcfe6c4c98805bb55 Author: mlippautz <mlippautz@chromium.org> Date: Thu May 11 09:24:04 2017 BodyStreamBuffer: Avoid calling into V8 during construction ::toImpl ca call AdjustAmountOfExternalMemory for ArrayBuffers which can trigger a V8 GC. Avoid being in the constructor when creating a BodyStreamBuffer in Response creation. BUG= chromium:716364 Review-Url: https://codereview.chromium.org/2871143002 Cr-Commit-Position: refs/heads/master@{#470888} [modify] https://crrev.com/e563fd2fa55fd2d327c0f44bcfe6c4c98805bb55/third_party/WebKit/Source/modules/fetch/Response.cpp
,
May 12 2017
+yhirano
,
May 31 2017
This should actually have been fixed with the patch in #6.
,
Jun 1 2017
OP here, great to hear it's fixed :) so does that mean it will be in release 61? |
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by fbeaufort@chromium.org
, Apr 28 2017