Issue 735217
Issue metadata

Status: Fixed
Closed: Jun 2017
OS: Linux
Pri: 1
Type: Bug

Recording a "Frame Viewer" trace at chrome://tracing crashes chrome

Reported by flackr@chromium.org (Project Member), Jun 20 2017

Issue description

Chrome Version: 61.0.3135.4 (Official Build) dev (64-bit)
OS: Linux

What steps will reproduce the problem?
(1) Open a new tab
(2) Navigate to chrome://tracing
(3) Click record
(4) Select "Frame Viewer"
(5) Click Record

What is the expected result?
A trace can be recorded.

What happens instead?
Chrome crashes with the following trace:
Received signal 11 SEGV_MAPERR 000000000000
#0 0x7f51d1ac6a87 base::debug::StackTrace::StackTrace()
#1 0x7f51d1ac65ff base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f51d1c06330 <unknown>
#3 0x7f51cd9a815c cc::DisplayItemList::CreateTracedValue()
#4 0x7f51cd9a7fb2 cc::DisplayItemList::EmitTraceSnapshot()
#5 0x7f51ce4ed0c7 cc::RecordingSource::FinishDisplayItemListUpdate()
#6 0x7f51ce4e84bd cc::PictureLayer::Update()
#7 0x7f51ce58d0d9 cc::LayerTreeHost::DoUpdateLayers()
#8 0x7f51ce58cba2 cc::LayerTreeHost::UpdateLayers()
#9 0x7f51ce5c684b cc::ProxyMain::BeginMainFrame()
#10 0x7f51ce5c58b0 _ZN4base8internal7InvokerINS0_9BindStateIMN2cc9ProxyMainEFvSt10unique_ptrINS3_28BeginMainFrameAndCommitStateESt14default_deleteIS6_EEEJNS_7WeakPtrIS4_EENS0_13PassedWrapperIS9_EEEEEFvvEE7RunImplISB_St5tupleIJSD_SF_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#11 0x7f51d1ac73a0 base::debug::TaskAnnotator::RunTask()
#12 0x7f51cad15fa8 blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#13 0x7f51cad142bf blink::scheduler::TaskQueueManager::DoWork()
#14 0x7f51d1ac73a0 base::debug::TaskAnnotator::RunTask()
#15 0x7f51d1aec0bd base::MessageLoop::RunTask()
#16 0x7f51d1aec408 base::MessageLoop::DeferOrRunPendingTask()
#17 0x7f51d1aec9ff base::MessageLoop::DoDelayedWork()
#18 0x7f51d1aed82d base::MessagePumpDefault::Run()
#19 0x7f51d1b1517e base::RunLoop::Run()
#20 0x7f51cfb65a0c content::RendererMain()
#21 0x7f51cfc60f8a content::RunZygote()
#22 0x7f51cfc61e18 content::ContentMainRunnerImpl::Run()
#23 0x7f51d1fde156 service_manager::Main()
#24 0x7f51cfc60d72 content::ContentMain()
#25 0x562b5621701c ChromeMain
#26 0x7f51c6949f45 __libc_start_main
#27 0x562b56216e7f <unknown>
  r8: 0000000000000058  r9: 00007f51d1bdb340 r10: 0000000000000000 r11: 0000000000000246
 r12: 0000142edc706900 r13: 00007ffcae674330 r14: 000000000000000c r15: 0000000000000000
  di: 0000142edc6bda88  si: 0000000000000040  bp: 0000142edc6bda80  bx: 0000000000000000
  dx: 0000142edc71fe14  ax: 0000000000000000  cx: 0000142edc7069a8  sp: 00007ffcae674140
  ip: 00007f51cd9a815c efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Received signal 11 SEGV_MAPERR 000000000000
#0 0x7feff76dfa87 base::debug::StackTrace::StackTrace()
#1 0x7feff76df5ff base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7feff781f330 <unknown>
#3 0x7feff35c115c cc::DisplayItemList::CreateTracedValue()
#4 0x7feff35c0fb2 cc::DisplayItemList::EmitTraceSnapshot()
#5 0x7feff41060c7 cc::RecordingSource::FinishDisplayItemListUpdate()
#6 0x7feff41014bd cc::PictureLayer::Update()
#7 0x7feff41a60d9 cc::LayerTreeHost::DoUpdateLayers()
#8 0x7feff41a5ba2 cc::LayerTreeHost::UpdateLayers()
#9 0x7feff41e4841 cc::SingleThreadProxy::BeginMainFrame()
#10 0x7feff76e03a0 base::debug::TaskAnnotator::RunTask()
#11 0x7feff77050bd base::MessageLoop::RunTask()
#12 0x7feff7705408 base::MessageLoop::DeferOrRunPendingTask()
#13 0x7feff7705841 base::MessageLoop::DoWork()
#14 0x7feff7706c29 base::MessagePumpGlib::Run()
#15 0x7feff772e17e base::RunLoop::Run()
#16 0x560066a32ddf ChromeBrowserMainParts::MainMessageLoopRun()
#17 0x7feff5231192 content::BrowserMainLoop::RunMainMessageLoopParts()
#18 0x7feff5233e9d content::BrowserMainRunnerImpl::Run()
#19 0x7feff522c978 content::BrowserMain()
#20 0x7feff587ae18 content::ContentMainRunnerImpl::Run()
#21 0x7feff7bf7156 service_manager::Main()
#22 0x7feff5879d72 content::ContentMain()
#23 0x56006648c01c ChromeMain
#24 0x7fefec562f45 __libc_start_main
#25 0x56006648be7f <unknown>
  r8: 0000000000000058  r9: 00007feff77f42c0 r10: 0000000000000000 r11: 0000000000000246
 r12: 00001204a04b1d80 r13: 00007fffcf79d4e0 r14: 000000000000000c r15: 0000000000000000
  di: 00001204a07d0cf8  si: 0000000000000040  bp: 00001204a07d0cf0  bx: 0000000000000000
  dx: 00001204a08ac234  ax: 0000000000000000  cx: 00001204a04b1e28  sp: 00007fffcf79d2f0
  ip: 00007feff35c115c efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.

I bisected this crash to f4730d5033656a932a06a3d6465fd3be9591b9c3 (https://chromium-review.googlesource.com/506430). Assigning to danakj to triage.


Comment 1 by danakj@chromium.org, Jun 20 2017

Status: Started (was: Untriaged)

Comment 2 by danakj@chromium.org, Jun 20 2017

Labels: -Pri-3 Pri-1

Comment 3 by danakj@chromium.org, Jun 20 2017

Cc: vmp...@chromium.org enne@chromium.org

Comment 4 by danakj@chromium.org, Jun 20 2017

Suspect this happens as of https://chromium.googlesource.com/chromium/src/+/ea95edfd6

The visual rect array is empty, but the PaintOpBuffer has 50 ops in it.
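
The mismatch described in this comment (a per-op rect array that is empty while the op buffer holds 50 entries) is the classic parallel-array hazard: a loop driven by one array's length indexes the other. An empty std::vector has a null data pointer, so indexing it reads near address 0, which is consistent with the SEGV_MAPERR at 000000000000 in the report. The following is an added illustration, not Chromium's cc::DisplayItemList code; the struct, function and op names are hypothetical stand-ins. The unchecked walk shows the failure shape and the checked walk shows the size guard. The fix that actually landed (comment 10) took a different route and stopped emitting visual rects from tracing altogether.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in (not Chromium's cc::DisplayItemList): paint ops and
// their per-op visual rects live in two parallel vectors that are expected to
// have the same length.
struct Rect {
  int x, y, width, height;
};

struct DisplayItemListLike {
  std::vector<std::string> ops;    // stand-in for PaintOpBuffer entries
  std::vector<Rect> visual_rects;  // parallel to ops; empty outside unit tests
};

static std::string RectToString(const Rect& r) {
  return std::to_string(r.x) + "," + std::to_string(r.y) + "," +
         std::to_string(r.width) + "," + std::to_string(r.height);
}

// Unsafe form of the tracing walk: it assumes visual_rects[i] exists for every
// op. With an empty visual_rects the vector's data pointer is null, so the
// index reads from address 0 plus a small offset. Shown for contrast only;
// nothing below calls it.
std::string TraceOpsUnchecked(const DisplayItemListLike& list) {
  std::string out;
  for (size_t i = 0; i < list.ops.size(); ++i) {
    const Rect& r = list.visual_rects[i];  // out of bounds when sizes differ
    out += list.ops[i] + " rect=" + RectToString(r) + "\n";
  }
  return out;
}

// Checked form: emit rects only when the "parallel" array really is parallel.
// One output line per op, so the line count equals the number of ops traced.
std::string TraceOpsChecked(const DisplayItemListLike& list) {
  const bool have_rects = list.visual_rects.size() == list.ops.size();
  std::string out;
  for (size_t i = 0; i < list.ops.size(); ++i) {
    out += list.ops[i];
    if (have_rects) out += " rect=" + RectToString(list.visual_rects[i]);
    out += "\n";
  }
  return out;
}

// Number of ops present in a trace produced by TraceOpsChecked.
size_t CountTracedOps(const std::string& trace) {
  size_t n = 0;
  for (char c : trace) n += (c == '\n');
  return n;
}

// Constructed sample matching the report: 50 ops, no visual rects.
DisplayItemListLike MakeProductionLikeList() {
  DisplayItemListLike list;
  for (int i = 0; i < 50; ++i) list.ops.push_back("DrawRect#" + std::to_string(i));
  return list;
}

// Constructed sample matching the unit-test situation: one rect per op.
DisplayItemListLike MakeTestLikeList() {
  DisplayItemListLike list;
  list.ops = {"Save", "DrawRect", "Restore"};
  list.visual_rects = {{0, 0, 10, 10}, {1, 2, 3, 4}, {0, 0, 10, 10}};
  return list;
}
```

The guard is deliberately an equality check rather than `i < visual_rects.size()`: a partially filled rect array would silently attach the wrong rect to the wrong op, which is harder to notice than a missing field in the trace.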

Comment 6 by danakj@chromium.org, Jun 20 2017

That change has only made it to dev so far, so no merges should be needed :3

Comment 7 by danakj@chromium.org, Jun 20 2017

Components: Internals>Compositing>Rasterization
Cc: senorblanco@chromium.org
/sub

Comment 9 by danakj@chromium.org, Jun 21 2017

https://chromium-review.googlesource.com/c/541938/ if you want a local patch

Comment 10 by bugdroid1@chromium.org, Jun 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4e67ff77a768dc68734539361280fed92136ada1

commit 4e67ff77a768dc68734539361280fed92136ada1
Author: danakj <danakj@chromium.org>
Date: Wed Jun 21 17:56:02 2017

cc: Stop trying to add visual rects to tracing.

These are only added in unit tests, in production they are always empty
so stop doing this. That way we also avoid crashing because the visual
rects array is empty.

R=vmpstr@chromium.org

Bug: 735217
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I01032ec5de7d3a5239fb193762cae6872b2d1af6
Reviewed-on: https://chromium-review.googlesource.com/541938
Reviewed-by: Vladimir Levin <vmpstr@chromium.org>
Commit-Queue: danakj <danakj@chromium.org>
Cr-Commit-Position: refs/heads/master@{#481240}
[modify] https://crrev.com/4e67ff77a768dc68734539361280fed92136ada1/cc/paint/display_item_list.cc
[modify] https://crrev.com/4e67ff77a768dc68734539361280fed92136ada1/cc/paint/display_item_list.h
[modify] https://crrev.com/4e67ff77a768dc68734539361280fed92136ada1/cc/paint/display_item_list_unittest.cc
[modify] https://crrev.com/4e67ff77a768dc68734539361280fed92136ada1/cc/test/fake_content_layer_client.cc

Status: Fixed (was: Started)