Shutdown crash in exo::SurfaceTreeHost::SubmitCompositorFrame() since 63.0.3239.0
Issue description

(CCing ARC constables this week.)

Chrome Version: 63.0.3239.0
OS: Chrome OS R63-10034.0.0

What steps will reproduce the problem?
(1) ARC autotests are almost always crashing in the background during Chrome shutdown. For instance:
https://pantheon.corp.google.com/storage/browser/chromeos-autotest-results/149169711-chromeos-test/chromeos4-row8-rack4-host12/debug/

Operating system: Linux
                  0.0.0 Linux 3.14.0 #1 SMP PREEMPT Sat Oct 14 12:03:08 PDT 2017 x86_64
CPU: amd64
     family 6 model 61 stepping 4
     1 CPU
GPU: UNKNOWN

Crash reason: SIGSEGV
Crash address: 0x0
Process uptime: not available

Thread 0 (crashed)
 0  chrome!exo::SurfaceTreeHost::SubmitCompositorFrame() [surface_tree_host.cc : 324 + 0x0]
    Found by: given as instruction pointer in context
 1  chrome!non-virtual thunk to exo::SurfaceTreeHost::OnLostResources() [surface_tree_host.cc : 294 + 0x8]
    Found by: call frame info
 2  chrome!content::GpuProcessTransportFactory::RemoveCompositor(ui::Compositor*) [gpu_process_transport_factory.cc : 734 + 0x9]
    Found by: call frame info
 3  chrome!ui::Compositor::~Compositor() [compositor.cc : 235 + 0x9]
    Found by: call frame info
 4  chrome!std::unique_ptr<SkRasterHandleAllocator, std::default_delete<SkRasterHandleAllocator> >::operator bool() const [compositor.cc : 216 + 0x5]
    Found by: call frame info
 5  chrome!SkTArray<GrResourceIOProcessor::BufferAccess const*, true>::count() const [window_tree_host_platform.cc : 71 + 0x5]
    Found by: call frame info
 6  chrome!std::_Rb_tree_const_iterator<std::pair<ntp_tiles::SectionType const, std::vector<ntp_tiles::NTPTile, std::allocator<ntp_tiles::NTPTile> > > >::operator==(std::_Rb_tree_const_iterator<std::pair<ntp_tiles::SectionType const, std::vector<ntp_tiles::NTPTile, std::allocator<ntp_tiles::NTPTile> > > > const&) const [ash_window_tree_host_platform.cc : 39 + 0x8]
    Found by: call frame info
 7  chrome!ash::RootWindowController::~RootWindowController() [unique_ptr.h : 76 + 0x6]
    Found by: call frame info
 8  chrome!ash::RootWindowController::~RootWindowController() [root_window_controller.cc : 277 + 0x5]
    Found by: call frame info
 9  chrome!ash::WindowTreeHostManager::Shutdown() [window_tree_host_manager.cc : 221 + 0xc]
    Found by: call frame info
10  chrome!ash::Shell::~Shell() [shell.cc : 795 + 0x5]
    Found by: call frame info
11  chrome!<name omitted> [shell.cc : 651 + 0x5]
    Found by: call frame info
12  chrome!AshInit::~AshInit() [ash_init.cc : 143 + 0x5]
    Found by: call frame info
13  chrome!ChromeBrowserMainExtraPartsAsh::PostMainMessageLoopRun() [unique_ptr.h : 76 + 0x8]
    Found by: call frame info
14  chrome!ChromeBrowserMainParts::PostMainMessageLoopRun() [chrome_browser_main.cc : 1943 + 0x3]
    Found by: call frame info
15  chrome!chromeos::ChromeBrowserMainPartsChromeos::PostMainMessageLoopRun() [chrome_browser_main_chromeos.cc : 1159 + 0x8]
    Found by: call frame info
16  chrome!content::BrowserMainLoop::ShutdownThreadsAndCleanUp() [browser_main_loop.cc : 1238 + 0x3]
    Found by: call frame info
17  chrome!content::BrowserMainRunnerImpl::Shutdown() [browser_main_runner.cc : 200 + 0x5]
    Found by: call frame info
18  chrome!content::BrowserMain(content::MainFunctionParams const&) [browser_main.cc : 48 + 0x6]
    Found by: call frame info
19  chrome!content::ContentMainRunnerImpl::Run() [content_main_runner.cc : 709 + 0x8]
    Found by: call frame info
20  chrome!service_manager::Main(service_manager::MainParams const&) [main.cc : 453 + 0xa]
    Found by: call frame info
21  chrome!content::ContentMain(content::ContentMainParams const&) [content_main.cc : 19 + 0x8]
    Found by: call frame info
22  chrome!ChromeMain [chrome_main.cc : 123 + 0x5]
    Found by: call frame info
23  libc-2.23.so!__libc_start_main [libc-start.c : 289 + 0x1a]
    Found by: call frame info
24  chrome!_start + 0x29
    Found by: call frame info
25  0x7ffeb0e719b8
    Found by: call frame info

Two changes are touching exo::SurfaceTreeHost in the regression range: Peng (https://chromium-review.googlesource.com/716663), and David (https://chromium-review.googlesource.com/696648). Could you take a look?

The crash is inside AshInit::~AshInit(). I guess at this point exo::WMHelper (in exo_parts_) is already released and null?
https://cs.chromium.org/chromium/src/chrome/browser/ui/views/ash/chrome_browser_main_extra_parts_ash.h?type=cs&l=66
Oct 16 2017
Actually. It seems like my change is fine. Although kinda bad that we might register a shell observer while the shell is shutting down. This looks related to the sync token change. penghuang@, can you take a look?
Oct 17 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cc1ff3dda1bcbfb310cbd0299dc0b19e1b7d684e

commit cc1ff3dda1bcbfb310cbd0299dc0b19e1b7d684e
Author: Peng Huang <penghuang@chromium.org>
Date: Tue Oct 17 15:34:35 2017

exo: Fix crash during chrome shutdown

The crash is because wayland resources are leaked. This CL fixes the
problem by releasing all wayland resources with wl_display.

Bug: 774920
Change-Id: I91e7085e98551aea637da72e4237b6035831f689
Reviewed-on: https://chromium-review.googlesource.com/721737
Reviewed-by: David Reveman <reveman@chromium.org>
Commit-Queue: Peng Huang <penghuang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509394}

[modify] https://crrev.com/cc1ff3dda1bcbfb310cbd0299dc0b19e1b7d684e/components/exo/wayland/scoped_wl.cc
Oct 19 2017
Issue 775600 has been merged into this issue.
Oct 20 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b86a9a4e5d78c9be2b4dda31ee7cbc5d8089d17a

commit b86a9a4e5d78c9be2b4dda31ee7cbc5d8089d17a
Author: Peng Huang <penghuang@chromium.org>
Date: Fri Oct 20 01:30:21 2017

exo: Fix crash during chrome shutdown

The crash is because wayland resources are leaked. This CL fixes the
problem by releasing all wayland resources with wl_display.

(cherry picked from commit cc1ff3dda1bcbfb310cbd0299dc0b19e1b7d684e)

Bug: 774920
Change-Id: I91e7085e98551aea637da72e4237b6035831f689
Reviewed-on: https://chromium-review.googlesource.com/721737
Reviewed-by: David Reveman <reveman@chromium.org>
Commit-Queue: Peng Huang <penghuang@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#509394}
Reviewed-on: https://chromium-review.googlesource.com/729324
Reviewed-by: Grace Kihumba <gkihumba@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#98}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}

[modify] https://crrev.com/b86a9a4e5d78c9be2b4dda31ee7cbc5d8089d17a/components/exo/wayland/scoped_wl.cc
Nov 11 2017
Not seeing this crash anymore. Closing this bug, on M64 dev build (10115.0.0, 64.0.3264.0).
Comment 1 by reve...@chromium.org, Oct 16 2017
Owner: reve...@chromium.org