Webview sandboxed_process crashed in Compositor thread
Reported by
julian....@mediatek.com,
Oct 24 2017
Issue description

THIS TEMPLATE IS FOR FILING BUGS ON THE ANDROID SYSTEM WEBVIEW. GENERAL WEB BUGS SHOULD BE FILED USING A DIFFERENT TEMPLATE!

Device name: Mediatek Helio P20 based platform
Android version: 8.0.0
WebView version: Android WebView 58.0.3029.125
Application: com.android.webview:sandboxed_process1
Application version: N/A
URLs (if applicable): N/A

Steps to reproduce:
Execute MTBF auto test case

Expected result:
No native crash

Actual result:
WebView sandboxed_process crashed during the MTBF auto test.
We don't know which app the crashed WebView was used by (not included in the log), and it seems not related to the test case running in the foreground.

10-22 11:22:37.773175 11295 11317 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-22 11:22:37.773753 11295 11317 F DEBUG : Build fingerprint: 'alps/full_k57pv1_64/k57pv1_64:8.0.0/O00623/1507846185:eng/dev-keys'
10-22 11:22:37.773912 11295 11317 F DEBUG : Revision: '0'
10-22 11:22:37.774325 11295 11317 F DEBUG : ABI: 'arm'
10-22 11:22:37.774482 11295 11317 F DEBUG : pid: 11295, tid: 11317, name: com.android.webview:sandboxe >>> dboxed_process1 <<<
10-22 11:22:37.774647 11295 11317 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGWV_MAPERR), fault addr 0x84
10-22 11:22:37.775129 11295 11317 F DEBUG : Cause: null pointer dereference
10-22 11:22:37.803132 11295 11317 F DEBUG : r0 00000000 r1 e9418718 r2 00000000 r3 e94396c8
10-22 11:22:37.803303 11295 11317 F DEBUG : r4 e9418700 r5 df170654 r6 d5f7f270 r7 00000000
10-22 11:22:37.803378 11295 11317 F DEBUG : r8 d5f7f398 r9 df1903d0 sl 00000000 fp eaaba218
10-22 11:22:37.803457 11295 11317 F DEBUG : ip 00000001 sp d5f7f228 lr dd23481f pc dd234640 cpsr 60010030
10-22 11:22:37.815614 11295 11317 F DEBUG :
10-22 11:22:37.815614 11295 11317 F DEBUG : backtrace:
10-22 11:22:37.815880 11295 11317 F DEBUG : #00 pc 00734640 /system/app/webview/webview.apk (offset 0x457c000)
,
Oct 25 2017
I checked the latest Android 8.0 branches/tags: https://android.googlesource.com/platform/external/chromium-webview/+log/1c61257c834ea5ce2161d12de6cfe0e21b5f7ed8 It seems the latest Android WebView is still 58.0.3029.125 (not the Google WebView from GMS). If WebView M61 fixed this native crash, would you release it to AOSP? Thanks.
,
Oct 25 2017
From Android N the WebView and Chrome packages were combined in order to reduce the update size for users. Updating Chrome also updates WebView. This means that in the Play store the WebView package will appear to be permanently disabled. The Play store WebView entry is only relevant for users with older operating systems, and users who have decided to disable Chrome. If you need, or are being asked by an application, to update WebView, the action you should take now is to UPDATE CHROME. This should resolve any issues you are currently experiencing. Please let us know by updating the versions and provide the latest behavior. Thanks in Advance.
,
Oct 25 2017
The scenario you described is for projects with GMS. Actually, this project is an AOSP project without GMS. Neither Google WebView nor Chrome is in the WebView implementation list (config_webview_packages.xml). Even if we install the latest Chrome on this project, it won't become the default WebView implementation. Users can't switch the WebView implementation to Chrome unless we modify config_webview_packages.xml. Anyway, we can't check the AOSP WebView native crash without the (unstripped) libwebviewchromium.so symbols. Reporting the crash log to this forum won't help; you guys always ask us to update the WebView version. Are you suggesting that we use Chrome as the WebView implementation in pure AOSP projects (without GMS)? Thanks.
,
Oct 25 2017
Thank you for providing more feedback. Adding requester "msrchandra@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 25 2017
,
Oct 25 2017
Please ignore comment 3; that's not relevant here. The prebuilt binaries in AOSP are provided as a convenience to make sure that AOSP has a functional webview out of the box. You are expected to be able to compile your own updated webview from the Chromium sources (the accompanying README should reference all the documentation needed to do this). We don't currently have a process in place to update the AOSP webview binaries other than when Android releases a new version. (Also, if you are shipping AOSP products, then it's also your responsibility to update the WebView on devices after they ship, via your own store/update mechanisms.)
,
Nov 20 2017
The log in the OP symbolizes to:

 0 libwebviewchromium.so!gpu::SharedState<gpu::CommandBuffer::State>::Read(gpu::CommandBuffer::State*) [atomic : 653 + 0x0]
 1 libwebviewchromium.so!gpu::CommandBufferProxyImpl::TryUpdateState() [command_buffer_proxy_impl.cc : 773 + 0x9]
 2 libwebviewchromium.so!gpu::CommandBufferProxyImpl::WaitForGetOffsetInRange(int, int) [command_buffer_proxy_impl.cc : 394 + 0x5]
 3 libwebviewchromium.so!gpu::CommandBufferHelper::WaitForGetOffsetInRange(int, int) [cmd_buffer_helper.cc : 168 + 0xb]
 4 libwebviewchromium.so!gpu::CommandBufferHelper::Finish() [cmd_buffer_helper.cc : 223 + 0x9]
 5 libwebviewchromium.so!gpu::gles2::GLES2Implementation::WaitForCmd() [gles2_implementation.cc : 477 + 0x5]
 6 libwebviewchromium.so!gpu::gles2::GLES2Implementation::FreeEverything() [gles2_implementation.cc : 361 + 0x3]
 7 libwebviewchromium.so!gpu::gles2::GLES2Implementation::SetAggressivelyFreeResources(bool) [gles2_implementation.cc : 436 + 0x7]
 8 libwebviewchromium.so!cc::LayerTreeHostImpl::SetContextVisibility(bool) [layer_tree_host_impl.cc : 4149 + 0x1]
 9 libwebviewchromium.so!cc::TileManager::CheckAndIssueSignals() [tile_manager.cc : 1154 + 0x5]
10 libwebviewchromium.so!base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) [callback.h : 68 + 0x3]
11 libwebviewchromium.so!base::MessageLoop::RunTask(base::PendingTask*) [message_loop.cc : 423 + 0xd]
12 libwebviewchromium.so!base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) [message_loop.cc : 434 + 0x7]
13 libwebviewchromium.so!base::MessageLoop::DoWork() [message_loop.cc : 527 + 0x7]
14 libwebviewchromium.so!base::MessagePumpDefault::Run(base::MessagePump::Delegate*) [message_pump_default.cc : 33 + 0x7]
15 libwebviewchromium.so!base::RunLoop::Run() [run_loop.cc : 37 + 0x5]
16 libwebviewchromium.so!base::Thread::ThreadMain() [thread.cc : 333 + 0x7]
17 libwebviewchromium.so!ThreadFunc [platform_thread_posix.cc : 71 + 0x7]

I haven't seen this before, and can't find it in existing bugs.
Could you try reproducing this with a newer version of WebView please? (61/62)
,
Nov 21 2017
Thank you for symbolizing it. We met another Compositor thread crash a couple of weeks ago, still on WebView 58 (Breakpad microdump attached). We will switch the MTBF auto test to WebView 61 soon.
,
Nov 21 2017
Thank you for providing more feedback. Adding requester "gsennton@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 21 2017
Ok, I'm gonna add the needs-feedback label here again, please comment again on this bug when you have tried running the tests with 61.
,
Dec 12 2017
Hi, we encountered another compositor thread crash on WebView 61. We are not sure whether this crash is a segmentation fault or not, because WebView 61 has a seccomp-BPF and debuggerd issue (crbug.com/781110), but the log shows the exit code is 11.

12-09 11:48:55.820596 18459 18530 E chromium: [ERROR:aw_browser_terminator.cc(132)] Renderer process (18867) crash detected (code 11).
,
Dec 12 2017
Operating system: Android
alps/full_k71v1_64_bsp/k71v1_64_bsp:8.1.0/O11019/1512540500:eng/dev-keys
CPU: arm
8 CPUs
GPU: UNKNOWN
Crash reason:
Crash address: 0x0
Process uptime: not available
Thread 0 (crashed)
0 libwebviewchromium.so!cc::AnimationPlayer::TickAnimation(base::TimeTicks, cc::Animation*, cc::AnimationTarget*) [animation.h : 64 + 0x0]
r0 = 0x59bc8d56 r1 = 0x00000000 r2 = 0x00000000 r3 = 0xd43efa30
r4 = 0x00000000 r5 = 0x59bc8d56 r6 = 0xd43ef7b0 r7 = 0xd3765278
r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 r12 = 0x0166add8
fp = 0x00000000 sp = 0xda37ed00 lr = 0xe1e93243 pc = 0xe1e93f76
Found by: given as instruction pointer in context
1 libwebviewchromium.so!cc::AnimationPlayer::Tick(base::TimeTicks) [animation_player.cc : 778 + 0x5]
r4 = 0x0defaced r5 = 0x0defaced r6 = 0x0defaced r7 = 0x0defaced
r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000
sp = 0xda37ed38 pc = 0xe1e93243
Found by: call frame info
2 libwebviewchromium.so!cc::AnimationHost::TickAnimations(base::TimeTicks) [animation_host.cc : 296 + 0x7]
r4 = 0x0defaced r5 = 0x0defaced r6 = 0x0defaced r7 = 0x0defaced
r8 = 0x0defaced r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000
sp = 0xda37ed50 pc = 0xe1e91907
Found by: call frame info
3 libwebviewchromium.so!cc::LayerTreeHostImpl::AnimateLayers(base::TimeTicks) [layer_tree_host_impl.cc : 3852 + 0x1]
r4 = 0x0defaced r5 = 0x0defaced r6 = 0x0defaced r7 = 0x00000000
r8 = 0x0defaced r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000
sp = 0xda37edd8 pc = 0xe19fa639
Found by: call frame info
4 libwebviewchromium.so!cc::LayerTreeHostImpl::AnimateInternal(bool) [layer_tree_host_impl.cc : 483 + 0xf]
r4 = 0x00000088 r5 = 0x0defaced r6 = 0x0defaced r7 = 0x00000000
r8 = 0x0defaced r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000
sp = 0xda37edf0 pc = 0xe19f3459
Found by: call frame info
5 libwebviewchromium.so!cc::LayerTreeHostImpl::WillBeginImplFrame(cc::BeginFrameArgs const&) [layer_tree_host_impl.cc : 455 + 0xb]
r4 = 0x00000088 r5 = 0x0defaced r6 = 0x00000000 r7 = 0x0defaced
r8 = 0x00000001 r9 = 0x0defaced r10 = 0x00000000 fp = 0x00000000
sp = 0xda37ee50 pc = 0xe19f7083
Found by: call frame info
6 libwebviewchromium.so!cc::Scheduler::BeginImplFrame(cc::BeginFrameArgs const&, base::TimeTicks) [scheduler.cc : 472 + 0x3]
r4 = 0xe1a11777 r5 = 0x0defaced r6 = 0x0defaced r7 = 0x00000001
r8 = 0xda37f101 r9 = 0xe13d0369 r10 = 0x0defaced fp = 0x00000004
sp = 0xda37eea0 pc = 0xe19cc607
Found by: call frame info
7 libwebviewchromium.so!cc::Scheduler::BeginImplFrameSynchronous(cc::BeginFrameArgs const&) [scheduler.cc : 427 + 0x7]
r4 = 0x0defaced r5 = 0xda37f0b0 r6 = 0x0defaced r7 = 0x00000000
r8 = 0xe332c7a5 r9 = 0x00000000 r10 = 0x0defaced fp = 0xda37f4a8
sp = 0xda37ef28 pc = 0xe19cbe67
Found by: call frame info
8 libwebviewchromium.so!cc::Scheduler::OnBeginFrameDerivedImpl(cc::BeginFrameArgs const&) [scheduler.cc : 283 + 0x7]
r4 = 0x0defaced r5 = 0xda37f0b0 r6 = 0x0defaced r7 = 0x00000000
r8 = 0xe332c7a5 r9 = 0x00000000 r10 = 0x0defaced fp = 0xda37f4a8
sp = 0xda37efb8 pc = 0xe19cbaeb
Found by: call frame info
9 libwebviewchromium.so!cc::BeginFrameObserverBase::OnBeginFrame(cc::BeginFrameArgs const&) [begin_frame_source.cc : 45 + 0x7]
r4 = 0x0defaced r5 = 0xda37f0b0 r6 = 0x0defaced r7 = 0x00000000
r8 = 0xe332c7a5 r9 = 0x00000000 r10 = 0x0defaced fp = 0xda37f4a8
sp = 0xda37f058 pc = 0xe19c7b4b
Found by: call frame info
10 libwebviewchromium.so!cc::ExternalBeginFrameSource::OnBeginFrame(cc::BeginFrameArgs const&) [begin_frame_source.cc : 339 + 0x9]
r4 = 0xda37f0b0 r5 = 0x0defaced r6 = 0x0defaced r7 = 0x00000000
r8 = 0xe332c7a5 r9 = 0x00000000 r10 = 0x0defaced fp = 0xda37f4a8
sp = 0xda37f068 pc = 0xe19c8297
Found by: call frame info
11 libwebviewchromium.so!bool IPC::MessageT<ViewMsg_BeginFrame_Meta, std::__ndk1::tuple<cc::BeginFrameArgs>, void>::Dispatch<content::CompositorExternalBeginFrameSource, content::CompositorExternalBeginFrameSource, void, void (content::CompositorExternalBeginFrameSource::*)(cc::BeginFrameArgs const&)>(IPC::Message const*, content::CompositorExternalBeginFrameSource*, content::CompositorExternalBeginFrameSource*, void*, void (content::CompositorExternalBeginFrameSource::*)(cc::BeginFrameArgs const&)) [tuple.h : 84 + 0x3]
r4 = 0x0defaced r5 = 0x0defaced r6 = 0xda37f0b0 r7 = 0x00000001
r8 = 0xe332c7a5 r9 = 0x00000000 r10 = 0x0defaced fp = 0xda37f4a8
sp = 0xda37f098 pc = 0xe30c999d
Found by: call frame info
12 libwebviewchromium.so!content::CompositorExternalBeginFrameSource::OnMessageReceived(IPC::Message const&) [compositor_external_begin_frame_source.cc : 79 + 0x15]
r4 = 0x0defaced r5 = 0x0defaced r6 = 0xda37f108 r7 = 0x00000001
r8 = 0xe332c7a5 r9 = 0x00000000 r10 = 0x0defaced fp = 0xda37f4a8
sp = 0xda37f0f8 pc = 0xe30c9869
Found by: call frame info
13 libwebviewchromium.so!content::CompositorForwardingMessageFilter::ProcessMessageOnCompositorThread(IPC::Message const&) [callback.h : 80 + 0x1]
r4 = 0x0defaced r5 = 0x0defaced r6 = 0x0defaced r7 = 0x0defaced
r8 = 0xe332c7a5 r9 = 0x00000000 r10 = 0x0defaced fp = 0xda37f4a8
sp = 0xda37f1a8 pc = 0xe30c9c15
Found by: call frame info
14 libwebviewchromium.so!base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) [callback.h : 91 + 0x1]
r4 = 0xda37f3a0 r5 = 0xda37f258 r6 = 0x0defaced r7 = 0x0defaced
r8 = 0xe332c7a5 r9 = 0x00000000 r10 = 0x0defaced fp = 0xda37f4a8
sp = 0xda37f1c8 pc = 0xe13a9e95
Found by: call frame info
15 libwebviewchromium.so!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*) [task_queue_manager.cc : 532 + 0x3]
r4 = 0x00000000 r5 = 0xda37f3b8 r6 = 0x0defaced r7 = 0xda37f368
r8 = 0x00000000 r9 = 0x0defaced r10 = 0x0defaced fp = 0xda37f4a8
sp = 0xda37f300 pc = 0xe240fd31
Found by: call frame info
16 libwebviewchromium.so!blink::scheduler::TaskQueueManager::DoWork(bool) [task_queue_manager.cc : 330 + 0x13]
r4 = 0x0defaced r5 = 0xda37f508 r6 = 0xec291341 r7 = 0x0defaced
r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0xda37f4a8
sp = 0xda37f458 pc = 0xe240f01d
Found by: call frame info
17 libwebviewchromium.so!base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) [callback.h : 91 + 0x1]
r4 = 0xda37f768 r5 = 0xda37f5f0 r6 = 0x0defaced r7 = 0x0defaced
r8 = 0xe31e7b06 r9 = 0x00000000 r10 = 0xda37f810 fp = 0x0defaced
sp = 0xda37f560 pc = 0xe13a9e95
Found by: call frame info
18 libwebviewchromium.so!base::MessageLoop::RunTask(base::PendingTask*) [message_loop.cc : 422 + 0x7]
r4 = 0x00000000 r5 = 0xda37f768 r6 = 0xda37f6d4 r7 = 0xda37f788
r8 = 0xe332c688 r9 = 0x0defaced r10 = 0xda37f810 fp = 0x0defaced
sp = 0xda37f698 pc = 0xe13bde07
Found by: call frame info
19 libwebviewchromium.so!base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) [message_loop.cc : 433 + 0x7]
r4 = 0x0defaced r5 = 0xda37f768 r6 = 0xda37f7b0 r7 = 0xda37f808
r8 = 0x0defaced r9 = 0xda37f7f8 r10 = 0xda37f810 fp = 0x0defaced
sp = 0xda37f740 pc = 0xe13be08f
Found by: call frame info
20 libwebviewchromium.so!base::MessageLoop::DoWork() [message_loop.cc : 540 + 0x7]
r4 = 0x0defaced r5 = 0xda37f768 r6 = 0xda37f7b0 r7 = 0xda37f808
r8 = 0x0defaced r9 = 0xda37f7f8 r10 = 0xda37f810 fp = 0x0defaced
sp = 0xda37f758 pc = 0xe13be27b
Found by: call frame info
21 libwebviewchromium.so!base::MessagePumpDefault::Run(base::MessagePump::Delegate*) [message_pump_default.cc : 33 + 0x7]
r4 = 0x0defaced r5 = 0x0defaced r6 = 0x00000000 r7 = 0x0defaced
r8 = 0x0defaced r9 = 0x00000000 r10 = 0xe13ec445 fp = 0xda37f950
sp = 0xda37f868 pc = 0xe13bf05b
Found by: call frame info
22 libwebviewchromium.so!base::RunLoop::Run() [run_loop.cc : 111 + 0x5]
r4 = 0xda37f908 r5 = 0xda37f880 r6 = 0x0defaced r7 = 0x00000000
r8 = 0xda37f908 r9 = 0x00000000 r10 = 0xe13ec445 fp = 0xda37f950
sp = 0xda37f880 pc = 0xe13d08ff
Found by: call frame info
23 libwebviewchromium.so!base::Thread::ThreadMain() [thread.cc : 338 + 0x5]
r4 = 0x0defaced r5 = 0x0defaced r6 = 0x0defaced r7 = 0x00000000
r8 = 0xda37f908 r9 = 0x00000000 r10 = 0xe13ec445 fp = 0xda37f950
sp = 0xda37f908 pc = 0xe13efe09
Found by: call frame info
24 libwebviewchromium.so!base::(anonymous namespace)::ThreadFunc(void*) [platform_thread_posix.cc : 71 + 0x7]
r4 = 0x0defaced r5 = 0x0defaced r6 = 0xda37f970 r7 = 0x00000078
r8 = 0x0defaced r9 = 0x0defaced r10 = 0xe13ec445 fp = 0xda37f950
sp = 0xda37f938 pc = 0xe13ec48d
Found by: call frame info
25 libc.so + 0x5f312
r4 = 0xda37f970 r5 = 0xda37f970 r6 = 0xda37f970 r7 = 0x00000078
r8 = 0x0defaced r9 = 0x0defaced r10 = 0xe13ec445 fp = 0xda37f950
sp = 0xda37f948 pc = 0xed321314
Found by: call frame info
26 libc.so + 0x5f2ea
sp = 0xda37f94c pc = 0xed3212ec
Found by: stack scanning
27 libwebviewchromium.so!<name omitted> [platform_thread_posix.cc : 261 + 0xb]
sp = 0xda37f950 pc = 0xe13ec445
Found by: stack scanning
28 libc.so + 0x1c1ae
r4 = 0xda37f968 sp = 0xda37f958 pc = 0xed2de1b0
Found by: call frame info
29 libc.so + 0x5f2ea
sp = 0xda37f960 pc = 0xed3212ec
Found by: stack scanning
30 libwebviewchromium.so!<name omitted> [platform_thread_posix.cc : 261 + 0xb]
sp = 0xda37f968 pc = 0xe13ec445
Found by: stack scanning
,
Dec 12 2017
It's not a seccomp issue if it dies with signal 11; it would die with SIGSYS if the sandbox was breaking it. This is just a regular renderer crash. We have a low level of this crash being reported in our crash DB, dating back several versions and still occurring on 62, but no existing bug filed: https://crash.corp.google.com/browse?q=product.name%3D%27AndroidWebView%27%20AND%20STRPOS(custom_data.ChromeCrashProto.magic_signature_1.name%2C%20%27cc%3A%3AAnimationPlayer%3A%3ATickAnimation%27)%20%3E%200&sql_dialect=googlesql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D I don't see any occurrences on 63 yet though (currently being released to stable). It might have been fixed already, but it may just not have rolled out to enough people yet to catch it happening, since it doesn't seem to be very common. May be worth investigating unless we go for a while without seeing any on 63.
,
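The point made in the comment above (a signal 11 death is a plain memory fault, while a seccomp-bpf kill shows up as SIGSYS) is easy to get wrong when triaging MTBF logs by hand, especially since the tombstone in the original report and the aw_browser_terminator line from the later comment use different formats. The following is an added triage helper, not code from this bug or from Chromium: it walks logcat text, recognises both line shapes, and says whether the signal number points at the sandbox or at an ordinary native crash. The sample log lines are constructed for the example, modelled on the two quoted here, with a third (code 31) invented to show the SIGSYS branch; the signal numbers are the Linux ARM values.

```python
import re

# Constructed sample lines, modelled on the two formats quoted in this bug
# (a debuggerd tombstone header and an aw_browser_terminator message). The
# third line is invented to exercise the SIGSYS branch.
SAMPLE_LOG = """\
10-22 11:22:37.774647 11295 11317 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x84
12-09 11:48:55.820596 18459 18530 E chromium: [ERROR:aw_browser_terminator.cc(132)] Renderer process (18867) crash detected (code 11).
12-09 12:01:02.000000 18459 18530 E chromium: [ERROR:aw_browser_terminator.cc(132)] Renderer process (19001) crash detected (code 31).
"""

# Linux (ARM) signal numbers. 11 is SIGSEGV, a memory fault such as the null
# dereference in the OP; 31 is SIGSYS, which is what a seccomp-bpf filter
# delivers when the sandboxed process makes a disallowed syscall.
SIGNAL_NAMES = {4: "SIGILL", 6: "SIGABRT", 7: "SIGBUS", 11: "SIGSEGV", 31: "SIGSYS"}
SIGSYS = 31

# "signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x84"
TOMBSTONE_RE = re.compile(r"signal (\d+) \((\w+)\)")
# "Renderer process (18867) crash detected (code 11)."
TERMINATOR_RE = re.compile(r"Renderer process \((\d+)\) crash detected \(code (\d+)\)")


def classify_crash(line):
    """Return (pid, signal_number, verdict) for a recognised crash line, or
    None if the line is not a crash record.

    pid is None for tombstone lines: the logcat prefix there carries the
    pid/tid of debuggerd's crash dumper, not of the crashed process, and the
    real pid lives on a separate "pid: ..., tid: ..." line."""
    pid = None
    m = TOMBSTONE_RE.search(line)
    if m:
        signum = int(m.group(1))
    else:
        m = TERMINATOR_RE.search(line)
        if not m:
            return None
        pid = int(m.group(1))
        signum = int(m.group(2))

    name = SIGNAL_NAMES.get(signum, "UNKNOWN")
    if signum == SIGSYS:
        verdict = "seccomp-bpf violation (SIGSYS): the sandbox policy killed the process"
    elif signum in (7, 11):
        verdict = "memory fault (%s): ordinary native crash, not a sandbox kill" % name
    else:
        verdict = "%s: not a sandbox kill" % name
    return pid, signum, verdict


def triage(log_text):
    """Classify every crash record in a logcat dump, in order of appearance."""
    results = []
    for line in log_text.splitlines():
        record = classify_crash(line)
        if record is not None:
            results.append(record)
    return results


if __name__ == "__main__":
    for pid, signum, verdict in triage(SAMPLE_LOG):
        print("pid=%s signal=%d: %s" % (pid, signum, verdict))
```

On a real device the input is `adb logcat -d` output; the helper only reads the signal number, so an aw_browser_terminator "code N" line is enough even when, as in the WebView 61 case above, the debuggerd tombstone is missing.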
Jan 23 2018
,
Jan 23 2018
Nothing from 63, so I guess we don't need to look then.