New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 783081 link

Starred by 4 users

Issue metadata

Status: Assigned
Owner:
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Regression



Sign in to add a comment

Chrome: Crash Report - [Third party - usermgrproxy.dll] Windows::System::UserMarshalClient::Release

Project Member Reported by cr...@system.gserviceaccount.com, Nov 9 2017

Issue description

reporter:ajha@google.com

Magic Signature: [Third party - usermgrproxy.dll] Windows::System::UserMarshalClient::Release

Crash link: https://crash.corp.google.com//browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D'%5BThird%20party%20-%20usermgrproxy.dll%5D%20Windows%3A%3ASystem%3A%3AUserMarshalClient%3A%3ARelease'%20AND%20product.name%3D'Chrome'%20AND%20product.Version%3D'64.0.3262.0'%20AND%20ReportID%3D'2761e0738330f108'&sql_dialect=dremelsql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#3

-------------------------------------------------------------------------------
Sample Report
-------------------------------------------------------------------------------
Product name: Chrome
Magic Signature : [Third party - usermgrproxy.dll] Windows::System::UserMarshalClient::Release
Product Version: 64.0.3262.0
Process type: utility
Report ID: 2761e0738330f108
Report Url: https://crash.corp.google.com/2761e0738330f108
Report Time: 2017-11-08T13:47:40-08:00
Upload Time: 2017-11-08T13:47:41.339-08:00
Uptime: 1000 ms
CumulativeProductUptime: 0 ms
OS Name: Windows NT
OS Version: 10.0.16199 1000
CPU Architecture: amd64
CPU Info: family 6 model 42 stepping 7

-------------------------------------------------------------------------------
Crashing thread: Thread index: 0. Stack Quality: 100%. Thread id: 9476.
-------------------------------------------------------------------------------
0x00007fff30f232b5 (usermgrproxy.dll + 0x000032b5)	Windows::System::UserMarshalClient::Release()
0x00007fff1ddc48f2 (StartTileData.dll + 0x002348f2)	DataStoreCache::CloudUtil::Internal::CloudItemManager<DataStoreCache::CloudUtil::GenericCloudItem<Windows::Data::UnifiedTile::LocalStartGlobalProperties,0> >::~CloudItemManager<DataStoreCache::CloudUtil::GenericCloudItem<Windows::Data::UnifiedTile::LocalStartGlobalProperties,0> >()
0x00007fff1dbe11ff (StartTileData.dll + 0x000511ff)	std::_Ref_count_base::_Decref()
0x00007fff1de46eae (StartTileData.dll + 0x002b6eae)	DataStoreCache::CDSDataTransformer::CDSDataTransformerBase<Windows::Data::UnifiedTile::LocalStartGlobalProperties,Microsoft::WRL::ChainInterfaces<DataStoreCache::IGlobalLocalPropertiesTransformer,DataStoreCache::IGlobalCDSDataTransformer,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil>,0>::~CDSDataTransformerBase<Windows::Data::UnifiedTile::LocalStartGlobalProperties,Microsoft::WRL::ChainInterfaces<DataStoreCache::IGlobalLocalPropertiesTransformer,DataStoreCache::IGlobalCDSDataTransformer,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil>,0>()
0x00007fff1de48df3 (StartTileData.dll + 0x002b8df3)	DataStoreCache::CDSDataTransformer::CDSDataTransformer<Windows::Data::UnifiedTile::LocalStartGlobalProperties,Microsoft::WRL::ChainInterfaces<DataStoreCache::IGlobalLocalPropertiesTransformer,DataStoreCache::IGlobalCDSDataTransformer,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil> >::`vector deleting destructor'(unsigned int)
0x00007fff1dbe11ff (StartTileData.dll + 0x000511ff)	std::_Ref_count_base::_Decref()
0x00007fff1de9ee48 (StartTileData.dll + 0x0030ee48)	DataStoreCache::CuratedTileCollectionTransformer::Internal::ContainerSingleton::~ContainerSingleton()
0x00007fff1dbe11ff (StartTileData.dll + 0x000511ff)	std::_Ref_count_base::_Decref()
0x00007fff1dea90e6 (StartTileData.dll + 0x003190e6)	std::_List_buy<std::pair<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> > const ,std::shared_ptr<DataStoreCache::CuratedTileCollectionTransformer::Internal::ContainerSingleton> >,std::allocator<std::pair<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> > const ,std::shared_ptr<DataStoreCache::CuratedTileCollectionTransformer::Internal::ContainerSingleton> > > >::_Freenode(std::_List_node<std::pair<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> > const ,std::shared_ptr<DataStoreCache::CuratedTileCollectionTransformer::Internal::ContainerSingleton> >,void *> *)
0x00007fff1de9e67d (StartTileData.dll + 0x0030e67d)	std::_Hash<std::_Umap_traits<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> >,std::shared_ptr<DataStoreCache::CuratedTileCollectionTransformer::Internal::ContainerSingleton>,std::_Uhash_compare<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> >,std::hash<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> > >,std::equal_to<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> > > >,std::allocator<std::pair<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> > const ,std::shared_ptr<DataStoreCache::CuratedTileCollectionTransformer::Internal::ContainerSingleton> > >,0> >::~_Hash<std::_Umap_traits<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> >,std::shared_ptr<DataStoreCache::CuratedTileCollectionTransformer::Internal::ContainerSingleton>,std::_Uhash_compare<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> >,std::hash<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> > >,std::equal_to<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> > > >,std::allocator<std::pair<std::basic_string<unsigned short,std::char_traits<unsigned short>,std::allocator<unsigned short> > const ,std::shared_ptr<DataStoreCache::CuratedTileCollectionTransformer::Internal::ContainerSingleton> > >,0> >()
0x00007fff36611852 (ucrtbase.dll + 0x00011852)	msize_base
0x00007fff3660c976 (ucrtbase.dll + 0x0000c976)	register_onexit_function
0x00007fff36611500 (ucrtbase.dll + 0x00011500)	execute_onexit_table
0x00007fff3660f064 (ucrtbase.dll + 0x0000f064)	__crt_state_management::wrapped_invoke<int (*)(_onexit_table_t *),_onexit_table_t *,int>(int (*)(_onexit_table_t *),_onexit_table_t *)
0x00007fff1dc713d1 (StartTileData.dll + 0x000e13d1)	_local_stdio_scanf_options
0x00007fff1dc714f7 (StartTileData.dll + 0x000e14f7)	_local_stdio_scanf_options
0x00007fff394dfa6a (ntdll.dll + 0x0003fa6a)	LdrpCallInitRoutine
0x00007fff394ebc3b (ntdll.dll + 0x0004bc3b)	LdrShutdownProcess
0x00007fff394ebaf3 (ntdll.dll + 0x0004baf3)	RtlExitUserProcess
0x00007fff3858c369 (KERNEL32.DLL + 0x0001c369)	ExitProcessImplementation
0x00007ff77e13c774 (chrome.exe - exit.cpp: 129)	exit_or_terminate_process
0x00007ff77e13c72a (chrome.exe - exit.cpp: 265)	common_exit
0x00007ff77e12b864 (chrome.exe - exe_common.inl: 290)	__scrt_common_main_seh
0x00007fff385831e3 (KERNEL32.DLL + 0x000131e3)	BaseThreadInitThunk
0x00007fff394efac0 (ntdll.dll + 0x0004fac0)	RtlUserThreadStart

 

Comment 1 by ajha@chromium.org, Nov 9 2017

Cc: ajha@chromium.org
Labels: -Stability-Crash -Type-Bug -Pri-2 ReleaseBlock-Stable TE-CrashTriage M-64 Stability-ThirdParty Stability-Sheriff-Desktop Pri-1 Type-Bug-Regression
Link to the list of the builds:
===============================
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BThird%20party%20-%20usermgrproxy.dll%5D%20Windows%3A%3ASystem%3A%3AUserMarshalClient%3A%3ARelease%27%20AND%20product.name%3D%27Chrome%27&sql_dialect=dremelsql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#productversion:1000

Note:
=====
1. All the crashes are from Windows-10 and is third party usermgrproxy.dll related crash. 
2. Crashes seems to have spiked in M-64 on Windows since chrome version: 64.0.3257.0, hence considering below as the changelog:

https://chromium.googlesource.com/chromium/src/+log/64.0.3256.0..64.0.3257.0?pretty=fuller&n=10000

Nothing suspicious from the above changelog, hence putting this into stability sheriff's queue for help in routing this to appropriate owner. 

Comment 2 by bjoyce@chromium.org, Nov 11 2017

Cc: sergeyu@chromium.org
Closest code that we have in Chromium I can find is the ucrtbase.dll. I don't see any files for the starttiledata.dll or usermgrproxy.dll. Sergeyu, would you be able to help with this crash in any way?

Comment 3 by falken@chromium.org, Nov 20 2017

Cc: jcivelli@chromium.org xhw...@chromium.org p...@chromium.org
[stability sheriff] I am not sure how to attack these third party crash signatures. Some analysis:
* All crashes I saw are in a utility process and started with exit_or_terminate_process, so the process was trying to exit already.
* As c#2 states, nothing in the Chrome source tree mentions starttiledata.dll or usermgrproxy.dll. ucrtbase.dll looks like it's just copying something to the output directory.
* starttiledata.dll is a DLL included in Windows 10 that seems related with the "start menu layout". ucrtbase.dll is something about the universal CRT/"Visual C++ C Runtime (CRT) for Visual Studio 2015". usermgrproxy.dll is also something included in Windows 10.
* The crash signature definitely regressed in 64.0.3257.0, but I don't see anything obvious in the blame list from c#1. Some grepping of "utility" or "windows" yields:

build: Set LTO opt level to 0 on Windows.
https://chromium-review.googlesource.com/750194

Servicifying ZipFileCreator.
https://chromium-review.googlesource.com/708517

Fix ChildControl binding in ChildProcessHostImpl
https://chromium-review.googlesource.com/749639

CC members of those CLs in case something rings a bell.


Comment 4 by falken@chromium.org, Nov 20 2017

Cc: wfh@chromium.org
+wfh: do you know how to investigate this third party crash on Windows further?

Comment 5 by ajha@chromium.org, Nov 27 2017

Just to update, the latest Dev(64.0.3269.3) has reported 44 crashes from 15 clients. Friendly ping for an update on this.

Comment 6 by xhw...@chromium.org, Nov 27 2017

Cc: -xhw...@chromium.org
Owner: wfh@chromium.org
ping wfh@ for suggestions on how to investigate this further.

Comment 8 by wfh@chromium.org, Nov 28 2017

Labels: -Restrict-View-EditIssue
Friendly ping to get an update on this issue.

I think the third-party module detection in crash is a little wonky, as the first-party and third-party lists are largely duplicated, and many of the identified third-party modules have the same version number as Windows (making me believe that they are not third-party at all).

usermgrproxy.dll falls in this category.  Windows appears to be hooking browser process shutdown, trying to update some UX state and crashing.

I did some searching to see if there were other reports related to this DLL but didn't come up with anything.  Not sure how to proceed, but I can look at more reports tomorrow to see if there are any clues.

FWIW I don't think this is R-B-S as it's not code that we control.

I looked at some crashes - the flags and loaded modules don't yield enough clues for me to figure out *which* utility process or processes is crashing in this way.  Also looked at the change log for 64.0.3257.0 and didn't find anything beyond what falken@ did in C#20.

I don't have much else to go on here; going to leave for the next sheriff to see if they can make any further progress.
Just to update:

Only 2 instances seen from 2 clients so far on latest Canary-65.0.3290.0 (live for 1 day).

Link to the list of builds:
--------------------------
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BThird%20party%20-%20usermgrproxy.dll%5D%20Windows%3A%3ASystem%3A%3AUserMarshalClient%3A%3ARelease%27%20AND%20product.name%3D%27Chrome%27&sql_dialect=dremelsql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#productversion:1000

Since there are only 2 instances & as per C#10 removing RBS label for now.Please add if required.

Need to wait for more crash data.
Thanks..!

Labels: -ReleaseBlock-Stable

Comment 14 by mad@chromium.org, Dec 19 2017

Labels: -Stability-Sheriff-Desktop
Crashing in OS code, has been seen in previous releases, and doesn’t occur that often. Is it really worth to have it on the Stability-Sheriff list?

I took a quick look, and wonder if there could be some bad interactions with IShellLink related to the start tile data? E.g., could we sometimes delete data that is marshalled via the usermgrproxy for the StartTileData? Or something like that? I searched through the Chrome code and didn't find anything, but maybe I wasn't looking for the right thing. Any other idea? Anyone? :-)

Status: Assigned (was: Untriaged)

Sign in to add a comment