Regression: Tab crash is seen in Devtools
Reported by nutan.ga...@etouch.net, Nov 16 2017
Issue description

Version: 64.0.3269.3 1d74d56f7fb838be3c05549bc5e11cdf665f1990-refs/branch-heads/3269@{#3} 32/64 bit
OS: Windows (7, 8, 8.1, 10), Linux (14.04 LTS), Mac OS X (10.12.6, 10.13.2)

What steps will reproduce the problem?
1. Launch Chrome, navigate to NTP and open devtools
2. Press Esc > click on 'More action' iron icon and select 'Coverage' option and click on 'reload' icon, observe

Actual: Tab crash is seen in Devtools
Expected: Tab crash should not be seen in Devtools

Crash id: Uploaded Crash Report ID 0d171d4c2593f7ee (Local Crash ID: 0364b1ae-03dc-42a7-b9fe-0ae14774fccb)

This is a regression issue broken in M-64; I will soon update other info.
Nov 16 2017

This is a regression issue broken in M-64 and below is the bisect info:
Good Build: 64.0.3264.0
Bad Build: 64.0.3265.0
You are probably looking for a change made after 515741 (known good), but no later than 515742 (first known bad).
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/7ccd0cfa7bb47c3b24944d0400cc3a6ae4e5d6ec..30370868dffeec9cd8881dba002b40e938b3ba29
(The script might not always return a single CL as suspect, as some perf builds might be missing due to failure.)
Suspect: https://chromium.googlesource.com/chromium/src/+/30370868dffeec9cd8881dba002b40e938b3ba29

@jgruber: Kindly help to reassign if your changes are not related to this issue.
Nov 16 2017

Stack Trace for the Crash ID provided:
--------------------------------------
Thread 0 (id: 254974) CRASHED [EXC_BAD_INSTRUCTION / EXC_I386_INVOP @ 0x000000011392eb22] MAGIC SIGNATURE THREAD
Stack Quality 75%

0x000000011392eb22 (Google Chrome Framework -platform-posix.cc:376) v8::base::OS::Abort()
0x00000001104b1b14 (Google Chrome Framework -ast-source-ranges.h:108) v8::internal::ConditionalSourceRanges::GetRange(v8::internal::SourceRangeKind)
0x00000001103b72ff (Google Chrome Framework -block-coverage-builder.h:36) v8::internal::interpreter::BlockCoverageBuilder::AllocateBlockCoverageSlot(v8::internal::ZoneObject*, v8::internal::SourceRangeKind)
0x00000001103b4f8e (Google Chrome Framework -bytecode-generator.cc:4592) v8::internal::interpreter::BytecodeGenerator::VisitLogicalAndExpression(v8::internal::BinaryOperation*)
0x00000001103b812e (Google Chrome Framework -bytecode-generator.h:71) v8::internal::interpreter::BytecodeGenerator::VisitNoStackOverflowCheck(v8::internal::AstNode*)
0x00000001103a6fcb (Google Chrome Framework -bytecode-generator.h:71) v8::internal::interpreter::BytecodeGenerator::VisitBlock(v8::internal::Block*)
0x00000001103a8603 (Google Chrome Framework -bytecode-generator.h:71) v8::internal::interpreter::BytecodeGenerator::VisitIfStatement(v8::internal::IfStatement*)
0x00000001103a62a3 (Google Chrome Framework -bytecode-generator.h:71) v8::internal::interpreter::BytecodeGenerator::GenerateBytecodeBody()
0x00000001103a5901 (Google Chrome Framework -bytecode-generator.cc:986) v8::internal::interpreter::BytecodeGenerator::GenerateBytecode(unsigned long)
0x00000001103c05b8 (Google Chrome Framework -interpreter.cc:192) v8::internal::interpreter::InterpreterCompilationJob::ExecuteJobImpl()
0x00000001100936f5 (Google Chrome Framework -compiler.cc:111) v8::internal::(anonymous namespace)::PrepareAndExecuteUnoptimizedCompileJob(v8::internal::ParseInfo*, v8::internal::FunctionLiteral*, v8::internal::Isolate*)
0x000000011008e895 (Google Chrome Framework -compiler.cc:424) v8::internal::(anonymous namespace)::GenerateUnoptimizedCode(v8::internal::ParseInfo*, v8::internal::Isolate*, std::__1::forward_list<std::__1::unique_ptr<v8::internal::CompilationJob, std::__1::default_delete<v8::internal::CompilationJob> >, std::__1::allocator<std::__1::unique_ptr<v8::internal::CompilationJob, std::__1::default_delete<v8::internal::CompilationJob> > > >*)
0x000000011008e595 (Google Chrome Framework -compiler.cc:926) v8::internal::Compiler::Compile(v8::internal::Handle<v8::internal::SharedFunctionInfo>, v8::internal::Compiler::ClearExceptionFlag)
0x000000011008eb38 (Google Chrome Framework -compiler.cc:957) v8::internal::Compiler::Compile(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Compiler::ClearExceptionFlag)
0x000000011053f09f (Google Chrome Framework -runtime-compiler.cc:38) v8::internal::Runtime_CompileLazy(int, v8::internal::Object**, v8::internal::Isolate*)
0x00002c3efc6844bc
0x00002c3efc693c69
0x00002c3efc690937
0x00002c3efc6840fe
0x00000001102bc766 (Google Chrome Framework -execution.cc:142) v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling)
0x00000001102bc52b (Google Chrome Framework -execution.cc:178) v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)
0x000000010ffbda7e (Google Chrome Framework -api.cc:5352) v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*)
0x00000001136fb29e (Google Chrome Framework -V8ScriptRunner.cpp:669) blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*)
0x00000001136f0502 (Google Chrome Framework -V8EventListener.cpp:115) blink::V8EventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*)
0x00000001136eb8e2 (Google Chrome Framework -V8AbstractEventListener.cpp:147) blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>)
0x00000001136eb78e (Google Chrome Framework -V8AbstractEventListener.cpp:104) blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*)
0x00000001136eb6b0 (Google Chrome Framework -V8AbstractEventListener.cpp:92) blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*)
0x0000000113da6238 (Google Chrome Framework -EventTarget.cpp:792) blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&)
0x0000000113da575d (Google Chrome Framework -EventTarget.cpp:647) blink::EventTarget::FireEventListeners(blink::Event*)
0x0000000113d9d1fa (Google Chrome Framework -EventDispatcher.cpp:221) blink::EventDispatcher::Dispatch()
0x0000000113d9c657 (Google Chrome Framework -EventDispatcher.cpp:60) blink::EventDispatcher::DispatchEvent(blink::Node&, blink::EventDispatchMediator*)
0x0000000114300801 (Google Chrome Framework -ImageLoader.cpp:725) blink::ImageLoader::DispatchPendingLoadEvent(std::__1::unique_ptr<blink::IncrementLoadEventDelayCount, std::__1::default_delete<blink::IncrementLoadEventDelayCount> >)
0x0000000114301dc5 (Google Chrome Framework -bind_internal.h:194) void base::internal::FunctorTraits<void (blink::ImageLoader::*)(std::__1::unique_ptr<blink::IncrementLoadEventDelayCount, std::__1::default_delete<blink::IncrementLoadEventDelayCount> >), void>::Invoke<blink::Persistent<blink::ImageLoader> const&, std::__1::unique_ptr<blink::IncrementLoadEventDelayCount, std::__1::default_delete<blink::IncrementLoadEventDelayCount> > >(void (blink::ImageLoader::*)(std::__1::unique_ptr<blink::IncrementLoadEventDelayCount, std::__1::default_delete<blink::IncrementLoadEventDelayCount> >), blink::Persistent<blink::ImageLoader> const&&&, std::__1::unique_ptr<blink::IncrementLoadEventDelayCount, std::__1::default_delete<blink::IncrementLoadEventDelayCount> >&&)
0x0000000114301cc1 (Google Chrome Framework -bind_internal.h:277) base::internal::Invoker<base::internal::BindState<void (blink::ImageLoader::*)(std::__1::unique_ptr<blink::IncrementLoadEventDelayCount, std::__1::default_delete<blink::IncrementLoadEventDelayCount> >), blink::Persistent<blink::ImageLoader>, WTF::PassedWrapper<std::__1::unique_ptr<blink::IncrementLoadEventDelayCount, std::__1::default_delete<blink::IncrementLoadEventDelayCount> > > >, void ()>::Run(base::internal::BindStateBase*)
0x000000011394258f (Google Chrome Framework -callback.h:105) blink::TaskHandle::Runner::Run(blink::TaskHandle const&)
0x0000000110cde49b (Google Chrome Framework -callback.h:65) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x00000001107e92f1 (Google Chrome Framework -task_queue_manager.cc:535) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*)
0x00000001107e7251 (Google Chrome Framework -task_queue_manager.cc:323) blink::scheduler::TaskQueueManager::DoWork(bool)
0x0000000110cde49b (Google Chrome Framework -callback.h:65) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x0000000110d03713 (Google Chrome Framework -message_loop.cc:394) base::MessageLoop::RunTask(base::PendingTask*)
0x0000000110d03c48 (Google Chrome Framework -message_loop.cc:406) base::MessageLoop::DoWork()
0x0000000110d05a79 (Google Chrome Framework -message_pump_mac.mm:452) base::MessagePumpCFRunLoopBase::RunWork()
0x0000000110cf6939 (Google Chrome Framework + 0x01d2e939) base::mac::CallWithEHFrame(void () block_pointer)
0x0000000110d0539e (Google Chrome Framework -message_pump_mac.mm:428) base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
0x00007fff3f6d6ad0 (CoreFoundation + 0x0009fad0) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fff3f78e54b (CoreFoundation + 0x0015754b) __CFRunLoopDoSource0
0x00007fff3f6b9abf (CoreFoundation + 0x00082abf) __CFRunLoopDoSources0
0x00007fff3f6b8f3c (CoreFoundation + 0x00081f3c) __CFRunLoopRun
0x00007fff3f6b8796 (CoreFoundation + 0x00081796) CFRunLoopRunSpecific
0x00007fff417833f5 (Foundation + 0x000213f5) -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
0x0000000110d060dd (Google Chrome Framework -message_pump_mac.mm:724) base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*)
0x0000000110d04ebd (Google Chrome Framework -message_pump_mac.mm:179) base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x0000000110d28013 (Google Chrome Framework -run_loop.cc:114) <name omitted>
0x0000000114c71b87 (Google Chrome Framework -renderer_main.cc:222) content::RendererMain(content::MainFunctionParams const&)
0x000000011090318e (Google Chrome Framework -content_main_runner.cc:705) content::ContentMainRunnerImpl::Run()
0x00000001121c2a9a (Google Chrome Framework -main.cc:456) service_manager::Main(service_manager::MainParams const&)
0x0000000110902743 (Google Chrome Framework -content_main.cc:19) content::ContentMain(content::ContentMainParams const&)
0x000000010efcb66e (Google Chrome Framework -chrome_main.cc:125) ChromeMain
0x000000010badc49b (Google Chrome Helper -chrome_exe_main_mac.cc:165) main
0x00007fff66d39144 (libdyld.dylib + 0x00001144) start

Adding Release blocker for this issue. Please undo if not the case. Thank you!
Nov 16 2017

I've tracked this issue down to conditional block coverage being used in conjunction with binary block coverage (both of which are relatively new additions to coverage tracking). The following tests reproduce:

const c = a && (b ? 'left' : 'right')
const c = a || (b ? 'left' : 'right')

Off the top of my head, I think binary and conditional coverage might be the only two constructs that conflict in this way. Does anything else come to mind @jgruber?

My suggestion to @jgruber was that we have Conditional and Binary expressions share the ExpressionSourceRange object, which I believe should correct this issue.
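As an added illustration of the conflict described in this comment (this is editor-written toy code, not V8's source and not code from anyone in the thread), the following C++ model reduces the situation to its essentials: a per-node map of source-range objects in which the conditional's ranges and the binary operation's ranges are attached to the same right-hand-side node, so one record is lost and a later kRight lookup lands on a ConditionalSourceRanges object that cannot answer it, mirroring the GetRange → Abort frames in the stack trace above. The class names are borrowed from the stack trace for readability, but their implementations, the SourceRangeMap semantics, AllocateRightSlot, ExpressionSourceRanges as the shared object, and all range offsets are hypothetical stand-ins.

```cpp
// Toy model (added example, not V8 code) of two coverage features keyed on
// the same expression node. All names and offsets below are hypothetical.
#include <map>
#include <memory>
#include <string>
#include <utility>

enum class SourceRangeKind { kThen, kElse, kRight };

struct SourceRange { int start; int end; };

// Stands in for an AST node; only its identity (address) matters as a key.
struct Node { std::string text; };

// Every ranges object answers only for the kinds it owns. Returning false
// here is where V8's per-kind class would hit UNREACHABLE(), i.e. the
// v8::base::OS::Abort() at the top of the reported stack.
struct AstNodeSourceRanges {
  virtual ~AstNodeSourceRanges() = default;
  virtual bool GetRange(SourceRangeKind kind, SourceRange* out) const = 0;
};

// Ranges for `cond ? then : else`: knows kThen and kElse only.
struct ConditionalSourceRanges : AstNodeSourceRanges {
  SourceRange then_range, else_range;
  ConditionalSourceRanges(SourceRange t, SourceRange e)
      : then_range(t), else_range(e) {}
  bool GetRange(SourceRangeKind kind, SourceRange* out) const override {
    if (kind == SourceRangeKind::kThen) { *out = then_range; return true; }
    if (kind == SourceRangeKind::kElse) { *out = else_range; return true; }
    return false;  // kRight asked of a conditional: the modelled crash
  }
};

// Ranges for `lhs && rhs` / `lhs || rhs`: knows kRight only.
struct BinaryOperationSourceRanges : AstNodeSourceRanges {
  SourceRange right_range;
  explicit BinaryOperationSourceRanges(SourceRange r) : right_range(r) {}
  bool GetRange(SourceRangeKind kind, SourceRange* out) const override {
    if (kind == SourceRangeKind::kRight) { *out = right_range; return true; }
    return false;
  }
};

// Shape of the proposed fix: one object per node that any expression
// visitor can add to, so conditional and binary ranges coexist.
struct ExpressionSourceRanges : AstNodeSourceRanges {
  std::map<SourceRangeKind, SourceRange> ranges;
  void AddRange(SourceRangeKind kind, SourceRange r) { ranges[kind] = r; }
  bool GetRange(SourceRangeKind kind, SourceRange* out) const override {
    auto it = ranges.find(kind);
    if (it == ranges.end()) return false;
    *out = it->second;
    return true;
  }
};

// One ranges object per node; like std::map::emplace, a second insert for
// the same key is dropped, which is how the binary record gets lost here.
class SourceRangeMap {
 public:
  bool Insert(const Node* node, std::unique_ptr<AstNodeSourceRanges> r) {
    return map_.emplace(node, std::move(r)).second;
  }
  const AstNodeSourceRanges* Find(const Node* node) const {
    auto it = map_.find(node);
    return it == map_.end() ? nullptr : it->second.get();
  }
 private:
  std::map<const Node*, std::unique_ptr<AstNodeSourceRanges>> map_;
};

// Models the slot allocation for the right-hand side of `a && rhs`:
// true when a kRight range is available, false on what would be the abort.
bool AllocateRightSlot(const SourceRangeMap& map, const Node* rhs) {
  const AstNodeSourceRanges* r = map.Find(rhs);
  SourceRange unused{0, 0};
  return r != nullptr && r->GetRange(SourceRangeKind::kRight, &unused);
}

// Separate objects for `a && (b ? 'left' : 'right')`: the conditional's
// record wins the map slot and the kRight lookup fails.
bool SeparateObjectsCollide() {
  Node ternary{"b ? 'left' : 'right'"};  // constructed sample node
  SourceRangeMap map;
  map.Insert(&ternary, std::make_unique<ConditionalSourceRanges>(
                           SourceRange{9, 15}, SourceRange{18, 25}));
  map.Insert(&ternary, std::make_unique<BinaryOperationSourceRanges>(
                           SourceRange{5, 26}));  // dropped: key taken
  return AllocateRightSlot(map, &ternary);  // false
}

// One shared object holding all three kinds: the lookup succeeds.
bool SharedObjectResolves() {
  Node ternary{"b ? 'left' : 'right'"};
  SourceRangeMap map;
  auto shared = std::make_unique<ExpressionSourceRanges>();
  shared->AddRange(SourceRangeKind::kThen, SourceRange{9, 15});
  shared->AddRange(SourceRangeKind::kElse, SourceRange{18, 25});
  shared->AddRange(SourceRangeKind::kRight, SourceRange{5, 26});
  map.Insert(&ternary, std::move(shared));
  return AllocateRightSlot(map, &ternary);  // true
}
```

The model deliberately keeps "first insert wins" semantics so the lost record is visible; whether the real map overwrote or dropped the second record is not stated in the thread, and either way the lookup in the separate-objects case asks a conditional for a range kind it never tracked. The takeaway for anyone adding a new coverage construct is the one the comment makes: two features that key independent range objects on one AST node are a latent abort, and a single per-node object that can hold every kind removes the class of bug rather than one instance of it.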
Nov 17 2017

#6, no, AFAIK this is the only potential conflict at this time. Fix by Ben in flight here: https://crrev.com/c/776027
Nov 20 2017

Original CL reverted: https://crrev.com/c/776768. Relanding here: https://crrev.com/c/778288.
||||
►
Sign in to add a comment |
||||
Comment 1 by nutan.ga...@etouch.net, Nov 16 2017
Labels: hasbisect-per-revision Stability-Crash HasTestcase
Owner: jgruber@chromium.org
Status: Assigned (was: Unconfirmed)