PerformanceObserver.disconnect crashes renderer during navigation
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063

Steps to reproduce the problem:
1. Open attached crash.html file
2. Wait 5 seconds
3. See crash page

What is the expected behavior?
The page reloads normally

What went wrong?
Renderer process has crashed on PerformanceObserver.disconnect() call

Did this work before? N/A
Does this work in other browsers? Yes

Chrome version: 65.0.3292.0
Channel: dev
OS Version: 10.0
Flash Version:
Dec 12 2017

I can reproduce this at ToT. Crash stack:

Received signal 11 SEGV_MAPERR 000000000030
#0 0x7f777729f4dc base::debug::StackTrace::StackTrace()
#1 0x7f777729f041 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f77773af330 <unknown>
#3 0x7f77710dd720 <unknown>
#4 0x7f7771656244 blink::Performance::UpdateLongTaskInstrumentation()
#5 0x7f7771659fc2 blink::PerformanceBase::UnregisterPerformanceObserver()
#6 0x7f7771660726 blink::PerformanceObserver::disconnect()
#7 0x7f7771dc2729 v8::internal::FunctionCallbackArguments::Call()
#8 0x7f7771e531ac v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#9 0x7f7771e527a8 v8::internal::Builtin_Impl_HandleApiCall()
#10 0x07ae5e4041fd <unknown>
Dec 12 2017

GetFrame() can be nullptr in UpdateLongTaskInstrumentation when trying to disconnect the observer, so the cause is just an incorrect DCHECK.
Dec 13 2017

Able to reproduce the issue on Windows 10, Mac 10.12.6 and Ubuntu 14.04 using the Chrome reported version #65.0.3292.0.

Bisect Information:
=====================
Good build: 61.0.3158.0
Bad Build : 61.0.3160.0
Change Log URL: https://chromium.googlesource.com/chromium/src/+log/80312194b99b0f8b03d0e5c9a3920b81399d6fd6..e4a2d76b144acd15b8600162950e973965ababb9

From the above change log, suspecting the change below:
Review-Url: https://codereview.chromium.org/2449673002

panicker@ - Could you please check whether this is caused by your change? If not, please help us assign it to the right owner. Thanks...!!
Dec 13 2017

I'm happy to address this.
Dec 13 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d500724ea3059c124a89feb6154d46840384d684

commit d500724ea3059c124a89feb6154d46840384d684
Author: Tim Dresser <tdresser@chromium.org>
Date: Wed Dec 13 21:23:08 2017

Fix PerformanceObserver.disconnect DCHECK.

Bug: 793720
Change-Id: I541d6520d2399de5296240f7af5155567481b2f2
Reviewed-on: https://chromium-review.googlesource.com/825464
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: Timothy Dresser <tdresser@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523881}

[modify] https://crrev.com/d500724ea3059c124a89feb6154d46840384d684/third_party/WebKit/Source/core/timing/Performance.cpp
Dec 14 2017

Leaving open to track landing the test here: https://chromium-review.googlesource.com/c/chromium/src/+/825022/
Jan 2 2018

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ac2d13bd987c2dfa887c447fc31dabb41dfb0dfd

commit ac2d13bd987c2dfa887c447fc31dabb41dfb0dfd
Author: Denis Bessonov <dbessonov@yandex-team.ru>
Date: Tue Jan 02 20:17:58 2018

Added a javascript layout test to reproduce the 793720 crash.

The crash occurs in the following situation:
- Navigation is performing which results in Frame detach from DOMWindow
- PerformanceObserver::disconnect is called from PromiseReactionJob micro task

In this case, this call graph is executed:

blink::(anonymous namespace)::EndOfTaskRunner::DidProcessTask()
v8::internal::Isolate::RunMicrotasks()
v8::internal::Isolate::RunMicrotasksInternal()
v8::internal::Isolate::PromiseReactionJob()
... some V8 magic to call browser API from JS ...
blink::PerformanceObserver::disconnect()
blink::PerformanceBase::UnregisterPerformanceObserver()
blink::Performance::UpdateLongTaskInstrumentation()
blink::LocalFrame::GetDocument() const

and, given that Frame has been detached, GetDocument() is called with this equal to nullptr, which leads to segfault.

Bug: 793720
Change-Id: Id3cd67e3ebb5a197024b8ac269eebfc241cf2fc7
Reviewed-on: https://chromium-review.googlesource.com/825022
Commit-Queue: Steve Kobes <skobes@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526528}

[add] https://crrev.com/ac2d13bd987c2dfa887c447fc31dabb41dfb0dfd/third_party/WebKit/LayoutTests/performance/performance-observer-crash-expected.txt
[add] https://crrev.com/ac2d13bd987c2dfa887c447fc31dabb41dfb0dfd/third_party/WebKit/LayoutTests/performance/performance-observer-crash.html
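The sequence laid out in that commit message, as an added example that is not Chromium's code: the class and method names follow the call graph above but are assumed stand-ins, not Blink's real API. A Performance object keeps a back-pointer to its frame; a promise reaction calling disconnect() is queued, the navigation detaches the frame within the same task, and the microtask only runs afterwards. The UpdateLongTaskInstrumentation stand-in carries the null guard that a DCHECK alone does not provide in a release build.

```cpp
#include <cassert>
#include <functional>
#include <utility>
#include <vector>

// Stand-ins for Blink's Document and LocalFrame (assumed shapes, not real API).
struct Document {
  int long_task_observer_count = 0;
};

struct LocalFrame {
  Document* GetDocument() const { return document; }
  Document* document;
};

enum class UpdateResult { kUpdated, kSkippedFrameDetached };

// Stand-in for blink::Performance: it holds a back-pointer to its frame and
// can outlive it once navigation detaches the frame from the window.
class Performance {
 public:
  explicit Performance(LocalFrame* frame) : frame_(frame) {}
  LocalFrame* GetFrame() const { return frame_; }
  void OnFrameDetached() { frame_ = nullptr; }

  void RegisterPerformanceObserver() {
    ++observer_count_;
    last_update_ = UpdateLongTaskInstrumentation();
  }
  void UnregisterPerformanceObserver() {
    --observer_count_;
    last_update_ = UpdateLongTaskInstrumentation();
  }
  int observer_count() const { return observer_count_; }
  UpdateResult last_update() const { return last_update_; }

 private:
  // The crash path reached GetFrame()->GetDocument() with only a DCHECK on the
  // frame pointer, so a detached frame meant a null dereference in a release
  // build. The early return below is the guard that path needs.
  UpdateResult UpdateLongTaskInstrumentation() {
    LocalFrame* frame = GetFrame();
    if (!frame) return UpdateResult::kSkippedFrameDetached;
    frame->GetDocument()->long_task_observer_count = observer_count_;
    return UpdateResult::kUpdated;
  }

  LocalFrame* frame_;
  int observer_count_ = 0;
  UpdateResult last_update_ = UpdateResult::kUpdated;
};

// Stand-in for blink::PerformanceObserver.
class PerformanceObserver {
 public:
  explicit PerformanceObserver(Performance* performance) : performance_(performance) {}
  void observe() { performance_->RegisterPerformanceObserver(); }
  void disconnect() { performance_->UnregisterPerformanceObserver(); }
 private:
  Performance* performance_;
};

// Microtasks (promise reactions) run when the current task finishes, i.e.
// after anything that task did synchronously, including detaching the frame.
struct MicrotaskQueue {
  std::vector<std::function<void()>> pending;
  void Enqueue(std::function<void()> job) { pending.push_back(std::move(job)); }
  void RunMicrotasks() {
    std::vector<std::function<void()>> jobs;
    jobs.swap(pending);
    for (auto& job : jobs) job();
  }
};

struct ReplayOutcome {
  UpdateResult result;
  int remaining_observers;
  bool frame_detached;
};

// Replays the sequence from the commit message: observe(), a promise reaction
// that calls disconnect() is queued, navigation detaches the frame, and only
// then do the microtasks run.
ReplayOutcome ReplayDisconnectAfterDetach() {
  Document document;
  LocalFrame frame{&document};
  Performance performance(&frame);
  PerformanceObserver observer(&performance);
  MicrotaskQueue microtasks;

  observer.observe();
  microtasks.Enqueue([&observer] { observer.disconnect(); });  // PromiseReactionJob
  performance.OnFrameDetached();  // navigation: frame detached from DOMWindow
  microtasks.RunMicrotasks();     // EndOfTaskRunner::DidProcessTask -> RunMicrotasks

  return {performance.last_update(), performance.observer_count(),
          performance.GetFrame() == nullptr};
}

int main() {
  ReplayOutcome outcome = ReplayDisconnectAfterDetach();
  assert(outcome.result == UpdateResult::kSkippedFrameDetached);
  assert(outcome.remaining_observers == 0 && outcome.frame_detached);
  return 0;
}
```

The ordering is the whole point: the disconnect() call is already queued when the frame goes away, so any code on that path has to tolerate a frame that no longer exists rather than assume the DCHECK covers it.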
Jan 3 2018

Thanks for the test!
Comment 1 by dbesso...@yandex-team.ru, Dec 11 2017