Heap is inconsistent under load
Reported by
apisa...@yandex-team.ru,
Feb 6 2018
|
|||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 Steps to reproduce the problem: This problem appears only on debug build of a browser on Linux OS. But looks like it may affect all OSes. Reproduced about 1 time per 5-10 try. 1. Open https://yandex.ru 2. Go to page https://yandex.ru/pogoda/moscow/maps/nowcast What is the expected behavior? Everything work fine What went wrong? Renderer crashes with callstack: [1:1:0205/135016.860221:FATAL:HeapPage.cpp(1675)] Check failed: !current_allocation_point || (PageFromObject(current_allocation_point) != this). #0 0x7f93a1ef5c86 base::debug::StackTrace::StackTrace() #1 0x7f93a1ef425c base::debug::StackTrace::StackTrace() #2 0x7f93a1f7790e logging::LogMessage::~LogMessage() #3 0x7f938e6dbcbb blink::NormalPage::VerifyObjectStartBitmapIsConsistentWithPayload() #4 0x7f938e6e0f3b blink::NormalPage::Sweep() #5 0x7f938e6de9e7 blink::NormalPageArena::LazySweepPages() #6 0x7f938e6d9477 blink::BaseArena::LazySweep() #7 0x7f938e6dc779 blink::NormalPageArena::OutOfLineAllocate() #8 0x7f938e6dc504 blink::NormalPageArena::AllocateObject() #9 0x7f938fb8f44d blink::ThreadHeap::AllocateOnArenaIndex() #10 0x7f93906e9149 blink::ThreadHeap::Allocate<>() #11 0x7f93906e90b5 blink::GarbageCollected<>::AllocateObject() #12 0x7f93906e8b07 blink::GarbageCollected<>::operator new() #13 0x7f93906fc554 blink::SourceListDirective::Parse() #14 0x7f93906fc2f6 blink::SourceListDirective::SourceListDirective() #15 0x7f93906db054 blink::CSPDirectiveList::SetCSPDirective<>() #16 0x7f93906d82c8 blink::CSPDirectiveList::AddDirective() #17 0x7f93906d204d blink::CSPDirectiveList::Parse() #18 0x7f93906d1cc2 blink::CSPDirectiveList::Create() #19 0x7f93906ead46 blink::ContentSecurityPolicy::AddPolicyFromHeaderValue() #20 0x7f93906ea58a blink::ContentSecurityPolicy::AddAndReportPolicyFromHeaderValue() #21 0x7f93906ea4fb blink::ContentSecurityPolicy::CopyStateFrom() #22 0x7f9390207c0c blink::Document::InitContentSecurityPolicy() #23 0x7f93901e8880 blink::Document::InitSecurityContext() #24 0x7f93901e745e blink::Document::Document() #25 0x7f93907466de blink::HTMLDocument::HTMLDocument() #26 0x7f938fcb468d blink::HTMLDocument::Create() #27 0x7f93901db6d9 blink::DOMImplementation::createDocument() #28 0x7f939060417b blink::LocalDOMWindow::CreateDocument() #29 0x7f9390604357 blink::LocalDOMWindow::InstallNewDocument() #30 0x7f9390debda1 blink::DocumentLoader::InstallNewDocument() #31 0x7f9390deb877 blink::DocumentLoader::CommitNavigation() #32 0x7f9390de9b7a blink::DocumentLoader::CommitData() #33 0x7f9390de90d3 blink::DocumentLoader::FinishedLoading() #34 0x7f9390decd78 blink::DocumentLoader::MaybeLoadEmpty() #35 0x7f9390ded34d blink::DocumentLoader::StartLoading() #36 0x7f9390e133ae blink::FrameLoader::StartLoad() #37 0x7f9390e12371 blink::FrameLoader::Load() #38 0x7f939075d9f8 blink::HTMLFrameOwnerElement::LoadOrRedirectSubframe() #39 0x7f939075a914 blink::HTMLFrameElementBase::OpenURL() #40 0x7f939075b594 blink::HTMLFrameElementBase::SetNameAndOpenURL() #41 0x7f939075b74e blink::HTMLFrameElementBase::DidNotifySubtreeInsertionsToDocument() #42 0x7f93901c39b0 blink::ContainerNode::DidInsertNodeVector() #43 0x7f93901c4383 blink::ContainerNode::AppendChild() #44 0x7f93902cfc2a blink::Node::appendChild() #45 0x7f93914c14a1 blink::NodeV8Internal::appendChildMethodForMainWorld() #46 0x7f93914c115a blink::V8Node::appendChildMethodCallbackForMainWorld() #47 0x7f9392465262 v8::internal::FunctionCallbackArguments::Call() #48 0x7f93924fb835 v8::internal::(anonymous namespace)::HandleApiCallHelper<>() #49 0x7f93924f9929 v8::internal::Builtin_Impl_HandleApiCall() #50 0x7f93924f936d v8::internal::Builtin_HandleApiCall() #51 0x0292e6d84384 <unknown> Did this work before? N/A Chrome version: 63.0.3239.132 Channel: n/a OS Version: OS X 10.12.6 Flash Version: I try to find the reason. Problem is caused by allocating a new object in free list area during sweep didn't fill page bitmap. I will send CL with workaround shortly. But I think there is a better way to fix it.
,
Feb 6 2018
,
Feb 7 2018
,
Feb 9 2018
Thanks for filing the issue! Checked the issue on reported chrome version 63.0.3239.132 and on the latest canary 66.0.3344.0 using Mac 10.13.1 with the below mentioned steps. 1. Launched chrome 2. Navigated to ttps://yandex.ru 3. Then navigated to https://yandex.ru/pogoda/moscow/maps/nowcast We are able to navigate to those sites with out any crashes. Note: Unable to check the same on Ubuntu 14.04, as navigating to the mentioned URLs says "Your connection is not private". Adding Needs-Feedback label as per comment#0 by reporter.
,
Feb 12 2018
I think I found the reason of error. Detaching of SVG layout cause creation of a new object and it corrupt bitmap/memory consistency. Here allocation stack: [1:1:0212/071906.068618:FATAL:HeapPage.cpp(1031)] Check failed: result. #0 0x7f0a03c5ac86 base::debug::StackTrace::StackTrace() #1 0x7f0a03c5925c base::debug::StackTrace::StackTrace() #2 0x7f0a03cdc90e logging::LogMessage::~LogMessage() #3 0x7f09f044349a blink::NormalPageArena::OutOfLineAllocate() #4 0x7f09f0443026 blink::NormalPageArena::AllocateObject() #5 0x7f09f18f544d blink::ThreadHeap::AllocateOnArenaIndex() #6 0x7f09f20b2fb9 blink::ThreadHeap::Allocate<>() #7 0x7f09f20b2f25 blink::GarbageCollected<>::AllocateObject() #8 0x7f09f20b22e7 blink::GarbageCollected<>::operator new() #9 0x7f09f20b0ad9 blink::TreeScope::EnsureSVGTreeScopedResources() #10 0x7f09f2afed88 blink::SvgTreeScopeResourcesFromElement() #11 0x7f09f2afefe8 blink::LayoutSVGResourceContainer::DetachAllClients() #12 0x7f09f2e95bb9 blink::SVGTreeScopeResources::UnregisterResource() #13 0x7f09f2e9613a blink::SVGTreeScopeResources::RemoveResource() #14 0x7f09f2afebed blink::LayoutSVGResourceContainer::WillBeDestroyed() #15 0x7f09f297f44d blink::LayoutObject::Destroy() #16 0x7f09f297f326 blink::LayoutObject::DestroyAndCleanupAnonymousWrappers() #17 0x7f09f20393ea blink::Node::DetachLayoutTree() #18 0x7f09f1f2d5ff blink::ContainerNode::DetachLayoutTree() #19 0x7f09f1fbecae blink::Element::DetachLayoutTree() #20 0x7f09f2e1b887 blink::SVGElement::DetachLayoutTree() #21 0x7f09f1f2d5d7 blink::ContainerNode::DetachLayoutTree() #22 0x7f09f1fbecae blink::Element::DetachLayoutTree() #23 0x7f09f2e1b887 blink::SVGElement::DetachLayoutTree() #24 0x7f09f1f2d5d7 blink::ContainerNode::DetachLayoutTree() #25 0x7f09f1fbecae blink::Element::DetachLayoutTree() #26 0x7f09f2e1b887 blink::SVGElement::DetachLayoutTree() #27 0x7f09f1f2d5d7 blink::ContainerNode::DetachLayoutTree() #28 0x7f09f1f5ce49 blink::Document::Shutdown() #29 0x7f09f237c06e blink::LocalFrame::Detach() #30 0x7f09f2c1eb0e blink::Page::WillBeDestroyed() #31 0x7f09f2ec2a6c blink::SVGImage::~SVGImage() #32 0x7f09f2ec2cc9 blink::SVGImage::~SVGImage() #33 0x7f09f18f4d5b WTF::RefCounted<>::DeleteInternal<>() #34 0x7f09f18f4d25 WTF::DefaultRefCountedTraits<>::Destruct() #35 0x7f09f19d769c base::RefCountedThreadSafe<>::Release() #36 0x7f09f19d7659 scoped_refptr<>::Release() #37 0x7f09f19d549a scoped_refptr<>::~scoped_refptr() #38 0x7f09f1c85b21 blink::ImageResourceContent::~ImageResourceContent() #39 0x7f09f1c85ac5 blink::GarbageCollectedFinalized<>::FinalizeGarbageCollectedObject() #40 0x7f09f1c85aa5 blink::FinalizerTraitImpl<>::Finalize() #41 0x7f09f1c85a85 blink::FinalizerTrait<>::Finalize() #42 0x7f09f043f0f1 blink::HeapObjectHeader::Finalize() #43 0x7f09f04477e0 blink::NormalPage::Sweep() #44 0x7f09f0445433 blink::NormalPageArena::LazySweepPages() #45 0x7f09f0440347 blink::BaseArena::LazySweep() #46 0x7f09f044332f blink::NormalPageArena::OutOfLineAllocate() #47 0x7f09f0443026 blink::NormalPageArena::AllocateObject() #48 0x7f09f18f544d blink::ThreadHeap::AllocateOnArenaIndex() #49 0x7f09f19413e9 blink::ThreadHeap::Allocate<>() #50 0x7f09f1941355 blink::GarbageCollected<>::AllocateObject() #51 0x7f09f1940477 blink::GarbageCollected<>::operator new() #52 0x7f09f193e54c blink::ScheduledAction::Create() #53 0x7f09f234d742 blink::DOMWindowTimers::setTimeout() #54 0x7f09f349a2e7 blink::DOMWindowV8Internal::setTimeout1Method() #55 0x7f09f348eca5 blink::DOMWindowV8Internal::setTimeoutMethod() #56 0x7f09f348e7aa blink::V8Window::setTimeoutMethodCallback() #57 0x7f09f41cc262 v8::internal::FunctionCallbackArguments::Call() #58 0x7f09f4262835 v8::internal::(anonymous namespace)::HandleApiCallHelper<>() #59 0x7f09f4260929 v8::internal::Builtin_Impl_HandleApiCall() #60 0x7f09f426036d v8::internal::Builtin_HandleApiCall() #61 0x1ca26b484384 <unknown>
,
Feb 12 2018
Thank you for providing more feedback. Adding requester "vamshi.kommuri@techmahindra.com" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 12 2018
The error in #5 is different from the error in #0. - #0 is an inconsistency of the bitmap - #5 is an allocation failure
,
Feb 26 2018
Yes, it is different errors. First stack is original problem - inconsistent bitmap. Second is problem caused by disable allocation in free space during sweep (this action cause original problem). So it shows place, where bitmap was corrupted. Unfortunately, I have no idea how to fix it. If someone know what can I do here - please help.
,
Apr 13 2018
This issue seems to be out of TE scope as issue is seen on debug builds. Hence adding TE-NeedsTriageHelp label for further investigation from dev team. Thanks!
,
Jun 5 2018
Please file a new issue if this is still present. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by krajshree@chromium.org
, Feb 6 2018Labels: Needs-Triage-M63