Calling drawImage & toBlob repeatedly in an extension causes the extension to crash
Reported by
peterwil...@gmail.com,
Mar 19 2018
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36

Steps to reproduce the problem:
1. Load 'extensionCrashPoC' as an extension
2. Navigate to 'http://example.com'
3. When prompted select 'Your Entire Screen' and then 'Share'
4. Wait between 20 minutes and an hour

What is the expected behavior?
When starting, the extension's background script should capture the user's screen as a media stream and write it to a video element. It should then loop forever doing the following:
1. Create a canvas
2. Draw the current frame from the video element to the canvas
3. Convert the image currently drawn on the canvas to a blob
4. Repeat

What went wrong?
After between 20 minutes and an hour the extension will crash with the message 'extensionCrashPoC has crashed'.

Did this work before? Yes 64

Chrome version: 65
Channel: stable
OS Version: 10 (1709)
Flash Version:

If Developer Tools for the background page are open they will also crash, and if a remote debugger is connected it will disconnect from the background page. No error message is visible. Running the JavaScript Profiler does not reveal any memory leaks, and resources appear to be successfully released and cleaned up after their loop has been completed.

The extension does not crash when running under Chrome 64, only under Chrome 65. The issue happens when running under Windows (10 - 1709) and Linux (Fedora 27); it may also happen on Mac OS but I have not observed this. There does not appear to be any issue running the same code on the page directly, only as part of an extension.
Mar 19 2018
I've looked a bit more at this and made a simpler PoC. In the JavaScript Profiler and the 'JavaScript memory' column of Chrome's Task Manager it appears that resources are being cleared. However, the 'Memory footprint' column of Chrome's Task Manager grows until the extension crashes. I've also added 'inPageNoCrash.html', which demonstrates that the issue only happens in a background script. When this page is loaded the 'Memory footprint' column of Chrome's Task Manager grows and then gets cleared periodically.
Mar 20 2018
Unable to reproduce this issue on latest stable 65.0.3325.162 using Windows 10, Ubuntu 14.04 and Mac 10.13.3 with the steps mentioned below.
1. Added attached extensions (tried with both extensions in #0 and #4) to Chrome.
2. Navigated to 'http://example.com' and didn't observe any prompt to select 'Your Entire Screen' and then 'Share', and didn't observe any crash even after waiting for more than one hour.

@Reporter: Could you please let us know if we missed anything? Also please provide the crash id from chrome://crashes if you see any crash. Any further info on reproducing this issue would help in further triaging. Thanks!
Mar 20 2018
Hi Sindhu,

Thanks for looking into this. The second attachment with the simpler PoC won't capture your screen, just draw to a canvas and call toBlob over and over - sorry, I should have explained that and given updated steps to reproduce:
1. Load 'extensionCrashPoC' as an extension
2. Navigate to 'http://example.com'
3. Open Chrome's Task Manager
4. Observe the 'Memory footprint' value for 'Extension: extensionCrashPoC'
5. Wait between 20 minutes and an hour

The value for 'Memory footprint' will continue growing until the system is out of memory and the extension crashes. For a Windows 10 system with 2GB of RAM this is about 20 minutes. Unfortunately nothing appears to be written to chrome://crashes.

I've also attached two screenshots showing the value of 'Memory footprint' after 10 minutes of execution on Chrome 64 (64.0.3282.140) and Chrome 65 (65.0.3325.162). You can see memory usage on 64 is ~250,000K while memory usage on 65 is ~2,000,000K.
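The loop the reporter describes, as an added example that is not the attached PoC (the attachments themselves are not on this page): create a canvas, draw the current frame with drawImage, encode it with toBlob, drop the blob, repeat. The canvas factory and the frame source are injected so the same loop body runs in an extension background page or, for a quick check without a DOM, against the constructed fake canvas at the bottom. Capturing the screen with getDisplayMedia is an assumption about how a current build would do it, not what the 2018 extension used; `runDrawToBlobLoop`, `makeFakeCanvas` and the blob-like objects it returns are names introduced here.

```javascript
// Added example (not the reporter's attached PoC): the drawImage + toBlob loop
// from this issue, with the canvas factory and frame source injected so the
// same loop body runs in an extension background page or, without a DOM,
// against the fake canvas defined below.

// Promise wrapper for the callback-style canvas.toBlob API.
function toBlobAsync(canvas, type = 'image/png') {
  return new Promise((resolve, reject) => {
    canvas.toBlob((blob) => {
      if (blob) resolve(blob);
      else reject(new Error('toBlob produced no blob'));
    }, type);
  });
}

// One round of the reporter's loop, repeated `iterations` times:
//   1. create a canvas, 2. draw the current frame, 3. convert to a blob, 4. repeat.
// Nothing is retained between rounds; each blob is dropped after its size is read,
// so the returned sizes only show that every encode completed.
async function runDrawToBlobLoop({ createCanvas, source, width, height, iterations }) {
  const sizes = [];
  for (let i = 0; i < iterations; i += 1) {
    const canvas = createCanvas(width, height);
    const ctx = canvas.getContext('2d');
    ctx.drawImage(source, 0, 0, width, height);
    const blob = await toBlobAsync(canvas);
    sizes.push(blob.size);
  }
  return sizes;
}

// Browser/extension entry point. getDisplayMedia is an assumption about how a
// current build would capture the screen, not what the 2018 PoC used. Runs until
// the page is closed; watch the extension's row in Chrome's Task Manager meanwhile.
async function startScreenCaptureLoop(roundsPerBatch = 100) {
  const stream = await navigator.mediaDevices.getDisplayMedia({ video: true });
  const video = document.createElement('video');
  video.srcObject = stream;
  await video.play();
  const createCanvas = (w, h) => {
    const c = document.createElement('canvas');
    c.width = w;
    c.height = h;
    return c;
  };
  for (;;) {
    await runDrawToBlobLoop({
      createCanvas,
      source: video,
      width: video.videoWidth,
      height: video.videoHeight,
      iterations: roundsPerBatch,
    });
  }
}

// Constructed stand-in for a canvas so the loop can be exercised without a DOM:
// drawImage is a no-op and toBlob hands back a blob-like object whose size is
// the RGBA byte count of the canvas.
function makeFakeCanvas(width, height) {
  return {
    width,
    height,
    getContext() {
      return { drawImage() {} };
    },
    toBlob(callback, type = 'image/png') {
      callback({ size: width * height * 4, type });
    },
  };
}
```

In a browser, `startScreenCaptureLoop()` from the background page is the repro; the fake canvas only verifies that the loop body awaits each encode and keeps nothing across rounds, which is the behaviour the reporter's profiler observations describe. The renderer-side allocation the fix addresses lives outside the script's reach, so the JavaScript heap looking clean while 'Memory footprint' grows is consistent with this loop being correct.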
Mar 20 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 21 2018
Able to reproduce this issue on latest stable 65.0.3325.167, on latest beta 66.0.3359.33 and on latest canary 67.0.3377.0 using Windows 10, Ubuntu 14.04 and Mac 10.13.3. High increase of memory footprint is seen on adding that extension.

Good Build: 65.0.3285.0
Bad Build: 65.0.3286.0
You are probably looking for a change made after 521714 (known good), but no later than 521715 (first known bad).
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/510c597b5876820f33c678b5d04a5f71e42e26f6..6e0ab6ae54cc837abd96024dae5595a8d299e7b8
Reviewed-on: https://chromium-review.googlesource.com/780279
Suspecting same from Changelog.

@zakerinasab: Please confirm the bug and help in re-assigning if it is not related to your change.
Adding RB-Stable for M-65. Please change if not the case. Thanks!
Mar 21 2018
This is interesting. I'll look into that.
Mar 21 2018
The fix is ready for this bug. This won't block the M65 further roll out, as the crash happens after running the extension for 20 minutes on a 2GB memory machine for one user.
Mar 21 2018
Thank you zakerinasab@. Please request a merge to M66 once the fix is ready to be merged.
Mar 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8fe039154b1c022e97ea9a7bbb1169b23ca483f7

commit 8fe039154b1c022e97ea9a7bbb1169b23ca483f7
Author: Reza.Zakerinasab <zakerinasab@chromium.org>
Date: Wed Mar 21 19:48:32 2018

    Enforce early release of storage image in CanvasAsyncBlobCreator dtor

    TBR=junov@chromium.org

    Bug: 823260
    Change-Id: I9851d6ff38c36c16edbdfa1cb715957e8e6e3eed
    Reviewed-on: https://chromium-review.googlesource.com/973554
    Reviewed-by: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
    Commit-Queue: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#544807}

[modify] https://crrev.com/8fe039154b1c022e97ea9a7bbb1169b23ca483f7/third_party/WebKit/Source/core/html/canvas/CanvasAsyncBlobCreator.cpp
Mar 22 2018
Able to reproduce the issue on the reported version, hence verifying the fix on latest canary 67.0.3378.0 using Ubuntu 14.04, Mac 10.13.3 and Windows 10. Now there is no increase in the memory footprint value after 10 minutes. Hence adding verified labels. Attaching screenshot for reference. Thanks!
Mar 22 2018
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review.

Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 23 2018
Approving merge to M66. Branch:3359
Mar 23 2018
Merged to M66 (branch 3359): https://chromium.googlesource.com/chromium/src/+/e98da69c6777ddfcb9306bf28445f443a98563e7
Mar 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e98da69c6777ddfcb9306bf28445f443a98563e7

commit e98da69c6777ddfcb9306bf28445f443a98563e7
Author: Reza.Zakerinasab <zakerinasab@chromium.org>
Date: Fri Mar 23 14:06:11 2018

    Enforce early release of storage image in CanvasAsyncBlobCreator dtor

    TBR=junov@chromium.org, zakerinasab@chromium.org

    (cherry picked from commit 8fe039154b1c022e97ea9a7bbb1169b23ca483f7)

    Bug: 823260
    Change-Id: I9851d6ff38c36c16edbdfa1cb715957e8e6e3eed
    Reviewed-on: https://chromium-review.googlesource.com/973554
    Reviewed-by: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
    Commit-Queue: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
    Cr-Original-Commit-Position: refs/heads/master@{#544807}
    Reviewed-on: https://chromium-review.googlesource.com/977889
    Cr-Commit-Position: refs/branch-heads/3359@{#395}
    Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}

[modify] https://crrev.com/e98da69c6777ddfcb9306bf28445f443a98563e7/third_party/WebKit/Source/core/html/canvas/CanvasAsyncBlobCreator.cpp
Mar 28 2018
Able to reproduce the issue on the reported version, hence verifying the fix on latest beta 66.0.3359.66 using Ubuntu 14.04, Mac 10.13.3 and Windows 10. Now there is no increase in the memory footprint value after 10 minutes. Hence adding verified labels. Attaching screenshot for reference. Thanks!