Regression: Tab crash is observed in DevTools.
Reported by rp...@etouch.net, Mar 28 2018
Issue description
Chrome version: 67.0.3382.0 (Official Build) Revision 148f8c6decc123bb840a37b013caa8eed27759fd-refs/heads/master@{#546346} (32/64-bit)
OS: Windows (7, 8, 8.1, 10), Linux (14.04 LTS), Mac OS X (10.12.6, 10.13.1, 10.13.4)
What steps will reproduce the problem?
1. Launch Chrome, navigate to the NTP and open DevTools.
2. Now click on 'Customize and control DevTools', go to the 'More tools' option and select layer.
3. Now press the 'Tab' key continuously and observe.
Actual: Tab crash is seen after pressing the 'Tab' key in the Layer section of DevTools.
Expected: Tab crash should not be seen after pressing the 'Tab' key in the Layer section of DevTools.
Crash ID: Uploaded Crash Report ID e1e0d9d85610b04a (Local Crash ID: 66e5e95c-55f3-4040-95f0-64a5e780a751)
This is a regression issue, broken in ‘M 67’; will soon update other info.
Mar 28 2018
Hrm. My CL definitely exposed the crash, but it’s not the source. Any webpage could probably trigger it. If you could pull the same HTML/CSS into an earlier Chrome version, then you could reproduce it earlier and find the crasher. Unfortunately, it’s difficult to do that with the NTP. I tried to reduce to a minimal test case (attached) but couldn’t trigger the crash. The HTML/CSS in question is inside an iframe, so it’s possibly worth trying for both values of chrome://flags/#enable-site-per-process. I can reproduce the crash with “Disabled” but I think it’s actually enabled for me due to enterprise policy, per the explanation on that flag. The right people to look at this are probably Blink/Skia people, but I don’t have a better idea than that.
Mar 28 2018
Re-bisected on a different machine using the per-revision script and found the range below:

You are probably looking for a change made after 510835 (known good), but no later than 510836 (first known bad).
CHANGELOG URL:
The script might not always return single CL as suspect as some perf builds might get missing due to failure.
https://chromium.googlesource.com/chromium/src/+log/355d9bbd8dc073a13b545ab20f77b697a949d378..fd89fae64111cbc80f7f3d07e899784c0428edd1

Suspect: https://chromium.googlesource.com/chromium/src/+/fd89fae64111cbc80f7f3d07e899784c0428edd1

From the CL above, assigning the issue to the concerned owner. @sunxd: Could you please check whether this is caused by your change? If not, please help us in assigning it to the right owner.
Mar 28 2018
Stack trace for the provided crash id:
--------------------------------------
Thread 0 (id: 9128) CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0xffffffffffffffff ] MAGIC SIGNATURE THREAD
Stack Quality 100%
0x000007fecd8587e2 (chrome_child.dll -GraphicsLayer.cpp:383 ) blink::GraphicsLayer::PaintWithoutCommit(blink::IntRect const *,blink::GraphicsContext::DisabledMode)
0x000007fecd85855e (chrome_child.dll -GraphicsLayer.cpp:339 ) blink::GraphicsLayer::Paint(blink::IntRect const *,blink::GraphicsContext::DisabledMode)
0x000007fed073ddad (chrome_child.dll -InspectorLayerTreeAgent.cpp:451 ) blink::InspectorLayerTreeAgent::makeSnapshot(WTF::String const &,WTF::String *)
0x000007fece2fc69c (chrome_child.dll -LayerTree.cpp:534 ) blink::protocol::LayerTree::DispatcherImpl::makeSnapshot(int,std::unique_ptr<blink::protocol::DictionaryValue,std::default_delete<blink::protocol::DictionaryValue> >,blink::protocol::ErrorSupport *)
0x000007fece2ca565 (chrome_child.dll -Accessibility.cpp:466 ) blink::protocol::Accessibility::DispatcherImpl::dispatch(int,WTF::String const &,std::unique_ptr<blink::protocol::DictionaryValue,std::default_delete<blink::protocol::DictionaryValue> >)
0x000007fece31b0a2 (chrome_child.dll -Protocol.cpp:822 ) blink::protocol::UberDispatcher::dispatch(std::unique_ptr<blink::protocol::Value,std::default_delete<blink::protocol::Value> >,int *,WTF::String *)
0x000007fed0755fe3 (chrome_child.dll -InspectorSession.cpp:82 ) blink::InspectorSession::DispatchProtocolMessage(WTF::String const &,WTF::String const &)
0x000007fece9381d2 (chrome_child.dll -devtools_agent.mojom-blink.cc:394 ) blink::mojom::blink::DevToolsSessionStubDispatch::Accept(blink::mojom::blink::DevToolsSession *,mojo::Message *)
0x000007fecec2a118 (chrome_child.dll -ipc_mojo_bootstrap.cc:865 ) IPC::`anonymous namespace'::ChannelAssociatedGroupController::AcceptOnProxyThread
0x000007fecec284b9 (chrome_child.dll -bind_internal.h:586 ) base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message),scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,base::internal::PassedWrapper<mojo::Message> >,void ()>::Run
0x000007fecd46862e (chrome_child.dll -task_annotator.cc:61 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x000007fece971fa0 (chrome_child.dll -thread_controller_impl.cc:162 ) blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::SequencedTaskSource::WorkType)
0x000007fecd46862e (chrome_child.dll -task_annotator.cc:61 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x000007fecd46810b (chrome_child.dll -message_loop.cc:391 ) base::MessageLoop::RunTask(base::PendingTask *)
0x000007fecd45eaf7 (chrome_child.dll -message_loop.cc:447 ) base::MessageLoop::DoWork()
0x000007fecd45e938 (chrome_child.dll -message_pump_default.cc:37 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x000007fecd45dee0 (chrome_child.dll -run_loop.cc:130 ) base::RunLoop::Run()
0x000007fecd4470b8 (chrome_child.dll -renderer_main.cc:247 ) content::RendererMain(content::MainFunctionParams const &)
0x000007fecd446b3d (chrome_child.dll -content_main_runner.cc:427 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x000007fecd43f9a0 (chrome_child.dll -content_main_runner.cc:706 ) content::ContentMainRunnerImpl::Run()
0x000007fecd414eda (chrome_child.dll -main.cc:453 ) service_manager::Main(service_manager::MainParams const &)
0x000007fecd4149a7 (chrome_child.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &)
0x000007fecd41195f (chrome_child.dll -chrome_main.cc:101 ) ChromeMain
0x000000013fe2352b (chrome.exe -main_dll_loader_win.cc:198 ) MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x000000013fe21698 (chrome.exe -chrome_exe_main_win.cc:230 ) wWinMain
0x000000013fefc3b2 (chrome.exe -exe_common.inl:283 ) __scrt_common_main_seh
0x773959cc (kernel32.dll + 0x000159cc ) BaseThreadInitThunk
0x77aab980 (ntdll.dll + 0x0002b980 ) RtlUserThreadStart
Mar 28 2018
I can still repro this issue with my patch reverted. When running I see logging: ContextResult::kTransientFailure: Failed to send GpuChannelMsg_CreateCommandBuffer. Hi danakj@, can you take a look at this crash since it triggers command buffer proxy transient failure?
Mar 28 2018
ContextResult::kTransientFailure means context creation failed such as a lost context, and we'll try to make a context again. I am failing to see the connection of that to blink crashing though? rpise@etouch.net the bisect is wrong if it still repros before that CL. Can you try again?
Mar 28 2018
Mar 29 2018
With respect to comment #6: Again re-bisected this issue on different machines with Windows and Mac OS and getting the same range as mentioned in comment #1. @sfiera: Kindly take a look into this and please help to reassign.
Mar 29 2018
Again re-bisected this issue using the old script (Chromium bisect) and found the range below:

https://chromium.googlesource.com/chromium/src/+log/1f536b2360673ad9a2c95450fe9475769dc85b57..c973b1752686bb8a103505fe51846c96eb605395?pretty=fuller&n=50

Note: Unable to find the exact suspect from the above bisect CL, so please help to reassign this issue.
Mar 30 2018
Apr 3 2018
Re: Bisecting: https://crrev.com/3ebe7b184b8b60fb7fdf57fea1b4868f7676614e is definitely what introduced the HTML/CSS that causes the crash, but to fix it, we need to find the C++ that crashes. The attached test case should be able to find that. It should be possible to reproduce the crash using the “outer.html” file it contains (instead of the NTP), even before https://crrev.com/3ebe7b184b8b60fb7fdf57fea1b4868f7676614e.
Apr 6 2018
Users experienced this crash on the following builds:
Mac Canary 67.0.3390.0 - 0.58 CPM, 1 reports, 1 clients (signature blink::GraphicsLayer::PaintWithoutCommit)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.
- Go/Fracas
Comment 1 by rp...@etouch.net, Mar 28 2018
Owner: sfiera@chromium.org
Status: Assigned (was: Unconfirmed)