Stack sampler crash on macOS 10.12.6 on Mac Minis
Issue description

Crash seen here: https://ci.chromium.org/p/chromium/builders/luci.chromium.try/mac_optional_gpu_tests_rel/1348 from the mac_optional_gpu_tests_rel tryjob for this CL: https://chromium-review.googlesource.com/c/chromium/src/+/1005362

Failing shard: https://chromium-swarm.appspot.com/task?id=3ccada30100eb410&refresh=10&show_raw=1

Stack excerpt follows. Marking P1 at least until this gets triaged. I don't know how often this is happening, but this is a browser process crash, which is serious.

Operating system: Mac OS X 10.12.6 16G29
CPU: amd64 family 6 model 69 stepping 1, 4 CPUs
GPU: UNKNOWN

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0xffffffffffffffe9
Process uptime: 25 seconds

Thread 3 (crashed)
 0  libunwind.dylib + 0x1195
    rax = 0x00007fffe2d0d195   rdx = 0x0000000000000161
    rcx = 0x000070000f01a1b0   rbx = 0x000070000f01a160
    rsi = 0xffffffffffffffe9   rdi = 0x0000000000000000
    rbp = 0x000070000f01a120   rsp = 0x000070000f01a118
     r8 = 0x0000000000000001    r9 = 0x00007fffe2d0d214
    r10 = 0x0000000119111470   r11 = 0x0000000119111410
    r12 = 0x00007fe6a7716470   r13 = 0x000070000f01a160
    r14 = 0x0000000000000000   r15 = 0x000070000f01acd0
    rip = 0x00007fffe2d0d195
    Found by: given as instruction pointer in context
 1  libunwind.dylib + 0x10d1
    rbp = 0x000070000f01a150   rsp = 0x000070000f01a130   rip = 0x00007fffe2d0d0d1
    Found by: previous frame's frame pointer
 2  Chromium Framework!__ZN4base12_GLOBAL__N_120WalkStackFromContextIZNS0_21NativeStackSamplerMac27SuspendThreadAndRecordStackEPNS_18NativeStackSampler11StackBufferEPNS_21StackSamplingProfiler6SampleEE3$_1EEbP13unw_context_tmPmPNSt3__16vectorINS6_6ModuleENSD_9allocatorISF_EEEEPNSE_INS0_11ModuleIndexENSG_ISK_EEEERKT_ + 0x124
    rbp = 0x000070000f01a660   rsp = 0x000070000f01a160   rip = 0x00000001190794f4
    Found by: previous frame's frame pointer
 3  Chromium Framework!__ZN4base12_GLOBAL__N_121NativeStackSamplerMac17RecordStackSampleEPNS_18NativeStackSampler11StackBufferEPNS_21StackSamplingProfiler6SampleE + 0x477
    rbp = 0x000070000f01ad10   rsp = 0x000070000f01a670   rip = 0x0000000119078807
    Found by: previous frame's frame pointer
 4  Chromium Framework!__ZN4base21StackSamplingProfiler14SamplingThread12RecordSampleEPNS1_17CollectionContextE + 0x43f
    rbp = 0x000070000f01ae80   rsp = 0x000070000f01ad20   rip = 0x000000011907c38f
    Found by: previous frame's frame pointer
 5  Chromium Framework!__ZN4base21StackSamplingProfiler14SamplingThread21PerformCollectionTaskEi + 0xea
    rbp = 0x000070000f01b020   rsp = 0x000070000f01ae90   rip = 0x000000011907c6da
    Found by: previous frame's frame pointer
 6  Chromium Framework!__ZN4base5debug13TaskAnnotator7RunTaskEPKcPNS_11PendingTaskE + 0x143
    rbp = 0x000070000f01b1e0   rsp = 0x000070000f01b030   rip = 0x0000000118fffe93
    Found by: previous frame's frame pointer
 7  Chromium Framework!__ZN4base8internal17IncomingTaskQueue7RunTaskEPNS_11PendingTaskE + 0x79
    rbp = 0x000070000f01b330   rsp = 0x000070000f01b1f0   rip = 0x000000011903ceb9
    Found by: previous frame's frame pointer
 8  Chromium Framework!__ZN4base11MessageLoop7RunTaskEPNS_11PendingTaskE + 0x257
    rbp = 0x000070000f01b520   rsp = 0x000070000f01b340   rip = 0x0000000119041687
    Found by: previous frame's frame pointer
Apr 13 2018
Here's the unwind state for this crash:

unw_proc_info
  start_ip = 0x0000000119111410  Chromium Framework 3394.0.0.0 + 0x367c410
  end_ip   = 0x0000000119111470  Chromium Framework 3394.0.0.0 + 0x367c470 (function size: 96)
  format   = 0x01030161 (rbp_frame)
  extra    = 0x0000000115a95000  Chromium Framework 3394.0.0.0 + 0x0

thread_state
  rsp = 0x000000010b96a048
  rbp = 0x0000000000000001
  rip = 0x000000011911143d  Chromium Framework 3394.0.0.0 + 0x367c43d (start_ip offset: 0x2d)

leaf thread_state
  rsp = 0x000000010b96a000
  rbp = 0x000000010b96a088
  rip = 0x00007fffe2c4d5e7  libsystem_malloc.dylib 116.50.8.0 + 0x45e7

Seems like this is not being caught by the rbp check because rbp - offset * 8 is underflowing, so (rbp - offset * 8) > rsp is true.
Apr 16 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d408e982d8ea7cdcc89f5c7cab7d1639106e616e

commit d408e982d8ea7cdcc89f5c7cab7d1639106e616e
Author: Mike Wittman <wittman@chromium.org>
Date: Mon Apr 16 21:07:21 2018

[Sampling profiler] Avoid underflow in OS X rbp check

When rbp was less than the offset, the check was underflowing and incorrectly passing. Add a check for rbp < offset to detect this situation.

Bug: 831448
Change-Id: I4f780c1573782af3ca29b0f814e93ff2dca839f2
Reviewed-on: https://chromium-review.googlesource.com/1013213
Reviewed-by: Leonard Grey <lgrey@chromium.org>
Commit-Queue: Mike Wittman <wittman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551113}

[modify] https://crrev.com/d408e982d8ea7cdcc89f5c7cab7d1639106e616e/base/profiler/native_stack_sampler_mac.cc
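To make the underflow from the Apr 13 comment and the guard from the commit message concrete, here is an added example modelling the rbp plausibility check before and after the fix. It is not Chromium's native_stack_sampler_mac.cc (whose exact code is not on this page); the function names are hypothetical, and the compact-unwind field masks mirror Apple's <mach-o/compact_unwind_encoding.h>, under which the 0x03 in format 0x01030161 is an offset of 3 slots, i.e. 24 bytes. Fed the values from the unwind state above (rbp = 0x1, rsp = 0x10b96a048), the pre-fix check passes, and the wrapped subtraction 0x1 - 24 yields 0xffffffffffffffe9, the crash address reported in the issue:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field masks for x86_64 compact unwind encodings, mirroring Apple's
   <mach-o/compact_unwind_encoding.h>. */
#define UNWIND_X86_64_MODE_MASK        0x0F000000u
#define UNWIND_X86_64_MODE_RBP_FRAME   0x01000000u
#define UNWIND_X86_64_RBP_FRAME_OFFSET 0x00FF0000u

typedef uint64_t unw_word_t; /* stand-in for libunwind's register word */

/* Distance in bytes from rbp down to the callee-saved register area: the
   offset field of an rbp_frame encoding counts 8-byte slots. */
uint32_t rbp_frame_offset_bytes(uint32_t format) {
  return ((format & UNWIND_X86_64_RBP_FRAME_OFFSET) >> 16) *
         (uint32_t)sizeof(unw_word_t);
}

/* Hypothetical pre-fix check, as the Apr 13 comment describes it: the
   subtraction rbp - offset is unsigned, so when rbp < offset it wraps to a
   huge value that compares greater than any rsp and the frame is accepted. */
bool rbp_plausible_before_fix(uint32_t format, unw_word_t rsp, unw_word_t rbp) {
  if ((format & UNWIND_X86_64_MODE_MASK) != UNWIND_X86_64_MODE_RBP_FRAME)
    return true; /* not an rbp-based frame; this check has nothing to say */
  unw_word_t offset = rbp_frame_offset_bytes(format);
  return (rbp - offset) > rsp;
}

/* Same check with the guard the commit message describes: reject rbp < offset
   before the subtraction can wrap. */
bool rbp_plausible_after_fix(uint32_t format, unw_word_t rsp, unw_word_t rbp) {
  if ((format & UNWIND_X86_64_MODE_MASK) != UNWIND_X86_64_MODE_RBP_FRAME)
    return true;
  unw_word_t offset = rbp_frame_offset_bytes(format);
  if (rbp < offset)
    return false;
  return (rbp - offset) > rsp;
}

/* The address the wrapped subtraction produces, i.e. where the unwinder would
   go looking for the saved registers. */
unw_word_t saved_reg_area(uint32_t format, unw_word_t rbp) {
  return rbp - rbp_frame_offset_bytes(format);
}

int main(void) {
  /* Values copied from the unw_proc_info / thread_state dump in this bug. */
  const uint32_t format = 0x01030161u;
  const unw_word_t rsp = 0x000000010b96a048ull;
  const unw_word_t rbp = 0x0000000000000001ull;

  printf("offset bytes     = %u\n", rbp_frame_offset_bytes(format));
  printf("rbp - offset     = 0x%016llx\n",
         (unsigned long long)saved_reg_area(format, rbp));
  printf("check before fix = %s\n",
         rbp_plausible_before_fix(format, rsp, rbp) ? "passes (bad)" : "rejects");
  printf("check after fix  = %s\n",
         rbp_plausible_after_fix(format, rsp, rbp) ? "passes" : "rejects (good)");

  /* Constructed healthy frame (not from the dump): rbp a few slots above rsp,
     so both versions of the check accept it. */
  const unw_word_t ok_rsp = 0x000070000f01a118ull;
  const unw_word_t ok_rbp = 0x000070000f01a160ull;
  printf("healthy frame    = %s\n",
         rbp_plausible_after_fix(format, ok_rsp, ok_rbp) ? "passes" : "rejects");
  return 0;
}
```

The guard is placed before the subtraction rather than after it because once the value has wrapped there is nothing left to distinguish it from a legitimately large frame pointer; the same pattern applies to any bounds check of the form base - offset >= limit on unsigned addresses.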
Apr 19 2018
The change above landed in 68.0.3398.0 and no crashes have been seen since. With this and the fix for issue 831793 all known sampling profiler crashes on Mac are now fixed. If we see anything else please file a new bug and assign to me.
Comment 1 by wittman@chromium.org, Apr 11 2018
Labels: -Pri-1 Pri-2
Status: Assigned (was: Untriaged)