Issue 866652 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Owner:	lizeb@chromium.org
Closed:	Aug 2
Cc:	mlippautz@chromium.org adamk@chromium.org haraken@chromium.org lfg@chromium.org
Components:	Blink>Bindings
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	1
Type:	Bug
Stability ReleaseBlock-Stable M-69

Crash v8::GlobalValueMap<WTF::MovableStringImpl*, v8::String, blink::MovableStringCacheMapTraits>::SecondWeakCallback

Project Member Reported by abodenha@chromium.org, Jul 23

Issue description

Chrome Version: 69.0.3494.0
OS: Chrome OS

#7 crash in latest Chrome OS dev

Thread 0 (id: 0x7f90) CRASHED [SIGSEGV /SEGV_MAPERR @ 0x00000008 ] MAGIC SIGNATURE THREAD
Stack Quality83%Show frame trust levels
0x00005e2c836e9293	(chrome -__tree:148 )	WTF::MovableStringTable::Remove(WTF::MovableStringImpl*, WTF::StringImpl*)
0x00005e2c836e914e	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/platform/wtf/text/movable_string.cc:44 )	WTF::MovableStringImpl::~MovableStringImpl()
0x00005e2c83732e9c	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/platform/wtf/ref_counted.h:54 )	v8::GlobalValueMap<WTF::MovableStringImpl*, v8::String, blink::MovableStringCacheMapTraits>::SecondWeakCallback(v8::WeakCallbackInfo<WTF::MovableStringImpl> const&)
0x00005e2c7fbd1648	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/v8/src/global-handles.cc:903 )	v8::internal::GlobalHandles::InvokeSecondPassPhantomCallbacks()
0x00005e2c7fbf8b45	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/v8/src/heap/heap.cc:1347 )	v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags)
0x00005e2c7dabe5b9	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/v8/src/heap/heap.cc:4539 )	v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment)
0x00005e2c7fbda392	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/v8/src/heap/factory.cc:196 )	v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace)
0x00005e2c7fe106bd	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/v8/src/runtime/runtime-internal.cc:280 )	v8::internal::Runtime_AllocateInNewSpace(int, v8::internal::Object**, v8::internal::Isolate*)
0x00005e2c800ae9ed	(chrome + 0x026db9ed )	
0x00005e2c80020b83	(chrome + 0x0264db83 )	
0x00003a0a128841cc		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00005e2c8001e2a5	(chrome + 0x0264b2a5 )	
0x00005e2c800b821f	(chrome + 0x026e521f )	
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00003a0a125886a5		
0x00005e2c8001e2a5	(chrome + 0x0264b2a5 )	
0x00005e2c80022162	(chrome + 0x0264f162 )	
0x00003a0a12585b00		
0x00005e2c7dab7dd1	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/v8/src/simulator.h:113 )	v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target)
0x00005e2c7fbb9cd7	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/v8/src/execution.cc:191 )	v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)
0x00005e2c7da8c212	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/v8/src/api.cc:5313 )	v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*)
0x00005e2c7dbe539d	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/bindings/core/v8/v8_script_runner.cc:386 )	blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*)
0x00005e2c84fa4cd5	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/bindings/core/v8/v8_event_listener.cc:115 )	blink::V8EventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*)
0x00005e2c7dbe4ab3	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:171 )	blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>)
0x00005e2c84f9cc8c	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:120 )	blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*)
0x00005e2c84f9caee	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:108 )	blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*)
0x00005e2c83836e43	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/core/dom/events/event_target.cc:816 )	blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&)
0x00005e2c8383665c	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/core/dom/events/event_target.cc:656 )	blink::EventTarget::FireEventListeners(blink::Event*)
0x00005e2c8382cac3	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/core/dom/events/event_dispatcher.cc:241 )	blink::EventDispatcher::Dispatch()
0x00005e2c8382bae0	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/core/dom/events/event_dispatcher.cc:59 )	blink::EventDispatcher::DispatchEvent(blink::Node&, blink::Event*)
0x00005e2c855d3fe0	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/core/dom/events/event_target.cc:553 )	blink::Document::FinishedParsing()
0x00005e2c857280b0	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/core/html/parser/html_construction_site.cc:621 )	blink::HTMLDocumentParser::AttemptToRunDeferredScriptsAndEnd()
0x00005e2c85729fc8	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/blink/renderer/core/html/parser/html_document_parser.cc:543 )	blink::HTMLDocumentParser::PumpPendingSpeculations()
0x00005e2c837a979b	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/callback.h:99 )	blink::TaskHandle::Runner::Run(blink::TaskHandle const&)
0x00005e2c7db2fdf6	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/callback.h:99 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x00005e2c7db2a911	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/task/sequence_manager/thread_controller_impl.cc:166 )	base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType)
0x00005e2c7db2fdf6	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/callback.h:99 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x00005e2c806c4741	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/message_loop/incoming_task_queue.cc:114 )	base::MessageLoop::RunTask(base::PendingTask*)
0x00005e2c806c5019	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/message_loop/message_loop.cc:368 )	<name omitted>
0x00005e2c7db27b7a	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/message_loop/message_loop.cc:438 )	base::MessageLoop::DoWork()
0x00005e2c806c65d6	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/message_loop/message_pump_default.cc:37 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
0x00005e2c806e62e3	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/run_loop.cc:102 )	<name omitted>
0x00005e2c84255bf5	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/content/renderer/renderer_main.cc:200 )	content::RendererMain(content::MainFunctionParams const&)
0x00005e2c802f2d09	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/content/app/content_main_runner_impl.cc:554 )	content::ContentMainRunnerImpl::Run(bool)
0x00005e2c802fa492	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/services/service_manager/embedder/main.cc:472 )	service_manager::Main(service_manager::MainParams const&)
0x00005e2c7dc10da4	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/content/app/content_main.cc:19 )	ChromeMain
0x00007a6e7c6a2735	(libc-2.23.so -libc-start.c:289 )	__libc_start_main
0x00005e2c7dc00e98	(chrome + 0x0022de98 )	_start
0x00007ffe2f9241c7

Comment 1 by machenb...@chromium.org, Jul 24

Components: -Infra>Client>V8 Blink>JavaScript
Labels: Stability

Comment 2 by hablich@chromium.org, Jul 31

Owner: adamk@chromium.org
Status: Assigned (was: Untriaged)

Assigning to on-duty stab sheriff for further triage.

Comment 3 by adamk@chromium.org, Jul 31

Cc: adamk@chromium.org
Components: -Blink>JavaScript Blink>Bindings
Owner: ----
Status: Available (was: Assigned)

Looks more like a bindings issue than V8 itself.

Comment 4 by raphael....@intel.com, Aug 1

Cc: haraken@chromium.org mlippautz@chromium.org

Tentatively over to haraken/mlippautz for triaging.

Comment 5 by mlippautz@chromium.org, Aug 1

I am not aware of any changes in the area of GlobalValueMap and/or wrappers that could affect this.

Also, the V8 parts for firing callbacks have been unchanged for months.

Comment 6 by lfg@chromium.org, Aug 1

Owner: lizeb@chromium.org
Status: Assigned (was: Available)

I suspect this is related to the work done on  issue 837659 .

lizeb@, can you take a look?

Comment 7 by lizeb@chromium.org, Aug 2

I believe this is https://bugs.chromium.org/p/chromium/issues/detail?id=863786, which has been fixed by this revert:
https://chromium.googlesource.com/chromium/src/+/38b255587ab8598eee49da1b7581646682f6d5f5

Comment 8 by lizeb@chromium.org, Aug 2

See https://crash.corp.google.com/browse?q=stable_signature%3D%27WTF%3A%3AMovableStringTable%3A%3ARemove-e15d6397%27#-property-selector,productname:1000,+productversion,-magicsignature:50,-magicsignature2:50,-stablesignature:50,-magicsignaturesorted:50

No crashes after 69.0.3494.0, which maps to when the revert landed.

Comment 9 by lfg@chromium.org, Aug 2

Mergedinto: 863786
Status: Duplicate (was: Assigned)

Thanks, yes, it looks like the revert has fixed it, let's close it as duplicate.

►

Issue 866652 link

Issue metadata

Crash v8::GlobalValueMap<WTF::MovableStringImpl*, v8::String, blink::MovableStringCacheMapTraits>::SecondWeakCallback

Issue description

Comment 1 by machenb...@chromium.org, Jul 24

Comment 1 Deleted

Comment 2 by hablich@chromium.org, Jul 31

Comment 2 Deleted

Comment 3 by adamk@chromium.org, Jul 31

Comment 3 Deleted

Comment 4 by raphael....@intel.com, Aug 1

Comment 4 Deleted

Comment 5 by mlippautz@chromium.org, Aug 1

Comment 5 Deleted

Comment 6 by lfg@chromium.org, Aug 1

Comment 6 Deleted

Comment 7 by lizeb@chromium.org, Aug 2

Comment 7 Deleted

Comment 8 by lizeb@chromium.org, Aug 2

Comment 8 Deleted

Comment 9 by lfg@chromium.org, Aug 2

Comment 9 Deleted

Sign in to add a comment