Update:

Change-Log URL: https://chromium.googlesource.com/chromium/src/+log/71.0.3543.0..71.0.3544.2?pretty=fuller&n=10000

Suspecting:r588887?

@sergeyu: Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Note:
1. Providing suspect through 'Change-Log' because unable to perform bisect using 'per-revision' and 'chromium bisect' script.
2. Tried performing 'per revision' bisect on multiple Windows, Mac and Linux machines but unable to perform the same since getting following error:
   (a) Error message on Windows and Linux OS : Unable to find locale data files
   (b) Error message on Mac OS:[Errno 2] No such file or directory error message
3. Unable to perform 'chromium bisect' script as issue is not reproducible on chromium builds. 

Deleted: ExpectedVideo.mp4 975 KB

	ExpectedVideo.mp4 975 KB View Download

Stack trace for the crash id:
-----------------------------
Thread 2 (id: 0x1750d) CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000000 ] MAGIC SIGNATURE THREAD
Stack Quality84%Show frame trust levels
0x0000000111477ee3	(Google Chrome Framework -socket_tcp.cc:222 )	network::P2PSocketTcpBase::DoRead()
0x000000011026b1ae	(Google Chrome Framework -callback.h:99 )	net::TCPClientSocket::DidCompleteRead(base::OnceCallback<void (int)>, int)
0x000000011026bd0b	(Google Chrome Framework -bind_internal.h:516 )	base::internal::Invoker<base::internal::BindState<void (net::TCPClientSocket::*)(base::OnceCallback<void (int)>, int), base::internal::UnretainedWrapper<net::TCPClientSocket>, base::OnceCallback<void (int)> >, void (int)>::RunOnce(base::internal::BindStateBase*, int)
0x000000011033bf25	(Google Chrome Framework -callback.h:99 )	net::TCPSocketPosix::ReadCompleted(scoped_refptr<net::IOBuffer> const&, base::OnceCallback<void (int)>, int)
0x000000011033cd87	(Google Chrome Framework -bind_internal.h:516 )	base::internal::Invoker<base::internal::BindState<void (net::TCPSocketPosix::*)(scoped_refptr<net::IOBuffer> const&, base::OnceCallback<void (int)>, int), base::internal::UnretainedWrapper<net::TCPSocketPosix>, scoped_refptr<net::IOBuffer>, base::OnceCallback<void (int)> >, void (int)>::RunOnce(base::internal::BindStateBase*, int)
0x000000011033af7a	(Google Chrome Framework -callback.h:99 )	net::SocketPosix::RetryRead(int)
0x000000011033b37c	(Google Chrome Framework -socket_posix.cc )	net::SocketPosix::OnFileCanReadWithoutBlocking(int)
0x000000010fe049d4	(Google Chrome Framework -message_pump_libevent.cc:90 )	base::MessagePumpLibevent::OnLibeventNotification(int, short, void*)
0x000000010fe05d6b	(Google Chrome Framework -event.c:381 )	event_base_loop
0x000000010fe04cf1	(Google Chrome Framework -message_pump_libevent.cc:247 )	base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0x000000010fd86c94	(Google Chrome Framework -run_loop.cc:102 )	<name omitted>
0x000000010e55cd53	(Google Chrome Framework -browser_process_sub_thread.cc:175 )	content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*)
0x000000010fdc9660	(Google Chrome Framework -thread.cc:357 )	base::Thread::ThreadMain()
0x000000010fdfbc26	(Google Chrome Framework -platform_thread_posix.cc:76 )	base::(anonymous namespace)::ThreadFunc(void*)
0x00007fff7b5c233c	(libsystem_pthread.dylib + 0x0000333c )	_pthread_body
0x00007fff7b5c52a6	(libsystem_pthread.dylib + 0x000062a6 )	_pthread_start
0x00007fff7b5c1424	(libsystem_pthread.dylib + 0x00002424 )	thread_start
0x000000010fdfbbcf	(Google Chrome Framework + 0x0252fbcf )	

Regressed recently in M71 and is the #1 crash in mac canary- 71.0.3544.2.

71.0.3544.2	3.11%	6
71.0.3544.0	5.18%	10
71.0.3542.0	91.71%	177

Links to the list of builds:
----------------------------
https://crash.corp.google.com/browse?q=product_name%3D%27Chrome_Mac%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27browser%27+AND+expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27network%3A%3AP2PSocketTcpBase%3A%3ADoRead%27

Note: This Stack trace is similar to issue 880218.

Adding release blocker label for this issue.Please reduce priority or remove if not the case.

Thank You!

I can't reproduce this on Windows or Linux.

Note that the high crashes on Mac are before the reland of the fix.

The crash happens on Chrome 70.0.3538.10/CrOS 11021.71 - Kefka

crash ID : 82fa2f46f2dfba9f

This crash is fixed, please verify in builds after 70.0.3538.8 and 71.0.3544.0.

Well it's still happening per comment 2 and crash, just with lower frequency.

Cannot manually reproduce the crash in Win and Mac canary- 71.0.3544.2 and latest M70- 70.0.3538.10. 

But as per #4 its reproducible in ChromeOS.

Crash with magic signature 'network::P2PSocketTcpBase::DoRead'(Issue 880218) duped in  issue 877515  is ranked as #1 browser process related crash on the latest Windows dev 70.0.3538.9. 143 crashes from 125 clients so far.

seems the frequency of this crash with network service on is lower than with network service off. removing servicification label.

Friendly ping to get an update as it is marked as RBD.
Thanks..!

Issue 882252 has been merged into this issue.

Crashes with magic signature 'network::P2PSocketTcpBase::DoRead' is #1 browser process related crash on canary and dev channel and will block next M-70/M-71 dev release.


Stack trace of crash id: 08a08c99db1d2422
=========================================== 
Thread 2 (id: 0x18e9ef) CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000000 ] MAGIC SIGNATURE THREAD
Stack Quality84%Show frame trust levels
0x00000001090139e3	(Google Chrome Framework -socket_tcp.cc:222 )	network::P2PSocketTcpBase::DoRead()
0x0000000107e0f23e	(Google Chrome Framework -callback.h:99 )	net::TCPClientSocket::DidCompleteRead(base::OnceCallback<void (int)>, int)
0x0000000107e0fd9b	(Google Chrome Framework -bind_internal.h:516 )	base::internal::Invoker<base::internal::BindState<void (net::TCPClientSocket::*)(base::OnceCallback<void (int)>, int), base::internal::UnretainedWrapper<net::TCPClientSocket>, base::OnceCallback<void (int)> >, void (int)>::RunOnce(base::internal::BindStateBase*, int)
0x0000000107edffa5	(Google Chrome Framework -callback.h:99 )	net::TCPSocketPosix::ReadCompleted(scoped_refptr<net::IOBuffer> const&, base::OnceCallback<void (int)>, int)
0x0000000107ee0e07	(Google Chrome Framework -bind_internal.h:516 )	base::internal::Invoker<base::internal::BindState<void (net::TCPSocketPosix::*)(scoped_refptr<net::IOBuffer> const&, base::OnceCallback<void (int)>, int), base::internal::UnretainedWrapper<net::TCPSocketPosix>, scoped_refptr<net::IOBuffer>, base::OnceCallback<void (int)> >, void (int)>::RunOnce(base::internal::BindStateBase*, int)
0x0000000107edeffa	(Google Chrome Framework -callback.h:99 )	net::SocketPosix::RetryRead(int)
0x0000000107edf3fc	(Google Chrome Framework -socket_posix.cc )	net::SocketPosix::OnFileCanReadWithoutBlocking(int)
0x00000001079a84b4	(Google Chrome Framework -message_pump_libevent.cc:90 )	base::MessagePumpLibevent::OnLibeventNotification(int, short, void*)
0x00000001079a984b	(Google Chrome Framework -event.c:381 )	event_base_loop
0x00000001079a87d1	(Google Chrome Framework -message_pump_libevent.cc:247 )	base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0x000000010792d324	(Google Chrome Framework -run_loop.cc:102 )	<name omitted>
0x0000000106168d53	(Google Chrome Framework -browser_process_sub_thread.cc:175 )	content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*)
0x000000010796ff60	(Google Chrome Framework -thread.cc:357 )	base::Thread::ThreadMain()
0x00000001079a2526	(Google Chrome Framework -platform_thread_posix.cc:76 )	base::(anonymous namespace)::ThreadFunc(void*)
0x00007fff7005d660	(libsystem_pthread.dylib + 0x00003660 )	_pthread_body
0x00007fff7005d50c	(libsystem_pthread.dylib + 0x0000350c )	_pthread_start
0x00007fff7005cbf8	(libsystem_pthread.dylib + 0x00002bf8 )	thread_start
0x00000001079a24cf	(Google Chrome Framework + 0x024c14cf )	

This crash is showing on the latest dev 70.0.3538.9 but didn't showed up on previous dev 70.0.3534.4, hence considering below as the changelog:

https://chromium.googlesource.com/chromium/src/+log/70.0.3534.0..70.0.3538.9?pretty=fuller&n=10000

Suspected CL is https://chromium-review.googlesource.com/c/chromium/src/+/1189083 on trunk and crashes are showing in branch due to reland of the same CL in https://chromium.googlesource.com/chromium/src.git/+/fb713998d9d9e769ba92e01c82a4c94fcc86ea33.


sergeyu@/jam@: Could you please take a look at these crashes as this will block next M-70/M-71 dev release.

Issue 882398 has been merged into this issue.

It still happens on Mac 10.13.4 and Chrome 70.0.3538.9 (3538.9)

Deleted: chrome_crash.log 102 KB

chrome_crash.log 102 KB View Download

Still able to reproduce this issue on M70_11021.11.0 build.

+Stability sheriff.

Similar crash but on sample test page. https://bugs.chromium.org/p/chromium/issues/detail?id=882847

I'm hitting this all the time now, on mac, with a local build trying to dig into another bug. It's definitely that socket_ is nullptr. 

It seems that socket_ is destroyed by P2PSocket::OnError() called from P2PSocketTcpBase::DidCompleteResult(result) when result < 0. That's when I'm hitting this, at least.

Thanks vasanthakumar@ for the update(C#19).

I was able to repro this crash on Test.webrtc.org on the latest canary 71.0.3549.0 and on dev 70.0.3538.9 on Mac OS 10.13.6.

Bisect info:
https://chromium.googlesource.com/chromium/src/+log/70.0.3538.7..70.0.3538.9?pretty=fuller&n=10000

As updated in C#14 this indeed is caused due to https://chromium-review.googlesource.com/c/chromium/src/+/1207091 and needs to be reverted from M-70 branch to unblock the next dev release.  

This crash occurred on my MBP running 71.0.3547.0 and 71.0.3544.0 Yesterday and Saturday, respectively.

I received phone calls via hangouts during the day, but it wasn't like the call came in and the browser crashed immediately.

Monday crash: https://crash.corp.google.com/browse?stbtiq=f5dfd8ddbcbeda29
Saturday crash: https://crash.corp.google.com/browse?stbtiq=28165f42b44e4fca

Stack:
Thread 2 (id: 0x1c54ce) CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000000 ] MAGIC SIGNATURE THREAD
Stack Quality84%Show frame trust levels
0x000000010d7f8463	(Google Chrome Framework -socket_tcp.cc:222 )	network::P2PSocketTcpBase::DoRead()
0x000000010c5e965e	(Google Chrome Framework -callback.h:99 )	net::TCPClientSocket::DidCompleteRead(base::OnceCallback<void (int)>, int)
0x000000010c5ea1bb	(Google Chrome Framework -bind_internal.h:516 )	base::internal::Invoker<base::internal::BindState<void (net::TCPClientSocket::*)(base::OnceCallback<void (int)>, int), base::internal::UnretainedWrapper<net::TCPClientSocket>, base::OnceCallback<void (int)> >, void (int)>::RunOnce(base::internal::BindStateBase*, int)
0x000000010c6baa95	(Google Chrome Framework -callback.h:99 )	net::TCPSocketPosix::ReadCompleted(scoped_refptr<net::IOBuffer> const&, base::OnceCallback<void (int)>, int)
0x000000010c6bb8f7	(Google Chrome Framework -bind_internal.h:516 )	base::internal::Invoker<base::internal::BindState<void (net::TCPSocketPosix::*)(scoped_refptr<net::IOBuffer> const&, base::OnceCallback<void (int)>, int), base::internal::UnretainedWrapper<net::TCPSocketPosix>, scoped_refptr<net::IOBuffer>, base::OnceCallback<void (int)> >, void (int)>::RunOnce(base::internal::BindStateBase*, int)
0x000000010c6b9aea	(Google Chrome Framework -callback.h:99 )	net::SocketPosix::RetryRead(int)
0x000000010c6b9eec	(Google Chrome Framework -socket_posix.cc )	net::SocketPosix::OnFileCanReadWithoutBlocking(int)
0x000000010c181ce4	(Google Chrome Framework -message_pump_libevent.cc:90 )	base::MessagePumpLibevent::OnLibeventNotification(int, short, void*)
0x000000010c18307b	(Google Chrome Framework -event.c:381 )	event_base_loop
0x000000010c182001	(Google Chrome Framework -message_pump_libevent.cc:247 )	base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0x000000010c103fc4	(Google Chrome Framework -run_loop.cc:102 )	<name omitted>
0x000000010a8d8c13	(Google Chrome Framework -browser_process_sub_thread.cc:175 )	content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*)
0x000000010c146900	(Google Chrome Framework -thread.cc:357 )	base::Thread::ThreadMain()
0x000000010c178e36	(Google Chrome Framework -platform_thread_posix.cc:76 )	base::(anonymous namespace)::ThreadFunc(void*)
0x00007fff6a472660	(libsystem_pthread.dylib + 0x00003660 )	_pthread_body
0x00007fff6a47250c	(libsystem_pthread.dylib + 0x0000350c )	_pthread_start
0x00007fff6a471bf8	(libsystem_pthread.dylib + 0x00002bf8 )	thread_start
0x000000010c178ddf	(Google Chrome Framework + 0x02531ddf )

Per c#22, jam@ can you please look into this change (https://chromium-review.googlesource.com/c/chromium/src/+/1207091) ASAP?

Thank you!

I think I've isolated the cause of the crash and put a CL up here: https://chromium-review.googlesource.com/c/chromium/src/+/1219390

The problem is that reading doesn't stop even though the DidCompleteRead has caused the socket to close. I'll leave it up to jam@ to decide if the original should be rolled back or this patch applied. 

Actually, jam@ seems to be OOO for the rest of the week, so I assigned my CL to sergeyu@. Since it's way past quitting time here, I'll leave it up to you if, and to who, the bug should be reassigned.

ossu@, We are fine with landing your fix in tonight's canary and will consider the same fix to M70 Dev branch#3538 tomorrow if everything looks good.

Thank you!

Sounds good, I'll try to land it asap! Finally got over some build problems and was able to verify the fix on my MacBook. My Linux build seemed to avoid crashing even without the fix.

+dxie@ - It's unclear whether this is related to the network service experiment or not.

Checked with sergeyu@, he will be landing the fix in #25 soon. 

this isn't limited to network service. 

see comparison: https://crash.corp.google.com/browse?q=product_name%3D%27Chrome_Mac%27+AND+product.version%3D%2771.0.3548.0%27+AND+expanded_custom_data.ChromeCrashProto.channel%3D%27canary%27&compProp=expanded_custom_data.ChromeCrashProto.experiments.ids&v1=e111fcd-f23d1dea&v2=e111fcd-3f4a17df

Reproducible on today's CrOS M70 Dev RC # 11021.12.0/70.0.3538.15 - Pixel
Browser crashes after sometime [~20 seconds] once the video call has started from hangouts.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f25c20e731087dbb7d09f42b9a03bf08f83dcda3

commit f25c20e731087dbb7d09f42b9a03bf08f83dcda3
Author: Sergey Ulanov <sergeyu@chromium.org>
Date: Wed Sep 12 00:02:47 2018

Stop accessing P2P sockets after being closed due to error

As an example: P2PSocketTcpBase::DoRead already stops looping if result <= 0,
but a delayed read result handled by OnRead doesn't.
Earlier, the socket entered an ERROR state after OnError() was
called, which would stop reads from continuing.

This CL fixes that issue and similar issues when sending and when using UDP.

Bug:  881260 
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: If7cd62b36705f69cfd95a71908d610cc871561b0
Reviewed-on: https://chromium-review.googlesource.com/1219390
Reviewed-by: Sergey Ulanov <sergeyu@chromium.org>
Commit-Queue: Sergey Ulanov <sergeyu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590539}
[modify] https://crrev.com/f25c20e731087dbb7d09f42b9a03bf08f83dcda3/services/network/p2p/socket_tcp.cc
[modify] https://crrev.com/f25c20e731087dbb7d09f42b9a03bf08f83dcda3/services/network/p2p/socket_udp.cc
[modify] https://crrev.com/f25c20e731087dbb7d09f42b9a03bf08f83dcda3/services/network/p2p/socket_udp.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/52eeafd377e38d5e39ab9c807f9df5a67e41dadf

commit 52eeafd377e38d5e39ab9c807f9df5a67e41dadf
Author: Sergey Ulanov <sergeyu@chromium.org>
Date: Wed Sep 12 00:14:49 2018

Stop accessing P2P sockets after being closed due to error

As an example: P2PSocketTcpBase::DoRead already stops looping if result <= 0,
but a delayed read result handled by OnRead doesn't.
Earlier, the socket entered an ERROR state after OnError() was
called, which would stop reads from continuing.

This CL fixes that issue and similar issues when sending and when using UDP.

Bug:  881260 
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: If7cd62b36705f69cfd95a71908d610cc871561b0
Reviewed-on: https://chromium-review.googlesource.com/1219390
Reviewed-by: Sergey Ulanov <sergeyu@chromium.org>
Commit-Queue: Sergey Ulanov <sergeyu@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#590539}(cherry picked from commit f25c20e731087dbb7d09f42b9a03bf08f83dcda3)
Reviewed-on: https://chromium-review.googlesource.com/1220814
Reviewed-by: Abdul Syed <abdulsyed@google.com>
Cr-Commit-Position: refs/branch-heads/3538@{#305}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/52eeafd377e38d5e39ab9c807f9df5a67e41dadf/services/network/p2p/socket_tcp.cc
[modify] https://crrev.com/52eeafd377e38d5e39ab9c807f9df5a67e41dadf/services/network/p2p/socket_udp.cc
[modify] https://crrev.com/52eeafd377e38d5e39ab9c807f9df5a67e41dadf/services/network/p2p/socket_udp.h

Since it's a dev blocker for M70, merged to M70. We'll verify this in canary tomorrow and it's already been verified locally. 

The CL I landed addresses the case when this crash is most likely to occur, but there are still some other cases when crash may still happen. I've uploaded https://chromium-review.googlesource.com/c/chromium/src/+/1220676 to fix it. We will need to merge it to M70 as well.

 Issue 882847  has been merged into this issue.

Update :

Rechecked the above issue on Mac(10.12.6, 10.13.1, 10.13.6, 10.14), Windows(7,8,8.1,10) and Linux(14.04) OS with latest Dev version #70.0.3538.16 and the issue is fixed. 

Kindly refer the attached screen cast.

Deleted: DevBehaviour.mp4 836 KB

	DevBehaviour.mp4 836 KB View Download

Marking as verified per comment 39 above.

Issue is seen on chrome version #70.0.3538.15/11021.12.0 dev-channel Daisy,Kip and Reks before fix and issue is working fine on #70.0.3538.16/11021.13.0 dev-channel Daisy,Kip and Reks after Fix

Thanks..!!

Looks like CL from C#33(landed @590539) missed the latest canary #71.0.3550.0(cut @590498). We have to wait for next canary to verify this on M-71.

Seems like this has been fixed:

https://crash.corp.google.com/browse?q=product_name%3D%27Chrome%27&compProp=product.Version&v1=71.0.3551.0&v2=71.0.3550.0

Update :

Rechecked the above issue on Mac(10.12.6, 10.13.1, 10.13.6, 10.14), Windows(7,8,8.1,10) and Linux(14.04) OS with build #71.0.3551.3 and the issue is fixed. 

Kindly refer the attached screen cast.

Thank You...

Deleted: Canary behaviour.mp4 1.1 MB

	Canary behaviour.mp4 1.1 MB View Download

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Issue 883898 has been merged into this issue.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot