Issue 881972
Issue metadata

Status: Duplicate
Merged: issue 884135
Owner:
Closed: Sep 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 1
Type: Bug-Regression




crash in RenderMessageFilter::FetchCachedCode

Project Member Reported by wfh@chromium.org, Sep 7

Issue description

Chrome Version: 71.0.3545.2
OS: Windows 10

What steps will reproduce the problem?
(1) was just browsing
(2)
(3)

What is the expected result?

No crash

What happens instead?

I had a debugger attached to the browser because I'd been experiencing other instability with Chrome Canary, and I was browsing (I had just opened an incognito window and pasted a URL in) and I got an access violation.

(aaec.1ecc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chrome!SkGlyphCache::getDescriptor:
00007ffd`c3763290 488b4108        mov     rax,qword ptr [rcx+8] ds:00000000`00000008=????????????????
0:002> k
 # Child-SP          RetAddr           Call Site
00 00000017`411fe928 00007ffd`c3da700c chrome!SkGlyphCache::getDescriptor
01 00000017`411fe930 00007ffd`c39adcc3 chrome!content::RenderMessageFilter::FetchCachedCode+0x3c [C:\b\c\b\win64_clang\src\content\browser\renderer_host\render_message_filter.cc @ 263] 
02 00000017`411fea60 00007ffd`c3da7600 chrome!content::mojom::RenderMessageFilterStubDispatch::AcceptWithResponder+0x3f1 [C:\b\c\b\win64_clang\src\out\Release_x64\gen\content\common\render_message_filter.mojom.cc @ 1816] 
03 00000017`411fec90 00007ffd`c2fed342 chrome!content::mojom::RenderMessageFilterStub<mojo::RawPtrImplRefTraits<content::mojom::RenderMessageFilter> >::AcceptWithResponder+0x3a [C:\b\c\b\win64_clang\src\out\Release_x64\gen\content\common\render_message_filter.mojom.h @ 232] 
04 00000017`411fece0 00007ffd`c47045be chrome!mojo::InterfaceEndpointClient::HandleValidatedMessage+0x176 [C:\b\c\b\win64_clang\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc @ 0] 
05 00000017`411fed60 00007ffd`c2feb6c2 chrome!IPC::`anonymous namespace'::ChannelAssociatedGroupController::Accept+0xf0 [C:\b\c\b\win64_clang\src\ipc\ipc_mojo_bootstrap.cc @ 838] 
06 00000017`411fef60 00007ffd`c2feb53d chrome!mojo::Connector::ReadSingleMessage+0xfe [C:\b\c\b\win64_clang\src\mojo\public\cpp\bindings\lib\connector.cc @ 456] 
07 00000017`411ff100 00007ffd`c2feb427 chrome!mojo::Connector::ReadAllAvailableMessages+0x63 [C:\b\c\b\win64_clang\src\mojo\public\cpp\bindings\lib\connector.cc @ 486] 
08 00000017`411ff170 00007ffd`c2f1603c chrome!mojo::SimpleWatcher::OnHandleReady+0xab [C:\b\c\b\win64_clang\src\mojo\public\cpp\system\simple_watcher.cc @ 274] 
09 00000017`411ff1e0 00007ffd`c2f15c7f chrome!base::debug::TaskAnnotator::RunTask+0x12c [C:\b\c\b\win64_clang\src\base\debug\task_annotator.cc @ 101] 
0a 00000017`411ff300 00007ffd`c2f0d885 chrome!base::MessageLoop::RunTask+0xdf [C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 436] 
0b 00000017`411ff440 00007ffd`c2f0d6ea chrome!base::MessageLoop::DoWork+0x185 [C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 517] 
0c 00000017`411ff670 00007ffd`c2f0d57e chrome!base::MessagePumpForIO::DoRunLoop+0x14a [C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 494] 
0d 00000017`411ff710 00007ffd`c2f0d2e1 chrome!base::MessagePumpWin::Run+0x4e [C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 54] 
0e 00000017`411ff760 00007ffd`c2f0d276 chrome!base::RunLoop::Run+0x31 [C:\b\c\b\win64_clang\src\base\run_loop.cc @ 108] 
0f 00000017`411ff790 00007ffd`c2f0abeb chrome!content::BrowserProcessSubThread::IOThreadRun+0x24 [C:\b\c\b\win64_clang\src\content\browser\browser_process_sub_thread.cc @ 176] 
10 00000017`411ff7d0 00007ffd`c415469d chrome!base::Thread::ThreadMain+0x19b [C:\b\c\b\win64_clang\src\base\threading\thread.cc @ 360] 
11 00000017`411ff860 00007ffe`2d593034 chrome!base::`anonymous namespace'::ThreadFunc+0xbd [C:\b\c\b\win64_clang\src\base\threading\platform_thread_win.cc @ 103] 
12 00000017`411ff8e0 00007ffe`300c1431 KERNEL32!BaseThreadInitThunk+0x14
13 00000017`411ff910 00000000`00000000 ntdll!RtlUserThreadStart+0x21

Code is

  if (!generated_code_cache_context_->generated_code_cache()) {  <--- CRASH HERE?
    std::move(callback).Run(base::Time(), std::vector<uint8_t>());
    return;
  }

This has recent change : https://chromium-review.googlesource.com/c/1188677/

I can't see how Skia could be being called from here??? Heap corruption? Unfortunately windbg hung while I was debugging this... so I can't get any more info.
 
ah weird, windbg hasn't hung but it was resolving all the symbols at the crash address, which are:

0:002> ln 00007ffd`c3763290
(00007ffd`c3763290)   chrome!SkGlyphCache::getDescriptor   |  (00007ffd`c37632a0)   chrome!SkGlyphCache::countCachedGlyphs
Exact matches:
    chrome!content::AppCacheURLRequest::GetURLRequest (void)
    chrome!wm::CaptureController::GetCaptureWindow (void)
    chrome!PermissionContextBase::profile (void)
    chrome!headless::HeadlessWindowParentingClient::GetDefaultParent (class aura::Window *, class gfx::Rect *)
    chrome!EC_KEY_get0_public_key (struct ec_key_st *)
    chrome!content::PaymentAppContextImpl::payment_app_database (void)
    chrome!service_manager::Service::context (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::ExamplePreprocessorConfig_NormalizersEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,float,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_FLOAT,0>::key (void)
    chrome!ui::IMEBridgeImpl::GetInputContextHandler (void)
    chrome!net::FailingHttpTransactionFactory::GetSession (void)
    chrome!google::protobuf::internal::MapEntryImpl<browser_watcher::Activity_UserDataEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,browser_watcher::TypedValue,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_MESSAGE,0>::key (void)
    chrome!policy::TypeCheckingPolicyHandler::policy_name (void)
    chrome!policy::SchemaValidatingPolicyHandler::policy_name (void)
    chrome!SkGlyphCache::getDescriptor (void)
    chrome!icu_62::number::impl::SymbolsWrapper::getNumberingSystem (void)
    chrome!wm::CaptureController::GetGlobalCaptureWindow (void)
    chrome!extensions::PasswordsPrivateDelegateImpl::GetProfile (void)
    chrome!disk_cache::StorageBlock<disk_cache::EntryStore>::buffer (void)
    chrome!base::internal::PendingTaskQueue::DelayedQueue::Peek (void)
    chrome!prefs::DictionaryValueUpdate::AsConstDictionary (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::SparseWeights_WeightsEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,float,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_FLOAT,0>::key (void)
    chrome!safe_browsing::SettingsResetPromptModel::profile (void)
    chrome!TabContentsSyncedTabDelegate::web_contents (void)
    chrome!syncer::syncable::Directory::kernel (void)
    chrome!syncer::syncable::Directory::kernel (void)
    chrome!extensions::DeclarativeContentIsBookmarkedPredicate::GetEvaluator (void)
    chrome!device::OpenVRWrapper::GetCompositor (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::TranslateRankerModel_TranslateLogisticRegressionModel_TargetLanguageWeightEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,float,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_FLOAT,0>::key (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::TranslateRankerModel_TranslateLogisticRegressionModel_CountryWeightEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,float,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_FLOAT,0>::key (void)
    chrome!security_interstitials::SecurityInterstitialPage::web_contents (void)
    chrome!CBS_len (struct cbs_st *)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::GenericLogisticRegressionModel_WeightsEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,assist_ranker::FeatureWeight,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_MESSAGE,0>::key (void)
    chrome!syncer::ModelTypeSyncBridge::change_processor (void)
    chrome!extensions::DeclarativeContentPageUrlPredicate::GetEvaluator (void)
    chrome!content::NavigationControllerImpl::GetBrowserContext (void)
    chrome!icu_62::number::impl::SymbolsWrapper::getDecimalFormatSymbols (void)
    chrome!storage::SandboxFileSystemBackend::GetQuotaUtil (void)
    chrome!AXTreeSourceAura::GetRoot (void)
    chrome!sync_file_system::drive_backend::SyncEngineContext::GetDriveUploader (void)
    chrome!net::QuicChromiumConnectionHelper::GetClock (void)
    chrome!CRYPTO_BUFFER_data (struct crypto_buffer_st *)
    chrome!content::ServiceManagerConnectionImpl::GetConnector (void)
    chrome!invalidation::ProfileInvalidationProvider::GetIdentityProvider (void)
    chrome!printing::PrintedPage::metafile (void)
    chrome!cc::TaskRunnerProvider::MainThreadTaskRunner (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::ExamplePreprocessorConfig_BucketizersEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,assist_ranker::ExamplePreprocessorConfig_Boundaries,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_MESSAGE,0>::key (void)
    chrome!ENGINE_get_ECDSA_method (struct engine_st *)
    chrome!content::IndexDataKey::ObjectStoreId (void)
    chrome!device::SendBuffer::GetData (void)
    chrome!safe_browsing::Incident::payload (void)
    chrome!safe_browsing::Incident::payload (void)
    chrome!safe_browsing::ServicesDelegateImpl::GetCsdService (void)
    chrome!security_interstitials::ControllerClient::metrics_helper (void)
    chrome!google::protobuf::internal::MapEntryImpl<browser_watcher::StabilityReport_GlobalDataEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,browser_watcher::TypedValue,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_MESSAGE,0>::key (void)
    chrome!disk_cache::StorageBlock<disk_cache::RankingsNode>::buffer (void)
    chrome!SiteEngagementObserver::GetSiteEngagementService (void)
    chrome!icu_62::numparse::impl::ArraySeriesMatcher::begin (void)
    chrome!content::GeneratedCodeCacheContext::generated_code_cache (void)
    chrome!content::MediaSessionController::render_frame_host (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::GenericLogisticRegressionModel_FullnameWeightsEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,float,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_FLOAT,0>::key (void)
    chrome!webrtc::AudioBuffer::num_keyboard_frames (void)
    chrome!google::protobuf::internal::MapEntryImpl<autofill::PasswordRequirementsShard_SpecsEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,autofill::PasswordRequirementsSpec,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_MESSAGE,0>::key (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::RankerExample_FeaturesEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,assist_ranker::Feature,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_MESSAGE,0>::key (void)
    chrome!extensions::DeclarativeContentCssPredicate::GetEvaluator (void)
    chrome!spdy::PriorityWriteScheduler<unsigned int>::NumReadyStreams (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::ExamplePreprocessorConfig_FeatureIndicesEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,int,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_INT32,0>::key (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::TranslateRankerModel_TranslateLogisticRegressionModel_SourceLanguageWeightEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,float,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_FLOAT,0>::key (void)
    chrome!syncer::ChangeProcessor::error_handler (void)
    chrome!SkMD5::bytesWritten (void)
    chrome!net::`anonymous namespace'::ReportingServiceImpl::GetPolicy (void)
    chrome!snappy::UncheckedByteArraySink::GetAppendBuffer (unsigned int64, char *)
    chrome!skia_bindings::GrContextForGLES2Interface::get (void)
    chrome!content::WebContentsObserver::web_contents (void)
    chrome!icu_62::RegexMatcher::pattern (void)
    chrome!ChooserBubbleDelegate::OwningFrame (void)
    chrome!content::IndexMetaDataKey::IndexId (void)
    chrome!base::PowerMonitor::Source (void)
    chrome!google::protobuf::internal::MapEntryImpl<browser_watcher::ProcessState_DataEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,browser_watcher::TypedValue,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_MESSAGE,0>::key (void)
    chrome!extensions::URLPatternSet::size (void)
    chrome!extensions::ExtensionSet::size (void)
    chrome!content::PepperPlayerDelegate::render_frame_host (void)
    chrome!SkPictureData::serialize::DevNull::bytesWritten (void)
    chrome!google::protobuf::internal::MapEntryImpl<assist_ranker::TranslateRankerModel_TranslateLogisticRegressionModel_LocaleWeightEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,float,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_FLOAT,0>::key (void)
    chrome!storage_monitor::StorageMonitor::receiver (void)
    chrome!audio::InProcessAudioManagerAccessor::GetAudioManager (void)
    chrome!ui::AXPlatformNodeBase::GetDelegate (void)
    chrome!BrowserDistribution::GetAppRegistrationData (void)
    chrome!icu_62::CaseFoldingUCharIterator::getIndex (void)
    chrome!content::BrowserPpapiHostImpl::GetPpapiHost (void)
    chrome!gpu::gles2::PassthroughAbstractTextureImpl::GetTextureBase (void)
    chrome!google::protobuf::internal::MapEntryImpl<content::proto::internal::ServiceWorkerFetchRequest_HeadersEntry_DoNotUse,google::protobuf::MessageLite,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,google::protobuf::internal::WireFormatLite::TYPE_STRING,google::protobuf::internal::WireFormatLite::TYPE_STRING,0>::key (void)
    chrome!gpu::MemoryBufferBacking::GetMemory (void)
    chrome!base::debug::ActivityUserData::TypedValue::GetInt (void)
    chrome!base::win::ObjectWatcher::GetWatchedObject (void)
    chrome!base::debug::ActivityUserData::TypedValue::GetUint (void)
    chrome!safe_browsing::ReferrerChainData::GetReferrerChain (void)
    chrome!IOThread::net_log (void)
    chrome!base::sequence_manager::TimeDomain::sequence_manager (void)

Thanks for the report. I think the crash is happening because generated_cache_context is null. The check should have been if (generated_cache_context_ && generated_cache_context_->generated_code_cache()). In incognito mode, we won't use the code caches. I will verify this and upload a cl on Monday. For now, I have disabled the finch trial, so hopefully the crash should go away.
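An added example (written for this page, not Chromium's code) that models the null-context bug described in the comment above: a simplified RenderMessageFilter whose generated_code_cache_context_ may be null in incognito, with the unchecked form quoted in the report placed beside the hardened `ctx_ && ctx_->generated_code_cache()` check. The GeneratedCodeCache, FetchResult, ContextState and RunFetch types, the sample cache entry and the integer stand-in for base::Time are assumptions made for this example only.

```cpp
// Added example, not Chromium source. Models the null generated_code_cache_context_
// from this issue; the types below are simplified stand-ins (assumptions).
#include <cstdint>
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the generated code cache: script URL -> cached bytes.
struct GeneratedCodeCache {
  std::map<std::string, std::vector<uint8_t>> entries;
};

// Stand-in for content::GeneratedCodeCacheContext. The wrapped cache can be
// absent on its own, which is the case the original check covered.
struct GeneratedCodeCacheContext {
  GeneratedCodeCache* cache = nullptr;
  GeneratedCodeCache* generated_code_cache() { return cache; }
};

// What the renderer receives from one fetch, captured from the callback.
// response_time is an integer stand-in for base::Time (0 = "no entry").
struct FetchResult {
  bool callback_ran = false;
  int64_t response_time = 0;
  std::vector<uint8_t> data;
};

using FetchCallback = std::function<void(int64_t, const std::vector<uint8_t>&)>;

class RenderMessageFilter {
 public:
  // In incognito the browser never creates the context, so ctx may be null.
  explicit RenderMessageFilter(GeneratedCodeCacheContext* ctx)
      : generated_code_cache_context_(ctx) {}

  // Shape of the check quoted in the report: it guards the cache pointer but
  // dereferences the context unconditionally, so a null context faults before
  // the check runs. Kept only for contrast; never call it with a null context.
  void FetchCachedCodeUnchecked(const std::string& url, FetchCallback callback) {
    if (!generated_code_cache_context_->generated_code_cache()) {
      std::move(callback)(0, std::vector<uint8_t>());
      return;
    }
    Lookup(url, std::move(callback));
  }

  // Hardened form: && short-circuits, so the context is only dereferenced
  // when it exists, and both "no context" and "no cache" take the empty path.
  void FetchCachedCode(const std::string& url, FetchCallback callback) {
    if (!generated_code_cache_context_ ||
        !generated_code_cache_context_->generated_code_cache()) {
      std::move(callback)(0, std::vector<uint8_t>());
      return;
    }
    Lookup(url, std::move(callback));
  }

 private:
  void Lookup(const std::string& url, FetchCallback callback) {
    GeneratedCodeCache* cache = generated_code_cache_context_->generated_code_cache();
    auto it = cache->entries.find(url);
    if (it == cache->entries.end()) {
      std::move(callback)(0, std::vector<uint8_t>());
      return;
    }
    std::move(callback)(/*response_time=*/1, it->second);
  }

  GeneratedCodeCacheContext* generated_code_cache_context_;
};

// The three states the browser side can be in when the fetch IPC arrives.
enum class ContextState { kNoContext, kContextWithoutCache, kContextWithCache };

// Runs the hardened FetchCachedCode against a constructed sample cache and
// returns what the renderer would have received.
FetchResult RunFetch(ContextState state, const std::string& url) {
  static GeneratedCodeCache sample_cache = [] {
    GeneratedCodeCache c;
    c.entries["https://example.test/app.js"] = {0xC0, 0xDE, 0x01};  // constructed
    return c;
  }();
  static GeneratedCodeCacheContext with_cache;
  static GeneratedCodeCacheContext without_cache;
  with_cache.cache = &sample_cache;
  without_cache.cache = nullptr;

  GeneratedCodeCacheContext* ctx = nullptr;
  if (state == ContextState::kContextWithCache) ctx = &with_cache;
  if (state == ContextState::kContextWithoutCache) ctx = &without_cache;

  RenderMessageFilter filter(ctx);
  FetchResult result;
  filter.FetchCachedCode(url, [&result](int64_t t, const std::vector<uint8_t>& d) {
    result.callback_ran = true;
    result.response_time = t;
    result.data = d;
  });
  return result;
}
```

With ContextState::kNoContext the hardened path still runs the callback and hands the renderer an empty result, which is the documented "no cache" behaviour; the unchecked variant would read through the null context instead, which is the access violation at the top of this report.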
the pending task was posted from:

                  class trace_event_internal::HeapProfilerScopedStackFrame trace_event_unique_task_pc_event430 = class trace_event_internal::HeapProfilerScopedStackFrame
0:002> dx -r1 ((chrome!base::PendingTask *)0x17411ff460)
((chrome!base::PendingTask *)0x17411ff460)                 : 0x17411ff460 [Type: base::PendingTask *]
    [+0x000] task             [Type: base::OnceCallback<void ()>]
    [+0x008] posted_from      [Type: base::Location]
    [+0x028] delayed_run_time [Type: base::TimeTicks]
    [+0x030] queue_time       : {...} [Type: base::Optional<base::TimeTicks>]
    [+0x040] task_backtrace   : { size=4 } [Type: std::array<const void *,4>]
    [+0x060] sequence_num     : 980895 [Type: int]
    [+0x064] nestable         : kNestable (1) [Type: base::Nestable]
    [+0x068] is_high_res      : false [Type: bool]
0:002> dx -r1 (*((chrome!base::Location *)0x17411ff468))
(*((chrome!base::Location *)0x17411ff468))                 [Type: base::Location]
    [+0x000] function_name_   : 0x7ffdc5c2ff75 : "Notify" [Type: char *]
    [+0x008] file_name_       : 0x7ffdc5cd54a8 : "../../mojo/public/cpp/system/simple_watcher.cc" [Type: char *]
    [+0x010] line_number_     : 108 [Type: int]
    [+0x018] program_counter_ : 0x7ffdc2fdccfe [Type: void *]

https://cs.chromium.org/chromium/src/mojo/public/cpp/system/simple_watcher.cc?l=108

so this gives no useful info...

the message looks like it contains the URL I was pasting/navigating to

0:002> dx Debugger.Sessions[0].Processes[43756].Threads[7884].Stack.Frames[2].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[43756].Threads[7884].Stack.Frames[2].SwitchTo()
@r12              class content::mojom::RenderMessageFilter * impl = 0x0000014d`cb6174e0
@rbx              class mojo::Message * message = 0x00000017`411ff030
00000017`411fecb8 class std::unique_ptr<mojo::MessageReceiverWithStatus,std::default_delete<mojo::MessageReceiverWithStatus> > responder = empty
00000017`411feb38 class mojo::internal::MessageDispatchContext context = class mojo::internal::MessageDispatchContext
00000017`411feb68 class mojo::internal::SerializationContext serialization_context = class mojo::internal::SerializationContext
00000017`411febc0 class GURL p_url = "https://www.nytimes.com/aponline/2018/09/07/us/ap-us-dynamite-candle-confusion.html"
00000017`411feba0 class base::OnceCallback<void (base::Time, const std::vector<unsigned char,std::allocator<unsigned char> > &)> callback = class base::OnceCallback<void (base::Time, const std::vector<unsigned char,std::allocator<unsigned char> > &)>
<unavailable>     class content::mojom::internal::RenderMessageFilter_FetchCachedCode_Params_Data * params = <value unavailable>
                  class content::mojom::RenderMessageFilter_FetchCachedCode_ParamsDataView input_data_view = class content::mojom::RenderMessageFilter_FetchCachedCode_ParamsDataView
<unavailable>     bool success = <value unavailable>
<unavailable>     class mojo::internal::MessageDispatchContext context = <value unavailable>
<unavailable>     class mojo::internal::SerializationContext serialization_context = <value unavailable>
<unavailable>     blink::WebPopupType p_popup_type = <value unavailable>
<unavailable>     class mojo::InterfacePtr<content::mojom::Widget> p_widget = <value unavailable>
<unavailable>     class base::OnceCallback<void (int)> callback = <value unavailable>
<unavailable>     class content::mojom::internal::RenderMessageFilter_CreateNewWidget_Params_Data * params = <value unavailable>
<unavailable>     class content::mojom::RenderMessageFilter_CreateNewWidget_ParamsDataView input_data_view = <value unavailable>
<unavailable>     int p_opener_id = <value unavailable>
<unavailable>     bool success = <value unavailable>
0:002> dx Debugger.Sessions[0].Processes[43756].Threads[7884].Stack.Frames[1].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[43756].Threads[7884].Stack.Frames[1].SwitchTo()
@rbx              class content::RenderMessageFilter * this = 0x0000014d`cb617460
@rdi              class GURL * url = 0x00000017`411febc0 "https://www.nytimes.com/aponline/2018/09/07/us/ap-us-dynamite-candle-confusion.html"
00000017`411feaa8 class base::OnceCallback<void (base::Time, const std::vector<unsigned char,std::allocator<unsigned char> > &)> callback = class base::OnceCallback<void (base::Time, const std::vector<unsigned char,std::allocator<unsigned char> > &)>
00000017`411fe9a0 class base::Optional<url::Origin> requesting_origin = {...}
00000017`411fe978 class base::RepeatingCallback<void (const base::Time &, const std::vector<unsigned char,std::allocator<unsigned char> > &)> read_callback = class base::RepeatingCallback<void (const base::Time &, const std::vector<unsigned char,std::allocator<unsigned char> > &)>


i.e. chrome!content::RenderMessageFilter::FetchCachedCode was called with the URL I had just pasted and pushed enter on. So, putting UI>Browser>Navigation as a guess here.

0:002> .dump /ma c:\src\dumps\chrome-crash-2018-09-07.dmp
Creating c:\src\dumps\chrome-crash-2018-09-07.dmp - mini user dump

Created a dump, if it's needed for future triage.
ah yes "chrome!content::GeneratedCodeCacheContext::generated_code_cache" is one of the potential callbacks here.

dumping 'this' for chrome!content::RenderMessageFilter::FetchCachedCode frame gives:

0:002> dx -r1 ((chrome!content::RenderMessageFilter *)0x14dcb6174e0)
((chrome!content::RenderMessageFilter *)0x14dcb6174e0)                 : 0x14dcb6174e0 [Type: content::RenderMessageFilter *]
    [+0x008] ref_count_       [Type: base::AtomicRefCount]
    [+0x010] internal_        : 0x14dcdad1f30 [Type: content::BrowserMessageFilter::Internal *]
    [+0x018] sender_          : 0x14de44ff580 [Type: IPC::Sender *]
    [+0x020] peer_process_    [Type: base::Process]
    [+0x030] message_classes_to_filter_ : { size=1 } [Type: std::vector<unsigned int,std::allocator<unsigned int> >]
    [+0x048] associated_interfaces_ : { size=0 } [Type: std::vector<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::RepeatingCallback<void (mojo::ScopedInterfaceEndpointHandle)> >,std::allocator<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::RepeatingCallback<void (mojo::ScopedInterfaceEndpointHandle)> > > >]
    [+0x060] filter_removed_callbacks_ : { size=1 } [Type: std::vector<base::OnceCallback<void ()>,std::allocator<base::OnceCallback<void ()> > >]
    [+0x088] internal_state_  : [0x3] 0x14dcfcc26f0 {...} [Type: scoped_refptr<content::BrowserAssociatedInterface<content::mojom::RenderMessageFilter>::InternalState>]
    [=0x7ffdc5befc30] Name_            : "content.mojom.RenderMessageFilter" [Type: char [0]]
    [+0x090] resource_dispatcher_host_ : 0x14da812a040 [Type: content::ResourceDispatcherHostImpl *]
    [+0x098] request_context_ : [0xc5fefed0] 0x14dde634910 {...} [Type: scoped_refptr<net::URLRequestContextGetter>]
    [+0x0a0] resource_context_ : 0x14dd656ee20 [Type: content::ResourceContext *]
    [+0x0a8] render_widget_helper_ : [0x3] 0x14ddddb2760 {...} [Type: scoped_refptr<content::RenderWidgetHelper>]
    [+0x0b0] render_process_id_ : 276 [Type: int]
    [+0x0b8] media_internals_ : 0x14daa4b6430 [Type: content::MediaInternals *]
    [+0x0c0] cache_storage_context_ : 0x14dc6226930 [Type: content::CacheStorageContextImpl *]
    [+0x0c8] generated_code_cache_context_ : 0x0 [Type: content::GeneratedCodeCacheContext *]
    [+0x0d0] weak_ptr_factory_ [Type: base::WeakPtrFactory<content::RenderMessageFilter>]

and it is indeed null:

generated_code_cache_context_ : 0x0

Cc: thakis@chromium.org
aside: it makes it really hard to debug when multiple symbols are reusing the same code. In this case the little trampoline at 00007ffd`c3763290 seems to be:

chrome!SkGlyphCache::getDescriptor:
00007ffd`c3763290 488b4108        mov     rax,qword ptr [rcx+8] ds:00000000`00000008=????????????????

but of course symbol resolution doesn't know which of these in #1 it actually is... perhaps this is a clang thing, can these be pulled out into their own little bits of separate code, although they are all doing the same thing? +thakis.
yes this looks like /OPT:ICF. How much binary size increase do we get without this?
I don't know off the top of my head, but it's easy to check if you're curious :-) Probably on the order of "megabytes".
Status: Started (was: Untriaged)
Cc: ligim...@chromium.org
Components: Blink
Labels: -Type-Bug RegressedIn-71 Target-71 ReleaseBlock-Beta M-71 FoundIn-71 OS-Mac Type-Bug-Regression
This is a regression in M71, stats below.

Version	Share	Reports
71.0.3551.0	14.71%	5
71.0.3550.3	11.76%	4
71.0.3550.0	17.65%	6
71.0.3549.1	5.88%	2
71.0.3549.0	17.65%	6

Sample report - go/crash/688429763860d391
==============
Thread 24 (id: 0xaafa77) CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000558 ] MAGIC SIGNATURE THREAD
Stack Quality: 84%
0x000000010ee3336a	(Google Chrome Framework -memory:2619 )	content::RenderThreadImpl::render_message_filter()
0x000000010ee5be6d	(Google Chrome Framework -renderer_blink_platform_impl.cc:475 )	content::RendererBlinkPlatformImpl::FetchCachedCode(GURL const&, base::OnceCallback<void (base::Time, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&)>)
0x000000010ed3d1d2	(Google Chrome Framework -code_cache_loader_impl.cc:73 )	content::CodeCacheLoaderImpl::FetchFromCodeCacheImpl(GURL const&, base::OnceCallback<void (base::Time const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&)>, base::WaitableEvent*)
0x000000010ed3d221	(Google Chrome Framework -code_cache_loader_impl.cc:63 )	content::CodeCacheLoaderImpl::FetchFromCodeCache(GURL const&, base::OnceCallback<void (base::Time const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&)>)
0x000000010a4489a8	(Google Chrome Framework -resource_loader.cc:169 )	blink::ResourceLoader::CodeCacheRequest::FetchFromCodeCache(blink::WebURLLoader*, blink::ResourceLoader*)
0x000000010a44970f	(Google Chrome Framework -resource_loader.cc:398 )	blink::ResourceLoader::StartWith(blink::ResourceRequest const&)
0x000000010a446500	(Google Chrome Framework -resource_load_scheduler.cc:682 )	blink::ResourceLoadScheduler::Request(blink::ResourceLoadSchedulerClient*, blink::ResourceLoadScheduler::ThrottleOption, blink::WebURLRequest::Priority, int, unsigned long long*)
0x000000010a449380	(Google Chrome Framework -resource_loader.cc:348 )	blink::ResourceLoader::Start()
0x000000010a43b57a	(Google Chrome Framework -resource_fetcher.cc:1757 )	blink::ResourceFetcher::StartLoad(blink::Resource*)
0x000000010a43a5dd	(Google Chrome Framework -resource_fetcher.cc:935 )	blink::ResourceFetcher::RequestResource(blink::FetchParameters&, blink::ResourceFactory const&, blink::ResourceClient*, blink::SubstituteData const&)
0x000000010e3bec51	(Google Chrome Framework -script_resource.cc:81 )	blink::ScriptResource::Fetch(blink::FetchParameters&, blink::ResourceFetcher*, blink::ResourceClient*)
0x000000010e3b08c8	(Google Chrome Framework -worklet_module_script_fetcher.cc:41 )	blink::WorkletModuleScriptFetcher::Fetch(blink::FetchParameters&, blink::ModuleGraphLevel, blink::ModuleScriptFetcher::Client*)
0x000000010e3aba9a	(Google Chrome Framework -module_script_loader.cc:204 )	blink::ModuleScriptLoader::FetchInternal(blink::ModuleScriptFetchRequest const&, blink::FetchClientSettingsObjectSnapshot*, blink::ModuleGraphLevel, blink::ModuleScriptCustomFetchType)
0x000000010e4c7826	(Google Chrome Framework -module_map.cc:133 )	blink::ModuleMap::FetchSingleModuleScript(blink::ModuleScriptFetchRequest const&, blink::FetchClientSettingsObjectSnapshot*, blink::ModuleGraphLevel, blink::ModuleScriptCustomFetchType, blink::SingleModuleClient*)
0x000000010e3accd3	(Google Chrome Framework -module_tree_linker.cc:231 )	blink::ModuleTreeLinker::FetchRoot(blink::KURL const&, blink::ScriptFetchOptions const&)
0x000000010e4c5fef	(Google Chrome Framework -modulator_impl_base.cc:71 )	blink::ModulatorImplBase::FetchTree(blink::KURL const&, blink::FetchClientSettingsObjectSnapshot*, blink::WebURLRequest::RequestContext, blink::ScriptFetchOptions const&, blink::ModuleScriptCustomFetchType, blink::ModuleTreeClient*)
0x000000010e5c3193	(Google Chrome Framework -worker_or_worklet_global_scope.cc:200 )	blink::WorkerOrWorkletGlobalScope::FetchModuleScript(blink::KURL const&, blink::FetchClientSettingsObjectSnapshot*, blink::WebURLRequest::RequestContext, network::mojom::FetchCredentialsMode, blink::ModuleScriptCustomFetchType, blink::ModuleTreeClient*)
0x000000010e5caaa8	(Google Chrome Framework -worklet_global_scope.cc:108 )	blink::WorkletGlobalScope::FetchAndInvokeScript(blink::KURL const&, network::mojom::FetchCredentialsMode, blink::FetchClientSettingsObjectSnapshot*, scoped_refptr<base::SingleThreadTaskRunner>, blink::WorkletPendingTasks*)
0x000000010e5b7f51	(Google Chrome Framework -threaded_worklet_object_proxy.cc:38 )	blink::ThreadedWorkletObjectProxy::FetchAndInvokeScript(blink::KURL const&, network::mojom::FetchCredentialsMode, std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> >, scoped_refptr<base::SingleThreadTaskRunner>, blink::WorkletPendingTasks*, blink::WorkerThread*)
0x000000010e5b7938	(Google Chrome Framework -bind_internal.h:516 )	void base::internal::FunctorTraits<void (blink::ThreadedWorkletObjectProxy::*)(blink::KURL const&, network::mojom::FetchCredentialsMode, std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> >, scoped_refptr<base::SingleThreadTaskRunner>, blink::WorkletPendingTasks*, blink::WorkerThread*), void>::Invoke<void (blink::ThreadedWorkletObjectProxy::*)(blink::KURL const&, network::mojom::FetchCredentialsMode, std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> >, scoped_refptr<base::SingleThreadTaskRunner>, blink::WorkletPendingTasks*, blink::WorkerThread*), blink::ThreadedWorkletObjectProxy*, blink::KURL const&, network::mojom::FetchCredentialsMode const&, std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> >, scoped_refptr<base::SingleThreadTaskRunner> const&, blink::CrossThreadPersistent<blink::WorkletPendingTasks> const&, blink::WorkerThread*>(void (blink::ThreadedWorkletObjectProxy::*)(blink::KURL const&, network::mojom::FetchCredentialsMode, std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> >, scoped_refptr<base::SingleThreadTaskRunner>, blink::WorkletPendingTasks*, blink::WorkerThread*), blink::ThreadedWorkletObjectProxy*&&, blink::KURL const&&&, network::mojom::FetchCredentialsMode const&&&, std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> >&&, scoped_refptr<base::SingleThreadTaskRunner> const&&&, blink::CrossThreadPersistent<blink::WorkletPendingTasks> const&&&, blink::WorkerThread*&&)
0x000000010e5b77de	(Google Chrome Framework -bind_internal.h:616 )	void base::internal::Invoker<base::internal::BindState<void (blink::ThreadedWorkletObjectProxy::*)(blink::KURL const&, network::mojom::FetchCredentialsMode, std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> >, scoped_refptr<base::SingleThreadTaskRunner>, blink::WorkletPendingTasks*, blink::WorkerThread*), WTF::CrossThreadUnretainedWrapper<blink::ThreadedWorkletObjectProxy>, blink::KURL, network::mojom::FetchCredentialsMode, WTF::PassedWrapper<std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> > >, scoped_refptr<base::SingleThreadTaskRunner>, blink::CrossThreadPersistent<blink::WorkletPendingTasks>, WTF::CrossThreadUnretainedWrapper<blink::WorkerThread> >, void ()>::RunImpl<void (blink::ThreadedWorkletObjectProxy::* const&)(blink::KURL const&, network::mojom::FetchCredentialsMode, std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> >, scoped_refptr<base::SingleThreadTaskRunner>, blink::WorkletPendingTasks*, blink::WorkerThread*), std::__1::tuple<WTF::CrossThreadUnretainedWrapper<blink::ThreadedWorkletObjectProxy>, blink::KURL, network::mojom::FetchCredentialsMode, WTF::PassedWrapper<std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> > >, scoped_refptr<base::SingleThreadTaskRunner>, blink::CrossThreadPersistent<blink::WorkletPendingTasks>, WTF::CrossThreadUnretainedWrapper<blink::WorkerThread> > const&, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul>(void (blink::ThreadedWorkletObjectProxy::* const&&&)(blink::KURL const&, network::mojom::FetchCredentialsMode, std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> >, scoped_refptr<base::SingleThreadTaskRunner>, blink::WorkletPendingTasks*, blink::WorkerThread*), std::__1::tuple<WTF::CrossThreadUnretainedWrapper<blink::ThreadedWorkletObjectProxy>, blink::KURL, network::mojom::FetchCredentialsMode, WTF::PassedWrapper<std::__1::unique_ptr<blink::CrossThreadFetchClientSettingsObjectData, std::__1::default_delete<blink::CrossThreadFetchClientSettingsObjectData> > >, scoped_refptr<base::SingleThreadTaskRunner>, blink::CrossThreadPersistent<blink::WorkletPendingTasks>, WTF::CrossThreadUnretainedWrapper<blink::WorkerThread> > const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul>)
0x000000010da9757b	(Google Chrome Framework -callback.h:140 )	blink::(anonymous namespace)::RunCrossThreadClosure(WTF::CrossThreadFunction<void ()>)
0x000000010da97c02	(Google Chrome Framework -bind_internal.h:416 )	base::internal::Invoker<base::internal::BindState<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> >, void ()>::RunOnce(base::internal::BindStateBase*)
0x000000010aa1a171	(Google Chrome Framework -callback.h:99 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000000010aa80e23	(Google Chrome Framework -thread_controller_impl.cc:196 )	base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType)
0x000000010aa1a171	(Google Chrome Framework -callback.h:99 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000000010aa3596d	(Google Chrome Framework -message_loop.cc:434 )	base::MessageLoop::RunTask(base::PendingTask*)
0x000000010aa35cd2	(Google Chrome Framework -message_loop.cc:445 )	base::MessageLoop::DoWork()
0x000000010aa37558	(Google Chrome Framework -message_pump_default.cc:37 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
0x000000010aa5a3d4	(Google Chrome Framework -run_loop.cc:102 )	<name omitted>
0x000000010aa9d660	(Google Chrome Framework -thread.cc:357 )	base::Thread::ThreadMain()
0x000000010aacf976	(Google Chrome Framework -platform_thread_posix.cc:76 )	base::(anonymous namespace)::ThreadFunc(void*)
0x00007fff5be9e660	(libsystem_pthread.dylib + 0x00003660 )	_pthread_body
0x00007fff5be9e50c	(libsystem_pthread.dylib + 0x0000350c )	_pthread_start
0x00007fff5be9dbf8	(libsystem_pthread.dylib + 0x00002bf8 )	thread_start
0x000000010aacf91f	(Google Chrome Framework + 0x0254491f )	

The stack frames seem to be slightly different, but the root cause seems to be the same.

Manual regression Range
=======================
https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.ptype%3D%27renderer%27+AND+expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27content%3A%3ARenderThreadImpl%3A%3Arender_message_filter%27

Assigning to Mythri for further updates.
Thanks ligimole@ for updating the bug. One fix for this landed in 71.0.3549.0 and I thought this was fixed. I will have a look at the new crashers.
Mergedinto: 881881
Status: Duplicate (was: Started)
Mergedinto: -881881 884135
Creating a new bug to be clear it is a different issue to the one initially reported. The initial report is fixed in 71.0.3549.0.
