Issue metadata
Sign in to add a comment
|
[LayoutNG] Crash in ShapingLineBreaker::ShapeLine() |
||||||||||||||||||||
Issue descriptionTo reproduce: Visit https://www.nrk.no Crashes in 72.0.3595.2 (Official Build) Also with my self-built content_shell, currently at 8b97e2b522c5f8d478f9ee4aceb0d6467189f830 Make sure that the window isn't too narrow. I only get it to crash when it's somewhat wider than 800px, i.e. the default content_shell window size isn't enough. [104463:104512:1102/140426.442180:FATAL:shaping_line_breaker.cc(311)] Check failed: first_safe <= break_opportunity.offset (23 vs. 22) Thread 20 "Chrome_InProcRe" received signal SIGTRAP, Trace/breakpoint trap. [Switching to Thread 0x7fffa2291700 (LWP 104512)] base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:240 (gdb) bt #0 base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:240 #1 0x00007ffff7ce79d8 in base::debug::BreakDebugger () at ../../base/debug/debugger_posix.cc:263 #2 0x00007ffff7a557f1 in logging::LogMessage::~LogMessage (this=0x7fffa2257518) at ../../base/logging.cc:876 #3 0x00007fffde7f146e in blink::ShapingLineBreaker::ShapeLine (this=0x7fffa2258760, start=12, available_space=248.6875px, options=2, result_out=0x7fffa22581d0) at ../../third_party/blink/renderer/platform/fonts/shaping/shaping_line_breaker.cc:311 #4 0x00007fffe2a46ff1 in blink::NGLineBreaker::BreakText (this=0x7fffa2259dd8, item_result=0x7fffa2259f30, item=..., available_width=239.34375px) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_line_breaker.cc:427 #5 0x00007fffe2a4415b in blink::NGLineBreaker::HandleText (this=0x7fffa2259dd8, item=...) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_line_breaker.cc:346 #6 0x00007fffe2a42b9b in blink::NGLineBreaker::BreakLine (this=0x7fffa2259dd8) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_line_breaker.cc:235 #7 0x00007fffe2a42861 in blink::NGLineBreaker::NextLine (this=0x7fffa2259dd8, line_info=0x7fffa2259f10) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_line_breaker.cc:180 #8 0x00007fffe2a2f1e8 in blink::NGInlineLayoutAlgorithm::Layout (this=0x7fffa225b708) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_inline_layout_algorithm.cc:747 #9 0x00007fffe2a3afb0 in blink::NGInlineNode::Layout (this=0x7fffa225cf68, constraint_space=..., break_token=0xdceeab95ce0, context=0x7fffa225eb58) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_inline_node.cc:691 #10 0x00007fffe2a9dee1 in blink::NGLayoutInputNode::Layout (this=0x7fffa225cf68, space=..., break_token=0xdceeab95ce0, context=0x7fffa225eb58) at ../../third_party/blink/renderer/core/layout/ng/ng_layout_input_node.cc:69 #11 0x00007fffe2a7657e in blink::NGBlockLayoutAlgorithm::HandleInflow (this=0x7fffa225e7c0, child=..., child_break_token=0xdceeab95ce0, previous_inflow_position=0x7fffa225d318, previous_inline_break_token=0x7fffa225d298) at ../../third_party/blink/renderer/core/layout/ng/ng_block_layout_algorithm.cc:1227 #12 0x00007fffe2a726c5 in blink::NGBlockLayoutAlgorithm::Layout (this=0x7fffa225e7c0) at ../../third_party/blink/renderer/core/layout/ng/ng_block_layout_algorithm.cc:547 #13 0x00007fffe2a83559 in blink::(anonymous namespace)::LayoutWithAlgorithm (node=..., space=..., break_token=0x0) at ../../third_party/blink/renderer/core/layout/ng/ng_block_node.cc:73 #14 0x00007fffe2a82337 in blink::NGBlockNode::Layout (this=0x7fffa22600d0, constraint_space=..., break_token=0x0) at ../../third_party/blink/renderer/core/layout/ng/ng_block_node.cc:240 #15 0x00007fffe2a5d8e6 in blink::LayoutNGBlockFlow::UpdateBlockLayout (this=0x45eb7b68530, relayout_children=false) at ../../third_party/blink/renderer/core/layout/ng/layout_ng_block_flow.cc:66 #16 0x00007fffe2839240 in blink::LayoutBlock::UpdateLayout (this=0x45eb7b68530) at ../../third_party/blink/renderer/core/layout/layout_block.cc:444 #17 0x00007fffe2937ca4 in blink::LayoutObject::ForceChildLayout (this=0x45eb7b68530) at ../../third_party/blink/renderer/core/layout/layout_object.cc:3473 #18 0x00007fffe28d53c9 in blink::LayoutFlexibleBox::ConstructAndAppendFlexItem (this=0x45eb7b5deb0, algorithm=0x7fffa22609c0, child=..., layout_type=blink::LayoutFlexibleBox::kForceLayout) at ../../third_party/blink/renderer/core/layout/layout_flexible_box.cc:1133 #19 0x00007fffe28d162c in blink::LayoutFlexibleBox::LayoutFlexItems (this=0x45eb7b5deb0, relayout_children=true, layout_scope=...) at ../../third_party/blink/renderer/core/layout/layout_flexible_box.cc:830 #20 0x00007fffe28d10e6 in blink::LayoutFlexibleBox::UpdateBlockLayout (this=0x45eb7b5deb0, relayout_children=true) at ../../third_party/blink/renderer/core/layout/layout_flexible_box.cc:338 #21 0x00007fffe2839240 in blink::LayoutBlock::UpdateLayout (this=0x45eb7b5deb0) at ../../third_party/blink/renderer/core/layout/layout_block.cc:444 #22 0x00007fffe2937c62 in blink::LayoutObject::ForceLayout (this=0x45eb7b5deb0) at ../../third_party/blink/renderer/core/layout/layout_object.cc:3464 #23 0x00007fffe2a82a1f in blink::NGBlockNode::RunOldLayout (this=0x7fffa2262640, constraint_space=...) at ../../third_party/blink/renderer/core/layout/ng/ng_block_node.cc:853 #24 0x00007fffe2a82007 in blink::NGBlockNode::Layout (this=0x7fffa2262640, constraint_space=..., break_token=0x0) at ../../third_party/blink/renderer/core/layout/ng/ng_block_node.cc:179 #25 0x00007fffe2a7a343 in blink::NGBlockLayoutAlgorithm::LayoutNewFormattingContext (this=0x7fffa2265420, child=..., child_break_token=0x0, child_data=..., origin_offset=..., abort_if_cleared=false) at ../../third_party/blink/renderer/core/layout/ng/ng_block_layout_algorithm.cc:1173 #26 0x00007fffe2a74fd5 in blink::NGBlockLayoutAlgorithm::HandleNewFormattingContext (this=0x7fffa2265420, child=..., child_break_token=0x0, previous_inflow_position=0x7fffa2263f78, previous_inline_break_token=0x7fffa2263ef8) at ../../third_party/blink/renderer/core/layout/ng/ng_block_layout_algorithm.cc:972
,
Dec 16
Can't reproduce any longer, probably the site was changed? Can you still reproduce on your PC? Looked at crash data for ShapingLineBreaker, the number seems high but most stack seems unreliable. Not sure if they're from broken stack and crash in somewhere else, or because ShapingLineBreaker has some inline functions. Probably mix? Some reports say ShapingLineBreaker is called from legacy, so they seem invalid. https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name+LIKE+%27%25ShapingLineBreaker%25%27#-propertyselector,productname:1000,-magicsignature:50,-magicsignature2:50,+stablesignature:50
,
Dec 17
I can't reproduce it right now. I think the problem has disappeared and reappeared before, though. But no point in investigating it while it's not reproducible. Let's close it for now. I'll reopen it if the issue comes back. Who knows? Maybe the issue has actually been fixed. :)
,
Dec 17
Thank you, yeah, I'll try to keep watching the crash data, hopefully it should cover. Also if you happened to find, please add me so that I can react quicker.
,
Jan 11
Seeing [Renderer hang] blink::ShapingLineBreaker::ShapeLine on the latest Windows dev 73.0.3664.3. 18 crashes from 18 clients so far. Link to the list of the builds: =============================== https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BRenderer+hang%5D+blink%3A%3AShapingLineBreaker%3A%3AShapeLine%27#-propertyselector,productname:1000,productversion:100,-magicsignature:50,-magicsignature2:50,-stablesignature:50 Re-opening for further investigation.
,
Jan 15
Just to update: [Renderer hang] blink::ShapingLineBreaker::ShapeLine Still seeing 34 instances from 32 clients on Windows dev-73.0.3664.3 so far. Link to the list of the builds: =============================== https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BRenderer+hang%5D+blink%3A%3AShapingLineBreaker%3A%3AShapeLine%27#-propertyselector,productname:1000,productversion:100,-magicsignature:50,-magicsignature2:50,-stablesignature:50 kojii@, Please take a look into it. Thanks..!
,
Yesterday
(45 hours ago)
Just to update: [Renderer hang] blink::ShapingLineBreaker::ShapeLine Still seeing 10 instances from 10 clients on Windows dev-73.0.3673.0 so far. Link to the list of the builds: =============================== https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BRenderer+hang%5D+blink%3A%3AShapingLineBreaker%3A%3AShapeLine%27+AND+product_name%3D%27Chrome%27+AND+product.Version%3D%2773.0.3673.0%27#-propertyselector,productname:1000,productversion:100,-magicsignature:50,-magicsignature2:50,-stablesignature:50 kojii@,Please take a look into it as it is marked as RBS & stable release coming soon this week Thanks..!
,
Yesterday
(28 hours ago)
Removing RBS because this is only for LayoutNG runtime flag is enabled. Looks like we hung and the main thread calls DumpProcessForHungInputThread(). The abort point is where we're handling a text node in available_width==0 && break-word, but not for min-/fit-content, the normal layout code. The length of text is unknown but we're at offset 23 of the paragraph. The best guess at this point is we're very slow and prompted to wait or kill, for the issue 919123. |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by e...@chromium.org
, Dec 13Owner: kojii@chromium.org
Status: Assigned (was: Available)