
Issue 904546

Starred by 7 users

Issue metadata

Status: Verified
Owner:
Closed: Nov 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Regression

Blocking:
issue 903081




Crash in Oilpan garbage collection during mixin construction

Project Member Reported by rjkroege@chromium.org, Nov 12

Issue description

On MacOS AMD Debug Retina (builder): https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Mac%20Retina%20Debug%20(AMD)
https://chromium-swarm.appspot.com/task?id=4121f146702f9510&refresh=10&show_raw=1

Different WebGL tests:

WebglConformance_deqp_data_gles2_shaders_functions
WebglConformance_deqp_data_gles2_shaders_swizzles

occasionally crash the blink thread while doing GC. Perhaps this is an issue with oilpan. haraken@: can you redirect this appropriately? Or tell me if this is not an oilpan issue.


-- details --

Chrome, Mac, running WebGL conformance tests, AMD Retina debug.

Common part of the stack trace of the blink thread crashing during a GC cycle; shows up every ~5 builds.

  	Thread 0 (crashed)
  	 0  libblink_core.dylib!__ZNK5blink16HeapObjectHeader7IsValidEv + 0x1d
  	 1  libblink_core.dylib!__ZNK5blink16HeapObjectHeader11CheckHeaderEv + 0x2c
  	 2  libblink_core.dylib!__ZNK5blink16HeapObjectHeader8IsMarkedEv + 0x19
  	 3  libblink_core.dylib!__ZN5blink16ObjectAliveTraitINS_21LifecycleObserverBaseELb1EE17IsHeapObjectAliveEPKS1_ + 0x2c
  	 4  libblink_core.dylib!__ZN5blink10ThreadHeap17IsHeapObjectAliveINS_21LifecycleObserverBaseEEEbPKT_ + 0x121
  	 5  libblink_core.dylib!__ZN5blink10ThreadHeap17IsHeapObjectAliveINS_21LifecycleObserverBaseEEEbRKNS_10WeakMemberIT_EE + 0x1d
  	 6  libblink_core.dylib!__ZN3WTF10HashTraitsIN5blink10WeakMemberINS1_21LifecycleObserverBaseEEEE7IsAliveERS4_ + 0x15
  	 7  libblink_core.dylib!__ZN3WTF22TraceInCollectionTraitILNS_16WeakHandlingFlagE1EN5blink10WeakMemberINS2_21LifecycleObserverBaseEEENS_10HashTraitsIS5_EEE7IsAliveERS5_ + 0x15
  	 8  libblink_core.dylib!__ZN3WTF22TraceInCollectionTraitILNS_16WeakHandlingFlagE1ENS_17LinkedHashSetNodeIN5blink10WeakMemberINS3_21LifecycleObserverBaseEEENS3_13HeapAllocatorEEENS_19LinkedHashSetTraitsIS6_NS_10HashTraitsIS6_EES7_EEE7IsAliveERS8_ + 0x19
  	 9  libblink_core.dylib!__ZN3WTF29WeakProcessingHashTableHelperILNS_16WeakHandlingFlagE1ENS_17LinkedHashSetNodeIN5blink10WeakMemberINS3_21LifecycleObserverBaseEEENS3_13HeapAllocatorEEES8_NS_17IdentityExtractorENS_23LinkedHashSetTranslatorIS6_NS_10MemberHashIS5_EES7_EENS_19LinkedHashSetTraitsIS6_NS_10HashTraitsIS6_EES7_EESH_S7_E7ProcessEPNS3_7VisitorEPv + 0x89
  	10  libblink_platform.dylib!__ZN5blink10ThreadHeap14WeakProcessingEPNS_7VisitorE + 0xaa
  	11  libblink_platform.dylib!__ZN5blink11ThreadState17MarkPhaseEpilogueENS_7BlinkGC11MarkingTypeE + 0x6f
  	12  libblink_platform.dylib!__ZN5blink11ThreadState23AtomicPauseMarkEpilogueENS_7BlinkGC11MarkingTypeE + 0x1b
  	13  libblink_platform.dylib!__ZN5blink11ThreadState14RunAtomicPauseENS_7BlinkGC10StackStateENS1_11MarkingTypeENS1_12SweepingTypeENS1_8GCReasonE + 0x12e
  	14  libblink_platform.dylib!__ZN5blink11ThreadState14CollectGarbageENS_7BlinkGC10StackStateENS1_11MarkingTypeENS1_12SweepingTypeENS1_8GCReasonE + 0x266
  	15  libblink_platform.dylib!__ZN5blink11ThreadState18ScheduleGCIfNeededEv + 0x3f4
  	16  libblink_platform.dylib!__ZN5blink15NormalPageArena17OutOfLineAllocateEmm + 0x280
  	17  libblink_core.dylib!__ZN5blink15NormalPageArena14AllocateObjectEmm + 0x2f8
  	18  libblink_core.dylib!__ZN5blink10ThreadHeap20AllocateOnArenaIndexEPNS_11ThreadStateEmijPKc + 0x1cd
  	19  libblink_core.dylib!__ZN5blink13HeapAllocator24AllocateHashTableBackingIN3WTF17LinkedHashSetNodeINS_10WeakMemberINS_21LifecycleObserverBaseEEES0_EENS2_9HashTableIS7_S7_NS2_17IdentityExtractorENS2_23LinkedHashSetTranslatorIS6_NS2_10MemberHashIS5_EES0_EENS2_19LinkedHashSetTraitsIS6_NS2_10HashTraitsIS6_EES0_EESH_S0_EEEEPT_m + 0x4c
  	20  libblink_core.dylib!__ZN5blink13HeapAllocator30AllocateZeroedHashTableBackingIN3WTF17LinkedHashSetNodeINS_10WeakMemberINS_21LifecycleObserverBaseEEES0_EENS2_9HashTableIS7_S7_NS2_17IdentityExtractorENS2_23LinkedHashSetTranslatorIS6_NS2_10MemberHashIS5_EES0_EENS2_19LinkedHashSetTraitsIS6_NS2_10HashTraitsIS6_EES0_EESH_S0_EEEEPT_m + 0x15
  	21  libblink_core.dylib!__ZN3WTF9HashTableINS_17LinkedHashSetNodeIN5blink10WeakMemberINS2_21LifecycleObserverBaseEEENS2_13HeapAllocatorEEES7_NS_17IdentityExtractorENS_23LinkedHashSetTranslatorIS5_NS_10MemberHashIS4_EES6_EENS_19LinkedHashSetTraitsIS5_NS_10HashTraitsIS5_EES6_EESG_S6_E13AllocateTableEj + 0x50
  	22  libblink_core.dylib!__ZN3WTF9HashTableINS_17LinkedHashSetNodeIN5blink10WeakMemberINS2_21LifecycleObserverBaseEEENS2_13HeapAllocatorEEES7_NS_17IdentityExtractorENS_23LinkedHashSetTranslatorIS5_NS_10MemberHashIS4_EES6_EENS_19LinkedHashSetTraitsIS5_NS_10HashTraitsIS5_EES6_EESG_S6_E6RehashEjPS7_ + 0x7e
  	23  libblink_core.dylib!__ZN3WTF9HashTableINS_17LinkedHashSetNodeIN5blink10WeakMemberINS2_21LifecycleObserverBaseEEENS2_13HeapAllocatorEEES7_NS_17IdentityExtractorENS_23LinkedHashSetTranslatorIS5_NS_10MemberHashIS4_EES6_EENS_19LinkedHashSetTraitsIS5_NS_10HashTraitsIS5_EES6_EESG_S6_E6ExpandEPS7_ + 0x13f
  	24  libblink_core.dylib!__ZN3WTF9HashTableINS_17LinkedHashSetNodeIN5blink10WeakMemberINS2_21LifecycleObserverBaseEEENS2_13HeapAllocatorEEES7_NS_17IdentityExtractorENS_23LinkedHashSetTranslatorIS5_NS_10MemberHashIS4_EES6_EENS_19LinkedHashSetTraitsIS5_NS_10HashTraitsIS5_EES6_EESG_S6_E6insertISC_RPS4_PNS_21LinkedHashSetNodeBaseEEENS_18HashTableAddResultISH_S7_EEOT0_OT1_ + 0x4f4
  	25  libblink_core.dylib!__ZN3WTF13LinkedHashSetIN5blink10WeakMemberINS1_21LifecycleObserverBaseEEENS_10MemberHashIS3_EENS_10HashTraitsIS4_EENS1_13HeapAllocatorEE6insertIRPS3_EENSA_9AddResultEOT_ + 0x59
  	26  libblink_core.dylib!__ZN5blink17LifecycleNotifierINS_16ExecutionContextENS_24ContextLifecycleObserverEE11AddObserverEPNS_21LifecycleObserverBaseE + 0xc9
  	27  libblink_core.dylib!__ZN5blink17LifecycleObserverINS_16ExecutionContextENS_24ContextLifecycleObserverEE10SetContextEPS1_ + 0xcd
  	28  libblink_core.dylib!__ZN5blink17LifecycleObserverINS_16ExecutionContextENS_24ContextLifecycleObserverEEC2EPS1_ + 0x4f
  	29  libblink_core.dylib!__ZN5blink24ContextLifecycleObserverC2EPNS_16ExecutionContextENS0_4TypeE + 0x2a
  	30  libblink_core.dylib!__ZN5blink14PausableObjectC2EPNS_16ExecutionContextE + 0x5a
  	31  libblink_core.dylib!__ZN5blink13PausableTimerC2EPNS_16ExecutionContextENS_8TaskTypeE + 0xaf
  	32  libblink_core.dylib!__ZN5blink8DOMTimerC2EPNS_16ExecutionContextEPNS_15ScheduledActionEN4base9TimeDeltaEbi + 0x6c
  	33  libblink_core.dylib!__ZN5blink8DOMTimerC1EPNS_16ExecutionContextEPNS_15ScheduledActionEN4base9TimeDeltaEbi + 0x46
  	34  libblink_core.dylib!__ZN5blink20MakeGarbageCollectedINS_8DOMTimerEJRPNS_16ExecutionContextERPNS_15ScheduledActionERN4base9TimeDeltaERbRiEEEPT_DpOT0_ + 0xaa
  	35  libblink_core.dylib!__ZN5blink8DOMTimer6CreateEPNS_16ExecutionContextEPNS_15ScheduledActionEN4base9TimeDeltaEbi + 0x46
  	36  libblink_core.dylib!__ZN5blink19DOMTimerCoordinator17InstallNewTimeoutEPNS_16ExecutionContextEPNS_15ScheduledActionEN4base9TimeDeltaEb + 0x16b
  	37  libblink_core.dylib!__ZN5blink8DOMTimer7InstallEPNS_16ExecutionContextEPNS_15ScheduledActionEN4base9TimeDeltaEb + 0x61
  	38  libblink_core.dylib!__ZN5blink15DOMWindowTimers10setTimeoutEPNS_11ScriptStateERNS_11EventTargetERKNS_11ScriptValueEiRKN3WTF6VectorIS5_Lj0ENS8_18PartitionAllocatorEEE + 0xdc
  	39  libblink_core.dylib!__ZN5blink22dom_window_v8_internalL17setTimeout1MethodERKN2v820FunctionCallbackInfoINS1_5ValueEEE + 0xa7f
  	40  libblink_core.dylib!__ZN5blink22dom_window_v8_internalL16setTimeoutMethodERKN2v820FunctionCallbackInfoINS1_5ValueEEE + 0x4da
  	41  libblink_core.dylib!__ZN5blink8V8Window24setTimeoutMethodCallbackERKN2v820FunctionCallbackInfoINS1_5ValueEEE + 0x1a
  	42  libv8.dylib!__ZN2v88internal25FunctionCallbackArguments4CallEPNS0_15CallHandlerInfoE + 0x3a9
  	43  libv8.dylib!__ZN2v88internal12_GLOBAL__N_119HandleApiCallHelperILb0EEENS0_11MaybeHandleINS0_6ObjectEEEPNS0_7IsolateENS0_6HandleINS0_10HeapObjectEEESA_NS8_INS0_20FunctionTemplateInfoEEENS8_IS4_EENS0_16BuiltinArgumentsE + 0x3f2
  	44  libv8.dylib!__ZN2v88internalL26Builtin_Impl_HandleApiCallENS0_16BuiltinArgumentsEPNS0_7IsolateE + 0x238
  	45  libv8.dylib!__ZN2v88internal21Builtin_HandleApiCallEiPmPNS0_7IsolateE + 0x71
  	46  libv8.dylib!_v8_Default_embedded_blob_ + 0x2c4692
  	47  0x14f370ad0d
  	48  0x14f370ad0d
  	49  0x14f370ad0d
  	50  libv8.dylib!_v8_Default_embedded_blob_ + 0xd943
  	51  0x14f3702137
  	52  libv8.dylib!__ZN2v88internal12_GLOBAL__N_16InvokeEPNS0_7IsolateEbNS0_6HandleINS0_6ObjectEEES6_iPS6_S6_NS0_9Execution15MessageHandlingENS8_6TargetE + 0xb12
  	53  libv8.dylib!__ZN2v88internal12_GLOBAL__N_112CallInternalEPNS0_7IsolateENS0_6HandleINS0_6ObjectEEES6_iPS6_NS0_9Execution15MessageHandlingENS8_6TargetE + 0x18d
  	54  libv8.dylib!__ZN2v88internal9Execution4CallEPNS0_7IsolateENS0_6HandleINS0_6ObjectEEES6_iPS6_ + 0x17
  	55  libv8.dylib!__ZN2v88Function4CallENS_5LocalINS_7ContextEEENS1_INS_5ValueEEEiPS5_ + 0x214
  	56  libblink_core.dylib!__ZN5blink14V8ScriptRunner12CallFunctionEN2v85LocalINS1_8FunctionEEEPNS_16ExecutionContextENS2_INS1_5ValueEEEiPS8_PNS1_7IsolateE + 0x5b3
  	57  libblink_core.dylib!__ZN5blink15ScheduledAction7ExecuteEPNS_10LocalFrameE + 0x586
  	58  libblink_core.dylib!__ZN5blink15ScheduledAction7ExecuteEPNS_16ExecutionContextE + 0x363
  	59  libblink_core.dylib!__ZN5blink8DOMTimer5FiredEv + 0x569
  	60  libblink_platform.dylib!__ZN5blink9TimerBase11RunInternalEv + 0x3a8
  	61  libblink_platform.dylib!__ZN4base8internal13FunctorTraitsIMN5blink9TimerBaseEFvvEvE6InvokeIS5_NS_7WeakPtrIS3_EEJEEEvT_OT0_DpOT1_ + 0x7f
  	62  libblink_platform.dylib!__ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIMN5blink9TimerBaseEFvvENS_7WeakPtrIS5_EEJEEEvOT_OT0_DpOT1_ + 0x6a
  	63  libblink_platform.dylib!__ZN4base8internal7InvokerINS0_9BindStateIMN5blink9TimerBaseEFvvEJNS_7WeakPtrIS4_EEEEEFvvEE7RunImplIS6_NSt3__15tupleIJS8_EEEJLm0EEEEvOT_OT0_NSD_16integer_sequenceImJXspT1_EEEE + 0x42
  	64  libblink_platform.dylib!__ZN4base8internal7InvokerINS0_9BindStateIMN5blink9TimerBaseEFvvEJNS_7WeakPtrIS4_EEEEEFvvEE7RunOnceEPNS0_13BindStateBaseE + 0x3e
  	65  libblink_platform.dylib!__ZNO4base12OnceCallbackIFvvEE3RunEv + 0x5c
  	66  libblink_platform.dylib!__ZN3WTF29ThreadCheckingCallbackWrapperIN4base12OnceCallbackIFvvEEES3_E11RunInternalEPS4_ + 0x1d
  	67  libblink_platform.dylib!__ZN3WTF29ThreadCheckingCallbackWrapperIN4base12OnceCallbackIFvvEEES3_E3RunEv + 0x102
  	68  libblink_platform.dylib!__ZN4base8internal13FunctorTraitsIMN3WTF29ThreadCheckingCallbackWrapperINS_12OnceCallbackIFvvEEES5_EEFvvEvE6InvokeIS9_NSt3__110unique_ptrIS7_NSC_14default_deleteIS7_EEEEJEEEvT_OT0_DpOT1_ + 0x7f
  	69  libblink_platform.dylib!__ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIMN3WTF29ThreadCheckingCallbackWrapperINS_12OnceCallbackIFvvEEES7_EEFvvEJNSt3__110unique_ptrIS9_NSC_14default_deleteIS9_EEEEEEEvOT_DpOT0_ + 0x51
  	70  libblink_platform.dylib!__ZN4base8internal7InvokerINS0_9BindStateIMN3WTF29ThreadCheckingCallbackWrapperINS_12OnceCallbackIFvvEEES6_EEFvvEJNSt3__110unique_ptrIS8_NSB_14default_deleteIS8_EEEEEEES6_E7RunImplISA_NSB_5tupleIJSF_EEEJLm0EEEEvOT_OT0_NSB_16integer_sequenceImJXspT1_EEEE + 0x42
  	71  libblink_platform.dylib!__ZN4base8internal7InvokerINS0_9BindStateIMN3WTF29ThreadCheckingCallbackWrapperINS_12OnceCallbackIFvvEEES6_EEFvvEJNSt3__110unique_ptrIS8_NSB_14default_deleteIS8_EEEEEEES6_E7RunOnceEPNS0_13BindStateBaseE + 0x3e
  	72  libbase.dylib!__ZNO4base12OnceCallbackIFvvEE3RunEv + 0x5c
  	73  libbase.dylib!__ZN4base5debug13TaskAnnotator7RunTaskEPKcPNS_11PendingTaskE + 0x319
  	74  libbase.dylib!__ZN4base16sequence_manager8internal20ThreadControllerImpl6DoWorkENS2_8WorkTypeE + 0x641
  	75  libbase.dylib!__ZN4base8internal13FunctorTraitsIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS4_8WorkTypeEEvE6InvokeIS7_RKNS_7WeakPtrIS4_EEJRKS5_EEEvT_OT0_DpOT1_ + 0x96
  	76  libbase.dylib!__ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMNS_16sequence_manager8internal20ThreadControllerImplEFvNS6_8WorkTypeEERKNS_7WeakPtrIS6_EEJRKS7_EEEvOT_OT0_DpOT1_ + 0x7f
  	77  libbase.dylib!__ZN4base8internal7InvokerINS0_9BindStateIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS5_8WorkTypeEEJNS_7WeakPtrIS5_EES6_EEEFvvEE7RunImplIRKS8_RKNSt3__15tupleIJSA_S6_EEEJLm0ELm1EEEEvOT_OT0_NSH_16integer_sequenceImJXspT1_EEEE + 0x63
  	78  libbase.dylib!__ZN4base8internal7InvokerINS0_9BindStateIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS5_8WorkTypeEEJNS_7WeakPtrIS5_EES6_EEEFvvEE3RunEPNS0_13BindStateBaseE + 0x2c

At this point, there is divergence:
  	79  libbase.dylib!__ZNO4base12OnceCallbackIFvvEE3RunEv + 0x5c
  	80  libbase.dylib!__ZN4base5debug13TaskAnnotator7RunTaskEPKcPNS_11PendingTaskE + 0x319
  	81  libbase.dylib!__ZN4base15MessageLoopImpl7RunTaskEPNS_11PendingTaskE + 0x358
  	82  libbase.dylib!__ZN4base15MessageLoopImpl21DeferOrRunPendingTaskENS_11PendingTaskE + 0x59
  	83  libbase.dylib!__ZN4base15MessageLoopImpl6DoWorkEv + 0x1c7
  	84  libbase.dylib!__ZN4base24MessagePumpCFRunLoopBase7RunWorkEv + 0x62
  	85  libbase.dylib!____ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv_block_invoke + 0x1c
  	86  libbase.dylib!__ZN4base3mac15CallWithEHFrameEU13block_pointerFvvE + 0xa
  	87  libbase.dylib!__ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv + 0x65
  	88  CoreFoundation + 0xa3a11
  	89  CoreFoundation + 0x15d42c
  	90  CoreFoundation + 0x86470
  	91  CoreFoundation + 0x858ed
  	92  CoreFoundation + 0x85153
  	93  Foundation + 0x20f26
  	94  libbase.dylib!__ZN4base20MessagePumpNSRunLoop5DoRunEPNS_11MessagePump8DelegateE + 0xb9
  	95  libbase.dylib!__ZN4base24MessagePumpCFRunLoopBase3RunEPNS_11MessagePump8DelegateE + 0x65
  	96  libbase.dylib!__ZN4base15MessageLoopImpl3RunEb + 0x1f8
  	97  libbase.dylib!__ZN4base7RunLoop3RunEv + 0x20d
  	98  libcontent.dylib!__ZN7content12RendererMainERKNS_18MainFunctionParamsE + 0x6fb
  	99  libcontent.dylib!__ZN7content28RunOtherNamedProcessTypeMainERKNSt3__112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEERKNS_18MainFunctionParamsEPNS_19ContentMainDelegateE + 0xb1
  	100  libcontent.dylib!__ZN7content21ContentMainRunnerImpl3RunEb + 0x508
  	101  libcontent.dylib!__ZN7content33ContentServiceManagerMainDelegate18RunEmbedderProcessEv + 0x39
  	102  libembedder.dylib!__ZN15service_manager4MainERKNS_10MainParamsE + 0x647
  	103  libcontent.dylib!__ZN7content11ContentMainERKNS_17ContentMainParamsE + 0x59
  	104  libchrome_dll.dylib!_ChromeMain + 0x10e
  	105  Chromium Helper!_main + 0x350
  	106  libdyld.dylib + 0x1015
  	107  libdyld.dylib + 0x1015

vs

  	79  libbase.dylib!__ZNKR4base17RepeatingCallbackIFvvEE3RunEv + 0x3d
  	80  libbase.dylib!__ZN4base8internal22CancelableCallbackImplINS_17RepeatingCallbackIFvvEEEE16ForwardRepeatingIJEEEvDpT_ + 0x15
  	81  libbase.dylib!__ZN4base8internal13FunctorTraitsIMNS0_22CancelableCallbackImplINS_17RepeatingCallbackIFvvEEEEEFvvEvE6InvokeIS8_RKNS_7WeakPtrIS6_EEJEEEvT_OT0_DpOT1_ + 0x7f
  	82  libbase.dylib!__ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMNS0_22CancelableCallbackImplINS_17RepeatingCallbackIFvvEEEEEFvvERKNS_7WeakPtrIS8_EEJEEEvOT_OT0_DpOT1_ + 0x6a
  	83  libbase.dylib!__ZN4base8internal7InvokerINS0_9BindStateIMNS0_22CancelableCallbackImplINS_17RepeatingCallbackIFvvEEEEEFvvEJNS_7WeakPtrIS7_EEEEES5_E7RunImplIRKS9_RKNSt3__15tupleIJSB_EEEJLm0EEEEvOT_OT0_NSH_16integer_sequenceImJXspT1_EEEE + 0x42
  	84  libbase.dylib!__ZN4base8internal7InvokerINS0_9BindStateIMNS0_22CancelableCallbackImplINS_17RepeatingCallbackIFvvEEEEEFvvEJNS_7WeakPtrIS7_EEEEES5_E3RunEPNS0_13BindStateBaseE + 0x2c
  	85  libbase.dylib!__ZNO4base12OnceCallbackIFvvEE3RunEv + 0x5c
  	86  libbase.dylib!__ZN4base5debug13TaskAnnotator7RunTaskEPKcPNS_11PendingTaskE + 0x319
  	87  libbase.dylib!__ZN4base15MessageLoopImpl7RunTaskEPNS_11PendingTaskE + 0x358
  	88  libbase.dylib!__ZN4base15MessageLoopImpl21DeferOrRunPendingTaskENS_11PendingTaskE + 0x59
  	89  libbase.dylib!__ZN4base15MessageLoopImpl13DoDelayedWorkEPNS_9TimeTicksE + 0x295
  	90  libbase.dylib!__ZN4base24MessagePumpCFRunLoopBase7RunWorkEv + 0xa0
  	91  libbase.dylib!____ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv_block_invoke + 0x1c
  	92  libbase.dylib!__ZN4base3mac15CallWithEHFrameEU13block_pointerFvvE + 0xa
  	93  libbase.dylib!__ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv + 0x65
  	94  Core
  	95  Core
  	96  Core
  	97  Core
  	98  Core
  	99  
  	100  libbase.dylib!__ZN4base20MessagePumpNSRunLoop5DoRunEPNS_11MessagePump8DelegateE + 0xb9
  	101  libbase.dylib!__ZN4base24MessagePumpCFRunLoopBase3RunEPNS_11MessagePump8DelegateE + 0x65
  	102  libbase.dylib!__ZN4base15MessageLoopImpl3RunEb + 0x1f8
  	103  libbase.dylib!__ZN4base7RunLoop3RunEv + 0x20d
  	104  libcontent.dylib!__ZN7content12RendererMainERKNS_18MainFunctionParamsE + 0x6fb
  	105  libcontent.dylib!__ZN7content28RunOtherNamedProcessTypeMainERKNSt3__112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEERKNS_18MainFunctionParamsEPNS_19ContentMainDelegateE + 0xb1
  	106  libcontent.dylib!__ZN7content21ContentMainRunnerImpl3RunEb + 0x508
  	107  libcontent.dylib!__ZN7content33ContentServiceManagerMainDelegate18RunEmbedderProcessEv + 0x39
  	108  libembedder.dylib!__ZN15service_manager4MainERKNS_10MainParamsE + 0x647
  	109  libcontent.dylib!__ZN7content11ContentMainERKNS_17ContentMainParamsE + 0x59
  	110  libchrome_dll.dylib!_ChromeMain + 0x10e
  	111  Chromium Helper!_main + 0x350
  	112  libdyld.dylib + 0x1015
  	113  libdyld.dylib + 0x1015

Cc: keishi@chromium.org haraken@chromium.org
Owner: mlippautz@chromium.org
This looks like a real bug of Oilpan.

- A GC is triggered during ContextLifecycleObserver's constructor.

- The GC triggers weak processing.

- ObjectAliveTrait::IsHeapObjectAlive (https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/heap/heap.h?type=cs&q=ObjectAliveTrait&sq=package:chromium&g=0&l=145) crashes because object->GetHeapObjectHeader() returns nullptr for a not-fully constructed object (i.e., the ContextLifecycleObserver being constructed).

Aren't we suppressing GCs while a mixin object is being constructed...? Why is that GC happening...?

Michael: Would you mind taking a look? :)

Cc: mlippautz@chromium.org
Components: -Internals>GPU Internals>GPU>Testing
Labels: -Type-Bug -Pri-3 Pri-1 Type-Bug-Regression
Intermittent crashes on the waterfall, like these, are P1. These tests must be reliable.

+mlippautz and JavaScript>GC in case this is in any way related to unified GC.

Any help re-stabilizing these tests is appreciated. If this crash is caused by work ongoing in another bug, please block that bug on this one. Thanks.

Status: Assigned (was: Available)
Cc: -mlippautz@chromium.org
I will take a look but I am unfortunately traveling this week. 

There's no culprit CL here to revert; unified heap has not been enabled.
Cc: u...@chromium.org
Issue 904759 has been merged into this issue.
The analysis in #1 is correct.

I think this can happen because MakeGarbageCollected<T> now uses placement new, so we sidestep the constructor and thus the mechanism to avoid doing GC.

At the top of my heap, a fix for MakeGarbageCollected could be a specialization on T::IsGarbageCollectedMixinMarker. If this marker exists, then we can simply call new T(...), otherwise we go through new(allocate()) T(...).

Will write a test today and see if the theory holds.
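The failure mode analysed in #1 and the placement-new theory above, as an added toy model (not Chromium code and not the CL that fixed this): a GC-forbidden depth counter stands in for ThreadState, a vector of observers for the weak HeapLinkedHashSet, and an object's header pointer stays null until its most-derived constructor has run. MakeGarbageCollectedBuggy uses bare placement new, while MakeGarbageCollectedFixed goes through a construct trait specialised on an assumed IsGarbageCollectedMixinMarker typedef; every name here is an assumption modelled on the frames in the trace.

```cpp
// Toy model (not Blink code) of the Oilpan invariant behind this bug: no GC may
// run while a mixin subobject is under construction and its header is not valid.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <new>
#include <utility>
#include <vector>

namespace toy {
struct HeapObjectHeader { bool marked = false; };
// Stand-in for a WeakMember<LifecycleObserverBase> entry: the header pointer
// stays null until the most-derived constructor has finished.
struct Observer { HeapObjectHeader* header = nullptr; };
struct ThreadState {
  int gc_forbidden_depth = 0;
  int gcs_run = 0;
  int null_headers_seen = 0;         // IsHeapObjectAlive on a half-built object
  std::vector<Observer*> observers;  // the weak HeapLinkedHashSet
};
inline ThreadState& State() { static ThreadState s; return s; }

// Weak processing in the marking epilogue: check every registered observer.
inline void CollectGarbage() {
  ThreadState& s = State();
  s.gcs_run++;
  for (Observer* o : s.observers) {
    if (!o->header) { s.null_headers_seen++; continue; }  // Blink crashes here
    o->header->marked = false;
  }
}
// OutOfLineAllocate -> ScheduleGCIfNeeded: may collect unless GC is forbidden.
inline void* Allocate(std::size_t size) {
  if (State().gc_forbidden_depth == 0) CollectGarbage();
  return std::malloc(size);
}
struct GCForbiddenScope {
  GCForbiddenScope() { State().gc_forbidden_depth++; }
  ~GCForbiddenScope() { State().gc_forbidden_depth--; }
};

// Mixin types carry a marker typedef (assumed name, after the
// IsGarbageCollectedMixinMarker mentioned in the comment above).
struct GarbageCollectedMixin { using IsGarbageCollectedMixinMarker = void; };
// Like ContextLifecycleObserver: registers itself, then allocates (the observer
// set grows) while its own header does not exist yet.
struct ContextLifecycleObserver : GarbageCollectedMixin, Observer {
  ContextLifecycleObserver() {
    State().observers.push_back(this);
    std::free(Allocate(64));  // AddObserver -> HashTable::Expand -> allocation
  }
};
// Like DOMTimer: the header becomes valid only once this constructor finishes.
struct DOMTimer : ContextLifecycleObserver {
  HeapObjectHeader header_storage;
  DOMTimer() { header = &header_storage; }
};

// Buggy bottleneck: placement new straight onto raw memory, so the mixin's
// GC-forbidden hook never runs and the allocation above can trigger a GC.
template <typename T, typename... Args>
T* MakeGarbageCollectedBuggy(Args&&... args) {
  void* mem = Allocate(sizeof(T));
  return new (mem) T(std::forward<Args>(args)...);
}

// Fixed bottleneck: a construct trait specialised on the mixin marker wraps
// construction of mixin types in a GCForbiddenScope (plain types are unchanged).
template <typename...> struct MakeVoid { using type = void; };
template <typename... Ts> using VoidT = typename MakeVoid<Ts...>::type;
template <typename T, typename = void>
struct ConstructTrait {
  template <typename... Args>
  static T* Construct(void* mem, Args&&... args) {
    return new (mem) T(std::forward<Args>(args)...);
  }
};
template <typename T>
struct ConstructTrait<T, VoidT<typename T::IsGarbageCollectedMixinMarker>> {
  template <typename... Args>
  static T* Construct(void* mem, Args&&... args) {
    GCForbiddenScope no_gc;  // held until the most-derived constructor returns
    return new (mem) T(std::forward<Args>(args)...);
  }
};
template <typename T, typename... Args>
T* MakeGarbageCollectedFixed(Args&&... args) {
  void* mem = Allocate(sizeof(T));
  return ConstructTrait<T>::Construct(mem, std::forward<Args>(args)...);
}
inline void Reset() { State() = ThreadState(); }
inline int NullHeadersSeen() { return State().null_headers_seen; }
inline int GCsRun() { return State().gcs_run; }
}  // namespace toy

int main() {
  toy::Reset(); std::free(toy::MakeGarbageCollectedBuggy<toy::DOMTimer>());
  std::printf("buggy: GCs=%d null headers=%d\n", toy::GCsRun(), toy::NullHeadersSeen());
  toy::Reset(); std::free(toy::MakeGarbageCollectedFixed<toy::DOMTimer>());
  std::printf("fixed: GCs=%d null headers=%d\n", toy::GCsRun(), toy::NullHeadersSeen());
}
```

Both objects are trivially destructible, so freeing the raw allocation without running a destructor is fine in this model.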
Or can we simply implement the forbidden-gc-scope mechanism in MakeGarbageCollected?


That was the ultimate goal, see the email thread when this was proposed.

That requires some larger refactorings though as it would not only affect mixins but regular constructors. I think that would require us to shuffle things around.

For this bug I'd propose fixing the mixin constructors using specialization now and then have a look at the general mechanism once the tests are stabilized.
Sounds good to me :)

Status: Started (was: Assigned)
Cc: kbr@chromium.org
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Windows
Summary: Crash in Oilpan garbage collection during mixin construction (was: WebGL conformance test failure , MacOS AMD retina, crash during blink GC action)
Fix in flight https://chromium-review.googlesource.com/c/chromium/src/+/1333761

I will be on my way to JFK soon but the reviewers can CQ and then this should be fixed.
Thank you Michael for picking up this bug in the middle of your travel!

FYI, this is affecting real content. Trying to help a colleague debug their WebGL-based program, saw the following crash while interacting with their web UI:

Received signal 11 SEGV_MAPERR 000000000000
0   libbase.dylib                       0x000000010cbdeb1f base::debug::StackTrace::StackTrace(unsigned long) + 31
1   libbase.dylib                       0x000000010cbde971 base::debug::(anonymous namespace)::StackDumpSignalHandler(int, __siginfo*, void*) + 2385
2   libsystem_platform.dylib            0x00007fff737c8f5a _sigtramp + 26
3   ???                                 0x0000003a90b01e01 0x0 + 251535564289
4   libblink_core.dylib                 0x0000000117bd1b86 WTF::WeakProcessingHashTableHelper<(WTF::WeakHandlingFlag)1, WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::IdentityExtractor, WTF::LinkedHashSetTranslator<blink::WeakMember<blink::LifecycleObserverBase>, WTF::MemberHash<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, blink::HeapAllocator>::Process(blink::Visitor*, void*) + 70
5   libblink_platform.dylib             0x000000011b220faa blink::ThreadHeap::WeakProcessing(blink::Visitor*) + 202
6   libblink_platform.dylib             0x000000011b241a3f blink::ThreadState::MarkPhaseEpilogue(blink::BlinkGC::MarkingType) + 63
7   libblink_platform.dylib             0x000000011b2416c7 blink::ThreadState::RunAtomicPause(blink::BlinkGC::StackState, blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType, blink::BlinkGC::GCReason) + 455
8   libblink_platform.dylib             0x000000011b238e73 blink::ThreadState::CollectGarbage(blink::BlinkGC::StackState, blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType, blink::BlinkGC::GCReason) + 291
9   libblink_platform.dylib             0x000000011b23bbef blink::ThreadState::ScheduleGCIfNeeded() + 1007
10  libblink_platform.dylib             0x000000011b231660 blink::NormalPageArena::OutOfLineAllocate(unsigned long, unsigned long) + 432
11  libblink_core.dylib                 0x00000001176d0bb5 blink::ThreadHeap::AllocateOnArenaIndex(blink::ThreadState*, unsigned long, int, unsigned int, char const*) + 325
12  libblink_core.dylib                 0x00000001177ba083 WTF::HashTable<WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::IdentityExtractor, WTF::LinkedHashSetTranslator<blink::WeakMember<blink::LifecycleObserverBase>, WTF::MemberHash<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, blink::HeapAllocator>::Rehash(unsigned int, WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>*) + 147
13  libblink_core.dylib                 0x00000001177bb8fe WTF::HashTable<WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::IdentityExtractor, WTF::LinkedHashSetTranslator<blink::WeakMember<blink::LifecycleObserverBase>, WTF::MemberHash<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, blink::HeapAllocator>::Expand(WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>*) + 142
14  libblink_core.dylib                 0x00000001177bb7e9 WTF::HashTableAddResult<WTF::HashTable<WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::IdentityExtractor, WTF::LinkedHashSetTranslator<blink::WeakMember<blink::LifecycleObserverBase>, WTF::MemberHash<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, blink::HeapAllocator>, WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator> > WTF::HashTable<WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetNode<blink::WeakMember<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::IdentityExtractor, WTF::LinkedHashSetTranslator<blink::WeakMember<blink::LifecycleObserverBase>, WTF::MemberHash<blink::LifecycleObserverBase>, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, WTF::LinkedHashSetTraits<blink::WeakMember<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>, blink::HeapAllocator>::insert<WTF::LinkedHashSetTranslator<blink::WeakMember<blink::LifecycleObserverBase>, WTF::MemberHash<blink::LifecycleObserverBase>, blink::HeapAllocator>, blink::LifecycleObserverBase*&, WTF::LinkedHashSetNodeBase*>(blink::LifecycleObserverBase*&&&, WTF::LinkedHashSetNodeBase*&&) + 937
15  libblink_core.dylib                 0x00000001177bb3bb WTF::LinkedHashSet<blink::WeakMember<blink::LifecycleObserverBase>, WTF::MemberHash<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>::AddResult WTF::LinkedHashSet<blink::WeakMember<blink::LifecycleObserverBase>, WTF::MemberHash<blink::LifecycleObserverBase>, WTF::HashTraits<blink::WeakMember<blink::LifecycleObserverBase> >, blink::HeapAllocator>::insert<blink::LifecycleObserverBase*&>(blink::LifecycleObserverBase*&&&) + 43
16  libblink_core.dylib                 0x00000001177b9edc blink::LifecycleObserver<blink::ExecutionContext, blink::ContextLifecycleObserver>::SetContext(blink::ExecutionContext*) + 236
17  libblink_core.dylib                 0x00000001177b988a blink::ContextLifecycleObserver::ContextLifecycleObserver(blink::ExecutionContext*, blink::ContextLifecycleObserver::Type) + 154
18  libblink_core.dylib                 0x0000000117c7bdde blink::PausableObject::PausableObject(blink::ExecutionContext*) + 30
19  libblink_core.dylib                 0x0000000117f92c8c blink::PausableTimer::PausableTimer(blink::ExecutionContext*, blink::TaskType) + 92
20  libblink_core.dylib                 0x0000000117f12a50 blink::DOMTimer::DOMTimer(blink::ExecutionContext*, blink::ScheduledAction*, base::TimeDelta, bool, int) + 64
21  libblink_core.dylib                 0x0000000117f13c3e blink::DOMTimerCoordinator::InstallNewTimeout(blink::ExecutionContext*, blink::ScheduledAction*, base::TimeDelta, bool) + 286
22  libblink_core.dylib                 0x0000000118c30170 blink::worker_global_scope_v8_internal::setTimeout1Method(v8::FunctionCallbackInfo<v8::Value> const&) + 720
23  libv8.dylib                         0x000000010a95e319 v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) + 937
24  libv8.dylib                         0x000000010a95ca22 v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) + 978
25  libv8.dylib                         0x000000010a95b10a v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) + 554
26  libv8.dylib                         0x000000010a95acaa v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) + 122
27  libv8.dylib                         0x000000010b7cb892 v8_Default_embedded_blob_ + 2903506

Project Member

Comment 14 by bugdroid1@chromium.org, Nov 14

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ac99379aadb42b81baec1c5c3c1b44b9851a0ac7

commit ac99379aadb42b81baec1c5c3c1b44b9851a0ac7
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Wed Nov 14 02:20:49 2018

[heap] Fix GC forbidden scopes for mixin construction

Mixin construction relies on the fact that no garbage collection can be
triggered.

When moving to the new MakeGarbageCollected bottleneck the hook for
mixin construction was dropped. This restores previous behavior.

In a followup GarbageCollectedMixin::operator new() should be inlined in
the construct trait, creating the invariant that all operator new()
methods are deleted for Oilpan.

Bug: 904546, 757708
Change-Id: I47e672f1cb3035d8a4bea72d90bfceb2a31c5d89
Reviewed-on: https://chromium-review.googlesource.com/c/1333761
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#607872}
[modify] https://crrev.com/ac99379aadb42b81baec1c5c3c1b44b9851a0ac7/third_party/blink/renderer/platform/heap/heap.h
[modify] https://crrev.com/ac99379aadb42b81baec1c5c3c1b44b9851a0ac7/third_party/blink/renderer/platform/heap/heap_test.cc

Issue 904657 has been merged into this issue.
Project Member

Comment 16 by ClusterFuzz, Nov 14

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5489347991961600 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Thanks Michi, just confirming that Speedometer2 completes successfully again, seems fixed.
Issue 905223 has been merged into this issue.
Project Member

Comment 19 by bugdroid1@chromium.org, Nov 14

Labels: merge-merged-3610
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b6148f8156c8da30f503999e71334c4e82e3848b

commit b6148f8156c8da30f503999e71334c4e82e3848b
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Wed Nov 14 23:51:24 2018

[heap] Fix GC forbidden scopes for mixin construction

Mixin construction relies on the fact that no garbage collection can be
triggered.

When moving to the new MakeGarbageCollected bottleneck the hook for
mixin construction was dropped. This restores previous behavior.

In a followup GarbageCollectedMixin::operator new() should be inlined in
the construct trait, creating the invariant that all operator new()
methods are deleted for Oilpan.

Bug: 904546, 757708
Change-Id: I47e672f1cb3035d8a4bea72d90bfceb2a31c5d89
Reviewed-on: https://chromium-review.googlesource.com/c/1333761
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#607872}
(cherry picked from commit ac99379aadb42b81baec1c5c3c1b44b9851a0ac7)
Reviewed-on: https://chromium-review.googlesource.com/c/1336491
Reviewed-by: Abdul Syed <abdulsyed@google.com>
Cr-Commit-Position: refs/branch-heads/3610@{#6}
Cr-Branched-From: 070b13aa73c17a7fbe958d30352de51880f9582e-refs/heads/master@{#607838}
[modify] https://crrev.com/b6148f8156c8da30f503999e71334c4e82e3848b/third_party/blink/renderer/platform/heap/heap.h
[modify] https://crrev.com/b6148f8156c8da30f503999e71334c4e82e3848b/third_party/blink/renderer/platform/heap/heap_test.cc

Blocking: 903081
Just to update, no crashes on the latest canary, i.e. Dev RC 72.0.3610.2, from 4 hrs of crash data on Win, Mac for the duped Issue 905223 (C#18).
Issue 906797 has been merged into this issue.
Issue 906783 has been merged into this issue.
