Issue 915934

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug

Blocking:
issue 917445

Port GPU Process to V2 Sandbox

Project Member Reported by kerrnel@chromium.org, Dec 17

Issue description

This tracks the CLs to use the explicit sandbox rules for the GPU on macOS.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Dec 18

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/32483d1c6ba286a52824794c9faf50be5c315484

commit 32483d1c6ba286a52824794c9faf50be5c315484
Author: Greg Kerr <kerrnel@chromium.org>
Date: Tue Dec 18 02:29:14 2018

macOS V2 Sandbox: Add feature for GPU sandbox.

This adds a new feature flag to test the V2 GPU sandbox, the last
process type which must be converted.

Bug: 915934
Change-Id: I5808930e29920adc3cc275748a6e027c6e66dc00
Reviewed-on: https://chromium-review.googlesource.com/c/1379218
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Steven Holte <holte@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#617352}
[modify] https://crrev.com/32483d1c6ba286a52824794c9faf50be5c315484/chrome/browser/about_flags.cc
[modify] https://crrev.com/32483d1c6ba286a52824794c9faf50be5c315484/chrome/browser/flag-metadata.json
[modify] https://crrev.com/32483d1c6ba286a52824794c9faf50be5c315484/chrome/browser/flag_descriptions.cc
[modify] https://crrev.com/32483d1c6ba286a52824794c9faf50be5c315484/chrome/browser/flag_descriptions.h
[modify] https://crrev.com/32483d1c6ba286a52824794c9faf50be5c315484/content/browser/child_process_launcher_helper_mac.cc
[modify] https://crrev.com/32483d1c6ba286a52824794c9faf50be5c315484/content/public/common/content_features.cc
[modify] https://crrev.com/32483d1c6ba286a52824794c9faf50be5c315484/content/public/common/content_features.h
[modify] https://crrev.com/32483d1c6ba286a52824794c9faf50be5c315484/testing/variations/fieldtrial_testing_config.json
[modify] https://crrev.com/32483d1c6ba286a52824794c9faf50be5c315484/tools/metrics/histograms/enums.xml

Looking at a few crashes from our canary data... the data are a bit noisy due to issue 919425 / issue 918365. But I think there are some actionable pieces:

====================

[GPU hang] media::VTVideoEncodeAccelerator::CreateCompressionSession
- Doesn't bucket entirely cleanly
- crash/fa43520830dbc13a:

0x00007fff888e8c02	(libsystem_kernel.dylib + 0x00016c02 )	__open
0x00007fff8a62c364	(CoreFoundation + 0x001c8364 )	-[CFPDSource(DirectMode) clearCacheIfStale:]
0x00007fff8a62caeb	(CoreFoundation + 0x001c8aeb )	__51-[CFPrefsDirectSource alreadylocked_requestNewData]_block_invoke
0x00007fff8a6247eb	(CoreFoundation + 0x001c07eb )	__25-[CFPDSource lockedSync:]_block_invoke
0x00007fff8d4de40a	(libdispatch.dylib + 0x0000240a )	_dispatch_client_callout
0x00007fff8d4df9f1	(libdispatch.dylib + 0x000039f1 )	_dispatch_barrier_sync_f_invoke
0x00007fff8a6247a8	(CoreFoundation + 0x001c07a8 )	-[CFPDSource lockedSync:]
0x00007fff8a62ca45	(CoreFoundation + 0x001c8a45 )	-[CFPrefsDirectSource alreadylocked_requestNewData]
0x00007fff8a6356b2	(CoreFoundation + 0x001d16b2 )	-[CFPrefsPlistSource generationCount]
0x00007fff8a62c510	(CoreFoundation + 0x001c8510 )	-[CFPrefsDirectSource createRequestNewContentMessageForDaemon:]
0x00007fff8a4a2c17	(CoreFoundation + 0x0003ec17 )	-[CFPrefsSearchListSource createRequestNewContentMessageForDaemon:]
0x00007fff8a4a2ad6	(CoreFoundation + 0x0003ead6 )	__66-[CFPrefsSearchListSource generationCountFromListOfSources:count:]_block_invoke
0x00007fff8a4a28e2	(CoreFoundation + 0x0003e8e2 )	-[CFPrefsSearchListSource generationCountFromListOfSources:count:]
0x00007fff8a4a21c3	(CoreFoundation + 0x0003e1c3 )	-[CFPrefsSearchListSource alreadylocked_copyDictionary]
0x00007fff8a4a1e0b	(CoreFoundation + 0x0003de0b )	-[CFPrefsSearchListSource alreadylocked_copyValueForKey:]
0x00007fff8a4a1d9b	(CoreFoundation + 0x0003dd9b )	___CFPreferencesCopyAppValueWithContainer_block_invoke
0x00007fff8a499abf	(CoreFoundation + 0x00035abf )	+[CFPrefsSearchListSource withSearchListForIdentifier:container:perform:]
0x00007fff8a499816	(CoreFoundation + 0x00035816 )	_CFPreferencesCopyAppValueWithContainer
0x00007fff8a9a25cc	(AppleGVA + 0x0009d5cc )	AVFQTXENC_IsHWScalerAvailable
0x00007fff8a98e916	(AppleGVA + 0x00089916 )	AVFQTXENC_IsHWScalerAvailable
0x00007fff8a99c857	(AppleGVA + 0x00097857 )	AVFQTXENC_IsHWScalerAvailable
0x00007fff8a9a885e	(AppleGVA + 0x000a385e )	AVFQTXENC_IsHWScalerAvailable
0x00007fff8441f9b0	(VideoToolbox + 0x000b09b0 )	VTRemoteDecompressionServer_ServiceEventHandler
0x00007fff84371095	(VideoToolbox + 0x00002095 )	VTCompressionSessionCreate
0x0000000114045792	(Google Chrome Framework -vt_video_encode_accelerator_mac.cc:505 )	media::VTVideoEncodeAccelerator::CreateCompressionSession(gfx::Size const&)
0x000000011404553c	(Google Chrome Framework -vt_video_encode_accelerator_mac.cc:116 )	media::VTVideoEncodeAccelerator::GetSupportedProfiles()
0x000000011403f1ee	(Google Chrome Framework -gpu_video_encode_accelerator_factory.cc:143 )	media::GpuVideoEncodeAcceleratorFactory::GetSupportedProfiles(gpu::GpuPreferences const&)
0x000000011095e87b	(Google Chrome Framework -gpu_service_impl.cc:209 )	viz::GpuServiceImpl::UpdateGPUInfo()
0x000000011116d81b	(Google Chrome Framework -viz_main_impl.cc:148 )	viz::VizMainImpl::CreateGpuService(mojo::InterfaceRequest<viz::mojom::GpuService>, mojo::InterfacePtr<viz::mojom::GpuHost>, mojo::InterfacePtr<discardable_memory::mojom::DiscardableSharedMemoryManager>, mojo::ScopedHandleBase<mojo::SharedBufferHandle>, gfx::FontRenderParams::SubpixelRendering)
0x000000011098e752	(Google Chrome Framework -viz_main.mojom.cc:297 )	viz::mojom::VizMainStubDispatch::Accept(viz::mojom::VizMain*, mojo::Message*)
0x0000000112e311a4	(Google Chrome Framework -ipc_mojo_bootstrap.cc:877 )	IPC::(anonymous namespace)::ChannelAssociatedGroupController::AcceptOnProxyThread(mojo::Message)

Looks like this is hanging trying to open ~/Library/Preferences/ByHost/com.apple.AppleGVA.3DA8BE9C-71F8-579A-90EE-C4C3F1FA5436.plist. Probably need to whitelist that using a regex for the UUID.

====================

[GPU hang] gl::init::InitializeGLOneOffPlatform

- Maybe missing an XPC endpoint allow for 10.13, based on:
  - crash/f3f4a75634dd0ca5
  - crash/8006505cdef44021

0x00007fff7202f20a	(libsystem_kernel.dylib + 0x0001320a )	mach_msg_trap
0x00007fff71ec9ac1	(libdispatch.dylib + 0x0001cac1 )	_dispatch_mach_send_and_wait_for_reply
0x00007fff71ec9fac	(libdispatch.dylib + 0x0001cfac )	dispatch_mach_send_with_result_and_wait_for_reply
0x00007fff7223cd97	(libxpc.dylib + 0x0000ad97 )	xpc_connection_send_message_with_reply_sync
0x00007fff53942afb	(libCoreVMClient.dylib + 0x00000afb )	cvms_connection_create
0x00007fff5393a5ec	(libCVMSPluginSupport.dylib + 0x000015ec )	cvmPreInit
0x00007fff5394940f	(libGFXShared.dylib + 0x0000240f )	gfxInitializeLibrary
0x00007fff544cdb1a	(GLEngine + 0x00000b1a )	gliInitializeLibrary
0x00007fff544bf97d	(OpenGL + 0x0000297d )	glcPluginCount
0x00007fff544bf850	(OpenGL + 0x00002850 )	glcPluginCount
0x00007fff544bf610	(OpenGL + 0x00002610 )	glcPluginCount
0x00007fff544c6d2b	(OpenGL + 0x00009d2b )	CGLChoosePixelFormat
0x00007fff544c6064	(OpenGL + 0x00009064 )	CGLChoosePixelFormat
0x0000000116abd494	(Google Chrome Framework -gl_initializer_mac.cc:63 )	gl::init::InitializeGLOneOffPlatform()
0x0000000116abc9e3	(Google Chrome Framework -gl_factory.cc:97 )	gl::init::InitializeGLOneOffImplementation(gl::GLImplementation, bool, bool, bool, bool)
0x0000000116abc8af	(Google Chrome Framework -gl_factory.cc:74 )	gl::init::(anonymous namespace)::InitializeGLOneOffHelper(bool)
0x0000000116db5a8d	(Google Chrome Framework -gpu_init.cc:252 )	gpu::GpuInit::InitializeAndStartSandbox(base::CommandLine*, gpu::GpuPreferences const&)
0x00000001198951b8	(Google Chrome Framework -gpu_main.cc:318 )	content::GpuMain(content::MainFunctionParams const&)
0x0000000115107f39	(Google Chrome Framework -content_main_runner_impl.cc:871 )	content::ContentMainRunnerImpl::Run(bool)
0x00000001177236dc	(Google Chrome Framework -main.cc:461 )	service_manager::Main(service_manager::MainParams const&)
0x0000000115107323	(Google Chrome Framework -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const&)
0x0000000112cfdfae	(Google Chrome Framework -chrome_main.cc:102 )	ChromeMain
0x000000010cd2751f	(Google Chrome Helper -chrome_exe_main_mac.cc:101 )	main
0x00007fff71ee8014	(libdyld.dylib + 0x00001014 )	start

- Crashes on 10.14 bucket differently, though:
  - crash/0c75c501fc1aca80
  - crash/30a03f49c1f2f98c

0x00007fff6f5e8ea6	(libsystem_kernel.dylib + 0x00002ea6 )	__mac_syscall
0x00007fff6f6a9b69	(libsystem_sandbox.dylib + 0x00000b69 )	sandbox_check
0x00007fff4390b099	(LaunchServices + 0x000e7099 )	_LSDatabaseClean(LSDatabase**)
0x00007fff438281c0	(LaunchServices + 0x000041c0 )	___ZL20_LSContextInitClientP9LSContext_block_invoke
0x00007fff6f45fdce	(libdispatch.dylib + 0x00003dce )	_dispatch_client_callout
0x00007fff6f46ba2b	(libdispatch.dylib + 0x0000fa2b )	_dispatch_lane_barrier_sync_invoke_and_complete
0x00007fff43827e4b	(LaunchServices + 0x00003e4b )	_LSContextInitClient(LSContext*)
0x00007fff43827bcb	(LaunchServices + 0x00003bcb )	_LSContextInit
0x00007fff4383c255	(LaunchServices + 0x00018255 )	prepareIsApplicationValue(_LSOnDemandContext&, FSNode*, __FileCache*, __CFString const*, NSError* __autoreleasing*)
0x00007fff43826d8c	(LaunchServices + 0x00002d8c )	LSPropertyProviderPrepareValues(__CFURL const*, __FileCache*, __CFString const* const*, void const**, long, void const*, __CFError**)
0x00007fff56cc5d60	(CoreServicesInternal + 0x00003d60 )	__ZL22prepareValuesForBitmapPK7__CFURLP11__FileCacheP19_FilePropertyBitmapPP9__CFError
0x00007fff56cc7a94	(CoreServicesInternal + 0x00005a94 )	__ZL40_FSURLCopyResourcePropertyForKeyInternalPK7__CFURLPK10__CFStringPvS5_PP9__CFErrorh
0x00007fff421e164d	(CoreFoundation + 0x0004564d )	CFURLCopyResourcePropertyForKey
0x00007fff44cca860	(IOSurface + 0x00002860 )	_iosConnectInitalize
0x00007fff6f69fce3	(libsystem_pthread.dylib + 0x00001ce3 )	__pthread_once_handler
0x00007fff6f695aca	(libsystem_platform.dylib + 0x00001aca )	_os_once_callout
0x00007fff6f69fc7e	(libsystem_pthread.dylib + 0x00001c7e )	pthread_once
0x00007fff44ccba32	(IOSurface + 0x00003a32 )	IOSurfaceClientCopyGPUPolicies
0x00007fff4b7907b5	(libGFXShared.dylib + 0x000017b5 )	__apply_selection_policy_block_invoke
0x00007fff6f45fdce	(libdispatch.dylib + 0x00003dce )	_dispatch_client_callout
0x00007fff6f461514	(libdispatch.dylib + 0x00005514 )	_dispatch_once_callout
0x00007fff4b7906d2	(libGFXShared.dylib + 0x000016d2 )	gfxPreferRemovable
0x00007fff4c3487a9	(OpenGL + 0x000097a9 )	CGLChoosePixelFormat
0x00007fff4c348134	(OpenGL + 0x00009134 )	CGLChoosePixelFormat
0x000000010ec2f494	(Google Chrome Framework -gl_initializer_mac.cc:63 )	gl::init::InitializeGLOneOffPlatform()
0x000000010ec2e9e3	(Google Chrome Framework -gl_factory.cc:97 )	gl::init::InitializeGLOneOffImplementation(gl::GLImplementation, bool, bool, bool, bool)
0x000000010ec2e8af	(Google Chrome Framework -gl_factory.cc:74 )	gl::init::(anonymous namespace)::InitializeGLOneOffHelper(bool)
0x000000010ef27a8d	(Google Chrome Framework -gpu_init.cc:252 )	gpu::GpuInit::InitializeAndStartSandbox(base::CommandLine*, gpu::GpuPreferences const&)
0x0000000111a071b8	(Google Chrome Framework -gpu_main.cc:318 )	content::GpuMain(content::MainFunctionParams const&)
0x000000010d279f39	(Google Chrome Framework -content_main_runner_impl.cc:871 )	content::ContentMainRunnerImpl::Run(bool)
0x000000010f8956dc	(Google Chrome Framework -main.cc:461 )	service_manager::Main(service_manager::MainParams const&)
0x000000010d279323	(Google Chrome Framework -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const&)
0x000000010ae6ffae	(Google Chrome Framework -chrome_main.cc:102 )	ChromeMain
0x0000000109de551f	(Google Chrome Helper -chrome_exe_main_mac.cc:101 )	main
0x00007fff6f4aded8	(libdyld.dylib + 0x00016ed8 )	start

Not sure what to make of hanging in the MAC syscall...

====================

[GPU hang] media::`anonymous namespace'::CreateVideoToolboxSession

- Not necessarily new (cf. issue 871280), but worth looking at
- In 73.0.3668.0 found on 10.12, 10.13, 10.14 but with roughly the same signature
  - crash/ee4cb6fc0cbb4aa7 (10.12)
  - crash/0caba358ae881f2f (10.13)
  - crash/0eecb26b27acbe47 (10.14):

0x00007fff7df0b17a	(libsystem_kernel.dylib + 0x0000117a )	mach_msg_trap
0x00007fff7dffeb95	(libxpc.dylib + 0x00005b95 )	xpc_pipe_routine
0x00007fff7dffe89c	(libxpc.dylib + 0x0000589c )	_xpc_interface_routine
0x00007fff7e005868	(libxpc.dylib + 0x0000c868 )	_xpc_bootstrap_services
0x00007fff7e00548b	(libxpc.dylib + 0x0000c48b )	_xpc_uncork_domain
0x00007fff7e00271d	(libxpc.dylib + 0x0000971d )	_xpc_connection_init
0x00007fff7e0026c0	(libxpc.dylib + 0x000096c0 )	_xpc_connection_activate_if_needed
0x00007fff7e00264b	(libxpc.dylib + 0x0000964b )	xpc_connection_resume
0x00007fff5d0baece	(VideoToolbox + 0x000c3ece )	VTRemoteVideoDecoderGetClassID
0x00007fff5d0bc12e	(VideoToolbox + 0x000c512e )	VTRemoteVideoDecoderGetClassID
0x00007fff5d001983	(VideoToolbox + 0x0000a983 )	VTDecompressionSessionCreateWithOptions
0x00007fff5d00c445	(VideoToolbox + 0x00015445 )	VTDecompressionSessionCreate
0x0000000112908b6b	(Google Chrome Framework -vt_video_decode_accelerator_mac.cc:184 )	media::(anonymous namespace)::CreateVideoToolboxSession(unsigned char const*, unsigned long, unsigned char const*, unsigned long, bool)
0x0000000112908a2c	(Google Chrome Framework -vt_video_decode_accelerator_mac.cc:224 )	media::VTVideoDecodeAccelerator::GetSupportedProfiles()
0x0000000112903dc2	(Google Chrome Framework -gpu_video_decode_accelerator_factory.cc:81 )	media::GpuVideoDecodeAcceleratorFactory::GetDecoderCapabilities(gpu::GpuPreferences const&, gpu::GpuDriverBugWorkarounds const&)
0x00000001128f7fcd	(Google Chrome Framework -gpu_video_decode_accelerator.cc:205 )	media::GpuVideoDecodeAccelerator::GetCapabilities(gpu::GpuPreferences const&, gpu::GpuDriverBugWorkarounds const&)
0x000000010f2210a0	(Google Chrome Framework -gpu_service_impl.cc:205 )	viz::GpuServiceImpl::UpdateGPUInfo()
0x000000010fa2b8fb	(Google Chrome Framework -viz_main_impl.cc:148 )	viz::VizMainImpl::CreateGpuService(mojo::InterfaceRequest<viz::mojom::GpuService>, mojo::InterfacePtr<viz::mojom::GpuHost>, mojo::InterfacePtr<discardable_memory::mojom::DiscardableSharedMemoryManager>, mojo::ScopedHandleBase<mojo::SharedBufferHandle>, gfx::FontRenderParams::SubpixelRendering)
0x000000010f250ea6	(Google Chrome Framework -viz_main.mojom.cc:297 )	viz::mojom::VizMainStubDispatch::Accept(viz::mojom::VizMain*, mojo::Message*)
0x00000001116f1144	(Google Chrome Framework -ipc_mojo_bootstrap.cc:877 )	IPC::(anonymous namespace)::ChannelAssociatedGroupController::AcceptOnProxyThread(mojo::Message)

Might be missing an XPC service?

Looking at [GPU hang] media::`anonymous namespace'::CreateVideoToolboxSession, might need to allow some things:

- Reading prefs for "com.apple.coremedia" domain
- XPC endpoint "com.apple.coremedia.videoencoder" (.videodecoder is currently allowed, so the above stack about VTDecompressionSessionCreate may not get fixed with this...)

For [GPU hang] gl::init::InitializeGLOneOffPlatform, we already allow lookup of "com.apple.cvmsServ" so I'm not sure what's causing that one.
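
A regex allow rule like the one suggested above for the ByHost AppleGVA plist is only as narrow as its anchoring and escaping. The following added example (not from the issue or from Chromium's sandbox profiles) checks a tight pattern and an over-broad one against constructed paths; the home directory, the helper names, and the use of Python's `re` as a stand-in for the sandbox's regex engine are assumptions.

```python
import re

# Constructed sample values (assumptions): the home directory and every path
# below. Only the first file name is the one quoted in the comment above.
HOME = "/Users/example"
DOMAIN = "com.apple.AppleGVA"
BYHOST = HOME + "/Library/Preferences/ByHost/"
# 8-4-4-4-12 hex digits, the shape of the per-host UUID in the file name.
UUID = "-".join("[0-9A-Fa-f]{%d}" % n for n in (8, 4, 4, 4, 12))

PATHS = [
    BYHOST + DOMAIN + ".3DA8BE9C-71F8-579A-90EE-C4C3F1FA5436.plist",
    BYHOST + DOMAIN + ".00000000-0000-0000-0000-000000000000.plist",
    BYHOST + DOMAIN + ".3DA8BE9C-71F8-579A-90EE-C4C3F1FA5436.plist.bak",
    BYHOST + "com.apple.Other.3DA8BE9C-71F8-579A-90EE-C4C3F1FA5436.plist",
    BYHOST + "comXapple.AppleGVA.3DA8BE9C-71F8-579A-90EE-C4C3F1FA5436.plist",
    HOME + "/Library/Preferences/" + DOMAIN + ".plist",
    HOME + "/Documents/" + DOMAIN + ".export.plist",
]

def tight_pattern(home=HOME, domain=DOMAIN):
    """Anchored at both ends, literal dots escaped, UUID shape spelled out."""
    return ("^" + re.escape(home) + "/Library/Preferences/ByHost/"
            + re.escape(domain) + r"\." + UUID + r"\.plist$")

def loose_pattern(domain=DOMAIN):
    """For contrast: unanchored, dots left as wildcards, '.*' for the UUID."""
    return domain + ".*.plist"

def admitted(pattern, paths=PATHS):
    """Return the paths a rule with this pattern would match."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

def over_allowed():
    """Paths the loose pattern admits that the tight one rejects."""
    tight = set(admitted(tight_pattern()))
    return [p for p in admitted(loose_pattern()) if p not in tight]

if __name__ == "__main__":
    print("tight admits:")
    for p in admitted(tight_pattern()):
        print("  ", p)
    print("loose additionally admits:")
    for p in over_allowed():
        print("  ", p)
```
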
