renderer crashes in 32.0.1685.0

[Paweł Hajdan, Jr.]

I'm packaging Chromium 32.0.1685.0 for Linux, and I'm getting the following stack trace. Does it look familiar? Are there some areas or libraries I should look at more closely?

#0  WebCore::FontFallbackList::determinePitch (this=0x55555aefc9d0, 

    font=<optimized out>)

    at ../../third_party/WebKit/Source/core/platform/graphics/FontFallbackList.cpp:79

#1  0x000055555783724d in isFixedPitch (f=0x55555aefdc60, this=<optimized out>)

    at ../../third_party/WebKit/Source/core/platform/graphics/FontFallbackList.h:73

#2  isFixedPitch (this=0x55555aefdc60)

    at ../../third_party/WebKit/Source/core/platform/graphics/Font.h:316

#3  widthFromCache (glyphOverflow=0x7fffffff9160, 

    fallbackFonts=0x7fffffff9140, xPos=<optimized out>, len=1, start=0, f=..., 

    this=0x2510583383a0)

    at ../../third_party/WebKit/Source/core/rendering/RenderText.cpp:714

#4  WebCore::RenderText::computePreferredLogicalWidths (this=0x2510583383a0, 

    leadWidth=0, fallbackFonts=..., glyphOverflow=...)

    at ../../third_party/WebKit/Source/core/rendering/RenderText.cpp:997

#5  0x000055555783aab2 in WebCore::RenderText::computePreferredLogicalWidths (

    this=0x2510583383a0, leadWidth=<optimized out>)

    at ../../third_party/WebKit/Source/core/rendering/RenderText.cpp:867

#6  0x00005555578362ae in WebCore::RenderText::trimmedPrefWidths (

    this=0x2510583383a0, leadWidth=<optimized out>, 

    firstLineMinWidth=@0x7fffffff94a8: 0, hasBreakableStart=<optimized out>, 

    lastLineMinWidth=@0x7fffffff94ac: 0, hasBreakableEnd=<optimized out>, 

    hasBreakableChar=<optimized out>, hasBreak=@0x7fffffff94bd: 127, 

    firstLineMaxWidth=@0x7fffffff94b0: 3.24597823e+16, 

    lastLineMaxWidth=@0x7fffffff94b4: 3.0611365e-41, 

    minWidth=@0x7fffffff94a0: 0, maxWidth=@0x7fffffff94a4: 0, 

    stripFrontSpaces=@0x7fffffff94bc: true)

    at ../../third_party/WebKit/Source/core/rendering/RenderText.cpp:768

#7  0x00005555576f8eae in WebCore::RenderBlock::computeInlinePreferredLogicalWidths (this=<optimized out>, minLogicalWidth=..., maxLogicalWidth=...)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:4491

#8  0x00005555576fb1a0 in WebCore::RenderBlock::computeIntrinsicLogicalWidths (

    this=0x25105832d840, minLogicalWidth=..., maxLogicalWidth=...)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:4090

#9  0x00005555576ebcb9 in WebCore::RenderBlock::computePreferredLogicalWidths (

    this=0x25105832d840)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:4129

#10 0x0000555557731b53 in WebCore::RenderBox::maxPreferredLogicalWidth (

    this=0x25105832d840)

    at ../../third_party/WebKit/Source/core/rendering/RenderBox.cpp:1055

#11 0x0000555557777bac in WebCore::RenderFlexibleBox::preferredMainAxisContentExtentForChild (this=0x251058354040, child=0x25105832d840, 

    hasInfiniteLineLength=false)

    at ../../third_party/WebKit/Source/core/rendering/RenderFlexibleBox.cpp:649

#12 0x000055555777ad81 in WebCore::RenderFlexibleBox::computeNextFlexLine (

    this=0x251058354040, orderedChildren=..., sumFlexBaseSize=..., 

    totalFlexGrow=@0x7fffffff9880: 0, 

    totalWeightedFlexShrink=@0x7fffffff9888: 0, sumHypotheticalMainSize=..., 

    hasInfiniteLineLength=@0x7fffffff98cf: false)

    at ../../third_party/WebKit/Source/core/rendering/RenderFlexibleBox.cpp:885

#13 0x000055555777d5b3 in WebCore::RenderFlexibleBox::layoutFlexItems (

    this=0x251058354040, relayoutChildren=true, lineContexts=...)

    at ../../third_party/WebKit/Source/core/rendering/RenderFlexibleBox.cpp:667

#14 0x000055555777dc21 in WebCore::RenderFlexibleBox::layoutBlock (

    this=0x251058354040, relayoutChildren=true)

    at ../../third_party/WebKit/Source/core/rendering/RenderFlexibleBox.cpp:255

#15 0x00005555576eaa48 in WebCore::RenderBlock::layout (this=0x251058354040)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:1276

#16 0x000055555770747c in layoutIfNeeded (this=0x251058354040)

    at ../../third_party/WebKit/Source/core/rendering/RenderObject.h:686

#17 layoutIfNeeded (this=0x251058354040)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:1943

#18 WebCore::RenderBlock::layoutPositionedObjects (this=0x25105832c1c0, 

    relayoutChildren=false, fixedPositionObjectsOnly=false)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:1998

#19 0x000055555771ac90 in WebCore::RenderBlockFlow::layoutBlock (

    this=0x25105832c1c0, relayoutChildren=false, pageLogicalHeight=...)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlockFlow.cpp:269

#20 0x00005555576eaa48 in WebCore::RenderBlock::layout (this=0x25105832c1c0)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:1276

#21 0x000055555770747c in layoutIfNeeded (this=0x25105832c1c0)

    at ../../third_party/WebKit/Source/core/rendering/RenderObject.h:686

#22 layoutIfNeeded (this=0x25105832c1c0)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:1943

#23 WebCore::RenderBlock::layoutPositionedObjects (this=0x251058324040, 

    relayoutChildren=false, fixedPositionObjectsOnly=false)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:1998

#24 0x0000555557708891 in WebCore::RenderBlock::simplifiedLayout (

    this=0x251058324040)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:1876

#25 0x000055555771a730 in WebCore::RenderBlockFlow::layoutBlock (

    this=0x251058324040, relayoutChildren=false, pageLogicalHeight=...)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlockFlow.cpp:165

#26 0x00005555576eaa48 in WebCore::RenderBlock::layout (this=0x251058324040)

    at ../../third_party/WebKit/Source/core/rendering/RenderBlock.cpp:1276

#27 0x000055555785c799 in WebCore::RenderView::layoutContent (

    this=0x251058324040, state=...)

    at ../../third_party/WebKit/Source/core/rendering/RenderView.cpp:169

#28 0x000055555785e00e in WebCore::RenderView::layout (this=0x251058324040)

    at ../../third_party/WebKit/Source/core/rendering/RenderView.cpp:346

#29 0x000055555750554e in WebCore::FrameView::performLayout (

    this=0x55555ace81b0, rootForThisLayout=0x251058324040, 

    inSubtreeLayout=false)

    at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:909

#30 0x000055555750408a in layout (allowSubtree=<optimized out>, 

    this=0x55555ace81b0)

    at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:1079

#31 WebCore::FrameView::layout (this=0x55555ace81b0, 

    allowSubtree=<optimized out>)

    at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:960

#32 0x0000555556fe93b4 in WebCore::Document::updateLayout (this=0x11c16ba4a40)

    at ../../third_party/WebKit/Source/core/dom/Document.cpp:1797

#33 0x0000555557005094 in WebCore::Element::offsetTop (this=<optimized out>)

    at ../../third_party/WebKit/Source/core/dom/Element.cpp:570

#34 0x0000555557a0ece5 in offsetTopAttributeGetterForMainWorld (info=..., 

    name=...) at gen/blink/bindings/V8Element.cpp:345

#35 WebCore::ElementV8Internal::offsetTopAttributeGetterCallbackForMainWorld (

    name=..., info=...) at gen/blink/bindings/V8Element.cpp:351

#36 0x0000555556dce8c9 in v8::internal::PropertyCallbackArguments::Call (

    this=0x7fffffffa900, 

    f=0x555557a0ecb0 <WebCore::ElementV8Internal::offsetTopAttributeGetterCallbackForMainWorld(v8::Local<v8::String>, v8::PropertyCallbackInfo<v8::Value> const&)>, arg1=...) at ../../v8/src/arguments.cc:110

#37 0x0000555556c6a93c in v8::internal::JSObject::GetPropertyWithCallback (

    object=..., receiver=..., structure=..., name=...)

    at ../../v8/src/objects.cc:399

#38 0x0000555556c95ace in v8::internal::Object::GetProperty (

    this=<optimized out>, receiver=0x1635c307d8f9, result=<optimized out>, 

    name=<optimized out>, attributes=<optimized out>)

    at ../../v8/src/objects.cc:905

#39 0x0000555556c95f52 in v8::internal::Object::GetProperty (object=..., 

    receiver=..., result=0x7fffffffaa80, key=..., attributes=0x7fffffffaacc)

    at ../../v8/src/objects.cc:801

#40 0x0000555556c01015 in v8::internal::LoadIC::Load (this=0x7fffffffab10, 

    object=..., name=...) at ../../v8/src/ic.cc:927

#41 0x0000555556c017bd in __RT_impl_LoadIC_Miss (isolate=0x55555ac94ad0, 

    args=...) at ../../v8/src/ic.cc:2065

#42 v8::internal::LoadIC_Miss (args_length=<optimized out>, 

    args_object=0x7fffffffaba0, isolate=<optimized out>)

    at ../../v8/src/ic.cc:2058

#43 0x00001047b3e0824e in ?? ()

#44 0x00001047b3e081a1 in ?? ()

#45 0x00001047b3e081a1 in ?? ()

#46 0x00007fffffffab70 in ?? ()

#47 0x00007fffffffabe0 in ?? ()

#48 0x00001047b3ed92a0 in ?? ()

#49 0x000011ef03c31e39 in ?? ()

#50 0x00001635c307d8f9 in ?? ()

#51 0x00000fef24b04121 in ?? ()

#52 0x0000000000000000 in ?? ()

Paweł

[Paweł Hajdan, Jr.]

I can still reproduce with public code corresponding to 32.0.1700.2 and trunk as of today (src@233323). Note that this is a Gentoo chroot - maybe that environment makes some difference, but it shouldn't lead to crashes.

git bisect points to a Blink roll. I'll investigate further (manually bisect the roll), I just thought I'd post here for more advice.

8edb4c2fd563405d09737c6b0ed217f875645a49 is the first bad commit

commit 8edb4c2fd563405d09737c6b0ed217f875645a49

Author: pfel...@chromium.org <pfel...@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>

Date:   Tue Oct 22 12:49:55 2013 +0000

    Blink roll 160139:160175

    

    http://build.chromium.org/f/chromium/perf/dashboard/ui/changelog_blink.html?url=/trunk&range=160140:160175&mode=html

    TBR=

    BUG=

    

    Review URL: https://codereview.chromium.org/34883002

    

    git-svn-id: svn://svn.chromium.org/chrome/trunk/src@230112 0039d316-1c4b-4281-b951-d872f2087c98

:100644 100644 adc963941a6fbe0d01ce3621e91f6d028d55f3c3 b77e91a7f0532ad3b3359b4b34d69d6e7d39d724 M DEPS

Paweł

[James Robinson]

This'll probably be easier to track on the bug tracker.  Could you file a bug and cc approprate folks as you discover more detailed information?  The mailing list isn't as good for tracking bugs as the bug tracker is.

- James

[Paweł Hajdan, Jr.]

I think this is
https://code.google.com/p/chromium/issues/detail?id=314128 . There are
some more reports there linked by Karen - marked as top crashes for
Linux Dev channel. I can repro the crash every time using my Gentoo
chroot.

Emil, my local bisecting points to
https://codereview.chromium.org/31923005 as the culprit. I hope that
helps with fixing it, and I'm also happy to help testing fixes locally
since I can repro very reliably.

Karen, we now have two consecutive dev channel releases with this
problem. Should this have a bumped priority and block next dev channel
release or beta promotion?

Paweł

[Emil A Eklund]

Thanks Pawel,

Could you try patching in https://codereview.chromium.org/63473002/
and see if that helps?


On Wed, Nov 6, 2013 at 6:17 PM, Paweł Hajdan, Jr.

[Paweł Hajdan, Jr.]

Thank you. Doesn't fix my crash.

There might be different issues though, with that patch fixing some of
them but not the one I have.

Paweł

[Karen Grunberg]

any help u have in being able to bisect it and/or figure out what's wrong is deeply appreciated!!

[Karen Grunberg]

I can't really block beta on this since we're working hard on getting aura out the door, however, i talked to emil already today and it's his top priority. if you have means to help him and have a repro, i am sure it would be much appreciated. I promise to accept any reasonable merge that makes  these go away :)

[Roger Johannesson]

Hi Paweł,

I ran into a very similar crash yesterday and just posted a possible fix for that here:

https://codereview.chromium.org/64243002/

Could you try if that fixes the crash you are seeing as well?

/ Roger

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

[Paweł Hajdan, Jr.]

Yay, thanks Roger. https://codereview.chromium.org/64243002/ fixes the crashes.

Please make sure 1700 branch either is not affected by this or has the fix. :)

Paweł

[Karen Grunberg]

it is affected. We will merge it after the first dev on m33 to make sure it doesn't cause some other crash :)