Issue 797802 in chromium: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
8 views
Skip to first unread message
cma… via monorail
Jan 9, 2018, 6:03:35 PM1/9/18
to inpu...@chromium.org
Updates:
Cc: inpu...@chromium.org
Comment #8 on issue 797802 by cma...@google.com: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
https://bugs.chromium.org/p/chromium/issues/detail?id=797802#c8
Can anyone from inpu...@chromium.org take a look at this bug?
--
You received this message because:
1. You were specifically CC'd on the issue
You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings
Reply to this email to add a comment.
Cc: inpu...@chromium.org
Comment #8 on issue 797802 by cma...@google.com: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
https://bugs.chromium.org/p/chromium/issues/detail?id=797802#c8
Can anyone from inpu...@chromium.org take a look at this bug?
--
You received this message because:
1. You were specifically CC'd on the issue
You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings
Reply to this email to add a comment.
bo… via monorail
Jan 10, 2018, 11:20:22 AM1/10/18
to inpu...@chromium.org
Updates:
Cc: bo...@chromium.org
Comment #9 on issue 797802 by bo...@chromium.org: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
https://bugs.chromium.org/p/chromium/issues/detail?id=797802#c9
Most of the reports have a stack trace like this:
0xc5c9a032 (libchrome.so -LayoutBoxModelObject.h:161 ) blink::LayoutBoxModelObject::PixelSnappedOffsetLeft(blink::Element const*) const
0xc5c9a005 (libchrome.so -HTMLElement.cpp:1240 ) blink::HTMLElement::offsetLeftForBinding()
0xc6e8fb9d (libchrome.so -memory:3047 ) syncer::ModelTypeRegistry::RegisterDirectoryType(syncer::ModelType, syncer::ModelSafeGroup)
0xc6e76f4b (libchrome.so -sync_backend_host_core.cc:151 ) syncer::SyncBackendHostCore::OnInitializationComplete(syncer::WeakHandle<syncer::JsBackend> const&, syncer::WeakHandle<syncer::DataTypeDebugInfoListener> const&, bool, syncer::EnumSet<syncer::ModelType, (syncer::ModelType)2, (syncer::ModelType)39>)
0xc6e7727b (libchrome.so -sync_backend_host_core.cc ) non-virtual thunk to syncer::SyncBackendHostCore::OnInitializationComplete(syncer::WeakHandle<syncer::JsBackend> const&, syncer::WeakHandle<syncer::DataTypeDebugInfoListener> const&, bool, syncer::EnumSet<syncer::ModelType, (syncer::ModelType)2, (syncer::ModelType)39>)
0xc6e96209 (libchrome.so -sync_manager_impl.cc:332 ) syncer::SyncManagerImpl::NotifyInitializationSuccess()
0xc6e96035 (libchrome.so -sync_manager_impl.cc:327 ) syncer::SyncManagerImpl::Init(syncer::SyncManager::InitArgs*)
0xc6e7785d (libchrome.so -sync_backend_host_core.cc:331 ) syncer::SyncBackendHostCore::DoInitialize(syncer::SyncEngine::InitParams)
0xc6e79da1 (libchrome.so -bind_internal.h:194 ) void base::internal::FunctorTraits<void (syncer::SyncBackendHostCore::*)(syncer::SyncEngine::InitParams), void>::Invoke<scoped_refptr<syncer::SyncBackendHostCore> const&, syncer::SyncEngine::InitParams>(void (syncer::SyncBackendHostCore::*)(syncer::SyncEngine::InitParams), scoped_refptr<syncer::SyncBackendHostCore> const&&&, syncer::SyncEngine::InitParams&&)
0xc6e79d61 (libchrome.so -bind_internal.h:351 ) void base::internal::Invoker<base::internal::BindState<void (syncer::SyncBackendHostCore::*)(syncer::SyncEngine::InitParams), scoped_refptr<syncer::SyncBackendHostCore>, base::internal::PassedWrapper<syncer::SyncEngine::InitParams> >, void ()>::RunImpl<void (syncer::SyncBackendHostCore::* const&)(syncer::SyncEngine::InitParams), std::__ndk1::tuple<scoped_refptr<syncer::SyncBackendHostCore>, base::internal::PassedWrapper<syncer::SyncEngine::InitParams> > const&, 0u, 1u>(void (syncer::SyncBackendHostCore::* const&&&)(syncer::SyncEngine::InitParams), std::__ndk1::tuple<scoped_refptr<syncer::SyncBackendHostCore>, base::internal::PassedWrapper<syncer::SyncEngine::InitParams> > const&&&, std::__ndk1::integer_sequence<unsigned int, 0u, 1u>)
0xc55bd0fb (libchrome.so -callback.h:65 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0xc55bcd51 (libchrome.so -message_loop.cc:391 ) base::MessageLoop::RunTask(base::PendingTask*)
0xc577fc5d (libchrome.so -message_loop.cc:403 ) base::MessageLoop::DoWork()
0xc586f5c7 (libchrome.so -message_pump_default.cc:37 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
0xc577f9e5 (libchrome.so -run_loop.cc:114 ) <name omitted>
0xc577ce63 (libchrome.so -thread.cc:338 ) base::Thread::ThreadMain()
0xc577cc4b (libchrome.so -platform_thread_posix.cc:75 ) base::(anonymous namespace)::ThreadFunc(void*)
This doesn't make much sense to me since ModelTypeRegistry::RegisterDirectoryType doesn't have any calls into any Blink types at all. The crashes tend to all be random addresses rather than a null-deref so I expect we're calling into bad memory somewhere in ModelTypeRegistry::RegisterDirectoryType.
That said, there's something fishy here. All the reports are from one country (Brasil) and the same device (Samsung Galaxy J7). Not sure if this has any significance but additionally, all but one client ID has the same prefix ("AECnTL") - there's only 14 clients total. I think this might be some group tinkering with their system rather than an actual issue in Chrome. Given that, I wouldn't call it a stable blocker and I don't think we should expend time trying to figure this out.
Cc: bo...@chromium.org
Comment #9 on issue 797802 by bo...@chromium.org: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
https://bugs.chromium.org/p/chromium/issues/detail?id=797802#c9
Most of the reports have a stack trace like this:
0xc5c9a032 (libchrome.so -LayoutBoxModelObject.h:161 ) blink::LayoutBoxModelObject::PixelSnappedOffsetLeft(blink::Element const*) const
0xc5c9a005 (libchrome.so -HTMLElement.cpp:1240 ) blink::HTMLElement::offsetLeftForBinding()
0xc6e8fb9d (libchrome.so -memory:3047 ) syncer::ModelTypeRegistry::RegisterDirectoryType(syncer::ModelType, syncer::ModelSafeGroup)
0xc6e76f4b (libchrome.so -sync_backend_host_core.cc:151 ) syncer::SyncBackendHostCore::OnInitializationComplete(syncer::WeakHandle<syncer::JsBackend> const&, syncer::WeakHandle<syncer::DataTypeDebugInfoListener> const&, bool, syncer::EnumSet<syncer::ModelType, (syncer::ModelType)2, (syncer::ModelType)39>)
0xc6e7727b (libchrome.so -sync_backend_host_core.cc ) non-virtual thunk to syncer::SyncBackendHostCore::OnInitializationComplete(syncer::WeakHandle<syncer::JsBackend> const&, syncer::WeakHandle<syncer::DataTypeDebugInfoListener> const&, bool, syncer::EnumSet<syncer::ModelType, (syncer::ModelType)2, (syncer::ModelType)39>)
0xc6e96209 (libchrome.so -sync_manager_impl.cc:332 ) syncer::SyncManagerImpl::NotifyInitializationSuccess()
0xc6e96035 (libchrome.so -sync_manager_impl.cc:327 ) syncer::SyncManagerImpl::Init(syncer::SyncManager::InitArgs*)
0xc6e7785d (libchrome.so -sync_backend_host_core.cc:331 ) syncer::SyncBackendHostCore::DoInitialize(syncer::SyncEngine::InitParams)
0xc6e79da1 (libchrome.so -bind_internal.h:194 ) void base::internal::FunctorTraits<void (syncer::SyncBackendHostCore::*)(syncer::SyncEngine::InitParams), void>::Invoke<scoped_refptr<syncer::SyncBackendHostCore> const&, syncer::SyncEngine::InitParams>(void (syncer::SyncBackendHostCore::*)(syncer::SyncEngine::InitParams), scoped_refptr<syncer::SyncBackendHostCore> const&&&, syncer::SyncEngine::InitParams&&)
0xc6e79d61 (libchrome.so -bind_internal.h:351 ) void base::internal::Invoker<base::internal::BindState<void (syncer::SyncBackendHostCore::*)(syncer::SyncEngine::InitParams), scoped_refptr<syncer::SyncBackendHostCore>, base::internal::PassedWrapper<syncer::SyncEngine::InitParams> >, void ()>::RunImpl<void (syncer::SyncBackendHostCore::* const&)(syncer::SyncEngine::InitParams), std::__ndk1::tuple<scoped_refptr<syncer::SyncBackendHostCore>, base::internal::PassedWrapper<syncer::SyncEngine::InitParams> > const&, 0u, 1u>(void (syncer::SyncBackendHostCore::* const&&&)(syncer::SyncEngine::InitParams), std::__ndk1::tuple<scoped_refptr<syncer::SyncBackendHostCore>, base::internal::PassedWrapper<syncer::SyncEngine::InitParams> > const&&&, std::__ndk1::integer_sequence<unsigned int, 0u, 1u>)
0xc55bd0fb (libchrome.so -callback.h:65 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0xc55bcd51 (libchrome.so -message_loop.cc:391 ) base::MessageLoop::RunTask(base::PendingTask*)
0xc577fc5d (libchrome.so -message_loop.cc:403 ) base::MessageLoop::DoWork()
0xc586f5c7 (libchrome.so -message_pump_default.cc:37 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
0xc577f9e5 (libchrome.so -run_loop.cc:114 ) <name omitted>
0xc577ce63 (libchrome.so -thread.cc:338 ) base::Thread::ThreadMain()
0xc577cc4b (libchrome.so -platform_thread_posix.cc:75 ) base::(anonymous namespace)::ThreadFunc(void*)
This doesn't make much sense to me since ModelTypeRegistry::RegisterDirectoryType doesn't have any calls into any Blink types at all. The crashes tend to all be random addresses rather than a null-deref so I expect we're calling into bad memory somewhere in ModelTypeRegistry::RegisterDirectoryType.
That said, there's something fishy here. All the reports are from one country (Brasil) and the same device (Samsung Galaxy J7). Not sure if this has any significance but additionally, all but one client ID has the same prefix ("AECnTL") - there's only 14 clients total. I think this might be some group tinkering with their system rather than an actual issue in Chrome. Given that, I wouldn't call it a stable blocker and I don't think we should expend time trying to figure this out.
cma… via monorail
Jan 10, 2018, 6:08:22 PM1/10/18
to inpu...@chromium.org
Updates:
Labels: -ReleaseBlock-Stable
Comment #10 on issue 797802 by cma...@google.com: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
https://bugs.chromium.org/p/chromium/issues/detail?id=797802#c10
Agreed! Thanks!
Labels: -ReleaseBlock-Stable
Comment #10 on issue 797802 by cma...@google.com: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
https://bugs.chromium.org/p/chromium/issues/detail?id=797802#c10
Agreed! Thanks!
yang… via monorail
Jan 17, 2018, 3:03:51 AM1/17/18
to inpu...@chromium.org
Updates:
Status: WontFix
Comment #11 on issue 797802 by yan...@chromium.org: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
https://bugs.chromium.org/p/chromium/issues/detail?id=797802#c11
I think Samsung Galaxy J7 devices generally have issues with memory corruption. We have experienced similar, seemingly inexplicable crashes elsewhere that only happen on J7 devices.
Status: WontFix
Comment #11 on issue 797802 by yan...@chromium.org: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
https://bugs.chromium.org/p/chromium/issues/detail?id=797802#c11
I think Samsung Galaxy J7 devices generally have issues with memory corruption. We have experienced similar, seemingly inexplicable crashes elsewhere that only happen on J7 devices.
Reply all
Reply to author
Forward
0 new messages