Updates:
Cc:
bo...@chromium.orgComment #9 on issue 797802 by
bo...@chromium.org: Chrome_Android: Crash Report - blink::LayoutBoxModelObject::PixelSnappedOffsetLeft
https://bugs.chromium.org/p/chromium/issues/detail?id=797802#c9Most of the reports have a stack trace like this:
0xc5c9a032 (libchrome.so -LayoutBoxModelObject.h:161 ) blink::LayoutBoxModelObject::PixelSnappedOffsetLeft(blink::Element const*) const
0xc5c9a005 (libchrome.so -HTMLElement.cpp:1240 ) blink::HTMLElement::offsetLeftForBinding()
0xc6e8fb9d (libchrome.so -memory:3047 ) syncer::ModelTypeRegistry::RegisterDirectoryType(syncer::ModelType, syncer::ModelSafeGroup)
0xc6e76f4b (libchrome.so -sync_backend_host_core.cc:151 ) syncer::SyncBackendHostCore::OnInitializationComplete(syncer::WeakHandle<syncer::JsBackend> const&, syncer::WeakHandle<syncer::DataTypeDebugInfoListener> const&, bool, syncer::EnumSet<syncer::ModelType, (syncer::ModelType)2, (syncer::ModelType)39>)
0xc6e7727b (libchrome.so -sync_backend_host_core.cc ) non-virtual thunk to syncer::SyncBackendHostCore::OnInitializationComplete(syncer::WeakHandle<syncer::JsBackend> const&, syncer::WeakHandle<syncer::DataTypeDebugInfoListener> const&, bool, syncer::EnumSet<syncer::ModelType, (syncer::ModelType)2, (syncer::ModelType)39>)
0xc6e96209 (libchrome.so -sync_manager_impl.cc:332 ) syncer::SyncManagerImpl::NotifyInitializationSuccess()
0xc6e96035 (libchrome.so -sync_manager_impl.cc:327 ) syncer::SyncManagerImpl::Init(syncer::SyncManager::InitArgs*)
0xc6e7785d (libchrome.so -sync_backend_host_core.cc:331 ) syncer::SyncBackendHostCore::DoInitialize(syncer::SyncEngine::InitParams)
0xc6e79da1 (libchrome.so -bind_internal.h:194 ) void base::internal::FunctorTraits<void (syncer::SyncBackendHostCore::*)(syncer::SyncEngine::InitParams), void>::Invoke<scoped_refptr<syncer::SyncBackendHostCore> const&, syncer::SyncEngine::InitParams>(void (syncer::SyncBackendHostCore::*)(syncer::SyncEngine::InitParams), scoped_refptr<syncer::SyncBackendHostCore> const&&&, syncer::SyncEngine::InitParams&&)
0xc6e79d61 (libchrome.so -bind_internal.h:351 ) void base::internal::Invoker<base::internal::BindState<void (syncer::SyncBackendHostCore::*)(syncer::SyncEngine::InitParams), scoped_refptr<syncer::SyncBackendHostCore>, base::internal::PassedWrapper<syncer::SyncEngine::InitParams> >, void ()>::RunImpl<void (syncer::SyncBackendHostCore::* const&)(syncer::SyncEngine::InitParams), std::__ndk1::tuple<scoped_refptr<syncer::SyncBackendHostCore>, base::internal::PassedWrapper<syncer::SyncEngine::InitParams> > const&, 0u, 1u>(void (syncer::SyncBackendHostCore::* const&&&)(syncer::SyncEngine::InitParams), std::__ndk1::tuple<scoped_refptr<syncer::SyncBackendHostCore>, base::internal::PassedWrapper<syncer::SyncEngine::InitParams> > const&&&, std::__ndk1::integer_sequence<unsigned int, 0u, 1u>)
0xc55bd0fb (libchrome.so -callback.h:65 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0xc55bcd51 (libchrome.so -message_loop.cc:391 ) base::MessageLoop::RunTask(base::PendingTask*)
0xc577fc5d (libchrome.so -message_loop.cc:403 ) base::MessageLoop::DoWork()
0xc586f5c7 (libchrome.so -message_pump_default.cc:37 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
0xc577f9e5 (libchrome.so -run_loop.cc:114 ) <name omitted>
0xc577ce63 (libchrome.so -thread.cc:338 ) base::Thread::ThreadMain()
0xc577cc4b (libchrome.so -platform_thread_posix.cc:75 ) base::(anonymous namespace)::ThreadFunc(void*)
This doesn't make much sense to me since ModelTypeRegistry::RegisterDirectoryType doesn't have any calls into any Blink types at all. The crashes tend to all be random addresses rather than a null-deref so I expect we're calling into bad memory somewhere in ModelTypeRegistry::RegisterDirectoryType.
That said, there's something fishy here. All the reports are from one country (Brasil) and the same device (Samsung Galaxy J7). Not sure if this has any significance but additionally, all but one client ID has the same prefix ("AECnTL") - there's only 14 clients total. I think this might be some group tinkering with their system rather than an actual issue in Chrome. Given that, I wouldn't call it a stable blocker and I don't think we should expend time trying to figure this out.