Issue 23780: New crash in reliability tests: MayAccessPreCheck
Reported by j...@chromium.org, Oct 04, 2009
What steps will reproduce the problem?
1. See recent reliability builder reports, e.g. 
http://build.chromium.org/buildbot/waterfall/builders/Chromium%20Reliability/builds/5947/steps/reliability:%20partial%20result%20of%20current%20build/logs/stdio

I'm following the instructions at 
http://sites.google.com/a/chromium.org/dev/developers/how-tos/reliability-tests, 
and I couldn't find an existing bug or known crash for this one, 
although it seems to have been occurring pretty regularly in the last ~48 
hours.

Using http://chromebot/ the oldest revision for which I can find this crash 
is http://src.chromium.org/viewvc/chrome?view=rev&revision=27848 so 
assigning to Darin.  I may not be familiar enough with the tools and it's 
quite possible there's an older change (e.g. I couldn't figure a way to get 
the waterfall or console to show me results that far back in time) so this 
is just a best effort.

INFO: NEW stack trace signature found:
v8::internal::mayaccessprecheck___v8::internal::top::maynamedaccess___v8::internal::jsobject::getpropertyattribute___v8::internal::jsobject::getlocalpropertyattribute___v8::internal::gethiddenproperties___v8::object::deletehiddenvalue___webcore::v8abstracteventlistener::~v8abstracteventlistener___webcore::v8workercontexteventlistener::`scalar deleting destructor'

REGRESSION: NEW crash stack traces found
--------------------
chrome_23a0000!v8::internal::MayAccessPreCheck+0x51 [c:\b\slave\chromium-rel-xp\build\src\v8\src\top.cc @ 481]
chrome_23a0000!v8::internal::Top::MayNamedAccess+0xd [c:\b\slave\chromium-rel-xp\build\src\v8\src\top.cc @ 502]
chrome_23a0000!v8::internal::JSObject::GetPropertyAttribute+0x22 [c:\b\slave\chromium-rel-xp\build\src\v8\src\objects.cc @ 2097]
chrome_23a0000!v8::internal::JSObject::GetLocalPropertyAttribute+0x7e [c:\b\slave\chromium-rel-xp\build\src\v8\src\objects.cc @ 2136]
chrome_23a0000!v8::internal::GetHiddenProperties+0x81 [c:\b\slave\chromium-rel-xp\build\src\v8\src\handles.cc @ 306]
chrome_23a0000!v8::Object::DeleteHiddenValue+0x62 [c:\b\slave\chromium-rel-xp\build\src\v8\src\api.cc @ 2276]
chrome_23a0000!WebCore::V8AbstractEventListener::~V8AbstractEventListener+0x3e [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8abstracteventlistener.cpp @ 80]
chrome_23a0000!WebCore::V8WorkerContextEventListener::`scalar deleting destructor'+0xb
chrome_23a0000!WTF::VectorDestructor<1,WebCore::RegisteredEventListener>::destruct+0x34 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\javascriptcore\wtf\vector.h @ 88]
chrome_23a0000!std::pair<WebCore::AtomicString,WTF::Vector<WebCore::RegisteredEventListener,1> >::~pair<WebCore::AtomicString,WTF::Vector<WebCore::RegisteredEventListener,1> >+0x17
chrome_23a0000!WTF::HashTable<WebCore::AtomicString,std::pair<WebCore::AtomicString,WTF::Vector<WebCore::RegisteredEventListener,1> >,WTF::PairFirstExtractor<std::pair<WebCore::AtomicString,WTF::Vector<WebCore::RegisteredEventListener,1> > >,WebCore::AtomicStringHash,WTF::PairHashTraits<WTF::HashTraits<WebCore::AtomicString>,WTF::HashTraits<WTF::Vector<WebCore::RegisteredEventListener,1> > >,WTF::HashTraits<WebCore::AtomicString> >::deallocateTable+0x1e [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\javascriptcore\wtf\hashtable.h @ 872]
chrome_23a0000!WebCore::EventTarget::removeAllEventListeners+0x1a [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\eventtarget.cpp @ 301]
chrome_23a0000!WebCore::Document::removeAllEventListeners+0x8 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\document.cpp @ 1470]
chrome_23a0000!WebCore::FrameLoader::stopLoading+0x1e2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\frameloader.cpp @ 531]
chrome_23a0000!WebCore::FrameLoader::stopLoading+0x2a4 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\frameloader.cpp @ 550]
chrome_23a0000!WebCore::FrameLoader::closeURL+0x30 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\frameloader.cpp @ 577]
chrome_23a0000!RenderView::OnClosePage+0x94 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_view.cc @ 3155]
chrome_23a0000!IPC::MessageWithTuple<Tuple1<ViewMsg_ClosePage_Params> >::Dispatch<RenderView,void (__thiscall RenderView::*)(ViewMsg_ClosePage_Params const &)>+0x34 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_message_utils.h @ 1000]
chrome_23a0000!RenderView::OnMessageReceived+0x668 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_view.cc @ 425]
chrome_23a0000!MessageRouter::RouteMessage+0x33 [c:\b\slave\chromium-rel-xp\build\src\chrome\common\message_router.cc @ 41]
chrome_23a0000!MessageRouter::OnMessageReceived+0x2f [c:\b\slave\chromium-rel-xp\build\src\chrome\common\message_router.cc @ 32]
chrome_23a0000!ChildThread::OnMessageReceived+0x81 [c:\b\slave\chromium-rel-xp\build\src\chrome\common\child_thread.cc @ 119]
chrome_23a0000!RunnableMethod<CancelableRequest<CallbackRunner<Tuple2<int,SkBitmap *> > >,void (__thiscall CancelableRequest<CallbackRunner<Tuple2<int,SkBitmap *> > >::*)(Tuple2<int,SkBitmap *> const &),Tuple1<Tuple2<int,SkBitmap *> > >::Run+0x17 [c:\b\slave\chromium-rel-xp\build\src\base\task.h @ 277]
chrome_23a0000!MessageLoop::RunTask+0x7e [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 315]
chrome_23a0000!MessageLoop::DoWork+0x1ea [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 437]
chrome_23a0000!base::MessagePumpDefault::Run+0x111 [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_default.cc @ 50]
chrome_23a0000!MessageLoop::RunInternal+0xc0 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 199]
chrome_23a0000!MessageLoop::RunHandler+0xa0 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 182]
chrome_23a0000!MessageLoop::Run+0x3d [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 156]
chrome_23a0000!RendererMain+0x41f [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\renderer_main.cc @ 169]
chrome_23a0000!ChromeMain+0x652 [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_dll_main.cc @ 552]
chrome!wWinMain+0x2fd [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_exe_main.cc @ 104]
chrome!__tmainCRTStartup+0x176 [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 324]
WARNING: Stack unwind information not available. Following frames may be wrong.
kernel32!RegisterWaitForInputIdle+0x49
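
The "stack trace signature" in the report above can be rebuilt from the trace for triage. This is an added example, not part of the original report or of Chromium's reliability tooling: it assumes the signature is the symbols of the top eight frames, lowercased and joined with `___` (which is what the reported signature and trace show), and `is_known` with its prefix list is a hypothetical stand-in for a known-crash check.

```python
import re

# Top frames of the trace from the report, one frame per line (sample input
# embedded here so the example runs offline).
TRACE = r"""chrome_23a0000!v8::internal::MayAccessPreCheck+0x51 [c:\b\slave\chromium-rel-xp\build\src\v8\src\top.cc @ 481]
chrome_23a0000!v8::internal::Top::MayNamedAccess+0xd [c:\b\slave\chromium-rel-xp\build\src\v8\src\top.cc @ 502]
chrome_23a0000!v8::internal::JSObject::GetPropertyAttribute+0x22 [c:\b\slave\chromium-rel-xp\build\src\v8\src\objects.cc @ 2097]
chrome_23a0000!v8::internal::JSObject::GetLocalPropertyAttribute+0x7e [c:\b\slave\chromium-rel-xp\build\src\v8\src\objects.cc @ 2136]
chrome_23a0000!v8::internal::GetHiddenProperties+0x81 [c:\b\slave\chromium-rel-xp\build\src\v8\src\handles.cc @ 306]
chrome_23a0000!v8::Object::DeleteHiddenValue+0x62 [c:\b\slave\chromium-rel-xp\build\src\v8\src\api.cc @ 2276]
chrome_23a0000!WebCore::V8AbstractEventListener::~V8AbstractEventListener+0x3e [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8abstracteventlistener.cpp @ 80]
chrome_23a0000!WebCore::V8WorkerContextEventListener::`scalar deleting destructor'+0xb
chrome_23a0000!WTF::VectorDestructor<1,WebCore::RegisteredEventListener>::destruct+0x34 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\javascriptcore\wtf\vector.h @ 88]
"""

# module!symbol+0xOFFSET, optionally followed by "[source file @ line]".
# The symbol may contain spaces, templates and quotes, so match it lazily
# and anchor on the trailing hex offset.
FRAME_RE = re.compile(
    r"^(?P<module>[^!\s]+)!(?P<symbol>.+?)\+0x[0-9a-fA-F]+(?:\s+\[.*\])?\s*$"
)


def parse_frames(trace):
    """Return (module, symbol) for every line that looks like a stack frame."""
    frames = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:  # skips WARNING lines, separators and blank lines
            frames.append((m.group("module"), m.group("symbol")))
    return frames


def signature(trace, depth=8):
    """Assumed scheme: top `depth` symbols, lowercased, joined with '___'."""
    return "___".join(sym.lower() for _, sym in parse_frames(trace)[:depth])


def is_known(sig, known_prefixes):
    """Hypothetical suppression check: a shorter prefix matches more traces."""
    return any(sig.startswith(prefix) for prefix in known_prefixes)


if __name__ == "__main__":
    print(signature(TRACE))
```

A prefix that stops after the first two V8 frames would also match traces that reach `MayAccessPreCheck` through a different caller, which is the trade-off when a suppression entry is made more generic.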

Comment 1 by darin@chromium.org, Oct 04, 2009
My change was Mac-only and really couldn't have had anything to do with this.  Adding 
some V8 folks since this looks like a V8 issue.  The stack also mentions workers.
Cc: a...@chromium.org vita...@chromium.org ant...@chromium.org le...@chromium.org dim...@chromium.org jia...@chromium.org
Comment 2 by antonm@chromium.org, Oct 05, 2009
Vitaly recently worked on listeners (and tweaked some hidden properties related stuff).  
Vitaly, could you have a look?
Comment 3 by darin@chromium.org, Oct 05, 2009
(No comment was entered for this change.)
Status: Assigned
Owner: vita...@chromium.org
Cc: da...@chromium.org
Comment 4 by bugdroid1@chromium.org, Oct 06, 2009
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=27984 

------------------------------------------------------------------------
r27984 | joi@chromium.org | 2009-10-05 05:57:52 -0700 (Mon, 05 Oct 2009) | 9 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/reliability/known_crashes.txt?r1=27984&r2=27983

Adding known crash that's been around for the last couple of days.
I'm pretty new to the stability bot so I'm not sure if this is the
most appropriate thing to do or whether this should not be submitted
until the underlying problem has been investigated - let me know.

BUG=23780
TEST=should stop seeing this in stability bot redness

Review URL: http://codereview.chromium.org/255073
------------------------------------------------------------------------

Comment 5 by bugdroid1@chromium.org, Oct 06, 2009
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=28010 

------------------------------------------------------------------------
r28010 | huanr@chromium.org | 2009-10-05 11:20:19 -0700 (Mon, 05 Oct 2009) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/reliability/known_crashes.txt?r1=28010&r2=28009

Update the crash signature for 23780 in known list.

BUG=23780
TEST=none

Review URL: http://codereview.chromium.org/246088
------------------------------------------------------------------------

Comment 6 by venkataramana@chromium.org, Oct 06, 2009
Build: 4.0.221.6 (Official Build 28091)

Looks like the crash is still happening.

- I visited the cnn.com webpage and refreshed (F5) the page; the tab crashed twice, though
I can't reproduce it consistently.

The callstack can be found here.

http://crash/reportdetail?reportid=774c89557e7c4511#crashing_thread

-Venkat.


Cc: lafo...@chromium.org venkatar...@chromium.org
Comment 7 by vitalyr@chromium.org, Oct 06, 2009
My best guess is that the JS listener object gets collected while we're trying to
clear a hidden property on it. Working on a WebKit patch to protect from this.
Status: Started
Comment 8 by vitalyr@chromium.org, Oct 06, 2009
Sent https://bugs.webkit.org/show_bug.cgi?id=30137 for WebKit review.
Comment 9 by bugdroid1@chromium.org, Oct 08, 2009
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=28464 

------------------------------------------------------------------------
r28464 | huanr@chromium.org | 2009-10-08 15:52:07 -0700 (Thu, 08 Oct 2009) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/reliability/known_crashes.txt?r1=28464&r2=28463

Make the signature for 23780 more generic.

TEST=none
BUG=23780

Review URL: http://codereview.chromium.org/266030
------------------------------------------------------------------------

Comment 10 by vitalyr@chromium.org, Oct 12, 2009
(No comment was entered for this change.)
Status: Duplicate
Mergedinto: 24200
Comment 11 by bugdroid1@chromium.org, Oct 27, 2009
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=30174 

------------------------------------------------------------------------
r30174 | sgjesse@chromium.org | 2009-10-27 01:08:20 -0700 (Tue, 27 Oct 2009) | 7 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/reliability/known_crashes.txt?r1=30174&r2=30173

Remove some recently fixed bugs from the known_issues file

Landing http://codereview.chromium.org/334026.

BUG=20825,23780,24200
TEST=none
Review URL: http://codereview.chromium.org/338039
------------------------------------------------------------------------

Comment 12 by bugdroid1@chromium.org, Nov 06, 2009
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=31224 

------------------------------------------------------------------------
r31224 | ager@chromium.org | 2009-11-06 05:16:32 -0800 (Fri, 06 Nov 2009) | 10 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/reliability/known_crashes.txt?r1=31224&r2=31223

Removed some crash suppressions:

* event listener map rehash 
* access pre check (restored because of bad merge in r30201)

BUG=23780, 26506

Landing for Vitaly. 

Review URL: http://codereview.chromium.org/372018
------------------------------------------------------------------------

Comment 13 by bugdroid1@chromium.org, Nov 18, 2009
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=31224 

------------------------------------------------------------------------
r31224 | ager@chromium.org | 2009-11-06 05:16:32 -0800 (Fri, 06 Nov 2009) | 10 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/reliability/known_crashes.txt?r1=31224&r2=31223

Removed some crash suppressions:

* event listener map rehash 
* access pre check (restored because of bad merge in r30201)

BUG=23780, 26506

Landing for Vitaly. 

Review URL: http://codereview.chromium.org/372018
------------------------------------------------------------------------
