Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
959303003:
Make sure the --site-per-process flag is present for subframe process swaps. (Closed)
|
Created:
5 years, 9 months ago by Charlie Reis Modified:
5 years, 9 months ago CC:
chromium-reviews, darin-cc_chromium.org, nasko+codewatch_chromium.org, jam, creis+watch_chromium.org, site-isolation-reviews_chromium.org Base URL:
https://chromium.googlesource.com/chromium/src.git@master Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionMake sure the --site-per-process flag is present for subframe process swaps.
BUG=461494
TEST=Crash report should show that --site-per-process flag is present.
Committed: https://crrev.com/159d8ae5ad6c2b45a3c891cef89fe15cdaf46b5e
Cr-Commit-Position: refs/heads/master@{#318558}
Patch Set 1 #Patch Set 2 : Fix compile #Patch Set 3 : Move check #Messages
Total messages: 22 (6 generated)
creis@chromium.org changed reviewers: + alexmos@chromium.org
Alex, can you take a look? This should prove whether --site-per-process was present or not, regardless of the flags listed in the crash report.
[+site-isolation-reviews]
LGTM
The CQ bit was checked by creis@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from alexmos@chromium.org Link to the patchset: https://codereview.chromium.org/959303003/#ps20001 (title: "Fix compile")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/959303003/20001
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: win_chromium_x64_rel_ng on tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_...)
Alex, can you take another look? It turns out we do hit that path for OnCreateChildFrame in default Chrome. I've moved the check to a place earlier in the crash call stack where we definitely shouldn't reach in default Chrome.
LGTM
The CQ bit was checked by creis@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/959303003/40001
Message was sent while issue was closed.
Committed patchset #3 (id:40001)
Message was sent while issue was closed.
Patchset 3 (id:??) landed as https://crrev.com/159d8ae5ad6c2b45a3c891cef89fe15cdaf46b5e Cr-Commit-Position: refs/heads/master@{#318558}
Message was sent while issue was closed.
thakis@chromium.org changed reviewers: + thakis@chromium.org
Message was sent while issue was closed.
the win/asan bot turned red after this. First red build: http://build.chromium.org/p/chromium.fyi/builders/CrWinAsan%20tester/builds/170 Stack: ================================================================= ==4232==ERROR: AddressSanitizer: heap-use-after-free on address 0x170178a4 at pc 0x0b646e20 bp 0xdeadbeef sp 0x0032b054 READ of size 4 at 0x170178a4 thread T0 #0 0xb646e1f in content::FrameAccessibility::GetParent C:\b\build\slave\CrWinAsan\build\src\base\memory\scoped_ptr.h:252 #1 0xb0d55ec in content::RenderFrameHostImpl::AccessibilityGetParentFrame C:\b\build\slave\CrWinAsan\build\src\content\browser\frame_host\render_frame_host_impl.cc:531 #2 0xb068e8e in content::BrowserAccessibilityManager::GetDelegateFromRootManager C:\b\build\slave\CrWinAsan\build\src\content\browser\accessibility\browser_accessibility_manager.cc:461 #3 0xb62e9a7 in content::BrowserAccessibilityManagerWin::NotifyAccessibilityEvent C:\b\build\slave\CrWinAsan\build\src\content\browser\accessibility\browser_accessibility_manager_win.cc:191 #4 0xb067016 in content::BrowserAccessibilityManager::OnWindowBlurred C:\b\build\slave\CrWinAsan\build\src\content\browser\accessibility\browser_accessibility_manager.cc:154 #5 0xb98dba9 in content::RenderWidgetHostViewAura::OnWindowFocused C:\b\build\slave\CrWinAsan\build\src\content\browser\renderer_host\render_widget_host_view_aura.cc:2221 #6 0xc5cd393 in wm::FocusController::SetFocusedWindow C:\b\build\slave\CrWinAsan\build\src\ui\wm\core\focus_controller.cc:256 #7 0xc5ce045 in wm::FocusController::WindowLostFocusFromDispositionChange C:\b\build\slave\CrWinAsan\build\src\ui\wm\core\focus_controller.cc:343 #8 0xc5ce1cb in wm::FocusController::OnWindowDestroying C:\b\build\slave\CrWinAsan\build\src\ui\wm\core\focus_controller.cc:190 #9 0x405b1cf in aura::Window::~Window C:\b\build\slave\CrWinAsan\build\src\ui\aura\window.cc:230 #10 0x4053b4b in aura::Window::`scalar deleting destructor' C:\b\build\slave\CrWinAsan\build\src\ui\aura\window.cc:219 #11 0xb979987 in content::RenderWidgetHostViewAura::Destroy C:\b\build\slave\CrWinAsan\build\src\content\browser\renderer_host\render_widget_host_view_aura.cc:888 #12 0xb9798e4 in content::RenderWidgetHostViewAura::RenderProcessGone C:\b\build\slave\CrWinAsan\build\src\content\browser\renderer_host\render_widget_host_view_aura.cc:880 #13 0xb36d0ea in content::RenderWidgetHostImpl::RendererExited C:\b\build\slave\CrWinAsan\build\src\content\browser\renderer_host\render_widget_host_impl.cc:1217 #14 0xb0d155d in content::RenderFrameHostImpl::OnRenderProcessGone C:\b\build\slave\CrWinAsan\build\src\content\browser\frame_host\render_frame_host_impl.cc:1075 #15 0xb0c5431 in content::RenderFrameHostImpl::OnMessageReceived C:\b\build\slave\CrWinAsan\build\src\base\tuple.h:246 #16 0xb397ac5 in content::RenderProcessHostImpl::ProcessDied C:\b\build\slave\CrWinAsan\build\src\content\browser\renderer_host\render_process_host_impl.cc:2062 #17 0xb396c72 in content::RenderProcessHostImpl::FastShutdownIfPossible C:\b\build\slave\CrWinAsan\build\src\content\browser\renderer_host\render_process_host_impl.cc:1441 #18 0x1e4f037 in content::ContentBrowserTest::RunTestOnMainThreadLoop C:\b\build\slave\CrWinAsan\build\src\content\public\test\content_browser_test.cc:154 #19 0x1f0b954 in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop C:\b\build\slave\CrWinAsan\build\src\content\public\test\browser_test_base.cc:295 #20 0x19ddb11 in base::internal::Invoker\u003CIndexSequence\u003C0>,base::internal::BindState\u003Cbase::internal::RunnableAdapter\u003Cvoid (__thiscall media::FakeAudioWorker::Worker::*)(void)>,void __cdecl(media::FakeAudioWorker::Worker *),base::internal::TypeList\u003Cmedia::FakeAudioWorker::Worker *> >,base::internal::TypeList\u003Cbase::internal::UnwrapTraits\u003Cmedia::FakeAudioWorker::Worker *> >,base::internal::InvokeHelper\u003C0,void,base::internal::RunnableAdapter\u003Cvoid (__thiscall media::FakeAudioWorker::Worker::*)(void)>,base::internal::TypeList\u003Cmedia::FakeAudioWorker::Worker * const &> >,void __cdecl(void)>::Run C:\b\build\slave\CrWinAsan\build\src\base\bind_internal.h:176 #21 0x1e9f389 in content::ShellBrowserMainParts::PreMainMessageLoopRun C:\b\build\slave\CrWinAsan\build\src\base\callback.h:396 #22 0xb305ee9 in content::BrowserMainLoop::PreMainMessageLoopRun C:\b\build\slave\CrWinAsan\build\src\content\browser\browser_main_loop.cc:790 #23 0xb25b2b0 in base::internal::Invoker\u003CIndexSequence\u003C0>,base::internal::BindState\u003Cbase::internal::RunnableAdapter\u003Cint (__thiscall ppapi::proxy::FileIOResource::WriteOp::*)(void)>,int __cdecl(ppapi::proxy::FileIOResource::WriteOp *),base::internal::TypeList\u003Cscoped_refptr\u003Cppapi::proxy::FileIOResource::WriteOp> > >,base::internal::TypeList\u003Cbase::internal::UnwrapTraits\u003Cscoped_refptr\u003Cppapi::proxy::FileIOResource::WriteOp> > >,base::internal::InvokeHelper\u003C0,int,base::internal::RunnableAdapter\u003Cint (__thiscall ppapi::proxy::FileIOResource::WriteOp::*)(void)>,base::internal::TypeList\u003Cppapi::proxy::FileIOResource::WriteOp *> >,int __cdecl(void)>::Run C:\b\build\slave\CrWinAsan\build\src\base\bind_internal.h:176 #24 0xb872d9a in content::StartupTaskRunner::RunAllTasksNow C:\b\build\slave\CrWinAsan\build\src\base\callback.h:396 #25 0xb2ff99d in content::BrowserMainLoop::CreateStartupTasks C:\b\build\slave\CrWinAsan\build\src\content\browser\browser_main_loop.cc:688 #26 0xb9ad8b8 in content::BrowserMainRunnerImpl::Initialize C:\b\build\slave\CrWinAsan\build\src\content\browser\browser_main_runner.cc:188 #27 0xc8be9d1 in ShellBrowserMain C:\b\build\slave\CrWinAsan\build\src\content\shell\browser\shell_browser_main.cc:22 #28 0xc8b5ada in content::ShellMainDelegate::RunProcess C:\b\build\slave\CrWinAsan\build\src\content\shell\app\shell_main_delegate.cc:275 #29 0xafe195e in content::RunNamedProcessTypeMain C:\b\build\slave\CrWinAsan\build\src\content\app\content_main_runner.cc:369 #30 0xafe4357 in content::ContentMainRunnerImpl::Run C:\b\build\slave\CrWinAsan\build\src\content\app\content_main_runner.cc:768 0x170178a4 is located 36 bytes inside of 328-byte region [0x17017880,0x170179c8) freed by thread T0 here: #0 0xe3d9704 in free c:\b\build\slave\crwinasan\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:42 #1 0xb647d16 in ScopedVector\u003Ccontent::FrameTreeNode>::~ScopedVector\u003Ccontent::FrameTreeNode> C:\b\build\slave\CrWinAsan\build\src\base\stl_util.h:44 #2 0xb6497af in content::FrameTreeNode::~FrameTreeNode C:\b\build\slave\CrWinAsan\build\src\content\browser\frame_host\frame_tree_node.cc:46 #3 0xb648cde in content::FrameTreeNode::ResetForNewProcess C:\b\build\slave\CrWinAsan\build\src\base\stl_util.h:44 #4 0xb0d1406 in content::RenderFrameHostImpl::OnRenderProcessGone C:\b\build\slave\CrWinAsan\build\src\content\browser\frame_host\render_frame_host_impl.cc:1066 #5 0xb0c5431 in content::RenderFrameHostImpl::OnMessageReceived C:\b\build\slave\CrWinAsan\build\src\base\tuple.h:246 #6 0xb397ac5 in content::RenderProcessHostImpl::ProcessDied C:\b\build\slave\CrWinAsan\build\src\content\browser\renderer_host\render_process_host_impl.cc:2062 #7 0xb396c72 in content::RenderProcessHostImpl::FastShutdownIfPossible C:\b\build\slave\CrWinAsan\build\src\content\browser\renderer_host\render_process_host_impl.cc:1441 #8 0x1e4f037 in content::ContentBrowserTest::RunTestOnMainThreadLoop C:\b\build\slave\CrWinAsan\build\src\content\public\test\content_browser_test.cc:154 previously allocated by thread T0 here: #0 0xe3d97d8 in malloc c:\b\build\slave\crwinasan\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:58 #1 0xe3ea8bf in operator new f:\dd\vctools\crt\crtw32\heap\new.cpp:59 #2 0xb6359de in content::FrameTree::AddFrame C:\b\build\slave\CrWinAsan\build\src\content\browser\frame_host\frame_tree.cc:158 #3 0xb0d6f04 in content::RenderFrameHostImpl::OnCreateChildFrame C:\b\build\slave\CrWinAsan\build\src\content\browser\frame_host\render_frame_host_impl.cc:677 Your change looks the most related, I think.
Message was sent while issue was closed.
A revert of this CL (patchset #3 id:40001) has been created in https://codereview.chromium.org/971443003/ by thakis@chromium.org. The reason for reverting is: Somewhat speculative; looks like this might have turned the asan/win bot red. (See comment #17 on the review for links / stack.).
Message was sent while issue was closed.
On 2015/02/28 21:01:27, Nico wrote: > A revert of this CL (patchset #3 id:40001) has been created in > https://codereview.chromium.org/971443003/ by mailto:thakis@chromium.org. > > The reason for reverting is: Somewhat speculative; looks like this might have > turned the asan/win bot red. (See comment #17 on the review for links / stack.). @thakis: Hmm, I don't see how this CL could have caused that stack. This just adds a CHECK to a function that isn't called there. There were also similar failures before my CL landed (in builds 168 and 153). I'll file a bug.
Message was sent while issue was closed.
The bot was consistently red for two or three runs after this landed, and went back to consistently green after revert. So this does look related from that point of view. On Mon, Mar 2, 2015 at 2:03 PM, <creis@chromium.org> wrote: > On 2015/02/28 21:01:27, Nico wrote: > >> A revert of this CL (patchset #3 id:40001) has been created in >> https://codereview.chromium.org/971443003/ by mailto:thakis@chromium.org. >> > > The reason for reverting is: Somewhat speculative; looks like this might >> have >> turned the asan/win bot red. (See comment #17 on the review for links / >> > stack.). > > @thakis: Hmm, I don't see how this CL could have caused that stack. This > just > adds a CHECK to a function that isn't called there. There were also > similar > failures before my CL landed (in builds 168 and 153). I'll file a bug. > > https://codereview.chromium.org/959303003/ > To unsubscribe from this group and stop receiving emails from it, send an email to chromium-reviews+unsubscribe@chromium.org.
Message was sent while issue was closed.
Sure, but that had to be a coincidence, because my code is not called during that test. I just tried putting an unconditional CHECK(false) in the same spot and that test doesn't hit it. On Mon, Mar 2, 2015 at 2:14 PM, Nico Weber <thakis@chromium.org> wrote: > The bot was consistently red for two or three runs after this landed, and > went back to consistently green after revert. So this does look related > from that point of view. > > On Mon, Mar 2, 2015 at 2:03 PM, <creis@chromium.org> wrote: > >> On 2015/02/28 21:01:27, Nico wrote: >> >>> A revert of this CL (patchset #3 id:40001) has been created in >>> https://codereview.chromium.org/971443003/ by mailto:thakis@chromium.org >>> . >>> >> >> The reason for reverting is: Somewhat speculative; looks like this might >>> have >>> turned the asan/win bot red. (See comment #17 on the review for links / >>> >> stack.). >> >> @thakis: Hmm, I don't see how this CL could have caused that stack. This >> just >> adds a CHECK to a function that isn't called there. There were also >> similar >> failures before my CL landed (in builds 168 and 153). I'll file a bug. >> >> https://codereview.chromium.org/959303003/ >> > > To unsubscribe from this group and stop receiving emails from it, send an email to chromium-reviews+unsubscribe@chromium.org.
Message was sent while issue was closed.
That'd surprise me, but relanding and seeing what happens sounds fine to me. If the bot goes red by coincidence again and stays red, I will try to heal it by coincidence by reverting again though ;-) On Mon, Mar 2, 2015 at 2:16 PM, Charlie Reis <creis@chromium.org> wrote: > Sure, but that had to be a coincidence, because my code is not called > during that test. I just tried putting an unconditional CHECK(false) in > the same spot and that test doesn't hit it. > > On Mon, Mar 2, 2015 at 2:14 PM, Nico Weber <thakis@chromium.org> wrote: > >> The bot was consistently red for two or three runs after this landed, and >> went back to consistently green after revert. So this does look related >> from that point of view. >> >> On Mon, Mar 2, 2015 at 2:03 PM, <creis@chromium.org> wrote: >> >>> On 2015/02/28 21:01:27, Nico wrote: >>> >>>> A revert of this CL (patchset #3 id:40001) has been created in >>>> https://codereview.chromium.org/971443003/ by mailto: >>>> thakis@chromium.org. >>>> >>> >>> The reason for reverting is: Somewhat speculative; looks like this >>>> might have >>>> turned the asan/win bot red. (See comment #17 on the review for links / >>>> >>> stack.). >>> >>> @thakis: Hmm, I don't see how this CL could have caused that stack. >>> This just >>> adds a CHECK to a function that isn't called there. There were also >>> similar >>> failures before my CL landed (in builds 168 and 153). I'll file a bug. >>> >>> https://codereview.chromium.org/959303003/ >>> >> >> > To unsubscribe from this group and stop receiving emails from it, send an email to chromium-reviews+unsubscribe@chromium.org. |
