Chromium 84 crashes when closing any tab

[ghost]

Not sure if this is just me,

I built and ran chromium 84 but when I closed any tab in the browser it would crash:

Received signal 11 SEGV_MAPERR fffffffd514ed34a
#0 0x55d6283c1e59 (/usr/lib/chromium/chromium+0x4361e58)
  r8: 0000000000000016  r9: 0000000000000001 r10: 0000000000004000 r11: 0000000000000000
 r12: 0000000000000000 r13: 0000000000000000 r14: 0000000000000000 r15: 000012393f0a8808
  di: 000012393f0a8808  si: 0000000000000000  bp: 00007ffd7e159d80  bx: 0000000000000000
  dx: 000012393e1f2f60  ax: fffffffd514ed30a  cx: 000012393f0a8af8  sp: 00007ffd7e159cf0
  ip: 000055d628525b52 efl: 0000000000010203 cgf: 002b000000000033 erf: 0000000000000005
 trp: 000000000000000e msk: 0000000000000000 cr2: fffffffd514ed34a
[end of stack trace]

[ghost]

You've given us insufficient information. What branch and distribution?

[ghost]

I apologise, branch: debian_sid, distribution: sid.

[ghost]

@Eloston any suggestions? There's not enough information here but it should be reproducible if it's as simple as stated. Right now I'm going to finish getting all the branches building on Chromium 84 before looking into crashes.

[Eloston]

@rt1omas Can you get a backtrace?

1. Install the ungoogled-chromium-dbgsym package
2. Run chromium -g
3. Enter command run
4. When the program crashes, run bt to get a backtrace

[gadall]

# Env:
#     LD_LIBRARY_PATH=/usr/lib/chromium
#                PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
#            GTK_PATH=
#      CHROMIUM_FLAGS= --show-component-extension-options --enable-gpu-rasterization --no-default-browser-check --media-router=0 --enable-remote-extensions --load-extension=
/usr/bin/gdb /usr/lib/chromium/chromium -x /tmp/chromiumargs.4FBUnr
GNU gdb (Debian 9.2-1) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/chromium/chromium...
Reading symbols from /usr/lib/debug/.build-id/39/c8fe964e1baed9.debug...
(No debugging symbols found in /usr/lib/debug/.build-id/39/c8fe964e1baed9.debug)
(gdb) run
Starting program: /usr/lib/chromium/chromium --show-component-extension-options --enable-gpu-rasterization --no-default-browser-check --media-router=0 --enable-remote-extensions --load-extension= --single-process 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffeb91f700 (LWP 51436)]
[Detaching after fork from child process 51437]
[Detaching after fork from child process 51438]
[New Thread 0x7fffeb11e700 (LWP 51442)]
[New Thread 0x7fffe9ad3700 (LWP 51443)]
[New Thread 0x7fffe92d2700 (LWP 51444)]
[New Thread 0x7fffe82d0700 (LWP 51446)]
[New Thread 0x7fffe8ad1700 (LWP 51445)]
[New Thread 0x7fffe7acf700 (LWP 51447)]
[New Thread 0x7fffe72ce700 (LWP 51448)]
[New Thread 0x7fffe66f0700 (LWP 51449)]
[New Thread 0x7fffe5eef700 (LWP 51450)]
[New Thread 0x7fffe56ee700 (LWP 51451)]
[New Thread 0x7fffe4eed700 (LWP 51452)]
[New Thread 0x7fffe46dc700 (LWP 51454)]
[New Thread 0x7fffe4edd700 (LWP 51453)]
[New Thread 0x7fffe3edb700 (LWP 51455)]
[New Thread 0x7fffe36da700 (LWP 51456)]
[New Thread 0x7fffe2e99700 (LWP 51457)]
[New Thread 0x7fffe2698700 (LWP 51458)]
[New Thread 0x7fffe1e96700 (LWP 51459)]
[New Thread 0x7fffdd695700 (LWP 51460)]
[New Thread 0x7fffdce94700 (LWP 51461)]
[New Thread 0x7fffd05fa700 (LWP 51462)]
[51432:51432:0812/203938.256051:ERROR:system_network_context_manager.cc(580)] Cannot use V8 Proxy resolver in single process mode.
[New Thread 0x7fffcfdf9700 (LWP 51463)]
[New Thread 0x7fffceacf700 (LWP 51464)]
[New Thread 0x7fffce2ce700 (LWP 51465)]
[51432:51432:0812/203938.344254:ERROR:system_network_context_manager.cc(580)] Cannot use V8 Proxy resolver in single process mode.
[New Thread 0x7fffcc64b700 (LWP 51468)]
[New Thread 0x7fffcd64d700 (LWP 51466)]
[New Thread 0x7fffcce4c700 (LWP 51467)]
[New Thread 0x7fffcbe4a700 (LWP 51469)]
[New Thread 0x7fffcb649700 (LWP 51470)]
[New Thread 0x7fffcae48700 (LWP 51471)]
[New Thread 0x7fffc988a700 (LWP 51472)]
[New Thread 0x7fffc9089700 (LWP 51473)]
[New Thread 0x7fffc8888700 (LWP 51474)]
[New Thread 0x7fffc7fea700 (LWP 51475)]
[New Thread 0x7fffc77e9700 (LWP 51476)]
[New Thread 0x7fffc6fe8700 (LWP 51477)]
[New Thread 0x7fffc67e7700 (LWP 51478)]
[New Thread 0x7fffc5dec700 (LWP 51479)]
[New Thread 0x7fffc55eb700 (LWP 51480)]
[New Thread 0x7fffc4dea700 (LWP 51481)]
[New Thread 0x7fffc45e9700 (LWP 51482)]
libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
[New Thread 0x7fffc2f51700 (LWP 51483)]
libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
[New Thread 0x7fffc2650700 (LWP 51484)]
[Thread 0x7fffc2650700 (LWP 51484) exited]
[New Thread 0x7fffc2650700 (LWP 51485)]
[51432:51432:0812/203939.022390:ERROR:CONSOLE(889)] "Uncaught TypeError: Cannot read property 'newTabPage' of undefined", source: chrome-search://local-ntp/local-ntp.js (889)
[New Thread 0x7fffbeb0f700 (LWP 51486)]
[New Thread 0x7fffbf310700 (LWP 51487)]
[Detaching after fork from child process 51488]
[Detaching after fork from child process 51489]
[51432:51472:0812/203947.233010:ERROR:font_unique_name_lookup_linux.cc(20)] @font-face src: local() instantiation only available when connected to browser process.
[51432:51472:0812/203947.233047:ERROR:font_unique_name_lookup_linux.cc(20)] @font-face src: local() instantiation only available when connected to browser process.
[51432:51472:0812/203947.233433:ERROR:font_unique_name_lookup_linux.cc(20)] @font-face src: local() instantiation only available when connected to browser process.
[51432:51472:0812/203947.233453:ERROR:font_unique_name_lookup_linux.cc(20)] @font-face src: local() instantiation only available when connected to browser process.
[51432:51432:0812/203954.095709:ERROR:CONSOLE(889)] "Uncaught TypeError: Cannot read property 'newTabPage' of undefined", source: chrome-search://local-ntp/local-ntp.js (889)
[Thread 0x7fffc2650700 (LWP 51485) exited]
[New Thread 0x7fffc2650700 (LWP 51495)]
[New Thread 0x7fffbbd52700 (LWP 51496)]
[New Thread 0x7fffbb551700 (LWP 51497)]
[New Thread 0x7fffbcfd2700 (LWP 51498)]
[New Thread 0x7fffbad50700 (LWP 51499)]
[Thread 0x7fffbeb0f700 (LWP 51486) exited]
[Thread 0x7fffcce4c700 (LWP 51467) exited]
[Thread 0x7fffcd64d700 (LWP 51466) exited]
[Thread 0x7fffceacf700 (LWP 51464) exited]
--Type <RET> for more, q to quit, c to continue without paging--c

Thread 1 "chromium" received signal SIGSEGV, Segmentation fault.
0x0000555559a19b52 in mojo::internal::MultiplexRouter::OnPipeConnectionError(bool) ()
(gdb) bt
#0  0x0000555559a19b52 in mojo::internal::MultiplexRouter::OnPipeConnectionError(bool) ()
#1  0x0000555559a1838d in mojo::internal::InterfacePtrStateBase::~InterfacePtrStateBase() ()
#2  0x0000555557d805cc in content::ManifestManagerHost::~ManifestManagerHost() ()
#3  0x0000555557479227 in std::_Rb_tree<unsigned long, std::pair<unsigned long const, std::unique_ptr<storage::FileSystemOperation, std::default_delete<storage::FileSystemOperation> > >, std::_Select1st<std::pair<unsigned long const, std::unique_ptr<storage::FileSystemOperation, std::default_delete<storage::FileSystemOperation> > > >, std::less<unsigned long>, std::allocator<std::pair<unsigned long const, std::unique_ptr<storage::FileSystemOperation, std::default_delete<storage::FileSystemOperation> > > > >::_M_erase(std::_Rb_tree_node<std::pair<unsigned long const, std::unique_ptr<storage::FileSystemOperation, std::default_delete<storage::FileSystemOperation> > > >*) ()
#4  0x000055555985fa26 in base::SupportsUserData::ClearAllUserData() ()
#5  0x0000555557ca983b in content::RenderFrameHostImpl::SetRenderFrameCreated(bool) ()
#6  0x0000555557faf060 in content::WebContentsImpl::~WebContentsImpl() ()
#7  0x0000555557fb021e in content::WebContentsImpl::~WebContentsImpl() ()
#8  0x000055555ba98f88 in TabStripModel::SendDetachWebContentsNotifications(TabStripModel::DetachNotifications*) ()
#9  0x000055555baa1656 in TabStripModel::CloseWebContentses(base::span<content::WebContents* const, 18446744073709551615ul>, unsigned int)
    ()
#10 0x000055555ba9b089 in TabStripModel::InternalCloseTabs(base::span<content::WebContents* const, 18446744073709551615ul>, unsigned int)
    ()
#11 0x000055555ba9c654 in TabStripModel::CloseSelectedTabs() ()
#12 0x000055555ba52339 in chrome::CloseTab(Browser*) ()
#13 0x000055555ba4f875 in chrome::BrowserCommandController::ExecuteCommandWithDisposition(int, WindowOpenDisposition, base::TimeTicks) ()
#14 0x000055555b2214f2 in ui::AcceleratorManager::Process(ui::Accelerator const&) ()
#15 0x000055555b220276 in views::FocusManager::ProcessAccelerator(ui::Accelerator const&) ()
#16 0x000055555bc07a21 in BrowserView::PreHandleKeyboardEvent(content::NativeWebKeyboardEvent const&) ()
#17 0x0000555557ea1445 in content::RenderWidgetHostImpl::ForwardKeyboardEventWithCommands(content::NativeWebKeyboardEvent const&, ui::LatencyInfo const&, std::vector<mojo::InlinedStructPtr<blink::mojom::EditCommand>, std::allocator<mojo::InlinedStructPtr<blink::mojom::EditCommand> > >, bool*) ()
#18 0x0000555557eb62b9 in content::RenderWidgetHostViewAura::ForwardKeyboardEventWithLatencyInfo(content::NativeWebKeyboardEvent const&, ui::LatencyInfo const&, bool*) ()
#19 0x000055555808de5e in content::RenderWidgetHostViewEventHandler::OnKeyEvent(ui::KeyEvent*) ()
#20 0x000055555a334eb1 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) ()
#21 0x000055555a334c9f in ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget*, ui::Event*) ()
#22 0x000055555a334bd8 in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ()
#23 0x000055555a8ec7bf in ui::EventProcessor::OnEventFromSource(ui::Event*) ()
#24 0x000055555a8f2ab7 in aura::WindowTreeHost::DispatchKeyEventPostIME(ui::KeyEvent*) ()
--Type <RET> for more, q to quit, c to continue without paging--c
#25 0x000055555a947c33 in ui::InputMethodBase::DispatchKeyEventPostIME(ui::KeyEvent*) const ()
#26 0x000055555a945e95 in ui::InputMethodAuraLinux::ProcessKeyEventDone(ui::KeyEvent*, bool, bool) ()
#27 0x000055555a9459cf in ui::InputMethodAuraLinux::DispatchKeyEvent(ui::KeyEvent*) ()
#28 0x000055555a8ea763 in aura::WindowEventDispatcher::PreDispatchEvent(ui::EventTarget*, ui::Event*) ()
#29 0x000055555a334bb2 in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ()
#30 0x000055555a8ec7bf in ui::EventProcessor::OnEventFromSource(ui::Event*) ()
#31 0x000055555a8f46a6 in ui::EventSource::DeliverEventToSink(ui::Event*) ()
#32 0x000055555a8f4593 in ui::EventSource::SendEventToSinkFromRewriter(ui::Event const*, ui::EventRewriter const*) ()
#33 0x000055555b279143 in aura::WindowTreeHostPlatform::DispatchEvent(ui::Event*) ()
#34 0x000055555b277b5e in views::DesktopWindowTreeHostLinux::DispatchEvent(ui::Event*) ()
#35 0x000055555b27b73f in ui::X11Window::DispatchUiEvent(ui::Event*, _XEvent*) ()
#36 0x000055555b27b3d6 in ui::X11Window::DispatchEvent(ui::Event* const&) ()
#37 0x000055555b27b7d0 in non-virtual thunk to ui::X11Window::DispatchEvent(ui::Event* const&) ()
#38 0x000055555a35ddd5 in ui::PlatformEventSource::DispatchEvent(ui::Event*) ()
#39 0x000055555a35c075 in ui::X11EventSource::DispatchPlatformEvent(ui::Event* const&, _XEvent*) ()
#40 0x000055555a35b784 in ui::X11EventSource::ExtractCookieDataDispatchEvent(_XEvent*) ()
#41 0x000055555a35b502 in ui::X11EventSource::DispatchXEvents() ()
#42 0x000055555a35e14c in ui::(anonymous namespace)::XSourceDispatch(_GSource*, int (*)(void*), void*) ()
#43 0x00007ffff7e554ce in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#44 0x00007ffff7e55880 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#45 0x00007ffff7e5590f in g_main_context_iteration () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#46 0x0000555559829a62 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) ()
#47 0x0000555559872335 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) ()
#48 0x000055555984a71b in base::RunLoop::Run() ()
#49 0x0000555559449100 in ChromeBrowserMainParts::MainMessageLoopRun(int*) ()
#50 0x0000555557b2ca28 in content::BrowserMainLoop::RunMainMessageLoopParts() ()
#51 0x0000555557b2ea62 in content::BrowserMainRunnerImpl::Run() ()
#52 0x0000555557b299c0 in content::BrowserMain(content::MainFunctionParams const&) ()
#53 0x000055555940a723 in content::ContentMainRunnerImpl::RunServiceManager(content::MainFunctionParams&, bool) ()
#54 0x000055555940a3d7 in content::ContentMainRunnerImpl::Run(bool) ()
#55 0x0000555559427f9c in service_manager::Main(service_manager::MainParams const&) ()
#56 0x0000555559408971 in content::ContentMain(content::ContentMainParams const&) ()
#57 0x0000555556eaefea in ChromeMain ()
#58 0x00007ffff326ecca in __libc_start_main (main=0x555556eaeef0 <main>, argc=8, argv=0x7fffffffdf28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf18) at ../csu/libc-start.c:308
#59 0x0000555556eaee2a in _start ()

[gadall]

looks like this was previously fixed with debian/patches/fixes/serviceworker-double-destruction.patch which was deleted in the latest release.

[ghost]

Debian upstream removed it as it should have been integrated into Chromium upstream.

Edit: Confirmed. It is already applied in Chromium 84 source release.

[Eloston]

Can confirm that I get this backtrace in the OBS Development version of 84.0.4147.105-2.buster1, revision 10.

[ghost]

I bumped the chromium version. Is the issue still present?

[gadall]

it still crashes.

[ghost]

I found a patch from the Arch repository that patches a crash in some of the same subroutines found in the backtrace. I have imported it into all branches. Is the issue still present?

[gadall]

Just tried the new build on OBS, still crashes when closing a tab

[ghost]

Which build? I'm not getting any crashes when I close tabs in the Bionic build. Can you get a new backtrace to see if it's something different this time?

[gadall]

sid
84.0.4147.125-1.sid1_amd64.deb
interesting...
I could try to build locally, but it takes a bit longer on my hardware vs. OBS

[ghost]

Could you try testing with a fresh chromium browser profile as well? If that resolves the problem then it's something it doesn't like with the profile.

Edit: I mean, try removing your existing profile (or back it up) and re-test.

[gadall]

new blank profile behaves the same

[ghost]

Well my main concern is how crash happy it is in the stable releases. If it's only crash happy in Sid then that's something we can live with for now.

[ghost]

I'm getting the crash in my LM Debian test VM. It does not occur with Ubuntu Bionic. I will be testing Ubuntu Focal soon.

Edit: Focal crashes as well.

[ghost]

I'll try making a custom debug build since the existing symbols are basically useless as there's no line numbers.

[ghost]

Welp that didn't go anywhere. I'm trying one more thing but if this doesn't work then I'm out of ideas.

[gadall]

Latest build 84.0.4147.135-1.sid1 works fine! Thanks!!

[ghost]

Interesting. Well in any case I will tag it now.