Bug 77592

Summary: REGRESSION(r106408): crashes in chromium mac release tests (Requested by japhet on #webkit).
Product: WebKit
Reporter: WebKit Review Bot <webkit.review.bot>
Component: New Bugs
Assignee: WebKit Review Bot <webkit.review.bot>
Status: RESOLVED FIXED
Severity: Normal
CC: andersca, danakj, japhet
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 72294
Attachments:
  ROLLOUT of r106408 (flags: none)

Description WebKit Review Bot 2012-02-01 18:21:19 PST
http://trac.webkit.org/changeset/106408 broke the build:
crashes in chromium mac release tests (Requested by japhet on #webkit).

This is an automatic bug report generated by the sheriff-bot. If this bug
report was created because of a flaky test, please file a bug for the flaky
test (if we don't already have one on file) and dup this bug against that bug
so that we can track how often these flaky tests cause pain.

"Only you can prevent forest fires." -- Smokey the Bear
Comment 1 WebKit Review Bot 2012-02-01 18:21:51 PST
Created attachment 125061 [details]
ROLLOUT of r106408

Any committer can land this patch automatically by marking it commit-queue+.  The commit-queue will build and test the patch before landing to ensure that the rollout will be successful.  This process takes approximately 15 minutes.

If you would like to land the rollout faster, you can use the following command:

  webkit-patch land-attachment ATTACHMENT_ID

where ATTACHMENT_ID is the ID of this attachment.
Comment 2 Nate Chapin 2012-02-01 18:24:36 PST
The crashes seem to be of the form:
#0	0x6e9abef9 in CrMallocErrorBreak at process_util_mac.mm:556
#1	0x95525563 in free
#2	0x6f69826f in WTF::VectorBufferBase<int>::deallocateBuffer at Vector.h:285
#3	0x6f69826f in WTF::Vector<int, 0ul>::expandCapacity at Vector.h:899
#4	0x6f69826f in WebCore::Region::Shape::shapeOperation<WebCore::Region::Shape::SubtractOperation> at Vector.h:820
#5	0x6f6971ae in WebCore::Region::subtract at Region.cpp:411
#6	0x6f6b34fd in WebCore::TiledLayerChromium::updateBounds at TiledLayerChromium.cpp:140
#7	0x6f6b4b61 in WebCore::TiledLayerChromium::prepareToUpdate at TiledLayerChromium.cpp:527
#8	0x6f69e288 in WebCore::ContentLayerChromium::paintContentsIfDirty at ContentLayerChromium.cpp:107
#9	0x6f6c4e24 in WebCore::CCLayerTreeHost::paintLayerContents at CCLayerTreeHost.cpp:422
#10	0x6f6c48c8 in WebCore::CCLayerTreeHost::updateLayers at CCLayerTreeHost.cpp:385
#11	0x6f6c4408 in WebCore::CCLayerTreeHost::updateLayers at CCLayerTreeHost.cpp:355
#12	0x6f6cd1af in WebCore::CCSingleThreadProxy::commitIfNeeded at CCSingleThreadProxy.h:275
#13	0x6f6cd1af in WebCore::CCSingleThreadProxy::compositeImmediately at CCSingleThreadProxy.cpp:217
#14	0x6f6c43d4 in WebCore::CCLayerTreeHost::composite at CCLayerTreeHost.cpp:344

They're occurring reliably on chromium mac release ToT.  See http://build.chromium.org/p/chromium.webkit/builders/Mac10.6%20Tests/builds/8700.

I'm also hitting it reliably by going to http://chrome.angrybirds.com with a ToT chromium build.
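The stack in the comment above is the raw material a sheriff works from when deciding whether a set of crashes are the same regression. The following is an added example (not part of this bug report or of WebKit's tooling) of the triage step that turns such a trace into a deduplication key: it parses the "#N addr in func at file:line" frame format shown above, flags that the top frames are the allocator's own error hook rather than the calling code, and keeps the first few frames inside the project namespace (WebCore:: here, with template arguments stripped) as the signature. The trace embedded below is the one from the comment; the namespace prefix, the allocator-hook names and the signature depth are this example's own assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# One frame of a gdb-style backtrace:  "#4  0x6f69826f in Foo::bar at File.cpp:123"
# The "at file:line" part is optional (system frames such as free() have none).
FRAME_RE = re.compile(
    r'^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)'
    r'(?:\s+at\s+(?P<file>[^:\s]+):(?P<line>\d+))?\s*$'
)

# Sample input: the trace quoted in Comment 2 of this bug, embedded here so the
# example runs offline.
SAMPLE_TRACE = """
#0	0x6e9abef9 in CrMallocErrorBreak at process_util_mac.mm:556
#1	0x95525563 in free
#2	0x6f69826f in WTF::VectorBufferBase<int>::deallocateBuffer at Vector.h:285
#3	0x6f69826f in WTF::Vector<int, 0ul>::expandCapacity at Vector.h:899
#4	0x6f69826f in WebCore::Region::Shape::shapeOperation<WebCore::Region::Shape::SubtractOperation> at Vector.h:820
#5	0x6f6971ae in WebCore::Region::subtract at Region.cpp:411
#6	0x6f6b34fd in WebCore::TiledLayerChromium::updateBounds at TiledLayerChromium.cpp:140
#7	0x6f6b4b61 in WebCore::TiledLayerChromium::prepareToUpdate at TiledLayerChromium.cpp:527
#8	0x6f69e288 in WebCore::ContentLayerChromium::paintContentsIfDirty at ContentLayerChromium.cpp:107
#9	0x6f6c4e24 in WebCore::CCLayerTreeHost::paintLayerContents at CCLayerTreeHost.cpp:422
#10	0x6f6c48c8 in WebCore::CCLayerTreeHost::updateLayers at CCLayerTreeHost.cpp:385
#11	0x6f6c4408 in WebCore::CCLayerTreeHost::updateLayers at CCLayerTreeHost.cpp:355
#12	0x6f6cd1af in WebCore::CCSingleThreadProxy::commitIfNeeded at CCSingleThreadProxy.h:275
#13	0x6f6cd1af in WebCore::CCSingleThreadProxy::compositeImmediately at CCSingleThreadProxy.cpp:217
#14	0x6f6c43d4 in WebCore::CCLayerTreeHost::composite at CCLayerTreeHost.cpp:344
"""

# Assumed list of allocator-side functions: when the innermost frames are these,
# the allocator detected the heap error (bad free, double free, corrupted
# metadata), so the real bug is somewhere in the callers, not at frame #0.
ALLOCATOR_HOOKS = ("CrMallocErrorBreak", "free", "malloc", "realloc", "calloc")


class Frame(NamedTuple):
    index: int
    function: str
    file: Optional[str]
    line: Optional[int]


def parse_trace(text: str) -> List[Frame]:
    """Parse every non-blank line of a backtrace into Frame records."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised frame line: {line!r}")
        frames.append(Frame(
            index=int(m.group("idx")),
            function=m.group("func"),
            file=m.group("file"),
            line=int(m.group("line")) if m.group("line") else None,
        ))
    return frames


def allocator_reported(frames: List[Frame], top: int = 2) -> bool:
    """True if the crash was raised from inside the allocator's own error path."""
    return any(f.function in ALLOCATOR_HOOKS for f in frames[:top])


def strip_templates(symbol: str) -> str:
    """Drop template arguments so Foo<int> and Foo<Bar> dedup together.
    Simplification: cuts at the first '<', so names like operator< are not handled."""
    return symbol.split("<", 1)[0]


def crash_signature(frames: List[Frame], project_prefix: str = "WebCore::",
                    depth: int = 3) -> Tuple[str, ...]:
    """Dedup key: the first `depth` frames inside the project namespace,
    skipping allocator and WTF:: container internals above them."""
    sig = []
    for f in frames:
        if f.function.startswith(project_prefix):
            sig.append(strip_templates(f.function))
            if len(sig) == depth:
                break
    return tuple(sig)


if __name__ == "__main__":
    frames = parse_trace(SAMPLE_TRACE)
    print("allocator reported:", allocator_reported(frames))
    print("signature:", crash_signature(frames))
```

Because the signature skips the allocator and WTF::Vector frames, a second report of the same regression with a different inlined helper on top still hashes to the same key, which is what lets a sheriff dup a fresh crash against a bug like this one instead of filing a new report.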
Comment 3 WebKit Review Bot 2012-02-01 18:46:26 PST
Comment on attachment 125061 [details]
ROLLOUT of r106408

Clearing flags on attachment: 125061

Committed r106525: <http://trac.webkit.org/changeset/106525>
Comment 4 WebKit Review Bot 2012-02-01 18:46:30 PST
All reviewed patches have been landed.  Closing bug.