Status Update
Comments
ko...@chromium.org <ko...@chromium.org> #2
Thank you for reporting the issue to us.
Could you find the crash ID you're seeing? You can find it by going to chrome://crashes/, and if your crash is listed there, you should see the uploaded crash ID.
ss...@google.com <ss...@google.com> #3
--------------------------------------------
Able to reproduce the issue on chrome version #133.0.6943.142 Using Linux debian, Windows 11 as per steps in
Observed tab crash is seen
Crash ID:
Note:
1) Unable to check the issue on Mac; the Localhost:8080 server isn't opening
2) Unable to run a per-revision bisect because the server only runs while we give the option "npm start" through the terminal, which is not possible while doing a bisect. Hence, providing a manual changelog from chromium dash
Reproducible:
==========
Stable - 134.0.6998.35/ 133.0.6943.142
Not Reproducible:
==========
Canary- 135.0.7049.3
Dev - 135.0.7039.0
Beta - 135.0.7049.3
Bisect Information: (Forward)
---------------------------------
Good Build: 133.0.6910.0
Bad Build: 133.0.6911.0
CHANGELOG URL:
Suspect:
Change-Id: I5bcf8840a1c71783dfa0bdce442a92eb5ddbf7b4
Reviewed-on:
Bisect Information: (Reverse)
---------------------------------
Good Build: 135.0.7002.0
Bad Build: 135.0.7001.0
CHANGELOG URL:
Suspect:
Change-Id: I0ecd83dec79e0a40ab743b618e67596a2c181d5f
Reviewed-on:
Note: Looping owner kbabbitt@ with reference to this issue
Looping moonira@/mstensho@ Please help us in assigning if this is not related to your change.
Could you please check and confirm if this should be RBS for M133. Please feel free to remove.
Thanks..!
ss...@google.com <ss...@google.com>
ms...@chromium.org <ms...@chromium.org> #4
Looks like most of the code on the call stack was last touched by kbabbitt.
Exception info: SIGSEGV / SEGV_MAPERR @0x00000030
0x00005625ce43cc8e (chrome -scoped_refptr.h:284) scoped_refptr<blink::DescendantInvalidationSet>::get() const
0x00005625ce43cc8e (chrome -invalidation_set.h:474) blink::SiblingInvalidationSet::SiblingDescendants() const
0x00005625ce43cc8e (chrome -rule_invalidation_data_visitor.cc:2004) blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::EnsureSiblingDescendantInvalidationSet(blink::SiblingInvalidationSet const*)
0x00005625ce43cc8e (chrome -rule_invalidation_data_visitor.cc:1071) blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::AddFeaturesToUniversalSiblingInvalidationSet(blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::InvalidationSetFeatures const&, blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::InvalidationSetFeatures const&)
0x00005625ce43cc8e (chrome -rule_invalidation_data_visitor.cc:893) blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::AddFeaturesToInvalidationSetsForCompoundSelector(blink::CSSSelector const&, bool, blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::InvalidationSetFeatures*, blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::InvalidationSetFeatures&)
0x00005625ce43caf0 (chrome -rule_invalidation_data_visitor.cc:851) blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::AddFeaturesToInvalidationSets(blink::CSSSelector const&, bool, blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::InvalidationSetFeatures*, blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::InvalidationSetFeatures&)
0x00005625ce43afd4 (chrome -rule_invalidation_data_visitor.cc:545) blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::UpdateInvalidationSetsForComplex(blink::CSSSelector const&, bool, blink::StyleScope const*, blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::InvalidationSetFeatures&, blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::PositionType, blink::CSSSelector::PseudoType)
0x00005625ce43adcd (chrome -rule_invalidation_data_visitor.cc:469) blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::UpdateInvalidationSets(blink::CSSSelector const&, blink::StyleScope const*)
0x00005625ce43aa92 (chrome -rule_invalidation_data_visitor.cc:347) blink::RuleInvalidationDataVisitor<(blink::RuleInvalidationDataVisitorType)1>::CollectFeaturesFromSelector(blink::CSSSelector const&, blink::StyleScope const*)
0x00005625d42ac104 (chrome -rule_feature_set.cc:66) blink::RuleFeatureSet::RevisitSelectorForInspector(blink::CSSSelector const&) const
0x00005625d42b9778 (chrome -style_engine.cc:4660) blink::StyleEngine::RevisitStyleRulesForInspector(blink::RuleFeatureSet const&, blink::HeapVector<cppgc::internal::BasicMember<blink::StyleRuleBase, cppgc::internal::StrongMemberTag, cppgc::internal::DijkstraWriteBarrierPolicy, cppgc::internal::DisabledCheckingPolicy, cppgc::internal::CompressedPointer>, 0u> const&)
0x00005625d42b966f (chrome -style_engine.cc:4643) blink::StyleEngine::RevisitActiveStyleSheetsForInspector()
0x00005625ca4e4917 (chrome -invalidation_set_to_selector_map.cc:46) blink::PendingInvalidations::ScheduleInvalidationSetsForNode(blink::InvalidationLists const&, blink::ContainerNode&)
0x00005625ca4e3bdc (chrome -style_engine.cc:1828) blink::StyleEngine::AttributeChangedForElement(blink::QualifiedName const&, blink::Element&)
0x00005625ca4e3916 (chrome -element.cc:9488) blink::Element::WillModifyAttribute(blink::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&)
0x00005625ca4cb887 (chrome -element.cc:11055) blink::Element::SetAttributeWithoutValidation(blink::QualifiedName const&, WTF::AtomicString const&)
0x00005625ca4cad2e (chrome -element.h:288) blink::bindings::PerformAttributeSetCEReactionsReflectTypeString(v8::FunctionCallbackInfo<v8::Value> const&, blink::QualifiedName const&)
0x00005625ca112abd (chrome -api-arguments-inl.h:95) v8::internal::Builtins::InvokeApiFunction(v8::internal::Isolate*, bool, v8::internal::DirectHandle<v8::internal::FunctionTemplateInfo>, v8::internal::DirectHandle<v8::internal::Object>, v8::base::Vector<v8::internal::DirectHandle<v8::internal::Object> const>, v8::internal::DirectHandle<v8::internal::HeapObject>)
0x00005625ca11149f (chrome -objects.cc:1630) v8::internal::Object::SetPropertyWithAccessor(v8::internal::LookupIterator*, v8::internal::DirectHandle<v8::internal::Object>, v8::Maybe<v8::internal::ShouldThrow>)
0x00005625ca03d1bd (chrome -ic.cc:1961) v8::internal::Runtime_StoreIC_Miss(int, unsigned long*, v8::internal::Isolate*)
0x00005625ce226f75 (chrome + 0x07003f75) Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit
ch...@google.com <ch...@google.com> #5
This issue appears to be blocking an upcoming release and is therefore an Urgent Release Blocking Issue as per
If this is not a release blocking issue, please adjust the release block field. Adjusting the priority will have no effect, P0 will be re-applied whilever this is marked as a release blocking issue.
ms...@chromium.org <ms...@chromium.org> #6
To help developers proceed here, it would be useful to have a reduction, or at the very least some sort of HTML, rather than having to install something.
kb...@microsoft.com <kb...@microsoft.com> #7
sr...@google.com <sr...@google.com> #8
ch...@google.com <ch...@google.com> #9
Merges to the Stable channel should first be merged and validated in Beta. Adding a merge request to M135 Beta.
M135 merge request created. Please update crbug/401260110 to have this merge reviewed.
M134 merge request created. Please update crbug/401260383 to have this merge reviewed.
*This merge request uses Chrome's new merge process. Find more information at
ap...@google.com <ap...@google.com> #10
Project: chromium/src
Branch: refs/branch-heads/6998
Author: Kevin Babbitt <
Link:
[M134] Invalidation tracing: Null-check invalidation sets that might be missing
On carfax.com I was able to reproduce a crash during stylesheet revisit
due to not finding a universal sibling invalidation set that we expected
to find. This crash did not reproduce consistently, which suggests it's
a timing issue similar to https://crbug.com/379170483 where, at the time
tracing starts, a new rule has been added but is not yet indexed into
RuleInvalidationData. When this occurs, rather than mapping the selector
to invalidation set(s) during the revisit phase, we instead map the
selector at the time the relevant invalidation set(s) are subsequently
constructed or added to.
To prevent crashes from occurring in this situation, this CL adds null
checks to spots where we can't assume an invalidation set exists during
the revisit phase.
(cherry picked from commit b64727240ed6ea6e7c96ff7490ca62d70687f302)
Fixed: 401260383
Bug: 400483865, 396817121
Change-Id: I4f407c1ece4eb5ad13302436818b4b8893215cb1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6284226
Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org>
Commit-Queue: Kevin Babbitt <kbabbitt@microsoft.com>
Cr-Original-Commit-Position: refs/heads/main@{#1423205}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6333871
Auto-Submit: Kevin Babbitt <kbabbitt@microsoft.com>
Cr-Commit-Position: refs/branch-heads/6998@{#1863}
Cr-Branched-From: de9c6fafd8ae5c6ea0438764076ca7d04a0b165d-refs/heads/main@{#1415337}
Files:
- M third_party/blink/renderer/core/css/invalidation/rule_invalidation_data_visitor.cc
- M third_party/blink/renderer/core/inspector/invalidation_set_to_selector_map_test.cc
Hash: a6927fc264f1cd027d12410d7ce85c048fd1893f
Date: Thu Mar 06 16:29:10 2025
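The guard described in the commit message above, as an added illustration that is not taken from the Chromium change: a simplified C++ model in which the revisit phase skips a selector whose invalidation set does not exist yet, and the later indexing step records the mapping instead. The types `Tracer`, `InvalidationData`, `SiblingSet` and `DescendantSet`, their members, and the selector string are hypothetical stand-ins.

```cpp
// Simplified model; all names are hypothetical stand-ins, not Blink's classes.
#include <map>
#include <memory>
#include <string>
#include <vector>

struct DescendantSet {};
struct SiblingSet { std::shared_ptr<DescendantSet> sibling_descendants; };
// Indexed rule data: sets exist only for rules that have been indexed.
struct InvalidationData { std::shared_ptr<SiblingSet> universal_sibling; };

struct Tracer {
  std::map<const DescendantSet*, std::vector<std::string>> set_to_selectors;
  int deferred = 0;

  // Revisit phase: data is const, so a missing set cannot be created here.
  bool Revisit(const InvalidationData& data, const std::string& selector) {
    const SiblingSet* sibling = data.universal_sibling.get();
    // Null check: a rule that is not yet indexed has no set to map against.
    if (!sibling || !sibling->sibling_descendants) {
      ++deferred;
      return false;
    }
    set_to_selectors[sibling->sibling_descendants.get()].push_back(selector);
    return true;
  }

  // Indexing phase: creates sets on demand and maps the selector then.
  void Index(InvalidationData& data, const std::string& selector) {
    if (!data.universal_sibling)
      data.universal_sibling = std::make_shared<SiblingSet>();
    auto& descendants = data.universal_sibling->sibling_descendants;
    if (!descendants) descendants = std::make_shared<DescendantSet>();
    set_to_selectors[descendants.get()].push_back(selector);
  }
};

struct Outcome { bool mapped_in_revisit; int deferred; int mapped_later; };
// Constructed scenario: tracing starts before the rule has been indexed.
Outcome LateRuleScenario() {
  InvalidationData data;
  Tracer tracer;
  bool mapped = tracer.Revisit(data, ".constructed + *");
  tracer.Index(data, ".constructed + *");
  const DescendantSet* set = data.universal_sibling->sibling_descendants.get();
  int later = static_cast<int>(tracer.set_to_selectors[set].size());
  return {mapped, tracer.deferred, later};
}

int main() { return LateRuleScenario().mapped_later == 1 ? 0 : 1; }
```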
kb...@microsoft.com <kb...@microsoft.com>
ch...@google.com <ch...@google.com> #11
This release blocking issue appears to be targeted for one or more milestones which may have already branched:
- M133, which branched on 2025-01-06 (Chromium branch: 6943, Chromium branch position: 1402768)
Because this issue was marked as fixed on or after branch day, a merge of any CLs which landed on or after branch day may be required.
If no merge is needed (e.g. the necessary CLs are already present in the relevant branch), please remove TBD-## from the Merge field and replace it with NA-## (where ## corresponds to the milestone under evaluation). If a merge is necessary, add the requested milestone(s) to the Merge-Request field. If you're not sure, reach out to the relevant release manager (can be found at
To learn more about the merge process, including how to land any required merges, see
ss...@google.com <ss...@google.com> #12
Observed tab crash is seen
Hence fix is working as expected, and the verified labels have been added.
Attaching screencast for reference.
Thank you..!
kb...@microsoft.com <kb...@microsoft.com> #13
I don't think a merge is needed to 133 since 134 has released. cc pbommana@ in case there are any concerns.
Description
Steps to reproduce the problem
Result: chrome tab crashes most of the time
Problem Description
The index file in contains a stylesheet link on line 169.
You'll notice that this code uses the following construction:
example-angular-build-output/index.html
The last 2 attributes are placed there by default by the Angular builder as an optimization (inlineCritical, to improve First Contentful Paint, enabled by default). This construction makes chromium crash when used in combination with a lighthouse flow.
The lighthouse.mjs file (executed by running npm start) contains a reproduction for this issue. It will run an HTTP server on the example-angular-build-output folder, launch chrome, attach puppeteer and start a lighthouse flow. As soon as we then navigate to the first url, the browser seems to crash when executing the onload function (error 11).
Additional Comments
Chromium 133.0.6943.53 (Official Build) built on Debian GNU/Linux 12 (bookworm) (64-bit)
Summary
Changing stylesheet media type crashes browser tab when using Lighthouse Flows (error code 11)
Custom Questions
Which component does this fall under?
Not sure - I don't know
Does this work in other browsers?
Yes - This is just a Chrome problem
Additional Data
Category: API
Chrome Channel: Stable
Regression: N/A