Hi.

Thanks for the hint with reproducing it via the Task Manager, makes 
debugging a lot easier :)

So the problem is `task_manager::TaskManagerImpl::Refresh()` calling
`memory_instrumentation::MemoryInstrumentation::GetInstance()` and using the
returned pointer without checking it; but it is `NULL`; this is what the
segfault in
`memory_instrumentation::MemoryInstrumentation::RequestPrivateMemoryFootprint()`
(0x000055.......f87; dereferencing `this` from register `rdi`) is about.

(gdb) frame 1
(gdb) disassemble /r
Dump of assembler code for function 
_ZN12task_manager15TaskManagerImpl7RefreshEv:
...
   0x00005555591ba757 <+39>:    41 80 bd 99 01 00 00 00 cmpb   $0x0,0x199(%r13)
   0x00005555591ba75f <+47>:    0f 84 7b 02 00 00       je     0x5555591ba9e0 
<_ZN12task_manager15TaskManagerImpl7RefreshEv+688>
   0x00005555591ba765 <+53>:    a8 80   test   $0x80,%al
   0x00005555591ba767 <+55>:    0f 85 b3 01 00 00       jne    0x5555591ba920 
<_ZN12task_manager15TaskManagerImpl7RefreshEv+496>
...
(gdb) info proc mappings
...
          Start Addr           End Addr       Size     Offset objfile
      0x555555554000     0x55556035b000  0xae07000        0x0 
/usr/lib/chromium/chromium
      0x55556035b000     0x555560922000   0x5c7000  0xae06000 
/usr/lib/chromium/chromium
      0x555560922000     0x55556098b000    0x69000  0xb3cd000 
/usr/lib/chromium/chromium

So for a hotfix I changed the `je` at `+47` into `jne`; this negates
the check for `!waiting_for_memory_dump_` in
https://github.com/chromium/chromium/blob/master/chrome/browser/task_manager/sampling/task_manager_impl.cc#L603
and should make it never use that block.

The offset of `0f 84` in the file is:
0x00005555591ba75f - 0x555555554000 = 0x3C6675F

To patch it to `0f 85`:

$ cp -a /usr/lib/chromium/chromium /usr/lib/chromium/chromium-pre-patched
$ printf '3C66760: 85\n' | xxd -r -  /usr/lib/chromium/chromium
$ sha1sum /usr/lib/chromium/chromium*
036f623e158cffaa91be63df307bb2eda4d359e1  /usr/lib/chromium/chromium
5056c781602f4bbd41f06b3bd1940b6edbd7dc8c  /usr/lib/chromium/chromium-pre-patched

cheers,
Stefan
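
Added example (not part of Stefan's message): the same address-to-offset translation and `je`/`jne` flip as a script that refuses to write unless the bytes at the computed offset really are a `je rel32` whose displacement lands on the target shown in the disassembly, and that keeps a `-pre-patched` copy like the `cp -a` above. The mapping row and the `0f 84 7b 02 00 00` bytes are taken from the gdb output; the file name, base address and padding in `demo()` are constructed so it runs offline.

```python
import os
import shutil
import tempfile

JE_REL32 = bytes.fromhex("0f84")   # opcode of `je rel32`
JNE_REL32 = bytes.fromhex("0f85")  # opcode of `jne rel32`; same length, same displacement

def file_offset(vaddr, map_start, map_file_offset):
    """Translate a runtime address into a file offset using the
    `info proc mappings` row (Start Addr, Offset) that contains it."""
    return vaddr - map_start + map_file_offset

def rel32_target(vaddr, insn):
    """Branch target of a 6-byte `je/jne rel32` located at vaddr; compare it
    with the target gdb printed to confirm you are looking at the right bytes."""
    disp = int.from_bytes(insn[2:6], "little", signed=True)
    return vaddr + len(insn) + disp

def patch_je_to_jne(path, vaddr, map_start, map_file_offset, expect_target=None):
    """Flip one `je rel32` into `jne rel32` in place, after verifying the bytes.
    A copy of the original is kept at <path>-pre-patched. Returns the file offset."""
    off = file_offset(vaddr, map_start, map_file_offset)
    with open(path, "rb") as f:
        data = bytearray(f.read())
    insn = bytes(data[off:off + 6])
    if insn[:2] != JE_REL32:
        raise ValueError(f"bytes at 0x{off:x} are {insn[:2].hex()}, not je; wrong binary or offset")
    if expect_target is not None and rel32_target(vaddr, insn) != expect_target:
        raise ValueError("displacement does not match the disassembly; refusing to patch")
    shutil.copy2(path, path + "-pre-patched")  # keep the unpatched binary, as `cp -a` did
    data[off:off + 2] = JNE_REL32
    with open(path, "wb") as f:
        f.write(data)
    return off

def demo():
    """Constructed stand-in for the binary: the je from Refresh+47 placed at
    file offset 0x20 and 'mapped' at a fake base so the address math is visible."""
    map_start, base = 0x10000, 0x20
    je = bytes.fromhex("0f847b020000")  # je +0x27b, exactly the bytes in the dump
    path = os.path.join(tempfile.mkdtemp(), "chromium-sample")
    with open(path, "wb") as f:
        f.write(b"\x90" * base + je + b"\x90" * 16)
    off = patch_je_to_jne(path, map_start + base, map_start, 0,
                          expect_target=map_start + base + 6 + 0x27b)
    with open(path, "rb") as f:
        data = f.read()
    with open(path + "-pre-patched", "rb") as f:
        backup = f.read()
    return off, data[off:off + 2], backup[off:off + 2]
```

With the real values, `file_offset(0x5555591ba75f, 0x555555554000, 0x0)` gives `0x3C6675F`, the offset of the `0f` byte, so the `84` that `xxd -r` overwrites sits at `0x3C66760`.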
