Bug 551666 - www-client/chromium-43.0.2357.65: chrome[5798]: segfault at d8 ip 00007ffa62d926aa sp 00007ffe9d3a48a0 error 4 in chrome[7ffa616c5000+679d000]
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Chromium Project
Reported: 2015-06-10 13:27 UTC by Alexey Dobriyan
Modified: 2015-07-31 14:25 UTC
Description Alexey Dobriyan 2015-06-10 13:27:12 UTC
Happened randomly, no coredump (wasn't set up).

Reproducible: Sometimes

Steps to Reproduce:
N/A



chrome[5798]: segfault at d8 ip 00007ffa62d926aa sp 00007ffe9d3a48a0 error 4 in chrome[7ffa616c5000+679d000]

[ebuild   R    ] www-client/chromium-43.0.2357.65::gentoo  USE="(pic) tcmalloc -cups -custom-cflags -gnome -gnome-keyring -hidpi -kerberos (-neon) -proprietary-codecs -pulseaudio (-selinux) {-test} -widevine" LINGUAS="am ar bg bn ca cs da de el en_GB es es_LA et fa fi fil fr gu he hi hr hu id it ja kn ko lt lv ml mr ms nb nl pl pt_BR pt_PT ro ru sk sl sr sv sw ta te th tr uk vi zh_CN zh_TW" 0 KiB

----------------------------------------------------

Portage 2.2.18 (python 2.7.9-final-0, default/linux/amd64/13.0, gcc-4.9.2, glibc-2.20-r2, 4.0.5 x86_64)
=================================================================
System uname: Linux-4.0.5-x86_64-Intel-R-_Core-TM-2_Duo_CPU_E6550_@_2.33GHz-with-gentoo-2.2
KiB Mem:     3966080 total,   1104980 free
KiB Swap:    8388788 total,   8388788 free
Timestamp of repository gentoo: Mon, 08 Jun 2015 09:00:01 +0000
sh bash 4.3_p33-r2
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.3_p33-r2::gentoo
dev-lang/perl:            5.20.2::gentoo
dev-lang/python:          2.7.9-r1::gentoo
dev-util/cmake:           2.8.12.2-r1::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.13.11::gentoo
sys-apps/sandbox:         2.6-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.9.6-r4::gentoo, 1.10.3-r1::gentoo, 1.11.6-r1::gentoo, 1.12.6::gentoo, 1.13.4::gentoo, 1.14.1::gentoo
sys-devel/binutils:       2.24-r3::gentoo
sys-devel/gcc:            4.9.2::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 3.18::gentoo (virtual/os-headers)
sys-libs/glibc:           2.20-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LC_ALL="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="X amd64 bzip2 cairo cli common-lisp cracklib crypt cxx djvu dri emacs gdbm gpm iconv icu ipv6 kde lzma mmx mmxext modules multilib ncurses nptl opengl openmp pcre python qt3support readline session sse sse2 ssl ssse3 tcpd unicode vim-syntax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-06-12 18:53:29 UTC
If you don't have any sort of backtrace or error log, I don't think chromium maintainers will be able to address this...

At the very minimum, please give a scenario for reproducing the bug - e.g. chromium always crashes when visiting url X and clicking on Y.
Comment 2 Alexey Dobriyan 2015-06-15 10:00:02 UTC
I completely understand you. This bug is mostly for search engines and reference.

"error 4" is read access to unmapped page.

Assuming it is a straight NULL pointer dereference, searching for reads at addresses ending in 6aa gives:

$ objdump -dr /usr/lib64/chromium-browser/chrome | grep -e '6aa:.*0xd8('
 16cd6aa:       4c 39 b7 d8 00 00 00    cmp    %r14,0xd8(%rdi)
 24296aa:       4c 8b a5 d8 00 00 00    mov    0xd8(%rbp),%r12
 25f86aa:       49 8d be d8 00 00 00    lea    0xd8(%r14),%rdi
 31ec6aa:       48 89 87 d8 00 00 00    mov    %rax,0xd8(%rdi)

LEA can't fault and MOV at 31ec6aa is a write.

16cd6aa leads to:
----------------------------------------------------------------------------
 16cd660:       41 57                   push   %r15
 16cd662:       48 8d 05 27 6b 51 05    lea    0x5516b27(%rip),%rax        # 6be4190 <_ZTV19DefaultSysAllocator+0x1ff90>
 16cd669:       41 56                   push   %r14
 16cd66b:       41 55                   push   %r13
 16cd66d:       41 54                   push   %r12
 16cd66f:       55                      push   %rbp
 16cd670:       53                      push   %rbx
 16cd671:       48 89 fb                mov    %rdi,%rbx
 16cd674:       4c 8d 73 08             lea    0x8(%rbx),%r14
 16cd678:       48 81 ec 88 01 00 00    sub    $0x188,%rsp
 16cd67f:       48 89 07                mov    %rax,(%rdi)
 16cd682:       48 8d 05 6f 6b 51 05    lea    0x5516b6f(%rip),%rax        # 6be41f8 <_ZTV19DefaultSysAllocator+0x1fff8>
 16cd689:       48 89 47 08             mov    %rax,0x8(%rdi)
 16cd68d:       48 8d 05 84 6b 51 05    lea    0x5516b84(%rip),%rax        # 6be4218 <_ZTV19DefaultSysAllocator+0x20018>
 16cd694:       48 89 47 28             mov    %rax,0x28(%rdi)
 16cd698:       48 8d 05 f9 6b 51 05    lea    0x5516bf9(%rip),%rax        # 6be4298 <_ZTV19DefaultSysAllocator+0x20098>
 16cd69f:       48 89 87 b8 00 00 00    mov    %rax,0xb8(%rdi)
 16cd6a6:       48 8b 7f 18             mov    0x18(%rdi),%rdi
 16cd6aa: ***** 4c 39 b7 d8 00 00 00    cmp    %r14,0xd8(%rdi) ****************
 16cd6b1:       0f 84 2b 03 00 00       je     16cd9e2 <_ZNSt6vectorISt4pairIN2ui18AXIntListAttributeES_IiSaIiEEESaIS5_EE19_M_emplace_back_auxIIS5_EEEvDpOT_+0x9172>
 16cd6b7:       e8 04 a5 00 00          callq  16d7bc0 <_ZNSt6vectorISt4pairIN2ui18AXIntListAttributeES_IiSaIiEEESaIS5_EE19_M_emplace_back_auxIIS5_EEEvDpOT_+0x13350>

-----------------------------------------------------------------------------

24296aa leads to ffmpeg code with maybe NULL passed as first argument:

 2429680:       41 54                   push   %r12
 2429682:       55                      push   %rbp
 2429683: ***** 48 89 fd                mov    %rdi,%rbp   <=================
 2429686:       53                      push   %rbx
 2429687:       48 8b 87 a0 00 00 00    mov    0xa0(%rdi),%rax
 242968e:       bf 38 00 00 00          mov    $0x38,%edi
 2429693:       4c 8b 60 08             mov    0x8(%rax),%r12
 2429697:       e8 74 ab 3e ff          callq  1814210 <_ZNSt8_Rb_treeIN18third_party_ffmpeg11StubModulesESt4pairIKS1_PvESt10_Select1stIS5_ESt4lessIS1_ESaIS5_EE29_M_get_insert_hint_unique_posESt23_Rb_tree_const_iteratorIS5_ERS3_+0x119f0>
 242969c:       48 89 c7                mov    %rax,%rdi
 242969f:       48 89 c3                mov    %rax,%rbx
 24296a2:       4c 89 e6                mov    %r12,%rsi
 24296a5:       e8 b6 50 22 00          callq  264e760 <_ZNSt5dequeIiSaIiEE12emplace_backIIiEEEvDpOT_+0xb299e0>
 24296aa: ***** 4c 8b a5 d8 00 00 00    mov    0xd8(%rbp),%r12 ***************
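
An added example (not from the reporter's comments) that automates the reasoning in Comment 2: parse the kernel segfault line, decode the x86 page-fault error code, and compute ip minus the mapping base, which for a position-independent image mapped from file offset 0 is the objdump address; it comes out to 16cd6aa, the first hit the reporter found by grepping. The segfault line and the four objdump lines are copied from the report; the final check tests whether the fault address equals the instruction's displacement, which is what a NULL base register produces.

```python
import re

# Kernel segfault line from the bug description (input for this example).
SEGFAULT_LINE = ("chrome[5798]: segfault at d8 ip 00007ffa62d926aa sp 00007ffe9d3a48a0 "
                 "error 4 in chrome[7ffa616c5000+679d000]")

# The objdump -dr hits the reporter matched on (copied from Comment 2).
OBJDUMP_LINES = """\
 16cd6aa:       4c 39 b7 d8 00 00 00    cmp    %r14,0xd8(%rdi)
 24296aa:       4c 8b a5 d8 00 00 00    mov    0xd8(%rbp),%r12
 25f86aa:       49 8d be d8 00 00 00    lea    0xd8(%r14),%rdi
 31ec6aa:       48 89 87 d8 00 00 00    mov    %rax,0xd8(%rdi)
""".splitlines()

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

# objdump line: "<addr>:  <hex bytes>  <mnemonic operands>"
OBJDUMP_RE = re.compile(r"^\s*(?P<addr>[0-9a-f]+):\s+(?:[0-9a-f]{2} )+\s*(?P<insn>.+?)\s*$")


def decode_error(err):
    """x86 page-fault error code bits as printed by the kernel ("error 4")."""
    return {
        "protection_violation": bool(err & 1),   # 0 means the page was not present
        "write": bool(err & 2),                  # 0 means a read
        "user_mode": bool(err & 4),
        "reserved_bit": bool(err & 8),
        "instruction_fetch": bool(err & 16),
    }


def parse_segfault(line):
    m = SEGFAULT_RE.search(line)
    if not m:
        raise ValueError("not a kernel segfault line")
    g = m.groupdict()
    ip, base, size = (int(g[k], 16) for k in ("ip", "base", "size"))
    if not base <= ip < base + size:
        raise ValueError("ip lies outside the reported mapping")
    return {
        "comm": g["comm"], "pid": int(g["pid"]),
        "fault_addr": int(g["addr"], 16), "ip": ip, "sp": int(g["sp"], 16),
        "error": decode_error(int(g["err"])), "base": base, "size": size,
        # PIE image mapped from file offset 0: ip - base is the objdump address.
        "offset": ip - base,
    }


def find_faulting_insn(offset, objdump_lines):
    """Return the disassembled instruction whose address equals offset, else None."""
    for line in objdump_lines:
        m = OBJDUMP_RE.match(line)
        if m and int(m.group("addr"), 16) == offset:
            return m.group("insn")
    return None


def looks_like_null_deref(fault_addr, insn, limit=0x1000):
    """Small fault address that shows up as the displacement: base register was 0."""
    return fault_addr < limit and ("0x%x(" % fault_addr) in insn


def analyze(line, objdump_lines):
    r = parse_segfault(line)
    r["insn"] = find_faulting_insn(r["offset"], objdump_lines)
    r["null_deref_pattern"] = bool(r["insn"]) and looks_like_null_deref(r["fault_addr"], r["insn"])
    return r


if __name__ == "__main__":
    r = analyze(SEGFAULT_LINE, OBJDUMP_LINES)
    print("offset into image: %#x" % r["offset"])
    print("error bits:", r["error"])
    print("instruction:", r["insn"])
    print("consistent with a NULL base register:", r["null_deref_pattern"])
```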
Comment 3 Alexey Dobriyan 2015-07-10 12:08:16 UTC
This is semi-reproducible (with coredump and backtrace).

(gdb) bt
#0  0x00005647314727ea in aura::Window::~Window() ()
#1  0x0000564731472b89 in aura::Window::~Window() ()
#2  0x0000564732f1c800 in content::RenderWidgetHostImpl::Destroy() ()
#3  0x0000564732f1d155 in content::RenderWidgetHostImpl::OnMessageReceived(IPC::Message const&) ()
#4  0x0000564732f026de in content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const&) [clone .part.223] ()
#5  0x00005647312d26e8 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ()
#6  0x0000564730e052bb in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) ()
#7  0x0000564730dbb204 in base::MessageLoop::RunTask(base::PendingTask const&) ()
#8  0x0000564730dbb4e1 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ()
#9  0x0000564730dbb9db in base::MessageLoop::DoWork() ()
#10 0x0000564730e04229 in base::MessagePumpGlib::HandleDispatch() ()
#11 0x0000564730e0426d in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) ()
#12 0x00007fcab6cbe8bd in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#13 0x00007fcab6cbeba8 in g_main_context_iterate.isra () from /usr/lib64/libglib-2.0.so.0
#14 0x00007fcab6cbec5c in g_main_context_iteration () from /usr/lib64/libglib-2.0.so.0
#15 0x0000564730e03fca in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) ()
#16 0x0000564730dcd308 in base::RunLoop::Run() ()
#17 0x0000564730aa1fcf in ChromeBrowserMainParts::MainMessageLoopRun(int*) ()
#18 0x000056473303fbe4 in content::BrowserMainLoop::RunMainMessageLoopParts() ()
#19 0x0000564732e3530d in content::BrowserMainRunnerImpl::Run() ()
#20 0x0000564732e35291 in content::BrowserMain(content::MainFunctionParams const&) ()
#21 0x0000564730d43c2a in content::ContentMainRunnerImpl::Run() ()
#22 0x0000564730d42471 in content::ContentMain(content::ContentMainParams const&) ()
#23 0x00005647307ea9ea in ChromeMain ()
#24 0x00007fcaae791fa0 in __libc_start_main () from /lib64/libc.so.6
#25 0x00005647307ea8a5 in _start ()
Comment 4 Alexey Dobriyan 2015-07-10 12:15:29 UTC
It always happens after I do the following:

* go to http://news.gmane.org/gmane.linux.kernel
* try to open page drop down list in the upper right corner (near --Action--)
* it will not open, then I try to switch to another tab and back and
  whole process coredumps.

"Always" means no other site exhibits this behavior, only one UI element on gmane.

I tried to get 100% reliable instructions for this bug but failed. Gmane tab becomes white for several seconds after I switch back to it, CPU is 100% but it recovers eventually. Anyway, it's a high-probability crash to the point I do not click on that paginator anymore.
Comment 5 Alexey Dobriyan 2015-07-10 12:17:46 UTC
chrome[1564]: segfault at d8 ip 00005647314727ea sp 00007ffddb9083f0 error 4 in chrome[56472fda7000+679c000]
[ebuild   R    ] www-plugins/chrome-binary-plugins-43.0.2357.132_p1:stable::gentoo  USE="flash -widevine" 0 KiB
[ebuild   R    ] www-client/chromium-43.0.2357.130::gentoo  USE="(pic) tcmalloc -cups -custom-cflags -gnome -gnome-keyring -hidpi -hotwording -kerberos (-neon) -proprietary-codecs -pulseaudio (-selinux) {-test} -widevine" LINGUAS="am ar bg bn ca cs da de el en_GB es es_LA et fa fi fil fr gu he hi hr hu id it ja kn ko lt lv ml mr ms nb nl pl pt_BR pt_PT ro ru sk sl sr sv sw ta te th tr uk vi zh_CN zh_TW" 0 KiB
Comment 6 Alexey Dobriyan 2015-07-10 12:19:27 UTC
(gdb) info registers
rax            0x56473698a258   94863858639448
rbx            0x1cf33e58c700   31831048636160
rcx            0x1cf33e7e66b0   31831051101872
rdx            0x0      0
rsi            0x7ffddb908560   140728287135072
rdi            0x0      0
rbp            0x1cf33e7e6480   0x1cf33e7e6480
rsp            0x7ffddb9083f0   0x7ffddb9083f0
r8             0x1cf33991adb0   31830968479152
r9             0x1cf33c5d74c0   31831015388352
r10            0x5647368477e8   94863857317864
r11            0x1cf340b5d1c0   31831088288192
r12            0x7ffddb908610   140728287135248
r13            0x564736c333e0   94863861429216
r14            0x1cf33e58c708   31831048636168
r15            0x564736c33340   94863861429056
rip            0x5647314727ea   0x5647314727ea <aura::Window::~Window()+74>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
Comment 7 Alexey Dobriyan 2015-07-10 12:20:33 UTC
(gdb) disassemble $rip
Dump of assembler code for function _ZN4aura6WindowD2Ev:
   0x00005647314727a0 <+0>:     push   %r15
   0x00005647314727a2 <+2>:     lea    0x55179a7(%rip),%rax        # 0x56473698a150 <_ZTVN4aura6WindowE+16>
   0x00005647314727a9 <+9>:     push   %r14
   0x00005647314727ab <+11>:    push   %r13
   0x00005647314727ad <+13>:    push   %r12
   0x00005647314727af <+15>:    push   %rbp
   0x00005647314727b0 <+16>:    push   %rbx
   0x00005647314727b1 <+17>:    mov    %rdi,%rbx
   0x00005647314727b4 <+20>:    lea    0x8(%rbx),%r14
   0x00005647314727b8 <+24>:    sub    $0x188,%rsp
   0x00005647314727bf <+31>:    mov    %rax,(%rdi)
   0x00005647314727c2 <+34>:    lea    0x55179ef(%rip),%rax        # 0x56473698a1b8 <_ZTVN4aura6WindowE+120>
   0x00005647314727c9 <+41>:    mov    %rax,0x8(%rdi)
   0x00005647314727cd <+45>:    lea    0x5517a04(%rip),%rax        # 0x56473698a1d8 <_ZTVN4aura6WindowE+152>
   0x00005647314727d4 <+52>:    mov    %rax,0x28(%rdi)
   0x00005647314727d8 <+56>:    lea    0x5517a79(%rip),%rax        # 0x56473698a258 <_ZTVN4aura6WindowE+280>
   0x00005647314727df <+63>:    mov    %rax,0xb8(%rdi)
   0x00005647314727e6 <+70>:    mov    0x18(%rdi),%rdi


=> 0x00005647314727ea <+74>:    cmp    %r14,0xd8(%rdi)   <================


   0x00005647314727f1 <+81>:    je     0x564731472b22 <_ZN4aura6WindowD2Ev+898>
   0x00005647314727f7 <+87>:    callq  0x56473147cd00 <_ZN2ui5Layer13SuppressPaintEv>
   0x00005647314727fc <+92>:    mov    0xe0(%rbx),%rdi
   0x0000564731472803 <+99>:    test   %rdi,%rdi
   0x0000564731472806 <+102>:   je     0x564731472814 <_ZN4aura6WindowD2Ev+116>
   0x0000564731472808 <+104>:   mov    (%rdi),%rax
   0x000056473147280b <+107>:   mov    %rbx,%rsi
   0x000056473147280e <+110>:   callq  *0xa0(%rax)
Comment 8 Alexey Dobriyan 2015-07-12 10:09:23 UTC
I got the same crash on another machine where chromium is built with debugging symbols enabled.

(gdb) bt
#0  aura::Window::~Window (this=this@entry=0x31cc3cff41c0, __in_chrg=<optimized out>) at ../../ui/aura/window.cc:206
#1  0x000055c08e69f219 in aura::Window::~Window (this=0x31cc3cff41c0, __in_chrg=<optimized out>) at ../../ui/aura/window.cc:268
#2  0x000055c090146440 in content::RenderWidgetHostImpl::Destroy (this=0x31cc39759900) at ../../content/browser/renderer_host/render_widget_host_impl.cc:1350
#3  0x000055c090146d95 in Dispatch<content::RenderWidgetHostImpl, content::RenderWidgetHostImpl, void> (msg=<optimized out>, sender=0x31cc39759900, parameter=0x0,
    func=(void (content::RenderWidgetHostImpl::*)(content::RenderWidgetHostImpl * const)) 0x55c090140820 <content::RenderWidgetHostImpl::OnClose()>, obj=0x31cc39759900)
    at ../../ipc/ipc_message.h:148
#4  content::RenderWidgetHostImpl::OnMessageReceived (this=0x31cc39759900, msg=...) at ../../content/browser/renderer_host/render_widget_host_impl.cc:456
#5  0x000055c09012c36e in content::RenderProcessHostImpl::OnMessageReceived (this=0x31cc394912c0, msg=...) at ../../content/browser/renderer_host/render_process_host_impl.cc:1544
#6  0x000055c08e4ff478 in IPC::ChannelProxy::Context::OnDispatchMessage (this=0x31cc3bccba50, message=...) at ../../ipc/ipc_channel_proxy.cc:282
#7  0x000055c08e03352b in Run (this=0x7ffc975fa318) at ../../base/callback.h:396
#8  base::debug::TaskAnnotator::RunTask (this=this@entry=0x31cc36bbd150, queue_function=queue_function@entry=0x55c091ef0a8b "MessageLoop::PostTask",
    run_function=run_function@entry=0x55c091ef0a76 "MessageLoop::RunTask", pending_task=...) at ../../base/debug/task_annotator.cc:63
#9  0x000055c08dfe95b1 in base::MessageLoop::RunTask (this=this@entry=0x31cc36bbd000, pending_task=...) at ../../base/message_loop/message_loop.cc:445
#10 0x000055c08dfe9891 in base::MessageLoop::DeferOrRunPendingTask (this=this@entry=0x31cc36bbd000, pending_task=...) at ../../base/message_loop/message_loop.cc:454
#11 0x000055c08dfe9d7b in base::MessageLoop::DoWork (this=0x31cc36bbd000) at ../../base/message_loop/message_loop.cc:566
#12 0x000055c08e032499 in base::MessagePumpGlib::HandleDispatch (this=0x31cc36cac3c0) at ../../base/message_loop/message_pump_glib.cc:267
#13 0x000055c08e0324dd in base::(anonymous namespace)::WorkSourceDispatch (source=<optimized out>, unused_func=<optimized out>, unused_data=<optimized out>)
    at ../../base/message_loop/message_pump_glib.cc:109
#14 0x00007f9dbf2c38bd in g_main_dispatch (context=0x31cc36b96b40) at /var/tmp/portage/dev-libs/glib-2.42.2/work/glib-2.42.2/glib/gmain.c:3111
#15 g_main_context_dispatch (context=context@entry=0x31cc36b96b40) at /var/tmp/portage/dev-libs/glib-2.42.2/work/glib-2.42.2/glib/gmain.c:3710
#16 0x00007f9dbf2c3ba8 in g_main_context_iterate (context=context@entry=0x31cc36b96b40, block=block@entry=0, dispatch=dispatch@entry=1, self=<optimized out>)
    at /var/tmp/portage/dev-libs/glib-2.42.2/work/glib-2.42.2/glib/gmain.c:3781
#17 0x00007f9dbf2c3c5c in g_main_context_iteration (context=0x31cc36b96b40, may_block=0) at /var/tmp/portage/dev-libs/glib-2.42.2/work/glib-2.42.2/glib/gmain.c:3842
#18 0x000055c08e03223a in base::MessagePumpGlib::Run (this=0x31cc36cac3c0, delegate=<optimized out>) at ../../base/message_loop/message_pump_glib.cc:309
#19 0x000055c08dffb648 in base::RunLoop::Run (this=this@entry=0x7ffc975fa620) at ../../base/run_loop.cc:55
#20 0x000055c08dcd0fef in ChromeBrowserMainParts::MainMessageLoopRun (this=0x31cc36bbeea0, result_code=0x31cc36bbdd98) at ../../chrome/browser/chrome_browser_main.cc:1670
#21 0x000055c090269284 in content::BrowserMainLoop::RunMainMessageLoopParts (this=0x31cc36bbdd80) at ../../content/browser/browser_main_loop.cc:809
#22 0x000055c09005f33d in content::BrowserMainRunnerImpl::Run (this=0x31cc36b9da40) at ../../content/browser/browser_main_runner.cc:209
#23 0x000055c09005f2c1 in content::BrowserMain (parameters=...) at ../../content/browser/browser_main.cc:26
#24 0x000055c08df7227a in content::ContentMainRunnerImpl::Run (this=0x31cc36b992d0) at ../../content/app/content_main_runner.cc:775
#25 0x000055c08df70ac1 in content::ContentMain (params=...) at ../../content/app/content_main.cc:19
#26 0x000055c08da1a93a in ChromeMain (argc=4, argv=0x7ffc975fa8d8) at ../../chrome/app/chrome_main.cc:66
#27 0x00007f9db6d88fa0 in __libc_start_main (main=0x55c08da1a330 <main(int, char const**)>, argc=4, argv=0x7ffc975fa8d8, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7ffc975fa8c8) at libc-start.c:289
#28 0x000055c08da1a7f5 in _start () at ../sysdeps/x86_64/start.S:112
Comment 9 Alexey Dobriyan 2015-07-31 14:25:14 UTC
OK, crash is fixed with www-client/chromium-44.0.2403.89.

It still takes tons of CPU and delay to open that dropdown list element, though.
But it works correctly.