[TOC]
Debug builds are the default configuration for Chromium and can be explicitly
specified with is_debug=true
in the args.gn
file of the out directory. Debug
builds are larger and non-portable because they default to
is_component_build=true
, but they contain full debug information.
If you set is_debug=false
, a release build will be created with no symbol
information, which cannot be used for effective debugging.
A middle-ground is to set symbol_level=1
, which will produce a minimal symbol
table, capable of creating backtraces, but without frame-level local variables.
This is faster to build than a debug build, but it is less useful for debugging.
When doing an is_official_build=true
build (which is meant for producing
builds with full compiler optimization suitable for shipping to users),
enable_dsyms
and enable_stripping
both get set to true
. The binary itself
will be stripped of its symbols, but the debug information will be saved off
into a dSYM file. Producing a dSYM is rather slow, so it is uncommon for
developers to build with this configuration.
The official Google Chrome build has published dSYMs that can be downloaded with
the script at tools/mac/download_symbols.py
or by using the LLDB integration
at tools/lldb/lldb_chrome_symbols.py
.
However, the official Chrome build is
codesigned with the restrict
and runtime
options, which generally prohibit debuggers from attaching.
In order to debug production/released Chrome, you need to do one of two things:
- Disable System Integrity
Protection,
by:
- Rebooting into macOS recovery mode
- Launching Terminal
- Running
csrutil enable --without debug
- Rebooting
- Stripping or force-re-codesigning the binary to not use those options:
codesign --force --sign - path/to/Google\ Chrome.app
If you will frequently debug official builds, (1) is recommended. Note that disabling SIP reduces the overall security of the system, so your system administrator may frown upon it.
The debugger on macOS is lldb
and it is included in both a full Xcode install
and the Command Line Tools package. There are two ways to use LLDB: either
launching Chromium directly in LLDB, or attaching to an existing process:
lldb ./out/debug/Chromium.app/Contents/MacOS/Chromium
lldb -p <pid>
LLDB has an extensive help system which you can access by typing help
at the
(lldb)
command prompt. The commands are organized into a functional hierarchy,
and you can explore the subcommands via (lldb) help breakpoint
, etc. Commands
can take arguments in a command-line flag style. Many commands also have short
mnemonics that match the gdb
equivalents. You can also just use enough letters
to form a unique prefix of the command hierarchy. E.g., these are equivalent:
(lldb) help breakpoint set
(lldb) h br s
When the program is running, you can use Ctrl-C to interrupt it and pause the debugger.
To pass arguments to LLDB when starting Chromium, use a --
:
lldb ./out/debug/Chromium.app/contents/MacOS/Chromium -- --renderer-startup-dialog
Simple function-name breakpoints can be specified with a short mnemonic:
(lldb) b BrowserWindow::Close
But there are a range of other options for setting breakpoints using the, such as:
-t
to limit the breakpoint to a specific thread-s
to specify a specific shared library, if the same symbol name is exported by multiple libraries-o
for a one-shot breakpoint (delete after first hit)
See (lldb) help br set
for full details.
When the debugger is paused, you can get a backtrace by typing bt
. To navigate
the stack by-1 type either up
or down
. You can also jump to a specific index
in the stack by typing f #
(short for frame select #
).
To see local variables, type v
(short for frame variable
).
To step through the program, use:
s
orsi
for step-inn
for step-overc
to continue (resume or go to next breakpoint)
To print values, use the p <value>
command, where <value>
can be a variable,
a variable expression like object->member_->sub_member_.value
, or an address.
If <value>
is a pointer to a structure, p <value>
will usually just print
the address. To show the contents of the structure, dereference the value. E.g.:
(lldb) p item
(HistoryMenuBridge::HistoryItem *) $3 = 0x0000000245ef5b30
(lldb) p *item
(HistoryMenuBridge::HistoryItem) $4 = {
title = u"Google"
url = {
spec_ = "https://www.google.com/"
is_valid_ = true
…
Note above that LLDB has also stored the results of the expressions passed to
p
into the variables $3
and $4
, which can be referenced in other LLDB
expressions.
Often (and always when printing addresses) there is not type information to enable printing the full structure of the referenced memory. In these cases, use a C-style cast:
(lldb) p 0x0000000245ef5b30 # Does not have type information
(long) $5 = 9763248944
(lldb) p (HistoryMenuBridge::HistoryItem*)0x0000000245ef5b30
(HistoryMenuBridge::HistoryItem *) $6 = 0x0000000245ef5b30
(lldb) p *$6
(HistoryMenuBridge::HistoryItem) $7 = {
title = u"Google"
…
- For printing Cocoa NSObjects, use the
po
command to get the-[NSObject description]
. - If
uptr
is astd::unique_ptr
, the address it wraps is accessible asuptr.__ptr_.__value_
. - To pretty-print
std::u16string
, follow the instructions here.
Chrome is split into multiple processes, which can mean that the logic you want to debug is in a different process than the main browser/GUI process. There are a few ways to debug the multi-process architecture, discussed below.
You can use Chrome's Task Manager to associate specific sites with their PID. Then simply attach with LLDB:
lldb -p <pid>
Or, if you have already been debugging a Chrome process and want to retain your breakpoints:
(lldb) attach <pid>
If you need to attach early in the child process's lifetime, you can use one of these startup-dialog switches for the relevant process type:
--renderer-startup-dialog
--utility-startup-dialog
--utility-startup-dialog=data_decoder.mojom.DataDecoderService
After the process launches, it will print a message like this to standard error:
[80156:775:0414/130021.862239:ERROR:content_switches_internal.cc(112)] Renderer (80156) paused waiting for debugger to attach. Send SIGUSR1 to unpause.
Then attach the the process like above in (a), using the PID in parenthesis (e.g. 80156 above).
This option is not recommended. Single-process mode is not tested and is frequently broken.
Chrome has an option to run all child processes as threads inside a single
process, using the --single-process
command line flag. This can make debugging
easier.
Similar to debugging the renderer process, simply attaching LLDB to a
out-of-process test like browser_tests will not hit the test code. In order to
debug a browser test, you need to run the test binary with "--single_process
"
(note the underscore in single_process
). Because you can only run one browser
test in the same process, you're probably going to need to add --gtest_filter
as well. So your command will look like this:
/path/to/src/out/debug/browser_tests --single_process --gtest_filter=GoatTeleporterTest.DontTeleportSheep
If you'd prefer to use Xcode GUI to use the debugger, there are two options:
This approach creates an empty Xcode project that only provides a GUI debugger:
- Select File > New > Project... and make a new project. Dump it anywhere, call it anything. It doesn't matter.
- Launch Chromium.
- In Xcode, select Debug > Attach to Process > Chromium.
- You can now pause the process and set breakpoints. The debugger will also activate if a crash occurs.
- Tell
gn
to generate an Xcode project for your out directory:gn gen --ide=xcode out/debug
- Open out/debug/all.xcodeproj
- Have it automatically generate schemes for you
- You can now build targets from within Xcode, which will simply call out to
ninja
via an Xcode script. But the resulting binaries are available as debuggable targets in Xcode.
Note that any changes to the .xcodeproj will be overwritten; all changes to the build system need to be done in GN.
See the page on sandbox debugging.
When debugging issues with OS-mediated permissions (e.g. Location, Camera, etc.), you need to launch Chromium with LaunchServices rather than through a shell. If you launch Chromium as a subprocess of your terminal shell, the permission requests get attributed to the terminal app rather than Chromium.
To launch Chromium via launch services, use the open(1)
command:
open ./out/debug/Chromium.app
To pass command line arguments:
open ./out/debug/Chromium.app -- --enable-features=MyCoolFeature
A quick and easy way to investigate slow or hung processes is to use the sample facility, which will generate a CPU sample trace. This can be done either in the Terminal with the sample(1) command or by using Activity Monitor:
- Open Activity Monitor
- Find the process you want to sample (for "Helper" processes, you may want to consult the Chrome Task Manager)
- Double-click on the row
- Click the Sample button in the process's information window
After a few seconds, the sample will be completed. For official Google Chrome builds, the sample should be symbolized using crsym. If you do not have access to crsym, save the entire contents as a file and attach it to a bug report for later analysis.
See also How to Obtain a Heap Dump.
For more sophisticated CPU sampling, use the Time Profiler tool from Instruments. Instruments is macOS's performance analysis toolkit that comes with Xcode. The following steps assume that you've installed Xcode 12.0 or later.
After installing Xcode, run xcode-select -s XCODE_FOLDER
from the command line to set up the Xcode folder for the command line tools. XCODE_FOLDER
is where the Xcode is installed, and should be something like /Applications/Xcode.app/Contents/Developer
.
Time Profiler provides a GUI to record traces, but is likely to be janky. To generate a trace from the terminal,
- Start Chrome.
- Run
xcrun xctrace record --template 'Time Profiler' --all-processes
in terminal to start tracing. - Perform actions that you want to profile, e.g. open a new tab page.
- Back to the terminal, press Ctrl+C to terminate the profiling. A
.trace
profile file will be generated at the current working path.
In Step 2, if you know which process you are looking at, you can change the --all-processes
to --attach PID
.
To visualize a trace,
- In Time Profiler, load the profile file by File > Open. You will see the traces of all threads and other stats like the Thermal State. You may filter the threads of your interest.
- For official Google Chrome builds, you need to follow this doc to download the dSYMs files for symbolization.
- In Time Profiler, use File > Symbols to load symbols. Loading symbols only for the main executable (Google Chrome) should be sufficient for other executables (Google Chrome Helper and Renderer) as well.
macOS helpfully tries to write a crash report every time a binary crashes –
which happens for example when a test in unit_tests fails. Since Chromium's
debug binaries are huge, this takes forever. If this happens, "ReportCrash" will
be the top cpu consuming process in Activity Monitor. You should disable
ReportCrash while you work on Chromium. Run man ReportCrash
to learn how to do
this on your version of macOS. On 10.15, the command is
launchctl unload -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist
Yes, you need to run this for both the normal user and the admin user.
If you get a Google Chrome crash report caught by ReportCrash/macOS, it will not have symbols (every frame will be ChromeMain). To get a symbolized stack trace, use the internal crsym tool by simply pasting the contents of an entire Apple crash report.
To test Chrome in a different locale, change your system locale via the System Preferences. (Keep the preferences window open so that you can change the locale back without needing to navigate through menus in a language you may not know.)
DTrace is a powerful, kernel-level profiling and dynamic tracing utility. In order to use DTrace, you need to (at least partially) disable System Integrity Protection with (see above):
csrutil enable --without dtrace
Using DTrace is beyond the scope of this document, but the following resources are useful:
- jgm's awesome introductory article
- Big Nerd Ranch's four-part series
- Defining static probes on macOS
- Examples
- Tips from Sun
DTrace examples on macOS: /usr/share/examples/DTTk
To get truss on macOS, use dtruss. That requires root, so use sudo dtruss -p
and to attach to a running non-root program.
Chrome has built-in memory instrumentation that can be used to identify allocations and potential leaks.
MacOS also provides several low-level command-line tools that can be used to inspect what's going on with memory inside a process. Note that most of these tools only work effectively with system malloc and not PartitionAlloc. Since PartitionAlloc Everywhere, you should additionally disable PartitionAlloc with these GN args:
use_partition_alloc_as_malloc = false
enable_backup_ref_ptr_support = false
Note that PartitionAlloc will still be used in Blink, just not for malloc
in
other places anymore. See PartitionAlloc build config
for disabling PartitionAlloc completely via GN arg use_partition_alloc
.
heap
summarizes what's currently in the malloc heap(s) of a process. It
shows a number of useful things:
- How much of the heap is used or free
- The distribution of block sizes
- A listing of every C++, Objective-C and CoreFoundation class found in the heap, with the number of instances, total size and average size.
It identifies C++ objects by their vtables, so it can't identify vtable-less
classes, including a lot of the lower-level WebCore ones like StringImpl. To
work around, temporarily added the virtual
keyword to WTF::RefCounted
's
destructor method, which forces every ref-counted object to include a vtable
pointer identifying its class.
malloc_history
identifies the stack backtrace that allocated every malloc
block in the heap. It lists every unique backtrace together with its number of
blocks and their total size. It requires that the process use malloc stack
logging, which is enabled if the environment variable MallocStackLogging is set
when it launches. The env
command is handy for this:
$ env MallocStackLogging=1 Chromium.app/Contents/MacOS/Chromium
Then in another shell you run
$ malloc_history <pid> -allBySize
Watch out: the output is big.
leaks
finds malloc blocks that have no pointers to them and are probably
leaked. It doesn't require MallocStackLogging, but it's more useful if it's on
because it can then show the backtrace that allocated each leaked block.
vmmap
shows all the virtual-memory regions in the process's address space.
This is less useful since it doesn't say anything about individual malloc blocks
(except huge ones) but it can be useful for looking at things like static data
size, mapped files, and how much memory is paged out. The "-resident" flag shows
how much of each allocation is currently paged into RAM. See the man page for
details.
Notes:
- These are not going to be very useful on stripped binaries, and they're less useful in release builds.
- All of these except vmmap take several minutes to run, apparently because of the number of symbols in Chrome. They spend most of their time pegging one CPU down inside system code that's reading symbol tables from the binary. Be patient.
- Instruments is an application bundled with Xcode that provides GUI interfaces
for many of these tools, including
sample
andleaks
. Most Chromies prefer the command line tools, but Instruments can be useful. If running Instruments on a local build, expect to wait a few minutes for it to load symbols before it starts recording useful data
The Mac OS X Debugging Magic Technote contains a wealth of (mostly outdated) information about various debugging options built in to macOS.