New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 122214 link

Starred by 9 users

Issue metadata

Status: Verified
Owner:
Closed: Apr 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Restricted
  • Only users with EditIssue permission may comment.



Sign in to add a comment

Moving apps around in a new tab crashes the browser

Reported by federico...@gmail.com, Apr 5 2012

Issue description

OS: Windows XP SP3/ Ubuntu 11.10 (Ocelot)
Build: Intel CoreI7 2600K, 8GB ram, Ati Radeon 5850 HD.
Internet connection: Fibertel 6 MB.
Chrome version: 19.0.1984.15

Can you reproduce this crash? Yes, 100% of the times on both systems.

What steps will reproduce this crash (or if it's not reproducible,

Steps:
1. Open a Chrome.
2. Open anew tab.
3. Grab any app available (even the market icon will do) and drag it to the arrow on the right, a new apps sheet is created.
4. Drop the app in the created sheet.
5. Repeat steps 3&4 a few times until Chrome crashes.

- After moving around the apps for a bit, the browser crashes, this happens 100% of the times. See video attached for details

****DO NOT CHANGE BELOW THIS LINE****
report_id:067b8da022eb4f37
 
crash.swf
1.8 MB Download

Comment 1 Deleted

Labels: -Feature-Flash nomedia
Labels: Feature-NewTabPage
can't repro

Comment 5 by dbeam@chromium.org, Apr 6 2012

NOTE: The crash report says that all 5 crashes were with --enable-sync-tabs flag enabled (and on XP, but that's probably less related...), btw.
I was able to trigger on version 20.0.1096.1, no flags on the shortcut this time. 

Comment 7 by dharani@google.com, Apr 10 2012

Here is the crash details - http://crash.corp.google.com/reportdetail?reportid=067b8da022eb4f37

Thread 0 *CRASHED* ( EXCEPTION_BREAKPOINT @ 0x01ca4aa0 )

0x01ca4aa0	 [chrome.dll	 - debugger_win.cc:107	base::debug::BreakDebugger()
0x02c6046b	 [chrome.dll	 - extension_sorting.cc:400	ExtensionSorting::PageIntegerAsStringOrdinal(unsigned int)
0x027f0eca	 [chrome.dll	 - app_launcher_handler.cc:686	AppLauncherHandler::HandleSetPageIndex(base::ListValue const *)
0x02e2da26	 [chrome.dll	 - bind_internal.h:1225	base::internal::Invoker<1,base::internal::BindState<base::internal::RunnableAdapter<void ( internal_cloud_print_helpers::CloudPrintFlowHandler::*)(base::ListValue const *)>,void (internal_cloud_print_helpers::CloudPrintFlowHandler *,base::ListValue const *),void (base::internal::UnretainedWrapper<internal_cloud_print_helpers::CloudPrintFlowHandler>)>,void (internal_cloud_print_helpers::CloudPrintFlowHandler *,base::ListValue const *)>::Run(base::internal::BindStateBase *,base::ListValue const * const &)
0x02b8c53d	 [chrome.dll	 - web_ui_impl.cc:96	WebUIImpl::OnWebUISend(GURL const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::ListValue const &)
0x02b8bd9d	 [chrome.dll	 - tuple.h:560	DispatchToMethod<WebUIImpl,void ( WebUIImpl::*)(GURL const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::ListValue const &),GURL,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::ListValue>(WebUIImpl *,void ( WebUIImpl::*)(GURL const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::ListValue const &),Tuple3<GURL,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::ListValue> const &)
0x02b8be61	 [chrome.dll	 - view_messages.h:1643	ViewHostMsg_WebUISend::Dispatch<WebUIImpl,WebUIImpl,void ( WebUIImpl::*)(GURL const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::ListValue const &)>(IPC::Message const *,WebUIImpl *,WebUIImpl *,void ( WebUIImpl::*)(GURL const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::ListValue const &))
0x02b8c9b8	 [chrome.dll	 - web_ui_impl.cc:73	WebUIImpl::OnMessageReceived(IPC::Message const &)
0x02baa810	 [chrome.dll	 - tab_contents.cc:518	TabContents::OnMessageReceived(IPC::Message const &)
0x02b8550f	 [chrome.dll	 - render_view_host_impl.cc:797	content::RenderViewHostImpl::OnMessageReceived(IPC::Message const &)
0x02b802b0	 [chrome.dll	 - render_process_host_impl.cc:936	RenderProcessHostImpl::OnMessageReceived(IPC::Message const &)
0x02601c20	 [chrome.dll	 - ipc_channel_proxy.cc:268	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x029025ed	 [chrome.dll	 - bind_internal.h:1254	base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void ( remoting::PluginMessageLoopProxy::*)(base::Callback<void (void)> const &)>,void (remoting::PluginMessageLoopProxy *,base::Callback<void (void)> const &),void (remoting::PluginMessageLoopProxy *,base::Callback<void (void)>)>,void (remoting::PluginMessageLoopProxy *,base::Callback<void (void)> const &)>::Run(base::internal::BindStateBase *)
0x01ca1f25	 [chrome.dll	 - message_loop.cc:458	MessageLoop::RunTask(base::PendingTask const &)
0x01ca297a	 [chrome.dll	 - message_loop.cc:660	MessageLoop::DoWork()
0x01cd0868	 [chrome.dll	 - message_pump_win.cc:203	base::MessagePumpForUI::DoRunLoop()
0x01cd0646	 [chrome.dll	 - message_pump_win.cc:51	base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
0x01ca1a65	 [chrome.dll	 - message_loop.cc:390	MessageLoop::RunHandler()
0x01ca2c48	 [chrome.dll	 - message_loop.cc:776	MessageLoopForUI::RunWithDispatcher(base::MessagePumpWin::Dispatcher *)
0x026fa116	 [chrome.dll	 - chrome_browser_main.cc:1846	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x02ba2857	 [chrome.dll	 - browser_main_loop.cc:452	content::BrowserMainLoop::RunMainMessageLoopParts()
0x02bbd8ed	 [chrome.dll	 - browser_main_runner.cc:94	`anonymous namespace'::BrowserMainRunnerImpl::Run()
0x02b7d955	 [chrome.dll	 - browser_main.cc:21	BrowserMain(content::MainFunctionParams const &)
0x02674488	 [chrome.dll	 - content_main_runner.cc:282	`anonymous namespace'::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x026744f5	 [chrome.dll	 - content_main_runner.cc:511	`anonymous namespace'::ContentMainRunnerImpl::Run()
0x02671e77	 [chrome.dll	 - content_main.cc:35	content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x025d9b9c	 [chrome.dll	 - chrome_main.cc:28	ChromeMain
0x0042796c	 [chrome.exe	 - client_util.cc:424	MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00427be7	 [chrome.exe	 - chrome_exe_main_win.cc:37	RunChrome(HINSTANCE__ *)
0x00427c36	 [chrome.exe	 - chrome_exe_main_win.cc:48	wWinMain
0x0044545b	 [chrome.exe	 - crt0.c:263	__tmainCRTStartup
0x7c817076	 [kernel32.dll	 + 0x00017076]	BaseProcessStart

Comment 8 by dbeam@chromium.org, Apr 10 2012

^ That also has --enable-sync-tabs ... ?

Comment 10 by dharani@google.com, Apr 10 2012

Cc: csharp@chromium.org
This crash has started from 18.0.1003.1 - http://crash.corp.google.com/reportdetail?reportid=2bf1b386ac75a44e

csharp@: can you please comment on it?
Cc: mbollu@chromium.org
@mbollu .. Can you please confirm this issue .

Comment 12 by csharp@google.com, Apr 10 2012

I had no luck trying to repo so I'm not exactly sure what's happening.

The two ways I can see this condition getting hit are:
1)somehow an empty page is added (this page must have always been empty) to the end of the pages and we try to move the app to the page after that
2)An earlier empty page is removed but the page_index of the later pages isn't changed (the map size and the page index count wouldn't line up then)

dbeam@, has there been any progress on removing empty app pages?

Comment 13 Deleted

Comment 14 by mbollu@google.com, Apr 10 2012

OS: Linux Ubuntu 10.04 Lucid Lynx, 32-bit
Chrome version: 20.0.1096.1 dev

Findings: Able to reproduce the crash with crash id: 1d6727d660c37957
Steps to Reproduce:
1. Start chrome after clean install.
2. Have default apps.
3. Drag and drop apps to new Apps tab to your right.
Result: When dragging apps you will observe the crash.

Stack Trace: 
Thread 0 *CRASHED* ( SIGABRT @ 0x00006974 )

0xb3bdf424	 [linux-gate.so	 + 0x00000424]	
0xb5e5b07c	 [chrome	 - chrome/browser/extensions/extension_sorting.cc:400]	ExtensionSorting::PageIntegerAsStringOrdinal
0xb3f768ca	 [chrome	 - chrome/browser/ui/webui/ntp/app_launcher_handler.cc:680]	AppLauncherHandler::HandleSetPageIndex
0xb3f74c20	 [chrome	 - ./base/bind_internal.h:188]	base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (AppLauncherHandler::*)(const base::ListValue*)>, void(AppLauncherHandler*, const base::ListValue*), void(base::internal::UnretainedWrapper<AppLauncherHandler>)>, void(AppLauncherHandler*, const base::ListValue*)>::Run
0xb60118ad	 [chrome	 - ./base/callback.h:311]	WebUIImpl::OnWebUISend
0xb6012ae9	 [chrome	 - ./base/tuple.h:560]	WebUIImpl::OnMessageReceived
0xb60023f4	 [chrome	 - content/browser/tab_contents/tab_contents.cc:526]	TabContents::OnMessageReceived
0xb5fc1fad	 [chrome	 - content/browser/renderer_host/render_view_host_impl.cc:797]	content::RenderViewHostImpl::OnMessageReceived
0xb5fb20f8	 [chrome	 - content/browser/renderer_host/render_process_host_impl.cc:937]	RenderProcessHostImpl::OnMessageReceived
0xb464234a	 [chrome	 - ipc/ipc_channel_proxy.cc:269]	IPC::ChannelProxy::Context::OnDispatchMessage
0xb4641ccc	 [chrome	 - ./base/bind_internal.h:188]	base::internal::Invoker<2, base::internal::BindState<base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(const IPC::Message&)>, void(IPC::ChannelProxy::Context*, const IPC::Message&), void(IPC::ChannelProxy::Context*, IPC::Message)>, void(IPC::ChannelProxy::Context*, const IPC::Message&)>::Run
0xb45e7df8	 [chrome	 - ./base/callback.h:272]	MessageLoop::RunTask
0xb45e868b	 [chrome	 - base/message_loop.cc:470]	MessageLoop::DeferOrRunPendingTask
0xb45e8c1e	 [chrome	 - base/message_loop.cc:647]	MessageLoop::DoWork
0xb461d18d	 [chrome	 - base/message_pump_glib.cc:275]	base::MessagePumpGlib::HandleDispatch
0xb461d1d3	 [chrome	 - base/message_pump_glib.cc:105]	WorkSourceDispatch
0xb395b25e	 [libglib-2.0.so.0.3000.0	 - gmain.c:2441]	g_main_context_dispatch
0xb395b98f	 [libglib-2.0.so.0.3000.0	 - gmain.c:3089]	g_main_context_iterate
0xb395bc29	 [libglib-2.0.so.0.3000.0	 - gmain.c:3152]	g_main_context_iteration
0xb461d4e4	 [chrome	 - base/message_pump_glib.cc:206]	base::MessagePumpGlib::RunWithDispatcher
0xb461d1ff	 [chrome	 - base/message_pump_glib.cc:298]	base::MessagePumpGlib::Run
0xb45e5202	 [chrome	 - base/message_loop.cc:417]	MessageLoop::RunInternal
0xb45e526b	 [chrome	 - base/message_loop.cc:390]	MessageLoopForUI::RunWithDispatcher
0xb43ac4ec	 [chrome	 - chrome/browser/chrome_browser_main.cc:1887]	ChromeBrowserMainParts::MainMessageLoopRun
0xb5f3c37d	 [chrome	 - content/browser/browser_main_loop.cc:458]	content::BrowserMainLoop::RunMainMessageLoopParts
0xb5f3de54	 [chrome	 - content/browser/browser_main_runner.cc:94]	BrowserMainRunnerImpl::Run
0xb5f3c04f	 [chrome	 - content/browser/browser_main.cc:21]	BrowserMain
0xb458e3a8	 [chrome	 - content/app/content_main_runner.cc:282]	ContentMainRunnerImpl::Run
0xb458daf7	 [chrome	 - content/app/content_main.cc:35]	content::ContentMain
0xb3dffaea	 [chrome	 - chrome/app/chrome_main.cc:32]	ChromeMain
0xb3dffa8d	 [chrome	 - chrome/app/chrome_exe_main_gtk.cc:18]	main
0xb2ab0112	 [libc-2.13.so	 + 0x00019112]	
0xb3bfeff3	 [ld-2.13.so	 + 0x0001eff3]	
0xb3bff917	 [ld-2.13.so	 + 0x0001f917]	
0xb3bedbda	 [ld-2.13.so	 + 0x0000dbda]	
0xb3bffacf	 [ld-2.13.so	 + 0x0001facf]	
0xb2c10ff3	 [libc-2.13.so	 + 0x00179ff3]	
0xb3bf3c0f	 [ld-2.13.so	 + 0x00013c0f]	
0xb2ab0028	 [libc-2.13.so	 + 0x00019028]	
0xb3dffa5f	 [chrome	 + 0x001ffa5f]	
0xb3beeb9f	 [ld-2.13.so	 + 0x0000eb9f]	
0xb3bff917	 [ld-2.13.so	 + 0x0001f917]
Labels: Mstone-20 ReleaseBlock-Beta
Status: Untriaged
Looks like a Regression . @mbollu .. It would be great if you provide a bisect result .
Also confirm whether the issue is reproducible in other OS .

Comment 16 by dharani@google.com, Apr 11 2012

Owner: mbollu@chromium.org
Status: Assigned
mbollu@: can you please get the regression window? thanks!
Owner: ----
Status: Untriaged
Currently I am unable to reproduce the issue on Linux Ubuntu 32-bit m/c for version 20.0.1096.1 dev. Hence couldn't give you the regression window.

I am unable to reproduce it on Win7, Linux Ubuntu 10.04 64-bit, Mac 10.7.3.
@dharani, @ligi: In Comment 14 I was able to reproduce the issue with default apps. For regression window I was not able to reproduce with default apps and adding apps from chrome web store.

Comment 19 by dbeam@chromium.org, Apr 11 2012

OK, so I wrote a long comment describing this but accidentally closed this tab.

tl;dr when the 3rd drag fails in the video (and "wormholes") the C++ is unaware of the last apps page. when you drag to the end on the 4th drag (or any sub-sequent drag before refreshing) we hit a CHECK_LE() (rightfully so) because we tried to drop on a page that doesn't exist yet (according to the C++).

Potential fixes:
1) save the temporary app page / nav dot if you fail to drop an app on it but are still on that page in the UI so the C++ knows it's there
2) delete the temporary app page if you don't drop anything on it and scroll back a page (probably worse experience)

Comment 20 by dbeam@chromium.org, Apr 11 2012

also, I might mention that there may not be a clear "regression" CL as this could've always been the case and the defect just never exposed, additionally I believe you can reproduce this by

1) drag app to right page switcher (assuming LTR) and hold until last page
2) *without moving your mouse* drop the app, it should "wormhole"
3) scroll back to previous page, drag app to last page, drop

Comment 21 by dbeam@chromium.org, Apr 11 2012

ammending step #3 ^ move your mouse and drop on the area where the pane switcher used to be (you should get a "drop not allowed" cursor, depending on the OS it'll probably look like a "no smoking" sign or something)

Comment 22 by dbeam@chromium.org, Apr 11 2012

see 591bc33b18b8c133

Comment 23 by dbeam@chromium.org, Apr 11 2012

OK, figured out another set of repro steps:

1) start dragging any app, move to newly creating page, quickly drop on another page to create empty page at the end of pane list
2) do step #1 again
3) try to drop anything on the last page in the list

BOOM! see crash 7229ad0776dab237

Comment 24 by dharani@google.com, Apr 11 2012

Owner: dbeam@chromium.org
Status: Assigned
dbeam@: Assigning this bug to you. Please delegate if you aren't the right person. 

Comment 26 by dbeam@chromium.org, Apr 12 2012

Labels: -Mstone-20 Mstone-19
I can reproduce this in 19 as well.

Comment 27 by dbeam@chromium.org, Apr 13 2012

Cc: laforge@google.com
Labels: Merge-Requested
Laforge: very small functional change to fix a relatively easy to reproduce crash.

Comment 28 by laforge@google.com, Apr 13 2012

Labels: -Merge-Requested Merge-Approved
Project Member

Comment 29 by bugdroid1@chromium.org, Apr 16 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=132468

------------------------------------------------------------------------
r132468 | dbeam@chromium.org | Mon Apr 16 14:50:03 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/extension_sorting_unittest.cc?r1=132468&r2=132467&pathrev=132468
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/extension_sorting.h?r1=132468&r2=132467&pathrev=132468
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/extensions/extension_sorting.cc?r1=132468&r2=132467&pathrev=132468

[NTP4] Fix empty apps page crash.

R=estade@chromium.org,csharp@chromium.org
BUG= 122214 
TEST=Drag, switch to new pane, drop on original nav dot. Drop on newly created
pane. Nothing should asplode.


Review URL: http://codereview.chromium.org/10068001
------------------------------------------------------------------------
Project Member

Comment 30 by bugdroid1@chromium.org, Apr 17 2012

Labels: merge-merged-1084
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=132528

------------------------------------------------------------------------
r132528 | dbeam@chromium.org | Mon Apr 16 20:18:49 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/1084/src/chrome/browser/extensions/extension_sorting.h?r1=132528&r2=132527&pathrev=132528
 M http://src.chromium.org/viewvc/chrome/branches/1084/src/chrome/browser/extensions/extension_sorting.cc?r1=132528&r2=132527&pathrev=132528
 M http://src.chromium.org/viewvc/chrome/branches/1084/src/chrome/browser/extensions/extension_sorting_unittest.cc?r1=132528&r2=132527&pathrev=132528

Merge 132468 - [NTP4] Fix empty apps page crash.

R=estade@chromium.org,csharp@chromium.org
BUG= 122214 
TEST=Drag, switch to new pane, drop on original nav dot. Drop on newly created
pane. Nothing should asplode.


Review URL: http://codereview.chromium.org/10068001

TBR=dbeam@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10105019
------------------------------------------------------------------------

Comment 31 by dbeam@chromium.org, Apr 17 2012

Status: Fixed
Status: Verified
verified that the crash doesn't happen with steps in Comment #23 
chrome version tested: 20.0.1105.0
OS: Ubuntu 10.04 64bit

Comment 33 by k...@google.com, Aug 8 2012

Labels: -Merge-Approved
Removing Merge-Approved from past milestones.
Project Member

Comment 34 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 35 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Feature-NewTabPage -Mstone-19 Cr-UI-Browser-NewTabPage M-19
Project Member

Comment 36 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Sign in to add a comment