
Issue 14594

Issue metadata

Status: Verified
Owner:
Closed: Jul 2009
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug
M-3

Restricted
  • Only users with EditIssue permission may comment.




Crash - views::NativeMenuWin::MenuHostWindow::ProcessWindowMessage(HWND__ *,unsigned int,unsigned int,long,long *)

Project Member Reported by lafo...@chromium.org, Jun 18 2009

Issue description

This crash was detected in 3.0.189.0 and was seen in 3.0.187.1.
It is currently ranked #2 (based on the relative number of reports in the release).  There have been 60 reports from 52 clients.
Search query: http://crash/search?query=Chrome+3.0.189.0+views%3A%3ANativeMenuWin%3A%3AMenuHostWindow%3A%3AProcessWindowMessage%28HWND__+*%2Cunsigned+int%2Cunsigned+int%2Clong%2Clong+*%29
----------------------------
*       Summary Data       *
----------------------------
Report Link: http://crash/reportdetail?reportid=e41ede936ca2861e
Mini Dump Link: http://crash/file?reportid=e41ede936ca2861e&name=upload_file_minidump

Uptime: 4560 sec
User Comments: null
OS: Windows XP Service Pack 2
CPU Architecture: x86
CPU Info: AuthenticAMD family 6 model 8 stepping 1
rept: null
ptype: browser
plat: Win32
crash type:(EXCEPTION_ACCESS_VIOLATION@0x550f9400)

----------------------------
*      Loaded Modules      *
----------------------------
    ru.dll
    default.dll
    chrome.dll
    gears.dll
    icudt38.dll
    rlz.dll
    chrome.exe
    adialhk.dll
    dnsq.dll
    miscr3.dll
    pshook.dll
    comctl32.dll
    advapi32.dll
    crypt32.dll
    cryptnet.dll
    dnsapi.dll
    dssenh.dll
    gdi32.dll
    hnetcfg.dll
    imm32.dll
    iphlpapi.dll
    kernel32.dll
    lz32.dll
    msasn1.dll
    msv1_0.dll
    msvcp60.dll
    msvcrt.dll
    mswsock.dll
    netapi32.dll
    ntdll.dll
    ntmarta.dll
    ole32.dll
    oleacc.dll
    oleaut32.dll
    psapi.dll
    rasadhlp.dll
    rasapi32.dll
    rasman.dll
    riched20.dll
    rpcrt4.dll
    rsaenh.dll
    rtutils.dll
    samlib.dll
    schannel.dll
    secur32.dll
    sensapi.dll
    serwvdrv.dll
    shell32.dll
    shlwapi.dll
    sxs.dll
    t2embed.dll
    tapi32.dll
    umdmxfrm.dll
    urlmon.dll
    user32.dll
    userenv.dll
    usp10.dll
    uxtheme.dll
    version.dll
    winhttp.dll
    wininet.dll
    winmm.dll
    wldap32.dll
    ws2_32.dll
    ws2help.dll
    wshtcpip.dll
    xpsp2res.dll

----------------------------
*        Crash Trace       *
----------------------------
            [user32.dll+0x00008708] - InternalCallWinProc
            [user32.dll+0x000087ea] - UserCallWinProcCheckWow
            [user32.dll+0x0000b367] - DispatchClientMessage
            [user32.dll+0x0000b3b3] - __fnDWORD
             [ntdll.dll+0x0000eae2] - KiUserCallbackDispatcher
           [native_menu_win.cc:269] - views::NativeMenuWin::MenuHostWindow::ProcessWindowMessage(HWND__ *,unsigned int,unsigned int,long,long *)
            [user32.dll+0x0000b31a] - TestWindowProcess
         [render_view_host.cc:1116] - RenderViewHost::OnMsgContextMenu(ContextMenuParams const &)
         [ipc_message_utils.h:1101] - IPC::MessageWithTuple<Tuple1<ContextMenuParams> >::Dispatch<RenderViewHost,void ( RenderViewHost::*)(ContextMenuParams const &)>(IPC::Message const *,RenderViewHost *,void ( RenderViewHost::*)(ContextMenuParams const &))
          [render_view_host.cc:768] - RenderViewHost::OnMessageReceived(IPC::Message const &)
[browser_render_process_host.cc:667] - BrowserRenderProcessHost::OnMessageReceived(IPC::Message const &)
    [resource_message_filter.cc:85] - `anonymous namespace'::ContextMenuMessageDispatcher::Run()
              [message_loop.cc:309] - MessageLoop::RunTask(Task *)
              [message_loop.cc:317] - MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
              [message_loop.cc:423] - MessageLoop::DoWork()
          [message_pump_win.cc:209] - base::MessagePumpForUI::DoRunLoop()
           [message_pump_win.cc:52] - base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
              [message_loop.cc:193] - MessageLoop::RunInternal()
              [message_loop.cc:181] - MessageLoop::RunHandler()
              [message_loop.cc:585] - MessageLoopForUI::Run(base::MessagePumpWin::Dispatcher *)
              [browser_main.cc:192] - `anonymous namespace'::RunUIMessageLoop(BrowserProcess *)
              [browser_main.cc:797] - BrowserMain(MainFunctionParams const &)
           [chrome_dll_main.cc:510] - ChromeMain
       [google_update_client.cc:93] - google_update::GoogleUpdateClient::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,wchar_t *,char const *,int *)
              [machine_deal.cc:378] - rlz_lib::MachineDealCode::GetMachineId(ATL::CStringT<wchar_t,ATL::StrTraitATL<wchar_t,ATL::ChTraitsOS<wchar_t> > > *)
            [chrome.exe+0x000c005b] - 

 
Labels: Mstone-3
Status: Assigned
Related to changes made in r17895?
Labels: Crash-3.0.190.1
This crash was found in 3.0.190.1 and is currently ranked #2 (based on the relative number of reports in the release).  There have been 59 reports from 49 clients.

Report Link: http://crash/reportdetail?reportid=6a4a570bfbbb7216
http://crash/search?query=Chrome+3.0.190.1+views%3A%3ANativeMenuWin%3A%3AMenuHostWindow%3A%3AProcessWindowMessage%28HWND__+*%2Cunsigned+int%2Cunsigned+int%2Clong%2Clong+*%29

Comment 3 by huanr@chromium.org, Jun 26 2009

 Issue 14596  has been merged into this issue.

Comment 4 by huanr@chromium.org, Jun 26 2009

// -> crash in this function
void NativeMenuWin::MenuHostWindow::OnMenuSelect(WPARAM w_param, HMENU menu) {
  if (!menu)
    return;  // menu is null when closing on XP.

  int position = GetMenuItemIndexFromWPARAM(menu, w_param);
  if (position >= 0)
    // -> crash on this line
    // GetNativeMenuWinFromHMENU has returned and
    // GetNativeMenuWinFromHMENU(menu)->model_ is dereferenced.
    // It seems model_ is invalid, so the crash happens when calling HighlightChangedTo.
    GetNativeMenuWinFromHMENU(menu)->model_->HighlightChangedTo(position);
}

Comment 5 by bugdro...@gmail.com, Jun 26 2009

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=19411 

------------------------------------------------------------------------
r19411 | ben@chromium.org | 2009-06-26 13:29:41 -0700 (Fri, 26 Jun 2009) | 8 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/views/controls/menu/native_menu_win.cc?r1=19411&r2=19410

Fix a menu crash.

The menu's host window, the message window that receives notifications from the native menu about selection changes, is destroyed; however, if the menu is still active it will continue to send messages to it. SDK docs say properties set with SetProp should be removed with RemoveProp before a window is finally NCDESTROYed. The code wasn't doing this, so it was still theoretically possible for the code in the message window's window procedure to locate "something" on that property.

 http://crbug.com/14594 
TEST=none

Review URL: http://codereview.chromium.org/147230
------------------------------------------------------------------------
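
The failure mode described in the r19411 commit message, as a portable C++ model added here; it is not Chromium's code and not part of the original thread. A std::map stands in for the Win32 window property table behind SetProp/GetProp/RemoveProp, and the names HostWindow, Menu, Key, LateMessage and the "menu" property name are assumptions made for the illustration.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
// Portable model (constructed): a std::map stands in for the per-window
// property table that Win32 exposes through SetProp/GetProp/RemoveProp.
using Hwnd = int;
struct Menu { int highlighted = -1; };
using PropKey = std::pair<Hwnd, std::string>;
static PropKey Key(Hwnd hwnd) { return PropKey(hwnd, "menu"); }  // assumed property name
static std::map<PropKey, Menu*> g_props;
static std::set<Menu*> g_live;  // lets the model spot a stale pointer without dereferencing it

enum class Result { kHandled, kIgnored, kStalePointer };

// Window-procedure side: locate the menu through the window property.
Result OnMenuSelect(Hwnd hwnd, int position) {
  auto it = g_props.find(Key(hwnd));
  if (it == g_props.end()) return Result::kIgnored;  // property removed: late message dropped
  if (!g_live.count(it->second)) return Result::kStalePointer;  // real code would use freed memory
  it->second->highlighted = position;
  return Result::kHandled;
}

// Host window; remove_prop=false models teardown that leaves the property set.
class HostWindow {
 public:
  HostWindow(Hwnd hwnd, bool remove_prop)
      : hwnd_(hwnd), remove_prop_(remove_prop), menu_(new Menu) {
    g_live.insert(menu_);
    g_props[Key(hwnd_)] = menu_;  // SetProp
  }
  ~HostWindow() {
    if (remove_prop_) g_props.erase(Key(hwnd_));  // RemoveProp during teardown
    g_live.erase(menu_);
    delete menu_;
  }

 private:
  Hwnd hwnd_;
  bool remove_prop_;
  Menu* menu_;
};

// Destroys the host, then delivers one more selection message, as a
// still-active native menu would.
Result LateMessage(Hwnd hwnd, bool remove_prop) {
  { HostWindow host(hwnd, remove_prop); }
  return OnMenuSelect(hwnd, 1);
}
```

With the property left in place the late message reaches a pointer whose object is gone; with the property removed during teardown the handler finds nothing and returns early.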

Comment 6 by ben@chromium.org, Jun 29 2009

Status: Fixed
This should be fixed now.

Comment 7 by huanr@chromium.org, Jun 29 2009

 Issue 15378  has been merged into this issue.

Comment 8 by huanr@chromium.org, Jun 29 2009

 Issue 14600  has been merged into this issue.
Status: Assigned

Comment 10 by jon@chromium.org, Jul 14 2009

This appears to be fixed.
It's not yet, waiting on a check-in from Ben.
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=20692 

------------------------------------------------------------------------
r20692 | ben@chromium.org | 2009-07-14 17:37:06 -0700 (Tue, 14 Jul 2009) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/views/controls/menu/menu_2.h?r1=20692&r2=20691

Attempt fixing a crash. Looks like NativeMenuWin was getting leaked by Menu2... meaning a NativeMenuWin could outlive its model potentially!

 http://crbug.com/14594 
TEST=none

Review URL: http://codereview.chromium.org/149635
------------------------------------------------------------------------

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=20696 

------------------------------------------------------------------------
r20696 | laforge@chromium.org | 2009-07-14 17:52:28 -0700 (Tue, 14 Jul 2009) | 10 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/193/src/views/controls/menu/menu_2.h?r1=20696&r2=20695

Merge 20692 - Attempt fixing a crash. Looks like NativeMenuWin was getting leaked by Menu2... meaning a NativeMenuWin could outlive its model potentially!

 http://crbug.com/14594 
TEST=none

Review URL: http://codereview.chromium.org/149635

TBR=ben@chromium.org

Review URL: http://codereview.chromium.org/155549
------------------------------------------------------------------------

Status: Verified
This crash has not appeared in 193.1, marking as verified.
Project Member

Comment 15 by crashbot@chromium.org, Aug 11 2009

Labels: -Pri-1 Pri-3 Crash-3.0.197.11
This crash was found in 3.0.197.11 and is currently ranked #220 (based on the relative number of reports in the release).  There have been 2 reports from 2 clients.

Report Link: http://crash/reportdetail?reportid=acb6ab0dffeb515d
http://crash/search?query=Chrome+3.0.197.11+IPC%3A%3AMessageWithReply%3CTuple1%3Cint%3E%2CTuple0%3E%3A%3ADispatchDelayReply%3CAutomationProvider%2Cvoid+%28+AutomationProvider%3A%3A*%29%28int%2CIPC%3A%3AMessage+*%29%3E%28IPC%3A%3AMessage+const+*%2CAutomationProvider+*%2Cvoid+%28+AutomationProvider%3A%3A*%29%28int%2CIPC%3A%3AMessage+*%29%29
This crash does not appear to have been in 3.0.196.2
Project Member

Comment 16 by crashbot@chromium.org, Oct 6 2009

Project Member

Comment 17 by crashbot@chromium.org, Oct 12 2009

Labels: Crash-4.0.221.6
This crash was found in 4.0.221.6 and is currently ranked #104 (based on the relative number of reports in the release).  There have been 14 reports from 8 clients.

Report Link: http://crash/reportdetail?reportid=908a1ebc0896c5de
http://crash/search?query=Chrome+4.0.221.6+IPC%3A%3AMessageWithReply%3CTuple1%3Cint%3E%2CTuple0%3E%3A%3ADispatchDelayReply%3CPluginChannel%2Cvoid+%28+PluginChannel%3A%3A*%29%28int%2CIPC%3A%3AMessage+*%29%3E%28IPC%3A%3AMessage+const+*%2CPluginChannel+*%2Cvoid+%28+PluginChannel%3A%3A*%29%28int%2CIPC%3A%3AMessage+*%29%29
This crash does not appear to have been in 4.0.220.1
Project Member

Comment 19 by crashbot@chromium.org, Oct 26 2009

Labels: Crash-4.0.223.11
This crash was found in 4.0.223.11 and is currently ranked #234 (based on the relative number of reports in the release).  There have been 2 reports from 2 clients.

Report Link: http://crash/reportdetail?reportid=c749e2027c61aeea
http://crash/search?query=Chrome+4.0.223.11+IPC%3A%3AMessageWithReply%3CTuple1%3Cint%3E%2CTuple0%3E%3A%3ADispatchDelayReply%3CPluginChannel%2Cvoid+%28+PluginChannel%3A%3A*%29%28int%2CIPC%3A%3AMessage+*%29%3E%28IPC%3A%3AMessage+const+*%2CPluginChannel+*%2Cvoid+%28+PluginChannel%3A%3A*%29%28int%2CIPC%3A%3AMessage+*%29%29
This crash does not appear to have been in 4.0.223.9
Project Member

Comment 20 by crashbot@chromium.org, Nov 5 2009

Project Member

Comment 21 by bugdroid1@chromium.org, Oct 12 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 22 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Mstone-3 M-3
Project Member

Comment 23 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
