|
|
||||||||
Issue descriptionThis crash was detected in 3.0.192.1 and appears to be a regression from 3.0.191.3. It is currently ranked #9 (based on the relative number of reports in the release). There have been 4 reports from 4 clients. Search query: http://crash/search?query=Chrome+3.0.192.1+RenderWidgetHost%3A%3ASend%28IPC%3A%3AMessage+*%29 ---------------------------- * Summary Data * ---------------------------- Report Link: http://crash/reportdetail?reportid=a009b5d204c725c1 Mini Dump Link: http://crash/file?reportid=a009b5d204c725c1&name=upload_file_minidump Uptime: 41 sec User Comments: null OS: Windows 7 CPU Architecture: x86 CPU Info: GenuineIntel family 6 model 14 stepping 12 rept: null ptype: browser plat: Win32 crash type:(EXCEPTION_ACCESS_VIOLATION@0x0000001b) ---------------------------- * Crash Trace * ---------------------------- [render_widget_host.cc:127] - RenderWidgetHost::Send(IPC::Message *) [render_view_host.cc:567] - RenderViewHost::DragSourceMovedTo(int,int,int,int) [web_drag_source.cc:68] - WebDragSource::OnDragSourceMove() [base_drag_source.cc:28] - BaseDragSource::QueryContinueDrag(int,unsigned long) [ole32.dll+0x0010783f] - CDragOperation::UpdateTarget() [ole32.dll+0x00107b14] - DoDragDrop [tab_contents_view_win.cc:186] - TabContentsViewWin::StartDragging(WebDropData const &) [ipc_message_utils.h:1152] - IPC::MessageWithTuple<Tuple1<WebDropData> >::Dispatch<RenderViewHost,void ( RenderViewHost::*)(WebDropData const &)>(IPC::Message const *,RenderViewHost *,void ( RenderViewHost::*)(WebDropData const &)) [render_view_host.cc:709] - RenderViewHost::OnMessageReceived(IPC::Message const &) [browser_render_process_host.cc:772] - BrowserRenderProcessHost::OnMessageReceived(IPC::Message const &) [task.h:307] - RunnableMethod<CancelableRequest<CallbackRunner<Tuple5<int,bool,scoped_refptr<RefCountedVector<unsigned char> >,bool,GURL> > >,void ( CancelableRequest<CallbackRunner<Tuple5<int,bool,scoped_refptr<RefCountedVector<unsigned char> >,bool,GURL> > >::*)(Tuple5<int,bool,scoped_refptr<RefCountedVector<unsigned char> >,bool,GURL> const &),Tuple1<Tuple5<int,bool,scoped_refptr<RefCountedVector<unsigned char> >,bool,GURL> > >::Run() [message_loop.cc:313] - MessageLoop::RunTask(Task *) [message_loop.cc:321] - MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &) [message_loop.cc:427] - MessageLoop::DoWork() [message_pump_win.cc:209] - base::MessagePumpForUI::DoRunLoop() [message_pump_win.cc:52] - base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *) [message_loop.cc:193] - MessageLoop::RunInternal() [message_loop.cc:181] - MessageLoop::RunHandler() [message_loop.cc:589] - MessageLoopForUI::Run(base::MessagePumpWin::Dispatcher *) [browser_main.cc:192] - `anonymous namespace'::RunUIMessageLoop(BrowserProcess *) [browser_main.cc:792] - BrowserMain(MainFunctionParams const &) [chrome_dll_main.cc:513] - ChromeMain [google_update_client.cc:96] - google_update::GoogleUpdateClient::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,wchar_t *,char const *,int *) [chrome_exe_main.cc:94] - wWinMain [crt0.c:324] - __tmainCRTStartup [kernel32.dll+0x000510db] - BaseThreadInitThunk [ntdll.dll+0x00061e9d] - [ntdll.dll+0x00061e70] - ---------------------------- * Loaded Modules * ---------------------------- mdnsNSP.dll WLIDNSP.DLL GoogleDesktopAPI2.dll GoogleDesktopCommon.dll GoogleDesktopNetwork3.dll GoogleDesktopResources_en.dll sfShellTools.dll chrome.dll gears.dll icudt38.dll chrome.exe CRYPTBASE.dll EhStorShell.dll FWPUCLNT.DLL IPHLPAPI.DLL KERNELBASE.dll PeerDist.dll RpcRtRemote.dll SensApi.dll WSHTCPIP.DLL WindowsCodecs.dll Wldap32.dll advapi32.dll apphelp.dll authz.dll bcrypt.dll bcryptprimitives.dll cabinet.dll cfgmgr32.dll clbcatq.dll credssp.dll crypt32.dll cryptnet.dll cryptsp.dll cscapi.dll cscdll.dll cscui.dll devobj.dll devrtl.dll dhcpcsvc.dll dhcpcsvc6.DLL dnsapi.dll dwmapi.dll gdi32.dll gpapi.dll iertutil.dll imm32.dll kernel32.dll lpk.dll msasn1.dll mscms.dll msctf.dll msvcrt.dll mswsock.dll ncrypt.dll normaliz.dll nsi.dll ntdll.dll ntmarta.dll ntshrui.dll ole32.dll oleacc.dll oleaut32.dll profapi.dll propsys.dll psapi.dll rasadhlp.dll riched20.dll rpcrt4.dll rsaenh.dll schannel.dll sechost.dll secur32.dll setupapi.dll shdocvw.dll shell32.dll shlwapi.dll slc.dll srvcli.dll sspicli.dll sxs.dll t2embed.dll urlmon.dll user32.dll userenv.dll usp10.dll uxtheme.dll version.dll webio.dll winhttp.dll wininet.dll winmm.dll winnsi.dll wpdshext.dll ws2_32.dll wship6.dll comctl32.dll GdiPlus.dll , Jul 9 2009
, Jul 9 2009
Hmm, it looks like the RenderWidgetHost is a junk address here since the crash is a bad address deref @0x0000001b. That is a bit of a strange address. The offset of the process_ member of RenderWidgetHost is not 0x1b as best as I can tell. And, besides the WebDragSource has a CHECK that the given RenderWidgetHost is not null. At any rate, I suspect that we probably began tearing down parts of the UI (possibly only the tab) while a drag-n-drop operation was in progress. -> BrowserUI , Jul 9 2009Arv's been looking at this recently, although the stack doesn't seem to be related to his change. , Jul 9 2009FWIW I saw crashes in Safari for Windows as well when I was fixing another DnD bug. , Jul 10 2009
I'm able to repro. Darin is right, if the window that we're dragging from is closed (e.g., via JS), we crash. Investigating... , Jul 10 2009Issue 12524 has been merged into this issue. , Jul 10 2009Issue 16366 has been merged into this issue. , Jul 10 2009
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=20436
------------------------------------------------------------------------
r20436 | tc@google.com | 2009-07-10 16:10:42 -0700 (Fri, 10 Jul 2009) | 13 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/base/base_drag_source.cc?r1=20436&r2=20435
M http://src.chromium.org/viewvc/chrome/trunk/src/base/base_drag_source.h?r1=20436&r2=20435
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tab_contents/tab_contents.cc?r1=20436&r2=20435
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tab_contents/tab_contents_view.h?r1=20436&r2=20435
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tab_contents/web_drag_source.cc?r1=20436&r2=20435
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/views/tab_contents/tab_contents_view_win.cc?r1=20436&r2=20435
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/views/tab_contents/tab_contents_view_win.h?r1=20436&r2=20435
Fix a crash that happens if a tab is closed while
we're in the middle of a drag originating from the tab.
The problem is that the tab gets deleted out from under the
drag operation which is happening in a nested message loop.
To work around this, if we're in the middle of a drag and
we get a tab close request, delay the tab close until after
the drag operation is finished.
BUG= 16280
Review URL: http://codereview.chromium.org/149466
------------------------------------------------------------------------
, Jul 10 2009
, Jul 15 2009
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=20695
------------------------------------------------------------------------
r20695 | laforge@chromium.org | 2009-07-14 17:51:20 -0700 (Tue, 14 Jul 2009) | 17 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/branches/193/src/base/base_drag_source.cc?r1=20695&r2=20694
M http://src.chromium.org/viewvc/chrome/branches/193/src/base/base_drag_source.h?r1=20695&r2=20694
M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/tab_contents/tab_contents.cc?r1=20695&r2=20694
M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/tab_contents/tab_contents_view.h?r1=20695&r2=20694
M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/tab_contents/web_drag_source.cc?r1=20695&r2=20694
M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/views/tab_contents/tab_contents_view_win.cc?r1=20695&r2=20694
M http://src.chromium.org/viewvc/chrome/branches/193/src/chrome/browser/views/tab_contents/tab_contents_view_win.h?r1=20695&r2=20694
Merge 20436 - Fix a crash that happens if a tab is closed while
we're in the middle of a drag originating from the tab.
The problem is that the tab gets deleted out from under the
drag operation which is happening in a nested message loop.
To work around this, if we're in the middle of a drag and
we get a tab close request, delay the tab close until after
the drag operation is finished.
BUG= 16280
Review URL: http://codereview.chromium.org/149466
TBR=tc@google.com
Review URL: http://codereview.chromium.org/155548
------------------------------------------------------------------------
, Jul 17 2009Issue 16073 has been merged into this issue. , Oct 12 2012Project Member
This issue has been closed for some time. No one will pay attention to new comments. If you are seeing this bug or have new data, please click New Issue to start a new bug. , Mar 10 2013Project Member
, Mar 13 2013Project Member
|
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by lafo...@chromium.org, Jul 9 2009
Status: Assigned