Issue 175454 Crash on deleting text
Project Member Reported by aurimas@chromium.org, Feb 11, 2013
Status: Fixed
Owner: aurimas@chromium.org
Closed: Mar 2013
Cc: aurimas@chromium.org, isherman@chromium.org, yus...@chromium.org, yfried...@chromium.org, csharp@chromium.org
Components:
OS: Android
Pri: 1
Type: Bug
Version: ToT
OS: Android 4.2.2 using LatinIME keyboard

What steps will reproduce the problem?
1. Go to form870.appspot.com/smoke.html
2. Tap on the field "name:"
3. Type in "Hell"
4. Press "go"
5. Navigate back
6. Tap on the field "name:"
7. Press "X" to delete "Hell" a few times and then any other key on the keyboard.

What is the expected output?
It works!

What do you see instead?
CRASH!!!

Stack Trace:
  RELADDR   FUNCTION                                                                                             FILE:LINE
  00931e3c  content::RenderWidgetHostImpl::KeyPressListenersHandleEvent(content::NativeWebKeyboardEvent const&)  /usr/local/google/ssd1/clankium/src/out/Debug/../../content/browser/renderer_host/render_widget_host_impl.cc:2132
  00934e65  content::RenderWidgetHostImpl::ForwardKeyboardEvent(content::NativeWebKeyboardEvent const&)          /usr/local/google/ssd1/clankium/src/out/Debug/../../content/browser/renderer_host/render_widget_host_impl.cc:1067
  00936129  content::RenderWidgetHostViewAndroid::SendKeyEvent(content::NativeWebKeyboardEvent const&)           /usr/local/google/ssd1/clankium/src/out/Debug/../../content/browser/renderer_host/render_widget_host_view_android.cc:517
  0090d63d  content::ImeAdapterAndroid::SendSyntheticKeyEvent(_JNIEnv*, _jobject*, int, long, int, int)          /usr/local/google/ssd1/clankium/src/out/Debug/../../content/browser/renderer_host/ime_adapter_android.cc:111
  0090dfb5  SendSyntheticKeyEvent                                                                                /usr/local/google/ssd1/clankium/src/out/Debug/gen/content/jni/ImeAdapter_jni.h:42
  0001e290  dvmPlatformInvoke+112                                                                                /system/lib/libdvm.so
  0004d411  dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*)+396                           /system/lib/libdvm.so
  000276a0  <unknown>                                                                                            /system/lib/libdvm.so
  0002b57c  dvmInterpret(Thread*, Method const*, JValue*)+184                                                    /system/lib/libdvm.so
  0005ff07  dvmInvokeMethod(Object*, Method const*, ArrayObject*, ArrayObject*, ClassObject*, bool)+374          /system/lib/libdvm.so
  000677e1  <unknown>                                                                                            /system/lib/libdvm.so
  000276a0  <unknown>                                                                                            /system/lib/libdvm.so
  0002b57c  dvmInterpret(Thread*, Method const*, JValue*)+184                                                    /system/lib/libdvm.so
  0005fc31  dvmCallMethodV(Thread*, Method const*, Object*, bool, JValue*, std::__va_list)+272                   /system/lib/libdvm.so
  000499fb  <unknown>                                                                                            /system/lib/libdvm.so
  00046871  <unknown>                                                                                            /system/lib/libandroid_runtime.so
  00047533  android::AndroidRuntime::start(char const*, char const*)+390                                         /system/lib/libandroid_runtime.so
  00000db7  <unknown>                                                                                            /system/bin/app_process
  0001271f  __libc_init+38                                                                                       /system/lib/libc.so
  00000ae8  <unknown>                                                                                            /system/bin/app_process
Comment 1 by aurimas@chromium.org, Feb 11, 2013
It does not repro on 25.0.1364.80
Comment 2 by aurimas@chromium.org, Feb 12, 2013
Cc: csharp@chromium.org isherman@chromium.org
Labels: Mstone-26
Status: Available
+isherman and csharp who recently changed this code path.

This crash happens on 
((*it)->HandleKeyPressEvent(event))

which in turn calls the only KeyboardListener --> AutofillPopupControllerImpl::HandleKeyPressEvent().
Comment 3 by aurimas@chromium.org, Feb 12, 2013
Labels: OS-Linux
There is the same crash on linux.

Repro steps.
1. Enable "Enable new Autofill UI" flag in chrome://flags
2. Go to form870.appspot.com/smoke.html
3. Type in a name "Bob"
4. Click the "submit" button
5. Go back
6. Tap twice on the name field with value "Bob" so Autofill suggestion shows up.
7. Press any key (i.e. "y") and then press backspace.

This crashes chrome with stacktrace below.

Program received signal SIGSEGV, Segmentation fault.
0x000055555778c908 in content::RenderWidgetHostImpl::KeyPressListenersHandleEvent (this=0x389d58798428, event=...)
    at ../../content/browser/renderer_host/render_widget_host_impl.cc:2134
2134	    if ((*it)->HandleKeyPressEvent(event))
(gdb) bt
#0  0x000055555778c908 in content::RenderWidgetHostImpl::KeyPressListenersHandleEvent (this=0x389d58798428, event=...)
    at ../../content/browser/renderer_host/render_widget_host_impl.cc:2134
#1  0x0000555557787bde in content::RenderWidgetHostImpl::ForwardKeyboardEvent (this=0x389d58798428, key_event=...)
    at ../../content/browser/renderer_host/render_widget_host_impl.cc:1073
#2  0x0000555557767a0e in content::RenderViewHostImpl::ForwardKeyboardEvent (this=0x389d58798420, key_event=...)
    at ../../content/browser/renderer_host/render_view_host_impl.cc:1675
#3  0x000055555779c21c in content::RenderWidgetHostViewGtk::ForwardKeyboardEvent (this=0x389d57e4d020, event=...)
    at ../../content/browser/renderer_host/render_widget_host_view_gtk.cc:1391
#4  0x00005555578eaf9c in content::GtkIMContextWrapper::ProcessUnfilteredKeyPressEvent (this=0x389d57bf0230, wke=0x7fffffffba30)
    at ../../content/browser/renderer_host/gtk_im_context_wrapper.cc:390
#5  0x00005555578ea89a in content::GtkIMContextWrapper::ProcessKeyEvent (this=0x389d57bf0230, event=0x389d57b7c550)
    at ../../content/browser/renderer_host/gtk_im_context_wrapper.cc:207
#6  0x000055555779d40c in content::RenderWidgetHostViewGtkWidget::OnKeyPressReleaseEvent (widget=0x7ffff7f24840, event=0x389d57b7c550, 
    host_view=0x389d57e4d020) at ../../content/browser/renderer_host/render_widget_host_view_gtk.cc:229
#7  0x00007ffff642add8 in _gtk_marshal_BOOLEAN__BOXED (closure=0x389d58993dc0, return_value=0x7fffffffbca0, 
    n_param_values=<optimized out>, param_values=0x7fffffffbd10, invocation_hint=<optimized out>, marshal_data=<optimized out>)
    at /build/buildd/gtk+2.0-2.24.10/gtk/gtkmarshalers.c:86
#8  0x00007ffff6c32ca2 in g_closure_invoke (closure=0x389d58993dc0, return_value=0x7fffffffbca0, n_param_values=2, 
    param_values=0x7fffffffbd10, invocation_hint=<optimized out>) at /build/buildd/glib2.0-2.32.3/./gobject/gclosure.c:777
#9  0x00007ffff6c43d71 in signal_emit_unlocked_R (node=<optimized out>, detail=0, instance=<optimized out>, 
    emission_return=0x7fffffffbee0, instance_and_params=0x7fffffffbd10) at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c:3547
#10 0x00007ffff6c4bd7e in g_signal_emit_valist (instance=0x7ffff7f24840, signal_id=<optimized out>, detail=0, var_args=<optimized out>)
    at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c:3306
#11 0x00007ffff6c4c242 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>)
    at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c:3352
#12 0x00007ffff6545191 in gtk_widget_event_internal (widget=0x7ffff7f24840, event=0x389d57b7c550)
    at /build/buildd/gtk+2.0-2.24.10/gtk/gtkwidget.c:4992
#13 0x00007ffff6559b6b in IA__gtk_window_propagate_key_event (window=0x389d563c27e0, event=0x389d57b7c550)
    at /build/buildd/gtk+2.0-2.24.10/gtk/gtkwindow.c:5216
#14 0x00005555579c91c1 in BrowserWindowGtk::OnKeyPress (this=0x389d56f19820, widget=0x389d563c27e0, event=0x389d57b7c550)
    at ../../chrome/browser/ui/gtk/browser_window_gtk.cc:2007
#15 0x00005555579ca872 in BrowserWindowGtk::OnKeyPressThunk (sender=0x389d563c27e0, one=0x389d57b7c550, userdata=0x389d56f19820)
    at ../../chrome/browser/ui/gtk/browser_window_gtk.h:414
#16 0x00007ffff642add8 in _gtk_marshal_BOOLEAN__BOXED (closure=0x389d56b922c0, return_value=0x7fffffffc420, 
    n_param_values=<optimized out>, param_values=0x7fffffffc490, invocation_hint=<optimized out>, marshal_data=<optimized out>)
    at /build/buildd/gtk+2.0-2.24.10/gtk/gtkmarshalers.c:86
#17 0x00007ffff6c32ca2 in g_closure_invoke (closure=0x389d56b922c0, return_value=0x7fffffffc420, n_param_values=2, 
    param_values=0x7fffffffc490, invocation_hint=<optimized out>) at /build/buildd/glib2.0-2.32.3/./gobject/gclosure.c:777
#18 0x00007ffff6c43d71 in signal_emit_unlocked_R (node=<optimized out>, detail=0, instance=<optimized out>, 
    emission_return=0x7fffffffc660, instance_and_params=0x7fffffffc490) at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c:3547
#19 0x00007ffff6c4bd7e in g_signal_emit_valist (instance=0x389d563c27e0, signal_id=<optimized out>, detail=0, var_args=<optimized out>)
    at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c:3306
#20 0x00007ffff6c4c242 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>)
    at /build/buildd/glib2.0-2.32.3/./gobject/gsignal.c:3352
#21 0x00007ffff6545191 in gtk_widget_event_internal (widget=0x389d563c27e0, event=0x389d57b7c550)
    at /build/buildd/gtk+2.0-2.24.10/gtk/gtkwidget.c:4992
#22 0x00007ffff6429037 in IA__gtk_propagate_event (widget=0x389d563c27e0, event=0x389d57b7c550)
    at /build/buildd/gtk+2.0-2.24.10/gtk/gtkmain.c:2541
#23 0x00007ffff64292c3 in IA__gtk_main_do_event (event=0x389d57b7c550) at /build/buildd/gtk+2.0-2.24.10/gtk/gtkmain.c:1757
#24 0x0000555556fa6aab in base::MessagePumpGtk::DispatchEvents (this=0x389d5644f2a0, event=0x389d57b7c550)
    at ../../base/message_pump_gtk.cc:76
#25 0x0000555556fa6d47 in base::MessagePumpGtk::EventDispatcher (event=0x389d57b7c550, data=0x389d5644f2a0)
    at ../../base/message_pump_gtk.cc:111
#26 0x00007ffff609dcac in gdk_event_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at /build/buildd/gtk+2.0-2.24.10/gdk/x11/gdkevents-x11.c:2377
#27 0x00007ffff6975d53 in g_main_dispatch (context=0x7ffff7f1db60) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:2539
#28 g_main_context_dispatch (context=0x7ffff7f1db60) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3075
#29 0x00007ffff69760a0 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x7ffff7f1db60, self=<optimized out>)
    at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3146
#30 g_main_context_iterate (context=0x7ffff7f1db60, block=<optimized out>, dispatch=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3083
#31 0x00007ffff6976164 in g_main_context_iteration (context=0x7ffff7f1db60, may_block=0)
    at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3207
#32 0x0000555556fa4ba8 in base::MessagePumpGlib::RunWithDispatcher (this=0x389d5644f2a0, delegate=0x7ffff7ee6920, dispatcher=0x0)
    at ../../base/message_pump_glib.cc:199
#33 0x0000555556fa5078 in base::MessagePumpGlib::Run (this=0x389d5644f2a0, delegate=0x7ffff7ee6920)
    at ../../base/message_pump_glib.cc:296
#34 0x0000555556f22e4d in MessageLoop::RunInternal (this=0x7ffff7ee6920) at ../../base/message_loop.cc:433
#35 0x0000555556f22d08 in MessageLoop::RunHandler (this=0x7ffff7ee6920) at ../../base/message_loop.cc:406
#36 0x0000555556f4bf9c in base::RunLoop::Run (this=0x7fffffffcf90) at ../../base/run_loop.cc:45
#37 0x0000555556437279 in ChromeBrowserMainParts::MainMessageLoopRun (this=0x7ffff7ef3de0, result_code=0x7ffff7ee4d38)
    at ../../chrome/browser/chrome_browser_main.cc:1636
#38 0x000055555763265b in content::BrowserMainLoop::RunMainMessageLoopParts (this=0x7ffff7ee4d20)
    at ../../content/browser/browser_main_loop.cc:510
#39 0x0000555557833dd2 in content::BrowserMainRunnerImpl::Run (this=0x7ffff7ef1e00) at ../../content/browser/browser_main_runner.cc:124
#40 0x000055555a972ddc in content::BrowserMain (parameters=...) at ../../content/browser/browser_main.cc:22
#41 0x00005555590a67da in content::RunNamedProcessTypeMain (process_type=<std::string::_Rep::_S_empty_rep_storage+24> "", 
    main_function_params=..., delegate=0x7fffffffd950) at ../../content/app/content_main_runner.cc:450
#42 0x00005555590a7636 in content::ContentMainRunnerImpl::Run (this=0x7ffff7eb1fa0) at ../../content/app/content_main_runner.cc:754
#43 0x00005555590a5d87 in content::ContentMain (argc=1, argv=0x7fffffffdab8, delegate=0x7fffffffd950)
    at ../../content/app/content_main.cc:35
#44 0x0000555555d323cd in ChromeMain (argc=1, argv=0x7fffffffdab8) at ../../chrome/app/chrome_main.cc:32
#45 0x0000555555d3238c in main (argc=1, argv=0x7fffffffdab8) at ../../chrome/app/chrome_exe_main_gtk.cc:31

Comment 4 by vinodkr@chromium.org, Feb 12, 2013
Labels: -Pri-2 Pri-1 ReleaseBlock-Dev
Owner: csharp@chromium.org
Chris, can you please help with this? This is blocking our dev releases, making autofill sync unusable.
Comment 5 by csharp@chromium.org, Feb 12, 2013
I've got a patch to fix this issue, I'll send it out for review soon.
Comment 6 by vinodkr@google.com, Feb 14, 2013
Status: Assigned
Project Member Comment 7 by bugdroid1@chromium.org, Feb 15, 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=182751

------------------------------------------------------------------------
r182751 | csharp@chromium.org | 2013-02-15T17:48:39.396773Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/autofill/autofill_popup_controller_unittest.cc?r1=182751&r2=182750&pathrev=182751
   M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/renderer_host/render_widget_host_impl.cc?r1=182751&r2=182750&pathrev=182751
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/autofill/autofill_popup_controller_impl.cc?r1=182751&r2=182750&pathrev=182751
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/autofill/autofill_popup_controller_impl.h?r1=182751&r2=182750&pathrev=182751
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/autofill/autofill_external_delegate_unittest.cc?r1=182751&r2=182750&pathrev=182751
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/autofill/autofill_external_delegate.cc?r1=182751&r2=182750&pathrev=182751
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/autofill/autofill_external_delegate.h?r1=182751&r2=182750&pathrev=182751
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/autofill/autofill_external_delegate_browsertest.cc?r1=182751&r2=182750&pathrev=182751

Properly Remove Autofill Keyboard Listener.

Remove the keyboard listener before we implicitly delete the object. Also
update the removal code to catch problems like this if they occur again.

R=estade@chromium.org
BUG= 175454 


Review URL: https://chromiumcodereview.appspot.com/12223106
------------------------------------------------------------------------
Comment 8 by csharp@chromium.org, Feb 15, 2013
Status: Fixed
Project Member Comment 9 by bugdroid1@chromium.org, Feb 15, 2013
Labels: Merge-TBD
Is there a merge required here?
Labels: -Merge-TBD Merge-Requested
Labels: -OS-Android -OS-Linux OS-All
Status: Assigned
Comment 13 by dharani@chromium.org, Feb 16, 2013
Labels: -Merge-Requested Merge-Approved
Project Member Comment 14 by bugdroid1@chromium.org, Feb 19, 2013
Labels: -Merge-Approved merge-merged-1410
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=183210

------------------------------------------------------------------------
r183210 | csharp@chromium.org | 2013-02-19T14:43:58.705144Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/autofill/autofill_external_delegate_browsertest.cc?r1=183210&r2=183209&pathrev=183210
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/ui/autofill/autofill_popup_controller_unittest.cc?r1=183210&r2=183209&pathrev=183210
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/content/browser/renderer_host/render_widget_host_impl.cc?r1=183210&r2=183209&pathrev=183210
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/ui/autofill/autofill_popup_controller_impl.cc?r1=183210&r2=183209&pathrev=183210
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/ui/autofill/autofill_popup_controller_impl.h?r1=183210&r2=183209&pathrev=183210
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/autofill/autofill_external_delegate_unittest.cc?r1=183210&r2=183209&pathrev=183210
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/autofill/autofill_external_delegate.cc?r1=183210&r2=183209&pathrev=183210
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/autofill/autofill_external_delegate.h?r1=183210&r2=183209&pathrev=183210

Merge 182751
> Properly Remove Autofill Keyboard Listener.
> 
> Remove the keyboard listener before we implicitly delete the object. Also
> update the removal code to catch problems like this if they occur again.
> 
> R=estade@chromium.org
> BUG= 175454 
> 
> 
> Review URL: https://chromiumcodereview.appspot.com/12223106

TBR=csharp@chromium.org
Review URL: https://codereview.chromium.org/12288046
------------------------------------------------------------------------
Comment 15 by kamakshi@google.com, Feb 19, 2013
Cc: yfried...@chromium.org
Status: Fixed
Looks like this should be fixed. Tentatively closing. Please re-open if it still repros.
Status: Assigned
Still crashing :( See crbug.com/175454
Comment 18 by csharp@google.com, Mar 4, 2013
I'm not seeing this at tip of tree with the original repro steps, are there new repro steps?
Sorry, I pasted the wrong issue number. See crbug.com/179534
26.0.1410.22 is failing.
Comment 20 by kareng@google.com, Mar 4, 2013
is this on android only now?
Labels: -ReleaseBlock-Dev ReleaseBlock-Stable
Moving the blocker to stable instead of dev.
This is Android only, because all the other platforms have the browser-side Autofill popup implementation turned off by default.
Comment 23 by kravula@google.com, Mar 4, 2013
Still seeing this crash in 26.0.1410.25 with swiftkey keyboard

Report link: http://go/crash/reportdetail?reportid=ec17a17994a518bf


Labels: -OS-All OS-Android
I still can't repro on linux (with the new Autofill enabled).

This could be possible if the android popup is directly hiding itself, instead of going through the controller. This issue still exists on desktop when the window gets moved, https://codereview.chromium.org/12302034/

I looked through the android code but didn't see anything similar; that is my best guess for what is happening.
From the discussion offline: this is caused by the view destroying itself without going through the parent.
Owner: aurimas@chromium.org
Status: Started
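The crash site in comment 2 ((*it)->HandleKeyPressEvent(event) called on a listener that has already been deleted) and the root cause above (the Android view dismissing itself without going through the controller, so the controller's unregister path never runs) are the same raw-pointer observer problem. The C++ below is an added illustration, not Chromium code: RenderWidgetHost, PopupController, KeyEvent and DismissAndCountDanglingListeners are stand-ins for the real classes, and the boolean check in RemoveKeyPressListener models, rather than reproduces, the "update the removal code to catch problems like this" part of r182751.

```cpp
// Added illustration, not Chromium code: a key-press listener registry that
// stores raw pointers, and why the listener's owner must unregister it before
// the object is destroyed. All class and function names here are stand-ins.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for content::NativeWebKeyboardEvent.
struct KeyEvent {
  int key_code;
};

// Stand-in for the KeyboardListener interface the host calls for every key.
class KeyboardListener {
 public:
  virtual ~KeyboardListener() = default;
  virtual bool HandleKeyPressEvent(const KeyEvent& event) = 0;
};

// Stand-in for RenderWidgetHostImpl. It does not own the listeners; it only
// holds raw pointers, so a listener that dies without unregistering leaves a
// dangling pointer behind.
class RenderWidgetHost {
 public:
  void AddKeyPressListener(KeyboardListener* listener) {
    listeners_.push_back(listener);
  }

  // Hardened removal: report whether the pointer was actually registered, so a
  // double removal or a removal of something never added is visible to the
  // caller instead of silently doing nothing.
  bool RemoveKeyPressListener(KeyboardListener* listener) {
    auto it = std::find(listeners_.begin(), listeners_.end(), listener);
    if (it == listeners_.end()) return false;
    listeners_.erase(it);
    return true;
  }

  // Counterpart of KeyPressListenersHandleEvent(): if any pointer in the list
  // is dangling, this is where the SIGSEGV in the report happens.
  bool KeyPressListenersHandleEvent(const KeyEvent& event) {
    for (KeyboardListener* listener : listeners_) {
      if (listener->HandleKeyPressEvent(event)) return true;
    }
    return false;
  }

  std::size_t listener_count() const { return listeners_.size(); }

 private:
  std::vector<KeyboardListener*> listeners_;
};

// Stand-in for AutofillPopupControllerImpl: it registers itself when the popup
// is shown and deletes itself when hidden. Hide() is the only correct teardown
// path because it unregisters first.
class PopupController : public KeyboardListener {
 public:
  explicit PopupController(RenderWidgetHost* host) : host_(host) {}

  void Show() { host_->AddKeyPressListener(this); }

  void Hide() {
    if (!host_->RemoveKeyPressListener(this)) {
      std::fprintf(stderr, "PopupController::Hide: listener was not registered\n");
    }
    delete this;
  }

  bool HandleKeyPressEvent(const KeyEvent&) override { return true; }

 private:
  RenderWidgetHost* host_;
};

// Models the two ways the Android view could dismiss the popup. With
// through_controller == false the view destroys the controller directly, the
// host keeps the stale pointer, and the next key press would use freed memory.
// Returns the number of listeners still registered afterwards; anything other
// than 0 is a dangling pointer. The stale pointer is deliberately never
// dereferenced here, since that would be undefined behaviour.
std::size_t DismissAndCountDanglingListeners(bool through_controller) {
  RenderWidgetHost host;
  PopupController* controller = new PopupController(&host);
  controller->Show();
  if (through_controller) {
    controller->Hide();  // unregister, then delete
  } else {
    delete controller;   // bypasses the controller: the bug
  }
  return host.listener_count();
}

// Fixed path end to end: the listener handles keys while the popup is open and,
// after Hide(), dispatch finds no listener and returns false instead of crashing.
bool KeyPressAfterProperHideIsSafe() {
  RenderWidgetHost host;
  PopupController* controller = new PopupController(&host);
  controller->Show();
  const KeyEvent backspace{8};
  const bool handled_while_open = host.KeyPressListenersHandleEvent(backspace);
  controller->Hide();
  const bool handled_after_hide = host.KeyPressListenersHandleEvent(backspace);
  return handled_while_open && !handled_after_hide;
}

int main() {
  std::printf("dismiss via controller: %zu dangling\n",
              DismissAndCountDanglingListeners(true));
  std::printf("dismiss bypassing controller: %zu dangling\n",
              DismissAndCountDanglingListeners(false));
  std::printf("key press after proper hide safe: %s\n",
              KeyPressAfterProperHideIsSafe() ? "yes" : "no");
  return 0;
}
```

In a plain build the bypass path is silent until the next key press, exactly as in the report; building with -fsanitize=address turns any later dereference of the stale pointer into an immediate, attributable heap-use-after-free report, which is the quickest way to confirm a suspected listener lifetime bug. The count check above is the minimal regression test; the structural fix is to make registration and removal inseparable (an RAII scoped-observer held by the controller), so a second teardown path cannot skip the unregister.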
Project Member Comment 29 by bugdroid1@chromium.org, Mar 8, 2013
Labels: Merge-Requested
Need to merge https://chromiumcodereview.appspot.com/12556002 to M26 branch to fix the crashes.
Noticed same crash on M26 - 26.0.1410.30
Report link: http://go/crash/reportdetail?reportid=0e98084eb7032495
Project Member Comment 32 by bugdroid1@chromium.org, Mar 10, 2013
Labels: -Feature-TextInput -Mstone-26 Cr-UI-Input-Text-IME M-26
Comment 33 by k...@google.com, Mar 11, 2013
Labels: -Merge-Requested Merge-Approved
Project Member Comment 34 by bugdroid1@chromium.org, Mar 11, 2013
Labels: -Merge-Approved
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=187368

------------------------------------------------------------------------
r187368 | aurimas@google.com | 2013-03-11T20:35:05.646970Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/ui/android/autofill/autofill_popup_view_android.cc?r1=187368&r2=187367&pathrev=187368
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/android/java/src/org/chromium/chrome/browser/autofill/AutofillPopupGlue.java?r1=187368&r2=187367&pathrev=187368
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/browser/ui/android/autofill/autofill_popup_view_android.h?r1=187368&r2=187367&pathrev=187368
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/android/javatests/src/org/chromium/chrome/browser/test/AutofillTest.java?r1=187368&r2=187367&pathrev=187368
   M http://src.chromium.org/viewvc/chrome/branches/1410/src/chrome/android/java/src/org/chromium/chrome/browser/autofill/AutofillPopup.java?r1=187368&r2=187367&pathrev=187368

Merge 187018
> [android] Always close Autofill popup through controller.
> 
> Make sure that if dismiss is called by phone rotation it requests the
> controller to dismiss the view instead of dismissing itself.
> 
> Dependent on https://chromiumcodereview.appspot.com/12556002
> 
> BUG= 175454 
> NOTRY=true
> 
> Review URL: https://chromiumcodereview.appspot.com/12395028

TBR=aurimas@chromium.org
Review URL: https://codereview.chromium.org/12566022
------------------------------------------------------------------------
Comment 35 by aurimas@chromium.org, Mar 11, 2013
Status: Fixed