
Issue 22538

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 2009
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug
M-4

Restricted
  • Only users with EditIssue permission may comment.




Browser crash in TabView MouseDragged - obj_msgSend

Project Member Reported by jeremy@chromium.org, Sep 21 2009

Issue description

Seen in 4.0.211.2:
http://crash/reportdetail?reportid=21b211821d140a58

Stack:
Thread 0 *CRASHED* (EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @0x00000341)

0x90f9e91b	 [libobjc.A.dylib	 + 0x0000591b]	 objc_msgSend
0x00125b65	 [Google Chrome Framework	 - tab_view.mm:323]	 -[TabView mouseDragged:]
0x910edb64	 [Foundation	 + 0x0002cb64]	 __NSFireDelayedPerform
0x93356eed	 [CoreFoundation	 + 0x0003deed]	 __CFRunLoopRun
0x93354d33	 [CoreFoundation	 + 0x0003bd33]	 CFRunLoopRunSpecific
0x93354b60	 [CoreFoundation	 + 0x0003bb60]	 CFRunLoopRunInMode
0x96945feb	 [HIToolbox	 + 0x00034feb]	 RunCurrentEventLoopInMode
0x96945da2	 [HIToolbox	 + 0x00034da2]	 ReceiveNextEventCommon
0x96945c27	 [HIToolbox	 + 0x00034c27]	 BlockUntilNextEventMatchingListInMode
0x9460cc94	 [AppKit	 + 0x00048c94]	 _DPSNextEvent
0x9460c509	 [AppKit	 + 0x00048509]	 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
0x945ce69a	 [AppKit	 + 0x0000a69a]	 -[NSApplication run]
0x0044b522	 [Google Chrome Framework	 - message_pump_mac.mm:482]	 base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
0x0044b607	 [Google Chrome Framework	 - message_pump_mac.mm:146]	 base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x00447f73	 [Google Chrome Framework	 - message_loop.cc:199]	 MessageLoop::Run()
0x000c4779	 [Google Chrome Framework	 - browser_main.cc:190]	 BrowserMain(MainFunctionParams const&)
0x000096d5	 [Google Chrome Framework	 - chrome_dll_main.cc:607]	 ChromeMain
0x00001fc5	 [Google Chrome	 + 0x00000fc5]	
0x00000001	
 
Issue 23059 has been merged into this issue.
I looked into this one a little and it seems like the draggedController_ member might be stale, but the only way I could think that would happen would be if you were dragging a window.open'd window and it got closed out from under you. I created a test case and that doesn't crash, though it does behave a little weirdly.
Labels: HelpWanted
In fact, from my tests, the controller can't go away while we're dragging (even if told to explicitly close, it waits for the autorelease pool, and drag processing is in a nested event loop). I'm at a loss here.
Issue 23061 has been merged into this issue.
I did find a crasher from this, but its stack is totally unrelated.

From this stack (as opposed to the dupes), it appears that |self| has gone away, which again can't happen because it's in an autorelease pool. Still baffled.
1. Open two windows, one tab in each.
2. Drag one of the tabs around quickly, keeping the mouse button pressed for as little time as possible. Every now and then the app will crash. Dragging tabs around slowly seems to avoid the crashiness.

The stack traces I'm getting look like use-after-free problems. Some are in [NSApplication sendEvent:], others are in the mouseUp conditional of [TabView mouseDown].


I can confirm rohitrao's delicious recipe. Here's the top of the stack trace:

#0  0x953bd688 in objc_msgSend ()
#1  0x05bfffba in -[TabController inRapidClosureMode] (self=0x21ccf40,
_cmd=0x724f650) at
/Users/vtl/dev/google/cr-git2/src/chrome/browser/cocoa/tab_controller.mm:243
#2  0x05c07aee in -[TabView mouseDown:] (self=0x189ca0, _cmd=0x953f2918,
theEvent=0x21cb210) at
/Users/vtl/dev/google/cr-git2/src/chrome/browser/cocoa/tab_view.mm:254
#3  0x94095af7 in -[NSWindow sendEvent:] ()
#4  0x940626a5 in -[NSApplication sendEvent:] ()
#5  0x93fbffe7 in -[NSApplication run] ()

(D'oh, it's crashing in my code!) It's crashing because TabController's target_ is
stale and invalid?!? Ideas?

Comment 9 by jrg@chromium.org, Oct 1 2009

viettrungluu: the essence of the problem here is that, using Rohit's recipe, [TabStripController dealloc] gets called. Thus target_ becomes invalid. In addition to Rohit's CL, another solution is (in that dealloc) to call [controller setTarget:nil].
I broke off Issue 23591 because I think that is a separate issue.

Giving this bug back to pinkerton, cause he wants it more.
jrg: I think Rohit's Comment 10 is right; see also my comments to his CL. (The
delayed -performSelector: causes worrying out-of-natural-order execution of methods,
but I can't see how it could cause the crash that I saw.)
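As an added illustration of the stale target_ back-pointer that comment 9 identifies, and of the [controller setTarget:nil]-in-dealloc fix it suggests, here is a small self-contained Objective-C program. It is example code, not Chromium's: TabStripController, TabController, tabDragged: and fireAction are simplified stand-ins for the real classes, and the delayed -performSelector: stands in for the deferred mouseDragged that the thread describes. It uses manual retain/release, as Chromium did at the time.

```objc
// Added example, not Chromium code: a minimal model of the stale target_
// back-pointer described in this bug and of the fix proposed in comment 9.
// Manual retain/release; build with:
//   clang -fno-objc-arc -framework Foundation stale_target.m
#import <Foundation/Foundation.h>

@interface TabController : NSObject {
  id target_;  // stand-in for Chromium's target_: a non-retained (assign) back-pointer
}
- (void)setTarget:(id)target;
- (id)target;
- (void)fireAction;
@end

@implementation TabController
- (void)setTarget:(id)target { target_ = target; }  // assign, never retain
- (id)target { return target_; }
- (void)fireAction {
  // Runs from a delayed -performSelector:, i.e. after the stack frame that
  // scheduled it is gone. If target_ still points at a deallocated object this
  // is objc_msgSend on freed memory (EXC_BAD_ACCESS, as in the stack above);
  // a message to nil is simply a no-op.
  [target_ performSelector:@selector(tabDragged:) withObject:self];
}
@end

@interface TabStripController : NSObject {
  NSMutableArray* tabs_;  // owns its TabControllers
}
- (TabController*)firstTab;
- (void)tabDragged:(TabController*)tab;
@end

@implementation TabStripController
- (id)init {
  if ((self = [super init])) {
    tabs_ = [[NSMutableArray alloc] init];
    TabController* tab = [[[TabController alloc] init] autorelease];
    [tab setTarget:self];  // child points back at its owner without retaining it
    [tabs_ addObject:tab];
  }
  return self;
}
- (TabController*)firstTab { return [tabs_ objectAtIndex:0]; }
- (void)tabDragged:(TabController*)tab {
  NSLog(@"tabDragged: from %@", tab);
}
- (void)dealloc {
  // The fix from comment 9: before the owner goes away, clear every child's
  // back-pointer so a delayed selector messages nil instead of a dangling
  // pointer. Delete this loop to reproduce the use-after-free pattern.
  for (TabController* tab in tabs_)
    [tab setTarget:nil];
  [tabs_ release];
  [super dealloc];
}
@end

int main(void) {
  NSAutoreleasePool* pool = [[NSAutoreleasePool alloc] init];
  TabStripController* strip = [[TabStripController alloc] init];
  TabController* tab = [[strip firstTab] retain];  // the view keeps the tab alive

  // Queue the "drag" for a later run-loop turn: the out-of-natural-order
  // execution the reply above worries about.
  [tab performSelector:@selector(fireAction) withObject:nil afterDelay:0.05];

  [strip release];  // owner deallocated while the delayed selector is pending
  NSLog(@"target after owner dealloc: %@", [tab target]);  // (null) with the fix

  // Spin the run loop long enough for the delayed selector to fire.
  [[NSRunLoop currentRunLoop]
      runUntilDate:[NSDate dateWithTimeIntervalSinceNow:0.2]];

  [tab release];
  [pool drain];
  return 0;
}
```

With the dealloc loop in place the delayed fireAction sends tabDragged: to nil and the program exits cleanly; with the loop removed, target_ is a dangling pointer and the outcome depends on what has since reused that memory, which is why the crashes in this thread are intermittent and timing-sensitive.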
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=27861 

------------------------------------------------------------------------
r27861 | pinkerton@chromium.org | 2009-10-02 10:59:13 -0700 (Fri, 02 Oct 2009) | 4 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/cocoa/tab_view.mm?r1=27861&r2=27860

Fix several issues with dragging tabs and quickly letting go, including crashes because we get mouseDragged "events" after mouseUp, windows that stay translucent, and windows that vanish entirely but stay in the window list.
BUG=22266,13594,22538
TEST=dragging tabs between windows should still work
Review URL: http://codereview.chromium.org/243080
------------------------------------------------------------------------

Status: Fixed
fixed.

Comment 14 by crashbot@chromium.org, Oct 5 2009

Labels: Crash-4.0.220.1
This crash was found in 4.0.220.1 and is currently ranked #6 (based on the relative number of reports in the release).  There have been 73 reports from 68 clients.

Report Link: http://crash/reportdetail?reportid=eaf9b8180510164b
http://crash/search?query=Chrome+4.0.220.1+-%5BTabView+mouseDragged%3A%5D
This crash looks like it has re-appeared in 4.0.220.1
Status: Verified
In 4.0.221.6 (Official Build 28091), I couldn't reproduce this using Rohit Rao's steps.
Will reopen if we see the same issue with newer builds.
Labels: -Crash bulkmove Stability-Crash

Comment 17 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 18 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Mstone-4 M-4

Comment 19 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
