
Issue 46289

Starred by 4 users

Issue metadata

Status: Verified
Owner:
Closed: Jun 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug
M-6

Restricted
  • Only users with EditIssue permission may comment.




Chrome browser crash on closing the tabs

Project Member Reported by rohi...@chromium.org, Jun 10 2010

Issue description

Platform:
  Hostname: testings-mac-mini-4.local
  Mac OS X Version 10.6.3 (Build 10D578)
  Processor: 2 Intel 2.33 GHz
  RAM: 2048 MB

Chrome:
  Chrome version: 6.0.431.0 r49370  <<<Release>>>
  QuickTime Player: 7.6.6
  QuickTime PlayerX: 113
  Flash Player: 10.0.42

What steps will reproduce the problem?
1. Have 2-3 windows open with 10-12 tabs (with sites) in each. (I use Safari default bookmarks to open many sites.)
2. Press cmd+w continuously to close all tabs from all windows.

Result:
- At some point, Chrome crashes.

Note:
- We could repro this crash on multiple machines. I have attached the full crash report.



Thread 0 (crashed)
 0 libobjc.A.dylib     0.227.0.0            0x90993ed7 objc_msgSend + 0x17
 1 Google Chrome Framew0.431.0.0            0x001dfe0e CallbackImpl<HistoryMenuBridge, void (HistoryMenuBridge::*)(int, bool, scoped_refptr<RefCountedMemory>, bool, GURL), Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> >::RunWithParams(Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> const&) + 0x2b (tuple.h:447)
 2 Google Chrome Framew0.431.0.0            0x00377bfe 
 3 Google Chrome Framew0.431.0.0            0x0037738a RunnableMethod<CancelableRequest<CallbackRunner<Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> > >, void (CancelableRequest<CallbackRunner<Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> > >::*)(Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> const&), Tuple1<Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> > >::Run() + 0x13 (tuple.h:422)
 4 Google Chrome Framew0.431.0.0            0x0074e7bb MessageLoop::RunTask(Task*) + 0xa (message_loop.cc:340)
 5 Google Chrome Framew0.431.0.0            0x0074e96d MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) + 0xd (message_loop.cc:349)
 6 Google Chrome Framew0.431.0.0            0x0074f89a MessageLoop::DoWork() + 0xb (message_loop.cc:456)
 7 Google Chrome Framew0.431.0.0            0x0072c703 base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 0xa (message_pump_mac.mm:291)
 8 CoreFoundation      0.550.19.0           0x93d93ff0 __CFRunLoopDoSources0 + 0x4b0
 9 CoreFoundation      0.550.19.0           0x93d91c1e __CFRunLoopRun + 0x42e
10 CoreFoundation      0.550.19.0           0x93d910f3 CFRunLoopRunSpecific + 0x1c3
11 CoreFoundation      0.550.19.0           0x93d90f20 CFRunLoopRunInMode + 0x60
12 HIToolbox           0.460.0.0            0x9294b0fb RunCurrentEventLoopInMode + 0x187
13 HIToolbox           0.460.0.0            0x9294aeb0 ReceiveNextEventCommon + 0x161
14 HIToolbox           0.460.0.0            0x9294ad35 BlockUntilNextEventMatchingListInMode + 0x50
15 AppKit              0.1038.29.0          0x91e59134 _DPSNextEvent + 0x34e
16 AppKit              0.1038.29.0          0x91e58975 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0x9b
17 AppKit              0.1038.29.0          0x91e1abee -[NSApplication run] + 0x334
18 Google Chrome Framew0.431.0.0            0x0072c1ac base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 0x19 (message_pump_mac.mm:677)
19 Google Chrome Framew0.431.0.0            0x0072b935 base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 0xb (message_pump_mac.mm:213)
20 Google Chrome Framew0.431.0.0            0x0074f223 MessageLoop::Run() + 0xb (message_loop.cc:214)
21 Google Chrome Framew0.431.0.0            0x00138907 BrowserMain(MainFunctionParams const&) + 0x7 (browser_main.cc:200)
22 Google Chrome Framew0.431.0.0            0x0000b443 ChromeMain + 0xd (chrome_dll_main.cc:841)
23 Google Chrome                            0x00001ff7 main + 0x11 (chrome_exe_main.mm:16)
24 Google Chrome                            0x00001fb5 
25 

 
Attachment: Crash_ClosingTabs.txt (15.7 KB)
Labels: -Pri-2 Pri-1 Mstone-6
Status: Assigned
Is this just Mac, or does it repro on other platforms? JRG?

Comment 2 by rsesek@chromium.org, Jun 11 2010

I see HistoryMenuBridge on the top of the stack, which means this is mine and Mac-only.

Comment 3 by sh...@chromium.org, Jun 15 2010

Issue 46038 has been merged into this issue.

Comment 4 by sh...@chromium.org, Jun 15 2010

Labels: Crash-TopCrasher

Comment 5 by rsesek@chromium.org, Jun 16 2010

I cannot reproduce this locally, but I can imagine a scenario in which this happens.  It would be very helpful to have a full stack trace from GDB of a debug build.  The trace in the description is from a release build with tail call optimization, which has removed some important frames from the top of the stack.

We don't have a debug build, but I copied the dSYM into the Chrome app and got the GDB BT for the crash and all other threads. BT info for all threads is attached.

BT for crash:

(gdb) bt
#0  DebugUtil::BreakDebugger () at /b/slave/chrome-official-mac/build/src/base/debug_util_posix.cc:259
#1  0x00749714 in logging::LogMessage::~LogMessage (this=0xbfffcdd4) at /b/slave/chrome-official-mac/build/src/base/logging.cc:586
#2  0x001f6984 in (anonymous namespace)::LogAndDie (object=0x1f64fc00, aSelector=0x97854458, viaSelector=0x97953ccc) at /b/slave/chrome-official-mac/build/src/chrome/browser/cocoa/objc_zombie.mm:205
#3  0x001f69c4 in -[CrZombie forwardingTargetForSelector:] (self=0x1f64fc00, _cmd=0x97953ccc, aSelector=0x97854458) at /b/slave/chrome-official-mac/build/src/chrome/browser/cocoa/objc_zombie.mm:247
#4  0x965ce416 in __NSGetForwardingTarget ()
#5  0x965ce390 in __forwarding_prep_0___ ()
#6  0x001db971 in HistoryMenuBridge::GotFaviconData (this=0x4207260, handle=619, know_favicon=true, data=@0xbfffcff8, expired=false, url=@0xbfffcfb0) at /b/slave/chrome-official-mac/build/src/chrome/browser/cocoa/history_menu_bridge.mm:433
#7  0x001de5df in ~scoped_refptr [inlined] () at :447
#8  DispatchToMethod<HistoryMenuBridge, void (HistoryMenuBridge::*)(int, bool, scoped_refptr<RefCountedMemory>, bool, GURL), int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> [inlined] () at :447
#9  0x001de5df in CallbackImpl<HistoryMenuBridge, void (HistoryMenuBridge::*)(int, bool, scoped_refptr<RefCountedMemory>, bool, GURL), Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> >::RunWithParams (this=0x1f612e20, params=@0x40399f0) at tuple.h:118
#10 0x0037736f in CancelableRequestBase::NotifyCompleted () at :523
#11 0x0037736f in CancelableRequest<CallbackRunner<Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> > >::ExecuteCallback (this=0x4349660, param=@0x40399f0) at cancelable_request.h:527
#12 0x00376afb in RunnableMethod<CancelableRequest<CallbackRunner<Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> > >, void (CancelableRequest<CallbackRunner<Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> > >::*)(Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> const&), Tuple1<Tuple5<int, bool, scoped_refptr<RefCountedMemory>, bool, GURL> > >::Run (this=0x40399e0) at task.h:296
#13 0x0074c78c in Iterator [inlined] () at :340
#14 0x0074c78c in MessageLoop::RunTask (this=0xbfffe5a8, task=0x40399e0) at /b/slave/chrome-official-mac/build/src/base/message_loop.cc:341
#15 0x0074c93e in MessageLoop::DeferOrRunPendingTask (this=0xbfffe5a8, pending_task=@0xbfffd12c) at /b/slave/chrome-official-mac/build/src/base/message_loop.cc:349
#16 0x0074d86b in MessageLoop::DoWork (this=0xbfffe5a8) at /b/slave/chrome-official-mac/build/src/base/message_loop.cc:456
#17 0x00778b34 in base::MessagePumpCFRunLoopBase::RunWork () at :291
#18 0x00778b34 in base::MessagePumpCFRunLoopBase::RunWorkSource (info=0x4210a40) at /b/slave/chrome-official-mac/build/src/base/message_pump_mac.mm:269
#19 0x96592f91 in __CFRunLoopDoSources0 ()
#20 0x96590bbf in __CFRunLoopRun ()
#21 0x96590094 in CFRunLoopRunSpecific ()
#22 0x9658fec1 in CFRunLoopRunInMode ()
#23 0x96b3df9c in RunCurrentEventLoopInMode ()
#24 0x96b3dd51 in ReceiveNextEventCommon ()
#25 0x96b3dbd6 in BlockUntilNextEventMatchingListInMode ()
#26 0x970c4a89 in _DPSNextEvent ()
#27 0x970c42ca in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#28 0x9708655b in -[NSApplication run] ()
#29 0x007785dd in base::MessagePumpNSApplication::DoRun (this=0x4210a40, delegate=0xbfffe5a8) at /b/slave/chrome-official-mac/build/src/base/message_pump_mac.mm:677
#30 0x00777d66 in base::MessagePumpCFRunLoopBase::Run (this=0x4210a40, delegate=0xbfffe5a8) at /b/slave/chrome-official-mac/build/src/base/message_pump_mac.mm:213
#31 0x0074d1f4 in ~AutoRunState [inlined] () at :214
#32 0x0074d1f4 in MessageLoop::Run (this=0xbfffe5a8) at /b/slave/chrome-official-mac/build/src/base/message_loop.cc:164
#33 0x00136a28 in RunUIMessageLoop [inlined] () at :200
#34 0x00136a28 in BrowserMain (parameters=@0xbffff8c8) at /b/slave/chrome-official-mac/build/src/chrome/browser/browser_main.cc:1329
#35 0x0000b000 in ChromeMain (argc=1, argv=0xbffff9fc) at /b/slave/chrome-official-mac/build/src/chrome/app/chrome_dll_main.cc:861
#36 0x00001ff8 in ?? ()
#37 0x00001fb6 in ?? ()
Current language:  auto; currently c++

Attachment: All_thread_bt.txt (17.7 KB)

Comment 7 by rsesek@chromium.org, Jun 17 2010

Status: Started

Comment 8 by bugdro...@gmail.com, Jun 17 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=50134 

------------------------------------------------------------------------
r50134 | rsesek@chromium.org | 2010-06-17 13:43:19 -0700 (Thu, 17 Jun 2010) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/cocoa/history_menu_bridge.h?r1=50134&r2=50133
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/cocoa/history_menu_bridge.mm?r1=50134&r2=50133
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/cocoa/history_menu_bridge_unittest.mm?r1=50134&r2=50133

Make the HistoryMenuBridge::HistoryItem co-own the NSMenuItem. This hopefully fixes a top-crash.

BUG= 46289 
TEST=Open 3 windows, with 10-12 tabs in each. Cmd+W rapidly. Chrome doesn't crash. See bug for details.

Review URL: http://codereview.chromium.org/2836008
------------------------------------------------------------------------
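
An added illustration, not Chromium's code and not part of the original thread: the gdb trace above shows HistoryMenuBridge::GotFaviconData messaging an already-deallocated object (caught by CrZombie), and r50134 responds by having HistoryItem co-own the NSMenuItem. The portable C++ model below assumes the menu releases its item while a favicon callback is still queued; MenuItem, RunScenario, Outcome and the weak_ptr standing in for a non-owning pointer are hypothetical names and choices.

```cpp
// Added illustration: a portable C++ model, not Chromium code.
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct MenuItem { std::string icon; };  // stands in for NSMenuItem

// Stands in for HistoryMenuBridge::HistoryItem.
struct HistoryItem {
    std::weak_ptr<MenuItem> borrowed;   // "before": non-owning reference
    std::shared_ptr<MenuItem> owned;    // "after": co-owning reference
};

enum class Outcome { kIconSet, kStaleTarget };

// Models the favicon callback. A weak_ptr replaces the raw pointer so the
// stale case is reported instead of invoking undefined behaviour.
Outcome GotFaviconData(HistoryItem& item, const std::string& data) {
    std::shared_ptr<MenuItem> target =
        item.owned ? item.owned : item.borrowed.lock();
    if (!target) return Outcome::kStaleTarget;  // the zombie-message case
    target->icon = data;
    return Outcome::kIconSet;
}

// Assumed ordering: request queued, menu releases the item, callback runs.
Outcome RunScenario(bool co_own) {
    std::vector<std::shared_ptr<MenuItem>> menu{std::make_shared<MenuItem>()};
    HistoryItem item;
    item.borrowed = menu[0];
    if (co_own) item.owned = menu[0];

    std::vector<std::function<Outcome()>> pending;  // models the message loop
    pending.push_back(
        [&item] { return GotFaviconData(item, "constructed-favicon-bytes"); });

    menu.clear();               // last menu-side reference goes away
    return pending.front()();   // queued callback fires afterwards
}

int main() {
    bool ok = RunScenario(false) == Outcome::kStaleTarget &&
              RunScenario(true) == Outcome::kIconSet;
    return ok ? 0 : 1;
}
```

With only the borrowed reference the callback finds its target gone, which is the state the zombie check reports in the trace; with co-ownership the item stays alive until the HistoryItem itself is destroyed.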

Comment 9 by rsesek@chromium.org, Jun 17 2010

Status: Fixed
Status: Verified
Platform:
  Hostname: testings-mac-mini-3.local
  Mac OS X Version 10.6.4 (Build 10F569)
  Processor: 4 Intel 2.66 GHz
  RAM: 2048 MB

Chrome:
  Chrome version: 6.0.443.0 r50322  <<<Release/Debug>>>
  QuickTime Player: 7.6.6
  QuickTime PlayerX: 114
  Flash Player: 10.1.53.64

Comment 11 by hbridge@google.com, Jun 23 2010

Labels: -Crash-TopCrasher Crash-TopFixed
Labels: -Crash bulkmove Stability-Crash
Project Member

Comment 13 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 14 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-UI -Mstone-6 M-6 Cr-UI
Project Member

Comment 15 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
