
Issue 604355

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug


crash when mousing over hidden extension icons

Project Member Reported by ellyjo...@chromium.org, Apr 18 2016

Issue description

This crash was not present in Friday's canary but is present in today's, which is 52.0.2711.0.

Steps to reproduce:
1) Have an extension installed with a hidden icon
2) Click on the browser menu button

The browser crashes within a few seconds. This crash is 100% reproducible for me. It seems very similar to https://crbug.com/603241, but the repro steps are much simpler and the stack trace is different.

Sample crash ID: 209ae51200000000
Sample crash stack:

Thread 0 CRASHED [EXC_BAD_INSTRUCTION / 0x00000001 @ 0x000000010bffbe2c ] MAGIC SIGNATURE THREAD
0x000000010bffbe2c	(Google Chrome Framework -objc_zombie.mm:235 )	(anonymous namespace)::ZombieObjectCrash(objc_object*, objc_selector*, objc_selector*)
0x000000010bffbc50	(Google Chrome Framework -objc_zombie.mm:270 )	-[CrZombie forwardingTargetForSelector:]
0x00007fff8e83f20b	(CoreFoundation + 0x0008520b )	___forwarding___
0x00007fff8e83f0f7	(CoreFoundation + 0x000850f7 )	__forwarding_prep_0___
0x000000010eea98b5	(Google Chrome Framework -browser_actions_controller.mm:274 )	(anonymous namespace)::ToolbarActionsBarBridge::IsAnimating() const
0x000000010efe8f4a	(Google Chrome Framework -toolbar_actions_bar.cc:600 )	ToolbarActionsBar::ShowToolbarActionBubble(std::__1::unique_ptr<ToolbarActionsBarBubbleDelegate, std::__1::default_delete<ToolbarActionsBarBubbleDelegate> >)
0x000000010efea2db	(Google Chrome Framework -bind_internal.h:181 )	base::internal::Invoker<base::IndexSequence<0ul, 1ul>, base::internal::BindState<base::internal::RunnableAdapter<void (ToolbarActionsBar::*)(std::__1::unique_ptr<ToolbarActionsBarBubbleDelegate, std::__1::default_delete<ToolbarActionsBarBubbleDelegate> >)>, void (ToolbarActionsBar*, std::__1::unique_ptr<ToolbarActionsBarBubbleDelegate, std::__1::default_delete<ToolbarActionsBarBubbleDelegate> >), base::WeakPtr<ToolbarActionsBar>, base::internal::PassedWrapper<std::__1::unique_ptr<ToolbarActionsBarBubbleDelegate, std::__1::default_delete<ToolbarActionsBarBubbleDelegate> > > >, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (ToolbarActionsBar::*)(std::__1::unique_ptr<ToolbarActionsBarBubbleDelegate, std::__1::default_delete<ToolbarActionsBarBubbleDelegate> >)> >, void ()>::Run(base::internal::BindStateBase*)
0x000000010be7602a	(Google Chrome Framework -callback.h:397 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
0x000000010be97a72	(Google Chrome Framework -message_loop.cc:479 )	base::MessageLoop::RunTask(base::PendingTask const&)
0x000000010be97d8b	(Google Chrome Framework -message_loop.cc:488 )	base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&)
0x000000010be981fa	(Google Chrome Framework -message_loop.cc:638 )	base::MessageLoop::DoDelayedWork(base::TimeTicks*)
0x000000010be6b52c	(Google Chrome Framework -message_pump_mac.mm:334 )	base::MessagePumpCFRunLoopBase::RunWork()
0x000000010be8df99	(Google Chrome Framework + 0x00586f99 )	base::mac::CallWithEHFrame(void () block_pointer)
0x000000010be6af13	(Google Chrome Framework -message_pump_mac.mm:306 )	base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
0x00007fff8e864880	(CoreFoundation + 0x000aa880 )	__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fff8e843fbb	(CoreFoundation + 0x00089fbb )	__CFRunLoopDoSources0
0x00007fff8e8434de	(CoreFoundation + 0x000894de )	__CFRunLoopRun
0x00007fff8e842ed7	(CoreFoundation + 0x00088ed7 )	CFRunLoopRunSpecific
0x00007fff8ab5d934	(HIToolbox + 0x00030934 )	RunCurrentEventLoopInMode
0x00007fff8ab5d76e	(HIToolbox + 0x0003076e )	ReceiveNextEventCommon
0x00007fff8ab5d5ae	(HIToolbox + 0x000305ae )	_BlockUntilNextEventMatchingListInModeWithFilter
0x00007fff98303ef9	(AppKit + 0x00048ef9 )	_DPSNextEvent
0x00007fff98303329	(AppKit + 0x00048329 )	-[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:]
0x00007fff982f7e83	(AppKit + 0x0003ce83 )	-[NSApplication run]
0x000000010be6bd25	(Google Chrome Framework -message_pump_mac.mm:665 )	base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
0x000000010be6b363	(Google Chrome Framework -message_pump_mac.mm:238 )	base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x000000010beaddf2	(Google Chrome Framework -run_loop.cc:35 )	base::RunLoop::Run()
0x000000010b9a24a7	(Google Chrome Framework -chrome_browser_main.cc:1855 )	ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x000000010f205e56	(Google Chrome Framework -browser_main_loop.cc:949 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x000000010f208431	(Google Chrome Framework -browser_main_runner.cc:154 )	content::BrowserMainRunnerImpl::Run()
0x000000010f201c1c	(Google Chrome Framework -browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const&)
0x000000010be2de63	(Google Chrome Framework -content_main_runner.cc:742 )	content::ContentMainRunnerImpl::Run()
0x000000010be2d265	(Google Chrome Framework -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const&)
0x000000010b909b91	(Google Chrome Framework -chrome_main.cc:84 )	ChromeMain
0x000000010b6a0d41	(Google Chrome Canary -chrome_exe_main_mac.c:87 )	main
0x000000010b6a0b23	(Google Chrome Canary + 0x00000b23 )	start
 

Comment 1 by rsesek@chromium.org, Apr 18 2016

zombie: Zombie <BrowserActionsContainerView: 0x7fe9b92adcb0> received -isAnimating
zombie_dealloc_bt:
0x006f53fb [Google Chrome Framework -	 objc_zombie.mm:139] (anonymous namespace)::ZombieDealloc(objc_object*, objc_selector*)
0x0003c084 [AppKit +	 0x3c084] -[NSResponder dealloc]
0x0003a231 [AppKit +	 0x3a231] -[NSView dealloc]
0x000092f4 [libobjc.A.dylib +	 0x92f4] objc_object::sidetable_release(bool)
0x00007ac4 [libobjc.A.dylib +	 0x7ac4] (anonymous namespace)::AutoreleasePoolPage::pop(void*)
0x00048c12 [CoreFoundation +	 0x48c12] _CFAutoreleasePoolPop
0x0001884a [Foundation +	 0x1884a] -[NSAutoreleasePool drain]
0x0003cf57 [AppKit +	 0x3cf57] -[NSApplication run]
0x00564d26 [Google Chrome Framework -	 message_pump_mac.mm:682] base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
0x00564364 [Google Chrome Framework -	 message_pump_mac.mm:246] base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x005a6df3 [Google Chrome Framework -	 run_loop.cc:36] base::RunLoop::Run()
0x0009b4a8 [Google Chrome Framework -	 chrome_browser_main.cc:1859] ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x038fee57 [Google Chrome Framework -	 browser_main_loop.cc:951] content::BrowserMainLoop::RunMainMessageLoopParts()
0x03901432 [Google Chrome Framework -	 memory:2729] content::BrowserMainRunnerImpl::Run()
0x038fac1d [Google Chrome Framework -	 browser_main.cc:46] content::BrowserMain(content::MainFunctionParams const&)
0x00526e64 [Google Chrome Framework -	 content_main_runner.cc:742] content::ContentMainRunnerImpl::Run()
0x00526266 [Google Chrome Framework -	 content_main.cc:20] content::ContentMain(content::ContentMainParams const&)
0x00002b92 [Google Chrome Framework -	 chrome_main.cc:84] ChromeMain
0x00000d42 [Google Chrome Canary -	 chrome_exe_main_mac.c:91] main

Looks like the ToolbarActionsBarBridge is holding onto a weak reference of BrowserActionsContainerView that gets autoreleased.

Comment 2 by ssdd98...@gmail.com, Apr 18 2016

indonesia
On 18 Apr 2016 22:07, "rsesek@chromium.org via Monorail" <monorail@chromium.org> wrote:

Project Member Comment 3 by bugdroid1@chromium.org, Apr 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/85d435654b3a9786996c8a67e12185c0a5346652

commit 85d435654b3a9786996c8a67e12185c0a5346652
Author: rdevlin.cronin <rdevlin.cronin@chromium.org>
Date: Mon Apr 18 21:08:40 2016

[Extensions UI Mac] Delete the overflow container when the menu closes

Cocoa menus aren't entirely cleaned up when the menu closes (the
controller persists across opens/closes), but the views are removed.
Explicitly delete the BrowserActionsController from the app menu when
the menu closes to prevent it from using a non-existent view.

BUG=604355

Review URL: https://codereview.chromium.org/1895213002

Cr-Commit-Position: refs/heads/master@{#388023}

[modify] https://crrev.com/85d435654b3a9786996c8a67e12185c0a5346652/chrome/browser/ui/cocoa/app_menu/app_menu_controller.mm
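The lifetime bug diagnosed in comment 1 (a C++ bridge keeping an unretained pointer to a Cocoa view that is released when the menu closes, then a delayed task bound to a WeakPtr calling IsAnimating() on it) and the shape of the fix in the commit above (destroy the controller, and with it the bridge, when the menu closes) can be reduced to a small Objective-C++ program. This is an added illustration, not Chromium code and not from anyone in this thread; ContainerView, BarBridge, MenuController and delayed_tasks_ are hypothetical stand-ins, std::weak_ptr stands in for base::WeakPtr, and the view is freed by dropping its last strong reference directly rather than by an autorelease pool drain as in the zombie_dealloc_bt above.

```objective-c++
// Added illustration, not Chromium code. Models the lifetime bug in this
// report and the fix from the commit above with Foundation plus the C++
// standard library. All names (ContainerView, BarBridge, MenuController,
// delayed_tasks_) are hypothetical stand-ins for the Chromium classes.
// Build: clang++ -fobjc-arc -framework Foundation uaf_demo.mm -o uaf_demo
#import <Foundation/Foundation.h>
#include <cstdio>
#include <cstring>
#include <functional>
#include <memory>
#include <vector>

// Stand-in for BrowserActionsContainerView.
@interface ContainerView : NSObject
@property(nonatomic) BOOL animating;
@end

@implementation ContainerView
- (void)dealloc {
  NSLog(@"ContainerView %p deallocated", (__bridge void*)self);
}
@end

// Stand-in for ToolbarActionsBarBridge: a C++ delegate that forwards to a
// Cocoa view it does not own. The pointer is unretained on purpose, as a
// non-owning bridge pointer is, so it dangles once the view is freed.
class BarBridge {
 public:
  explicit BarBridge(ContainerView* view) : view_(view) {}
  // If view_ is dead this is the objc_msgSend on a freed object seen in the
  // crash stack (ToolbarActionsBarBridge::IsAnimating -> CrZombie forwarding).
  bool IsAnimating() const { return [view_ animating]; }

 private:
  __unsafe_unretained ContainerView* view_;
};

// Stand-in for the app menu controller: it persists across menu opens and
// closes while Cocoa releases the views on close.
class MenuController {
 public:
  explicit MenuController(bool delete_bridge_on_close)
      : delete_bridge_on_close_(delete_bridge_on_close), view_(nil) {}

  void MenuDidOpen() {
    view_ = [[ContainerView alloc] init];
    bridge_ = std::make_shared<BarBridge>(view_);
    // Analogue of ShowToolbarActionBubble being posted as a delayed task
    // bound to a base::WeakPtr; std::weak_ptr plays the WeakPtr here.
    std::weak_ptr<BarBridge> weak = bridge_;
    delayed_tasks_.push_back([weak]() -> int {
      std::shared_ptr<BarBridge> bridge = weak.lock();
      if (!bridge) return -1;  // owner already gone: task is dropped
      return bridge->IsAnimating() ? 1 : 0;
    });
  }

  void MenuDidClose() {
    view_ = nil;  // last strong reference: the view is deallocated here
    if (delete_bridge_on_close_) {
      bridge_.reset();  // the fix: the bridge dies with the view, so
    }                   // weak.lock() above fails instead of dereferencing
  }

  // Runs queued tasks, as the message loop does after the menu has closed.
  std::vector<int> RunDelayedTasks() {
    std::vector<int> results;
    for (auto& task : delayed_tasks_) results.push_back(task());
    delayed_tasks_.clear();
    return results;
  }

 private:
  bool delete_bridge_on_close_;
  ContainerView* view_;  // strong under ARC
  std::shared_ptr<BarBridge> bridge_;
  std::vector<std::function<int()>> delayed_tasks_;
};

int main(int argc, char** argv) {
  @autoreleasepool {
    // "--buggy" keeps the bridge alive across close, reproducing the report.
    // Run it under NSZombieEnabled=YES to get Foundation's equivalent of the
    // "Zombie ... received -isAnimating" line instead of a silent UAF.
    bool buggy = argc > 1 && std::strcmp(argv[1], "--buggy") == 0;
    MenuController controller(/*delete_bridge_on_close=*/!buggy);
    controller.MenuDidOpen();
    controller.MenuDidClose();
    for (int r : controller.RunDelayedTasks())
      std::printf("delayed task result: %d (-1 = dropped)\n", r);
  }
  return 0;
}
```

Running `./uaf_demo` takes the fixed path: the view is deallocated on close, the bridge is reset with it, and the delayed task sees an expired weak pointer and reports -1. Running `NSZombieEnabled=YES ./uaf_demo --buggy` keeps the bridge alive past the view, and Foundation's zombie support (the same idea as Chrome's CrZombie in the stack above) turns the message to the freed ContainerView into a deterministic "message sent to deallocated instance" abort rather than whatever the reused memory happens to contain. The point to take from the fix is that a WeakPtr on the task only protects you if the object it guards is destroyed together with everything it points at; here the bar outlived its view, so the WeakPtr was still valid and the dangling bridge pointer was reached anyway.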

Status: Assigned (was: Untriaged)
Status: Fixed (was: Assigned)
Not seen after #3.  Closing.
