NOTREACHED in WebRemoteFrameImpl::setCanHaveScrollbars.
Issue descriptionThis repros on a clean profile, with a Debug build. [62755:1295:0517/145353:FATAL:WebRemoteFrameImpl.cpp(116)] Check failed: false. 0 libbase.dylib 0x000000011fba587f _ZN4base5debug10StackTraceC2Ev + 47 1 libbase.dylib 0x000000011fba5943 _ZN4base5debug10StackTraceC1Ev + 35 2 libbase.dylib 0x000000011fc38ca0 _ZN7logging10LogMessageD2Ev + 80 3 libbase.dylib 0x000000011fc36453 _ZN7logging10LogMessageD1Ev + 35 4 libblink_web.dylib 0x000000013766120d _ZN5blink18WebRemoteFrameImpl20setCanHaveScrollbarsEb + 141 5 libblink_web.dylib 0x000000013766127a _ZThn8_N5blink18WebRemoteFrameImpl20setCanHaveScrollbarsEb + 58 6 libcontent.dylib 0x00000001299256ca _ZN7content14RenderViewImpl8OnResizeERKNS_12ResizeParamsE + 458 7 libcontent.dylib 0x0000000129962acf _ZN4base20DispatchToMethodImplIPN7content12RenderWidgetEMS2_FvRKNS1_12ResizeParamsEEJS4_EJLm0EEEEvRKT_T0_RKNSt3__15tupleIJDpT1_EEENS_13IndexSequenceIJXspT2_EEEE + 175 8 libcontent.dylib 0x00000001299629f3 _ZN4base16DispatchToMethodIPN7content12RenderWidgetEMS2_FvRKNS1_12ResizeParamsEEJS4_EEEvRKT_T0_RKNSt3__15tupleIJDpT1_EEE + 83 9 libcontent.dylib 0x000000012996297d _ZN3IPC16DispatchToMethodIN7content12RenderWidgetEMS2_FvRKNS1_12ResizeParamsEEvNSt3__15tupleIJS3_EEEEEvPT_T0_PT1_RKT2_ + 93 10 libcontent.dylib 0x000000012994b637 _ZN3IPC8MessageTI19ViewMsg_Resize_MetaNSt3__15tupleIJN7content12ResizeParamsEEEEvE8DispatchINS4_12RenderWidgetES9_vMS9_FvRKS5_EEEbPKNS_7MessageEPT_PT0_PT1_T2_ + 535 11 libcontent.dylib 0x0000000129949033 _ZN7content12RenderWidget17OnMessageReceivedERKN3IPC7MessageE + 2435 12 libcontent.dylib 0x000000012990c8d7 _ZN7content14RenderViewImpl17OnMessageReceivedERKN3IPC7MessageE + 10759 13 libipc.dylib 0x0000000130498d79 _ZN3IPC13MessageRouter12RouteMessageERKNS_7MessageE + 105 14 libcontent.dylib 0x0000000126730e2e _ZN7content15ChildThreadImpl24ChildThreadMessageRouter12RouteMessageERKN3IPC7MessageE + 46 15 libipc.dylib 0x0000000130498ccc 
_ZN3IPC13MessageRouter17OnMessageReceivedERKNS_7MessageE + 108 16 libcontent.dylib 0x000000012673a2ec _ZN7content15ChildThreadImpl17OnMessageReceivedERKN3IPC7MessageE + 1964 17 libipc.dylib 0x000000013043fcd6 _ZN3IPC12ChannelProxy7Context17OnDispatchMessageERKNS_7MessageE + 166 18 libipc.dylib 0x00000001304467bc _ZN4base8internal15RunnableAdapterIMN3IPC12ChannelProxy7ContextEFvRKNS2_7MessageEEE3RunIRK13scoped_refptrIS4_EJS7_EEEvOT_DpOT0_ + 156 19 libipc.dylib 0x000000013044665a _ZN4base8internal12InvokeHelperILb0EvNS0_15RunnableAdapterIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEEEE8MakeItSoIJRK13scoped_refptrIS5_ES8_EEEvSB_DpOT_ + 74 20 libipc.dylib 0x00000001304465ec _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1EEEENS0_9BindStateINS0_15RunnableAdapterIMN3IPC12ChannelProxy7ContextEFvRKNS6_7MessageEEEEFvPS8_SB_EJSF_SB_EEENS0_12InvokeHelperILb0EvSE_EEFvvEE3RunEPNS0_13BindStateBaseE + 140 21 libbase.dylib 0x000000011fb76f3f _ZNK4base8CallbackIFvvELNS_8internal8CopyModeE1EE3RunEv + 63 22 libbase.dylib 0x000000011fba776e _ZN4base5debug13TaskAnnotator7RunTaskEPKcRKNS_11PendingTaskE + 654 23 libscheduler.dylib 0x000000013854afa5 _ZN9scheduler16TaskQueueManager24ProcessTaskFromWorkQueueEPNS_8internal9WorkQueueEPNS1_13TaskQueueImpl4TaskE + 1589 24 libscheduler.dylib 0x0000000138547650 _ZN9scheduler16TaskQueueManager6DoWorkEN4base9TimeTicksEb + 992 25 libscheduler.dylib 0x00000001385515d5 _ZN4base8internal15RunnableAdapterIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEE3RunIPS3_JRKS4_RKbEEEvOT_DpOT0_ + 181 26 libscheduler.dylib 0x0000000138551323 _ZN4base8internal12InvokeHelperILb1EvNS0_15RunnableAdapterIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEEEE8MakeItSoINS_7WeakPtrIS4_EEJRKS5_RKbEEEvS8_T_DpOT0_ + 115 27 libscheduler.dylib 0x000000013855127d 
_ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1ELm2EEEENS0_9BindStateINS0_15RunnableAdapterIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEEEFvPS7_S8_bEJNS_7WeakPtrIS7_EES8_bEEENS0_12InvokeHelperILb1EvSB_EEFvvEE3RunEPNS0_13BindStateBaseE + 189 28 libbase.dylib 0x000000011fb76f3f _ZNK4base8CallbackIFvvELNS_8internal8CopyModeE1EE3RunEv + 63 29 libbase.dylib 0x000000011fba776e _ZN4base5debug13TaskAnnotator7RunTaskEPKcRKNS_11PendingTaskE + 654 30 libbase.dylib 0x000000011fc8486d _ZN4base11MessageLoop7RunTaskERKNS_11PendingTaskE + 877 31 libbase.dylib 0x000000011fc84f56 _ZN4base11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE + 86 32 libbase.dylib 0x000000011fc859f8 _ZN4base11MessageLoop6DoWorkEv + 552 33 libbase.dylib 0x000000011fc99808 _ZN4base24MessagePumpCFRunLoopBase7RunWorkEv + 104 34 libbase.dylib 0x000000011fc9977a ___ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv_block_invoke + 42 35 libbase.dylib 0x000000011fc3c54a _ZN4base3mac15CallWithEHFrameEU13block_pointerFvvE + 10 36 libbase.dylib 0x000000011fc98ae5 _ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv + 101 37 CoreFoundation 0x00007fff97eba881 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 38 CoreFoundation 0x00007fff97e99fbc __CFRunLoopDoSources0 + 556 39 CoreFoundation 0x00007fff97e994df __CFRunLoopRun + 927 40 CoreFoundation 0x00007fff97e98ed8 CFRunLoopRunSpecific + 296 41 Foundation 0x00007fff9d154dd9 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 270 42 libbase.dylib 0x000000011fc9a7a7 _ZN4base20MessagePumpNSRunLoop5DoRunEPNS_11MessagePump8DelegateE + 151 43 libbase.dylib 0x000000011fc993fd _ZN4base24MessagePumpCFRunLoopBase3RunEPNS_11MessagePump8DelegateE + 125 44 libbase.dylib 0x000000011fc8408a _ZN4base11MessageLoop10RunHandlerEv + 298 45 libbase.dylib 0x000000011fd59fb5 _ZN4base7RunLoop3RunEv + 85 46 libbase.dylib 0x000000011fc81a7f _ZN4base11MessageLoop3RunEv + 303 47 libcontent.dylib 0x000000012997efae _ZN7content12RendererMainERKNS_18MainFunctionParamsE + 
3758 48 libcontent.dylib 0x0000000129f510b7 _ZN7content23RunNamedProcessTypeMainERKNSt3__112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEERKNS_18MainFunctionParamsEPNS_19ContentMainDelegateE + 599 49 libcontent.dylib 0x0000000129f530b6 _ZN7content21ContentMainRunnerImpl3RunEv + 1462 50 libcontent.dylib 0x0000000129f508cd _ZN7content11ContentMainERKNS_17ContentMainParamsE + 349 51 libchrome_dll.dylib 0x000000010dbf6b53 ChromeMain + 83 52 Chromium Helper 0x000000010d9bbd6f main + 783 53 Chromium Helper 0x000000010d9bba54 start + 52 54 ??? 0x0000000000000017 0x0 + 23
,
May 18 2016
To dcheng@ for investigation or routing.
,
May 18 2016
Ken, mind looking at this one? Looks like we're calling this on a remote frame when we shouldn't be.
,
May 18 2016
Any particular repro instructions? Is this on browser launch?
,
May 19 2016
I built on Mac and have been trying to repro but so far haven't been able to. Somehow a RenderView with a remote main frame is getting a resize message. I am wondering if this is a race condition, and I can speculate a little bit but it is hard to really assess what is happening here without more information. Does this run with any flags?
,
May 19 2016
I happened to glance at this, since the stack has RenderViewImpl::OnResize, which I'm touching for fullscreen. Looks like webview()->mainFrame()->setCanHaveScrollbars() is called only when send_preferred_size_changes_ is true, which seems to only be set in GuestView: https://code.google.com/p/chromium/codesearch#chromium/src/components/guest_view/browser/guest_view_base.cc&sq=package:chromium&type=cs&l=580&rcl=1463656661 Seems like ExtensionOptionsGuest::IsPreferredSizeModeEnabled is the thing that makes this true. Don't really know how ExtensionOptionsGuest is used, but that's the direction I'd probably go for repro steps.
,
May 19 2016
I agree with alexmos@'s comment, but I have no idea how a guest view could have a remote main frame. With the separate WebContents, and with OOPIFs not allowed inside guest views, we should never have a remote main frame in a guest view.
,
May 19 2016
erikchen@: Can you share what you were doing at the time of the crash?
,
May 24 2016
,
May 24 2016
Have you been trying to repro on a Mac? This crash comes and goes, but when it occurs, it generally happens as soon as I try to navigate to any site. The next time it occurs I'll update this bug. What details do you want? [Basically I build chrome from top of tree, start it with a clean profile, try to navigate, and get hit by this bug. No special flags or anything.]
,
May 24 2016
This just happened to me. I've been doing some WebGL work, so my profile has some history in it. I opened Chrome, typed "WebGL" into the omnibox, selected the "WebGL examples" first entry [saved from history], which loaded a Google search for "WebGL examples". I clicked on the first link [which loads an interstitial page that doesn't have any WebGL]. Somewhere between when I first started typing in the omnibox and when I started loading the interstitial page, I saw this error.
,
May 24 2016
I can't always reproduce this. This time, I started up Chrome, typed in "WebGL" into the omnibox, selected the "WebGL examples" first entry [saved from history] and did nothing else.
,
May 24 2016
Okay, I'm able to deterministically reproduce this, kind of. Start the browser, and very quickly do: 1. cmd+L to select omnibox 2. Type: "web" to trigger omnibox dropdowns 3. Press enter. Waiting between (2) and (3) causes the error to disappear. I'm guessing this has to do with prerender?
,
May 24 2016
Just tried this and can verify that I also hit this crash following repro steps in #13 with a fresh profile. This is on ToT debug build on Mac. This happens even without turning on any site isolation modes. I don't think it's prerender, as I passed in --prerender-disabled and --prerender-from-omnibox=disabled and still saw this crash. Interestingly, if I specify the startup page as about:blank on the command line, it doesn't seem to happen, so it's something about the NTP, or more specifically navigating away from it.
,
May 24 2016
Thanks for the additional detail. I think Guestview is used on NTP so that might make sense. I'll have a closer look at this tomorrow.
,
May 24 2016
,
Jun 6 2016
Here is a diagnosis. The GuestView thing is a red herring caused by code search only getting xrefs from Linux builds. WebContentsViewMac::RenderViewCreated() also enables preferred size mode, so this is a normal code path on Mac. The sequence is basically this: - we swap out the main frame of the old page during navigation - the new frame sends DidCommitProvisionalLoad, which (via NavigatorImpl::DidNavigate() -> WebContentsImpl::DidNavigateMainFramePostCommit() -> Browser::DidNavigateMainFramePostCommit()) triggers a state change in the BookmarkBarController - BookmarkBarController seems to be another reason this only happens on a Mac, and also explains why this only seems to happen while navigating away from the NTP - BookmarkBarController, through a convoluted call stack, ends up sending a resize to the frame it is associated with, causing the old RenderViewHostImpl to have its OnResize() method called, resulting in this crash because that RenderView now has a remote main frame. There are a couple of easy potential fixes here, but I'm trying to figure out what is "right" here.
,
Jun 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5fd60fb8a0d4fd287ac6d407eacf40c7c64a565f commit 5fd60fb8a0d4fd287ac6d407eacf40c7c64a565f Author: kenrb <kenrb@chromium.org> Date: Fri Jun 10 17:27:57 2016 Prevent crash when resize is sent to a swapped out main frame On Mac, it is possible for the UI code to trigger a resize on a main frame that is in the process of being navigated and has already been swapped out. This patch prevents a renderer crash in that scenario. BUG= 612606 Review-Url: https://codereview.chromium.org/2044683002 Cr-Commit-Position: refs/heads/master@{#399216} [modify] https://crrev.com/5fd60fb8a0d4fd287ac6d407eacf40c7c64a565f/content/renderer/render_view_impl.cc
,
Jun 10 2016
,
Jun 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5fd60fb8a0d4fd287ac6d407eacf40c7c64a565f commit 5fd60fb8a0d4fd287ac6d407eacf40c7c64a565f Author: kenrb <kenrb@chromium.org> Date: Fri Jun 10 17:27:57 2016 Prevent crash when resize is sent to a swapped out main frame On Mac, it is possible for the UI code to trigger a resize on a main frame that is in the process of being navigated and has already been swapped out. This patch prevents a renderer crash in that scenario. BUG= 612606 Review-Url: https://codereview.chromium.org/2044683002 Cr-Commit-Position: refs/heads/master@{#399216} [modify] https://crrev.com/5fd60fb8a0d4fd287ac6d407eacf40c7c64a565f/content/renderer/render_view_impl.cc
Comment 1 by tyoshino@chromium.org, May 18 2016 — Owner: dcheng@chromium.org