Issue metadata
Sign in to add a comment
|
Regression: Browser gets crashed after removing person.
Reported by
rk...@etouch.net,
May 31 2016
|
||||||||||||||||||||||
Issue descriptionChrome Version: 52.0.2743.19 Revision b25ac237c4e0eee088839ade87facf7b04ee3a16-refs/branch-heads/2743@{#129} OS: Windows(7,8,10), Linux (14.04 LTS) What steps will reproduce the problem? (1) Launch chrome, navigate to chrome://apps and right click on app,select 'Open as window' option. (2) Launch that app, then navigate to chrome://settings and remove that person and observe. Browser gets crashed after removing person. Crash ID 88e05d9a00000000 (e7c4bf79-f83d-42e2-9f75-9e5fdb731302) Browser should never crash. This is a regression issue, broken in 'M-52', below is bisect info: Good Build: 52.0.2718.0 Bad Build: 52.0.2719.0 Narrow Bisect: https://chromium.googlesource.com/chromium/src/+log/f760e7025c61bd64c3a6bdcf22b1af294ebcad90..48a8b848da6e57bb9297a98f682d7dc1cf532210?pretty=fuller&n=30 Suspecting: r390042 Note: Issue is not seen on Mac OS. @kinuko: Please help me to reassign this issue,if your change is not cause for it.
,
May 31 2016
This crash is introduced in M47, below is the historical data in Stable channels. 50.0.2661.102 10.20% 67 49.0.2623.112 19.18% 126 48.0.2564.116 12.79% 84 47.0.2526.110 1.98% 13 Magic Stack =========== Thread 0 CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x0000000100000017 ] MAGIC SIGNATURE THREAD 0x000007fed26a5185 (chrome.dll -xstring:1145 ) std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,unsigned __int64,unsigned __int64) 0x000007fed30e6598 (chrome.dll -chrome_tab_restore_service_client.cc:104 ) ChromeTabRestoreServiceClient::GetExtensionAppIDForTab(sessions::LiveTab *) 0x000007fed3f8d8f9 (chrome.dll -tab_restore_service_helper.cc:376 ) sessions::TabRestoreServiceHelper::PopulateTab(sessions::TabRestoreService::Tab *,int,sessions::LiveTabContext *,sessions::LiveTab *) 0x000007fed3f8d25f (chrome.dll -tab_restore_service_helper.cc:100 ) sessions::TabRestoreServiceHelper::BrowserClosing(sessions::LiveTabContext *) 0x000007fed38585cd (chrome.dll -browser.cc:709 ) Browser::OnWindowClosing() 0x000007fed38d972f (chrome.dll -unload_controller.cc:288 ) chrome::UnloadController::ProcessPendingTabs() 0x000007fed38d9604 (chrome.dll -unload_controller.cc:364 ) chrome::UnloadController::ClearUnloadState(content::WebContents *,bool) 0x000007fed38d9497 (chrome.dll -unload_controller.cc:41 ) chrome::UnloadController::CanCloseContents(content::WebContents *) 0x000007fed3856910 (chrome.dll -browser.cc:1498 ) Browser::CloseContents(content::WebContents *) 0x000007fed3910195 (chrome.dll -web_contents_impl.cc:4289 ) content::WebContentsImpl::Close(content::RenderViewHost *) 0x000007fed3943029 (chrome.dll -ipc_message_templates.h:121 ) IPC::MessageT<ViewHostMsg_ClosePage_ACK_Meta,std::tuple<>,void>::Dispatch<content::RenderViewHostImpl,content::RenderViewHostImpl,void,void ( content::RenderViewHostImpl::*)(void)>(IPC::Message const *,content::RenderViewHostImpl *,content::RenderViewHostImpl *,void *,void ( content::RenderViewHostImpl::*)(void)) 0x000007fed394730b (chrome.dll -render_view_host_impl.cc:890 ) content::RenderViewHostImpl::OnMessageReceived(IPC::Message const &) 0x000007fed397fde5 (chrome.dll -render_widget_host_impl.cc:432 ) content::RenderWidgetHostImpl::OnMessageReceived(IPC::Message const &) 0x000007fed3930c50 (chrome.dll -render_process_host_impl.cc:1741 ) content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const &) 0x000007fed3281ad7 (chrome.dll -ipc_channel_proxy.cc:284 ) IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &) 0x000007fed2722c2e (chrome.dll -task_annotator.cc:51 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &) 0x000007fed26b86f0 (chrome.dll -message_loop.cc:475 ) base::MessageLoop::RunTask(base::PendingTask const &) 0x000007fed26b96a1 (chrome.dll -message_loop.cc:601 ) base::MessageLoop::DoWork() 0x000007fed2723089 (chrome.dll -message_pump_win.cc:179 ) base::MessagePumpForUI::DoRunLoop() 0x000007fed2722d33 (chrome.dll -message_pump_win.cc:58 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *) 0x000007fed26fc77f (chrome.dll -run_loop.cc:35 ) base::RunLoop::Run() 0x000007fed310596b (chrome.dll -chrome_browser_main.cc:1904 ) ChromeBrowserMainParts::MainMessageLoopRun(int *) 0x000007fed39d0509 (chrome.dll -browser_main_loop.cc:972 ) content::BrowserMainLoop::RunMainMessageLoopParts() 0x000007fed39cc322 (chrome.dll -browser_main_runner.cc:154 ) content::BrowserMainRunnerImpl::Run() 0x000007fed39655d2 (chrome.dll -browser_main.cc:46 ) content::BrowserMain(content::MainFunctionParams const &) 0x000007fed31f1786 (chrome.dll -content_main_runner.cc:420 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *) 0x000007fed31f15c2 (chrome.dll -content_main_runner.cc:787 ) content::ContentMainRunnerImpl::Run() 0x000007fed31f0a33 (chrome.dll -content_main.cc:20 ) content::ContentMain(content::ContentMainParams const &) 0x000007fed30b092f (chrome.dll -chrome_main.cc:84 ) ChromeMain 0x000000013f50d2e1 (chrome.exe -main_dll_loader_win.cc:185 ) MainDllLoader::Launch(HINSTANCE__ *) 0x000000013f50c44f (chrome.exe -chrome_exe_main_win.cc:263 ) wWinMain 0x000000013f5535d9 (chrome.exe -exe_common.inl:255 ) __scrt_common_main_seh 0x76d859cc (kernel32.dll + 0x000159cc ) BaseThreadInitThunk 0x76fbb980 (ntdll.dll + 0x0002b980 ) RtlUserThreadStart Link to the builds which introduced the crash. ============================================= https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27ChromeTabRestoreServiceClient%3A%3AGetExtensionAppIDForTab%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,+productversion:1000 Possible suspect ================ https://codereview.chromium.org/1345453002, forwarding to CL owner & reviewer. blundell@ is OOO until June 2, so requesting sky@ for a followup. Don't think the CL pointed in #0 is the right suspect.Punting to M53, since M52 is already branched. Will take a merge if the issue gets fixed.
,
May 31 2016
,
May 31 2016
https://codereview.chromium.org/1345453002 is just moving code around, I don't think it triggered the crash. I suspect we've unloaded the app/extension before extension::TabHelper has been destroyed. It looks like this is the result of an attempt to unload, so there could be some async bugs with unload handler as well. I'm passing to rdevlin. Hopefully he has an idea.
,
Jun 2 2016
Can we have an update on this issue?
,
Jun 2 2016
I'll look into it.
,
Jun 2 2016
Yeah, from the repro steps it could be that removing the person (via settings) might disable the extensions, causing problems when the window is closed. Devlin, can you or someone from the extensions team take a look? extensions::TabHelper probably shouldn't be returning a stale Extension in that case, which might be a UaF. With the repro steps, it should be easy to track down.
,
Jun 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1f047f7b10be249ef22ecd45faf053592b4bf0ea commit 1f047f7b10be249ef22ecd45faf053592b4bf0ea Author: rdevlin.cronin <rdevlin.cronin@chromium.org> Date: Mon Jun 06 18:30:18 2016 [Extensions] Observe unloading extensions in the TabHelper The extension TabHelper can have an associated extension if the WebContents holds a hosted app. Watch for that extension being unloaded and reset the reference to the extension if it is so that we don't UAF it. BUG= 616057 BUG=616113 Review-Url: https://codereview.chromium.org/2037873002 Cr-Commit-Position: refs/heads/master@{#398072} [modify] https://crrev.com/1f047f7b10be249ef22ecd45faf053592b4bf0ea/chrome/browser/extensions/tab_helper.cc [modify] https://crrev.com/1f047f7b10be249ef22ecd45faf053592b4bf0ea/chrome/browser/extensions/tab_helper.h [add] https://crrev.com/1f047f7b10be249ef22ecd45faf053592b4bf0ea/chrome/browser/extensions/tab_helper_unittest.cc [modify] https://crrev.com/1f047f7b10be249ef22ecd45faf053592b4bf0ea/chrome/chrome_tests_unit.gypi
,
Jun 6 2016
I think this should be fixed (no longer reproduces for me).
,
Jun 16 2016
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ashej...@chromium.org
, May 31 2016