On ToT, start mash and drag a window to the side of the screen. You'll see the semi-transparent half-window docking animation. Release the mouse button and it crashes:
#0 0x7fa9acc74d2e base::debug::StackTrace::StackTrace()
#1 0x7fa9acc7486f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fa99aaf1330 <unknown>
#3 0x7fa9ad9c4f6c std::_Rb_tree<>::_S_left()
#4 0x7fa9b3222350 std::_Rb_tree<>::find()
#5 0x7fa9b321cf5f std::__cxx1998::set<>::count()
#6 0x7fa9b3213567 ui::ws::WindowTree::HasRoot()
#7 0x7fa9b31f96e3 ui::ws::WindowManagerState::GetEventTargetClientId()
#8 0x7fa9b3234476 ui::ws::EventDispatcher::DispatchToPointerTarget()
#9 0x7fa9b32357ed ui::ws::EventDispatcher::ProcessLocatedEvent()
#10 0x7fa9b3235084 ui::ws::EventDispatcher::ProcessEvent()
#11 0x7fa9b31f8161 ui::ws::WindowManagerState::ProcessNextEventFromQueue()
#12 0x7fa9b31f7a13 ui::ws::WindowManagerState::OnEventAck()
#13 0x7fa9b3219f02 ui::ws::WindowTree::OnWindowInputEventAck()
#14 0x7fa9af564007 ui::mojom::WindowTreeStub::Accept()
#15 0x7fa9b123312d mojo::InterfaceEndpointClient::HandleValidatedMessage()
#16 0x7fa9b1232be1 mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept()
#17 0x7fa9af5693df ui::mojom::WindowTreeRequestValidator::Accept()
#18 0x7fa9b1234812 mojo::InterfaceEndpointClient::HandleIncomingMessage()
#19 0x7fa9b124194a mojo::internal::MultiplexRouter::ProcessIncomingMessage()
#20 0x7fa9b12411b4 mojo::internal::MultiplexRouter::Accept()
#21 0x7fa9b123def1 mojo::MessageHeaderValidator::Accept()
#22 0x7fa9b122dd88 mojo::Connector::ReadSingleMessage()
#23 0x7fa9b122e83c mojo::Connector::ReadAllAvailableMessages()
#24 0x7fa9b122e763 mojo::Connector::OnHandleReadyInternal()
#25 0x7fa9b122e63b mojo::Connector::OnWatcherHandleReady()
[I cut off the rest]
After doing a bisect, I narrowed it down to https://codereview.chromium.org/2068093002 / 4d3588cbec, which was the patch that added embed event intercepts, and modified GetEventTargetClientId() which is in the stack above.
I added some basic logging inside WindowManagerState::GetEventTargetClientId(). The case which handles |in_nonclient_area| being true isn't handling all cases; |tree| can still be null after looking up GetTreeWithId().
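As an added illustration of the failure mode described above (this is not Chromium's code; the type names, the `Lookup` status enum and the "client torn down before its event ack arrives" scenario are hypothetical stand-ins for the `ui::ws` classes in the trace), the dispatch step is written so that a failed `GetTreeWithId()` lookup is reported as a distinct status and yields an invalid client id instead of being dereferenced:

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <set>

// Added illustration, not Chromium code: hypothetical stand-ins for the
// window-server types named in the crash trace.
using ClientId = uint32_t;
using WindowId = uint64_t;
constexpr ClientId kInvalidClientId = 0;

struct WindowTree {
  ClientId id;
  std::set<WindowId> roots;  // windows this client has embedded as roots
  bool HasRoot(WindowId w) const { return roots.count(w) != 0; }
};

// Outcome of resolving an event's target; a missed lookup is a normal result.
enum class Lookup { kTargeted, kNoSuchTree, kNotARoot };

class WindowManagerState {
 public:
  void AddTree(ClientId id, std::set<WindowId> roots) {
    trees_[id] = std::make_unique<WindowTree>(WindowTree{id, std::move(roots)});
  }
  void RemoveTree(ClientId id) { trees_.erase(id); }

  // Returns nullptr when no tree is registered under |id|. Assumption for the
  // example: the client can disconnect while its event is still queued, so a
  // lookup by a previously valid id can legitimately miss.
  WindowTree* GetTreeWithId(ClientId id) {
    auto it = trees_.find(id);
    return it == trees_.end() ? nullptr : it->second.get();
  }

  // Guarded dispatch step: the null case is handled explicitly instead of
  // falling through to tree->HasRoot() on a null pointer.
  Lookup GetEventTargetClientId(ClientId intercept_owner, WindowId target,
                                ClientId* out_client) {
    *out_client = kInvalidClientId;
    WindowTree* tree = GetTreeWithId(intercept_owner);
    if (tree == nullptr) return Lookup::kNoSuchTree;  // the unhandled case
    if (!tree->HasRoot(target)) return Lookup::kNotARoot;
    *out_client = tree->id;
    return Lookup::kTargeted;
  }

 private:
  std::map<ClientId, std::unique_ptr<WindowTree>> trees_;
};

// Constructed scenario mirroring the report: an event is queued for client 7,
// the client's tree is removed before the ack arrives, then the queued event
// is processed and the lookup misses.
Lookup DispatchAfterClientGone(ClientId* out_client) {
  WindowManagerState state;
  state.AddTree(7, {42});
  state.RemoveTree(7);
  return state.GetEventTargetClientId(7, 42, out_client);
}
```

The point of returning a status rather than just an id is that the caller can tell "client went away" apart from "window is not a root" and drop or re-target the event accordingly; either way the event processing path never touches a null tree.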
Comment 1 by bugdroid1@chromium.org, Jul 22 2016