New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 631600 link

Starred by 2 users
Status: Fixed
Owner:
lukasza@chromium.org
Closed: Jul 2016
Cc:
nick@chromium.org
creis@chromium.org
dcheng@chromium.org
pasko@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 336870



Sign in to add a comment

Prerender-related failure to get routing id via RenderFrameImpl::createChildFrame

Project Member Reported by lukasza@chromium.org, Jul 26 2016 
Repro:
1. Launch DCHECKs-enabled build of Chrome
2. Type "d" into omnibox
3. Have omnibox auto-complete into a docs document
   (e.g. ocs.google.com/document/d/1rkc5KV2QNAKwnjCbaomyc_B2EMGN1XvKUEQSf995fjw/edit)

Expected behavior: nothing exciting

Actual behavior: [15368:15368:0726/133545:FATAL:render_frame_impl.cc(2815)] Check failed: false. Failed to allocate routing id for child frame.

blink::WebFrame* RenderFrameImpl::createChildFrame(
...
  // Allocation of routing id failed, so we can't create a child frame. This can
  // happen if the synchronous IPC message above has failed.
  if (child_routing_id == MSG_ROUTING_NONE) {
    NOTREACHED() << "Failed to allocate routing id for child frame.";
    return nullptr;
  }

Comment 1 by lukasza@chromium.org, Jul 26 2016 

The sequence of events is the following:

1. Prerender creates a new renderer process
2. Prerender tears down the renderer process
3. The renderer process calls RenderFrameImpl::createChildFrame (which fails, because there is no longer a corresponding RenderProcessHost / RenderFrameMessageFilter on the browser side).

Callstacks:

1. Prerender creates a new renderer process:

#2 0x7f2fa9f34710 content::RenderFrameMessageFilter::RenderFrameMessageFilter()
#3 0x7f2faa475834 content::RenderProcessHostImpl::CreateMessageFilters()
#4 0x7f2faa473f64 content::RenderProcessHostImpl::Init()
#5 0x7f2fa9f17eb1 content::RenderFrameHostManager::Navigate()
#6 0x7f2fa9ec35f2 content::NavigatorImpl::NavigateToEntry()
#7 0x7f2fa9ec50b0 content::NavigatorImpl::NavigateToPendingEntry()
#8 0x7f2fa9e99245 content::NavigationControllerImpl::NavigateToPendingEntryInternal()
#9 0x7f2fa9e8960c content::NavigationControllerImpl::NavigateToPendingEntry()
#10 0x7f2fa9e8dad5 content::NavigationControllerImpl::LoadURLWithParams()
#11 0x7f2fb51122d6 prerender::PrerenderContents::StartPrerendering()
#12 0x7f2fb512040d prerender::PrerenderManager::AddPrerender()
#13 0x7f2fb5120bc2 prerender::PrerenderManager::AddPrerenderFromOmnibox()
#14 0x7f2fb5941c2f predictors::AutocompleteActionPredictor::StartPrerendering()
#15 0x7f2fb7688417 ChromeOmniboxClient::DoPrerender()
#16 0x7f2fb768807a ChromeOmniboxClient::OnTextChanged()
#17 0x7f2fb7de0741 OmniboxEditModel::OnChanged()
#18 0x7f2fb73656f2 OmniboxViewViews::OnInlineAutocompleteTextMaybeChanged()
#19 0x7f2fb7dec802 OmniboxEditModel::OnPopupDataChanged()
#20 0x7f2fb7deed08 OmniboxEditModel::OnCurrentMatchChanged()
#21 0x7f2fb7e8f11e OmniboxController::OnResultChanged()
#22 0x7f2fb7d795d5 AutocompleteController::UpdateResult()
#23 0x7f2fb7d783ff AutocompleteController::Start()
#24 0x7f2fb7de3806 OmniboxEditModel::StartAutocomplete()
#25 0x7f2fb73650d6 OmniboxViewViews::UpdatePopup()
#26 0x7f2fb7ded6bc OmniboxEditModel::OnAfterPossibleChange()
...

2. Prerender tears down the renderer process (actually there are multiple calls to RenderProcessHostImpl::Cleanup trigerred by the single PrerenderManager::PeriodicCleanup method call - below is the callstack for the last one - the one that actually triggers destruction of the RPH):

[15071:15071:0726/133544:ERROR:render_process_host_impl.cc(1905)] RenderProcessHostImpl::Cleanup; id=6; pid=15368
...
#2 0x7f2faa48916a content::RenderProcessHostImpl::Cleanup()
#3 0x7f2faa47ebbb content::RenderProcessHostImpl::RemoveRoute()
#4 0x7f2faa4caab1 content::RenderWidgetHostImpl::Destroy()
#5 0x7f2faa4cd1f2 content::RenderWidgetHostImpl::ShutdownAndDestroyWidget()
#6 0x7f2faa4c19a9 content::RenderViewHostImpl::ShutdownAndDestroy()
#7 0x7f2fa9e6adce content::FrameTree::ReleaseRenderViewHostRef()
#8 0x7f2fa9ecfc69 content::RenderFrameHostImpl::~RenderFrameHostImpl()
#9 0x7f2fa9ed0b4e content::RenderFrameHostImpl::~RenderFrameHostImpl()
#10 0x7f2fa9f15007 content::RenderFrameHostManager::~RenderFrameHostManager()
#11 0x7f2fa9e72669 content::FrameTreeNode::~FrameTreeNode()
#12 0x7f2fa9e67297 content::FrameTree::~FrameTree()
#13 0x7f2faa812625 content::WebContentsImpl::~WebContentsImpl()
#14 0x7f2faa8133be content::WebContentsImpl::~WebContentsImpl()
#15 0x7f2fb5114164 prerender::PrerenderContents::~PrerenderContents()
#16 0x7f2fb511494e prerender::PrerenderContents::~PrerenderContents()
#17 0x7f2fb512b031 prerender::PrerenderManager::PeriodicCleanup()
#18 0x7f2fb295283a base::Timer::RunScheduledTask()
...

3. The renderer process calls RenderFrameImpl::createChildFrame (all logging below done from RenderFrameImpl::createChildFrame):

[15368:15368:0726/133545:ERROR:render_frame_impl.cc(2808)] Sending FrameHostMsg_CreateChildFrame_Params ...
[15368:15368:0726/133545:ERROR:render_frame_impl.cc(2810)] Sending FrameHostMsg_CreateChildFrame_Params ... done.
[15368:15368:0726/133545:FATAL:render_frame_impl.cc(2815)] Check failed: false. Failed to allocate routing id for child frame.
#0 0x7faf8c400861 __interceptor_backtrace
#1 0x7faf8a87d9b3 base::debug::StackTrace::StackTrace()
#2 0x7faf8a8ebd8c logging::LogMessage::~LogMessage()
#3 0x7faf834e5490 content::RenderFrameImpl::createChildFrame()
#4 0x7faf772fd7a1 blink::WebLocalFrameImpl::createChildFrame()
#5 0x7faf69ade30d blink::HTMLFrameOwnerElement::loadOrRedirectSubframe()
#6 0x7faf69ad6eb8 blink::HTMLFrameElementBase::openURL()
#7 0x7faf69ad86fb blink::HTMLFrameElementBase::setNameAndOpenURL()
#8 0x7faf69589e83 blink::ContainerNode::notifyNodeInserted()
#9 0x7faf69587f64 blink::ContainerNode::updateTreeAfterInsertion()
#10 0x7faf695850dc blink::ContainerNode::appendChild()
#11 0x7faf6979c5ea blink::Node::appendChild()
#12 0x7faf691a55d0 blink::NodeV8Internal::appendChildMethodCallbackForMainWorld()
#13 0x7faf7c43e8d0 v8::internal::FunctionCallbackArguments::Call()
#14 0x7faf7c6d9d6d v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#15 0x7faf7c6d6efe v8::internal::Builtin_Impl_HandleApiCall()
#16 0x7faf7c6d60cf v8::internal::Builtin_HandleApiCall()
#17 0x7faf392063a7 <unknown>

Comment 2 by creis@chromium.org, Jul 26 2016

Cc: pasko@chromium.org
Components: UI>Browser>Navigation Internals>Preload
Owner: lukasza@chromium.org
Status: Started (was: Untriaged)
I agree with lukasza's approach of handling this as a normal case in https://codereview.chromium.org/2182273003/.  The sync IPC will likely fail any time the RenderFrameMessageFilter is gone, including prerender cancel or normal tab closure.
Project Member

Comment 3 by bugdroid1@chromium.org, Jul 27 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c4df88364164c2b0bf8eda3d16a50da716f308e0

commit c4df88364164c2b0bf8eda3d16a50da716f308e0
Author: lukasza <lukasza@chromium.org>
Date: Wed Jul 27 15:40:54 2016

FrameHostMsg_CreateChildFrame can legitimately fail during renderer shutdown.

 https://crbug.com/631600  shows a legitimate scenario where the browser
destroys WebContents (and consequently RenderProcessHost), but the
renderer process keeps running for a while and calls
RenderFrameImpl::createChildFrame.  In this case we expect to fail
sending FrameHostMsg_CreateChildFrame IPC and therefore to exit early
via:
  if (child_routing_id == MSG_ROUTING_NONE)
      return nullptr;

BUG= 631600 

Review-Url: https://codereview.chromium.org/2182273003
Cr-Commit-Position: refs/heads/master@{#408136}

[modify] https://crrev.com/c4df88364164c2b0bf8eda3d16a50da716f308e0/content/renderer/render_frame_impl.cc

Comment 4 by lukasza@chromium.org, Jul 27 2016

Status: Fixed (was: Started)

Sign in to add a comment