
Issue 633611

Issue metadata

Status: WontFix
Closed: Aug 2016
OS: Chrome
Pri: 1
Type: Bug




ui::LayerAnimator::SetDelegate

Project Member Reported by rookrishna@chromium.org, Aug 2 2016

Issue description

Crash while navigating 

Report ID: 36a9c57e00000000
Product, version: Chrome_ChromeOS, 54.0.2813.0
Process type: browser
Magic Signature: ui::LayerAnimator::SetDelegate
Stable Signature: ui::LayerAnimator::SetDelegate
Report Time: Tue, 02 Aug 2016 16:12:58 GMT
Uptime: 167566 ms
Client ID: bb922aba81d94337b92c45428f5b4431
Files: minidump, chrome.txt, i915_error_state.log.xz
In shutdown: false
Device Model: samus-signed-mpkeys
Thread 0 CRASHED [SIGSEGV @ 0xffffe3d171fed800 ] MAGIC SIGNATURE THREAD
0x00007fe512e6771c	(chrome -layer_animator.cc:128 )	ui::LayerAnimator::SetDelegate
0x00007fe512e60955	(chrome -layer.cc:226 )	ui::Layer::SetAnimator
0x00007fe512e609ed	(chrome -layer.cc:234 )	ui::Layer::GetAnimator
0x00007fe512e60a9f	(chrome -layer.cc:413 )	ui::Layer::SetVisible
0x00007fe512e34d54	(chrome -ink_drop_highlight.cc:157 )	views::InkDropHighlight::AnimationEndedCallback
0x00007fe512e5bdeb	(chrome -callback.h:389 )	ui::CallbackLayerAnimationObserver::CheckAllSequencesCompleted
0x00007fe512e651db	(chrome -layer_animation_sequence.cc:278 )	ui::LayerAnimationSequence::NotifyAborted
0x00007fe512e68671	(chrome -layer_animator.cc:937 )	ui::LayerAnimator::ClearAnimationsInternal
0x00007fe512e68773	(chrome -layer_animator.cc:66 )	ui::LayerAnimator::~LayerAnimator
0x00007fe512e688d0	(chrome -layer_animator.cc:69 )	ui::LayerAnimator::~LayerAnimator
0x00007fe512e6ae81	(chrome -ref_counted.h:407 )	std::_Rb_tree<scoped_refptr<ui::LayerAnimator>, scoped_refptr<ui::LayerAnimator>, std::_Identity<scoped_refptr<ui::LayerAnimator> >, std::less<scoped_refptr<ui::LayerAnimator> >, std::allocator<scoped_refptr<ui::LayerAnimator> > >::_M_erase
0x00007fe512e6ae6b	(chrome -stl_tree.h:1275 )	std::_Rb_tree<scoped_refptr<ui::LayerAnimator>, scoped_refptr<ui::LayerAnimator>, std::_Identity<scoped_refptr<ui::LayerAnimator> >, std::less<scoped_refptr<ui::LayerAnimator> >, std::allocator<scoped_refptr<ui::LayerAnimator> > >::_M_erase
0x00007fe512e6b1be	(chrome -stl_tree.h:754 )	ui::LayerAnimatorCollection::OnAnimationStep
0x00007fe512e5d10c	(chrome -compositor.cc:460 )	ui::Compositor::BeginMainFrame
0x00007fe512ed6ef1	(chrome -single_thread_proxy.cc:806 )	cc::SingleThreadProxy::DoBeginMainFrame
0x00007fe512ed706e	(chrome -single_thread_proxy.cc:800 )	cc::SingleThreadProxy::BeginMainFrame
0x00007fe510a1c79c	(chrome -callback.h:389 )	base::debug::TaskAnnotator::RunTask
0x00007fe510a09e05	(chrome -message_loop.cc:496 )	base::MessageLoop::DoWork
0x00007fe510a0a572	(chrome -message_pump_libevent.cc:217 )	base::MessagePumpLibevent::Run
0x00007fe5122dd857	(chrome -run_loop.cc:35 )	base::RunLoop::Run




 

Comment 1 by creis@chromium.org, Aug 2 2016

Cc: vollick@chromium.org loyso@chromium.org sadrul@chromium.org
Components: -UI>Browser>Navigation Blink>Compositing
This is in the compositor, not navigation.  Can you elaborate on the repro steps?

CCing folks who have touched that code to help triage it.
Components: -Blink>Compositing UI>Browser
Owner: bruthig@chromium.org
Status: Assigned (was: Untriaged)
It looks like this is related to the InkDropHighlight animation calling SetVisible on a layer which no longer exists.

https://cs.chromium.org/chromium/src/ui/views/animation/ink_drop_highlight.cc?q=ink_drop_highlight%5C.cc&sq=package:chromium&dr&l=157
Cc: flackr@chromium.org
Rob, I'm not sure how you came to the conclusion that the Layer no longer exists, can you elaborate?

From what I can tell this should not be the case because the InkDropHighlight owns a Layer for its entire lifetime and I don't see the ~InkDropHighlight() dtor in the call stack. Also the call to layer_->SetVisible() in InkDropHighlight::AnimationEndedCallback() is guarded by an 'if (layer_)' clause.
Status: WontFix (was: Assigned)
This is a dupe of https://buganizer.corp.google.com/issues/29503765, which is fixed.

closing
Looks like this has been fixed, but FYI, re #3:

The crashing line in layer_animator.cc:128: LayerAnimator::SetDelegate(LayerAnimationDelegate* delegate):
  SwitchToLayer(delegate ? delegate->GetCcLayer() : nullptr);

delegate was passed in from the frame above: Layer::SetAnimator 
  animator_->SetDelegate(this);

By which I concluded that "this" object must have been a previously deleted layer (such that calling a method on it caused a seg fault). Looking at InkDropHighlight it does seem to own the layer_ but perhaps something else thinks it owns the layer_ as well? I assumed the "if (layer_)" check only verified we didn't have a nullptr, but that the Layer pointed to had in fact been deleted.
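
The scenario hypothesized in the last comment, as an added example that is not code from the Chromium tree or from anyone in this thread: a callback fired from an animator's destructor sees a non-null raw pointer even after the object is gone, while a lifetime-aware handle does not. `Layer`, `Animator`, `Result` and `RunAbortCallback` are hypothetical stand-ins, and `std::weak_ptr` is used here only to represent any handle that tracks object lifetime.

```cpp
// Added example: hypothetical stand-ins, not Chromium's ui::Layer / ui::LayerAnimator.
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

struct Layer {
  bool visible = true;
  void SetVisible(bool v) { visible = v; }
};

// Fires its abort callbacks from the destructor, mirroring the
// ~LayerAnimator -> NotifyAborted -> AnimationEndedCallback frames.
struct Animator {
  std::vector<std::function<void()>> on_aborted;
  ~Animator() { for (auto& cb : on_aborted) cb(); }
};

struct Result {
  bool raw_guard_passed = false;   // what an `if (layer_)` style check reports
  bool weak_guard_passed = false;  // what a lifetime-aware handle reports
  bool touched_layer = false;      // whether the callback called into the Layer
};

Result RunAbortCallback(bool destroy_layer_first) {
  Result r;
  auto layer = std::make_shared<Layer>();
  Layer* raw = layer.get();            // non-owning pointer, never nulled
  std::weak_ptr<Layer> weak = layer;   // expires when the Layer is destroyed
  auto animator = std::make_unique<Animator>();
  animator->on_aborted.push_back([&r, raw, weak] {
    r.raw_guard_passed = (raw != nullptr);  // value compare only, no dereference
    if (auto alive = weak.lock()) {         // proves the object still exists
      r.weak_guard_passed = true;
      alive->SetVisible(false);
      r.touched_layer = true;
    }
  });
  if (destroy_layer_first) layer.reset();  // Layer gone before the animator
  animator.reset();                        // destructor runs the callback
  return r;
}

int main() {
  Result dead = RunAbortCallback(true), live = RunAbortCallback(false);
  std::printf("layer destroyed first: raw=%d weak=%d touched=%d\n",
              dead.raw_guard_passed, dead.weak_guard_passed, dead.touched_layer);
  std::printf("layer still alive:     raw=%d weak=%d touched=%d\n",
              live.raw_guard_passed, live.weak_guard_passed, live.touched_layer);
}
```
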
