Regression: Tab Crash is seen in chrome://history page on continuously clicking on Reload Icon
Issue description
Version: 54.0.2817.0
OS: Ubuntu 14.04, Windows

What steps will reproduce the problem?
(1) Launch chrome -> Go to chrome://history page
(2) Now click on Reload button continuously for 5-6 times and observe (Please refer to Video)

Expected: Tab Crash should not be seen in chrome://history page on continuously clicking on Reload Icon
Actual: Instead Tab Crash is seen

Below are the Crash Ids:
Crash ID Chrome (Server ID: cb66a2fe00000000)

This is a Regression Issue. Broken in M-54. Will provide bisect info soon.
Aug 4 2016
Manual good and bad builds:
Good Build: 54.0.2811.0
Bad Build: 54.0.2812.0
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/537eb21a213e933eadc4cb5261bd33f5b895d08d..bcbb5c0cc4f958677efd66226b2611414a804895
Suspecting https://codereview.chromium.org/2192493002 from the changelog.
@alexclarke: Please feel free to re-assign if it's not related to your change.
Aug 4 2016
Attaching Expected Video
Aug 4 2016
I've reproduced this locally. I added a few prints and can see there's a duff frame pointer which is getting de-referenced.
[0x9def1881830] HTMLDocumentParser::stopBackgroundParser 1 document() 0x4e976ae1830
[0x9def1881830] document()->frame() 0x2c2c2c2c2c2c2c2c
Aug 4 2016
Users experienced this crash on the following builds:
Linux Beta 53.0.2785.34 - 0.35 CPM, 3 reports, 3 clients (signature IdleTaskRunner::run)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Aug 4 2016
Looking into this a bit more I can see the document is getting destructed but the parser doesn't know about that (DocumentParser::detach never got called). I'm not sure if that's expected or not.
Aug 4 2016
+yoav@ and kouhei@ Can you please help me find the right fix for this? It seems weird the HTMLDocumentParser doesn't realize the document has gone away. Fortunately this bug is easy to reproduce.
Aug 4 2016
For reference here's a callstack from a crash.
#0 0x7fa3c500a08e base::debug::StackTrace::StackTrace()
#1 0x7fa3c5009bcf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fa3b2188330 <unknown>
#3 0x7fa3ac7f8455 std::unique_ptr<>::get()
#4 0x7fa3ac7f635c blink::LocalFrame::frameScheduler()
#5 0x7fa3ac27d810 blink::HTMLDocumentParser::stopBackgroundParser()
#6 0x7fa3ac27d506 blink::HTMLDocumentParser::~HTMLDocumentParser()
#7 0x7fa3ab7835e3 blink::GarbageCollectedFinalized<>::finalizeGarbageCollectedObject()
#8 0x7fa3ab7835b5 blink::FinalizerTraitImpl<>::finalize()
#9 0x7fa3abebcdc5 blink::FinalizerTrait<>::finalize()
#10 0x7fa3b74c2ee1 blink::HeapObjectHeader::finalize()
#11 0x7fa3b74c7ae8 blink::NormalPage::sweep()
#12 0x7fa3b74c3da9 blink::BaseArena::sweepUnsweptPage()
#13 0x7fa3b74c4190 blink::BaseArena::completeSweep()
#14 0x7fa3b74cf14a blink::ThreadState::completeSweep()
#15 0x7fa3b74c68b8 blink::NormalPageArena::outOfLineAllocate()
#16 0x7fa3ab76741d blink::NormalPageArena::allocateObject()
#17 0x7fa3ac515416 blink::HeapAllocator::allocateVectorBacking<>()
#18 0x7fa3ac51520f WTF::VectorBufferBase<>::allocateBuffer()
#19 0x7fa3ac5150f2 WTF::Vector<>::reserveCapacity()
#20 0x7fa3ac51507d WTF::Vector<>::expandCapacity()
#21 0x7fa3ac514fb4 WTF::Vector<>::expandCapacity()
#22 0x7fa3ac514e91 WTF::Vector<>::appendSlowCase<>()
#23 0x7fa3ac5111f4 WTF::Vector<>::append<>()
#24 0x7fa3ac50fa59 blink::RuleSet::findBestRuleSetAndAdd()
#25 0x7fa3ac50ffb1 blink::RuleSet::addRule()
#26 0x7fa3ac5102b7 blink::RuleSet::addChildRules()
#27 0x7fa3ac51073c blink::RuleSet::addRulesFromSheet()
#28 0x7fa3ac53edab blink::StyleSheetContents::ensureRuleSet()
#29 0x7fa3ac5b89c2 blink::ScopedStyleResolver::appendCSSStyleSheet()
#30 0x7fa3ac5d7418 blink::StyleResolver::appendCSSStyleSheet()
#31 0x7fa3ac5d766b blink::StyleResolver::appendAuthorStyleSheets()
#32 0x7fa3abff9e4a blink::StyleEngine::appendActiveAuthorStyleSheets()
#33 0x7fa3abffa1fd blink::StyleEngine::createResolver()
#34 0x7fa3abeb3686 blink::StyleEngine::ensureResolver()
#35 0x7fa3abe9a0b4 blink::Document::ensureStyleResolver()
#36 0x7fa3abe9a63c blink::Document::updateStyle()
#37 0x7fa3abe96ba6 blink::Document::updateStyleAndLayoutTree()
#38 0x7fa3ac7b1de7 blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal()
#39 0x7fa3ac7b0cab blink::FrameView::updateStyleAndLayoutIfNeededRecursive()
#40 0x7fa3ac7b0153 blink::FrameView::updateLifecyclePhasesInternal()
#41 0x7fa3ac7afeb2 blink::FrameView::updateAllLifecyclePhases()
#42 0x7fa3ac9d704a blink::PageAnimator::updateAllLifecyclePhases()
#43 0x7fa3b6baf9e5 blink::PageWidgetDelegate::updateAllLifecyclePhases()
#44 0x7fa3b6c98278 blink::WebViewImpl::updateAllLifecyclePhases()
#45 0x7fa3bfb7b25a content::RenderWidget::UpdateVisualState()
#46 0x7fa3bf9cfb2a content::RenderWidgetCompositor::UpdateLayerTreeHost()
#47 0x7fa3bc43a88d cc::LayerTreeHost::RequestMainFrameUpdate()
#48 0x7fa3bc4fd8eb cc::ProxyMain::BeginMainFrame()
#49 0x7fa3bc52b058 _ZN4base8internal13FunctorTraitsIMN2cc9ProxyMainEFvSt10unique_ptrINS2_28BeginMainFrameAndCommitStateESt14default_deleteIS5_EEEvE6InvokeIRKNS_7WeakPtrIS3_EEJS8_EEEvSA_OT_DpOT0_
#50 0x7fa3bc52af2f _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN2cc9ProxyMainEFvSt10unique_ptrINS4_28BeginMainFrameAndCommitStateESt14default_deleteIS7_EEERKNS_7WeakPtrIS5_EEJSA_EEEvOT_OT0_DpOT1_
#51 0x7fa3bc52ae98 _ZN4base8internal7InvokerINS0_9BindStateIMN2cc9ProxyMainEFvSt10unique_ptrINS3_28BeginMainFrameAndCommitStateESt14default_deleteIS6_EEEJNS_7WeakPtrIS4_EENS0_13PassedWrapperIS9_EEEEEFvvEE7RunImplIRKSB_RKSt5tupleIJSD_SF_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#52 0x7fa3bc52ab9c _ZN4base8internal7InvokerINS0_9BindStateIMN2cc9ProxyMainEFvSt10unique_ptrINS3_28BeginMainFrameAndCommitStateESt14default_deleteIS6_EEEJNS_7WeakPtrIS4_EENS0_13PassedWrapperIS9_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#53 0x7fa3c4fe9f8e base::Callback<>::Run()
#54 0x7fa3c500fbfe base::debug::TaskAnnotator::RunTask()
#55 0x7fa3b01643a4 scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#56 0x7fa3b0162175 scheduler::TaskQueueManager::DoWork()
#57 0x7fa3b0169948 _ZN4base8internal13FunctorTraitsIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEvE6InvokeIRKNS_7WeakPtrIS3_EEJRKS4_RKbEEEvS6_OT_DpOT0_
#58 0x7fa3b0169804 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbERKNS_7WeakPtrIS5_EEJRKS6_RKbEEEvOT_OT0_DpOT1_
#59 0x7fa3b0169764 _ZN4base8internal7InvokerINS0_9BindStateIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEJNS_7WeakPtrIS4_EES5_bEEEFvvEE7RunImplIRKS7_RKSt5tupleIJS9_S5_bEEJLm0ELm1ELm2EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#60 0x7fa3b016946c _ZN4base8internal7InvokerINS0_9BindStateIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEJNS_7WeakPtrIS4_EES5_bEEEFvvEE3RunEPNS0_13BindStateBaseE
#61 0x7fa3c4fe9f8e base::Callback<>::Run()

r8: 00007fa3a69b1a40 r9: 00007ffcb6b5c820 r10: 00007fa3b07e9be0 r11: 0000000000000000
r12: 00007fa3c5c406fc r13: 00007ffcb6b621a0 r14: 0000000000000000 r15: 0000000000000000
di: 2c2c2c2c2c2c2ccc si: 0000000000000000 bp: 00007ffcb6b5c7f0 bx: 00007fa3ad239856
dx: 0000000000000000 ax: 2c2c2c2c2c2c2ccc cx: ec0855d6ee9a5c00 sp: 00007ffcb6b5c7e0
ip: 00007fa3ac7f8455 efl: 0000000000010202 cgf: 0000000000000033 erf: 0000000000000000
trp: 000000000000000d msk: 0000000000000000 cr2: 0000000000000000
Aug 4 2016
The problem is that HTMLDocumentParser's destructor is calling HTMLDocumentParser::stopBackgroundParser, which touches other on-heap objects. Destructors of on-heap objects are not allowed to touch any other on-heap objects.
Aug 4 2016
I have a patch that fixes the crash: https://codereview.chromium.org/2209283002/
Aug 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/61c5d52a6f5366abfec4474bec4b0dd5965abf22

commit 61c5d52a6f5366abfec4474bec4b0dd5965abf22
Author: alexclarke <alexclarke@chromium.org>
Date: Thu Aug 04 16:36:14 2016

Fix HTMLDocumentParser::stopBackgroundParser crash

HTMLDocumentParser::stopBackgroundParser was getting called from HTMLDocumentParser::~HTMLDocumentParser; this is a problem because it assumes document() is valid. That's not always the case since both HTMLDocumentParser and Document are on the oilpan heap and it's not allowed to dereference an object like that in the destructor.

As a workaround I've added a pre-finalizer. This fixes the crash described in the bug.

BUG=634244
Review-Url: https://codereview.chromium.org/2209283002
Cr-Commit-Position: refs/heads/master@{#409806}

[modify] https://crrev.com/61c5d52a6f5366abfec4474bec4b0dd5965abf22/third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp
[modify] https://crrev.com/61c5d52a6f5366abfec4474bec4b0dd5965abf22/third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.h
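The rule kouhei@ states above (a destructor of an on-heap object must not touch other on-heap objects) and the pre-finalizer workaround described in the commit above, as an added example. This is model code written for this page, not Blink or Oilpan source: `Heap`, `GcObject`, `Frame`, `Document`, `Parser`, `Outcome` and `teardownScenario` are assumed names standing in for the real heap, LocalFrame, Document and HTMLDocumentParser, and pre-finalizers are modelled as a virtual hook rather than Oilpan's per-class registration. With `usePreFinalizer=false` the Document is swept before the parser and the destructor finds it already dead (the model asks the heap about liveness instead of dereferencing the stale pointer, so it records the hazard instead of crashing); with `usePreFinalizer=true` the cleanup runs before the sweep, while Document and Frame are both intact.

```cpp
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>

// Toy tracing GC in the shape of Oilpan (model code, not Blink's). Marking starts from a
// root; the sweep destroys every unmarked object in an order no destructor may rely on,
// so a destructor must not touch other heap objects. A pre-finalizer runs for every dead
// object before any destructor, while the whole heap is still intact.
struct GcObject {
    bool marked = false;
    virtual ~GcObject() = default;
    virtual void trace(std::vector<GcObject*>&) {}
    virtual void preFinalize() {}  // Oilpan opts in per class (USING_PRE_FINALIZER); a hook here for brevity
};

class Heap {
public:
    template <typename T, typename... Args>
    T* allocate(Args&&... args) {
        objects_.push_back(std::make_unique<T>(std::forward<Args>(args)...));
        return static_cast<T*>(objects_.back().get());
    }
    void setRoot(GcObject* o) { root_ = o; }
    // Pointer comparison only; o is never dereferenced, so asking about a swept object is safe.
    bool isAlive(const GcObject* o) const {
        for (const auto& u : objects_) if (u.get() == o) return true;
        return false;
    }
    // One mark-sweep cycle; returns the number of objects reclaimed.
    int collectGarbage() {
        for (auto& u : objects_) u->marked = false;
        std::vector<GcObject*> work;
        if (root_) work.push_back(root_);
        while (!work.empty()) {
            GcObject* o = work.back(); work.pop_back();
            if (o->marked) continue;
            o->marked = true;
            o->trace(work);
        }
        // Phase 1: pre-finalizers of every dead object, before any destructor runs.
        for (auto& u : objects_) if (!u->marked) u->preFinalize();
        // Phase 2: sweep in allocation order. The Document was allocated before its parser,
        // so it is destroyed first: the order the crash needs.
        int reclaimed = 0;
        for (auto& u : objects_)
            if (!u->marked) { u.reset(); ++reclaimed; }  // destructor runs here
        objects_.erase(std::remove_if(objects_.begin(), objects_.end(),
                       [](const std::unique_ptr<GcObject>& u) { return !u; }), objects_.end());
        return reclaimed;
    }
private:
    std::vector<std::unique_ptr<GcObject>> objects_;
    GcObject* root_ = nullptr;
};

struct Frame : GcObject {};
struct Document : GcObject {
    explicit Document(Frame* f) : frame_(f) {}
    Frame* frame() const { return frame_; }
    void trace(std::vector<GcObject*>& out) override { out.push_back(frame_); }
    Frame* frame_;  // Member<Frame> in Blink
};
// What a teardown observed; written during GC, read by the caller afterwards.
struct Outcome { bool documentAliveAtTeardown = false, backgroundParserStopped = false; int reclaimed = 0; };
class Parser : public GcObject {
public:
    Parser(Heap& heap, Document* doc, Outcome* out, bool usePreFinalizer)
        : heap_(heap), document_(doc), outcome_(out), usePreFinalizer_(usePreFinalizer) {}
    void trace(std::vector<GcObject*>& out) override { if (document_) out.push_back(document_); }
    // Post-fix shape: cleanup before any sweep, while document_ and its frame are intact.
    void preFinalize() override { if (usePreFinalizer_) { stopBackgroundParser(); document_ = nullptr; } }
    // Pre-fix shape: cleanup in the destructor, by which time the Document may be gone.
    ~Parser() override { if (!usePreFinalizer_) stopBackgroundParser(); }
private:
    // Needs document()->frame(), two other heap objects. The model asks the heap first
    // instead of dereferencing a stale pointer: it records the hazard rather than reading freed memory.
    void stopBackgroundParser() {
        outcome_->documentAliveAtTeardown = heap_.isAlive(document_);
        if (outcome_->documentAliveAtTeardown && document_->frame())
            outcome_->backgroundParserStopped = true;
    }
    Heap& heap_;
    Document* document_;  // Member<Document> in Blink
    Outcome* outcome_;
    bool usePreFinalizer_;
};

// Frame <- Document <- Parser, the parser being the only root. Dropping the root plays the
// part of the reload that lets the whole page die in one GC cycle.
Outcome teardownScenario(bool usePreFinalizer) {
    Outcome outcome;
    Heap heap;  // declared after outcome so it is torn down first
    Document* doc = heap.allocate<Document>(heap.allocate<Frame>());
    heap.setRoot(heap.allocate<Parser>(heap, doc, &outcome, usePreFinalizer));
    heap.collectGarbage();  // everything reachable, nothing reclaimed
    heap.setRoot(nullptr);
    outcome.reclaimed = heap.collectGarbage();  // frame, document and parser all die
    return outcome;
}
```

The sweep order in `collectGarbage` is deliberately the unfavourable one, but the real point is that no order can be relied on: the callstack above shows Oilpan sweeping lazily from inside an allocation (frames #11 to #15), so by the time `~HTMLDocumentParser` runs there is no way to know which neighbours have already been finalized. Anything that needs another heap object has to run in the pre-finalizer, and the destructor must leave `document_` alone.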
Aug 5 2016
Issue 634298 has been merged into this issue.
Aug 9 2016
Retested the above issue on Windows & Ubuntu 14.04 with chrome version 54.0.2824.0 (Windows) & 54.0.2823.0 (Ubuntu 14.04) and no crash is observed when the chrome://history page is reloaded several times. Hence marking the same as TE-Verified-54.0.2824.0 & TE-Verified-54.0.2823.0. Attached is the screencast for the same. Thank you!
Comment 1 by ajha@chromium.org, Aug 4 2016
Status: Untriaged (was: Unconfirmed)