New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 638089 link

Starred by 2 users
Status: Fixed
Owner:
creis@chromium.org
Closed: Oct 2016
Cc:
a...@chromium.org
creis@chromium.org
nasko@chromium.org
wfh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



Sign in to add a comment

WebContentsImpl::UpdateTitle DCHECK failing

Project Member Reported by ukai@chromium.org, Aug 16 2016 
Version: 54.0.2830.0 (Developer Build) (64-bit) with dcheck_always_on=1
OS: Linux

What steps will reproduce the problem?
not sure, but
(1) restart chromium and recover tabs.
(2) close some tabs while loading
(3)

What is the expected output?

What do you see instead?

browser crashed
[3401:3401:0816/135931:FATAL:web_contents_impl.cc(4559)] Check failed: entry == new_entry (0xfa567f4b500 vs. 0)
Program received signal SIGABRT, Aborted.
0x00007fffeeaf1c37 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007fffeeaf1c37 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fffeeaf5028 in __GI_abort () at abort.c:89
#2  0x00007ffff7a73ec2 in base::debug::BreakDebugger() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#3  0x00007ffff7a9a96a in logging::LogMessage::~LogMessage() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#4  0x00007ffff59a00f9 in content::WebContentsImpl::UpdateTitle(content::RenderFrameHost*, int, std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, base::i18n::TextDirection) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#5  0x00007ffff56cfbce in content::RenderFrameHostImpl::OnUpdateTitle(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, blink::WebTextDirection) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#6  0x00007ffff56cf97c in bool IPC::MessageT<FrameHostMsg_UpdateTitle_Meta, std::tuple<std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> >, blink::WebTextDirection>, void>::Dispatch<content::Render
FrameHostImpl, content::RenderFrameHostImpl, void, void (content::RenderFrameHostImpl::*)(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, blink::WebTextDirection)>(IPC::Message const*, content::RenderFrameHostImpl*, content::RenderFrameHostImpl*, void*, void (content::RenderFrameHostImpl::*)(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, blink::WebTextDirection)) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#7  0x00007ffff56caa07 in content::RenderFrameHostImpl::OnMessageReceived(IPC::Message const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#8  0x00007ffff5885ad6 in content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#9  0x00007ffff499e3a5 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libipc.so
#10 0x00007ffff7a7a706 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#11 0x00007ffff7aa4f95 in base::MessageLoop::RunTask(base::PendingTask const&)    ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#12 0x00007ffff7aa52c8 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#13 0x00007ffff7aa567b in base::MessageLoop::DoWork() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#14 0x00007ffff7aa766a in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#15 0x00007ffff16ece04 in g_main_dispatch (context=0xfa55de39c00)
    at /build/buildd/glib2.0-2.40.2/./glib/gmain.c:3064
#16 g_main_context_dispatch (context=context@entry=0xfa55de39c00)
    at /build/buildd/glib2.0-2.40.2/./glib/gmain.c:3663
#17 0x00007ffff16ed048 in g_main_context_iterate (
    context=context@entry=0xfa55de39c00, block=block@entry=0,
    dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.40.2/./glib/gmain.c:3734
#18 0x00007ffff16ed0ec in g_main_context_iteration (context=0xfa55de39c00,
    may_block=0) at /build/buildd/glib2.0-2.40.2/./glib/gmain.c:3795
#19 0x00007ffff7aa73c6 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#20 0x00007ffff7aa4a91 in base::MessageLoop::RunHandler() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#21 0x00007ffff7ad2c20 in base::RunLoop::Run() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#22 0x000055555603302a in ChromeBrowserMainParts::MainMessageLoopRun(int*) ()
#23 0x00007ffff55d5669 in content::BrowserMainLoop::RunMainMessageLoopParts()    ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#24 0x00007ffff55d8958 in content::BrowserMainRunnerImpl::Run() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#25 0x00007ffff55d0fde in content::BrowserMain(content::MainFunctionParams const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
26 0x00007ffff5eca454 in content::RunNamedProcessTypeMain(std::string const&, content::MainFunctionParams const&, content::ContentMainDelegate*) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#27 0x00007ffff5ecaeb3 in content::ContentMainRunnerImpl::Run() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#28 0x00007ffff5ec9770 in content::ContentMain(content::ContentMainParams const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#29 0x0000555555a38eeb in ChromeMain ()
#30 0x00007fffeeadcf45 in __libc_start_main (main=0x555555a38ea0 <main>,
    argc=2, argv=0x7fffffffdb38, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffdb28) at libc-start.c:287
#31 0x0000555555a38dbd in _start ()

Please use labels and text to provide additional information.
https://chromium.googlesource.com/chromium/src/+/0bfe528899739beaab8587e7c6ee9277209e0c63

Comment 1 by dcheng@chromium.org, Aug 16 2016

Components: -Content>Core Internals>Sandbox>SiteIsolation

Comment 2 by nasko@chromium.org, Aug 16 2016

Cc: a...@chromium.org
Adding avi@, who has done a bunch of work with page_id in the past.

Comment 3 by elawrence@chromium.org, Aug 17 2016 

Hit while refreshing on Chromium 54.0.2832.0 64bit on Windows.

[8928:1504:0817/160544:FATAL:web_contents_impl.cc(4559)] Check failed: entry == new_entry (0000000049B68A10 vs. 0000000000000000)
Backtrace:
base::SupportsUserData::DetachUserDataThread [0x00000000007803A1+427542]
base::SupportsUserData::DetachUserDataThread [0x00000000007E6F31+848294]
IPC::ParamTraits<ViewHostMsg_CreateWorker_Reply>::Read [0x00000000142E656E+38169593]
IPC::ParamTraits<ViewHostMsg_CreateWorker_Reply>::Read [0x000000001366B6E6+25083249]
IPC::ParamTraits<ViewHostMsg_CreateWorker_Reply>::Read [0x000000001363E494+24898335]
IPC::ParamTraits<ViewHostMsg_CreateWorker_Reply>::Read [0x000000001363CA43+24891598]
IPC::ParamTraits<ViewHostMsg_CreateWorker_Reply>::Read [0x000000001363D6C2+24894797]
IPC::ParamTraits<ViewHostMsg_CreateWorker_Reply>::Read [0x0000000013638682+24874253]
IPC::ParamTraits<ViewHostMsg_CreateWorker_Reply>::Read [0x0000000013669099+25073444]
IPC::ParamTraits<ViewHostMsg_CreateWorker_Reply>::Read [0x0000000013E095D7+33070178]
IPC::internal::ChannelReader::ChannelReader [0x00000000188BE962+333575]
IPC::internal::ChannelReader::ChannelReader [0x00000000188B5ABA+297055]
IPC::internal::ChannelReader::ChannelReader [0x00000000188B63C9+299374]
IPC::internal::ChannelReader::ChannelReader [0x00000000188B6963+300808]
IPC::internal::ChannelReader::ChannelReader [0x00000000188BF683+336936]
base::SupportsUserData::DetachUserDataThread [0x000000000072F9B8+97325]
base::SupportsUserData::DetachUserDataThread [0x0000000000787F6F+459236]
base::SupportsUserData::DetachUserDataThread [0x000000000081EB79+1076718]
base::SupportsUserData::DetachUserDataThread [0x000000000081BBCC+1064513]
base::SupportsUserData::DetachUserDataThread [0x000000000081C4E2+1066839]
base::SupportsUserData::DetachUserDataThread [0x0000000000829B91+1121798]
base::SupportsUserData::DetachUserDataThread [0x000000000082C14D+1131458]
base::SupportsUserData::DetachUserDataThread [0x000000000081E776+1075691]

Comment 4 by nasko@chromium.org, Aug 17 2016

Cc: nasko@chromium.org
elawrence@, do you know the URL of the page you were refreshing? Any more details that you can recall?

Comment 5 by creis@chromium.org, Aug 22 2016

Components: UI>Browser>Navigation
Labels: -Pri-3 OS-All Pri-2
Owner: creis@chromium.org
Status: Assigned (was: Untriaged)
Summary: WebContentsImpl::UpdateTitle DCHECK failing (was: FATAL:web_contents_impl.cc(4559)] Check failed: entry == new_entry (0xfa567f4b500 vs. 0))
Yes, this sounds like we're finding another way that page ID and nav_entry_id are disagreeing in UpdateTitle (in non-OOPIF modes).  We've fixed a few of those in  issue 577449  and  issue 616609 .

ukai@ and elawrence@: Thanks for reporting.  Can you provide any more details about how to repro it locally?  That would help us get it fixed.

Comment 6 by creis@chromium.org, Aug 22 2016 

Yes, this sounds like we're finding another way that page ID and nav_entry_id are disagreeing in UpdateTitle (in non-OOPIF modes).  We've fixed a few of those in  issue 577449  and  issue 616609 .

ukai@ and elawrence@: Thanks for reporting.  Can you provide any more details about how to repro it locally?  That would help us get it fixed.

Comment 7 by csharrison@chromium.org, Aug 25 2016 

Hey creis,
I repro'd this locally by navigating to twitter.com and navigating away before the load event. I'm on TOT (#414452).

Let me know if this works for you.

Comment 8 by csharrison@chromium.org, Aug 25 2016 

To update: this is not logged in, with an omnibox navigation away specifically to news.ycombinator.com.

Very strange. I tried a few other urls but only Hacker News repros :P

Comment 9 by creis@chromium.org, Aug 25 2016 

Comments 7-8: Interesting!  It's not reliable for me, but I did see it when leaving twitter for news.ycombinator.com (just after the spinner stopped, in my case).  I'll try to investigate next week.  (Maybe Twitter's replaceStates are involved.)  Thanks!

Comment 10 by creis@chromium.org, Oct 3 2016

Status: Started (was: Assigned)
I finally caught this in a debugger, and I think we're probably doing as well as we can in this case.  We can just remove the DCHECK, or even better, remove page ID entirely.

csharrison@ put together a page that floods the browser with replaceState IPCs.  If you do a cross-process navigation away from that page, you'll get a replaceState commit after the cross-process navigation commits.  We end up ignoring the replaceState commit in RenderFrameHostImpl::OnDidCommitProvisionalLoad (because IsWaitingForUnloadACK returns true), which resets the RFH's nav_entry_id.  This is normally the right thing to do, because the old RFH is not allowed to create new NavigationEntries after the new RFH has committed.

The UpdateTitle IPC arrives shortly after that, with a valid page ID (since replaceState affects an existing NavigationEntry and doesn't create a new one).  Thus, the old page ID logic found the entry and updated the title, but the new nav_entry_id logic can't find the entry.  This means we may not update the title on the entry quite as often as we could in the past, but that should be ok, given that we've already left the page.  (Besides, the check for ignoring the commit happens too early for classifying the navigation as creating a new entry or not.)

Avi, maybe I'll remove the DCHECK before branch cut, and you can remove the whole page ID logic after.

Comment 11 by a...@chromium.org, Oct 4 2016 

You're welcome to remove it.
Project Member

Comment 12 by bugdroid1@chromium.org, Oct 4 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/03e1338d8a29ec8a050fc0d47bde5426bf3d8707

commit 03e1338d8a29ec8a050fc0d47bde5426bf3d8707
Author: creis <creis@chromium.org>
Date: Tue Oct 04 22:47:28 2016

Remove incorrect DCHECK in WebContentsImpl::UpdateTitle.

This may legitimately fail when replaceState IPCs arrive from a
RenderFrameHost that is pending deletion, causing its nav_entry_id
to be reset.  In this case, we'll find a NavigationEntry by page_id
but not by nav_entry_id.

BUG= 638089 
TEST=No debug crash going cross process during replaceState flood.

Review-Url: https://codereview.chromium.org/2394453002
Cr-Commit-Position: refs/heads/master@{#422978}

[modify] https://crrev.com/03e1338d8a29ec8a050fc0d47bde5426bf3d8707/content/browser/web_contents/web_contents_impl.cc

Comment 13 by creis@chromium.org, Oct 4 2016

Status: Fixed (was: Started)

Sign in to add a comment