Repros in 54.2840 as well. This appears to simply be a runaway main thread (perf bug, DoS at worst).

00 (Inline Function) --------`-------- chrome_7fee5cb0000!std::_Tree_unchecked_const_iterator<std::_Tree_val<std::_Tree_simple_types<__int64> >,std::_Iterator_base0>::operator+++0x2a [c:\b\depot_tools\win_toolchain\vs_files\95ddda401ec5678f15eeed01d2bee08fcbc5ee97\vc\include\xtree @ 70]
01 (Inline Function) --------`-------- chrome_7fee5cb0000!std::_Set_intersection+0x117 [c:\b\depot_tools\win_toolchain\vs_files\95ddda401ec5678f15eeed01d2bee08fcbc5ee97\vc\include\algorithm @ 3650]
02 (Inline Function) --------`-------- chrome_7fee5cb0000!std::set_intersection+0x13d [c:\b\depot_tools\win_toolchain\vs_files\95ddda401ec5678f15eeed01d2bee08fcbc5ee97\vc\include\algorithm @ 3663]
03 (Inline Function) --------`-------- chrome_7fee5cb0000!std::set_intersection+0x13d [c:\b\depot_tools\win_toolchain\vs_files\95ddda401ec5678f15eeed01d2bee08fcbc5ee97\vc\include\algorithm @ 3734]
04 00000000`0020b030 000007fe`e84013d2 chrome_7fee5cb0000!base::STLSetIntersection<std::set<__int64,std::less<__int64>,std::allocator<__int64> >,std::set<__int64,std::less<__int64>,std::allocator<__int64> >,std::set<__int64,std::less<__int64>,std::allocator<__int64> > >(class std::set<__int64,std::less<__int64>,std::allocator<__int64> > * a1 = <Value unavailable error>, class std::set<__int64,std::less<__int64>,std::allocator<__int64> > * a2 = <Value unavailable error>)+0x1a2 [c:\b\build\slave\win64-pgo\build\src\base\stl_util.h @ 226]
05 00000000`0020b080 000007fe`e83ffb19 chrome_7fee5cb0000!URLIndexPrivateData::HistoryIDSetFromWords(class std::vector<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::allocator<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > > > * unsorted_words = <Value unavailable error>)+0x12e [c:\b\build\slave\win64-pgo\build\src\components\omnibox\browser\url_index_private_data.cc @ 549]
06 00000000`0020b150 000007fe`e83fcab6 chrome_7fee5cb0000!URLIndexPrivateData::HistoryItemsForTerms(class std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > * search_string = 0x00000000`0020b420 "[](a.com)[]{--trimmedbydev--}(a.com)[, unsigned int64 cursor_position = <Value unavailable error>, class bookmarks::BookmarkModel * bookmark_model = 0x00000000`065cd480, class TemplateURLService * template_url_service = 0x00000000`065d8200)+0x1dd [c:\b\build\slave\win64-pgo\build\src\components\omnibox\browser\url_index_private_data.cc @ 199]
07 (Inline Function) --------`-------- chrome_7fee5cb0000!InMemoryURLIndex::HistoryItemsForTerms+0x51 [c:\b\build\slave\win64-pgo\build\src\components\omnibox\browser\in_memory_url_index.cc @ 130]
08 00000000`0020b3b0 000007fe`e83fc97f chrome_7fee5cb0000!HistoryQuickProvider::DoAutocomplete(void)+0xa2 [c:\b\build\slave\win64-pgo\build\src\components\omnibox\browser\history_quick_provider.cc @ 73]
09 00000000`0020b720 000007fe`e83dfee9 chrome_7fee5cb0000!HistoryQuickProvider::Start(class AutocompleteInput * input = 0x00000000`15dd2910, bool minimal_changes = true)+0x133 [c:\b\build\slave\win64-pgo\build\src\components\omnibox\browser\history_quick_provider.cc @ 63]
0a 00000000`0020b7f0 000007fe`e83df365 chrome_7fee5cb0000!AutocompleteController::Start(class AutocompleteInput * input = 0x00000000`0020c170)+0x1d5 [c:\b\build\slave\win64-pgo\build\src\components\omnibox\browser\autocomplete_controller.cc @ 277]
0b 00000000`0020c060 000007fe`e7e799f4 chrome_7fee5cb0000!AutocompleteClassifier::Classify(class std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > * text = <Value unavailable error>, bool prefer_keyword = <Value unavailable error>, bool allow_exact_keyword_match = <Value unavailable error>, metrics::OmniboxEventProto_PageClassification page_classification = OmniboxEventProto_PageClassification_INVALID_SPEC (0n0), struct AutocompleteMatch * match = 0x00000000`0020c4b0, class GURL * alternate_nav_url = 0x00000000`00000000)+0xfd [c:\b\build\slave\win64-pgo\build\src\components\omnibox\browser\autocomplete_classifier.cc @ 65]
0c 00000000`0020c380 000007fe`e7e7874c chrome_7fee5cb0000!RenderViewContextMenu::AppendSearchProvider(void)+0x118 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\renderer_context_menu\render_view_context_menu.cc @ 1278]
0d 00000000`0020c770 000007fe`e7b93c6b chrome_7fee5cb0000!RenderViewContextMenu::InitMenu(void)+0x320 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\renderer_context_menu\render_view_context_menu.cc @ 786]
0e (Inline Function) --------`-------- chrome_7fee5cb0000!RenderViewContextMenuBase::Init+0x9 [c:\b\build\slave\win64-pgo\build\src\components\renderer_context_menu\render_view_context_menu_base.cc @ 178]
0f 00000000`0020c7a0 000007fe`e7b93d30 chrome_7fee5cb0000!ChromeWebContentsViewDelegateViews::BuildMenu(class content::WebContents * web_contents = <Value unavailable error>, struct content::ContextMenuParams * params = <Value unavailable error>)+0x4f [c:\b\build\slave\win64-pgo\build\src\chrome\browser\ui\views\tab_contents\chrome_web_contents_view_delegate_views.cc @ 130]
10 00000000`0020c7d0 000007fe`e61e9a38 chrome_7fee5cb0000!ChromeWebContentsViewDelegateViews::ShowContextMenu(class content::RenderFrameHost * render_frame_host = <Value unavailable error>, struct content::ContextMenuParams * params = 0x00000000`0020c860)+0x3c [c:\b\build\slave\win64-pgo\build\src\chrome\browser\ui\views\tab_contents\chrome_web_contents_view_delegate_views.cc @ 147]
11 00000000`0020c800 000007fe`e61e06d1 chrome_7fee5cb0000!content::WebContentsViewAura::ShowContextMenu(class content::RenderFrameHost * render_frame_host = 0x00000000`16161000, struct content::ContextMenuParams * params = 0x00000000`0020c860)+0x150 [c:\b\build\slave\win64-pgo\build\src\content\browser\web_contents\web_contents_view_aura.cc @ 876]
12 00000000`0020c840 000007fe`e5fdc32d chrome_7fee5cb0000!content::WebContentsImpl::ShowContextMenu(class content::RenderFrameHost * render_frame_host = 0x00000000`16161000, struct content::ContextMenuParams * params = <Value unavailable error>)+0x61 [c:\b\build\slave\win64-pgo\build\src\content\browser\web_contents\web_contents_impl.cc @ 4068]
13 00000000`0020cd50 000007fe`e5fe3a87 chrome_7fee5cb0000!content::RenderFrameHostImpl::OnContextMenu(struct content::ContextMenuParams * params = <Value unavailable error>)+0xe5 [c:\b\build\slave\win64-pgo\build\src\content\browser\frame_host\render_frame_host_impl.cc @ 1551]

browser DOS is not security issue, especially one that requires so much user interaction.

This will be triaged by the omnibox people

Updating description.  Please tell me if I'm misunderstanding this issue.

It sounds lot like bugs  277732  and 543675, just another surface in which the same underlying issue (omnibox logic behaves badly with large inputs) can be surfaced.

I think you understand the issue correctly.  I tried for an even clearer title.  This is extremely similar to  bug 277732 .  (Bug 543675 sounds different, instant crash versus slow main thread.)

I wonder if dyaroshev's work on  bug 643668  would help any here.  I wonder if thomasanderson@ would have any interested in finding any low-hanging perf fruit here :)

The stack from elware...'s comment suggests that the problem is in iterating over a map in HQP. This is where my fix would help.

However, I can't reproduce this issue as described to try it out. (Maybe because I'm on mac). The only thing that I can reproduce is:
1) select the whole text
2) choose Open URL from a context menu,
3) browser freezes.

It freezes because it tries to open many many tabs. This isn't what this bug is about, is it?
Drag and dropping and copying from context menu work as I would expect.

Deleted: Screen Shot 2016-09-13 at 13.07.12.png 69.5 KB

	Screen Shot 2016-09-13 at 13.07.12.png 69.5 KB View Download

For what it's worth, on Mac, if I select-all and try to open a context menu, I get a spinning beachball for about 7 seconds, then the context menu shows up.  Perhaps the slowdown depends on the user's history, and we don't have particularly problematic histories.

The issue is:

* Select the text
* Right-click the selection.  Showing the context menu itself should take a long time in the buggy case.

Don't actually try to "Open URL" or anything.

Is this eligible for bounty?

What bounty? I think Chromium only has a bounty for security issues and this doesn't seem to be one.

Chrome's bounty program is described here: https://www.google.com/about/appsecurity/chrome-rewards/

Performance and Denial-of-service bugs are out of scope: https://dev.chromium.org/Home/chromium-security/security-faq?pli=1#TOC-Are-denial-of-service-issues-considered-security-bugs-

any hall of fame or swag from chormium?

No.  

Ouch.

This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

manukh@,

Did your fix for  bug 277732  also fix this one?  Note that this is about the "Search for" or "Go to" options in the context menu (which depends on what you have highlighted).  Importantly, it doesn't matter what's in your clipboard.

(If the fix for  bug 277732  didn't fix this, perhaps you can also fix this too?  It should be similar in complexity.)

mpearson@
It appears fixed; I assume because the paste&go/search options in both context menus use the same helper function. I'll double check that's the case and, if so, mark this as `Fixed.`

mpearson@
The fix for  bug 277732  did not fix this bug. Regardless, this bug is fixed in master.

> Regardless, this bug is fixed in master.
manukh@,
Do you know fixed it?  I have a vague memory that was fixed on one platform (Mac maybe) but not others.  Which platform(s) did you test?

mpearson@,
tested on linux debian.

The code flows for the ominbox and web context menus don't seem to overlap; specifically, the function that checks whether the omnibox context menu contains the `paste and go` option (`OmniboxEditModel::CanPasteAndGo`) is not used for the web context menu (`RenderViewContextMenu::AppendSearchProvider`).