
Issue 650882

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 1
Type: Bug

Blocking:
issue 669773


Participants' hotlists:
MacViews-Task-Queue



Crash in ExclusiveAccessBubbleViews::AnimationProgressed(gfx::Animation const*) attempting to Show() the fullscreen bubble

Project Member Reported by tapted@chromium.org, Sep 27 2016

Issue description

Chrome Version       : 51.0.2704.106
OS Version: OS X 10.10

There's only one crash report: http://go/crash/d2043a8900000000

Possibly an indication of a lifetime problem with the animation timer and the widget or parent window.

Thread 0 CRASHED [EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x00007fff7ce26200 ] MAGIC SIGNATURE THREAD

-[NSWindow _doOrderWindow:relativeTo:findKey:forCounter:force:isModal:]
-[NSWindow orderWindow:relativeTo:]
-[NativeWidgetMacNSWindow orderWindow:relativeTo:]
views::BridgedNativeWidget::SetVisibilityState(views::BridgedNativeWidget::WindowVisibilityState)
views::NativeWidgetMac::ShowWithWindowState(ui::WindowShowState)
views::Widget::Show()
ExclusiveAccessBubbleViews::AnimationProgressed(gfx::Animation const*)
gfx::LinearAnimation::Step(base::TimeTicks)
gfx::AnimationContainer::Run()
base::Timer::RunScheduledTask()
base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
base::MessageLoop::RunTask(base::PendingTask const&)


 

Comment 1 by tapted@chromium.org, Sep 27 2016

Ooh - actually another with a slightly different stack - 52.0.2743.116

http://go/crash/d55e853500000000

objc_msgSend
-[CALayer(CALayerPrivate) implicitAnimationForKeyPath:]
#ERROR!
-[CALayer actionForKey:]
actionForKey(CALayer*, CA::Transaction*, NSString*)
CA::Layer::begin_change(CA::Transaction*, unsigned int, objc_object*&)
-[CALayer setValue:forUndefinedKey:]
-[NSObject(NSKeyValueCoding) setValue:forKey:]
CAObject_setValueForKey
-[NSView(NSInternal) _pauseLayerTreeRenderer]
__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__
_CFXNotificationPost
-[NSNotificationCenter postNotificationName:object:userInfo:]
-[NSWindow _reallyDoOrderWindow:relativeTo:findKey:forCounter:force:isModal:]
-[NSWindow _doOrderWindow:relativeTo:findKey:forCounter:force:isModal:]
-[NSWindow orderWindow:relativeTo:]
-[NativeWidgetMacNSWindow orderWindow:relativeTo:]
gfx::LinearAnimation::Step(base::TimeTicks)
gfx::AnimationContainer::Run()
base::Timer::RunScheduledTask()
base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)

Comment 3 by tapted@chromium.org, Nov 30 2016

Blocking: 669773

Comment 4 by tapted@chromium.org, Dec 22 2016

Labels: -Pri-3 M-57 OS-Windows Pri-1
Owner: tapted@chromium.org
Status: Assigned (was: Available)
Found another bucket checking views::Widget::CanActivate which was being assigned to the wrong bug (Issue 646634)

Link (mac): https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Mac%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27views%3A%3AWidget%3A%3ACanActivate%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000

1115 crashes on Mac, which is quite high. 562 crashes on Windows. 266 crashes on ChromeOS, but they dry up in m54 -- they probably were actually Issue 646634.

stack is

Thread 0 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000000 ] MAGIC SIGNATURE THREAD
0x00000001078e36db	(Google Chrome Framework -widget.cc:1017 )	views::Widget::CanActivate() const
0x00000001078e2f16	(Google Chrome Framework -widget.cc:620 )	views::Widget::Show()
0x00000001085032d1	(Google Chrome Framework -new_back_shortcut_bubble.cc:102 )	NewBackShortcutBubble::AnimationProgressed(gfx::Animation const*)
0x000000010658ea0c	(Google Chrome Framework -linear_animation.cc:81 )	gfx::LinearAnimation::Step(base::TimeTicks)
0x000000010658e504	(Google Chrome Framework -animation_container.cc:75 )	gfx::AnimationContainer::Run()
0x000000010609fc55	(Google Chrome Framework -callback.h:64 )	base::Timer::RunScheduledTask()


Windows: https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27views%3A%3AWidget%3A%3ACanActivate%27%20AND%20product.name%3D%27Chrome%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000

(e.g. http://go/crash/c8a959e300000000 is for this same stack on Windows)

Labels: -M-57 MacViews-Dialogs
We want to fix this before we ship MacViews dialogs.

Comment 6 by scheib@chromium.org, Apr 14 2017

Cc: -scheib@chromium.org

Comment 7 by sheriffbot@chromium.org, Apr 29 2017

Labels: FoundIn-M-59 Fracas
Users experienced this crash on the following builds:

Mac Beta 59.0.3071.29 -  0.19 CPM, 1 reports, 1 clients (signature views::Widget::CanActivate)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Status: Started (was: Assigned)
I think I've gotten to the bottom of this

-> https://codereview.chromium.org/2850403002/

It only fixes the fullscreen bubble.
Also attaching some stacks from https://codereview.chromium.org/2850403002/#ps1 before the logs get deleted. There I added a CHECK() inside ExclusiveAccessBubbleViews::OnWidgetDestroyed(). This should "never" happen because ~ExclusiveAccessBubbleViews() is what normally closes the Widget and it only does that after removing itself as an observer.

Turns out there are other ways... Likely these are happening in the wild during an OS Logoff/shutdown that goes around closing all windows.


[7076:6632:0502/013140.132:FATAL:exclusive_access_bubble_views.cc(291)] Check failed: false.
Backtrace:
	base::debug::StackTrace::StackTrace [0x027ECD67+55]
	base::debug::StackTrace::StackTrace [0x027B371A+10]
	ExclusiveAccessBubbleViews::OnWidgetDestroyed [0x055630E2+50]
	views::Widget::OnNativeWidgetDestroyed [0x02E642EF+47]
	views::NativeWidgetAura::OnWindowDestroyed [0x02E7696F+15]
	aura::Window::`scalar deleting destructor' [0x035FFF2B+11]
	wm::TransientWindowManager::OnWindowDestroying [0x037F9FB3+99]
	aura::Window::~Window [0x035FFD34+142]
	aura::Window::`scalar deleting destructor' [0x035FFF2B+11]
	aura::Window::RemoveOrDestroyChildren [0x0360144F+47]
	aura::Window::~Window [0x035FFDB6+272]
	aura::Window::`scalar deleting destructor' [0x035FFF2B+11]
	aura::WindowTreeHost::DestroyDispatcher [0x03602207+17]
	views::DesktopNativeWidgetAura::OnHostClosed [0x02E9E0BF+335]
	gfx::WindowImpl::WndProc [0x03140281+155]
	base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc> [0x0313FBD5+37]
	gapfnScSendMessage [0x754B62FA+818]
	GetDC [0x754B7316+82]
	GetThreadDesktop [0x754B6DE8+389]
	FindWindowW [0x754B9A21+292]
	KiUserCallbackDispatcher [0x7784010A+46]
	base::internal::Invoker<base::internal::BindState<void (__thiscall policy::UserPolicySigninServiceBase::*)(void),base::WeakPtr<policy::UserPolicySigninServiceBase> >,void __cdecl(void)>::RunOnce [0x04C8F483+19]
	base::debug::TaskAnnotator::RunTask [0x027F05B9+409]
	base::MessageLoop::RunTask [0x027761D1+1233]
	base::MessageLoop::DoWork [0x02775235+741]
	base::MessagePumpForUI::DoRunLoop [0x027F187D+93]
	base::MessagePumpWin::Run [0x027F200A+74]
	base::MessageLoop::RunHandler [0x02775CF7+247]
	base::RunLoop::Run [0x027725D4+132]
	content::RunThisRunLoop [0x028CDFDA+27]
	content::RunMessageLoop [0x028CDFB2+23]
	InProcessBrowserTest::QuitBrowsers [0x02820227+136]
	InProcessBrowserTest::PostRunTestOnMainThread [0x0281FFCA+330]

[7365:7365:0502/005737.542877:FATAL:exclusive_access_bubble_views.cc(291)] Check failed: false.
#0 0x000002e7b157 base::debug::StackTrace::StackTrace()
#1 0x000002e93a9d logging::LogMessage::~LogMessage()
#2 0x0000057fd221 ExclusiveAccessBubbleViews::OnWidgetDestroyed()
#3 0x000003e54224 views::Widget::OnNativeWidgetDestroyed()
#4 0x000003e5f78c views::NativeWidgetAura::OnWindowDestroyed()
#5 0x0000049d7cb1 aura::Window::~Window()
#6 0x0000049d82e9 aura::Window::~Window()
#7 0x000004d7b3ee wm::TransientWindowManager::OnWindowDestroying()
#8 0x0000049d7b44 aura::Window::~Window()
#9 0x0000049d82e9 aura::Window::~Window()
#10 0x0000049d7fdf aura::Window::RemoveOrDestroyChildren()
#11 0x0000049d7c0c aura::Window::~Window()
#12 0x0000049d82e9 aura::Window::~Window()
#13 0x0000049e0f23 aura::WindowTreeHost::DestroyDispatcher()
#14 0x000003e61c22 views::DesktopWindowTreeHostX11::~DesktopWindowTreeHostX11()
#15 0x00000587e733 BrowserDesktopWindowTreeHostX11::~BrowserDesktopWindowTreeHostX11()
#16 0x000003e9d003 views::DesktopNativeWidgetAura::OnHostClosed()
#17 0x000003e63a6b views::DesktopWindowTreeHostX11::CloseNow()
#18 0x000000749f87 _ZN4base8internal7InvokerINS0_9BindStateIMN12_GLOBAL__N_116SimpleHttpServer10ConnectionEFvvEJNS_7WeakPtrIS5_EEEEEFvvEE7RunOnceEPNS0_13BindStateBaseE
#19 0x0000006ab461 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE1ELNS2_10RepeatModeE1EE3RunEv
#20 0x000002f2ba83 base::debug::TaskAnnotator::RunTask()
#21 0x000002e9aa5d base::MessageLoop::RunTask()
#22 0x000002e9ad08 base::MessageLoop::DeferOrRunPendingTask()
#23 0x000002e9b1a6 base::MessageLoop::DoWork()
#24 0x000002e9d009 base::MessagePumpGlib::Run()
#25 0x000002e9a7be base::MessageLoop::RunHandler()
#26 0x000002ec47dc base::RunLoop::Run()
#27 0x00000359fe9c content::RunMessageLoop()
#28 0x000002f594e3 InProcessBrowserTest::QuitBrowsers()

Comment 10 by bugdroid1@chromium.org, May 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d62f8027170674b8d057dce514673fe23b5d2a29

commit d62f8027170674b8d057dce514673fe23b5d2a29
Author: tapted <tapted@chromium.org>
Date: Mon May 08 08:33:36 2017

Fix crash under ExclusiveAccessBubbleViews::AnimationProgressed().

The crash stacks suggest that |Widget::widget_delegate_| has been set to
null. That only happens in Widget::OnNativeWidgetDestroyed(), but that
should only be triggered by a `delete popup_;` fired asynchronously from
the ExclusiveAccessBubbleViews destructor. And when that same destructor
completes, it should also be resetting the |animation_| member, which
stops and cancels any animation timers.

What appears to be happening is that the bubble is being closed before
the ExclusiveAccessBubbleViews destructor is invoked. Observing
OnWidgetDestroyed() revealed some shutdown codepaths where this is
possible in existing tests.

Likely these crashes happen in the wild because of a system logoff while
the bubble is showing that causes some uncommon shutdown codepaths, or
window close events directly from the OS, which can't be ignored.

To fix, observe OnWidgetDestroyed() and ask the owner of
ExclusiveAccessBubbleViews to delete it. This will cancel any animation
timers and ensure nothing references the null widget_delegate_.

BUG= 650882 

Review-Url: https://codereview.chromium.org/2850403002
Cr-Commit-Position: refs/heads/master@{#469922}

[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/cocoa/browser/exclusive_access_controller_views.h
[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/cocoa/browser/exclusive_access_controller_views.mm
[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/exclusive_access/fullscreen_controller_test.cc
[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/exclusive_access/fullscreen_controller_test.h
[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/views/exclusive_access_bubble_views.cc
[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/views/exclusive_access_bubble_views.h
[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/views/exclusive_access_bubble_views_context.h
[add] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/views/exclusive_access_bubble_views_interactive_uitest.cc
[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/views/frame/browser_view.cc
[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/browser/ui/views/frame/browser_view.h
[modify] https://crrev.com/d62f8027170674b8d057dce514673fe23b5d2a29/chrome/test/BUILD.gn
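
The lifetime problem and fix described in the commit message above, reduced to a self-contained model. This is an added example, not Chromium code: `Widget`, `Bubble`, `Host`, `AnimationTimer` and `ShowsAfterDestroy` are constructed stand-ins, and a counter takes the place of the crash.

```cpp
#include <functional>
#include <memory>

// Constructed stand-ins for the roles in the commit message; not Chromium code.
struct WidgetObserver {
  virtual ~WidgetObserver() = default;
  virtual void OnWidgetDestroyed() = 0;
};
using AnimationTimer = std::function<void()>;  // empty once cancelled
struct Widget {
  WidgetObserver* observer = nullptr;
  bool destroyed = false;
  int shows_after_destroy = 0;  // each one would be a crash in real code
  void Show() { if (destroyed) ++shows_after_destroy; }
  // A close driven by the OS (logoff, shutdown), not by the bubble's owner.
  void CloseFromOS() {
    destroyed = true;
    if (observer) observer->OnWidgetDestroyed();
  }
};

struct Host;  // owner of the bubble, defined below
struct Bubble : WidgetObserver {
  Bubble(Host* o, Widget* w, AnimationTimer* t, bool with_fix)
      : owner(o), widget(w), timer(t) {
    if (with_fix) widget->observer = this;
    *timer = [this] { widget->Show(); };  // AnimationProgressed()
  }
  ~Bubble() override {
    *timer = nullptr;  // destroying the bubble cancels the animation timer
    if (widget->observer == this) widget->observer = nullptr;
  }
  void OnWidgetDestroyed() override;
  Host* owner;
  Widget* widget;
  AnimationTimer* timer;
};
struct Host {
  Widget widget;
  AnimationTimer timer;
  std::unique_ptr<Bubble> bubble;
};
// The fix: the widget went away first, so have the owner delete the bubble.
void Bubble::OnWidgetDestroyed() { owner->bubble.reset(); }

// Returns how many animation ticks reached a destroyed widget.
int ShowsAfterDestroy(bool with_fix) {
  Host host;
  host.bubble = std::make_unique<Bubble>(&host, &host.widget, &host.timer, with_fix);
  if (host.timer) host.timer();  // normal tick, widget alive
  host.widget.CloseFromOS();     // widget dies before ~Bubble runs
  if (host.timer) host.timer();  // stale tick unless the bubble is gone
  return host.widget.shows_after_destroy;
}
```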

Labels: M-64
macviews triage: this bug is still live as of now - we should probably fix it before we ship Harmony on Mac, but it's relatively rare.

tapted: do you want to keep owning this? or should it become Available?

Comment 14 by sheriffbot@chromium.org, Oct 27 2017

Labels: FoundIn-M-63
Users experienced this crash on the following builds:

Mac Beta 63.0.3239.18 -  0.29 CPM, 1 reports, 1 clients (signature views::Widget::CanActivate)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Cc: ojan@chromium.org
Hi Ojan,

The NewBackShortcutBubble was supposed to be temporary, but it never got deleted (I think we decided there was no harm leaving it in as it's educational). It is causing crashes so... could we delete it now? If not, we have to do some more problem solving and probably refactoring.
Cc: pkasting@chromium.org
Peter, I heard you're back! Same question as #15.

Comment 17 by ojan@chromium.org, Dec 20 2017

I don't have any concerns with deleting it. 
Cc: tapted@chromium.org ellyjo...@chromium.org
Owner: lgrey@chromium.org
Load balancing!

lgrey@, can you remove NewBackShortcutBubble per #15 and #17?

Comment 19 by lgrey@google.com, Jan 11 2018

Should this extend to IDC_BACKSPACE_BACK?
That is an interesting question - ojan@ or pkasting@, what do you think?

Comment 21 by ojan@chromium.org, Jan 11 2018

Removing all callers of MaybeShowNewBackShortcutBubble makes sense to me.
lgrey: Yeah - I think we can remove the command entirely, and any key mappings for it. Its current purpose is only to show this bubble.

I guess that means we should get rid of IDC_BACKSPACE_FORWARD (Shift+Backspace) as well.
Thanks, this would be really helpful. It's been on my plate but I've been busy.

+1 to getting rid of all of the relevant infrastructure.

Comment 24 by bugdroid1@chromium.org, Jan 17 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6b80b5778fce9547d7886ba5088dfb4fa1247ad7

commit 6b80b5778fce9547d7886ba5088dfb4fa1247ad7
Author: Leonard Grey <lgrey@chromium.org>
Date: Wed Jan 17 15:57:46 2018

Remove NewBackShortcutBubble and remaining backspace shortcut plumbing

This was a temporary feature to educate users about the backspace to go
back shortcut being removed. Per the linked bug, it's causing crashes,
so this change removes it and any remaining plumbing from the original
shortcut.

Bug:  650882 
Change-Id: I59fea032470cdc2e94f977ee8a05525f54679e15
Reviewed-on: https://chromium-review.googlesource.com/864744
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Matt Giuca <mgiuca@chromium.org>
Commit-Queue: Leonard Grey <lgrey@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529754}
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/app/chrome_command_ids.h
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/app_mode/app_mode_utils.cc
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/global_keyboard_shortcuts_cocoa_mac.mm
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/BUILD.gn
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/browser_command_controller.cc
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/browser_view_prefs.cc
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/browser_window.h
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/cocoa/browser/exclusive_access_controller_views.h
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/cocoa/browser/exclusive_access_controller_views.mm
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/cocoa/browser_window_cocoa.h
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/cocoa/browser_window_cocoa.mm
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/views/accelerator_table.cc
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/views/frame/browser_view.cc
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/browser/ui/views/frame/browser_view.h
[delete] https://crrev.com/36df3a6bd78fdb1297ad662587997b5d6bed3c9d/chrome/browser/ui/views/new_back_shortcut_bubble.cc
[delete] https://crrev.com/36df3a6bd78fdb1297ad662587997b5d6bed3c9d/chrome/browser/ui/views/new_back_shortcut_bubble.h
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/common/pref_names.cc
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/common/pref_names.h
[modify] https://crrev.com/6b80b5778fce9547d7886ba5088dfb4fa1247ad7/chrome/test/base/test_browser_window.h

Comment 25 by lgrey@chromium.org, Jan 19 2018

Status: Fixed (was: Started)
