
Issue 653907

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug

Crash in search_engines/util.cc in Debug builds

Project Member Reported by anthonyvd@chromium.org, Oct 7 2016

Issue description

search_engines/util.cc crashes on line 205 in Debug Mode on Mac. This is the stack trace:

thread #1: tid = 0x243f0cc, 0x000000010941a90c libchrome_dll.dylib`TemplateURL::prepopulate_id(this=0x0000000000000000) const + 12 at template_url.h:594, name = 'CrBrowserMain', queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1f8)
  * frame #0: 0x000000010941a90c libchrome_dll.dylib`TemplateURL::prepopulate_id(this=0x0000000000000000) const + 12 at template_url.h:594
    frame #1: 0x000000010941bf61 libchrome_dll.dylib`MergeEnginesFromPrepopulateData(service=0x0000000143373b30, prepopulated_urls=0x00007fff5fbfab38 size=5, default_search_index=0, template_urls=0x000000014df82750 size=14, default_search_provider=0x0000000143851a00, removed_keyword_guids=0x0000000143376880 size=0) + 1889 at util.cc:204
    frame #2: 0x0000000109420a50 libchrome_dll.dylib`GetSearchProvidersUsingLoadedEngines(service=0x0000000143373b30, prefs=0x0000000100189b30, template_urls=0x000000014df82750 size=14, default_search_provider=0x0000000143851a00, search_terms_data=0x00000001433653f0, resource_keyword_version=0x00007fff5fbfbe9c, removed_keyword_guids=0x0000000143376880 size=0) + 608 at util.cc:350
    frame #3: 0x000000010941ff0e libchrome_dll.dylib`GetSearchProvidersUsingKeywordResult(result=0x000000014c0328a0, service=0x0000000143373b30, prefs=0x0000000100189b30, template_urls=0x000000014df82750 size=14, default_search_provider=0x0000000143851a00, search_terms_data=0x00000001433653f0, new_resource_keyword_version=0x00007fff5fbfbe9c, removed_keyword_guids=0x0000000143376880 size=0) + 2606 at util.cc:322
    frame #4: 0x00000001093dc3de libchrome_dll.dylib`TemplateURLService::OnWebDataServiceRequestDone(this=0x0000000143376710, h=7, result=0x000000014c0328a0) + 702 at template_url_service.cc:786
    frame #5: 0x000000012911961d libwebdata_common.dylib`WebDataRequestManager::RequestCompletedOnThread(this=0x0000000143373500, request=unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> > @ 0x00007fff5fbfc620) + 1677 at web_data_request_manager.cc:159
    frame #6: 0x000000012911d8aa libwebdata_common.dylib`void base::internal::FunctorTraits<void (WebDataRequestManager::*)(std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >), void>::Invoke<scoped_refptr<WebDataRequestManager> const&, std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> > >(method=90 8f 11 29 01 00 00 00 00 00 00 00 00 00 00 00, receiver_ptr=0x000000014c032910, args=0x00007fff5fbfc780)(std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >), scoped_refptr<WebDataRequestManager> const&&&, std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >&&) + 522 at bind_internal.h:214
    frame #7: 0x000000012911d5e6 libwebdata_common.dylib`void base::internal::InvokeHelper<false, void>::MakeItSo<void (functor=0x000000014c032900, args=0x000000014c032910, args=0x00007fff5fbfc780)(std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >), scoped_refptr<WebDataRequestManager> const&, std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> > >(void (WebDataRequestManager::* const&&&)(std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >), scoped_refptr<WebDataRequestManager> const&&&, std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >&&) + 86 at bind_internal.h:285
    frame #8: 0x000000012911d4b0 libwebdata_common.dylib`void base::internal::Invoker<base::internal::BindState<void (WebDataRequestManager::*)(std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >), scoped_refptr<WebDataRequestManager>, base::internal::PassedWrapper<std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> > > >, void ()>::RunImpl<void (functor=0x000000014c032900, bound=0x000000014c032910, (null)=IndexSequence<0, 1> @ 0x00007fff5fbfc6f8)(std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >), std::__1::tuple<scoped_refptr<WebDataRequestManager>, base::internal::PassedWrapper<std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> > > > const&, 0ul, 1ul>(void (WebDataRequestManager::* const&&&)(std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >), std::__1::tuple<scoped_refptr<WebDataRequestManager>, base::internal::PassedWrapper<std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> > > > const&&&, base::IndexSequence<0ul, 1ul>) + 160 at bind_internal.h:361
    frame #9: 0x000000012911d36c libwebdata_common.dylib`base::internal::Invoker<base::internal::BindState<void (WebDataRequestManager::*)(std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> >), scoped_refptr<WebDataRequestManager>, base::internal::PassedWrapper<std::__1::unique_ptr<WebDataRequest, std::__1::default_delete<WebDataRequest> > > >, void ()>::Run(base=0x000000014c0328e0) + 44 at bind_internal.h:339
    frame #10: 0x000000011692cb4b libbase.dylib`base::internal::RunMixin<base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> >::Run(this=0x00007fff5fbfcd28) const + 59 at callback.h:64
    frame #11: 0x00000001169701a1 libbase.dylib`base::debug::TaskAnnotator::RunTask(this=0x0000000100115c10, queue_function="MessageLoop::PostTask", pending_task=0x00007fff5fbfcd10) + 673 at task_annotator.cc:54
    frame #12: 0x0000000116a57320 libbase.dylib`base::MessageLoop::RunTask(this=0x0000000100115ae0, pending_task=0x00007fff5fbfcd10) + 864 at message_loop.cc:405
    frame #13: 0x0000000116a578b4 libbase.dylib`base::MessageLoop::DeferOrRunPendingTask(this=0x0000000100115ae0, pending_task=PendingTask @ 0x00007fff5fbfcd10) + 68 at message_loop.cc:414
    frame #14: 0x0000000116a5832d libbase.dylib`base::MessageLoop::DoWork(this=0x0000000100115ae0) + 669 at message_loop.cc:513
    frame #15: 0x0000000116a693c8 libbase.dylib`base::MessagePumpCFRunLoopBase::RunWork(this=0x0000000100132d80) + 104 at message_pump_mac.mm:330
    frame #16: 0x0000000116a6934c libbase.dylib`___ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv_block_invoke(.block_descriptor=<unavailable>) + 28 at message_pump_mac.mm:307
    frame #17: 0x0000000116a092ba libbase.dylib`base::mac::CallWithEHFrame(void () block_pointer) + 10 at call_with_eh_frame_asm.S:36
    frame #18: 0x0000000116a688c5 libbase.dylib`base::MessagePumpCFRunLoopBase::RunWorkSource(info=0x0000000100132d80) + 101 at message_pump_mac.mm:306
    frame #19: 0x00007fff8fb97881 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #20: 0x00007fff8fb76fbc CoreFoundation`__CFRunLoopDoSources0 + 556
    frame #21: 0x00007fff8fb764df CoreFoundation`__CFRunLoopRun + 927
    frame #22: 0x00007fff8fb75ed8 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #23: 0x00007fff83ee9935 HIToolbox`RunCurrentEventLoopInMode + 235
    frame #24: 0x00007fff83ee976f HIToolbox`ReceiveNextEventCommon + 432
    frame #25: 0x00007fff83ee95af HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #26: 0x00007fff89390df6 AppKit`_DPSNextEvent + 1067
    frame #27: 0x00007fff89390226 AppKit`-[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
    frame #28: 0x00007fff89384d80 AppKit`-[NSApplication run] + 682
    frame #29: 0x0000000116a6a138 libbase.dylib`base::MessagePumpNSApplication::DoRun(this=0x0000000100132d80, delegate=0x0000000100115ae0) + 312 at message_pump_mac.mm:665
    frame #30: 0x0000000116a690aa libbase.dylib`base::MessagePumpCFRunLoopBase::Run(this=0x0000000100132d80, delegate=0x0000000100115ae0) + 122 at message_pump_mac.mm:238
    frame #31: 0x0000000116a56de1 libbase.dylib`base::MessageLoop::RunHandler(this=0x0000000100115ae0) + 289 at message_loop.cc:370
    frame #32: 0x0000000116b21575 libbase.dylib`base::RunLoop::Run(this=0x00007fff5fbfeaa8) + 85 at run_loop.cc:35
    frame #33: 0x0000000103ea6af0 libchrome_dll.dylib`ChromeBrowserMainParts::MainMessageLoopRun(this=0x0000000100715220, result_code=0x0000000100715098) + 400 at chrome_browser_main.cc:2115
    frame #34: 0x000000011cd038f1 libcontent.dylib`content::BrowserMainLoop::RunMainMessageLoopParts(this=0x0000000100715080) + 417 at browser_main_loop.cc:982
    frame #35: 0x000000011cd0dd81 libcontent.dylib`content::BrowserMainRunnerImpl::Run(this=0x0000000100704a00) + 481 at browser_main_runner.cc:155
    frame #36: 0x000000011ccf7885 libcontent.dylib`content::BrowserMain(parameters=0x00007fff5fbff580) + 421 at browser_main.cc:46
    frame #37: 0x000000011ee60947 libcontent.dylib`content::RunNamedProcessTypeMain(process_type="", main_function_params=0x00007fff5fbff580, delegate=0x00007fff5fbffa10) + 599 at content_main_runner.cc:417
    frame #38: 0x000000011ee62836 libcontent.dylib`content::ContentMainRunnerImpl::Run(this=0x000000013c002ae0) + 1462 at content_main_runner.cc:785
    frame #39: 0x000000011ee601ad libcontent.dylib`content::ContentMain(params=0x00007fff5fbff9f0) + 349 at content_main.cc:20
    frame #40: 0x0000000102806879 libchrome_dll.dylib`::ChromeMain(argc=1, argv=0x00007fff5fbffb68) + 105 at chrome_main.cc:97
    frame #41: 0x0000000100000d6c Chromium`main(argc=1, argv=0x00007fff5fbffb68) + 780 at chrome_exe_main_mac.c:85
    frame #42: 0x0000000100000a54 Chromium`start + 52

It looks like the DCHECK is dereferencing the j variable (a unique_ptr) and calling one of its member functions after it was std::move'd.

I can repro this by signing in to a profile with a Google account that is already signed in to another profile. With the Material Design User Menu flag enabled, this brings up a dialog with a "Switch to {other profile}" button. Clicking that button opens the other profile then promptly crashes Chrome.

Assigning to avi@ because the std::move was added in r416291.
 
Cc: anthonyvd@chromium.org

Comment 2 by a...@chromium.org, Oct 7 2016

Status: Started (was: Assigned)
That's clearly wrong. Ouch. Fixing.

Project Member Comment 3 by bugdroid1@chromium.org, Oct 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b350dc8a066204011fe8a6068f9ac6a73e932e6e

commit b350dc8a066204011fe8a6068f9ac6a73e932e6e
Author: avi <avi@chromium.org>
Date: Tue Oct 11 01:48:11 2016

Don't access owning pointers after they've relinquished ownership.

BUG=653907
TEST=as in bug

Review-Url: https://codereview.chromium.org/2404593002
Cr-Commit-Position: refs/heads/master@{#424337}

[modify] https://crrev.com/b350dc8a066204011fe8a6068f9ac6a73e932e6e/components/search_engines/util.cc
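The bug described in the report and the fix named in the commit title are the general C++ use-after-move pattern: a loop moves a `std::unique_ptr` into a container and then touches the moved-from pointer, which is guaranteed to hold nullptr afterwards. The following is an added illustration, not Chromium's code; `TemplateURLLike`, `MergeBuggyShape`, `MergeFixed` and `MakeList` are hypothetical names, the keywords and ids are constructed test data, and `assert` stands in for `DCHECK`.

```cpp
#include <cassert>
#include <initializer_list>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for Chromium's TemplateURL with only the two fields
// this example needs. Not the real class.
struct TemplateURLLike {
  std::string keyword;
  int prepopulate_id;
};

using TemplateURLVector = std::vector<std::unique_ptr<TemplateURLLike>>;

// Builds an owning list from (keyword, prepopulate_id) pairs; constructed
// sample input only.
static TemplateURLVector MakeList(
    std::initializer_list<std::pair<const char*, int>> items) {
  TemplateURLVector v;
  for (const auto& it : items)
    v.push_back(std::unique_ptr<TemplateURLLike>(
        new TemplateURLLike{it.first, it.second}));
  return v;
}

static bool HasKeyword(const TemplateURLVector& urls, const std::string& kw) {
  for (const auto& u : urls)
    if (u->keyword == kw) return true;
  return false;
}

// Shape of the bug. Each prepopulated engine not already present is moved
// into |urls|, and the loop then touches the moved-from unique_ptr. After
// std::move the unique_ptr holds nullptr, so a check such as
//   DCHECK_NE(p->prepopulate_id, 0);
// at that point reads a member through a null |this|, consistent with the
// this=0x0 / EXC_BAD_ACCESS in frame #0 of the report. To stay runnable this
// version only counts how many iterations observed a null moved-from pointer
// instead of dereferencing it.
int MergeBuggyShape(TemplateURLVector prepopulated, TemplateURLVector* urls) {
  int nulls_seen = 0;
  for (auto& p : prepopulated) {
    if (HasKeyword(*urls, p->keyword)) continue;
    urls->push_back(std::move(p));
    if (!p) ++nulls_seen;  // |p| has relinquished ownership: always null here
  }
  return nulls_seen;
}

// Fixed shape, matching the commit title: read what you need from the owning
// pointer before it relinquishes ownership and afterwards use only the cached
// raw pointer, which stays valid because |urls| now owns the object.
// Returns the prepopulate_ids merged, in order.
std::vector<int> MergeFixed(TemplateURLVector prepopulated,
                            TemplateURLVector* urls) {
  std::vector<int> merged_ids;
  for (auto& p : prepopulated) {
    if (HasKeyword(*urls, p->keyword)) continue;
    TemplateURLLike* raw = p.get();   // cache before the move
    urls->push_back(std::move(p));     // ownership transferred; |raw| still valid
    assert(raw->prepopulate_id != 0);  // the DCHECK, now through |raw| not |p|
    merged_ids.push_back(raw->prepopulate_id);
  }
  return merged_ids;
}

int main() {
  TemplateURLVector urls = MakeList({{"google.com", 1}});
  int nulls = MergeBuggyShape(
      MakeList({{"google.com", 1}, {"bing.com", 3}, {"yahoo.com", 2}}), &urls);
  assert(nulls == 2);  // both newly merged engines left a null moved-from pointer

  urls = MakeList({{"google.com", 1}});
  std::vector<int> ids = MergeFixed(
      MakeList({{"google.com", 1}, {"bing.com", 3}, {"yahoo.com", 2}}), &urls);
  assert(ids.size() == 2 && ids[0] == 3 && ids[1] == 2 && urls.size() == 3);
  return 0;
}
```

The crash only surfaces in Debug builds because the offending access lives in a DCHECK that is compiled out of Release; the moved-from state is still there in Release, it just goes unobserved. Compilers do not warn about this pattern by default, so a static check such as clang-tidy's `bugprone-use-after-move` is the practical way to catch it before it reaches a tester.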

Comment 4 by a...@chromium.org, Oct 11 2016

Status: Fixed (was: Started)