
Issue 654690

Starred by 3 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug


FATAL:navigation_controller_impl.cc(815)] Check failed: pending_entry_index_ == -1 || pending_entry_->site_instance() || pending_entry_->restore_type() != RestoreType::NONE.

Project Member Reported by ukai@chromium.org, Oct 11 2016

Issue description

Version: 56.0.2887.0 (Developer Build) (64-bit) with dcheck_always_on=1
OS: Linux

What steps will reproduce the problem?
(1) restart chromium, and restore tabs
(2) go back on restored tab?
(3)

What is the expected output?
What do you see instead?

[11938:11938:1011/171135:FATAL:navigation_controller_impl.cc(815)] Check failed: pending_entry_index_ == -1 || pending_entry_->site_instance() || pending_entry_->restore_type() != RestoreType::NONE.

(gdb) bt
#0  0x00007fffee7d8c37 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fffee7dc028 in __GI_abort () at abort.c:89
#2  0x00007ffff7a6ac72 in base::debug::BreakDebugger() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#3  0x00007ffff7a93afa in logging::LogMessage::~LogMessage() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#4  0x00007ffff56a2b1b in content::NavigationControllerImpl::RendererDidNavigate(content::RenderFrameHostImpl*, FrameHostMsg_DidCommitProvisionalLoad_Params const&, content::LoadCommittedDetails*, bool) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#5  0x00007ffff56b29a0 in content::NavigatorImpl::DidNavigate(content::RenderFrameHostImpl*, FrameHostMsg_DidCommitProvisionalLoad_Params const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#6  0x00007ffff56b9853 in content::RenderFrameHostImpl::OnDidCommitProvisionalLoad(IPC::Message const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#7  0x00007ffff56b7985 in content::RenderFrameHostImpl::OnMessageReceived(IPC::Message const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#8  0x00007ffff5877e26 in content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#9  0x00007ffff4948f35 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libipc.so
#10 0x00007ffff7a72104 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#11 0x00007ffff7a9ecfb in base::MessageLoop::RunTask(base::PendingTask const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#12 0x00007ffff7a9f078 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#13 0x00007ffff7a9f49b in base::MessageLoop::DoWork() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#14 0x00007ffff7aa1079 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#15 0x00007ffff7a9e9e4 in base::MessageLoop::RunHandler() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#16 0x00007ffff7acbf30 in base::RunLoop::Run() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libbase.so
#17 0x000055555603f4fa in ChromeBrowserMainParts::MainMessageLoopRun(int*) ()
#18 0x00007ffff55b7869 in content::BrowserMainLoop::RunMainMessageLoopParts() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#19 0x00007ffff55babff in content::BrowserMainRunnerImpl::Run() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#20 0x00007ffff55b32be in content::BrowserMain(content::MainFunctionParams const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#21 0x00007ffff5cc9c4e in content::RunNamedProcessTypeMain(std::string const&, content::MainFunctionParams const&, content::ContentMainDelegate*) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#22 0x00007ffff5cca6ab in content::ContentMainRunnerImpl::Run() ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#23 0x00007ffff5cc8f40 in content::ContentMain(content::ContentMainParams const&) ()
   from /usr/local/google/home/ukai/src/chromium-git/src/out.0/Release/./libcontent.so
#24 0x0000555555a3948d in ChromeMain ()
#25 0x00007fffee7c3f45 in __libc_start_main (main=0x555555a39440 <main>,
    argc=2, argv=0x7fffffffdb68, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffdb58) at libc-start.c:287
#26 0x0000555555a39369 in _start ()


https://chromium.googlesource.com/chromium/src/+/0df1d3a01bed974dfa51c3375781f155aed7feea
 
Owner: creis@chromium.org
Status: Assigned (was: Untriaged)
The check was introduced by https://codereview.chromium.org/1268453003, but the author is no longer working on Chrome.

Charlie, can you own this?

Comment 2 by creis@chromium.org, Oct 11 2016

Cc: nasko@chromium.org
Thanks.  I just hit this on Friday actually, and I have more specific repro steps.  Note that this is a DCHECK, so it doesn't affect users, but we should still get it fixed.

Repro steps:

0) Start a debug build of Chrome (or run with DCHECKs enabled).
1) Visit http://csreis.github.io/tests/cross-site-iframe-nested.html
2) Click "Go cross-site."
3) Navigate innermost frame using "Go same-site" button.
4) Quit and restart (restoring tabs).
5) Go back in innermost frame to default URL.
6) Navigate the main frame to http://csreis.github.io.
7) Go back.

When we go back in step 5, it's to a NavEntry with no SiteInstance, but it's still marked as being restored.  The commit is AUTO_SUBFRAME, so we set the SiteInstance on the subframe FrameNavigationEntry, but we don't touch the main frame's FNE.  This means the main frame's SiteInstance is still missing from the FNE.

When we go away and come back in step 7, the restore type has been cleared, but we still don't have a SiteInstance on the FNE.  As a result, we fail the DCHECK.

The intent of the DCHECK is to make sure that we keep track of the SiteInstance of a NavigationEntry once we've visited it, to avoid privilege escalation by granting bindings to something that didn't have it before.  I think the best way to fix this is to mark the SiteInstances of all FNEs after each commit (if they're missing).

I won't have time to get to it this week, but hopefully next week.

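To make the failure mode in comment 2 concrete, here is a small C++ model of the invariant behind the check and of the proposed fix. This is an added example, not Chromium code: the names NavigationEntry, FrameNavigationEntry, SiteInstance and RestoreType mirror Chromium's, but the types, the Controller, the live_frames map and the fill_all_frames_on_commit switch are hypothetical stand-ins, and the frame tree, URLs and sites in RunRepro are constructed. It replays steps 4 to 7 of the repro: without the fix the main frame's FNE still has no SiteInstance when the entry is re-committed after its restore type was cleared, so the check fails; with missing FNE SiteInstances filled in on every commit, it passes.

```cpp
// Added example: simplified model of the SiteInstance invariant and the
// proposed fix. Hypothetical stand-in types, not Chromium's own.
#include <map>
#include <memory>
#include <string>
#include <vector>

enum class RestoreType { NONE, LAST_SESSION };

// Stand-in for content::SiteInstance: identified only by its site.
struct SiteInstance {
  std::string site;
};

// Stand-in for FrameNavigationEntry. Entries created by session restore have
// no SiteInstance yet; one is recorded when the frame commits.
struct FrameNavigationEntry {
  std::string url;
  std::shared_ptr<SiteInstance> site_instance;
};

struct NavigationEntry {
  RestoreType restore_type = RestoreType::NONE;
  std::map<std::string, FrameNavigationEntry> frames;  // frame name -> FNE
};

// The condition from the failing check: an existing entry being re-committed
// (pending_entry_index != -1) must already carry a SiteInstance on its main
// frame, or still be marked as restored. Otherwise the browser cannot tell
// whether granting this entry's bindings would be a privilege escalation.
bool PassesSiteInstanceCheck(int pending_entry_index,
                             const NavigationEntry& entry) {
  return pending_entry_index == -1 ||
         entry.frames.at("main").site_instance != nullptr ||
         entry.restore_type != RestoreType::NONE;
}

struct Controller {
  std::vector<NavigationEntry> entries;
  // SiteInstances of the live frames (stand-in for the RenderFrameHosts).
  std::map<std::string, std::shared_ptr<SiteInstance>> live_frames;
  bool fill_all_frames_on_commit = false;  // true = proposed fix

  // Simulates a history navigation that re-commits entry |index| in |frame|.
  // Returns false where the real code would hit the DCHECK.
  bool Commit(int index, const std::string& frame) {
    NavigationEntry& entry = entries[index];
    if (!PassesSiteInstanceCheck(index, entry)) return false;
    // Current behaviour: only the committing frame's FNE learns its SiteInstance.
    entry.frames[frame].site_instance = live_frames.at(frame);
    // Proposed fix: also record a SiteInstance for every FNE that lacks one,
    // taken from the corresponding live frame (an assumption of this model).
    if (fill_all_frames_on_commit) {
      for (auto& kv : entry.frames) {
        if (!kv.second.site_instance)
          kv.second.site_instance = live_frames.at(kv.first);
      }
    }
    entry.restore_type = RestoreType::NONE;  // no longer a restored entry
    return true;
  }
};

// Replays steps 4-7 of the repro: restore, go back in the inner frame
// (AUTO_SUBFRAME commit), navigate the main frame away, then go back again.
// Frame names, URLs and sites are constructed for the example.
bool RunRepro(bool with_fix) {
  Controller c;
  c.fill_all_frames_on_commit = with_fix;
  c.live_frames["main"] = std::make_shared<SiteInstance>(SiteInstance{"a.test"});
  c.live_frames["inner"] = std::make_shared<SiteInstance>(SiteInstance{"b.test"});

  NavigationEntry restored;  // step 4: rebuilt from the session, no SiteInstances
  restored.restore_type = RestoreType::LAST_SESSION;
  restored.frames["main"] = {"http://a.test/nested.html", nullptr};
  restored.frames["inner"] = {"http://b.test/default.html", nullptr};
  NavigationEntry away;  // step 6 target, created by a normal commit
  away.frames["main"] = {"http://a.test/", c.live_frames["main"]};
  c.entries = {restored, away};

  if (!c.Commit(0, "inner")) return false;  // step 5: passes (still restored)
  if (!c.Commit(1, "main")) return false;   // step 6: passes (has SiteInstance)
  return c.Commit(0, "main");               // step 7: fails without the fix
}
```

The model keeps the check itself unchanged and only changes what a commit records, which is the shape of the fix comment 2 suggests: the subframe commit in step 5 is the last moment the entry is still marked as restored, so that is when the main frame's FNE has to be given a SiteInstance.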
Comment 3 by creis@chromium.org, Oct 14 2016

Cc: carlosk@chromium.org fdegans@chromium.org clamy@chromium.org creis@chromium.org
Issue 643032 has been merged into this issue.
Issue 683413 has been merged into this issue.

Comment 5 by creis@chromium.org, Feb 24 2017

Issue 696002 has been merged into this issue.
