
Issue 655686

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 1
Type: Bug-Security




Chrome: Crash Report - content::WebContents::FromRenderFrameHost

Reported by nyerramilli@chromium.org (Project Member), Oct 13 2016

Issue description

Product name: Chrome
Magic Signature: content::WebContents::FromRenderFrameHost

This crash, go/crash/c6a91b5900000000, was found by the latest SyzyASAN Canary (56.0.2889.1).

Bad access information:

Error Type: heap-use-after-free
Location: 0x0c39dd27
Access Mode: read
Access Size: 4
User Size : 672

Magic Stack
=============
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x114ecd31 ] MAGIC SIGNATURE THREAD
0x114ecd31	(chrome.dll -web_contents_impl.cc:306 )	content::WebContents::FromRenderFrameHost(content::RenderFrameHost *)
0x126d44a1	(chrome.dll -cast_remoting_connector.cc:42 )	CastRemotingConnector::FrameRemoterFactory::Create(mojo::InterfacePtr<media::mojom::RemotingSource>,mojo::InterfaceRequest<media::mojom::Remoter>)
0x11707fe6	(chrome.dll -remoting.mojom.cc:99 )	media::mojom::RemoterFactoryStubDispatch::Accept(media::mojom::RemoterFactory *,mojo::internal::SerializationContext *,mojo::Message *)
0x126d3e18	(chrome.dll -remoting.mojom.h:311 )	media::mojom::RemoterFactoryStub<mojo::RawPtrImplRefTraits<media::mojom::RemoterFactory> >::Accept(mojo::Message *)
0x1186934e	(chrome.dll -interface_endpoint_client.cc:339 )	mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message *)
0x118709ed	(chrome.dll -filter_chain.cc:40 )	mojo::FilterChain::Accept(mojo::Message *)
0x1186909f	(chrome.dll -interface_endpoint_client.cc:273 )	mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message *)
0x1186cb9e	(chrome.dll -multiplex_router.cc:824 )	mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::Message *,mojo::internal::MultiplexRouter::ClientCallBehavior,base::SingleThreadTaskRunner *)
0x1186bade	(chrome.dll -multiplex_router.cc:536 )	mojo::internal::MultiplexRouter::Accept(mojo::Message *)
0x118709ed	(chrome.dll -filter_chain.cc:40 )	mojo::FilterChain::Accept(mojo::Message *)
0x1186e970	(chrome.dll -connector.cc:246 )	mojo::Connector::ReadSingleMessage(unsigned int *)
0x1186e89a	(chrome.dll -connector.cc:272 )	mojo::Connector::ReadAllAvailableMessages()
0x1186e765	(chrome.dll -connector.cc:205 )	mojo::Connector::OnHandleReadyInternal(unsigned int)
0x11aa7b3e	(chrome.dll -bind_internal.h:339 )	base::internal::Invoker<base::internal::BindState<void ( net::HttpStreamFactoryImpl::Job::*)(int),base::internal::UnretainedWrapper<net::HttpStreamFactoryImpl::Job> >,void >::Run(base::internal::BindStateBase *,int &&)
0x11872fff	(chrome.dll -watcher.cc:122 )	mojo::Watcher::OnHandleReady(unsigned int)
0x111a4d4c	(chrome.dll -bind_internal.h:305 )	base::internal::InvokeHelper<1,void>::MakeItSo<void ( media::cast::UdpTransport::*const &)(int),base::WeakPtr<media::cast::UdpTransport> const &,int>(void ( media::cast::UdpTransport::*const &)(int),base::WeakPtr<media::cast::UdpTransport> const &,int &&)
0x111a55fa	(chrome.dll -bind_internal.h:339 )	base::internal::Invoker<base::internal::BindState<void ( media::cast::UdpTransport::*)(int),base::WeakPtr<media::cast::UdpTransport>,net::Error>,void >::Run(base::internal::BindStateBase *)
0x10a24b01	(chrome.dll -task_annotator.cc:54 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x109a62a2	(chrome.dll -message_loop.cc:411 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x109a74cf	(chrome.dll -message_loop.cc:513 )	base::MessageLoop::DoWork()
0x10a25402	(chrome.dll -message_pump_win.cc:263 )	base::MessagePumpForUI::DoRunLoop()
0x10a24e88	(chrome.dll -message_pump_win.cc:141 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x109fbb5e	(chrome.dll -run_loop.cc:35 )	base::RunLoop::Run()
0x1175f4fb	(chrome.dll -chrome_browser_main.cc:2118 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x11237d8f	(chrome.dll -browser_main_loop.cc:982 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x112391d9	(chrome.dll -browser_main_runner.cc:155 )	content::BrowserMainRunnerImpl::Run()
0x11233f25	(chrome.dll -browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const &)
0x11709de4	(chrome.dll -content_main_runner.cc:411 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x11709d2a	(chrome.dll -content_main_runner.cc:779 )	content::ContentMainRunnerImpl::Run()
0x117091fc	(chrome.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x10f6d8b7	(chrome.dll -chrome_main.cc:97 )	ChromeMain
0x001f1448	(chrome.exe -main_dll_loader_win.cc:174 )	MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x001f0a9c	(chrome.exe -chrome_exe_main_win.cc:245 )	wWinMain
0x00213c62	(chrome.exe -exe_common.inl:253 )	__scrt_common_main_seh
0x76c633a9	(kernel32.dll + 0x000133a9 )	BaseThreadInitThunk
0x77a19f71	(ntdll.dll + 0x00039f71 )	__RtlUserThreadStart
0x77a19f44	(ntdll.dll + 0x00039f44 )	_RtlUserThreadStart

ASAN Free Stack Trace (TID: 6384)
========================================
0x5a46a56f	(syzyasan_rtl.dll -block_heap_manager.cc:304 )	agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x5a46217d	(syzyasan_rtl.dll -rtl_impl.cc:124 )	asan_HeapFree
0x10f71249	(chrome.dll -winheap_stubs_win.cc:43 )	base::allocator::WinHeapFree(void *)
0x10f711cc	(chrome.dll -allocator_shim_default_dispatch_to_winheap.cc:47 )	`anonymous namespace'::DefaultWinHeapFreeImpl
0x10f710ae	(chrome.dll -allocator_shim.cc:243 )	ShimFree
0x112ed3bb	(chrome.dll + 0x0138d3bb )	content::RenderFrameHostImpl::`scalar deleting destructor'(unsigned int)
0x112f8ec3	(chrome.dll -render_frame_host_manager.cc:83 )	content::RenderFrameHostManager::~RenderFrameHostManager()
0x112d27d5	(chrome.dll -frame_tree_node.cc:130 )	content::FrameTreeNode::~FrameTreeNode()
0x112d12be	(chrome.dll -frame_tree.cc:116 )	content::FrameTree::~FrameTree()
0x114e88c6	(chrome.dll + 0x015888c6 )	content::WebContentsImpl::`scalar deleting destructor'(unsigned int)
0x126dc348	(chrome.dll -tab_manager.cc:743 )	memory::TabManager::DiscardWebContentsAt(int,TabStripModel *)
0x126dc0de	(chrome.dll -tab_manager.cc:348 )	memory::TabManager::DiscardTabById(__int64)
0x126dc142	(chrome.dll -tab_manager.cc:925 )	memory::TabManager::DiscardTabImpl()
0x12730f78	(chrome.dll -oom_memory_details.cc:49 )	memory::OomMemoryDetails::OnDetailsAvailable()
0x1285d7b3	(chrome.dll -memory_details.cc:353 )	MemoryDetails::CollectChildInfoOnUIThread()
0x10a24b02	(chrome.dll -task_annotator.cc:54 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x109a62a3	(chrome.dll -message_loop.cc:412 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x109a74d0	(chrome.dll -message_loop.cc:513 )	base::MessageLoop::DoWork()
0x10a25403	(chrome.dll -message_pump_win.cc:264 )	base::MessagePumpForUI::DoRunLoop()
0x10a24e89	(chrome.dll -message_pump_win.cc:143 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x109fbb5f	(chrome.dll -run_loop.cc:36 )	base::RunLoop::Run()
0x1175f4fc	(chrome.dll -chrome_browser_main.cc:2120 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x11237d90	(chrome.dll -browser_main_loop.cc:984 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x11233f26	(chrome.dll -browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const &)
0x11709de5	(chrome.dll -content_main_runner.cc:411 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x11709d2b	(chrome.dll -content_main_runner.cc:779 )	content::ContentMainRunnerImpl::Run()
0x117091fd	(chrome.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x10f6d8b8	(chrome.dll -chrome_main.cc:100 )	ChromeMain
0x001f1449	(chrome.exe -main_dll_loader_win.cc:176 )	MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x001f0a9d	(chrome.exe -chrome_exe_main_win.cc:246 )	wWinMain
0x00213c63	(chrome.exe -exe_common.inl:253 )	__scrt_common_main_seh
0x76c633aa	(kernel32.dll + 0x000133aa )	BaseThreadInitThunk
0x77a19f72	(ntdll.dll + 0x00039f72 )	__RtlUserThreadStart
0x77a19f45	(ntdll.dll + 0x00039f45 )	_RtlUserThreadStart

ASAN Allocation Stack Trace (TID: 6384)
============================================
0x5a46a2ae	(syzyasan_rtl.dll -block_heap_manager.cc:201 )	agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x5a4620d3	(syzyasan_rtl.dll -rtl_impl.cc:103 )	asan_HeapAlloc
0x10f7128e	(chrome.dll -winheap_stubs_win.cc:36 )	base::allocator::WinHeapMalloc(unsigned int)
0x10f711e8	(chrome.dll -allocator_shim_default_dispatch_to_winheap.cc:15 )	`anonymous namespace'::DefaultWinHeapMallocImpl
0x10f710cd	(chrome.dll -allocator_shim.cc:177 )	ShimMalloc
0x12782529	(chrome.dll -new_scalar.cpp:19 )	operator new(unsigned int)
0x112e837d	(chrome.dll -render_frame_host_factory.cc:33 )	content::RenderFrameHostFactory::Create(content::SiteInstance *,content::RenderViewHostImpl *,content::RenderFrameHostDelegate *,content::RenderWidgetHostDelegate *,content::FrameTree *,content::FrameTreeNode *,int,int,bool)
0x112fab84	(chrome.dll -render_frame_host_manager.cc:1659 )	content::RenderFrameHostManager::CreateRenderFrameHost(content::SiteInstance *,int,int,int,bool)
0x112fa85d	(chrome.dll -render_frame_host_manager.cc:1716 )	content::RenderFrameHostManager::CreateRenderFrame(content::SiteInstance *,bool,int *)
0x112fa51b	(chrome.dll -render_frame_host_manager.cc:1573 )	content::RenderFrameHostManager::CreatePendingRenderFrameHost(content::SiteInstance *,content::SiteInstance *)
0x112ff191	(chrome.dll -render_frame_host_manager.cc:2290 )	content::RenderFrameHostManager::UpdateStateForNavigate(GURL const &,content::SiteInstance *,content::SiteInstance *,ui::PageTransition,bool,bool,content::GlobalRequestID const &,int,bool)
0x112fd229	(chrome.dll -render_frame_host_manager.cc:206 )	content::RenderFrameHostManager::Navigate(GURL const &,content::FrameNavigationEntry const &,content::NavigationEntryImpl const &,bool)
0x112e6a0c	(chrome.dll -navigator_impl.cc:358 )	content::NavigatorImpl::NavigateToEntry(content::FrameTreeNode *,content::FrameNavigationEntry const &,content::NavigationEntryImpl const &,content::ReloadType,bool,bool,bool,scoped_refptr<content::ResourceRequestBodyImpl> const &)
0x112e6dcb	(chrome.dll -navigator_impl.cc:450 )	content::NavigatorImpl::NavigateToPendingEntry(content::FrameTreeNode *,content::FrameNavigationEntry const &,content::ReloadType,bool)
0x112da409	(chrome.dll -navigation_controller_impl.cc:1922 )	content::NavigationControllerImpl::NavigateToPendingEntryInternal(content::ReloadType)
0x112da1a9	(chrome.dll -navigation_controller_impl.cc:1865 )	content::NavigationControllerImpl::NavigateToPendingEntry(content::ReloadType)
0x112d978d	(chrome.dll -navigation_controller_impl.cc:457 )	content::NavigationControllerImpl::LoadEntry(std::unique_ptr<content::NavigationEntryImpl,std::default_delete<content::NavigationEntryImpl> >)
0x112d9f07	(chrome.dll -navigation_controller_impl.cc:788 )	content::NavigationControllerImpl::LoadURLWithParams(content::NavigationController::LoadURLParams const &)
0x12379ea2	(chrome.dll -browser_navigator.cc:290 )	`anonymous namespace'::LoadURLInContents
0x1237a3ad	(chrome.dll -browser_navigator.cc:558 )	chrome::Navigate(chrome::NavigateParams *)
0x1239c374	(chrome.dll -browser_commands.cc:530 )	chrome::OpenCurrentURL(Browser *)
0x123951f6	(chrome.dll -browser_command_controller.cc:337 )	chrome::BrowserCommandController::ExecuteCommandWithDisposition(int,WindowOpenDisposition)
0x1285508f	(chrome.dll -command_updater.cc:50 )	CommandUpdater::ExecuteCommandWithDisposition(int,WindowOpenDisposition)
0x12855041	(chrome.dll -command_updater.cc:43 )	CommandUpdater::ExecuteCommand(int)
0x12ca44e2	(chrome.dll -chrome_omnibox_edit_controller.cc:32 )	ChromeOmniboxEditController::OnAutocompleteAccept(GURL const &,WindowOpenDisposition,ui::PageTransition,AutocompleteMatchType::Type)
0x12bd1691	(chrome.dll -omnibox_edit_model.cc:726 )	OmniboxEditModel::OpenMatch(AutocompleteMatch,WindowOpenDisposition,GURL const &,std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > const &,unsigned int)
0x12bcd334	(chrome.dll -omnibox_view.cc:74 )	OmniboxView::OpenMatch(AutocompleteMatch const &,WindowOpenDisposition,GURL const &,std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > const &,unsigned int)
0x12bce0db	(chrome.dll -omnibox_edit_model.cc:555 )	OmniboxEditModel::AcceptInput(WindowOpenDisposition,bool)
0x1246264f	(chrome.dll -omnibox_view_views.cc:898 )	OmniboxViewViews::HandleKeyEvent(views::Textfield *,ui::KeyEvent const &)
0x1280c747	(chrome.dll -textfield.cc:672 )	views::Textfield::OnKeyPressed(ui::KeyEvent const &)
0x127ce07b	(chrome.dll -view.cc:1001 )	views::View::OnKeyEvent(ui::KeyEvent *)
0x11c56c35	(chrome.dll -event_handler.cc:25 )	ui::EventHandler::OnEvent(ui::Event *)
0x11c5773e	(chrome.dll -event_dispatcher.cc:192 )	ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x11c57cb3	(chrome.dll -event_dispatcher.cc:140 )	ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x11c57a8f	(chrome.dll -event_dispatcher.cc:87 )	ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x11c57826	(chrome.dll -event_dispatcher.cc:58 )	ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x128b5bbe	(chrome.dll -event_processor.cc:35 )	ui::EventProcessor::OnEventFromSource(ui::Event *)
0x128b5d7e	(chrome.dll -event_source.cc:73 )	ui::EventSource::DeliverEventToProcessor(ui::Event *)
0x128b5e63	(chrome.dll -event_source.cc:52 )	ui::EventSource::SendEventToProcessor(ui::Event *)
0x127d459b	(chrome.dll -widget.cc:1155 )	views::Widget::OnKeyEvent(ui::KeyEvent *)
0x127e28a2	(chrome.dll -desktop_native_widget_aura.cc:1034 )	views::DesktopNativeWidgetAura::OnKeyEvent(ui::KeyEvent *)
0x11c56c35	(chrome.dll -event_handler.cc:25 )	ui::EventHandler::OnEvent(ui::Event *)
0x11c5773e	(chrome.dll -event_dispatcher.cc:192 )	ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x11c57cb3	(chrome.dll -event_dispatcher.cc:140 )	ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x11c57a8f	(chrome.dll -event_dispatcher.cc:87 )	ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x11c57826	(chrome.dll -event_dispatcher.cc:58 )	ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x128b5bbe	(chrome.dll -event_processor.cc:35 )	ui::EventProcessor::OnEventFromSource(ui::Event *)
0x128b5d7e	(chrome.dll -event_source.cc:73 )	ui::EventSource::DeliverEventToProcessor(ui::Event *)
0x128b5e63	(chrome.dll -event_source.cc:52 )	ui::EventSource::SendEventToProcessor(ui::Event *)
0x11e04f2c	(chrome.dll -window_tree_host.cc:203 )	aura::WindowTreeHost::DispatchKeyEventPostIME(ui::KeyEvent *)
0x12959253	(chrome.dll -input_method_base.cc:125 )	ui::InputMethodBase::DispatchKeyEventPostIME(ui::KeyEvent *)
0x1295bb35	(chrome.dll -input_method_win.cc:202 )	ui::InputMethodWin::ProcessKeyEventDone(ui::KeyEvent *,std::vector<tagMSG,std::allocator<tagMSG> > const *,bool)
0x1295aa3a	(chrome.dll -input_method_win.cc:192 )	ui::InputMethodWin::DispatchKeyEvent(ui::KeyEvent *)
0x1283b130	(chrome.dll -hwnd_message_handler.cc:1559 )	views::HWNDMessageHandler::OnKeyEvent(unsigned int,unsigned int,long)
0x1283e79f	(chrome.dll -hwnd_message_handler.h:367 )	views::HWNDMessageHandler::_ProcessWindowMessage(HWND__ *,unsigned int,unsigned int,long,long &,unsigned long)
0x1283cf79	(chrome.dll -hwnd_message_handler.cc:898 )	views::HWNDMessageHandler::OnWndProc(unsigned int,unsigned int,long)
0x11bcae78	(chrome.dll -window_impl.cc:303 )	gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)
0x11bca5e2	(chrome.dll -wrapped_window_proc.h:76 )	base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)>(HWND__ *,unsigned int,unsigned int,long)
0x764b62fa	(USER32.dll + 0x000162fa )	InternalCallWinProc
0x764b6d3a	(USER32.dll + 0x00016d3a )	UserCallWinProcCheckWow
0x764b77c4	(USER32.dll + 0x000177c4 )	DispatchMessageWorker
0x764b788a	(USER32.dll + 0x0001788a )	DispatchMessageW


This ASAN crash was introduced in the latest canary, 56.0.2889.1; only 2 instances from 2 client IDs so far.

Using codesearch, I see some changes to 'web_contents_impl.cc' in
https://chromium.googlesource.com/chromium/src/+/5d3b869bc09c586f076e3d78d8b8966b75dcf6c9

avi@, could you please check and help.

Also seeing this crash on other OSes (Linux & Android); please check the link below:

https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27content%3A%3AWebContents%3A%3AFromRenderFrameHost%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D



Comment 1 by a...@chromium.org, Oct 13 2016

Owner: avayvod@chromium.org
This seems like Cast is getting a message for a deleted frame.

Sending to a Cast person.

Comment 2 by sheriffbot@chromium.org (Project Member), Oct 13 2016

Labels: FoundIn-M-56 Fracas
Users experienced this crash on the following builds:

Win Canary 56.0.2889.0 -  0.25 CPM, 1 reports, 1 clients (signature content::WebContents::FromRenderFrameHost)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Comment 3 by mmoroz@chromium.org, Oct 14 2016

Labels: -Restrict-View-Google -Type-Bug-Regression Security_Impact-Head Security_Severity-High Restrict-View-SecurityTeam Type-Bug-Security
Adding security labels since this is a Use-after-Free bug.

Comment 4 by mmoroz@chromium.org, Oct 14 2016

Issue 655830 has been merged into this issue.

Comment 5 by mmoroz@chromium.org, Oct 14 2016

Components: Content>WebApps
Cc: m...@chromium.org
Owner: x...@chromium.org
I believe this comes from the media remoting stack.

Comment 7 by sheriffbot@chromium.org (Project Member), Oct 14 2016

Labels: OS-Mac
Users experienced this crash on the following builds:

Win Canary 56.0.2889.0 -  0.77 CPM, 17 reports, 17 clients (signature CastRemotingConnector::FrameRemoterFactory::Create)
Mac Canary 56.0.2890.0 -  3.02 CPM, 2 reports, 2 clients (signature CastRemotingConnector::FrameRemoterFactory::Create)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Comment 8 by x...@chromium.org, Oct 14 2016

Status: Started (was: Assigned)

Comment 9 by sheriffbot@chromium.org (Project Member), Oct 15 2016

Labels: -Pri-2 Pri-1

Comment 10 by x...@chromium.org, Oct 18 2016

Cc: -m...@chromium.org x...@chromium.org
Owner: m...@chromium.org
Status: Assigned (was: Started)
Crash happened when calling RemoterFactory::Create(). 
miu@: Can you PTAL? Thanks.

Comment 11 by m...@chromium.org, Oct 18 2016

Status: Started (was: Assigned)

Comment 12 by m...@chromium.org, Oct 18 2016

Looks like a "Mojo Service" object is outliving the RenderFrameHost that created it. I can mitigate this by storing the Render Frame ID (i.e., like a weak pointer to a RenderFrameHost) and doing look-ups for the instance before proceeding.

Comment 13 by sheriffbot@chromium.org (Project Member), Oct 19 2016

Labels: FoundIn-M-54
Users experienced this crash on the following builds:

Win Canary 56.0.2891.0 -  3.03 CPM, 254 reports, 242 clients (signature base::SupportsUserData::GetUserData)
Mac Beta 54.0.2840.59 -  0.18 CPM, 9 reports, 9 clients (signature base::SupportsUserData::GetUserData)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Comment 14 by bugdroid1@chromium.org (Project Member), Oct 19 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/951fc9d0e3dc2db9666b803eab941bf4c53c0a4d

commit 951fc9d0e3dc2db9666b803eab941bf4c53c0a4d
Author: miu <miu@chromium.org>
Date: Wed Oct 19 11:06:28 2016

Crash fix: Ignore mojo Create() calls after RFH is dead.

Mojo posted tasks to call the RemoterFactory's Create() method; but
while these tasks were posted before the associated RenderFrameHost was
destroyed, they were being run after the RFH was destroyed. This change
solves the problem by storing the process/routing IDs of the RFH and
performing a look-up-by-ID before each use of the RFH.

BUG= 655686 

Review-Url: https://chromiumcodereview.appspot.com/2431513004
Cr-Commit-Position: refs/heads/master@{#426146}

[modify] https://crrev.com/951fc9d0e3dc2db9666b803eab941bf4c53c0a4d/chrome/browser/media/cast_remoting_connector.cc
[modify] https://crrev.com/951fc9d0e3dc2db9666b803eab941bf4c53c0a4d/chrome/browser/media/cast_remoting_connector.h
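The mitigation that comment 12 and the commit message above describe (keep the RFH's process/routing IDs rather than a pointer, look the RFH up by ID before each use, and ignore the Create() call if the host is already gone), as an added example that is not Chromium's code. FrameHost, FrameRegistry, TaskQueue, RawPointerFactory and IdLookupFactory are stand-ins invented for this illustration; Destroy() quarantines and poisons the object instead of freeing it so that the stale read is deterministic and observable here rather than undefined behaviour.

```cpp
// Added illustration, not Chromium code: a deferred mojo task holding a raw
// RenderFrameHost pointer versus holding its IDs and re-resolving them. All
// type names below are stand-ins chosen for this example.
#include <functional>
#include <map>
#include <memory>
#include <utility>
#include <vector>

constexpr int kPoisonedValue = -999;  // what a stale read yields in this simulation
constexpr int kFrameGone = -1;        // fixed factory's "request ignored" result

// Stand-in for content::RenderFrameHost.
struct FrameHost {
  int process_id;
  int routing_id;
  int web_contents_id;  // stands in for WebContents::FromRenderFrameHost(rfh)
};

// Stand-in for RenderFrameHost::FromID(). Destroy() quarantines and poisons the
// object instead of freeing it so the stale read is observable without undefined
// behaviour; in the real browser the memory is freed and ASan reports the UAF.
class FrameRegistry {
 public:
  FrameHost* Create(int process_id, int routing_id, int web_contents_id) {
    auto host = std::make_unique<FrameHost>(FrameHost{process_id, routing_id, web_contents_id});
    FrameHost* raw = host.get();
    live_[{process_id, routing_id}] = std::move(host);
    return raw;
  }
  void Destroy(int process_id, int routing_id) {
    auto it = live_.find({process_id, routing_id});
    if (it == live_.end()) return;
    it->second->web_contents_id = kPoisonedValue;
    quarantine_.push_back(std::move(it->second));
    live_.erase(it);
  }
  const FrameHost* FromID(int process_id, int routing_id) const {
    auto it = live_.find({process_id, routing_id});
    return it == live_.end() ? nullptr : it->second.get();
  }
 private:
  std::map<std::pair<int, int>, std::unique_ptr<FrameHost>> live_;
  std::vector<std::unique_ptr<FrameHost>> quarantine_;
};

// Stand-in for the browser UI-thread message loop that mojo posts tasks to.
class TaskQueue {
 public:
  void Post(std::function<void()> task) { tasks_.push_back(std::move(task)); }
  void RunAll() {
    std::vector<std::function<void()>> pending = std::move(tasks_);
    tasks_.clear();
    for (auto& task : pending) task();
  }
 private:
  std::vector<std::function<void()>> tasks_;
};

// Before: the factory keeps the pointer it was built with; nothing tells it
// when the host dies, so a Create() task that runs later reads a dangling pointer.
class RawPointerFactory {
 public:
  explicit RawPointerFactory(const FrameHost* host) : host_(host) {}
  int Create() const { return host_->web_contents_id; }
 private:
  const FrameHost* host_;
};

// After, the pattern the commit message describes: keep process/routing IDs,
// look the host up by ID before every use, and treat "not found" as "ignore".
class IdLookupFactory {
 public:
  IdLookupFactory(const FrameRegistry* registry, int process_id, int routing_id)
      : registry_(registry), process_id_(process_id), routing_id_(routing_id) {}
  int Create() const {
    const FrameHost* host = registry_->FromID(process_id_, routing_id_);
    if (!host) return kFrameGone;  // RFH already destroyed: drop the request
    return host->web_contents_id;
  }
 private:
  const FrameRegistry* registry_;
  int process_id_;
  int routing_id_;
};

// The ordering from the report: Create() is posted while the frame is alive,
// the tab is discarded (the RFH is destroyed), and only then does the task run.
int RunScenario(bool use_id_lookup, bool discard_before_run) {
  FrameRegistry registry;
  TaskQueue loop;
  const FrameHost* host = registry.Create(7, 42, 1001);  // process 7, routing 42
  RawPointerFactory buggy(host);
  IdLookupFactory fixed(&registry, 7, 42);
  int result = 0;
  if (use_id_lookup)
    loop.Post([&] { result = fixed.Create(); });
  else
    loop.Post([&] { result = buggy.Create(); });
  if (discard_before_run) registry.Destroy(7, 42);
  loop.RunAll();
  return result;
}
```

RunScenario(false, true) reproduces the report's ordering with the raw-pointer factory and returns the poisoned value, which is the simulated form of the heap-use-after-free read at web_contents_impl.cc:306; RunScenario(true, true) returns kFrameGone because the by-ID lookup fails and the request is dropped. In Chromium the equivalent lookup is RenderFrameHost::FromID(), which must be called on the UI thread; since RFH destruction also happens there, a task cannot see the host freed between the lookup and the use.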

Comment 15 by m...@chromium.org, Oct 19 2016

Status: Fixed (was: Started)
Fixed. I will examine crash reports tomorrow, and if the above change fixed the problem, will proceed with merge requests for M54/55.

Comment 16 by m...@chromium.org, Oct 19 2016

Labels: -FoundIn-M-54 Fracas-Wrong FoundIn-M-55
Actually, scratch that for M54. It's not possible for it to have affected M54 since the code was landed well after M54 branch.

Comment 17 by sheriffbot@chromium.org (Project Member), Oct 20 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 18 by m...@chromium.org, Oct 22 2016

Labels: Merge-Request-55
Confirmed: Crash reports are gone now. Requesting M55 merge.

Comment 19 by m...@chromium.org, Oct 22 2016

Labels: -FoundIn-M-55 -Merge-Request-55
Actually, scratch that. Looking at crash reports, there were none in M55. Merge is not needed.

Comment 20 by sheriffbot@chromium.org (Project Member), Jan 26 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
