Issue 667708

Issue metadata

Status: Fixed
Closed: Nov 2016
OS: Linux , Windows
Pri: 1
Type: Bug

Blocking:
issue 412373



Browser crashes on exiting when sign in overlay is present in chrome://apps page

Reported by sc00335...@techmahindra.com, Nov 22 2016

Issue description

Version: 56.0.2924.0 dev 
OS: Ubuntu 14.04, Windows

Pre-Condition: Enable Cross process frames for guests flag from chrome://flags

What steps will reproduce the problem?
(1) Launch Chrome, go to chrome://apps and click the sign-in link to open the sign-in overlay.
(2) Click the wrench menu, select Exit and observe.

Expected: No crash should be seen on exiting when the sign-in overlay is present.
Actual: Instead, a browser crash is seen.

This is a non-regression issue, as this behaviour is seen from the introduction of the Cross process frames for guests flag in the 56.0.2924.0 build.

CL: https://chromium.googlesource.com/chromium/src/+log/56.0.2923.0..56.0.2924.0?pretty=fuller&n=10000

Suspecting https://codereview.chromium.org/2508763002 from the changelog.

@avallee: Please confirm the issue.

crash ids: d3b748f700000000 ; 47a7c8f700000000

 
Attaching video for reference: Actual_crash.ogv (1.2 MB)
Able to reproduce the issue on Ubuntu 14.04 using the latest Chrome Dev M56 (56.0.2924.0) by following the steps mentioned in the original comment.

Note: Unable to reproduce this issue on Mac OS 10.12.

Stack Trace:
------------
Thread 0 CRASHED [SIGSEGV @ 0x00000000 ] MAGIC SIGNATURE THREAD
Stack quality: 100%
0x000055762e80e5ec	(chrome -./out/Release/../../content/browser/frame_host/frame_tree_node.h:86 )	<name omitted>
0x000055762e8495f1	(chrome -./out/Release/../../content/browser/frame_host/render_widget_host_view_child_frame.cc:445 )	<name omitted>
0x000055762eac1157	(chrome -./out/Release/../../content/browser/web_contents/web_contents_impl.cc:2476 )	<name omitted>
0x000055762e7691f5	(chrome -./out/Release/../../content/browser/browser_plugin/browser_plugin_embedder.cc:108 )	<name omitted>
0x00005576307e7d07	(chrome -./out/Release/../../base/callback.h:64 )	<name omitted>
0x000055762e769299	(chrome -./out/Release/../../content/browser/browser_plugin/browser_plugin_embedder.cc:114 )	<name omitted>
0x000055762eac1199	(chrome -./out/Release/../../content/browser/web_contents/web_contents_impl.cc:2480 )	<name omitted>
0x000055762ea61eec	(chrome -./out/Release/../../content/browser/web_contents/web_contents_view_aura.cc:498 )	content::WebContentsViewAura::WindowObserver::OnWindowBoundsChanged(aura::Window*, gfx::Rect const&, gfx::Rect const&)
0x000055762ff93212	(chrome -./out/Release/../../ui/aura/window.cc:1044 )	<name omitted>
0x000055762ffa5405	(chrome -./out/Release/../../ui/compositor/layer.cc:998 )	<name omitted>
0x000055762ff962ab	(chrome -./out/Release/../../ui/aura/window.cc:706 )	<name omitted>
0x000055763039f65f	(chrome -./out/Release/../../ui/views/controls/native/native_view_host_aura.cc:231 )	views::NativeViewHostAura::RemoveClippingWindow()
0x000055763039efe8	(chrome -./out/Release/../../ui/views/controls/native/native_view_host_aura.cc:102 )	views::NativeViewHostAura::NativeViewDetaching(bool)
0x00005576303957a0	(chrome -./out/Release/../../ui/views/controls/native/native_view_host.cc:200 )	views::NativeViewHost::Detach()
0x0000557630cf40eb	(chrome -./out/Release/../../ui/views/controls/webview/webview.cc:348 )	<name omitted>
0x0000557630b2425a	(chrome -./out/Release/../../chrome/browser/ui/views/frame/browser_view.cc:1505 )	BrowserView::TabDetachedAt(content::WebContents*, int)
0x0000557630ab1a38	(chrome -./out/Release/../../chrome/browser/ui/tabs/tab_strip_model.cc:374 )	<name omitted>
0x000055762eab525c	(chrome -./out/Release/../../content/browser/web_contents/web_contents_impl.cc:570 )	content::WebContentsImpl::~WebContentsImpl()
0x000055762eab5a68	(chrome -./out/Release/../../content/browser/web_contents/web_contents_impl.cc:477 )	<name omitted>
0x0000557630ab4b53	(chrome -./out/Release/../../chrome/browser/ui/tabs/tab_strip_model.cc:1230 )	<name omitted>
0x0000557630ab4733	(chrome -./out/Release/../../chrome/browser/ui/tabs/tab_strip_model.cc:1206 )	<name omitted>
0x0000557630ab3fbb	(chrome -./out/Release/../../chrome/browser/ui/tabs/tab_strip_model.cc:514 )	<name omitted>
0x0000557630a8fee6	(chrome -./out/Release/../../chrome/browser/ui/browser.cc:714 )	<name omitted>
0x0000557630abc7be	(chrome -./out/Release/../../chrome/browser/ui/unload_controller.cc:47 )	<name omitted>
0x0000557630a8d9a9	(chrome -./out/Release/../../chrome/browser/ui/browser.cc:1477 )	non-virtual thunk to Browser::CloseContents(content::WebContents*)
0x000055762e99b9c8	(chrome -./out/Release/../../base/tuple.h:144 )	<name omitted>
0x000055762e999558	(chrome -./out/Release/../../content/browser/renderer_host/render_view_host_impl.cc:761 )	<name omitted>
0x000055762e9a595a	(chrome -./out/Release/../../content/browser/renderer_host/render_widget_host_impl.cc:513 )	<name omitted>
0x000055762faec969	(chrome -./out/Release/../../ipc/ipc_channel_proxy.cc:340 )	<name omitted>
0x000055762f21ee5d	(chrome -./out/Release/../../base/callback.h:47 )	<name omitted>
0x000055762f1bf348	(chrome -./out/Release/../../base/message_loop/message_loop.cc:413 )	<name omitted>
0x000055762f1bf687	(chrome -./out/Release/../../base/message_loop/message_loop.cc:422 )	<name omitted>
0x000055762f1bedea	(chrome -./out/Release/../../base/message_loop/message_loop.cc:515 )	<name omitted>
0x000055762f1c0d8c	(chrome -./out/Release/../../base/message_loop/message_pump_glib.cc:313 )	base::MessagePumpGlib::Run(base::MessagePump::Delegate*)
0x000055762f1d977f	(chrome -./out/Release/../../base/run_loop.cc:35 )	<name omitted>
0x000055762f095521	(chrome -./out/Release/../../chrome/browser/chrome_browser_main.cc:1982 )	ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x000055762e7665a7	(chrome -./out/Release/../../content/browser/browser_main_loop.cc:984 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x000055762e76864c	(chrome -./out/Release/../../content/browser/browser_main_runner.cc:141 )	content::BrowserMainRunnerImpl::Run()
0x000055762e761028	(chrome -./out/Release/../../content/browser/browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const&)
0x000055762ee4bef3	(chrome -./out/Release/../../content/app/content_main_runner.cc:774 )	content::ContentMainRunnerImpl::Run()
0x000055762ee4aa7d	(chrome -./out/Release/../../content/app/content_main.cc:20 )	content::ContentMain(content::ContentMainParams const&)
0x000055762db6d1cc	(chrome -./out/Release/../../chrome/app/chrome_main.cc:108 )	ChromeMain
0x00007f6523d4bec4	(libc-2.19.so -libc-start.c:287 )	__libc_start_main
0x000055762db6d080	(chrome + 0x00b32080 )	_start
Status: Started (was: Assigned)
Cc: wjmaclean@chromium.org

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: FoundIn-M-56 Fracas
Users experienced this crash on the following builds:

Linux Dev 56.0.2922.1 -  0.55 CPM, 1 reports, 1 clients (signature content::WebContentsViewAura::WindowObserver::OnWindowBoundsChanged)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Labels: -Pri-2 Pri-1
The simplest test case that I could use to reliably repro is to open 2 browser windows, both showing chrome://chrome-signin and closing one of the two windows.

Comment 7 by bugdroid1@chromium.org, Nov 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9f43b0110e3e4b47064b067fecc30ca2ce2c193e

commit 9f43b0110e3e4b47064b067fecc30ca2ce2c193e
Author: avallee <avallee@chromium.org>
Date: Sat Nov 26 07:02:10 2016

<webview> Fix crash when closing chrome://chrome-signin

This fixes a browser crash with OOPIF-based webviews. When two instances
of chrome://chrome-signin are opened in browser tabs, closing either one
of them leads to a crash.

The embedding WebContentsImpl in its destructor will attempt to update
screen rects for child WebContentsImpl. The children will fail to locate
their parent due to their node Id not being kInvalid despite the node no
longer existing (destroyed earlier in the parent WebContentsImpl dtor).

~ No longer notify children about screen rect changes when being
  destroyed.
+ Add regression test.

BUG= 667708 

Review-Url: https://codereview.chromium.org/2519333007
Cr-Commit-Position: refs/heads/master@{#434570}

[modify] https://crrev.com/9f43b0110e3e4b47064b067fecc30ca2ce2c193e/chrome/browser/apps/guest_view/web_view_browsertest.cc
[modify] https://crrev.com/9f43b0110e3e4b47064b067fecc30ca2ce2c193e/content/browser/web_contents/web_contents_impl.cc
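
As an added illustration of the teardown ordering the commit message describes (this is not Chromium code and not the committed fix; the class names, the node-id registry, `kNodeId`, `StaleLookupsOnClose` and the `skip_notify_when_destroying` switch are all hypothetical), the model below destroys the embedder's frame node first, then lets the detach-time bounds notification fan out to a child that still holds a non-invalid parent node id. The real code dereferenced a dangling node and took the SIGSEGV in the stack trace above; the model counts the stale lookup instead so it runs to completion, and shows the fix as the early return from the notification while the embedder is being destroyed.

```cpp
// Reduced model of a destructor-ordering bug: a child resolves its parent by a
// node id that still looks valid after the node itself has been destroyed.
// Hypothetical names throughout; not Chromium code.
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

namespace teardown_model {

constexpr int kInvalidNodeId = -1;
constexpr int kNodeId = 7;  // assumed id for the single embedder in the examples

// A frame node owned by the embedder. The registry stands in for the frame
// tree that a child walks to find its parent by id.
struct FrameNode {
  int id;
  int width;
};

std::map<int, FrameNode*>& Registry() {
  static std::map<int, FrameNode*> registry;
  return registry;
}

// Child (guest) contents. It stores only its parent's node id and re-resolves
// the node on every screen-rect update, the step that faulted in the report.
class GuestContents {
 public:
  explicit GuestContents(int parent_node_id) : parent_node_id_(parent_node_id) {}

  // Returns the parent's current width, or -1 if the parent cannot be resolved.
  // An id that is not kInvalidNodeId but has no live node is the stale case
  // from the commit message; it is counted here rather than dereferenced.
  int OnScreenRectsChanged() {
    if (parent_node_id_ == kInvalidNodeId) return -1;
    auto it = Registry().find(parent_node_id_);
    if (it == Registry().end()) {
      ++stale_lookups_;
      return -1;
    }
    return it->second->width;
  }

  int stale_lookups() const { return stale_lookups_; }

 private:
  int parent_node_id_;
  int stale_lookups_ = 0;
};

// Embedder contents. Its destructor mirrors the order in the commit message:
// the frame node goes away first, and detaching the view afterwards fires a
// bounds-changed notification that fans out to the still-registered children.
class EmbedderContents {
 public:
  EmbedderContents(int node_id, bool skip_notify_when_destroying)
      : node_(new FrameNode{node_id, 800}),
        skip_notify_when_destroying_(skip_notify_when_destroying) {
    Registry()[node_id] = node_.get();
  }

  void RegisterGuest(GuestContents* guest) { guests_.push_back(guest); }

  // Entry point for any window-bounds change. The fix is the early return:
  // no child notification while the embedder is being destroyed.
  void ScreenRectsChanged() {
    if (skip_notify_when_destroying_ && is_being_destroyed_) return;
    for (GuestContents* guest : guests_) guest->OnScreenRectsChanged();
  }

  ~EmbedderContents() {
    is_being_destroyed_ = true;
    Registry().erase(node_->id);  // node gone; children keep their copy of the id
    node_.reset();
    ScreenRectsChanged();  // detach-time notification seen in the stack trace
  }

 private:
  std::unique_ptr<FrameNode> node_;
  std::vector<GuestContents*> guests_;  // non-owning: guests outlive this dtor
  bool skip_notify_when_destroying_;
  bool is_being_destroyed_ = false;
};

// Width the guest resolves while its parent is alive (800 in this model).
int ParentWidthWhileAlive() {
  GuestContents guest(kNodeId);  // declared first so it outlives the embedder
  EmbedderContents embedder(kNodeId, /*skip_notify_when_destroying=*/true);
  embedder.RegisterGuest(&guest);
  return guest.OnScreenRectsChanged();
}

// Closes an embedder with one guest attached and reports how many times the
// guest tried to resolve a parent node that no longer existed.
int StaleLookupsOnClose(bool with_fix) {
  GuestContents guest(kNodeId);
  {
    EmbedderContents embedder(kNodeId, with_fix);
    embedder.RegisterGuest(&guest);
  }  // ~EmbedderContents runs here, after the node is gone
  return guest.stale_lookups();
}

}  // namespace teardown_model

int main() {
  std::printf("stale lookups without fix: %d\n", teardown_model::StaleLookupsOnClose(false));
  std::printf("stale lookups with fix:    %d\n", teardown_model::StaleLookupsOnClose(true));
  return 0;
}
```

The point of the split into `is_being_destroyed_` and the guard is that the child cannot tell a stale id from a live one by looking at the id alone, so the check has to live on the side that knows it is mid-teardown; the regression test in the commit exercises the same two-page open-and-close sequence against the real classes.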

Blocking: 412373
Status: Fixed (was: Started)
James, can you verify this on canary? Opening two chrome-signin pages in a tab and closing one should not crash. See #c6.

Do we need merge back?
Labels: Merge-Request-56

Comment 11 by dimu@chromium.org, Dec 1 2016

Labels: -Merge-Request-56 Merge-Approved-56 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M56 (branch: 2924)

Comment 12 by bugdroid1@chromium.org, Dec 1 2016

Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/57e104b5bbebdf3c7319ff89239dc9ebef7fd7c9

commit 57e104b5bbebdf3c7319ff89239dc9ebef7fd7c9
Author: W. James MacLean <wjmaclean@chromium.org>
Date: Thu Dec 01 19:48:16 2016

<webview> Fix crash when closing chrome://chrome-signin

This fixes a browser crash with OOPIF-based webviews. When two instances
of chrome://chrome-signin are opened in browser tabs, closing either one
of them leads to a crash.

The embedding WebContentsImpl in its destructor will attempt to update
screen rects for child WebContentsImpl. The children will fail to locate
their parent due to their node Id not being kInvalid despite the node no
longer existing (destroyed earlier in the parent WebContentsImpl dtor).

~ No longer notify children about screen rect changes when being
  destroyed.
+ Add regression test.

BUG= 667708 

Review-Url: https://codereview.chromium.org/2519333007
Cr-Commit-Position: refs/heads/master@{#434570}
(cherry picked from commit 9f43b0110e3e4b47064b067fecc30ca2ce2c193e)

Review URL: https://codereview.chromium.org/2546523004 .

Cr-Commit-Position: refs/branch-heads/2924@{#257}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/57e104b5bbebdf3c7319ff89239dc9ebef7fd7c9/chrome/browser/apps/guest_view/web_view_browsertest.cc
[modify] https://crrev.com/57e104b5bbebdf3c7319ff89239dc9ebef7fd7c9/content/browser/web_contents/web_contents_impl.cc

Labels: TE-Verified-M56 TE-Verified-56.0.2924.14
Tested the issue on Chrome Dev 56.0.2924.14 using Windows and Linux, and it is no longer reproducible.
No crash is observed on exiting Chrome. Hence adding TE-Verified labels.
Attaching screen cast for reference: 667708.ogv (940 KB)
Thank You.