New issue
Advanced search Search tips

Issue 674199 link

Starred by 2 users
Status: Assigned
Owner:
dcheng@chromium.org
Cc:
creis@chromium.org
dcheng@chromium.org
alex...@chromium.org
wfh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug



Sign in to add a comment

OOPIF: DCHECK when detaching a document with a Flash object that has active selection

Project Member Reported by alex...@chromium.org, Dec 14 2016 
What steps will reproduce the problem?
(1) With --site-per-process and Flash enabled*, go to http://csreis.github.io/tests/cross-site-iframe.html
(2) From devtools, navFrame("http://www.adobe.com/software/flash/about/")
(3) Allow Flash to run in the permission prompt.  Scroll to the small Flash object that says "You have version 23,0,0,207 installed" (you may need to also click on it to run it)
(4) setTimeout(() => navFrame("about:blank"), 5000);
(5) In the next 5 seconds, select some text inside the Flash object from (3), i.e., "You have version 23,0,0,207 installed".

Once the navigation happens, the subframe process crashes:

[1:1:1214/101715.150921:FATAL:SelectionEditor.cpp(58)] Check failed: m_document. 
#0 0x7f3a9595a1de base::debug::StackTrace::StackTrace()
#1 0x7f3a959c767f logging::LogMessage::~LogMessage()
#2 0x7f3a7beb3602 blink::SelectionEditor::document()
#3 0x7f3a7beb36a0 blink::SelectionEditor::visibleSelection<>()
#4 0x7f3a7be89d61 blink::FrameSelection::visibleSelection<>()
#5 0x7f3a7be89e15 blink::FrameSelection::selection()
#6 0x7f3a859c5c55 blink::FrameSelection::isNone()
#7 0x7f3a859c261e blink::WebFrameWidgetImpl::selectionBounds()
#8 0x7f3a90439f0d content::RenderWidget::GetSelectionBounds()
#9 0x7f3a90434430 content::RenderWidget::UpdateSelectionBounds()
#10 0x7f3a9038ed37 content::RenderFrameImpl::PepperFocusChanged()
#11 0x7f3a9038ebfa content::RenderFrameImpl::PepperInstanceDeleted()
#12 0x7f3a907274bd content::PepperPluginInstanceImpl::~PepperPluginInstanceImpl()
#13 0x7f3a90727ab9 content::PepperPluginInstanceImpl::~PepperPluginInstanceImpl()
#14 0x7f3a8e75641f base::RefCounted<>::Release()
#15 0x7f3a8e7563c9 scoped_refptr<>::Release()
#16 0x7f3a902d52a2 scoped_refptr<>::operator=()
#17 0x7f3a90770d17 content::PepperWebPluginImpl::destroy()
#18 0x7f3a85a0f341 blink::WebPluginContainerImpl::dispose()
#19 0x7f3a7c1a4455 blink::HTMLFrameOwnerElement::UpdateSuspendScope::performDeferredWidgetTreeOperations()
#20 0x7f3a7c1a4a05 blink::HTMLFrameOwnerElement::UpdateSuspendScope::~UpdateSuspendScope()
#21 0x7f3a7bc5eb7e blink::Document::shutdown()
#22 0x7f3a7c80e43f blink::FrameLoader::prepareForCommit()
#23 0x7f3a7c0dea0d blink::LocalFrame::prepareForCommit()
#24 0x7f3a859b3505 blink::WebFrame::swap()
#25 0x7f3a9036e15a content::RenderFrameImpl::OnSwapOut()
#26 0x7f3a903ad115 _ZN4base20DispatchToMethodImplIPN7content15RenderFrameImplEMS2_FvibRKNS1_21FrameReplicationStateEERKSt5tupleIJibS4_EEJLm0ELm1ELm2EEEEvRKT_T0_OT1_NS_13IndexSequenceIJXspT2_EEEE
#27 0x7f3a903ad030 _ZN4base16DispatchToMethodIPN7content15RenderFrameImplEMS2_FvibRKNS1_21FrameReplicationStateEERKSt5tupleIJibS4_EEEEvRKT_T0_OT1_
#28 0x7f3a903acfaf _ZN3IPC16DispatchToMethodIN7content15RenderFrameImplEMS2_FvibRKNS1_21FrameReplicationStateEEvSt5tupleIJibS3_EEEEvPT_T0_PT1_RKT2_
#29 0x7f3a90392af0 _ZN3IPC8MessageTI21FrameMsg_SwapOut_MetaSt5tupleIJibN7content21FrameReplicationStateEEEvE8DispatchINS3_15RenderFrameImplES8_vMS8_FvibRKS4_EEEbPKNS_7MessageEPT_PT0_PT1_T2_
#30 0x7f3a9036ab54 content::RenderFrameImpl::OnMessageReceived()
#31 0x7f3a92900a0b IPC::MessageRouter::RouteMessage()
#32 0x7f3a8e640d28 content::ChildThreadImpl::ChildThreadMessageRouter::RouteMessage()
#33 0x7f3a9290098e IPC::MessageRouter::OnMessageReceived()
#34 0x7f3a8e645391 content::ChildThreadImpl::OnMessageReceived()
#35 0x7f3a928a5be8 IPC::ChannelProxy::Context::OnDispatchMessage()
#36 0x7f3a928ac72f _ZN4base8internal13FunctorTraitsIMN3IPC12ChannelProxy7ContextEFvRKNS2_7MessageEEvE6InvokeIRK13scoped_refptrIS4_EJS7_EEEvS9_OT_DpOT0_
#37 0x7f3a928ac616 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3IPC12ChannelProxy7ContextEFvRKNS4_7MessageEEJRK13scoped_refptrIS6_ES9_EEEvOT_DpOT0_
#38 0x7f3a928ac5a3 _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE7RunImplIRKSA_RKSt5tupleIJSC_S6_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#39 0x7f3a928ac4bc _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#40 0x7f3a95960001 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#41 0x7f3a9595f9d2 base::debug::TaskAnnotator::RunTask()
#42 0x7f3a86220bda blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#43 0x7f3a8621e601 blink::scheduler::TaskQueueManager::DoWork()
#44 0x7f3a8622709c _ZN4base8internal13FunctorTraitsIMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKS5_RKbEEEvS7_OT_DpOT0_
#45 0x7f3a86226f74 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbERKNS_7WeakPtrIS6_EEJRKS7_RKbEEEvOT_OT0_DpOT1_
#46 0x7f3a86226ed4 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEJNS_7WeakPtrIS5_EES6_bEEEFvvEE7RunImplIRKS8_RKSt5tupleIJSA_S6_bEEJLm0ELm1ELm2EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#47 0x7f3a86226dac _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEJNS_7WeakPtrIS5_EES6_bEEEFvvEE3RunEPNS0_13BindStateBaseE
#48 0x7f3a95960001 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#49 0x7f3a9595f9d2 base::debug::TaskAnnotator::RunTask()
#50 0x7f3a959f08fa base::MessageLoop::RunTask()
#51 0x7f3a959f0b84 base::MessageLoop::DeferOrRunPendingTask()
#52 0x7f3a959f0e6e base::MessageLoop::DoWork()
#53 0x7f3a95a087c3 base::MessagePumpDefault::Run()
#54 0x7f3a959f047a base::MessageLoop::RunHandler()
#55 0x7f3a95a9d153 base::RunLoop::Run()
#56 0x7f3a9046615c content::RendererMain()
#57 0x7f3a9085bf6e content::RunZygote()
#58 0x7f3a9085c320 content::RunNamedProcessTypeMain()
#59 0x7f3a9085e6f2 content::ContentMainRunnerImpl::Run()
#60 0x7f3a9085b612 content::ContentMain()
#61 0x7f3a967f708b ChromeMain


This might be related to  issue 575737 , which also involves destroying the plugin container on a swap, though it doesn't involve a nested Flash message loop.  The crash isn't actually visible to the user, as it's for the subframe that's just gone away, but if there are other live frames in the same process, those would be affected.

* To enable Flash in a debug build, I used --ppapi-flash-version=23.0.0.207 --ppapi-flash-path=/path/to/home/dir/.config/google-chrome/PepperFlash/23.0.0.207/libpepflashplayer.so
(the version may vary)

Comment 1 by alex...@chromium.org, Dec 14 2016

Summary: OOPIF: DCHECK when detaching a document with a Flash object that has active selection (was: OOPIF: crash when detaching a document with a Flash object that has active selection)
To clarify, this is a DCHECK and not a crash.  I was thinking it might crash in release mode, but apparently it doesn't (tried on Mac canary) - the dereference to a null m_document is itself in a DCHECK in SelectionEditor::visibleSelection.

Comment 2 by dcheng@chromium.org, Dec 19 2016

Owner: dcheng@chromium.org
Status: Assigned (was: Available)
I'm planning on changing the timing of widget detach when shutting down documents, which should resolve this issue.

Comment 3 by lukasza@chromium.org, Aug 23 2017 

Hmmm... I cannot repro in 60.0.3112.101, so I am probably doing something wrong (OTOH, I see OOPIF processes in the task manager and I think I've followed the repro steps correctly).  But... this bug seems very similar to issue 727910 which should be fixed after r477136 (which initially landed in 61.0.3123.0).

Daniel - can you repro in the most recent Canary?  If not, then maybe we can close (or dupe) this bug.

Sign in to add a comment