Issue 676184 link

Starred by 1 user

Issue metadata

Status:	Archived
Owner:	sadrul@chromium.org
Closed:	Dec 2016
Cc:	rjkroege@chromium.org sky@chromium.org mustash-bugs@google.com
Components:	Internals>Services>WindowService
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	1
Type:	Bug
Proj-Mustash-Aura VerifyIn-58 VerifyIn-59 VerifyIn-60 VerifyIn-61

mash: Chrome browser crash after login

Project Member Reported by jamescook@chromium.org, Dec 21 2016

Issue description

Local repro with samus, R57-9105.0.0, chrome 57.0.2956.0

Our test caught this. Test failures started with R57-9096.0.0, chrome 57.0.2954.0. https://wmatrix.googleplex.com/platform/unfiltered?platforms=samus&tests=desktopui_MashLogin&days_back=30

Repro:
* Flash device with a test image
* stop ui
* mount --bind /home/chrome_dev.conf /etc/chrome_dev.conf
* vi /etc/chrome_def.conf
* Add --no-sandbox and --mash to the bottom. Do not add !--login-manager.
* start ui
* Login screen webui appears normally (modulo high-dpi sizing issues)
* Login to test account
* Sometimes browser window frame appears, but contents are black.
* Sometimes no browser window.

Test failure is a timeout after login with --mash, probably because the test framework can't talk to the browser process.

Strangely, at the login screen there are two processes with --process-service-name=content_browser. After login there is only one.

Browser stack:
#0  0x00005a412e18bf12 in (anonymous namespace)::RenderWidgetHostViewAura::RemovingFromRootWindow (this=0x193966321000)
    at ../../content/browser/renderer_host/render_widget_host_view_aura.cc:2187
#1  0x00005a41300cf5ba in (anonymous namespace)::Window::NotifyRemovingFromRootWindow (this=0x193966319dc0, new_root=new_root@entry=0x0) at ../../ui/aura/window.cc:898
#2  0x00005a41300cf60f in (anonymous namespace)::Window::NotifyRemovingFromRootWindow (this=0x193966319840, new_root=new_root@entry=0x0) at ../../ui/aura/window.cc:901
#3  0x00005a41300cf60f in (anonymous namespace)::Window::NotifyRemovingFromRootWindow (this=this@entry=0x193966310568, new_root=new_root@entry=0x0) at ../../ui/aura/window.cc:901
#4  0x00005a41300d0313 in (anonymous namespace)::Window::RemoveChildImpl (this=this@entry=0x193966319000, child=child@entry=0x193966310568, new_parent=new_parent@entry=0x0)
    at ../../ui/aura/window.cc:825
#5  0x00005a41300d03ef in (anonymous namespace)::Window::RemoveChild (this=this@entry=0x193966319000, child=0x193966310568) at ../../ui/aura/window.cc:399
#6  0x00005a41300d049b in (anonymous namespace)::Window::RemoveOrDestroyChildren (this=this@entry=0x193966319000) at ../../ui/aura/window.cc:657
#7  0x00005a41300d0647 in (anonymous namespace)::Window::~Window (this=this@entry=0x193966319000, __in_chrg=<optimized out>) at ../../ui/aura/window.cc:109
#8  0x00005a41300d09f1 in (anonymous namespace)::Window::~Window (this=0x193966319000, __in_chrg=<optimized out>) at ../../ui/aura/window.cc:140
#9  0x00005a41300d048e in (anonymous namespace)::Window::RemoveOrDestroyChildren (this=this@entry=0x193966319580) at ../../ui/aura/window.cc:649
#10 0x00005a41300d0647 in (anonymous namespace)::Window::~Window (this=this@entry=0x193966319580, __in_chrg=<optimized out>) at ../../ui/aura/window.cc:109
#11 0x00005a41300d09f1 in (anonymous namespace)::Window::~Window (this=0x193966319580, __in_chrg=<optimized out>) at ../../ui/aura/window.cc:140
#12 0x00005a41300d048e in (anonymous namespace)::Window::RemoveOrDestroyChildren (this=this@entry=0x193966319160) at ../../ui/aura/window.cc:649
#13 0x00005a41300d0647 in (anonymous namespace)::Window::~Window (this=this@entry=0x193966319160, __in_chrg=<optimized out>) at ../../ui/aura/window.cc:109
#14 0x00005a41300d09f1 in (anonymous namespace)::Window::~Window (this=0x193966319160, __in_chrg=<optimized out>) at ../../ui/aura/window.cc:140
#15 0x00005a41300d6eab in (anonymous namespace)::WindowTreeHost::DestroyDispatcher (this=0x1939662e2550) at ../../ui/aura/window_tree_host.cc:234
#16 0x00005a41300ccd2c in (anonymous namespace)::WindowTreeHostMus::~WindowTreeHostMus (this=0x1939662e2550, __in_chrg=<optimized out>)
    at ../../ui/aura/mus/window_tree_host_mus.cc:103
#17 0x00005a4131454551 in (anonymous namespace)::DesktopWindowTreeHostMus::~DesktopWindowTreeHostMus (this=0x1939662e2540, __in_chrg=<optimized out>)
    at ../../ui/views/mus/desktop_window_tree_host_mus.cc:196
#18 0x00005a413383a9d7 in std::default_delete<aura::WindowTreeHost>::operator() (this=<optimized out>, __ptr=<optimized out>)
    at /w/chrome/.cros_cache/chrome-sdk/tarballs/samus+9095.0.0+target_toolchain/usr/x86_64-pc-linux-gnu/x86_64-cros-linux-gnu/gcc-bin/4.9.x/../../../../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/unique_ptr.h:76
#19 std::unique_ptr<aura::WindowTreeHost, std::default_delete<aura::WindowTreeHost> >::reset (__p=<optimized out>, this=0x193965cba208)
    at /w/chrome/.cros_cache/chrome-sdk/tarballs/samus+9095.0.0+target_toolchain/usr/x86_64-pc-linux-gnu/x86_64-cros-linux-gnu/gcc-bin/4.9.x/../../../../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/unique_ptr.h:344
#20 (anonymous namespace)::DesktopNativeWidgetAura::OnHostClosed (this=0x193965cba180) at ../../ui/views/widget/desktop_aura/desktop_native_widget_aura.cc:316
#21 0x00005a4131454729 in (anonymous namespace)::DesktopWindowTreeHostMus::CloseNow (this=0x1939662e2540) at ../../ui/views/mus/desktop_window_tree_host_mus.cc:328
#22 0x00005a412efb431b in (anonymous namespace)::(anonymous namespace)::RunMixin<base::Callback<void(), (base::internal::CopyMode)0, (base::internal::RepeatMode)0> >::Run (
    this=0x7ffc74e39fb8) at ../../base/callback.h:68
#23 (anonymous namespace)::(anonymous namespace)::TaskAnnotator::RunTask (this=<optimized out>, queue_function=<optimized out>, pending_task=0x7ffc74e39fa0)
    at ../../base/debug/task_annotator.cc:52
#24 0x00005a412ef38b6f in (anonymous namespace)::MessageLoop::RunTask (this=this@entry=0x193965b46c40, pending_task=pending_task@entry=0x7ffc74e39fa0)
    at ../../base/message_loop/message_loop.cc:421
#25 0x00005a412ef38ffe in (anonymous namespace)::MessageLoop::DeferOrRunPendingTask (this=0x193965b46c40, pending_task=...) at ../../base/message_loop/message_loop.cc:430
#26 0x00005a412ef3b4a8 in (anonymous namespace)::MessageLoop::DoWork (this=0x193965b46c40) at ../../base/message_loop/message_loop.cc:523
#27 0x00005a412ef3ba09 in (anonymous namespace)::MessagePumpLibevent::Run (this=0x193965b66600, delegate=0x193965b46c40) at ../../base/message_loop/message_pump_libevent.cc:218
#28 0x00005a412ef388ea in (anonymous namespace)::MessageLoop::RunHandler (this=0x193965b46c40) at ../../base/message_loop/message_loop.cc:386
#29 0x00005a412ef5f2fd in (anonymous namespace)::RunLoop::Run (this=0x7ffc74e3a320) at ../../base/run_loop.cc:37
#30 0x00005a412eb42b33 in ChromeBrowserMainParts::MainMessageLoopRun (this=0x193965b32400, result_code=0x193965b46a98) at ../../chrome/browser/chrome_browser_main.cc:1987
#31 0x00005a412dede230 in (anonymous namespace)::BrowserMainLoop::RunMainMessageLoopParts (this=0x193965b46a80) at ../../content/browser/browser_main_loop.cc:1173
#32 0x00005a412dee2315 in (anonymous namespace)::BrowserMainRunnerImpl::Run (this=0x193965b5e580) at ../../content/browser/browser_main_runner.cc:141
#33 0x00005a412deda439 in (anonymous namespace)::BrowserMain (parameters=...) at ../../content/browser/browser_main.cc:46
#34 0x00005a412eac0d06 in (anonymous namespace)::ContentMainRunnerImpl::Run (this=0x193965b2eea0) at ../../content/app/content_main_runner.cc:793
#35 0x00005a412eac0209 in (anonymous namespace)::ContentMain (params=...) at ../../content/app/content_main.cc:20
#36 0x00005a412cfc47bb in ChromeMain (argc=33, argv=0x7ffc74e3a668) at ../../chrome/app/chrome_main.cc:112

Blamelist:
https://chromium.googlesource.com/chromium/src/+log/57.0.2953.0..57.0.2954.0?pretty=fuller&n=10000

Suspicious CL:
https://codereview.chromium.org/2578893003 Converts chrome to aura-mus

Sadrul, sky@ is out. Can you take a look at this?

Comment 1 by jamescook@chromium.org, Dec 21 2016

Summary: mash: Chrome browser crash after login (was: mash: Chrome browser crash after login on device)

This appears to reproduce on linux desktop (sometimes no browser window, sometimes black window contents) when running with --login-manager --mash.

As above, at the login screen there are two processes with --process-service-name=content_browser. After login there is only one. I think the browser process is crashing, but I don't get a backtrace or a core.

Comment 2 by sadrul@chromium.org, Dec 21 2016

Status: Started (was: Assigned)

I can repro. Seems to a problem with the order of things getting destroyed during teardown.

Project Member

Comment 3 by bugdroid1@chromium.org, Dec 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d67bfeade6999acc5160588e8b755a6374bb6a4f

commit d67bfeade6999acc5160588e8b755a6374bb6a4f
Author: sadrul <sadrul@chromium.org>
Date: Thu Dec 22 00:41:19 2016

mus: Unset the cursor client during teardown.

DesktopWindowTreeHostMus owns the cursor client. So it is destroyed before
the ~WindowTreeHostMus is called. But the WindowTreeHostMus teardown can
try to access the cursor client. So it is necessary to unset the cursor
client on the root-window.

BUG= 676184 

Review-Url: https://codereview.chromium.org/2596723002
Cr-Commit-Position: refs/heads/master@{#440283}

[modify] https://crrev.com/d67bfeade6999acc5160588e8b755a6374bb6a4f/ui/views/mus/desktop_window_tree_host_mus.cc
[modify] https://crrev.com/d67bfeade6999acc5160588e8b755a6374bb6a4f/ui/views/mus/desktop_window_tree_host_mus_unittest.cc