Issue metadata
Sign in to add a comment
|
App crashes on tapping on screen after closing tab in tab switcher mode with VoiceOver: ON |
||||||||||||||||||||||||
Issue descriptionApp Version: 56.0.2924.42 dev iOS Version: 10.1.1 only Device: iPads only URL: Chrome Settings Precondition: Device Settings -> General -> Accessibility -> VoiceOver -> On Steps to reproduce: 1. Launch chrome. 2. Tap on tab switcher button. 3. Swipe up and double tap to close the tab. 4. Double tap on the screen. Observed results: App crashes. Crash Log : https://crash.corp.google.com/browse?stbtiq=a1164c0480000000 Expected results: App should not crash. Voiceover cursor should move to another element. Number of times you were able to reproduce: 5/5 Bug reproducible after clean install: Yes Bug reproducible after clearing cache and cookies: Yes Bug reproducible on Chrome Mobile on Android: NA Bug reproducible on Safari/Firefox: Firefox: NA, Safari: NA Bug reproducible on current stable build (App Version, iOS Version): Yes on M55 Bug reproducible on the current beta channel build (App Version, iOS Version): Yes Link to video/image: https://drive.google.com/a/google.com/file/d/0Bz2uwV55gGwDUERBaEhWNnFmMlk/view?usp=sharing STACK TRACE: Thread 0 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000000 ] MAGIC SIGNATURE THREAD Stack Quality81%Show frame trust levels 0x0000000100445bd4 (Chrome -ref_counted.h:311 ) -[TabSwitcherPanelController deleteButtonPressedForCell:] 0x0000000100445bc8 (Chrome -tab_switcher_panel_controller.mm:278 ) -[TabSwitcherPanelController deleteButtonPressedForCell:] 0x000000019d2f0f08 (UIAccessibility + 0x00020f08 ) -[NSObject(AXPrivCategory) _accessibilityPerformCustomActionWithIdentifier:] 0x000000019d2f7448 (UIAccessibility + 0x00027448 ) -[NSObject(UIStorage) accessibilityPerformAction:withValue:fencePort:] 0x000000019d2d25ec (UIAccessibility + 0x000025ec ) _performActionWithValueCallback 0x000000019c6e4ae8 (AXRuntime + 0x00009ae8 ) _AXXMIGPerformActionWithValue 0x000000019c6df56c (AXRuntime + 0x0000456c ) _XPerformActionWithValue 0x000000019c6ed884 (AXRuntime + 0x00012884 ) mshMIGPerform 0x0000000190df4930 (CoreFoundation + 0x000dd930 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ 0x0000000190df40e4 (CoreFoundation + 0x000dd0e4 ) __CFRunLoopDoSource1 0x0000000190df1bc8 (CoreFoundation + 0x000dabc8 ) __CFRunLoopRun 0x0000000190d20044 (CoreFoundation + 0x00009044 ) CFRunLoopRunSpecific 0x00000001927a6194 (GraphicsServices + 0x0000c194 ) GSEventRunModal 0x0000000196d052f8 (UIKit + 0x0007b2f8 ) -[UIApplication _run] 0x0000000196d00030 (UIKit + 0x00076030 ) UIApplicationMain 0x000000010004d754 (Chrome -chrome_exe_main.mm:79 ) main 0x000000018fd045b4 (libdyld.dylib + 0x000045b4 ) start
,
Jan 3 2017
Only 2 reports: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_iOS%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27-%5BTabSwitcherPanelController%20deleteButtonPressedForCell%3A%5D%27&ignore_case=false&enable_rewrite=false&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports This includes 1 instance in 55.0.2883.79 (stable) and another instance in 56.0.2924.42 (dev). Looks like this happens rarely, but given that tablet tab switcher was only a partial rollout in M55 and the crash is pointing to some memory management (ref_counted.h), it's worth a look. I'm keeping RBS on this for now.
,
Jan 4 2017
To Sylvain for investigation.
,
Jan 5 2017
,
Jan 5 2017
,
Jan 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e90f8871ccbf3df4fcef6960dd60756c559abcbe commit e90f8871ccbf3df4fcef6960dd60756c559abcbe Author: sdefresne <sdefresne@chromium.org> Date: Thu Jan 05 14:26:30 2017 Fix for voice-over accessibility issue with tab switcher. When a cell is removed from the collection view with a custom action, the accessibility does not drop the custom action. This crashed the application as the -deleteButtonPressedForCell: method assumed that it would only ever be called with cell in the collection. Work-around this by posting a UIAccessibilityScreenChangedNotification which force accessibility to re-inspect everything (thus dropping the selection custom action) and by also resetting the delegate on the cell (not really necessary but cleaner). BUG= 677374 Review-Url: https://codereview.chromium.org/2615883002 Cr-Commit-Position: refs/heads/master@{#441649} [modify] https://crrev.com/e90f8871ccbf3df4fcef6960dd60756c559abcbe/ios/chrome/browser/ui/tab_switcher/tab_switcher_panel_cell.h [modify] https://crrev.com/e90f8871ccbf3df4fcef6960dd60756c559abcbe/ios/chrome/browser/ui/tab_switcher/tab_switcher_panel_cell.mm [modify] https://crrev.com/e90f8871ccbf3df4fcef6960dd60756c559abcbe/ios/chrome/browser/ui/tab_switcher/tab_switcher_panel_controller.mm
,
Jan 5 2017
,
Jan 5 2017
This bug requires manual review: Less than 2 weeks to go before AppStore submit on M56 Please contact the milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 6 2017
vbarigela@ please verify this bug is fixed in the latest canary.
,
Jan 6 2017
Verified. No crashes based on the steps to repro from original bug report. Build: 57.0.2974.0 Canary Device: iPad 4 iOS: 10.1.1
,
Jan 6 2017
,
Jan 9 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/ios_internal.git/+/ba86e79df0137448a06df3ed9405cd072267780d commit ba86e79df0137448a06df3ed9405cd072267780d Author: Sylvain Defresne <sdefresne@google.com> Date: Mon Jan 09 13:17:49 2017
,
Jan 11 2017
Verified on chrome beta version 56.0.2924.58 on iPad Air with iOS 10.1.1 following the steps mentioned in comment #0. No crashes noticed. Voice over cursor moves to Open tabs element. Looks good. |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by justincohen@chromium.org
, Dec 29 2016Owner: jif@chromium.org
Status: Assigned (was: Untriaged)