Repro:
1. Run chrome with VK and unified desktop;
e.g.
out/Debug/chrome --user-data-dir=/tmp/chrome_test --ash-host-window-bounds="0+0-1280x768,0+800-800x800" --login-user=stub-user@example.com --login-profile=user --enable-virtual-keyboard --ash-enable-unified-desktop
2. Activate virtual keyboard by clicking on any text field;
3. Change display to trigger DisplayManager to add/remove display,
e.g. Ctrl+F4 to toggle mirror/extended mode;
At step 3 chrome crashes.
Stack:
Received signal 11 SEGV_MAPERR 000000000020
#0 0x7f3ffa32bf9b base::debug::StackTrace::StackTrace()
#1 0x7f3ffa32a66c base::debug::StackTrace::StackTrace()
#2 0x7f3ffa32baaf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7f3ffa771330 <unknown>
#4 0x7f3feb2a303c std::basic_streambuf<>::pbase()
#5 0x7f3feb620a54 ash::RootWindowController::DeactivateKeyboard()
#6 0x7f3feb6203f6 ash::RootWindowController::CloseChildWindows()
#7 0x7f3feb61ec65 ash::RootWindowController::Shutdown()
#8 0x7f3feb5dcc6d ash::WindowTreeHostManager::DeleteHost()
#9 0x7f3feb5dc6bf ash::WindowTreeHostManager::OnDisplayAdded()
#10 0x7f3fec284993 display::DisplayManager::NotifyDisplayAdded()
#11 0x7f3fec28118f display::DisplayManager::UpdateDisplaysWith()
#12 0x7f3fec28226b display::DisplayManager::ReconfigureDisplays()
#13 0x7f3fec28534c display::DisplayManager::SetMirrorMode()
#14 0x7f3feb5b07e0 ash::DisplayConfigurationController::SetMirrorModeImpl()
====
Happened in AshPopupAlignmentDelegateTest.Unified while working on the SessionStateDelegate replacement CL (https://codereview.chromium.org/2734933004/). The CL makes SessionStateChanged happen during test setup (contrary to TestSessionStateDelegate, which silently sets its session state), thus WmShellAura::SessionStateChanged->Shell::CreateKeyboard->RootWindowController::ActivateKeyboard is executed. ActivateKeyboard adds workspace_controller()->layout_manager() as its observer [1].
However, when the display is changed, we do the following in WindowTreeHostManager::DeleteHost [2]:
controller->MoveWindowsTo(GetPrimaryRootWindow());
controller->Shutdown();
In RootWindowController::MoveWindowsTo, we do [3]
workspace_controller_.reset();
But workspace_controller_->layout_manager() is still in the observer list of KeyboardController. After this point, a crash happens when KeyboardController needs to notify its observers. Usually, this would happen in RootWindowController::Shutdown(), where we have Shutdown->CloseChildWindows->DeactivateKeyboard, as observed in the stack above.
[1]: https://cs.chromium.org/chromium/src/ash/root_window_controller.cc?rcl=549709e6de482297978cd245b82f78c900b22515&l=680
[2]: https://cs.chromium.org/chromium/src/ash/display/window_tree_host_manager.cc?rcl=95ff5bc751ba619a7c37155eec85c1adcadb01bc&l=659,662
[3]: https://cs.chromium.org/chromium/src/ash/root_window_controller.cc?rcl=99a36d9c50e75619f5f5203137869009c2b88bbc&l=646
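A reduced model of the observer lifetime mismatch described in the report, as an added example and not code from Chromium: KeyboardController, KeyboardObserver and DanglingObserversAfterReset are stand-ins I made up, and having the observer remove itself in its destructor is shown as one standard mitigation, not as the fix that landed for this bug.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>
class KeyboardObserver;

// Stand-in for ash's KeyboardController: holds raw, non-owning observer
// pointers, so it cannot tell by itself when an observer has been destroyed.
class KeyboardController {
 public:
  void AddObserver(KeyboardObserver* o) { observers_.push_back(o); }
  void RemoveObserver(KeyboardObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                     observers_.end());
  }
  std::size_t observer_count() const { return observers_.size(); }
 private:
  std::vector<KeyboardObserver*> observers_;
};

// Stand-in for the workspace layout manager that ActivateKeyboard registers.
// unregister_on_destroy=false reproduces the pattern in the report (owner is
// reset while the controller still lists it); true is the safe pattern.
class KeyboardObserver {
 public:
  KeyboardObserver(KeyboardController* kc, bool unregister_on_destroy)
      : kc_(kc), unregister_on_destroy_(unregister_on_destroy) {
    kc_->AddObserver(this);  // what ActivateKeyboard does [1]
  }
  ~KeyboardObserver() {
    if (unregister_on_destroy_) kc_->RemoveObserver(this);
  }
 private:
  KeyboardController* kc_;
  bool unregister_on_destroy_;
};

// Models DeleteHost: MoveWindowsTo resets the workspace controller (destroying
// the layout manager) before Shutdown ever reaches DeactivateKeyboard. Returns
// how many observer pointers the keyboard controller still holds afterwards;
// anything above zero is a dangling pointer the next notification would use.
std::size_t DanglingObserversAfterReset(bool unregister_on_destroy) {
  KeyboardController keyboard_controller;
  auto workspace_controller = std::make_unique<KeyboardObserver>(
      &keyboard_controller, unregister_on_destroy);
  workspace_controller.reset();  // RootWindowController::MoveWindowsTo [3]
  return keyboard_controller.observer_count();
}
```

The check deliberately counts stale pointers instead of dereferencing them, so the buggy path is observable without triggering the SEGV the stack above shows.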
Comment 1 by bugdroid1@chromium.org, Mar 14 2017