
Issue 704846


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows
Pri: 2
Type: Bug




Chrome crashes after closing bookmarks context menu through 'Esc' key.

Reported by avsha...@etouch.net, Mar 24 2017

Issue description

Chrome Version : 59.0.3050.0 (Official Build) bf9bcae65b9dc113edb7409c582238d5cbf7acaf-refs/heads/master@{#459323} 32/64-bit
OS: Windows(7,8,8.1,10), Linux (14.04 LTS)

What steps will reproduce the problem?
1. Launch chrome, open NTP, right click on Bookmarks Bar and add a 'New Folder'.
2. Right click on newly added folder and add another 'New Folder' inside it.
3. On Bookmarks bar, click on 'New folder' and again click on 'New Folder' inside it such that "(empty)" message is seen.
4. Now keep mouse cursor on "(empty)" message and (without moving mouse) right click on it twice.
5. Press 'Esc' key and observe.

Actual : Chrome crashes after pressing 'Esc' key.
Expected : Chrome should not crash.

Crash ID 03043416-3c52-4fa6-94aa-388913c7ba9f (Server ID: 97c320d480000000)

This is a Non-Regression issue seen from M-30 build 30.0.1549.0.

Note : Above issue is not reproducible on Mac(10.11.6, 10.12.1, 10.12) OS.
 
Attachments:
Actual_Crash.mp4 (1.4 MB)
Crash using _30.0.1549.0 build.mp4 (1.2 MB)
Status: Untriaged (was: Unconfirmed)
Untriaged it so that it gets addressed. Stack trace for crash ID generated:

CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000000 ] MAGIC SIGNATURE THREAD
0x00007ffc849936ce	(chrome.dll -menu_controller.cc:2366 )	views::MenuController::SelectByChar(wchar_t)
0x00007ffc84992b48	(chrome.dll -menu_controller.cc:1085 )	views::MenuController::OnWillDispatchKeyEvent(ui::KeyEvent *)
0x00007ffc83d7025d	(chrome.dll -event_handler.cc:25 )	ui::EventHandler::OnEvent(ui::Event *)
0x00007ffc83d70748	(chrome.dll -event_dispatcher.cc:191 )	ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x00007ffc83d708d2	(chrome.dll -event_dispatcher.cc:170 )	ui::EventDispatcher::DispatchEventToEventHandlers(std::vector<ui::EventHandler *,std::allocator<ui::EventHandler *> > *,ui::Event *)
0x00007ffc83d70b36	(chrome.dll -event_dispatcher.cc:127 )	ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x00007ffc83d709fd	(chrome.dll -event_dispatcher.cc:86 )	ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x00007ffc83d707e0	(chrome.dll -event_dispatcher.cc:58 )	ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x00007ffc84a46e5a	(chrome.dll -event_processor.cc:46 )	ui::EventProcessor::OnEventFromSource(ui::Event *)
0x00007ffc84a46fcb	(chrome.dll -event_source.cc:73 )	ui::EventSource::DeliverEventToSink(ui::Event *)
0x00007ffc84a47069	(chrome.dll -event_source.cc:51 )	ui::EventSource::SendEventToSink(ui::Event *)
0x00007ffc83e65051	(chrome.dll -window_tree_host.cc:197 )	aura::WindowTreeHost::DispatchKeyEventPostIME(ui::KeyEvent *)
0x00007ffc84ac6680	(chrome.dll -input_method_base.cc:130 )	ui::InputMethodBase::DispatchKeyEventPostIME(ui::KeyEvent *)
0x00007ffc84ac896d	(chrome.dll -input_method_win.cc:207 )	ui::InputMethodWin::ProcessKeyEventDone(ui::KeyEvent *,std::vector<tagMSG,std::allocator<tagMSG> > const *,bool)
0x00007ffc84ac7b14	(chrome.dll -input_method_win.cc:196 )	ui::InputMethodWin::DispatchKeyEvent(ui::KeyEvent *)
0x00007ffc849ab874	(chrome.dll -hwnd_message_handler.cc:1568 )	views::HWNDMessageHandler::OnKeyEvent(unsigned int,unsigned __int64,__int64)
0x00007ffc849ae89e	(chrome.dll -hwnd_message_handler.h:366 )	views::HWNDMessageHandler::_ProcessWindowMessage(HWND__ *,unsigned int,unsigned __int64,__int64,__int64 &,unsigned long)
0x00007ffc849ad154	(chrome.dll -hwnd_message_handler.cc:914 )	views::HWNDMessageHandler::OnWndProc(unsigned int,unsigned __int64,__int64)
0x00007ffc83cc741b	(chrome.dll -window_impl.cc:303 )	gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned __int64,__int64)
0x00007ffc83cc6bde	(chrome.dll -wrapped_window_proc.h:76 )	base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned __int64,__int64)>(HWND__ *,unsigned int,unsigned __int64,__int64)
0x00007ffcbc021168	(USER32.dll + 0x00011168 )	UserCallWinProcCheckWow
0x00007ffcbc020c96	(USER32.dll + 0x00010c96 )	DispatchMessageWorker
0x00007ffc82bd3c06	(chrome.dll -message_pump_win.cc:363 )	base::MessagePumpForUI::ProcessMessageHelper(tagMSG const &)
0x00007ffc82bd37df	(chrome.dll -message_pump_win.cc:169 )	base::MessagePumpForUI::DoRunLoop()
0x00007ffc82bd3433	(chrome.dll -message_pump_win.cc:56 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x00007ffc82ba1e1f	(chrome.dll -run_loop.cc:37 )	base::RunLoop::Run()
0x00007ffc838794d3	(chrome.dll -chrome_browser_main.cc:1969 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x00007ffc8330e509	(chrome.dll -browser_main_loop.cc:1190 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x00007ffc8330fac1	(chrome.dll -browser_main_runner.cc:140 )	content::BrowserMainRunnerImpl::Run()
0x00007ffc83309d97	(chrome.dll -browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const &)
0x00007ffc8382484a	(chrome.dll -content_main_runner.cc:437 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x00007ffc8382468f	(chrome.dll -content_main_runner.cc:729 )	content::ContentMainRunnerImpl::Run()
0x00007ffc83ed50d1	(chrome.dll -main.cc:179 )	service_manager::Main(service_manager::MainParams const &)
0x00007ffc83823feb	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x00007ffc8301468b	(chrome.dll -chrome_main.cc:121 )	ChromeMain
0x00007ff61e3f093f	(chrome.exe -main_dll_loader_win.cc:201 )	MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x00007ff61e3efa06	(chrome.exe -chrome_exe_main_win.cc:271 )	wWinMain
0x00007ff61e422142	(chrome.exe -exe_common.inl:253 )	__scrt_common_main_seh
0x00007ffcbc318101	(KERNEL32.DLL + 0x00018101 )	BaseThreadInitThunk
0x00007ffcbc9dc5b3	(ntdll.dll + 0x0005c5b3 )	RtlUserThreadStart

Comment 2 by sky@chromium.org, Mar 24 2017

Owner: jonr...@chromium.org
Status: Assigned (was: Untriaged)
Status: Started (was: Assigned)

Comment 4 by bugdroid1@chromium.org, Mar 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f74ed2b7c59a6202072a0ceee38bbfb922bfb61

commit 1f74ed2b7c59a6202072a0ceee38bbfb922bfb61
Author: jonross <jonross@chromium.org>
Date: Wed Mar 29 17:54:57 2017

MenuController Do Not SetSelection to Empty Items on Drag

There is a Chrome crash caused by the following:
  - Menu opened
  - Submenu of the above opened, with only an empty menu item
  - Context menu nested above the empty menu item
  - A dragging right-click outside of the context menu, and within the empty
    menu item
  - Pressing ESC once the context menu has relaunched

Empty menu items cannot be set as selection targets, and we do not allow arrow
keys to select them. In a normal mouse over they are ignored.

MenuController::OnMouseDragged however was not handling the result of
GetMenuPart which signified an empty menu item. It would attempt to update the
selection to an invalid state, and would hide the current menu.

The subsequent OnMouseReleased would bring back the context menu, as the drag
was only hiding the menu, not closing.

The subsequent ESC key would then attempt to be processed by the invalid menu
set in OnMouseDragged.

This change updates OnMouseDragged to properly ignore mouse targets of empty menu
items, bringing it in line with the behaviours of OnMouseMoved.

TEST=MenuControllerTest.RepostEventToEmptyMenuItem
BUG=704846

Review-Url: https://codereview.chromium.org/2778383002
Cr-Commit-Position: refs/heads/master@{#460449}

[modify] https://crrev.com/1f74ed2b7c59a6202072a0ceee38bbfb922bfb61/ui/views/controls/menu/menu_controller.cc
[modify] https://crrev.com/1f74ed2b7c59a6202072a0ceee38bbfb922bfb61/ui/views/controls/menu/menu_controller_unittest.cc
[modify] https://crrev.com/1f74ed2b7c59a6202072a0ceee38bbfb922bfb61/ui/views/test/menu_test_utils.cc
[modify] https://crrev.com/1f74ed2b7c59a6202072a0ceee38bbfb922bfb61/ui/views/test/menu_test_utils.h
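
A simplified model of the state bug the commit message above describes, added here as an illustration; it is not Chromium's code, and every type and function name in it is hypothetical. It assumes key handling reads the selected item's submenu, and returns -1 at the point where unchecked code would read through a null pointer.

```cpp
// Simplified model of the selection-state bug; every name is hypothetical
// and none of this is Chromium's code.
struct Submenu { int item_count; };
struct MenuItem {
  bool is_empty_placeholder;  // the "(empty)" row of an empty folder
  Submenu* submenu;           // null for leaf rows and for the placeholder
};

class MenuModel {
 public:
  explicit MenuModel(bool drag_filters_empty)
      : drag_filters_empty_(drag_filters_empty) {}
  void SetSelection(MenuItem* item) { selected_ = item; }
  // Mouse-over path: placeholder rows are never selection targets.
  void OnMouseMoved(MenuItem* target) {
    if (IsSelectable(target)) selected_ = target;
  }
  // Drag path: before the fix it skipped the placeholder check.
  void OnMouseDragged(MenuItem* target) {
    if (!target) return;
    if (drag_filters_empty_ && !IsSelectable(target)) return;
    selected_ = target;
  }
  // Key path (model assumption): reads the selection's submenu. Returns its
  // item count, or -1 where unchecked code would read through a null pointer.
  int OnKey() const {
    if (!selected_ || !selected_->submenu) return -1;
    return selected_->submenu->item_count;
  }
 private:
  static bool IsSelectable(const MenuItem* item) {
    return item && !item->is_empty_placeholder;
  }
  bool drag_filters_empty_;
  MenuItem* selected_ = nullptr;
};

// Replays: folder selected, drag over its "(empty)" row, then a key press.
int KeyAfterDragOverEmpty(bool drag_filters_empty) {
  Submenu sub{1};
  MenuItem folder{false, &sub};
  MenuItem empty_row{true, nullptr};
  MenuModel menu(drag_filters_empty);
  menu.SetSelection(&folder);
  menu.OnMouseDragged(&empty_row);
  return menu.OnKey();
}

int main() { return KeyAfterDragOverEmpty(true) == 1 ? 0 : 1; }
```

Routing every input path that can change the selection through one shared predicate keeps a later handler from having to cope with a target the others would have rejected.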

Status: Fixed (was: Started)
Cc: hdodda@chromium.org
Labels: TE-Verified-M59 TE-Verified-59.0.3061.3
Verified the issue on Windows 7 using Chrome M59 #59.0.3061.3 and the issue is fixed.

Due to the build failure on Linux, verified the issue on Ubuntu 14.04 using Chrome M59 #59.0.3061.0 and the issue is fixed.

No crash is seen on pressing the Esc key.

Attached screencast for reference.

Adding Te-Verified labels.

Thanks!
Attachment: 704846.mp4 (613 KB)
