
Issue 712556 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 2
Type: Bug




Crashes on deallocating CWVWebView

Project Member Reported by ichikawa@google.com, Apr 18 2017

Issue description

Steps to reproduce: 

1. $ git cl patch 2826633003
2. Run ios_web_view_shell and select [Remove web view] from the menu.

Expected behavior: 

The web view disappears.

Observed behavior: 

Crash.

This is because the SequenceCheckerImpl instance is destructed before calling SequenceCheckerImpl::CalledOnValidSequence().

Here's the stack trace when base::SequenceCheckerImpl::~SequenceCheckerImpl() is called:

0   ChromeWebView                       0x00000001040c6d7d base::debug::StackTrace::StackTrace(unsigned long) + 157
1   ChromeWebView                       0x00000001040c6dfd base::debug::StackTrace::StackTrace(unsigned long) + 29
2   ChromeWebView                       0x00000001040c54fc base::debug::StackTrace::StackTrace() + 28
3   ChromeWebView                       0x000000010421003b base::SequenceCheckerImpl::~SequenceCheckerImpl() + 219
4   ChromeWebView                       0x0000000103fa87a5 base::SequenceChecker::~SequenceChecker() + 21
5   ChromeWebView                       0x0000000103fa8745 base::SequenceChecker::~SequenceChecker() + 21
6   ChromeWebView                       0x000000010426ece1 base::SupportsUserData::~SupportsUserData() + 449
7   ChromeWebView                       0x0000000103e6bde3 web::BrowserState::~BrowserState() + 227
8   ChromeWebView                       0x0000000103d85753 ios_web_view::WebViewBrowserState::~WebViewBrowserState() + 259
9   ChromeWebView                       0x0000000103d85775 ios_web_view::WebViewBrowserState::~WebViewBrowserState() + 21
10  ChromeWebView                       0x0000000103d85799 ios_web_view::WebViewBrowserState::~WebViewBrowserState() + 25
11  ChromeWebView                       0x0000000103d807bd -[CWVWebViewConfiguration .cxx_destruct] + 237
12  libobjc.A.dylib                     0x00000001094dd9bc object_cxxDestructFromClass(objc_object*, objc_class*) + 127
13  libobjc.A.dylib                     0x00000001094e9d34 objc_destructInstance + 129
14  libobjc.A.dylib                     0x00000001094e9d66 object_dispose + 22
15  libobjc.A.dylib                     0x00000001094f3b8e objc_object::sidetable_release(bool) + 202
16  ChromeWebView                       0x0000000103d7c188 -[CWVWebView .cxx_destruct] + 136
17  libobjc.A.dylib                     0x00000001094dd9bc object_cxxDestructFromClass(objc_object*, objc_class*) + 127
18  libobjc.A.dylib                     0x00000001094e9d34 objc_destructInstance + 129
19  libobjc.A.dylib                     0x00000001094e9d66 object_dispose + 22
20  UIKit                               0x000000010152e6d1 -[UIResponder dealloc] + 145
21  UIKit                               0x00000001013adfc8 -[UIView dealloc] + 1874
22  libobjc.A.dylib                     0x00000001094f42fa (anonymous namespace)::AutoreleasePoolPage::pop(void*) + 866
23  CoreFoundation                      0x0000000102bb8ef6 _CFAutoreleasePoolPop + 22
24  CoreFoundation                      0x0000000102bf4aec __CFRunLoopRun + 2172
25  CoreFoundation                      0x0000000102bf4016 CFRunLoopRunSpecific + 406
26  GraphicsServices                    0x000000010a6dca24 GSEventRunModal + 62
27  UIKit                               0x00000001013190d4 UIApplicationMain + 159
28  ios_web_view_shell                  0x0000000100cf92bf main + 111
29  libdyld.dylib                       0x000000010d20365d start + 1

Here's the stack trace when SequenceCheckerImpl::CalledOnValidSequence() is called:

#0	0x00000001040c5424 in base::debug::BreakDebugger() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../base/debug/debugger_posix.cc:262
#1	0x0000000104140601 in logging::LogMessage::~LogMessage() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../base/logging.cc:759
#2	0x000000010413d235 in logging::LogMessage::~LogMessage() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../base/logging.cc:533
#3	0x0000000104272c1e in base::internal::LockImpl::Lock() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../base/synchronization/lock_impl_posix.cc:65
#4	0x0000000103eb3fb3 in base::Lock::Acquire() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../base/synchronization/lock.h:45
#5	0x0000000103eb3f83 in base::AutoLock::AutoLock(base::Lock&) at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../base/synchronization/lock.h:115
#6	0x0000000103ea5ecd in base::AutoLock::AutoLock(base::Lock&) at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../base/synchronization/lock.h:114
#7	0x0000000104210292 in base::SequenceCheckerImpl::CalledOnValidSequence() const at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../base/sequence_checker_impl.cc:64
#8	0x000000010426dfe4 in base::SupportsUserData::GetUserData(void const*) const at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../base/supports_user_data.cc:18
#9	0x0000000103d4f414 in web::WKWebViewConfigurationProvider::FromBrowserState(web::BrowserState*) at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web/web_state/ui/wk_web_view_configuration_provider.mm:38
#10	0x0000000103d22f01 in ::-[CRWWebController webViewConfigurationProvider]() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web/web_state/ui/crw_web_controller.mm:4141
#11	0x0000000103d22407 in ::-[CRWWebController setWebView:](WKWebView *) at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web/web_state/ui/crw_web_controller.mm:4080
#12	0x0000000103d22e61 in ::-[CRWWebController removeWebViewAllowingCachedReconstruction:](BOOL) at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web/web_state/ui/crw_web_controller.mm:4130
#13	0x0000000103d019f0 in ::-[CRWWebController close]() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web/web_state/ui/crw_web_controller.mm:1215
#14	0x0000000103d56df5 in web::WebStateImpl::~WebStateImpl() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web/web_state/web_state_impl.mm:96
#15	0x0000000103d584f5 in web::WebStateImpl::~WebStateImpl() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web/web_state/web_state_impl.mm:95
#16	0x0000000103d58539 in web::WebStateImpl::~WebStateImpl() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web/web_state/web_state_impl.mm:95
#17	0x0000000103d7c66a in std::__1::default_delete<web::WebState>::operator()(web::WebState*) const [inlined] at /Users/ichikawa/chromium/src/third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2399
#18	0x0000000103d7c645 in std::__1::unique_ptr<web::WebState, std::__1::default_delete<web::WebState> >::reset(web::WebState*) [inlined] at /Users/ichikawa/chromium/src/third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2608
#19	0x0000000103d7c5f2 in std::__1::unique_ptr<web::WebState, std::__1::default_delete<web::WebState> >::~unique_ptr() [inlined] at /Users/ichikawa/chromium/src/third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2576
#20	0x0000000103d7c5f2 in std::__1::unique_ptr<web::WebState, std::__1::default_delete<web::WebState> >::~unique_ptr() [inlined] at /Users/ichikawa/chromium/src/third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2576
#21	0x0000000103d7c5f2 in ::-[CWVWebView .cxx_destruct]() at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web_view/internal/cwv_web_view.mm:63
#22	0x00000001094dd9bc in object_cxxDestructFromClass(objc_object*, objc_class*) ()
#23	0x00000001094e9d34 in objc_destructInstance ()
#24	0x00000001094e9d66 in object_dispose ()
#25	0x000000010152e6d1 in -[UIResponder dealloc] ()
#26	0x00000001013adfc8 in -[UIView dealloc] ()
#27	0x00000001094f42fa in (anonymous namespace)::AutoreleasePoolPage::pop(void*) ()
#28	0x0000000102bb8ef6 in _CFAutoreleasePoolPop ()
#29	0x0000000102bf4aec in __CFRunLoopRun ()
#30	0x0000000102bf4016 in CFRunLoopRunSpecific ()
#31	0x000000010a6dca24 in GSEventRunModal ()
#32	0x00000001013190d4 in UIApplicationMain ()
#33	0x0000000100cf92bf in main at /Users/ichikawa/chromium/src/out/Debug-iphonesimulator/../../ios/web_view/shell/shell_exe_main.m:15
#34	0x000000010d20365d in start ()
#35	0x000000010d20365d in start ()


Comment 1 by ichikawa@google.com, Apr 18 2017

Labels: -Restrict-View-Google

Project Member Comment 2 by bugdroid1@chromium.org, Apr 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/068120a076d669c081f8c77cc0eccacaac650cb5

commit 068120a076d669c081f8c77cc0eccacaac650cb5
Author: ichikawa <ichikawa@chromium.org>
Date: Wed Apr 19 01:58:18 2017

Fix a crash bug on deallocating CWVWebView.

The cause of the bug was that CWVWebView._configuration was deallocated
before CWVWebView._webState, while the order must be opposite.

I couldn't find clear documentation of the order of deallocation of
fields, but it looks like it's the reverse order of the field definitions
(the same as in C++), while it assumes implicitly defined fields (by
@synthesize) are defined after explicitly defined fields.

The fix here is to define both fields explicitly in |_configuration| ->
|_webState| order so that they are deallocated in |_webState| ->
|_configuration| order.

BUG=712556

Review-Url: https://codereview.chromium.org/2826663002
Cr-Commit-Position: refs/heads/master@{#465465}

[modify] https://crrev.com/068120a076d669c081f8c77cc0eccacaac650cb5/ios/web_view/internal/cwv_web_view.mm
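The ivar-ordering pattern the commit describes, as an added Objective-C++ example that is not the Chromium source. OwnerConfig and DependentState are hypothetical stand-ins for the CWVWebViewConfiguration / WebState pair; the point is that the C++ member whose destructor reaches back into its owner must be declared after the ivar it depends on, so that .cxx_destruct tears it down first.

```objc
// Added example, not Chromium code. Build on macOS with:
//   clang++ -fobjc-arc -framework Foundation ivar_order.mm -o ivar_order
#import <Foundation/Foundation.h>
#include <memory>

// Stand-in for CWVWebViewConfiguration / BrowserState (hypothetical).
@interface OwnerConfig : NSObject
- (void)touch;  // Stands in for the BrowserState lookup done at teardown.
@end
@implementation OwnerConfig
- (void)touch { NSLog(@"OwnerConfig still alive during teardown: OK"); }
@end

// Stand-in for WebStateImpl: its destructor needs the owner's configuration
// to still exist, like WebStateImpl::~WebStateImpl() reaching the BrowserState.
class DependentState {
 public:
  explicit DependentState(OwnerConfig* config) : config_(config) {}
  ~DependentState() { [config_ touch]; }
 private:
  __unsafe_unretained OwnerConfig* config_;  // non-owning, like a raw pointer
};

@interface FixedHolder : NSObject
@property(nonatomic, readonly) OwnerConfig* configuration;
@end

@implementation FixedHolder {
  // Both ivars declared explicitly, |_configuration| first, so .cxx_destruct
  // runs in reverse declaration order: |_dependent| is destroyed while
  // |_configuration| is still retained. Leaving |_configuration| to implicit
  // synthesis would append it after |_dependent| and release it first,
  // which is the ordering the bug report crashed on.
  OwnerConfig* _configuration;
  std::unique_ptr<DependentState> _dependent;
}
@synthesize configuration = _configuration;

- (instancetype)init {
  if ((self = [super init])) {
    _configuration = [[OwnerConfig alloc] init];
    _dependent = std::make_unique<DependentState>(_configuration);
  }
  return self;
}
@end

int main() {
  @autoreleasepool {
    FixedHolder* holder = [[FixedHolder alloc] init];
    holder = nil;  // dealloc: DependentState's destructor runs before the release
  }
  return 0;
}
```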

Comment 3 by ichikawa@google.com, Apr 19 2017

Status: Fixed (was: Started)
