AutomationManagerAura::SendEvent null pointer access crash
Issue description

Background is issue 694384. Reproduce steps on convertible/tablet devices:
(1) Apply the WIP patch from https://codereview.chromium.org/2821303004/ and build
(2) play a youtube video from browser
(3) press and release side power button
Not 100% reproducible, but will happen at a very high rate.

Stack trace:
#0 ui::AXTreeSerializer<views::AXAuraObjWrapper*, ui::AXNodeData, ui::AXTreeData>::SerializeChanges (this=0x0, node=0x8d530e870f0, out_update=0x7ffc301897c0) at ../../ui/accessibility/ax_tree_serializer.h:327
#1 0x000059ff49af1714 in AutomationManagerAura::SendEvent (this=0x8d52d4ee4b0, context=0x8d52ef9cd40, aura_obj=0x8d530e870f0, event_type=ui::AX_EVENT_CHILDREN_CHANGED) at ../../chrome/browser/ui/aura/accessibility/automation_manager_aura.cc:151
#2 0x000059ff48bae034 in aura::Window::NotifyWindowHierarchyChangeAtReceiver (this=<optimized out>, params=...) at ../../ui/aura/window.cc:915
#3 0x000059ff48bac76b in NotifyWindowHierarchyChangeUp (this=<optimized out>, params=...) at ../../ui/aura/window.cc:900
#4 NotifyWindowHierarchyChange (params=..., this=<optimized out>) at ../../ui/aura/window.cc:883
#5 aura::Window::AddChild (this=0x8d52d37b160, child=0x8d530357580) at ../../ui/aura/window.cc:383
#6 0x000059ff48fee412 in views::NativeWidgetAura::InitNativeWidget (this=0x8d52ed7b500, params=...) at ../../ui/views/widget/native_widget_aura.cc:213
#7 0x000059ff48fe2480 in views::Widget::Init (this=0x8d52ff15dc0, in_params=...) at ../../ui/views/widget/widget.cc:337
#8 0x000059ff4981b0fa in ash::LockWindow::LockWindow (this=0x8d52ff15dc0) at ../../ash/login/ui/lock_window.cc:33
#9 0x000059ff46b29e12 in chromeos::WebUIScreenLocker::LockScreen (this=0x8d530e37380) at ../../chrome/browser/chromeos/login/lock/webui_screen_locker.cc:154
#10 0x000059ff46b25b81 in chromeos::ScreenLocker::Init (this=0x8d52db1a0f0) at ../../chrome/browser/chromeos/login/lock/screen_locker.cc:256
#11 0x000059ff46b272c0 in chromeos::ScreenLocker::Show () at ../../chrome/browser/chromeos/login/lock/screen_locker.cc:554
#12 0x000059ff46b26fc3 in chromeos::ScreenLocker::HandleLockScreenRequest () at ../../chrome/browser/chromeos/login/lock/screen_locker.cc:509
#13 0x000059ff46a81805 in chromeos::ScreenLockServiceProvider::LockScreen(dbus::MethodCall*, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>) (this=0x7ffc30189590, method_call=0x8d52daf9140, response_sender=...) at ../../chrome/browser/chromeos/dbus/screen_lock_service_provider.cc:46
#14 0x000059ff46a80e22 in Invoke<const base::WeakPtr<chromeos::KioskInfoService> &, dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating> > (method= (void (chromeos::KioskInfoService::*)(chromeos::KioskInfoService * const, dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>)) 0x59ff46a817e0 <chromeos::ScreenLockServiceProvider::LockScreen(dbus::MethodCall*, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>)>, receiver_ptr=..., args=<optimized out>, args=<optimized out>) at ../../base/bind_internal.h:214
#15 MakeItSo<void (chromeos::KioskInfoService::*const &)(dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>), const base::WeakPtr<chromeos::KioskInfoService> &, dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating> > (weak_ptr=..., functor=<optimized out>, args=<optimized out>, args=<optimized out>) at ../../base/bind_internal.h:305
#16 RunImpl<void (chromeos::KioskInfoService::*const &)(dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>), const std::tuple<base::WeakPtr<chromeos::KioskInfoService> > &, 0> (bound=..., functor=<optimized out>, unbound_args=<optimized out>, unbound_args=<optimized out>) at ../../base/bind_internal.h:361
#17 base::internal::Invoker<base::internal::BindState<void (chromeos::KioskInfoService::*)(dbus::MethodCall*, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>), base::WeakPtr<chromeos::KioskInfoService> >, void (dbus::MethodCall*, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>)>::Run(base::internal::BindStateBase*, dbus::MethodCall*&&, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>&&) ( base=0x8d52d127400, unbound_args=<unknown type in /usr/local/google/home/warx/chromium/src/out_cyan/Release/chrome, CU 0x0, DIE 0x38cf>, unbound_args=<unknown type in /usr/local/google/home/warx/chromium/src/out_cyan/Release/chrome, CU 0x0, DIE 0x38cf>) at ../../base/bind_internal.h:339
#18 0x000059ff485e4a87 in Run (args=<error reading variable: Cannot access memory at address 0x0>, args=<error reading variable: Cannot access memory at address 0x0>, this=<optimized out>) at ../../base/callback.h:80
#19 dbus::ExportedObject::RunMethod(base::Callback<void (dbus::MethodCall*, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>, std::unique_ptr<dbus::MethodCall, std::default_delete<dbus::MethodCall> >, base::TimeTicks) (this=<optimized out>, method_call_callback=..., method_call=..., start_time=...) at ../../dbus/exported_object.cc:248
#20 0x000059ff485e553f in Invoke<const scoped_refptr<dbus::ExportedObject> &, const base::Callback<void (dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating> &, std::unique_ptr<dbus::MethodCall, std::default_delete<dbus::MethodCall> >, const base::TimeTicks &> ( method=<optimized out>, receiver_ptr=..., args=..., args=..., args=...) at ../../base/bind_internal.h:214
#21 MakeItSo<void (dbus::ExportedObject::*const &)(base::Callback<void (dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>, std::unique_ptr<dbus::MethodCall, std::default_delete<dbus::MethodCall> >, base::TimeTicks), const scoped_refptr<dbus::ExportedObject> &, const base::Callback<void (dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating> &, std::unique_ptr<dbus::MethodCall, std::default_delete<dbus::MethodCall> >, const base::TimeTicks &> (functor=<optimized out>, args=..., args=..., args=..., args=...) at ../../base/bind_internal.h:285
#22 RunImpl<void (dbus::ExportedObject::*const &)(base::Callback<void (dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>, std::unique_ptr<dbus::MethodCall, std::default_delete<dbus::MethodCall> >, base::TimeTicks), const std::tuple<scoped_refptr<dbus::ExportedObject>, base::Callback<void (dbus::MethodCall *, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>, base::internal::PassedWrapper<std::unique_ptr<dbus::MethodCall, std::default_delete<dbus::MethodCall> > >, base::TimeTicks> &, 0, 1, 2, 3> (functor=<optimized out>, bound=...) at ../../base/bind_internal.h:361
#23 base::internal::Invoker<base::internal::BindState<void (dbus::ExportedObject::*)(base::Callback<void (dbus::MethodCall*, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>, std::unique_ptr<dbus::MethodCall, std::default_delete<dbus::MethodCall> >, base::TimeTicks), scoped_refptr<dbus::ExportedObject>, base::Callback<void (dbus::MethodCall*, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>, base::internal::PassedWrapper<std::unique_ptr<dbus::MethodCall, std::default_delete<dbus::MethodCall> > >, base::TimeTicks>, void ()>::Run(base::internal::BindStateBase*) (base=<optimized out>) at ../../base/bind_internal.h:339
#24 0x000059ff47b45846 in Run (this=<optimized out>) at ../../base/callback.h:91
#25 base::debug::TaskAnnotator::RunTask (this=<optimized out>, queue_function=0x59ff4c1b45bc <.L.str.7> "MessageLoop::PostTask", pending_task=0x7ffc3018a9f8) at ../../base/debug/task_annotator.cc:59
#26 0x000059ff47acebfe in base::MessageLoop::RunTask (this=0x8d52d09dd80, pending_task=0x7ffc3018a9f8) at ../../base/message_loop/message_loop.cc:404
#27 0x000059ff47acefaf in base::MessageLoop::DeferOrRunPendingTask (this=0x8d52d09dd80, pending_task=...) at ../../base/message_loop/message_loop.cc:415
#28 0x000059ff47acf2fd in base::MessageLoop::DoWork (this=0x8d52d09dd80) at ../../base/message_loop/message_loop.cc:503
#29 0x000059ff47ad0a49 in base::MessagePumpLibevent::Run (this=0x8d52d100940, delegate=0x8d52d09dd80) at ../../base/message_loop/message_pump_libevent.cc:219
#30 0x000059ff47af0620 in base::RunLoop::Run (this=0x7ffc3018ac70) at ../../base/run_loop.cc:105
#31 0x000059ff47745d02 in ChromeBrowserMainParts::MainMessageLoopRun (this=0x8d52d08ec00, result_code=<optimized out>) at ../../chrome/browser/chrome_browser_main.cc:1961
#32 0x000059ff463a39e4 in content::BrowserMainLoop::RunMainMessageLoopParts (this=0x8d52d099a80) at ../../content/browser/browser_main_loop.cc:1182
#33 0x000059ff463a62f2 in content::BrowserMainRunnerImpl::Run (this=0x8d52d0b89c0) at ../../content/browser/browser_main_runner.cc:141
#34 0x000059ff4639f1fc in content::BrowserMain (parameters=...) at ../../content/browser/browser_main.cc:46
#35 0x000059ff4771d4a4 in content::ContentMainRunnerImpl::Run (this=0x8d52d088d80) at ../../content/app/content_main_runner.cc:705
#36 0x000059ff4773c289 in service_manager::Main (params=...) at ../../services/service_manager/embedder/main.cc:468
#37 0x000059ff4771c381 in content::ContentMain (params=...) at ../../content/app/content_main.cc:19
#38 0x000059ff45e4685e in ChromeMain (argc=30, argv=0x7ffc3018b3a8) at ../../chrome/app/chrome_main.cc:111
#39 0x00007dfabaa4f816 in __libc_start_main (main=0x59ff45e467c0 <main(int, char const**)>, argc=30, argv=0x7ffc3018b3a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc3018b398) at ../csu/libc-start.c:289
#40 0x000059ff45e46679 in _start ()

Note: crash also happens before mlamouri's two recent CLs, https://codereview.chromium.org/2871583004 and https://codereview.chromium.org/2873983002, when I turned on the chrome flag for "--enable-default-media-session".
May 12 2017
Temporarily assigned to me as it is still WIP.
May 16 2017
debug build stack trace:
(gdb) bt
#0 0x00007b5859b24eb2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007b5859b26cd6 in __GI_abort () at abort.c:89
#2 0x0000654779df2ecf in std::__replacement_assert (
__file=0x65478d0d4b92 <.L.str.99> "/usr/local/google/home/warx/chromium/.cros_cache/chrome-sdk/tarballs/cyan+9536.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/unique_ptr.h", __line=298,
__function=0x65478d5336f4 <.L__PRETTY_FUNCTION__._ZNKSt10unique_ptrIN2ui16AXTreeSerializerIPN5views16AXAuraObjWrapperENS0_10AXNodeDataENS0_10AXTreeDataEEESt14default_deleteIS7_EEptEv> "std::unique_ptr::pointer std::unique_ptr<ui::AXTreeSerializer<views::AXAuraObjWrapper *, ui::AXNodeData, ui::AXTreeData>, std::default_delete<ui::AXTreeSerializer<views::AXAuraObjWrapper *, ui::AXNode"..., __condition=0x65478d7942ea <.L.str.99> "get() != pointer()")
at /usr/local/google/home/warx/chromium/.cros_cache/chrome-sdk/tarballs/cyan+9536.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/x86_64-cros-linux-gnu/bits/c++config.h:377
#3 0x00006547860b2156 in std::unique_ptr<ui::AXTreeSerializer<views::AXAuraObjWrapper*, ui::AXNodeData, ui::AXTreeData>, std::default_delete<ui::AXTreeSerializer<views::AXAuraObjWrapper*, ui::AXNodeData, ui::AXTreeData> > >::operator-> (
this=0x1f03def42048) at /usr/local/google/home/warx/chromium/.cros_cache/chrome-sdk/tarballs/cyan+9536.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/unique_ptr.h:298
#4 0x00006547860b1070 in AutomationManagerAura::SendEvent (this=0x1f03def42020, context=0x1f03de891820, aura_obj=0x1f03e504f800, event_type=ui::AX_EVENT_CHILDREN_CHANGED)
at ../../chrome/browser/ui/aura/accessibility/automation_manager_aura.cc:151
#5 0x00006547860b193c in AutomationManagerAura::OnEvent (this=0x1f03def42020, aura_obj=0x1f03e504f800, event_type=ui::AX_EVENT_CHILDREN_CHANGED) at ../../chrome/browser/ui/aura/accessibility/automation_manager_aura.cc:113
#6 0x0000654789c20417 in views::AXAuraObjCache::OnWindowHierarchyChanged (this=0x1f03de97d720, params=...) at ../../ui/views/accessibility/ax_aura_obj_cache.cc:202
#7 0x0000654782f145ab in aura::Window::NotifyWindowHierarchyChangeAtReceiver (this=0x1f03de9778e0, params=...) at ../../ui/aura/window.cc:915
#8 0x0000654782f143a0 in aura::Window::NotifyWindowHierarchyChangeUp (this=0x1f03deb4afe0, params=...) at ../../ui/aura/window.cc:900
#9 0x0000654782f11a8c in aura::Window::NotifyWindowHierarchyChange (this=0x1f03deb4afe0, params=...) at ../../ui/aura/window.cc:883
#10 0x0000654782f119cd in aura::Window::AddChild (this=0x1f03deb4afe0, child=0x1f03e313f260) at ../../ui/aura/window.cc:383
#11 0x0000654783a7d61b in views::NativeWidgetAura::InitNativeWidget (this=0x1f03e24be860, params=...) at ../../ui/views/widget/native_widget_aura.cc:213
#12 0x0000654783a56454 in views::Widget::Init (this=0x1f03e5520b60, in_params=...) at ../../ui/views/widget/widget.cc:337
#13 0x000065478584c345 in ash::LockWindow::LockWindow (this=0x1f03e5520b60) at ../../ash/login/ui/lock_window.cc:33
#14 0x000065477d36184b in chromeos::WebUIScreenLocker::LockScreen (this=0x1f03e15af620) at ../../chrome/browser/chromeos/login/lock/webui_screen_locker.cc:154
#15 0x000065477d355869 in chromeos::ScreenLocker::Init (this=0x1f03e4ed22e0) at ../../chrome/browser/chromeos/login/lock/screen_locker.cc:256
#16 0x000065477d3580d6 in chromeos::ScreenLocker::Show () at ../../chrome/browser/chromeos/login/lock/screen_locker.cc:554
#17 0x000065477d357c7a in chromeos::ScreenLocker::HandleLockScreenRequest () at ../../chrome/browser/chromeos/login/lock/screen_locker.cc:509
#18 0x000065477d0ee736 in chromeos::ScreenLockServiceProvider::LockScreen(dbus::MethodCall*, base::Callback<void (std::unique_ptr<dbus::Response, std::default_delete<dbus::Response> >), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>) (this=0x1f03de53ae80, method_call=0x1f03e319aa70, response_sender=...) at ../../chrome/browser/chromeos/dbus/screen_lock_service_provider.cc:46
May 17 2017
May 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/39ebcbc314998f76d3fd56cdf633ab29ef809d4c

commit 39ebcbc314998f76d3fd56cdf633ab29ef809d4c
Author: warx <warx@chromium.org>
Date: Wed May 17 06:53:19 2017

cros: AutomationManagerAura::SendEvent crash fix

Changes: When I am working on suspend/resume media sessions, I could hit the AutomationManagerAura::SendEvent crash. It is because current_tree_serializer_ can be NULL with nullptr access (->).

BUG= 721557
TEST=tested with WIP CL: https://codereview.chromium.org/2821303004/, crash doesn't happen any more.

Review-Url: https://codereview.chromium.org/2893473002
Cr-Commit-Position: refs/heads/master@{#472359}

[modify] https://crrev.com/39ebcbc314998f76d3fd56cdf633ab29ef809d4c/chrome/browser/ui/aura/accessibility/automation_manager_aura.cc
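The commit message attributes the crash to dereferencing current_tree_serializer_, a unique_ptr, with `->` while it is empty. The C++ below is an added example, not Chromium's code: the class, type and function names (AutomationManager, TreeSerializer, AXTreeUpdate, RunScenario, DropsEventWithoutSerializer) are stand-ins, and the early-return guard is an assumed shape of the fix, not the project's diff. It puts the unguarded call next to the guarded one and shows why the two traces on this page look different: `operator->` on an empty unique_ptr is undefined behaviour, so a release build simply dereferences null (frame #0 above shows `this=0x0`), while a libstdc++ build with assertions enabled aborts on `get() != pointer()` inside unique_ptr::operator->, which is what the debug trace shows.

```cpp
#include <memory>
#include <string>
#include <vector>

// Added example, not Chromium code. Stand-ins for the types in the traces.
struct AXTreeUpdate {
  std::vector<std::string> nodes;  // nodes serialised so far (constructed data)
};

// Hypothetical stand-in for ui::AXTreeSerializer: records the changed node.
class TreeSerializer {
 public:
  bool SerializeChanges(const std::string& node, AXTreeUpdate* out_update) {
    out_update->nodes.push_back(node);
    return true;
  }
};

enum class SendResult { kSent, kSkippedNoSerializer };

// Hypothetical stand-in for AutomationManagerAura. The serializer is owned by
// a unique_ptr that can legitimately be empty (never enabled, or reset), which
// is the state the bug report describes.
class AutomationManager {
 public:
  void Enable() { current_tree_serializer_.reset(new TreeSerializer()); }
  void Disable() { current_tree_serializer_.reset(); }
  bool HasSerializer() const { return current_tree_serializer_ != nullptr; }

  // Unguarded path: `->` on an empty unique_ptr. In a release build this is a
  // null-pointer dereference (undefined behaviour, in practice a SIGSEGV with
  // this=0x0 in the callee); with libstdc++ assertions enabled it aborts on
  // "get() != pointer()". Kept only for comparison; never called while empty.
  SendResult SendEventUnguarded(const std::string& node, AXTreeUpdate* out) {
    current_tree_serializer_->SerializeChanges(node, out);
    return SendResult::kSent;
  }

  // Guarded path (assumed shape of the fix): test the owning pointer before
  // dereferencing it and drop the event when there is nothing to serialise.
  SendResult SendEvent(const std::string& node, AXTreeUpdate* out) {
    if (!current_tree_serializer_)
      return SendResult::kSkippedNoSerializer;
    current_tree_serializer_->SerializeChanges(node, out);
    return SendResult::kSent;
  }

 private:
  std::unique_ptr<TreeSerializer> current_tree_serializer_;
};

// Replays the reported sequence: a CHILDREN_CHANGED-style event arrives while
// the serializer is absent, then while it is present, then after it has been
// reset. Returns how many events were actually serialised (1); the other two
// are dropped instead of crashing the process.
int RunScenario() {
  AutomationManager manager;
  AXTreeUpdate update;
  manager.SendEvent("lock_window", &update);  // absent: dropped
  manager.Enable();
  manager.SendEvent("lock_window", &update);  // present: serialised
  manager.Disable();
  manager.SendEvent("lock_window", &update);  // reset: dropped
  return static_cast<int>(update.nodes.size());
}

// True when an event sent with no serializer is reported as skipped and never
// reaches SerializeChanges.
bool DropsEventWithoutSerializer() {
  AutomationManager manager;
  AXTreeUpdate update;
  return manager.SendEvent("root", &update) == SendResult::kSkippedNoSerializer &&
         update.nodes.empty() && !manager.HasSerializer();
}
```

The point for a reviewer is that the guard belongs at the `->`, not somewhere upstream: the event arrives from aura::Window::AddChild during lock-screen construction regardless of whether accessibility has created a serializer yet, so the receiver has to tolerate the empty owner.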
May 17 2017
Aug 1 2017
Jan 22 2018
Comment 1 by warx@chromium.org, May 11 2017
Owner: dmazz...@chromium.org
Status: Assigned (was: Untriaged)