Regression: Chrome crashes on minimizing emoji palette keyboard of Input methods in shelf.
Issue description

Chrome Version: 60.0.3096.0/9542.0.0 dev channel (Daisy, Candy, Minnie, Peppy)
OS: Chrome OS

What steps will reproduce the problem?
(1) Sign in to Chrome >> Navigate to chrome://md-settings/languages
(2) Click on the Input method section and enable the 'Show input options in the shelf' option
(3) Go to Input methods in the shelf >> Click on the Emoji palette option
(4) Now click on the minimize keyboard icon present at the bottom right side and observe. (Please refer to the video)

Expected: No crash should be seen on clicking the minimize keyboard option.
Actual: Instead, a Chrome crash is seen.

This is a regression issue, as no crash is seen in 60.0.3092.0/9539.0.0 dev-channel Candy.

Crash id: 37ac40dca8000000

Stack Trace:
Thread 0 CRASHED [SIGSEGV @ 0x00000000] MAGIC SIGNATURE THREAD
Stack Quality 96%
0x00007f4b3de5dee9 (chrome+0x03aaaee9) keyboard::KeyboardController::HideAnimationFinished()
0x00007f4b3da4787b (chrome+0x0369487b) ui::LayerAnimationSequence::NotifyEnded()
0x00007f4b3da4a6f6 (chrome+0x036976f6) ui::LayerAnimator::FinishAnimation(ui::LayerAnimationSequence*, bool)
0x00007f4b3da4ac31 (chrome+0x03697c31) ui::LayerAnimator::Step(base::TimeTicks)
0x00007f4b3da4c017 (chrome+0x03699017) ui::LayerAnimatorCollection::OnAnimationStep(base::TimeTicks)
0x00007f4b3da41f62 (chrome+0x0368ef62) ui::Compositor::BeginMainFrame(cc::BeginFrameArgs const&)
0x00007f4b3d93c7fe (chrome+0x035897fe) cc::SingleThreadProxy::DoBeginMainFrame(cc::BeginFrameArgs const&)
0x00007f4b3d93cea2 (chrome+0x03589ea2) cc::SingleThreadProxy::BeginMainFrame(cc::BeginFrameArgs const&)
0x00007f4b3b3088f6 (chrome+0x00f558f6) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x00007f4b3b2fb282 (chrome+0x00f48282) base::MessageLoop::RunTask(base::PendingTask*)
0x00007f4b3b2fc468 (chrome+0x00f49468) base::MessageLoop::DoWork()
0x00007f4b3b2fcc4b (chrome+0x00f49c4b) base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0x00007f4b3cb86c7f (chrome+0x027d3c7f) base::RunLoop::Run()
0x00007f4b3c8c735c (chrome+0x0251435c) ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x00007f4b3b875be1 (chrome+0x014c2be1) content::BrowserMainLoop::RunMainMessageLoopParts()
0x00007f4b3b877fd9 (chrome+0x014c4fd9) content::BrowserMainRunnerImpl::Run()
0x00007f4b3b871ee0 (chrome+0x014beee0) content::BrowserMain(content::MainFunctionParams const&)
0x00007f4b3c8a861c (chrome+0x024f561c) content::ContentMainRunnerImpl::Run()
0x00007f4b3c8c0706 (chrome+0x0250d706) service_manager::Main(service_manager::MainParams const&)
0x00007f4b3c8a7936 (chrome+0x024f4936) content::ContentMain(content::ContentMainParams const&)
0x00007f4b3b43a572 (chrome+0x01087572) ChromeMain
0x00007f4b38bd5815 (libc-2.23.so - libc-start.c:289) __libc_start_main

Attaching screen-cast for reference.
May 12 2017
I found the cause. In KeyboardController::HideAnimationFinished(), the observers' OnKeyboardHidden() is called, and in ImeMenuTray::OnKeyboardHidden() the KeyboardController is deleted, so after the call to OnKeyboardHidden() returns, the caller is already deleted. This causes the SIGSEGV. I will come up with the fix. I paste the stack trace below:

#2 0x56afd6ccef16 keyboard::KeyboardController::~KeyboardController()
#3 0x56afd6ccef68 keyboard::KeyboardController::ResetInstance()
#4 0x56afd7181487 ash::Shell::DeactivateKeyboard()
#5 0x56afd4ac03fa chromeos::AccessibilityManager::UpdateVirtualKeyboardFromPref()
#6 0x56afd62c9238 PrefNotifierImpl::FireObservers()
#7 0x56afd62cc549 PrefValueStore::PrefStoreKeeper::OnPrefValueChanged()
#8 0x56afd62c6e90 JsonPrefStore::ReportValueChanged()
#9 0x56afd62c6471 JsonPrefStore::SetValue()
#10 0x56afd62cae54 PrefService::SetUserPrefValue()
#11 0x56afd62caf08 PrefService::SetBoolean()
#12 0x56afd4ac02a2 chromeos::AccessibilityManager::EnableVirtualKeyboard()
#13 0x56afd718a1ef ash::ImeMenuTray::OnKeyboardHidden()
#14 0x56afd6ccf4f3 keyboard::KeyboardController::HideAnimationFinished()
May 15 2017
azurewel@: Could you help me to fix this crash? Why do we have to delete KeyboardController in ImeMenuTray::OnKeyboardHidden()?
May 15 2017
Observing OnKeyboardHidden is for showing ImeMenuTray. If the user shows the menu when the vk is visible, we will hide the vk and show the menu after the hide-vk animation has finished. Let me debug why this would cause SIGSEGV. Thanks.
May 15 2017
Thank you for taking this over. SIGSEGV is caused by use-after-free in keyboard_controller.cc:L523. KeyboardController is already freed there.
May 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e876159e6a71b276bd596c115776623faeba9b47

commit e876159e6a71b276bd596c115776623faeba9b47
Author: azurewei <azurewei@chromium.org>
Date: Wed May 17 03:16:46 2017

Post the task of disabling virtual keyboard

When showing the emoji/voice/handwriting vk from the opt-in IME menu with the virtual keyboard disabled, the virtual keyboard will be forced shown once. Thus, after the virtual keyboard is hidden, the menu will disable the vk to make sure it won't automatically be shown. The menu listens on the KeyboardController::OnKeyboardHidden() event to disable the vk, where the SIGSEGV is caused. Fix the issue by posting the task of disabling the virtual keyboard.

BUG=721673
TEST=Verified on local build

Review-Url: https://codereview.chromium.org/2884873002
Cr-Commit-Position: refs/heads/master@{#472300}

[modify] https://crrev.com/e876159e6a71b276bd596c115776623faeba9b47/ash/system/ime_menu/ime_menu_tray.cc
[modify] https://crrev.com/e876159e6a71b276bd596c115776623faeba9b47/ash/system/ime_menu/ime_menu_tray.h
[modify] https://crrev.com/e876159e6a71b276bd596c115776623faeba9b47/ash/system/ime_menu/ime_menu_tray_unittest.cc
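The ordering problem diagnosed in this thread, and the shape of the fix that landed, as an added example that is not Chromium's code and not the revision above: an observer (ImeMenuTray) destroys the object that is in the middle of notifying it (KeyboardController), so the notifier's own member access after the observer returns runs on freed memory. KeyboardController, Shell, ImeMenuTray and TaskRunner here are simplified stand-ins, not the real classes, and the shared liveness flag in HideAnimationFinished() is an addition that plays the role of a weak pointer so the freed-`this` case can be observed without undefined behaviour; the real function had no such guard, which is why it faulted. The kPostTask mode shows the deferral that the commit describes: the observer posts the deactivation to the task runner instead of doing it synchronously, so the controller is destroyed only after the notification stack has unwound.

```cpp
// Added example, not Chromium code: an observer destroying its notifier during
// a callback (the SIGSEGV in this issue) versus deferring that destruction
// through a posted task (the fix).
#include <functional>
#include <memory>
#include <queue>
#include <string>
#include <vector>

using Trace = std::vector<std::string>;

// Stand-in for a single-threaded task runner: posted tasks run later, in order.
class TaskRunner {
 public:
  void PostTask(std::function<void()> task) { tasks_.push(std::move(task)); }
  void RunUntilIdle() {
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop();
      task();
    }
  }

 private:
  std::queue<std::function<void()>> tasks_;
};

class KeyboardControllerObserver {
 public:
  virtual ~KeyboardControllerObserver() = default;
  virtual void OnKeyboardHidden() = 0;
};

class KeyboardController {
 public:
  explicit KeyboardController(Trace* trace) : trace_(trace) {}
  ~KeyboardController() {
    *alive_ = false;
    trace_->push_back("~KeyboardController");
  }
  void AddObserver(KeyboardControllerObserver* o) { observers_.push_back(o); }

  // Mirrors the crashing frame: notify observers, then touch members of |this|.
  void HideAnimationFinished() {
    // Locals that survive even if an observer deletes |this| mid-call. The
    // shared flag is an assumption standing in for a weak pointer; the real
    // code had no such check and wrote to freed memory.
    Trace* trace = trace_;
    std::shared_ptr<bool> alive = alive_;
    std::vector<KeyboardControllerObserver*> observers = observers_;
    for (KeyboardControllerObserver* o : observers) o->OnKeyboardHidden();
    if (!*alive) {
      trace->push_back("HideAnimationFinished: |this| freed by observer");
      return;
    }
    keyboard_visible_ = false;  // the member write that faults once |this| is gone
    trace->push_back("HideAnimationFinished: member access ok");
  }

 private:
  Trace* trace_;
  std::shared_ptr<bool> alive_ = std::make_shared<bool>(true);
  bool keyboard_visible_ = true;
  std::vector<KeyboardControllerObserver*> observers_;
};

// Owner of the controller, standing in for ash::Shell.
struct Shell {
  Trace* trace;
  std::unique_ptr<KeyboardController> keyboard;
  void DeactivateKeyboard() {
    trace->push_back("Shell::DeactivateKeyboard");
    keyboard.reset();  // destroys the controller
  }
};

enum class Mode { kDeleteSynchronously, kPostTask };

// Observer standing in for ash::ImeMenuTray.
class ImeMenuTray : public KeyboardControllerObserver {
 public:
  ImeMenuTray(Shell* shell, TaskRunner* runner, Mode mode)
      : shell_(shell), runner_(runner), mode_(mode) {}
  void OnKeyboardHidden() override {
    shell_->trace->push_back("ImeMenuTray::OnKeyboardHidden");
    if (mode_ == Mode::kDeleteSynchronously) {
      shell_->DeactivateKeyboard();  // before the fix: frees our caller
    } else {
      Shell* shell = shell_;  // after the fix: defer until the stack unwinds
      runner_->PostTask([shell] { shell->DeactivateKeyboard(); });
    }
  }

 private:
  Shell* shell_;
  TaskRunner* runner_;
  Mode mode_;
};

// Drives one hide-animation completion and returns the order of events.
Trace RunScenario(Mode mode) {
  Trace trace;
  TaskRunner runner;
  Shell shell{&trace, std::make_unique<KeyboardController>(&trace)};
  ImeMenuTray tray(&shell, &runner, mode);
  shell.keyboard->AddObserver(&tray);
  shell.keyboard->HideAnimationFinished();  // the animation-end callback
  runner.RunUntilIdle();                    // posted work runs here
  return trace;
}
```

RunScenario(Mode::kDeleteSynchronously) records the destructor running before HideAnimationFinished() has finished, which is the state the real crash dereferenced; RunScenario(Mode::kPostTask) records the member write completing first and the destruction happening from the task runner afterwards. The same reasoning applies to any observer or callback that can end up owning the lifetime of the object notifying it: either defer the destruction, or have the notifier re-check its own liveness after every callback.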
May 22 2017
ChromeOS 9574.0.0, 60.0.3105.0
Comment 1 by yhanada@chromium.org, May 12 2017. Status: Assigned (was: Untriaged)