Starred by 2 users

Issue metadata

Status: Verified
Owner:
OOO July 19-22
Closed: Mar 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Restricted
  • Only users with EditIssue permission may comment.




CHECK hit in TabContents::NavigateToEntry

Project Member Reported by sky@chromium.org, Feb 7 2011

Issue description

A number of crash reports seem to have this in them on the latest canary (11.0.659.0). Here's the stack:

Thread 0 *CRASHED* ( EXCEPTION_BREAKPOINT @ 0x01d1abd4 )

0x01d1abd4	 [chrome.dll	 - debugger_win.cc:107]	base::debug::BreakDebugger()
0x01d087b5	 [chrome.dll	 - logging.cc:621]	logging::LogMessage::~LogMessage()
0x01e070ef	 [chrome.dll	 - tab_contents.cc:893]	TabContents::NavigateToEntry(NavigationEntry const &,NavigationController::ReloadType)
0x01e0700b	 [chrome.dll	 - tab_contents.cc:872]	TabContents::NavigateToPendingEntry(NavigationController::ReloadType)
0x01e56a75	 [chrome.dll	 - navigation_controller.cc:1087]	NavigationController::NavigateToPendingEntry(NavigationController::ReloadType)
0x01e55ef0	 [chrome.dll	 - navigation_controller.cc:495]	NavigationController::LoadURL(GURL const &,GURL const &,unsigned int)
0x01e6aeb2	 [chrome.dll	 - browser_navigator.cc:430]	browser::Navigate(browser::NavigateParams *)
0x01dd28b4	 [chrome.dll	 - browser.cc:2804]	Browser::OpenURLFromTab(TabContents *,GURL const &,GURL const &,WindowOpenDisposition,unsigned int)
0x01e06ff9	 [chrome.dll	 - tab_contents.cc:867]	TabContents::OpenURL(GURL const &,GURL const &,WindowOpenDisposition,unsigned int)
0x01e0a51a	 [chrome.dll	 - tab_contents.cc:2600]	TabContents::RequestOpenURL(GURL const &,GURL const &,WindowOpenDisposition)
0x01e40df3	 [chrome.dll	 - render_view_host.cc:1114]	RenderViewHost::OnMsgOpenURL(GURL const &,GURL const &,WindowOpenDisposition)
0x01e421f2	 [chrome.dll	 - ipc_message_utils.h:933]	IPC::MessageWithTuple<Tuple3<GURL,GURL,WindowOpenDisposition> >::Dispatch<RenderViewHost,RenderViewHost,void ( RenderViewHost::*)(GURL const &,GURL const &,WindowOpenDisposition)>(IPC::Message const *,RenderViewHost *,RenderViewHost *,void ( RenderViewHost::*)(GURL const &,GURL const &,WindowOpenDisposition))
0x01e402d9	 [chrome.dll	 - render_view_host.cc:763]	RenderViewHost::OnMessageReceived(IPC::Message const &)
0x01d994f1	 [chrome.dll	 - browser_render_process_host.cc:1008]	BrowserRenderProcessHost::OnMessageReceived(IPC::Message const &)
0x01ef932c	 [chrome.dll	 - task.h:331]	RunnableMethod<IPCWebSocketStreamHandleBridge,void ( IPCWebSocketStreamHandleBridge::*)(GURL const &),Tuple1<GURL> >::Run()
0x01d00358	 [chrome.dll	 - message_loop.cc:362]	MessageLoop::RunTask(Task *)
0x01d003df	 [chrome.dll	 - message_loop.cc:371]	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x01d0078c	 [chrome.dll	 - message_loop.cc:564]	MessageLoop::DoWork()
0x01d17b25	 [chrome.dll	 - message_pump_win.cc:201]	base::MessagePumpForUI::DoRunLoop()
0x01d1792e	 [chrome.dll	 - message_pump_win.cc:49]	base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
0x01d002ce	 [chrome.dll	 - message_loop.cc:332]	MessageLoop::RunInternal()
0x01d0025e	 [chrome.dll	 - message_loop.cc:310]	MessageLoop::RunHandler()
0x01d0093c	 [chrome.dll	 - message_loop.cc:679]	MessageLoopForUI::Run(base::MessagePumpWin::Dispatcher *)
0x01d92f8c	 [chrome.dll	 - browser_main.cc:560]	`anonymous namespace'::RunUIMessageLoop(BrowserProcess *)
0x01d95099	 [chrome.dll	 - browser_main.cc:1740]	BrowserMain(MainFunctionParams const &)
0x01c34155	 [chrome.dll	 - chrome_main.cc:977]	ChromeMain
0x00403ed1	 [chrome.exe	 - client_util.cc:280]	MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x004042b1	 [chrome.exe	 - chrome_exe_main_win.cc:46]	wWinMain
0x00448d4e	 [chrome.exe	 - crt0.c:263]	__tmainCRTStartup
0x7c817076	 [kernel32.dll	 + 0x00017076]	BaseProcessStart

See http://crash/reportdetail?reportid=cc2935a658532e30 for one.

I believe is_allowed_in_dom_ui_renderer is false here.
Assigning to creis since he added the CHECK.
 

Comment 1 by creis@chromium.org, Feb 7 2011

I fixed the known ways for this to happen in issue 58082 and issue 69224.  Those fixes are all present in 11.0.659.0, though.  I'll have to investigate to see if there's another way to hit this check.

(This line is a sanity check to ensure we keep normal URLs out of DOM UI processes.  Failures often mean we've corrupted a navigation entry, possibly by swapping its content state with another entry.)
Labels: -Crash bulkmove Stability-Crash
Labels: Mstone-17
I got this crash on 17.0.932.0 (Official Build 108826)/Win7.
Right now, I don't have reproducible steps.

The full stack trace can be found @ http://crash/reportdetail?reportid=a6400cb07517bff3#crashing_thread

Comment 4 by creis@chromium.org, Nov 8 2011

That one appears to have happened when clicking the Forward button, while the original report looks like opening a URL from a new window.  Do you remember anything about what you were going forward from and to?  I'm curious if either the source or the destination were a special type of URL, like the NTP or an extension page.

Obviously, if you figure out repro steps, that will help immensely.

Comment 5 by k...@google.com, Dec 19 2011

Labels: -Mstone-17 Mstone-18 MovedFrom-17
Moving bugs marked as Assigned but not blockers from M17 to M18.  Please move back if you think this is a blocker, and add the ReleaseBlock-Stable label.  If you're able.

Comment 6 by creis@chromium.org, Dec 19 2011

Labels: Action-FeedbackNeeded
I still need repro steps to track this one down.  If anyone comes across this crash and can explain how they got there, please report it here.

Comment 7 by kareng@google.com, Feb 7 2012

Labels: MovedFrom18 Mstone-19

Comment 8 by bugdroid1@chromium.org, Mar 24 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=128683

------------------------------------------------------------------------
r128683 | creis@chromium.org | Fri Mar 23 21:12:23 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/browser/tab_contents/tab_contents.cc?r1=128683&r2=128682&pathrev=128683

Get more data to diagnose a crash.

BUG= 72235 
TEST=none


Review URL: http://codereview.chromium.org/9834067
------------------------------------------------------------------------

Comment 9 by creis@chromium.org, Mar 26 2012

Status: Started
Fortunately, I've come across some repro steps for this one:
1) In a new tab, visit chrome://about.
2) In the same tab, type in view-source:chrome://chrome-urls/.
3) Go back.
4) Go forward.  Now unexpectedly seeing view-source:swappedout://.
5) Go back.
6) Go forward.  Crash.

It seems to be important that the URLs in step 1 and 2 slightly differ but still show the same WebUI page.

Comment 10 by laforge@google.com, Mar 27 2012

Labels: -Mstone-19 Mstone-20 MovedFrom-19

Comment 11 by creis@chromium.org, Mar 27 2012

This is an interesting one.  It turns out we were sending UpdateState messages to the browser when we returned to a previously swapped out RenderView, containing the state for the blank swappedout:// URL.  That's bad, but it didn't usually cause problems because it was for a page_id one greater than the browser had ever heard.  That meant we usually just dropped the UpdateState message on the floor.

However, because of issue 117420, view-source URLs can end up in the same SiteInstance but a different RenderViewHost than the equivalent normal URL.  As it happens, we start the view-source RVH at a page_id one greater than the current RVH.

This means the errant UpdateState message for swappedout:// was affecting the view-source NavigationEntry.  That explains step 4 in comment 9, which leads to us trying to load a view-source URL in a WebUI renderer in step 6, hitting the CHECK.

The simple fix is to stop sending UpdateState messages for swappedout://, but fixing issue 117420 is also worthwhile.
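The page_id collision that comment 11 describes, and the sanity check from comment 1 that it eventually trips, can be replayed in a small model. The following is an added illustration, not Chromium code: `kSwappedOutURL` is the constant named in r129306 but its string value here is assumed, and `NavigationControllerModel`, `AllowedInWebUIRenderer`, the per-RVH page_id numbering and the way a state update rewrites an entry's URL are all simplified stand-ins for the real NavigationController, RenderViewHost and TabContents logic. `RunScenario(false)` replays comment 9's steps as the code behaved before the fix; `RunScenario(true)` applies the r129306 rule of never forwarding state for the swapped-out URL.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Added model, not Chromium code. kSwappedOutURL is the constant named in r129306;
// its value, the class names and the state format below are simplified stand-ins.
static const char kSwappedOutURL[] = "swappedout://";
static const char kViewSourcePrefix[] = "view-source:";

static bool StartsWith(const std::string& s, const std::string& prefix) {
  return s.compare(0, prefix.size(), prefix) == 0;
}

// Modelled "is_allowed_in_dom_ui_renderer" (comment 1): only chrome:// content may
// load in a WebUI process; a view-source: wrapper is stripped before the check.
bool AllowedInWebUIRenderer(const std::string& url) {
  std::string inner = StartsWith(url, kViewSourcePrefix)
                          ? url.substr(std::string(kViewSourcePrefix).size())
                          : url;
  return StartsWith(inner, "chrome://");
}

struct NavigationEntry {
  std::string url;      // what the browser believes this entry points at
  int page_id;          // renderer-assigned id used to match UpdateState messages
  bool webui_instance;  // SiteInstance fixed at creation: a WebUI process
};

class NavigationControllerModel {
 public:
  explicit NavigationControllerModel(bool reject_swapped_out_updates)
      : reject_swapped_out_updates_(reject_swapped_out_updates), max_page_id_(-1) {}

  // A fresh RVH in the same SiteInstance starts numbering at one past the highest
  // page_id the browser has seen (comment 11). Returns the new entry's page_id.
  int Commit(const std::string& url, bool webui_instance) {
    entries_.push_back({url, ++max_page_id_, webui_instance});
    return max_page_id_;
  }

  // Renderer -> browser UpdateState(page_id, state). Pre-fix: apply it to whichever
  // entry carries that page_id; a message matching nothing is dropped on the floor.
  // Modelled corruption: keep the view-source wrapper, replace the inner URL.
  bool OnUpdateState(int page_id, const std::string& state_url) {
    if (reject_swapped_out_updates_ && state_url == kSwappedOutURL)
      return false;  // r129306: a swapped-out view never reports state
    for (NavigationEntry& e : entries_) {
      if (e.page_id != page_id) continue;
      bool view_source = StartsWith(e.url, kViewSourcePrefix);
      e.url = (view_source ? std::string(kViewSourcePrefix) : std::string()) + state_url;
      return true;
    }
    return false;
  }

  // Stand-in for TabContents::NavigateToEntry: false where the CHECK would fire.
  bool NavigateToEntry(int page_id) const {
    const NavigationEntry& e = Find(page_id);
    return !(e.webui_instance && !AllowedInWebUIRenderer(e.url));
  }

  const std::string& UrlFor(int page_id) const { return Find(page_id).url; }

 private:
  const NavigationEntry& Find(int page_id) const {
    for (const NavigationEntry& e : entries_)
      if (e.page_id == page_id) return e;
    return entries_.back();  // model only: callers pass ids they committed
  }
  bool reject_swapped_out_updates_;
  int max_page_id_;
  std::vector<NavigationEntry> entries_;
};

struct ScenarioResult {
  std::string forward_url;  // URL the forward entry holds after step 3
  bool check_passed;        // whether step 6's NavigateToEntry survives the CHECK
};

// Replays comment 9's steps against the model, with or without the r129306 rule.
ScenarioResult RunScenario(bool with_fix) {
  NavigationControllerModel nc(with_fix);
  // Step 1: chrome://about commits in a WebUI process; RVH A's only page_id is 0.
  int about_id = nc.Commit("chrome://about", true);
  // Step 2: view-source of the same WebUI page lands in the same SiteInstance but a
  // different RVH B, which starts at page_id 1 (comment 11, issue 117420).
  int view_source_id =
      nc.Commit(std::string(kViewSourcePrefix) + "chrome://chrome-urls/", true);
  // Step 3: go back. Returning to swapped-out RVH A made it report state for
  // swappedout:// under page_id 1: one past any id A was given, and exactly B's id.
  nc.OnUpdateState(about_id + 1, kSwappedOutURL);
  // Steps 4-6: the forward entry is whatever that message left behind.
  return {nc.UrlFor(view_source_id), nc.NavigateToEntry(view_source_id)};
}

int main() {
  ScenarioResult before = RunScenario(false);
  ScenarioResult after = RunScenario(true);
  std::printf("before fix: %s, CHECK %s\n", before.forward_url.c_str(),
              before.check_passed ? "passes" : "fires");
  std::printf("after fix:  %s, CHECK %s\n", after.forward_url.c_str(),
              after.check_passed ? "passes" : "fires");
  return 0;
}
```

The point the model makes is that the errant message was only ever harmless by accident: a page_id the browser had never handed out matched nothing, so it was dropped, and the moment a second RenderViewHost in the same SiteInstance legitimately started at that id, the same message silently rewrote a live entry. Rejecting state for the swapped-out URL at the source removes the dependence on that accident.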

Comment 12 by bugdroid1@chromium.org, Mar 28 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=129306

------------------------------------------------------------------------
r129306 | creis@chromium.org | Tue Mar 27 16:57:05 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/render_view_browsertest.cc?r1=129306&r2=129305&pathrev=129306
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/render_view_impl.cc?r1=129306&r2=129305&pathrev=129306
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/render_view_impl.h?r1=129306&r2=129305&pathrev=129306

Prevent state updates for kSwappedOutURL.

BUG= 72235 
TEST=See bug, comment 9

Review URL: https://chromiumcodereview.appspot.com/9865010
------------------------------------------------------------------------

Comment 13 by creis@chromium.org, Mar 28 2012

Cc: kareng@google.com lafo...@chromium.org
Status: Fixed
Fixed on trunk.  I'll keep an eye on the crash reports and will see about merging this later in the week.
Labels: -Mstone-20 Mstone-19 Merge-Requested
This fix appears to be effective, judging from the crash reports.  I spotted one remaining report at http://crash/reportdetail?reportid=c1a24802f2ad892c, which turns out to be a different issue.  (I've filed issue 121497 for it.)

Revision 129306 is a simple browser crash fix, and I think it'll be worthwhile to merge to M19 and then M18.  Anthony, ok to merge to M19?
Labels: -Merge-Requested Merge-Approved
Labels: -Mstone-19 -Merge-Approved Mstone-18 Merge-Requested
Heh, the M20 label in comment 10 was misleading.  This revision is actually already on the M19 branch (which occurred at revision 129376), so no merge is required there.

Karen, would you like me to merge this to M18?

Comment 17 by kareng@google.com, Apr 2 2012

Labels: -Merge-Requested Merge-Approved

Comment 18 by bugdroid1@chromium.org, Apr 2 2012

Labels: -Merge-Approved merge-merged-1025
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=130251

------------------------------------------------------------------------
r130251 | creis@chromium.org | Mon Apr 02 16:26:09 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/renderer/render_view_browsertest.cc?r1=130251&r2=130250&pathrev=130251
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/renderer/render_view_impl.h?r1=130251&r2=130250&pathrev=130251
 M http://src.chromium.org/viewvc/chrome/branches/1025/src/content/renderer/render_view_impl.cc?r1=130251&r2=130250&pathrev=130251

Merge 129306 - Prevent state updates for kSwappedOutURL.

BUG= 72235 
TEST=See bug, comment 9

Review URL: https://chromiumcodereview.appspot.com/9865010

TBR=creis@chromium.org
Review URL: https://chromiumcodereview.appspot.com/9969072
------------------------------------------------------------------------
Status: Verified
OS: Win7, Linux Ubuntu 10.04, Mac 10.7.3

Verified with steps given in Comment 6 on chrome 18.0.1025.151

Comment 20 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 21 by bugdroid1@chromium.org, Mar 9 2013

Labels: -Action-FeedbackNeeded Needs-Feedback

Comment 22 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-UI -Mstone-18 M-18 Cr-UI

Comment 23 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: hasTestcase
