content::RenderViewHostImpl::RenderWidgetLostFocus uses InterstitialPageImpl::rvh_delegate_view_ after it's deleted (use-after-free in the browser process)
Issue description: The RenderViewHostDelegateView used by content::RenderViewHostImpl is InterstitialPageRVHDelegateView, owned by InterstitialPageImpl::rvh_delegate_view_. That member is declared after InterstitialPageImpl::frame_tree_, and because C++ destroys members in reverse declaration order it is deleted before frame_tree_. So when frame_tree_ is deleted and RenderViewHostImpl::RenderWidgetLostFocus() runs as part of that teardown, rvh_delegate_view_ no longer exists — a use-after-free in the browser process, caught here by SyzyASan. ============================================================================ Stack trace (use of the freed object): 0x52368cce (chrome.dll -render_view_host_impl.cc:682 ) content::RenderViewHostImpl::RenderWidgetLostFocus() 0x5236c5d8 (chrome.dll -render_widget_host_impl.cc:799 ) content::RenderWidgetHostImpl::Blur() 0x5237cc5a (chrome.dll -render_widget_host_view_aura.cc:1788 ) content::RenderWidgetHostViewAura::OnWindowFocused(aura::Window *,aura::Window *) 0x52fbec9e (chrome.dll -focus_controller.cc:257 ) wm::FocusController::SetFocusedWindow(aura::Window *) 0x52fbeea7 (chrome.dll -focus_controller.cc:347 ) wm::FocusController::WindowLostFocusFromDispositionChange(aura::Window *,aura::Window *) 0x52fbe6dc (chrome.dll -focus_controller.cc:161 ) wm::FocusController::OnWindowDestroying(aura::Window *) 0x52d41894 (chrome.dll -window.cc:86 ) aura::Window::~Window() 0x52d41b43 (chrome.dll + 0x01691b43 ) aura::Window::`scalar deleting destructor'(unsigned int) 0x5237a0d4 (chrome.dll -render_widget_host_view_aura.cc:821 ) content::RenderWidgetHostViewAura::Destroy() 0x5236c9d4 (chrome.dll -render_widget_host_impl.cc:1782 ) content::RenderWidgetHostImpl::Destroy(bool) 0x52373a50 (chrome.dll -render_widget_host_impl.cc:524 ) content::RenderWidgetHostImpl::ShutdownAndDestroyWidget(bool) 0x52369171 (chrome.dll -render_view_host_impl.cc:783 ) content::RenderViewHostImpl::ShutdownAndDestroy() 0x521ff30d (chrome.dll -frame_tree.cc:368 ) content::FrameTree::ReleaseRenderViewHostRef(content::RenderViewHostImpl *) 0x5221febb (chrome.dll -render_frame_host_impl.cc:535 ) 
content::RenderFrameHostImpl::~RenderFrameHostImpl() 0x522208e6 (chrome.dll + 0x00b708e6 ) content::RenderFrameHostImpl::`scalar deleting destructor'(unsigned int) 0x5222f6da (chrome.dll -render_frame_host_manager.cc:84 ) content::RenderFrameHostManager::~RenderFrameHostManager() 0x522002cc (chrome.dll -frame_tree_node.cc:151 ) content::FrameTreeNode::~FrameTreeNode() 0x521fe995 (chrome.dll -frame_tree.cc:116 ) content::FrameTree::~FrameTree() 0x5220244f (chrome.dll -interstitial_page_impl.cc:184 ) content::InterstitialPageImpl::~InterstitialPageImpl() 0x522024e8 (chrome.dll + 0x00b524e8 ) content::InterstitialPageImpl::`scalar deleting destructor'(unsigned int) 0x522a1e63 (chrome.dll -indexed_db_quota_client.cc:73 ) content::IndexedDBQuotaClient::OnQuotaManagerDestroyed() 0x53c32b04 (chrome.dll -bind_internal.h:214 ) base::internal::FunctorTraits<void ( proximity_auth::MessengerImpl::*)(void),void>::Invoke<base::WeakPtr<proximity_auth::MessengerImpl> const &>(void ( proximity_auth::MessengerImpl::*)(void),base::WeakPtr<proximity_auth::MessengerImpl> const &) 0x53c32b3a (chrome.dll -bind_internal.h:305 ) base::internal::InvokeHelper<1,void>::MakeItSo<void ( proximity_auth::MessengerImpl::*const &)(void),base::WeakPtr<proximity_auth::MessengerImpl> const &>(void ( proximity_auth::MessengerImpl::*const &)(void),base::WeakPtr<proximity_auth::MessengerImpl> const &) 0x53c34104 (chrome.dll -bind_internal.h:339 ) base::internal::Invoker<base::internal::BindState<void ( proximity_auth::MessengerImpl::*)(void),base::WeakPtr<proximity_auth::MessengerImpl> >,void >::Run(base::internal::BindStateBase *) 0x5185ca09 (chrome.dll -task_annotator.cc:59 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *) 0x517f5d11 (chrome.dll -message_loop.cc:409 ) base::MessageLoop::RunTask(base::PendingTask *) 0x517f6fdd (chrome.dll -message_loop.cc:508 ) base::MessageLoop::DoWork() 0x5185d2e9 (chrome.dll -message_pump_win.cc:173 ) base::MessagePumpForUI::DoRunLoop() 
0x5185cc6e (chrome.dll -message_pump_win.cc:56 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *) 0x51821e8f (chrome.dll -run_loop.cc:111 ) base::RunLoop::Run() 0x5272a1fa (chrome.dll -chrome_browser_main.cc:1963 ) ChromeBrowserMainParts::MainMessageLoopRun(int *) 0x5215305d (chrome.dll -browser_main_loop.cc:1180 ) content::BrowserMainLoop::RunMainMessageLoopParts() 0x5215450f (chrome.dll -browser_main_runner.cc:142 ) content::BrowserMainRunnerImpl::Run() 0x5214ec11 (chrome.dll -browser_main.cc:46 ) content::BrowserMain(content::MainFunctionParams const &) 0x52672326 (chrome.dll -content_main_runner.cc:412 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *) 0x52672270 (chrome.dll -content_main_runner.cc:705 ) content::ContentMainRunnerImpl::Run() 0x5268ab6a (chrome.dll -main.cc:469 ) service_manager::Main(service_manager::MainParams const &) 0x52671a29 (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &) 0x51e5f2da (chrome.dll -chrome_main.cc:109 ) ChromeMain 0x000774d5 (chrome.exe -main_dll_loader_win.cc:202 ) MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks) 0x00076a49 (chrome.exe -chrome_exe_main_win.cc:271 ) wWinMain 0x00098a37 (chrome.exe -exe_common.inl:253 ) __scrt_common_main_seh 0x76d23369 (kernel32.dll + 0x00013369 ) 0x776b9901 (ntdll.dll + 0x00039901 ) 0x776b98d4 (ntdll.dll + 0x000398d4 ) ============================================================================ Stack where InterstitialPageImpl::rvh_delegate_view_ is deleted. 
0x6cc3b7fb (syzyasan_rtl.dll -block_heap_manager.cc:315 ) agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *) 0x6cc3421d (syzyasan_rtl.dll -rtl_impl.cc:124 ) asan_HeapFree 0x51842f17 (chrome.dll -allocator_shim_default_dispatch_to_winheap.cc:55 ) `anonymous namespace'::DefaultWinHeapFreeImpl 0x5178a76b (chrome.dll -allocator_shim_override_ucrt_symbols_win.h:55 ) free 0x5220251f (chrome.dll + 0x00b5251f ) content::InterstitialPageImpl::InterstitialPageRVHDelegateView::`scalar deleting destructor'(unsigned int) 0x52202436 (chrome.dll -interstitial_page_impl.cc:184 ) content::InterstitialPageImpl::~InterstitialPageImpl() 0x522a1e64 (chrome.dll -indexed_db_quota_client.cc:73 ) content::IndexedDBQuotaClient::OnQuotaManagerDestroyed() 0x53c32b3b (chrome.dll -bind_internal.h:305 ) base::internal::InvokeHelper<1,void>::MakeItSo<void ( proximity_auth::MessengerImpl::*const &)(void),base::WeakPtr<proximity_auth::MessengerImpl> const &>(void ( proximity_auth::MessengerImpl::*const &)(void),base::WeakPtr<proximity_auth::MessengerImpl> const &) 0x53c34105 (chrome.dll -bind_internal.h:339 ) base::internal::Invoker<base::internal::BindState<void ( proximity_auth::MessengerImpl::*)(void),base::WeakPtr<proximity_auth::MessengerImpl> >,void >::Run(base::internal::BindStateBase *) 0x5185ca0a (chrome.dll -task_annotator.cc:59 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *) 0x517f5d12 (chrome.dll -message_loop.cc:410 ) base::MessageLoop::RunTask(base::PendingTask *) 0x517f6fde (chrome.dll -message_loop.cc:508 ) base::MessageLoop::DoWork() 0x5185d2ea (chrome.dll -message_pump_win.cc:174 ) base::MessagePumpForUI::DoRunLoop() 0x5185cc6f (chrome.dll -message_pump_win.cc:58 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *) 0x51821e90 (chrome.dll -run_loop.cc:112 ) base::RunLoop::Run() 0x5272a1fb (chrome.dll -chrome_browser_main.cc:1965 ) ChromeBrowserMainParts::MainMessageLoopRun(int *) 0x5215305e (chrome.dll -browser_main_loop.cc:1182 ) 
content::BrowserMainLoop::RunMainMessageLoopParts() 0x52672327 (chrome.dll -content_main_runner.cc:412 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *) 0x52672271 (chrome.dll -content_main_runner.cc:705 ) content::ContentMainRunnerImpl::Run() 0x5268ab6b (chrome.dll -main.cc:469 ) service_manager::Main(service_manager::MainParams const &) 0x52671a2a (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &) 0x51e5f2db (chrome.dll -chrome_main.cc:112 ) ChromeMain 0x000774d6 (chrome.exe -main_dll_loader_win.cc:204 ) MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks) 0x00076a4a (chrome.exe -chrome_exe_main_win.cc:272 ) wWinMain 0x00098a38 (chrome.exe -exe_common.inl:253 ) __scrt_common_main_seh 0x76d2336a (kernel32.dll + 0x0001336a ) 0x776b9902 (ntdll.dll + 0x00039902 ) 0x776b98d5 (ntdll.dll + 0x000398d5 ) So the order of member destruction is what matters here: both stacks are inside ~InterstitialPageImpl, C++ destroys members in reverse declaration order, and rvh_delegate_view_ (declared after frame_tree_) is therefore freed first, while the RenderViewHost teardown triggered by ~FrameTree still dereferences it. Any fix has to make frame_tree_ (and the RenderViewHosts it owns) go away before the delegate view does, e.g. by reordering the member declarations or by tearing frame_tree_ down explicitly in the destructor.
May 23 2017
Since the InterstitialPageImpl instance itself serves as the four delegates of its FrameTree, it looks quite wrong to me to let frame_tree_ be destroyed at an arbitrary point relative to them. Instead, InterstitialPageImpl should ensure frame_tree_ is destroyed before the other delegates (and before any member those delegates rely on, such as rvh_delegate_view_).
May 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8da026c9e77facffc5ed46cfb75c2932f09fcc12 commit 8da026c9e77facffc5ed46cfb75c2932f09fcc12 Author: zijiehe <zijiehe@chromium.org> Date: Wed May 24 07:49:53 2017 Fix crash bug http://crbug.com/725594 The order of destruction of frame_tree_ and rvh_delegate_view_ is relevant. This change ensures frame_tree_ is destructed before rvh_delegate_view_. BUG= chromium:725594 , chromium:725402 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation Review-Url: https://codereview.chromium.org/2903593003 Cr-Commit-Position: refs/heads/master@{#474201} [modify] https://crrev.com/8da026c9e77facffc5ed46cfb75c2932f09fcc12/content/browser/frame_host/interstitial_page_impl.cc [modify] https://crrev.com/8da026c9e77facffc5ed46cfb75c2932f09fcc12/content/browser/frame_host/interstitial_page_impl.h
May 24 2017
Comment 1 by zijiehe@chromium.org
, May 23 2017