SEGV Crash at ash::ShelfID::operator< when closing an ARC app window.

Issue description

Chrome Version: 61.0.3119.0
OS: Chrome OS 9618.0.0 (Samus Canary; ARC-N)

What steps will reproduce the problem?
(1) Launch the Play Store app.
(2) Close by the X button.

What is the expected result?
The window closes

What happens instead?
http://crash/019bcb2e40000000

Thread 0 (id: 5314) CRASHED [SIGSEGV @ 0xfffffffd3f0f9000 ]
0x0000581e127c9894 (chrome + 0x052d6894 ) ash::ShelfID::operator<(ash::ShelfID const&) const
0x0000581e127c832b (chrome + 0x052d532b ) ash::ShelfModel::SetShelfItemDelegate(ash::ShelfID const&, std::unique_ptr<ash::ShelfItemDelegate, std::default_delete<ash::ShelfItemDelegate> >)
0x0000581e12936064 (chrome + 0x05443064 ) ChromeLauncherController::CloseLauncherItem(ash::ShelfID const&)
0x0000581e12a1ab0a (chrome + 0x05527b0a ) ArcAppWindowLauncherController::OnTaskDestroyed(int)
0x0000581e12a0b773 (chrome + 0x05518773 ) ArcAppListPrefs::OnTaskDestroyed(int)
0x0000581e0f6952f3 (chrome + 0x021a22f3 ) arc::mojom::AppHostStubDispatch::Accept(arc::mojom::AppHost*, mojo::Message*)

+ARC Constables, +Yury, would you mind taking a look? I'm seeing this crash both on my recent-ish local builds and canary dogfooding device.
Jun 7 2017
Thanks for reporting, I will take a look..
Jun 7 2017
Jun 7 2017
Bisection showed: 19b30c2c383d https://codereview.chromium.org/2833173002
Mike, could you please take a look (this is potentially P0)?
From what I saw, it looks like mem corruption. On my side
void ShelfController::ShelfItemDelegateChanged(const ShelfID& id, ShelfItemDelegate* delegate) {
is supposed to be called, but this func is never entered.
Jun 7 2017
Jun 7 2017
I will look ASAP today, is there a way to repro on a linux dev box with chromeos=1? I'll be out tomorrow through June 27, so hopefully fixing this will be easy!
Jun 7 2017
Actually, khmel@ if you can repro, can you try my WIP fix for other issues in that same CL? I suspect it may help here too: https://codereview.chromium.org/2927693002/
Jun 7 2017
Let me try out #7
Jun 7 2017
#7 did not help :(
>> I will look ASAP today, is there a way to repro on a linux dev box with chromeos=1?
I can try to create some emulation layer but this could take time.
Jun 7 2017
I think #7 might help if I revise the arc controllers similar to the extension controller. I'll ping you when I have a new patch set; it would be great if you can help with testing. I can try to repro on device, but that will also take time (I'm still not good at this...)
Jun 7 2017
Yury has a fix at https://chromium-review.googlesource.com/c/527415/ Thanks for your help investigating/fixing/testing!!! Sorry about the inconvenience :-/
Jun 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6b3ba8995cb10ed30c7db3333db1be88307cc6c5

commit 6b3ba8995cb10ed30c7db3333db1be88307cc6c5
Author: khmel <khmel@google.com>
Date: Wed Jun 07 19:53:42 2017

Fix crash in shelf on ARC App window created.

This prevents a memory corruption when ash::ShelfId can be used
after its owner is destroyed.

TBR=jamescook@chromium.org
Bug: 730321
Test: Manually on device
Change-Id: I8fb00a38d75075aa1c69d8fe95f365f891bf1eeb
Reviewed-on: https://chromium-review.googlesource.com/527415
Reviewed-by: Michael Wasserman <msw@chromium.org>
Commit-Queue: Yury Khmel <khmel@google.com>
Cr-Commit-Position: refs/heads/master@{#477740}

[modify] https://crrev.com/6b3ba8995cb10ed30c7db3333db1be88307cc6c5/ash/public/cpp/shelf_model.cc
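The bug class named in the commit message above (an ID used after its owner is destroyed), as an added C++ illustration that is not part of the thread and is not Chromium code. `Id`, `Delegate`, `Model` and `CloseItem` are hypothetical stand-ins, and the sample ID is constructed.

```cpp
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>
// Hypothetical stand-ins for illustration; not Chromium types.
struct Id {
  std::string app;
  bool operator<(const Id& o) const { return app < o.app; }
};
struct Delegate {
  explicit Delegate(Id i) : id(std::move(i)) {}
  Id id;  // owned by the delegate; freed together with it
};
class Model {
 public:
  // Before: |id| may alias the old delegate's own id. The assignment frees
  // that delegate, so the read of |id| after it is a heap use-after-free.
  void SetDelegateUnsafe(const Id& id, std::unique_ptr<Delegate> d) {
    delegates_[id] = std::move(d);  // may destroy the owner of |id|
    changed.push_back(id.app);      // dangling read when aliased
  }
  // After: copy the id first so nothing depends on the caller's storage.
  void SetDelegateSafe(const Id& id, std::unique_ptr<Delegate> d) {
    const Id safe_id = id;
    delegates_[safe_id] = std::move(d);
    changed.push_back(safe_id.app);
  }
  const Delegate* Get(const Id& id) const {
    auto it = delegates_.find(id);
    return it == delegates_.end() ? nullptr : it->second.get();
  }
  std::vector<std::string> changed;  // ids reported to observers, in order
 private:
  std::map<Id, std::unique_ptr<Delegate>> delegates_;
};
// Hands the delegate's own id back to the model: the aliasing call pattern.
bool CloseItem(Model& m, const Id& key) {
  const Delegate* d = m.Get(key);
  if (!d) return false;
  m.SetDelegateSafe(d->id, nullptr);  // the unsafe variant would read freed memory
  return m.Get(key) == nullptr && m.changed.back() == key.app;
}
int main() {
  Model m;
  const Id key{"com.example.store"};  // constructed sample id
  m.SetDelegateSafe(key, std::make_unique<Delegate>(key));
  return CloseItem(m, key) ? 0 : 1;
}
```

Building with AddressSanitizer and switching `CloseItem` to `SetDelegateUnsafe` makes the dangling read show up as a heap-use-after-free report.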
Jun 7 2017
Jun 19 2017
Issue 734775 has been merged into this issue.
Sep 6 2017
Verified on build 9765.53.0
Comment 1 by yawano@chromium.org, Jun 7 2017