'Aw snap!' crash calling history.back()
Reported by a...@scirra.com, Jul 4 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3148.0 Safari/537.36

Steps to reproduce the problem:
1. Open https://editor.construct.net/?disable-ui-animations
2. Notice the dialog that says "Welcome to the Construct 3 public beta!" that appears on startup. Click the X in the top-right of that dialog to close it.

What is the expected behavior?
The dialog should close.

What went wrong?
The tab crashes with an "Aw snap!" error. By debugging this we traced it to a call to history.back() that crashes.

Did this work before? N/A

Chrome version: 61.0.3148.0  Channel: canary
OS Version: 10.0
Flash Version:

We use this to allow the browser back button to close dialogs (mainly useful on mobile, but enabled on desktop too). This means calling history.back() when we want to remove a pushState entry. Unfortunately, this can crash Chrome!
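The close-on-back pattern the reporter describes (push a history entry when a dialog opens, call history.back() to dismiss it, and let the popstate handler do the teardown so the browser back button shares the same path), as an added example in JavaScript. This is not code from the Chromium issue or from the Construct 3 editor; the FakeHistory stand-in, the DialogManager class and the dialog names are this example's own assumptions, chosen so it runs under Node without a DOM.

```javascript
// Added example, not code from the Chromium issue or the Construct 3 editor.
// FakeHistory is a constructed in-memory stand-in for window.history plus the
// popstate event so the example runs under Node. In a browser, pass
// window.history and hook window.addEventListener('popstate', ...) instead.
class FakeHistory {
  constructor() {
    this.entries = [{ state: null }]; // the page's initial entry
    this.index = 0;
    this.listeners = [];
  }
  get state() {
    return this.entries[this.index].state;
  }
  get length() {
    return this.entries.length;
  }
  pushState(state) {
    // A real pushState discards any forward entries, so mirror that.
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push({ state });
    this.index += 1;
  }
  back() {
    if (this.index === 0) return; // nothing to go back to
    this.index -= 1;
    // Browsers deliver popstate asynchronously; synchronous here for brevity.
    for (const fn of this.listeners) fn({ state: this.state });
  }
  addPopStateListener(fn) {
    this.listeners.push(fn);
  }
}

class DialogManager {
  constructor(history) {
    this.history = history;
    this.open = []; // names of open dialogs, innermost last
    history.addPopStateListener((ev) => this.onPopState(ev));
  }

  // Show a dialog: record it and push a history entry that names it.
  show(name) {
    if (this.open.includes(name)) return false;
    this.open.push(name);
    this.history.pushState({ dialog: name });
    return true;
  }

  // Close-button handler. Only the topmost dialog can be closed this way, and
  // it is closed by unwinding its history entry; the actual teardown happens
  // in onPopState so the "X" and the browser back button share one code path.
  close(name) {
    const top = this.open[this.open.length - 1];
    if (top !== name) return false;
    const current = this.history.state;
    if (current && current.dialog === name) {
      this.history.back();
    } else {
      // History no longer points at this dialog (e.g. the app navigated),
      // so there is no entry to pop; just tear the dialog down.
      this.open.pop();
    }
    return true;
  }

  // popstate fires for a user back press and for our own history.back()
  // alike. Close every dialog stacked above the one the new state names,
  // which also handles nested dialogs and a multi-step back navigation.
  onPopState(ev) {
    const stillOpen = ev.state && ev.state.dialog ? ev.state.dialog : null;
    while (this.open.length > 0 && this.open[this.open.length - 1] !== stillOpen) {
      this.open.pop();
    }
  }

  openDialogs() {
    return this.open.slice();
  }
}

// Walk through the reporter's scenario on the stand-in history.
function demo() {
  const history = new FakeHistory();
  const dialogs = new DialogManager(history);
  dialogs.show('welcome');   // startup dialog pushes an entry
  dialogs.show('settings');  // a nested dialog pushes another
  dialogs.close('settings'); // X button -> history.back() -> popstate
  const afterClose = dialogs.openDialogs(); // ['welcome']
  history.back();            // user presses the browser back button
  const afterBack = dialogs.openDialogs();  // []
  return { afterClose, afterBack, historyLength: history.length, historyIndex: history.index };
}
```

The point worth keeping from this is that popstate arrives for the application's own history.back() as well as for a user back press, and in a real browser it arrives asynchronously, so close() must only unwind the entry and leave the teardown to the handler. The example models only the history bookkeeping on the page side; it does not reproduce the renderer crash that the rest of this thread diagnoses.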
Jul 5 2017

Jul 5 2017
Able to reproduce the issue on Windows 10, Ubuntu 14.04 and Mac 10.12.5 with Stable #59.0.3071.115, Beta #60.0.3112.50, Dev #61.0.3141.7, Canary #61.0.3148.0. Issue is broken in M-59 branch builds.

Bisect Info:
===========
Good build: 59.0.3071.30, Bad build: 59.0.3071.31

Change Log:
============
https://chromium.googlesource.com/chromium/src/+log/59.0.3071.30..59.0.3071.31?pretty=fuller&n=10000

Suspecting CL:
===============
Review-Url: https://codereview.chromium.org/2848903002

fdoray@ - Could you please look into this issue, if it's related to your change? If not, could you please help us to reassign this issue to the right owner.
Jul 12 2017
I tried to run a repro on debug build, it DCHECKS even before closing the dialog. Here are the logs:

[32373:32373:0712/110325.428949:ERROR:gl_surface.cc(198)] Not implemented reached in virtual void gl::GLSurface::SetRelyOnImplicitSync(bool)
[1:1:0712/110325.740956:ERROR:render_process_impl.cc(173)] WebFrame LEAKED 1 TIMES
[32304:32304:0712/110326.311983:INFO:CONSOLE(6)] "SW registered", source: https://www.google.com/_/chrome/newtab?espv=2&ie=UTF-8 (6)
[32373:32373:0712/110333.923018:ERROR:gl_surface.cc(198)] Not implemented reached in virtual void gl::GLSurface::SetRelyOnImplicitSync(bool)
[32304:32304:0712/110334.237249:INFO:CONSOLE(1)] "[HTMLImports] Using polyfill", source: https://editor.construct.net/r44/loader/htmlimports.js (1)
[32304:32304:0712/110334.915866:INFO:CONSOLE(17)] "Registered root service worker on https://editor.construct.net/", source: https://editor.construct.net/register-root-sw.js (17)
[32304:32304:0712/110341.516946:INFO:CONSOLE(162)] "%cStop!", source: https://editor.construct.net/r44/main.js (162)
[32304:32304:0712/110341.518322:INFO:CONSOLE(162)] "%cThis is a browser feature intended for developers. If someone told you to copy and paste something here to enable a feature or "hack" something, it is a scam and may allow them to steal your account information or your work.", source: https://editor.construct.net/r44/main.js (162)
[32373:32373:0712/110341.651549:ERROR:gl_surface.cc(198)] Not implemented reached in virtual void gl::GLSurface::SetRelyOnImplicitSync(bool)
[32304:32304:0712/110343.615960:INFO:CONSOLE(162)] "Registered service worker on https://editor.construct.net/r44/", source: https://editor.construct.net/r44/main.js (162)
[32304:32346:0712/110345.602835:FATAL:http_stream_factory_impl.cc(267)] Check failed: job_controller->HasPendingAltJob() || job_controller->HasPendingMainJob().
#0 0x7f19023567ed base::debug::StackTrace::StackTrace()
#1 0x7f1902354e2c base::debug::StackTrace::StackTrace()
#2 0x7f19023e4faa logging::LogMessage::~LogMessage()
#3 0x7f18ffc6f38a net::HttpStreamFactoryImpl::AddJobControllerCountToHistograms()
#4 0x7f18ffc6e35f net::HttpStreamFactoryImpl::RequestStreamInternal()
#5 0x7f18ffc6e26d net::HttpStreamFactoryImpl::RequestStream()
#6 0x7f18ffc1353d net::HttpNetworkTransaction::DoCreateStream()
#7 0x7f18ffc0bd8a net::HttpNetworkTransaction::DoLoop()
#8 0x7f18ffc0b965 net::HttpNetworkTransaction::Start()
#9 0x55c5acee616d DevToolsNetworkTransaction::Start()
#10 0x7f18ffbdb091 net::HttpCache::Transaction::DoSendRequest()
#11 0x7f18ffbd099d net::HttpCache::Transaction::DoLoop()
#12 0x7f18ffbcee2b net::HttpCache::Transaction::OnIOComplete()
#13 0x7f18ffa7e2e1 _ZN4base8internal13FunctorTraitsIMN10disk_cache11SimpleIndexEFvNS3_22IndexWriteToDiskReasonEEvE6InvokeIRKNS_7WeakPtrIS3_EEJRKS4_EEEvS6_OT_DpOT0_
#14 0x7f18ffbee325 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN3net9HttpCache11TransactionEFviERKNS_7WeakPtrIS6_EEJiEEEvOT_OT0_DpOT1_
#15 0x7f18ffbee2a0 _ZN4base8internal7InvokerINS0_9BindStateIMN3net9HttpCache11TransactionEFviEJNS_7WeakPtrIS5_EEEEEFviEE7RunImplIRKS7_RKNSt3__15tupleIJS9_EEEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEEOi
#16 0x7f18ffbee1e4 _ZN4base8internal7InvokerINS0_9BindStateIMN3net9HttpCache11TransactionEFviEJNS_7WeakPtrIS5_EEEEEFviEE3RunEPNS0_13BindStateBaseEOi
#17 0x7f18ff7fc09c _ZNKR4base8CallbackIFviELNS_8internal8CopyModeE1ELNS2_10RepeatModeE1EE3RunEi
#18 0x7f18ffbba146 net::HttpCache::ProcessAddToEntryQueue()
#19 0x7f18ffbb9ec9 net::HttpCache::OnProcessQueuedTransactions()
#20 0x7f18ffbc9702 _ZN4base8internal13FunctorTraitsIMN3net9HttpCacheEFvPNS3_11ActiveEntryEEvE6InvokeIRKNS_7WeakPtrIS3_EEJRKS5_EEEvS7_OT_DpOT0_
#21 0x7f18ffbc9665 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN3net9HttpCacheEFvPNS5_11ActiveEntryEERKNS_7WeakPtrIS5_EEJRKS7_EEEvOT_OT0_DpOT1_
#22 0x7f18ffbc95dd _ZN4base8internal7InvokerINS0_9BindStateIMN3net9HttpCacheEFvPNS4_11ActiveEntryEEJNS_7WeakPtrIS4_EES6_EEEFvvEE7RunImplIRKS8_RKNSt3__15tupleIJSA_S6_EEEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#23 0x7f18ffbc94ec _ZN4base8internal7InvokerINS0_9BindStateIMN3net9HttpCacheEFvPNS4_11ActiveEntryEEJNS_7WeakPtrIS4_EES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#24 0x7f1902302161 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#25 0x7f190235b297 base::debug::TaskAnnotator::RunTask()
#26 0x7f1902413ebd base::MessageLoop::RunTask()
#27 0x7f1902414147 base::MessageLoop::DeferOrRunPendingTask()
#28 0x7f1902414eca base::MessageLoop::DoWork()
#29 0x7f190241e7a9 base::MessagePumpLibevent::Run()
#30 0x7f19024137e4 base::MessageLoop::Run()
#31 0x7f19024c752d base::RunLoop::Run()
#32 0x7f1902592544 base::Thread::Run()
#33 0x7f18fba2a2f6 content::BrowserThreadImpl::IOThreadRun()
#34 0x7f18fba2a5fb content::BrowserThreadImpl::Run()
#35 0x7f1902593162 base::Thread::ThreadMain()
#36 0x7f1902574391 base::(anonymous namespace)::ThreadFunc()
#37 0x7f190299a184 start_thread
#38 0x7f18eb25effd clone
Jul 12 2017

Jul 19 2017
It seems not related to sync.
Jul 19 2017

Jul 20 2017
Blink>Loader triager here. Bisected between 59.0.3071.30 and 60.0.3112.0 on Linux, found the first bad revision is: https://codereview.chromium.org/2766053002 This is also merged to M-59 release branch, in the range reported by Comment #3. Assigning to ekaramad@, the author of the suspected CL.
Jul 20 2017

Jul 20 2017
Sample crash report: fe3c16fe40000000

Stack Trace:
0x000000011059ed04 (Google Chrome Framework -WebLocalFrameImpl.cpp:1999 ) <name omitted>
0x00000001105439fd (Google Chrome Framework -ChromeClientImpl.cpp:1103 ) blink::ChromeClientImpl::OnMouseDown(blink::Node&)
0x0000000110d70727 (Google Chrome Framework -EventHandler.cpp:746 ) blink::EventHandler::HandleMousePressEvent(blink::WebMouseEvent const&)
0x000000011055ff6f (Google Chrome Framework -PageWidgetDelegate.cpp:251 ) blink::PageWidgetEventHandler::HandleMouseDown(blink::LocalFrame&, blink::WebMouseEvent const&)
0x00000001105bc436 (Google Chrome Framework -WebViewImpl.cpp:498 ) blink::WebViewImpl::HandleMouseDown(blink::LocalFrame&, blink::WebMouseEvent const&)
0x000000011055fccc (Google Chrome Framework -PageWidgetDelegate.cpp:165 ) blink::PageWidgetDelegate::HandleInputEvent(blink::PageWidgetEventHandler&, blink::WebCoalescedInputEvent const&, blink::LocalFrame*)
0x00000001105bf1f4 (Google Chrome Framework -WebViewImpl.cpp:2251 ) blink::WebViewImpl::HandleInputEvent(blink::WebCoalescedInputEvent const&)
0x00000001117be5e9 (Google Chrome Framework -render_widget_input_handler.cc:315 ) content::RenderWidgetInputHandler::HandleInputEvent(blink::WebCoalescedInputEvent const&, ui::LatencyInfo const&, content::InputEventDispatchType)
0x00000001118437e8 (Google Chrome Framework -render_widget.cc:816 ) content::RenderWidget::OnHandleInputEvent(blink::WebInputEvent const*, std::__1::vector<blink::WebInputEvent const*, std::__1::allocator<blink::WebInputEvent const*> > const&, ui::LatencyInfo const&, content::InputEventDispatchType)
0x0000000111843699 (Google Chrome Framework -tuple.h:77 ) bool IPC::MessageT<InputMsg_HandleInputEvent_Meta, std::__1::tuple<blink::WebInputEvent const*, std::__1::vector<blink::WebInputEvent const*, std::__1::allocator<blink::WebInputEvent const*> >, ui::LatencyInfo, content::InputEventDispatchType>, void>::Dispatch<content::RenderWidget, content::RenderWidget, void, void (content::RenderWidget::*)(blink::WebInputEvent const*, std::__1::vector<blink::WebInputEvent const*, std::__1::allocator<blink::WebInputEvent const*> > const&, ui::LatencyInfo const&, content::InputEventDispatchType)>(IPC::Message const*, content::RenderWidget*, content::RenderWidget*, void*, void (content::RenderWidget::*)(blink::WebInputEvent const*, std::__1::vector<blink::WebInputEvent const*, std::__1::allocator<blink::WebInputEvent const*> > const&, ui::LatencyInfo const&, content::InputEventDispatchType))
0x000000011184315f (Google Chrome Framework -render_widget.cc:600 ) content::RenderWidget::OnMessageReceived(IPC::Message const&)
0x0000000111835e2d (Google Chrome Framework -render_view_impl.cc:1259 ) content::RenderViewImpl::OnMessageReceived(IPC::Message const&)
0x00000001117b8266 (Google Chrome Framework -callback.h:80 ) content::InputEventFilter::HandleEventOnMainThread(int, blink::WebCoalescedInputEvent const*, ui::LatencyInfo const&, content::InputEventDispatchType)
0x00000001117bc54d (Google Chrome Framework -main_thread_event_queue.cc:137 ) content::(anonymous namespace)::QueuedWebInputEvent::Dispatch(int, content::MainThreadEventQueueClient*)
0x00000001117bbd46 (Google Chrome Framework -main_thread_event_queue.cc:394 ) content::MainThreadEventQueue::DispatchEvents()
0x000000010d9d7b10 (Google Chrome Framework -callback.h:91 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000000011044726e (Google Chrome Framework -task_queue_manager.cc:539 ) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*)
0x00000001104452c1 (Google Chrome Framework -task_queue_manager.cc:337 ) blink::scheduler::TaskQueueManager::DoWork(bool)
0x000000010d9d7b10 (Google Chrome Framework -callback.h:91 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000000010da004fa (Google Chrome Framework -message_loop.cc:423 ) base::MessageLoop::RunTask(base::PendingTask*)
0x000000010da0084b (Google Chrome Framework -message_loop.cc:434 ) base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)

Seems like for the node passed on to this method GetDocument().GetFrame() is returning nullptr.
Jul 20 2017
I also should point out that a DCHECK fires before the crash in Document::SetSequentialFocusNavigationStartingPoint(Node) where the node's document (same node in the crash stack trace) does not belong to the document. I wonder if that is a separate bug. The node is of type SVGGraphicsElement. cc-ing tkent@ who has worked on implementing this method. tkent@ Do you know why this hit testing might be working like this?
Jul 20 2017
Note our dialog engine involves moving elements between documents when showing and hiding the dialog, which sounds related.
Jul 21 2017
> I also should point out that a DCHECK fires before the crash in
> Document::SetSequentialFocusNavigationStartingPoint(Node)

It's a bug, but I don't think it's related to this crash. Filed Issue 747207 for it.
Jul 21 2017
Issue 739306 has been merged into this issue.
Jul 21 2017
Reproducible on 59.0.3071.115 (Official Build) (64-bit) so adding the correct label.
Jul 24 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/94db0a33758ba48ae3c6da75b58b2ba480ac9bcf

commit 94db0a33758ba48ae3c6da75b58b2ba480ac9bcf
Author: EhsanK <ekaramad@chromium.org>
Date: Mon Jul 24 19:20:28 2017

Fix a crash due to GetDocument().GetFrame() returning nullptr

In ChromeClientImpl::OnMouseDown the node passed might have a document whose frame is nullptr. This was causing crashes when trying to get the AutofillClient from WebLocalFrame associated with the GetFrame(). The new method ChromeClientImpl::AutofillClientFromFrame will now take a nullable frame and returns the AutofillClient corresponding to the associated WebLocalFrame.

Bug: 739199
Change-Id: I551db0cd9ee0ff3ac80b47f859fb00716f73e94d
Reviewed-on: https://chromium-review.googlesource.com/580294
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Ehsan Karamad <ekaramad@chromium.org>
Cr-Commit-Position: refs/heads/master@{#489045}

[modify] https://crrev.com/94db0a33758ba48ae3c6da75b58b2ba480ac9bcf/third_party/WebKit/Source/core/page/ChromeClientImpl.cpp
[modify] https://crrev.com/94db0a33758ba48ae3c6da75b58b2ba480ac9bcf/third_party/WebKit/Source/core/page/ChromeClientImpl.h
Jul 25 2017
After the fix the crash is not reproducible on Canary anymore. Marking as fixed and adding merge request for M60.
Jul 25 2017
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jul 27 2017

Jul 28 2017
Your change meets the bar and is auto-approved for M61. Please go ahead and merge the CL to branch 3163 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jul 28 2017
+bustamante@
Jul 28 2017
This change meets the bar (functional regression) and is approved for merge into M60.
Jul 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4f826d76f1c5b208ecac42f754424eab5874ba49

commit 4f826d76f1c5b208ecac42f754424eab5874ba49
Author: EhsanK <ekaramad@chromium.org>
Date: Fri Jul 28 21:20:53 2017

Fix a crash due to GetDocument().GetFrame() returning nullptr

In ChromeClientImpl::OnMouseDown the node passed might have a document whose frame is nullptr. This was causing crashes when trying to get the AutofillClient from WebLocalFrame associated with the GetFrame(). The new method ChromeClientImpl::AutofillClientFromFrame will now take a nullable frame and returns the AutofillClient corresponding to the associated WebLocalFrame.

Bug: 739199
TBR=tkent@chromium.org
Change-Id: Id5b7fdc1ec1ed27fd43c7cc870a691df80eb9eda
Reviewed-on: https://chromium-review.googlesource.com/580294
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Ehsan Karamad <ekaramad@chromium.org>
Cr-Commit-Position: refs/heads/master@{#489045}
(cherry picked from commit 94db0a33758ba48ae3c6da75b58b2ba480ac9bcf)
Change-Id: Id5b7fdc1ec1ed27fd43c7cc870a691df80eb9eda
Reviewed-on: https://chromium-review.googlesource.com/592408
Reviewed-by: Ehsan Karamad <ekaramad@chromium.org>
Cr-Commit-Position: refs/branch-heads/3112@{#692}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

[modify] https://crrev.com/4f826d76f1c5b208ecac42f754424eab5874ba49/third_party/WebKit/Source/web/ChromeClientImpl.cpp
[modify] https://crrev.com/4f826d76f1c5b208ecac42f754424eab5874ba49/third_party/WebKit/Source/web/ChromeClientImpl.h
Jul 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/55041253e92bd62257f1cfc7536f645d7d359226

commit 55041253e92bd62257f1cfc7536f645d7d359226
Author: EhsanK <ekaramad@chromium.org>
Date: Fri Jul 28 21:42:36 2017

Fix a crash due to GetDocument().GetFrame() returning nullptr

In ChromeClientImpl::OnMouseDown the node passed might have a document whose frame is nullptr. This was causing crashes when trying to get the AutofillClient from WebLocalFrame associated with the GetFrame(). The new method ChromeClientImpl::AutofillClientFromFrame will now take a nullable frame and returns the AutofillClient corresponding to the associated WebLocalFrame.

TBR=tkent@chromium.org
(cherry picked from commit 94db0a33758ba48ae3c6da75b58b2ba480ac9bcf)

Bug: 739199
Change-Id: Ib9ddc4bba86504c1ad02fd43c4c2f19368d53e9d
Reviewed-on: https://chromium-review.googlesource.com/580294
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Ehsan Karamad <ekaramad@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#489045}
Reviewed-on: https://chromium-review.googlesource.com/592413
Reviewed-by: Ehsan Karamad <ekaramad@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#116}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}

[modify] https://crrev.com/55041253e92bd62257f1cfc7536f645d7d359226/third_party/WebKit/Source/web/ChromeClientImpl.cpp
[modify] https://crrev.com/55041253e92bd62257f1cfc7536f645d7d359226/third_party/WebKit/Source/web/ChromeClientImpl.h
Jul 29 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c0510e322a9526540162ca93be933d7a4c2f2100

commit c0510e322a9526540162ca93be933d7a4c2f2100
Author: EhsanK <ekaramad@chromium.org>
Date: Sat Jul 29 00:47:30 2017

Fixing a compile error on M60 branch due to missing forward declaration

This CL fixes the broken build introduced in https://chromium-review.googlesource.com/c/592413.

TBR=ekaramad@chromium.org,tkent@chromium.org

Bug: 739199
Change-Id: Ida864688c5bcc254614d169bb03a88a58549c651
Reviewed-on: https://chromium-review.googlesource.com/592525
Reviewed-by: Ehsan Karamad <ekaramad@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#127}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}

[modify] https://crrev.com/c0510e322a9526540162ca93be933d7a4c2f2100/third_party/WebKit/Source/web/ChromeClientImpl.h
Jul 29 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4ff3fa570bab084ce0ceb5d0975e0f930b7807f2

commit 4ff3fa570bab084ce0ceb5d0975e0f930b7807f2
Author: EhsanK <ekaramad@chromium.org>
Date: Sat Jul 29 00:54:30 2017

Fixing a compile error on M60 branch due to missing forward declaration

This CL fixes the broken build introduced in https://chromium-review.googlesource.com/c/592413.

TBR=ekaramad@chromium.org, tkent@chromium.org
(cherry picked from commit c0510e322a9526540162ca93be933d7a4c2f2100)

Bug: 739199
Change-Id: Ida864688c5bcc254614d169bb03a88a58549c651
Reviewed-on: https://chromium-review.googlesource.com/592525
Reviewed-by: Ehsan Karamad <ekaramad@chromium.org>
Cr-Original-Commit-Position: refs/branch-heads/3163@{#127}
Cr-Original-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
Reviewed-on: https://chromium-review.googlesource.com/591922
Cr-Commit-Position: refs/branch-heads/3112@{#694}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

[modify] https://crrev.com/4ff3fa570bab084ce0ceb5d0975e0f930b7807f2/third_party/WebKit/Source/web/ChromeClientImpl.h
Aug 1 2017
Verified this issue on Ubuntu 14.04, Windows-10 and Mac OS 10.12.5 using chrome latest Dev #61.0.3163.25 by following steps mentioned in the original comment. Observed no crashes by closing the initial dialog box from the page. Hence adding TE-Verified label for M-61. Thanks!
Aug 2 2017
Verified this issue on Ubuntu 14.04, Windows-10 and Mac OS 10.12.5 using chrome latest Stable #60.0.3112.90 and observed no crashes. Hence adding TE-Verified label. Thanks!
Sep 5 2017
s/Fixed./Fixed
Comment 1 by cbiesin...@chromium.org, Jul 4 2017