Issue 755344 link

Starred by 1 user

Issue metadata

Status:	Untriaged
Owner:	----
Cc:	robliao@chromium.org gab@chromium.org fdoray@chromium.org
Components:	Internals>Core
EstimatedDays:	----
NextAction:	----
OS:	Windows
Pri:	3
Type:	Bug
Stability-Crash Fracas

COM uninitialization at end of main() pumps and can re-enter chrome

Project Member Reported by cr...@system.gserviceaccount.com, Aug 14 2017

Issue description

reporter:gab@google.com

crash_analysis_section:start
crash_analysis_section:end

Magic Signature: base::SequencedTaskRunnerHandle::Get

Crash link: https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%20CONTAINS%20'TaskRunnerHandle'%20AND%20product.Version%20CONTAINS%20'62.0.'%20AND%20ReportID%3D'26c496188fbe0558'%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D'base%3A%3ASequencedTaskRunnerHandle%3A%3AGet'&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#3

-------------------------------------------------------------------------------
Sample Report
-------------------------------------------------------------------------------
Product name: Chrome
Magic Signature : base::SequencedTaskRunnerHandle::Get
Product Version: 62.0.3183.0
Report ID: 26c496188fbe0558
Report Url: https://crash.corp.google.com/26c496188fbe0558
Report Time: 2017-08-12T17:42:03-07:00
Upload Time: 2017-08-12T17:42:12.897-07:00
Uptime: 171000 ms
CumulativeProductUptime: 0 ms
OS Name: Windows NT
OS Version: 10.0.14393 0
CPU Architecture: amd64
CPU Info: family 22 model 48 stepping 1

-------------------------------------------------------------------------------
Crashing thread: Thread index: 0. Stack Quality: 100%. Thread id: 1380.
-------------------------------------------------------------------------------
0x00007ffd72419e46 (chrome.dll - sequenced_task_runner_handle.cc: 57)	base::SequencedTaskRunnerHandle::Get()
0x00007ffd724f1c53 (chrome.dll - post_task_and_reply_impl.cc: 84)	base::internal::PostTaskAndReplyImpl::PostTaskAndReply(tracked_objects::Location const &,base::Callback<void ,0,0>,base::Callback<void ,0,0>)
0x00007ffd729bdccd (chrome.dll - post_task.cc: 83)	base::PostTaskWithTraitsAndReply(tracked_objects::Location const &,base::TaskTraits const &,base::Callback<void ,0,0>,base::Callback<void ,0,0>)
0x00007ffd73775d0b (chrome.dll - post_task.h: 159)	base::PostTaskWithTraitsAndReplyWithResult<std::map<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >,std::map<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > >
0x00007ffd73774cca (chrome.dll - post_task.h: 178)	base::PostTaskWithTraitsAndReplyWithResult<std::map<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >,std::map<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > >
0x00007ffd73774bb1 (chrome.dll - color_profile_reader.cc: 67)	display::win::ColorProfileReader::UpdateIfNeeded()
0x00007ffd727225a0 (chrome.dll - screen_win.cc: 518)	display::win::ScreenWin::OnWndProc(HWND__ *,unsigned int,unsigned __int64,__int64)
0x00007ffd729fd84b (chrome.dll - bind_internal.h: 312)	base::internal::Invoker<base::internal::BindState<void (device::TimeZoneMonitorWin::*)(HWND__ *, unsigned int, unsigned long long, long long), base::internal::UnretainedWrapper<device::TimeZoneMonitorWin> >, void (HWND__ *, unsigned int, unsigned long long, long long)>::Run
0x00007ffd72722535 (chrome.dll - singleton_hwnd_observer.cc: 31)	gfx::SingletonHwndObserver::OnWndProc(HWND__ *,unsigned int,unsigned __int64,__int64)
0x00007ffd72476799 (chrome.dll - singleton_hwnd.cc: 25)	gfx::SingletonHwnd::ProcessWindowMessage(HWND__ *,unsigned int,unsigned __int64,__int64,__int64 &,unsigned long)
0x00007ffd724766d8 (chrome.dll - window_impl.cc: 270)	gfx::WindowImpl::OnWndProc(unsigned int,unsigned __int64,__int64)
0x00007ffd72476529 (chrome.dll - wrapped_window_proc.h: 80)	base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned __int64,__int64)>(HWND__ *,unsigned int,unsigned __int64,__int64)
0x00007ffda9d51c23 (USER32.dll + 0x00011c23)	UserCallWinProcCheckWow
0x00007ffda9d51916 (USER32.dll + 0x00011916)	DispatchClientMessage
0x00007ffda9d65f6f (USER32.dll + 0x00025f6f)	_fnINSTRINGNULL
0x00007ffdaa849c53 (ntdll.dll + 0x000a9c53)	KiUserCallbackDispatch
0x00007ffda6f010c3 (win32u.dll + 0x000010c3)	NtUserPeekMessage

reporter:gab@google.com

Magic Signature: base::SequencedTaskRunnerHandle::Get

Crash link: https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%20CONTAINS%20'TaskRunnerHandle'%20AND%20product.Version%20CONTAINS%20'62.0.'%20AND%20ReportID%3D'26c496188fbe0558'%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D'base%3A%3ASequencedTaskRunnerHandle%3A%3AGet'&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#3

-------------------------------------------------------------------------------
Sample Stack
-------------------------------------------------------------------------------
chrome_7ffd723f0000!base::SequencedTaskRunnerHandle::Get+0xc6 [C:\b\c\b\win64_clang\src\base\threading\sequenced_task_runner_handle.cc @ 57]
chrome_7ffd723f0000!base::`anonymous namespace'::PostTaskAndReplyRelay::PostTaskAndReplyRelay+0x1a [C:\b\c\b\win64_clang\src\base\threading\post_task_and_reply_impl.cc @ 36]
chrome_7ffd723f0000!base::internal::PostTaskAndReplyImpl::PostTaskAndReply+0x74 [C:\b\c\b\win64_clang\src\base\threading\post_task_and_reply_impl.cc @ 84]
chrome_7ffd723f0000!base::PostTaskWithTraitsAndReply+0x6e [C:\b\c\b\win64_clang\src\base\task_scheduler\post_task.cc @ 85]
chrome_7ffd723f0000!base::PostTaskWithTraitsAndReplyWithResult<std::map<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >,std::map<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > >+0x107 [C:\b\c\b\win64_clang\src\base\task_scheduler\post_task.h @ 165]
chrome_7ffd723f0000!base::PostTaskWithTraitsAndReplyWithResult<std::map<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > >,std::map<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > > > >+0x88 [C:\b\c\b\win64_clang\src\base\task_scheduler\post_task.h @ 181]
chrome_7ffd723f0000!display::win::ColorProfileReader::UpdateIfNeeded+0x1d6 [C:\b\c\b\win64_clang\src\ui\display\win\color_profile_reader.cc @ 67]
chrome_7ffd723f0000!display::win::ScreenWin::OnWndProc+0x31 [C:\b\c\b\win64_clang\src\ui\display\win\screen_win.cc @ 518]
chrome_7ffd723f0000!base::internal::FunctorTraits<void (device::TimeZoneMonitorWin::*)(HWND__ *, unsigned int, unsigned long long, long long), void>::Invoke+0x1c [C:\b\c\b\win64_clang\src\base\bind_internal.h @ 196]
chrome_7ffd723f0000!base::internal::InvokeHelper<false, void>::MakeItSo+0x1c [C:\b\c\b\win64_clang\src\base\bind_internal.h @ 265]
chrome_7ffd723f0000!base::internal::Invoker<base::internal::BindState<void (device::TimeZoneMonitorWin::*)(HWND__ *, unsigned int, unsigned long long, long long), base::internal::UnretainedWrapper<device::TimeZoneMonitorWin> >, void (HWND__ *, unsigned int, unsigned long long, long long)>::RunImpl+0x1c [C:\b\c\b\win64_clang\src\base\bind_internal.h @ 340]
chrome_7ffd723f0000!base::internal::Invoker<base::internal::BindState<void (device::TimeZoneMonitorWin::*)(HWND__ *, unsigned int, unsigned long long, long long), base::internal::UnretainedWrapper<device::TimeZoneMonitorWin> >, void (HWND__ *, unsigned int, unsigned long long, long long)>::Run+0x28 [C:\b\c\b\win64_clang\src\base\bind_internal.h @ 323]
chrome_7ffd723f0000!base::Callback<void (HWND__ *, unsigned int, unsigned long long, long long), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>::Run+0x14 [C:\b\c\b\win64_clang\src\base\callback.h @ 80]
chrome_7ffd723f0000!gfx::SingletonHwndObserver::OnWndProc+0x4c [C:\b\c\b\win64_clang\src\ui\gfx\win\singleton_hwnd_observer.cc @ 31]
chrome_7ffd723f0000!gfx::SingletonHwnd::ProcessWindowMessage+0x86 [C:\b\c\b\win64_clang\src\ui\gfx\win\singleton_hwnd.cc @ 24]
chrome_7ffd723f0000!gfx::WindowImpl::OnWndProc+0x5f [C:\b\c\b\win64_clang\src\ui\gfx\win\window_impl.cc @ 270]
chrome_7ffd723f0000!base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>+0x82 [C:\b\c\b\win64_clang\src\base\win\wrapped_window_proc.h @ 80]
USER32!UserCallWinProcCheckWow+0x274
USER32!DispatchClientMessage+0xa7
USER32!_fnINSTRINGNULL+0x60
ntdll!KiUserCallbackDispatcherContinue
win32u!NtUserPeekMessage+0x14
USER32!PeekMessageW+0xfe
combase!PeekTillDone+0x37 [d:\rs1\onecore\com\combase\dcomrem\chancont.cxx @ 606]
combase!OXIDEntry::WaitForApartmentShutdown+0x28 [d:\rs1\onecore\com\combase\dcomrem\ipidtbl.cxx @ 1510]
combase!OXIDEntry::StopServer+0x77 [d:\rs1\onecore\com\combase\dcomrem\ipidtbl.cxx @ 1436]
combase!CComApartment::StopServer+0x2b [d:\rs1\onecore\com\combase\dcomrem\aprtmnt.cxx @ 1425]
combase!StopThread+0x37 [d:\rs1\onecore\com\combase\class\compobj.cxx @ 2380]
combase!ApartmentUninitialize+0xa1 [d:\rs1\onecore\com\combase\class\compobj.cxx @ 2597]
combase!wCoUninitialize+0xe2 [d:\rs1\onecore\com\combase\class\compobj.cxx @ 4026]
combase!CoUninitialize+0x85 [d:\rs1\onecore\com\combase\class\compobj.cxx @ 3946]
IMM32!CtfImmCoUninitialize+0x3e
MSCTF!TF_Notify+0x1ab
USER32!CtfHookProcWorker+0x20
USER32!CallHookWithSEH+0x29
USER32!_fnHkINDWORD+0x1e
ntdll!KiUserCallbackDispatcherContinue
win32u!NtUserDestroyWindow+0x14
chrome_7ffd723f0000!gfx::SingletonHwnd::~SingletonHwnd+0x31 [C:\b\c\b\win64_clang\src\ui\gfx\win\singleton_hwnd.cc @ 44]
chrome_7ffd723f0000!gfx::SingletonHwnd::~SingletonHwnd+0x10 [C:\b\c\b\win64_clang\src\ui\gfx\win\singleton_hwnd.cc @ 38]
chrome_7ffd723f0000!base::DefaultSingletonTraits<gfx::SingletonHwnd>::Delete+0x10 [C:\b\c\b\win64_clang\src\base\memory\singleton.h @ 59]
chrome_7ffd723f0000!base::Singleton<gfx::SingletonHwnd, base::DefaultSingletonTraits<gfx::SingletonHwnd>, gfx::SingletonHwnd>::OnExit+0x1b [C:\b\c\b\win64_clang\src\base\memory\singleton.h @ 283]
chrome_7ffd723f0000!base::Callback<void (), base::internal::CopyMode::Copyable, base::internal::RepeatMode::Repeating>::Run+0x8 [C:\b\c\b\win64_clang\src\base\callback.h @ 80]
chrome_7ffd723f0000!base::AtExitManager::ProcessCallbacksNow+0x14d [C:\b\c\b\win64_clang\src\base\at_exit.cc @ 88]
chrome_7ffd723f0000!base::AtExitManager::~AtExitManager+0x21 [C:\b\c\b\win64_clang\src\base\at_exit.cc @ 46]
chrome_7ffd723f0000!std::default_delete<base::AtExitManager>::operator()+0x8 [c:\b\c\win_toolchain\vs_files\f53e4598951162bad6330f7a167486c7ae5db1e5\vc\include\memory @ 1195]
chrome_7ffd723f0000!std::unique_ptr<base::AtExitManager, std::default_delete<base::AtExitManager> >::reset+0x18 [c:\b\c\win_toolchain\vs_files\f53e4598951162bad6330f7a167486c7ae5db1e5\vc\include\memory @ 1431]
chrome_7ffd723f0000!content::ContentMainRunnerImpl::Shutdown+0x89 [C:\b\c\b\win64_clang\src\content\app\content_main_runner.cc @ 714]
chrome_7ffd723f0000!service_manager::Main+0x814 [C:\b\c\b\win64_clang\src\services\service_manager\embedder\main.cc @ 492]
chrome_7ffd723f0000!content::ContentMain+0x3e [C:\b\c\b\win64_clang\src\content\app\content_main.cc @ 19]
chrome_7ffd723f0000!ChromeMain+0x12e [C:\b\c\b\win64_clang\src\chrome\app\chrome_main.cc @ 125]
chrome!MainDllLoader::Launch+0x131 [C:\b\c\b\win64_clang\src\chrome\app\main_dll_loader_win.cc @ 199]
chrome!wWinMain+0x775 [C:\b\c\b\win64_clang\src\chrome\app\chrome_exe_main_win.cc @ 275]
chrome!invoke_main+0x21 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 113]
chrome!__scrt_common_main_seh+0x117 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Comment 1 by gab@chromium.org, Aug 14 2017

Description: Show this description

Comment 2 by gab@chromium.org, Aug 14 2017

Cc: robliao@chromium.org fdoray@chromium.org gab@chromium.org
Labels: -Restrict-View-EditIssue
Summary: COM uninitialization at end of main() pumps and can re-enter chrome (was: Chrome: Crash Report - base::SequencedTaskRunnerHandle::Get)

The important bits are:

base::AtExitManager::~AtExitManager
->combase!CoUninitialize
->combase!PeekTillDone
->gfx::SingletonHwndObserver::OnWndProc
->display::win::ColorProfileReader::UpdateIfNeeded

(which results in calling PostTaskAndReply() which uses long gone chrome state).

This is fixed by atomic shutdown FWIW...

Comment 3 by robliao@chromium.org, Aug 14 2017

There is one more thing: This is all because we are destroying an HWND (win32u!NtUserDestroyWindow). That's causing it to hit IME uninitialization, which also uninitializes COM (IMM32 or Input Method Manager). COM STA uninitialization unsurprisingly pumps messages, causing the reentrancy.

Project Member

Comment 4 by sheriffbot@chromium.org, Mar 10 2018

Labels: Fracas



If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Comment 5 by robliao@chromium.org, May 29 2018

Labels: -Pri-2 Pri-3

Triaging to P3.

Comment 6 by dtapu...@chromium.org, Jul 5

Components: Internals>Core

►

Issue 755344 link

Issue metadata

COM uninitialization at end of main() pumps and can re-enter chrome

Issue description

Comment 1 by gab@chromium.org, Aug 14 2017

Comment 1 Deleted

Comment 2 by gab@chromium.org, Aug 14 2017

Comment 2 Deleted

Comment 3 by robliao@chromium.org, Aug 14 2017

Comment 3 Deleted

Comment 4 by sheriffbot@chromium.org, Mar 10 2018

Comment 4 Deleted

Comment 5 by robliao@chromium.org, May 29 2018

Comment 5 Deleted

Comment 6 by dtapu...@chromium.org, Jul 5

Comment 6 Deleted

Sign in to add a comment