
Issue 757000


Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




WebLocalFrameImpl::StopFinding() can crash

Project Member Reported by maxlg@chromium.org, Aug 18 2017

Issue description

Chrome Version: 
Chromium	62.0.3190.0 (Developer Build) (64-bit)
Revision	58528769e6672ca56a03ecb1febb7ae30267f313-
OS	Linux
JavaScript	V8 6.2.281
Flash	(Disabled)
User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3190.0 Safari/537.36
Command Line	./out/Default/chrome --flag-switches-begin --flag-switches-end
Executable Path	/usr/local/google/home/maxlg/Develop/gitRepo/chrome/chromium3/src/out/Default/chrome
Profile Path	/usr/local/google/home/maxlg/.config/chromium/Default
Variations	BackgroundVideoOptimizations:BackgroundOptimizationEnabled1sOrLessMediaSource

OS: Linux

What steps will reproduce the problem?
(1) clone https://github.com/w3c/web-platform-tests
(2) run ./wpt serve
(3) note down the port of the wpt server, for example, xxx
(4) open the chromium
(5) go to 127.0.0.1:xxx
(6) click an arbitrary folder, for example, /page-visibility 

What is the expected result?
It should have entered the folder.

What happens instead?
The tab crashes.

------------------------------------------------------------------
[1:1:0818/142803.198468:FATAL:SelectionTemplate.cpp(105)] Check failed: base_.GetDocument() == document (#document vs. #document)Selection(base: #text "page-visibility/"@offsetInAnchor[0], extent: #text "page-visibility/"@offsetInAnchor[4])
#0 0x7f29a5836d8d base::debug::StackTrace::StackTrace()
#1 0x7f29a583515c base::debug::StackTrace::StackTrace()
#2 0x7f29a58c58da logging::LogMessage::~LogMessage()
#3 0x7f2993f40169 blink::SelectionTemplate<>::AssertValidFor()
#4 0x7f2993f00310 blink::FrameSelection::SetSelectionDeprecated()
#5 0x7f2993f001e7 blink::FrameSelection::SetSelection()
#6 0x7f2993f00ae4 blink::FrameSelection::SetSelection()
#7 0x7f2993f4541e blink::TextFinder::SetFindEndstateFocusAndSelection()
#8 0x7f299424d40a blink::WebLocalFrameImpl::StopFinding()
#9 0x7f29a06e855a content::RenderFrameImpl::OnStopFinding()
#10 0x7f299e0ab85f _ZN4base20DispatchToMethodImplIPN7content27ChildHistogramMessageFilterEMS2_FviERKNSt3__15tupleIJiEEEJLm0EEEEvRKT_T0_OT1_NS6_16integer_sequenceImJXspT2_EEEE
#11 0x7f299e0ab7b0 _ZN4base16DispatchToMethodIPN7content27ChildHistogramMessageFilterEMS2_FviERKNSt3__15tupleIJiEEEEEvRKT_T0_OT1_
#12 0x7f29a072ac8f _ZN3IPC16DispatchToMethodIN7content15RenderFrameImplEMS2_FvNS1_14StopFindActionEEvNSt3__15tupleIJS3_EEEEEvPT_T0_PT1_RKT2_
#13 0x7f29a071b216 _ZN3IPC8MessageTI25FrameMsg_StopFinding_MetaNSt3__15tupleIJN7content14StopFindActionEEEEvE8DispatchINS4_15RenderFrameImplES9_vMS9_FvS5_EEEbPKNS_7MessageEPT_PT0_PT1_T2_
#14 0x7f29a06e031c content::RenderFrameImpl::OnMessageReceived()
#15 0x7f29a3d5198b IPC::MessageRouter::RouteMessage()
#16 0x7f299e0af7c8 content::ChildThreadImpl::ChildThreadMessageRouter::RouteMessage()
#17 0x7f29a3d5190e IPC::MessageRouter::OnMessageReceived()
#18 0x7f299e0b6d0d content::ChildThreadImpl::OnMessageReceived()
#19 0x7f29a3cf6808 IPC::ChannelProxy::Context::OnDispatchMessage()
#20 0x7f29a3cfcddf _ZN4base8internal13FunctorTraitsIMN3IPC12ChannelProxy7ContextEFvRKNS2_7MessageEEvE6InvokeIRK13scoped_refptrIS4_EJS7_EEEvS9_OT_DpOT0_
#21 0x7f29a3cfcd3f _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3IPC12ChannelProxy7ContextEFvRKNS4_7MessageEEJRK13scoped_refptrIS6_ES9_EEEvOT_DpOT0_
#22 0x7f29a3cfcccd _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE7RunImplIRKSA_RKNSt3__15tupleIJSC_S6_EEEJLm0ELm1EEEEvOT_OT0_NSJ_16integer_sequenceImJXspT1_EEEE
#23 0x7f29a3cfcbdc _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#24 0x7f29a57e1fd1 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#25 0x7f29a583b9e7 base::debug::TaskAnnotator::RunTask()
#26 0x7f29927e786a blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#27 0x7f29927e2a0a blink::scheduler::TaskQueueManager::DoWork()
#28 0x7f29927ef1b7 _ZN4base8internal13FunctorTraitsIMN5blink9scheduler16TaskQueueManagerEFvbEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKbEEEvS6_OT_DpOT0_
#29 0x7f29927ef115 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler16TaskQueueManagerEFvbERKNS_7WeakPtrIS6_EEJRKbEEEvOT_OT0_DpOT1_
#30 0x7f29927ef08d _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE7RunImplIRKS7_RKNSt3__15tupleIJS9_bEEEJLm0ELm1EEEEvOT_OT0_NSG_16integer_sequenceImJXspT1_EEEE
#31 0x7f29927eef9c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE3RunEPNS0_13BindStateBaseE
#32 0x7f29a57e1fd1 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#33 0x7f29a583b9e7 base::debug::TaskAnnotator::RunTask()
#34 0x7f29a58f0bc3 base::MessageLoop::RunTask()
#35 0x7f29a58f0e47 base::MessageLoop::DeferOrRunPendingTask()
#36 0x7f29a58f1b34 base::MessageLoop::DoWork()
#37 0x7f29a58f8558 base::MessagePumpDefault::Run()
#38 0x7f29a58f0384 base::MessageLoop::Run()
#39 0x7f29a59a6e9d base::RunLoop::Run()
#40 0x7f29a07d4c8b content::RendererMain()
#41 0x7f29a0c9639c content::RunZygote()
#42 0x7f29a0c97069 content::RunNamedProcessTypeMain()
#43 0x7f29a0c99abe content::ContentMainRunnerImpl::Run()
#44 0x7f29a0c9469d content::ContentServiceManagerMainDelegate::RunEmbedderProcess()
#45 0x7f29a6130905 service_manager::Main()
#46 0x7f29a0c95d3f content::ContentMain()
#47 0x5569c6c4a4ee ChromeMain
#48 0x5569c6c4a402 main
#49 0x7f298ca8ef45 __libc_start_main
#50 0x5569c6c4a2e4 <unknown>

Received signal 6
#0 0x7f29a5836d8d base::debug::StackTrace::StackTrace()
#1 0x7f29a583515c base::debug::StackTrace::StackTrace()
#2 0x7f29a5836745 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7f29a5e90330 <unknown>
#4 0x7f298caa3c37 gsignal
#5 0x7f298caa7028 abort
#6 0x7f29a5832126 base::debug::(anonymous namespace)::DebugBreak()
#7 0x7f29a5832108 base::debug::BreakDebugger()
#8 0x7f29a58c6596 logging::LogMessage::~LogMessage()
#9 0x7f2993f40169 blink::SelectionTemplate<>::AssertValidFor()
#10 0x7f2993f00310 blink::FrameSelection::SetSelectionDeprecated()
#11 0x7f2993f001e7 blink::FrameSelection::SetSelection()
#12 0x7f2993f00ae4 blink::FrameSelection::SetSelection()
#13 0x7f2993f4541e blink::TextFinder::SetFindEndstateFocusAndSelection()
#14 0x7f299424d40a blink::WebLocalFrameImpl::StopFinding()
#15 0x7f29a06e855a content::RenderFrameImpl::OnStopFinding()
#16 0x7f299e0ab85f _ZN4base20DispatchToMethodImplIPN7content27ChildHistogramMessageFilterEMS2_FviERKNSt3__15tupleIJiEEEJLm0EEEEvRKT_T0_OT1_NS6_16integer_sequenceImJXspT2_EEEE
#17 0x7f299e0ab7b0 _ZN4base16DispatchToMethodIPN7content27ChildHistogramMessageFilterEMS2_FviERKNSt3__15tupleIJiEEEEEvRKT_T0_OT1_
#18 0x7f29a072ac8f _ZN3IPC16DispatchToMethodIN7content15RenderFrameImplEMS2_FvNS1_14StopFindActionEEvNSt3__15tupleIJS3_EEEEEvPT_T0_PT1_RKT2_
#19 0x7f29a071b216 _ZN3IPC8MessageTI25FrameMsg_StopFinding_MetaNSt3__15tupleIJN7content14StopFindActionEEEEvE8DispatchINS4_15RenderFrameImplES9_vMS9_FvS5_EEEbPKNS_7MessageEPT_PT0_PT1_T2_
#20 0x7f29a06e031c content::RenderFrameImpl::OnMessageReceived()
#21 0x7f29a3d5198b IPC::MessageRouter::RouteMessage()
#22 0x7f299e0af7c8 content::ChildThreadImpl::ChildThreadMessageRouter::RouteMessage()
#23 0x7f29a3d5190e IPC::MessageRouter::OnMessageReceived()
#24 0x7f299e0b6d0d content::ChildThreadImpl::OnMessageReceived()
#25 0x7f29a3cf6808 IPC::ChannelProxy::Context::OnDispatchMessage()
#26 0x7f29a3cfcddf _ZN4base8internal13FunctorTraitsIMN3IPC12ChannelProxy7ContextEFvRKNS2_7MessageEEvE6InvokeIRK13scoped_refptrIS4_EJS7_EEEvS9_OT_DpOT0_
#27 0x7f29a3cfcd3f _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3IPC12ChannelProxy7ContextEFvRKNS4_7MessageEEJRK13scoped_refptrIS6_ES9_EEEvOT_DpOT0_
#28 0x7f29a3cfcccd _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE7RunImplIRKSA_RKNSt3__15tupleIJSC_S6_EEEJLm0ELm1EEEEvOT_OT0_NSJ_16integer_sequenceImJXspT1_EEEE
#29 0x7f29a3cfcbdc _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#30 0x7f29a57e1fd1 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#31 0x7f29a583b9e7 base::debug::TaskAnnotator::RunTask()
#32 0x7f29927e786a blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#33 0x7f29927e2a0a blink::scheduler::TaskQueueManager::DoWork()
#34 0x7f29927ef1b7 _ZN4base8internal13FunctorTraitsIMN5blink9scheduler16TaskQueueManagerEFvbEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKbEEEvS6_OT_DpOT0_
#35 0x7f29927ef115 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler16TaskQueueManagerEFvbERKNS_7WeakPtrIS6_EEJRKbEEEvOT_OT0_DpOT1_
#36 0x7f29927ef08d _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE7RunImplIRKS7_RKNSt3__15tupleIJS9_bEEEJLm0ELm1EEEEvOT_OT0_NSG_16integer_sequenceImJXspT1_EEEE
#37 0x7f29927eef9c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE3RunEPNS0_13BindStateBaseE
#38 0x7f29a57e1fd1 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#39 0x7f29a583b9e7 base::debug::TaskAnnotator::RunTask()
#40 0x7f29a58f0bc3 base::MessageLoop::RunTask()
#41 0x7f29a58f0e47 base::MessageLoop::DeferOrRunPendingTask()
#42 0x7f29a58f1b34 base::MessageLoop::DoWork()
#43 0x7f29a58f8558 base::MessagePumpDefault::Run()
#44 0x7f29a58f0384 base::MessageLoop::Run()
#45 0x7f29a59a6e9d base::RunLoop::Run()
#46 0x7f29a07d4c8b content::RendererMain()
#47 0x7f29a0c9639c content::RunZygote()
#48 0x7f29a0c97069 content::RunNamedProcessTypeMain()
#49 0x7f29a0c99abe content::ContentMainRunnerImpl::Run()
#50 0x7f29a0c9469d content::ContentServiceManagerMainDelegate::RunEmbedderProcess()
#51 0x7f29a6130905 service_manager::Main()
#52 0x7f29a0c95d3f content::ContentMain()
#53 0x5569c6c4a4ee ChromeMain
#54 0x5569c6c4a402 main
#55 0x7f298ca8ef45 __libc_start_main
#56 0x5569c6c4a2e4 <unknown>
  r8: fffffffffffffed8  r9: fffffffffffffec8 r10: 0000000000000008 r11: 0000000000000202
 r12: 00005569c6c4a2bb r13: 00007fffadf3d0c0 r14: 0000000000000000 r15: 0000000000000000
  di: 0000000000000001  si: 0000000000000001  bp: 00007fffadf32700  bx: 0000000000000000
  dx: 0000000000000006  ax: 0000000000000000  cx: 00007f298caa3c37  sp: 00007fffadf325c8
  ip: 00007f298caa3c37 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
[57891:57891:0818/142827.682959:ERROR:selection_owner.cc(184)] SelectionClear
[57891:57891:0818/142906.401566:ERROR:selection_owner.cc(184)] SelectionClear
[57960:57993:0818/142918.570707:WARNING:x11_util.cc(1349)] X error received: serial 885, error_code 3 (BadWindow), request_code 4, minor_code 0 (Unknown)
[57891:57891:0818/142918.890718:WARNING:CONSOLE(0)] "Styling master document from stylesheets defined in HTML Imports is deprecated, and is planned to be removed in M65, around March 2018. Please refer to https://goo.gl/EGXzpw for possible migration paths.", source:  (0)
[1:1:0818/142926.937675:ERROR:render_process_impl.cc(177)] WebFrame LEAKED 1 TIMES
[57891:57891:0818/142932.046758:ERROR:selection_owner.cc(184)] SelectionClear
[57891:57891:0818/143033.170120:ERROR:selection_owner.cc(184)] SelectionClear
[57891:57891:0818/143233.856463:ERROR:navigation_entry_screenshot_manager.cc(134)] Invalid entry with unique id: 7
[57891:57891:0818/143243.687077:ERROR:navigation_entry_screenshot_manager.cc(134)] Invalid entry with unique id: 17
------------------------------------------------------------------



Please use labels and text to provide additional information.
The crash happens almost every first time I use wpt locally, but I can normally enter the folder after refreshing.


Comment 1 by maxlg@chromium.org, Aug 18 2017

The issue doesn't appear in Version 60.0.3112.90 (Official Build) (64-bit)
Owner: yosin@chromium.org
Assigning to yosin@.

Looks similar to crbug.com/719880 ?

Comment 3 by maxlg@chromium.org, Aug 18 2017

It's "find -> click" that causes the crash.

I've just repeated the steps. I find that the critical point is that I find "page-vi" first and then click the link, which causes the crash. But it doesn't crash if I scroll down and click the link.

Comment 4 by maxlg@chromium.org, Aug 18 2017

It's similar to issue 71980, but TOT still crashes with this case.

Comment 5 by yosin@chromium.org, Aug 21 2017

Components: Blink>Editing
Owner: ----
Status: Available (was: Untriaged)
We should check FrameSelection::GetDocument() == TextFind::GetFrame()->GetDocument() in TextFinder::SetFindEndstateFocusAndSelection().
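The sequence from comments 3 and 5 as an added illustration, not Chromium's own code: a find match cached against the listing document survives the click-navigation, and StopFinding then applies it to the selection of the new document, which is what the "#document vs. #document" CHECK in the trace reports. The classes Document, Range, Frame, FrameSelection, TextFinder and the RunScenario driver are simplified stand-ins for Blink's, and the assumption that the cached match belongs to the pre-navigation document is what the trace suggests rather than anything the page states outright.

```cpp
#include <stdexcept>
#include <string>
// Added example (not Chromium code): a model of the document mismatch behind
// this bug and of the guard suggested in comment 5.
struct Document { std::string url; };
struct Range { const Document* doc = nullptr; int start = 0; int end = 0; };  // bound to one doc
// The frame's selection is valid only for the document the frame currently shows.
struct FrameSelection {
  const Document* doc = nullptr;
  Range selected;
  // Stand-in for SelectionTemplate::AssertValidFor(): Blink CHECK-fails and aborts the renderer.
  void SetSelection(const Range& r) {
    if (r.doc != doc) throw std::logic_error("selection document mismatch");
    selected = r;
  }
};
struct Frame {
  const Document* document = nullptr;
  FrameSelection selection;
  void Navigate(const Document* d) { document = d; selection.doc = d; }
};

struct TextFinder {
  Frame* frame;
  Range active_match;  // cached by Find(); goes stale when the frame navigates
  bool guard;          // false: reported behaviour, true: comment-5 check
  void Find(int start, int end) { active_match = {frame->document, start, end}; }
  // Models StopFinding() -> SetFindEndstateFocusAndSelection(); true if applied.
  bool StopFinding() {
    if (!active_match.doc) return false;
    if (guard && active_match.doc != frame->document) {
      active_match = Range{};  // drop the stale match instead of selecting it
      return false;
    }
    frame->selection.SetSelection(active_match);
    return true;
  }
};

// Replays the report: find a match, optionally click the link (which commits a
// new document), then stop finding. "crash" means the document check tripped.
std::string RunScenario(bool guard, bool navigate) {
  Document listing{"http://127.0.0.1:xxx/"}, folder{"http://127.0.0.1:xxx/page-visibility/"};
  Frame frame; frame.Navigate(&listing);
  TextFinder finder{&frame, Range{}, guard};
  finder.Find(0, 4);                       // match "page" in "page-visibility/"
  if (navigate) frame.Navigate(&folder);   // the click commits the new document
  try { return finder.StopFinding() ? "selected" : "ok"; }
  catch (const std::logic_error&) { return "crash"; }
}
```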

Comment 6 by yosin@chromium.org, Oct 25 2017

Summary: WebLocalFrameImpl::StopFinding() can crash (was: The tab crashes when using wpt locally)
Issue 788885 has been merged into this issue.

Comment 8 by yosin@chromium.org, Jan 10 2018

Labels: -Pri-1 Pri-3
Lower to Pri-3 since we don't have resources to work on this issue.

Project Member Comment 9 by sheriffbot@chromium.org, Jan 10

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
