Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Mike, can you help to find an owner please?

Hey Trent, could you take a look or pass this on? Thanks!

The clusterfuzz report has "reproducible: NO", but it's pointing pretty specifically to some code in ash::WindowSelector::ContentsChanged(), at

  // If the selection widget is not active, execute a Move() command so that it
  // shows up on the first undimmed item.
  if (grid_list_[selected_grid_index_]->is_selecting())
    return;

(maybe grid_list_ is empty?)

xdai, can you take a look or redirect this? It seems to be in the overview mode code and I see recent changes there for splitview.

The clusterfuzz list of gestures includes an F5 (which would enter overview) and an F1 (browser back, which would cancel overview).

I see back-button support added recently, but that doesn't really look related to me:
https://chromium.googlesource.com/chromium/src/+/f5a3fe328ac5e0837cca7b57f4ae4693e71a8f6d

This is the stack:

#0 0x7fbdd88ebc5d in operator-> buildtools/third_party/libc++/trunk/include/memory:2515:19
#1 0x7fbdd88ebc5d in ash::WindowSelector::ContentsChanged(views::Textfield*, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&) ash/wm/overview/window_selector.cc:717
#2 0x7fbdd60da87a in views::Textfield::UpdateAfterChange(bool, bool) ui/views/controls/textfield/textfield.cc:1961:20
#3 0x7fbdd60ef0a5 in views::Textfield::DoInsertChar(unsigned short) ui/views/controls/textfield/textfield.cc:1634:3
#4 0x7fbdd60eb78a in views::Textfield::InsertChar(ui::KeyEvent const&) ui/views/controls/textfield/textfield.cc:1367:3
#5 0x7fbdde1cabcc in ui::InputMethodChromeOS::PostProcessUnfilteredKeyPressEvent(ui::KeyEvent*, ui::TextInputClient*, std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > >, bool) ui/base/ime/input_method_chromeos.cc:467:13
#6 0x7fbdde1ce9ca in Invoke<const base::WeakPtr<ui::InputMethodChromeOS> &, ui::KeyEvent *, ui::TextInputClient *const &, std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > >, bool> base/bind_internal.h:194:12
#7 0x7fbdde1ce9ca in MakeItSo<void (ui::InputMethodChromeOS::*const &)(ui::KeyEvent *, ui::TextInputClient *, std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > >, bool), const base::WeakPtr<ui::InputMethodChromeOS> &, ui::KeyEvent *, ui::TextInputClient *const &, std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > >, bool> base/bind_internal.h:297
#8 0x7fbdde1ce9ca in void base::internal::Invoker<base::internal::BindState<void (ui::InputMethodChromeOS::*)(ui::KeyEvent*, ui::TextInputClient*, std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > >, bool), base::WeakPtr<ui::InputMethodChromeOS>, base::internal::OwnedWrapper<ui::KeyEvent>, ui::TextInputClient*, base::internal::PassedWrapper<std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > > > >, void (bool)>::RunImpl<void (ui::InputMethodChromeOS::* const&)(ui::KeyEvent*, ui::TextInputClient*, std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > >, bool), std::__1::tuple<base::WeakPtr<ui::InputMethodChromeOS>, base::internal::OwnedWrapper<ui::KeyEvent>, ui::TextInputClient*, base::internal::PassedWrapper<std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > > > > const&, 0ul, 1ul, 2ul, 3ul>(void (ui::InputMethodChromeOS::* const&)(ui::KeyEvent*, ui::TextInputClient*, std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > >, bool), std::__1::tuple<base::WeakPtr<ui::InputMethodChromeOS>, base::internal::OwnedWrapper<ui::KeyEvent>, ui::TextInputClient*, base::internal::PassedWrapper<std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > > > > const&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>, bool&&) base/bind_internal.h:349
#9 0x7fbdde1c0142 in Run base/callback.h:64:12
#10 0x7fbdde1c0142 in ui::InputMethodBase::DispatchKeyEventPostIME(ui::KeyEvent*, std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > >) const ui/base/ime/input_method_base.cc:147
#11 0x7fbdde1c5eba in ui::InputMethodChromeOS::ProcessUnfilteredKeyPressEvent(ui::KeyEvent*, std::__1::unique_ptr<base::OnceCallback<void (bool)>, std::__1::default_delete<base::OnceCallback<void (bool)> > >) ui/base/ime/input_method_chromeos.cc:428:10
#12 0x7fbdde1c5385 in ui::InputMethodChromeOS::DispatchKeyEvent(ui::KeyEvent*, base::OnceCallback<void (bool)>) ui/base/ime/input_method_chromeos.cc:100:14
#13 0x7fbdde1c6542 in ui::InputMethodChromeOS::DispatchKeyEvent(ui::KeyEvent*) ui/base/ime/input_method_chromeos.cc:161:10
#14 0x7fbdd51e4510 in PreDispatchKeyEvent ui/aura/window_event_dispatcher.cc:1019:54
#15 0x7fbdd51e4510 in aura::WindowEventDispatcher::PreDispatchEvent(ui::EventTarget*, ui::Event*) ui/aura/window_event_dispatcher.cc:570
#16 0x7fbdd2f3ecb5 in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:54:34
#17 0x7fbdddafd9ee in ui::EventProcessor::OnEventFromSource(ui::Event*) ui/events/event_processor.cc:57:17
#18 0x7fbdd2f425be in DeliverEventToSink ui/events/event_source.cc:73:16
#19 0x7fbdd2f425be in ui::EventSource::SendEventToSink(ui::Event*) ui/events/event_source.cc:51
#20 0x7fbdd84d336e in ash::AshWindowTreeHostPlatform::DispatchEvent(ui::Event*) ash/host/ash_window_tree_host_platform.cc:124:3
#21 0x7fbdd2f47bf2 in Run base/callback.h:92:12
#22 0x7fbdd2f47bf2 in ui::DispatchEventFromNativeUiEvent(void* const&, base::RepeatingCallback<void (ui::Event*)>) ui/events/ozone/events_ozone.cc:16
#23 0x7fbdd4741a9c in DispatchEvent ui/platform_window/x11/x11_window_ozone.cc:83:3
#24 0x7fbdd4741a9c in non-virtual thunk to ui::X11WindowOzone::DispatchEvent(void* const&) ui/platform_window/x11/x11_window_ozone.cc:0
#25 0x7fbdd22b6812 in ui::PlatformEventSource::DispatchEvent(void*) ui/events/platform/platform_event_source.cc:93:29
#26 0x7fbdd4710dff in ui::X11EventSourceLibevent::ProcessXEvent(_XEvent*) ui/events/platform/x11/x11_event_source_libevent.cc:169:5
#27 0x7fbdd47136e2 in ui::X11EventSource::ExtractCookieDataDispatchEvent(_XEvent*) ui/events/platform/x11/x11_event_source.cc:241:14
#28 0x7fbdd4713502 in ui::X11EventSource::DispatchXEvents() ui/events/platform/x11/x11_event_source.cc:141:5
#29 0x7fbdd09ee6a3 in OnFileCanReadWithoutBlocking base/message_loop/message_pump_libevent.cc:97:13
#30 0x7fbdd09ee6a3 in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) base/message_loop/message_pump_libevent.cc:342
#31 0x7fbdd0c0b93d in event_process_active base/third_party/libevent/event.c:381:4
#32 0x7fbdd0c0b93d in event_base_loop base/third_party/libevent/event.c:521
#33 0x7fbdd09ef1e1 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:257:9
#34 0x7fbdd0a6f74e in base::RunLoop::Run() base/run_loop.cc:114:14

My guess is that either grid_list_ is empty or selected_grid_index_ is too big.

I tried to repro locally using the clusterfuzz tool, but it didn't repro.

I was able to induce a crash in overview on chromeos-on-linux:
1. Run chrome --user-data-dir=/tmp/udd --ash-dev-shortcuts --ash-debug-shortcuts
2. Have 1 window open
3. Hit F5 to go into overview
4. Hit Ctrl-Shift-D to add a monitor
5. Hit F1 to exit overview

That crashes with a different stack:

[114018:114018:1127/152444.438324:FATAL:backdrop_controller.cc(264)] Check failed: force_hidden_counter_ >= 0 (-1 vs. 0)
#0 0x7f55bc58232c base::debug::StackTrace::StackTrace()
#1 0x7f55bc5a8d1c logging::LogMessage::~LogMessage()
#2 0x7f55b6d5bdcd ash::BackdropController::RemoveForceHidden()
#3 0x7f55b6c8071e ash::Shell::NotifyOverviewModeEnded()
#4 0x7f55b6d31fad ash::WindowSelectorController::OnSelectionEnded()
#5 0x7f55b6d2f6a8 ash::WindowSelector::HandleKeyEvent()
#6 0x7f55b728832e views::Textfield::OnKeyPressed()
#7 0x7f55b72aab7d views::View::OnKeyEvent()
#8 0x7f55b85ec314 ui::EventDispatcher::ProcessEvent()
#9 0x7f55b85ec0a9 ui::EventDispatcherDelegate::DispatchEvent()
#10 0x7f55b85ed81b ui::EventProcessor::OnEventFromSource()
#11 0x7f55b85edcf8 ui::EventSource::SendEventToSink()
#12 0x7f55b72b6a86 views::Widget::OnKeyEvent()
#13 0x7f55b72d2acc views::NativeWidgetAura::OnKeyEvent()
#14 0x7f55b85ec314 ui::EventDispatcher::ProcessEvent()
#15 0x7f55b85ec0a9 ui::EventDispatcherDelegate::DispatchEvent()
#16 0x7f55b85ed81b ui::EventProcessor::OnEventFromSource()
#17 0x7f55b802c41f aura::WindowTreeHost::DispatchKeyEventPostIME()
#18 0x7f55b6bf422b ash::WindowTreeHostManager::DispatchKeyEventPostIME()
#19 0x7f55b811b48e ui::InputMethodBase::DispatchKeyEventPostIME()
#20 0x7f55b811c97c ui::InputMethodChromeOS::ProcessUnfilteredKeyPressEvent()
#21 0x7f55b811c67e ui::InputMethodChromeOS::DispatchKeyEvent()
#22 0x7f55b811cb8c ui::InputMethodChromeOS::DispatchKeyEvent()
#23 0x7f55b8024f4f aura::WindowEventDispatcher::PreDispatchEvent()
#24 0x7f55b85ec047 ui::EventDispatcherDelegate::DispatchEvent()
#25 0x7f55b85ed81b ui::EventProcessor::OnEventFromSource()
#26 0x7f55b802add6 aura::WindowTargeter::ProcessEventIfTargetsDifferentRootWindow()
#27 0x7f55b802af46 aura::WindowTargeter::FindTargetForEvent()
#28 0x7f55b85ed784 ui::EventProcessor::OnEventFromSource()
#29 0x7f55b85edcf8 ui::EventSource::SendEventToSink()
#30 0x7f55b6c0f7de ash::AshWindowTreeHostPlatform::DispatchEvent()

I'm not sure if it's related, though.

Ideas:
* WindowSelector::CancelSelection() could reset selected_grid_index_
* Add more DCHECKs or other assertions about selected_grid_index_ and grid_list_.empty() throughout this class
* Change selected_grid_index_ to be signed, to make it easier to see if it's changing to -1

xdai: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Will try to look into it this week.

xdai: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz testcase 6314225852219392 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot