Issue 792558 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	----
Closed:	Feb 2018
Cc:	ntfschr@chromium.org
Components:	Mobile>WebView
EstimatedDays:	----
NextAction:	----
OS:	Android
Pri:	3
Type:	----
Needs-Feedback

Previous locations:
monorail:3272

TileManager::OnRasterTaskCompleted crash

Reported by zljj0...@gmail.com, Dec 6 2017

Issue description

What were you doing?
test chromium webview


What happened?
Webview i build by self often crash on TileManager::OnRasterTaskCompleted in image_controller_.UnrefImages


What did you expect instead?
I think this code has danger to crash:
auto images_it = scheduled_draw_images_.find(tile_id);
image_controller_.UnrefImages(images_it->second);

for tile task that do not associated image decode task,
images_it may be end of scheduled_draw_images_, when call images_it->second, there will be crash by nullptr.

Please confirm this.


crash back trace:
    #00 pc 0031645e cc::ImageController::UnrefImages(std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > const&) LINE: image_controller.cc:146
    #01 lr 003209ed std::__ndk1::__bucket_list_deallocator<std::__ndk1::allocator<std::__ndk1::__hash_node<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, void*>*> >::size() const LINE: __hash_table:710
(inlined by) std::__ndk1::__hash_table<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, std::__ndk1::__unordered_map_hasher<unsigned long long, std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, std::__ndk1::hash<unsigned long long>, true>, std::__ndk1::__unordered_map_equal<unsigned long long, std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, std::__ndk1::equal_to<unsigned long long>, true>, std::__ndk1::allocator<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > > > >::bucket_count() const LINE: __hash_table:941
(inlined by) std::__ndk1::__hash_table<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, std::__ndk1::__unordered_map_hasher<unsigned long long, std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, std::__ndk1::hash<unsigned long long>, true>, std::__ndk1::__unordered_map_equal<unsigned long long, std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, std::__ndk1::equal_to<unsigned long long>, true>, std::__ndk1::allocator<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > > > >::remove(std::__ndk1::__hash_const_iterator<std::__ndk1::__hash_node<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, void*>*>) LINE: __hash_table:2221
(inlined by) std::__ndk1::__hash_table<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, std::__ndk1::__unordered_map_hasher<unsigned long long, std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, std::__ndk1::hash<unsigned long long>, true>, std::__ndk1::__unordered_map_equal<unsigned long long, std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, std::__ndk1::equal_to<unsigned long long>, true>, std::__ndk1::allocator<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > > > >::erase(std::__ndk1::__hash_const_iterator<std::__ndk1::__hash_node<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, void*>*>) LINE: __hash_table:2154
(inlined by) std::__ndk1::unordered_map<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> >, std::__ndk1::hash<unsigned long long>, std::__ndk1::equal_to<unsigned long long>, std::__ndk1::allocator<std::__ndk1::pair<unsigned long long const, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > > > >::erase(std::__ndk1::__hash_map_const_iterator<std::__ndk1::__hash_const_iterator<std::__ndk1::__hash_node<std::__ndk1::__hash_value_type<unsigned long long, std::__ndk1::vector<cc::DrawImage, std::__ndk1::allocator<cc::DrawImage> > >, void*>*> >) LINE: unordered_map:948
(inlined by) cc::TileManager::OnRasterTaskCompleted(std::__ndk1::unique_ptr<cc::RasterBuffer, std::__ndk1::default_delete<cc::RasterBuffer> >, unsigned long long, cc::Resource*, bool) LINE: tile_manager.cc:1076

Comment 1 by aga...@chromium.org, Dec 6 2017

Project: chromium

Moved issue monorail:3272 to now be  issue chromium:792558 .

Comment 2 by aga...@chromium.org, Dec 6 2017

Components: Mobile>WebView
Labels: -Via-Feedback
Status: Untriaged (was: New)

Comment 3 Deleted

Comment 4 by zljj0...@gmail.com, Dec 7 2017

Seem that same tile task call TileManager::OnRasterTaskCompleted twice

Comment 5 by ntfschr@chromium.org, Dec 13 2017

Cc: ntfschr@chromium.org
Labels: Needs-Feedback OS-Android Pri-3

This might be a real crash. This looks similar to this https://crash.corp.google.com/browse?q=stable_signature%3D%27cc%3A%3AImageController%3A%3AUnrefImages-1f5a2d6c%27&sql_dialect=googlesql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

A more general search: https://crash.corp.google.com/browse?stbtiq=product%3AAndroidWebView%20cc%3A%3AImageController%3A%3AUnrefImages&sql_dialect=googlesql

I see product versions from 58.0.3029.83 up through 60.0.3112.116, but the specific report says we haven't seen this crash in webview since 59.0.3071.125. zljj0818@, are you on an old branch of WebView?

Comment 6 by ntfschr@chromium.org, Feb 15 2018

Status: WontFix (was: Untriaged)

I don't see that stable signature since in M63 stable, I assume it's no longer relevant.

►

Issue 792558 link

Issue metadata

TileManager::OnRasterTaskCompleted crash

Issue description

Comment 1 by aga...@chromium.org, Dec 6 2017

Comment 1 Deleted

Comment 2 by aga...@chromium.org, Dec 6 2017

Comment 2 Deleted

Comment 3 Deleted

Comment 4 by zljj0...@gmail.com, Dec 7 2017

Comment 4 Deleted

Comment 5 by ntfschr@chromium.org, Dec 13 2017

Comment 5 Deleted

Comment 6 by ntfschr@chromium.org, Feb 15 2018

Comment 6 Deleted

Sign in to add a comment