Chrome_Android: Crash Report - blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded |
Issue descriptionreporter:ranjitkan@google.com Magic Signature: blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded Crash link: https://crash.corp.google.com//browse?q=product.name%3D'Chrome_Android'%20AND%20product.version%3D'63.0.3239.83'%20AND%20custom_data.ChromeCrashProto.channel%3D'stable'%20AND%20custom_data.ChromeCrashProto.ptype%3D'renderer'%20AND%20ReportID%3D'01665f8d32029175'%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D'blink%3A%3ASelectionEditor%3A%3AUpdateCachedVisibleSelectionInFlatTreeIfNeeded'&sql_dialect=googlesql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#3 ------------------------------------------------------------------------------- Sample Report ------------------------------------------------------------------------------- Product name: Chrome_Android Magic Signature : blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded Product Version: 63.0.3239.83 Process type: renderer Report ID: 01665f8d32029175 Report Url: https://crash.corp.google.com/01665f8d32029175 Report Time: 2017-12-11T14:13:25-08:00 Upload Time: 2017-12-11T14:44:57.391-08:00 Uptime: 10543441 ms CumulativeProductUptime: 0 ms OS Name: Android OS Version: 0.0.0 Linux 4.4.21-12461033 #1 SMP PREEMPT Wed Oct 25 17:49:26 KST 2017 armv8l CPU Architecture: arm CPU Info: ARMv1 Qualcomm part(0x51008010) features: half,thumb,fastmult,vfpv2,edsp,neon,vfpv3,tls,vfpv4,idiva,idivt ------------------------------------------------------------------------------- Crashing thread: Thread index: 9. Stack Quality: 26%. Thread id: 20572. 
------------------------------------------------------------------------------- 0xd74d916e (libmonochrome.so - Document.h: 991) blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded() const 0xd74d9133 (libmonochrome.so - SelectionEditor.cpp: 89) blink::SelectionEditor::ComputeVisibleSelectionInFlatTree() const 0xd74d25eb (libmonochrome.so - FrameSelection.cpp: 127) blink::FrameSelection::ComputeVisibleSelectionInFlatTree() const 0xd750c60d (libmonochrome.so - TextSuggestionController.cpp: 361) blink::TextSuggestionController::SuggestionMenuTimeoutCallback(unsigned int) 0xd6e6c54b (libmonochrome.so - input_messages.mojom-blink.cc: 386) blink::mojom::blink::TextSuggestionBackendStubDispatch::Accept(blink::mojom::blink::TextSuggestionBackend*, mojo::Message*) 0xd5cd33e3 (libmonochrome.so - multiplex_router.cc: 875) mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) 0xd5cd3185 (libmonochrome.so - multiplex_router.cc: 599) mojo::internal::MultiplexRouter::Accept(mojo::Message*) 0xd5cd2569 (libmonochrome.so - connector.cc: 440) mojo::Connector::ReadSingleMessage(unsigned int*) 0xd5cd2487 (libmonochrome.so - connector.cc: 469) mojo::Connector::ReadAllAvailableMessages() 0xd5cd2449 (libmonochrome.so - bind_internal.h: 349) void base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::RunImpl<void (mojo::Connector::* const&)(unsigned int), std::__ndk1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, 0u>(void (mojo::Connector::* const&&&)(unsigned int), std::__ndk1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&&&, std::__ndk1::integer_sequence<unsigned int, 0u>, unsigned int&&) 0xd5cd242b (libmonochrome.so - callback.h: 92) 
mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&) 0xd5cd23d9 (libmonochrome.so - callback.h: 92) mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) 0xd5cd234d (libmonochrome.so - bind_internal.h: 297) void base::internal::InvokeHelper<true, void>::MakeItSo<void (content::ServiceWorkerVersion::* const&)(int, content::ServiceWorkerStatusCode, content::ServiceWorkerClientInfo const&), base::WeakPtr<content::ServiceWorkerVersion> const&, int const&, content::ServiceWorkerStatusCode, content::ServiceWorkerClientInfo const&>(void (content::ServiceWorkerVersion::* const&&&)(int, content::ServiceWorkerStatusCode, content::ServiceWorkerClientInfo const&), base::WeakPtr<content::ServiceWorkerVersion> const&&&, int const&&&, content::ServiceWorkerStatusCode&&, content::ServiceWorkerClientInfo const&&&) 0xd5cd2327 (libmonochrome.so - bind_internal.h: 349) void base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__ndk1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0u, 1u, 2u, 3u>(void (mojo::SimpleWatcher::* const&&&)(int, unsigned int, mojo::HandleSignalsState const&), std::__ndk1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&&&, std::__ndk1::integer_sequence<unsigned int, 0u, 1u, 2u, 3u>) 0xd5aefbf7 (libmonochrome.so - callback.h: 64) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 0xd60dd137 (libmonochrome.so - task_queue_manager.cc: 531) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, 
blink::scheduler::LazyNow, base::TimeTicks*) 0xd60dc2e5 (libmonochrome.so - task_queue_manager.cc: 322) blink::scheduler::TaskQueueManager::DoWork(bool) 0xd5aefbf7 (libmonochrome.so - callback.h: 64) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 0xd5aef7c5 (libmonochrome.so - message_loop.cc: 394) base::MessageLoop::RunTask(base::PendingTask*) 0xd5ca1509 (libmonochrome.so - message_loop.cc: 406) base::MessageLoop::DoWork() 0xd5d71f1f (libmonochrome.so - message_pump_default.cc: 37) base::MessagePumpDefault::Run(base::MessagePump::Delegate*) 0xd5ca1289 (libmonochrome.so - run_loop.cc: 114) <name omitted> 0xd5e1c449 (libmonochrome.so - renderer_main.cc: 220) content::RendererMain(content::MainFunctionParams const&) 0xd5ae6ae9 (libmonochrome.so - content_main_runner.cc: 710) content::ContentMainRunnerImpl::Run() 0xd5ad97f5 (libmonochrome.so - main.cc: 469) service_manager::Main(service_manager::MainParams const&) 0xd5ad9449 (libmonochrome.so - content_main.cc: 41) Java_org_chromium_content_app_ContentMain_nativeStart 0xd094ad55 (base.odex + 0x007dfd55) 0xdd2b487e (dalvik-LinearAlloc_3848_3848 (deleted) + 0x0000487e) 0x12c060fe (dalvik-main space_3848_3848 (deleted) + 0x000060fe) 0xec82294b (libart.so + 0x000e594b) 0xdd2b487e (dalvik-LinearAlloc_3848_3848 (deleted) + 0x0000487e) 0xec7e7141 (libart.so + 0x000aa141) 0xd0607441 (base.odex + 0x0049c441) 0xdd2b487e (dalvik-LinearAlloc_3848_3848 (deleted) + 0x0000487e) 0xd0607441 (base.odex + 0x0049c441) 0xecb71055 (libart.so + 0x00434055) 0x12c65f3e (dalvik-main space_3848_3848 (deleted) + 0x00065f3e) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0x12c65f3e (dalvik-main space_3848_3848 (deleted) + 0x00065f3e) 0xec9f1bf7 (libart.so + 0x002b4bf7) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0x12c65f3e (dalvik-main space_3848_3848 (deleted) + 0x00065f3e) 0x12c5612e (dalvik-main space_3848_3848 (deleted) + 0x0005612e) 0xd067af68 (base.odex + 0x0050ff68) 0xec9eb917 
(libart.so + 0x002ae917) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0xdd2b487e (dalvik-LinearAlloc_3848_3848 (deleted) + 0x0000487e) 0xd0607441 (base.odex + 0x0049c441) 0xec7ee9d5 (libart.so + 0x000b19d5) 0xd0607441 (base.odex + 0x0049c441) ... 212 more 0xecb70f4d (libart.so + 0x00433f4d) 0xef9f9a27 (libc.so + 0x00063a27) 0x12c61dbe (dalvik-main space_3848_3848 (deleted) + 0x00061dbe) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0x70593606 (system@framework@boot-core-oj.art + 0x00118606) 0x7125f7a1 (boot-core-oj.oat + 0x002da7a1) 0xec7ee9ab (libart.so + 0x000b19ab) 0x7125f7a1 (boot-core-oj.oat + 0x002da7a1) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0x70593606 (system@framework@boot-core-oj.art + 0x00118606) 0x7125f7a1 (boot-core-oj.oat + 0x002da7a1) 0xeca7e12b (libart.so + 0x0034112b) 0x7125f7a1 (boot-core-oj.oat + 0x002da7a1) 0xef9eb179 (libc.so + 0x00055179) 0xefa05d9f (libc.so + 0x0006fd9f) 0xef9fa497 (libc.so + 0x00064497) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0xecaabfb5 (libart.so + 0x0036efb5) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0xeca97057 (libart.so + 0x0035a057) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0xeca97807 (libart.so + 0x0035a807) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0xeca9ddaf (libart.so + 0x00360daf) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0x70593606 (system@framework@boot-core-oj.art + 0x00118606) 0x7125f7a1 (boot-core-oj.oat + 0x002da7a1) 0x12c61dbe (dalvik-main space_3848_3848 (deleted) + 0x00061dbe) 0xeca7f099 (libart.so + 0x00342099) 0x7125f7a1 (boot-core-oj.oat + 0x002da7a1) 0x7125f7a1 (boot-core-oj.oat + 0x002da7a1) 0x12c61dbe (dalvik-main space_3848_3848 (deleted) + 0x00061dbe) 0xef9fa497 (libc.so + 0x00064497) 0xecb897ff (libart.so + 0x0044c7ff) 0xeca96acb (libart.so + 0x00359acb) 
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0x70593606 (system@framework@boot-core-oj.art + 0x00118606) 0xecb8a4c7 (libart.so + 0x0044d4c7) 0xecb8a4f8 (libart.so + 0x0044d4f8) 0xecb898c6 (libart.so + 0x0044c8c6) 0xeca973a9 (libart.so + 0x0035a3a9) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01) 0xef9de6ff (libc.so + 0x000486ff) 0xeca97057 (libart.so + 0x0035a057) 0xef9de717 (libc.so + 0x00048717) 0xef9b0455 (libc.so + 0x0001a455) 0xeca97057 (libart.so + 0x0035a057) 0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)
,
Dec 13 2017
It seems to be due to TextSuggestionController calling FrameSelection::ComputeVisibleSelectionInFlatTree() with dirty style/layout.
,
Dec 13 2017
I investigated, and it seems we are actually calling TextSuggestionController::SuggestionMenuTimeoutCallback() after the Document has been destroyed. I am not sure whether the frame has also been destroyed at this point: TextSuggestionBackendImpl::SuggestionMenuTimeoutCallback() checks for a non-null frame, but it uses WeakPersistent, so I'm not sure the pointer gets cleared immediately. If it does not, the null check alone would not stop the callback from running against a frame whose document is already gone.
,
Dec 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/35e2d8e3d63072b975fa6fbfc183a0cbb71ff353

commit 35e2d8e3d63072b975fa6fbfc183a0cbb71ff353
Author: Ryan Landay <rlanday@chromium.org>
Date: Mon Dec 18 22:13:53 2017

Add IsAvailable check to TextSuggestionController::SuggestionMenuTimerCallback()

We have a crash in TextSuggestionController in bug 794559 that I have not yet been able to reproduce. However, writing test cases to test various scenarios to try to get a matching stacktrace strongly suggests that the problem is that this method is somehow being called after the document is detached.

It appears that we actually anticipated this problem when originally adding the Android spell check menu, and even added this check to some of the other methods, but forgot to add it to SuggestionMenuTimerCallback(): https://goo.gl/wXC8Ga

So, I am adding the check here now in the hopes that it will fix this crash.

Bug: 794559
Change-Id: I32b06d1623f17306c98e1a16a6d8fc54f05ce592
Reviewed-on: https://chromium-review.googlesource.com/826362
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Ryan Landay <rlanday@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524827}

[modify] https://crrev.com/35e2d8e3d63072b975fa6fbfc183a0cbb71ff353/third_party/WebKit/Source/core/editing/suggestion/TextSuggestionController.cpp
[modify] https://crrev.com/35e2d8e3d63072b975fa6fbfc183a0cbb71ff353/third_party/WebKit/Source/core/editing/suggestion/TextSuggestionControllerTest.cpp
,
Jan 2 2018
Comment 1 by ranjitkan@chromium.org, Dec 13 2017
Labels: OS-Windows
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)