
Issue 794559

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android , Windows
Pri: 2
Type: Bug

Chrome_Android: Crash Report - blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded

Project Member Reported by cr...@system.gserviceaccount.com, Dec 13 2017

Issue description

reporter:ranjitkan@google.com

Magic Signature: blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded

Crash link: https://crash.corp.google.com//browse?q=product.name%3D'Chrome_Android'%20AND%20product.version%3D'63.0.3239.83'%20AND%20custom_data.ChromeCrashProto.channel%3D'stable'%20AND%20custom_data.ChromeCrashProto.ptype%3D'renderer'%20AND%20ReportID%3D'01665f8d32029175'%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D'blink%3A%3ASelectionEditor%3A%3AUpdateCachedVisibleSelectionInFlatTreeIfNeeded'&sql_dialect=googlesql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#3

-------------------------------------------------------------------------------
Sample Report
-------------------------------------------------------------------------------
Product name: Chrome_Android
Magic Signature : blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded
Product Version: 63.0.3239.83
Process type: renderer
Report ID: 01665f8d32029175
Report Url: https://crash.corp.google.com/01665f8d32029175
Report Time: 2017-12-11T14:13:25-08:00
Upload Time: 2017-12-11T14:44:57.391-08:00
Uptime: 10543441 ms
CumulativeProductUptime: 0 ms
OS Name: Android
OS Version: 0.0.0 Linux 4.4.21-12461033 #1 SMP PREEMPT Wed Oct 25 17:49:26 KST 2017 armv8l
CPU Architecture: arm
CPU Info: ARMv1 Qualcomm part(0x51008010) features: half,thumb,fastmult,vfpv2,edsp,neon,vfpv3,tls,vfpv4,idiva,idivt

-------------------------------------------------------------------------------
Crashing thread: Thread index: 9. Stack Quality: 26%. Thread id: 20572.
-------------------------------------------------------------------------------
0xd74d916e (libmonochrome.so - Document.h: 991)	blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded() const
0xd74d9133 (libmonochrome.so - SelectionEditor.cpp: 89)	blink::SelectionEditor::ComputeVisibleSelectionInFlatTree() const
0xd74d25eb (libmonochrome.so - FrameSelection.cpp: 127)	blink::FrameSelection::ComputeVisibleSelectionInFlatTree() const
0xd750c60d (libmonochrome.so - TextSuggestionController.cpp: 361)	blink::TextSuggestionController::SuggestionMenuTimeoutCallback(unsigned int)
0xd6e6c54b (libmonochrome.so - input_messages.mojom-blink.cc: 386)	blink::mojom::blink::TextSuggestionBackendStubDispatch::Accept(blink::mojom::blink::TextSuggestionBackend*, mojo::Message*)
0xd5cd33e3 (libmonochrome.so - multiplex_router.cc: 875)	mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*)
0xd5cd3185 (libmonochrome.so - multiplex_router.cc: 599)	mojo::internal::MultiplexRouter::Accept(mojo::Message*)
0xd5cd2569 (libmonochrome.so - connector.cc: 440)	mojo::Connector::ReadSingleMessage(unsigned int*)
0xd5cd2487 (libmonochrome.so - connector.cc: 469)	mojo::Connector::ReadAllAvailableMessages()
0xd5cd2449 (libmonochrome.so - bind_internal.h: 349)	void base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::RunImpl<void (mojo::Connector::* const&)(unsigned int), std::__ndk1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, 0u>(void (mojo::Connector::* const&&&)(unsigned int), std::__ndk1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&&&, std::__ndk1::integer_sequence<unsigned int, 0u>, unsigned int&&)
0xd5cd242b (libmonochrome.so - callback.h: 92)	mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&)
0xd5cd23d9 (libmonochrome.so - callback.h: 92)	mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&)
0xd5cd234d (libmonochrome.so - bind_internal.h: 297)	void base::internal::InvokeHelper<true, void>::MakeItSo<void (content::ServiceWorkerVersion::* const&)(int, content::ServiceWorkerStatusCode, content::ServiceWorkerClientInfo const&), base::WeakPtr<content::ServiceWorkerVersion> const&, int const&, content::ServiceWorkerStatusCode, content::ServiceWorkerClientInfo const&>(void (content::ServiceWorkerVersion::* const&&&)(int, content::ServiceWorkerStatusCode, content::ServiceWorkerClientInfo const&), base::WeakPtr<content::ServiceWorkerVersion> const&&&, int const&&&, content::ServiceWorkerStatusCode&&, content::ServiceWorkerClientInfo const&&&)
0xd5cd2327 (libmonochrome.so - bind_internal.h: 349)	void base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__ndk1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0u, 1u, 2u, 3u>(void (mojo::SimpleWatcher::* const&&&)(int, unsigned int, mojo::HandleSignalsState const&), std::__ndk1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&&&, std::__ndk1::integer_sequence<unsigned int, 0u, 1u, 2u, 3u>)
0xd5aefbf7 (libmonochrome.so - callback.h: 64)	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0xd60dd137 (libmonochrome.so - task_queue_manager.cc: 531)	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*)
0xd60dc2e5 (libmonochrome.so - task_queue_manager.cc: 322)	blink::scheduler::TaskQueueManager::DoWork(bool)
0xd5aefbf7 (libmonochrome.so - callback.h: 64)	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0xd5aef7c5 (libmonochrome.so - message_loop.cc: 394)	base::MessageLoop::RunTask(base::PendingTask*)
0xd5ca1509 (libmonochrome.so - message_loop.cc: 406)	base::MessageLoop::DoWork()
0xd5d71f1f (libmonochrome.so - message_pump_default.cc: 37)	base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
0xd5ca1289 (libmonochrome.so - run_loop.cc: 114)	<name omitted>
0xd5e1c449 (libmonochrome.so - renderer_main.cc: 220)	content::RendererMain(content::MainFunctionParams const&)
0xd5ae6ae9 (libmonochrome.so - content_main_runner.cc: 710)	content::ContentMainRunnerImpl::Run()
0xd5ad97f5 (libmonochrome.so - main.cc: 469)	service_manager::Main(service_manager::MainParams const&)
0xd5ad9449 (libmonochrome.so - content_main.cc: 41)	Java_org_chromium_content_app_ContentMain_nativeStart
0xd094ad55 (base.odex + 0x007dfd55)	
0xdd2b487e (dalvik-LinearAlloc_3848_3848 (deleted) + 0x0000487e)	
0x12c060fe (dalvik-main space_3848_3848 (deleted) + 0x000060fe)	
0xec82294b (libart.so + 0x000e594b)	
0xdd2b487e (dalvik-LinearAlloc_3848_3848 (deleted) + 0x0000487e)	
0xec7e7141 (libart.so + 0x000aa141)	
0xd0607441 (base.odex + 0x0049c441)	
0xdd2b487e (dalvik-LinearAlloc_3848_3848 (deleted) + 0x0000487e)	
0xd0607441 (base.odex + 0x0049c441)	
0xecb71055 (libart.so + 0x00434055)	
0x12c65f3e (dalvik-main space_3848_3848 (deleted) + 0x00065f3e)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0x12c65f3e (dalvik-main space_3848_3848 (deleted) + 0x00065f3e)	
0xec9f1bf7 (libart.so + 0x002b4bf7)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0x12c65f3e (dalvik-main space_3848_3848 (deleted) + 0x00065f3e)	
0x12c5612e (dalvik-main space_3848_3848 (deleted) + 0x0005612e)	
0xd067af68 (base.odex + 0x0050ff68)	
0xec9eb917 (libart.so + 0x002ae917)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0xdd2b487e (dalvik-LinearAlloc_3848_3848 (deleted) + 0x0000487e)	
0xd0607441 (base.odex + 0x0049c441)	
0xec7ee9d5 (libart.so + 0x000b19d5)	
0xd0607441 (base.odex + 0x0049c441)	
... 212 more
0xecb70f4d (libart.so + 0x00433f4d)	
0xef9f9a27 (libc.so + 0x00063a27)	
0x12c61dbe (dalvik-main space_3848_3848 (deleted) + 0x00061dbe)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0x70593606 (system@framework@boot-core-oj.art + 0x00118606)	
0x7125f7a1 (boot-core-oj.oat + 0x002da7a1)	
0xec7ee9ab (libart.so + 0x000b19ab)	
0x7125f7a1 (boot-core-oj.oat + 0x002da7a1)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0x70593606 (system@framework@boot-core-oj.art + 0x00118606)	
0x7125f7a1 (boot-core-oj.oat + 0x002da7a1)	
0xeca7e12b (libart.so + 0x0034112b)	
0x7125f7a1 (boot-core-oj.oat + 0x002da7a1)	
0xef9eb179 (libc.so + 0x00055179)	
0xefa05d9f (libc.so + 0x0006fd9f)	
0xef9fa497 (libc.so + 0x00064497)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0xecaabfb5 (libart.so + 0x0036efb5)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0xeca97057 (libart.so + 0x0035a057)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0xeca97807 (libart.so + 0x0035a807)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0xeca9ddaf (libart.so + 0x00360daf)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0x70593606 (system@framework@boot-core-oj.art + 0x00118606)	
0x7125f7a1 (boot-core-oj.oat + 0x002da7a1)	
0x12c61dbe (dalvik-main space_3848_3848 (deleted) + 0x00061dbe)	
0xeca7f099 (libart.so + 0x00342099)	
0x7125f7a1 (boot-core-oj.oat + 0x002da7a1)	
0x7125f7a1 (boot-core-oj.oat + 0x002da7a1)	
0x12c61dbe (dalvik-main space_3848_3848 (deleted) + 0x00061dbe)	
0xef9fa497 (libc.so + 0x00064497)	
0xecb897ff (libart.so + 0x0044c7ff)	
0xeca96acb (libart.so + 0x00359acb)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0x70593606 (system@framework@boot-core-oj.art + 0x00118606)	
0xecb8a4c7 (libart.so + 0x0044d4c7)	
0xecb8a4f8 (libart.so + 0x0044d4f8)	
0xecb898c6 (libart.so + 0x0044c8c6)	
0xeca973a9 (libart.so + 0x0035a3a9)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	
0xef9de6ff (libc.so + 0x000486ff)	
0xeca97057 (libart.so + 0x0035a057)	
0xef9de717 (libc.so + 0x00048717)	
0xef9b0455 (libc.so + 0x0001a455)	
0xeca97057 (libart.so + 0x0035a057)	
0x1309fc01 (dalvik-main space_3848_3848 (deleted) + 0x0049fc01)	

Cc: ranjitkan@chromium.org xiaoche...@chromium.org
Labels: OS-Windows
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
The following instances of the crash are observed from M59 builds. On the current stable build 63.0.3239.83 there are a total of 581 instances reported from multiple client IDs under the renderer process for Android OS. The link below gives details of the number of instances in which the crash is occurring for the associated builds:

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ASelectionEditor%3A%3AUpdateCachedVisibleSelectionInFlatTreeIfNeeded%27&sql_dialect=googlesql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#-property-selector,productversion:1000

The crash is currently ranked 16th under the renderer process for Android OS when reported. Using code search, the change below is suspected to be a possible culprit:

https://chromium.googlesource.com/chromium/src/+/e1f28c830df47f1d907abf8f855aef500b94999a

@yosin: Assigning to you; please take a look into it.

Not adding any blocker label, since instances are observed from M59. Looping in the reviewers since @yosin is OOO till Jan.

Instances are reported mostly on Android OS, but we are seeing traces on Windows as well.
Can this be addressed?

Thanks!
Cc: yosin@chromium.org
Components: Blink>Editing
Owner: rlanday@chromium.org
It seems to be due to TextSuggestionController calling FrameSelection::ComputeVisibleSelectionInFlatTree() with dirty style/layout.
I investigated and it seems we're actually calling TextSuggestionController::SuggestionMenuTimeoutCallback() after the Document has been destroyed. Not sure if the frame has also been destroyed at this point or not (TextSuggestionBackendImpl::SuggestionMenuTimeoutCallback() checks for a non-null frame, but it uses WeakPersistent, so I'm not sure this gets cleared immediately).
Project Member

Comment 4 by bugdroid1@chromium.org, Dec 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/35e2d8e3d63072b975fa6fbfc183a0cbb71ff353

commit 35e2d8e3d63072b975fa6fbfc183a0cbb71ff353
Author: Ryan Landay <rlanday@chromium.org>
Date: Mon Dec 18 22:13:53 2017

Add IsAvailable check to TextSuggestionController::SuggestionMenuTimerCallback()

We have a crash in TextSuggestionController in bug 794559 that I have not yet
been able to reproduce. However, writing test cases to test various scenarios
to try to get a matching stacktrace strongly suggests that the problem is that
this method is somehow being called after the document is detached.

It appears that we actually anticipated this problem when originally adding
the Android spell check menu, and even added this check to some of the other
methods, but forgot to add it to SuggestionMenuTimerCallback():
https://goo.gl/wXC8Ga

So, I am adding the check here now in the hopes that it will fix this crash.

Bug: 794559
Change-Id: I32b06d1623f17306c98e1a16a6d8fc54f05ce592
Reviewed-on: https://chromium-review.googlesource.com/826362
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Ryan Landay <rlanday@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524827}
[modify] https://crrev.com/35e2d8e3d63072b975fa6fbfc183a0cbb71ff353/third_party/WebKit/Source/core/editing/suggestion/TextSuggestionController.cpp
[modify] https://crrev.com/35e2d8e3d63072b975fa6fbfc183a0cbb71ff353/third_party/WebKit/Source/core/editing/suggestion/TextSuggestionControllerTest.cpp
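As an added illustration of the lifetime problem diagnosed in comment 3 (a timer callback running after the Document has been detached, while a WeakPersistent-style reference to the frame has not yet been cleared) and of the guard this commit adds, the following is example code, not Blink's TextSuggestionController. The names Frame, Document, TaskQueue and SuggestionController are simplified stand-ins for the classes in the stack trace, and the raw `Frame*` plays the role of a WeakPersistent that still dangles after the document is gone.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <string>

// Stand-in for blink::Document. It carries only the text the suggestion
// controller would inspect.
struct Document {
  std::string text = "hello wrold";
};

// Stand-in for blink::LocalFrame. Detaching the document mirrors the frame
// tearing down its document during navigation or frame removal; afterwards
// GetDocument() returns null and no style/layout work may be done on it.
struct Frame {
  std::unique_ptr<Document> document = std::make_unique<Document>();
  void DetachDocument() { document.reset(); }
  Document* GetDocument() const { return document.get(); }
};

// Minimal single-threaded task queue standing in for the renderer scheduler
// and Mojo dispatch frames visible in the crashing stack.
struct TaskQueue {
  std::deque<std::function<void()>> tasks;
  void Post(std::function<void()> task) { tasks.push_back(std::move(task)); }
  void RunAll() {
    while (!tasks.empty()) {
      auto task = std::move(tasks.front());
      tasks.pop_front();
      task();
    }
  }
};

class SuggestionController {
 public:
  explicit SuggestionController(Frame* frame) : frame_(frame) {}

  // Equivalent of the IsAvailable() guard added by the fix: the frame must
  // still own a live document before we compute a visible selection.
  bool IsAvailable() const { return frame_ && frame_->GetDocument() != nullptr; }

  // Schedules the "suggestion menu timeout" callback, as the spell-check
  // menu does; nothing here cancels it when the document goes away.
  void StartTimer(TaskQueue& queue) {
    queue.Post([this] { SuggestionMenuTimeoutCallback(); });
  }

  // Returns true if a selection was computed, false if the callback bailed
  // out because the document was already detached. Before the fix the
  // method went straight to the selection computation, which is the
  // dead-document access the crash reports show.
  bool SuggestionMenuTimeoutCallback() {
    if (!IsAvailable()) {
      ++skipped_;
      return false;
    }
    // Stand-in for FrameSelection::ComputeVisibleSelectionInFlatTree(),
    // which needs a live document with clean style/layout.
    last_selection_ = frame_->GetDocument()->text.substr(0, 5);
    ++computed_;
    return true;
  }

  int computed() const { return computed_; }
  int skipped() const { return skipped_; }
  const std::string& last_selection() const { return last_selection_; }

 private:
  Frame* frame_;  // raw pointer: like a WeakPersistent, not nulled on detach
  int computed_ = 0;
  int skipped_ = 0;
  std::string last_selection_;
};

struct Outcome {
  int computed;
  int skipped;
  std::string selection;
};

// Scenario: the timer fires once with a live document and once after the
// document has been detached but before the pending task ran.
Outcome RunScenario() {
  Frame frame;
  TaskQueue queue;
  SuggestionController controller(&frame);

  controller.StartTimer(queue);
  queue.RunAll();  // document alive: selection computed

  controller.StartTimer(queue);
  frame.DetachDocument();  // teardown races the pending timer task
  queue.RunAll();          // guard returns early instead of touching a dead document

  return {controller.computed(), controller.skipped(), controller.last_selection()};
}
```

The point of the scenario is the second RunAll(): the task is still queued when the document is detached, and because nothing nulls `frame_`, only the explicit availability check stands between the callback and a dereference of freed document state. The same pattern applies to any timer or Mojo callback that holds a weak or raw reference into a frame: check that the document is still live at the top of the callback, not at scheduling time.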

Labels: -Restrict-View-EditIssue
Status: Fixed (was: Assigned)