New issue
Advanced search Search tips

Issue 801204 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Jan 2018
Cc:
mthiesse@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug
Proj-XR
Proj-XR-VR



Sign in to add a comment

Back button can trigger a crash

Project Member Reported by cjgrant@chromium.org, Jan 11 2018 
The VR back button is enabled or disabled based on browsing history.  However, it appears that history is not validated again on navigation attempts.

If a "back" triggers a lengthy page load to the first page in the history, then there may be significant delay before the UI receives the "disable back button" request.  During that delay, it's quite possible to hammer the back button and queue multiple navigation requests, triggering a crash when the navigation actually fires and tries to go back too far.

Comment 1 by cjgrant@chromium.org, Jan 11 2018

Labels: Proj-VR

Comment 2 by cjgrant@chromium.org, Jan 11 2018 

signal 6 (SIGABRT), code -6 in tid 18018 (chromium.chrome), pid 18018 (chromium.chrome)
pid: 18018, tid: 18018, name: chromium.chrome  >>> org.chromium.chrome <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
[FATAL:navigation_controller_impl.cc(847)] Check failed: pending_entry_index_ == -1 || pending_entry_->site_instance() || pending_entry_->restore_type() != RestoreType::NONE. 

Stack Trace:
  RELADDR   FUNCTION                                                                                                                                                                                                                                      FILE:LINE
  000a8495  logging::LogMessage::~LogMessage()                                                                                                                                                                                                            /usr/local/google/work
/chromium/src/base/logging.cc:581:29
  008fba1f  content::NavigationControllerImpl::RendererDidNavigate(content::RenderFrameHostImpl*, FrameHostMsg_DidCommitProvisionalLoad_Params const&, content::LoadCommittedDetails*, bool, content::NavigationHandleImpl*)                              /usr/local/google/work
/chromium/src/content/browser/frame_host/navigation_controller_impl.cc:846:3
  0090896f  content::NavigatorImpl::DidNavigate(content::RenderFrameHostImpl*, FrameHostMsg_DidCommitProvisionalLoad_Params const&, std::__ndk1::unique_ptr<content::NavigationHandleImpl, std::__ndk1::default_delete<content::NavigationHandleImpl> >)  /usr/local/google/work
/chromium/src/content/browser/frame_host/navigator_impl.cc:515:36

-----------------------------------------------------

     r0 00000000  r1 00004662  r2 00000006  r3 00000008
     r4 00004662  r5 00004662  r6 fffde3e4  r7 0000010c
     r8 00000000  r9 fffde8d8  sl fffde8dc  fp d27110b8
     ip fffde43c  sp fffde3d0  lr f0e23c89  pc f0e1d772

Stack Trace:
  RELADDR   FUNCTION                                                                                                                                                                                                                                                            
                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                
                                 FILE:LINE
  0001a772  <UNKNOWN>                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                
                                 /system/lib/libc.so
  v------>  base::debug::(anonymous namespace)::DebugBreak()                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                
                                 /usr/local/google/work/chromium/src/base/debug/debugger_posix.cc:228:5
  00096db1  base::debug::BreakDebugger()                                                                                                                                                                                                                                        
                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                
                                 /usr/local/google/work/chromium/src/base/debug/debugger_posix.cc:258:0
  000a869f  logging::LogMessage::~LogMessage()                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                
                                 /usr/local/google/work/chromium/src/base/logging.cc:844:7
  008fba1d  content::NavigationControllerImpl::RendererDidNavigate(content::RenderFrameHostImpl*, FrameHostMsg_DidCommitProvisionalLoad_Params const&, content::LoadCommittedDetails*, bool, content::NavigationHandleImpl*)                                                    
                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                
                                 /usr/local/google/work/chromium/src/content/browser/frame_host/navigation_controller_impl.cc:846:3
  0090896d  content::NavigatorImpl::DidNavigate(content::RenderFrameHostImpl*, FrameHostMsg_DidCommitProvisionalLoad_Params const&, std::__ndk1::unique_ptr<content::NavigationHandleImpl, std::__ndk1::default_delete<content::NavigationHandleImpl> >)                        
                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                
                                 /usr/local/google/work/chromium/src/content/browser/frame_host/navigator_impl.cc:515:36
  00910efb  content::RenderFrameHostImpl::DidCommitProvisionalLoad(std::__ndk1::unique_ptr<FrameHostMsg_DidCommitProvisionalLoad_Params, std::__ndk1::default_delete<FrameHostMsg_DidCommitProvisionalLoad_Params> >, mojo::InterfaceRequest<service_manager::mojom::InterfacePr
ovider>)                                                                                                                                                                                                                                                                        
                                                                                                                                                                                                                                                                                
                                 /usr/local/google/work/chromium/src/content/browser/frame_host/render_frame_host_impl.cc:1699:35
  005bac9b  content::mojom::FrameHostStubDispatch::Accept(content::mojom::FrameHost*, mojo::Message*)

Comment 3 by cjgrant@chromium.org, Jan 15 2018

Cc: mthiesse@chromium.org
Owner: ----
Status: Available (was: Assigned)
Summary: Back button can trigger a crash (was: Back button can trigger a crash due to UI race)
From a discussion with mthiesse@, the Java call to navigate back should be safe from races, and the problem is likely not what I originally suspected.  

I also haven't been able to reproduce this again.

Comment 4 by mthiesse@chromium.org, Jan 16 2018 

Suggest closing if you can't repro. A bug like this was probably fixed immediately.

Comment 5 by cjgrant@chromium.org, Jan 16 2018

Status: WontFix (was: Available)
Well, I wasn't able to reproduce it again, using the same build.  I'll close this, but will keep an eye out.

Comment 6 by dougman@chromium.org, Feb 7 2018

Labels: Test-Complete

Sign in to add a comment