OOPIF: Android renderer process crash while inspecting a page with DevTools. |
Issue description: Chrome Version: 65.0.3322.0 OS: Android 8.1.0; Pixel 2 Build/OPM1.171019.013 What steps will reproduce the problem? (1) Launch Chrome Canary on the Android device, connected through USB debugging to the host machine. (2) Navigate to http://csreis.github.io/tests/cross-site-iframe.html (3) Launch DevTools on the host machine, attached to the tab navigated in step 2. (4) Click on the "Go cross-site (simple page)" button and observe navigation to a document with content "csreis.github.io". (5) Click on the "Go same-site" button. What is the expected result? Navigation to a document with content "Simple page" completes successfully. What happens instead? There is a renderer process crash and the host DevTools displays the "DevTools was disconnected from the page." error. This crash reproduces only with DevTools attached. My host Chrome version is 65.0.3311.3 (Official Build) dev (64-bit) running on Linux. An example crash report is 57f5a2bf6ab06cc6.
,
Jan 17 2018
0xd5bb6dca (libmonochrome.so -WindowProxy.cpp:105 ) blink::WindowProxy::SetGlobalProxy(v8::Local<v8::Object>) 0xd5bb6f01 (libmonochrome.so -WindowProxyManager.cpp:53 ) blink::WindowProxyManager::SetGlobalProxies(WTF::Vector<std::__ndk1::pair<blink::DOMWrapperWorld*, v8::Local<v8::Object> >, 0u, WTF::PartitionAllocator> const&) 0xd5dc1a21 (libmonochrome.so -WebFrame.cpp:126 ) blink::WebFrame::Swap(blink::WebFrame*) 0xd61f28b7 (libmonochrome.so -render_frame_impl.cc:5648 ) content::RenderFrameImpl::SwapIn() 0xd4874931 (libmonochrome.so -render_frame_impl.cc:4221 ) content::RenderFrameImpl::DidCommitProvisionalLoad(blink::WebHistoryItem const&, blink::WebHistoryCommitType, blink::WebGlobalObjectReusePolicy) 0xd48745a5 (libmonochrome.so -LocalFrameClientImpl.cpp:444 ) blink::LocalFrameClientImpl::DispatchDidCommitLoad(blink::HistoryItem*, blink::HistoryCommitType, blink::WebGlobalObjectReusePolicy) 0xd47c3d3b (libmonochrome.so -DocumentLoader.cpp:963 ) blink::DocumentLoader::DidCommitNavigation(blink::WebGlobalObjectReusePolicy) 0xd47af27f (libmonochrome.so -DocumentLoader.cpp:1131 ) blink::DocumentLoader::InstallNewDocument(blink::KURL const&, blink::Document*, blink::WebGlobalObjectReusePolicy, WTF::AtomicString const&, WTF::AtomicString const&, blink::DocumentLoader::InstallNewDocumentReason, blink::ParserSynchronizationPolicy, blink::KURL const&) 0xd47ade65 (libmonochrome.so -DocumentLoader.cpp:689 ) blink::DocumentLoader::CommitNavigation(WTF::AtomicString const&, blink::KURL const&) 0xd47add5b (libmonochrome.so -DocumentLoader.cpp:702 ) blink::DocumentLoader::CommitData(char const*, unsigned int) 0xd486c8b9 (libmonochrome.so -DocumentLoader.cpp:757 ) blink::DocumentLoader::ProcessData(char const*, unsigned int) 0xd486c851 (libmonochrome.so -DocumentLoader.cpp:736 ) blink::DocumentLoader::DataReceived(blink::Resource*, char const*, unsigned int) 0xd486c76d (libmonochrome.so -Resource.cpp:385 ) blink::Resource::AppendData(char const*, unsigned int) 0xd486c219 
(libmonochrome.so -web_url_loader_impl.cc:903 ) content::WebURLLoaderImpl::Context::OnReceivedData(std::__ndk1::unique_ptr<content::RequestPeer::ReceivedData, std::__ndk1::default_delete<content::RequestPeer::ReceivedData> >) 0xd486c18f (libmonochrome.so -web_url_loader_impl.cc:1102 ) content::WebURLLoaderImpl::RequestPeerImpl::OnReceivedData(std::__ndk1::unique_ptr<content::RequestPeer::ReceivedData, std::__ndk1::default_delete<content::RequestPeer::ReceivedData> >) 0xd486bf97 (libmonochrome.so -url_response_body_consumer.cc:160 ) content::URLResponseBodyConsumer::OnReadable(unsigned int) 0xd48877ab (libmonochrome.so -bind_internal.h:368 ) void base::internal::Invoker<base::internal::BindState<void (content::URLResponseBodyConsumer::*)(unsigned int), base::internal::UnretainedWrapper<content::URLResponseBodyConsumer> >, void (unsigned int)>::RunImpl<void (content::URLResponseBodyConsumer::* const&)(unsigned int), std::__ndk1::tuple<base::internal::UnretainedWrapper<content::URLResponseBodyConsumer> > const&, 0u>(void (content::URLResponseBodyConsumer::* const&&&)(unsigned int), std::__ndk1::tuple<base::internal::UnretainedWrapper<content::URLResponseBodyConsumer> > const&&&, std::__ndk1::integer_sequence<unsigned int, 0u>, unsigned int&&) 0xd488779d (libmonochrome.so -bind_internal.h:350 ) base::internal::Invoker<base::internal::BindState<void (content::URLResponseBodyConsumer::*)(unsigned int), base::internal::UnretainedWrapper<content::URLResponseBodyConsumer> >, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int) 0xd45fbd51 (libmonochrome.so -callback.h:94 ) mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) 0xd45fbcc3 (libmonochrome.so + 0x00506cc3 ) void base::internal::InvokeHelper<true, void>::MakeItSo<void (content::ServiceWorkerVersion::* const&)(int, content::ServiceWorkerStatusCode, blink::mojom::ServiceWorkerClientInfo const&), base::WeakPtr<content::ServiceWorkerVersion> const&, int const&, 
content::ServiceWorkerStatusCode, blink::mojom::ServiceWorkerClientInfo const&>(void (content::ServiceWorkerVersion::* const&&&)(int, content::ServiceWorkerStatusCode, blink::mojom::ServiceWorkerClientInfo const&), base::WeakPtr<content::ServiceWorkerVersion> const&&&, int const&&&, content::ServiceWorkerStatusCode&&, blink::mojom::ServiceWorkerClientInfo const&&&) 0xd45fbc9d (libmonochrome.so -bind_internal.h:368 ) void base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__ndk1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0u, 1u, 2u, 3u>(void (mojo::SimpleWatcher::* const&&&)(int, unsigned int, mojo::HandleSignalsState const&), std::__ndk1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&&&, std::__ndk1::integer_sequence<unsigned int, 0u, 1u, 2u, 3u>) 0xd441fb27 (libmonochrome.so -callback.h:65 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 0xd4addfeb (libmonochrome.so -task_queue_manager.cc:519 ) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, blink::scheduler::LazyNow, base::TimeTicks*) 0xd4add367 (libmonochrome.so -task_queue_manager.cc:330 ) blink::scheduler::TaskQueueManager::DoWork(blink::scheduler::internal::Sequence::WorkType) 0xd441fb27 (libmonochrome.so -callback.h:65 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 0xd4add113 (libmonochrome.so -thread_controller_impl.cc:99 ) blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::Sequence::WorkType) 0xd441fb27 (libmonochrome.so -callback.h:65 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 
0xd441f6c3 (libmonochrome.so -message_loop.cc:399 ) base::MessageLoop::RunTask(base::PendingTask*) 0xd45b64cb (libmonochrome.so -message_loop.cc:411 ) base::MessageLoop::DoWork() 0xd46ad7df (libmonochrome.so -message_pump_default.cc:37 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate*) 0xd45b623f (libmonochrome.so -run_loop.cc:130 ) base::RunLoop::Run() 0xd476080d (libmonochrome.so -renderer_main.cc:218 ) content::RendererMain(content::MainFunctionParams const&) 0xd44178b1 (libmonochrome.so -content_main_runner.cc:720 ) content::ContentMainRunnerImpl::Run() 0xd440de6f (libmonochrome.so -main.cc:456 ) service_manager::Main(service_manager::MainParams const&) 0xd440db11 (libmonochrome.so -content_main.cc:42 )
,
Jan 17 2018
I've missed a step in the repro steps above. This requires Site Isolation to be enabled on the Android Chrome. Navigate to chrome://flags#enable-site-per-process and enable this.
,
Jan 17 2018
I can't repro this against 65.0.3323.3; there must be a DevTools extension polling runtime.evaluate that triggers it.
,
Jan 17 2018
I have also reproduced it with a clean profile without any extensions installed: /opt/google/chrome-unstable/google-chrome --site-per-process --user-data-dir=$HOME/profiles/bug-803240
,
Jan 18 2018
Screencast needs to be enabled to repro it.
,
Jan 19 2018
It looks like we are somehow able to evaluate something in a provisional frame. runtime.evaluate forces creation of a script context in that provisional frame, and later, when the frame is swapped in (WebFrame::Swap → WindowProxy::SetGlobalProxy in the stack above), we crash on a CHECK.
,
Jan 19 2018
I think we should check for an existing (in-flight) navigation in the RFDTAH constructor, so that DevTools does not attach to a provisional frame.
,
Apr 19 2018
,
May 4 2018
Yeah, I can't repro this with 67.0.3396.10 (Official Build) dev (64-bit) against my Android device, so it does look fixed. I'd leave the honors of closing it to the owner.
,
May 4 2018
Great! Assuming comment 9 is right, thanks to dgozman@ for the fix in r550237! I'll go ahead and close this, just to avoid loose ends. |
Comment 1 by creis@chromium.org
, Jan 17 2018Summary: OOPIF: Android renderer process crash while inspecting a page with DevTools. (was: OOPIF: Renderer process crash while inspecting a page with DevTools.)