Heap corruption after the update
Reported by s.h.h.n....@gmail.com, Mar 10 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36

Steps to reproduce the problem:
Not sure. Just updated the Chrome dev version and it's constantly crashing at boot time. Reproed in Windows 10 RS3.

What is the expected behavior?

What went wrong?
Heap corruption. Attaching what I saw in windbg. I have a crash dump, but it's too big to attach.

Did this work before? N/A
Chrome version: 66
Channel: canary
OS Version: 10.0
Flash Version:

Let me know what more information you need. It's not possible to send a crash ID since I can't boot up the Chrome dev version.

Mar 10 2018
I installed Chrome dev version in Win10 RS4 build and it's working fine. So it might be caused by restoring previous state of my Chrome dev version after the update.

Mar 13 2018
I left Chrome dev for a few days and it started without a problem today. This is most probably because it didn't try to restore the previous state (the "restore previously opened website" button didn't appear). I can't check anything now because the history is also gone. You can close this case if you can't get any information from the crash dump.

Mar 15 2018
+wfh: Could you take a quick look? Per #4, you might be able to just close it.

Mar 16 2018
wfh might (?) be OOO, adding pamg who might be able to suggest another owner.

Mar 16 2018
He'll be back Monday, but in the meantime maybe Bruce can take a look.

Mar 16 2018
Heap corruption is tricky because the place where it is detected is not necessarily anywhere near where it happened. It's possible to run Chrome with Application Verifier enabled (run Application Verifier, add chrome.exe, turn off Handle and TLS checking, then run chrome with --no-sandbox) and that may give much more useful crash reports. It would be great if the original reporter could try that. The heap corruption may still be happening but just not being detected anymore.

I loaded the crash dump with Chrome's symbol server enabled (https://www.chromium.org/developers/how-tos/debugging-on-windows) in order to get a proper call stack. Perhaps a bug in URL parsing? Here is the stack:

00 ntdll!RtlReportCriticalFailure
01 ntdll!RtlpHeapHandleError
02 ntdll!RtlpLogHeapFailure
03 ntdll!RtlFreeHeap
04 chrome!network::`anonymous namespace'::SimpleURLLoaderImpl::RequestState::~RequestState
05 chrome!std::default_delete<network::(anonymous namespace)::SimpleURLLoaderImpl::RequestState>::operator()
06 chrome!std::unique_ptr<network::(anonymous namespace)::SimpleURLLoaderImpl::RequestState,std::default_delete<network::(anonymous namespace)::SimpleURLLoaderImpl::RequestState> >::~unique_ptr
07 chrome!network::`anonymous namespace'::SimpleURLLoaderImpl::~SimpleURLLoaderImpl
08 chrome!network::`anonymous namespace'::SimpleURLLoaderImpl::~SimpleURLLoaderImpl
09 chrome!std::default_delete<network::SimpleURLLoader>::operator()
0a chrome!std::unique_ptr<network::SimpleURLLoader,std::default_delete<network::SimpleURLLoader> >::~unique_ptr
0b chrome!media_router::DialURLFetcher::~DialURLFetcher
0c chrome!media_router::DialURLFetcher::~DialURLFetcher
0d chrome!std::default_delete<media_router::DialURLFetcher>::operator()
0e chrome!std::unique_ptr<media_router::DialURLFetcher,std::default_delete<media_router::DialURLFetcher> >::reset
0f chrome!media_router::DeviceDescriptionFetcher::ProcessResponse
10 chrome!base::OnceCallback<void (const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &)>::Run
11 chrome!media_router::DialURLFetcher::ProcessResponse
12 chrome!base::internal::FunctorTraits<void (DomainReliabilityInternalsUI::*)(std::unique_ptr<base::Value,std::default_delete<base::Value> >) const,void>::Invoke
13 chrome!base::internal::InvokeHelper<0,void>::MakeItSo
14 chrome!base::internal::Invoker<base::internal::BindState<void (DomainReliabilityInternalsUI::*)(std::unique_ptr<base::Value,std::default_delete<base::Value> >) const,base::internal::UnretainedWrapper<const DomainReliabilityInternalsUI> >,void (std::unique_ptr<base::Value,std::default_delete<base::Value> >)>::RunImpl
15 chrome!base::internal::Invoker<base::internal::BindState<void (DomainReliabilityInternalsUI::*)(std::unique_ptr<base::Value,std::default_delete<base::Value> >) const,base::internal::UnretainedWrapper<const DomainReliabilityInternalsUI> >,void (std::unique_ptr<base::Value,std::default_delete<base::Value> >)>::Run
16 chrome!base::OnceCallback<void (std::unique_ptr<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::default_delete<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >)>::Run
17 chrome!network::`anonymous namespace'::SaveToStringBodyHandler::NotifyConsumerOfCompletion
18 chrome!network::`anonymous namespace'::BodyReader::ReadData
19 chrome!base::RepeatingCallback<void (unsigned int, const mojo::HandleSignalsState &)>::Run
1a chrome!mojo::SimpleWatcher::OnHandleReady
1b chrome!base::OnceCallback<void ()>::Run
1c chrome!base::debug::TaskAnnotator::RunTask
1d chrome!base::MessageLoop::RunTask
1e chrome!base::MessageLoop::DeferOrRunPendingTask
1f chrome!base::MessageLoop::DoWork
20 chrome!base::MessagePumpForIO::DoRunLoop
21 chrome!base::MessagePumpWin::Run
22 chrome!base::RunLoop::Run
23 chrome!content::BrowserThreadImpl::IOThreadRun
24 chrome!content::BrowserThreadImpl::Run
25 chrome!base::Thread::ThreadMain
26 chrome!base::`anonymous namespace'::ThreadFunc
27 kernel32!BaseThreadInitThunk
28 ntdll!RtlUserThreadStart
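The Application Verifier setup described in the comment above, as a command-line equivalent. This is an added example, not part of the thread or of Chromium; it assumes appverif.exe (Application Verifier's command-line tool) is on PATH in an elevated PowerShell session, and the Chrome path is a placeholder to adjust for the channel being debugged.

```powershell
# Added example (not from the bug thread): command-line form of the steps
# "add chrome.exe, turn off Handle and TLS checking, run with --no-sandbox".
# Assumes appverif.exe is on PATH and this runs from an elevated shell.

# Placeholder path: adjust to the Chrome channel actually being debugged.
$chrome = "$env:LOCALAPPDATA\Google\Chrome SxS\Application\chrome.exe"
$exe = Split-Path -Leaf $chrome   # Application Verifier keys its settings by image name

# Turn on the heap checks, which report corruption close to where it occurs
# rather than at a later, unrelated free.
appverif -enable Heaps -for $exe

# Turn off Handle and TLS checking, as the comment recommends for Chrome.
appverif -disable Handles TLS -for $exe

# Launch Chrome with the flag the comment gives; this is a debugging-only
# configuration, so use it on a machine set aside for that purpose.
Start-Process -FilePath $chrome -ArgumentList '--no-sandbox'

# Afterwards, undo the heap setting so the image runs normally again:
#   appverif -disable Heaps -for $exe
```

Crashes caught while the verifier is active can be opened in windbg with the symbol server configured as in the comment, which turns the reporting site into a stack near the actual corruption.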

Mar 16 2018
Could this be a duplicate of https://bugs.chromium.org/p/chromium/issues/detail?id=816628#c4

Mar 16 2018
Looks like it. I got confused briefly because the reporting user agent was 65.0.3325.146, but that's because Chrome 66 was crashing. I compared the stack to that from bug 818168 (a duplicate of 816628) and I'm reasonably confident that this is a duplicate. Thanks for finding it!

Jun 23 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by gov...@chromium.org, Mar 10 2018
Labels: Needs-Triage-M65