macviews: Media router tests segfault at exit
Issue description
The following tests segfault at exit:
MediaRouterDialogControllerWebUIBrowserTest.ShowDialog
MediaRouterIntegrationBrowserTest.OpenLocalMediaFileFailsAndShowsIssue
MediaRouterIntegrationBrowserTest.OpenLocalMediaFileInNewTab
This is ultimately because:
1. MediaRouterUIBase owns a WebContentsDisplayObserver, which is a WidgetObserver
2. This WidgetObserver is observing the top level native widget, which might well outlive the MediaRouterUIBase instance
3. Invoking a freed observer causes crashes
There's a possible spot fix but I think the real sustainable fix to this class of issues is to have WidgetObserver keep track of which Widgets it observes, and unsubscribe from them when it is destroyed.
ASAN stack traces:
==30511==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110003009d0 at pc 0x00012066958d bp 0x7ffee77da2b0 sp 0x7ffee77da2a8
READ of size 8 at 0x6110003009d0 thread T0
#0 0x12066958c in views::Widget::OnNativeWidgetDestroyed() widget.cc:1092
#1 0x120645c65 in views::NativeWidgetMac::OnWindowDestroyed() native_widget_mac.mm:130
#2 0x120461581 in views::BridgedNativeWidget::OnWindowWillClose() bridged_native_widget.mm:649
#3 0x120478085 in -[ViewsNSWindowDelegate windowWillClose:] views_nswindow_delegate.mm:135
#4 0x7fff44cdd61b in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (CoreFoundation:x86_64+0x9761b)
#5 0x7fff44cdd4e9 in _CFXRegistrationPost (CoreFoundation:x86_64+0x974e9)
#6 0x7fff44cdd220 in ___CFXNotificationPost_block_invoke (CoreFoundation:x86_64+0x97220)
#7 0x7fff44c9bd71 in -[_CFXNotificationRegistrar find:object:observer:enumerator:] (CoreFoundation:x86_64+0x55d71)
#8 0x7fff44c9ae02 in _CFXNotificationPost (CoreFoundation:x86_64+0x54e02)
#9 0x7fff46dc48c6 in -[NSNotificationCenter postNotificationName:object:userInfo:] (Foundation:x86_64+0x68c6)
#10 0x7fff42b272e7 in -[NSWindow _finishClosingWindow] (AppKit:x86_64+0x9132e7)
#11 0x7fff424c6ed7 in -[NSWindow _close] (AppKit:x86_64+0x2b2ed7)
#12 0x120478e46 in base::internal::Invoker<base::internal::BindState<void (*)(base::mac::ScopedBlock<void () block_pointer>), base::mac::ScopedBlock<void () block_pointer> >, void ()>::Run(base::internal::BindStateBase*) bind_internal.h:402
#13 0x119949b58 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) callback.h:96
#14 0x1199f689f in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) incoming_task_queue.cc:124
#15 0x119a0245e in base::MessageLoop::RunTask(base::PendingTask*) message_loop.cc:319
#16 0x119a02f50 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) message_loop.cc:329
#17 0x119a03613 in base::MessageLoop::DoWork() message_loop.cc:373
#18 0x119a1028c in base::MessagePumpCFRunLoopBase::RunWork() message_pump_mac.mm:455
#19 0x1199b5ea9 in base::mac::CallWithEHFrame(void () block_pointer) (libbase.dylib:x86_64+0xb6ea9)
#20 0x119a0e785 in base::MessagePumpCFRunLoopBase::RunWorkSource(void*) message_pump_mac.mm:431
#21 0x7fff44ce5d80 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (CoreFoundation:x86_64+0x9fd80)
#22 0x7fff44d9d65b in __CFRunLoopDoSource0 (CoreFoundation:x86_64+0x15765b)
#23 0x7fff44cc8d2f in __CFRunLoopDoSources0 (CoreFoundation:x86_64+0x82d2f)
#24 0x7fff44cc81ac in __CFRunLoopRun (CoreFoundation:x86_64+0x821ac)
#25 0x7fff44cc7a06 in CFRunLoopRunSpecific (CoreFoundation:x86_64+0x81a06)
#26 0x7fff43fa3d95 in RunCurrentEventLoopInMode (HIToolbox:x86_64+0x2fd95)
#27 0x7fff43fa3b05 in ReceiveNextEventCommon (HIToolbox:x86_64+0x2fb05)
#28 0x7fff43fa3883 in _BlockUntilNextEventMatchingListInModeWithFilter (HIToolbox:x86_64+0x2f883)
#29 0x7fff42255a72 in _DPSNextEvent (AppKit:x86_64+0x41a72)
#30 0x7fff429ebe33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (AppKit:x86_64+0x7d7e33)
==30511==WARNING: Can't read from symbolizer at fd 103
#31 0x10d725610 in __71-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke chrome_browser_application_mac.mm:233
#32 0x1199b5ea9 in base::mac::CallWithEHFrame(void () block_pointer) (libbase.dylib:x86_64+0xb6ea9)
#33 0x10d7251c1 in -[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:] chrome_browser_application_mac.mm:232
#34 0x7fff4224a884 in -[NSApplication run] (AppKit:x86_64+0x36884)
#35 0x119a137d2 in base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) message_pump_mac.mm:808
#36 0x119a0d5b0 in base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) message_pump_mac.mm:184
#37 0x119a01305 in base::MessageLoop::Run(bool) message_loop.cc:271
#38 0x119abb90c in base::RunLoop::Run() run_loop.cc:131
#39 0x10eaf389e in content::RunMessageLoop() test_utils.cc:123
#40 0x10d58f2b4 in InProcessBrowserTest::QuitBrowsers() in_process_browser_test.cc:553
#41 0x10d58ef2b in InProcessBrowserTest::PostRunTestOnMainThread() in_process_browser_test.cc:529
#42 0x10ea5992b in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop() browser_test_base.cc:408
#43 0x10d73870d in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() callback.h:125
#44 0x10d735a1d in ChromeBrowserMainParts::PreMainMessageLoopRun() chrome_browser_main.cc:1470
#45 0x123861012 in content::BrowserMainLoop::PreMainMessageLoopRun() browser_main_loop.cc:959
#46 0x1248ed68e in content::StartupTaskRunner::RunAllTasksNow() callback.h:125
#47 0x12385ce09 in content::BrowserMainLoop::CreateStartupTasks() browser_main_loop.cc:872
#48 0x123868a4b in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) browser_main_runner.cc:139
#49 0x123855c0b in content::BrowserMain(content::MainFunctionParams const&) browser_main.cc:42
#50 0x125bfa91c in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content_main_runner.cc:640
#51 0x125bfc562 in content::ContentMainRunnerImpl::Run() content_main_runner.cc:943
#52 0x12bb83980 in service_manager::Main(service_manager::MainParams const&) main.cc:452
#53 0x125bfa320 in content::ContentMain(content::ContentMainParams const&) content_main.cc:19
#54 0x10ea581c8 in content::BrowserTestBase::SetUp() browser_test_base.cc:321
#55 0x10d58b3d0 in InProcessBrowserTest::SetUp() in_process_browser_test.cc:243
#56 0x10c187ae4 in testing::Test::Run() gtest.cc
#57 0x10c189ea5 in testing::TestInfo::Run() gtest.cc:2667
#58 0x10c18b306 in testing::TestCase::Run() gtest.cc:2785
#59 0x10c1b0886 in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:5047
#60 0x10c1afd0e in testing::UnitTest::Run() gtest.cc
#61 0x10d5c9a67 in base::TestSuite::Run() test_suite.cc:275
#62 0x10d4e7925 in ChromeTestSuiteRunner::RunTestSuite(int, char**) chrome_test_launcher.cc:65
#63 0x10eae904b in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) test_launcher.cc:625
#64 0x10d4e85df in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) chrome_test_launcher.cc:170
#65 0x10d4e777c in main browser_tests_main.cc:36
#66 0x7fff6d119014 in start (libdyld.dylib:x86_64+0x1014)
0x6110003009d0 is located 16 bytes inside of 216-byte region [0x6110003009c0,0x611000300a98)
freed by thread T0 here:
LLVMSymbolizer: error reading file: No such file or directory
#0 0x13bd57ac2 in
#1 0x1117b974e in media_router::MediaRouterUIBase::~MediaRouterUIBase() memory:2321
#2 0x1118ee4c7 in non-virtual thunk to media_router::MediaRouterUI::~MediaRouterUI() media_router_ui.cc:264
#3 0x124a58801 in content::WebUIImpl::~WebUIImpl() memory:2321
#4 0x124a58aed in content::WebUIImpl::~WebUIImpl() web_ui_impl.cc:90
#5 0x123df9b9f in content::RenderFrameHostManager::ClearWebUIInstances() render_frame_host_manager.cc:467
#6 0x124966bf0 in content::WebContentsImpl::~WebContentsImpl() web_contents_impl.cc:581
#7 0x12496999d in content::WebContentsImpl::~WebContentsImpl() web_contents_impl.cc:549
#8 0x1118a714b in ConstrainedWebDialogDelegateBase::~ConstrainedWebDialogDelegateBase() memory:2321
#9 0x111f7ea41 in (anonymous namespace)::ConstrainedWebDialogDelegateViews::~ConstrainedWebDialogDelegateViews() constrained_web_dialog_delegate_views.cc:186
#10 0x111f7a39d in (anonymous namespace)::ConstrainedDialogWebView::~ConstrainedDialogWebView() memory:2321
#11 0x120610f71 in views::View::~View() view.cc:161
#12 0x1206769ad in views::ClientView::~ClientView() client_view.h:33
#13 0x120610f71 in views::View::~View() view.cc:161
#14 0x12068defc in views::NonClientView::~NonClientView() non_client_view.cc:56
#15 0x12061488d in views::View::DoRemoveChildView(views::View*, bool, bool, bool, views::View*) memory:2321
#16 0x120616cbd in views::View::RemoveAllChildViews(bool) view.cc:299
#17 0x120650aa9 in views::internal::RootView::~RootView() root_view.cc:183
#18 0x120650ccd in views::internal::RootView::~RootView() root_view.cc:179
#19 0x12065c00d in views::Widget::~Widget() memory:2321
#20 0x12065c89d in views::Widget::~Widget() widget.cc:181
#21 0x1206455f4 in views::NativeWidgetMac::~NativeWidgetMac() native_widget_mac.mm:103
#22 0x12064581d in views::NativeWidgetMac::~NativeWidgetMac() native_widget_mac.mm:100
#23 0x120645cb8 in views::NativeWidgetMac::OnWindowDestroyed() native_widget_mac.mm:132
#24 0x120461581 in views::BridgedNativeWidget::OnWindowWillClose() bridged_native_widget.mm:649
#25 0x120478085 in -[ViewsNSWindowDelegate windowWillClose:] views_nswindow_delegate.mm:135
#26 0x7fff44cdd61b in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ (CoreFoundation:x86_64+0x9761b)
#27 0x7fff44cdd4e9 in _CFXRegistrationPost (CoreFoundation:x86_64+0x974e9)
#28 0x7fff44cdd220 in ___CFXNotificationPost_block_invoke (CoreFoundation:x86_64+0x97220)
#29 0x7fff44c9bd71 in -[_CFXNotificationRegistrar find:object:observer:enumerator:] (CoreFoundation:x86_64+0x55d71)
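The fix direction proposed in the description, an observer that remembers which widgets it observes and unsubscribes in its destructor, sketched as an added example. This is not Chromium's code: `Widget`, `WidgetObserver`, `tracked_count`, `observer_count` and the two scenario functions are simplified, hypothetical stand-ins for the views classes.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

class Widget;
// Simplified stand-ins for illustration; not the views:: classes.
class WidgetObserver {
 public:
  virtual ~WidgetObserver();  // unsubscribes from every widget still tracked
  virtual void OnWidgetDestroying(Widget*) {}
  int tracked_count() const { return static_cast<int>(observed_.size()); }
 private:
  friend class Widget;
  std::vector<Widget*> observed_;  // widgets holding a raw pointer to this
};
class Widget {
 public:
  ~Widget() {
    for (WidgetObserver* o : std::vector<WidgetObserver*>(observers_)) {
      Erase(o->observed_, this);  // drop the back-reference before the callback
      o->OnWidgetDestroying(this);
    }
  }
  void AddObserver(WidgetObserver* o) { observers_.push_back(o); o->observed_.push_back(this); }
  void RemoveObserver(WidgetObserver* o) { Erase(observers_, o); Erase(o->observed_, this); }
  int observer_count() const { return static_cast<int>(observers_.size()); }
 private:
  template <class T> static void Erase(std::vector<T*>& v, T* p) {
    v.erase(std::remove(v.begin(), v.end(), p), v.end());
  }
  std::vector<WidgetObserver*> observers_;
};
WidgetObserver::~WidgetObserver() {
  for (Widget* w : std::vector<Widget*>(observed_)) w->RemoveObserver(this);
}
// Order from the report: the observer's owner is destroyed before the widget.
int ObserversLeftAfterOwnerDies() {
  auto widget = std::make_unique<Widget>();
  auto owner = std::make_unique<WidgetObserver>();
  widget->AddObserver(owner.get());
  owner.reset();                     // destructor removes it from the widget
  return widget->observer_count();   // 0, so closing the widget calls nobody
}
// Opposite order: the widget goes first and the observer forgets it.
int TrackedAfterWidgetDies() {
  WidgetObserver obs;
  { Widget w; w.AddObserver(&obs); }
  return obs.tracked_count();        // 0, so ~WidgetObserver touches no freed widget
}
```

Both destruction orders have to be handled: tracking only in the observer would leave it holding a pointer to a widget that closed first.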
,
May 17 2018
,
May 17 2018
Thank you for writing this fix!
Comment 1 by bugdroid1@chromium.org, May 16 2018