Issue 841739

Issue metadata

Status: Fixed
Owner:
Closed: Sep 20
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression



Regression: Chrome crashes while capturing a screenshot of a killed tab.

Reported by avsha...@etouch.net, May 10 2018

Issue description

Chrome Version : 66.0.3359.170 (Official Build) 30c511add11ae3d417d1ca5e010152fce57fa128-refs/branch-heads/3359@{#814} 32/64-bit
OS : Windows(7,8,8.1,10), Mac(10.12.6, 10.13.1, 10.13.5), Linux(14.04 LTS)

What steps will reproduce the problem?
1. Launch Chrome, open DevTools on the NTP and click the 'Toggle device toolbar' button.
2. Kill the current NTP using the chrome://kill command.
3. Now click on 'More options' icon in device toolbar and select 'Capture screenshot' option.
4. Observe.

Actual Result: Chrome crashes while capturing a screenshot of a killed tab.

Expected Result: Chrome should not crash while trying to capture a screenshot of a killed page.

Crash IDs:
-------------
Crash ID 388eb335bc60c7bd (Local Crash ID: 2352b2dd-ed99-4a01-b557-caca65c218ac)
Crash ID 193cd4615f29cfc0 (Local Crash ID: 70f05fee-cfdc-451a-a291-31b1859408a9)

This is a regression issue, broken in M-62; bisect results using the per-revision script:
Good Build: 62.0.3166.0 (Revision: 489162)
Bad Build: 62.0.3167.0 (Revision: 489499)

You are probably looking for a change made after 489213 (known good), but no later than 489214 (first known bad).

Change Log URL :
https://chromium.googlesource.com/chromium/src/+log/630ffea24378936a0548890c34bb522c5b3c3c24..452bcd1e19ce87fa9f7bb754d3f202f3780932a6

Suspect : https://chromium.googlesource.com/chromium/src/+/452bcd1e19ce87fa9f7bb754d3f202f3780932a6

@Pavel: Could you please check whether this is caused by your change? If not, please help us assign it to the right owner.

Note:
1. The issue is also observed in Beta #67.0.3396.40 and Canary #68.0.3426.0 builds.

Attachments: Actual_Result.mp4 (822 KB), Expected_Result.mp4 (917 KB)
Labels: HasTestcase
Please find the stack trace for the crash ID:
---------------------------------------------
Thread 0 (id: 11104) CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000000 ] MAGIC SIGNATURE THREAD
Stack Quality: 100%
0x00007ffa18ab8d8f	(chrome.dll -page_handler.cc:534 )	content::protocol::PageHandler::CaptureScreenshot(content::protocol::Maybe<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,content::protocol::Maybe<int>,content::protocol::Maybe<content::protocol::Page::Viewport>,content::protocol::Maybe<bool>,std::unique_ptr<content::protocol::Page::Backend::CaptureScreenshotCallback,std::default_delete<content::protocol::Page::Backend::CaptureScreenshotCallback> >)
0x00007ffa189ce627	(chrome.dll -page.cc:687 )	content::protocol::Page::DispatcherImpl::captureScreenshot(int,std::unique_ptr<content::protocol::DictionaryValue,std::default_delete<content::protocol::DictionaryValue> >,content::protocol::ErrorSupport *)
0x00007ffa189b7107	(chrome.dll -dom.cc:76 )	content::protocol::Browser::DispatcherImpl::dispatch(int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::unique_ptr<content::protocol::DictionaryValue,std::default_delete<content::protocol::DictionaryValue> >)
0x00007ffa189d45bc	(chrome.dll -protocol.cc:822 )	content::protocol::UberDispatcher::dispatch(std::unique_ptr<content::protocol::Value,std::default_delete<content::protocol::Value> >,int *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > *)
0x00007ffa18a9c0b9	(chrome.dll -devtools_session.cc:136 )	content::DevToolsSession::DispatchProtocolMessage(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x00007ffa18a8fb63	(chrome.dll -devtools_agent_host_impl.cc:223 )	content::DevToolsAgentHostImpl::DispatchProtocolMessage(content::DevToolsAgentHostClient *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x00007ffa19c72043	(chrome.dll -devtools_ui_bindings.cc:1021 )	DevToolsUIBindings::DispatchProtocolMessageFromDevToolsFrontend(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x00007ffa19c89bae	(chrome.dll -devtools_embedder_message_dispatcher.cc:91 )	`anonymous namespace'::ParseAndHandle<const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &>
0x00007ffa19c89811	(chrome.dll -devtools_embedder_message_dispatcher.cc:123 )	DispatcherImpl::Dispatch(base::RepeatingCallback<void > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::ListValue const *)
0x00007ffa19c6f1fd	(chrome.dll -devtools_ui_bindings.cc:562 )	DevToolsUIBindings::HandleMessageFromDevToolsFrontend(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x00007ffa188df2f8	(chrome.dll -devtools_frontend.mojom.cc:356 )	blink::mojom::DevToolsFrontendHostStubDispatch::Accept(blink::mojom::DevToolsFrontendHost *,mojo::Message *)
0x00007ffa191dc848	(chrome.dll -ipc_mojo_bootstrap.cc:799 )	IPC::`anonymous namespace'::ChannelAssociatedGroupController::AcceptOnProxyThread
0x00007ffa191dafed	(chrome.dll -bind_internal.h:586 )	base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message),scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,base::internal::PassedWrapper<mojo::Message> >,void ()>::Run
0x00007ffa17ff400e	(chrome.dll -task_annotator.cc:61 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ffa17ff3afb	(chrome.dll -message_loop.cc:395 )	base::MessageLoop::RunTask(base::PendingTask *)
0x00007ffa17ff3557	(chrome.dll -message_loop.cc:451 )	base::MessageLoop::DoWork()
0x00007ffa180fdd18	(chrome.dll -message_pump_win.cc:173 )	base::MessagePumpForUI::DoRunLoop()
0x00007ffa1803f3c7	(chrome.dll -message_pump_win.cc:56 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x00007ffa17ff2b24	(chrome.dll -run_loop.cc:133 )	base::RunLoop::Run()
0x00007ffa183d0ee2	(chrome.dll -chrome_browser_main.cc:2190 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x00007ffa183d0cd3	(chrome.dll -browser_main_loop.cc:1103 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x00007ffa183d0c7e	(chrome.dll -browser_main_runner.cc:160 )	content::BrowserMainRunnerImpl::Run()
0x00007ffa17feb069	(chrome.dll -browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const &)
0x00007ffa17feaf06	(chrome.dll -content_main_runner.cc:423 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x00007ffa17feadb0	(chrome.dll -content_main_runner.cc:703 )	content::ContentMainRunnerImpl::Run()
0x00007ffa17fd7954	(chrome.dll -main.cc:453 )	service_manager::Main(service_manager::MainParams const &)
0x00007ffa17fd7417	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x00007ffa17fd38a4	(chrome.dll -chrome_main.cc:101 )	ChromeMain
0x00007ff6e526354b	(chrome.exe -main_dll_loader_win.cc:199 )	MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x00007ff6e526169b	(chrome.exe -chrome_exe_main_win.cc:230 )	wWinMain
0x00007ff6e533c6b2	(chrome.exe -exe_common.inl:283 )	__scrt_common_main_seh
0x00007ffa55431fe3	(KERNEL32.dll + 0x00011fe3 )	BaseThreadInitThunk
0x00007ffa55c5f060	(ntdll.dll + 0x0006f060 )	RtlUserThreadStart
Owner: dgozman@chromium.org

Comment 3 by bugdroid1@chromium.org, Sep 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e4673c3f8e181680cad8d8c483ca8c08164516eb

commit e4673c3f8e181680cad8d8c483ca8c08164516eb
Author: Dmitry Gozman <dgozman@chromium.org>
Date: Thu Sep 20 17:57:47 2018

[DevTools] Fix npe when accessing RWHV in PageHandler::CaptureScreenshot

Bug:  841739 
Change-Id: I6e61a5c11253096d80aeafb4b83ce653fbcfa0f0
Reviewed-on: https://chromium-review.googlesource.com/1235119
Commit-Queue: Alexei Filippov <alph@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#592868}
[modify] https://crrev.com/e4673c3f8e181680cad8d8c483ca8c08164516eb/content/browser/devtools/protocol/page_handler.cc

Labels: -Target-66 -Target-67 -Target-68 Target-71
Status: Fixed (was: Assigned)
Labels: TE-Verified-M71 TE-Verified-71.0.3558.0
Update:
---------
Tested the above issue in the latest Canary build #71.0.3558.0 on Windows (7, 8, 8.1, 10), Linux (14.04 LTS) and Mac (10.12.6, 10.13.1, 10.14, 10.13.6), and the issue is fixed.
Now, Chrome does not crash when capturing a screenshot of a killed tab, hence adding TE-Verified labels. Kindly review the attached screencast for reference.

Thank you!

Attachment: Canary_Results.mp4 (1.2 MB)