
Issue 864767


Issue metadata

Status: WontFix
Owner:
Closed: Aug 2
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




CHECK failure: !performing_user_action_ in textfield.cc

Project Member Reported by ClusterFuzz, Jul 17

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5162746258391040

Fuzzer: ifratric_pdf_generic
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !performing_user_action_ in textfield.cc
  views::Textfield::OnBeforeUserAction
  views::Textfield::OnBeforePointerAction
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5162746258391040

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: kkaluri@chromium.org
Components: UI>Browser>Omnibox
Labels: M-68 Test-Predator-Wrong CF-NeedsTriage
Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue?

Thank You...

Components: -UI>Browser>Omnibox Internals>Views
Owner: msw@chromium.org
Status: Available (was: Untriaged)
Cc: msw@chromium.org
Owner: tommycli@chromium.org
Status: Assigned (was: Available)
Tommy, I'm not actively working on Textfield, can you investigate or find another owner?
Looks like a nested call to OnBeforeUserAction, or a failure to call OnAfterUserAction somewhere.
Nothing appears amiss from a quick look, and my attempts to run clusterfuzz locally didn't repro.
If needed, it might make sense to add some logging at callsites, or record the holder of the lock.
msw: Sounds good. I'm guessing I'm as good of an owner for this bug as anyone else then.

I will get to this when I have a chance. :)
Oh boy this is not good.

The root cause is that middle-click triggers a selection-paste on Linux.

The way we implement that, we fire up a RunLoop within ui::SelectionRequestor::BlockTillSelectionNotifyForRequest to make an asynchronous operation blocking.

Then, during this RunLoop, we (unintentionally) process the next user gesture, leading to nested user actions, leading to this crash. 

The sequence of gestures looks like:

Running: xdotool windowactivate --sync 125829121
.
Running: xdotool mouseup -- 1
.
Running: xdotool mousemove --sync -- 730 60
.
Running: xdotool click --repeat 3 -- 2


A root cause fix would be to make selection-paste not fire up an inner run loop.
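
The reentrancy described in the comment above, modelled as an added example that is not part of the original thread and is not Chromium code: `EventQueue`, `Field` and `Simulate` are hypothetical names, and the guard counts nested actions where the real CHECK would abort. It goes one step beyond the thread by also modelling the suggested fix (no inner run loop) for comparison.

```cpp
// Added illustration, not Chromium code: all type and function names are hypothetical.
#include <deque>
#include <functional>
#include <utility>

struct EventQueue {
  std::deque<std::function<void()>> tasks;
  void Post(std::function<void()> t) { tasks.push_back(std::move(t)); }
  void RunOne() {
    auto t = std::move(tasks.front());
    tasks.pop_front();
    t();
  }
  // Stands in for a nested RunLoop: dispatches any queued task until done.
  void RunUntil(const bool& done) { while (!done && !tasks.empty()) RunOne(); }
  void RunAll() { while (!tasks.empty()) RunOne(); }
};

struct Field {
  EventQueue* queue;
  bool blocking_paste;  // true: wait for the selection in an inner loop
  bool performing_user_action = false;
  int nested_actions = 0;  // times the real CHECK would have fired
  int pastes = 0;
  void OnMiddleClick() {
    if (performing_user_action) { ++nested_actions; return; }  // CHECK stand-in
    performing_user_action = true;
    if (blocking_paste) {
      bool reply = false;
      queue->Post([&reply] { reply = true; });  // constructed selection reply
      queue->RunUntil(reply);  // queued clicks are dispatched mid-action
      ++pastes;
    } else {
      queue->Post([this] { ++pastes; });  // paste applied when reply arrives
    }
    performing_user_action = false;
  }
};

struct Result { int nested_actions; int pastes; };
// Queues three middle clicks, as in the gesture sequence, then drains them.
Result Simulate(bool blocking_paste) {
  EventQueue q;
  Field f{&q, blocking_paste};
  for (int i = 0; i < 3; ++i) q.Post([&f] { f.OnMiddleClick(); });
  q.RunAll();
  return {f.nested_actions, f.pastes};
}
int main() { return Simulate(true).nested_actions == 2 ? 0 : 1; }
```

With the inner loop, the second and third clicks arrive while the first action is still open; without it, each click completes its own action before the next is dispatched.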
Project Member

Comment 6 by ClusterFuzz, Jul 29

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 5162746258391040 appears to be flaky, updating reproducibility label.
Project Member

Comment 7 by ClusterFuzz, Aug 2

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5162746258391040 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
