Chrome_iOS: Crash Report - -[CRWNavigationItemHolder initWithBackForwardListItem:] |
|||||||
Issue descriptionThis is a new crash that affects only #slim-navigation-manager. Sample crash report: https://crash.corp.google.com/browse?q=reportid=%27c8f5f8def41ddde0%27 Stacktrace: 0x00000001845894e0 (libobjc.A.dylib + 0x000194e0 ) _object_set_associative_reference 0x00000001845894d4 (libobjc.A.dylib + 0x000194d4 ) _object_set_associative_reference 0x00000001001ccd04 (Chrome -crw_navigation_item_holder.mm:36 ) -[CRWNavigationItemHolder initWithBackForwardListItem:] 0x00000001001ccc64 (Chrome -crw_navigation_item_holder.mm:28 ) +[CRWNavigationItemHolder holderForBackForwardListItem:] 0x00000001001e6384 (Chrome -crw_web_controller.mm:5137 ) -[CRWWebController webViewURLDidChange] 0x00000001001e5bd8 (Chrome -crw_web_controller.mm:4958 ) -[CRWWebController observeValueForKeyPath:ofObject:change:context:] 0x000000018651bcb4 (Foundation + 0x0001bcb4 ) NSKeyValueNotifyObserver 0x000000018651b7dc (Foundation + 0x0001b7dc ) NSKeyValueDidChange 0x000000018650673c (Foundation + 0x0000673c ) -[NSObject(NSKeyValueObserverNotification) didChangeValueForKey:] 0x000000018f233a9c (WebKit + 0x000c1a9c ) WebKit::PageLoadState::commitChanges() 0x000000018f31cae4 (WebKit + 0x001aaae4 ) WebKit::WebPageProxy::didSameDocumentNavigationForFrame(unsigned long long, unsigned long long, unsigned int, WTF::String const&, WebKit::UserData const&) 0x000000018f3376d4 (WebKit + 0x001c56d4 ) void IPC::handleMessage<Messages::WebPageProxy::DidSameDocumentNavigationForFrame, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long long, unsigned long long, unsigned int, WTF::String const&, WebKit::UserData const&)>(IPC::Decoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long long, unsigned long long, unsigned int, WTF::String const&, WebKit::UserData const&)) 0x000000018f1d8e44 (WebKit + 0x00066e44 ) IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) 0x000000018f381874 (WebKit + 0x0020f874 ) WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 0x000000018f19ecfc (WebKit + 0x0002ccfc ) IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) 0x000000018f1a14f4 (WebKit + 0x0002f4f4 ) IPC::Connection::dispatchOneMessage() 0x000000018a385e44 (JavaScriptCore + 0x009a2e44 ) WTF::RunLoop::performWork() 0x000000018a38608c (JavaScriptCore + 0x009a308c ) WTF::RunLoop::performWork(void*) 0x0000000185ac5420 (CoreFoundation + 0x000db420 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 0x0000000185ac4cf8 (CoreFoundation + 0x000dacf8 ) __CFRunLoopDoSources0 0x0000000185ac299c (CoreFoundation + 0x000d899c ) __CFRunLoopRun 0x00000001859f2d90 (CoreFoundation + 0x00008d90 ) CFRunLoopRunSpecific 0x000000018745c070 (GraphicsServices + 0x0000c070 ) GSEventRunModal 0x000000018bca412c (UIKit + 0x0007512c ) UIApplicationMain 0x000000010002f750 (Chrome -chrome_exe_main.mm:54 ) main 0x0000000184a01598 (libdyld.dylib + 0x00004598 ) start
,
Aug 2
Hi Danyao, any update here?
,
Aug 2
Sorry I don't have update on this one yet. It was failing a low rate (a few crashes a day) so I didn't prioritize this bug. Removed RBS label since we're not going to roll out slim nav in M69.
,
Sep 12
,
Sep 12
,
Sep 12
,
Sep 13
This is quite a lot of crashes for 0.5% experiment. We should probably keep RBS. https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27-%5BCRWNavigationItemHolder+initWithBackForwardListItem%3A%5D%27+AND+EXISTS+%28SELECT+1+FROM+UNNEST%28expanded_custom_data.ChromeCrashProto.experiments.ids%29+expanded_custom_data_ChromeCrashProto_experiments_ids+WHERE+expanded_custom_data_ChromeCrashProto_experiments_ids%3D%27ac4e2bf4-a0545610%27%29#-propertyselector,productname:1000,-magicsignature:50,-magicsignature2:50,-stablesignature:50,+day,-magicsignaturesorted:50
,
Sep 17
Fair enough. The crash is caused by calling [CRWNavigationItemHolder holderForBackForwardListItem] on a nil WKWebView.backForwardList.currentItem. Why currentItem is nil in [CRWWebController webViewURLDidChange] is an issue in WKWebView. The code has a DCHECK for this assertion, but looks like it's an edge case not caught in any of our tests. I'll add a nil check in [CRWWebController webViewURLDidChange].
,
Sep 18
I was able to create a repro case for this crash. In a new tab, click on a link that exercises the following script:
window.open('', 'anything').location.replace('about:blank#');
This does two things:
1) window.open('', 'anything') creates a new child window without URL. This triggers a specific bug in WebKit that results in a WKWebView |backForwardList| is not nil but |backForwardList.currentItem| is nil (crbug.com/809287)
2) location.replace('about:blank#') triggers the crashing code path in [CRWWebController webViewURLDidChange], which was originally added to handle location.replace, but assumes that |webView.backForwardList.currentItem| is always non-null.
It seems that about:blank# is unique in triggering the condition required to generate the crash: webView.isLoading is false at the time of URL KVO. I also tried the following URLs, but for all of them, webView.isLoading is true at time of URL KVO so the crashing code path is not exercised:
- about:blank/#
- about:blank?query
- about:blank/query
- about:anything
A hypothesis is that WebKit may treat about:blank# as a same-document navigation. So it doesn't create a new WKBackForwardListItem, leaving the child window without a |currentItem| as setup by the empty window open. It's not clear to me why "about:blank/#" doesn't behave the same.
,
Sep 18
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/267717811617482c3e927c18dc514992ed1cee17 commit 267717811617482c3e927c18dc514992ed1cee17 Author: Danyao Wang <danyao@chromium.org> Date: Tue Sep 18 20:25:43 2018 [Nav Experiment] Fix crash in [CRWWebController webViewURLDidChange]. This method looks up the current NavigationItem associated with WKBackForwardList.currentItem and updates its URL to handle two edge cases for location.replace. The lookup crashes if WKBackForwardList.currentItem is nil. The correct NavigationItem to update in this case is |self.currentNavItem|. An egtest that triggers this scenario is added; though it's not clear if this is the only case. Bug: 866142 Cq-Include-Trybots: luci.chromium.try:ios-simulator-cronet;luci.chromium.try:ios-simulator-full-configs Change-Id: I5c76ad50296127234f498741a62b796fb4397461 Reviewed-on: https://chromium-review.googlesource.com/1228442 Reviewed-by: Eugene But <eugenebut@chromium.org> Commit-Queue: Danyao Wang <danyao@chromium.org> Cr-Commit-Position: refs/heads/master@{#592175} [modify] https://crrev.com/267717811617482c3e927c18dc514992ed1cee17/ios/chrome/browser/web/window_open_by_dom_egtest.mm [modify] https://crrev.com/267717811617482c3e927c18dc514992ed1cee17/ios/testing/data/http_server_files/window_open.html [modify] https://crrev.com/267717811617482c3e927c18dc514992ed1cee17/ios/web/navigation/wk_based_navigation_manager_impl.mm [modify] https://crrev.com/267717811617482c3e927c18dc514992ed1cee17/ios/web/web_state/ui/crw_web_controller.mm
,
Sep 18
,
Oct 30
Issue 899292 has been merged into this issue.
,
Nov 29
|
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by danyao@chromium.org
, Jul 20