
Issue 892898

Issue metadata

Status: Started
Pri: 1
Type: Bug

A crash might occur when selecting an item (e.g. contact info) on the payment request UI

Reported by jinho.b...@samsung.com (Project Member), Oct 6

Issue description

0   libbase.dylib                       0x0000000113d0d1c4 base::debug::StackTrace::StackTrace(unsigned long) + 772
1   libbase.dylib                       0x0000000113d0d5cd base::debug::StackTrace::StackTrace(unsigned long) + 29
2   libbase.dylib                       0x000000011322998a base::debug::StackTrace::StackTrace() + 26
3   libbase.dylib                       0x0000000113d0cbd0 base::debug::(anonymous namespace)::StackDumpSignalHandler(int, __siginfo*, void*) + 3952
4   libsystem_platform.dylib            0x00007fff6634bf5a _sigtramp + 26
5   ???                                 0x0000000115458558 0x0 + 4651844952
6   libsystem_c.dylib                   0x00007fff660e91ae abort + 127
7   libclang_rt.asan_osx_dynamic.dylib  0x000000010e6ea756 __sanitizer_sandbox_on_notify + 1158
8   libclang_rt.asan_osx_dynamic.dylib  0x000000010e6ea0c4 OnPrint + 14212
9   libclang_rt.asan_osx_dynamic.dylib  0x000000010e6d2379 __asan_on_error + 985
10  libclang_rt.asan_osx_dynamic.dylib  0x000000010e6d1b93 __asan_unpoison_intra_object_redzone + 8563
11  libclang_rt.asan_osx_dynamic.dylib  0x000000010e6d2878 __asan_report_load8 + 40
12  libviews.dylib                      0x000000018288bef7 views::View::GetNativeTheme() const + 71
13  libchrome_dll.dylib                 0x000000012bcf1ba5 views::View::GetNativeTheme() + 21
14  libchrome_dll.dylib                 0x000000012b909cc7 payments::PaymentRequestRowView::ShowBottomSeparator() + 295
15  libchrome_dll.dylib                 0x000000012b90b0a8 payments::PaymentRequestRowView::SetIsHighlighted(bool) + 1512
16  libchrome_dll.dylib                 0x000000012b90b1ac payments::PaymentRequestRowView::StateChanged(views::Button::ButtonState) + 108
17  libviews.dylib                      0x00000001824cd43f views::Button::SetState(views::Button::ButtonState) + 1167
18  libviews.dylib                      0x00000001824d1556 views::Button::ViewHierarchyChanged(views::View::ViewHierarchyChangedDetails const&) + 294
19  libviews.dylib                      0x000000018289d7a0 views::View::ViewHierarchyChangedImpl(bool, views::View::ViewHierarchyChangedDetails const&) + 496
20  libviews.dylib                      0x00000001828d8fed views::View::PropagateRemoveNotifications(views::View*, views::View*, bool) + 2109
21  libviews.dylib                      0x0000000182896d51 views::View::DoRemoveChildView(views::View*, bool, bool, bool, views::View*) + 5905
22  libviews.dylib                      0x000000018289e812 views::View::RemoveAllChildViews(bool) + 354
23  libchrome_dll.dylib                 0x000000012b96f598 payments::PaymentRequestSheetController::UpdateContentView() + 88
24  libchrome_dll.dylib                 0x000000012b982b0a payments::PaymentSheetViewController::OnSelectedInformationChanged() + 410
25  libchrome_dll.dylib                 0x000000012cdf930a payments::PaymentRequestState::NotifyOnSelectedInformationChanged() + 458
26  libchrome_dll.dylib                 0x000000012cdf0a84 payments::PaymentRequestState::UpdateIsReadyToPayAndNotifyObservers() + 164
27  libchrome_dll.dylib                 0x000000012cdf09c9 payments::PaymentRequestState::OnSpecUpdated() + 1801
28  libchrome_dll.dylib                 0x000000012cdd0ffa payments::PaymentRequestSpec::NotifyOnSpecUpdated() + 458
29  libchrome_dll.dylib                 0x000000012cdbd0ec payments::PaymentRequestSpec::RecomputeSpecForDetails() + 60
30  libchrome_dll.dylib                 0x000000012cdbcf4f payments::PaymentRequestSpec::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) + 3711
31  libchrome_dll.dylib                 0x000000012cdbbfd8 payments::PaymentRequest::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) + 1592
32  libblink_common.dylib               0x000000016c1a901e payments::mojom::PaymentRequestStubDispatch::Accept(payments::mojom::PaymentRequest*, mojo::Message*) + 9582
33  libchrome_dll.dylib                 0x000000012ce1fb29 payments::mojom::PaymentRequestStub<mojo::RawPtrImplRefTraits<payments::mojom::PaymentRequest> >::Accept(mojo::Message*) + 137
34  libbindings.dylib                   0x0000000114478ae8 mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) + 15080
35  libbindings.dylib                   0x0000000114474ff4 mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message*) + 84
36  libbindings.dylib                   0x000000011446fdb4 mojo::FilterChain::Accept(mojo::Message*) + 2564
37  libbindings.dylib                   0x0000000114481403 mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) + 419
38  libbindings.dylib                   0x00000001144ac44b mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) + 2603
39  libbindings.dylib                   0x00000001144aaf34 mojo::internal::MultiplexRouter::Accept(mojo::Message*) + 1268
40  libbindings.dylib                   0x000000011446fdb4 mojo::FilterChain::Accept(mojo::Message*) + 2564
41  libbindings.dylib                   0x000000011443c9af mojo::Connector::ReadSingleMessage(unsigned int*) + 4047
42  libbindings.dylib                   0x000000011443f929 mojo::Connector::ReadAllAvailableMessages() + 937
43  libbindings.dylib                   0x000000011443f0b0 mojo::Connector::OnHandleReadyInternal(unsigned int) + 448
44  libbindings.dylib                   0x000000011443eedb mojo::Connector::OnWatcherHandleReady(unsigned int) + 27
45  libbindings.dylib                   0x0000000114449ee8 void base::internal::FunctorTraits<void (mojo::Connector::*)(unsigned int), void>::Invoke<void (mojo::Connector::*)(unsigned int), mojo::Connector*, unsigned int>(void (mojo::Connector::*)(unsigned int), mojo::Connector*&&, unsigned int&&) + 808
46  libbindings.dylib                   0x0000000114449b19 void base::internal::InvokeHelper<false, void>::MakeItSo<void (mojo::Connector::* const&)(unsigned int), mojo::Connector*, unsigned int>(void (mojo::Connector::* const&&&)(unsigned int), mojo::Connector*&&, unsigned int&&) + 569
47  libbindings.dylib                   0x0000000114449871 void base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::RunImpl<void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, 0ul>(void (mojo::Connector::* const&&&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&&&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&) + 417
48  libbindings.dylib                   0x00000001144495f5 base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int) + 341
49  libbindings.dylib                   0x000000011442ce72 base::RepeatingCallback<void (unsigned int)>::Run(unsigned int) const & + 466
50  libbindings.dylib                   0x0000000114445def mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&) + 31
51  libbindings.dylib                   0x00000001144462e0 void base::internal::FunctorTraits<void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), void>::Invoke<void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&>(void (* const&&&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&&&, unsigned int&&, mojo::HandleSignalsState const&&&) + 224
52  libbindings.dylib                   0x00000001144461ed void base::internal::InvokeHelper<false, void>::MakeItSo<void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&>(void (* const&&&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&&&, unsigned int&&, mojo::HandleSignalsState const&&&) + 77
53  libbindings.dylib                   0x0000000114446190 void base::internal::Invoker<base::internal::BindState<void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> >, void (unsigned int, mojo::HandleSignalsState const&)>::RunImpl<void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::RepeatingCallback<void (unsigned int)> > const&, 0ul>(void (* const&&&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::RepeatingCallback<void (unsigned int)> > const&&&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&, mojo::HandleSignalsState const&) + 112
54  libbindings.dylib                   0x0000000114446016 base::internal::Invoker<base::internal::BindState<void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> >, void (unsigned int, mojo::HandleSignalsState const&)>::Run(base::internal::BindStateBase*, unsigned int, mojo::HandleSignalsState const&) + 390
55  libmojo_public_system_cpp.dylib     0x00000001146e5fd0 base::RepeatingCallback<void (unsigned int, mojo::HandleSignalsState const&)>::Run(unsigned int, mojo::HandleSignalsState const&) const + 512
56  libmojo_public_system_cpp.dylib     0x00000001146e59da mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) + 906
57  libmojo_public_system_cpp.dylib     0x00000001146e77d6 void base::internal::FunctorTraits<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), void>::Invoke<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&>(void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&&&, int const&&&, unsigned int const&&&, mojo::HandleSignalsState const&&&) + 950
58  libmojo_public_system_cpp.dylib     0x00000001146e72ec void base::internal::InvokeHelper<true, void>::MakeItSo<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&>(void (mojo::SimpleWatcher::* const&&&)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&&&, int const&&&, unsigned int const&&&, mojo::HandleSignalsState const&&&) + 716
59  libmojo_public_system_cpp.dylib     0x00000001146e7012 void base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0ul, 1ul, 2ul, 3ul>(void (mojo::SimpleWatcher::* const&&&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>) + 242
60  libmojo_public_system_cpp.dylib     0x00000001146e6e2c base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::Run(base::internal::BindStateBase*) + 44
61  libbase.dylib                       0x00000001131e0826 base::OnceCallback<void ()>::Run() && + 278
62  libbase.dylib                       0x000000011326138c base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 2348
63  libbase.dylib                       0x00000001134685b3 base::MessageLoop::RunTask(base::PendingTask*) + 4067
64  libbase.dylib                       0x00000001134694e9 base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) + 361
65  libbase.dylib                       0x000000011346a92b base::MessageLoop::DoWork() + 1867
66  libbase.dylib                       0x0000000113e3b1b7 base::MessagePumpCFRunLoopBase::RunWork() + 791
67  libbase.dylib                       0x0000000113e3ae8c ___ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv_block_invoke + 76
68  libbase.dylib                       0x0000000113e659fa base::mac::CallWithEHFrame(void () block_pointer) + 10
69  libbase.dylib                       0x0000000113e37b8f base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 703
70  CoreFoundation                      0x00007fff3e249a61 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
71  CoreFoundation                      0x00007fff3e30347c __CFRunLoopDoSource0 + 108
72  CoreFoundation                      0x00007fff3e22c4c0 __CFRunLoopDoSources0 + 208
73  CoreFoundation                      0x00007fff3e22b93d __CFRunLoopRun + 1293
74  CoreFoundation                      0x00007fff3e22b1a3 CFRunLoopRunSpecific + 483
75  HIToolbox                           0x00007fff3d511d96 RunCurrentEventLoopInMode + 286
76  HIToolbox                           0x00007fff3d511b06 ReceiveNextEventCommon + 613
77  HIToolbox                           0x00007fff3d511884 _BlockUntilNextEventMatchingListInModeWithFilter + 64
78  AppKit                              0x00007fff3b7c3a73 _DPSNextEvent + 2085
79  AppKit                              0x00007fff3bf59e34 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
80  libchrome_dll.dylib                 0x000000011fd96893 __71-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke + 851
81  libbase.dylib                       0x0000000113e659fa base::mac::CallWithEHFrame(void () block_pointer) + 10
82  libchrome_dll.dylib                 0x000000011fd96285 -[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 1925
83  AppKit                              0x00007fff3b7b8885 -[NSApplication run] + 764
84  libbase.dylib                       0x0000000113e3ead4 base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 1140
85  libbase.dylib                       0x0000000113e35db3 base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 515
86  libbase.dylib                       0x0000000113466a60 base::MessageLoop::Run(bool) + 1488
87  libbase.dylib                       0x00000001136b0652 base::RunLoop::Run() + 1538
88  libchrome_dll.dylib                 0x000000011cb233e5 ChromeBrowserMainParts::MainMessageLoopRun(int*) + 997
89  libcontent.dylib                    0x0000000150c5ce0d content::BrowserMainLoop::RunMainMessageLoopParts() + 1341
90  libcontent.dylib                    0x0000000150c6df2c content::BrowserMainRunnerImpl::Run() + 844
91  libcontent.dylib                    0x0000000150c3bbc7 content::BrowserMain(content::MainFunctionParams const&) + 1639
92  libcontent.dylib                    0x00000001584a7fa6 content::RunBrowserProcessMain(content::MainFunctionParams const&, content::ContentMainDelegate*) + 662
93  libcontent.dylib                    0x00000001584af96c content::ContentMainRunnerImpl::Run(bool) + 9420
94  libcontent.dylib                    0x00000001584980e1 content::ContentServiceManagerMainDelegate::RunEmbedderProcess() + 321
95  libembedder.dylib                   0x0000000112fe8919 service_manager::Main(service_manager::MainParams const&) + 7369
96  libcontent.dylib                    0x00000001584a7c52 content::ContentMain(content::ContentMainParams const&) + 642
97  libchrome_dll.dylib                 0x00000001154fa1ba ChromeMain + 922
98  Chromium                            0x000000010e66dc98 main + 2808
99  libdyld.dylib                       0x00007fff6603d015 start + 1
100 ???                                 0x0000000000000002 0x0 + 2
[end of stack trace]
 
Comment 1 by bugdroid1@chromium.org (Project Member), Oct 9

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1d3e779c31369d907d5409ebd15f728d18882971

commit 1d3e779c31369d907d5409ebd15f728d18882971
Author: Jinho Bang <jinho.bang@samsung.com>
Date: Tue Oct 09 02:44:04 2018

PaymentRequest: Fix a crash when updating content view

The previous_row_ field in PaymentRequestRowView might already be freed.
When UpdateContentView() is called, all child views are removed from the
content view. While the child views are being removed, when the
SetHighlighted() method is called, it will access previous_row_. At this
point, previous_row_ is not null, but it may no longer be a valid pointer,
because no one resets this pointer to nullptr when the previous row is
removed. So, this patch simply makes the field a WeakPtr.

Bug: 892898
Change-Id: Ia574e91ebfa28011ad7c74d46d5aee7e823f4f2d
Reviewed-on: https://chromium-review.googlesource.com/c/1267095
Commit-Queue: Jinho Bang <jinho.bang@samsung.com>
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#597783}
[modify] https://crrev.com/1d3e779c31369d907d5409ebd15f728d18882971/chrome/browser/ui/views/payments/payment_request_item_list.cc
[modify] https://crrev.com/1d3e779c31369d907d5409ebd15f728d18882971/chrome/browser/ui/views/payments/payment_request_row_view.h
[modify] https://crrev.com/1d3e779c31369d907d5409ebd15f728d18882971/chrome/browser/ui/views/payments/payment_sheet_view_controller.cc
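The dangling-pointer pattern the commit message describes and the WeakPtr fix it applies, as an added example that is not Chromium's code: it assumes a simplified row list and a hand-rolled WeakPtr/WeakPtrFactory standing in for base::WeakPtr, and counts how many highlight notifications during teardown would have followed a stale previous-row pointer.

```cpp
#include <memory>
#include <vector>
// Minimal stand-in for base::WeakPtr / base::WeakPtrFactory (added example, not
// Chromium's code): the factory's destructor clears a shared "alive" flag, so
// every WeakPtr it handed out reads as null once the owning object is gone.
template <typename T>
struct WeakPtr {
  T* get() const { return (alive && *alive) ? ptr : nullptr; }
  T* ptr = nullptr;
  std::shared_ptr<const bool> alive;
};

template <typename T>
class WeakPtrFactory {
 public:
  explicit WeakPtrFactory(T* owner) : owner_(owner) {}
  ~WeakPtrFactory() { *alive_ = false; }  // invalidates every WeakPtr handed out
  WeakPtr<T> GetWeakPtr() const { return WeakPtr<T>{owner_, alive_}; }
 private:
  T* owner_;
  std::shared_ptr<bool> alive_ = std::make_shared<bool>(true);
};

// A row linked to the row above it, like PaymentRequestRowView's previous_row_,
// in both forms: the pre-fix raw pointer, which nothing resets when the previous
// row is deleted, and the WeakPtr the fix switched to.
struct Row {
  Row* previous_row_raw = nullptr;
  WeakPtr<Row> previous_row_weak;
  WeakPtrFactory<Row> weak_factory{this};  // last member, so it is destroyed first
};

struct Observation { int raw_live = 0; int weak_live = 0; };  // links that looked usable

// Builds n linked rows, then mirrors UpdateContentView() -> RemoveAllChildViews():
// each survivor is notified after every removal and consults its previous-row
// link; raw_live - weak_live is how often pre-fix code would touch freed memory.
Observation BuildAndTearDown(int n) {
  std::vector<std::unique_ptr<Row>> rows;
  for (int i = 0; i < n; ++i) {
    Row* prev = rows.empty() ? nullptr : rows.back().get();
    rows.push_back(std::make_unique<Row>());
    if (prev) rows.back()->previous_row_raw = prev;
    if (prev) rows.back()->previous_row_weak = prev->weak_factory.GetWeakPtr();
  }
  Observation seen;
  while (!rows.empty()) {
    rows.erase(rows.begin());  // frees the first row; its factory clears the flag
    for (const auto& child : rows) {
      seen.raw_live += (child->previous_row_raw != nullptr);         // counts freed rows too
      seen.weak_live += (child->previous_row_weak.get() != nullptr);  // only live rows
    }
  }
  return seen;
}
```

With three rows the raw pointer looks usable in all three notifications although one of them points at a freed row, while the WeakPtr is non-null only for the single notification whose previous row is still alive.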