
Issue 8942

Issue metadata

Status: Fixed
Closed: Jun 2009
OS: All
Pri: 1
Type: Bug
M-4


Chrome: Crash Report - Stack Signature: URLRequest::~URLRequest()

Reported by mberkowitz@chromium.org, Mar 18 2009

Issue description

Regression of issue 4749?

The full crash report details can be found at:

http://crash/reportview?product=Chrome&version=2.0.169.1&signature=URLRequest%3A%3A~URLRequest()-6A119D

Meta information:

Report Time (UTC): 	2009/03/12 23:38:24, Thu
(Show all crashes by this date for this version)
Uptime: 	11692 sec
Product Name: 	Chrome
Product Version: 	2.0.169.1
OS Name: 	Windows NT
OS Version: 	6.0.6001 Service Pack 1
CPU Architecture: 	x86
CPU Info: 	GenuineIntel family 6 model 15 stepping 13
plat: 	Win32
ptype: 	browser

Stack Trace:

0x61ee7e29 [chrome.dll - url_request.cc:68] URLRequest::~URLRequest()
0x61e3ae4f [chrome.dll - resource_dispatcher_host.cc:708] ResourceDispatcherHost::RemovePendingRequest(std::_Tree<std::_Tmap_traits<ResourceDispatcherHost::GlobalRequestID,URLRequest *,std::less<ResourceDispatcherHost::GlobalRequestID>,std::allocator<std::pair<ResourceDispatcherHost::GlobalRequestID const ,URLRequest *> >,0> >::iterator const &)
0x61e3ac5b [chrome.dll - resource_dispatcher_host.cc:654] ResourceDispatcherHost::CancelRequestsForRenderView(int,int)
0x61e9440e [chrome.dll - render_widget_helper.cc:188] RenderWidgetHelper::OnCancelResourceRequests(ResourceDispatcherHost *,int)
0x61e9f4bc [chrome.dll - task.h:308] RunnableMethod<SaveFileManager,void ( SaveFileManager::*)(int,int),Tuple2<int,int> >::Run()
0x620b5d09 [chrome.dll - message_loop.cc:308] MessageLoop::RunTask(Task *)
0x620b5d40 [chrome.dll - message_loop.cc:316] MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x620b5ece [chrome.dll - message_loop.cc:408] MessageLoop::DoWork()
0x620cfea9 [chrome.dll - message_pump_win.cc:468] base::MessagePumpForIO::DoRunLoop()
0x620cf9cd [chrome.dll - message_pump_win.cc:52] base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
0x620cf880 [chrome.dll - message_pump_win.h:78] base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x620b5bd5 [chrome.dll - message_loop.cc:197] MessageLoop::RunInternal()
0x620b5ba4 [chrome.dll - message_loop.cc:180] MessageLoop::RunHandler()
0x620b5b47 [chrome.dll - message_loop.cc:154] MessageLoop::Run()
0x620bbfb3 [chrome.dll - thread.cc:156] base::Thread::ThreadMain()
0x620bb7bd [chrome.dll - platform_thread_win.cc:26] `anonymous namespace'::ThreadFunc(void *)
0x76f94910 [kernel32.dll + 0x00044910] BaseThreadInitThunk
0x7714e4b5 [ntdll.dll + 0x0003e4b5] __RtlUserThreadStart
0x7714e488 [ntdll.dll + 0x0003e488] _RtlUserThreadStart

 
Labels: -Pri-1 Pri-2 Crash-2.0.170.0
This crash was found in 2.0.170.0 and is currently ranked #50 (based on the relative number of reports in the release).  There have been 3 reports from 3 clients.
http://crash/search?query=Chrome+2.0.170.0+URLRequest%3A%3A%7EURLRequest%28%29
Labels: -Pri-2 Pri-1 Crash-2.0.171.0
This crash was found in 2.0.171.0 and is currently ranked #16 (based on the relative number of reports in the release).  There have been 7 reports from 7 clients.
http://crash/search?query=Chrome+2.0.171.0+URLRequest%3A%3A%7EURLRequest%28%29

Comment 3 by jon@chromium.org, Mar 26 2009

Labels: -Area-Misc Area-BrowserBackend Mstone-2.0
Status: Available

Comment 4 by huanr@chromium.org, Mar 27 2009

Labels: -Pri-1 Pri-2

Comment 6 by huanr@chromium.org, Mar 27 2009

Relevant code snippet:

URLRequest::~URLRequest() {
  URLREQUEST_COUNT_DTOR();
  Cancel();
  if (job_)
    OrphanJob();
  delete user_data_;  // NULL check unnecessary for delete
}

void URLRequest::OrphanJob() {
  job_->DetachRequest();  // ensures that the job will not call us again
  job_ = NULL;
}

void URLRequestJob::DetachRequest() {
  request_ = NULL;
}

Both OrphanJob() and DetachRequest() are inlined. Here is what happens in the crash dump:

chrome_683b0000!URLRequest::~URLRequest:
68567e17 56              push    esi
68567e18 57              push    edi
68567e19 8bf0            mov     esi,eax
68567e1b 56              push    esi
68567e1c e8e5020000      call    chrome_683b0000!URLRequest::Cancel (68568106)

                         // eax, [esi] -> job_
68567e21 8b06            mov     eax,dword ptr [esi]
                         // edi -> 0
68567e23 33ff            xor     edi,edi
68567e25 3bc7            cmp     eax,edi

                         // if (job_)
68567e27 7413            je      chrome_683b0000!URLRequest::~URLRequest+0x25 (68567e3c)

                         // job_->request_ = NULL; 
                         // Crash here.
68567e29 89780c          mov     dword ptr [eax+0Ch],edi

68567e2c 8b06            mov     eax,dword ptr [esi]
68567e2e 3bc7            cmp     eax,edi
68567e30 7408            je      chrome_683b0000!URLRequest::~URLRequest+0x23 (68567e3a)
68567e32 83c008          add     eax,8
68567e35 e813dae6ff      call    chrome_683b0000!base::RefCountedThreadSafe<media::StreamSample>::Release (683d584d)

                         // job_ = NULL;
68567e3a 893e            mov     dword ptr [esi],edi

68567e3c 8b8edc010000    mov     ecx,dword ptr [esi+1DCh]
68567e42 53              push    ebx
68567e43 33db            xor     ebx,ebx
68567e45 43              inc     ebx
68567e46 3bcf            cmp     ecx,edi

So we are trying to deref an invalid pointer job_ in URLRequest::~URLRequest. There are two possible causes:
(1) Some code path mistakenly deletes url_request_job without going through url_request.
(2) Some memory corruption.

It is more like the second case for the crash I looked at, since eax=00000043 (job_):
0:003> r
Last set context:
eax=00000043 ebx=01da96e8 ecx=06159d40 edx=77759a94 esi=068f98f0 edi=00000000
eip=68567e29 esp=0339f81c ebp=0339f844 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202


Comment 7 by huanr@chromium.org, Mar 27 2009

Looked at a few other dumps. The eax (job_) values all look invalid at the time of the crash.
Eax values: 0000030e 000002cd 00000002 0000020a 000000c5

This seems to be memory corruption.

Comment 8 by jon@chromium.org, Apr 3 2009

Labels: JonMoved Mstone-2.1
Moving from milestone 2 to milestone 2.1.
Labels: Crash-2.0.172.6
This crash was found in 2.0.172.6 and is currently ranked #49 (based on the relative number of reports in the release).  There have been 5 reports from 5 clients.
http://crash/search?query=Chrome+2.0.172.6+URLRequest%3A%3A%7EURLRequest%28%29

Comment 10 by jon@chromium.org, May 21 2009

Status: Assigned
Labels: -jonmoved
Labels: -mstone-2.1 mstone-3
Still found in 3.0.183.3
Correction: Still found in 3.0.182.3
The following stack shows one possible way to have the crash. In RemovePendingRequest on the top of the stack, URLRequest will get deleted. As the function returns and the stack rewinds, we will get to URLRequest::~URLRequest near the bottom of the stack again.


0244fb14 00ee8c6e chrome_be0000!ResourceDispatcherHost::RemovePendingRequest+0x33 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 803]
0244fb40 00ee973b chrome_be0000!ResourceDispatcherHost::RemovePendingRequest+0x46 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 791]
0244fba4 00ee961d chrome_be0000!ResourceDispatcherHost::OnResponseCompleted+0xc1 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 1252]
0244fbc8 011a8e16 chrome_be0000!ResourceDispatcherHost::OnReadCompleted+0xe7 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 1205]
0244fbe4 011aa933 chrome_be0000!URLRequestJob::NotifyReadComplete+0x77 [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request_job.cc @ 421]
0244fc00 00f1e404 chrome_be0000!URLRequestFileJob::DidRead+0x64 [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request_file_job.cc @ 276]
0244fc0c 011ad668 chrome_be0000!CallbackImpl<`anonymous namespace'::MostVisitedHandler,void (__thiscall A0xeafce67f::MostVisitedHandler::*)(Value const *),Tuple1<Value const *> >::RunWithParams+0x14 [c:\b\slave\chrome-official-2\build\src\base\task.h @ 571]
0244fc1c 0102cfea chrome_be0000!net::FileStream::AsyncContext::OnIOCompleted+0x4d [c:\b\slave\chrome-official-2\build\src\net\base\file_stream_win.cc @ 105]
0244fc48 011ad5a1 chrome_be0000!base::MessagePumpForIO::WaitForIOCompletion+0x80 [c:\b\slave\chrome-official-2\build\src\base\message_pump_win.cc @ 507]
0244fc78 011ad557 chrome_be0000!net::FileStream::AsyncContext::~AsyncContext+0x36 [c:\b\slave\chrome-official-2\build\src\net\base\file_stream_win.cc @ 77]
0244fc84 011ad69e chrome_be0000!net::FileStream::AsyncContext::`scalar deleting destructor'+0x9
0244fc8c 011aa5e0 chrome_be0000!net::FileStream::Close+0x1b [c:\b\slave\chrome-official-2\build\src\net\base\file_stream_win.cc @ 132]
0244fc98 011a7f7d chrome_be0000!URLRequestFileJob::Kill+0xf [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request_file_job.cc @ 127]
0244fca8 011a7efb chrome_be0000!URLRequest::DoCancel+0x59 [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request.cc @ 316]
0244fcc4 011a7c25 chrome_be0000!URLRequest::Cancel+0x20 [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request.cc @ 281]
0244fcd8 00ee8cc9 chrome_be0000!URLRequest::~URLRequest+0xb [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request.cc @ 67]
0244fcfc 00ee8ad5 chrome_be0000!ResourceDispatcherHost::RemovePendingRequest+0x54 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 806]
0244fde0 00fe7fc1 chrome_be0000!ResourceDispatcherHost::CancelRequestsForRoute+0x149 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 742]
0244fdf0 00f6190c chrome_be0000!RenderWidgetHelper::OnCancelResourceRequests+0xf [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\render_widget_helper.cc @ 196]
0244fdf8 01014c04 chrome_be0000!RunnableMethod<WebDataService,void (__thiscall WebDataService::*)(WebDataService::GenericRequest2<base::Time,base::Time> *),Tuple1<WebDataService::GenericRequest2<base::Time,base::Time> *> >::Run+0xf [c:\b\slave\chrome-official-2\build\src\base\task.h @ 308]
0244fe00 01014c3d chrome_be0000!MessageLoop::RunTask+0x1e [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 310]
0244fe10 01014dcc chrome_be0000!MessageLoop::DeferOrRunPendingTask+0x2b [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 320]
0244fe40 0102cf59 chrome_be0000!MessageLoop::DoWork+0x6e [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 423]
0244fe54 0102ca5d chrome_be0000!base::MessagePumpForIO::DoRunLoop+0x6f [c:\b\slave\chrome-official-2\build\src\base\message_pump_win.cc @ 469]
0244fe70 0102c8a2 chrome_be0000!base::MessagePumpWin::RunWithDispatcher+0x38 [c:\b\slave\chrome-official-2\build\src\base\message_pump_win.cc @ 54]
0244fe7c 01014ace chrome_be0000!base::MessagePumpWin::Run+0xe [c:\b\slave\chrome-official-2\build\src\base\message_pump_win.h @ 78]
0244fe88 01014a9d chrome_be0000!MessageLoop::RunInternal+0x2b [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 199]
0244fec0 01014a40 chrome_be0000!MessageLoop::RunHandler+0x4f [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 182]
0244fee0 010172f9 chrome_be0000!MessageLoop::Run+0x15 [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 156]
0244ffb0 010161f4 chrome_be0000!base::Thread::ThreadMain+0x81 [c:\b\slave\chrome-official-2\build\src\base\thread.cc @ 159]
0244ffb4 7c80b713 chrome_be0000!`anonymous namespace'::ThreadFunc+0x9 [c:\b\slave\chrome-official-2\build\src\base\platform_thread_win.cc @ 27]
0244ffec 00000000 kernel32!BaseThreadStart+0x37
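The teardown path huanr walks through in comments 6 and 10 (RemovePendingRequest deletes the URLRequest, the destructor's Cancel() kills the job and closes the FileStream, closing the stream dispatches the still-pending IO completion, and that completion walks back into RemovePendingRequest for the same entry) reduced to a self-contained model. This is an added example, not Chromium code: FileStream, Request, Host, the destroying_ flag and ReentrantDeleteCount are hypothetical stand-ins, and the delete-before-erase ordering in RemovePendingRequest is an assumption chosen so that the re-entrant lookup finds the same map entry, which is what the stack above shows. The buggy FileStream::Close dispatches the pending completion during close; the fixed one drops it, which is the behaviour r17560 describes as "Avoiding IO completion callback during the closing of FileStream".

```cpp
// Added example (not Chromium code): a reduced model of the re-entrant
// cancellation path described in this issue. All names are hypothetical.
#include <functional>
#include <map>
#include <utility>

namespace model {

// Stand-in for net::FileStream. A read stays pending until the IO pump
// completes it. Close() drops the pending read; the buggy variant also
// dispatches the completion callback while the stream is being torn down.
class FileStream {
 public:
  using Callback = std::function<void(int)>;
  explicit FileStream(bool dispatch_on_close)
      : dispatch_on_close_(dispatch_on_close) {}
  void Read(Callback cb) { pending_ = std::move(cb); }
  void Close() {
    Callback cb = std::move(pending_);
    pending_ = nullptr;
    if (dispatch_on_close_ && cb) cb(-1);  // buggy: completion during close
  }

 private:
  bool dispatch_on_close_;
  Callback pending_;
};

class Host;

// Stand-in for URLRequest and its URLRequestFileJob collapsed into one object.
class Request {
 public:
  Request(int id, Host* host, bool buggy_stream)
      : id_(id), host_(host), stream_(buggy_stream) {}
  ~Request() {
    destroying_ = true;
    Cancel();  // URLRequest::~URLRequest calls Cancel()
  }
  void Start() { stream_.Read([this](int rv) { OnReadCompleted(rv); }); }
  void Cancel() { stream_.Close(); }  // Cancel -> Job::Kill -> FileStream::Close
  bool destroying() const { return destroying_; }

 private:
  void OnReadCompleted(int rv);  // Job::NotifyReadComplete -> Host::OnReadCompleted
  int id_;
  Host* host_;
  FileStream stream_;
  bool destroying_ = false;
};

// Stand-in for ResourceDispatcherHost.
class Host {
 public:
  ~Host() {
    for (auto& entry : pending_) delete entry.second;
  }
  void Start(int id, bool buggy_stream) {
    Request* request = new Request(id, this, buggy_stream);
    pending_[id] = request;
    request->Start();
  }
  void OnResponseCompleted(int id) { RemovePendingRequest(id); }
  // CancelRequestsForRoute: tear down every request for a dying view.
  void CancelAll() {
    while (!pending_.empty()) RemovePendingRequest(pending_.begin()->first);
  }
  void RemovePendingRequest(int id) {
    auto it = pending_.find(id);
    if (it == pending_.end()) return;
    Request* request = it->second;
    if (request->destroying()) {
      // Re-entered from inside ~Request via the IO completion. The real code
      // had no such guard and deleted the request a second time; the model
      // only counts the attempt so it can report it instead of crashing.
      ++reentrant_deletes_;
      return;
    }
    delete request;      // delete before erase (assumed): during ~Request the
    pending_.erase(it);  // map still holds this entry, so re-entry finds it
  }
  int reentrant_deletes() const { return reentrant_deletes_; }

 private:
  std::map<int, Request*> pending_;
  int reentrant_deletes_ = 0;
};

void Request::OnReadCompleted(int /*rv*/) { host_->OnResponseCompleted(id_); }

}  // namespace model

// Drives the "cancel all requests for a route" path with two in-flight reads
// and returns how often RemovePendingRequest re-entered on a request that was
// already being destroyed: 2 with the buggy stream, 0 with the fixed one.
int ReentrantDeleteCount(bool buggy_stream) {
  model::Host host;
  host.Start(1, buggy_stream);
  host.Start(2, buggy_stream);
  host.CancelAll();
  return host.reentrant_deletes();
}
```

The destroying_ guard is there only so the model can count re-entries rather than double-delete; it is not a fix. The fix is on the FileStream side: once Close() has begun, a completion for the read it is discarding must not be delivered, because the only thing that could receive it is an object partway through its own destructor.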


Issue 9668 has been merged into this issue.

Comment 17 by wtc@chromium.org, Jun 3 2009

Huan,

Eric Roman is improving the comments that specify the API contracts
of URLRequest::Cancel and URLRequest::Read in
http://codereview.chromium.org/118151.  Please ask Eric Roman to make
sure your fix for this crash meets the API contracts.  Thanks.
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=17560 

------------------------------------------------------------------------
r17560 | huanr@chromium.org | 2009-06-03 16:05:59 -0700 (Wed, 03 Jun 2009) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/file_stream_posix.cc?r1=17560&r2=17559
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/file_stream_unittest.cc?r1=17560&r2=17559
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/file_stream_win.cc?r1=17560&r2=17559
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/test_completion_callback.h?r1=17560&r2=17559

Avoiding IO completion callback during the closing
of FileStream.

BUG= 8942 

Review URL: http://codereview.chromium.org/112090
------------------------------------------------------------------------

Comment 19 by jon@chromium.org, Jun 5 2009

Labels: mstone4
Moving to milestone 4.  If you fix this quickly and can convince Mark it is 
important you can still get it patched into milestone 3.  Otherwise, the next 
bus is milestone 4.

Comment 20 by jon@chromium.org, Jun 5 2009

Labels: -mstone4 -mstone-3 Mstone-4
Labels: -Pri-2 Pri-1 Crash-3.0.183.1
This crash was found in 3.0.183.1 and is currently ranked #19 (based on the relative number of reports in the release).  There have been 5 reports from 5 clients.
http://crash/search?query=Chrome+3.0.183.1+ResourceDispatcherHost%3A%3AIncrementOutstandingRequestsMemoryCost%28int%2Cint%29
This crash was not found in 3.0.187.1. We last saw it in 3.0.183.1.  Assuming the crash has been fixed, please mark accordingly.

Comment 23 by huanr@chromium.org, Jun 12 2009

Looks like r17560 fixes it.

Comment 24 by huanr@chromium.org, Jun 12 2009

Status: Fixed

Comment 25 by huanr@chromium.org, Jun 12 2009

Issue 12164 has been merged into this issue.

Comment 26 by huanr@chromium.org, Jun 18 2009

Labels: Merge-Stable
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=19920 

------------------------------------------------------------------------
r19920 | mal@chromium.org | 2009-07-03 16:19:48 -0700 (Fri, 03 Jul 2009) | 7 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/172/src/net/base/file_stream_posix.cc?r1=19920&r2=19919
   M http://src.chromium.org/viewvc/chrome/branches/172/src/net/base/file_stream_unittest.cc?r1=19920&r2=19919
   M http://src.chromium.org/viewvc/chrome/branches/172/src/net/base/file_stream_win.cc?r1=19920&r2=19919
   M http://src.chromium.org/viewvc/chrome/branches/172/src/net/base/test_completion_callback.h?r1=19920&r2=19919

Merge r17560.

Avoiding IO completion callback during the closing
of FileStream.

BUG= 8942 
Review URL: http://codereview.chromium.org/149182
------------------------------------------------------------------------

Issue 12452 has been merged into this issue.
Labels: -Area-BrowserBackend Area-Internals
Labels: -Crash bulkmove Stability-Crash

Comment 31 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 32 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Mstone-4 -Area-Internals M-4 Cr-Internals

Comment 33 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue