
Issue 904388 link

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Out until 24 Jan
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug-Regression




Regression: Tab crash is seen when clicking the 'Reload' button of the FireShot extension page.

Reported by shruti.j...@etouch.net, Nov 12

Issue description

Chrome Version: 72.0.3608.0 Revision 13a876533812d5e196bca2b1c60634dc14a79700-refs/branch-heads/3608@{#1}(64 bit)
OS: Windows (7, 8, 8.1, 10), Linux (14.04 LTS) and Mac (10.13.1, 10.13.6, 10.14.1)

Test URL: https://chrome.google.com/webstore/detail/take-webpage-screenshots/mcbpblocgmgfnpjjppndjkmgjaogfceg/related?utm_source=chrome-ntp-icon

Steps to reproduce:
1. Launch Chrome and navigate to the above URL.
2. Add the extension and use 'Capture entire page' to take a screenshot.
3. Bookmark the screenshot page and remove the extension.
4. Drag the link, click the 'Reload' button and observe.

Actual Result   : The tab crashes when the 'Reload' button of the page is clicked.
Expected Result : The tab should not crash when the 'Reload' button of the page is clicked.

Crash ID:
Uploaded Crash Report ID 99e78e08a1266d25 (Local Crash ID: 30388e9a-75d8-4bd8-8403-bb2186ded82a)

This is a regression broken in M-70; the bisect information is below:
Good Build :70.0.3511.0
Bad Build  :70.0.3512.0

You are probably looking for a change made after 580669 (known good), but no later than 580670 (first known bad).
CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/20fccf32b6f9a1b5afd410407bebf72f4eca2b3e..978c16b82667c84cf6c64c5c917606381267c74d
The script might not always return a single CL as suspect, as some perf builds might be missing due to failure.

Suspecting: https://chromium.googlesource.com/chromium/src/+/978c16b82667c84cf6c64c5c917606381267c74d

@Nasko Oskov: Could you please check whether this is caused by your change? If not, please help us assign it to the right owner.


Kindly refer to the attached screencast at the Drive link:
https://drive.google.com/open?id=1uSOH-_FvSWp1-mSArDSYvvBDq_Lgul-d


Thank You!

 
Stack trace for the crash id:
-----------------------------
Thread 0 (id: 0x36dbf) CRASHED [Simulated Exception @ 0x000000010ce2cd5b ] MAGIC SIGNATURE THREAD
Stack Quality: 84%
0x000000010ce2cd5b	(Google Chrome Framework -crashpad.cc:256 )	crash_reporter::DumpWithoutCrashing()
0x000000010a313331	(Google Chrome Framework -dump_without_crashing.cc:23 )	base::debug::DumpWithoutCrashing()
0x0000000108e8c6ba	(Google Chrome Framework -render_process_host_impl.cc:2601 )	content::RenderProcessHostImpl::ShutdownForBadMessage(content::RenderProcessHost::CrashReportMode)
0x0000000108d06aa3	(Google Chrome Framework -render_frame_host_impl.cc )	content::RenderFrameHostImpl::ValidateDidCommitParams(FrameHostMsg_DidCommitProvisionalLoad_Params*)
0x0000000108cf9871	(Google Chrome Framework -render_frame_host_impl.cc:5534 )	content::RenderFrameHostImpl::DidCommitNavigationInternal(FrameHostMsg_DidCommitProvisionalLoad_Params*, bool)
0x0000000108cf932b	(Google Chrome Framework -render_frame_host_impl.cc:1798 )	content::RenderFrameHostImpl::DidCommitProvisionalLoad(std::__1::unique_ptr<FrameHostMsg_DidCommitProvisionalLoad_Params, std::__1::default_delete<FrameHostMsg_DidCommitProvisionalLoad_Params> >, mojo::InterfaceRequest<service_manager::mojom::InterfaceProvider>)
0x00000001087760a1	(Google Chrome Framework -frame.mojom.cc:3299 )	content::mojom::FrameHostStubDispatch::Accept(content::mojom::FrameHost*, mojo::Message*)
0x000000010a961d44	(Google Chrome Framework -ipc_mojo_bootstrap.cc:864 )	IPC::(anonymous namespace)::ChannelAssociatedGroupController::AcceptOnProxyThread(mojo::Message)
0x000000010a960452	(Google Chrome Framework -bind_internal.h:516 )	base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, base::internal::PassedWrapper<mojo::Message> >, void ()>::Run(base::internal::BindStateBase*)
0x000000010a313791	(Google Chrome Framework -callback.h:99 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000000010a32eecd	(Google Chrome Framework -message_loop.cc:434 )	base::MessageLoop::RunTask(base::PendingTask*)
0x000000010a32f232	(Google Chrome Framework -message_loop.cc:445 )	base::MessageLoop::DoWork()
0x000000010a331769	(Google Chrome Framework -message_pump_mac.mm:455 )	base::MessagePumpCFRunLoopBase::RunWork()
0x000000010a3234b9	(Google Chrome Framework + 0x024204b9 )	base::mac::CallWithEHFrame(void () block_pointer)
0x000000010a3310ce	(Google Chrome Framework -message_pump_mac.mm:431 )	base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
0x00007fff51363a10	(CoreFoundation + 0x000a3a10 )	__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fff5141d42b	(CoreFoundation + 0x0015d42b )	__CFRunLoopDoSource0
0x00007fff5134646f	(CoreFoundation + 0x0008646f )	__CFRunLoopDoSources0
0x00007fff513458ec	(CoreFoundation + 0x000858ec )	__CFRunLoopRun
0x00007fff51345152	(CoreFoundation + 0x00085152 )	CFRunLoopRunSpecific
0x00007fff5062fd95	(HIToolbox + 0x0002fd95 )	RunCurrentEventLoopInMode
0x00007fff5062fb05	(HIToolbox + 0x0002fb05 )	ReceiveNextEventCommon
0x00007fff5062f883	(HIToolbox + 0x0002f883 )	_BlockUntilNextEventMatchingListInModeWithFilter
0x00007fff4e8e0a72	(AppKit + 0x00041a72 )	_DPSNextEvent
0x00007fff4f076e33	(AppKit + 0x007d7e33 )	-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]
0x0000000109f1ef2f	(Google Chrome Framework -chrome_browser_application_mac.mm:242 )	__71-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke
0x000000010a3234b9	(Google Chrome Framework + 0x024204b9 )	base::mac::CallWithEHFrame(void () block_pointer)
0x0000000109f1ee63	(Google Chrome Framework -chrome_browser_application_mac.mm:241 )	-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
0x00007fff4e8d5884	(AppKit + 0x00036884 )	-[NSApplication run]
0x000000010a33202b	(Google Chrome Framework -message_pump_mac.mm:808 )	base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
0x000000010a330bdd	(Google Chrome Framework -message_pump_mac.mm:184 )	base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x000000010a3538e4	(Google Chrome Framework -run_loop.cc:102 )	<name omitted>
0x0000000109f25c6c	(Google Chrome Framework -chrome_browser_main.cc:2078 )	ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x0000000108b83693	(Google Chrome Framework -browser_main_loop.cc:1030 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x0000000108b85de1	(Google Chrome Framework -browser_main_runner_impl.cc:161 )	content::BrowserMainRunnerImpl::Run()
0x0000000108b800ea	(Google Chrome Framework -browser_main.cc:47 )	content::BrowserMain(content::MainFunctionParams const&)
0x0000000109edc9e1	(Google Chrome Framework -content_main_runner_impl.cc:538 )	content::ContentMainRunnerImpl::Run(bool)
0x000000010bbaa10c	(Google Chrome Framework -main.cc:472 )	service_manager::Main(service_manager::MainParams const&)
0x0000000109edbc63	(Google Chrome Framework -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const&)
0x0000000107f06df2	(Google Chrome Framework -chrome_main.cc:101 )	ChromeMain
0x0000000107ed9dd0	(Google Chrome -chrome_exe_main_mac.cc:101 )	main
0x00007fff79188014	(libdyld.dylib + 0x00001014 )	start
0x00007fff79188014	(libdyld.dylib + 0x00001014 )	start

Note: This issue is similar to issue 866549.

Thank You!
Labels: -Pri-1 Pri-2
I was able to reproduce this crash locally on the Canary channel; however, I don't think it should be a P1 bug.
I've done some debugging to understand what happens. The issue is that once the extension is uninstalled, navigating to its URL results in an error page. Clicking the "Reload" button results in an OpenURL IPC from the renderer process, which fails the ShouldAllowOpenURL check and leads to the URL being rewritten to about:blank. Since we don't allow about:blank to commit in an error page process, we terminate the process due to the unexpected commit.

A couple of things need further investigation. First, the about:blank case should have been handled, since I've fixed a similar case in the past. It might be due to OpenURL, or due to the network error being ERR_BLOCKED_BY_CLIENT, as this is considered a blocked navigation instead of a failed one.

The other is why should_fork was true, causing the renderer to go down the OpenURL route instead of the regular BeginNavigation route.
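The sequence in the comment above (blocked OpenURL rewritten to about:blank, then a commit the browser refuses to accept from an error-page process, then the renderer kill) is worth seeing as code, because the kill is a safety check doing its job: the browser treats whatever the renderer claims to have committed as untrusted input and checks it against what that process is allowed to host. The model below is an added illustration, not Chromium code. It reuses the names from the stack trace (ShouldAllowOpenURL, ValidateDidCommitParams, ShutdownForBadMessage) but the process kinds, the allow rules and the `screenshot.html` path are constructed for the example; only the extension id comes from the test URL in the report.

```python
# Constructed, simplified model of the browser-side checks described in the
# comment above. Not Chromium code: the policy below is invented for the
# example and far smaller than the real one.
from dataclasses import dataclass, field
from enum import Enum


class ProcessKind(Enum):
    NORMAL = "normal"
    EXTENSION = "extension"
    ERROR_PAGE = "error-page"   # renderer dedicated to network error pages


class Outcome(Enum):
    COMMITTED = "committed"
    KILLED = "renderer terminated (ShutdownForBadMessage)"


def url_scheme(url: str) -> str:
    return url.split(":", 1)[0]


def extension_id(url: str) -> str:
    # chrome-extension://<id>/path  ->  <id>
    return url.split("/")[2] if url_scheme(url) == "chrome-extension" else ""


@dataclass
class Browser:
    installed_extensions: set = field(default_factory=set)
    bad_message_log: list = field(default_factory=list)   # what a defender would alert on

    def should_allow_open_url(self, url: str) -> bool:
        """Browser-side policy for an OpenURL request coming from a renderer."""
        if url_scheme(url) == "chrome-extension":
            return extension_id(url) in self.installed_extensions
        return True

    def validate_did_commit(self, process: ProcessKind, url: str) -> bool:
        """Is the URL the renderer claims to have committed allowed in this process?

        The renderer is untrusted, so the browser cross-checks its report against
        what the process is locked to. Constructed policy; the real checks live in
        RenderFrameHostImpl::ValidateDidCommitParams.
        """
        scheme = url_scheme(url)
        if process is ProcessKind.ERROR_PAGE:
            return scheme == "chrome-error"          # about:blank is NOT allowed here
        if process is ProcessKind.EXTENSION:
            return scheme == "chrome-extension" or url == "about:blank"
        return scheme not in ("chrome-extension", "chrome-error")

    def open_url_from_renderer(self, process: ProcessKind, url: str) -> Outcome:
        """Model of the Reload path in the report: OpenURL IPC -> policy -> commit check."""
        target = url if self.should_allow_open_url(url) else "about:blank"
        if self.validate_did_commit(process, target):
            return Outcome.COMMITTED
        self.bad_message_log.append((process.value, target))
        return Outcome.KILLED


EXT_ID = "mcbpblocgmgfnpjjppndjkmgjaogfceg"   # id from the report's test URL
PAGE = f"chrome-extension://{EXT_ID}/screenshot.html"   # constructed path


def reproduce_report():
    """Reporter's steps: extension removed, its page now sits in an error-page
    process, and the user clicks Reload."""
    browser = Browser(installed_extensions=set())   # extension uninstalled
    return browser.open_url_from_renderer(ProcessKind.ERROR_PAGE, PAGE), browser.bad_message_log


def control_case():
    """Same Reload with the extension still installed: the URL is allowed and
    commits in an extension process, so nothing is killed."""
    browser = Browser(installed_extensions={EXT_ID})
    return browser.open_url_from_renderer(ProcessKind.EXTENSION, PAGE)


if __name__ == "__main__":
    print(reproduce_report())   # (Outcome.KILLED, [('error-page', 'about:blank')])
    print(control_case())       # Outcome.COMMITTED
```

The model makes the regression's shape explicit: neither check is wrong on its own, but the rewrite-to-about:blank path produces a commit that the error-page lock was never taught to accept, so a benign user action trips the bad-message path. When triaging a wave of `ShutdownForBadMessage` reports, that is the distinction to draw first: a hostile renderer forging a commit looks identical in the crash stack to a browser-side policy gap like this one, and only the preceding navigation sequence tells them apart.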
For the should_fork side of things, issue 883549 is relevant here. In particular, there's a test I've listed in my experiment to remove ShouldFork, ExtensionBrowserTest.WindowOpenInvalidExtension, which might also be about this kind of scenario, though I haven't looked closely.
Cc: alex...@chromium.org
