New issue
Advanced search Search tips

Issue 905498 link

Starred by 2 users
Status: Verified
Owner:
taku...@chromium.org
Closed: Dec 10
Cc:
mfo...@chromium.org
phanindra.mandapaka@chromium.org
taku...@chromium.org
powerb@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


Participants' hotlists:
Harmony-Cast-Dialog


Sign in to add a comment

Quitting Chrome while cast dialog is open crashes Chrome.

Project Member Reported by dbbrooks@chromium.org, Nov 14 
Chrome: 72.0.3608.4
MR: 7218.1112.0.0
OS: Mac

What steps will reproduce the problem?
(1) Open the Cast dialog. (don't need to start casting)
(2) Leaving the cast dialog open, select Chrome > Quit Google Chrome

What is the expected result? Chrome quits without crashing.

What happens instead? Chrome crashes. Happens every time.

Crash ID:
e4215f30e1012a17

Comment 1 by mfo...@chromium.org, Nov 15 

Looks like another widget observer lifetime issue.

Comment 2 by mfo...@chromium.org, Nov 27

Labels: -Pri-3 Target-72 Pri-2
Owner: mfo...@chromium.org
Status: Assigned (was: Untriaged)
We should try to fix for 72.

Comment 3 by mfo...@chromium.org, Dec 5

Cc: -taku...@chromium.org mfo...@chromium.org
Owner: taku...@chromium.org
Handing over to takumif@ as I will be out for some time starting tomorrow
Project Member

Comment 4 by bugdroid1@chromium.org, Dec 7 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f901ed6bd76d11e4484b456d24ea02c02c4b79a9

commit f901ed6bd76d11e4484b456d24ea02c02c4b79a9
Author: Takumi Fujimoto <takumif@chromium.org>
Date: Fri Dec 07 19:44:31 2018

Make sure to unregister MediaRouterDialogControllerViews as widget observer

Use-after-free was happening at shutdown due to
MediaRouterDialogControllerViews getting destroyed without unregistering
itself. We make MRDCV retain a pointer to the dialog widget to make sure
it unregisters itself, because GetCurrentDialogWidget() may become null
before the actual widget is destroyed. Also do all of the cleanup in
OnWidgetClosing() instead of splitting with OnWidgetDestroying().

Bug:  905498 
Change-Id: Idf9da7aaf33cd9db512681b688ebd95d0fae08ca
Reviewed-on: https://chromium-review.googlesource.com/c/1364295
Reviewed-by: Brandon Tolsch <btolsch@chromium.org>
Commit-Queue: Takumi Fujimoto <takumif@chromium.org>
Cr-Commit-Position: refs/heads/master@{#614787}
[modify] https://crrev.com/f901ed6bd76d11e4484b456d24ea02c02c4b79a9/chrome/browser/ui/views/media_router/media_router_dialog_controller_views.cc
[modify] https://crrev.com/f901ed6bd76d11e4484b456d24ea02c02c4b79a9/chrome/browser/ui/views/media_router/media_router_dialog_controller_views.h

Comment 5 by phanindra.mandapaka@chromium.org, Dec 10

Cc: phanindra.mandapaka@chromium.org
Labels: Needs-Feedback
Tried testing this issue on Mac OS 10.14.0 and 10.13.6 on the reported version 72.0.3608.4 and the latest M-73 73.0.3636.0 by following the below steps.

1. Launched Chrome 
2. Clicked on 3 dot menu >> Clicked on cast
3. Selected chrome and clicked on quit chrome and also clicked on command + Q 
4. Opened chrome://crashes  
As we have not seen any chrome crashes 

Attached is the screen cast for reference.

Takumi Fujimoto@ Request you to check and confirm if anything is missed from our end in verifying the issue and help us to verify the issue on the latest M-73 build.

Thanks...
905498.mp4
1.9 MB View Download

Comment 6 by taku...@chromium.org, Dec 10

Labels: Merge-Request-72
Status: Verified (was: Assigned)
phanindra.mandapaka@:
We need the flag #views-cast-dialog to be enabled to reproduce the bug, although that was not mentioned in the bug description.

I've verified on 73.0.3636.0 Canary on Mac that the fix is working. Requesting a merge into M72.
Project Member

Comment 7 by sheriffbot@chromium.org, Dec 11

Labels: -Merge-Request-72 Hotlist-Merge-Approved Merge-Approved-72
Your change meets the bar and is auto-approved for M72. Please go ahead and merge the CL to branch 3626 manually. Please contact milestone owner if you have questions.
Owners: govind@(Android), kariahda@(iOS), djmm@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by bugdroid1@chromium.org, Dec 11

Labels: -merge-approved-72 merge-merged-3626
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/104d6be51923ff122592d9605f8010670b0eb67c

commit 104d6be51923ff122592d9605f8010670b0eb67c
Author: Takumi Fujimoto <takumif@chromium.org>
Date: Tue Dec 11 20:12:55 2018

Make sure to unregister MediaRouterDialogControllerViews as widget observer

Use-after-free was happening at shutdown due to
MediaRouterDialogControllerViews getting destroyed without unregistering
itself. We make MRDCV retain a pointer to the dialog widget to make sure
it unregisters itself, because GetCurrentDialogWidget() may become null
before the actual widget is destroyed. Also do all of the cleanup in
OnWidgetClosing() instead of splitting with OnWidgetDestroying().

TBR=takumif@chromium.org

(cherry picked from commit f901ed6bd76d11e4484b456d24ea02c02c4b79a9)

Bug:  905498 
Change-Id: Idf9da7aaf33cd9db512681b688ebd95d0fae08ca
Reviewed-on: https://chromium-review.googlesource.com/c/1364295
Reviewed-by: Brandon Tolsch <btolsch@chromium.org>
Commit-Queue: Takumi Fujimoto <takumif@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#614787}
Reviewed-on: https://chromium-review.googlesource.com/c/1372553
Reviewed-by: Takumi Fujimoto <takumif@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#260}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
[modify] https://crrev.com/104d6be51923ff122592d9605f8010670b0eb67c/chrome/browser/ui/views/media_router/media_router_dialog_controller_views.cc
[modify] https://crrev.com/104d6be51923ff122592d9605f8010670b0eb67c/chrome/browser/ui/views/media_router/media_router_dialog_controller_views.h

Comment 9 by phanindra.mandapaka@chromium.org, Dec 13

Labels: TE-Verified-M72 TE-Verified-72.0.3626.17
Able to reproduce the issue on Mac 10.14.0 using chrome build without fix 72.0.3608.4.

Verified the fix on Mac 10.14.0 using Chrome version #72.0.3626.17. Attaching screen shot for reference.
Observed that the chrome quits without crashing.
Hence, the issue is working as expected. 
Adding the verified labels.

Thanks..!
905498.mp4
3.8 MB View Download
Project Member

Comment 10 by cr-audit...@appspot.gserviceaccount.com, Dec 19

Labels: Merge-Merged-72-3626
The following revision refers to this bug: 
https://chromium.googlesource.com/chromium/src.git/+/104d6be51923ff122592d9605f8010670b0eb67c

Commit: 104d6be51923ff122592d9605f8010670b0eb67c
Author: takumif@chromium.org
Commiter: takumif@chromium.org
Date: 2018-12-11 20:12:55 +0000 UTC

Make sure to unregister MediaRouterDialogControllerViews as widget observer

Use-after-free was happening at shutdown due to
MediaRouterDialogControllerViews getting destroyed without unregistering
itself. We make MRDCV retain a pointer to the dialog widget to make sure
it unregisters itself, because GetCurrentDialogWidget() may become null
before the actual widget is destroyed. Also do all of the cleanup in
OnWidgetClosing() instead of splitting with OnWidgetDestroying().

TBR=takumif@chromium.org

(cherry picked from commit f901ed6bd76d11e4484b456d24ea02c02c4b79a9)

Bug:  905498 
Change-Id: Idf9da7aaf33cd9db512681b688ebd95d0fae08ca
Reviewed-on: https://chromium-review.googlesource.com/c/1364295
Reviewed-by: Brandon Tolsch <btolsch@chromium.org>
Commit-Queue: Takumi Fujimoto <takumif@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#614787}
Reviewed-on: https://chromium-review.googlesource.com/c/1372553
Reviewed-by: Takumi Fujimoto <takumif@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#260}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}

Sign in to add a comment