Issue 915234


Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug

Pixel Slate crashed after typing on keyboard

Reported by spiffyt...@gmail.com, Dec 14

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 11151.33.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.57 Safari/537.36
Platform: 11151.33.0 (Official Build) stable-channel nocturne

Steps to reproduce the problem:
Only happened once

1. Turn on Pixel Slate from standby mode
2. Type on Pixel keyboard
3. Screen went black, came back with Chrome having crashed and asking to restore tabs

What is the expected behavior?

What went wrong?
Chrome crashed

Did this work before? N/A 

Chrome version: 71.0.3578.57  Channel: stable
OS Version: 11151.33.0
Flash Version: 

I've filed a Feedback for this.

Labels: Needs-Feedback
Is there a server crash report id in chrome://crashes?

Components: UI>Input>Text
I think it's 1683f1b100d9870e. That's the only crash from today. I also put this ticket number in the Feedback text box.

Comment 4 by sheriffbot@chromium.org, Dec 15

Cc: dtapu...@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Owner: sky@chromium.org
Status: Assigned (was: Unconfirmed)
This is the crash mentioned in #3: https://crash.corp.google.com/browse?stbtiq=1683f1b100d9870e#0

sky@, it seems you've modified this code recently. Could you please take a look?

0x000057e83df57d6a	(chrome -memory:2607 )	aura::WindowTargeter::ProcessEventIfTargetsDifferentRootWindow(aura::Window*, aura::Window*, ui::Event*)
0x000057e83df57fcc	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/ui/aura/window_targeter.cc:189 )	aura::WindowTargeter::FindTargetForEvent(ui::EventTarget*, ui::Event*)
0x000057e840b207f0	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/ui/events/event_processor.cc:45 )	ui::EventProcessor::OnEventFromSource(ui::Event*)
0x000057e840b20b3b	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/ui/events/event_processor.h )	ui::EventSource::SendEventToSinkFromRewriter(ui::Event*, ui::EventRewriter const*)
0x000057e83ee7f682	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/ui/events/event_source.cc:43 )	ash::AshWindowTreeHostPlatform::DispatchEvent(ui::Event*)
0x000057e83d7d6538	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/callback.h:99 )	ui::DispatchEventFromNativeUiEvent(ui::Event* const&, base::OnceCallback<void (ui::Event*)>)
0x000057e83a455403	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/ui/ozone/platform/drm/host/drm_window_host.cc:200 )	<name omitted>
0x000057e83a4554ac	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/ui/ozone/platform/drm/host/drm_window_host.cc )	non-virtual thunk to ui::DrmWindowHost::DispatchEvent(ui::Event* const&)
0x000057e83d7c6bab	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/ui/events/platform/platform_event_source.cc:91 )	ui::PlatformEventSource::DispatchEvent(ui::Event*)
0x000057e83da6868c	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/callback.h:129 )	ui::KeyboardEvdev::DispatchKey(unsigned int, bool, bool, base::TimeTicks, int)
0x000057e83da5da79	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/ui/events/ozone/evdev/event_factory_evdev.cc:218 )	ui::EventFactoryEvdev::DispatchKeyEvent(ui::KeyEventParams const&)
0x000057e8399639e7	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/callback.h:99 )	base::MessageLoop::DoWork()
0x000057e8399758ee	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/message_loop/message_pump_libevent.cc:210 )	base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0x000057e83c95d133	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/run_loop.cc:102 )	<name omitted>
0x000057e83c4eeb3f	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/chrome/browser/chrome_browser_main.cc:2028 )	ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x000057e83a94b84b	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/content/browser/browser_main_loop.cc:998 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x000057e83a94f641	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/content/browser/browser_main_runner_impl.cc:165 )	content::BrowserMainRunnerImpl::Run()
0x000057e83a944691	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/content/browser/browser_main.cc:47 )	content::BrowserMain(content::MainFunctionParams const&)
0x000057e83c4dacc7	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/content/app/content_main_runner_impl.cc:541 )	content::ContentMainRunnerImpl::Run(bool)
0x000057e83c4e2a6d	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/services/service_manager/embedder/main.cc:472 )	service_manager::Main(service_manager::MainParams const&)
0x000057e839ae2a94	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/content/app/content_main.cc:19 )	ChromeMain
0x00007e5870a1c735	(libc-2.23.so -libc-start.c:289 )	__libc_start_main
0x000057e839ac4468	(chrome + 0x00411468 )	_start

Cc: xiy...@chromium.org mukai@chromium.org
The crash indicates we're in early phases of event dispatch. Specifically EventProcessor is calling to a WindowTargeter to find the target. The initial root was non-null and found by way of:

EventTarget* root = GetRootForEvent(event_to_dispatch);

This is WindowEventDispatcher::GetRootForEvent(), which always returns the root (WindowTreeHost::window()).

EventProcessor then calls:

  targeter = root->GetEventTargeter();

which returns a non-null value, and EventProcessor then calls:

  target = targeter->FindTargetForEvent(root, event_to_dispatch);

Which calls to WindowTargeter::FindTargetForEvent(). Based on the trace it seems this is calling WindowTargeter::ProcessEventIfTargetsDifferentRootWindow. I'm a bit hazy on exactly which line is causing problems. That memory.h is listed likely indicates a unique_ptr. My guess is this is a use after free. Maybe the target returned has been deleted?

Since the crash mentions typing, my guess is the FocusController has a reference to a deleted Window that is being returned by FindTargetForKeyEvent.

I'm about to be OOO for the holidays; if this needs to be resolved soon, maybe someone else can pick it up.

If my C++ header is not too different from the one used to generate the build, memory:2607 is this:

2605   _LIBCPP_INLINE_VISIBILITY
2606   pointer get() const _NOEXCEPT {
2607     return __ptr_.first();
2608   }

So we crash in a unique_ptr.get(). Looking at WindowTargeter::ProcessEventIfTargetsDifferentRootWindow, I suspect it is new_root->GetHost()->event_sink() at [1], where WindowTreeHost::event_sink() is implemented in [2] like:

ui::EventSink* WindowTreeHost::event_sink() {
  return dispatcher_.get();
}

Not sure of the real cause though. What WindowTreeHost could it be, and how could it not have a valid |dispatcher_|?

[1] https://cs.chromium.org/chromium/src/ui/aura/window_targeter.cc?rcl=a5ce67342c42fd02737585a9ea5a7fe60f5d6b7d&l=200

[2] https://cs.chromium.org/chromium/src/ui/aura/window_tree_host.cc?rcl=a5ce67342c42fd02737585a9ea5a7fe60f5d6b7d&l=138
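An added example (not the bug's or Chromium's code): a cut-down model of the dispatch path walked through in the comments above. Event, EventSink, WindowTreeHost and Window are stand-ins named after the aura classes, the live-host registry is an assumption of the example, and the dispatch function returns a status where the real code would dereference, so the dangling-host and null-dispatcher cases discussed above can be checked for rather than crashed on:

```cpp
#include <memory>
#include <set>
#include <string>

struct Event { std::string name; bool handled = false; };

// Stand-in for ui::EventSink (in aura, the WindowEventDispatcher behind event_sink()).
struct EventSink {
  int dispatched = 0;
  void OnEventFromSource(Event* e) { e->handled = true; ++dispatched; }
};

// Stand-in for aura::WindowTreeHost. It owns its dispatcher through a unique_ptr, so
// event_sink() is the unique_ptr::get() seen at memory:2607 in the trace. The live-host
// registry is this example's own device for spotting a dangling host before it is used.
struct WindowTreeHost {
  static std::set<const WindowTreeHost*>& live() {
    static std::set<const WindowTreeHost*> hosts;
    return hosts;
  }
  static bool IsLive(const WindowTreeHost* h) { return h && live().count(h) != 0; }
  WindowTreeHost() { live().insert(this); }
  ~WindowTreeHost() { live().erase(this); }
  std::unique_ptr<EventSink> dispatcher_ = std::make_unique<EventSink>();
  EventSink* event_sink() { return dispatcher_.get(); }  // null once dispatcher_ is reset
};

// Stand-in for aura::Window; as in aura, only a root window carries a host.
struct Window {
  Window* root = this;
  WindowTreeHost* host = nullptr;
  Window* GetRootWindow() { return root; }
  WindowTreeHost* GetHost() { return root->host; }
};

enum class Result { kSameRoot, kRedispatched, kDanglingHost, kNoSink };

// Models WindowTargeter::ProcessEventIfTargetsDifferentRootWindow: a target under another
// root is handed to that root's host sink, but only after checking the host is still
// alive and still owns a dispatcher, the two states the analysis above cannot rule out.
Result ProcessEventIfTargetsDifferentRootWindow(Window* root, Window* target, Event* event) {
  Window* new_root = target->GetRootWindow();
  if (new_root == root) return Result::kSameRoot;  // same host; dispatch continues locally
  WindowTreeHost* host = new_root->GetHost();
  if (!WindowTreeHost::IsLive(host)) return Result::kDanglingHost;  // the suspected UAF path
  EventSink* sink = host->event_sink();
  if (!sink) return Result::kNoSink;  // host alive but dispatcher_ already torn down
  sink->OnEventFromSource(event);
  return Result::kRedispatched;
}
```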