CHECK failure: !render_view->main_render_frame_ in render_frame_impl.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5099859690127360

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !render_view->main_render_frame_ in render_frame_impl.cc
  content::RenderFrameImpl::OnSwapOut
  bool IPC::MessageT<FrameMsg_SwapOut_Meta, std::__1::tuple<int, bool, content::Fr

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=606035:606041

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5099859690127360

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Dec 27
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/f8840b9771e2686d3054a311440abb48ac636e65 (Keep subframe alive in pending deletion.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jan 7
I minimized the test case:
~~~
<iframe id="iframe"></iframe>
<script>
var iframe = document.querySelector("#iframe");
iframe.contentWindow.onunload = function() {
window.stop();
};
location.href="something";
</script>
~~~
So, window.stop() is called in an iframe's unload handler.
I remember having had this problem before. I will take a look.
Jan 10
Jan 11
Hmmm, I rebased and I can't reproduce anymore. +CC dgozman@: FYI. Let's wait for clusterfuzz to determine which CL fixed this bug.
Jan 17
Re myself comment 5: No response from clusterfuzz, I think I need to close the bug to make it bisect which CL fixed the issue.
Comment 1 by ClusterFuzz, Dec 27
Labels: Test-Predator-Auto-Components