Long press on download link and tap on ‘open in new tab/incognito tab’ in context menu will crash the application
Issue description

App Version: 73.0.3667.0 Canary
iOS Version: 11.4.1, 12.1.1, 12.1.3 beta#3
Device: iPhone and iPad

Steps to reproduce:
1. Launch iOS Chrome
2. Load https://developer.apple.com/fonts
3. Long press on ‘Download San Francisco Fonts’
4. Tap either on ‘Open in new tab’ or ‘Open in New Incognito tab’

Observed results: App crashes
Expected results: App shouldn’t crash

Number of times you were able to reproduce: 5/5
Bug reproducible after clean install: Yes
Bug reproducible after clearing cache and cookies: Yes
Bug reproducible on Chrome Mobile on Chrome Desktop: Not tested
Bug reproducible on Chrome Mobile on Android: Not tested
Bug reproducible on Safari/Firefox: Firefox: NA, Safari: NA
Bug reproducible on current stable build (App Version, iOS Version): No on M71
Bug reproducible on the current beta channel build (App Version, iOS Version): No on M72 Beta

Revision Number for 73.0.3664.0 (Good Version) - ea459cba924d
Revision Number for 73.0.3665.0 (Bad Version) - 629bcca8b1de

Link to Video: https://drive.google.com/file/d/1ar1CHmjxLrqSFsyIXaY1-kkUm6HPrTqr/view?usp=sharing
Link to Crash log: https://crash.corp.google.com/browse?stbtiq=6e17069192e1e8dd

Stack Trace:
Thread 0 (id: 0x0x00000303) CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000000] MAGIC SIGNATURE THREAD
Stack Quality 84%
0x0000000100dbdcc4 (Chrome - infobar_manager_impl.mm:30) InfoBarManagerImpl::DidFinishNavigation(web::WebState*, web::NavigationContext*)
0x0000000100dbdcbc (Chrome - infobar_manager_impl.mm:80) InfoBarManagerImpl::DidFinishNavigation(web::WebState*, web::NavigationContext*)
0x0000000100d11cbc (Chrome - web_state_impl.mm:781) web::WebStateImpl::OnNavigationFinished(web::NavigationContextImpl*)
0x0000000100cd7dec (Chrome - crw_web_controller.mm:3271) -[CRWWebController createDownloadTaskForResponse:HTTPHeaders:]
0x0000000100cde338 (Chrome - crw_web_controller.mm:4581) -[CRWWebController webView:decidePolicyForNavigationResponse:decisionHandler:]
0x0000000192d44e10 (WebKit + 0x0008fe10) WebKit::NavigationState::NavigationClient::decidePolicyForNavigationResponse(WebKit::WebPageProxy&, WTF::Ref<API::NavigationResponse, WTF::DumbPtrTraits<API::NavigationResponse> >&&, WTF::Ref<WebKit::WebFramePolicyListenerProxy, WTF::DumbPtrTraits<WebKit::WebFramePolicyListenerProxy> >&&, API::Object*)
0x0000000192f03c54 (WebKit + 0x0024ec54) WebKit::WebPageProxy::decidePolicyForResponse(unsigned long long, WebCore::SecurityOriginData const&, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, unsigned long long, WebKit::UserData const&)
0x0000000192f03db0 (WebKit + 0x0024edb0) WebKit::WebPageProxy::decidePolicyForResponseSync(unsigned long long, WebCore::SecurityOriginData const&, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, unsigned long long, WebKit::UserData const&, bool&, WebCore::PolicyAction&, WebKit::DownloadID&)
0x0000000192f33eb8 (WebKit + 0x0027eeb8) void IPC::callMemberFunctionImpl<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long long, WebCore::SecurityOriginData const&, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, unsigned long long, WebKit::UserData const&, bool&, WebCore::PolicyAction&, WebKit::DownloadID&), std::__1::tuple<unsigned long long, WebCore::SecurityOriginData, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, unsigned long long, WebKit::UserData>, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, std::__1::tuple<bool, WebCore::PolicyAction, WebKit::DownloadID>, 0ul, 1ul, 2ul>(WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long long, WebCore::SecurityOriginData const&, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, unsigned long long, WebKit::UserData const&, bool&, WebCore::PolicyAction&, WebKit::DownloadID&), std::__1::tuple<unsigned long long, WebCore::SecurityOriginData, WebCore::ResourceResponse, WebCore::ResourceRequest, bool, unsigned long long, WebKit::UserData>&&, std::__1::tuple<bool, WebCore::PolicyAction, WebKit::DownloadID>&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul>, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul>)
0x0000000192f29b44 (WebKit + 0x00274b44) void IPC::handleMessage<Messages::WebPageProxy::DecidePolicyForResponseSync, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(unsigned long long, WebCore::SecurityOriginData const&, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, unsigned long long, WebKit::UserData const&, bool&, WebCore::PolicyAction&, WebKit::DownloadID&)>(IPC::Decoder&, IPC::Encoder&, WebKit::WebPageProxy*, void (WebKit::WebPageProxy::*)(unsigned long long, WebCore::SecurityOriginData const&, WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, bool, unsigned long long, WebKit::UserData const&, bool&, WebCore::PolicyAction&, WebKit::DownloadID&))
0x0000000192d41dac (WebKit + 0x0008cdac) IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&)
0x0000000192f8129c (WebKit + 0x002cc29c) WebKit::WebProcessProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&)
0x0000000192d074c8 (WebKit + 0x000524c8) IPC::Connection::dispatchSyncMessage(IPC::Decoder&)
0x0000000192d04ce0 (WebKit + 0x0004fce0) IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)
0x0000000192d07700 (WebKit + 0x00052700) IPC::Connection::dispatchOneMessage()
0x000000018a966128 (JavaScriptCore + 0x00abf128) WTF::RunLoop::performWork()
0x000000018a9663e8 (JavaScriptCore + 0x00abf3e8) WTF::RunLoop::performWork(void*)
0x00000001832d7400 (CoreFoundation + 0x000ee400) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00000001832d6c28 (CoreFoundation + 0x000edc28) __CFRunLoopDoSources0
0x00000001832d4798 (CoreFoundation + 0x000eb798) __CFRunLoopRun
0x00000001831f4da4 (CoreFoundation + 0x0000bda4) CFRunLoopRunSpecific
0x00000001851da01c (GraphicsServices + 0x0000b01c) GSEventRunModal
0x000000018d214754 (UIKit + 0x0031d754) UIApplicationMain
0x0000000100adcfcc (Chrome - chrome_exe_main.mm:54) main
0x0000000182c85fbc (libdyld.dylib + 0x00000fbc) start
Jan 10
Hey Eugene, the bisect range includes the recent change https://crrev.com/c/1396400 and it seems it's crashing there. Could you PTAL?
Jan 10
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a4b83d821f9bb9bab54497b1fc6709f43ddc33c7

commit a4b83d821f9bb9bab54497b1fc6709f43ddc33c7
Author: Eugene But <eugenebut@google.com>
Date: Thu Jan 10 23:49:48 2019

Fix crash in InfoBarManagerImpl::DidFinishNavigation.

DidFinishNavigation is called when navigation is committed, replaced, aborted or leads to a download. The code was crashing on download, after dereferencing a null pointer for the last committed navigation item. The fix makes DidFinishNavigation a no-op for replaced, aborted or download navigations, which was the case before the regression introduced in https://crrev.com/c/1396400

EG test is added in a separate CL: https://crrev.com/c/1405545
There is no testing fixture for InfoBarManagerImpl, so there is no new unit test.

Bug: 920585
Change-Id: Idf71bfe817755b6c9ade90003a432d29f07c4b92
Reviewed-on: https://chromium-review.googlesource.com/c/1405497
Reviewed-by: Sergio Collazos <sczs@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621805}

[modify] https://crrev.com/a4b83d821f9bb9bab54497b1fc6709f43ddc33c7/ios/chrome/browser/infobars/infobar_manager_impl.mm
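The failure mode this commit describes, reduced to an added model that is not Chromium's code (WebState, NavigationContext, InfoBarObserver and FinishDownload below are hypothetical stand-ins, and the URLs are constructed): a download finishes a navigation without committing an item, so a tab opened straight onto a download link hands the observer a null last-committed item, and the fixed path checks the navigation outcome rather than the pointer.

```cpp
#include <memory>
#include <string>
#include <vector>
// How a navigation finished; only kCommitted installs a committed item.
enum class NavOutcome { kCommitted, kReplaced, kAborted, kDownload };
// What the observer did when notified.
enum class ObserverResult { kHandled, kNoop, kNullItem };
struct NavigationItem { std::string url; };
struct NavigationContext { NavOutcome outcome; };
struct WebState;
// Stand-in for the infobar manager observing a tab's navigations.
struct InfoBarObserver {
  bool guarded = false;  // false = regressed code, true = fixed code
  ObserverResult last_result = ObserverResult::kNoop;
  void DidFinishNavigation(const WebState& ws, const NavigationContext& ctx);
};

// Stand-in for the tab state that fans out DidFinishNavigation.
struct WebState {
  std::unique_ptr<NavigationItem> last_committed;
  std::vector<InfoBarObserver*> observers;
  const NavigationItem* GetLastCommittedItem() const { return last_committed.get(); }
  // Replaced, aborted and download navigations still notify observers but
  // leave last_committed untouched (null in a brand-new tab).
  void FinishNavigation(NavOutcome outcome, const std::string& url) {
    if (outcome == NavOutcome::kCommitted)
      last_committed = std::make_unique<NavigationItem>(NavigationItem{url});
    NavigationContext ctx{outcome};
    for (InfoBarObserver* o : observers) o->DidFinishNavigation(*this, ctx);
  }
};
void InfoBarObserver::DidFinishNavigation(const WebState& ws, const NavigationContext& ctx) {
  // The fix: do nothing unless this navigation actually committed.
  if (guarded && ctx.outcome != NavOutcome::kCommitted) { last_result = ObserverResult::kNoop; return; }
  const NavigationItem* item = ws.GetLastCommittedItem();
  if (!item) { last_result = ObserverResult::kNullItem; return; }  // real code dereferenced null here
  last_result = ObserverResult::kHandled;  // would update infobars for item->url
}
// Drives a download through a tab. tab_has_page=false models 'Open in new tab'
// on a download link (no committed item yet); true models a tab already showing
// a page, where the regressed code does not crash but acts on the stale item.
ObserverResult FinishDownload(bool guarded, bool tab_has_page) {
  WebState ws;
  InfoBarObserver obs; obs.guarded = guarded;
  ws.observers.push_back(&obs);
  if (tab_has_page) ws.FinishNavigation(NavOutcome::kCommitted, "https://example.invalid/");
  ws.FinishNavigation(NavOutcome::kDownload, "https://example.invalid/fonts.dmg");  // constructed URLs
  return obs.last_result;
}
```

The second scenario is why a null check on the pointer alone would be a weaker fix than the outcome check: with a page already committed, the regressed callback runs on an item that does not belong to the download.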
Jan 11
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/50dc22723a82fc8831813eb35cb2a4c8b4c38a20

commit 50dc22723a82fc8831813eb35cb2a4c8b4c38a20
Author: Eugene But <eugenebut@google.com>
Date: Fri Jan 11 23:07:19 2019

EG test to test 'Open in New Tab' on download link.

Add EG test which opens download link in the new tab via context menu. The test is an almost identical copy of testContextMenuOpenInNewTab.

Bug: 920585
Change-Id: I2ba6ca164545fc3dce56980f9aa67e1493a6225f
Reviewed-on: https://chromium-review.googlesource.com/c/1405545
Reviewed-by: Sergio Collazos <sczs@chromium.org>
Commit-Queue: Eugene But <eugenebut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622198}

[modify] https://crrev.com/50dc22723a82fc8831813eb35cb2a4c8b4c38a20/ios/chrome/browser/ui/download/BUILD.gn
[modify] https://crrev.com/50dc22723a82fc8831813eb35cb2a4c8b4c38a20/ios/chrome/browser/ui/download/download_manager_egtest.mm
Jan 15
Issue verified
Version: Chrome Canary 73.0.3672.0
Device: iPhone 6S
iOS: 12.1.2
No crash observed
https://drive.google.com/open?id=1llYysYKYsZZo2PhYqddhWULJJfkqai6r
Comment 1 by thegreenfrog@chromium.org, Jan 10
Owner: sczs@chromium.org
Status: Assigned (was: Untriaged)