(No comment was entered for this change.)

See also  Issue 31856 

Is a heavy crasher.

Perhaps the same:
   http://crash/reportdetail?reportid=78eee210794a421e
Additional stack level:
0x0036affb	 [Google Chrome Framework	 - render_widget_host.cc:380]	RenderWidgetHost::ForwardKeyboardEvent(NativeWebKeyboardEvent const&)
0x00370543	 [Google Chrome Framework	 - render_widget_host_view_mac.mm:430]	RenderWidgetHostViewMac::ShowPopupWithItems(gfx::Rect, int, int, std::vector<WebMenuItem, std::allocator<WebMenuItem> > const&)
0x00369461	 [Google Chrome Framework	 - render_widget_host.cc:802]	RenderWidgetHost::OnMsgShowPopup(ViewHostMsg_ShowPopup_Params const&)
0x0036c1b9	 [Google Chrome Framework	 - ../base/tuple.h:422]	RenderWidgetHost::OnMessageReceived(IPC::Message const&)

There is a collection of crashes which all seem to relate to RenderWidgetHostViewMac::ShowPopupWithItems().  
As a group, these are our biggest browser crasher.  Some of the crashes have signatures which don't work with 
the crash-server dashboard, and I think this is why they don't show up in the Mac-crash summary dashboard.

I've been unsuccessfully trying to find some time to look at it, but haven't managed it.

(No comment was entered for this change.)

(No comment was entered for this change.)

Scott, do you have any repro info, or something you'd like test to bang on?

Nope.  Haven't had time to look into it much, either.  It isn't happening on 249.x channel, so I'm wondering if it's 
something new that's been added (actually, could extensions poke into this for their UI?).

extension related, perhaps?

The only thing I can think of is a SELECT crasher I fixed a while ago:
http://src.chromium.org/viewvc/chrome?view=rev&revision=34136

But that fix has been in for a while.

This continues to happen in 295.0.  It's likely our largest browser crasher (the crash 
server is sketchy, the template arguments appear to conflict with doing searches in 
some cases).  I'm OOT this week and definitely will not get around to looking at it.

I'll take a look.

Promoting to P1

We should fix this for *this* beta, so it's P0.

I haven't been able to repro, but I suspect it's extension-related. Timing-related, 
anyway, with a page navigating or closing just as its <select> control is being closed.

Checking for invalid render_widget_host_ before using it near the affected lines (425 
and 430) will probably prevent the crash. Wish I could repro, to be certain there wasn't 
something more subtle going on. Anyway, when I get back tomorrow I'll put that much 
in.

More eyes also welcome.

(No comment was entered for this change.)

No longer so convinced that the problem is an invalid render_widget_host_ here. Might 
be chrome_view_, although AFAICT that's not used in the second crasher shess posted 
above. 

I'm reluctant to just paper over what *might* be the superficial problem without 
understanding the underlying cause, so in go some diagnostics in the hopes that they'll 
shed more light on this.

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=36790 

------------------------------------------------------------------------
r36790 | pam@chromium.org | 2010-01-21 13:55:40 -0800 (Thu, 21 Jan 2010) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/render_widget_host_view_mac.h?r1=36790&r2=36789
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/render_widget_host_view_mac.mm?r1=36790&r2=36789

Insert diagnostics in an attempt to track down a crash in popup menus
in RenderWidgetHostViewMac::ShowPopupWithItems().

BUG=31716
TEST=should have no user-visible effect; see crash reports
Review URL: http://codereview.chromium.org/545159
------------------------------------------------------------------------

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=36894 

------------------------------------------------------------------------
r36894 | pam@chromium.org | 2010-01-22 12:59:29 -0800 (Fri, 22 Jan 2010) | 9 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/302/src/chrome/browser/renderer_host/render_widget_host_view_mac.h?r1=36894&r2=36893
   M http://src.chromium.org/viewvc/chrome/branches/302/src/chrome/browser/renderer_host/render_widget_host_view_mac.mm?r1=36894&r2=36893

Merge 36790 - Insert diagnostics in an attempt to track down a crash in popup menus
in RenderWidgetHostViewMac::ShowPopupWithItems().

BUG=31716
TEST=should have no uservisible effect; see crash reports
Review URL: http://codereview.chromium.org/545159

TBR=pam@chromium.org
Review URL: http://codereview.chromium.org/548119
------------------------------------------------------------------------

Tracking note: these diagnostics will be in the next dev release at or after 4.0.302.4.

Presumed fixed and merged. Reopen if that's not the case.

Nope, not fixed. The patch only added diagnostics, since we're still getting crashes 
reported automatically but haven't been able to reproduce them.

Unassigning, at least for now. I'll be out starting the day after tomorrow, and we 
likely won't have crash data from 302.4+ before then.

(No comment was entered for this change.)

Trung, can you look into this?

Wait, we were waiting for the diagnostics that pam put in to make it out to the dev 
channel and into the crash logs (per her comments above). Is there anything we can do 
until then?

Sure, we just wanted to make sure that there's an owner for looking at the info when it 
comes back since Pam will be gone.

This crash, or a similar one, can be caused by an extension killing the tab while the 
menu is showing. I'll investigate whether it can also happen with JS killing the window.

A JavaScript window.close() while the menu is showing will also cause a crash.

shess "volunteered" to take care of this, since he took care of a bunch of similar cases 
before.

(No comment was entered for this change.)

Lovely.  I broke this with  Issue 30147 .

To repro, pull up attached test.html, and bring up the select menu.  When the tab goes away, anything you do 
should crash (if it doesn't, select something).

test.html 302 bytes   View   Download

shess mentioned that pink suggested that things would also break (i.e., crash) if a 
navigation to another page occurred while the menu was up. I verified that this is in fact 
the case.

 Issue 33250 , which I'm about to mark as a dup of this, has some very simple steps to 
reproduce (which I have not tried myself):
"1. Go to amazon.com
2. Submit the search form at the top.
3. Before the next page loads, click on the drop-down to the left to open it.
4. Once the next page loads, click on the page to close the drop-down."

 Issue 33250  has been merged into this issue.

Hoo boy, those steps above certainly work like a charm (he said, waving away the 
clouds of choking black smoke...)

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=37417 

------------------------------------------------------------------------
r37417 | shess@chromium.org | 2010-01-28 10:53:08 -0800 (Thu, 28 Jan 2010) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/render_widget_host_view_mac.mm?r1=37417&r2=37416

[Mac] Prevent script-initiated tab close while a content select menu is up.

BUG=31716
TEST=test.html from the bug, page shouldn't close while select popup is up.

Review URL: http://codereview.chromium.org/555144
------------------------------------------------------------------------

(No comment was entered for this change.)

Sigh.  I thought I had merged this over to branch 307, but apparently something went wrong.  I think Jens' fix will 
prevent this crash from happening, so I don't think it's at all worth re-spinning the build.  But I'm going to 
merge it over to 307, so that if we end up re-spinning for other reasons it comes along.

Still seeing this in 5.0.307.1 :
http://crash/reportdetail?reportid=10c9cc09d035e23e

The fix is merged over to 307, but isn't present in 307.1, so moving this back to "fixed", assuming that the next 
step is "verified".  Would it be reasonable to have a tracking option on the order of "upstream"?

Since the bot isn't updating the bug, fix is merged at:
   http://src.chromium.org/viewvc/chrome?view=rev&revision=37549

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=37438 

------------------------------------------------------------------------
r37438 | snej@chromium.org | 2010-01-28 13:24:12 -0800 (Thu, 28 Jan 2010) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/render_widget_host_view_mac.mm?r1=37438&r2=37437

Fix Mac crash when page goes away while a pop-up menu is active.
This may also fix the older related  bug 31716 .
BUG=33250
TEST=see steps to reproduce in the bug report

Review URL: http://codereview.chromium.org/558021
------------------------------------------------------------------------

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=37440 

------------------------------------------------------------------------
r37440 | snej@chromium.org | 2010-01-28 13:30:32 -0800 (Thu, 28 Jan 2010) | 9 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/307/src/chrome/browser/renderer_host/render_widget_host_view_mac.mm?r1=37440&r2=37439

Merge 37438 - Fix Mac crash when page goes away while a popup menu is active.
This may also fix some cases of the older related  bug 31716 .
BUG=33250
TEST=see steps to reproduce in the bug report

Review URL: http://codereview.chromium.org/558021

TBR=snej@chromium.org
Review URL: http://codereview.chromium.org/548191
------------------------------------------------------------------------

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=37549 

------------------------------------------------------------------------
r37549 | shess@chromium.org | 2010-01-29 14:05:34 -0800 (Fri, 29 Jan 2010) | 9 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/307/src/chrome/browser/renderer_host/render_widget_host_view_mac.mm?r1=37549&r2=37548

Merge 37417 - [Mac] Prevent scriptinitiated tab close while a content select menu is up.

BUG=31716
TEST=test.html from the bug, page shouldn't close while select popup is up.

Review URL: http://codereview.chromium.org/555144

TBR=shess@chromium.org
Review URL: http://codereview.chromium.org/549212
------------------------------------------------------------------------

 Issue 33717  has been merged into this issue.

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=37866 

------------------------------------------------------------------------
r37866 | shess@chromium.org | 2010-02-02 12:11:04 -0800 (Tue, 02 Feb 2010) | 11 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/render_widget_host_view_mac.h?r1=37866&r2=37865
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/renderer_host/render_widget_host_view_mac.mm?r1=37866&r2=37865

[Mac] Revert diagnostics for content popup bug.

Revert pamg's commit.

> Insert diagnostics in an attempt to track down a crash in popup menus
> in RenderWidgetHostViewMac::ShowPopupWithItems().

BUG=31716
TEST=none

Review URL: http://codereview.chromium.org/566018
------------------------------------------------------------------------

Verified in 5.0.307.5 (Official Build 37950) dev, Steps followed:

1. Go to amazon.com
2. Submit the search form at the top.
3. Before the next page loads, click on the drop-down to the left to open it.
4. Once the next page loads, click on the page to close the drop-down.

(No comment was entered for this change.)

Merged, verified: removing formerge label.