Issue 33890: browser crash in BookmarkMenuBridge::UpdateMenu
#2 browser crash in 5.0.307.1: http://crash/reportdetail?reportid=b2b97ddf060fe179
Stack:
Thread 0 *CRASHED* ( EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x00000010 )
0x00134e72 [Google Chrome Framework - stl_vector.h:361] BookmarkMenuBridge::UpdateMenu(NSMenu*)
0x975e2013 [AppKit + 0x0007c013] -[NSMenu _populateWithEventRef:]
0x975e1207 [AppKit + 0x0007b207] -[NSCarbonMenuImpl _carbonPopulateEvent:handlerCallRef:]
0x975e0f78 [AppKit + 0x0007af78] NSSLMMenuEventHandler
0x96243e28 [HIToolbox + 0x00007e28] DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*, HandlerCallRec*)
0x962430ef [HIToolbox + 0x000070ef] SendEventToEventTargetInternal(OpaqueEventRef*, OpaqueEventTargetRef*, HandlerCallRec*)
0x96242f4e [HIToolbox + 0x00006f4e] SendEventToEventTargetWithOptions
0x9628fc41 [HIToolbox + 0x00053c41] SendMenuPopulate(MenuData*, OpaqueEventTargetRef*, unsigned long, double, unsigned long, OpaqueEventRef*, unsigned char*)
0x962baa36 [HIToolbox + 0x0007ea36] PopulateMenu(MenuData*, OpaqueEventTargetRef*, CheckMenuData*, unsigned long, double)
0x962b9fc9 [HIToolbox + 0x0007dfc9] Check1MenuForKeyEvent(MenuData*, CheckMenuData*)
0x962b9662 [HIToolbox + 0x0007d662] CheckMenusForKeyEvent(MenuData*, CheckMenuData*)
0x962b928f [HIToolbox + 0x0007d28f] _IsMenuKeyEvent(MenuData*, OpaqueEventRef*, unsigned long, MenuData**, unsigned short*)
0x962b8f50 [HIToolbox + 0x0007cf50] IsMenuKeyEvent
0x976e5582 [AppKit + 0x0017f582] -[NSCarbonMenuImpl _menuItemWithKeyEquivalentMatchingEventRef:]
0x976e52d4 [AppKit + 0x0017f2d4] _NSFindMenuItemMatchingCommandKeyEvent
0x975da5aa [AppKit + 0x000745aa] _NSHandleCarbonMenuEvent
0x975af075 [AppKit + 0x00049075] _DPSNextEvent
0x975ae305 [AppKit + 0x00048305] -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
0x9757049e [AppKit + 0x0000a49e] -[NSApplication run]
0x005512fc [Google Chrome Framework - message_pump_mac.mm:677] base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
0x00550a85 [Google Chrome Framework - message_pump_mac.mm:213] base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x00575573 [Google Chrome Framework - message_loop.cc:205] MessageLoop::Run()
0x000f49c2 [Google Chrome Framework - browser_main.cc:165] BrowserMain(MainFunctionParams const&)
0x0000ab7a [Google Chrome Framework - chrome_dll_main.cc:749] ChromeMain
0x00001fc5 [Google Chrome + 0x00000fc5]
0x00000001
Feb 1, 2010
stl_vector.h:361 is the method 'const_iterator end() const'. But BookmarkMenuBridge::UpdateMenu doesn't directly call this or any other STL code. The only call to 'end' is in MenuItemForNode.
Feb 1, 2010
In every instance of this crash that I've looked at, the Uptime field is below 10ms. So this is happening at launch time. Maybe because the bookmark model hasn't been loaded yet?
Feb 1, 2010
chrome/browser/cocoa/bookmark_menu_bridge.mm
BookmarkMenuBridge::UpdateMenu(NSMenu*) winds up with some inlined STL code
at line 60:
if (barNode->GetChildCount()) {
barNode is a BookmarkNode*. BookmarkNode inherits from
TreeNode<BookmarkNode> (chrome/browser/bookmarks/bookmark_model.h:46).
TreeNode<BookmarkNode>::GetChildCount() comes from
app/tree_node_model.h:111:
int GetChildCount() const {
return static_cast<int>(children_->size());
}
children_ is a ScopedVector<BookmarkNode>, which comes from
base/scoped_vector.h, and whose operations are direct calls through to its underlying
v member, a std::vector<BookmarkNode>.
I haven't examined BookmarkMenuBridge::UpdateMenu for other possible cases
where std::vector code might be inlined, but this one poked out as something that
would plausibly be vector-licious, and the analysis proves it.
This sort of suspicious-looking stack happens easily when inlining and optimizations
come into play.
Cc: m...@chromium.org
Feb 1, 2010
snej: so call model->IsLoaded() and do nothing if not? You are correct that early startup has nothing loaded yet; bookmarks are loaded on the IO thread.
Feb 1, 2010
OK, I can repro it. I guessed this might happen on first run, so I nuked all my Chromium settings, launched, declined importing bookmarks, then immediately moused down in the menu bar as soon as the browser window appeared. If you wait a second before bringing up the menu, there's no crash.
#0 0x069c051d in std::vector<BookmarkNode*, std::allocator<BookmarkNode*> >::begin (this=0xc) at stl_vector.h:343
#1 0x069c05af in std::vector<BookmarkNode*, std::allocator<BookmarkNode*> >::size (this=0xc) at stl_vector.h:403
#2 0x069c05f0 in TreeNode<BookmarkNode>::GetChildCount (this=0x0) at tree_node_model.h:112
#3 0x069ccd92 in BookmarkMenuBridge::UpdateMenu (this=0x1850a900, bookmark_menu=0x13b1c0) at /Volumes/Chromium/src/chrome/browser/cocoa/bookmark_menu_bridge.mm:60
#4 0x069ce1d5 in -[BookmarkMenuCocoaController menuNeedsUpdate:] (self=0x1850a930, _cmd=0x9749e1c8, menu=0x13b1c0) at /Volumes/Chromium/src/chrome/browser/cocoa/bookmark_menu_cocoa_controller.mm:61
The problem is that GetBookmarkModel()->GetBookmarkBarNode() returns NULL, and UpdateMenu then tries to dereference that. This confirms what Mark said up above.
Feb 1, 2010
In a flash of brilliance I solved the crash as follows: call model->IsLoaded() and do nothing if not. Sometimes I amaze even myself.
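The failure mode Mark traced above (GetChildCount() inlining std::vector::size() on a null node) and the guard snej describes in the comment just above (call model->IsLoaded() and do nothing if not), as an added example that is not code from this bug, from the review, or from Chromium. Node, Model, Menu, UpdateMenuUnchecked and UpdateMenu are hypothetical stand-ins for BookmarkNode, BookmarkModel, NSMenu and the pre- and post-fix shapes of BookmarkMenuBridge::UpdateMenu; the bookmark titles are constructed sample data.

```cpp
// Added example (not Chromium's code): a minimal model of the crash in
// BookmarkMenuBridge::UpdateMenu and of the IsLoaded() guard that fixed it.
// Node, Model, Menu and the function names below are hypothetical stand-ins.
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Stand-in for BookmarkNode: a tree node whose children live in a vector.
// GetChildCount() is the inlined std::vector::size() that shows up in the
// crash stack; calling it through a null Node* reads the vector's begin/end
// pointers at a small offset from address 0, which is the EXC_BAD_ACCESS.
struct Node {
  std::string title;
  std::vector<std::unique_ptr<Node>> children;

  int GetChildCount() const { return static_cast<int>(children.size()); }
  Node* AddChild(const std::string& t) {
    children.push_back(std::unique_ptr<Node>(new Node{t, {}}));
    return children.back().get();
  }
};

// Stand-in for BookmarkModel. Bookmarks load asynchronously (in Chromium, on
// the IO thread), so for a short window after launch IsLoaded() is false and
// GetBookmarkBarNode() returns null.
class Model {
 public:
  bool IsLoaded() const { return loaded_; }
  const Node* GetBookmarkBarNode() const { return bar_.get(); }  // null until Load()

  // Simulates the asynchronous load finishing (constructed sample data).
  void Load() {
    bar_.reset(new Node{"Bookmarks Bar", {}});
    bar_->AddChild("Chromium");
    bar_->AddChild("Code Review");
    loaded_ = true;
  }

 private:
  bool loaded_ = false;
  std::unique_ptr<Node> bar_;
};

// Stand-in for the NSMenu being populated.
struct Menu {
  std::vector<std::string> items;
};

// Pre-fix shape of UpdateMenu: trusts GetBookmarkBarNode() to be non-null.
// Calling this before Model::Load() dereferences null (undefined behaviour);
// it is kept only to show the original control flow.
void UpdateMenuUnchecked(const Model& model, Menu* menu) {
  const Node* bar = model.GetBookmarkBarNode();
  menu->items.clear();
  if (bar->GetChildCount()) {
    for (const auto& child : bar->children) menu->items.push_back(child->title);
  }
}

// Post-fix shape: do nothing until the model has loaded. Returns whether the
// menu was (re)populated so a caller can tell the two cases apart; the null
// check on bar is defence in depth, not part of the described fix.
bool UpdateMenu(const Model& model, Menu* menu) {
  if (!model.IsLoaded()) return false;
  const Node* bar = model.GetBookmarkBarNode();
  if (!bar) return false;
  menu->items.clear();
  if (bar->GetChildCount()) {
    for (const auto& child : bar->children) menu->items.push_back(child->title);
  }
  return true;
}

int main() {
  Model model;
  Menu menu;
  // Menu opened immediately after launch, before the bookmarks are loaded.
  bool updated = UpdateMenu(model, &menu);
  std::printf("before load: updated=%d items=%zu\n", updated, menu.items.size());
  model.Load();
  updated = UpdateMenu(model, &menu);
  std::printf("after load:  updated=%d items=%zu\n", updated, menu.items.size());
  return 0;
}
```

UpdateMenuUnchecked keeps the pre-fix control flow and must only be called once Load() has run; the guarded UpdateMenu returns false before the model is loaded and leaves the menu untouched, which is the "do nothing" behaviour of the fix. Whatever repopulates the menu once loading completes is outside this example.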
Feb 1, 2010
Out for review: http://codereview.chromium.org/557085
Feb 1, 2010
Checked into trunk (37736) and 307 branch (37738).
Status: Fixed
Feb 2, 2010
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=37736
------------------------------------------------------------------------
r37736 | snej@chromium.org | 2010-02-01 12:39:06 -0800 (Mon, 01 Feb 2010) | 5 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/cocoa/bookmark_menu_bridge.mm?r1=37736&r2=37735
Fix Mac browser crash in BookmarkMenuBridge::UpdateMenu.
BUG=33890
TEST=none (see steps to repro in bug report)
Review URL: http://codereview.chromium.org/557085
------------------------------------------------------------------------
Feb 2, 2010
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=37738
------------------------------------------------------------------------
r37738 | snej@chromium.org | 2010-02-01 12:41:53 -0800 (Mon, 01 Feb 2010) | 8 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/branches/307/src/chrome/browser/cocoa/bookmark_menu_bridge.mm?r1=37738&r2=37737
Merge 37736 - Fix Mac browser crash in BookmarkMenuBridge::UpdateMenu.
BUG=33890
TEST=none (see steps to repro in bug report)
Review URL: http://codereview.chromium.org/557085
TBR=snej@chromium.org
Review URL: http://codereview.chromium.org/552264
------------------------------------------------------------------------
Feb 3, 2010
Tried crashing using snej@'s steps but couldn't. Verified in 5.0.307.5 (Official Build 37950) dev
Status: Verified
Feb 14, 2010
removing formerge label from verified bugs.
Labels: -formerge
Mar 18, 2011
Labels: -Crash bulkmove Stability-Crash
Labels: -Pri-2 Pri-0 ReleaseBlock-Beta Mstone-5