Issue 4582: Chrome: Crash Report - Stack Signature: WebCore::ScrollView::contentsToWindow(WebCore::IntPoint const &)-E7FC9B
Reported by jasneet@chromium.org, Nov 19, 2008
The full crash report details can be found at:
http://go/crash/reportdetail?reportid=ac85c2c28f1f71a3&product=Chrome&version=0.4.154.22&signature=WebCore%3A%3AScrollView%3A%3AcontentsToWindow(WebCore%3A%3AIntPoint+const+%26)-E7FC9B

Meta information:
Report Time: 2008/11/19 09:02:49, Wed
Uptime: 5 sec
Cumulative Uptime: 0 sec
User Email: 
User Comments: 
Product Name: Chrome
Product Version: 0.4.154.22
OS Name: Windows NT
OS Version: 6.0.6001 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 23 stepping 7
plat: Win32
ptype: renderer

Stack Trace:

Thread 1 *CRASHED*
0x6d8c7136 [chrome.dll] - scrollviewwin.cpp:648 WebCore::ScrollView::contentsToWindow(WebCore::IntPoint const &)
0x6d5c4d1a [chrome.dll] - scrollview.h:101 WebCore::ScrollView::contentsToWindow(WebCore::IntRect const &)
0x6da84830 [chrome.dll] - accessiblebase.cpp:445 AccessibleBase::accLocation(long *,long *,long *,long *,tagVARIANT)
0x6da795d0 [chrome.dll] - glue_accessibility.cc:92 GlueAccessibility::GetAccessibilityInfo(WebView *,ViewMsg_Accessibility_In_Params const &,ViewHostMsg_Accessibility_Out_Params *)
0x6d71604b [chrome.dll] - render_view.cc:2522 RenderView::OnGetAccessibilityInfo(ViewMsg_Accessibility_In_Params const &,ViewHostMsg_Accessibility_Out_Params *)
0x6d717b4b [chrome.dll] - ipc_message_utils.h:1160 IPC::MessageWithReply<ViewMsg_Accessibility_In_Params,Tuple1<ViewHostMsg_Accessibility_Out_Params &> >::Dispatch<RenderView,void ( RenderView::*)(ViewMsg_Accessibility_In_Params const &,ViewHostMsg_Accessibility_Out_Params *)>(IPC::Message const *,RenderView *,void ( RenderView::*)(ViewMsg_Accessibility_In_Params const &,ViewHostMsg_Accessibility_Out_Params *))
0x6d7111b0 [chrome.dll] - render_view.cc:370 RenderView::OnMessageReceived(IPC::Message const &)
0x6d7301c1 [chrome.dll] - message_router.cc:39 MessageRouter::RouteMessage(IPC::Message const &)
0x6d730194 [chrome.dll] - message_router.cc:30 MessageRouter::OnMessageReceived(IPC::Message const &)
0x6d70d855 [chrome.dll] - render_thread.cc:181 RenderThread::OnMessageReceived(IPC::Message const &)
0x6d72c76c [chrome.dll] - ipc_sync_channel.cc:118 IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessages()
0x6d72d277 [chrome.dll] - ipc_sync_channel.cc:444 IPC::SyncChannel::WaitForReply(void *)
0x6d72d1f7 [chrome.dll] - ipc_sync_channel.cc:428 IPC::SyncChannel::SendWithTimeout(IPC::Message *,int)
0x6d72d0c3 [chrome.dll] - ipc_sync_channel.cc:394 IPC::SyncChannel::Send(IPC::Message *)
0x6d927c25 [chrome.dll] - plugin_channel_base.cc:97 PluginChannelBase::Send(IPC::Message *)
0x6d72262d [chrome.dll] - webplugin_delegate_proxy.cc:255 WebPluginDelegateProxy::Send(IPC::Message *)
0x6d7221a1 [chrome.dll] - webplugin_delegate_proxy.cc:175 WebPluginDelegateProxy::PluginDestroyed()
0x6d5ce84d [chrome.dll] - webplugin_impl.cc:1032 WebPluginImpl::SetContainer(WebPluginContainer *)
0x6d5cc8a7 [chrome.dll] - webplugin_impl.cc:106 WebPluginContainer::~WebPluginContainer()
0x6d5cc87e [chrome.dll] +0x0002c87e WebPluginContainer::`scalar deleting destructor'(unsigned int)
0x6d6d9b4d [chrome.dll] - renderpart.cpp:56 WebCore::RenderPart::~RenderPart()
0x6d670289 [chrome.dll] +0x000d0289 WebCore::RenderPartObject::`vector deleting destructor'(unsigned int)
0x6d61f373 [chrome.dll] - renderobject.cpp:2568 WebCore::RenderObject::arenaDelete(WebCore::RenderArena *,void *)
0x6d65d2b9 [chrome.dll] - renderwidget.cpp:211 WebCore::RenderWidget::deref(WebCore::RenderArena *)
0x6d65cfa6 [chrome.dll] - renderwidget.cpp:102 WebCore::RenderWidget::destroy()
0x6d60a615 [chrome.dll] - node.cpp:873 WebCore::Node::detach()
0x6d63b9a7 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x6d63b9a7 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x6d63b9a7 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x6d63b9a7 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x6d63b9a7 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x6d63b9a7 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x6d5ee47e [chrome.dll] - document.cpp:1350 WebCore::Document::detach()
0x6d5f49d8 [chrome.dll] - frame.cpp:223 WebCore::Frame::setView(WebCore::FrameView *)
0x6d5cb042 [chrome.dll] - webframe_impl.cc:1404 WebFrameImpl::CreateFrameView()
0x6d5be733 [chrome.dll] - webframeloaderclient_impl.cc:128 WebFrameLoaderClient::makeDocumentView()
0x6d5e1e3a [chrome.dll] - frameloader.cpp:2697 WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>)
0x6d5e1be5 [chrome.dll] - frameloader.cpp:2592 WebCore::FrameLoader::commitProvisionalLoad(WTF::PassRefPtr<WebCore::CachedPage>)
0x6d5e96fa [chrome.dll] - documentloader.cpp:311 WebCore::DocumentLoader::commitIfReady()
0x6d5e9745 [chrome.dll] - documentloader.cpp:351 WebCore::DocumentLoader::commitLoad(char const *,int)
0x6d637787 [chrome.dll] - mainresourceloader.cpp:138 WebCore::MainResourceLoader::addData(char const *,int,bool)
0x6d6388c0 [chrome.dll] - resourceloader.cpp:236 WebCore::ResourceLoader::didReceiveData(char const *,int,__int64,bool)
0x6d637ce5 [chrome.dll] - mainresourceloader.cpp:299 WebCore::MainResourceLoader::didReceiveData(char const *,int,__int64,bool)
0x6d638af4 [chrome.dll] - resourceloader.cpp:367 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle *,char const *,int,int)
0x6d5da77c [chrome.dll] - resource_handle_win.cc:560 WebCore::ResourceHandleInternal::OnReceivedData(char const *,int)
0x6d72a80a [chrome.dll] - resource_dispatcher.cc:362 ResourceDispatcher::OnReceivedData(int,void *,int)
0x6d72ab7c [chrome.dll] - resource_dispatcher.cc:462 ResourceDispatcher::DispatchMessageW(IPC::Message const &)
0x6d72a596 [chrome.dll] - resource_dispatcher.cc:276 ResourceDispatcher::OnMessageReceived(IPC::Message const &)
0x6d710b8c [chrome.dll] - render_view.cc:308 RenderView::OnMessageReceived(IPC::Message const &)
0x6d7301c1 [chrome.dll] - message_router.cc:39 MessageRouter::RouteMessage(IPC::Message const &)
0x6d730194 [chrome.dll] - message_router.cc:30 MessageRouter::OnMessageReceived(IPC::Message const &)
0x6d70d855 [chrome.dll] - render_thread.cc:181 RenderThread::OnMessageReceived(IPC::Message const &)
0x6d7da122 [chrome.dll] - task.h:312 RunnableMethod<CancelableRequest<CallbackRunner<Tuple1<std::vector<DownloadCreateInfo,std::allocator<DownloadCreateInfo> > *> > >,void ( CancelableRequest<CallbackRunner<Tuple1<std::vector<DownloadCreateInfo,std::allocator<DownloadCreateInfo> > *> > >::*)(Tuple1<std::vector<DownloadCreateInfo,std::allocator<DownloadCreateInfo> > *> const &),Tuple1<Tuple1<std::vector<DownloadCreateInfo,std::allocator<DownloadCreateInfo> > *> > >::Run()
0x6d5abe93 [chrome.dll] - message_loop.cc:303 MessageLoop::RunTask(Task *)
0x6d5abecf [chrome.dll] - message_loop.cc:311 MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x6d5ac0c4 [chrome.dll] - message_loop.cc:403 MessageLoop::DoWork()
0x6d5b97e5 [chrome.dll] - message_pump_default.cc:50 base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x6d5abbd3 [chrome.dll] - message_loop.cc:192 MessageLoop::RunInternal()
0x6d5abb42 [chrome.dll] - message_loop.cc:175 MessageLoop::RunHandler()
0x6d5abae5 [chrome.dll] - message_loop.cc:149 MessageLoop::Run()
0x6da36953 [chrome.dll] - thread.cc:156 base::Thread::ThreadMain()
0x6d5ad6aa [chrome.dll] - platform_thread_win.cc:28 `anonymous namespace'::ThreadFunc(void *)
0x6db4e62f [chrome.dll] - threadex.c:348 _callthreadstartex
0x6db4e6d4 [chrome.dll] - threadex.c:326 _threadstartex
0x7601e3f2 [kernel32.dll] +0x0008e3f2 BaseThreadInitThunk
0x77c9cfec [ntdll.dll] +0x0007cfec __RtlUserThreadStart
0x77c9d1fe [ntdll.dll] +0x0007d1fe _RtlUserThreadStart


Comment 1 by jasneet@chromium.org, Nov 20, 2008
(No comment was entered for this change.)
Owner: ---
Comment 2 by laforge@chromium.org, Nov 21, 2008
The full crash report details can be found at:
http://go/crash/reportdetail?reportid=b929a3c3c4ea352&product=Chrome&version=0.4.154.23&signature=WebCore%3A%3AScrollView%3A%3AcontentsToWindow(WebCore%3A%3AIntPoint+const+%26)-E82C44

Meta information:
Report ID: b929a3c3c4ea352
Report Time: 2008/11/21 16:52:57, Fri
Uptime: 118 sec
Cumulative Uptime: 0 sec
User Email: 
User Comments: 
Product Name: Chrome
Product Version: 0.4.154.23
OS Name: Windows NT
OS Version: 6.0.6001 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 15 stepping 11
plat: Win32
ptype: renderer

Stack Trace:

Thread 1 *CRASHED*
0x69c787e2 [chrome.dll] - scrollviewwin.cpp:648 WebCore::ScrollView::contentsToWindow(WebCore::IntPoint const &)
0x69974bd3 [chrome.dll] - scrollview.h:101 WebCore::ScrollView::contentsToWindow(WebCore::IntRect const &)
0x69e3538e [chrome.dll] - accessiblebase.cpp:445 AccessibleBase::accLocation(long *,long *,long *,long *,tagVARIANT)
0x69e2a835 [chrome.dll] - glue_accessibility.cc:92 GlueAccessibility::GetAccessibilityInfo(WebView *,ViewMsg_Accessibility_In_Params const &,ViewHostMsg_Accessibility_Out_Params *)
0x69ac5ccc [chrome.dll] - render_view.cc:2522 RenderView::OnGetAccessibilityInfo(ViewMsg_Accessibility_In_Params const &,ViewHostMsg_Accessibility_Out_Params *)
0x69ac7762 [chrome.dll] - ipc_message_utils.h:1160 IPC::MessageWithReply<ViewMsg_Accessibility_In_Params,Tuple1<ViewHostMsg_Accessibility_Out_Params &> >::Dispatch<RenderView,void ( RenderView::*)(ViewMsg_Accessibility_In_Params const &,ViewHostMsg_Accessibility_Out_Params *)>(IPC::Message const *,RenderView *,void ( RenderView::*)(ViewMsg_Accessibility_In_Params const &,ViewHostMsg_Accessibility_Out_Params *))
0x69ac0e31 [chrome.dll] - render_view.cc:370 RenderView::OnMessageReceived(IPC::Message const &)
0x69ae00c8 [chrome.dll] - message_router.cc:39 MessageRouter::RouteMessage(IPC::Message const &)
0x69ae009b [chrome.dll] - message_router.cc:30 MessageRouter::OnMessageReceived(IPC::Message const &)
0x69abd52c [chrome.dll] - render_thread.cc:181 RenderThread::OnMessageReceived(IPC::Message const &)
0x69adc747 [chrome.dll] - ipc_sync_channel.cc:118 IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessages()
0x69add252 [chrome.dll] - ipc_sync_channel.cc:444 IPC::SyncChannel::WaitForReply(void *)
0x69add1d2 [chrome.dll] - ipc_sync_channel.cc:428 IPC::SyncChannel::SendWithTimeout(IPC::Message *,int)
0x69add09e [chrome.dll] - ipc_sync_channel.cc:394 IPC::SyncChannel::Send(IPC::Message *)
0x69cd8c28 [chrome.dll] - plugin_channel_base.cc:97 PluginChannelBase::Send(IPC::Message *)
0x69ad2318 [chrome.dll] - webplugin_delegate_proxy.cc:255 WebPluginDelegateProxy::Send(IPC::Message *)
0x69ad1e8c [chrome.dll] - webplugin_delegate_proxy.cc:175 WebPluginDelegateProxy::PluginDestroyed()
0x6997e339 [chrome.dll] - webplugin_impl.cc:1032 WebPluginImpl::SetContainer(WebPluginContainer *)
0x6997c398 [chrome.dll] - webplugin_impl.cc:106 WebPluginContainer::~WebPluginContainer()
0x6997c36f [chrome.dll] +0x0002c36f WebPluginContainer::`vector deleting destructor'(unsigned int)
0x69a89872 [chrome.dll] - renderpart.cpp:56 WebCore::RenderPart::~RenderPart()
0x69a1fe98 [chrome.dll] +0x000cfe98 WebCore::RenderPartObject::`scalar deleting destructor'(unsigned int)
0x699cee9d [chrome.dll] - renderobject.cpp:2568 WebCore::RenderObject::arenaDelete(WebCore::RenderArena *,void *)
0x69a0cef0 [chrome.dll] - renderwidget.cpp:211 WebCore::RenderWidget::deref(WebCore::RenderArena *)
0x69a0cbcf [chrome.dll] - renderwidget.cpp:102 WebCore::RenderWidget::destroy()
0x699ba0c5 [chrome.dll] - node.cpp:873 WebCore::Node::detach()
0x699eb502 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x699eb502 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x699eb502 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x699eb502 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x699eb502 [chrome.dll] - containernode.cpp:637 WebCore::ContainerNode::detach()
0x6999dea5 [chrome.dll] - document.cpp:1350 WebCore::Document::detach()
0x699a4353 [chrome.dll] - frame.cpp:223 WebCore::Frame::setView(WebCore::FrameView *)
0x6997ab2b [chrome.dll] - webframe_impl.cc:1404 WebFrameImpl::CreateFrameView()
0x6996e63f [chrome.dll] - webframeloaderclient_impl.cc:128 WebFrameLoaderClient::makeDocumentView()
0x699917b8 [chrome.dll] - frameloader.cpp:2697 WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>)
0x69991563 [chrome.dll] - frameloader.cpp:2592 WebCore::FrameLoader::commitProvisionalLoad(WTF::PassRefPtr<WebCore::CachedPage>)
0x69998fdc [chrome.dll] - documentloader.cpp:311 WebCore::DocumentLoader::commitIfReady()
0x69999027 [chrome.dll] - documentloader.cpp:351 WebCore::DocumentLoader::commitLoad(char const *,int)
0x699e72e7 [chrome.dll] - mainresourceloader.cpp:138 WebCore::MainResourceLoader::addData(char const *,int,bool)
0x699e8420 [chrome.dll] - resourceloader.cpp:236 WebCore::ResourceLoader::didReceiveData(char const *,int,__int64,bool)
0x699e7845 [chrome.dll] - mainresourceloader.cpp:299 WebCore::MainResourceLoader::didReceiveData(char const *,int,__int64,bool)
0x699e8654 [chrome.dll] - resourceloader.cpp:367 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle *,char const *,int,int)
0x6998a11f [chrome.dll] - resource_handle_win.cc:560 WebCore::ResourceHandleInternal::OnReceivedData(char const *,int)
0x69ada688 [chrome.dll] - resource_dispatcher.cc:362 ResourceDispatcher::OnReceivedData(int,void *,int)
0x69ada9fa [chrome.dll] - resource_dispatcher.cc:462 ResourceDispatcher::DispatchMessageW(IPC::Message const &)
0x69ada414 [chrome.dll] - resource_dispatcher.cc:276 ResourceDispatcher::OnMessageReceived(IPC::Message const &)
0x69ac080d [chrome.dll] - render_view.cc:308 RenderView::OnMessageReceived(IPC::Message const &)
0x69ae00c8 [chrome.dll] - message_router.cc:39 MessageRouter::RouteMessage(IPC::Message const &)
0x69ae009b [chrome.dll] - message_router.cc:30 MessageRouter::OnMessageReceived(IPC::Message const &)
0x69abd52c [chrome.dll] - render_thread.cc:181 RenderThread::OnMessageReceived(IPC::Message const &)
0x69b8a71c [chrome.dll] - task.h:312 RunnableMethod<history::HistoryBackend,void ( history::HistoryBackend::*)(std::vector<history::URLRow,std::allocator<history::URLRow> > const &),Tuple1<std::vector<history::URLRow,std::allocator<history::URLRow> > > >::Run()
0x6995be4c [chrome.dll] - message_loop.cc:303 MessageLoop::RunTask(Task *)
0x6995be88 [chrome.dll] - message_loop.cc:311 MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x6995c07d [chrome.dll] - message_loop.cc:403 MessageLoop::DoWork()
0x699697ed [chrome.dll] - message_pump_default.cc:50 base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x6995bb8c [chrome.dll] - message_loop.cc:192 MessageLoop::RunInternal()
0x6995bafb [chrome.dll] - message_loop.cc:175 MessageLoop::RunHandler()
0x6995ba9e [chrome.dll] - message_loop.cc:149 MessageLoop::Run()
0x69de7cec [chrome.dll] - thread.cc:156 base::Thread::ThreadMain()
0x6995d6be [chrome.dll] - platform_thread_win.cc:28 `anonymous namespace'::ThreadFunc(void *)
0x69efea1f [chrome.dll] - threadex.c:348 _callthreadstartex
0x69efeac4 [chrome.dll] - threadex.c:326 _threadstartex
0x76d74910 [kernel32.dll] +0x00044910 BaseThreadInitThunk
0x7781e4b5 [ntdll.dll] +0x0003e4b5 __RtlUserThreadStart
0x7781e488 [ntdll.dll] +0x0003e488 _RtlUserThreadStart
Labels: Crash-0.4.154.23
Comment 3 by mal.chromium, Nov 22, 2008
OK, this one is fairly common in 154.23 (top crasher with 5 clients/5 reports). The 
first Chrome frame on the stack is GlueAccessibility::GetAccessibilityInfo.

This is a renderer crash, so not as worrisome as a browser crash. Of course only 
really, really hardcore fans of Sad Tab like even renderer crashes.

Too bad it's just bubbled up to the top of the list today, or we could have been 
looking into this instead of issue 4559.
Status: Assigned
Owner: kl...@chromium.org
Cc: jcam...@chromium.org
Labels: Mstone-1.0
Comment 4 by darin@chromium.org, Nov 23, 2008
It looks like there is a nested message loop on the stack (note: SyncChannel::Send is 
dispatching a task).  I suspect that may result in some WebKit code being re-entered 
that didn't expect to be re-entered.  This may not be the fault of the a11y code as 
other tasks may also lead to badness in this nested scenario.

However, we might decide that we need to just bulletproof the a11y code to handle 
this situation.  Probably it is crashing because it is messing with the old FrameView 
that is being torn down inside the WebCore::Frame::setView call.
Cc: j...@chromium.org ana...@chromium.org
Comment 5 by ananta@chromium.org, Nov 24, 2008
(No comment was entered for this change.)
Status: Started
Owner: ana...@chromium.org
Comment 6 by laforge@chromium.org, Nov 24, 2008
Tied for top crasher in 0.4.154.23
Comment 7 by ananta@chromium.org, Nov 24, 2008
New Revision: 5927

Log:
Don't reenter Webkit, while it waits for outgoing sync calls to complete. This
fixes bug http://code.google.com/p/chromium/issues/detail?id=4582, which is a crash 
in the renderer process, which occurs when the renderer receives a sync message 
requesting accessibility information from the browser, while it waits
for the PluginDestroyed sync call to unwind.

The ViewMsg_GetAccessibilityInfo has a timeout associated with it, which indicates 
that it is ok for the call to fail. We now turn off the unblock flag on the sync 
message which will ensure that it does not reenter Webkit in this scenario.

R=jcampan
Bug=4582

Review URL: http://codereview.chromium.org/12402

Modified:
  trunk/src/chrome/browser/browser_accessibility_manager.cc
Status: Fixed
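The re-entrancy darin describes in comment 4 and the "unblock" flag the r5927 log in comment 7 turns off can be modelled in a few dozen lines. The example below is added here; it is not Chromium code, and SyncChannel, Renderer, Message and Scenario are simplified stand-ins for the real classes in ipc_sync_channel.cc and render_view.cc. An accessibility request is already queued when the renderer replaces its view; the view teardown issues a synchronous PluginDestroyed send, and what happens to the queued request while that send is blocked depends on its unblock flag.

```cpp
#include <cstdio>
#include <deque>
#include <functional>
#include <string>
#include <vector>

// Constructed model, not Chromium code. A sync message carries an "unblock"
// flag saying whether it may be dispatched while the receiver is itself
// blocked in a synchronous Send() waiting for a reply.
struct Message {
  std::string name;
  bool unblock;
};

// Stand-in for IPC::SyncChannel together with its ReceivedSyncMsgQueue.
struct SyncChannel {
  std::deque<Message> queue;                     // sync messages received while blocked
  std::function<void(const Message&)> dispatch;  // RenderView::OnMessageReceived analogue
  std::vector<std::string> trace;                // ordered record of what happened

  // Blocking send. The wait runs a nested loop that dispatches queued messages
  // marked unblock; the rest stay queued until this call has unwound.
  void Send(const std::string& name) {
    trace.push_back("send " + name);
    std::deque<Message> deferred;
    while (!queue.empty()) {
      Message m = queue.front();
      queue.pop_front();
      if (m.unblock) {
        dispatch(m);  // re-enters the renderer underneath Send()
      } else {
        deferred.push_back(m);
      }
    }
    queue.swap(deferred);
    trace.push_back("reply " + name);
  }

  // Runs once the outgoing call has returned and the loop is back at top level.
  void DispatchPending() {
    while (!queue.empty()) {
      Message m = queue.front();
      queue.pop_front();
      dispatch(m);
    }
  }
};

// Stand-in for the renderer: Frame::setView tears down the old FrameView, which
// destroys a plugin container, which sends a synchronous PluginDestroyed.
struct Renderer {
  SyncChannel channel;
  bool old_view_being_torn_down = false;
  bool crashed = false;

  Renderer() {
    channel.dispatch = [this](const Message& m) { OnMessageReceived(m); };
  }

  void OnMessageReceived(const Message& m) {
    channel.trace.push_back("dispatch " + m.name);
    if (m.name == "GetAccessibilityInfo") OnGetAccessibilityInfo();
  }

  // accLocation -> ScrollView::contentsToWindow on the frame's view. While the
  // old view is half torn down there is no usable ScrollView; that is the
  // crash site in the reported stack.
  void OnGetAccessibilityInfo() {
    if (old_view_being_torn_down) crashed = true;
  }

  void SetView() {
    old_view_being_torn_down = true;
    channel.Send("PluginDestroyed");  // the nested message loop lives in here
    old_view_being_torn_down = false;
    channel.trace.push_back("new view installed");
  }
};

// Returns true if the model hit the crash condition; trace_out receives the
// order in which things happened.
bool Scenario(bool accessibility_unblocks, std::vector<std::string>* trace_out = nullptr) {
  Renderer r;
  r.channel.queue.push_back(Message{"GetAccessibilityInfo", accessibility_unblocks});
  r.SetView();
  r.channel.DispatchPending();
  if (trace_out) *trace_out = r.channel.trace;
  return r.crashed;
}

int main() {
  const bool modes[] = {true, false};
  for (bool unblock : modes) {
    std::vector<std::string> trace;
    bool crashed = Scenario(unblock, &trace);
    std::printf("unblock=%d crashed=%d\n", (int)unblock, (int)crashed);
    for (const std::string& step : trace) std::printf("  %s\n", step.c_str());
  }
  return 0;
}
```

With the flag set, the accessibility request is dispatched between "send PluginDestroyed" and "reply PluginDestroyed", i.e. inside Frame::setView, and the model records the crash; with the flag cleared it is dispatched only after "new view installed". The flag plays the role of the unblock bit that r5927 cleared on ViewMsg_GetAccessibilityInfo in browser_accessibility_manager.cc, relying on that message's timeout to make a late or failed reply acceptable to the browser side.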
Comment 8 by laforge@chromium.org, Nov 25, 2008
The full crash report details can be found at: http://go/crash/reportdetail?reportid=ae878195ff324cbf&product=Chrome&version=0.4.154.25&signature=WebCore%3A%3AScrollView%3A%3AcontentsToWindow(WebCore%3A%3AIntPoint+const+%26)-E88CCD
Labels: Crash-0.4.154.25
Comment 9 by laforge@chromium.org, Nov 26, 2008
Merged to release r6055
Comment 10 by jam@chromium.org, Nov 26, 2008
actually please don't merge this yet, we're still looking into it.
Status: Assigned
Comment 11 by ananta@chromium.org, Nov 26, 2008
(No comment was entered for this change.)
Status: Started
Comment 12 by ananta@chromium.org, Nov 26, 2008
Assigning to John as he has a fix for this issue.
Status: Assigned
Owner: j...@chromium.org
Comment 13 by jam@chromium.org, Nov 26, 2008
committed r6098
Status: Fixed
Comment 14 by laforge@chromium.org, Dec 11, 2008
Merged into release branch r6855
Comment 15 by laforge@chromium.org, Dec 11, 2008
Typo, r6856