The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=50785 

------------------------------------------------------------------------
r50785 | ace@chromium.org | 2010-06-24 16:32:46 -0700 (Thu, 24 Jun 2010) | 7 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/test/data/reliability/known_crashes.txt?r1=50785&r2=50784

Adding stack trace to known crashes list.

Also updating another trace sig to SUBSTRING so that it matches a second relevant trace.

BUG=47439

Review URL: http://codereview.chromium.org/2870024
------------------------------------------------------------------------

(No comment was entered for this change.)

I got this on Mac 6.0.450.1 today. I was on gmail and pressed a key.

Thread 0 (crashed)
 0 Google Chrome Framew0.450.0.1            0x04131601 WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity, WebCore::TextDirection, WebCore::InlineBox*&, int&) const + 0x0 (Position.cpp:1014)
 1 Google Chrome Framew0.450.0.1            0x041320b6 WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity, WebCore::TextDirection, WebCore::InlineBox*&, int&) const + 0x20 (Position.cpp:949)
 2 Google Chrome Framew0.450.0.1            0x043ad0b9 WebCore::Frame::firstRectForRange(WebCore::Range*) const + 0x1d (Frame.cpp:311)
 3 Google Chrome Framew0.450.0.1            0x03fc28f1 WebKit::WebViewImpl::caretOrSelectionBounds() + 0x12 (WebViewImpl.cpp:1370)
 4 Google Chrome Framew0.450.0.1            0x034290f9 RenderWidget::UpdateInputMethod() + 0x14 (render_widget.cc:877)
 5 Google Chrome Framew0.450.0.1            0x0342b1f4 RenderWidget::DoDeferredUpdate() + 0x7 (render_widget.cc:525)
 6 Google Chrome Framew0.450.0.1            0x0342b441 RenderWidget::DoDeferredUpdate() + 0x7 (render_widget.cc:426)
 7 Google Chrome Framew0.450.0.1            0x034a9d1b MessageLoop::RunTask(Task*) + 0xa (message_loop.cc:340)
 8 Google Chrome Framew0.450.0.1            0x034a9ecd MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) + 0xd (message_loop.cc:349)
 9 Google Chrome Framew0.450.0.1            0x034ab2da MessageLoop::DoWork() + 0xb (message_loop.cc:460)
10 Google Chrome Framew0.450.0.1            0x034d7383 base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 0xa (message_pump_mac.mm:291)
11 CoreFoundation      0.476.19.0           0x92ac43c4 CFRunLoopRunSpecific + 0xc44
12 CoreFoundation      0.476.19.0           0x92ac4aa7 CFRunLoopRunInMode + 0x57
13 HIToolbox           0.353.0.0            0x9049f2ab RunCurrentEventLoopInMode + 0x11a
14 HIToolbox           0.353.0.0            0x9049f0c4 ReceiveNextEventCommon + 0x175
15 HIToolbox           0.353.0.0            0x9049ef38 BlockUntilNextEventMatchingListInMode + 0x69
16 AppKit              0.949.54.0           0x919be6d4 _DPSNextEvent + 0x290
17 AppKit              0.949.54.0           0x919bdf87 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0x7f
18 AppKit              0.949.54.0           0x919b6f9e -[NSApplication run] + 0x31a
19 Google Chrome Framew0.450.0.1            0x034d6e2c base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 0x19 (message_pump_mac.mm:677)
20 Google Chrome Framew0.450.0.1            0x034d65b5 base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 0xb (message_pump_mac.mm:213)
21 Google Chrome Framew0.450.0.1            0x034aabe3 MessageLoop::Run() + 0xb (message_loop.cc:214)
22 Google Chrome Framew0.450.0.1            0x0343623d RendererMain(MainFunctionParams const&) + 0xc (renderer_main.cc:292)
23 Google Chrome Framew0.450.0.1            0x02d44cb6 ChromeMain + 0xd (chrome_dll_main.cc:764)
24 Google Chrome Helper                     0x00001ff7 main + 0x11 (chrome_exe_main.mm:16)
25 Google Chrome Helper                     0x00001fb5 
26 

(No comment was entered for this change.)

Tony, can you take a look?

Cleaning up mstone:6 bugs, default assumption is that bugs w/ no os are os-all

This crash reproducibly happens to me on Win32 in both dev channel and a debug build when triple-clicking any grey comment in a code review (double is usually enough), for example the comment at:
http://codereview.chromium.org/2909001/diff/1/2

Reproduces on linux revision 51273 as well.

Doesn't happen in either windows webkit nightly WebKit-r61877 or WebKit-r62608.

At Position.cpp:1014 where it calls isText():
this	0x0078c064 {m_anchorNode={...} m_offset=0 m_anchorType=0 ...}
affinity	UPSTREAM
primaryDirection	LTR
inlineBox	0xcccccccc
caretOffset	0
renderer	0x00000000 {m_style={...} m_node=??? m_parent=??? ...}
level	204

 	chrome.dll!WebCore::RenderObject::isText()  Line 374 + 0x11 bytes	C++
>	chrome.dll!WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity affinity=UPSTREAM, WebCore::TextDirection primaryDirection=LTR, WebCore::InlineBox * & inlineBox=0xcccccccc, int & caretOffset=0)  Line 1014 + 0x8 bytes	C++
 	chrome.dll!WebCore::Position::getInlineBoxAndOffset(WebCore::EAffinity affinity=UPSTREAM, WebCore::InlineBox * & inlineBox=0xcccccccc, int & caretOffset=0)  Line 950	C++
 	chrome.dll!WebCore::Frame::firstRectForRange(WebCore::Range * range=0x027d7540)  Line 321 + 0x20 bytes	C++
 	chrome.dll!WebKit::WebViewImpl::caretOrSelectionBounds()  Line 1237 + 0x15 bytes	C++
 	chrome.dll!RenderWidget::UpdateInputMethod()  Line 876 + 0x19 bytes	C++
 	chrome.dll!RenderWidget::DoDeferredUpdate()  Line 527	C++
 	chrome.dll!RenderWidget::CallDoDeferredUpdate()  Line 427	C++
 	chrome.dll!RenderWidget::OnUpdateRectAck()  Line 283	C++
 	chrome.dll!IPC::Message::Dispatch<RenderWidget>(const IPC::Message * msg=0x0258c0a8, RenderWidget * obj=0x01a19800, void (void)* func=0x544fbf00)  Line 134 + 0x1b bytes	C++
 	chrome.dll!RenderWidget::OnMessageReceived(const IPC::Message & msg={...})  Line 143 + 0x38 bytes	C++
 	chrome.dll!RenderView::OnMessageReceived(const IPC::Message & message={...})  Line 735 + 0xc bytes	C++
 	chrome.dll!MessageRouter::RouteMessage(const IPC::Message & msg={...})  Line 40 + 0x13 bytes	C++
 	chrome.dll!MessageRouter::OnMessageReceived(const IPC::Message & msg={...})  Line 31 + 0x13 bytes	C++
 	chrome.dll!ChildThread::OnMessageReceived(const IPC::Message & msg={...})  Line 146 + 0x17 bytes	C++
 	chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message={...})  Line 204 + 0x19 bytes	C++

Merging into the more popular bug.

seen by chromebot at these (and other) urls:

http://search1.taobao.com/browse/50012027/n-7---------------------------------------------g,wtx5zpoe3u----------------40--coefp-0-1,2-50012027.htm
http://search1.taobao.com/browse/50019321/n-1--------------------1--0-----------------------g,23d4jxa----------------40-grid-commend-0-all-50019321.htm

First seen in revision 50625 (cls 50617-50625), not seen in webkit canary build.

Trace:

chrome_2580000!WebCore::Position::getInlineBoxAndOffset+0x1a [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\position.cpp @ 1014] 
chrome_2580000!WebCore::Position::getInlineBoxAndOffset+0x21 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\position.cpp @ 949] 
chrome_2580000!WebCore::Frame::firstRectForRange+0x3c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\page\frame.cpp @ 311] 
chrome_2580000!WebKit::WebViewImpl::caretOrSelectionBounds+0xac [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webkit\chromium\src\webviewimpl.cpp @ 1362] 
chrome_2580000!RenderWidget::UpdateInputMethod+0x55 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_widget.cc @ 877] 
chrome_2580000!RenderWidget::DoDeferredUpdate+0x518 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_widget.cc @ 528] 
chrome_2580000!RenderWidget::OnUpdateRectAck+0x8c [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_widget.cc @ 282] 
chrome_2580000!IPC::Message::Dispatch<RenderView>+0x1a [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_message.h @ 135] 
chrome_2580000!RenderWidget::OnMessageReceived+0x5b [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_widget.cc @ 138] 
chrome_2580000!RenderView::OnMessageReceived+0x997 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_view.cc @ 733] 
chrome_2580000!MessageRouter::RouteMessage+0x30 [c:\b\slave\chromium-rel-xp\build\src\chrome\common\message_router.cc @ 40] 
chrome_2580000!MessageRouter::OnMessageReceived+0x2c [c:\b\slave\chromium-rel-xp\build\src\chrome\common\message_router.cc @ 31] 
chrome_2580000!ChildThread::OnMessageReceived+0x8c [c:\b\slave\chromium-rel-xp\build\src\chrome\common\child_thread.cc @ 146] 
chrome_2580000!RunnableMethod<ProfileWriter,void (__thiscall ProfileWriter::*)(std::vector<history::ImportedFavIconUsage,std::allocator<history::ImportedFavIconUsage> > const &),Tuple1<std::vector<history::ImportedFavIconUsage,std::allocator<history::ImportedFavIconUsage> > > >::Run+0x17 [c:\b\slave\chromium-rel-xp\build\src\base\task.h @ 323] 
chrome_2580000!MessageLoop::RunTask+0xff [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 341] 
chrome_2580000!MessageLoop::DoWork+0x176 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 460] 
chrome_2580000!base::MessagePumpDefault::Run+0x117 [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_default.cc @ 50] 
chrome_2580000!MessageLoop::RunInternal+0x92 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 214] 
chrome_2580000!MessageLoop::Run+0x5b [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 165] 
chrome_2580000!RendererMain+0x33f [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\renderer_main.cc @ 294] 
chrome_2580000!ChromeMain+0xab2 [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_dll_main.cc @ 760] 
chrome!MainDllLoader::Launch+0x199 [c:\b\slave\chromium-rel-xp\build\src\chrome\app\client_util.cc @ 257] 
chrome!wWinMain+0x97 [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_exe_main.cc @ 47] 
chrome!__tmainCRTStartup+0x112 [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 263]

This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

(No comment was entered for this change.)

(No comment was entered for this change.)

(No comment was entered for this change.)