Issue 8412: regression : copying most visited page screenshot and selecting Paste and Go and then Back causes crash
Reported by jasneet@chromium.org, Mar 04, 2009
What steps will reproduce the problem?
1. Launch Chrome
2. Visit some webpages to create history
3. Open new tab page
4. Right click on any webpage screenshot under Most Visited
5. Select Copy image
6. Open a new tab
7. Right click on omnibox and select paste and go

What is the expected output? 
The webpage should open

What do you see instead?
Crash. 

(we have recently added chrome-ui://thumb/ before the url so on copy pasting the screenshot under most visited, instead of http://www.google.com/ it is now chrome-ui://thumb/http://www.google.com/)

Call Stack:
(46a0.636c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0199d3a8 ebx=00000000 ecx=00000000 edx=011e0700 esi=0290d5f4 edi=028d9018
eip=011e0765 esp=0012d950 ebp=0012d9e4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
chrome_1000000!DOMUIContents::RenderViewCreated+0x65:
011e0765 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000=????????
0:000> g
(46a0.636c): Access violation - code c0000005 (!!! second chance !!!)
eax=0199d3a8 ebx=00000000 ecx=00000000 edx=011e0700 esi=0290d5f4 edi=028d9018
eip=011e0765 esp=0012d950 ebp=0012d9e4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
chrome_1000000!DOMUIContents::RenderViewCreated+0x65:
011e0765 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000=????????
0:000> k
ChildEBP RetAddr
0012d9e4 011235c9 chrome_1000000!DOMUIContents::RenderViewCreated+0x65 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\dom_ui\dom_ui_contents.cc @ 178]
0012dc38 010fd734 chrome_1000000!RenderViewHost::CreateRenderView+0x2d9 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\renderer_host\render_view_host.cc @ 186]
0012dc64 01208379 chrome_1000000!WebContents::CreateRenderViewForRenderManager+0x24 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\tab_contents\web_contents.cc @ 1475]
0012dc78 0119af56 chrome_1000000!DOMUIHost::CreateRenderViewForRenderManager+0x19 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\dom_ui\dom_ui_host.cc @ 40]
0012dd18 0119b0ad chrome_1000000!RenderViewHostManager::CreatePendingRenderView+0x96 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\tab_contents\render_view_host_manager.cc @ 391]
0012ddc0 0119b2d3 chrome_1000000!RenderViewHostManager::UpdateRendererStateNavigate+0x11d [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\tab_contents\render_view_host_manager.cc @ 489]
0012dde0 010fd96d chrome_1000000!RenderViewHostManager::Navigate+0x13 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\tab_contents\render_view_host_manager.cc @ 68]
0012de00 011e06f8 chrome_1000000!WebContents::NavigateToPendingEntry+0x1d [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\tab_contents\web_contents.cc @ 379]
0012de14 010ecbdf chrome_1000000!DOMUIContents::NavigateToPendingEntry+0x18 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\dom_ui\dom_ui_contents.cc @ 231]
0012e15c 010ecd90 chrome_1000000!NavigationController::NavigateToPendingEntry+0x12f [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\tab_contents\navigation_controller.cc @ 1028]
0012e174 010ed115 chrome_1000000!NavigationController::LoadEntry+0x70 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\tab_contents\navigation_controller.cc @ 260]
0012e184 010d50de chrome_1000000!NavigationController::LoadURL+0x25 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\tab_contents\navigation_controller.cc @ 508]
0012e254 010d007c chrome_1000000!Browser::OpenURLFromTab+0x29e [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\browser.cc @ 1593]
0012e270 010d0e3e chrome_1000000!TabContentsDelegate::OpenURL+0x1c [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\tab_contents\tab_contents_delegate.h @ 32]
0012e38c 010d469a chrome_1000000!Browser::OpenCurrentURL+0x7e [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\browser.cc @ 610]
0012e42c 01174b3e chrome_1000000!Browser::ExecuteCommand+0xfa [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\browser.cc @ 1096]
0012e440 0149ee2e chrome_1000000!CommandUpdater::ExecuteCommand+0x1e [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\command_updater.cc @ 33]
0012e470 018b6c99 chrome_1000000!LocationBarView::OnAutocompleteAccept+0x6e [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\views\location_bar_view.cc @ 291]
0012e494 01183198 chrome_1000000!AutocompleteEditViewWin::OpenURL+0x69 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\autocomplete\autocomplete_edit_view_win.cc @ 625]
0012e4d4 018b8515 chrome_1000000!AutocompleteEditModel::PasteAndGo+0x48 [c:\b\slave\chromium-rel-xp\build\src\chrome\browser\autocomplete\autocomplete_edit.cc @ 220]

Dump:
http://go/crashdumps/jasneet/minidump.dmp


Comment 1 by jasneet@chromium.org, Mar 06, 2009
Issue still reproducible with 2.0.169.0 (Developer Build 11113)
Cc: m...@chromium.org lafo...@chromium.org
Comment 2 by venkataramana@chromium.org, Mar 12, 2009
No repro steps in 2.0.170.0 (Developer Build 11530).
Looks like this issue is fixed?

-Venkat.

Comment 3 by venkataramana@chromium.org, Mar 12, 2009
Issue 8721 has been merged into this issue.
Comment 4 by jon@chromium.org, Mar 13, 2009
(No comment was entered for this change.)
Labels: mstone-2.0
Comment 5 by jasneet@chromium.org, Mar 13, 2009
Issue reproducible on 2.0.169.1 (Official Build 11427)
Comment 6 by finnur@chromium.org, Mar 13, 2009
(No comment was entered for this change.)
Status: Assigned
Owner: fin...@chromium.org
Comment 7 by finnur@chromium.org, Mar 16, 2009
The bug as stated above is a duplicate of issue 8546. However, while verifying this, I found another similar crash, so I will morph this bug to cover that crash.
The crash occurs because we don't recreate the current_ui_ when pressing Back (after navigating to the thumbnail image) and we then proceed to act on a NULL pointer inside ProcessDOMUIMessage. I have a fix in the works.

chrome.dll!DOMUIContents::ProcessDOMUIMessage(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & message="getMostVisited", const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & content="")
chrome.dll!RenderViewHost::OnMsgDOMUISend(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & message="getMostVisited", const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & content="")
chrome.dll!DispatchToMethod<RenderViewHost,void (__thiscall RenderViewHost::*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &),std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >(RenderViewHost * obj=0x05067990, void (const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &)* method=0x016e1b40, const Tuple2<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > & arg={...})
chrome.dll!IPC::MessageWithTuple<Tuple2<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::Dispatch<RenderViewHost,void (__thiscall RenderViewHost::*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>(const IPC::Message * msg=0x063ebb48, RenderViewHost * obj=0x05067990, void (const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &)* func=0x016e1b40)
chrome.dll!RenderViewHost::OnMessageReceived(const IPC::Message & msg={...})
chrome.dll!BrowserRenderProcessHost::OnMessageReceived(const IPC::Message & msg={...})
chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message={...})
chrome.dll!DispatchToMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),IPC::Message>(IPC::ChannelProxy::Context * obj=0x064c7c10, void (const IPC::Message &)* method=0x011aa0d0, const Tuple1<IPC::Message> & arg={...})
chrome.dll!RunnableMethod<IPC::ChannelProxy::Context,void (__thiscall IPC::ChannelProxy::Context::*)(IPC::Message const &),Tuple1<IPC::Message> >::Run()
chrome.dll!MessageLoop::RunTask(Task * task=0x063ebb20)
chrome.dll!MessageLoop::DeferOrRunPendingTask(const MessageLoop::PendingTask & pending_task={...})
chrome.dll!MessageLoop::DoWork()
chrome.dll!base::MessagePumpForUI::DoRunLoop()
chrome.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate=0x0012f74c, base::MessagePumpWin::Dispatcher * dispatcher=0x0630d8f0)
chrome.dll!MessageLoop::RunInternal()
chrome.dll!MessageLoop::RunHandler()
chrome.dll!MessageLoopForUI::Run(base::MessagePumpWin::Dispatcher * dispatcher=0x0630d8f0)
chrome.dll!`anonymous namespace'::RunUIMessageLoop(BrowserProcess * browser_process=0x003ea900)
chrome.dll!BrowserMain(const MainFunctionParams & parameters={...})
chrome.dll!ChromeMain(HINSTANCE__ * instance=0x00400000, sandbox::SandboxInterfaceInfo * sandbox_info=0x0012fe88, wchar_t * command_line=0x00020a60)
chrome.exe!wWinMain(HINSTANCE__ * instance=0x00400000, HINSTANCE__ * prev_instance=0x00000000, wchar_t * command_line=0x00020a60, int __formal=1)
chrome.exe!__tmainCRTStartup()
chrome.exe!wWinMainCRTStartup()
kernel32.dll!7c817067()


Summary: regression : copying most visited page screenshot and selecting Paste and Go and then Back causes crash
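Added illustration of the failure mode finnur describes in comment 7 (this is editor-written model code, not Chromium's): a browser-side host owns one DOM UI handler for the current page and dispatches the renderer's DOMUISend messages to it. Navigating to the thumbnail image clears the handler, Back restores the history entry without re-attaching it, and the next "getMostVisited" from the renderer goes through a null pointer. The model shows both halves of the repair: re-attaching the handler on Back, and refusing to dispatch when none is attached, since renderer IPC is untrusted input that can arrive in any browser-side state. The new-tab URL constant is a placeholder, not the real 2009 Chromium URL; the thumbnail URL is the one from the report.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Hypothetical URLs for the model. kNewTabURL is a placeholder (assumption);
// kThumbURL is the URL quoted in the report.
static const char* const kNewTabURL = "chrome-ui://newtab/";
static const char* const kThumbURL  = "chrome-ui://thumb/http://www.google.com/";

// Stand-in for the per-page DOM UI object (current_ui_ in the report).
struct DOMUIHandler {
    std::string page;
    std::vector<std::string> handled;
    explicit DOMUIHandler(const std::string& url) : page(url) {}
    void Handle(const std::string& message) { handled.push_back(message); }
};

enum class Dispatch { kHandled, kDroppedNoUI };

class DOMUIHost {
 public:
    // recreate_on_back=false reproduces the bug; true models the fix.
    explicit DOMUIHost(bool recreate_on_back) : recreate_on_back_(recreate_on_back) {}

    void Navigate(const std::string& url) {
        history_.push_back(url);
        AttachUIFor(url);
    }

    // Buggy Back: pops the history entry but leaves current_ui_ as the image
    // navigation left it (null). Fixed Back: re-attaches the handler for the
    // restored entry.
    void Back() {
        if (history_.size() < 2) return;
        history_.pop_back();
        if (recreate_on_back_) AttachUIFor(history_.back());
    }

    // The original code dereferenced current_ui_ unconditionally here. A message
    // arriving while no DOM UI is attached is dropped rather than dispatched
    // through a null pointer, whatever the renderer does.
    Dispatch ProcessDOMUIMessage(const std::string& message) {
        if (!current_ui_) return Dispatch::kDroppedNoUI;
        current_ui_->Handle(message);
        return Dispatch::kHandled;
    }

    bool has_ui() const { return current_ui_ != nullptr; }

 private:
    // Only DOM UI pages get a handler; a served image such as
    // chrome-ui://thumb/... is ordinary content and clears it.
    static bool IsDOMUIPage(const std::string& url) { return url == kNewTabURL; }

    void AttachUIFor(const std::string& url) {
        if (IsDOMUIPage(url)) current_ui_ = std::make_unique<DOMUIHandler>(url);
        else current_ui_.reset();
    }

    bool recreate_on_back_;
    std::vector<std::string> history_;
    std::unique_ptr<DOMUIHandler> current_ui_;
};

struct ReproResult {
    bool ui_present_after_back;
    Dispatch outcome;
};

// Repro from comment 7: new tab page -> thumbnail image -> Back -> the renderer
// sends "getMostVisited".
ReproResult RunRepro(bool recreate_on_back) {
    DOMUIHost host(recreate_on_back);
    host.Navigate(kNewTabURL);
    host.Navigate(kThumbURL);
    host.Back();
    ReproResult r;
    r.ui_present_after_back = host.has_ui();
    r.outcome = host.ProcessDOMUIMessage("getMostVisited");
    return r;
}

int main() {
    ReproResult buggy = RunRepro(false);
    std::printf("buggy Back: ui attached=%d, message %s\n", buggy.ui_present_after_back,
                buggy.outcome == Dispatch::kHandled ? "handled" : "dropped (null deref in the original)");
    ReproResult fixed = RunRepro(true);
    std::printf("fixed Back: ui attached=%d, message %s\n", fixed.ui_present_after_back,
                fixed.outcome == Dispatch::kHandled ? "handled" : "dropped");
    return 0;
}
```

The null check on its own only turns a crash into a silently dead new tab page; re-attaching the handler on Back is what restores the feature. Both belong in a real fix: the first because the renderer's timing is outside the browser's control, the second because the state machine was simply wrong.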
Comment 8 by finnur@chromium.org, Mar 18, 2009
My patch for this crash was made obsolete by Brett's patch and now that I've tested this again with his changes in my local tree, it no longer crashes.
Status: WontFix