Issue 8942: Chrome: Crash Report - Stack Signature: URLRequest::~URLRequest()
Regression of issue 4749 ?

The full crash report details can be found at: http://crash/reportview?product=Chrome&version=2.0.169.1&signature=URLRequest%3A%3A~URLRequest()-6A119D

Meta information:
Report Time (UTC): 2009/03/12 23:38:24, Thu
Uptime: 11692 sec
Product Name: Chrome
Product Version: 2.0.169.1
OS Name: Windows NT
OS Version: 6.0.6001 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 15 stepping 13
plat: Win32
ptype: browser

Stack Trace:
0x61ee7e29 [chrome.dll - url_request.cc:68] URLRequest::~URLRequest()
0x61e3ae4f [chrome.dll - resource_dispatcher_host.cc:708] ResourceDispatcherHost::RemovePendingRequest(std::_Tree<std::_Tmap_traits<ResourceDispatcherHost::GlobalRequestID,URLRequest *,std::less<ResourceDispatcherHost::GlobalRequestID>,std::allocator<std::pair<ResourceDispatcherHost::GlobalRequestID const ,URLRequest *> >,0> >::iterator const &)
0x61e3ac5b [chrome.dll - resource_dispatcher_host.cc:654] ResourceDispatcherHost::CancelRequestsForRenderView(int,int)
0x61e9440e [chrome.dll - render_widget_helper.cc:188] RenderWidgetHelper::OnCancelResourceRequests(ResourceDispatcherHost *,int)
0x61e9f4bc [chrome.dll - task.h:308] RunnableMethod<SaveFileManager,void ( SaveFileManager::*)(int,int),Tuple2<int,int> >::Run()
0x620b5d09 [chrome.dll - message_loop.cc:308] MessageLoop::RunTask(Task *)
0x620b5d40 [chrome.dll - message_loop.cc:316] MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x620b5ece [chrome.dll - message_loop.cc:408] MessageLoop::DoWork()
0x620cfea9 [chrome.dll - message_pump_win.cc:468] base::MessagePumpForIO::DoRunLoop()
0x620cf9cd [chrome.dll - message_pump_win.cc:52] base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
0x620cf880 [chrome.dll - message_pump_win.h:78] base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x620b5bd5 [chrome.dll - message_loop.cc:197] MessageLoop::RunInternal()
0x620b5ba4 [chrome.dll - message_loop.cc:180] MessageLoop::RunHandler()
0x620b5b47 [chrome.dll - message_loop.cc:154] MessageLoop::Run()
0x620bbfb3 [chrome.dll - thread.cc:156] base::Thread::ThreadMain()
0x620bb7bd [chrome.dll - platform_thread_win.cc:26] `anonymous namespace'::ThreadFunc(void *)
0x76f94910 [kernel32.dll + 0x00044910] BaseThreadInitThunk
0x7714e4b5 [ntdll.dll + 0x0003e4b5] __RtlUserThreadStart
0x7714e488 [ntdll.dll + 0x0003e488] _RtlUserThreadStart
Mar 19, 2009
This crash was found in 2.0.170.0 and is currently ranked #50 (based on the relative number of reports in the release). There have been 3 reports from 3 clients. http://crash/search?query=Chrome+2.0.170.0+URLRequest%3A%3A%7EURLRequest%28%29
Labels: -Pri-1 Pri-2 Crash-2.0.170.0
Mar 26, 2009
This crash was found in 2.0.171.0 and is currently ranked #16 (based on the relative number of reports in the release). There have been 7 reports from 7 clients. http://crash/search?query=Chrome+2.0.171.0+URLRequest%3A%3A%7EURLRequest%28%29
Labels: -Pri-2 Pri-1 Crash-2.0.171.0
Mar 26, 2009
(No comment was entered for this change.)
Status: Available
Owner: ---
Labels: -Area-Misc Area-BrowserBackend Mstone-2.0
Mar 27, 2009
(No comment was entered for this change.)
Owner: hu...@chromium.org
Mar 27, 2009
(No comment was entered for this change.)
Labels: -Pri-1 Pri-2
Mar 27, 2009
Relevant code snippet:

URLRequest::~URLRequest() {
  URLREQUEST_COUNT_DTOR();
  Cancel();
  if (job_)
    OrphanJob();
  delete user_data_;  // NULL check unnecessary for delete
}

void URLRequest::OrphanJob() {
  job_->DetachRequest();  // ensures that the job will not call us again
  job_ = NULL;
}

void URLRequestJob::DetachRequest() {
  request_ = NULL;
}
Both OrphanJob() and DetachRequest() are inlined. Here is what happens in the crash dump:
chrome_683b0000!URLRequest::~URLRequest:
68567e17 56              push esi
68567e18 57              push edi
68567e19 8bf0            mov esi,eax
68567e1b 56              push esi
68567e1c e8e5020000      call chrome_683b0000!URLRequest::Cancel (68568106)
// eax, [esi] -> job_
68567e21 8b06            mov eax,dword ptr [esi]
// edi -> 0
68567e23 33ff            xor edi,edi
68567e25 3bc7            cmp eax,edi
// if (job_)
68567e27 7413            je chrome_683b0000!URLRequest::~URLRequest+0x25 (68567e3c)
// job_->request_ = NULL;
// Crash here.
68567e29 89780c          mov dword ptr [eax+0Ch],edi
68567e2c 8b06            mov eax,dword ptr [esi]
68567e2e 3bc7            cmp eax,edi
68567e30 7408            je chrome_683b0000!URLRequest::~URLRequest+0x23 (68567e3a)
68567e32 83c008          add eax,8
68567e35 e813dae6ff      call chrome_683b0000!base::RefCountedThreadSafe<media::StreamSample>::Release (683d584d)
// job_ = NULL;
68567e3a 893e            mov dword ptr [esi],edi
68567e3c 8b8edc010000    mov ecx,dword ptr [esi+1DCh]
68567e42 53              push ebx
68567e43 33db            xor ebx,ebx
68567e45 43              inc ebx
68567e46 3bcf            cmp ecx,edi
So we are trying to deref an invalid pointer job_ in URLRequest::~URLRequest. There are two possible causes:
(1) Some code path mistakenly deletes url_request_job without going through url_request.
(2) Some memory corruption.
It is more likely the second case for the crash I looked at, since eax=00000043 (job_):

0:003> r
Last set context:
eax=00000043 ebx=01da96e8 ecx=06159d40 edx=77759a94 esi=068f98f0 edi=00000000
eip=68567e29 esp=0339f81c ebp=0339f844 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
Mar 27, 2009
Looked at a few other dumps. The eax (job_) all look invalid at the time of crash. Eax values: 0000030e 000002cd 00000002 0000020a 000000c5. This seems to be a memory corruption.
Apr 03, 2009
Moving from milestone 2 to milestone 2.1.
Labels: JonMoved Mstone-2.1
Apr 17, 2009
This crash was found in 2.0.172.6 and is currently ranked #49 (based on the relative number of reports in the release). There have been 5 reports from 5 clients. http://crash/search?query=Chrome+2.0.172.6+URLRequest%3A%3A%7EURLRequest%28%29
Labels: Crash-2.0.172.6
May 21, 2009
(No comment was entered for this change.)
Status: Assigned
May 22, 2009
(No comment was entered for this change.)
Labels: -jonmoved
May 22, 2009
(No comment was entered for this change.)
Labels: -mstone-2.1 mstone-3
Jun 01, 2009
Still found in 3.0.183.3
Jun 01, 2009
Correction: Still found in 3.0.182.3
Jun 02, 2009
The following stack shows one possible way to have the crash. In RemovePendingRequest on the top of the stack, URLRequest will get deleted. As the function returns and stack rewinds, we will get to URLRequest::~URLRequest near the bottom of the stack again.

0244fb14 00ee8c6e chrome_be0000!ResourceDispatcherHost::RemovePendingRequest+0x33 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 803]
0244fb40 00ee973b chrome_be0000!ResourceDispatcherHost::RemovePendingRequest+0x46 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 791]
0244fba4 00ee961d chrome_be0000!ResourceDispatcherHost::OnResponseCompleted+0xc1 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 1252]
0244fbc8 011a8e16 chrome_be0000!ResourceDispatcherHost::OnReadCompleted+0xe7 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 1205]
0244fbe4 011aa933 chrome_be0000!URLRequestJob::NotifyReadComplete+0x77 [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request_job.cc @ 421]
0244fc00 00f1e404 chrome_be0000!URLRequestFileJob::DidRead+0x64 [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request_file_job.cc @ 276]
0244fc0c 011ad668 chrome_be0000!CallbackImpl<`anonymous namespace'::MostVisitedHandler,void (__thiscall A0xeafce67f::MostVisitedHandler::*)(Value const *),Tuple1<Value const *> >::RunWithParams+0x14 [c:\b\slave\chrome-official-2\build\src\base\task.h @ 571]
0244fc1c 0102cfea chrome_be0000!net::FileStream::AsyncContext::OnIOCompleted+0x4d [c:\b\slave\chrome-official-2\build\src\net\base\file_stream_win.cc @ 105]
0244fc48 011ad5a1 chrome_be0000!base::MessagePumpForIO::WaitForIOCompletion+0x80 [c:\b\slave\chrome-official-2\build\src\base\message_pump_win.cc @ 507]
0244fc78 011ad557 chrome_be0000!net::FileStream::AsyncContext::~AsyncContext+0x36 [c:\b\slave\chrome-official-2\build\src\net\base\file_stream_win.cc @ 77]
0244fc84 011ad69e chrome_be0000!net::FileStream::AsyncContext::`scalar deleting destructor'+0x9
0244fc8c 011aa5e0 chrome_be0000!net::FileStream::Close+0x1b [c:\b\slave\chrome-official-2\build\src\net\base\file_stream_win.cc @ 132]
0244fc98 011a7f7d chrome_be0000!URLRequestFileJob::Kill+0xf [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request_file_job.cc @ 127]
0244fca8 011a7efb chrome_be0000!URLRequest::DoCancel+0x59 [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request.cc @ 316]
0244fcc4 011a7c25 chrome_be0000!URLRequest::Cancel+0x20 [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request.cc @ 281]
0244fcd8 00ee8cc9 chrome_be0000!URLRequest::~URLRequest+0xb [c:\b\slave\chrome-official-2\build\src\net\url_request\url_request.cc @ 67]
0244fcfc 00ee8ad5 chrome_be0000!ResourceDispatcherHost::RemovePendingRequest+0x54 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 806]
0244fde0 00fe7fc1 chrome_be0000!ResourceDispatcherHost::CancelRequestsForRoute+0x149 [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\resource_dispatcher_host.cc @ 742]
0244fdf0 00f6190c chrome_be0000!RenderWidgetHelper::OnCancelResourceRequests+0xf [c:\b\slave\chrome-official-2\build\src\chrome\browser\renderer_host\render_widget_helper.cc @ 196]
0244fdf8 01014c04 chrome_be0000!RunnableMethod<WebDataService,void (__thiscall WebDataService::*)(WebDataService::GenericRequest2<base::Time,base::Time> *),Tuple1<WebDataService::GenericRequest2<base::Time,base::Time> *> >::Run+0xf [c:\b\slave\chrome-official-2\build\src\base\task.h @ 308]
0244fe00 01014c3d chrome_be0000!MessageLoop::RunTask+0x1e [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 310]
0244fe10 01014dcc chrome_be0000!MessageLoop::DeferOrRunPendingTask+0x2b [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 320]
0244fe40 0102cf59 chrome_be0000!MessageLoop::DoWork+0x6e [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 423]
0244fe54 0102ca5d chrome_be0000!base::MessagePumpForIO::DoRunLoop+0x6f [c:\b\slave\chrome-official-2\build\src\base\message_pump_win.cc @ 469]
0244fe70 0102c8a2 chrome_be0000!base::MessagePumpWin::RunWithDispatcher+0x38 [c:\b\slave\chrome-official-2\build\src\base\message_pump_win.cc @ 54]
0244fe7c 01014ace chrome_be0000!base::MessagePumpWin::Run+0xe [c:\b\slave\chrome-official-2\build\src\base\message_pump_win.h @ 78]
0244fe88 01014a9d chrome_be0000!MessageLoop::RunInternal+0x2b [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 199]
0244fec0 01014a40 chrome_be0000!MessageLoop::RunHandler+0x4f [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 182]
0244fee0 010172f9 chrome_be0000!MessageLoop::Run+0x15 [c:\b\slave\chrome-official-2\build\src\base\message_loop.cc @ 156]
0244ffb0 010161f4 chrome_be0000!base::Thread::ThreadMain+0x81 [c:\b\slave\chrome-official-2\build\src\base\thread.cc @ 159]
0244ffb4 7c80b713 chrome_be0000!`anonymous namespace'::ThreadFunc+0x9 [c:\b\slave\chrome-official-2\build\src\base\platform_thread_win.cc @ 27]
0244ffec 00000000 kernel32!BaseThreadStart+0x37
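The re-entrancy the two analyses above describe (the bad job_ pointer in the Mar 27 disassembly, and the Jun 02 stack where an inner RemovePendingRequest deletes the URLRequest while the outer ~URLRequest is still running), as an added example that is not Chromium's code: a minimal C++ model in which a Request owns a Job that reads through a FileStream, and the Dispatcher owns the Requests. The vulnerable close path dispatches the pending I/O completion from inside the destructor; the fixed close path drops the completion callback before draining, which is the shape of the r17560 fix. The class names, the suppress_callback_on_close flag, the in_dtor bookkeeping and the counters are assumptions for illustration; the counter stands in for the second delete so the program runs to completion instead of corrupting the heap.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <utility>
#include <vector>

// Hypothetical model (not Chromium's code) of the teardown in the stacks above.
struct Request;

// Models FileStream plus its AsyncContext: one outstanding read and its callback.
struct FileStream {
  std::function<void(int)> callback;
  bool io_pending = false;
  bool suppress_callback_on_close;  // true = fixed behaviour (assumed flag, not a real API)
  explicit FileStream(bool fixed) : suppress_callback_on_close(fixed) {}
  void Read(std::function<void(int)> cb) { callback = std::move(cb); io_pending = true; }
  // Close() must wait for the outstanding I/O. In the vulnerable variant the wait
  // also dispatches the completion, so the reader's callback runs underneath Close().
  void Close() {
    if (!io_pending) return;
    io_pending = false;
    if (suppress_callback_on_close) callback = nullptr;  // fix: finish silently
    if (callback) {
      auto cb = std::move(callback);
      callback = nullptr;
      cb(0);
    }
  }
};

// Models ResourceDispatcherHost: owns the Requests and deletes them.
struct Dispatcher {
  std::map<int, Request*> pending;
  int reentrant_deletes = 0;  // deletes attempted on a Request whose destructor is running
  int completions = 0;        // read completions delivered after cancellation began
  void RemovePendingRequest(int id);
  void OnResponseCompleted(int id) { ++completions; RemovePendingRequest(id); }
  void CancelAll();
};

// Models URLRequestFileJob.
struct Job {
  Request* request;
  FileStream stream;
  Job(Request* r, bool fixed) : request(r), stream(fixed) {}
  void Start();
  void Kill() { stream.Close(); }
  void DetachRequest() { request = nullptr; }
};

// Models URLRequest.
struct Request {
  int id;
  Dispatcher* host;
  Job* job = nullptr;
  bool in_dtor = false;
  Request(int i, Dispatcher* h) : id(i), host(h) {}
  void Start(bool fixed) { job = new Job(this, fixed); job->Start(); }
  void OnReadCompleted(int) { host->OnResponseCompleted(id); }
  ~Request() {
    in_dtor = true;
    if (job) job->Kill();  // Cancel(): in the vulnerable variant this re-enters the Dispatcher
    if (job) { job->DetachRequest(); delete job; job = nullptr; }  // OrphanJob()
  }
};

void Job::Start() {
  stream.Read([this](int n) { if (request) request->OnReadCompleted(n); });
}

void Dispatcher::RemovePendingRequest(int id) {
  auto it = pending.find(id);
  if (it == pending.end()) return;
  Request* r = it->second;
  if (r->in_dtor) {
    // A real program would delete r a second time here, while ~Request is still
    // on the stack; that is where a freed job_ ends up being dereferenced.
    ++reentrant_deletes;
    pending.erase(it);
    return;
  }
  delete r;           // ~Request runs here; the map entry is still present meanwhile
  pending.erase(id);  // erase by key: a re-entrant call may already have removed it
}

void Dispatcher::CancelAll() {  // like CancelRequestsForRenderView
  std::vector<int> ids;
  for (auto& kv : pending) ids.push_back(kv.first);
  for (int id : ids) RemovePendingRequest(id);
}

struct Outcome { int reentrant_deletes; int completions; bool nothing_pending; };

Outcome RunScenario(bool fixed) {
  Dispatcher host;
  Request* r = new Request(1, &host);
  host.pending[1] = r;
  r->Start(fixed);   // a read is now in flight
  host.CancelAll();  // the renderer went away; tear everything down
  return {host.reentrant_deletes, host.completions, host.pending.empty()};
}

int main() {
  Outcome v = RunScenario(false), f = RunScenario(true);
  std::printf("vulnerable: reentrant deletes=%d completions=%d\n", v.reentrant_deletes, v.completions);
  std::printf("fixed:      reentrant deletes=%d completions=%d\n", f.reentrant_deletes, f.completions);
  return 0;
}
```

Build with any C++11 compiler and run: the vulnerable scenario reports one re-entrant delete and one completion delivered after cancellation had already begun, the fixed scenario reports neither. The in_dtor flag exists only to make the hazard observable in a demo; the actual defence is that a close path which waits for outstanding I/O never runs the caller's completion callback, so nothing above it on the stack can be torn down twice.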
Jun 02, 2009
Issue 9668 has been merged into this issue.
Cc: ero...@chromium.org hu...@chromium.org w...@chromium.org
Jun 03, 2009
Huan, Eric Roman is improving the comments that specify the API contracts of URLRequest::Cancel and URLRequest::Read in http://codereview.chromium.org/118151. Please ask Eric Roman to make sure your fix for this crash meets the API contracts. Thanks.
Cc: rvar...@chromium.org
Jun 03, 2009
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=17560
------------------------------------------------------------------------
r17560 | huanr@chromium.org | 2009-06-03 16:05:59 -0700 (Wed, 03 Jun 2009) | 6 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/file_stream_posix.cc?r1=17560&r2=17559
M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/file_stream_unittest.cc?r1=17560&r2=17559
M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/file_stream_win.cc?r1=17560&r2=17559
M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/test_completion_callback.h?r1=17560&r2=17559
Avoiding IO completion callback during the closing
of FileStream.
BUG=8942
Review URL: http://codereview.chromium.org/112090
------------------------------------------------------------------------
Jun 05, 2009
Moving to milestone 4. If you fix this quickly and can convince Mark it is important you can still get it patched into milestone 3. Otherwise, the next bus is milestone 4.
Labels: mstone4
Jun 05, 2009
Moving to milestone 4. If you fix this quickly and can convince Mark it is important you can still get it patched into milestone 3. Otherwise, the next bus is milestone 4.
Labels: -mstone4 -mstone-3 Mstone-4
Jun 05, 2009
This crash was found in 3.0.183.1 and is currently ranked #19 (based on the relative number of reports in the release). There have been 5 reports from 5 clients. http://crash/search?query=Chrome+3.0.183.1+ResourceDispatcherHost%3A%3AIncrementOutstandingRequestsMemoryCost%28int%2Cint%29
Labels: -Pri-2 Pri-1 Crash-3.0.183.1
Jun 12, 2009
This crash was not found in 3.0.187.1. We last saw it in 3.0.183.1. Assuming the crash has been fixed, please mark accordingly.
Jun 12, 2009
Looks like r17560 fixes it.
Jun 12, 2009
(No comment was entered for this change.)
Status: Fixed
Jun 12, 2009
Issue 12164 has been merged into this issue.
Jun 18, 2009
(No comment was entered for this change.)
Labels: Merge-Stable
Jul 03, 2009
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=19920
------------------------------------------------------------------------
r19920 | mal@chromium.org | 2009-07-03 16:19:48 -0700 (Fri, 03 Jul 2009) | 7 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/branches/172/src/net/base/file_stream_posix.cc?r1=19920&r2=19919
M http://src.chromium.org/viewvc/chrome/branches/172/src/net/base/file_stream_unittest.cc?r1=19920&r2=19919
M http://src.chromium.org/viewvc/chrome/branches/172/src/net/base/file_stream_win.cc?r1=19920&r2=19919
M http://src.chromium.org/viewvc/chrome/branches/172/src/net/base/test_completion_callback.h?r1=19920&r2=19919
Merge r17560.
Avoiding IO completion callback during the closing
of FileStream.
BUG=8942
Review URL: http://codereview.chromium.org/149182
------------------------------------------------------------------------
Jul 30, 2009
Issue 12452 has been merged into this issue.
Dec 18, 2009
(No comment was entered for this change.)
Labels: -Area-BrowserBackend Area-Internals