Updates:
        Status: Started

Comment #3 on issue 4749 by [EMAIL PROTECTED]: Crash in ResourceDispatcherHost::RemovePendingRequest on browser shutdown.
http://code.google.com/p/chromium/issues/detail?id=4749

After adding several debugging CHECKs to resource_dispatcher_host.cc,
I finally caught the culprit in action.

The problem is that the delete iter->second call (iter->second points
to a URLRequest) in ResourceDispatcherHost::RemovePendingRequest may
cause a callback to ResourceDispatcherHost::RemovePendingRequest, resulting
in more than one request being removed from pending_requests_ by the
original ResourceDispatcherHost::RemovePendingRequest call.  The call
stack is:
http://go/crash-staging/reportdetail?reportid=ecf2c814612f8e3b&product=Chromium&version=0.5.155.0-6628&date=&signature=v8::internal::CPU::DebugBreak()-4E9EA2

Thread 5 *CRASHED* (EXCEPTION_BREAKPOINT @0x0268cdd0)

0x0268cdd0  [chrome.dll - debug_util_win.cc:101]  v8::internal::CPU::DebugBreak()
0x02964cb7  [chrome.dll - logging_chrome.cc:40]  SilentRuntimeAssertHandler
0x0267e400  [chrome.dll - logging.cc:497]  logging::LogMessage::~LogMessage()
0x02754786  [chrome.dll - resource_dispatcher_host.cc:1939]  ResourceDispatcherHost::RemovePendingRequest(std::_Tree<std::_Tmap_traits<ResourceDispatcherHost::GlobalRequestID,URLRequest *,std::less<ResourceDispatcherHost::GlobalRequestID>,std::allocator<std::pair<ResourceDispatcherHost::GlobalRequestID const ,URLRequest *> >,0> >::iterator const &)
0x02755895  [chrome.dll - resource_dispatcher_host.cc:1934]  ResourceDispatcherHost::RemovePendingRequest(int,int)
0x027558ec  [chrome.dll - resource_dispatcher_host.cc:2287]  ResourceDispatcherHost::OnResponseCompleted(URLRequest *)
0x027571f3  [chrome.dll - resource_dispatcher_host.cc:2255]  ResourceDispatcherHost::OnReadCompleted(URLRequest *,int)
0x027586cc  [chrome.dll - resource_dispatcher_host.cc:2041]  ResourceDispatcherHost::OnResponseStarted(URLRequest *)
0x02e8ee0d  [chrome.dll - url_request_job.cc:334]  URLRequestJob::NotifyHeadersComplete()
0x02ec4703  [chrome.dll - url_request_http_job.cc:443]  URLRequestHttpJob::NotifyHeadersComplete()
0x02ec4798  [chrome.dll - url_request_http_job.cc:377]  URLRequestHttpJob::OnStartCompleted(int)
0x02826ac6  [chrome.dll - task.h:573]  CallbackImpl<TemplateURLHandler,void ( TemplateURLHandler::*)(Value const *),Tuple1<Value const *> >::RunWithParams(Tuple1<Value const *> const &)
0x02e9aa42  [chrome.dll - http_cache.cc:561]  net::HttpCache::Transaction::DoCallback(int)
0x02e9aabb  [chrome.dll - http_cache.cc:567]  net::HttpCache::Transaction::HandleResult(int)
0x02e9d348  [chrome.dll - http_cache.cc:890]  net::HttpCache::Transaction::OnNetworkInfoAvailable(int)
0x02e9da39  [chrome.dll - http_cache.cc:678]  net::HttpCache::Transaction::BeginNetworkRequest()
0x02e9e2db  [chrome.dll - http_cache.cc:542]  net::HttpCache::Transaction::EntryAvailable(net::HttpCache::ActiveEntry *)
0x02e9e396  [chrome.dll - http_cache.cc:1254]  net::HttpCache::AddTransactionToEntry(net::HttpCache::ActiveEntry *,net::HttpCache::Transaction *)
0x02e9c9bb  [chrome.dll - http_cache.cc:519]  net::HttpCache::Transaction::AddToEntry()
0x02e9caf9  [chrome.dll - http_cache.cc:1294]  net::HttpCache::DoneWritingToEntry(net::HttpCache::ActiveEntry *,bool)
0x02e9ce7d  [chrome.dll - http_cache.cc:1267]  net::HttpCache::DoneWithEntry(net::HttpCache::ActiveEntry *,net::HttpCache::Transaction *)
0x02e9ceba  [chrome.dll - http_cache.cc:322]  net::HttpCache::Transaction::~Transaction()
0x02e9d59a  [chrome.dll + 0x0082d59a]  net::HttpCache::Transaction::`vector deleting destructor'(unsigned int)
0x02ec3e10  [chrome.dll - url_request_http_job.cc:449]  URLRequestHttpJob::DestroyTransaction()
0x02ec3e40  [chrome.dll - url_request_http_job.cc:102]  URLRequestHttpJob::Kill()
0x02e840f5  [chrome.dll - url_request.cc:65]  URLRequest::~URLRequest()
0x0275485c  [chrome.dll - resource_dispatcher_host.cc:1949]  ResourceDispatcherHost::RemovePendingRequest(std::_Tree<std::_Tmap_traits<ResourceDispatcherHost::GlobalRequestID,URLRequest *,std::less<ResourceDispatcherHost::GlobalRequestID>,std::allocator<std::pair<ResourceDispatcherHost::GlobalRequestID const ,URLRequest *> >,0> >::iterator const &)
0x027557b9  [chrome.dll - resource_dispatcher_host.cc:1921]  ResourceDispatcherHost::CancelRequestsForRenderView(int,int)
0x02715ab2  [chrome.dll - render_widget_helper.cc:183]  RenderWidgetHelper::OnCancelResourceRequests(ResourceDispatcherHost *,int)
0x027530f5  [chrome.dll - task.h:312]  RunnableMethod<RenderWidgetHelper,void ( RenderWidgetHelper::*)(ResourceDispatcherHost *,int),Tuple2<ResourceDispatcherHost *,int> >::Run()
0x02681e8f  [chrome.dll - message_loop.cc:308]  MessageLoop::RunTask(Task *)
0x026829e9  [chrome.dll - message_loop.cc:408]  MessageLoop::DoWork()
0x026936dd  [chrome.dll - message_pump_win.cc:462]  base::MessagePumpForIO::DoRunLoop()
0x0269331f  [chrome.dll - message_pump_win.h:78]  base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x02682566  [chrome.dll - message_loop.cc:197]  MessageLoop::RunInternal()
0x026826ff  [chrome.dll - message_loop.cc:180]  MessageLoop::RunHandler()
0x02682f9c  [chrome.dll - message_loop.cc:154]  MessageLoop::Run()
0x02c03b59  [chrome.dll - thread.cc:153]  base::Thread::ThreadMain()
0x0268b00c  [chrome.dll - platform_thread_win.cc:26]  `anonymous namespace'::ThreadFunc(void *)
0x7c80b682  [kernel32.dll + 0x0000b682]  BaseThreadStart

The value of the 'result' argument to
HttpCache::Transaction::OnNetworkInfoAvailable is 0, which means
the network_trans_->Start() call in  
HttpCache::Transaction::BeginNetworkRequest
returned net::OK.

I need help from someone more familiar with http_cache.cc (Ricardo
or Darin) to come up with the right fix.

Here are my ideas:

1. In ResourceDispatcherHost::RemovePendingRequest, delete the
URLRequest after removing it from pending_requests_ (reversing
the current order).
   URLRequest* request = iter->second;
   pending_requests_.erase(iter);
   delete request;

This may work because in the recursive call to the two-argument
version of ResourceDispatcherHost::RemovePendingRequest, we may
find that the request in question is no longer in pending_requests_
and would just return (with a NOTREACHED assertion failure in
debug build).

2. In HttpCache::Transaction::~Transaction(), set callback_ to
NULL to prevent HttpCache::Transaction::HandleResult from calling
HttpCache::Transaction::DoCallback.

3. In ResourceDispatcherHost::RemovePendingRequest, call
iter->second->set_delegate(NULL) before deleting iter->second.

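The re-entrancy the comment describes, as an added C++ model that is not Chromium code: Host stands in for ResourceDispatcherHost, Request for URLRequest, the request key is a plain int instead of GlobalRequestID, and the whole ~URLRequest -> Kill -> ... -> OnResponseCompleted chain from the stack trace is collapsed into one call made from ~Request. A re-entrancy flag takes the place of the debugging CHECK, so the original ordering is counted rather than crashing (the real code would delete the same URLRequest a second time and erase the entry under the outer call's iterator). Ideas 1 and 3 from the comment are modelled as alternative orderings; idea 2 (clearing callback_ in ~Transaction) lives in the cache layer and is not modelled here.

```cpp
#include <cstddef>
#include <map>

class Host;

// Stand-in for URLRequest: destruction notifies its delegate, as the trace shows.
class Request {
 public:
  Request(Host* delegate, int id) : delegate_(delegate), id_(id) {}
  ~Request();                                     // defined after Host
  void set_delegate(Host* d) { delegate_ = d; }  // idea 3: detach before delete
 private:
  Host* delegate_;
  int id_;
};

// Stand-in for ResourceDispatcherHost.
class Host {
 public:
  typedef std::map<int, Request*> PendingMap;
  // kOriginal: delete, then erase(iter) (the order the comment says crashes).
  // kEraseFirst: idea 1, erase(iter) then delete.
  // kClearDelegate: idea 3, set_delegate(NULL) then delete.
  enum Fix { kOriginal, kEraseFirst, kClearDelegate };

  explicit Host(Fix fix)
      : fix_(fix), in_remove_(false), callbacks_(0), reentries_(0), not_found_(0) {}
  ~Host() {
    // Quiet teardown of whatever is left: detach first so nothing re-enters.
    for (PendingMap::iterator it = pending_.begin(); it != pending_.end(); ++it) {
      it->second->set_delegate(NULL);
      delete it->second;
    }
  }

  void AddPendingRequest(int id) { pending_[id] = new Request(this, id); }

  // Key-based flavour (Chromium's two-argument version): look up, then hand off.
  void RemovePendingRequest(int id) {
    PendingMap::iterator it = pending_.find(id);
    if (it == pending_.end()) {
      ++not_found_;  // Chromium has NOTREACHED() here; under idea 1 this is the expected path
      return;
    }
    RemovePendingRequest(it);
  }

  // Callback reached from ~Request, like OnResponseCompleted in the trace.
  void OnResponseCompleted(int id) {
    ++callbacks_;
    RemovePendingRequest(id);
  }

  size_t pending_count() const { return pending_.size(); }
  int callbacks() const { return callbacks_; }
  int reentries() const { return reentries_; }
  int not_found() const { return not_found_; }

 private:
  void RemovePendingRequest(PendingMap::iterator it) {
    if (in_remove_) {
      // Re-entered while the outer call still holds `it`. Counted here instead of
      // crashing; the real code would recurse into delete/erase at this point.
      ++reentries_;
      return;
    }
    in_remove_ = true;
    Request* request = it->second;
    switch (fix_) {
      case kOriginal:
        delete request;               // calls back into OnResponseCompleted -> re-entry
        pending_.erase(it);
        break;
      case kEraseFirst:
        pending_.erase(it);           // entry gone first, so the re-entrant lookup misses
        delete request;
        break;
      case kClearDelegate:
        request->set_delegate(NULL);  // no callback fires during destruction
        delete request;
        pending_.erase(it);
        break;
    }
    in_remove_ = false;
  }

  Fix fix_;
  PendingMap pending_;
  bool in_remove_;
  int callbacks_;
  int reentries_;
  int not_found_;
};

Request::~Request() {
  if (delegate_) delegate_->OnResponseCompleted(id_);
}

// One removal under the given ordering, with two requests pending (constructed input).
struct Outcome { size_t pending; int callbacks; int reentries; int not_found; };

Outcome RunRemoval(Host::Fix fix) {
  Host host(fix);
  host.AddPendingRequest(1);
  host.AddPendingRequest(2);
  host.RemovePendingRequest(1);  // like CancelRequestsForRenderView dropping one request
  Outcome o = { host.pending_count(), host.callbacks(), host.reentries(), host.not_found() };
  return o;
}
```

With kOriginal the callback still finds request 1 in the map and re-enters the iterator version (reentries == 1). With kEraseFirst the callback fires but its lookup misses (not_found == 1, reentries == 0), which is exactly the NOTREACHED path the comment predicts for a debug build. With kClearDelegate no callback fires at all. All three leave request 2 pending.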