Updates:
Owner: [email protected]
Comment #6 on issue 27145 by [email protected]: Crash in http cache
while pages are loading
http://code.google.com/p/chromium/issues/detail?id=27145
This crash is the result of memory corruption on the key of a cache entry.
The culprit so far seems to be RenderWidgetHostViewCocoa using a
RenderWidgetHost that was already deleted.
The stack of the code that is corrupting memory:
#0 RenderWidgetHost::ForwardKeyboardEvent (this=0x20fe77b0,
key_eve...@0xbfffddf8) at
chrome/browser/renderer_host/render_widget_host.cc:445
#1 0x06d40408 in -[RenderWidgetHostViewCocoa keyEvent:wasKeyEquivalent:]
(self=0x213544f0, _cmd=0x8459ecd, theEvent=0x20491940, equiv=1 '\001') at
chrome/browser/renderer_host/render_widget_host_view_mac.mm:651
#2 0x06d3ee3b in -[RenderWidgetHostViewCocoa performKeyEquivalent:]
(self=0x213544f0, _cmd=0x95fbba60, theEvent=0x20491940) at
chrome/browser/renderer_host/render_widget_host_view_mac.mm:595
#3 0x06a60796 in -[ChromeEventProcessingWindow performKeyEquivalent:]
(self=0x15f8d0, _cmd=0x95fbba60, event=0x20491940) at
chrome/browser/cocoa/chrome_event_processing_window.mm:60
#4 0x948bec0b in -[NSApplication _handleKeyEquivalent:] ()
#5 0x947dbac7 in -[NSApplication sendEvent:] ()
#6 0x06f8059a in -[CrApplication sendEvent:] (self=0x124970,
_cmd=0x95f6c4b8, event=0x20491940) at base/chrome_application_mac.mm:33
#7 0x94738fe7 in -[NSApplication run] ()
#8 0x06fb0386 in base::MessagePumpNSApplication::DoRun (this=0x131a10,
delegate=0xbfffe6b8) at base/message_pump_mac.mm:677
#9 0x06fb0975 in base::MessagePumpCFRunLoopBase::Run (this=0x131a10,
delegate=0xbfffe6b8) at base/message_pump_mac.mm:213
#10 0x06fa8cca in MessageLoop::RunInternal (this=0xbfffe6b8) at
base/message_loop.cc:205
#11 0x06fa8ce5 in MessageLoop::RunHandler (this=0xbfffe6b8) at
base/message_loop.cc:177
#12 0x06fa8d49 in MessageLoop::Run (this=0xbfffe6b8) at
base/message_loop.cc:155
#13 0x069f3d47 in (anonymous namespace)::RunUIMessageLoop
(browser_process=0x13ebd0) at chrome/browser/browser_main.cc:152
#14 0x069f5db7 in BrowserMain (paramete...@0xbffff1f8) at
chrome/browser/browser_main.cc:880
#15 0x0688c02c in ChromeMain (argc=1, argv=0xbffff67c) at
chrome/app/chrome_dll_main.cc:635
#16 0x00001ffe in main (argc=1, argv=0xbffff67c) at
chrome/app/chrome_exe_main.mm:17
The (already deleted) RenderWidgetHost:
$5 = {
<IPC::Channel::Listener> = {
_vptr$Listener = 0x5043f85a
},
<IPC::Message::Sender> = {
_vptr$Sender = 0x0
},
members of RenderWidgetHost:
renderer_initialized_ = 139,
view_ = 0x0,
process_ = 0x0,
property_bag_ = {},
painting_observer_ = 0x0,
routing_id_ = 0,
is_loading_ = false,
is_hidden_ = false,
repaint_ack_pending_ = false,
resize_ack_pending_ = false,
From the RenderWidgetHostViewCocoa object:
print *self->renderWidgetHostView_
$3 = {
<RenderWidgetHostView> = {
_vptr$RenderWidgetHostView = 0x9669228,
activatable_ = true,
background_ = {}
},
members of RenderWidgetHostViewMac:
render_widget_host_ = 0x0,
about_to_validate_and_paint_ = false,
It is interesting that the code attempts to prevent this case with:
if (renderWidgetHostView_->render_widget_host_) {
RenderWidgetHost* widgetHost =
renderWidgetHostView_->render_widget_host_;
...
widgetHost->ForwardKeyboardEvent(event);
but it crashes because at the time of the check the pointer was not null
(widgetHost is not null), while at the time of the access the member
variable is already null.
Reassigning the bug to someone more familiar with this code.
--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
--
Automated mail from issue updates at http://crbug.com/
Subscription options: http://groups.google.com/group/chromium-bugs
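The hazard described in the comment above, modelled as an added C++ example (this is not Chromium code, and the fix shown is an illustration, not the patch that closed the issue). A view holds a raw, non-owning pointer to a host; the event handler null-checks it, copies it to a local, runs work that can re-enter the event loop (modelled here as a callback), then uses the local copy. If the re-entrant work destroys the host, the host's destructor clears the view's member, exactly as the gdb dump shows (render_widget_host_ = 0x0), but the local copy still dangles. The names Host, View, HandleKeyEventUnsafe, HandleKeyEventSafe and the live-host registry are assumptions made for the example; the registry stands in for what a sanitizer would report, so the test can observe the use-after-free without dereferencing freed memory.

```cpp
// Added example, not Chromium code: models the check-then-use hazard from the
// crash report. Names (Host, View, g_live_hosts, ...) are assumptions.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <memory>
#include <set>

struct Host;

// Stand-in for RenderWidgetHostViewMac: a raw, non-owning pointer to the host.
struct View {
  Host* render_widget_host = nullptr;
};

// Addresses of live hosts, stored as integers so the check never forms or
// dereferences a pointer to freed memory. This plays the role of a sanitizer.
static std::set<std::uintptr_t> g_live_hosts;

static std::uintptr_t Key(const void* p) {
  return reinterpret_cast<std::uintptr_t>(p);
}

// Stand-in for RenderWidgetHost.
struct Host {
  explicit Host(View* v) : view(v) {
    view->render_widget_host = this;
    g_live_hosts.insert(Key(this));
  }
  ~Host() {
    // Like the real object: detach from the view when destroyed, leaving
    // render_widget_host_ == 0x0 in the view.
    if (view) view->render_widget_host = nullptr;
    g_live_hosts.erase(Key(this));
  }
  void ForwardKeyboardEvent() { ++events_forwarded; }
  View* view;
  int events_forwarded = 0;
};

enum class Outcome { kForwarded, kDropped, kUseAfterFree };

using Work = std::function<void()>;

// The pattern from the report: null-check, copy to a local, run re-entrant
// work (which may delete the host), then use the stale local.
Outcome HandleKeyEventUnsafe(View* view, const Work& reentrant_work) {
  if (view->render_widget_host) {
    Host* widget_host = view->render_widget_host;
    const std::uintptr_t key = Key(widget_host);
    reentrant_work();  // may destroy the host and null view->render_widget_host
    if (g_live_hosts.count(key) == 0)
      return Outcome::kUseAfterFree;  // the real code would dereference here
    widget_host->ForwardKeyboardEvent();
    return Outcome::kForwarded;
  }
  return Outcome::kDropped;
}

// Hardened form: re-read the member at the point of use, so a host destroyed
// during the re-entrant work is seen as null instead of used.
Outcome HandleKeyEventSafe(View* view, const Work& reentrant_work) {
  if (!view->render_widget_host) return Outcome::kDropped;
  reentrant_work();
  Host* widget_host = view->render_widget_host;  // re-check after re-entrancy
  if (!widget_host) return Outcome::kDropped;
  widget_host->ForwardKeyboardEvent();
  return Outcome::kForwarded;
}

// Scenario 1: the re-entrant work tears the host down mid-handler.
Outcome RunTeardownScenario(bool hardened) {
  View view;
  std::unique_ptr<Host> owner = std::make_unique<Host>(&view);
  Work teardown = [&owner]() { owner.reset(); };
  return hardened ? HandleKeyEventSafe(&view, teardown)
                  : HandleKeyEventUnsafe(&view, teardown);
}

// Scenario 2: nothing happens during re-entrancy; both forms forward the event.
Outcome RunBenignScenario(bool hardened) {
  View view;
  std::unique_ptr<Host> owner = std::make_unique<Host>(&view);
  Work nothing = []() {};
  return hardened ? HandleKeyEventSafe(&view, nothing)
                  : HandleKeyEventUnsafe(&view, nothing);
}

static const char* Name(Outcome o) {
  switch (o) {
    case Outcome::kForwarded:    return "forwarded";
    case Outcome::kDropped:      return "dropped";
    case Outcome::kUseAfterFree: return "use-after-free";
  }
  return "?";
}

int main() {
  std::printf("unsafe, host deleted during event: %s\n", Name(RunTeardownScenario(false)));
  std::printf("safe,   host deleted during event: %s\n", Name(RunTeardownScenario(true)));
  std::printf("unsafe, benign:                    %s\n", Name(RunBenignScenario(false)));
  std::printf("safe,   benign:                    %s\n", Name(RunBenignScenario(true)));
  return 0;
}
```

The re-read only helps when the destruction happens before the final use; if the host can also be destroyed inside ForwardKeyboardEvent itself, the caller needs a weak handle that is checked on every step rather than a single re-check.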