Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
199663004:
Mac: Fix crash when dragging tabs (Closed)
|
Created:
6 years, 9 months ago by Andre Modified:
6 years, 9 months ago Reviewers:
Robert Sesek CC:
chromium-reviews, dcheng Base URL:
https://chromium.googlesource.com/chromium/src.git@master Visibility:
Public. |
DescriptionMac: Fix crash when dragging tabs
When dragging the only tab of a window, and there are other windows that are
potential targets, it was possible in some cases for the window to deallocate
while we still hold a weak reference to it.
BUG=355471
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=259773
Patch Set 1 : #Patch Set 2 : A better fix #
Total comments: 1
Messages
Total messages: 14 (0 generated)
I'm trying to understand why this change caused this crash, especially given the crash stack. Do you understand it? I'm not quite following how the old targetController can go away on line 218 (a JS close?). http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/cocoa/tabs/...
On 2014/03/25 18:22:31, rsesek wrote: > I'm trying to understand why this change caused this crash, especially given the > crash stack. Do you understand it? I'm not quite following how the old > targetController can go away on line 218 (a JS close?). > > http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/cocoa/tabs/... It's strange, I don't understand how the window controller can get deallocated given the steps above. And it apparently only crashes on 10.7.5, byt I was not able to repro on my 10.7.5 VM. But I think retaining it during drag is the right thing to do, anything can happen while running the event loop and there seems to be no advantage from making it weak.
On 2014/03/25 18:30:32, Andre wrote: > On 2014/03/25 18:22:31, rsesek wrote: > > I'm trying to understand why this change caused this crash, especially given > the > > crash stack. Do you understand it? I'm not quite following how the old > > targetController can go away on line 218 (a JS close?). > > > > > http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/cocoa/tabs/... > > It's strange, I don't understand how the window controller can get deallocated > given the steps above. > And it apparently only crashes on 10.7.5, byt I was not able to repro on my > 10.7.5 VM. > But I think retaining it during drag is the right thing to do, anything can > happen while running the event loop and there seems to be no advantage from > making it weak. I was able to repro using modified steps: 1. Open chrome with two tabs 2. Drag out the first of the two tabs into a new window 3. Drag it back in as position 1 Repeat steps 2 and 3 once more if it doesn't crash. It crashes for me within 2 tries. While it's probably fine to add these retains, I'd like to understand why this is happening, because this kind of seems like papering over a fix (i.e. a deeper issue may be present). Also these have been weak pointers since the beginning, so I'm a bit hesitant to just change them without fully understanding the reason for the crash.
On 2014/03/25 21:09:12, rsesek wrote: > On 2014/03/25 18:30:32, Andre wrote: > > On 2014/03/25 18:22:31, rsesek wrote: > > > I'm trying to understand why this change caused this crash, especially given > > the > > > crash stack. Do you understand it? I'm not quite following how the old > > > targetController can go away on line 218 (a JS close?). > > > > > > > > > http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/ui/cocoa/tabs/... > > > > It's strange, I don't understand how the window controller can get deallocated > > given the steps above. > > And it apparently only crashes on 10.7.5, byt I was not able to repro on my > > 10.7.5 VM. > > But I think retaining it during drag is the right thing to do, anything can > > happen while running the event loop and there seems to be no advantage from > > making it weak. > > I was able to repro using modified steps: > > 1. Open chrome with two tabs > 2. Drag out the first of the two tabs into a new window > 3. Drag it back in as position 1 > > Repeat steps 2 and 3 once more if it doesn't crash. It crashes for me within 2 > tries. > > While it's probably fine to add these retains, I'd like to understand why this > is happening, because this kind of seems like papering over a fix (i.e. a deeper > issue may be present). Also these have been weak pointers since the beginning, > so I'm a bit hesitant to just change them without fully understanding the reason > for the crash. Thanks Robert. I'm still not able to repro using your steps, but can repro using these steps: 1. Two windows, each with 1 tab (new tab page is ok). 2. Drag one of the tab up or down (not sideways) and very quickly release. 3. Repeat #2 many times. I think this is what might be what is happening: 1. We drag the only tab of a window. 2. With the new code, we set that window controller as our targetController_ 3. The window controller deallocates because it has no more tabs 4. The next time continueDrag: is invoked, we message the zombie targetController_. Usually #4 will happen before #3, so we get the chance to nil targetController_ first. But sometimes the opposite can happen. After further testing, I also found that the delayed removePlaceholder call makes tab tear-off a little less smooth (very hard to tell). I've fixed that as well. I have uploaded a new fix that the handles the 3 different cases: 1. dragging the only tab of a window 2. dragging the tab horizontally 3. dragging the tab vertically
https://codereview.chromium.org/199663004/diff/80001/chrome/browser/ui/cocoa/... File chrome/browser/ui/cocoa/tabs/tab_strip_drag_controller.mm (left): https://codereview.chromium.org/199663004/diff/80001/chrome/browser/ui/cocoa/... chrome/browser/ui/cocoa/tabs/tab_strip_drag_controller.mm:191: // moving more than 3 pixels. I think this comment is outdated. The distance is specified by kTearDistance above.
LGTM thanks for investigating.
The CQ bit was checked by andresantoso@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/andresantoso@chromium.org/199663004/80001
The CQ bit was unchecked by commit-bot@chromium.org
Commit queue rejected this change because the description was changed between the time the change entered the commit queue and the time it was ready to commit. You can safely check the commit box again.
The CQ bit was checked by andresantoso@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/andresantoso@chromium.org/199663004/80001
Message was sent while issue was closed.
Change committed as 259773 |
