Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2903593003:
Fix crash bug http://crbug.com/725594 (Closed)
|
Created:
3 years, 7 months ago by Hzj_jie Modified:
3 years, 7 months ago Reviewers:
Avi (use Gerrit) CC:
chromium-reviews, jam, nasko+codewatch_chromium.org, darin-cc_chromium.org, creis+watch_chromium.org Target Ref:
refs/heads/master Project:
chromium Visibility:
Public. |
DescriptionFix crash bug http://crbug.com/725594
The order of destruction of frame_tree_ and rvh_delegate_view_ is relevant. This
change ensure frame_tree_ is destructed before rvh_delegate_view_.
BUG=chromium:725594, chromium:725402
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
Review-Url: https://codereview.chromium.org/2903593003
Cr-Commit-Position: refs/heads/master@{#474201}
Committed: https://chromium.googlesource.com/chromium/src/+/8da026c9e77facffc5ed46cfb75c2932f09fcc12
Patch Set 1 #Patch Set 2 : Use std::unique_ptr to control the lifetime of FrameTree obviously #
Total comments: 1
Patch Set 3 : Prefer MakeUnique to raw new operator #
Messages
Total messages: 38 (23 generated)
Description was changed from ========== Fix crash bug http://crbug.com/725594 The order of destruction of frame_tree_ and rvh_delegate_view_ is relevant. This change ensure frame_tree_ is destructed before rvh_delegate_view_. BUG=chromium:725594, chromium:725402 ========== to ========== Fix crash bug http://crbug.com/725594 The order of destruction of frame_tree_ and rvh_delegate_view_ is relevant. This change ensure frame_tree_ is destructed before rvh_delegate_view_. BUG=chromium:725594, chromium:725402 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ==========
The CQ bit was checked by zijiehe@chromium.org to run a CQ dry run
Description was changed from ========== Fix crash bug http://crbug.com/725594 The order of destruction of frame_tree_ and rvh_delegate_view_ is relevant. This change ensure frame_tree_ is destructed before rvh_delegate_view_. BUG=chromium:725594, chromium:725402 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ========== to ========== Fix crash bug http://crbug.com/725594 The order of destruction of frame_tree_ and rvh_delegate_view_ is relevant. This change ensure frame_tree_ is destructed before rvh_delegate_view_. BUG=chromium:725594, chromium:725402 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ==========
zijiehe@chromium.org changed reviewers: + avi@chromium.org
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by zijiehe@chromium.org to run a CQ dry run
Patchset #1 (id:1) has been deleted
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
I wonder if this is indicative of a deeper ownership issue. I don't think I've ever seen DeleteSoon used like this.
On 2017/05/23 21:16:32, Avi (ping after 24h) wrote: > I wonder if this is indicative of a deeper ownership issue. I don't think I've > ever seen DeleteSoon used like this. I think the constructor of the frame_tree_ shows some potential risks: it sends itself four times to the FrameTree, so the order of destruction of the implementations is relevant. But if you are talking about DeleteSoon(unique_ptr.release())? It looks like a very common pattern to ensure an object owned by a unique_ptr can be deleted with expected order. https://cs.chromium.org/search/?q=deletesoon%5C(.*release%5C(%5C)%5C)+package...
On 2017/05/23 21:24:36, Hzj_jie wrote: > On 2017/05/23 21:16:32, Avi (ping after 24h) wrote: > > I wonder if this is indicative of a deeper ownership issue. I don't think I've > > ever seen DeleteSoon used like this. > > I think the constructor of the frame_tree_ shows some potential risks: it sends > itself four times to the FrameTree, so the order of destruction of the > implementations is relevant. > > But if you are talking about DeleteSoon(unique_ptr.release())? It looks like a > very common pattern to ensure an object owned by a unique_ptr can be deleted > with expected order. > https://cs.chromium.org/search/?q=deletesoon%5C(.*release%5C(%5C)%5C)+package... So... 1. Can you file a bug against FrameTree then? That sounds like it is less robust than it could be 2. I personally find that kinda terrifying. :/ LGTM then.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
On 2017/05/23 21:26:14, Avi (ping after 24h) wrote: > On 2017/05/23 21:24:36, Hzj_jie wrote: > > On 2017/05/23 21:16:32, Avi (ping after 24h) wrote: > > > I wonder if this is indicative of a deeper ownership issue. I don't think > I've > > > ever seen DeleteSoon used like this. > > > > I think the constructor of the frame_tree_ shows some potential risks: it > sends > > itself four times to the FrameTree, so the order of destruction of the > > implementations is relevant. > > > > But if you are talking about DeleteSoon(unique_ptr.release())? It looks like a > > very common pattern to ensure an object owned by a unique_ptr can be deleted > > with expected order. > > > https://cs.chromium.org/search/?q=deletesoon%5C(.*release%5C(%5C)%5C)+package... > > So... > > 1. Can you file a bug against FrameTree then? That sounds like it is less robust > than it could be > 2. I personally find that kinda terrifying. :/ LGTM then. I tend to think this is an issue of InterstitialPageImpl class instead of FrameTree. Since itself is the four delegates of the FrameTree, it looks quite wrong to me to randomly destruct frame_tree_. Instead it should ensure frame_tree_ is destructed before other delegates. I will add more comments in the source code as well as the bug to explain the root cause here.
The CQ bit was checked by zijiehe@chromium.org
CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by zijiehe@chromium.org
On 2017/05/23 21:43:37, commit-bot: I haz the power wrote: > CQ is trying da patch. > > Follow status at: > https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or... I am working on a different solution by replacing "FrameTree frame_tree_" with "std::unique_ptr<FrameTree> frame_tree_", and reset it in the destructor manually.
The CQ bit was checked by zijiehe@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Avi, how about this solution?
Nicer. LGTM with nit. https://codereview.chromium.org/2903593003/diff/40001/content/browser/frame_h... File content/browser/frame_host/interstitial_page_impl.cc (right): https://codereview.chromium.org/2903593003/diff/40001/content/browser/frame_h... content/browser/frame_host/interstitial_page_impl.cc:166: frame_tree_(new FrameTree(new InterstitialPageNavigatorImpl(this, base::MakeUnique<>
On 2017/05/23 22:44:15, Avi (ping after 24h) wrote: > Nicer. LGTM with nit. > > https://codereview.chromium.org/2903593003/diff/40001/content/browser/frame_h... > File content/browser/frame_host/interstitial_page_impl.cc (right): > > https://codereview.chromium.org/2903593003/diff/40001/content/browser/frame_h... > content/browser/frame_host/interstitial_page_impl.cc:166: frame_tree_(new > FrameTree(new InterstitialPageNavigatorImpl(this, > base::MakeUnique<> It seems like there is not benefit by using base::MakeUnique here. IMO, MakeUnique is better for statements like, std::unique_ptr<Type> p = base::MakeUnique<TypeImpl>(...); or even, auto p = base::MakeUnique<Type>(...); or, std::unique_ptr<Type> p; p = base::MakeUnique<TypeImpl>(...); because there is not std::unique_ptr::operator=(T*);
On 2017/05/23 22:57:21, Hzj_jie wrote: > On 2017/05/23 22:44:15, Avi (ping after 24h) wrote: > > Nicer. LGTM with nit. > > > > > https://codereview.chromium.org/2903593003/diff/40001/content/browser/frame_h... > > File content/browser/frame_host/interstitial_page_impl.cc (right): > > > > > https://codereview.chromium.org/2903593003/diff/40001/content/browser/frame_h... > > content/browser/frame_host/interstitial_page_impl.cc:166: frame_tree_(new > > FrameTree(new InterstitialPageNavigatorImpl(this, > > base::MakeUnique<> > > It seems like there is not benefit by using base::MakeUnique here. IMO, > MakeUnique is better for statements like, > std::unique_ptr<Type> p = base::MakeUnique<TypeImpl>(...); > or even, > auto p = base::MakeUnique<Type>(...); > or, > std::unique_ptr<Type> p; > p = base::MakeUnique<TypeImpl>(...); > because there is not std::unique_ptr::operator=(T*); We're trying to move away from raw new calls. https://sites.google.com/a/chromium.org/dev/developers/coding-style/cpp-dos-a...
On 2017/05/23 23:01:39, Avi (ping after 24h) wrote: > On 2017/05/23 22:57:21, Hzj_jie wrote: > > On 2017/05/23 22:44:15, Avi (ping after 24h) wrote: > > > Nicer. LGTM with nit. > > > > > > > > > https://codereview.chromium.org/2903593003/diff/40001/content/browser/frame_h... > > > File content/browser/frame_host/interstitial_page_impl.cc (right): > > > > > > > > > https://codereview.chromium.org/2903593003/diff/40001/content/browser/frame_h... > > > content/browser/frame_host/interstitial_page_impl.cc:166: frame_tree_(new > > > FrameTree(new InterstitialPageNavigatorImpl(this, > > > base::MakeUnique<> > > > > It seems like there is not benefit by using base::MakeUnique here. IMO, > > MakeUnique is better for statements like, > > std::unique_ptr<Type> p = base::MakeUnique<TypeImpl>(...); > > or even, > > auto p = base::MakeUnique<Type>(...); > > or, > > std::unique_ptr<Type> p; > > p = base::MakeUnique<TypeImpl>(...); > > because there is not std::unique_ptr::operator=(T*); > > We're trying to move away from raw new calls. > https://sites.google.com/a/chromium.org/dev/developers/coding-style/cpp-dos-a... Oh, got it. Thank you.
The CQ bit was checked by zijiehe@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
lgtm Thank you.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_android_rel_ng on master.tryserver.chromium.android (JOB_FAILED, https://build.chromium.org/p/tryserver.chromium.android/builders/linux_androi...)
The CQ bit was checked by zijiehe@chromium.org
CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 60001, "attempt_start_ts": 1495607395481150,
"parent_rev": "b9b069b5a30a07c45fcfd0f1820427df40ebbb10", "commit_rev":
"8da026c9e77facffc5ed46cfb75c2932f09fcc12"}
Message was sent while issue was closed.
Description was changed from ========== Fix crash bug http://crbug.com/725594 The order of destruction of frame_tree_ and rvh_delegate_view_ is relevant. This change ensure frame_tree_ is destructed before rvh_delegate_view_. BUG=chromium:725594, chromium:725402 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ========== to ========== Fix crash bug http://crbug.com/725594 The order of destruction of frame_tree_ and rvh_delegate_view_ is relevant. This change ensure frame_tree_ is destructed before rvh_delegate_view_. BUG=chromium:725594, chromium:725402 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation Review-Url: https://codereview.chromium.org/2903593003 Cr-Commit-Position: refs/heads/master@{#474201} Committed: https://chromium.googlesource.com/chromium/src/+/8da026c9e77facffc5ed46cfb75c... ==========
Message was sent while issue was closed.
Committed patchset #3 (id:60001) as https://chromium.googlesource.com/chromium/src/+/8da026c9e77facffc5ed46cfb75c... |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
