Issue 996103009: Fix for a crasher in the browser seen while dispatching mouse enter or mouse exit messages via the …

Issue 996103009: Fix for a crasher in the browser seen while dispatching mouse enter or mouse exit messages via the … (Closed)

Created:
5 years, 9 months ago by ananta

Modified:
5 years, 9 months ago

Reviewers:
sadrul

CC:
chromium-reviews, tfarina, tdanderson+views_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

Fix for a crasher in the browser seen while dispatching mouse enter or mouse exit messages via the root view. Based on a number of crash dumps I looked at starting from M40 onwards, the crash occurs in the RootView::NotifyEnterExitOfDescendant function while dereferencing a NULL view parameter. The parameter passed as the view, is the mouse_move_handler_ member which is checked for validity before calling this function. However the disassembly in the crash dump clearly suggests that the parameter passed on the stack is NULL. Looking at the code the only way that could happen if we end up in a nested invocation to the root view, which could potentially happen in the context of a modal loop. I could not repro that hypothesis however. Given that this is a browser crash and seems to be occurring frequently enough, I think this warrants a NULL check for the mouse_move_handler_ before calling the RootView::NotifyEnterExitOfDescendant function. I added a CHECK for the view parameter in the NotifyEnterExitOfDescendant function in case there are additional callsites added in the future. BUG=467356 TEST = Covered by views unittest RootViewTest.DeleteViewOnMouseExitDispatch Committed: https://crrev.com/43dc9613e9badb5e0c6a11d25106271d2f23899f Cr-Commit-Position: refs/heads/master@{#321414}

Patch Set 1 #

Total comments: 2

Patch Set 2 : Added a unittest #

Patch Set 3 : Fix build error #

Total comments: 6

Patch Set 4 : Address review comments #

Created: 5 years, 9 months ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+91 lines, -8 lines)			Patch
	M	ui/views/widget/root_view.cc	View	1	4 chunks	+28 lines, -8 lines	0 comments	Download
	M	ui/views/widget/root_view_unittest.cc	View	1 2 3	2 chunks	+63 lines, -0 lines	0 comments	Download

Messages

Total messages: 11 (2 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

sadrul

I think any view (with children?) that destroys itself on ET_MOUSE_EXITED would trigger this crash. ...

5 years, 9 months ago (2015-03-17 16:09:14 UTC) #3

ananta

Added a views_unittest RootViewTest.DeleteViewOnMouseExitDispatch which tests that we don't crash on return from the OnMouseExited ...

5 years, 9 months ago (2015-03-18 01:11:06 UTC) #4

sadrul

https://codereview.chromium.org/996103009/diff/40001/ui/views/widget/root_view_unittest.cc File ui/views/widget/root_view_unittest.cc (right): https://codereview.chromium.org/996103009/diff/40001/ui/views/widget/root_view_unittest.cc#newcode382 ui/views/widget/root_view_unittest.cc:382: child->RequestFocus(); Don't need focus, right? https://codereview.chromium.org/996103009/diff/40001/ui/views/widget/root_view_unittest.cc#newcode392 ui/views/widget/root_view_unittest.cc:392: root_view->OnMouseMoved(moved_event); EXPECT_FALSE ...

5 years, 9 months ago (2015-03-18 22:30:00 UTC) #5

ananta

5 years, 9 months ago (2015-03-19 00:02:55 UTC) #6

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/996103009/60001

5 years, 9 months ago (2015-03-19 19:03:36 UTC) #9

commit-bot: I haz the power

5 years, 9 months ago (2015-03-19 20:03:16 UTC) #11

Message was sent while issue was closed.

Patchset 4 (id:??) landed as
https://crrev.com/43dc9613e9badb5e0c6a11d25106271d2f23899f
Cr-Commit-Position: refs/heads/master@{#321414}

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages