Crash when labeling formerly-backgrounded tab/window with newly created label

[stephendonner]

Description

Labeling formerly-backgrounded tab with newly created label from another tab, crashes

Steps to Reproduce

1. install 1.65.90
2. launch Brave
3. open one or two tabs
4. context-click a tab and choose Add tab to group -> New group
5. name it anything and save it
6. open a new window (not tab)
7. context click this new-window's tab strip and add it to the group from step 5

Actual result:

💥

Crashes, in:

[ 00 ] views::Widget::ShouldPaintAsActive() const ( widget.cc:1406 )
[ 01 ] SavedTabGroupButton::UpdateButtonData(SavedTabGroup const&) ( saved_tab_group_button.cc:152 )
[ 02 ] SavedTabGroupBar::SavedTabGroupUpdated(base::Uuid const&) ( saved_tab_group_bar.cc:558 )
[ 03 ] SavedTabGroupModel::AddTabToGroupLocally(base::Uuid const&, SavedTabGroupTab) ( saved_tab_group_model.cc:250 )
[ 04 ] LocalTabGroupListener::AddWebContentsFromLocal(content::WebContents*, TabStripModel*, int) ( local_tab_group_listener.cc:127 )
[ 05 ] SavedTabGroupModelListener::TabGroupedStateChanged(std::__Cr::optional<tab_groups::TabGroupId>, content::WebContents*, int) ( saved_tab_group_model_listener.cc:112 )
[ 06 ] TabStripModel::GroupTab(int, tab_groups::TabGroupId const&) ( tab_strip_model.cc:2492 )
[ 07 ] TabStripModel::MoveTabsAndSetGroupImpl(std::__Cr::vector<int, std::__Cr::allocator<int>> const&, int, std::__Cr::optional<tab_groups::TabGroupId>) ( tab_strip_model.cc:2404 )
[ 08 ] TabStripModel::AddToExistingGroupImpl(std::__Cr::vector<int, std::__Cr::allocator<int>> const&, tab_groups::TabGroupId const&) ( tab_strip_model.cc:2373 )
[ 09 ] TabStripModel::AddToExistingGroup(std::__Cr::vector<int, std::__Cr::allocator<int>> const&, tab_groups::TabGroupId const&) ( tab_strip_model.cc:1119 )
[ 10 ] TabStripModel::ExecuteAddToExistingGroupCommand(int, tab_groups::TabGroupId const&) ( tab_strip_model.cc:1675 )
[ 11 ] ExistingTabGroupSubMenuModel::ExecuteExistingCommand(unsigned long) ( existing_tab_group_sub_menu_model.cc:251 )
[ 12 ] ExistingBaseSubMenuModel::ExecuteCommand(int, int) ( existing_base_sub_menu_model.cc:36 )
[ 13 ] non-virtual thunk to ExistingBaseSubMenuModel::ExecuteCommand(int, int) ( existing_base_sub_menu_model.cc:0 )
[ 14 ] ui::SimpleMenuModel::ActivatedAt(unsigned long, int) ( simple_menu_model.cc:549 )
[ 15 ] -[MenuControllerCocoa itemSelected:] ( menu_controller.mm:303 )
[ 16 ] 0x7ff80cb632b6
[ 17 ] __43-[BrowserCrApplication sendAction:to:from:]_block_invoke ( chrome_browser_application_mac.mm:372 )
[ 18 ] base::apple::CallWithEHFrame(void () block_pointer)
[ 19 ] -[BrowserCrApplication sendAction:to:from:] ( chrome_browser_application_mac.mm:371 )
[ 20 ] 0x7ff80cc4fb51
[ 21 ] 0x7ff80d2b590e
[ 22 ] 0x7ff80cc93347
[ 23 ] 0x7ff80cc932cd
[ 24 ] 0x7ff80d2ab8d5
[ 25 ] 0x7ff80d087f07
[ 26 ] 0x7ff80d087bef
[ 27 ] 0x7ff80d8acbbc
[ 28 ] 0x7ff80d03677b
[ 29 ] 0x7ff80d2b75d0
[ 30 ] 0x7ff80d2bbe6e
[ 31 ] 0x7ff80cd296a0
[ 32 ] ui::ShowContextMenu(NSMenu*, NSEvent*, NSView*, bool, ui::ElementContext) ( menu_utils.mm:83 )
[ 33 ] views::internal::MenuRunnerImplCocoa::RunMenuAt(views::Widget*, views::MenuButtonController*, gfx::Rect const&, views::MenuAnchorPosition, int, gfx::NativeView, std::__Cr::optional<gfx::RoundedCornersF>, std::__Cr::optional<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char>>>) ( menu_runner_impl_cocoa.mm:91 )
[ 34 ] views::internal::MenuRunnerImplMac::RunMenuAt(views::Widget*, views::MenuButtonController*, gfx::Rect const&, views::MenuAnchorPosition, int, gfx::NativeView, std::__Cr::optional<gfx::RoundedCornersF>, std::__Cr::optional<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char>>>) ( menu_runner_impl_mac.mm:61 )
[ 35 ] views::MenuRunner::RunMenuAt(views::Widget*, views::MenuButtonController*, gfx::Rect const&, views::MenuAnchorPosition, ui::MenuSourceType, gfx::NativeView, std::__Cr::optional<gfx::RoundedCornersF>, std::__Cr::optional<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char>>>) ( menu_runner.cc:91 )
[ 36 ] BraveTabContextMenuContents::RunMenuAt(gfx::Point const&, ui::MenuSourceType) ( brave_tab_context_menu_contents.cc:68 )
[ 37 ] views::ContextMenuController::ShowContextMenuForView(views::View*, gfx::Point const&, ui::MenuSourceType) ( context_menu_controller.cc:29 )
[ 38 ] views::View::ProcessMousePressed(ui::MouseEvent const&) ( view.cc:3511 )
[ 39 ] views::View::OnMouseEvent(ui::MouseEvent*) ( view.cc:1558 )
[ 40 ] ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) ( event_dispatcher.cc:187 )
[ 41 ] ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget*, ui::Event*) ( event_dispatcher.cc:82 )
[ 42 ] ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ( event_dispatcher.cc:54 )
[ 43 ] views::internal::RootView::OnMousePressed(ui::MouseEvent const&) ( root_view.cc:487 )
[ 44 ] views::Widget::OnMouseEvent(ui::MouseEvent*) ( widget.cc:1779 )
[ 45 ] views::NativeWidgetMacNSWindowHost::OnMouseEvent(std::__Cr::unique_ptr<ui::Event, std::__Cr::default_delete<ui::Event>>) ( native_widget_mac_ns_window_host.mm:984 )
[ 46 ] non-virtual thunk to views::NativeWidgetMacNSWindowHost::OnMouseEvent(std::__Cr::unique_ptr<ui::Event, std::__Cr::default_delete<ui::Event>>) ( native_widget_mac_ns_window_host.mm:0 )
[ 47 ] -[BridgedContentView mouseEvent:] ( bridged_content_view.mm:654 )
[ 48 ] 0x7ff80cb5d2f3
[ 49 ] 0x7ff80cad60ce
[ 50 ] 0x7ff80cad5d1f
[ 51 ] -[NativeWidgetMacNSWindow sendEvent:] ( native_widget_mac_nswindow.mm:473 )
[ 52 ] 0x7ff80d2852b6
[ 53 ] __34-[BrowserCrApplication sendEvent:]_block_invoke ( chrome_browser_application_mac.mm:420 )
[ 54 ] base::apple::CallWithEHFrame(void () block_pointer)
[ 55 ] -[BrowserCrApplication sendEvent:] ( chrome_browser_application_mac.mm:396 )
[ 56 ] 0x7ff80ce405c2
[ 57 ] 0x7ff80c96802a
[ 58 ] base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) ( message_pump_apple.mm:805 )
[ 59 ] base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) ( message_pump_apple.mm:156 )
[ 60 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) ( thread_controller_with_message_pump_impl.cc:641 )
[ 61 ] non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool, base::TimeDelta) ( thread_controller_with_message_pump_impl.cc:0 )
[ 62 ] base::RunLoop::Run(base::Location const&) ( run_loop.cc:134 )
[ 63 ] content::BrowserMainLoop::RunMainMessageLoop() ( browser_main_loop.cc:1095 )
[ 64 ] content::BrowserMainRunnerImpl::Run() ( browser_main_runner_impl.cc:160 )
[ 65 ] content::BrowserMain(content::MainFunctionParams) ( browser_main.cc:34 )
[ 66 ] content::ContentMainRunnerImpl::RunBrowser(content::MainFunctionParams, bool) ( content_main_runner_impl.cc:708 )
[ 67 ] content::ContentMainRunnerImpl::Run() ( content_main_runner_impl.cc:1144 )
[ 68 ] content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) ( content_main.cc:335 )
[ 69 ] content::ContentMain(content::ContentMainParams) ( content_main.cc:348 )
[ 70 ] ChromeMain ( chrome_main.cc:192 )
[ 71 ] main ( chrome_exe_main_mac.cc:216 )
[ 72 ] 0x7ff808ea8366

Expected result:

No crash

Reproduces how often:

100%

Brave version (brave://version info)

Brave   1.65.90 Chromium: 123.0.6312.58 (Official Build) beta (x86_64) 
Revision    f5ca64cd15d0d5c90f17b7d5213b6e2dd725d66a
OS  macOS Version 14.4.1 (Build 23E224)

Version/Channel Information:

• Can you reproduce this issue with the current release? not sure
• Can you reproduce this issue with the beta channel? yes
• Can you reproduce this issue with the nightly channel? yes

cc @rebron @bsclifton @simonhong @brave/qa-team

[iefremov]

See https://share.backtrace.io/api/share/61q8pVotJx1Fr66bNzJeUW3

There is also related but different stack, also should be checked/fixed

[ 00 ] views::Widget::ShouldPaintAsActive() const ( widget.cc:1406 )
[ 01 ] BraveSavedTabGroupButton::UpdateButtonLayout() ( brave_saved_tab_group_button.cc:45 )
[ 02 ] SavedTabGroupModel::OnGroupClosedInTabStrip(tab_groups::TabGroupId const&) ( saved_tab_group_model.cc:505 )
[ 03 ] SavedTabGroupModelListener::DisconnectLocalTabGroup(tab_groups::TabGroupId) ( saved_tab_group_model_listener.cc:226 )
[ 04 ] SavedTabGroupModelListener::WillCloseAllTabs(TabStripModel*) ( saved_tab_group_model_listener.cc:184 )
[ 05 ] TabStripModel::CloseTabs(base::span<content::WebContents* const, 18446744073709551615ul, content::WebContents* const*>, unsigned int) ( tab_strip_model.cc:1971 )
[ 06 ] TabStripModel::CloseAllTabs() ( tab_strip_model.cc:715 )
[ 07 ] UnloadController::ProcessPendingTabs(bool) ( unload_controller.cc:356 )
[ 08 ] UnloadController::CanCloseContents(content::WebContents*) ( unload_controller.cc:53 )
[ 09 ] Browser::CloseContents(content::WebContents*) ( browser.cc:1824 )
[ 10 ] non-virtual thunk to Browser::CloseContents(content::WebContents*) ( browser.cc:0 )
[ 11 ] content::WebContentsImpl::Close() ( web_contents_impl.cc:8117 )
[ 12 ] content::WebContentsImpl::Close() ( web_contents_impl.cc:8117 )
[ 13 ] base::RepeatingCallback<void ()>::Run() const & ( callback.h:344 )
[ 14 ] content::TimeoutMonitor::CheckTimedOut() ( timeout_monitor.cc:109 )
[ 15 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) ( callback.h:156 )
[ 16 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ( thread_controller_with_message_pump_impl.cc:338 )
[ 17 ] non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ( thread_controller_with_message_pump_impl.cc:0 )
[ 18 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) ( callback.h:156 )
[ 19 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ( thread_controller_with_message_pump_impl.cc:338 )
[ 20 ] non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ( thread_controller_with_message_pump_impl.cc:0 )
[ 21 ] base::MessagePumpCFRunLoopBase::RunWork() ( message_pump_apple.mm:444 )
[ 22 ] invocation function for block in base::MessagePumpCFRunLoopBase::RunWorkSource(void*) ( message_pump_apple.mm:416 )
[ 23 ] base::apple::CallWithEHFrame(void () block_pointer)
[ 24 ] 0x1827f9eac

[GeetaSarvadnya]

Reproduced the issue on Windows 10 x64 - 1.65.114

[simonhong]

Looking now

[MadhaviSeelam]

Reproduced the issue in Win 11 x64 using both 1.67.18 & 1.65.118.

Status: | Uploaded
-- | --
Uploaded Crash Report ID: | 0a4a1900-3218-d60b-0000-000000000000
Upload Time: | Tuesday, April 23, 2024 at 1:20:26 PM

[MadhaviSeelam]

Verification PASSED using

Brave | 1.67.35 Chromium: 124.0.6367.60 (Official Build) nightly (64-bit)
-- | --
Revision | cf6b916e6e68f45b10d6ccebe4530f7319c3d1aa
OS | Windows 11 Version 23H2 (Build 22631.3447)

1. Installed 1.67.35
2. launched Brave
3. open one or two tabs (BBC.com & CNN.com)
4. context-click a tab and choose Add tab to group -> New group
5. name it anything and save it (news)
6. open a new window (not tab) (
7. context click this new-window's tab strip and add it to the group from step 5

Confirmed no crash occurred

https://github.com/brave/brave-browser/assets/98358127/ab37a03c-0d9c-4812-a30d-c99170a69c75

[LaurenWags]

Requires 1.65.120 or higher to test

[GeetaSarvadnya]

Verification PASSED on

Brave | 1.65.120 Chromium: 124.0.6367.60 (Official Build) (64-bit)
-- | --
Revision | e956d45423c37e9f83f250e5a0405bf1fbb40e4d
OS | Windows 10 Version 22H2 (Build 19045.4291)

Verified the STR from the description and confirmed that no crash occurred while adding new windows tab to existing Tab group