brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Crash in TabGroupSyncDelegateDesktop::UpdateLocalTabGroup #41601

Open proxyfoxdev opened 1 month ago

proxyfoxdev commented 1 month ago

IMPORTANT: Your crash has already been automatically reported to our crash system. Please file this bug only if you can provide more information about it.

Brave Version: 1.70.126 Chromium: 129.0.6668.100 Operating System: Windows NT 10.0.22631

URL (if applicable) where crash occurred:

Can you reproduce this crash?

What steps will reproduce this crash? (If it's not reproducible, what were you doing just before the crash?)

  1. Woke laptop from hibernation
  2. Closed a tab
  3. Pressed ctrl+shift+t to reopen tab
  4. Brave crashed

DO NOT CHANGE BELOW THIS LINE Crash ID: crash/b32c2800-1893-b30c-0000-000000000000

iefremov commented 1 month ago

https://share.backtrace.io/api/share/mYux1mwkQx3yJx3JEQx18AuPs1

[ 00 ] __libcpp_hardening_failure() ( __assertion_handler:26 )
[ 01 ] tab_groups::TabGroupSyncDelegateDesktop::UpdateLocalTabGroup(tab_groups::SavedTabGroup const &) ( tab_group_sync_delegate_desktop.cc:140 )
[ 02 ] partition_alloc::ThreadCache::MaybePutInCache(unsigned __int64,unsigned __int64) ( thread_cache.h:492 )
[ 03 ] partition_alloc::PartitionRoot::RawFreeWithThreadCache(unsigned __int64,void *,partition_alloc::internal::SlotSpanMetadata *) ( partition_root.h:1720 )
[ 04 ] partition_alloc::PartitionRoot::FreeNoHooksImmediate(void *,partition_alloc::internal::SlotSpanMetadata *,unsigned __int64) ( partition_root.h:1581 )
[ 05 ] partition_alloc::PartitionRoot::FreeInline(void *) ( partition_root.h:1496 )
[ 06 ] partition_alloc::PartitionRoot::FreeInlineInUnknownRoot(void *) ( partition_root.h:1416 )
[ 07 ] allocator_shim::internal::PartitionFree(void *,void *) ( allocator_shim_default_dispatch_to_partition_alloc.cc:387 )
[ 08 ] 0xa00000004
[ 09 ] tab_groups::TabGroupSyncCoordinatorImpl::ConnectLocalTabGroup(base::Uuid const &,tab_groups::TabGroupId const &) ( tab_group_sync_coordinator_impl.cc:54 )
[ 10 ] common_strnlen_c(unsigned short const * const,unsigned __int64 const) ( strnlen.cpp:76 )
[ 11 ] common_strnlen_simd(unsigned short const * const,unsigned __int64 const) ( strnlen.cpp:130 )
[ 12 ] common_strnlen(unsigned short const * const,unsigned __int64 const) ( strnlen.cpp:189 )
[ 13 ] wcslen(wchar_t const *) ( strnlen.cpp:220 )
[ 14 ] absl::inlined_vector_internal::Storage<ipcz::Ref<ipcz::Router>,4,std::__Cr::allocator<ipcz::Ref<ipcz::Router> > >::~Storage() ( inlined_vector.h:348 )
[ 15 ] absl::InlinedVector<ipcz::Ref<ipcz::Router>,4,std::__Cr::allocator<ipcz::Ref<ipcz::Router> > >::~InlinedVector() ( inlined_vector.h:296 )
[ 16 ] ipcz::RemoteRouterLink::AcceptParcel(std::__Cr::unique_ptr<ipcz::Parcel,std::__Cr::default_delete<ipcz::Parcel> >) ( remote_router_link.cc:366 )
[ 17 ] RtlUnwind
[ 18 ] RtlUnwind
[ 19 ] partition_alloc::ThreadCache::GetFromCache(unsigned __int64,unsigned __int64 *) ( thread_cache.h:573 )
[ 20 ] partition_alloc::PartitionRoot::AllocInternalNoHooks(unsigned __int64,unsigned __int64) ( partition_root.h:2130 )
[ 21 ] partition_alloc::PartitionRoot::AllocInternal(unsigned __int64,unsigned __int64,char const *) ( partition_root.h:2075 )
[ 22 ] partition_alloc::PartitionRoot::AllocInline(unsigned __int64,char const *) ( partition_root.h:508 )
[ 23 ] allocator_shim::internal::PartitionMalloc(unsigned __int64,void *) ( allocator_shim_default_dispatch_to_partition_alloc.cc:204 )
[ 24 ] absl::inlined_vector_internal::Storage<ipcz::Ref<ipcz::Router>,4,std::__Cr::allocator<ipcz::Ref<ipcz::Router> > >::~Storage() ( inlined_vector.h:348 )
[ 25 ] absl::InlinedVector<ipcz::Ref<ipcz::Router>,4,std::__Cr::allocator<ipcz::Ref<ipcz::Router> > >::~InlinedVector() ( inlined_vector.h:296 )
[ 26 ] ipcz::RemoteRouterLink::AcceptParcel(std::__Cr::unique_ptr<ipcz::Parcel,std::__Cr::default_delete<ipcz::Parcel> >) ( remote_router_link.cc:366 )
[ 27 ] 0xde89b00e77a5
[ 28 ] sessions::TabRestoreServiceImpl::RestoreMostRecentEntry(sessions::LiveTabContext *) ( tab_restore_service_impl.cc:1608 )
[ 29 ] chrome::RestoreTab(Browser *) ( browser_tab_restorer.cc:112 )
[ 30 ] RtlUnwind
[ 31 ] chrome::BrowserCommandController::ExecuteCommandWithDisposition(int,WindowOpenDisposition,base::TimeTicks) ( browser_command_controller.cc:535 )
[ 32 ] BraveBrowserView::AcceleratorPressed(ui::Accelerator const &) ( brave_browser_view.cc:1170 )
[ 33 ] ui::AcceleratorManager::AcceleratorTargetInfo::TryProcess(ui::Accelerator const &) ( accelerator_manager.cc:152 )
[ 34 ] ui::AcceleratorManager::Process(ui::Accelerator const &) ( accelerator_manager.cc:83 )
[ 35 ] views::FocusManager::ProcessAccelerator(ui::Accelerator const &) ( focus_manager.cc:483 )
[ 36 ] chrome::BrowserCommandController::IsReservedCommandOrKey(int,input::NativeWebKeyboardEvent const &) ( browser_command_controller.cc:297 )
[ 37 ] BrowserView::PreHandleKeyboardEvent(input::NativeWebKeyboardEvent const &) ( browser_view.cc:3356 )
[ 38 ] content::WebContentsImpl::PreHandleKeyboardEvent(input::NativeWebKeyboardEvent const &) ( web_contents_impl.cc:3899 )
[ 39 ] content::RenderViewHostImpl::MayRenderWidgetForwardKeyboardEvent(input::NativeWebKeyboardEvent const &) ( render_view_host_impl.cc:876 )
[ 40 ] content::RenderWidgetHostImpl::ForwardKeyboardEventWithCommands(input::NativeWebKeyboardEvent const &,ui::LatencyInfo const &,std::__Cr::vector<mojo::InlinedStructPtr<blink::mojom::EditCommand>,std::__Cr::allocator<mojo::InlinedStructPtr<blink::mojom::EditCommand> > >,bool *) ( render_widget_host_impl.cc:1662 )
[ 41 ] partition_alloc::ThreadCache::MaybePutInCache(unsigned __int64,unsigned __int64) ( thread_cache.h:492 )
[ 42 ] partition_alloc::PartitionRoot::RawFreeWithThreadCache(unsigned __int64,void *,partition_alloc::internal::SlotSpanMetadata *) ( partition_root.h:1720 )
[ 43 ] partition_alloc::PartitionRoot::FreeNoHooksImmediate(void *,partition_alloc::internal::SlotSpanMetadata *,unsigned __int64) ( partition_root.h:1581 )
[ 44 ] partition_alloc::PartitionRoot::FreeInline(void *) ( partition_root.h:1496 )
[ 45 ] partition_alloc::PartitionRoot::FreeInlineInUnknownRoot(void *) ( partition_root.h:1416 )
[ 46 ] allocator_shim::internal::PartitionFree(void *,void *) ( allocator_shim_default_dispatch_to_partition_alloc.cc:387 )
[ 47 ] __libcpp_operator_delete(void *) ( new:274 )
[ 48 ] __do_deallocate_handle_size(void *,unsigned __int64) ( new:296 )
[ 49 ] __libcpp_deallocate(void *,unsigned __int64,unsigned __int64) ( new:311 )
[ 50 ] std::__Cr::allocator<base::raw_ptr<content::FrameTreeNode,1> >::deallocate(base::raw_ptr<content::FrameTreeNode,1> *,unsigned __int64) ( allocator.h:118 )
[ 51 ] std::__Cr::allocator_traits<std::__Cr::allocator<base::raw_ptr<content::FrameTreeNode,1> > >::deallocate(std::__Cr::allocator<base::raw_ptr<content::FrameTreeNode,1> > &,base::raw_ptr<content::FrameTreeNode,1> *,unsigned __int64) ( allocator_traits.h:312 )
[ 52 ] std::__Cr::vector<base::raw_ptr<content::FrameTreeNode,1>,std::__Cr::allocator<base::raw_ptr<content::FrameTreeNode,1> > >::__destroy_vector::operator()() ( vector:531 )
[ 53 ] std::__Cr::vector<base::raw_ptr<content::FrameTreeNode,1>,std::__Cr::allocator<base::raw_ptr<content::FrameTreeNode,1> > >::~vector() ( vector:540 )
[ 54 ] content::FrameTree::NodeRange::~NodeRange() ( frame_tree.cc:189 )
[ 55 ] content::FrameTree::FindByID(int) ( frame_tree.cc:262 )
[ 56 ] content::WebContentsImpl::GetFocusedFrameTree() ( web_contents_impl.cc:8352 )
[ 57 ] content::WebContentsImpl::GetFocusedRenderWidgetHost(content::RenderWidgetHostImpl *) ( web_contents_impl.cc:4025 )
[ 58 ] content::RenderWidgetHostViewAura::ForwardKeyboardEventWithLatencyInfo(input::NativeWebKeyboardEvent const &,ui::LatencyInfo const &,bool *) ( render_widget_host_view_aura.cc:2795 )
[ 59 ] content::RenderWidgetHostViewEventHandler::OnKeyEvent(ui::KeyEvent *) ( render_widget_host_view_event_handler.cc:272 )
[ 60 ] base::circular_deque<base::raw_ptr<ui::EventDispatcher,1> >::push_back(base::raw_ptr<ui::EventDispatcher,1> &&) ( circular_deque.h:987 )
[ 61 ] std::__Cr::stack<base::raw_ptr<ui::EventDispatcher,1>,base::circular_deque<base::raw_ptr<ui::EventDispatcher,1> > >::push(base::raw_ptr<ui::EventDispatcher,1> &&) ( stack:241 )
[ 62 ] ui::EventDispatcher::DispatchEventToEventHandlers(std::__Cr::vector<base::raw_ptr<ui::EventHandler,1>,std::__Cr::allocator<base::raw_ptr<ui::EventHandler,1> > > *,ui::Event *) ( event_dispatcher.cc:174 )
[ 63 ] ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *) ( event_dispatcher.cc:137 )
[ 64 ] ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *) ( event_dispatcher.cc:82 )
[ 65 ] ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *) ( event_dispatcher.cc:54 )
[ 66 ] ui::EventProcessor::OnEventFromSource(ui::Event *) ( event_processor.cc:21 )
[ 67 ] aura::WindowTreeHost::DispatchKeyEventPostIME(ui::KeyEvent *) ( window_tree_host.cc:312 )
[ 68 ] ui::InputMethodWinBase::ProcessUnhandledKeyEvent(ui::KeyEvent *,std::__Cr::vector<CHROME_MSG,std::__Cr::allocator<CHROME_MSG> > const *) ( input_method_win_base.cc:507 )
[ 69 ] RtlUnwind
[ 70 ] std::__Cr::unique_ptr<HKL__ *[],std::__Cr::default_delete<HKL__ *[]> >::reset(void) ( unique_ptr.h:469 )
[ 71 ] ui::InputMethodWinBase::DispatchKeyEvent(ui::KeyEvent *) ( input_method_win_base.cc:242 )
[ 72 ] RtlUnwind
[ 73 ] operator new(unsigned __int64) ( new_scalar.cpp:36 )
[ 74 ] RtlUnwind
[ 75 ] aura::WindowEventDispatcher::PreDispatchKeyEvent(aura::Window *,ui::KeyEvent *) ( window_event_dispatcher.cc:1110 )
[ 76 ] __libcpp_operator_new(unsigned __int64) ( new:265 )
[ 77 ] __libcpp_allocate(unsigned __int64,unsigned __int64) ( new:289 )
[ 78 ] std::__Cr::allocator<base::raw_ptr<aura::Window,1> >::allocate(unsigned __int64) ( allocator.h:103 )
[ 79 ] __allocate_at_least(std::__Cr::allocator<base::raw_ptr<aura::Window,1> > &,unsigned __int64) ( allocate_at_least.h:41 )
[ 80 ] std::__Cr::__split_buffer<base::raw_ptr<aura::Window,1>,std::__Cr::allocator<base::raw_ptr<aura::Window,1> > &>::__split_buffer(unsigned __int64,unsigned __int64,std::__Cr::allocator<base::raw_ptr<aura::Window,1> > &) ( __split_buffer:353 )
[ 81 ] std::__Cr::vector<base::raw_ptr<aura::Window,1>,std::__Cr::allocator<base::raw_ptr<aura::Window,1> > >::__push_back_slow_path(base::raw_ptr<aura::Window,1> &&) ( vector:1497 )
[ 82 ] std::__Cr::vector<base::raw_ptr<aura::Window,1>,std::__Cr::allocator<base::raw_ptr<aura::Window,1> > >::push_back(base::raw_ptr<aura::Window,1> &&) ( vector:1525 )
[ 83 ] aura::WindowTracker::Add(aura::Window *) ( window_tracker.cc:29 )
[ 84 ] aura::WindowEventDispatcher::PreDispatchMouseEvent(aura::Window *,ui::MouseEvent *) ( window_event_dispatcher.cc:1027 )
[ 85 ] aura::WindowEventDispatcher::PreDispatchEvent(ui::EventTarget *,ui::Event *) ( window_event_dispatcher.cc:566 )
[ 86 ] ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *) ( event_dispatcher.cc:51 )
[ 87 ] ui::EventProcessor::OnEventFromSource(ui::Event *) ( event_processor.cc:21 )
[ 88 ] ui::EventSource::DeliverEventToSink(ui::Event *) ( event_source.cc:119 )
[ 89 ] ui::EventSource::SendEventToSinkFromRewriter(ui::Event const *,ui::EventRewriter const *) ( event_source.cc:134 )
[ 90 ] ui::EventSource::SendEventToSink(ui::Event const *) ( event_source.cc:113 )
[ 91 ] views::DesktopWindowTreeHostWin::HandleKeyEvent(ui::KeyEvent *) ( desktop_window_tree_host_win.cc:1127 )
[ 92 ] ui::KeyEvent::KeyEvent(CHROME_MSG const &,int) ( event.cc:789 )
[ 93 ] views::HWNDMessageHandler::OnKeyEvent(unsigned int,unsigned __int64,__int64) ( hwnd_message_handler.cc:2023 )
[ 94 ] RtlUnwind
[ 95 ] views::HWNDMessageHandler::_ProcessWindowMessage(HWND__ *,unsigned int,unsigned __int64,__int64,__int64 &,unsigned long) ( hwnd_message_handler.h:422 )
[ 96 ] views::HWNDMessageHandler::OnWndProc(unsigned int,unsigned __int64,__int64) ( hwnd_message_handler.cc:1078 )
[ 97 ] gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned __int64,__int64) ( window_impl.cc:310 )
[ 98 ] base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>(HWND__ *,unsigned int,unsigned __int64,__int64) ( wrapped_window_proc.h:77 )
[ 99 ] UserCallWinProcCheckWow
[ 100 ] DispatchMessageWorker
[ 101 ] base::MessagePumpForUI::ProcessMessageHelper(tagMSG const &) ( message_pump_win.cc:615 )
[ 102 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoIdleWork() ( thread_controller_with_message_pump_impl.cc:612 )
[ 103 ] base::MessagePumpForUI::DoRunLoop() ( message_pump_win.cc:245 )
[ 104 ] base::MessagePumpWin::Run(base::MessagePump::Delegate *) ( message_pump_win.cc:84 )
[ 105 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool,base::TimeDelta) ( thread_controller_with_message_pump_impl.cc:657 )
[ 106 ] base::RunLoop::Run(base::Location const &) ( run_loop.cc:136 )
[ 107 ] content::BrowserMainLoop::RunMainMessageLoop() ( browser_main_loop.cc:1101 )
[ 108 ] content::BrowserMainRunnerImpl::Run() ( browser_main_runner_impl.cc:157 )
[ 109 ] content::BrowserMain(content::MainFunctionParams) ( browser_main.cc:34 )
[ 110 ] RunBrowserProcessMain(content::MainFunctionParams,content::ContentMainDelegate *) ( content_main_runner_impl.cc:732 )
[ 111 ] content::ContentMainRunnerImpl::RunBrowser(content::MainFunctionParams,bool) ( content_main_runner_impl.cc:1306 )
[ 112 ] content::ContentMainRunnerImpl::Run() ( content_main_runner_impl.cc:1158 )
[ 113 ] RunContentProcess(content::ContentMainParams,content::ContentMainRunner *) ( content_main.cc:331 )
[ 114 ] content::ContentMain(content::ContentMainParams) ( content_main.cc:344 )
[ 115 ] ChromeMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,__int64,__int64,__int64) ( chrome_main.cc:232 )
[ 116 ] MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks) ( main_dll_loader_win.cc:201 )
[ 117 ] wWinMain(HINSTANCE__ *,HINSTANCE__ *,wchar_t *,int) ( chrome_exe_main_win.cc:351 )
[ 118 ] invoke_main() ( exe_common.inl:118 )
[ 119 ] __scrt_common_main_seh() ( exe_common.inl:288 )
[ 120 ] BaseThreadInitThunk
[ 121 ] RtlUserThreadStart

iefremov commented 1 month ago

@proxyfoxdev do you have Sync enabled?

iefremov commented 1 month ago

also @proxyfoxdev do you have anything on brave://flags toggled?

AlexeyBarabash commented 1 month ago

According to the crash stack, crash happened at

      web_contents_to_uuid.emplace(
          web_contents,
          group.saved_tabs()[i - tab_range.start()].saved_tab_guid());

source.chromium.org link

It looks like i - tab_range.start() is beyond group.saved_tabs() size or is negative.

There is no Brave code in this crash stack except BraveBrowserView::AcceleratorPressed, which is responsible for Ctrl+Shift+T.

I have also tried to reproduce the crash.

User has 130.1.71.114/Ubuntu

I have 1.71.114 Chromium: 130.0.6723.58 (Official Build) (64-bit)/ Ubuntu 22.04.5 LTS / Ubuntu 24

I have enabled the flags which the user has, and which were disabled by default:

brave://flags/#tab-groups-save-v2
brave://flags/#tab-group-sync-service-desktop-migration
brave://flags/#tab-groups-save-ui-update
brave://flags/#brave-shared-pinned-tabs

Established sync between two different computers, both have tab group sync data type enabled.

The Save Group option wasn't available in the tab context menu for some reason, which is a different bug.

Created a tab group, closed one tab; put 2nd computer into sleep, woke up, ctrl+shift+T.

Got no crash.

Marking the issue Needs more info.

iefremov commented 1 month ago

Decreasing the priority as this is a rare crash, but I think we can try to avoid the crash condition and add DumpWithoutCrashing for future debugging.
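
The shape of the crash discussed above (frame [00] is `__libcpp_hardening_failure`, so libc++'s hardened bounds check stopped the out-of-range read of `group.saved_tabs()[i - tab_range.start()]` with an abort) and the mitigation proposed in this thread (validate the condition up front and call DumpWithoutCrashing instead of crashing) as an added, self-contained illustration. This is not Brave or Chromium code and not the contents of the linked PR: `SavedTab`, `SavedTabGroup`, `TabRange`, `Diagnostics`, `RangeMatchesSavedTabs`, `MapLocalTabsToGuids` and the `DumpWithoutCrashing` stand-in are all constructed here to mirror the quoted loop, and the tab ids and GUIDs are made-up sample data.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Constructed stand-ins for the Chromium types named in the crash stack.
// They are illustration only and are not the real tab_groups:: classes.
struct SavedTab {
  std::string saved_tab_guid;
};
struct SavedTabGroup {
  std::vector<SavedTab> saved_tabs;
};
// Local tab indices [start, end) that the saved group is expected to cover.
struct TabRange {
  int start;
  int end;
};
using WebContents = int;  // stand-in: a local tab handle

// Records what a DumpWithoutCrashing call would have reported.
struct Diagnostics {
  int dumps = 0;
  std::string last_reason;
};

// Stand-in for base::debug::DumpWithoutCrashing(): capture a report and return
// so the caller can bail out instead of tripping the hardened bounds check.
inline void DumpWithoutCrashing(Diagnostics& diag, const std::string& why) {
  ++diag.dumps;
  diag.last_reason = why;
}

// True when every local index i in [start, end) maps to a valid saved tab at
// i - start and to an existing local tab. Any mismatch is the crash condition
// (negative offset or offset beyond saved_tabs.size()).
bool RangeMatchesSavedTabs(const SavedTabGroup& group, const TabRange& range,
                           std::size_t local_tab_count) {
  if (range.start < 0 || range.end < range.start) return false;
  const std::size_t span = static_cast<std::size_t>(range.end - range.start);
  if (span != group.saved_tabs.size()) return false;
  return static_cast<std::size_t>(range.end) <= local_tab_count;
}

// Hardened form of the loop quoted in the thread: validate once, dump and
// return an empty map on mismatch, otherwise build the same mapping.
std::map<WebContents, std::string> MapLocalTabsToGuids(
    const SavedTabGroup& group, const TabRange& range,
    const std::vector<WebContents>& local_tabs, Diagnostics& diag) {
  std::map<WebContents, std::string> web_contents_to_uuid;
  if (!RangeMatchesSavedTabs(group, range, local_tabs.size())) {
    DumpWithoutCrashing(
        diag, "tab range [" + std::to_string(range.start) + "," +
                  std::to_string(range.end) + ") vs " +
                  std::to_string(group.saved_tabs.size()) + " saved tabs");
    return web_contents_to_uuid;
  }
  for (int i = range.start; i < range.end; ++i) {
    // Checked above: i < local_tabs.size() and i - start < saved_tabs.size().
    const std::size_t saved_index = static_cast<std::size_t>(i - range.start);
    web_contents_to_uuid.emplace(local_tabs[static_cast<std::size_t>(i)],
                                 group.saved_tabs[saved_index].saved_tab_guid);
  }
  return web_contents_to_uuid;
}

int main() {
  Diagnostics diag;
  // Constructed sample data: three saved tabs, five local tabs.
  SavedTabGroup group{{SavedTab{"guid-a"}, SavedTab{"guid-b"}, SavedTab{"guid-c"}}};
  std::vector<WebContents> tabs{10, 11, 12, 13, 14};

  auto ok = MapLocalTabsToGuids(group, TabRange{1, 4}, tabs, diag);
  std::cout << "consistent: " << ok.size() << " mapped, dumps=" << diag.dumps << '\n';

  // One more local tab than saved tabs: the unchecked loop would have read
  // saved_tabs[3] of a 3-element vector, the shape of the reported crash.
  auto bad = MapLocalTabsToGuids(group, TabRange{1, 5}, tabs, diag);
  std::cout << "mismatch: " << bad.size() << " mapped, dumps=" << diag.dumps
            << " (" << diag.last_reason << ")\n";
  return 0;
}
```

The check is deliberately done once before the loop rather than per iteration: if the local range and the saved group disagree, the whole mapping is suspect, so the function records the mismatch and returns nothing instead of half a map, and the recorded reason carries exactly the numbers a future crash report would need.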

AlexeyBarabash commented 2 weeks ago

I have created a PR https://github.com/brave/brave-core/pull/26504 to use DumpWithoutCrashing to get more info about the crash before it happens.