C68: crash switching tabs after closing the active one

ltilve commented 6 years ago

When changing to a previously opened tab after closing the visible one, the browser is crashing.

Thread 1 "brave" received signal SIGSEGV, Segmentation fault.
base::SequenceToken::IsValid (this=0x3636363636363636) at ./../../base/sequence_token.cc:37
37    return token_ != kInvalidSequenceToken;
Missing separate debuginfos, use: dnf debuginfo-install GConf2-3.2.6-20.fc28.x86_64 PackageKit-gtk3-module-1.1.10-1.fc28.x86_64 alsa-lib-1.1.6-2.fc28.x86_64 at-spi2-atk-2.26.2-1.fc28.x86_64 at-spi2-core-2.28.0-1.fc28.x86_64 atk-2.28.1-1.fc28.x86_64 avahi-libs-0.7-12.fc28.x86_64 bzip2-libs-1.0.6-26.fc28.x86_64 cairo-1.15.12-2.fc28.x86_64 cairo-gobject-1.15.12-2.fc28.x86_64 cups-libs-2.2.6-15.fc28.x86_64 dbus-glib-0.110-2.fc28.x86_64 dbus-libs-1.12.8-1.fc28.x86_64 dconf-0.28.0-1.fc28.x86_64 expat-2.2.5-3.fc28.x86_64 flac-libs-1.3.2-7.fc28.x86_64 fontconfig-2.13.0-4.fc28.x86_64 freetype-2.8-10.fc28.x86_64 fribidi-1.0.2-1.fc28.x86_64 gdk-pixbuf2-2.36.12-1.fc28.x86_64 glib2-2.56.1-4.fc28.x86_64 gmp-6.1.2-7.fc28.x86_64 gnutls-3.6.2-3.fc28.x86_64 graphite2-1.3.10-5.fc28.x86_64 gsm-1.0.17-5.fc28.x86_64 gtk3-3.22.30-1.fc28.x86_64 gvfs-client-1.36.2-1.fc28.x86_64 harfbuzz-1.7.5-3.fc28.x86_64 keyutils-libs-1.5.10-6.fc28.x86_64 krb5-libs-1.16.1-7.fc28.x86_64 libICE-1.0.9-12.fc28.x86_64 libSM-1.2.2-8.fc28.x86_64 libX11-1.6.5-7.fc28.x86_64 libX11-xcb-1.6.5-7.fc28.x86_64 libXScrnSaver-1.2.2-14.fc28.x86_64 libXau-1.0.8-11.fc28.x86_64 libXcomposite-0.4.4-12.fc28.x86_64 libXcursor-1.1.15-1.fc28.x86_64 libXdamage-1.1.4-12.fc28.x86_64 libXext-1.3.3-8.fc28.x86_64 libXfixes-5.0.3-5.fc28.x86_64 libXi-1.7.9-6.fc28.x86_64 libXinerama-1.1.3-10.fc28.x86_64 libXrandr-1.5.1-5.fc28.x86_64 libXrender-0.9.10-5.fc28.x86_64 libXtst-1.2.3-5.fc28.x86_64 libasyncns-0.8-14.fc28.x86_64 libblkid-2.32-2.fc28.x86_64 libcanberra-0.30-16.fc28.x86_64 libcanberra-gtk3-0.30-16.fc28.x86_64 libcap-2.25-9.fc28.x86_64 libcom_err-1.43.8-2.fc28.x86_64 libdatrie-0.2.9-7.fc28.x86_64 libepoxy-1.5.2-1.fc28.x86_64 libffi-3.1-16.fc28.x86_64 libgcc-8.1.1-1.fc28.x86_64 libgcrypt-1.8.3-1.fc28.x86_64 libgpg-error-1.31-1.fc28.x86_64 libidn2-2.0.5-1.fc28.x86_64 libmount-2.32-2.fc28.x86_64 libogg-1.3.2-10.fc28.x86_64 libpng-1.6.34-3.fc28.x86_64 libsecret-0.18.6-1.fc28.x86_64 libselinux-2.8-1.fc28.x86_64 libsndfile-1.0.28-7.fc28.x86_64 libstdc++-8.1.1-1.fc28.x86_64 libtasn1-4.13-2.fc28.x86_64 libtdb-1.3.15-4.fc28.x86_64 libthai-0.1.27-2.fc28.x86_64 libtool-ltdl-2.4.6-24.fc28.x86_64 libunistring-0.9.10-1.fc28.x86_64 libuuid-2.32-2.fc28.x86_64 libvorbis-1.3.6-1.fc28.x86_64 libwayland-client-1.15.0-1.fc28.x86_64 libwayland-cursor-1.15.0-1.fc28.x86_64 libwayland-egl-1.15.0-1.fc28.x86_64 libxcb-1.13-1.fc28.x86_64 libxcrypt-4.0.1-1.fc28.x86_64 libxkbcommon-0.8.0-2.fc28.x86_64 lz4-libs-1.8.1.2-4.fc28.x86_64 nettle-3.4-2.fc28.x86_64 nspr-4.19.0-1.fc28.x86_64 nss-3.37.3-1.1.fc28.x86_64 nss-mdns-0.14.1-1.fc28.x86_64 nss-softokn-3.37.3-1.1.fc28.x86_64 nss-softokn-freebl-3.37.3-1.1.fc28.x86_64 nss-util-3.37.3-1.0.fc28.x86_64 openssl-libs-1.1.0h-3.fc28.x86_64 p11-kit-0.23.12-1.fc28.x86_64 p11-kit-trust-0.23.12-1.fc28.x86_64 pango-1.42.1-2.fc28.x86_64 pcre-8.42-1.fc28.x86_64 pcre2-10.31-4.fc28.x86_64 pixman-0.34.0-8.fc28.x86_64 pulseaudio-libs-11.1-18.fc28.1.x86_64 sqlite-libs-3.22.0-4.fc28.x86_64 systemd-libs-238-8.git0e0aa59.fc28.x86_64 xz-libs-5.2.4-2.fc28.x86_64 zlib-1.2.11-8.fc28.x86_64
(gdb) bt
#0  0x00007ffff7b60b0c in base::SequenceToken::IsValid() const (this=0x3636363636363636) at ./../../base/sequence_token.cc:37
#1  0x00007ffff7b9dea9 in base::SequenceCheckerImpl::Core::CalledOnValidSequence() const (this=0x3636363636363636) at ./../../base/sequence_checker_impl.cc:21
#2  0x00007ffff7b609a5 in base::SequenceCheckerImpl::CalledOnValidSequence() const (this=0x10c913de8e48) at ./../../base/sequence_checker_impl.cc:43
#3  0x00007ffff7b7b5f3 in base::SupportsUserData::GetUserData(void const*) const (this=0x10c913de8e28, key=0x58a7c28 <content::WebContentsUserData<resource_coordinator::TabLifecycleUnitSource::TabLifecycleUnitHolder>::kLocatorKey>) at ./../../base/supports_user_data.cc:16
#4  0x0000000001d65522 in content::WebContentsUserData<resource_coordinator::TabLifecycleUnitSource::TabLifecycleUnitHolder>::FromWebContents(content::WebContents*) (
    contents=0x10c913de8e20) at ../../content/public/browser/web_contents_user_data.h:47
#5  0x0000000001d64439 in resource_coordinator::TabLifecycleUnitSource::GetTabLifecycleUnit(content::WebContents*) const (this=0x10c90fbd0720, web_contents=0x10c913de8e20)
    at ../../chrome/browser/resource_coordinator/tab_lifecycle_unit_source.cc:98
#6  0x0000000001d645c1 in resource_coordinator::TabLifecycleUnitSource::UpdateFocusedTab() (this=0x10c90fbd0720)
    at ../../chrome/browser/resource_coordinator/tab_lifecycle_unit_source.cc:121
#7  0x0000000001d65389 in resource_coordinator::TabLifecycleUnitSource::OnBrowserSetLastActive(Browser*) (this=0x10c90fbd0720, browser=0x10c90fa9b620)
    at ../../chrome/browser/resource_coordinator/tab_lifecycle_unit_source.cc:212
#8  0x0000000001da65c8 in BrowserTabStripTracker::OnBrowserSetLastActive(Browser*) (this=0x10c90fbd0768, browser=0x10c90fa9b620) at ../../chrome/browser/ui/browser_tab_strip_tracker.cc:96
#9  0x00000000018fb244 in BrowserList::SetLastActive(Browser*) (browser=0x10c90fa9b620) at ../../chrome/browser/ui/browser_list.cc:279
#10 0x00000000020fbcd8 in atom::api::Window::OnWindowFocus() (this=0x10c9107732c0) at ../../electron/atom/browser/api/atom_api_window.cc:204
#11 0x000000000213bc33 in atom::NativeWindow::NotifyWindowFocus() (this=0x10c910597420) at ../../electron/atom/browser/native_window.cc:461
#12 0x00000000011d3d6f in base::internal::FunctorTraits<void (google_apis::UrlFetchRequestBase::*)(), void>::Invoke<void (google_apis::UrlFetchRequestBase::*)(), base::WeakPtr<google_apis::drive::SingleBatchableDelegateRequest> const&>(void (google_apis::UrlFetchRequestBase::*)(), base::WeakPtr<google_apis::drive::SingleBatchableDelegateRequest> const&) (method=(void (google_apis::UrlFetchRequestBase::*)(google_apis::UrlFetchRequestBase * const)) 0x213bbb0 <atom::NativeWindow::NotifyWindowFocus()>, receiver_ptr=...) at ../../base/bind_internal.h:447
#13 0x00000000011d3cea in base::internal::InvokeHelper<true, void>::MakeItSo<void (google_apis::UrlFetchRequestBase::* const&)(), base::WeakPtr<google_apis::drive::SingleBatchableDelegateRequest> const&>(void (google_apis::UrlFetchRequestBase::* const&)(), base::WeakPtr<google_apis::drive::SingleBatchableDelegateRequest> const&) (functor=@0x10c9108be140: (void (google_apis::UrlFetchRequestBase::*)(google_apis::UrlFetchRequestBase * const)) 0x213bbb0 <atom::NativeWindow::NotifyWindowFocus()>, weak_ptr=...) at ../../base/bind_internal.h:567
#14 0x00000000011d3c80 in base::internal::Invoker<base::internal::BindState<void (google_apis::UrlFetchRequestBase::*)(), base::WeakPtr<google_apis::drive::SingleBatchableDelegateRequest> >, void ()>::RunImpl<void (google_apis::UrlFetchRequestBase::* const&)(), std::__1::tuple<base::WeakPtr<google_apis::drive::SingleBatchableDelegateRequest> > const&, 0ul>(void (google_apis::UrlFetchRequestBase::* const&)(), std::__1::tuple<base::WeakPtr<google_apis::drive::SingleBatchableDelegateRequest> > const&, std::__1::integer_sequence<unsigned long, 0ul>) (functor=@0x10c9108be140: (void (google_apis::UrlFetchRequestBase::*)(google_apis::UrlFetchRequestBase * const)) 0x213bbb0 <atom::NativeWindow::NotifyWindowFocus()>, bound=...)
    at ../../base/bind_internal.h:621
#15 0x00000000011d3bcc in base::internal::Invoker<base::internal::BindState<void (google_apis::UrlFetchRequestBase::*)(), base::WeakPtr<google_apis::drive::SingleBatchableDelegateRequest> >, void ()>::Run(base::internal::BindStateBase*) (base=0x10c9108be120) at ../../base/bind_internal.h:603
#16 0x00007ffff7a21e8e in base::OnceCallback<void ()>::Run() && (this=0x7fffffff7b98) at ../../base/callback.h:96
#17 0x00007ffff79eb832 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) (this=0x10c90ef3a868, queue_function=0x7ffff7925f00 "MessageLoop::PostTask", pending_task=0x7fffffff7b98) at ./../../base/debug/task_annotator.cc:101
#18 0x00007ffff7a80acd in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) (this=0x10c90ef3a820, pending_task=0x7fffffff7b98)
    at ./../../base/message_loop/incoming_task_queue.cc:124
#19 0x00007ffff7a8772b in base::MessageLoop::RunTask(base::PendingTask*) (this=0x10c90f258020, pending_task=0x7fffffff7b98) at ./../../base/message_loop/message_loop.cc:319
#20 0x00007ffff7a879a8 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) (this=0x10c90f258020, pending_task=...) at ./../../base/message_loop/message_loop.cc:329
#21 0x00007ffff7a87c99 in base::MessageLoop::DoWork() (this=0x10c90f258020) at ./../../base/message_loop/message_loop.cc:373
#22 0x00007ffff7a8a4ac in base::MessagePumpGlib::HandleDispatch() (this=0x10c90f4aca30) at ./../../base/message_loop/message_pump_glib.cc:263
#23 0x00007ffff7a9da91 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) (source=0x10c90f158e80, unused_func=0x0, unused_data=0x0)
    at ./../../base/message_loop/message_pump_glib.cc:109
#24 0x00007fffdd65b8ad in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#25 0x00007fffdd65bc78 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#26 0x00007fffdd65bd10 in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#27 0x00007ffff7a8a59f in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) (this=0x10c90f4aca30, delegate=0x10c90f258020) at ./../../base/message_loop/message_pump_glib.cc:305
#28 0x00007ffff7a86f13 in base::MessageLoop::Run(bool) (this=0x10c90f258020, application_tasks_allowed=true) at ./../../base/message_loop/message_loop.cc:271
#29 0x00007ffff7b2e2a1 in base::RunLoop::Run() (this=0x7fffffff85a0) at ./../../base/run_loop.cc:102
#30 0x00007ffff0433445 in content::BrowserMainLoop::MainMessageLoopRun() (this=0x7fffcba6d4a0) at ./../../content/browser/browser_main_loop.cc:1507
#31 0x00007ffff0433152 in content::BrowserMainLoop::RunMainMessageLoopParts() (this=0x7fffcba6d4a0) at ./../../content/browser/browser_main_loop.cc:980
#32 0x00007ffff0438648 in content::BrowserMainRunnerImpl::Run() (this=0x10c90ef6f860) at ./../../content/browser/browser_main_runner_impl.cc:169
---Type <return> to continue, or q <return> to quit---
#33 0x00007ffff0425949 in content::BrowserMain(content::MainFunctionParams const&, std::__1::unique_ptr<content::BrowserProcessSubThread, std::__1::default_delete<content::BrowserProcessSubThread> >) (parameters=..., service_manager_thread=...) at ./../../content/browser/browser_main.cc:51
#34 0x00007ffff22b5586 in content::RunBrowserProcessMain(content::MainFunctionParams const&, content::ContentMainDelegate*, std::__1::unique_ptr<content::BrowserProcessSubThread, std::__1::default_delete<content::BrowserProcessSubThread> >) (main_function_params=..., delegate=0x7fffffff9ed0, service_manager_thread=...) at ../../content/app/content_main_runner_impl.cc:620
#35 0x00007ffff22b7793 in content::ContentMainRunnerImpl::Run() (this=0x10c90ef318e0) at ../../content/app/content_main_runner_impl.cc:964
#36 0x00007ffff22ac0a5 in content::ContentServiceManagerMainDelegate::RunEmbedderProcess() (this=0x7fffffff9db0) at ../../content/app/content_service_manager_main_delegate.cc:53
#37 0x00007fffe9816eac in service_manager::Main(service_manager::MainParams const&) (params=...) at ../../services/service_manager/embedder/main.cc:459
#38 0x00007ffff22b2325 in content::ContentMain(content::ContentMainParams const&) (params=...) at ../../content/app/content_main.cc:19
#39 0x000000000106a6f6 in main(int, char const**) (argc=7, argv=0x7fffffffa2a8) at ../../electron/atom/app/atom_main.cc:219

When closing a tab, WebContents is destroyed by GuestViewBase::Destroy() at first. From what we have been investigating, it could be that this destroying timing is too early..

In the case of closing a tab which is not the last on the tab strip, this is error in the console:

[10800:10800:0627/153505.599606:ERROR:CONSOLE(106457)] "Cannot move frame to index 5 from 3 because it is invalid for a frame List of size 5!"

This happens in browser-laptop/app/renderer/reducers/frameReducer.js#200.

ltilve commented 6 years ago

This issue seems also the case for other tests that are failing, as tearing off tabs to a separate window or downloading https://webtorrent.io/torrents/big-buck-bunny.torrent

petemill commented 6 years ago

I've discovered one thing that would cause a lot of issues here is that in the latest muon c68, we are not getting the tab-detached-at event on the window WebContents. (This is expected at https://github.com/brave/browser-laptop/blob/0.23.x/app/browser/windows.js#L296)

This could be the cause of the issue, or a symptom of a more underlying issue, but without it I can't dig deeper as it will certainly cause many JS errors on the b-l side.

ltilve commented 6 years ago

Fixed by https://github.com/brave/muon/pull/618/commits/d0267b0bc661f985c5540ca37a79597c5c80896d

brave / muon

C68: crash switching tabs after closing the active one #625