chromiumembedded / cef

Chromium Embedded Framework (CEF). A simple framework for embedding Chromium-based browsers in other applications.
https://bitbucket.org/chromiumembedded/cef/

CEF crashes in OSR when opening pdf for viewing #2488

Closed magreenblatt closed 5 years ago

magreenblatt commented 6 years ago

Original report by Mike Wiedenbauer (Bitbucket: shagkur, GitHub: shagkur).


  1. start 'cefclient --off-screen-rendering-enabled', search for a pdf on google, click the link
  2. Expected: pdf is shown in the view.
    Observed: pdf viewer opens partly, but pdf is not shown. And after hovering over one of the 3 controls in the lower right corner it crashes with a stack trace. Happens on Mac OSX as well as on ubuntu linux
  3. Release 3497
  4. Yes
  5. Previous version (3440) of CEF worked.

The crash, when hovering over the controls also happens with 3440. This is due to a nullptr exception at content/browser/frame_host/render_widget_host_view_guest.cc:376. This seems to be caused because CefRenderWidgetHostViewOSR does not implement/override GetCursorManager() and the base class is returning nullptr.

Stack trace from the crash on Mac OSX

VM Regions Near 0x18:
--> 
    __TEXT                 0000000108aca000-0000000108b51000 [  540K] r-x/rwx SM=COW  /Users/USER/*/cefclient.app/Contents/MacOS/cefclient

Thread 0 Crashed:: CrBrowserMain  Dispatch queue: com.apple.main-thread
0   org.chromium.ContentShell.framework 0x000000010bf46aba content::CursorManager::SetTooltipTextForView(content::RenderWidgetHostViewBase const*, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&) + 10
1   org.chromium.ContentShell.framework 0x000000010bfd0508 content::RenderWidgetHostImpl::OnSetTooltipText(std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, blink::WebTextDirection) + 232
2   org.chromium.ContentShell.framework 0x000000010bfd0333 bool IPC::MessageT<ViewHostMsg_SetTooltipText_Meta, std::__1::tuple<std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> >, blink::WebTextDirection>, void>::Dispatch<content::RenderWidgetHostImpl, content::RenderWidgetHostImpl, void, void (content::RenderWidgetHostImpl::*)(std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, blink::WebTextDirection)>(IPC::Message const*, content::RenderWidgetHostImpl*, content::RenderWidgetHostImpl*, void*, void (content::RenderWidgetHostImpl::*)(std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, blink::WebTextDirection)) + 131
3   org.chromium.ContentShell.framework 0x000000010bfcf7a8 content::RenderWidgetHostImpl::OnMessageReceived(IPC::Message const&) + 776
4   org.chromium.ContentShell.framework 0x000000010ce6b42b IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) + 91
5   org.chromium.ContentShell.framework 0x000000010ca04292 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 242
6   org.chromium.ContentShell.framework 0x000000010ca23d5f base::MessageLoop::RunTask(base::PendingTask*) + 479
7   org.chromium.ContentShell.framework 0x000000010ca24228 base::MessageLoop::DoWork() + 424
8   org.chromium.ContentShell.framework 0x000000010ca263fa base::MessagePumpCFRunLoopBase::RunWork() + 42
9   org.chromium.ContentShell.framework 0x000000010ca16a4a base::mac::CallWithEHFrame(void () block_pointer) + 10
10  org.chromium.ContentShell.framework 0x000000010ca25d1f base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 63
11  com.apple.CoreFoundation        0x00007fffa57bb321 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
12  com.apple.CoreFoundation        0x00007fffa579c21d __CFRunLoopDoSources0 + 557
13  com.apple.CoreFoundation        0x00007fffa579b716 __CFRunLoopRun + 934
14  com.apple.CoreFoundation        0x00007fffa579b114 CFRunLoopRunSpecific + 420
15  com.apple.HIToolbox             0x00007fffa4cfbebc RunCurrentEventLoopInMode + 240
16  com.apple.HIToolbox             0x00007fffa4cfbcf1 ReceiveNextEventCommon + 432
17  com.apple.HIToolbox             0x00007fffa4cfbb26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
18  com.apple.AppKit                0x00007fffa3292a54 _DPSNextEvent + 1120
19  com.apple.AppKit                0x00007fffa3a0e7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
20  com.apple.AppKit                0x00007fffa32873db -[NSApplication run] + 926
21  org.chromium.ContentShell.framework 0x000000010ca26b9c base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 364
22  org.chromium.ContentShell.framework 0x000000010ca2583e base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 110
23  org.chromium.ContentShell.framework 0x000000010ca43d45 base::RunLoop::Run() + 53
24  org.chromium.ContentShell.framework 0x000000010c73d8a0 CefRunMessageLoop() + 64
25  org.cef.cefclient               0x0000000108af7489 client::MainMessageLoopStd::Run() + 9
26  org.cef.cefclient               0x0000000108af8735 main + 1029
27  libdyld.dylib                   0x00007fffbaf21235 start + 1
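The failure mechanism described in the report (a base-class default returning nullptr, dereferenced on the tooltip path), modelled as a small stand-alone example. This is added illustration, not CEF or Chromium code; the class names ViewBase, OsrViewUnfixed, OsrViewFixed and the function ForwardTooltip are invented stand-ins for the real content:: classes.

```cpp
#include <memory>
#include <string>

// Stand-in for content::CursorManager: it only records the last tooltip.
class CursorManager {
 public:
  void SetTooltipTextForView(const std::string& tooltip) { last_tooltip_ = tooltip; }
  const std::string& last_tooltip() const { return last_tooltip_; }
 private:
  std::string last_tooltip_;
};

// Stand-in for content::RenderWidgetHostViewBase: the default implementation
// returns nullptr, so any subclass that does not override it hands out a
// null manager to whoever asks.
class ViewBase {
 public:
  virtual ~ViewBase() = default;
  virtual CursorManager* GetCursorManager() { return nullptr; }
};

// The unfixed OSR view from the report: no override, so nullptr comes back.
class OsrViewUnfixed : public ViewBase {};

// The fixed OSR view owns a manager and hands it out, as the proposed patch does.
class OsrViewFixed : public ViewBase {
 public:
  OsrViewFixed() : cursor_manager_(std::make_unique<CursorManager>()) {}
  CursorManager* GetCursorManager() override { return cursor_manager_.get(); }
 private:
  std::unique_ptr<CursorManager> cursor_manager_;
};

// Models the guest view's tooltip forwarding. The real code dereferenced the
// manager unconditionally (render_widget_host_view_guest.cc:376 in the report),
// which is the crash; this hypothetical version reports the null case instead.
// Returns true when the tooltip was delivered, false when no manager exists.
bool ForwardTooltip(ViewBase* root_view, const std::string& tooltip) {
  CursorManager* mgr = root_view->GetCursorManager();
  if (!mgr) return false;  // the state cefclient was in under --off-screen-rendering-enabled
  mgr->SetTooltipTextForView(tooltip);
  return true;
}
```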
magreenblatt commented 6 years ago

Original comment by Salvador Diaz Fau (Bitbucket: salvadordf, GitHub: salvadordf).


The Windows version of cefclient with the --off-screen-rendering-enabled switch also freezes with online PDF files.

Tested with CEF 3.3440.1805.gbe070f9 on Windows 7 (64bit) http://opensource.spotify.com/cefbuilds/cef_binary_3.3440.1805.gbe070f9_windows32_client.tar.bz2

magreenblatt commented 6 years ago

Original comment by Mike Wiedenbauer (Bitbucket: shagkur, GitHub: shagkur).


Here's a proposed fix for the "GetCursorManager()" crash (applied against 3440):

diff --git a/libcef/browser/osr/render_widget_host_view_osr.cc b/libcef/browser/osr/render_widget_host_view_osr.cc
index bb0ddbbb..0cb2442a 100644
--- a/libcef/browser/osr/render_widget_host_view_osr.cc
+++ b/libcef/browser/osr/render_widget_host_view_osr.cc
@@ -27,6 +27,7 @@
 #include "content/browser/bad_message.h"
 #include "content/browser/compositor/image_transport_factory.h"
 #include "content/browser/frame_host/render_widget_host_view_guest.h"
+#include "content/browser/renderer_host/cursor_manager.h"
 #include "content/browser/renderer_host/dip_util.h"
 #include "content/browser/renderer_host/render_widget_host_delegate.h"
 #include "content/browser/renderer_host/render_widget_host_impl.h"
@@ -277,6 +278,8 @@ CefRenderWidgetHostViewOSR::CefRenderWidgetHostViewOSR(
   if (browser_impl_.get())
     ResizeRootLayer(false);

+  cursor_manager_.reset(new content::CursorManager(this));
+  
   // Do this last because it may result in a call to SetNeedsBeginFrames.
   render_widget_host_->SetView(this);
 }
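Review bot: `cursor_manager_.reset(new content::CursorManager(this));` would read more idiomatically as `cursor_manager_ = std::make_unique<content::CursorManager>(this);`, and the added `+  ` blank line carries trailing whitespace. Creating the manager before `render_widget_host_->SetView(this)` is the right order, since SetView is what lets the host start routing messages such as tooltip updates to this view.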
@@ -632,6 +635,10 @@ void CefRenderWidgetHostViewOSR::UpdateCursor(
 #endif
 }

+content::CursorManager* CefRenderWidgetHostViewOSR::GetCursorManager() {
+  return cursor_manager_.get();
+}
+
 void CefRenderWidgetHostViewOSR::SetIsLoading(bool is_loading) {}

 void CefRenderWidgetHostViewOSR::RenderProcessGone(
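Review bot: this override is what removes the null return that `CursorManager::SetTooltipTextForView` dereferences in the reported stack (fault address near 0x18). Because `cursor_manager_` is created in the constructor, any caller reaching this view after construction gets a non-null pointer; a one-line comment noting that the base-class default returns nullptr would keep a future cleanup from dropping the override.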
diff --git a/libcef/browser/osr/render_widget_host_view_osr.h b/libcef/browser/osr/render_widget_host_view_osr.h
index a4c466d5..9b94e672 100644
--- a/libcef/browser/osr/render_widget_host_view_osr.h
+++ b/libcef/browser/osr/render_widget_host_view_osr.h
@@ -38,6 +38,7 @@ class RenderWidgetHost;
 class RenderWidgetHostImpl;
 class RenderWidgetHostViewGuest;
 class BackingStore;
+class CursorManager;
 }  // namespace content

 class CefBeginFrameTimer;
@@ -147,6 +148,8 @@ class CefRenderWidgetHostViewOSR : public content::RenderWidgetHostViewBase,
   void Destroy() override;
   void SetTooltipText(const base::string16& tooltip_text) override;

+  content::CursorManager* GetCursorManager() override;
+  
   gfx::Size GetRequestedRendererSize() const override;
   gfx::Size GetCompositorViewportPixelSize() const override;
   void CopyFromSurface(
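Review bot: the `+  ` line after the `GetCursorManager()` declaration has trailing whitespace; make it a clean empty line. The signature itself matches the base-class virtual it overrides.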
@@ -331,6 +334,9 @@ class CefRenderWidgetHostViewOSR : public content::RenderWidgetHostViewBase,
   std::unique_ptr<ui::XScopedCursor> invisible_cursor_;
 #endif

+  
+  std::unique_ptr<content::CursorManager> cursor_manager_;
+  
   // Used to control the VSync rate in subprocesses when BeginFrame scheduling
   // is enabled.
   std::unique_ptr<CefBeginFrameTimer> begin_frame_timer_;
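Review bot: the `+  ` lines around `cursor_manager_` carry trailing whitespace, and the leading one adds a second blank line where one already exists. Since `content::CursorManager` is only forward-declared in this header, a `std::unique_ptr<content::CursorManager>` member compiles only while `~CefRenderWidgetHostViewOSR` is defined out of line in the .cc that includes `cursor_manager.h`; worth a short comment on the member so that constraint is not lost if the destructor ever moves inline.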
magreenblatt commented 5 years ago

Original comment by Jordy Boom (Bitbucket: Jordy Boom).


I ran into this error on 3.3396.1786.gd3e36d0 on Windows 7 (x86) regardless of whether OSR is enabled or not.

magreenblatt commented 5 years ago

@jboom_languageline It's probably not the same issue. What is the symbolized call stack for the crash that you're seeing in 3396?

magreenblatt commented 5 years ago

Fixed in master revision c7d187a (bb), 3538 branch revision 006d062 (bb) and 3497 branch revision 004ef91 (bb).

magreenblatt commented 5 years ago

Original comment by Jordy Boom (Bitbucket: Jordy Boom).


libcef.dll!content::CursorManager::SetTooltipTextForView(const content::RenderWidgetHostViewBase * view, const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & tooltip_text) Line 27
    at Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\cursor_manager.cc(27)
libcef.dll!content::RenderWidgetHostViewGuest::SetTooltipText(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & tooltip_text) Line 366
    at Y:\work\CEF3_git\chromium\src\content\browser\frame_host\render_widget_host_view_guest.cc(366)
libcef.dll!content::RenderWidgetHostImpl::OnSetTooltipText(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & tooltip_text, blink::WebTextDirection text_direction_hint) Line 2084
    at Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\render_widget_host_impl.cc(2084)
[Inline Frame] libcef.dll!base::DispatchToMethodImpl(content::RenderWidgetHostImpl * const & method, void(content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection)) Line 52
    at Y:\work\CEF3_git\chromium\src\ipc\ipc_message_templates.h(146)
[Inline Frame] libcef.dll!base::DispatchToMethod(content::RenderWidgetHostImpl * const & method, void(content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection)) Line 60
    at Y:\work\CEF3_git\chromium\src\ipc\ipc_message_templates.h(146)
[Inline Frame] libcef.dll!IPC::DispatchToMethod(content::RenderWidgetHostImpl * method, void(content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection)) Line 51
    at Y:\work\CEF3_git\chromium\src\ipc\ipc_message_templates.h(146)
libcef.dll!IPC::MessageT<ViewHostMsg_SetTooltipText_Meta,std::tuple<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,blink::WebTextDirection>,void>::Dispatch<content::RenderWidgetHostImpl,content::RenderWidgetHostImpl,void,void (content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection) __attribute__((thiscall))>(const IPC::Message * msg, content::RenderWidgetHostImpl * obj, content::RenderWidgetHostImpl * sender, void * parameter, void(content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection) func) Line 146
    at Y:\work\CEF3_git\chromium\src\ipc\ipc_message_templates.h(146)
libcef.dll!content::RenderWidgetHostImpl::OnMessageReceived(const IPC::Message & msg) Line 625
    at Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\render_widget_host_impl.cc(625)
libcef.dll!content::RenderProcessHostImpl::OnMessageReceived(const IPC::Message & msg) Line 3089
    at Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\render_process_host_impl.cc(3089)
libcef.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message) Line 321
    at Y:\work\CEF3_git\chromium\src\ipc\ipc_channel_proxy.cc(321)
[Inline Frame] libcef.dll!base::internal::FunctorTraits<void (content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) __attribute__((thiscall)),void>::Invoke(void(content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) receiver_ptr, scoped_refptr<content::SpeechRecognizerImpl> && args, content::SpeechRecognizerImpl::FSMEventArgs &&) Line 447
    at Y:\work\CEF3_git\chromium\src\base\bind_internal.h(576)
[Inline Frame] libcef.dll!base::internal::InvokeHelper<0,void>::MakeItSo(void(content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) && args, scoped_refptr<content::SpeechRecognizerImpl> && args, content::SpeechRecognizerImpl::FSMEventArgs &&) Line 530
    at Y:\work\CEF3_git\chromium\src\base\bind_internal.h(576)
[Inline Frame] libcef.dll!base::internal::Invoker<base::internal::BindState<void (content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) __attribute__((thiscall)),scoped_refptr<content::SpeechRecognizerImpl>,content::SpeechRecognizerImpl::FSMEventArgs>,void ()>::RunImpl(void(content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) && bound, std::tuple<scoped_refptr<content::SpeechRecognizerImpl>,content::SpeechRecognizerImpl::FSMEventArgs> &&) Line 604
    at Y:\work\CEF3_git\chromium\src\base\bind_internal.h(576)
libcef.dll!base::internal::Invoker<base::internal::BindState<void (content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) __attribute__((thiscall)),scoped_refptr<content::SpeechRecognizerImpl>,content::SpeechRecognizerImpl::FSMEventArgs>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 576
    at Y:\work\CEF3_git\chromium\src\base\bind_internal.h(576)
[Inline Frame] libcef.dll!base::OnceCallback<void ()>::Run() Line 95
    at Y:\work\CEF3_git\chromium\src\base\debug\task_annotator.cc(101)
libcef.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task) Line 101
    at Y:\work\CEF3_git\chromium\src\base\debug\task_annotator.cc(101)
libcef.dll!base::internal::IncomingTaskQueue::RunTask(base::PendingTask * pending_task) Line 125
    at Y:\work\CEF3_git\chromium\src\base\message_loop\incoming_task_queue.cc(125)
libcef.dll!base::MessageLoop::RunTask(base::PendingTask * pending_task) Line 355
    at Y:\work\CEF3_git\chromium\src\base\message_loop\message_loop.cc(355)
libcef.dll!base::MessageLoop::DeferOrRunPendingTask(base::PendingTask pending_task) Line 364
    at Y:\work\CEF3_git\chromium\src\base\message_loop\message_loop.cc(364)
libcef.dll!base::MessageLoop::DoWork() Line 408
    at Y:\work\CEF3_git\chromium\src\base\message_loop\message_loop.cc(408)
libcef.dll!base::MessagePumpForUI::DoRunLoop() Line 175
    at Y:\work\CEF3_git\chromium\src\base\message_loop\message_pump_win.cc(175)
libcef.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 59
    at Y:\work\CEF3_git\chromium\src\base\message_loop\message_pump_win.cc(59)
libcef.dll!base::MessageLoop::Run(bool) Line 306
    at Y:\work\CEF3_git\chromium\src\base\message_loop\message_loop.cc(306)
libcef.dll!base::RunLoop::Run() Line 136
    at Y:\work\CEF3_git\chromium\src\base\run_loop.cc(136)
libcef.dll!base::Thread::Run(base::RunLoop * run_loop) Line 256
    at Y:\work\CEF3_git\chromium\src\base\threading\thread.cc(256)
libcef.dll!base::Thread::ThreadMain() Line 340
    at Y:\work\CEF3_git\chromium\src\base\threading\thread.cc(340)
libcef.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 94
    at Y:\work\CEF3_git\chromium\src\base\threading\platform_thread_win.cc(94)
[External Code]
[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]

I'm using this with CEFSharp (for WPF), reverting to version 65.0.1 (versus 67.0) fixed the issue. That build of CEFSharp (65.0.1) depends on CEF build 3.3325.1758.

magreenblatt commented 6 years ago

Original changes by Mike Wiedenbauer (Bitbucket: shagkur, GitHub: shagkur).

