chromiumembedded / cef

Chromium Embedded Framework (CEF). A simple framework for embedding Chromium-based browsers in other applications.
https://bitbucket.org/chromiumembedded/cef/

Crash in extensions::RendererStartupHelper::UntrackProcess #3247

Closed magreenblatt closed 2 years ago

magreenblatt commented 2 years ago

Original report by Michael Merritt (Bitbucket: Michael Merritt).


I am seeing an intermittent crash at shutdown on macOS (multiple versions) with branch 4638. The crash occurs during the CefShutdown() API. The relevant portion of the macOS crash log looks like this:

    ...
    Crashed Thread:        0  CrBrowserMain  Dispatch queue: com.apple.main-thread

    Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
    Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
    Exception Codes:       0x0000000000000001, 0x0000000000000000
    Exception Note:        EXC_CORPSE_NOTIFY

    Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
    Terminating Process:   exc handler [1679]

    VM Region Info: 0 is not in any region.  Bytes before following region: 4513230848
          REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
          UNUSED SPACE AT START
    ---> 
          __TEXT                      10d027000-10d2c7000    [ 2688K] r-x/r-x SM=COW  ................

    Thread 0 Crashed:: CrBrowserMain Dispatch queue: com.apple.main-thread
    0   Chromium Embedded Framework             0x1263b4461 extensions::RendererStartupHelper::UntrackProcess(content::RenderProcessHost*) + 49 (renderer_startup_helper.cc:207)
    1   Chromium Embedded Framework             0x1238395e8 content::RenderProcessHostImpl::Cleanup() + 1304 (render_process_host_impl.cc:4005)
    2   Chromium Embedded Framework             0x123833781 content::RenderProcessHostImpl::DecrementKeepAliveRefCount() + 353 (render_process_host_impl.cc:2881)
    3   Chromium Embedded Framework             0x1236fc523 content::(anonymous namespace)::KeepAliveHandleImpl::~KeepAliveHandleImpl() + 73 (keep_alive_handle_factory.cc:42) [inlined]
    4   Chromium Embedded Framework             0x1236fc523 content::(anonymous namespace)::KeepAliveHandleImpl::~KeepAliveHandleImpl() + 73 (keep_alive_handle_factory.cc:36) [inlined]
    5   Chromium Embedded Framework             0x1236fc523 content::(anonymous namespace)::KeepAliveHandleImpl::~KeepAliveHandleImpl() + 83 (keep_alive_handle_factory.cc:36)
    6   Chromium Embedded Framework             0x1236fc0e2 std::__1::default_delete<blink::mojom::KeepAliveHandle>::operator()(blink::mojom::KeepAliveHandle*) const + 6 (unique_ptr.h:54) [inlined]
    7   Chromium Embedded Framework             0x1236fc0e2 std::__1::unique_ptr<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> >::reset(blink::mojom::KeepAliveHandle*) + 23 (unique_ptr.h:315) [inlined]
    8   Chromium Embedded Framework             0x1236fc0e2 std::__1::unique_ptr<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> >::~unique_ptr() + 23 (unique_ptr.h:269) [inlined]
    9   Chromium Embedded Framework             0x1236fc0e2 std::__1::unique_ptr<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> >::~unique_ptr() + 23 (unique_ptr.h:269) [inlined]
    10  Chromium Embedded Framework             0x1236fc0e2 blink::mojom::KeepAliveHandleStub<mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >::~KeepAliveHandleStub() + 34 (frame.mojom.h:1737) [inlined]
    11  Chromium Embedded Framework             0x1236fc0e2 blink::mojom::KeepAliveHandleStub<mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >::~KeepAliveHandleStub() + 34 (frame.mojom.h:1737) [inlined]
    12  Chromium Embedded Framework             0x1236fc0e2 mojo::internal::BindingState<blink::mojom::KeepAliveHandle, mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >::~BindingState() + 46 (binding_state.h:114) [inlined]
    13  Chromium Embedded Framework             0x1236fc0e2 mojo::internal::BindingState<blink::mojom::KeepAliveHandle, mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >::~BindingState() + 46 (binding_state.h:114) [inlined]
    14  Chromium Embedded Framework             0x1236fc0e2 mojo::Receiver<blink::mojom::KeepAliveHandle, mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >::~Receiver() + 46 (receiver.h:77) [inlined]
    15  Chromium Embedded Framework             0x1236fc0e2 mojo::Receiver<blink::mojom::KeepAliveHandle, mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >::~Receiver() + 46 (receiver.h:77) [inlined]
    16  Chromium Embedded Framework             0x1236fc0e2 mojo::ReceiverSetBase<mojo::Receiver<blink::mojom::KeepAliveHandle, mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >, void>::ReceiverEntry::~ReceiverEntry() + 56 (receiver_set.h:362) [inlined]
    17  Chromium Embedded Framework             0x1236fc0e2 mojo::ReceiverSetBase<mojo::Receiver<blink::mojom::KeepAliveHandle, mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >, void>::ReceiverEntry::~ReceiverEntry() + 56 (receiver_set.h:362) [inlined]
    18  Chromium Embedded Framework             0x1236fc0e2 mojo::ReceiverSetBase<mojo::Receiver<blink::mojom::KeepAliveHandle, mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >, void>::ReceiverEntry::~ReceiverEntry() + 66 (receiver_set.h:362)
    19  Chromium Embedded Framework             0x1231dcfaf std::__1::default_delete<mojo::ReceiverSetState::Entry>::operator()(mojo::ReceiverSetState::Entry*) const + 8 (unique_ptr.h:54) [inlined]
    20  Chromium Embedded Framework             0x1231dcfaf std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> >::reset(mojo::ReceiverSetState::Entry*) + 25 (unique_ptr.h:315) [inlined]
    21  Chromium Embedded Framework             0x1231dcfaf std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> >::~unique_ptr() + 25 (unique_ptr.h:269) [inlined]
    22  Chromium Embedded Framework             0x1231dcfaf std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> >::~unique_ptr() + 25 (unique_ptr.h:269) [inlined]
    23  Chromium Embedded Framework             0x1231dcfaf std::__1::pair<unsigned long long const, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >::~pair() + 25 (utility:394) [inlined]
    24  Chromium Embedded Framework             0x1231dcfaf std::__1::pair<unsigned long long const, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >::~pair() + 25 (utility:394) [inlined]
    25  Chromium Embedded Framework             0x1231dcfaf void std::__1::allocator_traits<std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, void*> > >::destroy<std::__1::pair<unsigned long long const, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, void, void>(std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, void*> >&, std::__1::pair<unsigned long long const, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >*) + 25 (allocator_traits.h:318) [inlined]
    26  Chromium Embedded Framework             0x1231dcfaf std::__1::__tree<std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, std::__1::__map_value_compare<unsigned long long, std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, std::__1::less<unsigned long long>, true>, std::__1::allocator<std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > > > >::destroy(std::__1::__tree_node<std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, void*>*) + 63 (__tree:1801)
    27  Chromium Embedded Framework             0x1254f562f std::__1::__tree<std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, std::__1::__map_value_compare<unsigned long long, std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, std::__1::less<unsigned long long>, true>, std::__1::allocator<std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > > > >::~__tree() + 9 (__tree:1789) [inlined]
    28  Chromium Embedded Framework             0x1254f562f std::__1::__tree<std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, std::__1::__map_value_compare<unsigned long long, std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > >, std::__1::less<unsigned long long>, true>, std::__1::allocator<std::__1::__value_type<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > > > >::~__tree() + 9 (__tree:1786) [inlined]
    29  Chromium Embedded Framework             0x1254f562f std::__1::map<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> >, std::__1::less<unsigned long long>, std::__1::allocator<std::__1::pair<unsigned long long const, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > > > >::~map() + 13 (map:1103) [inlined]
    30  Chromium Embedded Framework             0x1254f562f std::__1::map<unsigned long long, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> >, std::__1::less<unsigned long long>, std::__1::allocator<std::__1::pair<unsigned long long const, std::__1::unique_ptr<mojo::ReceiverSetState::Entry, std::__1::default_delete<mojo::ReceiverSetState::Entry> > > > >::~map() + 13 (map:1101) [inlined]
    31  Chromium Embedded Framework             0x1254f562f mojo::ReceiverSetState::~ReceiverSetState() + 22 (receiver_set.cc:67) [inlined]
    32  Chromium Embedded Framework             0x1254f562f mojo::ReceiverSetState::~ReceiverSetState() + 31 (receiver_set.cc:67)
    33  Chromium Embedded Framework             0x1236fbe45 mojo::ReceiverSetBase<mojo::Receiver<blink::mojom::KeepAliveHandle, mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >, void>::~ReceiverSetBase() + 9 (receiver_set.h:172) [inlined]
    34  Chromium Embedded Framework             0x1236fbe45 mojo::ReceiverSetBase<mojo::Receiver<blink::mojom::KeepAliveHandle, mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle, std::__1::default_delete<blink::mojom::KeepAliveHandle> > >, void>::~ReceiverSetBase() + 9 (receiver_set.h:172) [inlined]
    35  Chromium Embedded Framework             0x1236fbe45 content::KeepAliveHandleFactory::Context::~Context() + 28 (keep_alive_handle_factory.cc:60) [inlined]
    36  Chromium Embedded Framework             0x1236fbe45 content::KeepAliveHandleFactory::Context::~Context() + 28 (keep_alive_handle_factory.cc:60) [inlined]
    37  Chromium Embedded Framework             0x1236fbe45 content::KeepAliveHandleFactory::Context::~Context() + 37 (keep_alive_handle_factory.cc:60)
    38  Chromium Embedded Framework             0x1236fc585 std::__1::default_delete<content::KeepAliveHandleFactory::Context>::operator()(content::KeepAliveHandleFactory::Context*) const + 6 (unique_ptr.h:54) [inlined]
    39  Chromium Embedded Framework             0x1236fc585 std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> >::reset(content::KeepAliveHandleFactory::Context*) + 23 (unique_ptr.h:315) [inlined]
    40  Chromium Embedded Framework             0x1236fc585 std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> >::~unique_ptr() + 23 (unique_ptr.h:269) [inlined]
    41  Chromium Embedded Framework             0x1236fc585 std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> >::~unique_ptr() + 23 (unique_ptr.h:269) [inlined]
    42  Chromium Embedded Framework             0x1236fc585 std::__1::__tuple_leaf<0ul, std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> >, false>::~__tuple_leaf() + 23 (tuple:186) [inlined]
    43  Chromium Embedded Framework             0x1236fc585 std::__1::__tuple_impl<std::__1::__tuple_indices<0ul>, std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> > >::~__tuple_impl() + 23 (tuple:360) [inlined]
    44  Chromium Embedded Framework             0x1236fc585 std::__1::__tuple_impl<std::__1::__tuple_indices<0ul>, std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> > >::~__tuple_impl() + 23 (tuple:360) [inlined]
    45  Chromium Embedded Framework             0x1236fc585 std::__1::tuple<std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> > >::~tuple() + 23 (tuple:446) [inlined]
    46  Chromium Embedded Framework             0x1236fc585 std::__1::tuple<std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> > >::~tuple() + 23 (tuple:446) [inlined]
    47  Chromium Embedded Framework             0x1236fc585 base::internal::BindState<content::KeepAliveHandleFactory::~KeepAliveHandleFactory()::$_0, std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> > >::~BindState() + 23 (bind_internal.h:918) [inlined]
    48  Chromium Embedded Framework             0x1236fc585 base::internal::BindState<content::KeepAliveHandleFactory::~KeepAliveHandleFactory()::$_0, std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> > >::~BindState() + 23 (bind_internal.h:918) [inlined]
    49  Chromium Embedded Framework             0x1236fc585 base::internal::BindState<content::KeepAliveHandleFactory::~KeepAliveHandleFactory()::$_0, std::__1::unique_ptr<content::KeepAliveHandleFactory::Context, std::__1::default_delete<content::KeepAliveHandleFactory::Context> > >::Destroy(base::internal::BindStateBase const*) + 37 (bind_internal.h:921)
    50  Chromium Embedded Framework             0x1255a42f4 std::__1::allocator<base::sequence_manager::Task>::destroy(base::sequence_manager::Task*) + 8 (allocator.h:133) [inlined]
    51  Chromium Embedded Framework             0x1255a42f4 void std::__1::allocator_traits<std::__1::allocator<base::sequence_manager::Task> >::destroy<base::sequence_manager::Task, void>(std::__1::allocator<base::sequence_manager::Task>&, base::sequence_manager::Task*) + 8 (allocator_traits.h:308) [inlined]
    52  Chromium Embedded Framework             0x1255a42f4 std::__1::__vector_base<base::sequence_manager::Task, std::__1::allocator<base::sequence_manager::Task> >::__destruct_at_end(base::sequence_manager::Task*) + 26 (vector:429) [inlined]
    53  Chromium Embedded Framework             0x1255a42f4 std::__1::__vector_base<base::sequence_manager::Task, std::__1::allocator<base::sequence_manager::Task> >::clear() + 26 (vector:372) [inlined]
    54  Chromium Embedded Framework             0x1255a42f4 std::__1::__vector_base<base::sequence_manager::Task, std::__1::allocator<base::sequence_manager::Task> >::~__vector_base() + 31 (vector:466) [inlined]
    55  Chromium Embedded Framework             0x1255a42f4 std::__1::vector<base::sequence_manager::Task, std::__1::allocator<base::sequence_manager::Task> >::~vector() + 31 (vector:558) [inlined]
    56  Chromium Embedded Framework             0x1255a42f4 std::__1::vector<base::sequence_manager::Task, std::__1::allocator<base::sequence_manager::Task> >::~vector() + 31 (vector:553) [inlined]
    57  Chromium Embedded Framework             0x1255a42f4 std::__1::priority_queue<base::sequence_manager::Task, std::__1::vector<base::sequence_manager::Task, std::__1::allocator<base::sequence_manager::Task> >, std::__1::less<base::sequence_manager::Task> >::~priority_queue() + 31 (queue:413) [inlined]
    58  Chromium Embedded Framework             0x1255a42f4 base::sequence_manager::internal::TaskQueueImpl::DelayedIncomingQueue::PQueue::~PQueue() + 31 (task_queue_impl.h:337) [inlined]
    59  Chromium Embedded Framework             0x1255a42f4 base::sequence_manager::internal::TaskQueueImpl::DelayedIncomingQueue::PQueue::~PQueue() + 31 (task_queue_impl.h:337) [inlined]
    60  Chromium Embedded Framework             0x1255a42f4 base::sequence_manager::internal::TaskQueueImpl::DelayedIncomingQueue::~DelayedIncomingQueue() + 31 (task_queue_impl.cc:1336) [inlined]
    61  Chromium Embedded Framework             0x1255a42f4 base::sequence_manager::internal::TaskQueueImpl::DelayedIncomingQueue::~DelayedIncomingQueue() + 31 (task_queue_impl.cc:1336) [inlined]
    62  Chromium Embedded Framework             0x1255a42f4 base::sequence_manager::internal::TaskQueueImpl::UnregisterTaskQueue() + 1220 (task_queue_impl.cc:210)
    63  Chromium Embedded Framework             0x12559719d base::sequence_manager::internal::SequenceManagerImpl::UnregisterTaskQueueImpl(std::__1::unique_ptr<base::sequence_manager::internal::TaskQueueImpl, std::__1::default_delete<base::sequence_manager::internal::TaskQueueImpl> >) + 253 (sequence_manager_impl.cc:413)
    64  Chromium Embedded Framework             0x1255a1f97 base::sequence_manager::TaskQueue::ShutdownTaskQueue() + 535 (task_queue.cc:189)
    65  Chromium Embedded Framework             0x123891371 content::BrowserTaskQueues::~BrowserTaskQueues() + 337 (browser_task_queues.cc:209)
    66  Chromium Embedded Framework             0x123891d1b content::BrowserUIThreadScheduler::~BrowserUIThreadScheduler() + 49 (browser_ui_thread_scheduler.cc:93) [inlined]
    67  Chromium Embedded Framework             0x123891d1b content::BrowserUIThreadScheduler::~BrowserUIThreadScheduler() + 59 (browser_ui_thread_scheduler.cc:93)
    68  Chromium Embedded Framework             0x12389048a std::__1::default_delete<content::BrowserUIThreadScheduler>::operator()(content::BrowserUIThreadScheduler*) const + 8 (unique_ptr.h:54) [inlined]
    69  Chromium Embedded Framework             0x12389048a std::__1::unique_ptr<content::BrowserUIThreadScheduler, std::__1::default_delete<content::BrowserUIThreadScheduler> >::reset(content::BrowserUIThreadScheduler*) + 25 (unique_ptr.h:315) [inlined]
    70  Chromium Embedded Framework             0x12389048a std::__1::unique_ptr<content::BrowserUIThreadScheduler, std::__1::default_delete<content::BrowserUIThreadScheduler> >::~unique_ptr() + 25 (unique_ptr.h:269) [inlined]
    71  Chromium Embedded Framework             0x12389048a std::__1::unique_ptr<content::BrowserUIThreadScheduler, std::__1::default_delete<content::BrowserUIThreadScheduler> >::~unique_ptr() + 25 (unique_ptr.h:269) [inlined]
    72  Chromium Embedded Framework             0x12389048a content::BrowserTaskExecutor::UIThreadExecutor::~UIThreadExecutor() + 58 (browser_task_executor.cc:372)
    73  Chromium Embedded Framework             0x12389050e content::BrowserTaskExecutor::UIThreadExecutor::~UIThreadExecutor() + 5 (browser_task_executor.cc:369) [inlined]
    74  Chromium Embedded Framework             0x12389050e content::BrowserTaskExecutor::UIThreadExecutor::~UIThreadExecutor() + 14 (browser_task_executor.cc:369)
    75  Chromium Embedded Framework             0x12388fdc8 std::__1::default_delete<content::BrowserTaskExecutor::UIThreadExecutor>::operator()(content::BrowserTaskExecutor::UIThreadExecutor*) const + 6 (unique_ptr.h:54) [inlined]
    76  Chromium Embedded Framework             0x12388fdc8 std::__1::unique_ptr<content::BrowserTaskExecutor::UIThreadExecutor, std::__1::default_delete<content::BrowserTaskExecutor::UIThreadExecutor> >::reset(content::BrowserTaskExecutor::UIThreadExecutor*) + 23 (unique_ptr.h:315) [inlined]
    77  Chromium Embedded Framework             0x12388fdc8 content::BrowserTaskExecutor::Shutdown() + 200 (browser_task_executor.cc:284)
    78  Chromium Embedded Framework             0x125114380 content::ContentMainRunnerImpl::Shutdown() + 224 (content_main_runner_impl.cc:1124)
    79  Chromium Embedded Framework             0x1251c30f5 CefMainRunner::FinalizeShutdown(base::OnceCallback<void ()>) + 117 (main_runner.cc:507)
    80  Chromium Embedded Framework             0x1251c2f80 CefMainRunner::Shutdown(base::OnceCallback<void ()>, base::OnceCallback<void ()>) + 336 (main_runner.cc:274)
    81  Chromium Embedded Framework             0x12519963a CefContext::Shutdown() + 250 (context.cc:386)
    82  Chromium Embedded Framework             0x1251994bd CefShutdown() + 125 (context.cc:233)
    83  My App                                  0x103a85528 main + 2168 (main.mm:211)
    84  dyld                                    0x1113274fe start + 462
    ...

The relevant portion of the CEF code looks like this:

    ...
    205 void RendererStartupHelper::UntrackProcess(
    206    content::RenderProcessHost* process) {
    207  if (!ExtensionsBrowserClient::Get()->IsSameContext(
    208          browser_context_, process->GetBrowserContext())) {
    209    return;
    210  }
    211
    212  process->RemoveObserver(this);
    213  process_mojo_map_.erase(process);
    214  pending_active_extensions_.erase(process);
    215  for (auto& extension_process_pair : extension_process_map_)
    216    extension_process_pair.second.erase(process);
    217 }
    ...

Line 207 is given as the failing line, and you can see that ExtensionsBrowserClient::Get() is called to retrieve a pointer that is immediately dereferenced without checking its value. My guess is that the pointer is intermittently NULL, which is what the crash report indicates. The fact that this pointer is used without first checking its value would seem to be a bug. Of course, the next question is why is the pointer NULL, and the answer to that may lead to another more-complicated issue.

Does this seem to be a correct analysis of this intermittent crash, or is there something else I should check?

Thanks in advance for any help you can provide.

magreenblatt commented 2 years ago

Does the crash reproduce with a supported version? Does it reproduce with the CEF sample apps?

magreenblatt commented 2 years ago

Original comment by Michael Merritt (Bitbucket: Michael Merritt).


Branch 4638 specifies macOS 10.11+ deployment, and this has been reproduced in several versions of macOS 11 and 12.

I have not tested this with the CEF sample apps, since it is intermittent.

However, given the crash point and associated code, it seems that the return value of ExtensionsBrowserClient::Get() should be checked before use, since if it is NULL then this exact crash would likely result.

Are there other possibilities here I am missing?

magreenblatt commented 2 years ago

It’s likely something wrong with shutdown ordering, possibly in Chromium code. We ask whether it reproduces with supported CEF versions because you’re using an old version, and the issue may already be fixed in newer versions.

magreenblatt commented 2 years ago

This issue was reported for an old/unsupported version. If the problem reproduces with supported CEF versions then we can re-open.

magreenblatt commented 2 years ago

Original comment by Michael Merritt (Bitbucket: Michael Merritt).


I don’t know about the current status of any CEF-related issues that might be associated with helping to cause the crash, but the crash point itself is definitely in Chromium, and the code is still unchanged:

https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/extensions/browser/renderer_startup_helper.cc

magreenblatt commented 2 years ago

Also reproduces with 4664 on Windows.

magreenblatt commented 2 years ago

The Windows stack trace is somewhat different:

[ 00 ] extensions::RendererStartupHelper::UntrackProcess(content::RenderProcessHost *)
[ 01 ] extensions::RendererStartupHelper::RenderProcessExited(content::RenderProcessHost *,content::ChildProcessTerminationInfo const &)
[ 02 ] content::RenderProcessHostImpl::Cleanup()
[ 03 ] content::RenderProcessHostImpl::DecrementKeepAliveRefCount(unsigned __int64)
[ 04 ] content::`anonymous namespace'::KeepAliveHandleImpl::~KeepAliveHandleImpl
[ 05 ] content::`anonymous namespace'::KeepAliveHandleImpl::~KeepAliveHandleImpl
[ 06 ] mojo::internal::BindingState<blink::mojom::KeepAliveHandle,mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle,std::__1::default_delete<blink::mojom::KeepAliveHandle> > >::~BindingState
[ 07 ] mojo::ReceiverSetBase<mojo::Receiver<blink::mojom::KeepAliveHandle,mojo::UniquePtrImplRefTraits<blink::mojom::KeepAliveHandle,std::__1::default_delete<blink::mojom::KeepAliveHandle> > >,void>::ReceiverEntry::~ReceiverEntry
[ 08 ] autofill::AutofillWebDataBackendImpl::ResetUserData()
[ 09 ] std::__1::unique_ptr<mojo::ReceiverSetState::Entry,std::__1::default_delete<mojo::ReceiverSetState::Entry> >::reset(mojo::ReceiverSetState::Entry *)
[ 10 ] std::__1::__tree<std::__1::__value_type<unsigned long long,std::__1::unique_ptr<mojo::ReceiverSetState::Entry,std::__1::default_delete<mojo::ReceiverSetState::Entry> > >,std::__1::__map_value_compare<unsigned long long,std::__1::__value_type<unsigned long long,std::__1::unique_ptr<mojo::ReceiverSetState::Entry,std::__1::default_delete<mojo::ReceiverSetState::Entry> > >,std::__1::less<unsigned long long>,1>,std::__1::allocator<std::__1::__value_type<unsigned long long,std::__1::unique_ptr<mojo::ReceiverSetState::Entry,std::__1::default_delete<mojo::ReceiverSetState::Entry> > > > >::destroy
[ 11 ] mojo::ReceiverSetState::~ReceiverSetState()
[ 12 ] content::KeepAliveHandleFactory::Context::~Context
[ 13 ] base::internal::BindState<`lambda at ../../chrome/browser/resource_coordinator/tab_manager.cc:175:24',std::__1::unique_ptr<resource_coordinator::TabManager::ResourceCoordinatorSignalObserver,std::__1::default_delete<resource_coordinator::TabManager::ResourceCoordinatorSignalObserver> > >::Destroy
[ 14 ] base::internal::CallbackBase::~CallbackBase()
[ 15 ] base::sequence_manager::internal::TaskQueueImpl::UnregisterTaskQueue()
[ 16 ] base::sequence_manager::internal::SequenceManagerImpl::UnregisterTaskQueueImpl(std::__1::unique_ptr<base::sequence_manager::internal::TaskQueueImpl,std::__1::default_delete<base::sequence_manager::internal::TaskQueueImpl> >)
[ 17 ] base::sequence_manager::TaskQueue::ShutdownTaskQueue()
[ 18 ] content::BrowserTaskQueues::~BrowserTaskQueues()
[ 19 ] content::BrowserUIThreadScheduler::~BrowserUIThreadScheduler()
[ 20 ] std::__1::unique_ptr<content::BrowserUIThreadScheduler,std::__1::default_delete<content::BrowserUIThreadScheduler> >::reset(content::BrowserUIThreadScheduler *)
[ 21 ] content::BrowserTaskExecutor::UIThreadExecutor::~UIThreadExecutor()
[ 22 ] content::BrowserTaskExecutor::UIThreadExecutor::~UIThreadExecutor
[ 23 ] content::BrowserTaskExecutor::Shutdown()
[ 24 ] content::ContentMainRunnerImpl::Shutdown()
[ 25 ] CefMainRunner::FinalizeShutdown(base::OnceCallback<void >)
[ 26 ] CefMainRunner::Shutdown(base::OnceCallback<void >,base::OnceCallback<void >)
[ 27 ] CefContext::Shutdown()
[ 28 ] CefShutdown()

magreenblatt commented 2 years ago

Another possibly related Windows crash from 4664 (`AlloyBrowserContext::extension_system()` is likely invalid):

[ 03 ] extensions::CefExtensionSystem::OnRequestContextDeleted(CefRequestContext *)
[ 04 ] AlloyBrowserContext::RemoveCefRequestContext(CefRequestContextImpl *)
[ 05 ] CefRequestContextImpl::~CefRequestContextImpl()
[ 06 ] [thunk]:CefRequestContextImpl::`vector deleting destructor'`vtordisp{4294967292,0}' (unsigned int)
[ 07 ] content::BrowserThread::DeleteOnThread<content::BrowserThread::UI>::Destruct<CefImageImpl>
[ 08 ] [thunk]:CefRequestContextImpl::Release`vtordisp{4294967292,0}' ()
[ 09 ] CefBrowserHostBase::~CefBrowserHostBase()
[ 10 ] [thunk]:AlloyBrowserHostImpl::`vector deleting destructor'`adjustor{16}' (unsigned int)
[ 11 ] [thunk]:CefBrowserHostBase::Release`vtordisp{4294967292,152}' ()

magreenblatt commented 2 years ago

Testing with M99, it looks like AlloyBrowserMainParts::PostDestroyThreads (which calls extensions::ExtensionsBrowserClient::Set(nullptr)) is being called before ContentMainRunnerImpl::Shutdown. Consequently ExtensionsBrowserClient::Get() will return nullptr if RendererStartupHelper::UntrackProcess is called via Shutdown.

It doesn’t crash more frequently because often process_host is nullptr in ~KeepAliveHandleImpl (here), and consequently RenderProcessHostImpl::DecrementKeepAliveRefCount is not called.

magreenblatt commented 2 years ago

extensions_shell also calls ExtensionsBrowserClient::Set(nullptr) from PostDestroyThreads (same as CEF), whereas Chrome uses ~BrowserProcessImpl and cast uses PostMainMessageLoopRun.

magreenblatt commented 2 years ago

alloy: Move ExtensionsBrowserClient ownership to BrowserProcess (fixes issue #3247)

Fixes a shutdown crash due to ExtensionsBrowserClient::Set(nullptr) being called too early. Some code that may occasionally be triggered via content::ContentMainShutdown() is expecting the extensions objects to still be valid.

This new ownership pattern matches the code in chrome/.

→ <<cset 9e5e8208d8e4 (bb)>>

magreenblatt commented 2 years ago

alloy: Move ExtensionsBrowserClient ownership to BrowserProcess (fixes issue #3247)

Fixes a shutdown crash due to ExtensionsBrowserClient::Set(nullptr) being called too early. Some code that may occasionally be triggered via content::ContentMainShutdown() is expecting the extensions objects to still be valid.

This new ownership pattern matches the code in chrome/.

→ <<cset d87e3f41f66a (bb)>>

magreenblatt commented 2 years ago

alloy: Move ExtensionsBrowserClient ownership to BrowserProcess (fixes issue #3247)

Fixes a shutdown crash due to ExtensionsBrowserClient::Set(nullptr) being called too early. Some code that may occasionally be triggered via content::ContentMainShutdown() is expecting the extensions objects to still be valid.

This new ownership pattern matches the code in chrome/.

→ <<cset a00bca5aa590 (bb)>>

magreenblatt commented 2 years ago

alloy: Move ExtensionsBrowserClient ownership to BrowserProcess (fixes issue #3247)

Fixes a shutdown crash due to ExtensionsBrowserClient::Set(nullptr) being called too early. Some code that may occasionally be triggered via content::ContentMainShutdown() is expecting the extensions objects to still be valid.

This new ownership pattern matches the code in chrome/.

→ <<cset 9eb0954cde62 (bb)>>
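The ordering problem described in the report, the root-cause comment and the commit message, reduced to a stand-alone model (an added example, not CEF or Chromium code). `ExtensionsBrowserClient`, `UntrackProcess`, `TaskQueue` and `RunShutdown` are constructed stand-ins: the static `Get()`/`Set()` pair mirrors the real accessor, a task destroyed during queue teardown stands in for the `~KeepAliveHandleImpl` → `Cleanup()` → `UntrackProcess()` chain, and the `process_host_alive` flag models why the crash is intermittent.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

namespace model {

// Stand-in for extensions::ExtensionsBrowserClient: a process-wide object
// reached through a raw static pointer, the same shape as the real Get()/Set().
class ExtensionsBrowserClient {
 public:
  static ExtensionsBrowserClient* Get() { return instance_; }
  static void Set(ExtensionsBrowserClient* client) { instance_ = client; }
  bool IsSameContext(int a, int b) const { return a == b; }

 private:
  static ExtensionsBrowserClient* instance_;
};
ExtensionsBrowserClient* ExtensionsBrowserClient::instance_ = nullptr;

// What the modelled UntrackProcess observed when it ran.
enum class Untrack { kNotCalled, kDone, kSkippedOtherContext, kClientGone };

// Stand-in for RendererStartupHelper::UntrackProcess. The real code calls
// Get()->IsSameContext(...) with no null check, so a nullptr here is the
// KERN_INVALID_ADDRESS at 0x0 in the macOS log. Returning a status instead of
// crashing lets the ordering be observed; note that a bare null check alone
// would also skip RemoveObserver()/map erasure, leaving stale bookkeeping.
Untrack UntrackProcess(int helper_context, int process_context) {
  ExtensionsBrowserClient* client = ExtensionsBrowserClient::Get();
  if (!client) return Untrack::kClientGone;
  if (!client->IsSameContext(helper_context, process_context))
    return Untrack::kSkippedOtherContext;
  return Untrack::kDone;
}

// A queue whose still-pending tasks are destroyed at shutdown. Their
// destructors run late, inside the equivalent of ContentMainRunnerImpl::Shutdown.
class TaskQueue {
 public:
  void Post(std::function<void()> on_destroy) {
    pending_.push_back(std::move(on_destroy));
  }
  ~TaskQueue() {
    for (auto& on_destroy : pending_) on_destroy();
  }

 private:
  std::vector<std::function<void()>> pending_;
};

// Runs one shutdown in either order and reports what UntrackProcess saw.
//   client_outlives_content_shutdown=false: PostDestroyThreads clears the
//     client before the task queue is torn down (the bug).
//   client_outlives_content_shutdown=true: the client is owned by something
//     that dies after content shutdown (the fix moved it to BrowserProcess).
//   process_host_alive=false: ~KeepAliveHandleImpl finds process_host null
//     and never reaches DecrementKeepAliveRefCount, so nothing crashes.
Untrack RunShutdown(bool client_outlives_content_shutdown,
                    bool process_host_alive) {
  Untrack observed = Untrack::kNotCalled;
  auto client = std::make_unique<ExtensionsBrowserClient>();
  ExtensionsBrowserClient::Set(client.get());
  {
    TaskQueue ui_queue;
    ui_queue.Post([&observed, process_host_alive] {
      if (process_host_alive) observed = UntrackProcess(1, 1);
    });
    if (!client_outlives_content_shutdown) {
      ExtensionsBrowserClient::Set(nullptr);  // PostDestroyThreads, too early
      client.reset();
    }
  }  // ~TaskQueue: the queued task is destroyed here, calling UntrackProcess.
  ExtensionsBrowserClient::Set(nullptr);      // fixed order: after teardown
  client.reset();
  return observed;
}

}  // namespace model

int main() {
  std::printf("buggy order, host alive:  %d\n",
              static_cast<int>(model::RunShutdown(false, true)));
  std::printf("buggy order, host gone:   %d\n",
              static_cast<int>(model::RunShutdown(false, false)));
  std::printf("fixed order, host alive:  %d\n",
              static_cast<int>(model::RunShutdown(true, true)));
  return 0;
}
```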

magreenblatt commented 2 years ago

Filed issue #3276 for the Windows crash which is still reproducing after this fix.
