CEF crashes in OSR when opening pdf for viewing

Issue #2488 resolved
Mike Wiedenbauer
created an issue
  1. start 'cefclient --off-screen-rendering-enabled', search for a pdf on google, click the link
  2. Expected: pdf is shown in the view.
    Observed: pdf viewer opens partly, but pdf is not shown. And after hovering over one of the 3 controls in the lower right corner it crashes with a stack trace. Happens on Mac OSX as well as on ubuntu linux
  3. Release 3497
  4. Yes
  5. Previous version (3440) of CEF worked.

The crash, when hovering over the controls also happens with 3440. This is due to a nullptr exception at content/browser/frame_host/render_widget_host_view_guest.cc:376.
This seems to be caused by CefRenderWidgetHostViewOSR not implementing/overriding GetCursorManager(), so the base class returns nullptr.

Stack trace from the crash on Mac OSX

VM Regions Near 0x18:
--> 
    __TEXT                 0000000108aca000-0000000108b51000 [  540K] r-x/rwx SM=COW  /Users/USER/*/cefclient.app/Contents/MacOS/cefclient

Thread 0 Crashed:: CrBrowserMain  Dispatch queue: com.apple.main-thread
0   org.chromium.ContentShell.framework 0x000000010bf46aba content::CursorManager::SetTooltipTextForView(content::RenderWidgetHostViewBase const*, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&) + 10
1   org.chromium.ContentShell.framework 0x000000010bfd0508 content::RenderWidgetHostImpl::OnSetTooltipText(std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, blink::WebTextDirection) + 232
2   org.chromium.ContentShell.framework 0x000000010bfd0333 bool IPC::MessageT<ViewHostMsg_SetTooltipText_Meta, std::__1::tuple<std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> >, blink::WebTextDirection>, void>::Dispatch<content::RenderWidgetHostImpl, content::RenderWidgetHostImpl, void, void (content::RenderWidgetHostImpl::*)(std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, blink::WebTextDirection)>(IPC::Message const*, content::RenderWidgetHostImpl*, content::RenderWidgetHostImpl*, void*, void (content::RenderWidgetHostImpl::*)(std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, blink::WebTextDirection)) + 131
3   org.chromium.ContentShell.framework 0x000000010bfcf7a8 content::RenderWidgetHostImpl::OnMessageReceived(IPC::Message const&) + 776
4   org.chromium.ContentShell.framework 0x000000010ce6b42b IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) + 91
5   org.chromium.ContentShell.framework 0x000000010ca04292 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 242
6   org.chromium.ContentShell.framework 0x000000010ca23d5f base::MessageLoop::RunTask(base::PendingTask*) + 479
7   org.chromium.ContentShell.framework 0x000000010ca24228 base::MessageLoop::DoWork() + 424
8   org.chromium.ContentShell.framework 0x000000010ca263fa base::MessagePumpCFRunLoopBase::RunWork() + 42
9   org.chromium.ContentShell.framework 0x000000010ca16a4a base::mac::CallWithEHFrame(void () block_pointer) + 10
10  org.chromium.ContentShell.framework 0x000000010ca25d1f base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 63
11  com.apple.CoreFoundation        0x00007fffa57bb321 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
12  com.apple.CoreFoundation        0x00007fffa579c21d __CFRunLoopDoSources0 + 557
13  com.apple.CoreFoundation        0x00007fffa579b716 __CFRunLoopRun + 934
14  com.apple.CoreFoundation        0x00007fffa579b114 CFRunLoopRunSpecific + 420
15  com.apple.HIToolbox             0x00007fffa4cfbebc RunCurrentEventLoopInMode + 240
16  com.apple.HIToolbox             0x00007fffa4cfbcf1 ReceiveNextEventCommon + 432
17  com.apple.HIToolbox             0x00007fffa4cfbb26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
18  com.apple.AppKit                0x00007fffa3292a54 _DPSNextEvent + 1120
19  com.apple.AppKit                0x00007fffa3a0e7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
20  com.apple.AppKit                0x00007fffa32873db -[NSApplication run] + 926
21  org.chromium.ContentShell.framework 0x000000010ca26b9c base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 364
22  org.chromium.ContentShell.framework 0x000000010ca2583e base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 110
23  org.chromium.ContentShell.framework 0x000000010ca43d45 base::RunLoop::Run() + 53
24  org.chromium.ContentShell.framework 0x000000010c73d8a0 CefRunMessageLoop() + 64
25  org.cef.cefclient               0x0000000108af7489 client::MainMessageLoopStd::Run() + 9
26  org.cef.cefclient               0x0000000108af8735 main + 1029
27  libdyld.dylib                   0x00007fffbaf21235 start + 1
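The mechanism the report describes (a base-class hook whose default returns nullptr, and a guest view that dereferences the result while forwarding a tooltip) reduced to a compilable model. This is an added illustration and not Chromium or CEF code: the class names mirror the real ones so the call chain reads the same as the trace, but every body is written for this example, and the tooltip strings for the three viewer controls are constructed.

```cpp
// Reduced model of the nullptr path in this issue. Not Chromium or CEF code:
// the class names mirror the real ones so the call chain reads the same, but
// every body here is written for this illustration.
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Stand-in for content::CursorManager: records the last tooltip it was given.
class CursorManager {
 public:
  void SetTooltipTextForView(const void* view, const std::string& text) {
    last_view_ = view;
    last_tooltip_ = text;
    ++calls_;
  }
  const std::string& last_tooltip() const { return last_tooltip_; }
  int calls() const { return calls_; }

 private:
  const void* last_view_ = nullptr;
  std::string last_tooltip_;
  int calls_ = 0;
};

// Stand-in for content::RenderWidgetHostViewBase. The base implementation
// returns nullptr, so any subclass that forgets to override it hands nullptr
// to every caller that assumes a root view always has a cursor manager.
class RenderWidgetHostViewBase {
 public:
  virtual ~RenderWidgetHostViewBase() = default;
  virtual CursorManager* GetCursorManager() { return nullptr; }
};

// Model of CefRenderWidgetHostViewOSR before the fix: no override.
class UnfixedOsrView : public RenderWidgetHostViewBase {};

// Model of CefRenderWidgetHostViewOSR with the proposed fix: the view owns a
// CursorManager for its whole lifetime, so the accessor is never null.
class FixedOsrView : public RenderWidgetHostViewBase {
 public:
  FixedOsrView() : cursor_manager_(std::make_unique<CursorManager>()) {}
  CursorManager* GetCursorManager() override { return cursor_manager_.get(); }

 private:
  std::unique_ptr<CursorManager> cursor_manager_;
};

// Model of RenderWidgetHostViewGuest (the PDF viewer's embedded view). Its
// SetTooltipText forwards the renderer-supplied tooltip to the root view's
// cursor manager. Unlike the call site in the trace above, it checks for
// nullptr and reports failure instead of dereferencing it.
class GuestView {
 public:
  explicit GuestView(RenderWidgetHostViewBase* root) : root_(root) {}
  bool SetTooltipText(const std::string& tooltip_text) {
    CursorManager* manager = root_->GetCursorManager();
    if (!manager)
      return false;  // the original crash site: nullptr dereference here
    manager->SetTooltipTextForView(this, tooltip_text);
    return true;
  }

 private:
  RenderWidgetHostViewBase* root_;
};

// Replays the reporter's steps: hovering the three viewer controls sends one
// tooltip message each. Returns how many were delivered to a cursor manager.
// The tooltip strings are constructed for this example.
int HoverControls(RenderWidgetHostViewBase& root) {
  const std::vector<std::string> tooltips = {"Fit to page", "Zoom in", "Zoom out"};
  GuestView guest(&root);
  int delivered = 0;
  for (const std::string& t : tooltips)
    if (guest.SetTooltipText(t)) ++delivered;
  return delivered;
}

int DeliveredWithUnfixedView() {
  UnfixedOsrView view;
  return HoverControls(view);  // 0: every message hits the nullptr path
}

int DeliveredWithFixedView() {
  FixedOsrView view;
  return HoverControls(view);  // 3
}

std::string LastTooltipWithFixedView() {
  FixedOsrView view;
  HoverControls(view);
  return view.GetCursorManager()->last_tooltip();  // "Zoom out"
}

int main() {
  std::printf("unfixed view delivered %d/3 tooltips\n", DeliveredWithUnfixedView());
  std::printf("fixed view delivered %d/3 tooltips, last = \"%s\"\n",
              DeliveredWithFixedView(), LastTooltipWithFixedView().c_str());
  return 0;
}
```

The null check in the guest is defence in depth only; the actual fix is the override, because a base-class default that returns nullptr is a contract the compiler never enforces. Any renderer can send a tooltip IPC, so a browser-side path that dereferences an unchecked pointer on that message is reachable from untrusted content, which is why a missing override surfaces as a crash rather than a cosmetic bug.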

Comments (11)

  1. Mike Wiedenbauer reporter

    Here's a proposed fix for the "GetCursorManager()" crash (applied against 3440):

    diff --git a/libcef/browser/osr/render_widget_host_view_osr.cc b/libcef/browser/osr/render_widget_host_view_osr.cc
    index bb0ddbbb..0cb2442a 100644
    --- a/libcef/browser/osr/render_widget_host_view_osr.cc
    +++ b/libcef/browser/osr/render_widget_host_view_osr.cc
    @@ -27,6 +27,7 @@
     #include "content/browser/bad_message.h"
     #include "content/browser/compositor/image_transport_factory.h"
     #include "content/browser/frame_host/render_widget_host_view_guest.h"
    +#include "content/browser/renderer_host/cursor_manager.h"
     #include "content/browser/renderer_host/dip_util.h"
     #include "content/browser/renderer_host/render_widget_host_delegate.h"
     #include "content/browser/renderer_host/render_widget_host_impl.h"
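Review bot: this include is what makes content::CursorManager a complete type in the .cc, which the `new content::CursorManager(this)` in the constructor and the std::unique_ptr deleter both need; it is placed in sorted order between the frame_host and renderer_host/dip_util.h entries, so nothing to change here.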
    @@ -277,6 +278,8 @@ CefRenderWidgetHostViewOSR::CefRenderWidgetHostViewOSR(
       if (browser_impl_.get())
         ResizeRootLayer(false);
    
    +  cursor_manager_.reset(new content::CursorManager(this));
    +  
       // Do this last because it may result in a call to SetNeedsBeginFrames.
       render_widget_host_->SetView(this);
     }
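Review bot: the line after the reset() call is whitespace-only (`+  `) and should be an empty line; also prefer `cursor_manager_ = std::make_unique<content::CursorManager>(this);` over `reset(new ...)`. Constructing the manager before `render_widget_host_->SetView(this)` is the right order, since the comment on the next line says SetView can already call back into the view; a one-line comment stating that the manager must exist before SetView would keep a later reorder from reintroducing the nullptr return.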
    @@ -632,6 +635,10 @@ void CefRenderWidgetHostViewOSR::UpdateCursor(
     #endif
     }
    
    +content::CursorManager* CefRenderWidgetHostViewOSR::GetCursorManager() {
    +  return cursor_manager_.get();
    +}
    +
     void CefRenderWidgetHostViewOSR::SetIsLoading(bool is_loading) {}
    
     void CefRenderWidgetHostViewOSR::RenderProcessGone(
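Review bot: the override hands out a raw pointer to a member whose lifetime equals the view's, but the diff does not touch Destroy() or the destructor; confirm that no caller (the guest view in the trace calls this on the root view) keeps the returned pointer past the root view's destruction, otherwise the nullptr dereference would turn into a use-after-free. Placing the override directly after UpdateCursor() groups it with the related cursor handling, which reads well.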
    diff --git a/libcef/browser/osr/render_widget_host_view_osr.h b/libcef/browser/osr/render_widget_host_view_osr.h
    index a4c466d5..9b94e672 100644
    --- a/libcef/browser/osr/render_widget_host_view_osr.h
    +++ b/libcef/browser/osr/render_widget_host_view_osr.h
    @@ -38,6 +38,7 @@ class RenderWidgetHost;
     class RenderWidgetHostImpl;
     class RenderWidgetHostViewGuest;
     class BackingStore;
    +class CursorManager;
     }  // namespace content
    
     class CefBeginFrameTimer;
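Review bot: the forward declaration is sufficient for the header only because the member is a std::unique_ptr and the accessor returns a pointer, and it relies on the class destructor being defined in the .cc where cursor_manager.h is included (std::unique_ptr needs the complete type at the point of destruction). That is the same rule the file already follows for CefBeginFrameTimer, so this is fine; a short comment would save the next reader the check.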
    @@ -147,6 +148,8 @@ class CefRenderWidgetHostViewOSR : public content::RenderWidgetHostViewBase,
       void Destroy() override;
       void SetTooltipText(const base::string16& tooltip_text) override;
    
    +  content::CursorManager* GetCursorManager() override;
    +  
       gfx::Size GetRequestedRendererSize() const override;
       gfx::Size GetCompositorViewportPixelSize() const override;
       void CopyFromSurface(
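Review bot: the `+  ` line after the new declaration is whitespace-only; the surrounding declarations separate groups with empty lines, so strip the trailing spaces. Putting GetCursorManager() directly after SetTooltipText() is a sensible grouping given that the tooltip path is where the nullptr return surfaced.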
    @@ -331,6 +334,9 @@ class CefRenderWidgetHostViewOSR : public content::RenderWidgetHostViewBase,
       std::unique_ptr<ui::XScopedCursor> invisible_cursor_;
     #endif
    
    +  
    +  std::unique_ptr<content::CursorManager> cursor_manager_;
    +  
       // Used to control the VSync rate in subprocesses when BeginFrame scheduling
       // is enabled.
       std::unique_ptr<CefBeginFrameTimer> begin_frame_timer_;
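Review bot: both `+  ` lines around the new member are whitespace-only and leave two blank lines where the file uses one; drop them, and give the member a short comment in the style of the one on begin_frame_timer_, e.g. `// Owns cursor and tooltip state for this root view; returned by GetCursorManager().`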
    
  2. Jordy Boom
    libcef.dll!content::CursorManager::SetTooltipTextForView(const content::RenderWidgetHostViewBase * view, const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & tooltip_text) Line 27
        at Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\cursor_manager.cc(27)
    libcef.dll!content::RenderWidgetHostViewGuest::SetTooltipText(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & tooltip_text) Line 366
        at Y:\work\CEF3_git\chromium\src\content\browser\frame_host\render_widget_host_view_guest.cc(366)
    libcef.dll!content::RenderWidgetHostImpl::OnSetTooltipText(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > & tooltip_text, blink::WebTextDirection text_direction_hint) Line 2084
        at Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\render_widget_host_impl.cc(2084)
    [Inline Frame] libcef.dll!base::DispatchToMethodImpl(content::RenderWidgetHostImpl * const & method, void(content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection)) Line 52
        at Y:\work\CEF3_git\chromium\src\ipc\ipc_message_templates.h(146)
    [Inline Frame] libcef.dll!base::DispatchToMethod(content::RenderWidgetHostImpl * const & method, void(content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection)) Line 60
        at Y:\work\CEF3_git\chromium\src\ipc\ipc_message_templates.h(146)
    [Inline Frame] libcef.dll!IPC::DispatchToMethod(content::RenderWidgetHostImpl * method, void(content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection)) Line 51
        at Y:\work\CEF3_git\chromium\src\ipc\ipc_message_templates.h(146)
    libcef.dll!IPC::MessageT<ViewHostMsg_SetTooltipText_Meta,std::tuple<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,blink::WebTextDirection>,void>::Dispatch<content::RenderWidgetHostImpl,content::RenderWidgetHostImpl,void,void (content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection) __attribute__((thiscall))>(const IPC::Message * msg, content::RenderWidgetHostImpl * obj, content::RenderWidgetHostImpl * sender, void * parameter, void(content::RenderWidgetHostImpl::*)(const std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > &, blink::WebTextDirection) func) Line 146
        at Y:\work\CEF3_git\chromium\src\ipc\ipc_message_templates.h(146)
    libcef.dll!content::RenderWidgetHostImpl::OnMessageReceived(const IPC::Message & msg) Line 625
        at Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\render_widget_host_impl.cc(625)
    libcef.dll!content::RenderProcessHostImpl::OnMessageReceived(const IPC::Message & msg) Line 3089
        at Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\render_process_host_impl.cc(3089)
    libcef.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message) Line 321
        at Y:\work\CEF3_git\chromium\src\ipc\ipc_channel_proxy.cc(321)
    [Inline Frame] libcef.dll!base::internal::FunctorTraits<void (content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) __attribute__((thiscall)),void>::Invoke(void(content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) receiver_ptr, scoped_refptr<content::SpeechRecognizerImpl> && args, content::SpeechRecognizerImpl::FSMEventArgs &&) Line 447
        at Y:\work\CEF3_git\chromium\src\base\bind_internal.h(576)
    [Inline Frame] libcef.dll!base::internal::InvokeHelper<0,void>::MakeItSo(void(content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) && args, scoped_refptr<content::SpeechRecognizerImpl> && args, content::SpeechRecognizerImpl::FSMEventArgs &&) Line 530
        at Y:\work\CEF3_git\chromium\src\base\bind_internal.h(576)
    [Inline Frame] libcef.dll!base::internal::Invoker<base::internal::BindState<void (content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) __attribute__((thiscall)),scoped_refptr<content::SpeechRecognizerImpl>,content::SpeechRecognizerImpl::FSMEventArgs>,void ()>::RunImpl(void(content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) && bound, std::tuple<scoped_refptr<content::SpeechRecognizerImpl>,content::SpeechRecognizerImpl::FSMEventArgs> &&) Line 604
        at Y:\work\CEF3_git\chromium\src\base\bind_internal.h(576)
    libcef.dll!base::internal::Invoker<base::internal::BindState<void (content::SpeechRecognizerImpl::*)(const content::SpeechRecognizerImpl::FSMEventArgs &) __attribute__((thiscall)),scoped_refptr<content::SpeechRecognizerImpl>,content::SpeechRecognizerImpl::FSMEventArgs>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 576
        at Y:\work\CEF3_git\chromium\src\base\bind_internal.h(576)
    [Inline Frame] libcef.dll!base::OnceCallback<void ()>::Run() Line 95
        at Y:\work\CEF3_git\chromium\src\base\debug\task_annotator.cc(101)
    libcef.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task) Line 101
        at Y:\work\CEF3_git\chromium\src\base\debug\task_annotator.cc(101)
    libcef.dll!base::internal::IncomingTaskQueue::RunTask(base::PendingTask * pending_task) Line 125
        at Y:\work\CEF3_git\chromium\src\base\message_loop\incoming_task_queue.cc(125)
    libcef.dll!base::MessageLoop::RunTask(base::PendingTask * pending_task) Line 355
        at Y:\work\CEF3_git\chromium\src\base\message_loop\message_loop.cc(355)
    libcef.dll!base::MessageLoop::DeferOrRunPendingTask(base::PendingTask pending_task) Line 364
        at Y:\work\CEF3_git\chromium\src\base\message_loop\message_loop.cc(364)
    libcef.dll!base::MessageLoop::DoWork() Line 408
        at Y:\work\CEF3_git\chromium\src\base\message_loop\message_loop.cc(408)
    libcef.dll!base::MessagePumpForUI::DoRunLoop() Line 175
        at Y:\work\CEF3_git\chromium\src\base\message_loop\message_pump_win.cc(175)
    libcef.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 59
        at Y:\work\CEF3_git\chromium\src\base\message_loop\message_pump_win.cc(59)
    libcef.dll!base::MessageLoop::Run(bool) Line 306
        at Y:\work\CEF3_git\chromium\src\base\message_loop\message_loop.cc(306)
    libcef.dll!base::RunLoop::Run() Line 136
        at Y:\work\CEF3_git\chromium\src\base\run_loop.cc(136)
    libcef.dll!base::Thread::Run(base::RunLoop * run_loop) Line 256
        at Y:\work\CEF3_git\chromium\src\base\threading\thread.cc(256)
    libcef.dll!base::Thread::ThreadMain() Line 340
        at Y:\work\CEF3_git\chromium\src\base\threading\thread.cc(340)
    libcef.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 94
        at Y:\work\CEF3_git\chromium\src\base\threading\platform_thread_win.cc(94)
    [External Code]
    [Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
    

    I'm using this with CEFSharp (for WPF); reverting to version 65.0.1 (versus 67.0) fixed the issue. That build of CEFSharp (65.0.1) depends on CEF build 3.3325.1758.
