Windows: M87 crash in RenderWidgetHostImpl::SetActive on popup window creation

Issue #3040 closed
Andy Tzeng created an issue

What steps will reproduce the problem?

  1. Get the official build cef_binary_87.1.1+g9a70877+chromium-87.0.4280.27_windows32_beta_client.tar.bz2 from the download site
  2. Launch cefclient
  3. Run Popup Window test case

What is the expected output? What do you see instead?

The popup window can be shown without a crash

What version of the product are you using? On what operating system?

cef_binary_87.1.1+g9a70877+chromium-87.0.4280.27_windows32_beta_client.tar.bz2 on the Windows 10 64-bit platform

Does the problem reproduce with the cefclient or cefsimple sample application at the same version? How about with a newer or older version?

It reproduces with the build from branch 4280. The previous branch, 4240, works.

Does the problem reproduce with Google Chrome at the same version? How about with a newer or older version?

No

Here is the crash stack:

00 0117dd34 10340a2a 00000001 00000018 05000003 libcef!payments::mojom::PaymentRequestClientProxy::OnAbort+0xb8 (FPO: [1,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\gen\third_party\blink\public\mojom\payments\payment_request.mojom.cc @ 936] 
01 0117e1a0 143744cb 0ee23610 0ee33428 0ee23610 libcef!content::RenderWidgetHostViewAura::OnWindowFocused+0x13a (FPO: [2,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\render_widget_host_view_aura.cc @ 1870] 
02 0117e234 14374274 0ee23610 00000001 00000001 libcef!wm::FocusController::SetFocusedWindow+0x211 (FPO: [1,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\ui\wm\core\focus_controller.cc @ 287] 
03 0117e288 14374160 00000000 0ee23610 0117e2a8 libcef!wm::FocusController::FocusAndActivateWindow+0x110 (FPO: [2,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\ui\wm\core\focus_controller.cc @ 244] 
04 0117e298 11afe571 0ee23610 00000000 0117e310 libcef!wm::FocusController::FocusWindow+0x10 (FPO: [1,0,4]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\ui\wm\core\focus_controller.cc @ 100] 
05 0117e2a8 1041ae2a 00000000 0ee3bf98 0ee3bfb0 libcef!aura::Window::Focus+0x17 (FPO: [0,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\ui\aura\window.cc @ 676] 
06 0117e310 1351fb9b 0117e328 0117e364 11eb40b4 libcef!content::WebContentsImpl::Focus+0x3a (FPO: [0,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\content\browser\web_contents\web_contents_impl.cc @ 4618] 
07 0117e31c 11eb40b4 00000001 0ee3d000 05780000 libcef!CefBrowserPlatformDelegateNativeWin::SendFocusEvent+0x1b (FPO: [1,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\cef\libcef\browser\native\browser_platform_delegate_native_win.cc @ 256] 
08 0117e364 11eb2002 00000001 0ee3d110 0117e380 libcef!AlloyBrowserHostImpl::OnSetFocus+0x54 (FPO: [1,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\cef\libcef\browser\alloy\alloy_browser_host_impl.cc @ 938] 
09 0117e3b4 0f58723a 00000001 0ee3d008 00000000 libcef!AlloyBrowserHostImpl::SetFocus+0x42 (FPO: [1,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\cef\libcef\browser\alloy\alloy_browser_host_impl.cc @ 375] 
*** WARNING: Unable to verify checksum for cefclient.exe
0a 0117e3c8 011e6152 0ee3d110 00000001 0117e3e8 libcef!`anonymous namespace'::browser_host_set_focus+0x3a (FPO: [2,0,4]) (CONV: stdcall) [Y:\work\CEF3_git\chromium\src\cef\libcef_dll\cpptoc\browser_host_cpptoc.cc @ 177] 
WARNING: Stack unwind information not available. Following frames may be wrong.
0b 0117e3dc 011a908f 00000001 0ee3d008 32dcbc73 cefclient!Ordinal0+0x66152
0c 0117e3f8 011bbb5e 00000001 0b0a33f0 0117e4d8 cefclient!Ordinal0+0x2908f
0d 0117e408 011bb37d ffffffff ffffffff 00131046 cefclient!Ordinal0+0x3bb5e
0e 0117e4d8 76f15cab 000613ae 00000007 00131046 cefclient!Ordinal0+0x3b37d
0f 0117e504 76f067bc 011bb140 000613ae 00000007 USER32!_InternalCallWinProc+0x2b
10 0117e5e8 76f0635a 011bb140 00000000 00000007 USER32!UserCallWinProcCheckWow+0x3ac (FPO: [SEH])
11 0117e64c 76f1312f 060bb430 00000000 00000007 USER32!DispatchClientMessage+0xea (FPO: [Non-Fpo])
12 0117e688 77542aed 0117e6a4 00000020 0117e7a8 USER32!__fnDWORD+0x3f (FPO: [Non-Fpo])
13 0117e6c0 75db2b9c 76f0811d 000613ae 00000006 ntdll_774d0000!KiUserCallbackDispatcher+0x4d (FPO: [0,0,0])
14 0117e6c4 76f0811d 000613ae 00000006 00000001 win32u!NtUserMessageCall+0xc (FPO: [7,0,0])
15 0117e75c 76f07d84 060bb430 00000000 00480cbc USER32!RealDefWindowProcWorker+0x2cd (FPO: [Non-Fpo])
16 0117e7b8 011bb208 000613ae 00000006 00000001 USER32!DefWindowProcW+0x214 (FPO: [SEH])
17 0117e898 76f15cab 000613ae 00000006 00000001 cefclient!Ordinal0+0x3b208
18 0117e8c4 76f067bc 011bb140 000613ae 00000006 USER32!_InternalCallWinProc+0x2b
19 0117e9a8 76f0635a 011bb140 00000000 00000006 USER32!UserCallWinProcCheckWow+0x3ac (FPO: [SEH])
1a 0117ea0c 76f1312f 060bb430 00000000 00000006 USER32!DispatchClientMessage+0xea (FPO: [Non-Fpo])
1b 0117ea48 77542aed 0117ea64 00000020 0117fc88 USER32!__fnDWORD+0x3f (FPO: [Non-Fpo])
1c 0117ea80 75db309c 011baee9 000613ae 00000001 ntdll_774d0000!KiUserCallbackDispatcher+0x4d (FPO: [0,0,0])
1d 0117ea84 011baee9 000613ae 00000001 0b0a33f0 win32u!NtUserShowWindow+0xc (FPO: [2,0,0])
1e 0117ea9c 011bacdc 00000000 01180000 0b0a33f0 cefclient!Ordinal0+0x3aee9
1f 0117eb88 011bc6df 0117eb9c 00000000 0b0a33f0 cefclient!Ordinal0+0x3acdc
20 0117ec74 01185675 0ee3c190 32dcb31b 0b0a3610 cefclient!Ordinal0+0x3c6df
21 0117ec90 01188d84 0ee3c190 0117eca8 0f586768 cefclient!Ordinal0+0x5675
22 0117ecc4 01188cf8 0ee3c190 0117ecdc 0ee1eb50 cefclient!Ordinal0+0x8d84
23 0117ed28 01204b11 0ee3c190 32dcb2cf 0ee3c080 cefclient!Ordinal0+0x8cf8
24 0117ed44 0f59b71d 0ee3c080 0ee3c108 0117ed54 cefclient!IsSandboxedProcess+0x5591
25 0117ed68 11ebf49b 0ee31e38 0ee3c0c8 4f4cd89d libcef!CefLifeSpanHandlerCToCpp::OnAfterCreated+0x5d (FPO: [1,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\cef\libcef_dll\ctocpp\life_span_handler_ctocpp.cc @ 122] 
26 0117ed88 11eb17f0 0ee2af30 0ee1cfb0 0117edf0 libcef!CefBrowserHostBase::OnAfterCreated+0x55 (FPO: [0,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\cef\libcef\browser\browser_host_base.cc @ 749] 
27 0117edb8 11eb55ac 0117edf0 0117ee08 09eae920 libcef!AlloyBrowserHostImpl::CreateInternal+0x182 (FPO: [11,0,0]) (CONV: cdecl) [Y:\work\CEF3_git\chromium\src\cef\libcef\browser\alloy\alloy_browser_host_impl.cc @ 250] 
28 0117eee0 10414776 09efa000 00000004 00000001 libcef!AlloyBrowserHostImpl::WebContentsCreated+0x1cc (FPO: [6,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\cef\libcef\browser\alloy\alloy_browser_host_impl.cc @ 1426] 
29 0117f154 102fa544 0af49e80 0b0ad6f0 00000000 libcef!content::WebContentsImpl::CreateNewWindow+0x426 (FPO: [5,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\content\browser\web_contents\web_contents_impl.cc @ 3727] 
2a 0117f540 0fddfccf 0b0ad6f0 0af97f78 0117fc88 libcef!content::RenderFrameHostImpl::CreateNewWindow+0x4b4 (FPO: [2,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\content\browser\renderer_host\render_frame_host_impl.cc @ 5045] 
2b 0117f5d0 103062ce 0af49ea0 0117f6c4 00000000 libcef!content::mojom::FrameHostStubDispatch::AcceptWithResponder+0x12f (FPO: [3,0,0]) (CONV: cdecl) [Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\gen\content\common\frame.mojom.cc @ 7074] 
2c 0117f5f4 1177411b 0117f6c4 00000000 0b0350f8 libcef!content::mojom::FrameHostStub<mojo::RawPtrImplRefTraits<content::mojom::FrameHost> >::AcceptWithResponder+0x3e (FPO: [2,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\gen\content\common\frame.mojom.h @ 1025] 
2d 0117f634 11f79199 0117f6c4 0b073020 0b07fdd4 libcef!mojo::InterfaceEndpointClient::HandleValidatedMessage+0x1ef (FPO: [1,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc @ 528] 
2e 0117f658 120e10ed 0117f6c4 0af0f678 0af0f678 libcef!mojo::MessageDispatcher::Accept+0x59 (FPO: [1,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc @ 46] 
2f 0117f764 1055ddd5 00000006 00000000 0117f808 libcef!IPC::`anonymous namespace'::ChannelAssociatedGroupController::AcceptSyncMessage+0x1ed (FPO: [2,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\ipc\ipc_mojo_bootstrap.cc @ 982] 
30 (Inline) -------- -------- -------- -------- libcef!base::internal::FunctorTraits<void (device::SerialIoHandler::*)(int, device::mojom::SerialSendError) __attribute__((thiscall)),void>::Invoke+0xf (Inline Function @ 1055ddd5) (CONV: cdecl) [Y:\work\CEF3_git\chromium\src\base\bind_internal.h @ 498] 
31 (Inline) -------- -------- -------- -------- libcef!base::internal::InvokeHelper<0,void>::MakeItSo+0xf (Inline Function @ 1055ddd5) (CONV: cdecl) [Y:\work\CEF3_git\chromium\src\base\bind_internal.h @ 637] 
32 (Inline) -------- -------- -------- -------- libcef!base::internal::Invoker<base::internal::BindState<void (device::SerialIoHandler::*)(int, device::mojom::SerialSendError) __attribute__((thiscall)),scoped_refptr<device::SerialIoHandler>,int,device::mojom::SerialSendError>,void ()>::RunImpl+0xf (Inline Function @ 1055ddd5) (CONV: cdecl) [Y:\work\CEF3_git\chromium\src\base\bind_internal.h @ 710] 
33 0117f774 116594fb 0ee1c388 00000000 0117f7c0 libcef!base::internal::Invoker<base::internal::BindState<void (device::SerialIoHandler::*)(int, device::mojom::SerialSendError) __attribute__((thiscall)),scoped_refptr<device::SerialIoHandler>,int,device::mojom::SerialSendError>,void ()>::RunOnce+0x15 (FPO: [1,0,4]) (CONV: cdecl) [Y:\work\CEF3_git\chromium\src\base\bind_internal.h @ 683] 
34 (Inline) -------- -------- -------- -------- libcef!base::OnceCallback<void ()>::Run+0x10 (Inline Function @ 116594fb) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\base\callback.h @ 100] 
35 0117f808 11f02c06 15c13766 0af0f678 75db2b3c libcef!base::TaskAnnotator::RunTask+0x12b (FPO: [2,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\base\task\common\task_annotator.cc @ 163] 
36 0117f8e0 11f0289c 0117f908 0117f910 5c201a94 libcef!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl+0x166 (FPO: [2,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc @ 332] 
37 0117f958 11683f8b 0117f970 00000019 5c08b0bd libcef!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork+0xbc (FPO: [1,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc @ 254] 
38 0117f9a4 116836e1 05821c54 ffffff00 00000001 libcef!base::MessagePumpForUI::DoRunLoop+0x5b (FPO: [0,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\base\message_loop\message_pump_win.cc @ 225] 
39 0117f9c4 11f03471 05821c54 00000000 0117fa30 libcef!base::MessagePumpWin::Run+0x51 (FPO: [1,0,4]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\base\message_loop\message_pump_win.cc @ 83] 
3a 0117f9fc 11644a24 00000001 ffffffff 7fffffff libcef!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run+0x141 (FPO: [3,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc @ 454] 
3b 0117fa48 11eaf46d 00000000 00000000 0117fa50 libcef!base::RunLoop::Run+0x184 (FPO: [0,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\base\run_loop.cc @ 126] 
3c 0117fa90 011841c8 0117fc44 011c2936 0000001b libcef!CefMainRunner::RunMessageLoop+0x6f (FPO: [0,0,0]) (CONV: thiscall) [Y:\work\CEF3_git\chromium\src\cef\libcef\browser\main_runner.cc @ 288] 
3d 0117fa98 011c2936 0000001b 057fc028 057fbf78 cefclient!Ordinal0+0x41c8
3e 0117fc44 011c25cb 0117fc98 01264cba 01180000 cefclient!Ordinal0+0x42936
3f 0117fc4c 01264cba 01180000 00000000 057825f6 cefclient!Ordinal0+0x425cb
40 0117fc98 76940419 05485000 76940400 0117fd04 cefclient!GetHandleVerifier+0x3a9ea
41 0117fca8 775366ed 05485000 f8239d26 00000000 KERNEL32!BaseThreadInitThunk+0x19 (FPO: [Non-Fpo])
42 0117fd04 775366bd ffffffff 775553e8 00000000 ntdll_774d0000!__RtlUserThreadStart+0x2f (FPO: [SEH])
43 0117fd14 00000000 01264d40 05485000 00000000 ntdll_774d0000!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

Comments (22)

  1. Marshall Greenblatt

    This is the crash stack trace that I see with a local Debug x86 build:

    [1109/135428.927:FATAL:associated_remote.h(74)] Check failed: is_bound(). Cannot issue Interface method calls on an unbound AssociatedRemote
    
        base.dll!base::debug::BreakDebugger() Line 31   C++
        base.dll!logging::LogMessage::~LogMessage() Line 878    C++
        base.dll!logging::LogMessage::~LogMessage() Line 549    C++
        base.dll!logging::CheckError::~CheckError() Line 104    C++
        content.dll!mojo::AssociatedRemote<blink::mojom::FrameWidget>::get() Line 76    C++
        content.dll!mojo::AssociatedRemote<blink::mojom::FrameWidget>::operator->() Line 80 C++
    >   content.dll!content::RenderWidgetHostImpl::SetActive(bool active) Line 1203 C++
        content.dll!content::RenderWidgetHostViewAura::OnWindowFocused(aura::Window * gained_focus, aura::Window * lost_focus) Line 1868    C++
        wm.dll!wm::FocusController::SetFocusedWindow(aura::Window * window) Line 283    C++
        wm.dll!wm::FocusController::FocusAndActivateWindow(wm::ActivationChangeObserver::ActivationReason reason, aura::Window * window) Line 239   C++
        wm.dll!wm::FocusController::FocusWindow(aura::Window * window) Line 100 C++
        aura.dll!aura::Window::Focus() Line 675 C++
        content.dll!content::RenderWidgetHostViewAura::Focus() Line 548 C++
        content.dll!content::WebContentsViewAura::Focus() Line 832  C++
        content.dll!content::WebContentsImpl::Focus() Line 4620 C++
        libcef.dll!CefBrowserPlatformDelegateNativeWin::SendFocusEvent(bool setFocus) Line 256  C++
        libcef.dll!AlloyBrowserHostImpl::OnSetFocus(<unnamed-tag> source) Line 939  C++
        libcef.dll!AlloyBrowserHostImpl::SetFocus(bool focus) Line 375  C++
        libcef.dll!`anonymous namespace'::browser_host_set_focus(_cef_browser_host_t * self, int focus) Line 177    C++
        cefclient.exe!CefBrowserHostCToCpp::SetFocus(bool focus) Line 141   C++
        cefclient.exe!client::BrowserWindowStdWin::SetFocus(bool focus) Line 109    C++
        cefclient.exe!client::RootWindowWin::OnFocus() Line 630 C++
        cefclient.exe!client::RootWindowWin::RootWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 538    C++
        [External Code] 
        user32.dll![Frames below may be incorrect and/or missing, no symbols loaded for user32.dll] Unknown
        cefclient.exe!client::RootWindowWin::OnActivate(bool active) Line 635   C++
        cefclient.exe!client::RootWindowWin::RootWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 616    C++
        [External Code] 
        cefclient.exe!client::RootWindowWin::CreateRootWindow(const CefStructBase<CefBrowserSettingsTraits> & settings, bool initially_hidden) Line 387 C++
        cefclient.exe!client::RootWindowWin::OnBrowserCreated(scoped_refptr<CefBrowser> browser) Line 991   C++
    

  2. Marshall Greenblatt

    |blink_widget_| is unbound when RenderWidgetHostImpl::InitForFrame is called via this stack trace:

    >   content.dll!content::RenderWidgetHostImpl::InitForFrame() Line 621  C++
        content.dll!content::RenderFrameHostImpl::SetRenderFrameCreated(bool created) Line 2323 C++
        content.dll!content::WebContentsImpl::Init(const content::WebContents::CreateParams & params) Line 2829 C++
        content.dll!content::WebContentsImpl::CreateWithOpener(const content::WebContents::CreateParams & params, content::RenderFrameHostImpl * opener_rfh) Line 1058  C++
        content.dll!content::WebContentsImpl::Create(const content::WebContents::CreateParams & params) Line 515    C++
        content.dll!content::WebContentsImpl::CreateNewWindow(content::RenderFrameHost * opener, const content::mojom::CreateNewWindowParams & params, bool is_new_browsing_instance, bool has_user_gesture, content::SessionStorageNamespace * session_storage_namespace) Line 3673    C++
        content.dll!content::RenderFrameHostImpl::CreateNewWindow(mojo::StructPtr<content::mojom::CreateNewWindowParams> params, base::OnceCallback<void (content::mojom::CreateNewWindowStatus, mojo::StructPtr<content::mojom::CreateNewWindowReply>)> callback) Line 5045    C++
    

    This comment seems relevant:

    // In situations where RenderFrameHostImpl::CreateNewFrame calls this
    // the |blink_widget_| will not be bound before this method is called.
    // However RenderWidgetHostImpl::Init will be called once the widget
    // is shown and these handlers will be bound there.

    So we likely need to wait for RenderWidgetHostImpl::Init to be called before calling WebContentsImpl::Focus.
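
The deferral proposed in the comment above, as an added stand-alone C++ illustration (this is not CEF or Chromium code): a focus request that arrives while the widget remote is still unbound is recorded and replayed once Init() binds it, instead of being forwarded straight into the unbound remote. The AssociatedRemote, RenderWidgetHost, SetActiveNaive and SetActiveDeferred names are simplified stand-ins for the Chromium classes in the stack traces, and the unbound call throws where Chromium would CHECK so that the two orderings can be driven from a test.

```cpp
#include <stdexcept>

// Stand-in for mojo::AssociatedRemote<T>: method calls are only legal once it
// is bound. An unbound call models the CHECK failure in the stack above, but
// throws instead of aborting so the scenario can be driven from a test.
class AssociatedRemote {
 public:
  bool is_bound() const { return bound_; }
  void Bind() { bound_ = true; }
  void SetActive(bool active) {
    if (!bound_) throw std::logic_error("unbound AssociatedRemote");
    ++calls_;
    last_active_ = active;
  }
  int calls() const { return calls_; }
  bool last_active() const { return last_active_; }

 private:
  bool bound_ = false;
  int calls_ = 0;
  bool last_active_ = false;
};

// Stand-in for RenderWidgetHostImpl: created (InitForFrame) with the widget
// remote unbound; Init(), which runs once the widget is shown, binds it.
class RenderWidgetHost {
 public:
  void Init() {
    blink_widget_.Bind();
    if (has_pending_) {  // replay a SetActive that arrived before binding
      blink_widget_.SetActive(pending_active_);
      has_pending_ = false;
    }
  }

  // Naive: forwards unconditionally, so a call before Init() is fatal.
  void SetActiveNaive(bool active) { blink_widget_.SetActive(active); }

  // Deferred: record the request while unbound and let Init() deliver it.
  // Only the most recent value is kept; earlier ones are superseded.
  void SetActiveDeferred(bool active) {
    if (!blink_widget_.is_bound()) {
      pending_active_ = active;
      has_pending_ = true;
      return;
    }
    blink_widget_.SetActive(active);
  }

  const AssociatedRemote& widget() const { return blink_widget_; }

 private:
  AssociatedRemote blink_widget_;
  bool has_pending_ = false;
  bool pending_active_ = false;
};

// Drives "focus the new popup before its widget is initialised". Returns the
// number of SetActive calls that reached the bound remote, or -1 if the call
// hit the unbound remote (the crash in the stack above).
int FocusBeforeInit(bool deferred) {
  RenderWidgetHost host;
  try {
    if (deferred) host.SetActiveDeferred(true); else host.SetActiveNaive(true);
  } catch (const std::logic_error&) {
    return -1;
  }
  host.Init();
  return host.widget().calls();
}

// Same drive with the normal ordering (Init first), where both forms work.
int FocusAfterInit(bool deferred) {
  RenderWidgetHost host;
  host.Init();
  if (deferred) host.SetActiveDeferred(true); else host.SetActiveNaive(true);
  return host.widget().calls();
}
```

FocusBeforeInit(false) reproduces the failure mode (the naive path reaches the unbound remote), while FocusBeforeInit(true) delivers exactly one SetActive once Init() runs; with Init() first, both paths behave the same.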

  3. Marshall Greenblatt

    There is a known bug with the above workaround where the new popup window will not show the cursor in the text field until focus leaves and returns to the browser window (e.g. by clicking into and out of the address bar). We’ll hopefully get a proper fix in Chromium soon.

  4. Yijie Ma

    Hi, we are using CEF version 87.1.12+g03f9336+chromium-87.0.4280.88 and we are seeing the following crash in our browser process on both Windows 7 and Windows 10 through remote desktop. The crash appears to happen when closing a browser window after loading a URL:

    Thread 0 (id: 0x00002824) CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000000 ]
    
    0x00000000106dbd22  (libcef.dll -render_view_host_impl.cc:820)      content::RenderViewHostImpl::OnFocus()
    0x0000000012cdd086  (libcef.dll -hwnd_util_aurawin.cc:19)       views::HWNDForWidget(views::Widget const *)
    0x00000000138d339a  (libcef.dll -browser_platform_delegate_native_win.cc:285)       CefBrowserPlatformDelegateNativeWin::SendFocusEvent(bool)
    0x0000000012264273  (libcef.dll -alloy_browser_host_impl.cc:939)        AlloyBrowserHostImpl::OnSetFocus(cef_focus_source_t)
    0x0000000012262262  (libcef.dll -alloy_browser_host_impl.cc:376)        AlloyBrowserHostImpl::SetFocusInternal(bool)
    0x000000001198b060  (libcef.dll -bind_internal.h:692)       base::internal::Invoker<base::internal::BindState<void ((anonymous namespace)::CefAllowCertificateErrorCallbackImpl::*)(bool) __attribute__((thiscall)),scoped_refptr<(anonymous namespace)::CefAllowCertificateErrorCallbackImpl>,bool>,void ()>::Run
    0x0000000011a0826a  (libcef.dll -task_annotator.cc:163)     base::TaskAnnotator::RunTask(char const *,base::PendingTask *)
    0x00000000122b2e45  (libcef.dll -thread_controller_with_message_pump_impl.cc:332)       base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::sequence_manager::LazyNow *)
    0x00000000122b2adb  (libcef.dll -thread_controller_with_message_pump_impl.cc:252)       base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork()
    0x0000000011a32dfa  (libcef.dll -message_pump_win.cc:225)       base::MessagePumpForUI::DoRunLoop()
    0x0000000011a32550  (libcef.dll -message_pump_win.cc:81)        base::MessagePumpWin::Run(base::MessagePump::Delegate *)
    0x00000000122b36b0  (libcef.dll -thread_controller_with_message_pump_impl.cc:446)       base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool,base::TimeDelta)
    ......
    

    We think this is related to the fix in changeset 2a64387259cf, which adds AlloyBrowserHostImpl::SetFocusInternal.

    We don’t see this crash when using cef_binary_87.1.6+g315d248+chromium-87.0.4280.66_windows64.

  5. Yijie Ma

    I updated the issue and the stacktrace with the new finding. The blank window issue was probably due to GPU acceleration not working through remote desktop, but the above crash still happens after disabling GPU acceleration and even when testing with M88.

  6. Marshall Greenblatt

    @Yijie Ma Are you able to reproduce the crash with a Debug build? That might provide a more detailed stack trace. Thanks.

  7. Marshall Greenblatt

    This crash still reproduces with M87 running cefclient --use-views and selecting Tests > Popup Window. Call stack:

    >   base.dll!base::debug::BreakDebugger() Line 31   C++
        base.dll!logging::LogMessage::~LogMessage() Line 878    C++
        base.dll!logging::LogMessage::~LogMessage() Line 549    C++
        base.dll!logging::CheckError::~CheckError() Line 104    C++
        content.dll!mojo::AssociatedRemote<blink::mojom::FrameWidget>::get() Line 76    C++
        content.dll!mojo::AssociatedRemote<blink::mojom::FrameWidget>::operator->() Line 80 C++
        content.dll!content::RenderWidgetHostImpl::SetActive(bool active) Line 1204 C++
        content.dll!content::RenderWidgetHostViewAura::OnWindowFocused(aura::Window * gained_focus, aura::Window * lost_focus) Line 1868    C++
        wm.dll!wm::FocusController::SetFocusedWindow(aura::Window * window) Line 283    C++
        wm.dll!wm::FocusController::FocusAndActivateWindow(wm::ActivationChangeObserver::ActivationReason reason, aura::Window * window) Line 239   C++
        wm.dll!wm::FocusController::FocusWindow(aura::Window * window) Line 100 C++
        aura.dll!aura::Window::Focus() Line 675 C++
        content.dll!content::RenderWidgetHostViewAura::Focus() Line 548 C++
        content.dll!content::WebContentsViewAura::Focus() Line 832  C++
        content.dll!content::WebContentsImpl::Focus() Line 4629 C++
        webview.dll!views::WebView::OnFocus() Line 256  C++
        libcef.dll!CefViewView<WebViewEx,CefBrowserViewDelegate>::OnFocus() Line 168    C++
        views.dll!views::View::Focus() Line 2071    C++
        views.dll!views::FocusManager::SetFocusedViewWithReason(views::View * view, views::FocusManager::FocusChangeReason reason) Line 378 C++
        views.dll!views::FocusManager::SetFocusedView(views::View * view) Line 391  C++
        views.dll!views::View::RequestFocus() Line 1569 C++
        libcef.dll!CefViewImpl<CefBrowserViewView,CefBrowserView,CefBrowserViewDelegate>::RequestFocus() Line 651   C++
        libcef.dll!`anonymous namespace'::browser_view_request_focus(_cef_view_t * self) Line 842   C++
        cefclient.exe!CefBrowserViewCToCpp::RequestFocus() Line 737 C++
        cefclient.exe!client::ViewsWindow::Show() Line 138  C++
        cefclient.exe!client::ViewsWindow::OnWindowCreated(scoped_refptr<CefWindow> window) Line 520    C++
        cefclient.exe!`anonymous namespace'::window_delegate_on_window_created(_cef_window_delegate_t * self, _cef_window_t * window) Line 40   C++
        libcef.dll!CefWindowDelegateCToCpp::OnWindowCreated(scoped_refptr<CefWindow> window) Line 39    C++
        libcef.dll!CefWindowImpl::Create(scoped_refptr<CefWindowDelegate> delegate) Line 122    C++
        libcef.dll!CefWindow::CreateTopLevelWindow(scoped_refptr<CefWindowDelegate> delegate) Line 111  C++
        libcef.dll!cef_window_create_top_level(_cef_window_delegate_t * delegate) Line 43   C++
        cefclient.exe!CefWindow::CreateTopLevelWindow(scoped_refptr<CefWindowDelegate> delegate) Line 44    C++
        cefclient.exe!client::ViewsWindow::OnPopupBrowserViewCreated(scoped_refptr<CefBrowserView> browser_view, scoped_refptr<CefBrowserView> popup_browser_view, bool is_devtools) Line 359   C++
        cefclient.exe!`anonymous namespace'::browser_view_delegate_on_popup_browser_view_created(_cef_browser_view_delegate_t * self, _cef_browser_view_t * browser_view, _cef_browser_view_t * popup_browser_view, int is_devtools) Line 142   C++
        libcef.dll!CefBrowserViewDelegateCToCpp::OnPopupBrowserViewCreated(scoped_refptr<CefBrowserView> browser_view, scoped_refptr<CefBrowserView> popup_browser_view, bool is_devtools) Line 134 C++
        libcef.dll!CefBrowserPlatformDelegateViews::PopupBrowserCreated(CefBrowserHostBase * new_browser, bool is_devtools) Line 172    C++
        libcef.dll!AlloyBrowserHostImpl::CreateInternal(const CefStructBase<CefBrowserSettingsTraits> & settings, scoped_refptr<CefClient> client, content::WebContents * web_contents, bool own_web_contents, scoped_refptr<CefBrowserInfo> browser_info, scoped_refptr<AlloyBrowserHostImpl> opener, bool is_devtools_popup, scoped_refptr<CefRequestContextImpl> request_context, std::__1::unique_ptr<CefBrowserPlatformDelegate,std::__1::default_delete<CefBrowserPlatformDelegate>> platform_delegate, scoped_refptr<CefExtension> extension) Line 263   C++
        libcef.dll!AlloyBrowserHostImpl::WebContentsCreated(content::WebContents * source_contents, int opener_render_process_id, int opener_render_frame_id, const std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> & frame_name, const GURL & target_url, content::WebContents * new_contents) Line 1427    C++
        content.dll!content::WebContentsImpl::CreateNewWindow(content::RenderFrameHost * opener, const content::mojom::CreateNewWindowParams & params, bool is_new_browsing_instance, bool has_user_gesture, content::SessionStorageNamespace * session_storage_namespace) Line 3736    C++
        content.dll!content::RenderFrameHostImpl::CreateNewWindow(mojo::StructPtr<content::mojom::CreateNewWindowParams> params, base::OnceCallback<void (content::mojom::CreateNewWindowStatus, mojo::StructPtr<content::mojom::CreateNewWindowReply>)> callback) Line 5059    C++
        content.dll!content::mojom::FrameHostStubDispatch::AcceptWithResponder(content::mojom::FrameHost * impl, mojo::Message * message, std::__1::unique_ptr<mojo::MessageReceiverWithStatus,std::__1::default_delete<mojo::MessageReceiverWithStatus>> responder) Line 7074  C++
        content.dll!content::mojom::FrameHostStub<mojo::RawPtrImplRefTraits<content::mojom::FrameHost>>::AcceptWithResponder(mojo::Message * message, std::__1::unique_ptr<mojo::MessageReceiverWithStatus,std::__1::default_delete<mojo::MessageReceiverWithStatus>> responder) Line 1025  C++
        bindings.dll!mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message * message) Line 528    C++
        bindings.dll!mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message * message) Line 140    C++
        bindings.dll!mojo::MessageDispatcher::Accept(mojo::Message * message) Line 46   C++
        bindings.dll!mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message * message) Line 356 C++
        ipc.dll!IPC::`anonymous namespace'::ChannelAssociatedGroupController::Endpoint::OnSyncMessageEventReady() Line 613  C++
        ipc.dll!base::internal::FunctorTraits<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint::*)() __attribute__((thiscall)),void>::Invoke<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint::*)() __attribute__((thiscall)),IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint *>(void(IPC::`anonymous namespace'::ChannelAssociatedGroupController::Endpoint::*)() method, IPC::`anonymous namespace'::ChannelAssociatedGroupController::Endpoint * && receiver_ptr) Line 498    C++
        ipc.dll!base::internal::InvokeHelper<0,void>::MakeItSo<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint::*const &)() __attribute__((thiscall)),IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint *>(void(IPC::`anonymous namespace'::ChannelAssociatedGroupController::Endpoint::*)() & functor, IPC::`anonymous namespace'::ChannelAssociatedGroupController::Endpoint * && args) Line 637    C++
        ipc.dll!base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint::*)() __attribute__((thiscall)),base::internal::UnretainedWrapper<IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint>>,void ()>::RunImpl<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint::*const &)() __attribute__((thiscall)),const std::__1::tuple<base::internal::UnretainedWrapper<IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint>> &,0>(void(IPC::`anonymous namespace'::ChannelAssociatedGroupController::Endpoint::*)() & functor, const std::__1::tuple<base::internal::UnretainedWrapper<IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint>> & bound, std::__1::integer_sequence<unsigned int,0>) Line 710   C++
        ipc.dll!base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint::*)() __attribute__((thiscall)),base::internal::UnretainedWrapper<IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint>>,void ()>::Run(base::internal::BindStateBase * base) Line 692  C++
        bindings.dll!base::RepeatingCallback<void ()>::Run() Line 135   C++
        bindings.dll!mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::OnEventSignaled() Line 222    C++
        bindings.dll!base::internal::FunctorTraits<void (mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::*)() __attribute__((thiscall)),void>::Invoke<void (mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::*)() __attribute__((thiscall)),mojo::SequenceLocalSyncEventWatcher::SequenceLocalState *>(void(mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::*)() method, mojo::SequenceLocalSyncEventWatcher::SequenceLocalState * && receiver_ptr) Line 498  C++
        bindings.dll!base::internal::InvokeHelper<0,void>::MakeItSo<void (mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::*const &)() __attribute__((thiscall)),mojo::SequenceLocalSyncEventWatcher::SequenceLocalState *>(void(mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::*)() & functor, mojo::SequenceLocalSyncEventWatcher::SequenceLocalState * && args) Line 637   C++
        bindings.dll!base::internal::Invoker<base::internal::BindState<void (mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::*)() __attribute__((thiscall)),base::internal::UnretainedWrapper<mojo::SequenceLocalSyncEventWatcher::SequenceLocalState>>,void ()>::RunImpl<void (mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::*const &)() __attribute__((thiscall)),const std::__1::tuple<base::internal::UnretainedWrapper<mojo::SequenceLocalSyncEventWatcher::SequenceLocalState>> &,0>(void(mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::*)() & functor, const std::__1::tuple<base::internal::UnretainedWrapper<mojo::SequenceLocalSyncEventWatcher::SequenceLocalState>> & bound, std::__1::integer_sequence<unsigned int,0>) Line 710    C++
        bindings.dll!base::internal::Invoker<base::internal::BindState<void (mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::*)() __attribute__((thiscall)),base::internal::UnretainedWrapper<mojo::SequenceLocalSyncEventWatcher::SequenceLocalState>>,void ()>::Run(base::internal::BindStateBase * base) Line 692   C++
        bindings.dll!base::RepeatingCallback<void ()>::Run() Line 135   C++
        bindings.dll!base::RepeatingCallbackList<void ()>::RunCallback<>(std::__1::__list_iterator<base::RepeatingCallback<void ()>,void *> it) Line 316    C++
        bindings.dll!base::internal::CallbackListBase<base::RepeatingCallbackList<void ()>>::Notify<>() Line 206    C++
        bindings.dll!mojo::SyncHandleRegistry::Wait(const bool * * should_stop, unsigned int count) Line 147    C++
        bindings.dll!mojo::SyncEventWatcher::SyncWatch(const bool * * stop_flags, unsigned int num_stop_flags) Line 45  C++
        bindings.dll!mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::SyncWatch(const mojo::SequenceLocalSyncEventWatcher * watcher, mojo::`anonymous namespace'::WatcherState * watcher_state, const bool * should_stop) Line 164  C++
        bindings.dll!mojo::SequenceLocalSyncEventWatcher::SyncWatch(const bool * should_stop) Line 286  C++
        bindings.dll!mojo::internal::MultiplexRouter::InterfaceEndpoint::SyncWatch(const bool * should_stop) Line 148   C++
        bindings.dll!mojo::InterfaceEndpointClient::SendMessageWithResponder(mojo::Message * message, bool is_control_message, std::__1::unique_ptr<mojo::MessageReceiver,std::__1::default_delete<mojo::MessageReceiver>> responder) Line 335  C++
        bindings.dll!mojo::InterfaceEndpointClient::AcceptWithResponder(mojo::Message * message, std::__1::unique_ptr<mojo::MessageReceiver,std::__1::default_delete<mojo::MessageReceiver>> responder) Line 247    C++
        host.dll!viz::mojom::FrameSinkManagerProxy::DestroyCompositorFrameSink(const viz::FrameSinkId & param_frame_sink_id) Line 498   C++
        host.dll!viz::HostFrameSinkManager::InvalidateFrameSinkId(const viz::FrameSinkId & frame_sink_id) Line 102  C++
        compositor.dll!ui::Compositor::~Compositor() Line 289   C++
        compositor.dll!ui::Compositor::~Compositor() Line 262   C++
        aura.dll!std::__1::default_delete<ui::Compositor>::operator()(ui::Compositor * __ptr) Line 2378 C++
        aura.dll!std::__1::unique_ptr<ui::Compositor,std::__1::default_delete<ui::Compositor>>::reset(ui::Compositor * __p) Line 2633   C++
        aura.dll!aura::WindowTreeHost::DestroyCompositor() Line 380 C++
        views.dll!views::DesktopWindowTreeHostWin::HandleDestroying() Line 850  C++
        views.dll!views::HWNDMessageHandler::OnDestroy() Line 1646  C++
        views.dll!views::HWNDMessageHandler::_ProcessWindowMessage(HWND__ * hWnd, unsigned int uMsg, unsigned int wParam, long lParam, long & lResult, unsigned long dwMsgMapID) Line 430   C++
        views.dll!views::HWNDMessageHandler::OnWndProc(unsigned int message, unsigned int w_param, long l_param) Line 1003  C++
        gfx.dll!gfx::WindowImpl::WndProc(HWND__ * hwnd, unsigned int message, unsigned int w_param, long l_param) Line 311  C++
        gfx.dll!base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>(HWND__ * hwnd, unsigned int message, unsigned int wparam, long lparam) Line 74  C++
    

  8. Alex Fusco

    For Yijie’s crash stack, I’m able to reproduce with a debug build but I don’t get a more useful stack.

    It’s clear from inspecting values in the debugger and from the reproduction steps that the |window_widget_| member of CefBrowserPlatformDelegateNativeWin is used after it is freed. It’s likely that the member was invalidated between when the post task to run |SetFocusInternal| was scheduled and when it was actually run. Hope that helps.
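
    The deferred-task hazard described in the comment above, as an added example that is not CEF's or Chromium's code: a hypothetical delegate posts its SetFocus work against a weak handle, so the task can detect that the widget was freed between scheduling and execution instead of touching a dangling raw member. Widget, TaskQueue, Delegate and RunScenario are stand-ins constructed here, and std::weak_ptr is assumed in place of base::WeakPtr.

```cpp
#include <deque>
#include <functional>
#include <memory>

// Stand-in for a views::Widget (the object behind |window_widget_|).
struct Widget {
  bool focused = false;
  void SetFocus() { focused = true; }
};

// Minimal single-threaded queue standing in for base::PostTask plus the
// message loop that drains it later.
struct TaskQueue {
  std::deque<std::function<void()>> tasks;
  void Post(std::function<void()> t) { tasks.push_back(std::move(t)); }
  void RunAll() {
    while (!tasks.empty()) { auto t = std::move(tasks.front()); tasks.pop_front(); t(); }
  }
};

enum FocusResult { kFocused, kSkippedWidgetGone };

// Hypothetical delegate mirroring the pattern from the comment: SetFocus is
// deferred via a posted task. The weak handle (std::weak_ptr, standing in for
// base::WeakPtr) lets the task notice the widget was freed in the meantime.
struct Delegate {
  std::shared_ptr<Widget> window_widget_ = std::make_shared<Widget>();
  FocusResult last_result = kSkippedWidgetGone;

  void PostSetFocus(TaskQueue& queue) {
    std::weak_ptr<Widget> weak = window_widget_;
    queue.Post([this, weak] {
      if (auto widget = weak.lock()) {  // still alive: safe to use
        widget->SetFocus();
        last_result = kFocused;
      } else {  // freed before the task ran: skip, no use-after-free
        last_result = kSkippedWidgetGone;
      }
    });
  }
  void DestroyWidget() { window_widget_.reset(); }
};

// Post the focus task, optionally free the widget before the queue drains,
// and report what the task observed when it finally ran.
FocusResult RunScenario(bool destroy_before_run) {
  TaskQueue queue;
  Delegate delegate;
  delegate.PostSetFocus(queue);
  if (destroy_before_run) delegate.DestroyWidget();
  queue.RunAll();
  return delegate.last_result;
}
```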

  9. Sergey Markelov

    I am still getting this crash in libcef.dll 87.1.14+ga29e9a3+chromium-87.0.4280.141 windows 32 on Windows 7, it happens on each second run.
    The call stack of the main thread is cut for some reason but is very similar to the stacks posted above.

    libcef.dll!6e0c014c()   C++
    libcef.dll!AlloyBrowserHostImpl::OnSetFocus(<unnamed-tag> source) Line 939  C++
    libcef.dll!AlloyBrowserHostImpl::SetFocusInternal(bool focus) Line 376  C++
    [Inline Frame] libcef.dll!base::internal::FunctorTraits<void (CefMenuModelImpl::*)(bool) __attribute__((thiscall)),void>::Invoke(void(CefMenuModelImpl::*)(bool) method, const scoped_refptr<CefMenuModelImpl> & receiver_ptr, const bool & args) Line 498  C++
    [Inline Frame] libcef.dll!base::internal::InvokeHelper<0,void>::MakeItSo(void(CefMenuModelImpl::*)(bool) & functor, const scoped_refptr<CefMenuModelImpl> & args, const bool & args) Line 637   C++
    [Inline Frame] libcef.dll!base::internal::Invoker<base::internal::BindState<void (CefMenuModelImpl::*)(bool) __attribute__((thiscall)),scoped_refptr<CefMenuModelImpl>,bool>,void ()>::RunImpl(void(CefMenuModelImpl::*)(bool) & functor, const std::__1::tuple<scoped_refptr<CefMenuModelImpl>,bool> & bound, std::__1::integer_sequence<unsigned int,0,1>) Line 710   C++
    libcef.dll!base::internal::Invoker<base::internal::BindState<void (CefMenuModelImpl::*)(bool) __attribute__((thiscall)),scoped_refptr<CefMenuModelImpl>,bool>,void ()>::Run(base::internal::BindStateBase * base) Line 695  C++
    [Inline Frame] libcef.dll!base::OnceCallback<void ()>::Run() Line 100   C++
    libcef.dll!base::TaskAnnotator::RunTask(const char * trace_event_name, base::PendingTask * pending_task) Line 163   C++
    libcef.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::sequence_manager::LazyNow * continuation_lazy_now) Line 332  C++
    libcef.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() Line 254 C++
    

  10. Sergey Markelov

    @Marshall Greenblatt Newer CEF versions are not working on macOS 10.10, they are not suitable to our runtime environment.
