Status: Untriaged Owner: b...@chromium.org CC: s...@chromium.org, erik...@chromium.org Labels: Type-Bug Pri-1 OS-All Area-BrowserUI Size-Medium
New issue 18248 by erik...@chromium.org: crash after deleting WidgetWin during event handler http://code.google.com/p/chromium/issues/detail?id=18248 In ExtensionShelf, I'm using a WidgetWin as a container for the expanded or dragging version of a toolstrip. In the expanded view, clicking on the handle (part of the WidgetWin) causes the toolstrip to collapse and be hidden (via OnMouseReleased). If I destroy the WidgetWin during this time, I'll crash shortly afterwards. I'm able to work around the bug by hiding/destroying after a short delay. Here's a Purify dump of the errors: [E] FMR: Free memory read in views::WidgetWin::IsMsgHandled(void)const {1 occurrence} Reading 4 bytes from 0x16512580 (4 bytes at 0x16512580 illegal) Address 0x16512580 is 16 bytes into a 100 byte block at 0x16512570 Address 0x16512580 points to a C++ new block in heap 0x005e0000 Thread ID: 0x21c58 Error location views::WidgetWin::IsMsgHandled(void)const [e:\git\src\views\widget\widget_win.h:112] views::WidgetWin::_ProcessWindowMessage(HWND__ *,UINT,UINT,long,long&,DWORD) [e:\git\src\views\widget\widget_win.h:158] views::WidgetWin::ProcessWindowMessage(HWND__ *,UINT,UINT,long,long&,DWORD) [e:\git\src\views\widget\widget_win.h:112] views::WidgetWin::WndProc(HWND__ *,UINT,UINT,long) [e:\git\src\views\widget\widget_win.cc:1055] return result; // Otherwise we handle everything else. => if (!widget->ProcessWindowMessage(window, message, w_param, l_param, result)) result = DefWindowProc(window, message, w_param, l_param); if (message == WM_NCDESTROY) widget->OnFinalMessage(window); GetWindowLongW [C:\WINDOWS\system32\USER32.DLL] views::AcceleratorHandler::Dispatch(tagMSG const&) [e:\git\src\views\focus\accelerator_handler_win.cc:38] if (process_message) { TranslateMessage(&msg); => DispatchMessage(&msg); } return true; base::MessagePumpForUI::ProcessMessageHelper(tagMSG const&) [e:\git\src\base\message_pump_win.cc:357] base::MessagePumpForUI::ProcessPumpReplacementMessage(void) [e:\git\src\base\message_pump_win.cc:396] base::MessagePumpForUI::ProcessMessageHelper(tagMSG const&) [e:\git\src\base\message_pump_win.cc:352] base::MessagePumpForUI::ProcessNextWindowsMessage(void) [e:\git\src\base\message_pump_win.cc:336] base::MessagePumpForUI::DoRunLoop(void) [e:\git\src\base\message_pump_win.cc:205] base::MessagePumpWin::RunWithDispatcher(Delegate::MessagePump::base *,Dispatcher::MessagePumpWin::base *) [e:\git\src\base\message_pump_win.cc:52] MessageLoop::RunInternal(void) [e:\git\src\base\message_loop.cc:194] MessageLoop::RunHandler(void) [e:\git\src\base\message_loop.cc:181] MessageLoopForUI::Run(Dispatcher::MessagePumpWin::base *) [e:\git\src\base\message_loop.cc:599] ?A0xea436775::RunUIMessageLoop(BrowserProcess *) [e:\git\src\chrome\browser\browser_main.cc:196] BrowserMain(MainFunctionParams const&) [e:\git\src\chrome\browser\browser_main.cc:789] ChromeMain [e:\git\src\chrome\app\chrome_dll_main.cc:540] wWinMain [e:\git\src\chrome\app\chrome_exe_main.cc:102] _tmainCRTStartup [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c:324] Allocation location new(UINT) [f:\dd\vctools\crt_bld\self_x86\crt\src\new.cpp:57] BrowserBubble::InitPopup(void) [e:\git\src\chrome\browser\views\browser_bubble_win.cc:14] void BrowserBubble::InitPopup() { gfx::NativeWindow native_window = frame_->GetWindow()->GetNativeWindow(); => views::WidgetWin* pop = new views::WidgetWin(); pop->set_delete_on_destroy(false); pop->set_window_style(WS_POPUP); #if 0 BrowserBubble::BrowserBubble(View::views *,Widget::views *,Point::gfx const&) [e:\git\src\chrome\browser\views\browser_bubble.cc:22] ExtensionShelf::Toolstrip::GetHandle(void) [e:\git\src\chrome\browser\views\extensions\extension_shelf.cc:356] ExtensionShelf::Toolstrip::DoShowShelfHandle(void) [e:\git\src\chrome\browser\views\extensions\extension_shelf.cc:444] ExtensionShelf::Toolstrip::Expand(int,GURL const&) [e:\git\src\chrome\browser\views\extensions\extension_shelf.cc:469] ExtensionShelf::ToolstripChanged(_Vector_iterator<ToolstripItem::ExtensionShelfModel,allocator<ToolstripItem::ExtensionShel fModel>::std>::std) [e:\git\src\chrome\browser\views\extensions\extension_shelf.cc:703] ExtensionShelfModel::ExpandToolstrip(_Vector_iterator<ToolstripItem::ExtensionShelfModel,allocator<ToolstripItem::Extension ShelfModel>::std>::std,GURL const&,int) [e:\git\src\chrome\browser\extensions\extension_shelf_model.cc:134] ToolstripExpandFunction::RunImpl(void) [e:\git\src\chrome\browser\extensions\extension_toolstrip_api.cc:88] SyncExtensionFunction::Run(void) [e:\git\src\chrome\browser\extensions\extension_function.h:152] ExtensionFunctionDispatcher::HandleRequest(basic_string<char,char_traits<char>::std,allocator<char>::std>::std const&,basic_string<char,char_traits<char>::std,allocator<char>::std>::std const&,int,bool) [e:\git\src\chrome\browser\extensions\extension_function_dispatcher.cc:238] ExtensionHost::ProcessDOMUIMessage(basic_string<char,char_traits<char>::std,allocator<char>::std>::std const&,basic_string<char,char_traits<char>::std,allocator<char>::std>::std const&,int,bool) [e:\git\src\chrome\browser\extensions\extension_host.cc:254] RenderViewHost::OnExtensionRequest(basic_string<char,char_traits<char>::std,allocator<char>::std>::std const&,basic_string<char,char_traits<char>::std,allocator<char>::std>::std const&,int,bool) [e:\git\src\chrome\browser\renderer_host\render_view_host.cc:1590] ?dispatchtomet...@vrenderviewhost@@p...@aexabv?$basic_string@du?$char_tra...@d@std@@V? $alloca...@d@2@@std@@0...@zv23@v...@h_n@@YAXPAVRenderViewHost@@p...@aexabv?$basic_string@du?$char_tra...@d@std@@V? $alloca...@d@2@@std@@1...@zabu?$tuple4@v?$basic_str...@du?$char_traits@d...@std@@v?$alloca...@d@2@@std@@v...@h_n@@@Z [e:\git\src\base\tuple.h:441] ?dispa...@vrenderviewhost@@p...@aexabv?$basic_string@du?$char_tra...@d@std@@v?$alloca...@d@2@@std@@0...@z@? $messagewithtu...@u?$tuple4@v?$basic_str...@du?$char_traits@d...@std@@V? $alloca...@d@2@@std@@v...@h_n@@@IPC@@sa_npbvmess...@1@PAVRenderViewHost@@p...@aexabv?$basic_string@du?$char_tra...@d@std@@V? $alloca...@d@2@@std@@2...@z@Z [e:\git\src\ipc\ipc_message_utils.h:944] RenderViewHost::OnMessageReceived(Message::IPC const&) [e:\git\src\chrome\browser\renderer_host\render_view_host.cc:812] BrowserRenderProcessHost::OnMessageReceived(Message::IPC const&) [e:\git\src\chrome\browser\renderer_host\browser_render_process_host.cc:778] IPC::ChannelProxy::Context::OnDispatchMessage(Message::IPC const&) [e:\git\src\ipc\ipc_channel_proxy.cc:204] ? dispatchtomet...@vcontext@channelpr...@ipc@@p8...@aexabvmessage@3@@ZV43@@@yaxpavcont...@channelproxy@IPC@@p8...@aexabvmessa g...@2@@zabu?$tup...@vmessage@IPC@@@@@Z [e:\git\src\base\tuple.h:422] RunnableMethod<class IPC::ChannelProxy::Context,void ( IPC::ChannelProxy::Context::*)(class IPC::Message const &),struct Tuple1<class IPC::Message> >::Run(void) [e:\git\src\base\task.h:307] MessageLoop::RunTask(Task *) [e:\git\src\base\message_loop.cc:314] MessageLoop::DeferOrRunPendingTask(PendingTask::MessageLoop const&) [e:\git\src\base\message_loop.cc:322] MessageLoop::DoWork(void) [e:\git\src\base\message_loop.cc:429] base::MessagePumpForUI::DoRunLoop(void) [e:\git\src\base\message_pump_win.cc:209] base::MessagePumpWin::RunWithDispatcher(Delegate::MessagePump::base *,Dispatcher::MessagePumpWin::base *) [e:\git\src\base\message_pump_win.cc:52] MessageLoop::RunInternal(void) [e:\git\src\base\message_loop.cc:194] MessageLoop::RunHandler(void) [e:\git\src\base\message_loop.cc:181] MessageLoopForUI::Run(Dispatcher::MessagePumpWin::base *) [e:\git\src\base\message_loop.cc:599] ?A0xea436775::RunUIMessageLoop(BrowserProcess *) [e:\git\src\chrome\browser\browser_main.cc:196] BrowserMain(MainFunctionParams const&) [e:\git\src\chrome\browser\browser_main.cc:789] Free location delete(void *) [f:\dd\vctools\crt_bld\self_x86\crt\src\delete.cpp:23] views::WidgetWin::`vector deleting destructor'(UINT) [E:\GIT\SRC\CHROME\RELEASE\CHROME.DLL] scoped_ptr<Widget::views>::~scoped_ptr<Widget::views>(void) [e:\git\src\base\scoped_ptr.h:72] BrowserBubble::~BrowserBubble(void) [e:\git\src\chrome\browser\views\browser_bubble.cc:34] BrowserBubble::`scalar deleting destructor'(UINT) [E:\GIT\SRC\CHROME\RELEASE\CHROME.DLL] scoped_ptr<BrowserBubble>::reset(BrowserBubble *) [e:\git\src\base\scoped_ptr.h:81] ExtensionShelf::Toolstrip::DoHideShelfHandle(void) [e:\git\src\chrome\browser\views\extensions\extension_shelf.cc:457] ExtensionShelf::Toolstrip::Collapse(GURL const&) [e:\git\src\chrome\browser\views\extensions\extension_shelf.cc:512] ExtensionShelf::ToolstripChanged(_Vector_iterator<ToolstripItem::ExtensionShelfModel,allocator<ToolstripItem::ExtensionShel fModel>::std>::std) [e:\git\src\chrome\browser\views\extensions\extension_shelf.cc:706] ExtensionShelfModel::CollapseToolstrip(_Vector_iterator<ToolstripItem::ExtensionShelfModel,allocator<ToolstripItem::Extensi onShelfModel>::std>::std,GURL const&) [e:\git\src\chrome\browser\extensions\extension_shelf_model.cc:144] ExtensionShelf::CollapseToolstrip(ExtensionHost *,GURL const&) [e:\git\src\chrome\browser\views\extensions\extension_shelf.cc:767] ExtensionShelf::Toolstrip::OnMouseReleased(MouseEvent::views const&,bool) [e:\git\src\chrome\browser\views\extensions\extension_shelf.cc:345] views::View::ProcessMouseReleased(MouseEvent::views const&,bool) [e:\git\src\views\view.cc:503] views::RootView::OnMouseReleased(MouseEvent::views const&,bool) [e:\git\src\views\widget\root_view.cc:453] views::WidgetWin::ProcessMouseReleased(CPoint::WTL const&,UINT) [e:\git\src\views\widget\widget_win.cc:841] views::WidgetWin::OnLButtonUp(UINT,CPoint::WTL const&) [e:\git\src\views\widget\widget_win.cc:611] views::WidgetWin::_ProcessWindowMessage(HWND__ *,UINT,UINT,long,long&,DWORD) [e:\git\src\views\widget\widget_win.h:158] views::WidgetWin::ProcessWindowMessage(HWND__ *,UINT,UINT,long,long&,DWORD) [e:\git\src\views\widget\widget_win.h:112] views::WidgetWin::WndProc(HWND__ *,UINT,UINT,long) [e:\git\src\views\widget\widget_win.cc:1055] GetWindowLongW [C:\WINDOWS\system32\USER32.DLL] views::AcceleratorHandler::Dispatch(tagMSG const&) [e:\git\src\views\focus\accelerator_handler_win.cc:38] base::MessagePumpForUI::ProcessMessageHelper(tagMSG const&) [e:\git\src\base\message_pump_win.cc:357] base::MessagePumpForUI::ProcessPumpReplacementMessage(void) [e:\git\src\base\message_pump_win.cc:396] base::MessagePumpForUI::ProcessMessageHelper(tagMSG const&) [e:\git\src\base\message_pump_win.cc:352] base::MessagePumpForUI::ProcessNextWindowsMessage(void) [e:\git\src\base\message_pump_win.cc:336] base::MessagePumpForUI::DoRunLoop(void) [e:\git\src\base\message_pump_win.cc:205] base::MessagePumpWin::RunWithDispatcher(Delegate::MessagePump::base *,Dispatcher::MessagePumpWin::base *) [e:\git\src\base\message_pump_win.cc:52] MessageLoop::RunInternal(void) [e:\git\src\base\message_loop.cc:194] MessageLoop::RunHandler(void) [e:\git\src\base\message_loop.cc:181] MessageLoopForUI::Run(Dispatcher::MessagePumpWin::base *) [e:\git\src\base\message_loop.cc:599] -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings --~--~---------~--~----~------------~-------~--~----~ Automated mail from issue updates at http://crbug.com/ Subscription options: http://groups.google.com/group/chromium-bugs -~----------~----~----~----~------~----~------~--~---
