Crash when loading/reloading Google Docs/Sheets (and other sites like Reddit)

[stephendonner]

Description

Crash when loading/reloading Google Docs/Sheets (and other sites like Reddit)

Steps to Reproduce

1. install 1.42.26
2. launch Brave
3. load any large (try our Brave-internal) Google Docs/Sheet in a window
4. open a new window/tab
5. reload the tabs
6. repeat until you crash

Actual result:

Crash report: https://share.backtrace.io/api/share/W1SFx1D3F9yq6E22bIqMwf0

Callstack (missing symbolic info?):

[ 00 ] 0x1079eee4c
[ 01 ] 0x10c81f4a9
[ 02 ] 0x10c82ea7d
[ 03 ] 0x109058b2c
[ 04 ] 0x1087bca61
[ 05 ] 0x1086bb337
[ 06 ] 0x1085767aa
[ 07 ] 0x108142eae
[ 08 ] 0x108142ba4
[ 09 ] 0x10814254b
[ 10 ] 0x108acdacc
[ 11 ] 0x10894553a
[ 12 ] 0x108944ed6
[ 13 ] 0x109e544dc
[ 14 ] 0x1091ab26d
[ 15 ] 0x109e50ed4
[ 16 ] 0x109066562
[ 17 ] 0x1078dbd6c
[ 18 ] 0x1077cb8bd
[ 19 ] 0x109cc45c6
[ 20 ] 0x109c85cdf
[ 21 ] 0x1077331c4
[ 22 ] 0x107780c0e
[ 23 ] 0x10cf63fea
[ 24 ] 0x10773768a
[ 25 ] 0x109c78a2f
[ 26 ] 0x7fff20a04cec
[ 27 ] 0x7fff20a04c54
[ 28 ] 0x7fff20a049d4
[ 29 ] 0x7fff20a033fc
[ 30 ] 0x7fff20a029bc
[ 31 ] 0x7fff21794617
[ 32 ] 0x108f6be9e
[ 33 ] 0x108f6bd94
[ 34 ] 0x1085a658a
[ 35 ] 0x1085a5c6e
[ 36 ] 0x108b622cc
[ 37 ] 0x1088236c9
[ 38 ] 0x108b2ecdc
[ 39 ] 0x107720f97
[ 40 ] 0x1002bf426
[ 41 ] 0x7fff20927f3d

Expected result:

No crash

Reproduces how often:

100%, given time

Brave version (brave://version info)

Brave	1.42.26 Chromium: 103.0.5060.53 (Official Build) nightly (x86_64)
Revision	a1711811edd74ff1cf2150f36ffa3b0dae40b17f-refs/branch-heads/5060@{#853}
OS	macOS Version 11.6.7 (Build 20G630)

Version/Channel Information:

• Can you reproduce this issue with the current release? No
• Can you reproduce this issue with the beta channel? No
• Can you reproduce this issue with the nightly channel? Yes

[stephendonner]

cc @darkdh not to implicate him (since I can't tell from the stack), but because he's awesome, and might have a good idea

[MadhaviSeelam]

++ reproduced the crash in Win 11 x64

[emerick]

My call stack on Windows 11 (Component build with latest master):

Received fatal exception EXCEPTION_ACCESS_VIOLATION
Backtrace:
        RtlTryAcquireSRWLockExclusive [0x00007FF836C6D260+0]
        base::SequenceCheckerImpl::CalledOnValidSequence [0x00007FFFC9FC873E+30] (C:\work\brave-browser\src\base\sequence_checker_impl.cc:91)
        base::internal::WeakReference::Flag::Invalidate [0x00007FFFC9F77F42+50] (C:\work\brave-browser\src\base\memory\weak_ptr.cc:28)
        base::internal::WeakReferenceOwner::Invalidate [0x00007FFFC9F784FA+90] (C:\work\brave-browser\src\base\memory\weak_ptr.cc:92)
        base::WeakPtrFactory<brave_wallet::JSSolanaProvider>::InvalidateWeakPtrs [0x00007FFF7FCE1D0A+92] (C:\work\brave-browser\src\base\memory\weak_ptr.h:370)
        brave_wallet::JSSolanaProvider::~JSSolanaProvider [0x00007FFF7FCE1C30+24] (C:\work\brave-browser\src\brave\components\brave_wallet\renderer\js_solana_provider.cc:58)
        std::__1::unique_ptr<brave_wallet::JSSolanaProvider,std::__1::default_delete<brave_wallet::JSSolanaProvider> >::reset [0x00007FFF7FCFAB6E+24] (C:\work\brave-browser\src\buildtools\third_party\libc++\trunk\include\__memory\unique_ptr.h:315)
        brave_wallet::BraveWalletRenderFrameObserver::~BraveWalletRenderFrameObserver [0x00007FFF7FCFA7AF+63] (C:\work\brave-browser\src\brave\renderer\brave_wallet\brave_wallet_render_frame_observer.cc:25)
        brave_wallet::BraveWalletRenderFrameObserver::~BraveWalletRenderFrameObserver [0x00007FFF7FCFABC0+16] (C:\work\brave-browser\src\brave\renderer\brave_wallet\brave_wallet_render_frame_observer.cc:25)
        content::RenderFrameImpl::~RenderFrameImpl [0x00007FFF7CF766E7+471] (C:\work\brave-browser\src\content\renderer\render_frame_impl.cc:1966)
        content::RenderFrameImpl::~RenderFrameImpl [0x00007FFF7CF91670+16] (C:\work\brave-browser\src\content\renderer\render_frame_impl.cc:1963)
        content::RenderFrameImpl::FrameDetached [0x00007FFF7CF82E9F+559] (C:\work\brave-browser\src\content\renderer\render_frame_impl.cc:3710)
        blink::LocalFrameClientImpl::Detached [0x00007FFF7137B7E4+148] (C:\work\brave-browser\src\third_party\blink\renderer\core\frame\local_frame_client_impl.cc:342)
        blink::Frame::Detach [0x00007FFF7128D3DC+684] (C:\work\brave-browser\src\third_party\blink\renderer\core\frame\frame.cc:160)
        blink::ChildFrameDisconnector::DisconnectCollectedFrameOwners [0x00007FFF70FB4977+167] (C:\work\brave-browser\src\third_party\blink\renderer\core\dom\child_frame_disconnector.cc:58)
        blink::ChildFrameDisconnector::Disconnect [0x00007FFF70FB4329+233] (C:\work\brave-browser\src\third_party\blink\renderer\core\dom\child_frame_disconnector.cc:32)
        blink::LocalFrame::DetachChildren [0x00007FFF712BE2EF+175] (C:\work\brave-browser\src\third_party\blink\renderer\core\frame\local_frame.cc:700)
        blink::FrameLoader::DetachDocument [0x00007FFF71C4BB55+181] (C:\work\brave-browser\src\third_party\blink\renderer\core\loader\frame_loader.cc:1247)
        blink::FrameLoader::CommitNavigation [0x00007FFF71C4B4D6+3414] (C:\work\brave-browser\src\third_party\blink\renderer\core\loader\frame_loader.cc:1091)
        blink::WebLocalFrameImpl::CommitNavigation [0x00007FFF7139FB1A+506] (C:\work\brave-browser\src\third_party\blink\renderer\core\frame\web_local_frame_impl.cc:2422)
        content::RenderFrameImpl::CommitNavigationWithParams [0x00007FFF7CF7DB65+1765] (C:\work\brave-browser\src\content\renderer\render_frame_impl.cc:2927)
        base::internal::FunctorTraits<void (content::RenderFrameImpl::*)(mojo::StructPtr<blink::mojom::CommonNavigationParams>, mojo::StructPtr<blink::mojom::CommitNavigationParams>, std::__1::unique_ptr<blink::PendingURLLoaderFactoryBundle,std::__1::default_dele [0x00007FFF7CF99542+514] (C:\work\brave-browser\src\base\bind_internal.h:541)
        base::internal::Invoker<base::internal::BindState<void (content::RenderFrameImpl::*)(mojo::StructPtr<blink::mojom::CommonNavigationParams>, mojo::StructPtr<blink::mojom::CommitNavigationParams>, std::__1::unique_ptr<blink::PendingURLLoaderFactoryBundle,st [0x00007FFF7CF9931B+219] (C:\work\brave-browser\src\base\bind_internal.h:751)
        base::OnceCallback<void (std::__1::unique_ptr<blink::WebNavigationParams,std::__1::default_delete<blink::WebNavigationParams> >)>::Run [0x00007FFF7CF7DF28+66] (C:\work\brave-browser\src\base\callback.h:144)
        content::RenderFrameImpl::CommitNavigation [0x00007FFF7CF7C8AA+3930] (C:\work\brave-browser\src\content\renderer\render_frame_impl.cc:2824)
        content::NavigationClient::CommitNavigation [0x00007FFF7CF726D4+692] (C:\work\brave-browser\src\content\renderer\navigation_client.cc:61)
        content::mojom::NavigationClientStubDispatch::AcceptWithResponder [0x00007FFF7BEC28A2+1826] (C:\work\brave-browser\src\out\Component\gen\content\common\navigation_client.mojom.cc:1335)
        content::mojom::NavigationClientStub<mojo::RawPtrImplRefTraits<content::mojom::NavigationClient> >::AcceptWithResponder [0x00007FFF7CF72DAA+58] (C:\work\brave-browser\src\out\Component\gen\content\common\navigation_client.mojom.h:191)
        mojo::InterfaceEndpointClient::HandleValidatedMessage [0x00007FFFC933D86A+906] (C:\work\brave-browser\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:884)
        mojo::MessageDispatcher::Accept [0x00007FFFC934497C+284] (C:\work\brave-browser\src\mojo\public\cpp\bindings\lib\message_dispatcher.cc:43)
        mojo::InterfaceEndpointClient::HandleIncomingMessage [0x00007FFFC933F212+98] (C:\work\brave-browser\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:664)
        IPC::`anonymous namespace'::ChannelAssociatedGroupController::AcceptOnEndpointThread [0x00007FFFB7C86051+417] (C:\work\brave-browser\src\ipc\ipc_mojo_bootstrap.cc:1010)
        base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message),scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,mojo::Message>,void ()>::RunOnce [0x00007FFFB7C83039+89] (C:\work\brave-browser\src\base\bind_internal.h:747)
        base::TaskAnnotator::RunTaskImpl [0x00007FFFC9FF9470+384] (C:\work\brave-browser\src\base\task\common\task_annotator.cc:135)
        base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl [0x00007FFFCA028CA5+1029] (C:\work\brave-browser\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:385)
        base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork [0x00007FFFCA028302+162] (C:\work\brave-browser\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:296)
        base::MessagePumpDefault::Run [0x00007FFFC9F78F3A+170] (C:\work\brave-browser\src\base\message_loop\message_pump_default.cc:41)
        base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run [0x00007FFFCA029D21+769] (C:\work\brave-browser\src\base\task\sequence_manager\thread_controller_with_message_pump_impl.cc:500)
        base::RunLoop::Run [0x00007FFFC9FBFAB2+658] (C:\work\brave-browser\src\base\run_loop.cc:143)
        content::RendererMain [0x00007FFF7CFB2D6F+1151] (C:\work\brave-browser\src\content\renderer\renderer_main.cc:298)
        content::RunOtherNamedProcessTypeMain [0x00007FFF7D19C6FF+750] (C:\work\brave-browser\src\content\app\content_main_runner_impl.cc:700)
        content::ContentMainRunnerImpl::Run [0x00007FFF7D19D37A+602] (C:\work\brave-browser\src\content\app\content_main_runner_impl.cc:1039)
        content::RunContentProcess [0x00007FFF7D19BCCC+1692] (C:\work\brave-browser\src\content\app\content_main.cc:407)
        content::ContentMain [0x00007FFF7D19BDE4+84] (C:\work\brave-browser\src\content\app\content_main.cc:435)
        ChromeMain [0x00007FFF7E061287+487] (C:\work\brave-browser\src\chrome\app\chrome_main.cc:177)
        MainDllLoader::Launch [0x00007FF6BA282862+358] (C:\work\brave-browser\src\chrome\app\main_dll_loader_win.cc:167)
        wWinMain [0x00007FF6BA281BE1+3010] (C:\work\brave-browser\src\chrome\app\chrome_exe_main_win.cc:385)
        __scrt_common_main_seh [0x00007FF6BA32F5E6+262] (D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288)
        BaseThreadInitThunk [0x00007FF8360954E0+16]
        RtlUserThreadStart [0x00007FF836C0485B+43]

[rebron]

cc: @iefremov

[stephendonner]

Verified PASSED using

Brave	1.42.49 Chromium: 103.0.5060.70 (Official Build) nightly (x86_64)
Revision	1543faf9f70e61c6f6e9c01ff20a2e3cf2ad55dc-refs/branch-heads/5060_53@{#4}
OS	macOS Version 11.6.7 (Build 20G630)

Followed my original steps to reproduce.

Confirmed no more crashes.

[kjozwiak]

The above will require 1.41.89 or higher for 1.41.x verification 👍

[kjozwiak]

Removing QA Pass-macOS as we should quickly double check that it's also fixed in 1.41.x as brave/brave-core#14000 was a massive uplift.

[srirambv]

Brave	1.41.89 Chromium: 103.0.5060.70 (Official Build) beta (64-bit)
Revision	1543faf9f70e61c6f6e9c01ff20a2e3cf2ad55dc-refs/branch-heads/5060_53@{#4}
OS	☑️ Linux	☑️ Windows 11 Version 21H2 (Build 22000.708)	☑️ macOS Version 12.0.1 (Build 21C52)
Verified steps from issue description Verified loading a GDoc (50 Mb file), scrolling and reloading multiple times doesn't crash the browser/webview Verified loading the file on both normal tabs and private tabs doesn't crash the browser/webview