Chromium Embedded Framework Forum

[codelimit]

Good day, Sirs!

I use
CEF Version: 84.3.8+gc8a556f+chromium-84.0.4147.105
Chromium Version: 84.0.4147.105

I have following case:
0. url is loaded ( with text input field active )
1. I do myBrowser->GetHost()->CloseBrowser(true);
2. I do several CefDoMessageLoopWork()
3. myCefLifeSpanHandler::DoClose() is triggered
4. myCefLifeSpanHandler::OnBeforeClose() is triggered. At this moment I release myCefRenderHandler (i use windowless rendering). I assume that it wont be used anymore as browser is about to close.
5. I got CHECK(handler) failed at CefRenderWidgetHostViewOSR::OnUpdateTextInputStateCalled with following callstack:

Code: Select all

    libcef.dll!CefRenderWidgetHostViewOSR::OnUpdateTextInputStateCalled(content::TextInputManager * text_input_manager, content::RenderWidgetHostViewBase * updated_view, bool did_update_state) Line 1372   C++
    libcef.dll!content::TextInputManager::NotifyObserversAboutInputStateUpdate(content::RenderWidgetHostViewBase * updated_view, bool did_update_state) Line 315   C++
    libcef.dll!content::TextInputManager::Unregister(content::RenderWidgetHostViewBase * view) Line 277   C++
    libcef.dll!content::TextInputManager::~TextInputManager() Line 50   C++
    [Inline Frame] libcef.dll!std::__1::default_delete<content::TextInputManager>::operator()(content::TextInputManager * __ptr) Line 2378   C++
    libcef.dll!std::__1::unique_ptr<content::TextInputManager,std::__1::default_delete<content::TextInputManager>>::reset(content::TextInputManager * __p) Line 2633   C++
    [Inline Frame] libcef.dll!std::__1::unique_ptr<content::TextInputManager,std::__1::default_delete<content::TextInputManager>>::~unique_ptr() Line 2587   C++
    libcef.dll!content::WebContentsImpl::~WebContentsImpl() Line 759   C++
    libcef.dll!content::WebContentsImpl::~WebContentsImpl() Line 639   C++
    [Inline Frame] libcef.dll!std::__1::default_delete<content::WebContents>::operator()(content::WebContents * __ptr) Line 2378   C++
    [Inline Frame] libcef.dll!std::__1::unique_ptr<content::WebContents,std::__1::default_delete<content::WebContents>>::reset(content::WebContents * __p) Line 2633   C++
    libcef.dll!CefBrowserHostImpl::DestroyBrowser() Line 1652   C++
    libcef.dll!CefBrowserHostImpl::CloseContents(content::WebContents * source) Line 2236   C++
    libcef.dll!content::WebContentsImpl::Close(content::RenderViewHost * rvh) Line 5933   C++
    [Inline Frame] libcef.dll!content::RenderViewHostImpl::ClosePageIgnoringUnloadEvents() Line 790   C++
    libcef.dll!content::RenderViewHostImpl::OnPageClosed() Line 961   C++
    [Inline Frame] libcef.dll!base::OnceCallback<void ()>::Run() Line 99   C++
    libcef.dll!content::mojom::FontCacheWin_PreCacheFont_ForwardToCallback::Accept(mojo::Message * message) Line 278   C++
    libcef.dll!mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message * message) Line 549   C++
    libcef.dll!IPC::`anonymous namespace'::ChannelAssociatedGroupController::AcceptOnProxyThread(mojo::Message message) Line 935   C++
    libcef.dll!base::internal::FunctorTraits<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message) __attribute__((thiscall)),void>::Invoke<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message) __attribute__((thiscall)),scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,mojo::Message>(void(IPC::`anonymous namespace'::ChannelAssociatedGroupController::*)(mojo::Message) method, scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> && receiver_ptr, mojo::Message && args) Line 497   C++
    [Inline Frame] libcef.dll!base::internal::InvokeHelper<0,void>::MakeItSo(void(IPC::`anonymous namespace'::ChannelAssociatedGroupController::*)(mojo::Message) && functor, scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> && args, mojo::Message && args) Line 636   C++
    [Inline Frame] libcef.dll!base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message) __attribute__((thiscall)),scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,mojo::Message>,void ()>::RunImpl(void(IPC::`anonymous namespace'::ChannelAssociatedGroupController::*)(mojo::Message) && functor, std::__1::tuple<scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,mojo::Message> && bound, std::__1::integer_sequence<unsigned int,0,1>) Line 709   C++
    libcef.dll!base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message) __attribute__((thiscall)),scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,mojo::Message>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 678   C++
    [Inline Frame] libcef.dll!base::OnceCallback<void ()>::Run() Line 99   C++
    libcef.dll!base::TaskAnnotator::RunTask(const char * trace_event_name, base::PendingTask * pending_task) Line 142   C++
    libcef.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::sequence_manager::LazyNow * continuation_lazy_now) Line 330   C++
    libcef.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() Line 256   C++
    libcef.dll!base::MessagePumpForUI::DoRunLoop() Line 228   C++
    libcef.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 88   C++
    libcef.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool application_tasks_allowed, base::TimeDelta timeout) Line 451   C++
    libcef.dll!base::RunLoop::Run() Line 126   C++
    libcef.dll!CefDoMessageLoopWork() Line 370   C++


6. I understand why it fails. RenderHandler has been already null-ed.

So the question is: Is this situation valid? How can I understand when to free RenderHandler pointer?

I can not reproduce this case in cefclient with windowless rendering enabled.

Any help would be appreciated!

[magreenblatt]

Does the crash reproduce with cefclient, or when using CefRunMessageLoop or CefSettings.multi_threaded_message_loop ?

[codelimit]

I am unable to reproduce the problem in cefclient because ClientHandlerOsr is CefRenderHandler at the same time. Suppose we have following hierarchy

Code: Select all

class MyRenderHandler : public CefRenderHandler
{
    /// RenderHandler methods overrides here
...
    /// Some private stuff here
};

class MyClientHandler : public CefClient
{
public:
    void Init() { renderHandler = new MyRenderHandler; }
    void Shutdown() { renderHandler = nullptr; }

private:
    /// CefClient methods overrides here
     CefRefPtr<CefRenderHandler> GetRenderHandler() override
     {
         return renderHandler;
     }

private:
     CefRefPtr<MyRenderHandler> renderHandler;
};

But it is possible to reproduce the flow

1. Launch cefclient debug session with --off-screen-rendering-enabled ---external-message-pump keys.
2. Goto https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Login in browser window
3. Set a breakpoint at ClientHandlerOsr::OnBeforeClose (Line: 38 File: client_handler_osr.cc)
4. Close cefclient window Alt+F4
5. p3 breakpoint will hit.
6. At this time set a breakpoint at ClientHandlerOsr::GetRenderHandler() (Line: 86 File: client_handler_osr.h) and press continue debugging.
7. p6 breakpoint will hit with the same callstack as I provided before. This means that even after OnBeforeClose we must have RenderHandler in valid state?

When is a correct time to free RenderHandler? I can't find something like OnAfterClose() method..

[magreenblatt]

As a workaround I suggest not freeing the RenderHandler until the CefClient is deleted. Please also file a bug for this, since there should be no handler callbacks after OnBeforeClose.

[codelimit]

Thanks a lot for your help!

Please check if I did it in a correct way (did it first time) and if it is enough information.
https://bitbucket.org/chromiumembedded/ ... ears-after

[magreenblatt]

The issue looks good, thanks.