Crash in BraveShieldsDataController::HandleItemBlocked

[stephendonner]

Description

Crash in BraveShieldsDataController::HandleItemBlocked

Steps to Reproduce

1. install 1.39.22
2. launch Brave
3. open cnn.com in window a
4. disable Shields for this site
5. open youtube.com in window b (leave Shields on, defaults)
6. play a video in window b
7. back on the cnn.com window a, toggle Shields ON / OFF (might need to repeat a few times)

Actual result:

We crash, in:

[ 00 ] brave_shields::BraveShieldsDataController::HandleItemBlocked(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
[ 01 ] brave_shields::BraveShieldsWebContentsObserver::DispatchBlockedEventForWebContents(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::WebContents*)
[ 02 ] brave_shields::BraveShieldsWebContentsObserver::DispatchBlockedEvent(GURL const&, int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
[ 03 ] brave::OnShouldBlockRequestResult(bool, scoped_refptr<base::SequencedTaskRunner>, base::RepeatingCallback<void ()> const&, std::__1::shared_ptr<brave::BraveRequestInfo>, brave::EngineFlags)
[ 04 ] void base::internal::ReplyAdapter<brave::EngineFlags, brave::EngineFlags>(base::OnceCallback<void (brave::EngineFlags)>, std::__1::unique_ptr<brave::EngineFlags, std::__1::default_delete<brave::EngineFlags> >*)
[ 05 ] base::internal::Invoker<base::internal::BindState<void (*)(base::OnceCallback<std::__1::unique_ptr<net::SerialWorker::WorkItem, std::__1::default_delete<net::SerialWorker::WorkItem> > ()>, std::__1::unique_ptr<std::__1::unique_ptr<net::SerialWorker::WorkItem, std::__1::default_delete<net::SerialWorker::WorkItem> >, std::__1::default_delete<std::__1::unique_ptr<net::SerialWorker::WorkItem, std::__1::default_delete<net::SerialWorker::WorkItem> > > >*), base::OnceCallback<std::__1::unique_ptr<net::SerialWorker::WorkItem, std::__1::default_delete<net::SerialWorker::WorkItem> > ()>, base::internal::UnretainedWrapper<std::__1::unique_ptr<std::__1::unique_ptr<net::SerialWorker::WorkItem, std::__1::default_delete<net::SerialWorker::WorkItem> >, std::__1::default_delete<std::__1::unique_ptr<net::SerialWorker::WorkItem, std::__1::default_delete<net::SerialWorker::WorkItem> > > > > >, void ()>::RunOnce(base::internal::BindStateBase*)
[ 06 ] base::internal::Invoker<base::internal::BindState<content::RenderFrameHostImpl::RunBeforeUnloadConfirm(bool, base::OnceCallback<void (bool)>)::$_10, base::OnceCallback<void (bool)> >, void (bool, std::__1::basic_string<char16_t, std::__1::char_traits<char16_t>, std::__1::allocator<char16_t> > const&)>::RunOnce(base::internal::BindStateBase*, bool, std::__1::basic_string<char16_t, std::__1::char_traits<char16_t>, std::__1::allocator<char16_t> > const&)
[ 07 ] base::internal::Invoker<base::internal::BindState<void (*)(base::(anonymous namespace)::PostTaskAndReplyRelay), base::(anonymous namespace)::PostTaskAndReplyRelay>, void ()>::RunOnce(base::internal::BindStateBase*)
[ 08 ] <name omitted>
[ 09 ] non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork()
[ 10 ] invocation function for block in base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
[ 11 ] base::mac::CallWithEHFrame(void () block_pointer)
[ 12 ] base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
[ 13 ] 0x7ff8182daaeb
[ 14 ] 0x7ff8182daa53
[ 15 ] 0x7ff8182da7cd
[ 16 ] 0x7ff8182d91e8
[ 17 ] 0x7ff8182d87ac
[ 18 ] 0x7ff820f5fce6
[ 19 ] 0x7ff820f5fa4a
[ 20 ] 0x7ff820f5f7e5
[ 21 ] 0x7ff81acff5cd
[ 22 ] 0x7ff81acfdc8a
[ 23 ] __71-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke
[ 24 ] base::mac::CallWithEHFrame(void () block_pointer)
[ 25 ] -[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
[ 26 ] 0x7ff81acf0339
[ 27 ] base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
[ 28 ] base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
[ 29 ] <name omitted>
[ 30 ] <name omitted>
[ 31 ] <name omitted>
[ 32 ] content::BrowserMain(content::MainFunctionParams)
[ 33 ] <name omitted>
[ 34 ] content::ContentMain(content::ContentMainParams)
[ 35 ] ChromeMain
[ 36 ] main
[ 37 ] 0x11b57d51e
[ 38 ] 0x11b57d583
[ 39 ] 0x11b57d5dd
[ 40 ] 0x11b57d567
[ 41 ] 0x11b57d575

Expected result:

Reproduces how often:

100%, given time

Brave version (brave://version info)

Brave	1.39.22 Chromium: 100.0.4896.60 (Official Build) nightly (x86_64)
Revision	6a5d10861ce8de5fce22564658033b43cb7de047-refs/branch-heads/4896@{#875}
OS	macOS Version 12.3 (Build 21E230)

cc @rebron @nullhook @Tonev @MadhaviSeelam

[iefremov]

cc @nullhook

[nullhook]

can't seem to reproduce this

[stephendonner]

Can't reproduce this as written, using

Brave	1.39.39 Chromium: 100.0.4896.79 (Official Build) nightly (x86_64)
Revision	8fb749dcab8700c24213791969e59deb72fee36f-refs/branch-heads/4896@{#1015}
OS	macOS Version 11.6.5 (Build 20G527)

[boocmp]

Member

To reproduce you should play video at lease 30 sec (or just wait)

[simonhong]

I suspect this crash also comes from same cause of #22224

[nullhook]

yes, they all seem related to the iteration of observer list. I'd like to know if this only happens when there's more than one window open?

[simonhong]

@nullhook I think so because chrome::FindLastActiveWithProfile() can give different Browser instance in multiple windows environment.

[kjozwiak]

Above requires 1.38.102 or higher for 1.38.x verification.