Crash Report

[robhull]

IMPORTANT: Your crash has already been automatically reported to our crash system. Please file this bug only if you can provide more information about it.

Brave Version: 1.75.180 Chromium: 133.0.6943.126
Operating System: Windows NT 10.0.22631

URL (if applicable) where crash occurred: https://playscrabble.com/

Can you reproduce this crash? No. Brave has just started crashing randomly over the past few days. It just quits, no message or anything, just suddenly closes. Brave has been very stable for years for me, with approx the same extensions installed and lots of tabs open. I haven't changed anything recently apart from the usual Brave upgrades.

What steps will reproduce this crash? (If it's not reproducible, what were you doing just before the crash?)

1. This crash, I was playing scrabble, other crashes different things including a video call

DO NOT CHANGE BELOW THIS LINE
Crash ID: crash/5bc81700-b339-6c0d-0000-000000000000

[robhull]

I uploaded two other crash reports, one from earlier today 53c81700-b339-6c0d-0000-000000000000 and one from yesterday 23d21700-b339-6c0d-0000-000000000000. Before these three crashes, my last crash was 3 months ago.

[bsclifton]

Thanks for reporting, @robhull!

Seems to be related to drag and drop- will need to dig in more.

Both crashes in your last post seem to have the same call stack. Employees can see this with the following link:
https://brave.sp.backtrace.io/p/brave/debug?filters=JTVCJTVCJTIyX2RlbGV0ZWQlMjIlMkMlMjJlcXVhbCUyMiUyQyUyMjAlMjIlNUQlMkMlNUIlMjJfcnhpZCUyMiUyQyUyMmVxdWFsJTIyJTJDJTIyNTNjODE3MDAtYjMzOS02YzBkLTAwMDAtMDAwMDAwMDAwMDAwJTIyJTVEJTVE&fingerprint=11c9240d3e846066cae956d57dd97d9eee64501ed9251cdab16563fc9c8f13a2&debug=(a43abe0,0,0)

[ 00 ] ui::clipboard_util::GetPlainText(IDataObject *,std::__Cr::basic_string<char16_t,std::__Cr::char_traits<char16_t>,std::__Cr::allocator<char16_t> > *) ( clipboard_util_win.cc:741 )
[ 01 ] ui::OSExchangeDataProviderWin::GetString() ( os_exchange_data_provider_win.cc:581 )
[ 02 ] ui::OSExchangeData::GetString() ( os_exchange_data.cc:73 )
[ 03 ] content::WebContentsViewAura::PrepareDropData(content::DropData *,ui::OSExchangeData const &) ( web_contents_view_aura.cc:712 )
[ 04 ] content::WebContentsViewAura::OnDragEntered(ui::DropTargetEvent const &) ( web_contents_view_aura.cc:1422 )
[ 05 ] views::DesktopDropTargetWin::Translate(IDataObject *,unsigned long,tagPOINT,unsigned long,std::__Cr::unique_ptr<ui::OSExchangeData,std::__Cr::default_delete<ui::OSExchangeData> > *,std::__Cr::unique_ptr<ui::DropTargetEvent,std::__Cr::default_delete<ui::DropTargetEvent> > *,aura::client::DragDropDelegate * *) ( desktop_drop_target_win.cc:159 )
[ 06 ] views::DesktopDropTargetWin::OnDragEnter(IDataObject *,unsigned long,tagPOINT,unsigned long) ( desktop_drop_target_win.cc:71 )
[ 07 ] ui::DropTargetWin::DragEnter(IDataObject *,unsigned long,_POINTL,unsigned long *) ( drop_target_win.cc:53 )
[ 08 ] 0x7ff977bb9227
[ 09 ] 0x7ff977b89eb8
[ 10 ] 0x7ff977bb8ee9
[ 11 ] 0x7ff977bb8f30
[ 12 ] 0x7ff96b5b0000
[ 13 ] InitOnceBeginInitialize
[ 14 ] 0x40100
[ 15 ] 0x7ff977c19e8b
[ 16 ] blink::ScriptState::ForRelevantRealm(v8::Isolate *,v8::Local<v8::Object>) ( script_state.h:154 )
[ 17 ] blink::`anonymous namespace'::v8_readable_stream_byob_reader::ReleaseLockOperationCallback(v8::FunctionCallbackInfo<v8::Value> const &) ( v8_readable_stream_byob_reader.cc:238 )
[ 18 ] 0x22f4e721168
[ 19 ] 0x7ff977bb80c5
[ 20 ] blink::ScriptState::ForRelevantRealm(v8::Isolate *,v8::Local<v8::Object>) ( script_state.h:154 )
[ 21 ] blink::`anonymous namespace'::v8_readable_stream_byob_reader::ReleaseLockOperationCallback(v8::FunctionCallbackInfo<v8::Value> const &) ( v8_readable_stream_byob_reader.cc:238 )
[ 22 ] 0x7ff977c67738
[ 23 ] 0x7ff977c67778
[ 24 ] 0x7ff977c794f0
[ 25 ] base::MessagePumpForUI::HandleNestedNativeLoopWithApplicationTasks(bool) ( message_pump_win.cc:185 )
[ 26 ] 0x3d1c30a4f100
[ 27 ] views::DesktopDragDropClientWin::StartDragAndDrop(std::__Cr::unique_ptr<ui::OSExchangeData,std::__Cr::default_delete<ui::OSExchangeData> >,aura::Window *,aura::Window *,gfx::Point const &,int,ui::mojom::DragEventSource) ( desktop_drag_drop_client_win.cc:98 )
[ 28 ] content::WebContentsViewAura::StartDragging(content::DropData const &,url::Origin const &,blink::DragOperationsMask,gfx::ImageSkia const &,gfx::Vector2d const &,gfx::Rect const &,blink::mojom::DragEventSourceInfo const &,content::RenderWidgetHostImpl *) ( web_contents_view_aura.cc:1167 )
[ 29 ] content::RenderWidgetHostImpl::StartDragging(mojo::StructPtr<blink::mojom::DragData>,url::Origin const &,blink::DragOperationsMask,SkBitmap const &,gfx::Vector2d const &,gfx::Rect const &,mojo::StructPtr<blink::mojom::DragEventSourceInfo>) ( render_widget_host_impl.cc:2816 )
[ 30 ] content::RenderFrameHostImpl::StartDragging(mojo::StructPtr<blink::mojom::DragData>,blink::DragOperationsMask,SkBitmap const &,gfx::Vector2d const &,gfx::Rect const &,mojo::StructPtr<blink::mojom::DragEventSourceInfo>) ( render_frame_host_impl.cc:10296 )
[ 31 ] mojo::Message::mutable_payload() ( message.h:222 )
[ 32 ] blink::mojom::LocalFrameHostStubDispatch::Accept(blink::mojom::LocalFrameHost *,mojo::Message *) ( frame.mojom.cc:9954 )
[ 33 ] mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message *) ( interface_endpoint_client.cc:1051 )
[ 34 ] mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message *) ( interface_endpoint_client.cc:371 )
[ 35 ] mojo::MessageDispatcher::Accept(mojo::Message *) ( message_dispatcher.cc:53 )
[ 36 ] mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message *) ( interface_endpoint_client.cc:724 )
[ 37 ] base::internal::DecayedFunctorTraits<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>::Invoke((mojo::Message,IPC::`anonymous namespace'::ScopedUrgentMessageNotification),scoped_refptr<IPC::ChannelAssociatedGroupController> &&,mojo::Message &&,IPC::`anonymous namespace'::ScopedUrgentMessageNotification &&) ( bind_internal.h:729 )
[ 38 ] base::internal::InvokeHelper<0,base::internal::FunctorTraits<void (IPC::ChannelAssociatedGroupController::*&&)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>,void,0,1,2>::MakeItSo((mojo::Message,IPC::`anonymous namespace'::ScopedUrgentMessageNotification) &&,std::__Cr::tuple<scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification> &&) ( bind_internal.h:921 )
[ 39 ] base::internal::Invoker<base::internal::FunctorTraits<void (IPC::ChannelAssociatedGroupController::*&&)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>,base::internal::BindState<1,1,0,void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification>,void ()>::RunImpl((mojo::Message,IPC::`anonymous namespace'::ScopedUrgentMessageNotification) &&,std::__Cr::tuple<scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification> &&,std::__Cr::integer_sequence<unsigned long long,0,1,2>) ( bind_internal.h:1058 )
[ 40 ] base::internal::Invoker<base::internal::FunctorTraits<void (IPC::ChannelAssociatedGroupController::*&&)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>,base::internal::BindState<1,1,0,void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification),scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification>,void ()>::RunOnce(base::internal::BindStateBase *) ( bind_internal.h:971 )
[ 41 ] base::OnceCallback<void ()>::Run() ( callback.h:156 )
[ 42 ] base::TaskAnnotator::RunTaskImpl(base::PendingTask &) ( task_annotator.cc:210 )
[ 43 ] base::TaskAnnotator::RunTask(perfetto::StaticString,base::PendingTask &,base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl::<lambda_4> &&) ( task_annotator.h:106 )
[ 44 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow *) ( thread_controller_with_message_pump_impl.cc:472 )
[ 45 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() ( thread_controller_with_message_pump_impl.cc:332 )
[ 46 ] base::MessagePumpForUI::DoRunLoop() ( message_pump_win.cc:265 )
[ 47 ] base::MessagePumpWin::Run(base::MessagePump::Delegate *) ( message_pump_win.cc:89 )
[ 48 ] base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool,base::TimeDelta) ( thread_controller_with_message_pump_impl.cc:648 )
[ 49 ] base::RunLoop::Run(base::Location const &) ( run_loop.cc:136 )
[ 50 ] content::BrowserMainLoop::RunMainMessageLoop() ( browser_main_loop.cc:1094 )
[ 51 ] content::BrowserMainRunnerImpl::Run() ( browser_main_runner_impl.cc:156 )
[ 52 ] content::BrowserMain(content::MainFunctionParams) ( browser_main.cc:34 )
[ 53 ] RunBrowserProcessMain(content::MainFunctionParams,content::ContentMainDelegate *) ( content_main_runner_impl.cc:714 )
[ 54 ] content::ContentMainRunnerImpl::RunBrowser(content::MainFunctionParams,bool) ( content_main_runner_impl.cc:1292 )
[ 55 ] content::ContentMainRunnerImpl::Run() ( content_main_runner_impl.cc:1144 )
[ 56 ] RunContentProcess(content::ContentMainParams,content::ContentMainRunner *) ( content_main.cc:348 )
[ 57 ] content::ContentMain(content::ContentMainParams) ( content_main.cc:361 )
[ 58 ] ChromeMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,__int64,__int64,__int64) ( chrome_main.cc:224 )
[ 59 ] MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks) ( main_dll_loader_win.cc:201 )
[ 60 ] wWinMain(HINSTANCE__ *,HINSTANCE__ *,wchar_t *,int) ( chrome_exe_main_win.cc:352 )
[ 61 ] invoke_main() ( exe_common.inl:118 )
[ 62 ] __scrt_common_main_seh() ( exe_common.inl:288 )
[ 63 ] BaseThreadInitThunk
[ 64 ] RtlUserThreadStart
[ 65 ] UnhandledExceptionFilter

[bsclifton]

cc: @iefremov @atuchin-m

[atuchin-m]

I see 126 crashes during last 90 days (it's not so bad). The crash is likely to be trigged by drag-and-drop.
https://share.backtrace.io/api/share/jfJnMbCBuRoKQwfwIx1Z5L1

It's probably an upstream issue started with cr133.

Also there are few hangs with the same callstack: https://share.backtrace.io/api/share/TMTx2SlKVjRWV6afyYe6EV2

[atuchin-m]

There is a recent upstream fix: https://chromium-review.googlesource.com/c/chromium/src/+/6190427
The issue is restricted, no extra info, no cherry-pick of cr134.

@iefremov Do you think it make sense to cherry-pick it before upstream? (just the one line fix, not the test)

[robhull]

Seems to be related to drag and drop- will need to dig in more.

Confirmed. I just tried to drag an image from a browser window to a folder on my desktop and it crashed again.

[iefremov]

given the amount of crashes i'd say we just wait for the upstream to fix

[bsclifton]

I don't have visibility to issue; it's restricted as @atuchin-m shared. But I asked in the CL if they can create a merge request for M134. We can assign this issue to the appropriate milestone (ex: if fixed in 134 we can tie to 1.76, fixed in 135 assign to 1.77, etc)

[rebron]

@iefremov @atuchin-m Same issue causing -> #44312

[atuchin-m]

@rebron
It's not clear to me why the crash you mentioned has the same reason.
I see other things in the call stack (like GetSystemMetricsForDpi).

Anyway if you feel that we should backport the fix, let's do it.