Crash information
Raw stack dump
WARNING: Continuing a non-continuable exception
(2978.5e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00b5f130 ebx=0b746000 ecx=00000000 edx=00b5f278 esi=0b746000 edi=00b5f220
eip=116b5c90 esp=00b5f0b8 ebp=00b5f0d8 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
libcef!ui::Compositor::SetScaleAndSize+0xe:
116b5c90 f30f1089c4000000 movss xmm1,dword ptr [ecx+0C4h] ds:002b:000000c4=????????
0:000> k
# ChildEBP RetAddr
00 00b5f0d8 116b48a3 libcef!ui::Compositor::SetScaleAndSize+0xe [e:\cef\code\code_3626\chromium_git\chromium\src\ui\compositor\compositor.cc @ 360]
01 00b5f210 1289b9c0 libcef!aura::WindowTreeHost::OnHostResizedInPixels+0xef [e:\cef\code\code_3626\chromium_git\chromium\src\ui\aura\window_tree_host.cc @ 461]
02 00b5f25c 132e4429 libcef!views::DesktopWindowTreeHostWin::HandleClientSizeChanged+0x46 [e:\cef\code\code_3626\chromium_git\chromium\src\ui\views\widget\desktop_aura\desktop_window_tree_host_win.cc @ 874]
03 00b5f294 132e685a libcef!views::HWNDMessageHandler::ClientAreaSizeChanged+0x4f [e:\cef\code\code_3626\chromium_git\chromium\src\ui\views\win\hwnd_message_handler.cc @ 1364]
04 00b5f2a4 132e2885 libcef!views::HWNDMessageHandler::OnWindowPosChanged+0x1e [e:\cef\code\code_3626\chromium_git\chromium\src\ui\views\win\hwnd_message_handler.cc @ 2753]
05 00b5f2e0 132e1a9d libcef!views::HWNDMessageHandler::_ProcessWindowMessage+0xcd9 [e:\cef\code\code_3626\chromium_git\chromium\src\ui\views\win\hwnd_message_handler.h @ 428]
06 00b5f324 11a2b79f libcef!views::HWNDMessageHandler::OnWndProc+0x79 [e:\cef\code\code_3626\chromium_git\chromium\src\ui\views\win\hwnd_message_handler.cc @ 979]
07 00b5f344 11a2b32d libcef!gfx::WindowImpl::WndProc+0x53 [e:\cef\code\code_3626\chromium_git\chromium\src\ui\gfx\win\window_impl.cc @ 303]
08 00b5f384 7754eebb libcef!base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>+0x50 [e:\cef\code\code_3626\chromium_git\chromium\src\base\win\wrapped_window_proc.h @ 79]
09 00b5f3b0 77545e7a USER32!_InternalCallWinProc+0x2b
0a 00b5f494 77545a7a USER32!UserCallWinProcCheckWow+0x33a
0b 00b5f4f8 7754ce97 USER32!DispatchClientMessage+0xea
0c 00b5f538 77e84e7d USER32!__fnINLPWINDOWPOS+0x37
0d 00b5f588 75db124c ntdll!KiUserCallbackDispatcher+0x4d
0e 00b5f58c 132e1dcd win32u!NtUserSetWindowPos+0xc
0f 00b5f5e0 132e1a9d libcef!views::HWNDMessageHandler::_ProcessWindowMessage+0x221 [e:\cef\code\code_3626\chromium_git\chromium\src\ui\views\win\hwnd_message_handler.h @ 401]
10 00b5f624 11a2b79f libcef!views::HWNDMessageHandler::OnWndProc+0x79 [e:\cef\code\code_3626\chromium_git\chromium\src\ui\views\win\hwnd_message_handler.cc @ 979]
11 00b5f644 11a2b32d libcef!gfx::WindowImpl::WndProc+0x53 [e:\cef\code\code_3626\chromium_git\chromium\src\ui\gfx\win\window_impl.cc @ 303]
12 00b5f684 7754eebb libcef!base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>+0x50 [e:\cef\code\code_3626\chromium_git\chromium\src\base\win\wrapped_window_proc.h @ 79]
13 00b5f6b0 77545e7a USER32!_InternalCallWinProc+0x2b
14 00b5f794 77543bea USER32!UserCallWinProcCheckWow+0x33a
15 00b5f808 775439b0 USER32!DispatchMessageWorker+0x22a
16 00b5f814 1133bf30 USER32!DispatchMessageW+0x10
17 00b5f880 1133b97f libcef!base::MessagePumpForUI::ProcessMessageHelper+0x2e0 [e:\cef\code\code_3626\chromium_git\chromium\src\base\message_loop\message_pump_win.cc @ 380]
18 00b5f8bc 1133b4c1 libcef!base::MessagePumpForUI::DoRunLoop+0x4f [e:\cef\code\code_3626\chromium_git\chromium\src\base\message_loop\message_pump_win.cc @ 176]
19 00b5f8dc 11a0635f libcef!base::MessagePumpWin::Run+0x41 [e:\cef\code\code_3626\chromium_git\chromium\src\base\message_loop\message_pump_win.cc @ 55]
1a 00b5f8ec 11354e0e libcef!base::MessageLoopImpl::Run+0x1f [e:\cef\code\code_3626\chromium_git\chromium\src\base\message_loop\message_loop_impl.cc @ 302]
1b 00b5f8fc 112b4d36 libcef!base::RunLoop::Run+0x2e [e:\cef\code\code_3626\chromium_git\chromium\src\base\run_loop.cc @ 108]
1c 00b5f924 00dabe95 libcef!CefRunMessageLoop+0x43 [e:\cef\code\code_3626\chromium_git\chromium\src\cef\libcef\browser\context.cc @ 308]
WARNING: Stack unwind information not available. Following frames may be wrong.
omit......
Looking at the stack at the time of the crash, the faulting frame is in the UI compositor, ui::Compositor.
This is the class used for GPU-composited drawing: after the renderer process generates the drawing commands for a frame, it hands them to the compositor object in the browser process for GPU rendering.
Here the ecx register is 0. Under the MSVC thiscall convention ecx carries the `this` pointer, and the faulting address ds:002b:000000c4 is just the 0xC4 field offset from a null base, so the compositor object pointer has evidently been set to null.
Following the stack, the lifetime of the compositor object is managed by the aura::WindowTreeHost class:
void WindowTreeHost::OnHostResizedInPixels(
    const gfx::Size& new_size_in_pixels,
    const viz::LocalSurfaceIdAllocation& new_local_surface_id_allocation) {
  // ...
  ScopedLocalSurfaceIdValidator lsi_validator(window());
  // compositor_ is dereferenced here with no null check; this is frame 00 of the dump.
  compositor_->SetScaleAndSize(device_scale_factor_, new_size_in_pixels,
                               local_surface_id_allocation);
  // ...
}
As you can see, compositor_ is not null-checked here, which is what directly triggers the crash. But we still need to find out why window_tree_host was still invoking this resize handler after the compositor object had been destroyed.
void DesktopWindowTreeHostWin::HandleClientSizeChanged(
    const gfx::Size& new_size) {
  CheckForMonitorChange();
  if (dispatcher())
    OnHostResizedInPixels(new_size);
}
Continuing up the stack, aura::DesktopWindowTreeHostWin is a subclass of aura::WindowTreeHost; this function is just a thin wrapper around the call.
void DesktopWindowTreeHostWin::HandleDestroying() {
  drag_drop_client_->OnNativeWidgetDestroying(GetHWND());
  native_widget_delegate_->OnNativeWidgetDestroying();
  // Destroy the compositor before destroying the HWND since shutdown
  // may try to swap to the window.
  DestroyCompositor();
}
On the other side, destroying the compositor is likewise a simple wrapper, so we keep going up.
In the view::HWNDMessageHandler class, WindowTreeHost acts as the window event delegate that handles the concrete events.
Here, the compositor is destroyed inside the void HWNDMessageHandler::OnDestroy() call, while the resize call happens in void HWNDMessageHandler::OnWindowPosChanged().
In other words, this window still received a WM_WINDOWPOSCHANGED message after it had already received WM_DESTROY.
Most likely the parent window was closed unexpectedly without being destroyed in sync, and that is what caused this crash. The next step is to investigate the external calling code.
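Added illustration, not Chromium or CEF code: a small model of the host/compositor interaction described above, which replays the WM_DESTROY-then-WM_WINDOWPOSCHANGED ordering through an unguarded resize path and through one with the null check that the crashing OnHostResizedInPixels lacks. All class, enum and function names here are stand-ins chosen for this example.

```cpp
#include <memory>
#include <vector>

// Stand-in for ui::Compositor: only records the last size it was given.
struct Compositor {
  int width = 0, height = 0;
  void SetScaleAndSize(int w, int h) { width = w; height = h; }
};

// The two window messages named in the analysis (hypothetical enum, not Win32's).
enum class Msg { WindowPosChanged, Destroy };

// Model of aura::WindowTreeHost: owns the compositor, tears it down on WM_DESTROY.
class ModelWindowTreeHost {
 public:
  ModelWindowTreeHost() : compositor_(std::make_unique<Compositor>()) {}
  void DestroyCompositor() { compositor_.reset(); }  // HandleDestroying() path
  bool HasCompositor() const { return compositor_ != nullptr; }
  // Null-checked variant of OnHostResizedInPixels: drops the resize instead of
  // dereferencing a null compositor_.
  bool OnHostResizedGuarded(int w, int h) {
    if (!compositor_) return false;
    compositor_->SetScaleAndSize(w, h);
    return true;
  }
 private:
  std::unique_ptr<Compositor> compositor_;
};

// Replays a message sequence the way the unguarded build would and reports
// whether a resize reached a null compositor_ (the access violation in the dump).
bool UnguardedReplayWouldCrash(const std::vector<Msg>& msgs) {
  ModelWindowTreeHost host;
  for (Msg m : msgs) {
    if (m == Msg::Destroy) host.DestroyCompositor();
    else if (!host.HasCompositor()) return true;  // compositor_->SetScaleAndSize on null
    else host.OnHostResizedGuarded(800, 600);     // compositor live: same as unguarded
  }
  return false;
}

// Same replay with the null check in place: returns how many resizes were
// applied; resizes arriving after WM_DESTROY are ignored rather than crashing.
int GuardedReplayAppliedResizes(const std::vector<Msg>& msgs) {
  ModelWindowTreeHost host;
  int applied = 0;
  for (Msg m : msgs) {
    if (m == Msg::Destroy) host.DestroyCompositor();
    else if (host.OnHostResizedGuarded(800, 600)) ++applied;
  }
  return applied;
}
```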