Browser crash when refreshing NTP

[srirambv]

Description

Browser crash when refreshing NTP

Steps to Reproduce

1. Open a new tab
2. Refresh the tab
3. Browser crashes

Actual result:

Browser crash when refreshing NTP. Backtrace link https://share.backtrace.io/api/share/x3v8VW5x1jGwOtahRQrjuee1

Expected result:

No crash when NTP is refreshed

Reproduces how often:

Happened once

Brave version (brave://version info)

Brave	1.54.43 Chromium: 114.0.5735.110 (Official Build) nightly (arm64)
Revision	1c828682b85bbc70230a48f5e345489ec447373e-refs/branch-heads/5735_90@{#13}
OS	Windows 11 Version 22H2 (Build 22621.1778)

Version/Channel Information:

• Can you reproduce this issue with the current release? No
• Can you reproduce this issue with the beta channel? No
• Can you reproduce this issue with the nightly channel? Yes

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields? NA
• Does the issue resolve itself when disabling Brave Rewards? NA
• Is the issue reproducible on the latest version of Chrome? NA

Miscellaneous Information:

cc: @bsclifton @iefremov

[iefremov]

[ 00 ] ntp_background_images::ViewCounterModel::RegisterPageViewForBrandedImages() ( view_counter_model.cc:114 )
[ 01 ] ntp_background_images::NTPBackgroundImagesService::CheckNTPSIComponentUpdateIfNeeded() ( ntp_background_images_service.cc:150 )
[ 02 ] ntp_background_images::ViewCounterService::RegisterPageView() ( view_counter_service.cc:334 )
[ 03 ] static void BraveNewTabMessageHandler::HandleRegisterNewTabPageView(const class base::Value::List & const) ( brave_new_tab_message_handler.cc:464 )
[ 04 ] content::RenderFrameHostImpl::BeginNavigation(mojo::StructPtr<blink::mojom::CommonNavigationParams>,mojo::StructPtr<blink::mojom::BeginNavigationParams>,mojo::PendingRemote<blink::mojom::BlobURLToken>,mojo::PendingAssociatedRemote<content::mojom::NavigationClient>,mojo::PendingRemote<blink::mojom::PolicyContainerHostKeepAliveHandle>,mojo::PendingReceiver<content::mojom::NavigationRendererCancellationListener>) ( render_frame_host_impl.cc:8640 )
[ 05 ] _tailMerge_esent.dll
[ 06 ] static void base::RepeatingCallback<void (ChromeLabsItemView *)>::Run(class ChromeLabsItemView *) ( callback.h:334 )
[ 07 ] content::WebUIImpl::ProcessWebUIMessage(GURL const &,std::Cr::basic_string<char,std::Cr::char_traits<char>,std::Cr::allocator<char> > const &,base::Value::List) ( web_ui_impl.cc:255 )
[ 08 ] content::ChildProcessSecurityPolicyImpl::HasWebUIBindings(int) ( child_process_security_policy_impl.cc:1501 )
[ 09 ] base::EndsWith(base::BasicStringPiece<char,std::Cr::char_traits<char> >,base::BasicStringPiece<char,std::Cr::char_traits<char> >,base::CompareCase) ( string_util.cc:271 )
[ 10 ] content::WebUIImpl::Send(std::Cr::basic_string<char,std::Cr::char_traits<char>,std::Cr::allocator<char> > const &,base::Value::List) ( web_ui_impl.cc:116 )
[ 11 ] content::responsiveness::Watcher::WillRunTaskOnUIThread(base::PendingTask const *,bool) ( watcher.cc:42 )
[ 12 ] static void * allocator_shim::internal::PartitionMalloc(const struct allocator_shim::AllocatorDispatch *, unsigned __int64, void *) ( allocator_shim_default_dispatch_to_partition_alloc.cc:262 )
[ 13 ] operator new(unsigned __int64) ( new_scalar.cpp:35 )
[ 14 ] base::sequence_manager::internal::SequenceManagerImpl::SelectNextTask(base::LazyNow &,base::sequence_manager::internal::SequencedTaskSource::SelectTaskOption) ( sequence_manager_impl.cc:542 )
[ 15 ] base::Value::List::Append(base::Value &&) ( values.cc:986 )
[ 16 ] mojo::StructTraits<mojo_base::mojom::ListValueDataView,base::Value::List>::Read(mojo_base::mojom::ListValueDataView,base::Value::List *) ( values_mojom_traits.cc:42 )
[ 17 ] content::RenderFrameHostImpl::DidChangeBackForwardCacheDisablingFeatures(std::Cr::vector<mojo::StructPtr<blink::mojom::BlockingDetails>,std::Cr::allocator<mojo::StructPtr<blink::mojom::BlockingDetails> > >) ( render_frame_host_impl.cc:4526 )
[ 18 ] _tailMerge_esent.dll
[ 19 ] content::mojom::WebUIHostStubDispatch::Accept(content::mojom::WebUIHost *,mojo::Message *) ( web_ui.mojom.cc:200 )
[ 20 ] static unsigned int content::mojom::WebUIHost::Send_Sym::IPCStableHash() ( web_ui.mojom.cc:99 )
[ 21 ] mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message *) ( interface_endpoint_client.cc:358 )
[ 22 ] mojo::internal::ArraySerializationHelper<mojo_base::mojom::internal::Value_Data,1,0>::ValidateElements(mojo::internal::ArrayHeader const *,mojo_base::mojom::internal::Value_Data const *,mojo::internal::ValidationContext *,mojo::internal::ContainerValidateParams const *) ( array_internal.h:262 )
[ 23 ] mojo::internal::Array_Data<mojo_base::mojom::internal::Value_Data>::Validate(void const *,mojo::internal::ValidationContext *,mojo::internal::ContainerValidateParams const *) ( array_internal.h:321 )
[ 24 ] mojo_base::mojom::internal::ListValue_Data::Validate(void const *,mojo::internal::ValidationContext *) ( values.mojom-shared.cc:184 )
[ 25 ] _tailMerge_esent.dll
[ 26 ] mojo::internal::ValidateStruct<mojo_base::mojom::internal::ListValue_Data>(mojo::internal::Pointer<mojo_base::mojom::internal::ListValue_Data> const &,mojo::internal::ValidationContext *) ( validation_util.h:196 )
[ 27 ] _tailMerge_esent.dll
[ 28 ] mojo::internal::ValidateRequestGeneric(mojo::Message *,char const *,base::span<std::Cr::pair<unsigned int,mojo::internal::GenericValidationInfo> const ,-1>) ( generated_code_util.cc:98 )
[ 29 ] _tailMerge_esent.dll
[ 30 ] mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message *) ( interface_endpoint_client.cc:696 )
[ 31 ] _tailMerge_esent.dll

[iefremov]

it seems there are following features enabled

commandline-enabled-feature-1
AIChat
commandline-enabled-feature-2
BraveRewardsVerboseLogging
commandline-enabled-feature-3
BraveVerticalTabs
commandline-enabled-feature-4
BraveVerticalTabsStickyPinnedTabs
commandline-enabled-feature-5
BraveWalletPanelV2

[SergeyZhukovsky]

Android crash stack from 1.52.x:

Stack Trace:
  RELADDR   FUNCTION                                                                          FILE:LINE
  v------>  base::ImmediateCrash()                                                            ../../base/immediate_crash.h:146:3
  v------>  std::Cr::__libcpp_verbose_abort(char const*, ...)                                 ../../base/nodebug_assertion.cc:14:3
  00000000024f7cbc  std::Cr::vector<mojo::StructPtr<brave_rewards::mojom::DBValue>, std::Cr::allocator<mojo::StructPtr<brave_rewards::mojom::DBValue>>>::at(unsigned long)  ../../buildtools/third_party/libc++/trunk/include/vector:1461:5
  00000000077f0d9c  ntp_background_images::ViewCounterModel::RegisterPageViewForBrandedImages()       ../../brave/components/ntp_background_images/browser/view_counter_model.cc:102:18
  00000000077f0cd8  ntp_background_images::ViewCounterModel::RegisterPageView()                       ../../brave/components/ntp_background_images/browser/view_counter_model.cc:55:3
  00000000077f1b90  ntp_background_images::ViewCounterService::RegisterPageView()                     ../../brave/components/ntp_background_images/browser/view_counter_service.cc:335:10
  0000000000461554  art_quick_generic_jni_trampoline+148                                              /apex/com.android.art/lib64/libart.so
  0000000000209a9c  nterp_helper+1948                                                                 /apex/com.android.art/lib64/libart.so
  00000000001d2b0e  ??                                                                                ??:0:0
  000000000020a254  nterp_helper+3924                                                                 /apex/com.android.art/lib64/libart.so
  000000000041ba04  vtable for content::NavigationEarlyHintsManager::PreloadURLLoaderClient           ld-temp.o:0:0
  000000000020a254  nterp_helper+3924                                                                 /apex/com.android.art/lib64/libart.so
  00000000004cb062  vtable for blink::LayoutNGRubyText                                                ld-temp.o:0:0
  000000000020a254  nterp_helper+3924                                                                 /apex/com.android.art/lib64/libart.so
  00000000004d4f38  vtable for blink::MojoWatcher                                                     ld-temp.o:0:0
  000000000020b74c  nterp_helper+9292                                                                 /apex/com.android.art/lib64/libart.so
  00000000001b615e  ??                                                                                ??:0:0
  000000000020a254  nterp_helper+3924                                                                 /apex/com.android.art/lib64/libart.so
  00000000002e1708  ??                                                                                ??:0:0
  0000000000d3c568  android.view.View.performClick+152                                                /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat
  0000000000c6fb4c  android.view.View$PerformClick.run+332                                            /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat
  0000000000a94f54  android.os.Handler.dispatchMessage+84                                             /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat
  0000000000a99128  android.os.Looper.loopOnce+1080                                                   /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat
  0000000000a98bbc  android.os.Looper.loop+1148                                                       /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat
  00000000007cf7ec  android.app.ActivityThread.main+1740                                              /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat
  0000000000457e00  art_quick_invoke_static_stub+576                                                  /apex/com.android.art/lib64/libart.so
  000000000048c038  _jobject* art::InvokeMethod<(art::PointerSize)8>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1560  /apex/com.android.art/lib64/libart.so
  000000000048b9f8  art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*) (.__uniq.165753521025965369065708152063621506277)+48  /apex/com.android.art/lib64/libart.so
  00000000002e7148  art_jni_trampoline+120                                                            /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat
  0000000000cd89f0  com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+144                   /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat
  0000000000ce3b08  com.android.internal.os.ZygoteInit.main+3464                                      /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat
  0000000000457e00  art_quick_invoke_static_stub+576                                                  /apex/com.android.art/lib64/libart.so
  000000000058bbc4  art::JValue art::InvokeWithVarArgs<_jmethodID*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+912  /apex/com.android.art/lib64/libart.so
  0000000000609af8  art::JNI<true>::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+172  /apex/com.android.art/lib64/libart.so
  00000000000c2c04  _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+124                     /system/lib64/libandroid_runtime.so
  00000000000cfc28  android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+924  /system/lib64/libandroid_runtime.so
  0000000000002610  main+1464                                                                         /system/bin/app_process64
  00000000000859b8  __libc_init+100                                                                   /apex/com.android.runtime/lib64/bionic/libc.so

[kjozwiak]

@srirambv I couldn't reproduce the above using 1.54.41 Chromium: 114.0.5735.110 on my Win 11 x64 machine. I opened several NTP and then refreshed right away once opened. Spent ~10min trying to reproduce. Going to verify that everything is still working as expected with the latest Nightly with the above fix before uplifting into 1.52.x via brave/brave-core#18853.

Also added OS/Android as it looks like Android also experienced this crash as per #30938 (comment). @SergeyZhukovsky I don't think there's a way refresh the NTP. The refresh button via the Hamburger menu doesn't do anything while in NTP. Basically going to ensure that opening NTP is still working.

@brave/qa-team one platform should be enough but probably a good idea for @srirambv to verify as well as he originally reported the crash.

[kjozwiak]

The above requires 1.52.125 for 1.52.x verification 👍

[GeetaSarvadnya]

Verification PASSED on

Brave | 1.52.125 Chromium: 114.0.5735.110 (Official Build) (64-bit)
-- | --
Revision | 1c828682b85bbc70230a48f5e345489ec447373e-refs/branch-heads/5735_90@{#13}
OS | Windows 10 Version 22H2 (Build 19045.2965)

Went through the STR/Cases outlined via #30938 (comment) and ensured the following:

• ensured that opening NTP worked without any issues
• ensured that NTP SI are being displayed without any issues
• ensured that you can click on NTP SI without any issues
• ensured that refreshing a NTP doesn't crash/cause any issues
  • used both the refresh button and the CTRL + R shortcut

[hffvld]

Verified on Pixel 7 using version(s):

Device/OS: Pixel 7 [panther_beta-user 14 UPB3.230519.008 release-keys]
Brave build: 1.52.125 
Chromium: 114.0.5735.110 (Official Build) (64-bit)
Revision: 1c828682b85bbc70230a48f5e345489ec447373e-refs/branch-heads/5735_90@{#13}

---

STEPS:

1. Launch Brave
2. Tab tray > Tap + to open NTP > Verify
3. Tap and hold Tab tray > New tab > Verify
4. Tree-dot Menu > New tab > Verify

ACTUAL RESULTS:

• Verified that Brave is not crashing when opening NTP from different entry points
• Verified that NTP SI is shown and user able to open it

timestamp_13-54-00_13-55-22.mp4