Browser crash clicking on New private window with Tor #16950

Closed
stephendonner opened this issue Jul 14, 2021 · 4 comments · Fixed by brave/brave-core#9486

@stephendonner

Description

Browser crash clicking on New private window with Tor

Steps to Reproduce

  1. new profile
  2. launch Brave
  3. click on the "hamburger" menu on the top-right of the toolbar
  4. click on New private window with Tor

Actual result:

Crash: https://share.backtrace.io/api/share/yAMFx3VwjEPrmYPJfX891h3

[ 00 ] TemplateURLData::TemplateURLData(TemplateURLData const &)
[ 01 ] malloc_base
[ 02 ] TemplateURL::TemplateURL(TemplateURLData const &,TemplateURL::Type)
[ 03 ] operator new(unsigned __int64)
[ 04 ] TorWindowSearchEngineProviderService::TorWindowSearchEngineProviderService(Profile *)
[ 05 ] operator new(unsigned __int64)
[ 06 ] BrowserContextKeyedServiceFactory::BuildServiceInstanceFor(void *)
[ 07 ] _tailMerge_esent.dll
[ 08 ] KeyedServiceFactory::GetServiceForContext(void *,bool)
[ 09 ] _tailMerge_esent.dll
[ 10 ] std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char> >::compare(char const *)
[ 11 ] base::FeatureList::IsEnabled(base::Feature const &)
[ 12 ] RefcountedKeyedServiceFactory::CreateServiceNow(void *)
[ 13 ] DependencyManager::CreateContextServices(void *,bool)
[ 14 ] _tailMerge_esent.dll
[ 15 ] _tailMerge_esent.dll
[ 16 ] _tailMerge_esent.dll
[ 17 ] BrowserContextDependencyManager::DoCreateBrowserContextServices(content::BrowserContext *,bool)
[ 18 ] operator new(unsigned __int64)
[ 19 ] FullBrowserTransitionManager::OnProfileCreated(Profile *)
[ 20 ] profile_metrics::SetBrowserProfileType(base::SupportsUserData *,profile_metrics::BrowserProfileType)
[ 21 ] Profile::CreateOffTheRecordProfile(Profile *,Profile::OTRProfileID const &)
[ 22 ] _tailMerge_esent.dll
[ 23 ] ProfileImpl::HasOffTheRecordProfile(Profile::OTRProfileID const &)
[ 24 ] ProfileImpl::GetOffTheRecordProfile(Profile::OTRProfileID const &,bool)
[ 25 ] _tailMerge_esent.dll
[ 26 ] base::internal::WeakPtrFactoryBase::WeakPtrFactoryBase(unsigned __int64)
[ 27 ] static void base::internal::PartitionFree(const struct base::allocator::AllocatorDispatch *, void *, void *)
[ 28 ] TorProfileManager::SwitchToTorProfile(Profile *,base::RepeatingCallback<void >)
[ 29 ] _tailMerge_esent.dll
[ 30 ] base::StatisticsRecorder::RegisterOrDeleteDuplicate(base::HistogramBase *)
[ 31 ] brave::NewOffTheRecordWindowTor(Browser *)
[ 32 ] _tailMerge_esent.dll
[ 33 ] chrome::BraveBrowserCommandController::ExecuteCommandWithDisposition(int,WindowOpenDisposition,base::TimeTicks)
[ 34 ] static void base::internal::PartitionFree(const struct base::allocator::AllocatorDispatch *, void *, void *)
[ 35 ] _tailMerge_esent.dll
[ 36 ] base::Histogram::FactoryTimeGet(char const *,base::TimeDelta,base::TimeDelta,unsigned int,int)
[ 37 ] KeyedServiceFactory::GetServiceForContext(void *,bool)
[ 38 ] _tailMerge_esent.dll
[ 39 ] base::SampleVectorBase::Accumulate(int,int)
[ 40 ] _tailMerge_esent.dll
[ 41 ] base::`anonymous namespace'::QPCNow()
[ 42 ] _tailMerge_esent.dll
[ 43 ] AppMenuModel::ExecuteCommand(int,int)
[ 44 ] views::MenuItemView::DestroyAllMenuHosts()
[ 45 ] views::internal::MenuRunnerImpl::OnMenuClosed(views::internal::MenuControllerDelegate::NotifyType,views::MenuItemView *,int)
[ 46 ] static void base::internal::PartitionFree(const struct base::allocator::AllocatorDispatch *, void *, void *)
[ 47 ] views::MenuButtonController::PressedLock::~PressedLock()
[ 48 ] void views::MenuController::ExitMenu()
[ 49 ] views::Widget::GetClientAreaBoundsInScreen()
[ 50 ] _tailMerge_esent.dll
[ 51 ] _tailMerge_esent.dll
[ 52 ] void views::MenuController::ExitMenu()
[ 53 ] void views::MenuController::Accept(class views::MenuItemView *, int)
[ 54 ] base::`anonymous namespace'::QPCNow()
[ 55 ] _tailMerge_esent.dll
[ 56 ] views::MenuController::OnMouseReleased(views::SubmenuView *,ui::MouseEvent const &)
[ 57 ] ui::Layer::ConvertPointToLayer(ui::Layer const *,ui::Layer const *,bool,gfx::PointF *)
[ 58 ] aura::Window::GetEventHandlerForPoint(gfx::Point const &)
[ 59 ] gfx::ToFlooredPoint(gfx::PointF const &)
[ 60 ] views::MenuItemView::GetMenuController()
[ 61 ] views::MenuItemView::GetMenuController()
[ 62 ] views::Widget::OnMouseEvent(ui::MouseEvent *)
[ 63 ] views::TooltipManagerAura::UpdateTooltipManagerForCapture(views::Widget *)
[ 64 ] views::TooltipManagerAura::UpdateTooltip()
[ 65 ] _tailMerge_esent.dll
[ 66 ] _tailMerge_esent.dll
[ 67 ] ui::EventHandler::OnEvent(ui::Event *)
[ 68 ] static void * base::internal::PartitionMalloc(const struct base::allocator::AllocatorDispatch *, unsigned __int64, void *)
[ 69 ] _tailMerge_esent.dll
[ 70 ] static void base::internal::PartitionFree(const struct base::allocator::AllocatorDispatch *, void *, void *)
[ 71 ] aura::client::GetEventClient(aura::Window const *)
[ 72 ] class Browser * * std::__1::vector<Browser *,std::__1::allocator<Browser *> >::__swap_out_circular_buffer(struct std::__1::__split_buffer<Browser *,std::__1::allocator<Browser *> &> & const, class Browser * *)
[ 73 ] ui::EventTarget::GetPreTargetHandlers(std::__1::vector<ui::EventHandler *,std::__1::allocator<ui::EventHandler *> > *)
[ 74 ] void ui::EventDispatcher::DispatchEvent(class ui::EventHandler *, class ui::Event *)
[ 75 ] void ui::EventDispatcher::DispatchEvent(class ui::EventHandler *, class ui::Event *)
[ 76 ] _tailMerge_esent.dll
[ 77 ] _tailMerge_esent.dll
[ 78 ] ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
[ 79 ] _tailMerge_esent.dll
[ 80 ] ui::EventProcessor::OnEventFromSource(ui::Event *)
[ 81 ] ui::EventSource::SendEventToSinkFromRewriter(ui::Event const *,ui::EventRewriter const *)
[ 82 ] _tailMerge_esent.dll
[ 83 ] ui::LatencyInfo::AddLatencyNumber(ui::LatencyComponentType)
[ 84 ] views::DesktopWindowTreeHostWin::HandleMouseEvent(ui::MouseEvent *)
[ 85 ] ui::IsMouseEventFromTouch(unsigned int)
[ 86 ] __int64 views::HWNDMessageHandler::HandleMouseEventInternal(unsigned int, unsigned __int64, __int64, bool)
[ 87 ] OpenEventW
[ 88 ] APP_DATA::FreeCachedMem
[ 89 ] SysFreeString
[ 90 ] CTabTipEventBase::Open
[ 91 ] _tailMerge_esent.dll

Expected result:

A new private window with Tor is opened; no crash.

Reproduces how often:

100%

Brave version (brave://version info)

Brave 1.28.80 Chromium: 92.0.4515.93 (Official Build) nightly (64-bit)
Revision 6eb43ff7850a1d710c3f827a0555737c74edab5c-refs/branch-heads/4515@{#1378}
OS Windows 10 OS Version 2009 (Build 22000.65)

/cc @iefremov

@simonhong simonhong self-assigned this Jul 15, 2021
@rebron rebron added the priority/P2 (A bad problem. We might uplift this to the next planned release.) and feature/tor labels Jul 15, 2021
simonhong added a commit to brave/brave-core that referenced this issue Jul 19, 2021
As we changed some regions' (AU, NZ, IE, DE) DSE to Google, the originally used DDG
variants (e.g., DDG_DE) were set to initial_id. However, those regions' default list
doesn't have the previously used DDG variants. So, |provider_data| could be nullptr.
Set DDG always for non-QWANT regions.

fix brave/brave-browser#16950
@bsclifton

I wasn't able to reproduce this crash - definitely weird. @stephendonner did you have a particular Country or region set on your computer?

@kjozwiak

kjozwiak commented Jul 19, 2021

> I wasn't able to reproduce this crash - definitely weird. @stephendonner did you have a particular Country or region set on your computer?

@bsclifton I was able to reproduce this pretty easily on Win 10 x64 using the following STR:

Instant crash every single time. I managed to reproduce this using https://github.com/brave/brave-browser/releases/tag/v1.28.85 as well using the same above STR.

@bsclifton

@stephendonner @kjozwiak thanks for the input here! I was able to reproduce also. @simonhong found why it can still crash after you set your region back to US.

When the code runs, it will make a call to country_codes::GetCountryIDFromPrefs. This will do the lookup the first time and, afterwards, return a cached value (not sure how it gets invalidated). If the profile was created in AU/DE/IE/NZ and then changed to USA, you'd definitely experience this issue (even if you exit / re-open).

simonhong added a commit to brave/brave-core that referenced this issue Jul 20, 2021
…n tor

As we changed some regions' (AU, NZ, IE, DE) DSE to Google, the originally used DDG
variants (e.g., DDG_DE) were set to initial_id. However, those regions' default list
doesn't have the previously used DDG variants. So, |provider_data| could be nullptr.
Set DDG always for non-QWANT regions.

fix brave/brave-browser#16950
@simonhong simonhong added this to the 1.29.x - Nightly milestone Jul 21, 2021
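
The failure mode described in the commit message above, as an added C++ model that is not part of the thread and is not brave-core code: a region-specific engine id that is missing from the region's default list makes the lookup return null, and the hardened path picks an id that is always present and still checks the pointer. All names, the region lists, and the use of "FR" as a Qwant region are assumptions made for illustration.

```cpp
// Added illustration: hypothetical names and constructed data, not brave-core code.
#include <map>
#include <memory>
#include <string>
#include <vector>

enum EngineId { kGoogle = 1, kDDG = 2, kDDG_DE = 3, kQwant = 4 };
struct EngineData { EngineId id; std::string name; };

// Constructed per-region default lists. DE no longer carries kDDG_DE.
// Assumption: "FR" stands in for a Qwant region.
static const std::map<std::string, std::vector<EngineData>> kRegionDefaults = {
    {"US", {{kGoogle, "Google"}, {kDDG, "DuckDuckGo"}}},
    {"DE", {{kGoogle, "Google"}, {kDDG, "DuckDuckGo"}}},
    {"FR", {{kQwant, "Qwant"}, {kDDG, "DuckDuckGo"}}},
};

// Returns nullptr when the region is unknown or `id` is not in its list.
std::unique_ptr<EngineData> FindEngine(const std::string& region, EngineId id) {
  auto it = kRegionDefaults.find(region);
  if (it == kRegionDefaults.end()) return nullptr;
  for (const EngineData& e : it->second)
    if (e.id == id) return std::make_unique<EngineData>(e);
  return nullptr;
}

// Pre-fix shape: a stale region-specific id is looked up and the result is
// copied without a check. This reports the null instead of dereferencing it.
bool StaleIdYieldsNull(const std::string& region, EngineId initial_id) {
  return FindEngine(region, initial_id) == nullptr;
}

// Hardened shape: pick an id every list carries, and still check the pointer.
std::unique_ptr<EngineData> TorWindowEngine(const std::string& region) {
  const EngineId id = (region == "FR") ? kQwant : kDDG;
  std::unique_ptr<EngineData> data = FindEngine(region, id);
  if (!data)  // unknown or stale cached region: fall back, never use null
    data = std::make_unique<EngineData>(EngineData{kDDG, "DuckDuckGo"});
  return data;
}

int main() {
  return (StaleIdYieldsNull("DE", kDDG_DE) && TorWindowEngine("DE")->id == kDDG) ? 0 : 1;
}
```
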
@GeetaSarvadnya

Verification passed on

Brave | 1.27.107 Chromium: 92.0.4515.107 (Official Build) (64-bit)
-- | --
Revision | 87a818b10553a07434ea9e2b6dccf3cbe7895134-refs/branch-heads/4515@{#1634}
OS | Windows 10 OS Version 2004 (Build 19041.1110)

  • Verified the STR from the description and ensured there is no crash when clicking on New private window with Tor from the hamburger menu.
