
Issue 45002

Starred by 8 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jun 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug
M-6


Huge alert box crashes Chrome

Reported by jjlem...@gmail.com, May 25 2010

Issue description

Chrome Version (from the about:version page):
Is this the most recent version:
OS + version: fedora 12/ 64 bit
CPU architecture (32-bit / 64-bit):

Google Chrome	5.0.375.55 (Official Build 47796) beta
WebKit	533.4
V8	2.1.10.13
User Agent	Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/533.4 
(KHTML, like Gecko) Chrome/5.0.375.55 Safari/533.4
Command Line	 /opt/google/chrome/google-chrome

Window manager:
URLs (if relevant):
Behavior in Linux Firefox: Okay no problem + Seamonkey Okay as well
Behavior in Windows Chrome (if you have access to it):

What steps will reproduce the problem?
1. display the html page attached
2. click on the second button
3.

What is the expected result?
Display part of the string in the alert box as FF does.

What happens instead?
Chrome crashes.

Please provide any additional information below. Attach a screenshot
and backtrace if possible.

Remarks:
(1) this is a stress test.
(2) suggestion: display say 4096 bytes and ignore the rest.
(3) *Warning* this may crash your browser.  

 
bug_alerte1.html
829 bytes View Download
Labels: Pri-1 Crash
Status: Untriaged
Crash reproducible with Chrome on Fedora 11 32 bit but not on Ubuntu 8.04 64 bit machine. On Ubuntu, browser hangs.

Crash report id: 095f2e9069df4fa9

Stack trace: 
Thread 0 *CRASHED* ( SIGABRT @ 0x00003b5d )
0x00d82416 	[linux-gate.so 	+ 0x00000416] 	
0x001ef049 	[libc-2.10.2.so 	+ 0x0002d049] 	
0x003f6732 	[libglib-2.0.so.0.2000.5 	+ 0x0003f732] 	
0x003f6765 	[libglib-2.0.so.0.2000.5 	+ 0x0003f765] 	
0x009d2f10 	[libgdk-x11-2.0.so.0.1600.6 	+ 0x00056f10] 	
0x00527388 	[libX11.so.6.2.0 	+ 0x0003b388] 	
0x0052d9be 	[libX11.so.6.2.0 	+ 0x000419be] 	
0x0052e3e5 	[libX11.so.6.2.0 	+ 0x000423e5] 	
0x0052e478 	[libX11.so.6.2.0 	+ 0x00042478] 	
0x00506b10 	[libX11.so.6.2.0 	+ 0x0001ab10] 	
0x009b7f29 	[libgdk-x11-2.0.so.0.1600.6 	+ 0x0003bf29] 	
0x009aca01 	[libgdk-x11-2.0.so.0.1600.6 	+ 0x00030a01] 	
0x0633eb70 	[libgtk-x11-2.0.so.0.1600.6 	+ 0x000a6b70] 	
0x0098ff67 	[libgdk-x11-2.0.so.0.1600.6 	+ 0x00013f67] 	
0x003ea530 	[libglib-2.0.so.0.2000.5 	+ 0x00033530] 	
0x003ec307 	[libglib-2.0.so.0.2000.5 	+ 0x00035307] 	
0x003ef9df 	[libglib-2.0.so.0.2000.5 	+ 0x000389df] 	
0x003efb12 	[libglib-2.0.so.0.2000.5 	+ 0x00038b12] 	
0x08688ca4 	[chrome 	- base/message_pump_glib.cc:195] 	
base::MessagePumpForUI::RunWithDispatcher(base::MessagePump::Delegate*, 
base::MessagePumpForUI::Dispatcher*)
0x086888df 	[chrome 	- ./base/message_pump_glib.h:59] 	
base::MessagePumpForUI::Run(base::MessagePump::Delegate*)
0x086687a3 	[chrome 	- base/message_loop.cc:205] 	
MessageLoop::RunInternal()
0x08668811 	[chrome 	- base/message_loop.cc:612] 	
MessageLoopForUI::Run(base::MessagePumpForUI::Dispatcher*)
0x0807292a 	[chrome 	- chrome/browser/browser_main.cc:180] 	(anonymous 
namespace)::RunUIMessageLoop(BrowserProcess*)
0x08076b67 	[chrome 	- chrome/browser/browser_main.cc:1174] 	
BrowserMain(MainFunctionParams const&)
0x0807044c 	[chrome 	- chrome/app/chrome_dll_main.cc:814] 	ChromeMain
0x08070b73 	[chrome 	- chrome/app/chrome_exe_main_gtk.cc:47] 	main
0x001d8a85 	[libc-2.10.2.so 	+ 0x00016a85] 	
0x0806e4a0 	[chrome 	+ 0x000264a0] 	
0x08070b3f 	[chrome 	- atomicity.h:51] 	ChromeMain
0x095530ef 	[chrome 	- 
native_client/src/shared/platform/linux/nacl_semaphore.c:24] 	NaClSemCtor
0x095530df 	[chrome 	- 
native_client/src/shared/platform/linux/nacl_semaphore.c:24] 	NaClSemCtor
0x001ae7df 	[ld-2.10.2.so 	+ 0x0000f7df] 	
Thread 1
0x00d82416 	[linux-gate.so 	+ 0x00000416] 	
0x086736f0 	[chrome 	- base/platform_thread_posix.cc:28] 	
ThreadFunc(void*)
0x0036a8f4 	[libpthread-2.10.2.so 	+ 0x000058f4] 	
0x0029ffcd 	[libc-2.10.2.so 	+ 0x000ddfcd] 	
Thread 2
0x00d82416 	[linux-gate.so 	+ 0x00000416] 	
0x086975ea 	[chrome 	- third_party/libevent/event.c:516] 	
event_base_loop
0x0865499a 	[chrome 	- base/message_pump_libevent.cc:272] 	
base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0x086687a3 	[chrome 	- base/message_loop.cc:205] 	
MessageLoop::RunInternal()
0x086688a5 	[chrome 	- base/message_loop.cc:155] 	MessageLoop::Run()
0x0868091e 	[chrome 	- base/thread.cc:156] 	base::Thread::ThreadMain()
0x086736f0 	[chrome 	- base/platform_thread_posix.cc:28] 	
ThreadFunc(void*)
0x0036a8f4 	[libpthread-2.10.2.so 	+ 0x000058f4] 	
0x0029ffcd 	[libc-2.10.2.so 	+ 0x000ddfcd] 	
Labels: -Area-Undefined Area-UI
I got a slightly different stacktrace FWIW:
(32 bit, Fedora 9)

The program 'chrome' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 462399 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
Locking assertion failure.  Backtrace:
#0 /usr/lib/libxcb-xlib.so.0 [0x647767]
#1 /usr/lib/libxcb-xlib.so.0(xcb_xlib_lock+0x2e) [0x64790e]
#2 /usr/lib/libX11.so.6 [0x2e5e109]
#3 /usr/lib/libX11.so.6(XFreeCursor+0x25) [0x2e38a95]
#4 /usr/lib/libgdk-x11-2.0.so.0 [0x4ed5259]
#5 /usr/lib/libgdk-x11-2.0.so.0(gdk_cursor_unref+0x8e) [0x4ead744]
#6 /home/craig/chromium/src/out/Release/lib.target/libbrowser.so [0x205b9bf]
#7 /lib/libc.so.6(exit+0xdf) [0x7f0327f]
#8 /usr/lib/libgdk-x11-2.0.so.0 [0x4ef34af]
#9 /usr/lib/libX11.so.6(_XError+0x109) [0x2e56a49]
#10 /usr/lib/libX11.so.6 [0x2e5eac8]
#11 /usr/lib/libX11.so.6(_XReply+0x152) [0x2e5ee72]
#12 /usr/lib/libX11.so.6(XSync+0x67) [0x2e521f7]
#13 /usr/lib/libgdk-x11-2.0.so.0(gdk_flush+0x37) [0x4ee73c3]
#14 /usr/lib/libgdk-x11-2.0.so.0 [0x4eb6e60]
#15 /usr/lib/libgdk-x11-2.0.so.0 [0x4eb7095]
#16 /usr/lib/libgdk-x11-2.0.so.0 [0x4ee2ea8]
#17 /usr/lib/libgdk-x11-2.0.so.0 [0x4ee3683]
#18 /usr/lib/libgdk-x11-2.0.so.0(gdk_draw_pixbuf+0x213) [0x4eafca9]
#19 /usr/lib/libgdk-x11-2.0.so.0 [0x4ebd30d]

Haven't looked at it in more detail yet ...

Limiting the size of message_text_ in JavaScriptAppModalDialog::CreateNativeDialog
(chrome/browser/js_modal_dialog_gtk.cc) stops the crash for me.

The string is passed to gtk_message_dialog_new btw.

Now the question is ... what is a good value to limit to? (I used 2000 and the
dialog was still bigger than my screen FWIW).
Issue 45215 has been merged into this issue.
Labels: Mstone-6
Status: Assigned

Comment 7 by e...@chromium.org, Jun 1 2010

The (interesting) fragment of stack that I get for this:

(lots of stack frames in Pango!)
#44 0x00007ffff50d7033 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#45 0x00007ffff6cb851b in gtk_widget_show () from /usr/lib/libgtk-x11-2.0.so.0
#46 0x0000000000f7ca46 in gtk_util::ShowModalDialogWithMinLocalizedWidth (
    dialog=0x7fffbdc6a190, width_id=7024)
    at chrome/browser/gtk/gtk_util.cc:992
#47 0x0000000001634eb3 in JavaScriptAppModalDialog::CreateAndShowDialog (
    this=0x7fffe2b82500) at chrome/browser/js_modal_dialog_gtk.cc:52
#48 0x000000000124a91d in AppModalDialog::ShowModalDialog (
    this=0x7fffe2b82500) at chrome/browser/app_modal_dialog.cc:28
#49 0x000000000124ae40 in AppModalDialogQueue::ShowModalDialog (
    this=0x7fffe59b8c60, dialog=0x7fffe2b82500)
    at chrome/browser/app_modal_dialog_queue.cc:45
#50 0x000000000124ad78 in AppModalDialogQueue::AddDialog (
    this=0x7fffe59b8c60, dialog=0x7fffe2b82500)
    at chrome/browser/app_modal_dialog_queue.cc:11
#51 0x000000000144f582 in RunJavascriptMessageBox (client=0x7fffba444838, 
    frame_url=..., dialog_flags=9, message_text=..., default_prompt_text=..., 
    display_suppress_checkbox=false, reply_msg=0x7fffe5ee1050)

Assumption: we need to limit the size of strings because pango goes crazy trying to 
lay that string out. Maybe the string wouldn't fit in a message box that was all the 
available area?

Comment 8 by e...@chromium.org, Jun 2 2010

Status: Fixed
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=48751 

------------------------------------------------------------------------
r48751 | erg@chromium.org | 2010-06-02 12:42:42 -0700 (Wed, 02 Jun 2010) | 6 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/js_modal_dialog.cc?r1=48751&r2=48750

Truncate very long javascript alert messages. They can overflow the UI and on Linux cause crashes.

BUG= 45002 
TEST=none

Review URL: http://codereview.chromium.org/2486003
------------------------------------------------------------------------
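The mitigation the revision above describes, written out as an added example (not Chromium's own code from r48751): a helper that bounds the length of a JavaScript dialog message before it is handed to the GTK/Pango layout path, so that a page-supplied string of arbitrary size cannot drive the dialog past what the toolkit and X server can allocate. The helper name and the 4096 cap are assumptions; the reporter suggested roughly that figure, and the real revision chose its own limit.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Cap on the number of UTF-16 code units a JavaScript alert/confirm/prompt
// message may contribute to the native dialog. Assumed value for this example.
const size_t kMaxMessageLength = 4096;

// Truncate |message| to at most |max_len| UTF-16 code units without splitting
// a surrogate pair, and append an ellipsis so the user can tell the text was
// shortened. Hypothetical helper; not a Chromium function.
std::u16string TruncateDialogMessage(const std::u16string& message,
                                     size_t max_len = kMaxMessageLength) {
  if (message.size() <= max_len)
    return message;

  size_t cut = max_len;
  if (cut > 0) {
    char16_t last = message[cut - 1];
    // A high surrogate at the cut point would leave a dangling half pair;
    // drop it so the truncated string stays well-formed UTF-16.
    if (last >= 0xD800 && last <= 0xDBFF)
      --cut;
  }
  return message.substr(0, cut) + u"\u2026";
}

int main() {
  // Constructed input: a 1 MiB payload of the kind the attached stress-test
  // page passes to alert().
  std::u16string huge(1 << 20, u'x');
  std::u16string shown = TruncateDialogMessage(huge);
  std::cout << "original " << huge.size() << " units, shown " << shown.size()
            << " units\n";
  return 0;
}
```

The cap bounds the layout work the dialog triggers regardless of what the page supplies; the dialog is still shown, only with the tail of the message replaced by an ellipsis.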

Comment 10 by evan@chromium.org, Jun 7 2010

Would you mind reporting this bug upstream?  I think they fixed the equivalent bug with overlong tooltips.

Comment 11 by dhw@chromium.org, Jun 9 2010

Issue 46181 has been merged into this issue.
This hangs the whole desktop on Ubuntu 10.10 Gnome 64bit with the default chromium installation. `sudo restart gdm` required. Mouse works, back button hover, new tab button also works.
Labels: -Crash bulkmove Stability-Crash
This is not fixed.  I can launch huge alert boxes (i.e. alert(<entire html document>)) on Windows 32bit and as soon as you click somewhere you get an infinite flickering back and forth until Windows says you should close the program as it's not responding.

Comment 15 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 16 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-UI -Mstone-6 M-6 Cr-UI

Comment 17 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
