Issue metadata

Status: Duplicate
Owner: ----
Closed: Mar 2015
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


Unicode string crashes Mac Chrome tab

Reported by mattc...@gmail.com, Mar 18 2015

Issue description

Chrome Version: 41.0.2272.89 64 bit
OS version: 10.95
Behavior in Safari 3.x/4.x: Renders squares/doesn't crash
Behavior in Chrome for Windows: Renders correctly

What steps will reproduce the problem?
1. Any page with ܝܘܚܢܢ ܒܝܬ ܐܦܪܝܡ will crash the chrome tab on a Mac
2. Just create any dummy page with the unicode characters, and the Mac Chrome tab will crash hard

What is the expected result?
Expect it not to crash

What happens instead?
It crashes

Other
This is pretty serious. You could imagine someone spamming this message in hangouts/gmail and just straight-up force crashing all Mac Chrome browsers. Someone could post this on Facebook, and force-crash all Mac Chrome browsers that saw it.
 

Comment 1 by meh...@chromium.org, Mar 18 2015

Labels: Stability-Crash Needs-Feedback
Is there a recent crash id at chrome://crashes ?

Comment 2 by mattc...@gmail.com, Mar 18 2015

Crash id: d043b37f53c2436f

Hit http://collabedit.com/mxftm where I've pasted the characters on Mac Chrome, and it will crash for you

Comment 3 by meh...@chromium.org, Mar 18 2015

Cc: rsesek@chromium.org
Labels: -Needs-Feedback
Thanks for the crash id. 

Comment 4 by rsesek@chromium.org, Mar 18 2015

Mergedinto: 420551
Status: Duplicate
Thread 0 CRASHED [EXC_BAD_INSTRUCTION / 0x00000001 @ 0x000000010ffc5879] MAGIC SIGNATURE THREAD
0x000000010ffc5879	[Google Chrome Framework -Vector.h:625 ]	blink::HarfBuzzShaper::setGlyphPositionsForHarfBuzzRun(blink::HarfBuzzShaper::HarfBuzzRun*, hb_buffer_t*)
0x000000010ffc4d15	[Google Chrome Framework -HarfBuzzShaper.cpp:879 ]	blink::HarfBuzzShaper::shapeHarfBuzzRuns()
0x000000010ffc3dc7	[Google Chrome Framework -HarfBuzzShaper.cpp:566 ]	blink::HarfBuzzShaper::shape(blink::GlyphBuffer*)
0x000000010ffaada3	[Google Chrome Framework -Font.cpp:915 ]	blink::Font::width(blink::TextRun const&, WTF::HashSet<blink::SimpleFontData const*, WTF::PtrHash<blink::SimpleFontData const*>, WTF::HashTraits<blink::SimpleFontData const*>, WTF::DefaultAllocator>*, blink::GlyphOverflow*) const
0x0000000110c64e2e	[Google Chrome Framework -RenderText.cpp:763 ]	blink::RenderText::width(unsigned int, unsigned int, blink::Font const&, float, blink::TextDirection, WTF::HashSet<blink::SimpleFontData const*, WTF::PtrHash<blink::SimpleFontData const*>, WTF::HashTraits<blink::SimpleFontData const*>, WTF::DefaultAllocator>*, blink::GlyphOverflow*) const
0x0000000110ba2a85	[Google Chrome Framework -RenderBlockLineLayout.cpp:443 ]	blink::RenderBlockFlow::computeInlineDirectionPositionsForSegment(blink::RootInlineBox*, blink::LineInfo const&, blink::ETextAlign, float&, float&, blink::BidiRun*, blink::BidiRun*, WTF::HashMap<blink::InlineTextBox const*, std::pair<WTF::Vector<blink::SimpleFontData const*, 0ul, WTF::DefaultAllocator>, blink::GlyphOverflow>, WTF::PtrHash<blink::InlineTextBox const*>, WTF::HashTraits<blink::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<blink::SimpleFontData const*, 0ul, WTF::DefaultAllocator>, blink::GlyphOverflow> >, WTF::DefaultAllocator>&, blink::VerticalPositionCache&, WTF::Vector<blink::WordMeasurement, 64ul, WTF::DefaultAllocator>&)
0x0000000110ba1d6b	[Google Chrome Framework -RenderBlockLineLayout.cpp:573 ]	blink::RenderBlockFlow::computeInlineDirectionPositionsForLine(blink::RootInlineBox*, blink::LineInfo const&, blink::BidiRun*, blink::BidiRun*, bool, WTF::HashMap<blink::InlineTextBox const*, std::pair<WTF::Vector<blink::SimpleFontData const*, 0ul, WTF::DefaultAllocator>, blink::GlyphOverflow>, WTF::PtrHash<blink::InlineTextBox const*>, WTF::HashTraits<blink::InlineTextBox const*>, WTF::HashTraits<std::pair<WTF::Vector<blink::SimpleFontData const*, 0ul, WTF::DefaultAllocator>, blink::GlyphOverflow> >, WTF::DefaultAllocator>&, blink::VerticalPositionCache&, WTF::Vector<blink::WordMeasurement, 64ul, WTF::DefaultAllocator>&)
0x0000000110ba31d8	[Google Chrome Framework -RenderBlockLineLayout.cpp:701 ]	blink::RenderBlockFlow::createLineBoxesFromBidiRuns(unsigned int, blink::BidiRunList<blink::BidiRun>&, blink::InlineIterator const&, blink::LineInfo&, blink::VerticalPositionCache&, blink::BidiRun*, WTF::Vector<blink::WordMeasurement, 64ul, WTF::DefaultAllocator>&)
0x0000000110ba4830	[Google Chrome Framework -RenderBlockLineLayout.cpp:861 ]	blink::RenderBlockFlow::layoutRunsAndFloatsInRange(blink::LineLayoutState&, blink::BidiResolver<blink::InlineIterator, blink::BidiRun>&, blink::InlineIterator const&, blink::BidiStatus const&)
0x0000000110ba3652	[Google Chrome Framework -RenderBlockLineLayout.cpp:773 ]	blink::RenderBlockFlow::layoutRunsAndFloats(blink::LineLayoutState&)
0x0000000110ba7ec9	[Google Chrome Framework -RenderBlockLineLayout.cpp:1598 ]	blink::RenderBlockFlow::layoutInlineChildren(bool, blink::LayoutUnit&, blink::LayoutUnit&, blink::LayoutUnit)
0x0000000110ba009d	[Google Chrome Framework -RenderBlockFlow.cpp:436 ]	blink::RenderBlockFlow::layoutBlockFlow(bool, blink::LayoutUnit&, blink::SubtreeLayoutScope&)
0x0000000110b9631f	[Google Chrome Framework -RenderBlockFlow.cpp:361 ]	blink::RenderBlockFlow::layoutBlock(bool)
0x0000000110b7fea1	[Google Chrome Framework -RenderBlock.cpp:1363 ]	blink::RenderBlock::layout()
0x0000000110b969ff	[Google Chrome Framework -RenderBlockFlow.cpp:599 ]	blink::RenderBlockFlow::layoutBlockChild(blink::RenderBox*, blink::MarginInfo&, blink::LayoutUnit&)
0x0000000110b9a7e9	[Google Chrome Framework -RenderBlockFlow.cpp:1060 ]	blink::RenderBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
0x0000000110ba00c2	[Google Chrome Framework -RenderBlockFlow.cpp:438 ]	blink::RenderBlockFlow::layoutBlockFlow(bool, blink::LayoutUnit&, blink::SubtreeLayoutScope&)
0x0000000110b9631f	[Google Chrome Framework -RenderBlockFlow.cpp:361 ]	blink::RenderBlockFlow::layoutBlock(bool)
0x0000000110b7fea1	[Google Chrome Framework -RenderBlock.cpp:1363 ]	blink::RenderBlock::layout()
0x00000001109b5762	[Google Chrome Framework -FrameView.cpp:838 ]	blink::FrameView::performLayout(blink::RenderObject*, bool)
0x00000001109b6871	[Google Chrome Framework -FrameView.cpp:997 ]	blink::FrameView::layout(bool)
0x00000001105b1a0f	[Google Chrome Framework -Document.cpp:1929 ]	blink::Document::updateLayout()
0x00000001105b1bd5	[Google Chrome Framework -Document.cpp:1985 ]	blink::Document::updateLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks)
0x0000000110965371	[Google Chrome Framework -VisiblePosition.cpp:572 ]	blink::VisiblePosition::canonicalPosition(blink::Position const&)
0x0000000110965211	[Google Chrome Framework -VisiblePosition.cpp:65 ]	blink::VisiblePosition::init(blink::Position const&, blink::EAffinity)
0x0000000110952afa	[Google Chrome Framework -VisibleSelection.h:76 ]	blink::SpellChecker::spellCheckOldSelection(blink::VisibleSelection const&, blink::VisibleSelection const&)
0x00000001109527e6	[Google Chrome Framework -SpellChecker.cpp:804 ]	blink::SpellChecker::respondToChangedSelection(blink::VisibleSelection const&, unsigned int)
0x000000011091b857	[Google Chrome Framework -Editor.cpp:1265 ]	blink::Editor::respondToChangedSelection(blink::VisibleSelection const&, unsigned int)
0x000000011092221b	[Google Chrome Framework -FrameSelection.cpp:287 ]	blink::FrameSelection::setSelection(blink::VisibleSelection const&, unsigned int, blink::FrameSelection::CursorAlignOnScroll, blink::TextGranularity)
0x00000001106d96a1	[Google Chrome Framework -HTMLTextFormControlElement.cpp:386 ]	blink::HTMLTextFormControlElement::setSelectionRange(int, int, blink::TextFieldSelectionDirection, blink::HTMLTextFormControlElement::SelectionOption)
0x00000001106d6b1e	[Google Chrome Framework -HTMLTextAreaElement.cpp:393 ]	blink::HTMLTextAreaElement::setValueCommon(WTF::String const&, blink::TextFieldEventBehavior, blink::HTMLTextAreaElement::SetValueCommonOption)
0x00000001106d5aaa	[Google Chrome Framework -HTMLTextAreaElement.cpp:346 ]	blink::HTMLTextAreaElement::setValue(WTF::String const&, blink::TextFieldEventBehavior)
0x0000000110e34313	[Google Chrome Framework -V8HTMLTextAreaElement.cpp:513 ]	blink::HTMLTextAreaElementV8Internal::valueAttributeSetterCallback(v8::Local<v8::String>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&)
0x000000011014d8a6	[Google Chrome Framework -arguments.cc:89 ]	v8::internal::PropertyCallbackArguments::Call(void (*)(v8::Local<v8::Name>, v8::Local<v8::Value>, v8::PropertyCallbackInfo<void> const&), v8::Local<v8::Name>, v8::Local<v8::Value>)
0x00000001103ae539	[Google Chrome Framework -objects.cc:506 ]	v8::internal::Object::SetPropertyWithAccessor(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Object>, v8::internal::StrictMode)
0x00000001103747c6	[Google Chrome Framework -ic.cc:1414 ]	v8::internal::StoreIC::Store(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::Object::StoreFromKeyed)
0x0000000110377484	[Google Chrome Framework -ic.cc:2166 ]	v8::internal::StoreIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*)
0x000000ced7d06b7a		
0x000000ced7f8d5e7		
0x000000ced7f81d67		
0x000000ced7d39865		
0x000000ced7e9ef58		
0x000000ced7f7e66d		
0x000000ced7efd1e9		
0x000000ced7d06a74		
0x000000ced7d3681b		
0x000000ced7d31030		
0x0000000110247d6d	[Google Chrome Framework -execution.cc:103 ]	v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)
0x000000011013c8a0	[Google Chrome Framework -api.cc:4216 ]	v8::Function::Call(v8::Handle<v8::Value>, int, v8::Handle<v8::Value>*)
0x0000000110dcec9d	[Google Chrome Framework -V8ScriptRunner.cpp:231 ]	blink::V8ScriptRunner::callFunction(v8::Handle<v8::Function>, blink::ExecutionContext*, v8::Handle<v8::Value>, int, v8::Handle<v8::Value>*, v8::Isolate*)
0x0000000110d9c1fb	[Google Chrome Framework -ScriptController.cpp:171 ]	blink::ScriptController::callFunction(blink::ExecutionContext*, v8::Handle<v8::Function>, v8::Handle<v8::Value>, int, v8::Handle<v8::Value>*, v8::Isolate*)
0x0000000110d9be96	[Google Chrome Framework -ScriptController.cpp:154 ]	blink::ScriptController::callFunction(v8::Handle<v8::Function>, v8::Handle<v8::Value>, int, v8::Handle<v8::Value>*)
0x0000000110dbfdd3	[Google Chrome Framework -V8EventListener.cpp:88 ]	blink::V8EventListener::callListenerFunction(v8::Handle<v8::Value>, blink::Event*)
0x0000000110db9b5f	[Google Chrome Framework -V8AbstractEventListener.cpp:128 ]	blink::V8AbstractEventListener::invokeEventHandler(blink::Event*, v8::Local<v8::Value>)
0x0000000110db9a2b	[Google Chrome Framework -V8AbstractEventListener.cpp:98 ]	blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*)
0x0000000110644531	[Google Chrome Framework -EventTarget.cpp:352 ]	blink::EventTarget::fireEventListeners(blink::Event*, blink::EventTargetData*, WTF::Vector<blink::RegisteredEventListener, 1ul, WTF::DefaultAllocator>&)
0x0000000110643f26	[Google Chrome Framework -EventTarget.cpp:288 ]	blink::EventTarget::fireEventListeners(blink::Event*)
0x0000000110643da3	[Google Chrome Framework -EventTarget.cpp:198 ]	blink::EventTarget::dispatchEvent(WTF::PassRefPtr<blink::Event>)
0x0000000110b5a412	[Google Chrome Framework -XMLHttpRequestProgressEventThrottle.cpp:106 ]	blink::XMLHttpRequestProgressEventThrottle::dispatchReadyStateChangeEvent(WTF::PassRefPtr<blink::Event>, blink::XMLHttpRequestProgressEventThrottle::DeferredEventAction)
0x0000000110b52973	[Google Chrome Framework -XMLHttpRequest.cpp:528 ]	blink::XMLHttpRequest::dispatchReadyStateChangeEvent()
0x0000000110b56e5a	[Google Chrome Framework -XMLHttpRequest.cpp:1380 ]	blink::XMLHttpRequest::didFinishLoadingInternal()
0x000000011098e2c5	[Google Chrome Framework -Resource.cpp:213 ]	blink::Resource::checkNotify()
0x000000011098e991	[Google Chrome Framework -Resource.cpp:272 ]	blink::Resource::finish()
0x000000011099ef1f	[Google Chrome Framework -ResourceLoader.cpp:484 ]	blink::ResourceLoader::didFinishLoading(blink::WebURLLoader*, double, long long)
0x00000001124b08a9	[Google Chrome Framework -web_url_loader_impl.cc:732 ]	content::WebURLLoaderImpl::Context::OnCompletedRequest(int, bool, bool, std::string const&, base::TimeTicks const&, long long)
0x000000011249acdc	[Google Chrome Framework -resource_dispatcher.cc:572 ]	content::ResourceDispatcher::OnRequestComplete(int, ResourceMsg_RequestCompleteData const&)
0x00000001124998ad	[Google Chrome Framework -tuple.h:555 ]	content::ResourceDispatcher::DispatchMessage(IPC::Message const&)
0x0000000112498f08	[Google Chrome Framework -resource_dispatcher.cc:324 ]	content::ResourceDispatcher::OnMessageReceived(IPC::Message const&)
0x0000000112457d1c	[Google Chrome Framework -child_thread.cc:469 ]	content::ChildThread::OnMessageReceived(IPC::Message const&)
0x000000010f3dfa37	[Google Chrome Framework -ipc_channel_proxy.cc:274 ]	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)
0x000000010ef1c343	[Google Chrome Framework -callback.h:401 ]	base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&)
0x000000010ef4dc1e	[Google Chrome Framework -message_loop.cc:446 ]	base::MessageLoop::RunTask(base::PendingTask const&)
0x000000010ef4e03e	[Google Chrome Framework -message_loop.cc:456 ]	base::MessageLoop::DoWork()
0x000000010ef063c0	[Google Chrome Framework -message_pump_mac.mm:325 ]	base::MessagePumpCFRunLoopBase::RunWork()
0x00007fff919245b0	[CoreFoundation + 0x0007f5b0 ]	__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fff91915c61	[CoreFoundation + 0x00070c61 ]	__CFRunLoopDoSources0
0x00007fff919153ee	[CoreFoundation + 0x000703ee ]	__CFRunLoopRun
0x00007fff91914e74	[CoreFoundation + 0x0006fe74 ]	CFRunLoopRunSpecific
0x00007fff8c82c16b	[Foundation + 0x0006916b ]	-[NSRunLoop(NSRunLoop) runMode:beforeDate:]
0x000000010ef06823	[Google Chrome Framework -message_pump_mac.mm:592 ]	base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*)
0x000000010ef0622b	[Google Chrome Framework -message_pump_mac.mm:235 ]	base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x000000010ef62eb2	[Google Chrome Framework -run_loop.cc:55 ]	base::RunLoop::Run()
0x000000010ef4d53c	[Google Chrome Framework -message_loop.cc:308 ]	base::MessageLoop::Run()
0x0000000112596a7f	[Google Chrome Framework -renderer_main.cc:234 ]	content::RendererMain(content::MainFunctionParams const&)
0x000000010eee8953	[Google Chrome Framework -content_main_runner.cc:789 ]	content::ContentMainRunnerImpl::Run()
0x000000010eee7fa5	[Google Chrome Framework -content_main.cc:19 ]	content::ContentMain(content::ContentMainParams const&)
0x000000010e8827f1	[Google Chrome Framework -chrome_main.cc:57 ]	ChromeMain
0x000000010e874f38	[Google Chrome Helper -chrome_exe_main_mac.cc:16 ]	main
0x000000010e874f23	[Google Chrome Helper + 0x00000f23 ]	start

Comment 6 by maxo...@gmail.com, Mar 21 2015

A work-around for this particular bug is to install a Syriac font (such as found here: http://www.bethmardutho.org/index.php/resources/fonts.html) on one's Mac. Not only does the browser not crash but the text renders correctly (instead of in boxes).

Comment 7 by Deleted ...@, Mar 21 2015

CACA

Comment 9 Deleted

Comment 10 by Deleted ...@, Mar 23 2015

guys,

I have entered this page, to test this problem:

http://collabedit.com/mxftm

I am on linux, it shows me something like this...

“/
tar -xvf tor-browser-linux32-4.0.4_en-US.tar.xz
start-tor-browser
fuk.. dont work!! lol

open lol

./start-tor.browser
ls
chown -R root *

oh yes!!
./start-tor-browser

:) see you!

cmd
diskpart
”

is this a trojan, or something...cuz i don't understand that language!

but I do understand the chown -R root *, etc...

I have been following a link of a site to this...I am a little bit scared...I am on linux!

By the way, where is the pwd of "./start-tor-browser"??

regards
FYI: this issue is fixed and pushing out to M41 Mac stable as of this morning (41.0.2272.104). 
For reference, can you link to the change that fixed it?

Comment 13 Deleted

Well, now I've noticed that there's no "report spam" button in Google code.
