Security: UNKNOWN in extensions::ChromeExtensionsBrowserClient::GetOriginalContext
Reported by chromium...@gmail.com, Apr 16 2016
Issue description

VERSION
Chrome Version: 52.0.2709.0 canary
Operating System: Windows 7

REPRODUCTION CASE
1. Install the extension.
2. Launch chrome and open a new incognito window and visit http://csreis.github.io/tests/cross-site-iframe-simple.html
3. Close the tab.
4. Crash. (Please watch the video 'actual.mp4')

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser

eax=003eaba0 ebx=06444778 ecx=feeefeee edx=5e632ff0 esi=00000000 edi=00000000
eip=5cc06087 esp=0034f294 ebp=0034f294 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
chrome_5ca10000!extensions::ChromeExtensionsBrowserClient::GetOriginalContext+0x6:
5cc06087 8b01 mov eax,dword ptr [ecx] ds:0023:feeefeee=????????
0:000> k
ChildEBP RetAddr
0034f294 5cc04a96 chrome_5ca10000!extensions::ChromeExtensionsBrowserClient::GetOriginalContext+0x6 [c:\b\build\slave\win\build\src\chrome\browser\extensions\chrome_extensions_browser_client.cc @ 118]
0034f2e8 5cc13620 chrome_5ca10000!KeyedServiceFactory::GetServiceForContext+0x95 [c:\b\build\slave\win\build\src\components\keyed_service\core\keyed_service_factory.cc @ 65]
0034f2f8 5cc3dfa7 chrome_5ca10000!extensions::ExtensionPrefsFactory::GetForBrowserContext+0x14 [c:\b\build\slave\win\build\src\extensions\browser\extension_prefs_factory.cc @ 24]
0034f30c 5cc04bbb chrome_5ca10000!ToolbarActionsModelFactory::BuildServiceInstanceFor+0x20 [c:\b\build\slave\win\build\src\chrome\browser\ui\toolbar\toolbar_actions_model_factory.cc @ 43]
0034f318 5cc04b3a chrome_5ca10000!BrowserContextKeyedServiceFactory::BuildServiceInstanceFor+0xb [c:\b\build\slave\win\build\src\components\keyed_service\content\browser_context_keyed_service_factory.cc @ 93]
0034f370 5cce273b chrome_5ca10000!KeyedServiceFactory::GetServiceForContext+0x139 [c:\b\build\slave\win\build\src\components\keyed_service\core\keyed_service_factory.cc @ 91]
0034f380 5cd79ec7 chrome_5ca10000!ToolbarActionsModelFactory::GetForProfile+0x14 [c:\b\build\slave\win\build\src\chrome\browser\ui\toolbar\toolbar_actions_model_factory.cc @ 20]
0034f38c 5cd79e99 chrome_5ca10000!extensions::ExtensionMessageBubbleController::~ExtensionMessageBubbleController+0x1a [c:\b\build\slave\win\build\src\chrome\browser\extensions\extension_message_bubble_controller.cc @ 111]
0034f398 5e373336 chrome_5ca10000!extensions::ExtensionMessageBubbleController::`scalar deleting destructor'+0xb
0034f3a4 5e373349 chrome_5ca10000!ExtensionMessageBubbleBridge::~ExtensionMessageBubbleBridge+0x16 [c:\b\build\slave\win\build\src\chrome\browser\ui\extensions\extension_message_bubble_bridge.cc @ 15]
0034f3b0 5e0345af chrome_5ca10000!ExtensionMessageBubbleBridge::`scalar deleting destructor'+0xb
0034f3cc 5ca93a76 chrome_5ca10000!base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall safe_browsing::IncidentReportingService::*)(std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> >)>,void __cdecl(safe_browsing::IncidentReportingService *,std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> >),base::WeakPtr<safe_browsing::IncidentReportingService>,base::internal::PassedWrapper<std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> > > >,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall safe_browsing::IncidentReportingService::*)(std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> >)> >,void __cdecl(void)>::Run+0x47 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 375]
0034f430 5ca937d9 chrome_5ca10000!base::debug::TaskAnnotator::RunTask+0x16b [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 51]
0034f6ac 5ca9215d chrome_5ca10000!base::MessageLoop::RunTask+0x20f [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 480]
0034f704 5cb45224 chrome_5ca10000!base::MessageLoop::DoDelayedWork+0xd0 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 638]
0034f740 5ca91516 chrome_5ca10000!base::MessagePumpForUI::DoRunLoop+0x79 [c:\b\build\slave\win\build\src\base\message_loop\message_pump_win.cc @ 177]
0034f75c 5ca90ce9 chrome_5ca10000!base::MessagePumpWin::Run+0x36 [c:\b\build\slave\win\build\src\base\message_loop\message_pump_win.cc @ 56]
0034f78c 5cd65a87 chrome_5ca10000!base::RunLoop::Run+0x94 [c:\b\build\slave\win\build\src\base\run_loop.cc @ 36]
0034f7c0 5cd659b2 chrome_5ca10000!ChromeBrowserMainParts::MainMessageLoopRun+0x95 [c:\b\build\slave\win\build\src\chrome\browser\chrome_browser_main.cc @ 1857]
0034f7d4 5cd65957 chrome_5ca10000!content::BrowserMainLoop::RunMainMessageLoopParts+0x50 [c:\b\build\slave\win\build\src\content\browser\browser_main_loop.cc @ 950]
Apr 18 2016
This looks likely to be a dupe of https://bugs.chromium.org/p/chromium/issues/detail?id=412090 ?
Apr 18 2016
Hmm. None of the steps given here are reproing for me on ToT. Maybe there's another factor involved?
Apr 18 2016
I believe this is a security regression issue; it doesn't repro on 52.0.2707.0, so it's probably a recent change.
Good Build: 52.0.2707.0
Bad Build: 52.0.2708.0
...
Bad Build: 52.0.2711.0
Apr 18 2016
Tried with 52.0.2711.0, 52.0.2709.0, and 52.0.2708.0. None of them repro, though I just noticed the report was for Windows and I've been building on Linux. I wouldn't expect it to matter but I'll try Windows builds now.
Apr 18 2016
I have tried 52.0.2711.0 on Windows as well with no repro.
Apr 18 2016
I am still able to repro this issue on 52.0.2711.0 canary. Note: This crash doesn't repro on an ASan build.
Apr 18 2016
Khalil: can you double-check that you don't have any other extensions installed?
Apr 18 2016
Also, does it repro with a clean profile? i.e. with --user-data-dir=somethingnew
Apr 18 2016
I've checked that there are no extensions installed, and there is no need to switch profiles or anything like that. I've made a video showing how I repro this crash on Windows as well.
Apr 18 2016
What I mean is, have you actually tried this with a clean profile? I've already followed the steps in your report and video, and I cannot repro the crash on Windows Canary (52.0.2711.0), so there is some piece missing here. Can you please try your own steps on a clean profile and see if it still crashes?
Apr 18 2016
Hmm, understood. I tried on a clean profile and it still crashes. Also, I tried on another Windows machine and I am still able to repro.
Apr 19 2016
I reproduce this on Windows 7 with Version 52.0.2712.0 canary (64-bit) https://crash.corp.google.com/browse?stbtiq=79086c6200000000
Steps:
Drop two files from the ZIP in C:\src\dummyExt
Use chrome://extensions/ to load unpacked extension
Open an Incognito window from that window
Close the Incognito window
Apr 19 2016
Yeah, still can't repro. I only have a Windows 10 box to test on, so maybe that has something to do with it. Anyone on extensions able to repro this?
Apr 19 2016
Ken, Did you try to repro on Windows 7?
Apr 19 2016
I can repro this at will in Windows 10 14316 and Chrome 52.0.2712.0. https://crash.corp.google.com/browse?stbtiq=06d91c6200000000 Is it possible that there's some experiment (maybe one of the process isolation ones?) that accounts for the difference in our ability to repro?
Apr 19 2016
Re #20: I don't have the means to test on Windows 7 at this time, but it sounds like that shouldn't matter. Re #21: That's plausible. Hopefully someone from the extensions team can also repro this.
Apr 19 2016
When you tried to repro, did you get the "Disable Developer Extensions?" info bubble? Based on prior issues here and the stack trace in https://crash.corp.google.com/browse?stbtiq=06d91c6200000000, is the problem that we've unloaded the profile but then we try to touch it in the destructor for the info bubble? https://chromium.googlesource.com/chromium/src/+/5251920ddf61989a550ba9e49c8d1663a824a81f%5E%21/chrome/browser/extensions/extension_message_bubble_controller.cc
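A constructed C++ model of the destruction order this comment suspects (added here; not Chromium code): a bubble controller whose destructor does a keyed-service lookup on a profile that has already been torn down, beside an observer-based variant that drops the raw pointer first. Profile, BubbleController, ServiceLookupHitsLiveProfile and the g_live_profiles registry are assumed stand-ins, not Chromium's own types.

```cpp
#include <set>

struct Profile;
// Stand-in for the KeyedService context registry: which profiles are alive.
static std::set<const Profile*> g_live_profiles;
struct ProfileObserver {
  virtual ~ProfileObserver() = default;
  virtual void OnProfileWillBeDestroyed() = 0;
};

struct Profile {
  std::set<ProfileObserver*> observers;
  Profile() { g_live_profiles.insert(this); }
  ~Profile() {
    for (ProfileObserver* o : observers) o->OnProfileWillBeDestroyed();
    g_live_profiles.erase(this);
  }
};
// Stand-in for ToolbarActionsModelFactory::GetForProfile. The real lookup
// dereferences the context (the crash's mov eax,[ecx] with ecx=feeefeee);
// this model only reports whether the context is still registered.
static bool ServiceLookupHitsLiveProfile(const Profile* profile) {
  return g_live_profiles.count(profile) > 0;
}
struct BubbleController : ProfileObserver {
  Profile* profile_;
  bool observes_profile_;
  bool* touched_dead_profile_;  // set if the destructor looked up a dead profile
  BubbleController(Profile* p, bool observe, bool* flag)
      : profile_(p), observes_profile_(observe), touched_dead_profile_(flag) {
    if (observe) p->observers.insert(this);
  }
  // The fix: forget the raw pointer before the profile goes away.
  void OnProfileWillBeDestroyed() override { profile_ = nullptr; }
  ~BubbleController() override {
    if (profile_ == nullptr) return;  // profile already gone: skip the lookup
    if (!ServiceLookupHitsLiveProfile(profile_)) *touched_dead_profile_ = true;
    if (observes_profile_) profile_->observers.erase(this);
  }
};

// Destroys the profile before the bubble, the order seen in the crash stack.
static bool DestructorTouchesDeadProfile(bool observe_profile) {
  bool touched = false;
  Profile* profile = new Profile();
  BubbleController* bubble = new BubbleController(profile, observe_profile, &touched);
  delete profile;  // incognito window closed: profile torn down first
  delete bubble;   // controller destroyed afterwards, as in the stack trace
  return touched;
}
```

With observe_profile=false the destructor reaches the lookup on a dead profile (the crash path); with observe_profile=true the pointer is cleared on profile destruction and the lookup is skipped.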
Apr 19 2016
I just tried reproducing with "52.0.2712.0 (Official Build) canary (64-bit)" running against a blank profile on a windows 7 machine and wasn't able to. elawrence - can you provide the Variations value from chrome://version so we can see if there is indeed an experiment at play here?
Apr 19 2016
Ok, I take it back - I was just playing with it again, and this time I was able to reproduce the crash by doing the following:
- making sure to check the "allow in Incognito" checkbox on chrome://extensions
- I used the "New Incognito Window" menu item from the hamburger menu to open the window, instead of using CTL-SHIFT-N
I'll kick off a local build and see if I can repro in a Debug binary
Apr 19 2016
Sorry, my mistake, I failed to mention "Tick allow incognito" in my repro steps. Notably, this bug still repros if the content script is just "console.log("nothing");", so this bug isn't likely to be about anything that the script contains.
My variations, if relevant, are:
Apr 19 2016
Re #23, I think you're right. I'm able to repro consistently by including --force-fieldtrials=ExtensionDeveloperModeWarning/Enabled. So this is most likely not a dupe of bug 412090. Over to Devlin who AFAIK worked on the bubble code.
Apr 19 2016
Hmm... looks like this could be a dupe of issue 604003, which should be fixed as of a couple hours ago. Let's try this on tomorrow's (or maybe Thursday's, depending on cut-offs) canary.
Apr 19 2016
This medium+ severity security issue is a regression on trunk. Please fix this asap. If you are unable to look into this soon, please revert your change. - Your friendly ClusterFuzz
Apr 20 2016
Verified, seems like fixed on 52.0.2713.0.
Apr 20 2016
Agreed. Okay in Version 52.0.2713.0 canary (64-bit). Should resolve as dupe?
Jul 28 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by chromium...@gmail.com, Apr 17 2016