Page crashes "Aw, Snap!" when typing in a form field in Chrome Dev
Reported by zana...@gmail.com, May 3 2016
Issue description

Device name: Samsung A5
From "Settings > About Chrome"
Application version: Chrome Dev 52.0.2718.2
OS: Android 5.0.2; SM-A500F Build/LRX22G
URLs (if applicable): https://m.elbotola.com/user/login/
Behavior in Android Browser (if applicable):

Steps to reproduce:
(1) Tap on first input field.
(2) Type 2 letters or more

Expected result:
Input field shows what the user typed.

Actual result:
Page crash with a message saying: "Aw, Snap! Something went wrong while displaying this webpage"

Thank you
Comment 1 by krav...@chromium.org, May 4 2016
Labels: Stability-Sheriff-Android Type-Bug
May 4 2016

  0x9471b10a (libchrome.so -api.cc:4734 ) v8::String::ContainsOnlyOneByte
  0xb36dc246
  0x9471ae8b (libchrome.so -V8StringResource.cpp:128 ) blink::v8StringToWebCoreString<WTF::AtomicString>
  0x9568e465 (libchrome.so -V8Binding.h:402 ) blink::HTMLFormElementV8Internal::namedPropertyGetterCallback
  0x95447585 (libchrome.so -api-arguments.h:128 ) v8::internal::PropertyCallbackArguments::Call
  0x954477d5 (libchrome.so -ic.cc:2814 ) v8::internal::Runtime_LoadPropertyWithInterceptorOnly

@verwaest Would you please take a look?
May 4 2016

How come the two crashes mentioned in comment 1 have two different magic signatures?
May 4 2016

  0x62634223 (libchrome.so -PartitionAlloc.cpp:326 ) WTF::partitionOutOfMemory
  0x626341f7 (libchrome.so -PartitionAlloc.cpp:316 ) WTF::partitionOutOfMemory
  0x63aa7d5a (libchrome.so -PartitionAlloc.cpp:838 ) WTF::partitionAllocSlowPath
  0x63ae95c5 (libchrome.so -objects-inl.h:2009 ) v8::internal::JSObject::GetHeaderSize
  0x611585df
  0x6286d304 (libchrome.so -allocator_shim.cc:227 ) ShimFree
  0x65e43a1b (RELRO:libchrome.so (deleted) + 0x00005a1b )
  0x6286d2ec (libchrome.so -allocator_shim.cc:225 ) ShimFree
  0x6781b618
May 4 2016

Issue started from 51.0.2674.0 build
May 6 2016

Also reproduces on Linux ia32 in content shell 52.0.2718.2 (I didn't try TOT and x64 yet). The problem seems to be that we cast name to v8::String here: https://code.google.com/p/chromium/codesearch#chromium/src/out/Debug/gen/blink/bindings/core/v8/V8HTMLFormElement.cpp&l=419 while the name is actually a v8::Symbol. Jochen, could you please help me to find the right owner?
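The cast described in the comment above, modelled as an added example in JavaScript (this is not code from the Chromium issue or from Blink; a Proxy stands in for the bindings' named-property interceptor). Two details are assumptions of mine: the form's controls are a constructed pair of inputs named user and pass, and the symbol being looked up is Symbol.iterator; which symbol the login page actually probed is not recorded in this thread. The model shows the shape of the bug and of the fix: a property key handed to a named getter can be a string or a symbol, the pre-fix path converts it to a string unconditionally, and the post-fix path checks the type first. In JS the unchecked conversion surfaces as a TypeError; in the native binding it surfaced as the v8::String::ContainsOnlyOneByte frame in the trace above.

```javascript
'use strict';

// Constructed sample: the form's named controls, standing in for
// <input name="user"> and <input name="pass"> on a login page (assumed).
const NAMED_CONTROLS = {
  user: { tagName: 'INPUT', name: 'user' },
  pass: { tagName: 'INPUT', name: 'pass' },
};

// Pre-fix shape of the named-property getter: the key is converted to a
// string unconditionally, the JS analogue of casting v8::Name to v8::String
// without an IsString() check. Concatenating a Symbol throws TypeError here
// (String(key) would silently succeed, which is why concatenation is used
// to model the unchecked path); the native binding instead read a non-string
// object as if it were a string.
function unsafeNamedGetter(key) {
  const name = '' + key; // throws for Symbol keys
  return NAMED_CONTROLS[name];
}

// Post-fix shape: only string keys can be control names. Symbol keys fall
// through (undefined) so the ordinary property lookup continues.
function safeNamedGetter(key) {
  if (typeof key !== 'string') return undefined;
  return NAMED_CONTROLS[key];
}

// The Proxy plays the interceptor hook: any key not present on the object
// itself is forwarded to the named getter, strings and symbols alike, which
// is exactly how a Symbol reaches code that expected a name.
function makeForm(namedGetter) {
  const target = { length: Object.keys(NAMED_CONTROLS).length };
  return new Proxy(target, {
    get(obj, key, receiver) {
      if (Reflect.has(obj, key)) return Reflect.get(obj, key, receiver);
      return namedGetter(key);
    },
  });
}

// Exercise a form through a getter with a string key and a well-known symbol
// key. Symbol lookups like this happen implicitly whenever an object is
// iterated (for-of, Array.from, spread) or coerced, not only on explicit
// form[Symbol.iterator] accesses.
function probe(namedGetter) {
  const form = makeForm(namedGetter);
  const out = { byName: form.user, bySymbol: undefined, error: null };
  try {
    out.bySymbol = form[Symbol.iterator];
  } catch (e) {
    out.error = e.constructor.name;
  }
  return out;
}

console.log('pre-fix :', probe(unsafeNamedGetter));
console.log('post-fix:', probe(safeNamedGetter));
```

Run with node. The pre-fix probe returns the user control for the string key but fails on the symbol key; the post-fix probe returns the control for the string key and undefined for the symbol key. The general rule the fix encodes is that any interceptor or lookup hook receiving a property key must branch on string versus symbol before doing string work, because the engine does not filter symbol keys out for it.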
May 9 2016

A friendly reminder that M51 Stable is launching soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch by May 17. All changes MUST be merged into the release branch by 5pm on May 20 to make it into the desktop Stable final build cut. Thanks!
May 10 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/544ea1e08ba0f678208e3c468aa576358ab542fb

commit 544ea1e08ba0f678208e3c468aa576358ab542fb
Author: jochen <jochen@chromium.org>
Date: Tue May 10 08:49:58 2016

Always check that a Name is a String before converting it.

BUG=608662
R=haraken@chromium.org

Review-Url: https://codereview.chromium.org/1967453002
Cr-Commit-Position: refs/heads/master@{#392567}

[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/core/v8/custom/V8CSSStyleDeclarationCustom.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/templates/interface.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterface.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterface2.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterfaceCheckSecurity.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestObject.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestSpecialOperations.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestSpecialOperationsNotEnumerable.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/modules/V8TestInterface5.cpp
May 11 2016

Your change meets the bar and is auto-approved for M51 (branch: 2704)
May 11 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3feb071cc34b00e29a2a3e96b7766777d23d1703

commit 3feb071cc34b00e29a2a3e96b7766777d23d1703
Author: Jochen Eisinger <jochen@chromium.org>
Date: Wed May 11 11:00:25 2016

Always check that a Name is a String before converting it.

BUG=608662
R=haraken@chromium.org

Review-Url: https://codereview.chromium.org/1967453002
Cr-Commit-Position: refs/heads/master@{#392567}
(cherry picked from commit 544ea1e08ba0f678208e3c468aa576358ab542fb)

Review URL: https://codereview.chromium.org/1966183002 .

Cr-Commit-Position: refs/branch-heads/2704@{#496}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/core/v8/custom/V8CSSStyleDeclarationCustom.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/templates/interface.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterface.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterface2.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterfaceCheckSecurity.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestObject.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestSpecialOperations.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestSpecialOperationsNotEnumerable.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/modules/V8TestInterface5.cpp