
Issue 608662

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , All
Pri: 1
Type: Bug




Page crashes "Aw, Snap!" when typing on a form filled in Chrome Dev

Reported by zana...@gmail.com, May 3 2016

Issue description

Device name: Samsung A5

From "Settings > About Chrome"
Application version: Chrome Dev 52.0.2718.2
OS: Android 5.0.2; SM-A500F Build/LRX22G

URLs (if applicable): https://m.elbotola.com/user/login/

Behavior in Android Browser (if applicable): 



Steps to reproduce:
(1) Tap on first input field.
(2) Type 2 letters or more

Expected result: 

Input field shows what the user typed.


Actual result:

Page crash with a message saying :

"Aw, Snap !
Something went wrong while displaying this webpage"


Thank you

 
Cc: aelias@chromium.org
Labels: Stability-Sheriff-Android Type-Bug
Getting a crash as soon as the URL "https://m.elbotola.com/user/login/" is launched on Beta and Dev builds.
Nexus 6/MTC19T
Crash link: https://crash.corp.google.com/browse?stbtiq=23c2ea1200000000

Zenfone(T00J)/JSS15J
Crash link: https://crash.corp.google.com/browse?stbtiq=3368ea1200000000#

Labels: ReleaseBlock-Stable M-51

Comment 3 by hzl@chromium.org, May 4 2016

Cc: verwa...@chromium.org
0x9471b10a	(libchrome.so -api.cc:4734 )	v8::String::ContainsOnlyOneByte
0xb36dc246		
0x9471ae8b	(libchrome.so -V8StringResource.cpp:128 )	blink::v8StringToWebCoreString<WTF::AtomicString>
0x9568e465	(libchrome.so -V8Binding.h:402 )	blink::HTMLFormElementV8Internal::namedPropertyGetterCallback
0x95447585	(libchrome.so -api-arguments.h:128 )	v8::internal::PropertyCallbackArguments::Call
0x954477d5	(libchrome.so -ic.cc:2814 )	v8::internal::Runtime_LoadPropertyWithInterceptorOnly

@verwaest Would you please take a look?

Comment 4 by hzl@chromium.org, May 4 2016

How come the two crashes mentioned in comment 1 have 2 different magic signatures?

Comment 5 by hzl@chromium.org, May 4 2016

Cc: ishell@chromium.org
0x62634223	(libchrome.so -PartitionAlloc.cpp:326 )	WTF::partitionOutOfMemory
0x626341f7	(libchrome.so -PartitionAlloc.cpp:316 )	WTF::partitionOutOfMemory
0x63aa7d5a	(libchrome.so -PartitionAlloc.cpp:838 )	WTF::partitionAllocSlowPath
0x63ae95c5	(libchrome.so -objects-inl.h:2009 )	v8::internal::JSObject::GetHeaderSize
0x611585df		
0x6286d304	(libchrome.so -allocator_shim.cc:227 )	ShimFree
0x65e43a1b	(RELRO:libchrome.so (deleted) + 0x00005a1b )	
0x6286d2ec	(libchrome.so -allocator_shim.cc:225 )	ShimFree
0x6781b618		


Issue started from the 51.0.2674.0 build.
Cc: jkummerow@chromium.org
Owner: ishell@chromium.org
Status: Started (was: Unconfirmed)

Comment 8 by hzl@chromium.org, May 6 2016

Cc: hzl@chromium.org
Labels: -Stability-Sheriff-Android
Labels: OS-Linux OS-All
Owner: jochen@chromium.org
Status: Assigned (was: Started)
Also reproduces on Linux ia32 in content shell 52.0.2718.2 (I didn't try TOT and x64 yet).

The problem seems to be that we cast name to v8::String here:

https://code.google.com/p/chromium/codesearch#chromium/src/out/Debug/gen/blink/bindings/core/v8/V8HTMLFormElement.cpp&l=419

while the name is actually a v8::Symbol.

Jochen, could you please help me to find the right owner?
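The bug described in comment 8 (a named-property interceptor on HTMLFormElement that converts the property name to a v8::String without first checking that the v8::Name is not a v8::Symbol) has a direct analogue in plain JavaScript. The block below is an added example, not code from the Chromium bug or from the fix that closed it: a Proxy `get` trap stands in for the Blink interceptor, because like the V8 callback it receives every property key, Symbols included. `FORM_CONTROLS`, `naiveNamedGetter`, `checkedNamedGetter` and `probe` are names constructed for this example. It shows which everyday operations the engine turns into Symbol-keyed lookups, and that only the getter that checks the key's type first survives them.

```javascript
// Added example (not code from the Chromium bug or its fix). A Proxy `get`
// trap models a named-property interceptor: it is handed every property key,
// Symbols included, so code that assumes a string key breaks on Symbol lookups.

// Constructed stand-in for a form's named controls (form.username, etc.).
const FORM_CONTROLS = {
  username: "<input name=username>",
  password: "<input name=password>",
};

function ownControl(name) {
  return Object.prototype.hasOwnProperty.call(FORM_CONTROLS, name);
}

// Bug pattern: treat the property name as a string unconditionally.
function naiveNamedGetter(target, key) {
  const lowered = key.toLowerCase(); // TypeError when key is a Symbol
  return ownControl(lowered) ? FORM_CONTROLS[lowered] : target[key];
}

// Fixed pattern, mirroring "check that a Name is a String before converting":
// non-string keys skip the named lookup and fall through to ordinary lookup.
function checkedNamedGetter(target, key) {
  if (typeof key !== "string") {
    return target[key];
  }
  const lowered = key.toLowerCase();
  return ownControl(lowered) ? FORM_CONTROLS[lowered] : target[key];
}

function makeForm(getter) {
  return new Proxy({ tagName: "FORM" }, { get: getter });
}

// Runs operations that the language itself turns into Symbol-keyed lookups and
// records, per operation, "ok" if the getter survived or the error name if not.
function probe(getter) {
  const form = makeForm(getter);
  const results = {};
  const run = (label, fn) => {
    try {
      fn();
      results[label] = "ok";
    } catch (err) {
      results[label] = err.name;
    }
  };
  run("string key", () => form.username);
  run("template literal", () => `${form}`); // looks up Symbol.toPrimitive
  run("Array.from", () => Array.from(form)); // looks up Symbol.iterator
  run("toStringTag", () => Object.prototype.toString.call(form)); // Symbol.toStringTag
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive:  ", probe(naiveNamedGetter));
  console.log("checked:", probe(checkedNamedGetter));
}
```

In the C++ bindings the unchecked conversion is a type confusion rather than a caught TypeError, which is why the page's stack ends in v8::String::ContainsOnlyOneByte on an object that is not a string; the defensive check is the same in both settings: test the key's type before converting it.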
A friendly reminder that M51 Stable is launching soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch by May 17. All changes MUST be merged into the release branch by 5pm on May 20 to make it into the desktop Stable final build cut. Thanks!
Labels: -Pri-3 Pri-1

Comment 12 by bugdroid1@chromium.org, May 10 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/544ea1e08ba0f678208e3c468aa576358ab542fb

commit 544ea1e08ba0f678208e3c468aa576358ab542fb
Author: jochen <jochen@chromium.org>
Date: Tue May 10 08:49:58 2016

Always check that a Name is a String before converting it.

BUG= 608662 
R=haraken@chromium.org

Review-Url: https://codereview.chromium.org/1967453002
Cr-Commit-Position: refs/heads/master@{#392567}

[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/core/v8/custom/V8CSSStyleDeclarationCustom.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/templates/interface.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterface.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterface2.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterfaceCheckSecurity.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestObject.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestSpecialOperations.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/core/V8TestSpecialOperationsNotEnumerable.cpp
[modify] https://crrev.com/544ea1e08ba0f678208e3c468aa576358ab542fb/third_party/WebKit/Source/bindings/tests/results/modules/V8TestInterface5.cpp

Status: Fixed (was: Assigned)
Labels: Merge-Request-51

Comment 15 by tin...@google.com, May 11 2016

Labels: -Merge-Request-51 Merge-Approved-51 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M51 (branch: 2704)

Comment 16 by bugdroid1@chromium.org, May 11 2016

Labels: -merge-approved-51 merge-merged-2704
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3feb071cc34b00e29a2a3e96b7766777d23d1703

commit 3feb071cc34b00e29a2a3e96b7766777d23d1703
Author: Jochen Eisinger <jochen@chromium.org>
Date: Wed May 11 11:00:25 2016

Always check that a Name is a String before converting it.

BUG= 608662 
R=haraken@chromium.org

Review-Url: https://codereview.chromium.org/1967453002
Cr-Commit-Position: refs/heads/master@{#392567}
(cherry picked from commit 544ea1e08ba0f678208e3c468aa576358ab542fb)

Review URL: https://codereview.chromium.org/1966183002 .

Cr-Commit-Position: refs/branch-heads/2704@{#496}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/core/v8/custom/V8CSSStyleDeclarationCustom.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/templates/interface.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterface.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterface2.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestInterfaceCheckSecurity.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestObject.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestSpecialOperations.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/core/V8TestSpecialOperationsNotEnumerable.cpp
[modify] https://crrev.com/3feb071cc34b00e29a2a3e96b7766777d23d1703/third_party/WebKit/Source/bindings/tests/results/modules/V8TestInterface5.cpp
