
Issue 613363

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Chrome
Pri: 1
Type: Bug




Blink crash in blink::EventHandlerRegistry::checkConsistency: ASSERTION FAILED: node->document().frameHost()

Project Member Reported by michae...@chromium.org, May 19 2016

Issue description

Version: 52.0.2741.0 Debug
OS: Chrome

What steps will reproduce the problem?
(1) visit a webui page I made a bunch of changes to which probably has JS errors
(2) blink immediately crashes

ASSERTION FAILED: node->document().frameHost()
../../third_party/WebKit/Source/core/frame/EventHandlerRegistry.cpp(290) : void blink::EventHandlerRegistry::checkConsistency() const
1   0x7fe3958a88b0 blink::EventHandlerRegistry::checkConsistency() const
2   0x7fe3958a8d9c blink::EventHandlerRegistry::hasEventHandlers(blink::EventHandlerRegistry::EventHandlerClass) const
3   0x7fe3958a921c blink::EventHandlerRegistry::notifyHasHandlersChanged(blink::EventHandlerRegistry::EventHandlerClass, bool)
4   0x7fe3958a90bc blink::EventHandlerRegistry::updateEventHandlerInternal(blink::EventHandlerRegistry::ChangeOperation, blink::EventHandlerRegistry::EventHandlerClass, blink::EventTarget*)
5   0x7fe3958a96a9 blink::EventHandlerRegistry::didRemoveAllEventHandlers(blink::EventTarget&)
6   0x7fe3958a964d blink::EventHandlerRegistry::didMoveOutOfFrameHost(blink::EventTarget&)
7   0x7fe3951663f9 blink::Node::didMoveToNewDocument(blink::Document&)
8   0x7fe3950f8537 blink::Element::didMoveToNewDocument(blink::Document&)
9   0x7fe3951eaa47
10  0x7fe3951ea0f1
11  0x7fe3951e7565
12  0x7fe3951e6277 blink::TreeScope::adoptIfNeeded(blink::Node&)
13  0x7fe39505269d blink::ContainerNode::appendChild(blink::Node*, blink::ExceptionState&)
14  0x7fe39515f55a blink::Node::appendChild(blink::Node*, blink::ExceptionState&)
15  0x7fe394f37ee1
16  0x7fe394f34345
17  0x7fe3a307e84e
18  0x7fe3a3108a41
19  0x7fe3a313ab97
20  0x7fe3a31144ed
21  0xd8e84208bc7
Received signal 11 SEGV_MAPERR 0000fbadbeef
#0 0x7fe3acba267e base::debug::StackTrace::StackTrace()
#1 0x7fe3acba21bf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fe39866d340 <unknown>
#3 0x7fe3958a88b7 blink::EventHandlerRegistry::checkConsistency()
#4 0x7fe3958a8d9c blink::EventHandlerRegistry::hasEventHandlers()
#5 0x7fe3958a921c blink::EventHandlerRegistry::notifyHasHandlersChanged()
#6 0x7fe3958a90bc blink::EventHandlerRegistry::updateEventHandlerInternal()
#7 0x7fe3958a96a9 blink::EventHandlerRegistry::didRemoveAllEventHandlers()
#8 0x7fe3958a964d blink::EventHandlerRegistry::didMoveOutOfFrameHost()
#9 0x7fe3951663f9 blink::Node::didMoveToNewDocument()
#10 0x7fe3950f8537 blink::Element::didMoveToNewDocument()
#11 0x7fe3951eaa47 blink::TreeScopeAdopter::moveNodeToNewDocument()
#12 0x7fe3951ea0f1 blink::TreeScopeAdopter::moveTreeToNewScope()
#13 0x7fe3951e7565 blink::TreeScopeAdopter::execute()
#14 0x7fe3951e6277 blink::TreeScope::adoptIfNeeded()
#15 0x7fe39505269d blink::ContainerNode::appendChild()
#16 0x7fe39515f55a blink::Node::appendChild()
#17 0x7fe394f37ee1 blink::NodeV8Internal::appendChildMethodForMainWorld()
#18 0x7fe394f34345 blink::NodeV8Internal::appendChildMethodCallbackForMainWorld()
#19 0x7fe3a307e84e v8::internal::FunctionCallbackArguments::Call()
#20 0x7fe3a3108a41 v8::internal::(anonymous namespace)::HandleApiCallHelper()
#21 0x7fe3a313ab97 v8::internal::Builtin_Impl_HandleApiCall()
#22 0x7fe3a31144ed v8::internal::Builtin_HandleApiCall()
#23 0x0d8e84208bc7 <unknown>
  r8: 00007fe3914ee900  r9: 0000000000000001 r10: 00007fe398654be0 r11: 0000000000000000
 r12: 00007fe394f34330 r13: 00007fffdf118268 r14: 0000000000000000 r15: 00003b681ae33020
  di: 0000000000000000  si: 00000000fbadbeef  bp: 00007fffdf116f00  bx: 00007fe3acf2c47f
  dx: 00000000ffffffff  ax: 0000000000000015  cx: 00000000fbadbeef  sp: 00007fffdf116e50
  ip: 00007fe3958a88b7 efl: 0000000000010206 cgf: 0000000000000033 erf: 0000000000000006
 trp: 000000000000000e msk: 0000000000000000 cr2: 00000000fbadbeef
[end of stack trace]
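Reading the dump above: the two traces are one stack seen twice. The first is printed by the failing ASSERT in checkConsistency (frames 9 to 11 unsymbolized), the second by the signal handler once the assertion machinery deliberately writes to the sentinel address 0xfbadbeef, which is why that value sits in the signal line, in si and cx, and in cr2, while ip is still inside checkConsistency. The SEGV is therefore the assertion's own crash, not a second bug. The following is an added triage helper, not code from the report or from Chromium: it parses this dump format, derives a ClusterFuzz-style crash state (assertion message plus the first frames that are not crash-handling plumbing, which is the three-line state Comment 3 shows), and cross-checks the fault address against cr2 and the ip register against the frame list. The sample input is a trimmed copy of the crash output from this report; the regexes and the plumbing-prefix list are my assumptions about the format, not a published specification.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: a trimmed copy of the crash output posted in this report
# (assertion line, signal line, first frames of the signal-handler trace, registers).
SAMPLE_CRASH = """\
ASSERTION FAILED: node->document().frameHost()
../../third_party/WebKit/Source/core/frame/EventHandlerRegistry.cpp(290) : void blink::EventHandlerRegistry::checkConsistency() const
Received signal 11 SEGV_MAPERR 0000fbadbeef
#0 0x7fe3acba267e base::debug::StackTrace::StackTrace()
#1 0x7fe3acba21bf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fe39866d340 <unknown>
#3 0x7fe3958a88b7 blink::EventHandlerRegistry::checkConsistency()
#4 0x7fe3958a8d9c blink::EventHandlerRegistry::hasEventHandlers()
#5 0x7fe3958a921c blink::EventHandlerRegistry::notifyHasHandlersChanged()
#6 0x7fe3958a90bc blink::EventHandlerRegistry::updateEventHandlerInternal()
#7 0x7fe3958a96a9 blink::EventHandlerRegistry::didRemoveAllEventHandlers()
#8 0x7fe3958a964d blink::EventHandlerRegistry::didMoveOutOfFrameHost()
#9 0x7fe3951663f9 blink::Node::didMoveToNewDocument()
  r8: 00007fe3914ee900  r9: 0000000000000001 r10: 00007fe398654be0 r11: 0000000000000000
  di: 0000000000000000  si: 00000000fbadbeef  bp: 00007fffdf116f00  bx: 00007fe3acf2c47f
  ip: 00007fe3958a88b7 efl: 0000000000010206 cgf: 0000000000000033 erf: 0000000000000006
 trp: 000000000000000e msk: 0000000000000000 cr2: 00000000fbadbeef
[end of stack trace]
"""

# Assumed line shapes, derived from the dump above rather than from a spec.
ASSERT_RE = re.compile(r"^ASSERTION FAILED: (.+)$")
SIGNAL_RE = re.compile(r"^Received signal (\d+) (\S+) ([0-9a-f]+)$")
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-f]+)\s+(.+)$")
REG_RE = re.compile(r"\b([a-z0-9]{2,3}): ([0-9a-f]{16})\b")

# Frames that belong to the crash reporter itself, not to the crashing code.
PLUMBING_PREFIXES = ("base::debug::", "<unknown>")


@dataclass
class CrashReport:
    assertion: Optional[str] = None
    signal: Optional[Tuple[int, str, int]] = None      # (signo, code, fault address)
    frames: List[Tuple[int, int, str]] = field(default_factory=list)  # (index, pc, symbol)
    registers: Dict[str, int] = field(default_factory=dict)


def parse_crash(text: str) -> CrashReport:
    """Parse one assertion/signal dump into its assertion, signal, frames and registers."""
    report = CrashReport()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ASSERT_RE.match(line)):
            report.assertion = m.group(1).strip()
        elif (m := SIGNAL_RE.match(line)):
            report.signal = (int(m.group(1)), m.group(2), int(m.group(3), 16))
        elif (m := FRAME_RE.match(line)):
            report.frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3).strip()))
        else:
            # Register lines carry several "name: value" pairs each.
            for m in REG_RE.finditer(line):
                report.registers[m.group(1)] = int(m.group(2), 16)
    return report


def function_name(symbol: str) -> str:
    """Drop a trailing "()" / "(args)" so the same function compares equal across builds."""
    return re.sub(r"\([^()]*\)$", "", symbol)


def crash_state(report: CrashReport, depth: int = 3) -> List[str]:
    """ClusterFuzz-style state: the assertion text, then the first non-plumbing frames."""
    state: List[str] = []
    if report.assertion:
        state.append("ASSERTION FAILED: " + report.assertion)
    for _, _, symbol in sorted(report.frames):
        if len(state) >= depth:
            break
        if symbol.startswith(PLUMBING_PREFIXES):
            continue
        state.append(function_name(symbol))
    return state


def fault_matches_cr2(report: CrashReport) -> bool:
    """On x86 cr2 holds the faulting linear address; a mismatch with the signal line
    suggests a mangled or partial dump rather than a trustworthy one."""
    return report.signal is not None and report.registers.get("cr2") == report.signal[2]


def faulting_frame(report: CrashReport) -> Optional[str]:
    """Return the frame whose pc equals the ip register: where the fault was raised."""
    ip = report.registers.get("ip")
    for _, pc, symbol in report.frames:
        if pc == ip:
            return symbol
    return None


if __name__ == "__main__":
    rep = parse_crash(SAMPLE_CRASH)
    print("crash state:", *crash_state(rep), sep="\n  ")
    print("fault address agrees with cr2:", fault_matches_cr2(rep))
    print("faulting frame:", faulting_frame(rep))
```

Running it on the sample yields the same three-line crash state ClusterFuzz filed in Comment 3, confirms the signal's fault address equals cr2, and resolves ip to the checkConsistency frame, which is what you would expect of a crash raised by the assertion itself rather than by a stray pointer.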
 

Comment 1 by tkent@chromium.org, May 20 2016

Labels: Needs-Feedback
> (1) visit a webui page I made a bunch of changes to which probably has JS errors

Please provide a concrete step.

Labels: -Needs-Feedback
1. Apply the attached patch
2. Build chrome with GN args:

is_component_build = true
is_debug = false
enable_nacl = false
use_goma = true
target_os = "chromeos"

3. Launch chrome with a stub user (chrome --user-data-dir=/tmp/foo123)

4. Visit chrome://device-emulator

The page never finishes loading, but instead crashes rather quickly as above.
Attachment: 613363.diff (13.7 KB)
Project Member Comment 3 by ClusterFuzz, May 23 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5594653424615424

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: node->document().frameHost()
  blink::EventHandlerRegistry::checkConsistency
  blink::EventHandlerRegistry::hasEventHandlers
  

Minimized Testcase (0.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Ow32L94hdMKmCdpYW6AoijHPLFgzrSf8yGRja3fLw_OTa5iDXURefn8Y7DY19Px_SKr2Vlqec6igvqJYrVRxX7gm0DMwIVZYhQDlibOhXjMWvotkc5dpWMJ87PKR9FA2hKuWf8PSpWvh7Ir1l4-hF34tidw

Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Labels: OS-Chrome OS-Linux
Status: Assigned (was: Untriaged)

Comment 5 by tkent@chromium.org, Sep 1 2016

Smaller repro:

<script>
var tCF7 = document.createElementNS("http://www.w3.org/2000/svg", "altGlyphItem");
tCF7.addEventListener("load", function () {});
tCF7.addEventListener("touchstart", function () {});
var tCFDoc664 = document.implementation.createDocument("http://www.w3.org/1999/xhtml", "html");
tCFDoc664.documentElement.remove();
tCFDoc664.appendChild(tCF7);
</script>

skyostil@, please fix this. You added the ASSERT.

Project Member Comment 6 by ClusterFuzz, Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 420372:420465.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5594653424615424

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  node->document().frameHost()
  blink::EventHandlerRegistry::checkConsistency
  blink::EventHandlerRegistry::hasEventHandlers
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=373822:373918
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=420372:420465

Minimized Testcase (0.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96R7og_U1w9HwwJkUluXfdV8nXxmcrS28DZnPant2kG1ARb9FDpZTeMMIXgmMd_7iJVEjmS1xybi-7i0i52RSL8GnsFsHZWDCDHnviul7ckRCV593D8yIH-hGjDq21XZgn_JJDDLFh1OQX0yCheYP3PG-Po5Q?testcase_id=5594653424615424

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 7 by ClusterFuzz, Sep 23 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
