Access Violation while CSS is trying to SetText
Reported by akj...@microsoft.com, Jul 28 2016
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Steps to reproduce the problem: Not Available
What is the expected behavior? Page renders normally
What went wrong? Crash occurred while rendering the page in the app. Desktop App is using Chromium via CefSharp/CEF
Crashed report ID: No
How much crashed? Just one tab
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: 47.0.2526.80
Channel: n/a
OS Version: 10.0.10586.0
Flash Version: Not Applicable
Stack Trace:
> libcef.dll!WTF::partitionsOutOfMemoryUsing512M() Line 155 C++
libcef.dll!WTF::Partitions::handleOutOfMemory() Line 210 C++
libcef.dll!WTF::partitionOutOfMemory(const WTF::PartitionRootBase * root) Line 324 C++
libcef.dll!WTF::partitionAllocSlowPath(WTF::PartitionRootBase * root, int flags, unsigned int size, WTF::PartitionBucket * bucket) Line 846 C++
libcef.dll!WTF::StringImpl::operator new(unsigned int size) Line 264 C++
libcef.dll!WTF::VectorBuffer<blink::Attribute,4,WTF::DefaultAllocator>::allocateExpandedBuffer(unsigned int newCapacity) Line 541 C++
libcef.dll!WTF::Vector<blink::CSSProperty,4,WTF::DefaultAllocator>::reserveCapacity(unsigned int newCapacity) Line 1055 C++
libcef.dll!blink::MutableStylePropertySet::addParsedProperties(const WTF::Vector<blink::CSSProperty,256,WTF::DefaultAllocator> & properties) Line 310 C++
libcef.dll!blink::CSSParserImpl::parseDeclarationList(blink::MutableStylePropertySet * declaration, const WTF::String & string, const blink::CSSParserContext & context) Line 110 C++
libcef.dll!blink::MutableStylePropertySet::parseDeclarationList(const WTF::String & styleDeclaration, blink::StyleSheetContents * contextStyleSheet) Line 304 C++
libcef.dll!blink::AbstractPropertySetCSSStyleDeclaration::setCSSText(const WTF::String & text, blink::ExceptionState & __formal) Line 167 C++
libcef.dll!blink::CSSStyleDeclarationV8Internal::cssTextAttributeSetter(v8::Local<v8::Value> v8Value, const v8::FunctionCallbackInfo<v8::Value> & info) Line 65 C++
libcef.dll!blink::CSSStyleDeclarationV8Internal::cssTextAttributeSetterCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 74 C++
1b636674() Unknown
[Frames below may be incorrect and/or missing]
libcef.dll!v8::internal::`anonymous namespace'::Invoke(v8::internal::Isolate * isolate, bool is_construct, v8::internal::Handle<v8::internal::Object> target, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * args, v8::internal::Handle<v8::internal::Object> new_target) Line 99 C++
libcef.dll!v8::internal::Execution::Call(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::Object> callable, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * argv) Line 168 C++
libcef.dll!v8::Script::Run(v8::Local<v8::Context> context) Line 1702 C++
libcef.dll!blink::V8ScriptRunner::runCompiledScript(v8::Isolate * isolate, v8::Local<v8::Script> script, blink::ExecutionContext * context) Line 393 C++
libcef.dll!blink::ScriptController::executeScriptAndReturnValue(v8::Local<v8::Context> context, const blink::ScriptSourceCode & source, blink::AccessControlStatus accessControlStatus, double * compilationFinishTime) Line 190 C++
libcef.dll!blink::ScriptController::evaluateScriptInMainWorld(const blink::ScriptSourceCode & sourceCode, blink::AccessControlStatus accessControlStatus, blink::ScriptController::ExecuteScriptPolicy policy, double * compilationFinishTime) Line 569 C++
libcef.dll!blink::ScriptController::executeScriptInMainWorld(const blink::ScriptSourceCode & sourceCode, blink::AccessControlStatus accessControlStatus, double * compilationFinishTime) Line 540 C++
libcef.dll!blink::ScriptLoader::executeScript(const blink::ScriptSourceCode & sourceCode, double * compilationFinishTime) Line 401 C++
libcef.dll!blink::ScriptLoader::execute() Line 421 C++
libcef.dll!blink::ScriptRunner::executeScripts() Line 197 C++
libcef.dll!scheduler::WebTaskRunnerImpl::runTask(scoped_ptr<blink::WebTaskRunner::Task,base::DefaultDeleter<blink::WebTaskRunner::Task> > task) Line 46 C++
libcef.dll!base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<media::VideoCaptureMachine,base::DefaultDeleter<media::VideoCaptureMachine> >)>::Run(scoped_ptr<media::VideoCaptureMachine,base::DefaultDeleter<media::VideoCaptureMachine> > <args_0>) Line 157 C++
libcef.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> >)>,base::internal::TypeList<scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> > > >::MakeItSo(base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> >)> runnable, scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> > <args_0>) Line 294 C++
libcef.dll!base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> >)>,void __cdecl(scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> >),base::internal::TypeList<base::internal::PassedWrapper<scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> > > > >,base::internal::TypeList<base::internal::UnwrapTraits<base::internal::PassedWrapper<scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> > > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> >)>,base::internal::TypeList<scoped_ptr<disk_cache::Backend::Iterator,base::DefaultDeleter<disk_cache::Backend::Iterator> > > >,void __cdecl(void)>::Run(base::internal::BindStateBase * base) Line 346 C++
libcef.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, const base::PendingTask & pending_task) Line 51 C++
libcef.dll!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::TaskQueueImpl * queue, scheduler::internal::TaskQueueImpl::Task * out_previous_task) Line 369 C++
libcef.dll!scheduler::TaskQueueManager::DoWork(bool decrement_pending_dowork_count) Line 293 C++
libcef.dll!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::BackendImpl::*)(bool)>,base::internal::TypeList<base::WeakPtr<disk_cache::BackendImpl> const &,bool const &> >::MakeItSo(base::internal::RunnableAdapter<void (__thiscall disk_cache::BackendImpl::*)(bool)> runnable, const base::WeakPtr<disk_cache::BackendImpl> & weak_ptr, const bool & <args_0>) Line 303 C++
libcef.dll!base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall disk_cache::BackendImpl::*)(bool)>,void __cdecl(disk_cache::BackendImpl *,bool),base::internal::TypeList<base::WeakPtr<disk_cache::BackendImpl>,bool> >,base::internal::TypeList<base::internal::UnwrapTraits<base::WeakPtr<disk_cache::BackendImpl> >,base::internal::UnwrapTraits<bool> >,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall disk_cache::BackendImpl::*)(bool)>,base::internal::TypeList<base::WeakPtr<disk_cache::BackendImpl> const &,bool const &> >,void __cdecl(void)>::Run(base::internal::BindStateBase * base) Line 346 C++
libcef.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, const base::PendingTask & pending_task) Line 51 C++
libcef.dll!base::MessageLoop::RunTask(const base::PendingTask & pending_task) Line 477 C++
libcef.dll!base::MessageLoop::DoWork() Line 597 C++
libcef.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate) Line 33 C++
libcef.dll!base::MessageLoop::RunHandler() Line 440 C++
libcef.dll!base::RunLoop::Run() Line 56 C++
libcef.dll!base::MessageLoop::Run() Line 283 C++
libcef.dll!content::RendererMain(const content::MainFunctionParams & parameters) Line 209 C++
libcef.dll!content::RunNamedProcessTypeMain(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & process_type, const content::MainFunctionParams & main_function_params, content::ContentMainDelegate * delegate) Line 378 C++
libcef.dll!content::ContentMainRunnerImpl::Run() Line 798 C++
libcef.dll!content::ContentMain(const content::ContentMainParams & params) Line 19 C++
libcef.dll!CefExecuteProcess(const CefMainArgs & args, CefRefPtr<CefApp> application, void * windows_sandbox_info) Line 99 C++
libcef.dll!cef_execute_process(const _cef_main_args_t * args, _cef_app_t * application, void * windows_sandbox_info) Line 145 C++
CefSharp.BrowserSubprocess.Core.dll!0f7ddd29() Unknown
016065ce() Unknown
016065ce() Unknown
01604cf0() Unknown
clr.dll!_CallDescrWorkerInternal@4() Unknown
clr.dll!CallDescrWorkerWithHandler(struct CallDescrData *,int) Unknown
clr.dll!MethodDescCallSite::CallTargetWorker(unsigned __int64 const *) Unknown
clr.dll!RunMain(class MethodDesc *,short,int *,class PtrArray * *) Unknown
clr.dll!Assembly::ExecuteMainMethod(class PtrArray * *) Unknown
clr.dll!SystemDomain::ExecuteMainMethod(struct HINSTANCE__ *,unsigned short *) Unknown
clr.dll!ExecuteEXE(struct HINSTANCE__ *) Unknown
clr.dll!__CorExeMainInternal@0() Unknown
clr.dll!__CorExeMain@0() Unknown
mscoreei.dll!__CorExeMain@0() Unknown
mscoree.dll!__CorExeMain_Exported@0() Unknown
kernel32.dll!@BaseThreadInitThunk@12() Unknown
ntdll.dll!__RtlUserThreadStart() Unknown
ntdll.dll!__RtlUserThreadStart@8() Unknown
Aug 1 2016
(Pardon me if my reply below is repetitive, as with the other bugs I filed. Please let me know if it is okay to be repetitive for a comprehensive discussion on each bug, or whether we can have a discussion in relation to the other bugs.) We are using CEF and can only upgrade to odd versions of Chromium, as CEF updates for odd versions only. The best we can do is update to 51, which we plan to do soon. https://www.chromium.org/developers/calendar talks about the release schedule. Is there a link which describes Chromium's deprecation schedule? Repro steps are not available in this case, as the browser crashed randomly while the user was interacting with the application (PowerBI Desktop: https://powerbi.microsoft.com/en-us/desktop/?WT.srch=1&WT.mc_id=SEM_RH1j4ixt&utm_source=Bing&utm_medium=CPC&utm_term=power%20bi%20desktop&utm_campaign=Power_BI). What more information can we provide to help you out? We are encountering a lot of crashes which are random in nature. They are not specific to an OS/bitness/user action in the application. Would some diagnosis of the nature of the problem be possible using the dump file?
Aug 2 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6523618580496384
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x6377f66e
Crash State:
  v8::internal::Execution::Call
  v8::internal::Execution::Call
  v8::Script::Run
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=408734:408781
Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv977sB0Br8F4Z4TVEAnJETr0VKdhw9KvA6sW3LtcCa2r2AO9bblp2J15kJSeZnDWPmxKADocVY7LVOtTM9tCqnVRmfM0_f0CoeQwrIbHXGjQ2Prvy2KezJk-WN0zsPk5KnJWO-ke9MWApeLAkvVrgeMqRgUIZA?testcase_id=6523618580496384
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 5 2016
Aug 7 2016
Aug 8 2016
@tanin - I don't understand why this clusterfuzz issue was filed against this bug? The stacktraces appear very different.
Aug 15 2016
Thank you for providing more feedback. Adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 16 2016
Waiting on tanin@ to advise on clusterfuzz issue relevance
Aug 16 2016
My bad. I thought the 3 frames Call(), Call(), and Run() from https://cluster-fuzz.appspot.com/testcase?key=6523618580496384 match the trace here. It seems the top frames are from <unknown module>. I apologise for that.
Aug 16 2016
@akjana, the stack trace indicates that memory was exhausted, is that an unlikely possibility?
Aug 18 2016
Aug 22 2016
Sorry for the delayed response. @dstockwell, it's somewhat unlikely because if it was bad code trying to set a super big CSS text, it should reproduce every time, but our customer reported it as being flaky.
Aug 23 2016
Hi akjana, I don't think we can fix this unless we have a reliable repro case, sorry. The stacktrace/dump just looks like it's out of memory, which can have multiple causes. I realise it's an unsatisfactory answer - but if you do find a reliable repro please reopen this bug! Regards, Eddy
Aug 23 2016
Thanks for the discussion

Comment 1 by ranjitkan@chromium.org, Jul 29 2016
Labels: Needs-Feedback