Issue 665391

Starred by 5 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression

Accessing undeclared global variables in v8::Extensions causes crash on RenderThread

Reported by dawid.ch...@gmail.com, Nov 15 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0

Steps to reproduce the problem:
I am not sure this is intended, as the crash does not directly point at that issue. What is more interesting is that the troublesome code is in benchmarking_extension.cc (apparently it is always loaded after some other extension defines the global 'chrome'), and even code from a v8 unit test (https://cs.chromium.org/chromium/src/v8/test/cctest/test-api.cc?rcl=1478765818&l=7405) is causing problems!

Similar problem reported in CEF: https://bitbucket.org/chromiumembedded/cef/issues/1944/js-extension-crashing-disabling-renderer

Easiest path to reproduce:
1. Add the following globals inside chrome_content_renderer_client.cc:

const char kFakeExtName[] = "v8/Fake.js";
const char kFakeExtScript[] = "(function() {"
        "  var x = 42;"
        "  function e() {"
        "    with ({x:87}) { return x; }"
        "  }"
        "  this.UseWith2 = e;"
        "})()";

In ChromeContentRendererClient::RenderThreadStarted add:
thread->RegisterExtension(new v8::Extension(kFakeExtName, kFakeExtScript));

2. Wait for crash on page load.

What is the expected behavior?
Not to crash, or list some meaningful error if this is forbidden.

What went wrong?
Callstack:

1   0x7f05325bba08
2   0x7f0541399e38
3   0x7f05413c37e1 v8::Object::SlowGetAlignedPointerFromInternalField(int)
4   0x7f05324d896a
5   0x7f05324d87bd
6   0x7f05324d38ad
7   0x7f053250162e
8   0x7f0533d09f0d
9   0x7f0541938aae
10  0x7f05419da0b3
11  0x7f05419f0398
12  0x7f05419f0116
13  0x7f0541929cbe
14  0x7f054193142f
15  0x7f0541930fca
16  0x370a393043a7
Received signal 4 ILL_ILLOPN 7f05325bba08
#0 0x7f054c492a5e base::debug::StackTrace::StackTrace()
#1 0x7f054c49259f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f054c8dd3e0 <unknown>
#3 0x7f05325bba08 blink::reportFatalErrorInMainThread()
#4 0x7f0541399e38 v8::Utils::ReportApiFailure()
#5 0x7f05413c37e1 v8::Object::SlowGetAlignedPointerFromInternalField()
#6 0x7f05324d896a blink::getInternalField<>()
#7 0x7f05324d87bd blink::toScriptWrappable()
#8 0x7f05324d38ad blink::V8CSSStyleDeclaration::toImpl()
#9 0x7f053250162e blink::V8Window::namedPropertyGetterCustom()
#10 0x7f0533d09f0d blink::DOMWindowV8Internal::namedPropertyGetterCallback()
#11 0x7f0541938aae v8::internal::PropertyCallbackArguments::Call()
#12 0x7f05419da0b3 v8::internal::(anonymous namespace)::GetPropertyAttributesWithInterceptorInternal()
#13 0x7f05419f0398 v8::internal::Object::SetPropertyInternal()
#14 0x7f05419f0116 v8::internal::Object::SetProperty()
#15 0x7f0541929cbe v8::internal::StoreIC::Store()
#16 0x7f054193142f v8::internal::__RT_impl_Runtime_StoreIC_Miss()
#17 0x7f0541930fca v8::internal::Runtime_StoreIC_Miss()
#18 0x370a393043a7 <unknown>
  r8: 00007f052b447a80  r9: 0000000000000013 r10: 0000000000000000 r11: 0000000000000000
 r12: 00007ffee8ad6b70 r13: 00000ed3e3d80020 r14: 00007f0541e02be1 r15: 00007f0541e012f7
  di: 0000000000000000  si: 00000000efcdab90  bp: 00007ffee8ad6850  bx: 00000ed3e3d80020
  dx: 0000000000000000  ax: 255c5643d03ac800  cx: 255c5643d03ac800  sp: 00007ffee8ad66a0
  ip: 00007f05325bba08 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

Crashed report ID: 

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? Yes 51.xx

Chrome version: 56.0.2920.0 (Developer Build) (64-bit)  Channel: n/a
OS Version: Ubuntu 16.04
Flash Version: 

Workaround: use Object.defineProperty, this.hasOwnProperty(), or declare the global variable with var.
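The difference between the crashing assignment and the Object.defineProperty workaround, as an added example that is not part of the bug report or of Chromium's code. A JavaScript Proxy stands in for a global object that carries a named-property interceptor (an analogy for Blink's V8Window interceptor, not its implementation); the hook names, the log format and the function names are assumptions of this example. It shows that a plain assignment to a name the receiver does not own consults the receiver's own-property lookup hook before the property is created, which is the path the stack trace above shows entering V8Window::namedPropertyGetterCustom, while Object.defineProperty goes straight to [[DefineOwnProperty]] and never hits that hook. The `var` workaround is not modelled, since a module-scoped script cannot create a binding on the global object the way an extension script does.

```javascript
// Added example (not from the bug report or Chromium): a constructed
// stand-in for a global object with a named-property interceptor, used to
// show which hooks fire when an extension publishes a global by plain
// assignment versus Object.defineProperty. The Proxy is only an analogy
// for Blink's V8Window interceptor; hook and log names are assumptions.

function makeInterceptedGlobal(log) {
  const target = {};
  return new Proxy(target, {
    // An ordinary assignment to a name the receiver does not own first asks
    // the receiver for its own-property descriptor; on a Blink Window this
    // is where the named-property interceptor runs.
    getOwnPropertyDescriptor(t, name) {
      log.push('interceptor:' + String(name));
      return Reflect.getOwnPropertyDescriptor(t, name);
    },
    // Actually creating the property goes through [[DefineOwnProperty]].
    defineProperty(t, name, desc) {
      log.push('define:' + String(name));
      return Reflect.defineProperty(t, name, desc);
    },
  });
}

// The function the report's extension exports. The `with` body from the
// report is dropped because only the export mechanism matters here.
function e() {
  return 42;
}

// Mirrors `this.UseWith2 = e;` from the report: assignment to an
// undeclared global on the global object.
function installByAssignment(globalObj) {
  globalObj.UseWith2 = e;
}

// Mirrors the report's workaround: define the property directly, which
// does not consult the receiver's own-property lookup hook.
function installByDefineProperty(globalObj) {
  Object.defineProperty(globalObj, 'UseWith2', {
    value: e,
    writable: true,
    enumerable: true,
    configurable: true,
  });
}

// Runs both installation paths against fresh intercepted globals and
// returns the hook log for each, plus whether the export is usable.
function compareInstallPaths() {
  const assignmentLog = [];
  const g1 = makeInterceptedGlobal(assignmentLog);
  installByAssignment(g1);

  const defineLog = [];
  const g2 = makeInterceptedGlobal(defineLog);
  installByDefineProperty(g2);

  return {
    assignment: assignmentLog,        // ['interceptor:UseWith2', 'define:UseWith2']
    defineProperty: defineLog,        // ['define:UseWith2']
    exportsWork: g1.UseWith2() === 42 && g2.UseWith2() === 42,
  };
}
```

Both paths leave a callable UseWith2 on the global; the only difference is whether the receiver's property-lookup hook is invoked on the way, which is why switching the extension script to Object.defineProperty sidesteps the interceptor that the symbolized stack trace shows crashing.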
 
Components: Blink>JavaScript
Labels: M-56
Cc: cbruni@chromium.org
Status: Available (was: Unconfirmed)
Since this is a v8 crash, marking it as Available and adding the stability sheriff for more updates on this issue.

Status: WontFix (was: Available)
I don't think this is an actual issue. The stack trace suggests that there is an interceptor installed on the global object, which tries to set an internal field. I'm pretty sure that would be API abuse.

This is not an actual crash in the wild, but only happens with a custom build of Chromium.
I would not agree that using code from a unit test, or registering just a BenchmarkingExtension, is an API abuse. It is a pity you don't think this way, especially since it is a regression (after I updated my project to the new chromium sources it stopped working), and other embedders are facing this problem too: https://bitbucket.org/chromiumembedded/cef/issues/1944/js-extension-crashing-disabling-renderer.

Anyway, thank you for your comment.
