
Issue 667521


Issue metadata

Status: Fixed
Owner: ----
Closed: Nov 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




Calling a virtual method on a nil document object in FrameView::lifecycle

Project Member Reported by krasin@chromium.org, Nov 21 2016

Issue description

Version: tip of tree
OS: Linux x86-64

What steps will reproduce the problem?
(1) Compile components_browsertests with ubsan vptr:
$ gn gen out/ubsan '--args=is_debug=false is_ubsan_no_recover=true is_ubsan_vptr=true symbol_level=2 dcheck_always_on=true' --check
$ ninja -C out/ubsan components_browsertests
(2) Run the test case:
$ ./out/ubsan/components_browsertests --gtest_filter=DomDistillerJsTest.RunJsTests --single_process --no_sandbox

(3) Observe the segfault due to the pointer to m_frame->document() being null:

Received signal 11 SEGV_MAPERR 000000000000
#0 0x0000026e62e6 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#1 0x7f4580013330 <unknown>
#2 0x0000062db780 blink::FrameView::lifecycle()
#3 0x0000062df688 blink::FrameView::shouldThrottleRendering()
#4 0x0000062ef284 blink::FrameView::forAllNonThrottledFrameViews<>()
#5 0x0000062ef1e8 blink::FrameView::updateBackgroundRecursively()
#6 0x0000063534a7 blink::LocalFrame::createView()
#7 0x00000563ac3f blink::WebLocalFrameImpl::createFrameView()
#8 0x000006d21a5a blink::FrameLoader::commitProvisionalLoad()
#9 0x000006ce1c33 blink::DocumentLoader::finishedLoading()
#10 0x000006ce8216 blink::DocumentLoader::maybeLoadEmpty()
#11 0x000006ce842c blink::DocumentLoader::startLoadingMainResource()
#12 0x000006d104e6 blink::FrameLoader::init()
#13 0x000005637f9e blink::WebLocalFrameImpl::initializeCoreFrame()
#14 0x00000563963f blink::WebLocalFrameImpl::createChildFrame()
#15 0x00000644490f blink::HTMLFrameOwnerElement::loadOrRedirectSubframe()
#16 0x00000643d385 blink::HTMLFrameElementBase::openURL()
#17 0x000005e236c3 blink::ContainerNode::insertNodeVector<>()
#18 0x000005e1f5b6 blink::ContainerNode::appendChild()
#19 0x0000061d7661 blink::replaceChildrenWithFragment()
#20 0x000005f0e94a blink::Element::setInnerHTML()
#21 0x00000588325b blink::ElementV8Internal::innerHTMLAttributeSetterCallback()
#22 0x1eeb6aa9e42b <unknown>
  r8: 0000000000000001  r9: 0000000000000007 r10: 000037d983c0da80 r11: 0000000000000246
 r12: 0000000000000000 r13: 000000000d68b3f0 r14: 9ddfea08eb382d69 r15: 000000000d68b3f0
  di: 000018fd366ef040  si: 00007ffd1155b7d0  bp: 00007ffd1155b750  bx: 4114e0f81ca77551
  dx: e046be6099b645eb  ax: 0000000000000000  cx: cfe84d192943b5e3  sp: 00007ffd1155b730
  ip: 00000000062db780 efl: 0000000000010202 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000

This was detected by UBsanVptr Linux bot:
https://build.chromium.org/p/chromium.fyi/builders/UBSanVptr%20Linux/builds/1553/steps/components_browsertests/logs/DomDistillerJsTest.RunJsTests

The tentative fix is https://codereview.chromium.org/2521543004/
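The crash signature above (SEGV_MAPERR at address 0, cr2 = 0) is what a virtual call through a null `this` looks like: the vtable pointer is loaded from inside the object, so a null `Document*` faults before any member is touched. The following is an added example, not Chromium code and not from the fix; it models the pattern with hypothetical `Frame`/`Document` classes and a hypothetical `isActive()` virtual standing in for whatever `lifecycle()` called on `m_frame->document()`. It shows the unguarded call beside the null-checked one.

```cpp
// Added example (not Chromium code). Models a FrameView-style helper that
// reaches the frame's document before the document exists and invokes a
// virtual method on it. All class and method names here are hypothetical.
#include <cstdio>
#include <memory>
#include <utility>

class Document {
 public:
  virtual ~Document() = default;
  // Hypothetical virtual. A virtual call needs the vtable pointer stored in
  // the object, so calling this through a null Document* dereferences
  // address 0: exactly the SEGV_MAPERR 000000000000 in the report.
  virtual bool isActive() const { return true; }
};

class BackgroundDocument : public Document {
 public:
  bool isActive() const override { return false; }
};

class Frame {
 public:
  // Mirrors m_frame->document(): null until a document has been attached,
  // which is the state during createView() in the reported stack.
  Document* document() const { return document_.get(); }
  void setDocument(std::unique_ptr<Document> doc) { document_ = std::move(doc); }

 private:
  std::unique_ptr<Document> document_;
};

// Unguarded: undefined behaviour when the frame has no document yet.
// Under -fsanitize=vptr this is reported at the call; on a plain build it
// segfaults reading the vtable pointer at address 0.
bool shouldThrottleUnsafe(const Frame& frame) {
  return !frame.document()->isActive();
}

// Guarded: treat "no document yet" as "nothing to throttle" instead of
// calling through the null pointer.
bool shouldThrottleSafe(const Frame& frame) {
  const Document* doc = frame.document();
  if (!doc)
    return false;
  return !doc->isActive();
}

enum class DocumentKind { None, Active, Background };

// Constructed test fixture: a frame in each of the three states.
Frame makeFrame(DocumentKind kind) {
  Frame frame;
  switch (kind) {
    case DocumentKind::None:
      break;
    case DocumentKind::Active:
      frame.setDocument(std::make_unique<Document>());
      break;
    case DocumentKind::Background:
      frame.setDocument(std::make_unique<BackgroundDocument>());
      break;
  }
  return frame;
}

int main() {
  std::printf("no document -> throttle=%d\n",
              shouldThrottleSafe(makeFrame(DocumentKind::None)));
  std::printf("active document -> throttle=%d\n",
              shouldThrottleSafe(makeFrame(DocumentKind::Active)));
  std::printf("background document -> throttle=%d\n",
              shouldThrottleSafe(makeFrame(DocumentKind::Background)));
  // shouldThrottleUnsafe(makeFrame(DocumentKind::None)) would reproduce the
  // null vtable dereference; it is deliberately not called here.
  return 0;
}
```

To see the sanitizer catch the unguarded variant, build with `clang++ -std=c++14 -g -fsanitize=vptr -fno-sanitize-recover=vptr` and call `shouldThrottleUnsafe` on a frame without a document; the non-recovering mode matches the `is_ubsan_no_recover=true` GN arg used above, so the run aborts at the first report instead of continuing into the segfault.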
 
Project Member

Comment 1 by bugdroid1@chromium.org, Nov 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ed07d372b9ec31e3b47074e5b95941c52c9c9fca

commit ed07d372b9ec31e3b47074e5b95941c52c9c9fca
Author: krasin <krasin@chromium.org>
Date: Mon Nov 21 23:23:24 2016

Avoid calling a virtual method on a null document in lifecycle().

The bug was found by UBSan Vptr bot.

BUG= 667521 

Review-Url: https://codereview.chromium.org/2521543004
Cr-Commit-Position: refs/heads/master@{#433688}

[modify] https://crrev.com/ed07d372b9ec31e3b47074e5b95941c52c9c9fca/third_party/WebKit/Source/core/frame/FrameView.cpp

Comment 2 by ajha@chromium.org, Nov 22 2016

Labels: M-57

Comment 4 by krasin@chromium.org, Nov 22 2016

Status: Fixed (was: Untriaged)
