Security: Crash in blink::TraceTrait
Reported by chromium...@gmail.com, Dec 13 2016
Issue description

VERSION
Chrome Version: 57.0.2950.0 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
This crash happened when I was watching a "live streaming video" on Facebook.

Crash ID 7e6af9c6-911c-4582-aab6-85e1a9bd14ba

rax=00000007feefe0e8 rbx=000004e7db1e0000 rcx=0000045377981839
rdx=000004e7db1e0000 rsi=0000000000000001 rdi=000001197cd17ac0
rip=000007feee8f0cbd rsp=00000000041eda90 rbp=00000000041edab0
r8=0000000000000000 r9=0000045377981839 r10=000007feecefa0fc
r11=00000000041eda60 r12=0000000000000000 r13=000007feecabab00
r14=00000000000000e8 r15=00000000041edfb0
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=0000 ds=0000 es=0000 fs=0053 gs=002b efl=00010206
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!blink::TraceTrait<blink::FetchEvent>::trace+0x1cd:
000007fe`ee8f0cbd ff5078 call qword ptr [rax+78h] ds:00000007`feefe160=????????????????
0:009> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`041eda90 000007fe`ee8f01f3 chrome_child!blink::TraceTrait<blink::FetchEvent>::trace+0x1cd [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\tracetraits.h @ 236]
00000000`041edae0 000007fe`ecc9aab4 chrome_child!blink::VisitorHelper<blink::Visitor>::mark<blink::FetchEvent>+0x53 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\visitor.h @ 152]
00000000`041edb10 000007fe`ecc9a852 chrome_child!v8::internal::GlobalHandles::IterateAllRootsWithClassIds+0x254 [c:\b\build\slave\win64-pgo\build\src\v8\src\global-handles.cc @ 1122]
00000000`041edf90 000007fe`ecc9a827 chrome_child!v8::Isolate::VisitHandlesWithClassIds+0x26 [c:\b\build\slave\win64-pgo\build\src\v8\src\api.cc @ 8540]
00000000`041edfd0 000007fe`ecc9a7cf chrome_child!blink::V8GCController::traceDOMWrappers+0x1f [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\bindings\core\v8\v8gccontroller.cpp @ 490]
00000000`041ee010 000007fe`ecc99cbf chrome_child!blink::ThreadState::visitPersistents+0x5f [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\threadstate.cpp @ 461]
00000000`041ee080 000007fe`ece80338 chrome_child!blink::ThreadHeap::visitPersistentRoots+0x7f [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\heap.cpp @ 602]
00000000`041ee100 000007fe`ecab5493 chrome_child!blink::ThreadState::collectGarbage+0x11c [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\threadstate.cpp @ 1726]
00000000`041ee200 000007fe`ecab3f50 chrome_child!blink::NormalPageArena::outOfLineAllocate+0x8b [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\heappage.cpp @ 816]
00000000`041ee230 000007fe`ed01c4ef chrome_child!blink::ThreadHeap::allocateOnArenaIndex+0xa0 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\heap.h @ 606]
00000000`041ee260 000007fe`ef20ffbd chrome_child!blink::ScriptPromisePropertyBase::operator new+0x47 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\bindings\core\v8\scriptpromisepropertybase.h @ 29]
00000000`041ee2a0 000007fe`ef125da9 chrome_child!blink::FetchEvent::FetchEvent+0x51 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\modules\serviceworkers\fetchevent.cpp @ 75]
00000000`041ee310 000007fe`eea12666 chrome_child!blink::ServiceWorkerGlobalScopeProxy::dispatchFetchEvent+0x249 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\web\serviceworkerglobalscopeproxy.cpp @ 182]
00000000`041ee5c0 000007fe`ed9d3982 chrome_child!content::ServiceWorkerContextClient::DispatchFetchEvent+0x3ee [c:\b\build\slave\win64-pgo\build\src\content\renderer\service_worker\service_worker_context_client.cc @ 1039]
00000000`041eea60 000007fe`ecd0d707 chrome_child!content::mojom::ServiceWorkerEventDispatcherStubDispatch::AcceptWithResponder+0x49a [c:\b\build\slave\win64-pgo\build\src\out\release_x64\gen\content\common\service_worker\service_worker_event_dispatcher.mojom.cc @ 694]
00000000`041eedf0 000007fe`ecb5ec9e chrome_child!mojo::InterfaceEndpointClient::HandleValidatedMessage+0x16b [c:\b\build\slave\win64-pgo\build\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc @ 314]
00000000`041eee70 000007fe`ecd8a992 chrome_child!mojo::FilterChain::Accept+0x7a [c:\b\build\slave\win64-pgo\build\src\mojo\public\cpp\bindings\lib\filter_chain.cc @ 40]
00000000`041eeea0 000007fe`ecd8b7a8 chrome_child!mojo::internal::MultiplexRouter::ProcessIncomingMessage+0xb2 [c:\b\build\slave\win64-pgo\build\src\mojo\public\cpp\bindings\lib\multiplex_router.cc @ 838]
00000000`041eeee0 000007fe`ecb5ec80 chrome_child!mojo::internal::MultiplexRouter::Accept+0x64 [c:\b\build\slave\win64-pgo\build\src\mojo\public\cpp\bindings\lib\multiplex_router.cc @ 547]
00000000`041eef30 000007fe`ecb66e5f chrome_child!mojo::FilterChain::Accept+0x5c [c:\b\build\slave\win64-pgo\build\src\mojo\public\cpp\bindings\lib\filter_chain.cc @ 41]
Dec 16 2016
Crash ID 77e928ea-0f48-4741-9a25-1f3e4e426125 (Server ID: 66f9d50080000000).

Dec 16 2016
Crash log suggests maybe the same root cause as Issue 655926

Dec 19 2016
Thanks for the report. A dump alone is much less useful for us to make progress than some kind of reproduction case, but it may still be helpful. As noted in c#3, this does look like a dup of issue 655926.

Mar 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by chromium...@gmail.com, Dec 15 2016