FieldTrialList::PreLockedFind; stack_end=0x7fffffffddd8) at ../csu/libc-start.c:291
Reported by mishra.d...@gmail.com, Dec 22 2016
Issue description

UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

Steps to reproduce the problem:
Hi, by running the attached file (sock.html), the browser crashes at /csu/libc-start.c:291. However, I can reproduce this on Windows and Linux OS with various versions like Chrome, Chrome Beta and Chromium. Running the sock.html file on Windows OS in Chrome takes the system usage to 100%. Please find the GDB log/trace for Chromium on Linux below; for repro, please open the (sock.html) file on any platform and version of Chrome.

What is the expected behavior?

What went wrong?
ftw@root:~/Desktop$ chromium-browser --debug sock.html
# Env:
# LD_LIBRARY_PATH=/usr/lib/chromium-browser:/usr/lib/chromium-browser/libs
# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# GTK_PATH=
# CHROMIUM_USER_FLAGS=
# CHROMIUM_FLAGS= --enable-pinch
/usr/bin/gdb /usr/lib/chromium-browser/chromium-browser -x /tmp/chromiumargs.iXX1MG
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/chromium-browser/chromium-browser...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/lib/chromium-browser/chromium-browser --enable-pinch sock.html
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe27e6700 (LWP 5462)]
[New Thread 0x7fffe1fe5700 (LWP 5467)]
[New Thread 0x7fffdb184700 (LWP 5468)]
[New Thread 0x7fffda983700 (LWP 5469)]
[New Thread 0x7fffda182700 (LWP 5470)]
[New Thread 0x7fffd8fd0700 (LWP 5471)]
[New Thread 0x7fffc7fff700 (LWP 5473)]
[New Thread 0x7fffc77fe700 (LWP 5474)]
[New Thread 0x7fffc6ffd700 (LWP 5475)]
[New Thread 0x7fffc67fc700 (LWP 5476)]
[New Thread 0x7fffc5ffb700 (LWP 5477)]
[New Thread 0x7fffc57fa700 (LWP 5478)]
[New Thread 0x7fffd96ce700 (LWP 5479)]
[New Thread 0x7fffc4ff9700 (LWP 5480)]
[New Thread 0x7fffa2ea0700 (LWP 5481)]
[New Thread 0x7fffa269f700 (LWP 5482)]
[New Thread 0x7fffa1e9e700 (LWP 5483)]
[New Thread 0x7fffa169d700 (LWP 5484)]
[New Thread 0x7fffa0e9c700 (LWP 5485)]
[New Thread 0x7fff8bfff700 (LWP 5486)]
[New Thread 0x7fff8b7fe700 (LWP 5487)]
[New Thread 0x7fff8affd700 (LWP 5488)]
[New Thread 0x7fff8a7fc700 (LWP 5489)]
[New Thread 0x7fff898c4700 (LWP 5490)]
[New Thread 0x7fff88e40700 (LWP 5509)]
[New Thread 0x7fff67ffd700 (LWP 5510)]
[New Thread 0x7fff677fc700 (LWP 5511)]
[New Thread 0x7fff66ffb700 (LWP 5512)]
[New Thread 0x7fff659d8700 (LWP 5515)]
[New Thread 0x7fff661d9700 (LWP 5514)]
[Thread 0x7fff659d8700 (LWP 5515) exited]
[New Thread 0x7fff651d7700 (LWP 5516)]
[New Thread 0x7fff4ffff700 (LWP 5517)]
[Thread 0x7fffd8fd0700 (LWP 5471) exited]
[New Thread 0x7fffd8fd0700 (LWP 5554)]
[Thread 0x7fffc7fff700 (LWP 5473) exited]
^C
Thread 1 "chromium-browse" received signal SIGINT, Interrupt.
0x00007ffff7abd934 in base::FieldTrialList::PreLockedFind(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/chromium-browser/libs/libbase.so
(gdb) bt
#0  0x00007ffff7abd934 in base::FieldTrialList::PreLockedFind(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/chromium-browser/libs/libbase.so
#1  0x00007ffff7abda1b in base::FieldTrialList::Find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/chromium-browser/libs/libbase.so
#2  0x00007ffff7abda7c in base::FieldTrialList::FindFullName(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/chromium-browser/libs/libbase.so
#3  0x0000555556a60cb3 in ?? ()
#4  0x0000555556a61092 in ?? ()
#5  0x0000555556a6135b in ?? ()
#6  0x0000555555aba0ec in ?? ()
#7  0x0000555556a6f0fc in ?? ()
#8  0x0000555556a6fd4e in ?? ()
#9  0x0000555555a7848d in ?? ()
#10 0x0000555555a7a25f in ?? ()
#11 0x0000555555a7a7a0 in ?? ()
#12 0x0000555555a7a8dd in ?? ()
#13 0x0000555555a7aa56 in ?? ()
#14 0x0000555556167ef9 in ?? ()
#15 0x00007ffff5d8ef85 in content::NavigatorImpl::DiscardPendingEntryOnFailureIfNeeded(content::NavigationHandleImpl*) () from /usr/lib/chromium-browser/libs/libcontent.so
#16 0x00007ffff5d8f2ef in content::NavigatorImpl::DidFailProvisionalLoadWithError(content::RenderFrameHostImpl*, FrameHostMsg_DidFailProvisionalLoadWithError_Params const&) () from /usr/lib/chromium-browser/libs/libcontent.so
#17 0x00007ffff5da07e7 in ?? () from /usr/lib/chromium-browser/libs/libcontent.so
#18 0x00007ffff5f05b47 in ?? () from /usr/lib/chromium-browser/libs/libcontent.so
#19 0x00007ffff4a2fe64 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) () from /usr/lib/chromium-browser/libs/libipc.so
#20 0x00007ffff7acc2c9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) () from /usr/lib/chromium-browser/libs/libbase.so
#21 0x00007ffff7aef971 in base::MessageLoop::RunTask(base::PendingTask const&) () from /usr/lib/chromium-browser/libs/libbase.so
#22 0x00007ffff7af060d in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) () from /usr/lib/chromium-browser/libs/libbase.so
#23 0x00007ffff7af08d9 in base::MessageLoop::DoWork() () from /usr/lib/chromium-browser/libs/libbase.so
#24 0x00007ffff7abc181 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) () from /usr/lib/chromium-browser/libs/libbase.so
#25 0x00007ffff7b0f9b8 in base::RunLoop::Run() () from /usr/lib/chromium-browser/libs/libbase.so
#26 0x0000555555c9aaec in ?? ()
#27 0x00007ffff5cbe3fa in content::BrowserMainLoop::RunMainMessageLoopParts() () from /usr/lib/chromium-browser/libs/libcontent.so
#28 0x00007ffff5cc0b3d in ?? () from /usr/lib/chromium-browser/libs/libcontent.so
#29 0x00007ffff5cb98b1 in content::BrowserMain(content::MainFunctionParams const&) () from /usr/lib/chromium-browser/libs/libcontent.so
#30 0x00007ffff5c29f4d in ?? () from /usr/lib/chromium-browser/libs/libcontent.so
#31 0x00007ffff5c29141 in content::ContentMain(content::ContentMainParams const&) () from /usr/lib/chromium-browser/libs/libcontent.so
#32 0x0000555555a4b19a in ChromeMain ()
#33 0x00007fffec72f830 in __libc_start_main (main=0x555555a492e0, argc=3, argv=0x7fffffffdde8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffddd8) at ../csu/libc-start.c:291
#34 0x0000555555a4b049 in _start ()
(gdb) info registers
rax            0x0                 0
rbx            0x555558163aa0      93825038432928
rcx            0x0                 0
rdx            0x0                 0
rsi            0x7fffffffbb70      140737488337776
rdi            0x555558171af0      93825038490352
rbp            0x1a                0x1a
rsp            0x7fffffffbac0      0x7fffffffbac0
r8             0x555558171af0      93825038490352
r9             0x0                 0
r10            0x555558a23d20      93825047608608
r11            0x7fffec8a3390      140737161868176
r12            0xe                 14
r13            0x7fffffffbb80      140737488337792
r14            0x555558171b20      93825038490400
r15            0x555558171b20      93825038490400
rip            0x7ffff7abd934      0x7ffff7abd934 <base::FieldTrialList::PreLockedFind(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)+84>
eflags         0x206               [ PF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb)

Did this work before? N/A
Chrome version: 56.0.2924.21 (Official Build)  Channel: n/a
OS Version: V8 5.6.326.21
Flash Version: Shockwave Flash 11.2 r202
Comment, Dec 26 2016:
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6283559963983872
Comment, Dec 26 2016:
Comment, Dec 27 2016:
Thanks for the report. I'm able to reproduce this quite easily and it looks like something we will want to fix. As a denial of service, this isn't something we'd consider a security bug, though. Flipping some labels around to remove it from the security queue.
Comment, Jan 6 2017:
This seems more likely to be a crash in something listening to the NotifyNavigationStateChanged(INVALIDATE_TYPE_URL), not in navigation logic itself. Hard to tell, though, since I'm not seeing the crash happen, either on Windows 55.0.2883.87 or Linux 57.0.2972.0 (debug build). The browser just stays unresponsive after several minutes. mbarbella@, did you see the crash itself? Do you have a crash ID for it? If this is just denial of service, I suspect there's not much that can be done until issue 672370 is resolved.
Comment, Jan 6 2017:
It's not a crash. The stack in c#0 is a SIGINT from ^C.
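The triage point made in the comment above (a backtrace taken after ^C shows where the process was busy, not where it faulted, and the libc-start.c line the report cites is simply the outermost frame of every process) can be automated. The following Python is an added example written for this page, not code from the bug thread or from Chromium; the two transcripts it parses are constructed samples in the shape of the report's GDB output, abridged, and the function names, signal tables and regexes are this example's own assumptions.

```python
import re

# Signals GDB reports when the person at the keyboard stopped the inferior.
# A backtrace taken after one of these shows where the program was busy,
# not where it faulted.  (Assumed classification for this example.)
USER_STOP_SIGNALS = {"SIGINT", "SIGTRAP", "SIGSTOP"}
# Signals that mean the process itself faulted.
FAULT_SIGNALS = {"SIGSEGV", "SIGABRT", "SIGBUS", "SIGILL", "SIGFPE"}

STOP_RE = re.compile(r"received signal (SIG[A-Z0-9]+)")
# "#12 0x0000555555a7a8dd in ?? ()"  or  "#33 0x00007fffec72f830 in __libc_start_main (...) at ../csu/libc-start.c:291"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(.*)$")
# Trailing "from <shared object>" or "at <file:line>" of a frame line.
LOCATION_RE = re.compile(r"\s(?:from|at)\s(\S+)\s*$")


def parse_frames(text):
    """Return backtrace frames as dicts, ordered from innermost (#0) outward."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        rest = m.group(2)
        # The function name ends at the first '(' (C++ argument list, or the
        # empty '()' GDB prints when it has no symbols, where the name is '??').
        function = rest.split("(", 1)[0].strip()
        loc = LOCATION_RE.search(rest)
        frames.append({
            "index": int(m.group(1)),
            "function": function,
            "location": loc.group(1) if loc else None,
        })
    frames.sort(key=lambda f: f["index"])
    return frames


def triage_gdb_log(text):
    """Summarise why the inferior stopped and where the innermost frame was."""
    m = STOP_RE.search(text)
    signal = m.group(1) if m else None
    frames = parse_frames(text)
    located = [f for f in frames if f["location"]]
    return {
        "signal": signal,
        "is_crash": signal in FAULT_SIGNALS,
        "user_interrupt": signal in USER_STOP_SIGNALS,
        # Frame #0 is where execution stopped; the deepest located frame is
        # usually process start-up (e.g. libc-start.c) and says nothing about it.
        "innermost_function": frames[0]["function"] if frames else None,
        "innermost_location": frames[0]["location"] if frames else None,
        "outermost_location": located[-1]["location"] if located else None,
        "frame_count": len(frames),
    }


def verdict(summary):
    """One-line triage verdict from a triage_gdb_log() summary."""
    if summary["user_interrupt"]:
        return "not a crash: stopped by %s while busy in %s" % (
            summary["signal"], summary["innermost_function"])
    if summary["is_crash"]:
        return "crash: %s in %s (%s)" % (
            summary["signal"], summary["innermost_function"], summary["innermost_location"])
    return "unknown stop reason"


# Constructed sample (abridged) in the shape of the report's transcript.
INTERRUPTED_LOG = """\
(gdb) run
Starting program: /usr/lib/chromium-browser/chromium-browser --enable-pinch sock.html
^C
Thread 1 "chromium-browse" received signal SIGINT, Interrupt.
0x00007ffff7abd934 in base::FieldTrialList::PreLockedFind(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/chromium-browser/libs/libbase.so
(gdb) bt
#0  0x00007ffff7abd934 in base::FieldTrialList::PreLockedFind(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/chromium-browser/libs/libbase.so
#1  0x00007ffff7abda1b in base::FieldTrialList::Find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /usr/lib/chromium-browser/libs/libbase.so
#2  0x0000555556a60cb3 in ?? ()
#3  0x00007fffec72f830 in __libc_start_main (main=0x555555a492e0, argc=3, argv=0x7fffffffdde8, stack_end=0x7fffffffddd8) at ../csu/libc-start.c:291
#4  0x0000555555a4b049 in _start ()
"""

# Constructed sample of a genuine fault, for contrast (hypothetical program).
CRASH_LOG = """\
(gdb) run
Starting program: /tmp/example-target
Program received signal SIGSEGV, Segmentation fault.
0x0000000000401136 in parse_input (buf=0x0) at example.c:12
(gdb) bt
#0  0x0000000000401136 in parse_input (buf=0x0) at example.c:12
#1  0x0000000000401160 in main () at example.c:20
"""

if __name__ == "__main__":
    for log in (INTERRUPTED_LOG, CRASH_LOG):
        print(verdict(triage_gdb_log(log)))
```

Run on the first transcript the script reports "not a crash: stopped by SIGINT while busy in base::FieldTrialList::PreLockedFind", which is the same conclusion the comment reaches; the libc-start.c:291 location only surfaces as the outermost frame. A hang that never raises a fault signal is a denial-of-service symptom and is triaged as such, whereas the second transcript is reported as a real fault at its innermost frame.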
Comment, May 29 2017:
WontFix per comment 6
Comment 1 by penny...@chromium.org, Dec 23 2016
Components: UI>Browser>Navigation
Labels: -OS-Linux Stability-Crash OS-All
Owner: creis@chromium.org
Status: Assigned (was: Unconfirmed)