New issue
Advanced search Search tips

Issue 694248 link

Starred by 1 user
Status: Verified
Owner:
rdevlin....@chromium.org
Closed: Feb 2017
Cc:
omrilio@chromium.org
calamity@chromium.org
tapted@chromium.org
yhanada@chromium.org
benwells@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug

Blocking:
issue 692286



Sign in to add a comment

Chrome crashes when -0 is set to innerBounds.left of AppWindow.

Project Member Reported by oka@chromium.org, Feb 20 2017 
Chrome Version: 58.0.3001.0
OS: 9202.7.0
What steps will reproduce the problem?
(1) Open Files app (or any other chrome app), and open device console with Ctrl-Shift-I.
(2) Type chrome.app.window.current().innerBounds.left = -0 .
(3) Hit Enter key.

What is the expected result?
Window moves.

What happens instead?
Chrome crashes.

This happens on Chrome OS on Linux too.
This is the cause of  crbug.com/692286 .

The log shows crash happens on CHECK(params.get()); inside AppCurrentWindowInternalSetBoundsFunction.
  
Added owners of app_current_window_internal to CC.

Comment 1 by calamity@chromium.org, Feb 21 2017

Owner: rdevlin....@chromium.org
Status: Assigned (was: Untriaged)
This is happening because -0 is not being normalized to 0 when inside an object arguments. In schema_utils.js:121, there's code that turns -0 into 0 but only runs on top level arguments.

Once this -0 is sent to Chrome, it's treated as a double, which defies the schema and fails parsing.

Assigning to rdevlin.cronin for triage.
Project Member

Comment 2 by bugdroid1@chromium.org, Feb 24 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f88f9bc261af492194bc6d3b2e3536adc2a34904

commit f88f9bc261af492194bc6d3b2e3536adc2a34904
Author: rdevlin.cronin <rdevlin.cronin@chromium.org>
Date: Fri Feb 24 17:09:30 2017

[Content] Allow V8ValueConverter to convert -0 to an integer

V8ValueConverter currently converts -0 to a double, because it is not
considered an int32 (or a uint32), even though it is === 0 (which is
considered an int). This causes nastiness in extensions because we
evaluate it as an integer, but the V8ValueConverter converts it to a
bool, and breaks our expectations.

Add a configuration method, SetConvertNegativeZeroToInt(), to
V8ValueConverter to specify that -0 should be converted to an
int.

Add tests for both scenarios (with and without the configuration).

BUG= 694248 

Review-Url: https://codereview.chromium.org/2709103004
Cr-Commit-Position: refs/heads/master@{#452854}

[modify] https://crrev.com/f88f9bc261af492194bc6d3b2e3536adc2a34904/chrome/test/data/extensions/platform_apps/window_api/test.js
[modify] https://crrev.com/f88f9bc261af492194bc6d3b2e3536adc2a34904/content/child/v8_value_converter_impl.cc
[modify] https://crrev.com/f88f9bc261af492194bc6d3b2e3536adc2a34904/content/child/v8_value_converter_impl.h
[modify] https://crrev.com/f88f9bc261af492194bc6d3b2e3536adc2a34904/content/child/v8_value_converter_impl_unittest.cc
[modify] https://crrev.com/f88f9bc261af492194bc6d3b2e3536adc2a34904/content/public/child/v8_value_converter.h
[modify] https://crrev.com/f88f9bc261af492194bc6d3b2e3536adc2a34904/extensions/renderer/resources/schema_utils.js
[modify] https://crrev.com/f88f9bc261af492194bc6d3b2e3536adc2a34904/extensions/renderer/send_request_natives.cc

Comment 3 by rdevlin....@chromium.org, Feb 24 2017

Status: Fixed (was: Assigned)
Should be fixed on ToT.

Comment 4 by dchan@google.com, Apr 17 2017

Labels: VerifyIn-59

Comment 5 by helenzhang@google.com, May 12 2017

Status: Verified (was: Fixed)
Verified in Chrome OS 9544.0.0, 60.0.3096.0.

Sign in to add a comment