
Issue 704291

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




postMessage with ArrayBuffer crashes tab

Project Member Reported by rtoy@chromium.org, Mar 22 2017

Issue description

Chrome Version: 59.0.3049.0 (Developer Build) (64-bit)
OS: Linux

What steps will reproduce the problem?
(1) Open a dev console and enter
b = new ArrayBuffer(1000)
postMessage('', '*', [b])

(2)
(3)

What is the expected result?

Nothing bad happens.

What happens instead?

Aw snap.

Don't know if the bit of code is valid or not, but JavaScript code shouldn't cause a crash.

Here's the stack trace that I get from a ToT chromium build from earlier today:

[1:1:0322/134330.853030:FATAL:ArrayBuffer.h(146)] Check failed: contents.dataMaybeShared(). 
#0 0x7fe357da0b37 base::debug::StackTrace::StackTrace()
#1 0x7fe357dbce5b logging::LogMessage::~LogMessage()
#2 0x7fe34a40378e WTF::ArrayBuffer::create()
#3 0x7fe34a4021bd blink::V8ScriptValueDeserializer::transfer()
#4 0x7fe34a401fcf blink::V8ScriptValueDeserializer::deserialize()
#5 0x7fe3496fce38 blink::SerializedScriptValueForModulesFactory::deserialize()
#6 0x7fe34a3b5f2a blink::V8MessageEvent::dataAttributeGetterCustom()
#7 0x143d0b404141 <unknown>

Received signal 6
#0 0x7fe357da0b37 base::debug::StackTrace::StackTrace()
#1 0x7fe357da06af base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fe357acf330 <unknown>
#3 0x7fe34ecffc37 gsignal
#4 0x7fe34ed03028 abort
#5 0x7fe357d9e722 base::debug::BreakDebugger()
#6 0x7fe357dbd162 logging::LogMessage::~LogMessage()
#7 0x7fe34a40378e WTF::ArrayBuffer::create()
#8 0x7fe34a4021bd blink::V8ScriptValueDeserializer::transfer()
#9 0x7fe34a401fcf blink::V8ScriptValueDeserializer::deserialize()
#10 0x7fe3496fce38 blink::SerializedScriptValueForModulesFactory::deserialize()
#11 0x7fe34a3b5f2a blink::V8MessageEvent::dataAttributeGetterCustom()
#12 0x143d0b404141 <unknown>
  r8: ffffa81dc6cb8938  r9: ffffa81dc6cb8928 r10: 0000000000000008 r11: 0000000000000202
 r12: 0000000000000000 r13: 00007ffede3168a8 r14: 00007ffede316448 r15: 00007ffede316438
  di: 0000000000000001  si: 0000000000000001  bp: 0000281ca4e1d000  bx: 0000000000000000
  dx: 0000000000000006  ax: 0000000000000000  cx: ffffffffffffffff  sp: 00007ffede315e98
  ip: 00007fe34ecffc37 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]


Comment 1 by rtoy@chromium.org, Mar 23 2017

Status: WontFix (was: Untriaged)
Unable to reproduce with today's ToT chromium build.

Closing: can't repro
