Issue 713435
Issue metadata

Status: Duplicate
Owner:
Closed: Apr 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security


Security: Crash in blink::Resource::CachedMetadataHandlerImpl::Trace

Reported by chromium...@gmail.com, Apr 19 2017

Issue description

Chrome Version: Canary 60.0.3074.0
Operating System: Windows 7

REPRODUCTION CASE

I opened Chrome with a new tab and visited gmail.com >> render crash.

Crash/efbdfb5e90000000.

rax=00000000002de001 rbx=0000000005d728e0 rcx=000000000108a9e8
rdx=00000433092469c0 rsi=0000000005d728e0 rdi=00000432092469c0
rip=000007feedbcd8af rsp=00000000002de090 rbp=0000000000000098
 r8=00000432092469c0  r9=0000000005d728e0 r10=0000000005d728e0
r11=00000000002de268 r12=0000000000000098 r13=00000000000000f3
r14=000007feee170a14 r15=0000000000000098
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010202
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!blink::Resource::CachedMetadataHandlerImpl::Trace+0x2b:
000007fe`edbcd8af f642fc01        test    byte ptr [rdx-4],1 ds:00000433`092469bc=??
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`002de090 000007fe`edbaa0a4 chrome_child!blink::Resource::CachedMetadataHandlerImpl::Trace+0x2b [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\loader\fetch\resource.cpp @ 136]
00000000`002de0c0 000007fe`edc297cb chrome_child!blink::Resource::Trace+0x58 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\loader\fetch\resource.cpp @ 352]
00000000`002de0f0 000007fe`edb3e614 chrome_child!blink::TraceTrait<blink::ResourceLoader>::Trace+0x5f [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\tracetraits.h @ 222]
00000000`002de120 000007fe`edb3e5cd chrome_child!blink::Visitor::Trace<blink::ResourceLoader>+0x3c [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\visitor.h @ 150]
00000000`002de150 000007fe`edbac979 chrome_child!WTF::HashTable<blink::Member<blink::ResourceLoader>,blink::Member<blink::ResourceLoader>,WTF::IdentityExtractor,WTF::MemberHash<blink::ResourceLoader>,WTF::HashTraits<blink::Member<blink::ResourceLoader> >,WTF::HashTraits<blink::Member<blink::ResourceLoader> >,blink::HeapAllocator>::Trace<blink::Visitor * __ptr64>+0x89 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\wtf\hashtable.h @ 2139]
00000000`002de180 000007fe`edad200c chrome_child!blink::ResourceFetcher::Trace+0x71 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\loader\fetch\resourcefetcher.cpp @ 1581]
00000000`002de1b0 000007fe`edad2273 chrome_child!blink::DocumentLoader::Trace+0x28 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\loader\documentloader.cpp @ 160]
00000000`002de1e0 000007fe`edb59f31 chrome_child!blink::FrameLoader::Trace+0xaf [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\loader\frameloader.cpp @ 203]
00000000`002de210 000007fe`edbaecf9 chrome_child!blink::LocalFrame::Trace+0x65 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\frame\localframe.cpp @ 362]
00000000`002de240 000007fe`edbaed72 chrome_child!blink::WebLocalFrameImpl::Trace+0x139 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\web\weblocalframeimpl.cpp @ 1634]
00000000`002de270 000007fe`edbaed38 chrome_child!blink::WebFrame::TraceFrame+0x32 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\web\webframe.cpp @ 311]
00000000`002de2a0 000007fe`edbf5da9 chrome_child!blink::WebFrame::TraceFrames+0x38 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\web\webframe.cpp @ 317]
00000000`002de2d0 000007fe`edbb718c chrome_child!blink::NavigatorContentUtils::Trace+0x49 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\modules\navigatorcontentutils\navigatorcontentutils.cpp @ 237]
00000000`002de300 000007fe`ed9a7e27 chrome_child!blink::NavigatorContentUtils::AdjustAndMark+0x18 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\modules\navigatorcontentutils\navigatorcontentutils.h @ 45]
00000000`002de330 000007fe`edae14a8 chrome_child!WTF::HashTable<char const * __ptr64,WTF::KeyValuePair<char const * __ptr64,blink::Member<blink::Supplement<blink::LocalDOMWindow> > >,WTF::KeyValuePairKeyExtractor,WTF::PtrHash<char const >,WTF::HashMapValueTraits<WTF::HashTraits<char const * __ptr64>,WTF::HashTraits<blink::Member<blink::Supplement<blink::LocalDOMWindow> > > >,WTF::HashTraits<char const * __ptr64>,blink::HeapAllocator>::Trace<blink::Visitor * __ptr64>+0x93 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\wtf\hashtable.h @ 2139]
00000000`002de360 000007fe`ed6ad22c chrome_child!blink::LocalDOMWindow::Trace+0x1e8 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\frame\localdomwindow.cpp @ 1675]
00000000`002de390 000007fe`edadfee1 chrome_child!blink::Document::Trace+0x2e4 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\document.cpp @ 6570]
00000000`002de3e0 000007fe`edadfd39 chrome_child!blink::TreeScope::Trace+0xfd [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\treescope.cpp @ 534]
00000000`002de410 000007fe`edbb2ef0 chrome_child!blink::ShadowRoot::Trace+0x59 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\shadow\shadowroot.cpp @ 367]
00000000`002de440 000007fe`ed6ab8a6 chrome_child!blink::ElementShadow::Trace+0x7c [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\shadow\elementshadow.cpp @ 166]
Comment 1 by mea...@chromium.org, Apr 20 2017

Components: Blink>MemoryAllocator>GarbageCollection Blink>Loader
Owner: keishi@chromium.org
Status: Assigned (was: Unconfirmed)
keishi@chromium.org: This looks similar to bug 709201. Can you please take a look and dupe as necessary? Thanks.
Still repro this on 60.0.3079.0 Canary.

Comment 3 by palmer@chromium.org, Apr 25 2017

Labels: Security_Severity-Medium OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-1
Friendly ping keishi. :)

Comment 4 by palmer@chromium.org, Apr 25 2017

I cannot reproduce this on Canary on Windows 10, btw.
I just repro this again on 60.0.3080.0 Canary. Crash/6928dcf590000000.
I don't think this is similar to issue 709201 since it's already fixed.
Attachment: Recording #6.mp4 (534 KB)

Comment 8 by palmer@chromium.org, Apr 27 2017

Mergedinto: 709201
Status: Duplicate (was: Assigned)
This looks like a duplicate of 709201 to me. It's not already fixed, although keishi is working on it.

Comment 9 by sheriffbot@chromium.org, May 21 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot