Issue 714408 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Owner:	----
Closed:	Apr 2017
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	----
Type:	Bug-Security
allpublic

Security: Crash in blink::TraceTrait<blink::MediaQuerySet>::Trace

Reported by chromium...@gmail.com, Apr 22 2017

Issue description

VERSION
Chrome Version: Canary 60.0.3078.0
Operating System: Windows 7

REPRODUCTION CASE
1. Visit https://www.pinterest.com/pin/156992736989839641/

Crash/142dcfd640000000.


rax=000007fef06b2470 rbx=000007fef06b2470 rcx=00000000003ae560
rdx=00000287be2ad028 rsi=000000000607bee0 rdi=00000287be2ad028
rip=000007feede0b1b4 rsp=00000000003ae590 rbp=0000000000000098
 r8=000007feed9d906c  r9=000004a6e027ee10 r10=000004a6e0220060
r11=00000000003aea38 r12=0000000000000001 r13=000004a6e0a9cfe8
r14=0000000000000098 r15=0000000000000098
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010246
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!blink::TraceTrait<blink::MediaQuerySet>::Trace+0x3c:
000007fe`ede0b1b4 8348fc01        or      dword ptr [rax-4],1 ds:000007fe`f06b246c=000007fe
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`003ae590 000007fe`eddb6308 chrome_child!blink::TraceTrait<blink::MediaQuerySet>::Trace+0x3c [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\tracetraits.h @ 222]
00000000`003ae5c0 000007fe`ede75849 chrome_child!blink::CSSStyleSheet::Trace+0xf4 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\css\cssstylesheet.cpp @ 445]
00000000`003ae5f0 000007fe`eddd2793 chrome_child!blink::TraceTrait<std::pair<blink::Member<blink::CSSStyleSheet>,blink::Member<blink::RuleSet> > >::Trace<blink::Visitor * __ptr64>+0x45 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\tracetraits.h @ 311]
00000000`003ae620 000007fe`edd84006 chrome_child!blink::StyleSheetCollection::Trace+0x8f [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\stylesheetcollection.cpp @ 67]
00000000`003ae650 000007fe`ed9e0bd7 chrome_child!blink::StyleEngine::Trace+0x7e [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\styleengine.cpp @ 1161]
00000000`003ae6a0 000007fe`edd527bd chrome_child!blink::Document::Trace+0x25f [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\document.cpp @ 6642]
00000000`003ae6e0 000007fe`edea5047 chrome_child!blink::HTMLFormControlElement::AdjustAndMark+0x1d [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\html\htmlformcontrolelement.h @ 49]
00000000`003ae710 000007fe`edea59c2 chrome_child!WTF::Vector<blink::Member<blink::ListedElement>,0,blink::HeapAllocator>::Trace<blink::Visitor * __ptr64>+0x5b [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\wtf\vector.h @ 1915]
00000000`003ae740 000007fe`edd52939 chrome_child!blink::HTMLFormElement::Trace+0x46 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\html\htmlformelement.cpp @ 89]
00000000`003ae780 000007fe`edd528c9 chrome_child!blink::ListedElement::Trace+0x59 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\html\listedelement.cpp @ 61]
00000000`003ae7b0 000007fe`ede75224 chrome_child!blink::HTMLFormControlElement::Trace+0x19 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\html\htmlformcontrolelement.cpp @ 70]
00000000`003ae7e0 000007fe`edd84327 chrome_child!WTF::HashTable<WTF::ListHashSetNode<blink::Member<blink::HTMLFormControlElementWithState>,blink::HeapListHashSetAllocator<blink::Member<blink::HTMLFormControlElementWithState>,64> > * __ptr64,WTF::ListHashSetNode<blink::Member<blink::HTMLFormControlElementWithState>,blink::HeapListHashSetAllocator<blink::Member<blink::HTMLFormControlElementWithState>,64> > * __ptr64,WTF::IdentityExtractor,WTF::ListHashSetNodeHashFunctions<WTF::MemberHash<blink::HTMLFormControlElementWithState> >,WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::HTMLFormControlElementWithState>,blink::HeapListHashSetAllocator<blink::Member<blink::HTMLFormControlElementWithState>,64> > * __ptr64>,WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::HTMLFormControlElementWithState>,blink::HeapListHashSetAllocator<blink::Member<blink::HTMLFormControlElementWithState>,64> > * __ptr64>,blink::HeapAllocator>::Trace<blink::Visitor * __ptr64>+0x94 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\wtf\hashtable.h @ 2139]
00000000`003ae810 000007fe`edc9aa7d chrome_child!blink::DocumentLoader::Trace+0xc3 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\loader\documentloader.cpp @ 150]
00000000`003ae840 000007fe`ed9e2a90 chrome_child!blink::FrameLoader::Trace+0x89 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\loader\frameloader.cpp @ 261]
00000000`003ae870 000007fe`edc9b3c8 chrome_child!blink::LocalFrame::Trace+0x74 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\frame\localframe.cpp @ 362]
00000000`003ae8a0 000007fe`edc9a5e5 chrome_child!blink::Visitor::Trace<blink::LocalFrame>+0x3c [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\visitor.h @ 150]
00000000`003ae8d0 000007fe`ede0d50d chrome_child!blink::FrameView::Trace+0x2d [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\frame\frameview.cpp @ 238]
00000000`003ae910 000007fe`ed9e24e7 chrome_child!blink::FrameView::AdjustAndMark+0x19 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\frame\frameview.h @ 108]
00000000`003ae940 000007fe`edc9a449 chrome_child!blink::AdjustAndMarkTrait<blink::TreeScope,1>::Mark<blink::Visitor * __ptr64>+0x17 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\tracetraits.h @ 112]
00000000`003ae970 000007fe`eded71d8 chrome_child!blink::Scrollbar::Trace+0x21 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\scroll\scrollbar.cpp @ 88]

Comment 1 by chromium...@gmail.com, Apr 24 2017

Another crash with using https://www.pinterest.com/pin/229120699768080570. Actually this seems like pretty hard to repro this crash because I couldn't repro this continuously.

Note: This is non regression issue seen from M-58.

Crash/a1f65a4930000000.

Windbg output:

rax=0000000000000000 rbx=0000000000000000 rcx=0000000005578648
rdx=00000000e2270001 rsi=0000000005578648 rdi=0000048ae37ee0b8
rip=000007feed26d016 rsp=00000000003dc6a8 rbp=00000000003dc700
 r8=0000030eb11a1868  r9=0000030eb11a1878 r10=0000010b6ee14434
r11=00000000003dc760 r12=0000030eb112cef0 r13=0000048ae37ee0b8
r14=0000030eb11a1878 r15=0000030eb11a1868
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010202
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!WTF::String::IsEmpty+0xa:
000007fe`ed26d016 394204          cmp     dword ptr [rdx+4],eax ds:00000000`e2270005=????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`003dc6a8 000007fe`ed52770a chrome_child!WTF::String::IsEmpty+0xa [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\wtf\text\wtfstring.h @ 113]
00000000`003dc6b0 000007fe`ed5274c9 chrome_child!blink::MediaQueryEvaluator::MediaTypeMatch+0x22 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\css\mediaqueryevaluator.cpp @ 104]
00000000`003dc720 000007fe`ed527467 chrome_child!blink::MediaQueryEvaluator::Eval+0x31 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\css\mediaqueryevaluator.cpp @ 118]
00000000`003dc790 000007fe`ed527391 chrome_child!blink::MediaQueryEvaluator::Eval+0x57 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\css\mediaqueryevaluator.cpp @ 159]
00000000`003dc7c0 000007fe`ed5272d9 chrome_child!blink::CSSStyleSheet::MatchesMediaQueries+0x49 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\css\cssstylesheet.cpp @ 223]
00000000`003dc7f0 000007fe`ed527039 chrome_child!blink::StyleEngine::RuleSetForSheet+0x2d [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\styleengine.cpp @ 429]
00000000`003dc890 000007fe`ed526ed9 chrome_child!blink::DocumentStyleSheetCollection::CollectStyleSheetsFromCandidates+0xfd [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\documentstylesheetcollection.cpp @ 83]
00000000`003dc910 000007fe`ed52651d chrome_child!blink::DocumentStyleSheetCollection::CollectStyleSheets+0x55 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\documentstylesheetcollection.cpp @ 98]
00000000`003dc980 000007fe`ed0b6be0 chrome_child!blink::DocumentStyleSheetCollection::UpdateActiveStyleSheets+0x55 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\documentstylesheetcollection.cpp @ 111]
00000000`003dc9e0 000007fe`ed225456 chrome_child!blink::StyleEngine::UpdateActiveStyleSheets+0x7c [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\styleengine.cpp @ 331]
00000000`003dcad0 000007fe`ed2253a1 chrome_child!blink::StyleEngine::UpdateActiveStyle+0x26 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\styleengine.cpp @ 367]
00000000`003dcb00 000007fe`ed0efc19 chrome_child!blink::Document::UpdateActiveStyle+0x35 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\document.cpp @ 2071]
00000000`003dcb70 000007fe`ed0ef543 chrome_child!blink::Document::UpdateStyleAndLayoutTree+0xf5 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\document.cpp @ 2026]
00000000`003dcbf0 000007fe`ed0ef4cc chrome_child!blink::Document::UpdateStyleAndLayoutTreeIgnorePendingStylesheets+0x43 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\document.cpp @ 2313]
00000000`003dcc30 000007fe`ed0c867d chrome_child!blink::Document::UpdateStyleAndLayoutIgnorePendingStylesheets+0x14 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\document.cpp @ 2318]
00000000`003dcc60 000007fe`ed78b559 chrome_child!blink::Document::UpdateStyleAndLayoutIgnorePendingStylesheetsForNode+0x1d [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\document.cpp @ 2208]
00000000`003dcc90 000007fe`ed78b49d chrome_child!blink::Element::clientHeight+0x5d [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\core\dom\element.cpp @ 764]
00000000`003dccd0 000007fe`ed070768 chrome_child!blink::ElementV8Internal::clientHeightAttributeGetter+0x39 [c:\b\build\slave\win64-pgo\build\src\out\release_x64\gen\blink\bindings\core\v8\v8element.cpp @ 444]
00000000`003dcd00 000007fe`ed019d78 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>+0x308 [c:\b\build\slave\win64-pgo\build\src\v8\src\builtins\builtins-api.cc @ 111]
00000000`003dcf50 000007fe`ed074a74 chrome_child!v8::internal::Builtins::InvokeApiFunction+0x160 [c:\b\build\slave\win64-pgo\build\src\v8\src\builtins\builtins-api.cc @ 216]

Comment 2 by mea...@chromium.org, Apr 25 2017

Mergedinto: 709213
Status: Duplicate (was: Unconfirmed)

Thanks for the report. This seems to be tracked in bug 709213.

Project Member

Comment 3 by sheriffbot@chromium.org, May 21 2018

Labels: -Restrict-View-SecurityTeam allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 714408 link

Issue metadata

Security: Crash in blink::TraceTrait<blink::MediaQuerySet>::Trace

Issue description

Comment 1 by chromium...@gmail.com, Apr 24 2017

Comment 1 Deleted

Comment 2 by mea...@chromium.org, Apr 25 2017

Comment 2 Deleted

Comment 3 by sheriffbot@chromium.org, May 21 2018

Comment 3 Deleted

Sign in to add a comment