
Issue 719709

Issue metadata

Status: Duplicate
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Security: Crash in blink::TraceIfEnabled<blink::Member<blink::EditCommand>,1>::Trace<blink::Visitor

Reported by chromium...@gmail.com, May 8 2017

Issue description

VERSION
Chrome Version: Canary 
Operating System: Windows 7

REPRODUCTION CASE
Crash/b63c622f50000000


rax=000000000675d601 rbx=0000000000000001 rcx=00000000067cb0f0
rdx=000003c00b536000 rsi=00000000067cb0f0 rdi=000003c00b536000
rip=000007feef770d00 rsp=000000000675d690 rbp=0000000005556e80
 r8=000007feef770cac  r9=000002d73ec1add8 r10=00000000067cb0f0
r11=000000000675d790 r12=000007feed72d864 r13=0000000000000000
r14=000007feed20dd4c r15=000007feed6e8b88
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010206
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!blink::TraceIfEnabled<blink::Member<blink::EditCommand>,1>::Trace<blink::Visitor * __ptr64>+0x4:
000007fe`ef770d00 4c8b0a          mov     r9,qword ptr [rdx] ds:000003c0`0b536000=????????????????
0:012> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0675d690 000007fe`ef770ce1 chrome_child!blink::TraceIfEnabled<blink::Member<blink::EditCommand>,1>::Trace<blink::Visitor * __ptr64>+0x4 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\tracetraits.h @ 133]
00000000`0675d6c0 000007fe`ed20dc13 chrome_child!blink::TraceTrait<blink::HeapVectorBacking<blink::Member<blink::EditCommand>,WTF::VectorTraits<blink::Member<blink::EditCommand> > > >::Trace<blink::Visitor * __ptr64>+0x35 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\tracetraits.h @ 262]
00000000`0675d6f0 000007fe`ed2b97c1 chrome_child!blink::ThreadHeap::ProcessMarkingStack+0x153 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\heap.cpp @ 329]
00000000`0675d7a0 000007fe`ed4891b9 chrome_child!blink::ThreadState::CollectGarbage+0x151 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\threadstate.cpp @ 1503]
00000000`0675d8b0 000007fe`ed2bbf82 chrome_child!blink::BaseArena::AllocateLargeObject+0x45 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\heappage.cpp @ 349]
00000000`0675d8e0 000007fe`ed1c0163 chrome_child!blink::NormalPageArena::OutOfLineAllocate+0xb2 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\heappage.cpp @ 891]
00000000`0675d910 000007fe`ef552895 chrome_child!blink::ThreadHeap::AllocateOnArenaIndex+0x2b [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\heap.h @ 600]
00000000`0675d940 000007fe`ef55416e chrome_child!blink::HeapAllocator::AllocateHashTableBacking<blink::Member<blink::DOMArrayBufferBase>,WTF::HashTable<blink::Member<blink::DOMArrayBufferBase>,blink::Member<blink::DOMArrayBufferBase>,WTF::IdentityExtractor,WTF::MemberHash<blink::DOMArrayBufferBase>,WTF::HashTraits<blink::Member<blink::DOMArrayBufferBase> >,WTF::HashTraits<blink::Member<blink::DOMArrayBufferBase> >,blink::HeapAllocator> >+0x59 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\heapallocator.h @ 118]
00000000`0675d980 000007fe`ef552e08 chrome_child!WTF::HashTable<blink::Member<blink::DOMArrayBufferBase>,blink::Member<blink::DOMArrayBufferBase>,WTF::IdentityExtractor,WTF::MemberHash<blink::DOMArrayBufferBase>,WTF::HashTraits<blink::Member<blink::DOMArrayBufferBase> >,WTF::HashTraits<blink::Member<blink::DOMArrayBufferBase> >,blink::HeapAllocator>::Rehash+0x42 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\wtf\hashtable.h @ 1774]
00000000`0675d9b0 000007fe`ef554a5f chrome_child!WTF::HashTable<blink::Member<blink::DOMArrayBufferBase>,blink::Member<blink::DOMArrayBufferBase>,WTF::IdentityExtractor,WTF::MemberHash<blink::DOMArrayBufferBase>,WTF::HashTraits<blink::Member<blink::DOMArrayBufferBase> >,WTF::HashTraits<blink::Member<blink::DOMArrayBufferBase> >,blink::HeapAllocator>::insert<WTF::IdentityHashTranslator<WTF::MemberHash<blink::DOMArrayBufferBase> >,blink::DOMArrayBufferBase * __ptr64 const & __ptr64,blink::DOMArrayBufferBase * __ptr64 & __ptr64>+0x148 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\wtf\hashtable.h @ 1292]
00000000`0675d9f0 000007fe`edb783af chrome_child!blink::SerializedScriptValue::TransferArrayBufferContents+0x223 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\bindings\core\v8\serialization\serializedscriptvalue.cpp @ 476]
00000000`0675daf0 000007fe`ed153469 chrome_child!blink::V8ScriptValueSerializer::FinalizeTransfer+0xa24df3 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\bindings\core\v8\serialization\v8scriptvalueserializer.cpp @ 135]
00000000`0675db50 000007fe`ed1531ae chrome_child!blink::V8ScriptValueSerializer::Serialize+0xe9 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\bindings\core\v8\serialization\v8scriptvalueserializer.cpp @ 89]
00000000`0675dbf0 000007fe`ed152ffd chrome_child!blink::SerializedScriptValueForModulesFactory::Create+0x19e [c:\b\c\b\win64_pgo\src\third_party\webkit\source\bindings\modules\v8\serialization\serializedscriptvalueformodulesfactory.cpp @ 22]
00000000`0675dd10 000007fe`ed4fdad8 chrome_child!blink::SerializedScriptValue::Serialize+0x4d [c:\b\c\b\win64_pgo\src\third_party\webkit\source\bindings\core\v8\serialization\serializedscriptvalue.cpp @ 73]
00000000`0675dd50 000007fe`ed259fd0 chrome_child!blink::DedicatedWorkerGlobalScopeV8Internal::postMessageImpl+0xe4 [c:\b\c\b\win64_pgo\src\out\release_x64\gen\blink\bindings\core\v8\v8dedicatedworkerglobalscope.cpp @ 146]
00000000`0675de80 000007fe`ed259ba1 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>+0x2e0 [c:\b\c\b\win64_pgo\src\v8\src\builtins\builtins-api.cc @ 112]
00000000`0675e090 000007fe`ed259ab2 chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0xe1 [c:\b\c\b\win64_pgo\src\v8\src\builtins\builtins-api.cc @ 142]
00000000`0675e130 00000302`6fc04861 chrome_child!v8::internal::Builtin_HandleApiCall+0x32 [c:\b\c\b\win64_pgo\src\v8\src\builtins\builtins-api.cc @ 130]
00000000`0675e170 00000000`0675e1b8 0x302`6fc04861

 
test case.html
1.3 KB View Download
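For triage, the useful content of the dump above is its shape: the faulting read is in the GC marking visitor (`TraceIfEnabled<Member<EditCommand>>::Trace` called from `ProcessMarkingStack`), the collection was entered from an allocation (`AllocateLargeObject` → `CollectGarbage`), the allocation was triggered by `SerializedScriptValue::TransferArrayBufferContents` during a worker `postMessage`, and the `????????????????` after the data address means the debugger could not read the memory behind `rdx`. The following parser is an added example, not part of the bug report or of Chromium; it reads WinDbg `k` output, strips template arguments so nested Blink symbols collapse to bare function names, and summarises that pattern. The sample input is copied from the frames quoted above (with the intermediate HashTable/allocator frames dropped), and all function names (`parse_stack`, `triage`, `parse_fault`) are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: frames copied from the WinDbg `k` output in the report,
# with the HashTable/allocator frames between CollectGarbage and postMessage dropped.
SAMPLE_STACK = r"""Child-SP          RetAddr           Call Site
00000000`0675d690 000007fe`ef770ce1 chrome_child!blink::TraceIfEnabled<blink::Member<blink::EditCommand>,1>::Trace<blink::Visitor * __ptr64>+0x4 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\tracetraits.h @ 133]
00000000`0675d6f0 000007fe`ed2b97c1 chrome_child!blink::ThreadHeap::ProcessMarkingStack+0x153 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\heap.cpp @ 329]
00000000`0675d7a0 000007fe`ed4891b9 chrome_child!blink::ThreadState::CollectGarbage+0x151 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\threadstate.cpp @ 1503]
00000000`0675d8b0 000007fe`ed2bbf82 chrome_child!blink::BaseArena::AllocateLargeObject+0x45 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\heap\heappage.cpp @ 349]
00000000`0675d9f0 000007fe`edb783af chrome_child!blink::SerializedScriptValue::TransferArrayBufferContents+0x223 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\bindings\core\v8\serialization\serializedscriptvalue.cpp @ 476]
00000000`0675dd50 000007fe`ed259fd0 chrome_child!blink::DedicatedWorkerGlobalScopeV8Internal::postMessageImpl+0xe4 [c:\b\c\b\win64_pgo\src\out\release_x64\gen\blink\bindings\core\v8\v8dedicatedworkerglobalscope.cpp @ 146]
00000000`0675e170 00000000`0675e1b8 0x302`6fc04861
"""

# The faulting instruction line, also copied from the report.
SAMPLE_FAULT = "000007fe`ef770d00 4c8b0a          mov     r9,qword ptr [rdx] ds:000003c0`0b536000=????????????????"

# One frame: child SP, return address, call site (symbol[+offset] [file @ line]).
FRAME_RE = re.compile(r"^(?P<sp>[0-9a-f`]+)\s+(?P<ret>[0-9a-f`]+)\s+(?P<site>.+?)\s*$")
SITE_RE = re.compile(
    r"^(?P<module>[^!\s]+)!(?P<symbol>.+?)\+0x(?P<offset>[0-9a-f]+)"
    r"(?:\s+\[(?P<file>.+?) @ (?P<line>\d+)\])?$"
)
# "ds:ADDR=VALUE" as WinDbg prints the memory operand; '?' means it was unreadable.
FAULT_RE = re.compile(r"\b(?P<seg>[a-z]s):(?P<addr>[0-9a-f`]+)=(?P<value>[0-9a-f?]+)")


@dataclass
class Frame:
    module: Optional[str]
    symbol: Optional[str]   # full symbol, template arguments included
    short: Optional[str]    # symbol with template arguments stripped (None if unsymbolized)
    file: Optional[str]
    line: Optional[int]


def strip_templates(symbol: str) -> str:
    """Drop balanced <...> groups so nested template names collapse to the bare function."""
    out, depth = [], 0
    for ch in symbol:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_stack(text: str) -> List[Frame]:
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue  # header line ("Child-SP ...") and anything that is not a frame
        s = SITE_RE.match(m.group("site"))
        if not s:
            # Unsymbolized frame (here: JIT code); keep the raw address as the symbol.
            frames.append(Frame(None, m.group("site"), None, None, None))
            continue
        frames.append(Frame(
            s.group("module"), s.group("symbol"), strip_templates(s.group("symbol")),
            s.group("file"), int(s.group("line")) if s.group("line") else None))
    return frames


def parse_fault(line: str) -> dict:
    """Return the faulting data address and whether the debugger could read it."""
    m = FAULT_RE.search(line)
    if not m:
        return {}
    addr = int(m.group("addr").replace("`", ""), 16)
    return {"address": addr, "readable": "?" not in m.group("value")}


def triage(frames: List[Frame]) -> dict:
    """Summarise the 'crash while marking, GC entered from an allocation' pattern."""
    shorts = [f.short or "" for f in frames]
    gc_idx = next((i for i, s in enumerate(shorts) if "CollectGarbage" in s), None)
    marking = any("ProcessMarkingStack" in s for s in shorts)
    # The first frame below the GC that is not itself allocator code is the
    # operation whose allocation triggered the collection.
    trigger = None
    if gc_idx is not None:
        for f in frames[gc_idx + 1:]:
            if f.short and "Allocate" not in f.short:
                trigger = f.short
                break
    top = frames[0]
    basename = top.file.rsplit("\\", 1)[-1] if top.file else None
    return {
        "top_frame": top.short,
        "top_location": f"{basename} @ {top.line}" if basename else None,
        "crashed_in_marking": marking and gc_idx is not None,
        "gc_trigger": trigger,
    }


if __name__ == "__main__":
    summary = triage(parse_stack(SAMPLE_STACK))
    summary.update(parse_fault(SAMPLE_FAULT))
    for key, value in summary.items():
        print(f"{key}: {value:#x}" if key == "address" else f"{key}: {value}")
```

The summary this produces (top frame in `tracetraits.h @ 133`, crashed during marking, collection triggered from `TransferArrayBufferContents`, faulting address unreadable) is the signature that lets a sheriff recognise a later report as the same bug, which is what happened here when the issue was merged into 719634.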

Comment 1 by aarya@google.com, May 9 2017

Status: WontFix (was: Unconfirmed)
Can't reproduce on tip-of-tree trunk, closing. Please provide a reproducible testcase for this issue.
- You have to keep pressing on the button as in the video.
Recording #13.mp4
179 KB View Download
Note: Unable to repro this under ASan build.
Still able to reproduce the crash on Win7 (also on Linux) 60.0.3095.0 (Developer Build) by following the steps.

1) Launch the testcase.
2) Keep pressing on the button.
3) Render crash.


Recording #14.mp4
160 KB View Download

Comment 5 by aarya@google.com, May 10 2017

Cc: haraken@chromium.org sigbjo...@opera.com
Components: Blink>MemoryAllocator>GarbageCollection
Labels: Security_Severity-Medium Security_Impact-Stable OS-All Pri-1
Owner: keishi@chromium.org
Status: Assigned (was: WontFix)
OK, can reproduce after pressing the button many times. Keishi@, can you please take a look?

Comment 6 by aarya@google.com, May 11 2017

Labels: M-58

Comment 7 by keishi@chromium.org, May 11 2017

Mergedinto: 719634
Status: Duplicate (was: Assigned)
This is the same bug report as Bug 719634.
It should be fixed in the next Canary.

Comment 8 by sheriffbot@chromium.org, Aug 17 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot