Issue 739816

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug
Team-Security-UX

Navigating back from an interstitial in a WebView causes a browser crash.

Reported by wjmaclean@chromium.org (Project Member), Jul 6 2017

Issue description

Chrome Version: 61.0.3149.0 (Developer Build) (64-bit)
OS: Linux (but probably also others)

What steps will reproduce the problem?
(1) Install "Browser Sample"
    https://chrome.google.com/webstore/detail/browser-sample/edggnmnajhcbhlnpjnogkjpghaikidaa?utm_source=chrome-app-launcher-info-dialog
(2) Open Browser Sample, and navigate to https://badssl.com
(3) Click on "Expired" (or some other red link)
(4) On the subsequent interstitial page, click "Back to Safety".

What is the expected result?

The WebView should navigate back to badssl.com

What happens instead?

The browser crashes.

From the stack trace below, we seem to be hitting

https://chromium.googlesource.com/chromium/src/+blame/a9cead1e264677911624e27d3d0a47c951b783ea/content/browser/web_contents/web_contents_impl.cc#1893

which was last changed by lfg@.

Please use labels and text to provide additional information.

Stack Trace from crash:

[34664:34803:0706/144126.392753:ERROR:cert_verify_proc_nss.cc(902)] CERT_PKIXVerifyCert for expired.badssl.com failed err=-8181
Received signal 11 SEGV_MAPERR 000000000000
#0 0x7f7ef5b71417 base::debug::StackTrace::StackTrace()
#1 0x7f7ef5b70f8f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f7ef5cf4330 <unknown>
#3 0x7f7ef3099a98 content::InterstitialPageImpl::GetView()
#4 0x7f7ef33de07f content::WebContentsImpl::GetRenderWidgetHostViewsInTree()
#5 0x7f7ef33dfe79 content::WebContentsImpl::RenderWidgetWasResized()
#6 0x7f7ef32cc5b4 content::RenderWidgetHostImpl::WasResized()
#7 0x7f7ef30ea7d4 content::RenderWidgetHostViewChildFrame::SetBounds()
#8 0x7f7ef308f6c3 content::CrossProcessFrameConnector::SetRect()
#9 0x7f7ef30e168c content::RenderFrameHostManager::SetRWHViewForInnerContents()
#10 0x7f7ef33e4670 content::WebContentsImpl::DetachInterstitialPage()
#11 0x7f7ef3098731 content::InterstitialPageImpl::Hide()
#12 0x7f7ef3099952 content::InterstitialPageImpl::DontProceed()
#13 0x560cd6aa02d2 security_interstitials::SSLErrorUI::HandleCommand()
#14 0x560cd6161224 SSLBlockingPage::CommandReceived()
#15 0x7f7ef3098e2a content::InterstitialPageImpl::OnDomOperationResponse()
#16 0x7f7ef3098ca7 _ZN3IPC8MessageTI38FrameHostMsg_DomOperationResponse_MetaNSt3__15tupleIJNS2_12basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEEEEEvE8DispatchIN7content20InterstitialPageImplESE_NSD_19RenderFrameHostImplEMSE_FvPSF_RKS9_EEEbPKNS_7MessageEPT_PT0_PT1_T2_
#17 0x7f7ef3098ba0 content::InterstitialPageImpl::OnMessageReceived()
#18 0x7f7ef30bade7 content::RenderFrameHostImpl::OnMessageReceived()
#19 0x7f7ef32b0539 content::RenderProcessHostImpl::OnMessageReceived()
#20 0x7f7ef4cda405 IPC::ChannelProxy::Context::OnDispatchMessage()
#21 0x7f7ef4cdd280 _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvRKNS3_7MessageEEJ13scoped_refptrIS5_ES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#22 0x7f7ef5b5dcd5 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#23 0x7f7ef5b71c5b base::debug::TaskAnnotator::RunTask()
#24 0x7f7ef5ba5d5d base::MessageLoop::RunTask()
#25 0x7f7ef5ba60a2 base::MessageLoop::DeferOrRunPendingTask()
#26 0x7f7ef5ba648f base::MessageLoop::DoWork()
#27 0x7f7ef5ba877a base::(anonymous namespace)::WorkSourceDispatch()
#28 0x7f7eebb8ce04 g_main_context_dispatch
#29 0x7f7eebb8d048 <unknown>
#30 0x7f7eebb8d0ec g_main_context_iteration
#31 0x7f7ef5ba84d6 base::MessagePumpGlib::Run()
#32 0x7f7ef5ba591f base::MessageLoop::Run()
#33 0x7f7ef5bd9d67 base::RunLoop::Run()
#34 0x560cd61e25ff ChromeBrowserMainParts::MainMessageLoopRun()
#35 0x7f7ef2f7d682 content::BrowserMainLoop::RunMainMessageLoopParts()
#36 0x7f7ef2f8072b content::BrowserMainRunnerImpl::Run()
#37 0x7f7ef2f78c28 content::BrowserMain()
#38 0x7f7ef37ec36c content::RunNamedProcessTypeMain()
#39 0x7f7ef37eceed content::ContentMainRunnerImpl::Run()
#40 0x7f7ef60b03e1 service_manager::Main()
#41 0x7f7ef37eb782 content::ContentMain()
#42 0x560cd5b4aee4 ChromeMain
#43 0x7f7eeac47f45 __libc_start_main
#44 0x560cd5b4ad3f <unknown>
  r8: 0000000000000000  r9: 0000000000000001 r10: 000023c40d36ec54 r11: 0000000000000246
 r12: 00007ffc43f708d0 r13: 000023c40fb8c000 r14: 0000000000000001 r15: 000023c40f4ca900
  di: 0000000000000000  si: 000023c40f4ca900  bp: 00007ffc43f708c8  bx: 000023c40f4ca900
  dx: 00007f7ef43427b8  ax: 000023c40f87ef00  cx: c117dd922c7b8300  sp: 00007ffc43f70850
  ip: 00007f7ef3099a98 efl: 0000000000010206 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
 
lfg@ - could you please take a look? If it's not your change, please assign back to me.

Comment 2 by bugdroid1@chromium.org (Project Member), Jul 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/69b609190a722d6ba77fba8fa807b6dc5672d0fe

commit 69b609190a722d6ba77fba8fa807b6dc5672d0fe
Author: Lucas Furukawa Gadani <lfg@chromium.org>
Date: Mon Jul 10 17:08:34 2017

Fix crash when detaching interstitial from guest view.

Bug: 739816
Change-Id: I73ac3e7b68f5918a3f4749896d0ed7cf26d739df
Reviewed-on: https://chromium-review.googlesource.com/562856
Commit-Queue: Lucas Gadani <lfg@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: James MacLean <wjmaclean@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485300}
[modify] https://crrev.com/69b609190a722d6ba77fba8fa807b6dc5672d0fe/chrome/browser/apps/guest_view/web_view_browsertest.cc
[modify] https://crrev.com/69b609190a722d6ba77fba8fa807b6dc5672d0fe/chrome/test/data/extensions/platform_apps/web_view/interstitial_teardown/embedder.js
[modify] https://crrev.com/69b609190a722d6ba77fba8fa807b6dc5672d0fe/content/browser/web_contents/web_contents_impl.cc

Comment 3 by lfg@chromium.org, Jul 10 2017

Status: Fixed (was: Assigned)