Browser reliably crashes when viewing a link in Chrome + OS X + web telegram client
Reported by bdow...@gmail.com, Jul 10 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
1. Install telegram web client
2. This is going to be weird: In telegram, you can 'reply' to a message with a location. By default it picks your initial position, but it gives you a marker to select coordinates. It then renders this as a google map insert -- which when copied is just a google maps link. But when *this widget is clicked*
3. Crashes chrome

I tested this on three friends, all running modern OS X flavors + Chrome + telegram web. All chrome instances crash.

What is the expected behavior?
This is a google maps link. In context, it should load a maps link with these coordinates.

What went wrong?
Chrome crashed.

Crashed report ID: bc6dfde5-2eea-422e-b762-674c9281a50c
How much crashed? Whole browser
Is it a problem with a plugin? Yes https://github.com/zhukov/webogram 0.5.7.1
Did this work before? N/A
Chrome version: 59.0.3071.115 Channel: stable
OS Version: OS X 10.12.5
Flash Version:

Happy to help replicate -- since this is weird.
Comment 1 by patricia...@chromium.org, Jul 11 2017
Server ID: 0c1aad3708000000
Jul 11 2017
Thank you for providing more feedback. Adding requester "patricialor@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 11 2017
[mac bug triage] Adding Internals > Core and Internals > Sandbox > SiteIsolation (the components that RenderWidgetHelper and RenderFrameHostImpl belong to), and CCing asvitkine for help in triaging - would you know who this should go to? Thanks.

Stack trace:
  0x000000010e5d5def (Google Chrome Framework -web_contents_impl.cc:2093 ) content::WebContentsImpl::CreateNewWindow(content::SiteInstance*, int, int, int, content::mojom::CreateNewWindowParams const&, content::SessionStorageNamespace*)
  0x000000010e371893 (Google Chrome Framework -render_frame_host_impl.cc:1135 ) content::RenderFrameHostImpl::OnCreateNewWindow(int, int, int, content::mojom::CreateNewWindowParams const&, content::SessionStorageNamespace*)
  0x000000010e4edd71 (Google Chrome Framework -render_widget_helper.cc:139 ) content::RenderWidgetHelper::OnCreateNewWindowOnUI(mojo::StructPtr<content::mojom::CreateNewWindowParams>, int, int, int, content::SessionStorageNamespace*)
  0x000000010e4ee1cf (Google Chrome Framework -bind_internal.h:214 ) base::internal::Invoker<base::internal::BindState<void (content::RenderWidgetHelper::*)(mojo::StructPtr<content::mojom::CreateNewWindowParams>, int, int, int, content::SessionStorageNamespace*), scoped_refptr<content::RenderWidgetHelper>, base::internal::PassedWrapper<mojo::StructPtr<content::mojom::CreateNewWindowParams> >, int, int, int, base::internal::RetainedRefWrapper<content::SessionStorageNamespace> >, void ()>::Run(base::internal::BindStateBase*)
  0x000000010f7f4b10 (Google Chrome Framework -callback.h:91 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
  0x000000010f81d4fa (Google Chrome Framework -message_loop.cc:423 ) base::MessageLoop::RunTask(base::PendingTask*)
  0x000000010f81d84b (Google Chrome Framework -message_loop.cc:434 ) base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
  0x000000010f81dc02 (Google Chrome Framework -message_loop.cc:527 ) base::MessageLoop::DoWork()
  0x000000010f821019 (Google Chrome Framework -message_pump_mac.mm:420 ) base::MessagePumpCFRunLoopBase::RunWork()
  0x000000010f811a19 (Google Chrome Framework + 0x01a70a19 ) base::mac::CallWithEHFrame(void () block_pointer)
  0x000000010f820a3e (Google Chrome Framework -message_pump_mac.mm:396 ) base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
  0x00007fff9d7ff320 (CoreFoundation + 0x000a7320 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
  0x00007fff9d7e021c (CoreFoundation + 0x0008821c ) __CFRunLoopDoSources0
  0x00007fff9d7df715 (CoreFoundation + 0x00087715 ) __CFRunLoopRun
  0x00007fff9d7df113 (CoreFoundation + 0x00087113 ) CFRunLoopRunSpecific
  0x00007fff9cd40ebb (HIToolbox + 0x00030ebb ) RunCurrentEventLoopInMode
  0x00007fff9cd40cf0 (HIToolbox + 0x00030cf0 ) ReceiveNextEventCommon
  0x00007fff9cd40b25 (HIToolbox + 0x00030b25 ) _BlockUntilNextEventMatchingListInModeWithFilter
  0x00007fff9b2d9a53 (AppKit + 0x00046a53 ) _DPSNextEvent
  0x00007fff9ba557ed (AppKit + 0x007c27ed ) -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]
  0x000000010f3a9a0f (Google Chrome Framework -chrome_browser_application_mac.mm:187 ) __71-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke
  0x000000010f811a19 (Google Chrome Framework + 0x01a70a19 ) base::mac::CallWithEHFrame(void () block_pointer)
  0x000000010f3a9953 (Google Chrome Framework -chrome_browser_application_mac.mm:186 ) -[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
  0x00007fff9b2ce3da (AppKit + 0x0003b3da ) -[NSApplication run]
  0x000000010f82185d (Google Chrome Framework -message_pump_mac.mm:755 ) base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*)
  0x000000010f820e7b (Google Chrome Framework -message_pump_mac.mm:292 ) base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
  0x000000010f83efd2 (Google Chrome Framework -run_loop.cc:37 ) base::RunLoop::Run()
  0x000000010f3af734 (Google Chrome Framework -chrome_browser_main.cc:1977 ) ChromeBrowserMainParts::MainMessageLoopRun(int*)
  0x000000010e270a63 (Google Chrome Framework -browser_main_loop.cc:1179 ) content::BrowserMainLoop::RunMainMessageLoopParts()
  0x000000010e2732b1 (Google Chrome Framework -browser_main_runner.cc:140 ) content::BrowserMainRunnerImpl::Run()
  0x000000010e26c93b (Google Chrome Framework -browser_main.cc:46 ) content::BrowserMain(content::MainFunctionParams const&)
  0x000000010f363c9a (Google Chrome Framework -content_main_runner.cc:740 ) content::ContentMainRunnerImpl::Run()
  0x0000000110b2165b (Google Chrome Framework -main.cc:179 ) service_manager::Main(service_manager::MainParams const&)
  0x000000010f363073 (Google Chrome Framework -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const&)
  0x000000010dda4576 (Google Chrome Framework -chrome_main.cc:123 ) ChromeMain
  0x00000001098e4d99 (Google Chrome -chrome_exe_main_mac.c:85 ) main
  0x00007fffb2f59234 (libdyld.dylib + 0x00005234 ) start
  0x00007fffb2f59234 (libdyld.dylib + 0x00005234 ) start
Jul 11 2017
Given it's hitting: CHECK(session_storage_namespace_impl->IsFromContext(dom_storage_context)); cc'ing content/browser/dom_storage/OWNERS
Jul 12 2017
Naively, it seems to me that the code determining the site instance in render_frame_host_impl.cc:2725 and web_contents_impl.cc:2227 need to match, and they don't in this case?
Aug 4 2017
Link to the list of the builds with this magic signature on Mac:
https://goto.google.com/apvqm

As per the crash server data, not seeing any crashes on Mac on the latest M-60, M-61 or M-62 builds.

bdowney@: Could you please check this on the latest stable (60.0.3112.90) and confirm if this crash is seen as per the scenario mentioned in C#0.

Note: Unable to test this manually, as I don't have a telephone number (for testing purposes) available as of now to complete the registration on the telegram web client.
Aug 4 2017
Confirmed crash still on 60.0.3112.90. Repro by using the original crashing telegram 'location', and then I generated a new one on the mobile client (telegram for android 4.1.1). - Brandon
Aug 4 2017
Thank you for providing more feedback. Adding requester "ajha@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 7 2017
Tested on latest stable #60.0.3112.90 and Canary #62.0.3178.0 on Mac 10.12.5 and unable to reproduce the issue mentioned. Please refer to the screencast links (https://drive.google.com/open?id=0B3Nz6WzbhmLRTlJxM1NDbVBrNlE).

Observations --
1. When tried to reply, it seems that the device location is sent automatically but there is no option to edit the location.
2. When the Google link is copied and pasted, no crash is observed (https://drive.google.com/open?id=0B3Nz6WzbhmLRLWstMm9MZGZzOFk).

@bdowney -- Could you please share your device GPU and provide a screencast for further investigation of the issue. Please let us know if we have missed anything. Thanks in advance.
Feb 5 2018
Mac triage: this crash still appears as recently as M64 (i.e., current stable). For example, see report ID 0be9a19da948d25a. I'm considering this confirmed by the crash reports we have and marking for triage.
Mar 12 2018
Mac triage: assigning directly to mek@ (one of the dom_storage OWNERs)
Mar 12 2018
dmurph@ is probably a better owner as he is actively working refactoring session storage code. Although unfortunately I don't think his refactoring would actually fix this...