Issue 773639 link

Starred by 2 users

Issue metadata

Status:	Fixed
Owner:	kouhei@chromium.org
Closed:	Oct 2017
Cc:	ajha@chromium.org kouhei@chromium.org neis@chromium.org hirosh...@chromium.org
Components:	Blink>HTML>Script
EstimatedDays:	----
NextAction:	----
OS:	Linux , Windows , Mac
Pri:	1
Type:	Bug-Regression
Stability-Crash Arch-x86_64 ReleaseBlock-Stable hasbisect-per-revision Via-Wizard-Crashes M-63 Needs-Triage-M63

Crash when using dynamic import with data URL

Reported by s.h.h.n....@gmail.com, Oct 11 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. Go to https://test.shhnjk.com/dynam.html

What is the expected behavior?
No crash.

What went wrong?
Don't know

Crashed report ID: 57cc2be0-e35e-4188-8dc0-be636be01e1f

How much crashed? Just one tab

Is it a problem with a plugin? N/A 

Did this work before? N/A 

Chrome version: 63  Channel: dev
OS Version: 10.0
Flash Version:

Comment 1 by ajha@chromium.org, Oct 11 2017

Cc: ajha@chromium.org
Components: Blink>HTML>Script
Labels: -Type-Bug -Pri-2 hasbisect-per-revision ReleaseBlock-Stable M-63 Needs-Triage-M63 OS-Linux OS-Mac Pri-1 Type-Bug-Regression
Owner: kouhei@chromium.org
Status: Assigned (was: Unconfirmed)

Able to reproduce the issue on the latest canary(63.0.3236.0) on Windows-10, Mac OS 10.12.6 and Linux Ubuntu 14.04. Works fine on the latest beta(62.0.3202.45).

This is regression issue broken in M-63.

Last good build: 63.0.3227.0 
First bad build: 63.0.3228.0

Changelog: 
https://chromium.googlesource.com/chromium/src/+log/6802ffe8616e2846744c2132f18200653f07aed0..4e3e2998d214b6d8a0a009ca71b623d09f187b9e

kouhei@: Could you please take a look at this.

Thank you!

Stack trace of the crash id af9ae31d9e99d276: 

Thread 0 (id: 739828) CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000008 ] MAGIC SIGNATURE THREAD
Stack Quality100%Show frame trust levels
0x00007ff9283ac8d3	(chrome_child.dll -sharedpersistent.h:55 )	blink::SharedPersistent<v8::Value>::NewLocal(v8::Isolate *)
0x00007ff92a32a4bd	(chrome_child.dll -scriptmodule.cpp:194 )	blink::ScriptModule::V8Namespace(v8::Isolate *)
0x00007ff92a33a8a0	(chrome_child.dll -dynamicmoduleresolver.cpp:118 )	blink::`anonymous namespace'::DynamicImportTreeClient::NotifyModuleTreeLoadFinished
0x00007ff92a136c08	(chrome_child.dll -moduletreelinker.cpp:142 )	blink::ModuleTreeLinker::AdvanceState(blink::ModuleTreeLinker::State)
0x00007ff92a137557	(chrome_child.dll -moduletreelinker.cpp:404 )	blink::ModuleTreeLinker::Instantiate()
0x00007ff92a137317	(chrome_child.dll -moduletreelinker.cpp:366 )	blink::ModuleTreeLinker::FinalizeFetchDescendantsForOneModuleScript()
0x00007ff92a1370eb	(chrome_child.dll -moduletreelinker.cpp:272 )	blink::ModuleTreeLinker::FetchDescendants(blink::ModuleScript *)
0x00007ff92a1376b2	(chrome_child.dll -moduletreelinker.cpp:245 )	blink::ModuleTreeLinker::NotifyModuleLoadFinished(blink::ModuleScript *)
0x00007ff9278d9901	(chrome_child.dll -task_annotator.cc:57 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ff9277fe159	(chrome_child.dll -task_queue_manager.cc:531 )	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *,bool,blink::scheduler::LazyNow,base::TimeTicks *)
0x00007ff9278d9132	(chrome_child.dll -task_queue_manager.cc:322 )	blink::scheduler::TaskQueueManager::DoWork(bool)
0x00007ff92794f75e	(chrome_child.dll -bind_internal.h:331 )	base::internal::Invoker<base::internal::BindState<void ( blink::scheduler::TaskQueueManager::*)(bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void >::Run(base::internal::BindStateBase *)
0x00007ff9278d9901	(chrome_child.dll -task_annotator.cc:57 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ff9277fd1dc	(chrome_child.dll -message_loop.cc:406 )	base::MessageLoop::RunTask(base::PendingTask *)
0x00007ff927c9f447	(chrome_child.dll -message_loop.cc:417 )	base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
0x00007ff9278d9f2c	(chrome_child.dll -message_loop.cc:524 )	base::MessageLoop::DoWork()
0x00007ff9278d8f47	(chrome_child.dll -message_pump_default.cc:37 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x00007ff9278fc394	(chrome_child.dll -run_loop.cc:118 )	base::RunLoop::Run()
0x00007ff927971694	(chrome_child.dll -renderer_main.cc:220 )	content::RendererMain(content::MainFunctionParams const &)
0x00007ff9279e9709	(chrome_child.dll -content_main_runner.cc:424 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x00007ff927c1a6db	(chrome_child.dll -content_main_runner.cc:704 )	content::ContentMainRunnerImpl::Run()
0x00007ff927c1cdc5	(chrome_child.dll -main.cc:469 )	service_manager::Main(service_manager::MainParams const &)
0x00007ff927c1dd9e	(chrome_child.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x00007ff927c1dfc1	(chrome_child.dll -chrome_main.cc:123 )	ChromeMain
0x00007ff643977163	(chrome.exe -main_dll_loader_win.cc:199 )	MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x00007ff64397256d	(chrome.exe -chrome_exe_main_win.cc:230 )	wWinMain
0x00007ff643a46382	(chrome.exe -exe_common.inl:283 )	__scrt_common_main_seh
0x00007ff96ef48363	(KERNEL32.DLL + 0x00008363 )	BaseThreadInitThunk
0x00007ff96fcb7090	(ntdll.dll + 0x00067090 )	RtlUserThreadStart

Comment 2 by s.h.h.n....@gmail.com, Oct 11 2017

Is this exploitable Read AV?

Comment 3 by jmukthavaram@chromium.org, Oct 17 2017

kouhei@,
Could you please take a look into this issue & update the thread accordingly as it is marked as stable blocker issue.
Thanks..!

Comment 4 by kouhei@chromium.org, Oct 18 2017

This is fixed at https://chromium-review.googlesource.com/c/chromium/src/+/711634

Comment 5 by kouhei@chromium.org, Oct 18 2017

Status: Fixed (was: Assigned)

Project Member

Comment 6 by blocker...@chrome-infra-auth.iam.gserviceaccount.com, Oct 18 2017

Labels: Merge-TBD

[Auto-generated comment by a script] We noticed that this issue is targeted for M-63; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-63 label, otherwise remove Merge-TBD label. Thanks.

Comment 7 by kouhei@chromium.org, Oct 18 2017

Labels: -Merge-TBD

Should be fine per:
https://storage.googleapis.com/chromium-find-releases-static/b2f.html#b2f553ded0e6e4b194910cf33247c7e81e1f06b2

►

Issue 773639 link

Issue metadata

Crash when using dynamic import with data URL

Issue description

Comment 1 by ajha@chromium.org, Oct 11 2017

Comment 1 Deleted

Comment 2 by s.h.h.n....@gmail.com, Oct 11 2017

Comment 2 Deleted

Comment 3 by jmukthavaram@chromium.org, Oct 17 2017

Comment 3 Deleted

Comment 4 by kouhei@chromium.org, Oct 18 2017

Comment 4 Deleted

Comment 5 by kouhei@chromium.org, Oct 18 2017

Comment 5 Deleted

Comment 6 by blocker...@chrome-infra-auth.iam.gserviceaccount.com, Oct 18 2017

Comment 6 Deleted

Comment 7 by kouhei@chromium.org, Oct 18 2017

Comment 7 Deleted

Sign in to add a comment