Headless Chrome target crashes on a specific page (+seg fault bonus)
Reported by xivans1...@gmail.com, Feb 12 2018
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/63.0.3239.132 Chrome/63.0.3239.132 Safari/537.36
Steps to reproduce the problem:
1. Run the following commands through dev-tools web socket:
=> {"method":"Page.enable","id":1}
<= {"id":1,"result":{}}
=> {"params":{"url":"http://5cplucom.com/"},"method":"Page.navigate","id":2}
<= {"id":2,"result":{"frameId":"(8338AF30BAABE313704AE31D5AA67DB6)","loaderId":"(D4892938A943EA9E98AB7DD759E35FEA)"}}
<= {"method":"Page.frameStartedLoading","params":{"frameId":"(8338AF30BAABE313704AE31D5AA67DB6)"}}
<= {"method":"Page.frameNavigated","params":{"frame":{"id":"(8338AF30BAABE313704AE31D5AA67DB6)","loaderId":"(F117AF2DDB2F44475ACEDD36B2DD74A6)","url":"http://5cplucom.com/","securityOrigin":"http://5cplucom.com","mimeType":"text/html"}}}
<= {"method":"Inspector.targetCrashed","params":{}}
Observe: the Inspector.targetCrashed event was fired.
2. Almost the same as step 1, but with a segmentation fault:
=> {"method":"Page.enable","id":1}
<= {"id":1,"result":{}}
=> {"params":{"deviceScaleFactor":1,"height":600,"screenWidth":800,"screenHeight":600,"mobile":false,"width":800},"method":"Emulation.setDeviceMetricsOverride","id":2}
<= {"id":2,"result":{}}
=> {"params":{"url":"http://5cplucom.com/"},"method":"Page.navigate","id":3}
<= {"id":3,"result":{"frameId":"(DDE62C2C4A91DD4177B8295EABC22C7D)","loaderId":"(F56816BAA8BB54F771C352B4A3C9A8EA)"}}
<= {"method":"Page.frameStartedLoading","params":{"frameId":"(DDE62C2C4A91DD4177B8295EABC22C7D)"}}
<= {"method":"Page.frameNavigated","params":{"frame":{"id":"(DDE62C2C4A91DD4177B8295EABC22C7D)","loaderId":"(B1B15542AF1FED12612A620393E9B45E)","url":"http://5cplucom.com/","securityOrigin":"http://5cplucom.com","mimeType":"text/html"}}}
<= {"method":"Inspector.targetCrashed","params":{}}
=> {"params":{},"method":"Page.captureScreenshot","id":4}
Note: the Emulation.setDeviceMetricsOverride call (#2) is required to reproduce the seg fault.
Observe: the Chrome process has exited with an error:
<--- Last few GCs --->
[6575:0x3eafdb9c8000] 75640 ms: Scavenge 6.4 (11.9) -> 5.7 (12.4) MB, 0.8 / 0.0 ms idle task
[6575:0x3eafdb9c8000] 75709 ms: Scavenge 8.5 (12.9) -> 7.4 (13.9) MB, 2.1 / 0.2 ms allocation failure
[6575:0x3eafdb9c8000] 82961 ms: Mark-sweep 1729.0 (1734.3) -> 613.3 (624.8) MB, 92.1 / 0.1 ms (+ 10.8 ms in 6 steps since start of marking, biggest step 2.4 ms, walltime since start of marking 6361 ms) allocation failure GC in old space requested
<--- JS stacktrace --->
==== JS stack trace =========================================
Security context: 0x3dc60d973d49 <String[19]: http://5cplucom.com>
1: /* anonymous */(aka /* anonymous */) [http://5cplucom.com/jquery.sly.js:~96] [pc=0x3d32641c374a](this=0x203f486822d1 <undefined>)
3: /* anonymous */(aka /* anonymous */) [http://5cplucom.com/jquery.sly.js:1077] [bytecode=0x2f7c41e6fe9 offset=303](this=0x203f486822d1 <undefined>)
5: new Plugin [http://5cplucom.com/jquery.sly.js:1343] [bytecode=0x2f7c41e63a1 o...
Failed to generate minidump.Received signal 11 SEGV_MAPERR 000000000000
#0 0x5557b5942757 base::debug::StackTrace::StackTrace()
#1 0x5557b59422cf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f7a4f81d390 <unknown>
#3 0x5557b4832475 content::protocol::PageHandler::CaptureScreenshot()
#4 0x5557b472a587 content::protocol::Page::DispatcherImpl::captureScreenshot()
#5 0x5557b470f7ef content::protocol::Browser::DispatcherImpl::dispatch()
#6 0x5557b4730ae3 content::protocol::UberDispatcher::dispatch()
#7 0x5557b4812a1f content::DevToolsSession::Dispatch()
#8 0x5557b484a08c content::RenderFrameDevToolsAgentHost::DispatchProtocolMessage()
#9 0x5557b480a376 content::DevToolsHttpHandler::OnWebSocketMessage()
#10 0x5557b5942e8b base::debug::TaskAnnotator::RunTask()
#11 0x5557b595ac1b base::MessageLoop::RunTask()
#12 0x5557b595b28b base::MessageLoop::DoWork()
#13 0x5557b595c8aa base::(anonymous namespace)::WorkSourceDispatch()
#14 0x7f7a4e779197 g_main_context_dispatch
#15 0x7f7a4e7793f0 <unknown>
#16 0x7f7a4e77949c g_main_context_iteration
#17 0x5557b595c796 base::MessagePumpGlib::Run()
#18 0x5557b5979630 base::RunLoop::Run()
#19 0x5557b47c5a64 content::BrowserMainLoop::MainMessageLoopRun()
#20 0x5557b47c585e content::BrowserMainLoop::RunMainMessageLoopParts()
#21 0x5557b47c82ed content::BrowserMainRunnerImpl::Run()
#22 0x5557b9352a1a headless::HeadlessContentMainDelegate::RunProcess()
#23 0x5557b5649737 content::RunNamedProcessTypeMain()
#24 0x5557b564a18d content::ContentMainRunnerImpl::Run()
#25 0x5557b5651d34 service_manager::Main()
#26 0x5557b5648cd2 content::ContentMain()
#27 0x5557b80d8b15 headless::(anonymous namespace)::RunContentMain()
#28 0x5557b80d8b8c headless::HeadlessBrowserMain()
#29 0x5557b564fb17 headless::HeadlessShellMain()
#30 0x5557b421d2fe ChromeMain
#31 0x7f7a4948e830 __libc_start_main
#32 0x5557b421d150 <unknown>
r8: 0000000000000000 r9: 00007ffc9bf2c058 r10: 0000000000000000 r11: 00007f7a49602f90
r12: 000019188fe15b80 r13: 0000000000000000 r14: 000019188fd09400 r15: 0000000000000050
di: 000019188fd09440 si: 00001918901a6640 bp: 00007ffc9bf2c001 bx: 00007ffc9bf2c060
dx: 0000000000000000 ax: 0000000000000000 cx: 000019188fd09400 sp: 00007ffc9bf2be30
ip: 00005557b4832475 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
What is the expected behavior?
Chrome target should not crash.
Chrome should not die with seg fault.
What went wrong?
Chrome crashed.
Did this work before? No
Chrome version: 64.0.3282.119 Channel: stable
OS Version: Ubuntu 16.04
Flash Version:
Also reproducible on 62.0.3195.0.
Comment 1 by krajshree@chromium.org, Feb 12 2018
xivans123x can you share the script you're using to reproduce this crash? It looks like you're taking a screenshot after you know the target has crashed. I'm assuming it's that (exacerbated with the device emulation) that triggers the segfault. We can fix the segfault, but you shouldn't expect to take a screenshot of a page after it's crashed. :) Are you primarily filing the bug to sort out why headless is crashing after loading this URL?
Feb 13 2018
>> xivans123x can you share the script you're using to reproduce this crash?
I don't have any scripts that automate reproduction of this (but you can manually open a web socket and send the commands above). If the 'script' is really required, I can build a simple JVM jar for you.
>> We can fix the segfault, but you shouldn't expect to take a screenshot of a page after it's crashed. :)
I already fixed my app to not do anything if the event 'Inspector.targetCrashed' was fired.
>> Are you primarily filing the bug to sort out why headless is crashing after loading this URL?
Actually, I want both issues to be fixed. Even if I don't call captureScreenshot after targetCrashed now, I have spent a few hours figuring out why my app is crashing.
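The command sequence from the report, together with the mitigation the reporter describes in the reply above (stop issuing commands once Inspector.targetCrashed has been seen), as an added Python example that is not part of the bug report or of Chromium. It drives the DevTools protocol over any object exposing send()/recv(), replays a constructed copy of the reporter's frames offline (ids and frame ids shortened, http://example.invalid/ standing in for the page URL), and refuses to send Page.captureScreenshot after a crash instead of issuing it blindly. The websocket_transport helper and its use of the third-party websocket-client package are assumptions for attaching to a live browser.

```python
import base64
import json
from collections import deque


class TargetCrashed(RuntimeError):
    """Chrome sent Inspector.targetCrashed: the renderer for this target is gone."""


class ReplayTransport:
    """Offline stand-in for the WebSocket (constructed for this example):
    replays fixed incoming frames and records every frame the client sends."""

    def __init__(self, incoming):
        self.incoming = deque(incoming)
        self.sent = []

    def send(self, text):
        self.sent.append(text)

    def recv(self):
        if not self.incoming:
            raise ConnectionError("transport closed with no further frames")
        return self.incoming.popleft()


def websocket_transport(ws_url):
    """Attach to a live headless Chrome instead of the replay. Assumes the
    third-party websocket-client package, whose create_connection() object
    already exposes send()/recv(). Not exercised offline."""
    import websocket  # lazy import: the offline replay needs no extra package
    return websocket.create_connection(ws_url)


class CdpSession:
    """Request/response layer over a transport with send(str) and recv() -> str."""

    def __init__(self, transport, max_frames=200):
        self.transport = transport
        self.max_frames = max_frames  # upper bound on frames drained per wait
        self.next_id = 1
        self.crashed = False

    def _next(self):
        msg = json.loads(self.transport.recv())
        # The crash event can arrive between any two frames; remember it for good.
        if msg.get("method") == "Inspector.targetCrashed":
            self.crashed = True
            raise TargetCrashed("Inspector.targetCrashed received")
        return msg

    def call(self, method, params=None):
        """Send one command and return its result, draining events meanwhile."""
        if self.crashed:  # never talk to a dead target (what the report's step 2 did)
            raise TargetCrashed("refusing %s on a crashed target" % method)
        msg_id = self.next_id
        self.next_id += 1
        self.transport.send(json.dumps(
            {"id": msg_id, "method": method, "params": params or {}}))
        for _ in range(self.max_frames):
            msg = self._next()
            if msg.get("id") == msg_id:
                if "error" in msg:
                    raise RuntimeError("%s failed: %r" % (method, msg["error"]))
                return msg.get("result", {})
        raise TimeoutError("no response to %s" % method)

    def wait_for(self, event):
        """Drain frames until `event` arrives; a crash raises TargetCrashed."""
        for _ in range(self.max_frames):
            msg = self._next()
            if msg.get("method") == event:
                return msg.get("params", {})
        raise TimeoutError("never saw %s" % event)


# Viewport from the report's second sequence (Emulation.setDeviceMetricsOverride).
VIEWPORT = {"width": 800, "height": 600, "screenWidth": 800,
            "screenHeight": 600, "deviceScaleFactor": 1, "mobile": False}


def screenshot_after_navigate(transport, url, viewport=None):
    """Navigate to `url` and return the screenshot as PNG bytes, or None if the
    target crashed, in which case Page.captureScreenshot is never sent."""
    session = CdpSession(transport)
    try:
        session.call("Page.enable")
        if viewport:
            session.call("Emulation.setDeviceMetricsOverride", viewport)
        session.call("Page.navigate", {"url": url})
        session.wait_for("Page.loadEventFired")
        result = session.call("Page.captureScreenshot")
    except TargetCrashed:
        return None
    return base64.b64decode(result["data"])


def methods_sent(transport):
    """Names of the commands a ReplayTransport saw, in order."""
    return [json.loads(frame)["method"] for frame in transport.sent]


# Constructed replays (not live captures; ids and frame ids shortened).
CRASHING_FRAMES = [  # mirrors the report's second sequence up to the crash
    '{"id":1,"result":{}}',
    '{"id":2,"result":{}}',
    '{"id":3,"result":{"frameId":"F1","loaderId":"L1"}}',
    '{"method":"Page.frameStartedLoading","params":{"frameId":"F1"}}',
    '{"method":"Page.frameNavigated","params":{"frame":{"id":"F1","url":"http://example.invalid/"}}}',
    '{"method":"Inspector.targetCrashed","params":{}}',
]
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n"  # only the PNG signature; enough for a round trip
HEALTHY_FRAMES = [  # a page that loads normally, for contrast
    '{"id":1,"result":{}}',
    '{"id":2,"result":{}}',
    '{"id":3,"result":{"frameId":"F1","loaderId":"L1"}}',
    '{"method":"Page.loadEventFired","params":{"timestamp":1.0}}',
    '{"id":4,"result":{"data":"%s"}}' % base64.b64encode(SAMPLE_PNG).decode(),
]

if __name__ == "__main__":
    for frames in (CRASHING_FRAMES, HEALTHY_FRAMES):
        print(screenshot_after_navigate(ReplayTransport(frames), "http://example.invalid/", VIEWPORT))
```

Against a real browser, start it with --remote-debugging-port=9222, read the target's webSocketDebuggerUrl from http://localhost:9222/json, and pass websocket_transport(that_url) in place of the replay; the session logic is the same, and the point is that a crash seen while waiting for the load poisons the session so that no later command (screenshot or otherwise) is sent to a target that no longer exists.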
Feb 13 2018
The same behavior can also be reproduced on 'http://solang.su/'.
Feb 14 2018
Mar 3 2018
Dec 19
I don't see any crashes with chrome 73.0.3638.0; considering this fixed.