
Issue 814494

Starred by 1 user

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




texture_manager.cc(3416) generates a GL_OUT_OF_MEMORY error in Chrome (64.0.3282.167) and Chromium (64.0.3282.140), leading to a segmentation fault

Reported by prjeavon...@googlemail.com, Feb 21 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce the problem:
1. Start Linux Mint 17.3 64-bit. I used VMWare 12 Pro (12.5.4 build-5192485). 2 processors, 8GB ram.
2. Install Chrome (64.0.3282.167) or Chromium (64.0.3282.140)
3. Run either browser with crash_0.html from the console

What is the expected behavior?
When you launch the browser, you get some text to the console (screenshot attached for both) describing what is going on, ending in GL_OUT_OF_MEMORY : glTexImage2d.

It may send a report (if my network is behaving) then the whole browser disappears.

You don't need to interact to make it happen, for me it worked after a few seconds.

What went wrong?
Browser disappears due to some weird HTML (it came out of a fuzzer). From the basic error message it just looked like it was trying to allocate something huge somehow? I've not looked at the HTML.

Crashed report ID: c15e7fcc460ba91d

How much crashed? Whole browser

Is it a problem with a plugin? N/A 

Did this work before? N/A 

Chrome version: 64.0.3282.167  Channel: n/a
OS Version: 17.3 (Linux Mint)
Flash Version: 24.0.0.189

I "found" it because I was on a fuzzing course by Richard Johnson and I launched a fuzzer against chrome and within 50-60 test cases it had caused a segmentation fault. 

I've sent in multiple Report IDs while I was checking its reliability, and the one published is one I sent to a friend who works at Google to see if you guys had it.
Attachments:
crash_0.html (473 KB)
vulndev-training-OC2018-2018-02-21-22-10-04.png (287 KB)
vulndev-training-OC2018-2018-02-21-22-10-27.png (212 KB)
Cc: sandeepkumars@chromium.org
Components: Internals
Labels: Needs-Milestone Needs-Feedback
Tested the issue using #65.0.3325.146 on Linux debian rodete and couldn't reproduce the crash as per the steps mentioned in the original comment.

Crash ID: c15e7fcc460ba91d

Stack trace
===========
Thread 0 (id: 82189) CRASHED [SIGSEGV @ 0x00000004 ] MAGIC SIGNATURE THREAD
Stack Quality: 99%
0x0000555559947bb9	(chrome -gl_renderer.cc:1368 )	viz::GLRenderer::UpdateRPDQTexturesForSampling(viz::DrawRenderPassDrawQuadParams*)
0x0000555559946341	(chrome -gl_renderer.cc:1151 )	viz::GLRenderer::DrawRenderPassQuadInternal(viz::DrawRenderPassDrawQuadParams*)
0x000055555994187d	(chrome -gl_renderer.cc:1123 )	viz::GLRenderer::DoDrawQuad(viz::DrawQuad const*, gfx::QuadF const*)
0x00005555599341a6	(chrome -direct_renderer.cc:561 )	viz::DirectRenderer::DrawRenderPassAndExecuteCopyRequests(viz::RenderPass*)
0x00005555599338d1	(chrome -direct_renderer.cc:329 )	viz::DirectRenderer::DrawFrame(std::__1::vector<std::__1::unique_ptr<viz::RenderPass, std::__1::default_delete<viz::RenderPass> >, std::__1::allocator<std::__1::unique_ptr<viz::RenderPass, std::__1::default_delete<viz::RenderPass> > > >*, float, gfx::Size const&)
0x000055555992fcb3	(chrome -display.cc:342 )	viz::Display::DrawAndSwap()
0x0000555559939e1f	(chrome -display_scheduler.cc:202 )	viz::DisplayScheduler::AttemptDrawAndSwap()
0x0000555559939729	(chrome -display_scheduler.cc:489 )	viz::DisplayScheduler::OnBeginFrameDeadline()
0x00005555586ff42e	(chrome -callback.h:65 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000055555871875a	(chrome -message_loop.cc:391 )	base::MessageLoop::RunTask(base::PendingTask*)
0x0000555558718db4	(chrome -message_loop.cc:403 )	base::MessageLoop::DoWork()
0x000055555871b48c	(chrome -message_pump_glib.cc:309 )	base::MessagePumpGlib::Run(base::MessagePump::Delegate*)
0x000055555873ba23	(chrome -run_loop.cc:114 )	<name omitted>
0x000055555843c5b8	(chrome -chrome_browser_main.cc:1939 )	ChromeBrowserMainParts::MainMessageLoopRun(int*)
0x000055555740b1a0	(chrome -browser_main_loop.cc:1199 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x000055555740d591	(chrome -browser_main_runner.cc:140 )	content::BrowserMainRunnerImpl::Run()
0x0000555557406519	(chrome -browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const&)
0x000055555841cbf7	(chrome -content_main_runner.cc:427 )	content::ContentMainRunnerImpl::Run()
0x0000555558426614	(chrome -main.cc:456 )	service_manager::Main(service_manager::MainParams const&)
0x000055555841b9b0	(chrome -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const&)
0x0000555556d2b3fb	(chrome -chrome_main.cc:130 )	ChromeMain
0x00007ffff1ad7f44	(libc-2.19.so + 0x00021f44 )	
0x0000555556d2b35f	(chrome + 0x017d735f )	
0x0000555556c18fff	(chrome + 0x016c4fff )	
0x00007ffff7dea3c2	(ld-2.19.so + 0x000103c2 )	
0x0000555556c18fff	(chrome + 0x016c4fff )	
0x0000555556c19029	(chrome + 0x016c5029 )	_start
0x00007fffffffdef7		

Note:
1. Unable to test this in mint OS flavour as it isn't available with us
2. Unable to find the exact culprit from the above log

@prjeavons98: Could you please update your Chrome to the latest version #65.0.3325.146 and check if you still face the issue? If so, attach a Crash ID from chrome://crashes.

Thanks!!
Cc: pbomm...@chromium.org thomasanderson@chromium.org
Cc: piman@chromium.org

Comment 4 by piman@chromium.org, Mar 8 2018

Components: -Internals Internals>Compositing
Owner: danakj@chromium.org
Status: Assigned (was: Unconfirmed)
Is the GL_OUT_OF_MEMORY (which should trigger a lost context) causing issues in GLRenderer?

Comment 5 by piman@chromium.org, Mar 8 2018

Cc: bsalomon@chromium.org danakj@chromium.org
Owner: robertphillips@chromium.org
->robertphillips per git blame, looks like getTextureHandle might return NULL in some conditions?
Sorry for the delay. I updated my Chrome to the latest version and checked; it still crashes. The report ID is below.

Uploaded Crash Report ID 4fe0f4bf3e0fc233 (Local Crash ID: Chrome)

Crash report uploaded on Thursday, March 8, 2018 at 4:13:00 PM

If it is useful I can try it out on other similar VMs to see if it is
specific to Mint?

Comment 7 by alexi...@gmail.com, May 28 2018

I've found the same problem on the Linux platform as you. Have you already fixed it? Thanks.
