Issue 850223

Issue metadata

Status: Assigned
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Bug

Security DCHECK in <object> showing fallback content.

Project Member Reported by ekaramad@chromium.org, Jun 6 2018

Issue description

Chrome Version: 69.0.3450.0 (Developer Build) (64-bit)


What steps will reproduce the problem?
(1) On a local server, navigate a 'dcheck-always-on' chrome to:
http://127.0.0.1:80/page1.html

where:

page1.html:
 <object src="foo"> <b> Fallback </b> </object>
 <script>
   window.setTimeout(crashIt, 1000);
   function crashIt() {
      // Navigate the frame that the fallback-rendering <object> still exposes to a different site.
      document.querySelector("object").contentDocument.defaultView.location.href = "https://127.0.0.2:80/page2.html";
   }
 </script>

page2.html:
<script>
  window.setTimeout( () => window.location.href = "http://127.0.0.1:80/something.html", 1000);
</script>

(2) Wait for crash.

This goes back to an <object> with fallback content ending up with a frame. It probably shouldn't.

 
[1:1:0606/142817.086210:FATAL:layout_embedded_content.h(95)] Security DCHECK failed: !object || (object->IsLayoutEmbeddedContent()). 
#0 0x7fe1c4ed104c base::debug::StackTrace::StackTrace()
#1 0x7fe1c4e1a6db logging::LogMessage::~LogMessage()
#2 0x7fe1bd2663fe blink::HTMLFrameOwnerElement::SetEmbeddedContentView()
#3 0x7fe1bd011020 blink::WebFrame::Swap()
#4 0x7fe1c2c89f99 content::RenderFrameImpl::SwapIn()
#5 0x7fe1c2c97651 content::RenderFrameImpl::DidCommitProvisionalLoad()
#6 0x7fe1bcff62a2 blink::LocalFrameClientImpl::DispatchDidCommitLoad()
#7 0x7fe1bd6794e9 blink::DocumentLoader::DidCommitNavigation()
#8 0x7fe1bd67834f blink::DocumentLoader::InstallNewDocument()
#9 0x7fe1bd677f4f blink::DocumentLoader::CommitNavigation()
#10 0x7fe1bd676936 blink::DocumentLoader::CommitData()
#11 0x7fe1bd6788c1 blink::DocumentLoader::ProcessData()
#12 0x7fe1bd67883d blink::DocumentLoader::DataReceived()
#13 0x7fe1bb9ddd22 blink::Resource::AppendData()
#14 0x7fe1bb9d7955 blink::RawResource::AppendData()
#15 0x7fe1bba087cb blink::ResourceLoader::DidReceiveData()
#16 0x7fe1c2b68be4 content::WebURLLoaderImpl::Context::OnReceivedData()
#17 0x7fe1c2b697c7 content::WebURLLoaderImpl::RequestPeerImpl::OnReceivedData()
#18 0x7fe1c2b61c9d content::URLResponseBodyConsumer::OnReadable()
#19 0x7fe1c2b61098 content::URLLoaderClientImpl::OnStartLoadingResponseBody()
#20 0x7fe1c1e62eb8 network::mojom::URLLoaderClientStubDispatch::Accept()
#21 0x7fe1c40e6262 mojo::InterfaceEndpointClient::HandleValidatedMessage()
#22 0x7fe1c40e5b46 mojo::FilterChain::Accept()
#23 0x7fe1c40e7772 mojo::InterfaceEndpointClient::HandleIncomingMessage()
#24 0x7fe1c40ee61d mojo::internal::MultiplexRouter::ProcessIncomingMessage()
#25 0x7fe1c40ed9e0 mojo::internal::MultiplexRouter::Accept()
#26 0x7fe1c40e5b46 mojo::FilterChain::Accept()
#27 0x7fe1c40e03fb mojo::Connector::ReadSingleMessage()
#28 0x7fe1c40e0fc4 mojo::Connector::ReadAllAvailableMessages()
#29 0x7fe1c40e0e26 mojo::Connector::OnHandleReadyInternal()
#30 0x7fe1c40e17d4 mojo::SimpleWatcher::DiscardReadyState()
#31 0x7fe1c40a2293 mojo::SimpleWatcher::OnHandleReady()
#32 0x7fe1c40a280e _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo13SimpleWatcherEFvijRKNS3_18HandleSignalsStateEEJNS_7WeakPtrIS4_EEijS5_EEEFvvEE7RunImplIRKS9_RKNSt3__15tupleIJSB_ijS5_EEEJLm0ELm1ELm2ELm3EEEEvOT_OT0_NSI_16integer_sequenceImJXspT1_EEEE
#33 0x7fe1c4dfaf40 base::debug::TaskAnnotator::RunTask()
#34 0x7fe1bba43f5d base::sequence_manager::internal::ThreadControllerImpl::DoWork()
#35 0x7fe1bba45ea8 _ZN4base8internal7InvokerINS0_9BindStateIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS5_8WorkTypeEEJNS_7WeakPtrIS5_EES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#36 0x7fe1c4dfaf40 base::debug::TaskAnnotator::RunTask()
#37 0x7fe1c4e26c96 base::internal::IncomingTaskQueue::RunTask()
#38 0x7fe1c4e2a8c7 base::MessageLoop::RunTask()
#39 0x7fe1c4e2acda base::MessageLoop::DeferOrRunPendingTask()
#40 0x7fe1c4e2af6e base::MessageLoop::DoWork()
#41 0x7fe1c4e2d246 base::MessagePumpDefault::Run()
#42 0x7fe1c4e2a1f1 base::MessageLoop::Run()
#43 0x7fe1c4e5de26 base::RunLoop::Run()
#44 0x7fe1c2ce5af5 content::RendererMain()
#45 0x7fe1c2dc1e25 content::RunZygote()
#46 0x7fe1c2dc2780 content::RunOtherNamedProcessTypeMain()
#47 0x7fe1c2dc3493 content::ContentMainRunnerImpl::Run()
#48 0x7fe1c51426bf service_manager::Main()
#49 0x7fe1c2dc12b4 content::ContentMain()
#50 0x55a5bdf241b3 ChromeMain
#51 0x7fe1b7b432b1 __libc_start_main
#52 0x55a5bdf2402a _start

Received signal 6
#0 0x7fe1c4ed104c base::debug::StackTrace::StackTrace()
#1 0x7fe1c4ed0b21 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fe1b9cc20c0 <unknown>
#3 0x7fe1b7b55fcf gsignal
#4 0x7fe1b7b573fa abort
#5 0x7fe1c4ecf925 base::debug::BreakDebugger()
#6 0x7fe1c4e1aaea logging::LogMessage::~LogMessage()
#7 0x7fe1bd2663fe blink::HTMLFrameOwnerElement::SetEmbeddedContentView()
#8 0x7fe1bd011020 blink::WebFrame::Swap()
#9 0x7fe1c2c89f99 content::RenderFrameImpl::SwapIn()
#10 0x7fe1c2c97651 content::RenderFrameImpl::DidCommitProvisionalLoad()
#11 0x7fe1bcff62a2 blink::LocalFrameClientImpl::DispatchDidCommitLoad()
#12 0x7fe1bd6794e9 blink::DocumentLoader::DidCommitNavigation()
#13 0x7fe1bd67834f blink::DocumentLoader::InstallNewDocument()
#14 0x7fe1bd677f4f blink::DocumentLoader::CommitNavigation()
#15 0x7fe1bd676936 blink::DocumentLoader::CommitData()
#16 0x7fe1bd6788c1 blink::DocumentLoader::ProcessData()
#17 0x7fe1bd67883d blink::DocumentLoader::DataReceived()
#18 0x7fe1bb9ddd22 blink::Resource::AppendData()
#19 0x7fe1bb9d7955 blink::RawResource::AppendData()
#20 0x7fe1bba087cb blink::ResourceLoader::DidReceiveData()
#21 0x7fe1c2b68be4 content::WebURLLoaderImpl::Context::OnReceivedData()
#22 0x7fe1c2b697c7 content::WebURLLoaderImpl::RequestPeerImpl::OnReceivedData()
#23 0x7fe1c2b61c9d content::URLResponseBodyConsumer::OnReadable()
#24 0x7fe1c2b61098 content::URLLoaderClientImpl::OnStartLoadingResponseBody()
#25 0x7fe1c1e62eb8 network::mojom::URLLoaderClientStubDispatch::Accept()
#26 0x7fe1c40e6262 mojo::InterfaceEndpointClient::HandleValidatedMessage()
#27 0x7fe1c40e5b46 mojo::FilterChain::Accept()
#28 0x7fe1c40e7772 mojo::InterfaceEndpointClient::HandleIncomingMessage()
#29 0x7fe1c40ee61d mojo::internal::MultiplexRouter::ProcessIncomingMessage()
#30 0x7fe1c40ed9e0 mojo::internal::MultiplexRouter::Accept()
#31 0x7fe1c40e5b46 mojo::FilterChain::Accept()
#32 0x7fe1c40e03fb mojo::Connector::ReadSingleMessage()
#33 0x7fe1c40e0fc4 mojo::Connector::ReadAllAvailableMessages()
#34 0x7fe1c40e0e26 mojo::Connector::OnHandleReadyInternal()
#35 0x7fe1c40e17d4 mojo::SimpleWatcher::DiscardReadyState()
#36 0x7fe1c40a2293 mojo::SimpleWatcher::OnHandleReady()
#37 0x7fe1c40a280e _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo13SimpleWatcherEFvijRKNS3_18HandleSignalsStateEEJNS_7WeakPtrIS4_EEijS5_EEEFvvEE7RunImplIRKS9_RKNSt3__15tupleIJSB_ijS5_EEEJLm0ELm1ELm2ELm3EEEEvOT_OT0_NSI_16integer_sequenceImJXspT1_EEEE
#38 0x7fe1c4dfaf40 base::debug::TaskAnnotator::RunTask()
#39 0x7fe1bba43f5d base::sequence_manager::internal::ThreadControllerImpl::DoWork()
#40 0x7fe1bba45ea8 _ZN4base8internal7InvokerINS0_9BindStateIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS5_8WorkTypeEEJNS_7WeakPtrIS5_EES6_EEEFvvEE3RunEPNS0_13BindStateBaseE
#41 0x7fe1c4dfaf40 base::debug::TaskAnnotator::RunTask()
#42 0x7fe1c4e26c96 base::internal::IncomingTaskQueue::RunTask()
#43 0x7fe1c4e2a8c7 base::MessageLoop::RunTask()
#44 0x7fe1c4e2acda base::MessageLoop::DeferOrRunPendingTask()
#45 0x7fe1c4e2af6e base::MessageLoop::DoWork()
#46 0x7fe1c4e2d246 base::MessagePumpDefault::Run()
#47 0x7fe1c4e2a1f1 base::MessageLoop::Run()
#48 0x7fe1c4e5de26 base::RunLoop::Run()
#49 0x7fe1c2ce5af5 content::RendererMain()
#50 0x7fe1c2dc1e25 content::RunZygote()
#51 0x7fe1c2dc2780 content::RunOtherNamedProcessTypeMain()
#52 0x7fe1c2dc3493 content::ContentMainRunnerImpl::Run()
#53 0x7fe1c51426bf service_manager::Main()
#54 0x7fe1c2dc12b4 content::ContentMain()
#55 0x55a5bdf241b3 ChromeMain
#56 0x7fe1b7b432b1 __libc_start_main
#57 0x55a5bdf2402a _start
  r8: 0000000000000000  r9: 00007ffe2d086980 r10: 0000000000000008 r11: 0000000000000246
 r12: 00007ffe2d087098 r13: 00007ffe2d087088 r14: 00007ffe2d087090 r15: 00007ffe2d086c19
  di: 0000000000000002  si: 00007ffe2d086980  bp: 00007ffe2d086bc0  bx: 0000000000000006
  dx: 0000000000000000  ax: 0000000000000000  cx: 00007fe1b7b55fcf  sp: 00007ffe2d0869f8
  ip: 00007fe1b7b55fcf efl: 0000000000000246 cgf: 002b000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

Cc: dcheng@chromium.org
Components: Blink>HTML>Object, Internals>Sandbox>SiteIsolation
Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Description updated: the repro steps now begin with

(0) Use site-per-process.

followed by steps (1) and (2) above, unchanged.

Status: Assigned (was: Available)
