Issue metadata
Sign in to add a comment
|
Chrome: Crash Report - content::WebContentsImpl::NotifySwappedFromRenderManager |
||||||||||||||||||||||
Issue descriptionFiling this manually as facing issue creating bug from go/crash due to b/111623637. Stack trace of 7f2ea872bbd8d2ed Thread 0 (id: 0x20a4) CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000000 ] MAGIC SIGNATURE THREAD Stack Quality100%Show frame trust levels 0x00007ffe67f3a997 (chrome.dll -web_contents_impl.cc:5749 ) content::WebContentsImpl::NotifySwappedFromRenderManager(content::RenderFrameHost *,content::RenderFrameHost *,bool) 0x00007ffe67f8ad10 (chrome.dll -render_frame_host_manager.cc:2166 ) content::RenderFrameHostManager::CommitPending() 0x00007ffe688c6806 (chrome.dll -render_frame_host_manager.cc:265 ) content::RenderFrameHostManager::CommitPendingIfNecessary(content::RenderFrameHostImpl *,bool,bool) 0x00007ffe688c673a (chrome.dll -render_frame_host_manager.cc:230 ) content::RenderFrameHostManager::DidNavigateFrame(content::RenderFrameHostImpl *,bool,bool) 0x00007ffe68248d93 (chrome.dll -navigator_impl.cc:449 ) content::NavigatorImpl::DidNavigate(content::RenderFrameHostImpl *,FrameHostMsg_DidCommitProvisionalLoad_Params const &,std::unique_ptr<content::NavigationHandleImpl,std::default_delete<content::NavigationHandleImpl> >,bool) 0x00007ffe68244d2c (chrome.dll -render_frame_host_impl.cc:5253 ) content::RenderFrameHostImpl::DidCommitNavigationInternal(FrameHostMsg_DidCommitProvisionalLoad_Params *,bool) 0x00007ffe682448a6 (chrome.dll -render_frame_host_impl.cc:1711 ) content::RenderFrameHostImpl::DidCommitProvisionalLoad(std::unique_ptr<FrameHostMsg_DidCommitProvisionalLoad_Params,std::default_delete<FrameHostMsg_DidCommitProvisionalLoad_Params> >,mojo::InterfaceRequest<service_manager::mojom::InterfaceProvider>) 0x00007ffe68233312 (chrome.dll -frame.mojom.cc:2533 ) content::mojom::FrameHostStubDispatch::Accept(content::mojom::FrameHost *,mojo::Message *) 0x00007ffe692747f0 (chrome.dll -ipc_mojo_bootstrap.cc:847 ) IPC::`anonymous namespace'::ChannelAssociatedGroupController::AcceptOnProxyThread 0x00007ffe69272cd5 (chrome.dll -bind_internal.h:603 ) base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message),scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>,base::internal::PassedWrapper<mojo::Message> >,void ()>::Run 0x00007ffe67c60094 (chrome.dll -task_annotator.cc:101 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *) 0x00007ffe67c5fb6b (chrome.dll -message_loop.cc:319 ) base::MessageLoop::RunTask(base::PendingTask *) 0x00007ffe67c5f5b7 (chrome.dll -message_loop.cc:373 ) base::MessageLoop::DoWork() 0x00007ffe67d53a58 (chrome.dll -message_pump_win.cc:177 ) base::MessagePumpForUI::DoRunLoop() 0x00007ffe67ca4c47 (chrome.dll -message_pump_win.cc:56 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *) 0x00007ffe67c5f110 (chrome.dll -run_loop.cc:102 ) base::RunLoop::Run() 0x00007ffe67feca51 (chrome.dll -chrome_browser_main.cc:2153 ) ChromeBrowserMainParts::MainMessageLoopRun(int *) 0x00007ffe67fec847 (chrome.dll -browser_main_loop.cc:978 ) content::BrowserMainLoop::RunMainMessageLoopParts() 0x00007ffe67fec7f2 (chrome.dll -browser_main_runner_impl.cc:169 ) content::BrowserMainRunnerImpl::Run() 0x00007ffe687dae52 (chrome.dll -browser_main.cc:51 ) content::BrowserMain(content::MainFunctionParams const &,std::unique_ptr<content::BrowserProcessSubThread,std::default_delete<content::BrowserProcessSubThread> >) 0x00007ffe68d21b3a (chrome.dll -content_main_runner_impl.cc:620 ) content::RunBrowserProcessMain(content::MainFunctionParams const &,content::ContentMainDelegate *,std::unique_ptr<content::BrowserProcessSubThread,std::default_delete<content::BrowserProcessSubThread> >) 0x00007ffe67c55985 (chrome.dll -content_main_runner_impl.cc:964 ) content::ContentMainRunnerImpl::Run() 0x00007ffe67c45172 (chrome.dll -main.cc:459 ) service_manager::Main(service_manager::MainParams const &) 0x00007ffe67c44a07 (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &) 0x00007ffe67c41af1 (chrome.dll -chrome_main.cc:101 ) ChromeMain 0x00007ff6e59635d5 (chrome.exe -main_dll_loader_win.cc:201 ) MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks) 0x00007ff6e5961698 (chrome.exe -chrome_exe_main_win.cc:230 ) wWinMain 0x00007ff6e5a3be35 (chrome.exe -exe_common.inl:283 ) __scrt_common_main_seh 0x00007ffeb1f33033 (KERNEL32.DLL + 0x00013033 ) BaseThreadInitThunk 0x00007ffeb47d1430 (ntdll.dll + 0x00071430 ) RtlUserThreadStart Link to the crashes: ==================== https://crash.corp.google.com/browse?q=product_name%3D%27Chrome%27+AND+expanded_custom_data.ChromeCrashProto.channel%3D%27beta%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27browser%27+AND+expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27content%3A%3AWebContentsImpl%3A%3ANotifySwappedFromRenderManager%27#-productname:1000,-magicsignature:50,+filepath,-magicsignature2:50,-stablesignature:50,-magicsignaturesorted:50 Crash data on other channels: ----------------------------- 69.0.3493.3 3.52% 5 - Dev 68.0.3440.68 22.54% 32 - Beta 67.0.3396.99 14.08% 20 - Stable Note: ===== 1. This issue starting seen on M64-64.0.3282.167. But, recently spiked in latest Beta M68 - 68.0.3440.68 2. This is 'Browser' crash listed under Beta build 68.0.3440.68 for Windows on 30 different client ID's. 3. Currently this crash is ranked as number #9 with 31 instances. 4. Most of the crashes are observed on Windows 10 OS. 5. Since there is sudden spike in crashes in latest Beta, marking this crash as RB-Stable, please feel free to edit if this is not the case. 6. Crashes are not observed on Mac, Linux and Android. Regression Range: 68.0.3440.59 - Good 68.0.3440.68 - Bad From the above regression range, suspecting the change https://chromium.googlesource.com/chromium/src/+/8da446508bb2890542a71ea6814cc1ef24951a34 creis@ -- Could you please take a look into this issue. From the code search for the file 'render_frame_host_impl.cc', also suspecting the change - https://chromium.googlesource.com/chromium/src/+/d3bfdb09875f6b6cdadd5075d7c1f7305b5118ec clamy@ - Could you also take a look into this crash. Thanks!
,
Jul 24
I don't see a connection with the merge of the beforeunload fix in r575133, but maybe Alex can spot one? Doesn't seem like it could have been clamy@'s r574553, since that landed in 69.0.3491.0 and wasn't merged to M68.
,
Jul 24
There might be a connection. Looking at some crash dumps, I see that the navigating frame's RFHI becomes nullptr somewhere along the road from entering RFHI::DidCommitProvisionalLoad() to the NotifySwappedFromRenderManager() call in RFHM::CommitPending(). This is also happening in the main frame. The most likely explanation is that in CommitPending(), slightly before NotifySwappedFromRenderManager() we call frame_tree_node_->ResetForNewProcess(). As part of that, a subframe's destruction might trigger a beforeunload ACK to an ancestor frame, which we know from issue 866382 can cause a reentrant call to TabStripModel::CloseWebContentses() (if there's a pending tab close in parallel with the navigation), which might destroy the WebContentsImpl, RFHM, and main frame RFHI. After we unwind the stack, we'll come back to CommitPending() with the freed WebContentsImpl/RFHM/RFHI (which is what I see in the crash dumps with |this| being null), and crash when we try to dereference something -- in this case, this is probably new_host->GetRenderViewHost() in NotifySwappedFromRenderManager(), where |new_host| is null. I think the fix for issue 866382 of scheduling the beforeunload ACK when destroying a subframe's RFHI should fix this issue as well.
,
Jul 24
,
Jul 24
Proactively marking Restrict-View-Security given the discussion of returning to freed objects, in case there's a UaF here. Alex thinks the repro steps at least require user interaction, which would be a mitigating factor if so.
,
Jul 25
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fe000eecfd314aff088f7d981f96b19a80a20515 commit fe000eecfd314aff088f7d981f96b19a80a20515 Author: Alex Moshchuk <alexmos@chromium.org> Date: Wed Jul 25 00:01:13 2018 Schedule OnBeforeUnloadACK to prevent reentrancy when destroying a RFHI. Previously, it was possible that in the middle of closing a tab and shutting down the main frame's process, we could call ResetForNewProcess() to clear the main frame's children, but destroying a child's RenderFrameHostImpl could reenter TabStripModel::CloseWebContentses if the main frame was also waiting for that child's beforeunload ACK. This could result in freeing state such as the WebContents or main frame's RFHM and RFHI, and then later unwinding the stack to proceed with the first CloseWebContentses and running into crashes when trying to dereference pointers which were already freed or nulled out. To prevent this reentrancy, schedule the beforeunload ACK in the cases where it's used for tab close. This is similar to a fix for issue 851400, but addresses a new way to get the reentrant calls that became possible after r575133. Bug: 866382 , 866365 Change-Id: Id20068cb24f457f1fae1005050d46441dac78d9a Reviewed-on: https://chromium-review.googlesource.com/1148775 Reviewed-by: Charlie Reis <creis@chromium.org> Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#577736} [modify] https://crrev.com/fe000eecfd314aff088f7d981f96b19a80a20515/chrome/browser/chrome_site_per_process_browsertest.cc [modify] https://crrev.com/fe000eecfd314aff088f7d981f96b19a80a20515/content/browser/frame_host/render_frame_host_impl.cc [modify] https://crrev.com/fe000eecfd314aff088f7d981f96b19a80a20515/content/browser/frame_host/render_frame_host_impl.h
,
Jul 26
This appears to be fixed by r577736. We're monitoring the crashes and will request merge in issue 866382 .
,
Jul 27
,
Jul 27
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/838874422ea8a995a120ac284e386b209ce4c533 commit 838874422ea8a995a120ac284e386b209ce4c533 Author: Alex Moshchuk <alexmos@chromium.org> Date: Fri Jul 27 17:22:48 2018 Schedule OnBeforeUnloadACK to prevent reentrancy when destroying a RFHI (Merge to M69) Previously, it was possible that in the middle of closing a tab and shutting down the main frame's process, we could call ResetForNewProcess() to clear the main frame's children, but destroying a child's RenderFrameHostImpl could reenter TabStripModel::CloseWebContentses if the main frame was also waiting for that child's beforeunload ACK. This could result in freeing state such as the WebContents or main frame's RFHM and RFHI, and then later unwinding the stack to proceed with the first CloseWebContentses and running into crashes when trying to dereference pointers which were already freed or nulled out. To prevent this reentrancy, schedule the beforeunload ACK in the cases where it's used for tab close. This is similar to a fix for issue 851400, but addresses a new way to get the reentrant calls that became possible after r575133. TBR=alexmos@chromium.org (cherry picked from commit fe000eecfd314aff088f7d981f96b19a80a20515) Bug: 866382 , 866365 Change-Id: Id20068cb24f457f1fae1005050d46441dac78d9a Reviewed-on: https://chromium-review.googlesource.com/1148775 Reviewed-by: Charlie Reis <creis@chromium.org> Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#577736} Reviewed-on: https://chromium-review.googlesource.com/1153366 Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/branch-heads/3497@{#162} Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753} [modify] https://crrev.com/838874422ea8a995a120ac284e386b209ce4c533/chrome/browser/chrome_site_per_process_browsertest.cc [modify] https://crrev.com/838874422ea8a995a120ac284e386b209ce4c533/content/browser/frame_host/render_frame_host_impl.cc [modify] https://crrev.com/838874422ea8a995a120ac284e386b209ce4c533/content/browser/frame_host/render_frame_host_impl.h
,
Jul 27
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3cccf1a40279cf1f5d789358f80c15deb6c884c2 commit 3cccf1a40279cf1f5d789358f80c15deb6c884c2 Author: Charlie Reis <creis@chromium.org> Date: Fri Jul 27 18:31:35 2018 Merge to M68: Schedule OnBeforeUnloadACK to prevent reentrancy when destroying a RFHI. Previously, it was possible that in the middle of closing a tab and shutting down the main frame's process, we could call ResetForNewProcess() to clear the main frame's children, but destroying a child's RenderFrameHostImpl could reenter TabStripModel::CloseWebContentses if the main frame was also waiting for that child's beforeunload ACK. This could result in freeing state such as the WebContents or main frame's RFHM and RFHI, and then later unwinding the stack to proceed with the first CloseWebContentses and running into crashes when trying to dereference pointers which were already freed or nulled out. To prevent this reentrancy, schedule the beforeunload ACK in the cases where it's used for tab close. This is similar to a fix for issue 851400, but addresses a new way to get the reentrant calls that became possible after r575133. Bug: 866382 , 866365 Change-Id: Id20068cb24f457f1fae1005050d46441dac78d9a Reviewed-on: https://chromium-review.googlesource.com/1148775 Reviewed-by: Charlie Reis <creis@chromium.org> Commit-Queue: Alex Moshchuk <alexmos@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#577736} Reviewed-on: https://chromium-review.googlesource.com/1153223 Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/branch-heads/3440@{#761} Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733} [modify] https://crrev.com/3cccf1a40279cf1f5d789358f80c15deb6c884c2/chrome/browser/chrome_site_per_process_browsertest.cc [modify] https://crrev.com/3cccf1a40279cf1f5d789358f80c15deb6c884c2/content/browser/frame_host/render_frame_host_impl.cc [modify] https://crrev.com/3cccf1a40279cf1f5d789358f80c15deb6c884c2/content/browser/frame_host/render_frame_host_impl.h
,
Nov 2
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by bhthompson@google.com
, Jul 23