
Issue 870829

Starred by 5 users

Issue metadata

Status: Assigned
OS: Android , Chrome
Pri: 2
Type: Bug-Regression




Chrome_Android: Crash Report - [Renderer kill] password_manager::bad_message::`anonymous namespace'::ReceivedBadMessage

Project Member Reported by crash-fe...@system.gserviceaccount.com, Aug 3

Issue description

reporter:pbommana@google.com

Magic Signature: [Renderer kill] password_manager::bad_message::`anonymous namespace'::ReceivedBadMessage

Crash link: https://crash.corp.google.com/browse?q=product_name%3D%27Chrome_Android%27+AND+expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BRenderer+kill%5D+password_manager%3A%3Abad_message%3A%3A%60anonymous+namespace%5C%27%3A%3AReceivedBadMessage%27&stbtiq=&reportid=&index=0

-------------------------------------------------------------------------------
Sample Report
-------------------------------------------------------------------------------
Product name: Chrome_Android
Magic Signature : [Renderer kill] password_manager::bad_message::`anonymous namespace'::ReceivedBadMessage
Product Version: 70.0.3505.0
Process type: renderer
Report ID: 4cdc1ad40dfea15d
Report Url: https://crash.corp.google.com/4cdc1ad40dfea15d
Report Time: 2018-08-03T03:16:06-07:00
Upload Time: 2018-08-03T03:16:51.242-07:00
Uptime: 94177 ms
OS Name: Android
OS Version: 0.0.0 Linux 3.4.0-4745659 #1 SMP PREEMPT Mon Aug 3 16:10:12 KST 2015 armv7l
CPU Architecture: arm
CPU Info: ARMv7 Qualcomm Krait features: swp,half,thumb,fastmult,vfpv2,edsp,neon,vfpv3,tls,vfpv4

-------------------------------------------------------------------------------
Crashing thread: Thread index: 0. Stack Quality: 99%. Thread id: 9680.
-------------------------------------------------------------------------------
0xa0e6457d (libchrome.so - exception_handler.cc: 679)	google_breakpad::ExceptionHandler::WriteMinidump()
0xa1c5a1a5 (libchrome.so - breakpad_linux.cc: 758)	breakpad::(anonymous namespace)::DumpProcess()
0xa0b7a151 (libchrome.so - dump_without_crashing.cc: 23)	base::debug::DumpWithoutCrashing()
0xa05c5f7f (libchrome.so - render_process_host_impl.cc: 2416)	content::RenderProcessHostImpl::ShutdownForBadMessage(content::RenderProcessHost::CrashReportMode)
0xa1c3de57 (libchrome.so - bad_message.cc: 29)	password_manager::bad_message::(anonymous namespace)::ReceivedBadMessage(content::RenderProcessHost*, password_manager::BadMessageReason)
0xa1c3dd9d (libchrome.so - bad_message.cc)	password_manager::bad_message::(anonymous namespace)::CheckChildProcessSecurityPolicyForURL(content::RenderFrameHost*, GURL const&, password_manager::BadMessageReason)
0xa1c3dcf7 (libchrome.so - bad_message.cc: 64)	password_manager::bad_message::CheckChildProcessSecurityPolicy(content::RenderFrameHost*, autofill::PasswordForm const&, password_manager::BadMessageReason)
0xa11b7e61 (libchrome.so - bad_message.cc: 75)	password_manager::bad_message::CheckChildProcessSecurityPolicy(content::RenderFrameHost*, std::__ndk1::vector<autofill::PasswordForm, std::__ndk1::allocator<autofill::PasswordForm> > const&, password_manager::BadMessageReason)
0xa0ae68e7 (libchrome.so - chrome_password_manager_client.cc: 891)	ChromePasswordManagerClient::PasswordFormsParsed(std::__ndk1::vector<autofill::PasswordForm, std::__ndk1::allocator<autofill::PasswordForm> > const&)
0xa11b783d (libchrome.so - autofill_driver.mojom.cc: 2165)	autofill::mojom::PasswordManagerDriverStubDispatch::Accept(autofill::mojom::PasswordManagerDriver*, mojo::Message*)
0xa0f7651b (libchrome.so - interface_endpoint_client.cc: 423)	mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message*)
0xa0d4ba3b (libchrome.so - ipc_mojo_bootstrap.cc: 864)	IPC::(anonymous namespace)::ChannelAssociatedGroupController::AcceptOnProxyThread(mojo::Message)
0xa10dd7cf (libchrome.so - bind_internal.h: 516)	base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, base::internal::PassedWrapper<mojo::Message> >, void ()>::Run(base::internal::BindStateBase*)
0xa0f450df (libchrome.so - callback.h: 99)	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0xa0f44d5d (libchrome.so - message_loop.cc: 427)	base::MessageLoop::RunTask(base::PendingTask*)
0xa0f1de5d (libchrome.so - message_loop.cc: 438)	base::MessageLoop::DoWork()
0xa0f447ef (libchrome.so - message_pump_android.cc: 145)	base::MessagePumpForUI::OnNonDelayedLooperCallback()
0xa0f447c7 (libchrome.so - message_pump_android.cc: 61)	base::(anonymous namespace)::NonDelayedLooperCallback(int, int, void*)
0xb6c5a30f (libutils.so + 0x0001030f)	android::SimpleLooperCallback::handleEvent(int, int, void*)
0xb6c5af6f (libutils.so + 0x00010f6f)	android::Looper::pollInner(int)
0xb6c5cc84 (libutils.so + 0x00012c84)	virtual thunk to android::WeakMessageHandler::~WeakMessageHandler()

-------------------------------------------------------------------------------
Manual regression range finder link
-------------------------------------------------------------------------------
https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BRenderer+kill%5D+password_manager%3A%3Abad_message%3A%3A%60anonymous+namespace%5C%27%3A%3AReceivedBadMessage%27#-property-selector,-samplereports,+productname,+productversion:1000,+directory,-clientid,+operatingsystem,+url,+simplifiedurl,+extensions

 
Cc: pbomm...@chromium.org battre@chromium.org
Components: Internals>Sandbox>SiteIsolation
Labels: -Type-Bug RegressedIn-69 M-69 Target-70 M-70 FoundIn-70 Target-69 FoundIn-69 OS-Chrome Type-Bug-Regression
Owner: vasi...@chromium.org
Status: Assigned (was: Untriaged)
This is a new regression which started in Chrome version 69.0.3475.0 and has been crashing on all M69 and M70 builds since then; the relative crash rate is in single digits apart from a few builds.

Please find crash impact on Chrome versions here: https://goto.google.com/lktlj


Suspected CL: https://chromium.googlesource.com/chromium/src.git/+/329c827741377f2367a2bc02f82d1ad9a791c095


Note: Since the crash rate is low, I am not tagging this with any blocker labels as of now; if the crash rate spikes, I will up the priority and tag it as a stable blocker.
Labels: TE-CrashTriage
Cc: vasi...@chromium.org
Owner: alex...@chromium.org
Hi Alex, some time ago I strengthened a check in ChildProcessSecurityPolicy for the password manager after discussion with you. Here is the crash caught.
What do you do in such cases?
Cc: alex...@chromium.org
Owner: nasko@chromium.org
Most likely, this crash means that we are committing a site into the wrong renderer process (locked to another site), and then kill the renderer process when it tries to request passwords. We typically debug this by looking at minidumps and crash keys set in the crash reports. Since this seems Android-specific, we can really only look at crash keys and try to add debugging code to catch this earlier, when a site commits to an incorrect process.

Looking at the crashes here, 145 out of 146 have killed_process_origin_lock set to chrome-error://chromewebdata/ (the lone exception is 569e3ada5ff5b942 and probably has --site-per-process enabled through Finch).  This means this is probably related to error page isolation and the cookie kills in issue 866549, which Nasko is investigating right now, so I'll reassign to him for now.
Issue 882392 has been merged into this issue.
Cc: rsesek@chromium.org
Issue 887914 has been merged into this issue.
Labels: -Restrict-View-EditIssue
Issue 887914 reports that this happens with Blob URLs with <input type=password>
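
The following is an added sketch, not part of the original thread and not Chromium's code. It models the failure discussed above: a browser-side handler checks each reported form origin against the renderer's origin lock, kills the renderer on a mismatch, and records the lock in a crash key. All type and function names are hypothetical, the form origin is constructed, and the rule that an unlocked process may host any origin is an assumption; only `killed_process_origin_lock` and the `chrome-error://chromewebdata/` lock value come from the issue.

```cpp
// Simplified model of a browser-side bad-message check. Not Chromium code:
// type and function names are hypothetical; only the crash key name
// killed_process_origin_lock and the chrome-error:// URL come from the issue.
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct PasswordForm { std::string origin; };

struct Browser {
  std::map<int, std::string> origin_lock;  // renderer pid -> lock ("" = unlocked)
  std::map<int, std::string> killed_process_origin_lock;  // crash key per kill

  // Assumption: an unlocked process may host any origin; a locked one only its own.
  bool LockAllows(int pid, const std::string& origin) const {
    auto it = origin_lock.find(pid);
    if (it == origin_lock.end()) return false;  // unknown renderer: deny
    return it->second.empty() || it->second == origin;
  }

  // Validates every form the renderer reports before any credential lookup.
  // Returns false and records the kill if one origin is outside the lock.
  bool HandleFormsParsed(int pid, const std::vector<PasswordForm>& forms) {
    for (const PasswordForm& form : forms) {
      if (!LockAllows(pid, form.origin)) {
        killed_process_origin_lock[pid] = origin_lock[pid];
        origin_lock.erase(pid);  // renderer is terminated
        return false;
      }
    }
    return true;
  }
};

int main() {
  Browser b;
  b.origin_lock[1] = "chrome-error://chromewebdata/";  // error-page process
  b.origin_lock[2] = "";                               // ordinary unlocked process
  // Constructed sample form origin.
  std::vector<PasswordForm> forms = {PasswordForm{"https://login.example.test"}};
  std::cout << b.HandleFormsParsed(2, forms) << "\n";  // accepted
  std::cout << b.HandleFormsParsed(1, forms) << "\n";  // rejected, renderer killed
  std::cout << b.killed_process_origin_lock[1] << "\n";
}
```

In this model the kill fires at the password IPC, well after the mismatched commit, which is why the recorded lock value is the main clue available when triaging such reports.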
