devtool console crashes with Reporting Observer API
Reported by
s.h.h.n....@gmail.com,
Aug 4
|
||||||||||||||
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36
Steps to reproduce the problem:
1. Open attached file.
2. Open console.
3. Run following scripts
document.body.appendChild(document.createElement("iframe")).src="/";
document.origin;
What is the expected behavior?
nothing happens
What went wrong?
crash
Crashed report ID:
How much crashed? Just one tab
Is it a problem with a plugin? N/A
Did this work before? N/A
Chrome version: 69 Channel: dev
OS Version: OS X 10.13.6
Flash Version:
,
Aug 6
""" 0x0000000103ce672e (Google Chrome Framework -handles.h:57 ) v8::Function::GetScriptOrigin() const 0x0000000107f729b6 (Google Chrome Framework -ad_tracker.cc:76 ) blink::AdTracker::Will(blink::probe::CallFunction const&) 0x000000010850a6ca (Google Chrome Framework -CoreProbesImpl.cpp:1679 ) blink::probe::CallFunction::CallFunction(blink::ExecutionContext*, v8::Local<v8::Function>, int) 0x0000000107761ccc (Google Chrome Framework -v8_script_runner.cc:399 ) blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) 0x00000001077bb8b8 (Google Chrome Framework -v8_reporting_observer_callback.cc:88 ) blink::V8ReportingObserverCallback::Invoke(blink::ScriptWrappable*, blink::HeapVector<blink::Member<blink::Report>, 0u> const&, blink::ReportingObserver*) 0x00000001077bba0d (Google Chrome Framework -v8_reporting_observer_callback.cc:110 ) <name omitted> 0x0000000107fe0c1a (Google Chrome Framework -reporting_observer.cc:37 ) blink::ReportingObserver::ReportToCallback() 0x0000000104b3f7c1 (Google Chrome Framework -callback.h:99 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 0x0000000104ba862e (Google Chrome Framework -thread_controller_impl.cc:169 ) base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) 0x0000000104b3f7c1 (Google Chrome Framework -callback.h:99 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 0x0000000104b5d94e (Google Chrome Framework -message_loop.cc:431 ) base::MessageLoop::RunTask(base::PendingTask*) 0x0000000104b5ddf2 (Google Chrome Framework -message_loop.cc:442 ) base::MessageLoop::DoWork() 0x0000000104b60669 (Google Chrome Framework -message_pump_mac.mm:455 ) base::MessagePumpCFRunLoopBase::RunWork() 0x0000000104b519c9 (Google Chrome Framework + 0x023639c9 ) base::mac::CallWithEHFrame(void () block_pointer) 0x0000000104b5ff8e (Google Chrome Framework -message_pump_mac.mm:431 ) base::MessagePumpCFRunLoopBase::RunWorkSource(void*) """ Blink? v8?
,
Aug 8
ReportingObserver V8 crash. Was able to Repro on Linux 70.0.3516 (ToT)
,
Aug 8
This looks like a bindings issue, not one internal to V8: the v8::Local<v8::Function> handle is null, so likely a lifetime issue in ReportingObserver.
,
Aug 8
This looks a lot like a crash paulmeyer@ recently investigated (wrapper tracing issues with ReportingObserver). Assigning to him for now?
,
Aug 9
,
Aug 9
Yeah, it looks like this is the same issue that I was seeing (and was able to fix locally as part of another CL I was working on). I'll split the fix out and have that CL up shortly.
,
Aug 13
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/52caf3be7af82054c47426dd7c567afb71ebec83 commit 52caf3be7af82054c47426dd7c567afb71ebec83 Author: Paul Meyer <paulmeyer@chromium.org> Date: Mon Aug 13 16:59:43 2018 Fix crash in DevTools when using ReportingObserver. This crash was caused by incorrect wrapper tracing with ReportingObserver. This CL fixes this by making ReportingObserver ActiveScriptWrappable. Bug: 870930 Change-Id: Ie46db964c98b028c96d9deb2066c7db9ca0d449f Reviewed-on: https://chromium-review.googlesource.com/1169434 Commit-Queue: Paul Meyer <paulmeyer@chromium.org> Reviewed-by: Nate Chapin <japhet@chromium.org> Cr-Commit-Position: refs/heads/master@{#582620} [modify] https://crrev.com/52caf3be7af82054c47426dd7c567afb71ebec83/third_party/WebKit/LayoutTests/reporting-observer/resources/deprecation.js [modify] https://crrev.com/52caf3be7af82054c47426dd7c567afb71ebec83/third_party/blink/renderer/core/frame/reporting_observer.cc [modify] https://crrev.com/52caf3be7af82054c47426dd7c567afb71ebec83/third_party/blink/renderer/core/frame/reporting_observer.h [modify] https://crrev.com/52caf3be7af82054c47426dd7c567afb71ebec83/third_party/blink/renderer/core/frame/reporting_observer.idl
,
Aug 13
,
Aug 13
,
Aug 13
Pls apply appropriate OSs label.
,
Aug 14
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 14
As this is Blink change, adding Android, Desktop and Chrome OS labels. Before we approve merge to M69, please answer followings: * Is this M69 regression? Is it critical? (Currently marked as P2) * Is the change well baked/verified in Canary, having enough automation tests coverage and safe to merge to M69? * Any other important details to justify the merge. Please note M69 is already in Beta, so merge bar is very high. Thank you.
,
Aug 14
Sorry, yes, it should have been a P1. ReportingObserver is in M69, and and I believe that these crashes are a serious problem, so this fix should really go with the ReportingObserver feature in M69.
,
Aug 14
Thank you, How safe is the change to merge?
,
Aug 14
In my opinion, very safe, since the change is small, and I've updated the test to test that the fix is working properly.
,
Aug 14
Approving merge to M69 branch 3497 based on comment #14, #16 and per offline chat with paulmeyer@.
,
Aug 15
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0e4b2bd8ac4a7c8c0eb78c1fbd6f4c2df7dd64a4 commit 0e4b2bd8ac4a7c8c0eb78c1fbd6f4c2df7dd64a4 Author: Paul Meyer <paulmeyer@chromium.org> Date: Wed Aug 15 18:03:39 2018 Fix crash in DevTools when using ReportingObserver. This crash was caused by incorrect wrapper tracing with ReportingObserver. This CL fixes this by making ReportingObserver ActiveScriptWrappable. Bug: 870930 Change-Id: Ie46db964c98b028c96d9deb2066c7db9ca0d449f Reviewed-on: https://chromium-review.googlesource.com/1169434 Commit-Queue: Paul Meyer <paulmeyer@chromium.org> Reviewed-by: Nate Chapin <japhet@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#582620}(cherry picked from commit 52caf3be7af82054c47426dd7c567afb71ebec83) Reviewed-on: https://chromium-review.googlesource.com/1174778 Reviewed-by: Paul Meyer <paulmeyer@chromium.org> Cr-Commit-Position: refs/branch-heads/3497@{#649} Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753} [modify] https://crrev.com/0e4b2bd8ac4a7c8c0eb78c1fbd6f4c2df7dd64a4/third_party/WebKit/LayoutTests/reporting-observer/resources/deprecation.js [modify] https://crrev.com/0e4b2bd8ac4a7c8c0eb78c1fbd6f4c2df7dd64a4/third_party/blink/renderer/core/frame/reporting_observer.cc [modify] https://crrev.com/0e4b2bd8ac4a7c8c0eb78c1fbd6f4c2df7dd64a4/third_party/blink/renderer/core/frame/reporting_observer.h [modify] https://crrev.com/0e4b2bd8ac4a7c8c0eb78c1fbd6f4c2df7dd64a4/third_party/blink/renderer/core/frame/reporting_observer.idl
,
Aug 17
Issue 873623 has been merged into this issue.
,
Aug 17
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Aug 17
oh, was this a security bug? |
||||||||||||||
►
Sign in to add a comment |
||||||||||||||
Comment 1 by s.h.h.n....@gmail.com
, Aug 4