CHECK at WTF::Vector<blink::Member<blink::SimpleEditCommand>,0,blink::HeapAllocator>::ReserveCapacity
Reported by quoccuon...@gmail.com, Nov 4
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

Steps to reproduce the problem:
1. Open the attached html file
2. Get crash

What is the expected behavior? Not crash
What went wrong? Chrome works normally
Did this work before? N/A
Chrome version: 70.0.3538.77 Channel: stable
OS Version: 10.0
Flash Version:

Some information from the crash dump:
rax=0000000001377bee rbx=0000540dea6ca4d0 rcx=0000540dea6ca4d0
rdx=0000000001377bee rsi=0000540dea6ca4d0 rdi=0000000001377bee
rip=00007ff92f1b24d9 rsp=0000008b7f1fb2f0 rbp=0000008b7f1fb310
r8=0000008b7f1fb6d8 r9=0000000000000001 r10=0000000000000000
r11=0000321834161038 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=00004daf115a1040
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=0000 ds=0000 es=0000 fs=0053 gs=002b efl=00000206
chrome_child!WTF::Vector<blink::Member<blink::SimpleEditCommand>,0,blink::HeapAllocator>::ReserveCapacity+0x149:
00007ff9`2f1b24d9 cc int 3

Call Stack
 # Child-SP          RetAddr           Call Site
00 0000008b`7f1fb2f0 00007ff9`2f1b2358 chrome_child!WTF::Vector<blink::Member<blink::SimpleEditCommand>,0,blink::HeapAllocator>::ReserveCapacity+0x149 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\platform\wtf\vector.h @ 1653]
01 0000008b`7f1fb350 00007ff9`2f1b2025 chrome_child!WTF::Vector<blink::Member<blink::SimpleEditCommand>,0,blink::HeapAllocator>::AppendSlowCase<blink::SimpleEditCommand *&>+0x38 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\platform\wtf\vector.h @ 1785]
02 0000008b`7f1fb390 00007ff9`2eb83262 chrome_child!blink::UndoStep::Append+0x65 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\editing\commands\undo_step.cc @ 134]
03 0000008b`7f1fb3d0 00007ff9`2eb8c8ba chrome_child!blink::CompositeEditCommand::ApplyCommandToComposite+0xf2 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\editing\commands\composite_edit_command.cc @ 217]
04 0000008b`7f1fb420 00007ff9`2eb8a739 chrome_child!blink::TypingCommand::MakeEditableRootEmpty+0x9a [C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\editing\commands\typing_command.cc @ 742]
05 0000008b`7f1fb4d0 00007ff9`2eb83105 chrome_child!blink::TypingCommand::DeleteKeyPressed+0x759 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\editing\commands\typing_command.cc @ 840]
06 0000008b`7f1fb6b0 00007ff9`2eb89fa4 chrome_child!blink::CompositeEditCommand::Apply+0x115 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\editing\commands\composite_edit_command.cc @ 163]
07 0000008b`7f1fb740 00007ff9`2e44310d chrome_child!blink::TypingCommand::DeleteKeyPressed+0x174 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\editing\commands\typing_command.cc @ 249]
08 0000008b`7f1fb7a0 00007ff9`2e93af29 chrome_child!blink::ExecuteDelete+0x3d [C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\editing\commands\editor_command.cc @ 407]
09 0000008b`7f1fb7d0 00007ff9`2e24a852 chrome_child!blink::Document::execCommand+0x189 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\editing\commands\document_exec_command.cc @ 98]
0a 0000008b`7f1fb840 00007ff9`2c4c13ac chrome_child!blink::V8Document::execCommandMethodCallback+0x392 [C:\b\c\b\win64_clang\src\out\Release_x64\gen\third_party\blink\renderer\bindings\core\v8\v8_document.cc @ 7106]
0b 0000008b`7f1fb930 00007ff9`2d1b43cd chrome_child!v8::internal::FunctionCallbackArguments::Call+0x23c [C:\b\c\b\win64_clang\src\v8\src\api-arguments-inl.h @ 118]
0c 0000008b`7f1fba50 00007ff9`2d1b3ed1 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>+0x1ed [C:\b\c\b\win64_clang\src\v8\src\builtins\builtins-api.cc @ 111]
0d 0000008b`7f1fbb50 00007ff9`2c4c0ef1 chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0x111 [C:\b\c\b\win64_clang\src\v8\src\builtins\builtins-api.cc @ 0]
0e 0000008b`7f1fbc10 00007ff9`2d7aa6d2 chrome_child!v8::internal::Builtin_HandleApiCall+0x31 [C:\b\c\b\win64_clang\src\v8\src\builtins\builtins-api.cc @ 127]
0f 0000008b`7f1fbc70 00000000`00000018 chrome_child!v8::internal::NativesCollection<v8::internal::EXPERIMENTAL_EXTRAS>::GetScriptName+0x92f42
Nov 5
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5758331811266560.
Nov 5
Thanks for your report! We can't edit posts, but don't worry, we know what you mean. :) Is there any chance you can develop a more minimal reproduction case? Thanks!
Nov 5
Testcase 5758331811266560 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5758331811266560.
Nov 6
Yeah, it looks like we'll need a minimized and/or more reproducible test case. You might also try using an ASan build (https://dev.chromium.org/developers/testing/addresssanitizer).
Nov 6
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5685828199907328.
Nov 6
Testcase 5758331811266560 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5758331811266560.
Nov 6
Testcase 5685828199907328 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5685828199907328.
Nov 6
I'm working on analyzing the crash dump. You can get it here.
Nov 6
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 7
Here's a crash report ID from Windows: e33bda4f62ccb11c
Nov 7
Another crash ID: 60e6e1d1e780dd4a. This doesn't look like a security bug; it is hitting a CHECK in the HeapAllocator when the vector tries to expand too much. This might be a Blink bug, but a hard renderer crash like this doesn't have security risks.
Nov 8
Thank you, I confirmed that isn't a security bug.
Nov 13
It seems Blink enters an infinite loop to push UndoStep into the undo stack.
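As an added illustration of the triage reasoning above (a CHECK hit in ReserveCapacity is a controlled abort, not memory corruption) and of the runaway UndoStep loop noted in the last comment, the following is a toy model written for this page; it is not Blink's code. The 1.5x growth policy, the 2 GiB limit and the TOY_CHECK macro are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>

// Assumed illustrative allocation limit, not a real Blink/PartitionAlloc constant.
constexpr size_t kMaxAllocBytes = size_t{1} << 31;
// Toy stand-in for Blink's CHECK(): a failed condition is a deliberate hard abort.
#define TOY_CHECK(cond) do { if (!(cond)) { std::fprintf(stderr, "CHECK failed: %s\n", #cond); std::abort(); } } while (0)

// The unsafe alternative: naive size arithmetic silently wraps, so a huge
// capacity request can become a tiny allocation followed by out-of-bounds
// writes. A CHECK in ReserveCapacity exists to rule exactly this out.
size_t UnguardedBytes(size_t capacity, size_t elem_size) {
  return capacity * elem_size;
}

// Guarded growth (assumed 1.5x + 1 policy): false whenever the grown capacity
// or its byte size is unrepresentable or over the limit.
bool TryGrowCapacity(size_t old_capacity, size_t elem_size, size_t* out) {
  size_t grown = old_capacity + old_capacity / 2 + 1;
  if (grown < old_capacity) return false;  // the addition wrapped around
  size_t bytes = 0;
  if (__builtin_mul_overflow(grown, elem_size, &bytes)) return false;
  if (bytes > kMaxAllocBytes) return false;
  *out = grown;
  return true;
}
bool CanGrow(size_t old_capacity, size_t elem_size) {
  size_t unused = 0;
  return TryGrowCapacity(old_capacity, elem_size, &unused);
}

// ReserveCapacity-style entry point: a refused request is a controlled renderer
// crash, not memory corruption, which is why the triage comment treats the
// CHECK hit as a stability bug rather than a security bug.
size_t ReserveGrown(size_t old_capacity, size_t elem_size) {
  size_t new_capacity = 0;
  TOY_CHECK(TryGrowCapacity(old_capacity, elem_size, &new_capacity));
  return new_capacity;
}

// Models the runaway append loop from the last comment: every step forces a
// reallocation; returns how many growths succeed before the guard refuses.
size_t GrowthStepsUntilRefusal(size_t elem_size) {
  size_t capacity = 0, steps = 0;
  while (TryGrowCapacity(capacity, elem_size, &capacity)) ++steps;
  return steps;
}
```

With 8-byte elements (a Member<> handle) the modelled loop is refused after a few dozen geometric growth steps, well before the size arithmetic could wrap.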