Issue 918691

Issue metadata

Status: Unconfirmed
Owner: ----
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Browser crash after "a breakpoint has been reached"

Reported by brian.ca...@gmail.com, Jan 2

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce the problem:
While fuzzing Chrome 71.0.3578.98 (x64) with Domato, a crash was caught after a "breakpoint" was reached. I've attached the report generated during the crash, which contains stack and register information, plus the testcases that were created by Domato.

What is the expected behavior?
No crash.

What went wrong?
chrome_child.dll!WTF::Vector<blink::Member<blink::AXObject>,0,blink::HeapAllocator>::insert<const blink::Member<blink::AXObject> &> + 0x67 (id: 4ee) [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\platform\wtf\vector.h @ 1827]]
    chrome_child.dll!blink::AXNodeObject::AddChild + ? (the exact offset is not known) (id: 917) [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\modules\accessibility\ax_node_object.cc @ 2242]]
    chrome_child.dll!blink::AXLayoutObject::AddChildren + 0x14E [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\modules\accessibility\ax_layout_object.cc @ 2018]]
    chrome_child.dll!blink::AXObject::Children + 0x11 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\modules\accessibility\ax_object.cc @ 2107]]
    chrome_child.dll!blink::WebAXObject::ChildCount + 0x34 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\modules\exported\web_ax_object.cc @ 191]]
    chrome_child.dll!content::BlinkAXTreeSource::GetChildren + 0xE0 [[C:\b\c\b\win64_clang\src\content\renderer\accessibility\blink_ax_tree_source.cc @ 387]]
    chrome_child.dll!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::AnyDescendantWasReparented + 0x90 [[C:\b\c\b\win64_clang\src\ui\accessibility\ax_tree_serializer.h @ 319]]
    chrome_child.dll!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::AnyDescendantWasReparented + 0x1B5 [[C:\b\c\b\win64_clang\src\ui\accessibility\ax_tree_serializer.h @ 343]]
    chrome_child.dll!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChanges + 0x149 [[C:\b\c\b\win64_clang\src\ui\accessibility\ax_tree_serializer.h @ 391]]
    chrome_child.dll!content::RenderAccessibilityImpl::SendPendingAccessibilityEvents + 0x5E1 [[C:\b\c\b\win64_clang\src\content\renderer\accessibility\render_accessibility_impl.cc @ 501]]
    chrome_child.dll!IPC::MessageT<AccessibilityMsg_EventBundle_ACK_Meta,std::tuple<int>,void>::Dispatch<content::RenderAccessibilityImpl,content::RenderAccessibilityImpl,void,void (content::RenderAccessibilityImpl::*)(int)> + 0x85 [[C:\b\c\b\win64_clang\src\ipc\ipc_message_templates.h @ 146]]
    chrome_child.dll!content::RenderAccessibilityImpl::OnMessageReceived + 0xF3 [[C:\b\c\b\win64_clang\src\content\renderer\accessibility\render_accessibility_impl.cc @ 193]]
    chrome_child.dll!content::RenderFrameImpl::OnMessageReceived + 0x21D [[C:\b\c\b\win64_clang\src\content\renderer\render_frame_impl.cc @ 2033]]
    chrome_child.dll!IPC::ChannelProxy::Context::OnDispatchMessage + 0x24 [[C:\b\c\b\win64_clang\src\ipc\ipc_channel_proxy.cc @ 321]]
    chrome_child.dll!base::debug::TaskAnnotator::RunTask + 0x120 [[C:\b\c\b\win64_clang\src\base\debug\task_annotator.cc @ 99]]
    chrome_child.dll!base::sequence_manager::internal::ThreadControllerImpl::DoWork + 0x1C2 [[C:\b\c\b\win64_clang\src\base\task\sequence_manager\thread_controller_impl.cc @ 197]]
    chrome_child.dll!base::debug::TaskAnnotator::RunTask + 0x120 [[C:\b\c\b\win64_clang\src\base\debug\task_annotator.cc @ 99]]
    chrome_child.dll!base::MessageLoop::RunTask + 0xDF [[C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 436]]
    chrome_child.dll!base::MessageLoop::DoWork + 0x185 [[C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 517]]
    chrome_child.dll!base::MessagePumpDefault::Run + 0x99 [[C:\b\c\b\win64_clang\src\base\message_loop\message_pump_default.cc @ 37]]
    chrome_child.dll!base::RunLoop::Run + 0x31 [[C:\b\c\b\win64_clang\src\base\run_loop.cc @ 108]]
    chrome_child.dll!content::RunOtherNamedProcessTypeMain + ? (the exact offset is not known) [[C:\b\c\b\win64_clang\src\content\renderer\renderer_main.cc @ 203]]
    chrome_child.dll!content::ContentMainRunnerImpl::Run + 0x171 [[C:\b\c\b\win64_clang\src\content\app\content_main_runner_impl.cc @ 904]]
    chrome_child.dll!service_manager::Main + 0x333 [[C:\b\c\b\win64_clang\src\services\service_manager\embedder\main.cc @ 472]]
    chrome_child.dll!content::ContentMain + 0x3E [[C:\b\c\b\win64_clang\src\content\app\content_main.cc @ 19]]
    chrome_child.dll!ChromeMain + 0x118 [[C:\b\c\b\win64_clang\src\chrome\app\chrome_main.cc @ 0]]
    chrome.exe!MainDllLoader::Launch + 0x26C [[C:\b\c\b\win64_clang\src\chrome\app\main_dll_loader_win.cc @ 201]]
    chrome.exe!wWinMain + 0x5F0 [[C:\b\c\b\win64_clang\src\chrome\app\chrome_exe_main_win.cc @ 229]]
    chrome.exe!__scrt_common_main_seh + 0x106 [[f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283]]
    KERNEL32.DLL!BaseThreadInitThunk + 0x14
    ntdll.dll!RtlUserThreadStart + 0x21

Crashed report ID: N/A

How much crashed? Whole browser

Is it a problem with a plugin? No 

Did this work before? N/A 

Chrome version: 71.0.3578.98 (x64)  Channel: stable
OS Version: Enterprise 10 (Build 17134.rs4_release.180410-1804)
Flash Version: N/A

Command line flags:

'--enable-experimental-accessibility-features', '--enable-experimental-canvas-features', '--enable-experimental-input-view-features', '--enable-experimental-web-platform-features', '--enable-logging=stdout', '--enable-usermedia-screen-capturing', '--enable-viewport', '--enable-webgl-draft-extensions', '--enable-webvr', '--expose-internals-for-testing', '--disable-popup-blocking', '--disable-prompt-on-repost', '--force-renderer-accessibility', '--javascript-harmony', '--js-flags="--expose-gc"', '--no-sandbox', 'file://C:\\Fuzzing\\Tests\\index.html'
Attachment: Breakpoin.zip (2.1 MB)
Cc: rbasuvula@chromium.org
Labels: Needs-Triage-M71 Needs-Feedback
Thanks for filing the issue! Could you please provide the sample steps or any sample HTML file to triage the issue from the test team's end. Provide the crash ID from chrome://crashes of the issue, which would help us to triage the issue further.

Thanks in advance.
The testcase(s) created by Domato which triggered this crash are in the zip file I attached to the original report.
Comment 3 by sheriffbot@chromium.org, Jan 3

Cc: rbasuvula@google.com
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: jbanavatu@chromium.org
Labels: Needs-Feedback
Tested this issue on Windows 10 using Chrome 71.0.3578.98 and no browser crash was observed.

Steps:
1. Launched Chrome
2. Opened the index.html file
3. No crash was observed

Attaching screen-cast for reference.

@Reporter: Could you please look into the screencast and let us know if anything is missed. Also please provide the crash ID from chrome://crashes, which would help us to triage the issue further.

Thanks!
Attachment: Jan 8 2019 12_11 PM.webm (3.3 MB)
I see in your screencast that the command line flags don't match the ones in my original report. I just re-tested with the command line flags that I supplied, and the fuzz-0.html in the zip file triggers the breakpoint and crashes:

A bug was detected
Id @ Location:    Breakpoint 4ee.917 @ chrome.exe!chrome_child.dll!WTF::Vector<...>::insert<...>

Source:           C:\b\c\b\win64_clang\src\third_party\blink\renderer\platform\wtf\vector.h @ 1827

Description:      A breakpoint has been reached.

Security impact:  Denial of Service

Version:          chrome.exe 71.0.3578.98 (x64)
                  chrome_child.dll 71.0.3578.98 (x64)

Bug report:       Breakpoint 4ee.917 @ chrome.exe!chrome_child.dll!WTF..Vector[...]..insert[...].html (110806 bytes)

Crash detected!

Repro and report already saved after previous test detected the same issue.

I don't see anything in chrome://crashes.
Comment 6 by sheriffbot@chromium.org, Jan 8

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot