Issue 922878


Issue metadata

Status: Duplicate
Owner: ----
Closed: Jan 17
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Regression

usatoday.com crashes; issue involves about:srcdoc URL

Project Member Reported by erik.and...@microsoft.com, Jan 17 (5 days ago)

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3662.0 Safari/537.36

Steps to reproduce the problem:
We're observing the main page of usatoday.com reliably crashing on the latest Chrome Canary builds.

After reviewing a crash dump, it appears that a stack involving network::mojom::URLLoaderFactoryStubDispatch::Accept+ eventually hits content::BrowserMessageFilter::ShutdownForBadMessage which is in turn killing the renderer. The URL in the dump is about:srcdoc.

100% reproducible repro:
1. Load a page with this: <iframe src="about:srcdoc"></iframe> (or go to usatoday.com)

2. Result: crashes

What is the expected behavior?
Page doesn't crash.

What went wrong?
After reviewing the repro on various builds with bisect-builds.py, I received this output:

You are probably looking for a change made after 620151 (known good), but no later than 620159 (first known bad).
CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/ad3c8c91a0d1d07a4e81dbc29beadfad382fcf3f..02f9f417506bc968be221423ffdc998c46803bc6

The commit labeled, "DocumentLoader: make srcdoc navigations async," looks directly related:
https://chromium.googlesource.com/chromium/src/+/4cd2ca13715b4d1c25c183be3e981ba26354121f
https://chromium-review.googlesource.com/c/chromium/src/+/1390259

Crashed report ID: 

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? Yes 

Chrome version: 73.0.3662.0  Channel: n/a
OS Version: 10.0
Flash Version:
 
Attachment: test.html (109 bytes)

Comment 1 by yhirano@chromium.org, Jan 17 (5 days ago)

Cc: dgozman@chromium.org
Components: Blink>Loader
+dgozman@

Comment 2 by erik.and...@microsoft.com, Jan 17 (5 days ago)

Crash report ID: fd03e175c4ae8e79

Comment 3 by falken@chromium.org, Jan 17 (5 days ago)

Mergedinto: 919839
Status: Duplicate (was: Unconfirmed)
Thanks for the debugging and repro. Looks like this is issue 919839.

Comment 4 by woxxom@gmail.com, Jan 17 (5 days ago)

The fix is crrev.com/c/1409809 (currently WIP).
