MicrosoftEdge / WebView2Feedback

Feedback and discussions about Microsoft Edge WebView2
https://aka.ms/webview2

[Problem/Bug]: Application Crashes on Post call from webview2 #4308

Open sshenoyofficial opened 9 months ago

sshenoyofficial commented 9 months ago

What happened?

We have a React application hosted in a WebView2 (version 98.0.1108.62) launched from an MFC desktop application. Occasionally, the application crashes when making a Post API call using the axios library.

Note: We have seen this crash on webview2 version (118.0.2088.69) as well

Below is the call stack. We have address sanitizer configured which reports "Deallocation Of freed memory" exception during the crash.

KernelBase.dll!_RaiseException@16()
OurAppWebView.ocx!vcasan::OnAsanReport(const char description, const char report, bool throw) Line 600 at D:\a_work\1\s\src\vctools\crt\asan\vcasan\vcasan.cpp(600)
OurAppWebView.ocx!vcasan::ReportCallback(const char * szReport) Line 324 at D:\a_work\1\s\src\vctools\crt\asan\vcasan\vcasan.cpp(324)
clang_rt.asan_dbg_dynamic-i386.dll!__asan::ScopedInErrorReport::~ScopedInErrorReport(void)
clang_rt.asan_dbg_dynamic-i386.dll!asan::ReportDoubleFree(unsigned long,struct sanitizer::BufferedStackTrace )
clang_rt.asan_dbg_dynamic-i386.dll!__asan::Allocator::Deallocate(void ,unsigned long,unsigned long,struct sanitizer::BufferedStackTrace *,enum asan::AllocType)
clang_rt.asan_dbg_dynamic-i386.dll!asan::asan_free(void ,struct __sanitizer::BufferedStackTrace ,enum asan::AllocType)
clang_rt.asan_dbgdynamic-i386.dll!asan_wrap_RtlFreeHeap@12()
combase.dll!CRetailMalloc_Free(IMalloc pThis, void pv) Line 658 at onecore\com\combase\class\memapi.cxx(658)
oleaut32.dll!APP_DATA::FreeCachedMem()
oleaut32.dll!VariantClear()
EmbeddedBrowserWebView.dll!base::win::ScopedVariant::~ScopedVariant(void)
EmbeddedBrowserWebView.dll!embedded_browser_webview_current::EmbeddedBrowserHost::PostMethodCall(int,class std::1::basic_string<char,struct std::__1::char_traits,class std::1::allocator > const &,class std::1::basic_string<char,struct std::__1::char_traits,class std::1::allocator > const &,class absl::optional<class std::1::basic_string<char,struct std::__1::char_traits,class std::1::allocator > > const &,int)
EmbeddedBrowserWebView.dll!embedded_browser_webview_current::EmbeddedBrowserHost::PostMethodCallSync(int,class std::1::basic_string<char,struct std::__1::char_traits,class std::1::allocator > const &,class std::1::basic_string<char,struct std::__1::char_traits,class std::1::allocator > const &,class absl::optional<class std::1::basic_string<char,struct std::__1::char_traits,class std::1::allocator > > const &,int,class base::OnceCallback)
EmbeddedBrowserWebView.dll!embedded_browser::mojom::HostStubDispatch::AcceptWithResponder(class embedded_browser::mojom::Host ,class mojo::Message ,class std::1::unique_ptr<class mojo::MessageReceiverWithStatus,struct std::__1::default_delete >)
EmbeddedBrowserWebView.dll!embedded_browser::mojom::HostStub<struct mojo::RawPtrImplRefTraits >::AcceptWithResponder(class mojo::Message *,class std::1::unique_ptr<class mojo::MessageReceiverWithStatus,struct std::1::default_delete >)
EmbeddedBrowserWebView.dll!mojo::InterfaceEndpointClient::HandleValidatedMessage()
EmbeddedBrowserWebView.dll!mojo::MessageDispatcher::Accept(class mojo::Message )
EmbeddedBrowserWebView.dll!mojo::InterfaceEndpointClient::HandleIncomingMessage(class mojo::Message )
EmbeddedBrowserWebView.dll!mojo::internal::MultiplexRouter::ProcessIncomingMessage()
EmbeddedBrowserWebView.dll!mojo::internal::MultiplexRouter::Accept(class mojo::Message )
EmbeddedBrowserWebView.dll!mojo::MessageDispatcher::Accept(class mojo::Message )
EmbeddedBrowserWebView.dll!mojo::Connector::DispatchMessageW()
EmbeddedBrowserWebView.dll!mojo::Connector::ReadAllAvailableMessages()
EmbeddedBrowserWebView.dll!mojo::Connector::OnHandleReadyInternal()
EmbeddedBrowserWebView.dll!base::internal::Invoker<base::internal::BindState<void (embedded_browser::mojom::EmbeddedBrowserClient_OnPermissionRequest_ProxyToResponder::)(embedded_browser::mojom::PermissionState) attribute((thiscall)),std::1::unique_ptr<embedded_browser::mojom::EmbeddedBrowserClient_OnPermissionRequest_ProxyToResponder,std::1::default_delete>>,void (embedded_browser::mojom::PermissionState)>::RunOnce()
EmbeddedBrowserWebView.dll!mojo::SimpleWatcher::DiscardReadyState()
EmbeddedBrowserWebView.dll!base::internal::Invoker<base::internal::BindState<void ()(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)>>,void (unsigned int, const mojo::HandleSignalsState &)>::Run()
EmbeddedBrowserWebView.dll!mojo::SimpleWatcher::OnHandleReady()
EmbeddedBrowserWebView.dll!base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, const mojo::HandleSignalsState &) attribute((thiscall)),base::WeakPtr,int,unsigned int,mojo::HandleSignalsState>,void ()>::RunOnce()
EmbeddedBrowserWebView.dll!base::TaskAnnotator::RunTaskImpl(struct base::PendingTask &)
EmbeddedBrowserWebView.dll!base::TaskAnnotator::RunTask<>()
EmbeddedBrowserWebView.dll!embedded_browser_webview::internal::AppTaskRunner::DoWork()
EmbeddedBrowserWebView.dll!embedded_browser_webview::internal::AppTaskRunner::MessageCallback()
EmbeddedBrowserWebView.dll!base::internal::Invoker<base::internal::BindState<bool (embedded_browser_webview::internal::AppTaskRunner::)(unsigned int, unsigned int, long, long ) attribute((thiscall)),base::internal::UnretainedWrapper>,bool (unsigned int, unsigned int, long, long *)>::Run()
EmbeddedBrowserWebView.dll!base::win::MessageWindow::WindowProc()
EmbeddedBrowserWebView.dll!base::win::WrappedWindowProc<&base::win::MessageWindow::WindowProc>()
user32.dll!InternalCallWinProc@20()
user32.dll!UserCallWinProcCheckWow()
user32.dll!DispatchMessageWorker()
user32.dll!_DispatchMessageA@4()
mfc140d.dll!AfxInternalPumpMessage() Line 181 at D:\a_work\1\s\src\vctools\VC7Libs\Ship\ATLMFC\Src\MFC\thrdcore.cpp(181)
mfc140d.dll!CWinThread::PumpMessage() Line 900 at D:\a_work\1\s\src\vctools\VC7Libs\Ship\ATLMFC\Src\MFC\thrdcore.cpp(900)
mfc140d.dll!CWinThread::Run() Line 629 at D:\a_work\1\s\src\vctools\VC7Libs\Ship\ATLMFC\Src\MFC\thrdcore.cpp(629)
OurApp.dll!COurAppThrd::Run() Line 439 at C:\code\OurApp\OurApp.cpp(439)
mfc140d.dll!_AfxThreadEntry(void pParam) Line 122 at D:\a_work\1\s\src\vctools\VC7Libs\Ship\ATLMFC\Src\MFC\thrdcore.cpp(122)
ucrtbased.dll!thread_start<unsigned int (__stdcall)(void ),1>(void const parameter) Line 97 at minkernel\crts\ucrt\src\appcrt\startup\thread.cpp(97)
clang_rt.asan_dbg_dynamic-i386.dll!asan::AsanThread::ThreadStart(unsigned int64,struct __sanitizer::atomic_uintptr_t *)
clang_rt.asan_dbg_dynamic-i386.dll!asan_thread_start()
kernel32.dll!@BaseThreadInitThunk@12()
ntdll.dll!RtlUserThreadStart()
ntdll.dll!RtlUserThreadStart@8()

Importance

Important. My app's user experience is significantly compromised.

Runtime Channel

Stable release (WebView2 Runtime)

Runtime Version

98.0.1108.62

SDK Version

1.0.1108.44

Framework

Win32

Operating System

Windows 10, Windows 11, Windows Server

OS Version

No response

Repro steps

An API call is made via axios Post method like below:

// axiosInstance and payload come from the enclosing scope (not shown in the report).
const service = async () => {
    console.log("CustomPost" + payload.uri);
    return axiosInstance.post(payload.uri, payload.data);
};

The api call does reach our service layer, but the hosting application crashes before the call completes.

Repros in Edge Browser

Not Applicable

Regression

No, this never worked

Last working version (if regression)

No response

github-actions[bot] commented 9 months ago

Hi, @sshenoyofficial!

It seems that your issue contains the word "crash". If you have not already, could you attach a crash dump as a comment?

WV2 crash dumps are located in a subfolder of the app's user data folder (UDF): <UDF>\EBWebView\Crashpad\reports\. By default, the user data folder is created in the app's folder with a name like <App Exe Name>.exe.WebView2. Refer to Crash Diagnostics for more information.

Thank you for your cooperation!

sshenoyofficial commented 9 months ago

No files were added into \EBWebView\Crashpad\reports\ when the application crashes. We have the ETW trace, which we can share over email if needed.

vbryh-msft commented 9 months ago

Hi, we have rewritten the implementation for Host objects since version 98. I see the last crashes spiking in EmbeddedBrowserHost::PostMethodCall in version 100. Are you able to repro it in the latest stable, which is 120? Could you please share the dump from the latest versions? It will save us a lot of time.

sshenoyofficial commented 9 months ago

We tested with version 120.0.2210.144 and the crash still happens. Please find the call stack below.

ntdll.dll!_RtlReportCriticalFailure@12()
ntdll.dll!_RtlpReportHeapFailure@4()
ntdll.dll!_RtlpHpHeapHandleError@12()
ntdll.dll!_RtlpLogHeapFailure@24()
ntdll.dll!RtlSizeHeap()
combase.dll!CRetailMalloc_GetSize(IMalloc pThis, void pv) Line 681 at onecore\com\combase\class\memapi.cxx(681)
oleaut32.dll!APP_DATA::FreeCachedMem()
oleaut32.dll!VariantClear()
EmbeddedBrowserWebView.dll!base::win::ScopedVariant::~ScopedVariant(void)
EmbeddedBrowserWebView.dll!embedded_browser_webview_current::EmbeddedBrowserHost::PostMethodCallCommon()
EmbeddedBrowserWebView.dll!embedded_browser_webview_current::EmbeddedBrowserHost::PostMethodCallSync(int,class std::Cr::basic_string<char,struct std::__Cr::char_traits,class std::Cr::allocator > const &,class std::Cr::basic_string<char,struct std::__Cr::char_traits,class std::Cr::allocator > const &,class std::Cr::optional<class std::Cr::basic_string<char,struct std::Cr::char_traits,class std::Cr::allocator > > const &,int,class base::OnceCallback)
EmbeddedBrowserWebView.dll!embedded_browser::mojom::HostStubDispatch::AcceptWithResponder(class embedded_browser::mojom::Host ,class mojo::Message ,class std::Cr::unique_ptr<class mojo::MessageReceiverWithStatus,struct std::Cr::default_delete >)
EmbeddedBrowserWebView.dll!embedded_browser::mojom::HostStub<struct mojo::RawPtrImplRefTraits >::AcceptWithResponder(class mojo::Message ,class std::__Cr::unique_ptr<class mojo::MessageReceiverWithStatus,struct std::__Cr::default_delete >)
EmbeddedBrowserWebView.dll!mojo::InterfaceEndpointClient::HandleValidatedMessage()
EmbeddedBrowserWebView.dll!mojo::MessageDispatcher::Accept(class mojo::Message )
EmbeddedBrowserWebView.dll!mojo::InterfaceEndpointClient::HandleIncomingMessage(class mojo::Message )
EmbeddedBrowserWebView.dll!mojo::internal::MultiplexRouter::ProcessIncomingMessage()
EmbeddedBrowserWebView.dll!mojo::internal::MultiplexRouter::Accept(class mojo::Message )
EmbeddedBrowserWebView.dll!mojo::MessageDispatcher::Accept(class mojo::Message )
EmbeddedBrowserWebView.dll!mojo::Connector::DispatchMessageW()
EmbeddedBrowserWebView.dll!mojo::Connector::ReadAllAvailableMessages()
EmbeddedBrowserWebView.dll!mojo::Connector::OnHandleReadyInternal()
EmbeddedBrowserWebView.dll!mojo::Connector::OnWatcherHandleReady()
EmbeddedBrowserWebView.dll!base::internal::Invoker<base::internal::BindState<void (mojo::Connector::)(const char , unsigned int) attribute((thiscall)),base::internal::UnretainedWrapper<mojo::Connector,base::unretained_traits::MayNotDangle,0>,base::internal::UnretainedWrapper<const char,base::unretained_traits::MayNotDangle,0>>,void (unsigned int)>::Run()
EmbeddedBrowserWebView.dll!base::RepeatingCallback::Run(class std::Cr::basic_string<char,struct std::__Cr::char_traits,class std::Cr::allocator > const &)
EmbeddedBrowserWebView.dll!mojo::SimpleWatcher::DiscardReadyState()
EmbeddedBrowserWebView.dll!base::internal::Invoker<base::internal::BindState<void ()(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)>>,void (unsigned int, const mojo::HandleSignalsState &)>::Run()
EmbeddedBrowserWebView.dll!base::RepeatingCallback<void (IUnknown , embedded_browser_webview::internal::ResourceState)>::Run()
EmbeddedBrowserWebView.dll!mojo::SimpleWatcher::OnHandleReady()
EmbeddedBrowserWebView.dll!base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::)(int, unsigned int, const mojo::HandleSignalsState &) attribute((thiscall)),base::WeakPtr,int,unsigned int,mojo::HandleSignalsState>,void ()>::RunOnce()
EmbeddedBrowserWebView.dll!base::TaskAnnotator::RunTaskImpl(struct base::PendingTask &)
EmbeddedBrowserWebView.dll!base::TaskAnnotator::RunTask<>()
EmbeddedBrowserWebView.dll!embedded_browser_webview::internal::AppTaskRunner::DoWork()
EmbeddedBrowserWebView.dll!embedded_browser_webview::internal::AppTaskRunner::MessageCallback()
EmbeddedBrowserWebView.dll!base::internal::Invoker<base::internal::BindState<bool (embedded_browser_webview::internal::AppTaskRunner::)(unsigned int, unsigned int, long, long ) attribute((thiscall)),base::internal::UnretainedWrapper<embedded_browser_webview::internal::AppTaskRunner,base::unretained_traits::MayNotDangle,0>>,bool (unsigned int, unsigned int, long, long )>::Run()
EmbeddedBrowserWebView.dll!base::win::MessageWindow::WindowProc()
EmbeddedBrowserWebView.dll!base::win::WrappedWindowProc<&base::win::MessageWindow::WindowProc>()
user32.dll!__InternalCallWinProc@20()
user32.dll!UserCallWinProcCheckWow()
user32.dll!DispatchMessageWorker()
user32.dll!_DispatchMessageA@4()
mfc140d.dll!AfxInternalPumpMessage() Line 181 at D:\a_work\1\s\src\vctools\VC7Libs\Ship\ATLMFC\Src\MFC\thrdcore.cpp(181)
mfc140d.dll!CWinThread::PumpMessage() Line 900 at D:\a_work\1\s\src\vctools\VC7Libs\Ship\ATLMFC\Src\MFC\thrdcore.cpp(900)
mfc140d.dll!CWinThread::Run() Line 629 at D:\a_work\1\s\src\vctools\VC7Libs\Ship\ATLMFC\Src\MFC\thrdcore.cpp(629)
OurApp.dll!COurAppThrd::Run() Line 439 at C:\code\OurApp\OurApp.cpp(439)
mfc140d.dll!_AfxThreadEntry(void pParam) Line 122 at D:\a_work\1\s\src\vctools\VC7Libs\Ship\ATLMFC\Src\MFC\thrdcore.cpp(122)
ucrtbased.dll!thread_start<unsigned int (stdcall)(void ),1>(void * const parameter) Line 97 at minkernel\crts\ucrt\src\appcrt\startup\thread.cpp(97)
kernel32.dll!@BaseThreadInitThunk@12()
ntdll.dll!RtlUserThreadStart()
ntdll.dll!__RtlUserThreadStart@8()

vbryh-msft commented 9 months ago

@sshenoyofficial could you please share the dump itself?

sshenoyofficial commented 9 months ago

Is there an email address to which I can send the dump, as it may contain details of our application?

sshenoyofficial commented 9 months ago

> @sshenoyofficial - please send it to email. Thank you!

Crash dump sent via email. Thank you.

vbryh-msft commented 9 months ago

I have checked the dump - ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

Our data says that all reports are from your app. I would try to isolate the problem on your side - remove lines of the code till the issue stops happening and try to repro it in our SampleApp with your findings for us to understand which use-case can corrupt the memory.
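
Added example, not part of the thread and not the reporter's or Microsoft's code: a small Python triage helper that splits a flattened call stack like the ones pasted above into frames and shows which layer owns each part of the stack. The module-to-owner buckets and the abridged sample trace are assumptions made for this example.

```python
import re
from itertools import groupby

# A new frame starts wherever "<module>.<dll|ocx|exe>!" follows whitespace.
FRAME_START = re.compile(r"(?<!\S)(?=[\w.\-]+\.(?:dll|ocx|exe)!)", re.I)

# Ownership buckets are assumptions made for this example.
OWNERS = (
    ("clang_rt.asan", "sanitizer"),
    ("embeddedbrowserwebview.dll", "webview2"),
    ("ourapp", "app"),  # OurApp.dll and OurAppWebView.ocx in the report
)

# Abridged from the first call stack in the report (frames and arguments trimmed).
SAMPLE = (
    r"KernelBase.dll!_RaiseException@16() "
    r"OurAppWebView.ocx!vcasan::OnAsanReport() Line 600 at vcasan.cpp(600) "
    r"clang_rt.asan_dbg_dynamic-i386.dll!asan::ReportDoubleFree() "
    r"combase.dll!CRetailMalloc_Free(IMalloc pThis, void pv) Line 658 "
    r"oleaut32.dll!VariantClear() "
    r"EmbeddedBrowserWebView.dll!base::win::ScopedVariant::~ScopedVariant(void) "
    r"EmbeddedBrowserWebView.dll!mojo::Connector::DispatchMessageW() "
    r"user32.dll!_DispatchMessageA@4() "
    r"OurApp.dll!COurAppThrd::Run() Line 439 at C:\code\OurApp\OurApp.cpp(439)"
)

def split_frames(trace):
    """Return [(module, symbol_and_location), ...], innermost frame first."""
    chunks = (c.strip() for c in FRAME_START.split(trace))
    return [tuple(c.split("!", 1)) for c in chunks if "!" in c]

def owner(module):
    name = module.lower()
    return next((who for prefix, who in OWNERS if name.startswith(prefix)), "other")

def summarize(trace):
    frames = split_frames(trace)
    owners = [owner(m) for m, _ in frames]
    return {
        # Collapsed owner sequence, innermost first: who called into whom.
        "layers": [k for k, _ in groupby(owners)],
        # Innermost WebView2 frame: the code that triggered the failing free.
        "first_runtime_frame": next((f for f, o in zip(frames, owners) if o == "webview2"), None),
        # App modules on the stack at the moment the corruption was detected.
        "app_modules": [m for (m, _), o in zip(frames, owners) if o == "app"],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, the only app modules on the stack are the ASan report hook and the thread's message pump, so the trace marks where the bad free was detected rather than which code produced the bad pointer.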