chromiumembedded / cef

Chromium Embedded Framework (CEF). A simple framework for embedding Chromium-based browsers in other applications.
https://bitbucket.org/chromiumembedded/cef/

CEF crashes due to dangling pointer detection #3693

Closed tomaszkunicki closed 4 months ago

tomaszkunicki commented 5 months ago

Description: When the program re-renders the image before the previous one is loaded, CEF crashes.

Steps to reproduce the behavior:

  1. Open CefClient.exe
  2. Open file:///test.html
  3. Program crashes

Expected behavior: Showing the Google logo. It works sometimes but mostly crashes.

Screenshots: Debug view output with stack trace. [image]

Test program: test.zip

Versions (please complete the following information):

Additional context: It is reproducible; version 123 works fine.

Chrome in the same version works fine.

magreenblatt commented 5 months ago

Likely needs to be disabled for Windows, same as was done for MacOS/Linux in commit b537fc929b.

magreenblatt commented 5 months ago

Note that this is only enabled for non-Official builds. Incorrect, see below.

magreenblatt commented 4 months ago

I'm not able to reproduce this crash with a local Debug build of M125.

@tomaszkunicki can you provide more details about your local build configuration (GN_DEFINES, Debug vs Release)?

tomaszkunicki commented 4 months ago

@magreenblatt I was testing an official release build 125.0.2 Windows 32 - as it is probably a race condition it depends on time and machine speed. I'm able to reproduce this crash every time with the second timer set between 0 and 3. If the second timer is set to more than 3ms it works. Try to decrease the second timer value.

magreenblatt commented 4 months ago

Thanks, I can reproduce with cef_binary_124.3.2+gb6e819b+chromium-124.0.6367.119_windows32_client. Symbolized stack trace:

>   libcef.dll!base::allocator::UnretainedDanglingRawPtrDetectedCrash(unsigned int id) Line 768 C++
    [Inline Frame] libcef.dll!partition_alloc::internal::InSlotMetadata::ReportIfDangling() Line 306    C++
    libcef.dll!base::internal::RawPtrBackupRefImpl<1,0>::ReportIfDanglingInternal(unsigned int address) Line 73 C++
    [Inline Frame] libcef.dll!base::internal::RawPtrBackupRefImpl<1,0>::ReportIfDangling(network::ResourceRequest * wrapped_ptr) Line 424   C++
    [Inline Frame] libcef.dll!base::raw_ptr<network::ResourceRequest,1>::ReportIfDangling() Line 923    C++
    [Inline Frame] libcef.dll!base::internal::UnretainedWrapper<network::ResourceRequest,base::unretained_traits::MayNotDangle,0>::GetInternal(const base::raw_ptr<network::ResourceRequest,1> & ptr) Line 172  C++
    [Inline Frame] libcef.dll!base::internal::UnretainedWrapper<network::ResourceRequest,base::unretained_traits::MayNotDangle,0>::get() Line 154   C++
    [Inline Frame] libcef.dll!base::BindUnwrapTraits<base::internal::UnretainedWrapper<network::ResourceRequest,base::unretained_traits::MayNotDangle,0>>::Unwrap(const base::internal::UnretainedWrapper<network::ResourceRequest,base::unretained_traits::MayNotDangle,0> & o) Line 1953  C++
    [Inline Frame] libcef.dll!base::internal::Unwrap(base::internal::UnretainedWrapper<network::ResourceRequest,base::unretained_traits::MayNotDangle,0> && o) Line 435 C++
    [Inline Frame] libcef.dll!base::internal::InvokeHelper<1,base::internal::FunctorTraits<void (net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper::*&&)(int, network::ResourceRequest *, base::OnceCallback<void ()>, int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>) __attribute__((thiscall)),base::WeakPtr<net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper> &&,int &&,network::ResourceRequest *&&,base::OnceCallback<void ()> &&>,void,0,1,2,3>::MakeItSo(void(net_service::`anonymous namespace'::InterceptedRequestHandlerWrapper::*)(int, network::ResourceRequest *, base::OnceCallback<void ()>, int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>) && functor, std::__Cr::tuple<base::WeakPtr<net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper>,int,base::internal::UnretainedWrapper<network::ResourceRequest,base::unretained_traits::MayNotDangle,0>,base::OnceCallback<void ()>> && bound, int && args, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>> && args) Line 954  C++
    [Inline Frame] libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<void (net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper::*&&)(int, network::ResourceRequest *, base::OnceCallback<void ()>, int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>) __attribute__((thiscall)),base::WeakPtr<net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper> &&,int &&,network::ResourceRequest *&&,base::OnceCallback<void ()> &&>,base::internal::BindState<1,1,0,void (net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper::*)(int, network::ResourceRequest *, base::OnceCallback<void ()>, int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>) __attribute__((thiscall)),base::WeakPtr<net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper>,int,base::internal::UnretainedWrapper<network::ResourceRequest,base::unretained_traits::MayNotDangle,0>,base::OnceCallback<void ()>>,void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>::RunImpl(void(net_service::`anonymous namespace'::InterceptedRequestHandlerWrapper::*)(int, network::ResourceRequest *, base::OnceCallback<void ()>, int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>) && functor, std::__Cr::tuple<base::WeakPtr<net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper>,int,base::internal::UnretainedWrapper<network::ResourceRequest,base::unretained_traits::MayNotDangle,0>,base::OnceCallback<void ()>> && bound, std::__Cr::integer_sequence<unsigned int,0,1,2,3>, int && unbound_args, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>> && unbound_args) Line 1067   C++
    libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<void (net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper::*&&)(int, network::ResourceRequest *, base::OnceCallback<void ()>, int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>) __attribute__((thiscall)),base::WeakPtr<net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper> &&,int &&,network::ResourceRequest *&&,base::OnceCallback<void ()> &&>,base::internal::BindState<1,1,0,void (net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper::*)(int, network::ResourceRequest *, base::OnceCallback<void ()>, int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>) __attribute__((thiscall)),base::WeakPtr<net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper>,int,base::internal::UnretainedWrapper<network::ResourceRequest,base::unretained_traits::MayNotDangle,0>,base::OnceCallback<void ()>>,void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>::RunOnce(base::internal::BindStateBase * base, int unbound_args, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>> && unbound_args) Line 980    C++
    libcef.dll!base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>::Run(int args, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>> args) Line 156  C++
    libcef.dll!net_service::cookie_helper::`anonymous namespace'::ContinueWithLoadedCookies(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> & allow_cookie_callback, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)> done_callback, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> & cookies) Line 100    C++
    [Inline Frame] libcef.dll!base::internal::DecayedFunctorTraits<void (*)(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &),base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &&,base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)> &&,std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &&>::Invoke(void(*)(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &) && function, base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> && args, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)> && args, std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> && args) Line 671    C++
    [Inline Frame] libcef.dll!base::internal::InvokeHelper<0,base::internal::FunctorTraits<void (*&&)(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &),base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &&,base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)> &&,std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &&>,void,0,1,2>::MakeItSo(void(*)(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &) && functor, std::__Cr::tuple<base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)>,base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>,std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>>> && bound) Line 930    C++
    [Inline Frame] libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<void (*&&)(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &),base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &&,base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)> &&,std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &&>,base::internal::BindState<0,1,0,void (*)(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &),base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)>,base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>,std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>>>,void ()>::RunImpl(void(*)(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &) && functor, std::__Cr::tuple<base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)>,base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>,std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>>> && bound, std::__Cr::integer_sequence<unsigned int,0,1,2>) Line 1067  C++
    libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<void (*&&)(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &),base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &&,base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)> &&,std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &&>,base::internal::BindState<0,1,0,void (*)(const base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)> &, base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>, const std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>> &),base::RepeatingCallback<void (const net::CanonicalCookie &, bool *)>,base::OnceCallback<void (int, std::__Cr::vector<net::CanonicalCookie,std::__Cr::allocator<net::CanonicalCookie>>)>,std::__Cr::vector<net::CookieWithAccessResult,std::__Cr::allocator<net::CookieWithAccessResult>>>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 980  C++
    [Inline Frame] libcef.dll!base::OnceCallback<void ()>::Run() Line 156   C++
    libcef.dll!base::TaskAnnotator::RunTaskImpl(base::PendingTask & pending_task) Line 203  C++
    [Inline Frame] libcef.dll!base::TaskAnnotator::RunTask(perfetto::StaticString event_name, base::PendingTask & pending_task, base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl::<lambda_4> && args) Line 90  C++
    [Inline Frame] libcef.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow * continuation_lazy_now) Line 473 C++
    libcef.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() Line 338 C++
    libcef.dll!base::MessagePumpForIO::DoRunLoop() Line 733 C++
    libcef.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 80    C++
    libcef.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool application_tasks_allowed, base::TimeDelta timeout) Line 641 C++
    libcef.dll!base::RunLoop::Run(const base::Location & location) Line 136 C++
    libcef.dll!base::Thread::Run(base::RunLoop * run_loop) Line 338 C++
    libcef.dll!content::BrowserProcessIOThread::IOThreadRun(base::RunLoop * run_loop) Line 121  C++
    libcef.dll!base::Thread::ThreadMain() Line 410  C++
    libcef.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 133  C++
magreenblatt commented 4 months ago

It looks like the enable_dangling_raw_ptr_checks GN arg is ignored for InstallUnretainedDanglingRawPtrChecks (vs InstallDanglingRawPtrChecks) and you need to instead run with --disable-features=PartitionAllocUnretainedDanglingPtr to disable this check.

> gn args out\Release_GN_x86 --list=enable_dangling_raw_ptr_checks
enable_dangling_raw_ptr_checks
    Current value (from the default) = false
      From //base/allocator/partition_allocator/partition_alloc.gni:202
>   base_allocator_partition_allocator_src_partition_alloc_allocator_core.dll!partition_alloc::SetUnretainedDanglingRawPtrCheckEnabled(bool enabled) Line 51    C++
    base.dll!base::allocator::InstallUnretainedDanglingRawPtrChecks() Line 779  C++
    base.dll!base::allocator::PartitionAllocSupport::ReconfigureAfterFeatureListInit(const std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>> & process_type, bool configure_dangling_pointer_detector) Line 1053    C++
    content.dll!content::ContentMainRunnerImpl::RunBrowser(content::MainFunctionParams main_params, bool start_minimal_browser) Line 1287   C++
    content.dll!content::ContentMainRunnerImpl::Run() Line 1144 C++
    content.dll!content::ContentMainRun(content::ContentMainRunner * content_main_runner) Line 324  C++
    libcef.dll!CefMainRunner::ContentMainRun(bool * initialized, base::OnceCallback<void ()> context_initialized) Line 510  C++
    libcef.dll!CefMainRunner::Initialize(CefStructBase<CefSettingsTraits> * settings, scoped_refptr<CefApp> application, const CefMainArgs & args, void * windows_sandbox_info, bool * initialized, base::OnceCallback<void ()> context_initialized) Line 291   C++
    libcef.dll!CefContext::Initialize(const CefMainArgs & args, const CefStructBase<CefSettingsTraits> & settings, scoped_refptr<CefApp> application, void * windows_sandbox_info) Line 491 C++
    libcef.dll!CefInitialize(const CefMainArgs & args, const CefStructBase<CefSettingsTraits> & settings, scoped_refptr<CefApp> application, void * windows_sandbox_info) Line 314  C++
    libcef.dll!cef_initialize(const _cef_main_args_t * args, const _cef_settings_t * settings, _cef_app_t * application, void * windows_sandbox_info) Line 113  C++
    cefclient.exe!CefInitialize(const CefMainArgs & args, const CefStructBase<CefSettingsTraits> & settings, scoped_refptr<CefApp> application, void * windows_sandbox_info) Line 102   C++
    cefclient.exe!client::MainContextImpl::Initialize(const CefMainArgs & args, const CefStructBase<CefSettingsTraits> & settings, scoped_refptr<CefApp> application, void * windows_sandbox_info) Line 301 C++
    cefclient.exe!client::`anonymous namespace'::RunMain(HINSTANCE__ * hInstance, int nCmdShow) Line 101    C++
    cefclient.exe!wWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpCmdLine, int nCmdShow) Line 158    C++
magreenblatt commented 4 months ago

We're seeing these crashes starting in M124 because https://crrev.com/dafc4e5205 has changed the config to crash by default.

magreenblatt commented 4 months ago

This particular error will be fixed in #3239, and the crash-by-default behavior will be restored.
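The failure shown in the stack trace above (a raw pointer bound into a posted task with base::Unretained, where the request is freed when the next render supersedes it before the task runs), modelled in plain C++ as an added example that is not CEF or Chromium code: a registry of live objects stands in for the PartitionAlloc metadata that ReportIfDangling consults, and a weak-reference variant shows the lifetime check a task can make instead. Request, Report, StartUnretained, StartWeak and Simulate are constructed names, and the weak-reference variant is a generic remedy, not the fix tracked in #3239.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Constructed stand-in for network::ResourceRequest. The set of live instances
// plays the role of PartitionAlloc's in-slot metadata: it lets a task ask whether
// a raw pointer still refers to a live object, as ReportIfDangling does.
struct Request {
  explicit Request(std::string u) : url(std::move(u)) { Live().insert(this); }
  ~Request() { Live().erase(this); }
  static std::set<const Request*>& Live() { static std::set<const Request*> s; return s; }
  std::string url;
};
struct Report {
  int dangling = 0;   // raw pointer found dead: where CEF calls UnretainedDanglingRawPtrDetectedCrash
  int skipped = 0;    // weak reference found expired, task skipped safely
  int continued = 0;  // task ran against a live request
};
using TaskQueue = std::vector<std::function<void()>>;  // stands in for the IO thread queue

// Pattern from the stack trace: a raw pointer is bound into the task
// (base::Unretained) and nothing keeps the request alive until the task runs.
void StartUnretained(std::unique_ptr<Request>& current, const std::string& url,
                     TaskQueue& io, Report& rep) {
  current = std::make_unique<Request>(url);  // frees the previous request
  Request* raw = current.get();
  io.push_back([raw, &rep] {
    if (!Request::Live().count(raw)) { ++rep.dangling; return; }  // stale; never dereferenced
    ++rep.continued;
  });
}
// Hardened variant: the task holds a weak reference and checks it before use,
// so a superseded request is skipped instead of touched after free.
void StartWeak(std::shared_ptr<Request>& current, const std::string& url,
               TaskQueue& io, Report& rep) {
  current = std::make_shared<Request>(url);
  std::weak_ptr<Request> weak = current;
  io.push_back([weak, &rep] {
    if (weak.lock()) ++rep.continued; else ++rep.skipped;
  });
}
// Re-render before the first load completes: two starts, then the IO thread drains its queue.
Report Simulate(bool hardened) {
  Report rep;
  TaskQueue io;
  std::unique_ptr<Request> raw_current;
  std::shared_ptr<Request> weak_current;
  const std::string urls[] = {"first.png", "second.png"};  // constructed sample input
  for (const std::string& url : urls) {
    if (hardened) StartWeak(weak_current, url, io, rep);
    else StartUnretained(raw_current, url, io, rep);
  }
  for (auto& task : io) task();
  return rep;
}
```

With the raw pointer the first task reports a dangling pointer (the point where CEF crashes); with the weak reference it is skipped and only the live request is continued.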