I have verified that using --disable-features=PartitionAllocDanglingPtr,PartitionAllocUnretainedDanglingPtr indeed prevents the crash (those flags turn off the dangling-pointer detector, so they suppress the report rather than fix the underlying dangling pointer), so this seems to be another dangling pointer like the other issues.
I'm able to reproduce this with 126.2.7+g300bb05+chromium-126.0.6478.115. Symbolized call stack:
libcef.dll!logging::LogMessage::HandleFatal(unsigned __int64 stack_start, const std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>> & str_newline) Line 1048 C++
[Inline Frame] libcef.dll!logging::LogMessage::Flush::<lambda_0>::operator()() Line 748 C++
[Inline Frame] libcef.dll!absl::cleanup_internal::Storage<`lambda at ..\..\base\logging.cc:746:40'>::InvokeCallback() Line 87 C++
[Inline Frame] libcef.dll!absl::Cleanup<absl::cleanup_internal::Tag,`lambda at ..\..\base\logging.cc:746:40'>::~Cleanup() Line 106 C++
libcef.dll!logging::LogMessage::Flush() Line 931 C++
libcef.dll!logging::LogMessageFatal::~LogMessageFatal() Line 1053 C++
libcef.dll!base::allocator::UnretainedDanglingRawPtrDetectedCrash(unsigned __int64 id) Line 807 C++
[Inline Frame] libcef.dll!partition_alloc::internal::InSlotMetadata::ReportIfDangling() Line 315 C++
libcef.dll!base::internal::RawPtrBackupRefImpl<1,0>::ReportIfDanglingInternal(unsigned __int64 address) Line 70 C++
[Inline Frame] libcef.dll!base::internal::RawPtrBackupRefImpl<1,0>::ReportIfDangling(ui::SelectFileDialog::Listener * wrapped_ptr) Line 430 C++
[Inline Frame] libcef.dll!base::raw_ptr<ui::SelectFileDialog::Listener,1>::ReportIfDangling() Line 974 C++
[Inline Frame] libcef.dll!base::internal::UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0>::GetInternal(const base::raw_ptr<ui::SelectFileDialog::Listener,1> & ptr) Line 172 C++
[Inline Frame] libcef.dll!base::internal::UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0>::get() Line 154 C++
[Inline Frame] libcef.dll!base::BindUnwrapTraits<base::internal::UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0>>::Unwrap(const base::internal::UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0> & o) Line 1953 C++
[Inline Frame] libcef.dll!base::internal::Unwrap(base::internal::UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0> && o) Line 435 C++
[Inline Frame] libcef.dll!base::internal::InvokeHelper<1,base::internal::FunctorTraits<void (CefFileDialogManager::*&&)(ui::SelectFileDialog::Listener *, bool),base::WeakPtr<CefFileDialogManager> &&,ui::SelectFileDialog::Listener *&&,bool &&>,void,0,1,2>::MakeItSo(void(CefFileDialogManager::*)(ui::SelectFileDialog::Listener *, bool) && functor, std::__Cr::tuple<base::WeakPtr<CefFileDialogManager>,base::internal::UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0>,bool> && bound) Line 954 C++
[Inline Frame] libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<void (CefFileDialogManager::*&&)(ui::SelectFileDialog::Listener *, bool),base::WeakPtr<CefFileDialogManager> &&,ui::SelectFileDialog::Listener *&&,bool &&>,base::internal::BindState<1,1,0,void (CefFileDialogManager::*)(ui::SelectFileDialog::Listener *, bool),base::WeakPtr<CefFileDialogManager>,base::internal::UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0>,bool>,void ()>::RunImpl(void(CefFileDialogManager::*)(ui::SelectFileDialog::Listener *, bool) && functor, std::__Cr::tuple<base::WeakPtr<CefFileDialogManager>,base::internal::UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0>,bool> && bound, std::__Cr::integer_sequence<unsigned long long,0,1,2>) Line 1067 C++
libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<void (CefFileDialogManager::*&&)(ui::SelectFileDialog::Listener *, bool),base::WeakPtr<CefFileDialogManager> &&,ui::SelectFileDialog::Listener *&&,bool &&>,base::internal::BindState<1,1,0,void (CefFileDialogManager::*)(ui::SelectFileDialog::Listener *, bool),base::WeakPtr<CefFileDialogManager>,base::internal::UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0>,bool>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 980 C++
libcef.dll!base::OnceCallback<void ()>::Run() Line 156 C++
[Inline Frame] libcef.dll!CefSelectFileDialogListener::Destroy() Line 257 C++
libcef.dll!CefSelectFileDialogListener::FileSelected(const ui::SelectedFileInfo & file, int index, void * params) Line 238 C++
libcef.dll!ui::`anonymous namespace'::SelectFileDialogImpl::OnSelectFileExecuted(ui::SelectFileDialog::Type type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>> run_state, void * params, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> & paths, int index) Line 309 C++
[Inline Frame] libcef.dll!base::internal::DecayedFunctorTraits<void (ui::(anonymous namespace)::SelectFileDialogImpl::*)(ui::SelectFileDialog::Type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>, void *, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int),ui::(anonymous namespace)::SelectFileDialogImpl *&&,ui::SelectFileDialog::Type &&,std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>> &&,void *&&>::Invoke(void(ui::`anonymous namespace'::SelectFileDialogImpl::*)(ui::SelectFileDialog::Type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>, void *, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int) method, scoped_refptr<ui::(anonymous namespace)::SelectFileDialogImpl> && receiver_ptr, ui::SelectFileDialog::Type && args, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>> && args, void * && args, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> & args, int && args) Line 738 C++
[Inline Frame] libcef.dll!base::internal::InvokeHelper<0,base::internal::FunctorTraits<void (ui::(anonymous namespace)::SelectFileDialogImpl::*&&)(ui::SelectFileDialog::Type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>, void *, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int),ui::(anonymous namespace)::SelectFileDialogImpl *&&,ui::SelectFileDialog::Type &&,std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>> &&,void *&&>,void,0,1,2,3>::MakeItSo(void(ui::`anonymous namespace'::SelectFileDialogImpl::*)(ui::SelectFileDialog::Type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>, void *, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int) && functor, std::__Cr::tuple<scoped_refptr<ui::(anonymous namespace)::SelectFileDialogImpl>,ui::SelectFileDialog::Type,std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>,base::internal::UnretainedWrapper<void,base::unretained_traits::MayNotDangle,0>> && bound, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> & args, int && args) Line 930 C++
[Inline Frame] libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<void (ui::(anonymous namespace)::SelectFileDialogImpl::*&&)(ui::SelectFileDialog::Type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>, void *, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int),ui::(anonymous namespace)::SelectFileDialogImpl *&&,ui::SelectFileDialog::Type &&,std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>> &&,void *&&>,base::internal::BindState<1,1,0,void (ui::(anonymous namespace)::SelectFileDialogImpl::*)(ui::SelectFileDialog::Type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>, void *, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int),scoped_refptr<ui::(anonymous namespace)::SelectFileDialogImpl>,ui::SelectFileDialog::Type,std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>,base::internal::UnretainedWrapper<void,base::unretained_traits::MayNotDangle,0>>,void (const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int)>::RunImpl(void(ui::`anonymous namespace'::SelectFileDialogImpl::*)(ui::SelectFileDialog::Type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>, void *, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int) && functor, std::__Cr::tuple<scoped_refptr<ui::(anonymous namespace)::SelectFileDialogImpl>,ui::SelectFileDialog::Type,std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>,base::internal::UnretainedWrapper<void,base::unretained_traits::MayNotDangle,0>> && bound, std::__Cr::integer_sequence<unsigned long long,0,1,2,3>, 
const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> & unbound_args, int && unbound_args) Line 1067 C++
libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<void (ui::(anonymous namespace)::SelectFileDialogImpl::*&&)(ui::SelectFileDialog::Type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>, void *, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int),ui::(anonymous namespace)::SelectFileDialogImpl *&&,ui::SelectFileDialog::Type &&,std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>> &&,void *&&>,base::internal::BindState<1,1,0,void (ui::(anonymous namespace)::SelectFileDialogImpl::*)(ui::SelectFileDialog::Type, std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>, void *, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int),scoped_refptr<ui::(anonymous namespace)::SelectFileDialogImpl>,ui::SelectFileDialog::Type,std::__Cr::unique_ptr<ui::BaseShellDialogImpl::RunState,std::__Cr::default_delete<ui::BaseShellDialogImpl::RunState>>,base::internal::UnretainedWrapper<void,base::unretained_traits::MayNotDangle,0>>,void (const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> &, int)>::RunOnce(base::internal::BindStateBase * base, const std::__Cr::vector<base::FilePath,std::__Cr::allocator<base::FilePath>> & unbound_args, int unbound_args) Line 980 C++
libcef.dll!base::OnceCallback<void (const std::__Cr::vector<media::SupportedVideoDecoderConfig,std::__Cr::allocator<media::SupportedVideoDecoderConfig>> &, media::VideoDecoderType)>::Run(const std::__Cr::vector<media::SupportedVideoDecoderConfig,std::__Cr::allocator<media::SupportedVideoDecoderConfig>> & args, media::VideoDecoderType args) Line 156 C++
[Inline Frame] libcef.dll!base::internal::DecayedFunctorTraits<base::OnceCallback<void (const std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &, blink::ServiceWorkerStatusCode)>,std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &&,blink::ServiceWorkerStatusCode &&>::Invoke(base::OnceCallback<void (const std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &, blink::ServiceWorkerStatusCode)> && callback, std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> && args, blink::ServiceWorkerStatusCode && args) Line 813 C++
[Inline Frame] libcef.dll!base::internal::InvokeHelper<0,base::internal::FunctorTraits<base::OnceCallback<void (const std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &, blink::ServiceWorkerStatusCode)> &&,std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &&,blink::ServiceWorkerStatusCode &&>,void,0,1>::MakeItSo(base::OnceCallback<void (const std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &, blink::ServiceWorkerStatusCode)> && functor, std::__Cr::tuple<std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>>,blink::ServiceWorkerStatusCode> && bound) Line 930 C++
[Inline Frame] libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<base::OnceCallback<void (const std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &, blink::ServiceWorkerStatusCode)> &&,std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &&,blink::ServiceWorkerStatusCode &&>,base::internal::BindState<0,1,1,base::OnceCallback<void (const std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &, blink::ServiceWorkerStatusCode)>,std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>>,blink::ServiceWorkerStatusCode>,void ()>::RunImpl(base::OnceCallback<void (const std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &, blink::ServiceWorkerStatusCode)> && functor, std::__Cr::tuple<std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long 
long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>>,blink::ServiceWorkerStatusCode> && bound, std::__Cr::integer_sequence<unsigned long long,0,1>) Line 1067 C++
libcef.dll!base::internal::Invoker<base::internal::FunctorTraits<base::OnceCallback<void (const std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &, blink::ServiceWorkerStatusCode)> &&,std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &&,blink::ServiceWorkerStatusCode &&>,base::internal::BindState<0,1,1,base::OnceCallback<void (const std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>> &, blink::ServiceWorkerStatusCode)>,std::__Cr::vector<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>,std::__Cr::allocator<std::__Cr::pair<long long,std::__Cr::basic_string<char,std::__Cr::char_traits<char>,std::__Cr::allocator<char>>>>>,blink::ServiceWorkerStatusCode>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 980 C++
libcef.dll!base::OnceCallback<void ()>::Run() Line 156 C++
UnretainedWrapper<ui::SelectFileDialog::Listener,base::unretained_traits::MayNotDangle,0>
The likely cause is the binding of |listener| here (bound as an Unretained pointer with the MayNotDangle trait, as the wrapper type above shows). This is the same type of problem as https://github.com/chromiumembedded/cef/issues/3717#issuecomment-2183065401.
Describe the bug
cefclient.exe crashes after selecting the location for a file download. I have tried with my own application, and neither selecting true nor false for show_dialog resolves the issue; the process crashes regardless of whether show_dialog is set. It seems any call to CefBeforeDownloadCallback::Continue will crash the process.
To Reproduce: Launch cefclient.exe; navigate to any page with a file download; attempt to download the file.
Expected behavior: No crash after the file open dialog, and the file downloads successfully.
Screenshots If applicable, add screenshots to help explain your problem.
Versions (please complete the following information):
Additional context: Does the problem reproduce with the cefclient or cefsimple sample application at the same version? - Yes.