chromiumembedded / cef

Chromium Embedded Framework (CEF). A simple framework for embedding Chromium-based browsers in other applications.
https://bitbucket.org/chromiumembedded/cef/

Crash when adding overlay view since CEF 125 due to invalid static_cast #3784

Closed Taronyu closed 2 months ago

Taronyu commented 2 months ago

Describe the bug
Since CEF 125, when adding an overlay view the code will crash due to an illegal memory access. I did some debugging with a modified cefclient application. I think it comes down to an invalid static_cast.

When the overlay view is added, eventually CefBrowserView::AddedToWidget is called. This will call CefWidget::GetForWidget on the supplied widget, and there is a check whether the view is using Alloy style or Chrome style. In my case the widget is cast to ChromeBrowserFrame, but according to the debugger the widget is of type ThemeCopyingWidget. The cast results in an invalid _vfptr pointer, which is then dereferenced by the caller, causing the crash.

To Reproduce
Steps to reproduce the behavior:

  1. Apply my provided patch file cefclient_testcode.patch. This will add an overlay view to the cefclient application.
  2. Launch the modified cefclient with the following args --use-views --hide-frame --hide-controls
  3. cefclient.exe will crash in CefBrowserViewImpl::AddedToWidget

Expected behavior
Application must not crash.

Screenshots
Exception: Note that cef_widget is a valid pointer but its _vfptr is null.

Invalid type cast: Note that widget is of type ThemeCopyingWidget and is cast to ChromeBrowserFrame.

Versions (please complete the following information):

Additional context
cefclient_testcode.patch
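To illustrate the hazard described in the report, here is an added, self-contained example (not CEF's own code): a constructed mock widget hierarchy in which the unsafe static_cast pattern sits beside a checked downcast that returns nullptr when the dynamic type is not the expected one. The class names mirror the report, but the types, the IsChromeBrowserFrame() hook and the IsBrowserFrame() method are assumptions made for the example; a virtual type hook is used instead of dynamic_cast because Chromium is built without RTTI.

```cpp
#include <string>

// Constructed mock hierarchy: a views::Widget-like base and two unrelated
// subclasses, standing in for ThemeCopyingWidget and ChromeBrowserFrame.
struct Widget {
  virtual ~Widget() = default;
  // Type hook usable without RTTI (assumption for this example).
  virtual bool IsChromeBrowserFrame() const { return false; }
};

struct ChromeBrowserFrame : Widget {
  bool IsChromeBrowserFrame() const override { return true; }
  // Hypothetical member the caller wants after the downcast.
  bool IsBrowserFrame() const { return true; }
};

struct ThemeCopyingWidget : Widget {};

// Unsafe pattern with the shape of the reported bug: assumes every widget is a
// ChromeBrowserFrame. If |widget| is really a ThemeCopyingWidget the cast is
// undefined behaviour; in practice the object's vtable pointer is garbage and
// the next virtual call through it crashes. Shown for contrast only, never
// called by the checks below.
ChromeBrowserFrame* UnsafeGetFrame(Widget* widget) {
  return static_cast<ChromeBrowserFrame*>(widget);
}

// Hardened form: verify the dynamic type before downcasting and report
// "not a browser frame" as nullptr so the caller can handle it.
ChromeBrowserFrame* SafeGetFrame(Widget* widget) {
  if (widget == nullptr || !widget->IsChromeBrowserFrame()) {
    return nullptr;
  }
  return static_cast<ChromeBrowserFrame*>(widget);
}

// Caller that treats a non-frame widget as a recoverable condition.
bool HasBrowserFrame(Widget* widget) {
  ChromeBrowserFrame* frame = SafeGetFrame(widget);
  return frame != nullptr && frame->IsBrowserFrame();
}
```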

Taronyu commented 2 months ago

Thanks for the quick fix. While the cefclient example doesn't crash anymore, I now have the issue that the overlay browser is not created. Is this a new issue or am I using it wrong? As far as I see, there is no browser instance created. According to the documentation, the browser instance is created when the overlay view is added to the views hierarchy, which I assumed would happen when adding the view to the window. See the code below (taken from the provided patch file).

// Browser view: created with nullptr for the optional client, extra info,
// request context and delegate arguments.
CefBrowserSettings settings = {};
browser_view_ = CefBrowserView::CreateBrowserView(
    nullptr, "https://bitbucket.org/chromiumembedded/cef/", settings, nullptr,
    nullptr, nullptr);
// Add the browser view to the window as an overlay; the expectation is that
// the browser instance is created once the view enters the views hierarchy.
browser_view_controller_ =
    window->AddOverlayView(browser_view_, CEF_DOCKING_MODE_CUSTOM, true);

I can create a new issue with the same patch file if it's a new one.

magreenblatt commented 2 months ago

> I have now the issue that the overlay browser is not created.

We don't currently test the usage of browser views in overlays. Please add a new issue.

Taronyu commented 2 months ago

Ok, I created #3790