zhangqd / chromiumembedded

Automatically exported from code.google.com/p/chromiumembedded

CEF crashes inside WebCore::Performance::addResourceTiming line 234 #1259

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
short version:
CEF crashes inside WebCore::Performance::addResourceTiming line 234.
I'm using the latest version, cef_binary_3.1650.1562_windows32, running on Win8 x64.
The crash happens after a custom ResourceHandler returns a redirect (302/307, setting both the Location header and redirect_url) to an XMLHttpRequest.
Further diagnosis (disassembly without source code) suggested that it may be a NullPointerException.
It's unlikely to be a Chromium/WebKit bug, since requesting a network resource that returns 302 won't trigger this crash.

long version:
How to reproduce this BUG:
start a new project,
implement a custom CefResourceHandler,
return 302 to redirect http://example/test to http://example/test/.
Now navigate to http://example/test;
the browser gets redirected to http://example/test/,
and it works fine.
Open devTools and run:
var x=new XMLHttpRequest();
x.open("GET","/test");
x.send();
You see that both the original request (302) and the actual request (/test/) completed,
but the program immediately crashes,
showing that it accessed memory 0x00000050, which is not accessible (0xC0000005).

If you can't reproduce this bug, contact me and I'll provide a binary executable (win32, >= XP) along with the source that will crash.
Please contact mailto://caoyunbin001@126.com instead of gmail, since I'm in China and gmail is sometimes blocked.

Here is the stack trace and the local variables when it crashes.
I can't find the correct version of the source code for Performance.cpp, so only these.

>   libcef.dll!WebCore::Performance::addResourceTiming(const WebCore::ResourceTimingInfo & info={...}, WebCore::Document * initiatorDocument=0x436447a8) 行 234   C++
    libcef.dll!WebCore::ResourceFetcher::didLoadResource(WebCore::Resource * resource=0x436447a8) 行 958   C++
    libcef.dll!WebCore::ResourceLoader::releaseResources() 行 91   C++
    libcef.dll!WebCore::ResourceLoader::didFinishLoading(WebKit::WebURLLoader * __formal=0x009c0e00, double finishTime=574793.24699999997) 行 364  C++
    libcef.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(int error_code=0, bool was_ignored_by_handler=false, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & security_info={...}, const base::TimeTicks & completion_time={...}) 行 624 C++
    libcef.dll!content::ResourceDispatcher::OnRequestComplete(int request_id=8, int error_code=0, bool was_ignored_by_handler=false, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & security_info={...}, const base::TimeTicks & browser_completion_time={...}) 行 541   C++
    libcef.dll!ResourceMsg_RequestComplete::Dispatch<content::ResourceDispatcher,content::ResourceDispatcher,void (__thiscall content::ResourceDispatcher::*)(int,int,bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::TimeTicks const &)>(const IPC::Message * msg=0x0f0036d4, content::ResourceDispatcher * obj=0x009a4050, content::ResourceDispatcher * sender=0x009a4050, void (int, int, bool, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &, const base::TimeTicks &) * func=0x52b77d90) 行 272   C++
    libcef.dll!content::ResourceDispatcher::DispatchMessageW(const IPC::Message & message={...}) 行 649    C++
    libcef.dll!content::ResourceDispatcher::OnMessageReceived(const IPC::Message & message={...}) 行 314   C++
    libcef.dll!content::ChildThread::OnMessageReceived(const IPC::Message & msg={...}) 行 320  C++
    libcef.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message={...}) 行 270    C++
    libcef.dll!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall net::DhcpProxyScriptAdapterFetcher::DhcpQuery::*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>,void __cdecl(net::DhcpProxyScriptAdapterFetcher::DhcpQuery *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &),void __cdecl(net::DhcpProxyScriptAdapterFetcher::DhcpQuery *,std::basic_string<char,std::char_traits<char>,std::allocator<char> >)>,void __cdecl(net::DhcpProxyScriptAdapterFetcher::DhcpQuery *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>::Run(base::internal::BindStateBase * base=0x0f0036c0) 行 1253  C++
    libcef.dll!base::MessageLoop::RunTask(const base::PendingTask & pending_task={...}) 行 493 C++
    libcef.dll!base::MessageLoop::DoWork() 行 618  C++
    libcef.dll!base::MessagePumpForUI::DoRunLoop() 行 244  C++
    libcef.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate=0x009bd4e0) 行 48  C++
    libcef.dll!base::MessageLoop::RunInternal() 行 441 C++
    libcef.dll!base::RunLoop::Run() 行 48  C++
    libcef.dll!base::MessageLoop::Run() 行 312 C++
    libcef.dll!base::Thread::Run(base::MessageLoop * message_loop=0x009bd4e0) 行 160   C++
    libcef.dll!base::Thread::ThreadMain() 行 223   C++
    libcef.dll!base::`anonymous namespace'::ThreadFunc(void * params=0x00000554) 行 78 C++
    kernel32.dll!766a8543() 未知
    [下面的框架可能不正确和/或缺失,没有为 kernel32.dll 加载符号] 
    ntdll.dll!77e1ac69()    未知
    ntdll.dll!77e1ac3c()    未知

+       this    0x0ef84a00 {m_eventTargetData={eventListenerMap={m_entries={...} } firingEventIterators={m_ptr=0x00000000 <NULL> } } ...}  WebCore::Performance *
+       info    {m_type={m_string={m_impl={m_ptr=0x8b00a07a {...} } } } m_initialTime=-5.4582580994163564e-057 m_loadFinishTime=...}    const WebCore::ResourceTimingInfo &
+       initiatorDocument   0x436447a8 {m_namedItemCounts={m_impl={m_impl={m_table=0x00000000 <NULL> m_tableSize=0 m_tableSizeMask=...} } } ...}   WebCore::Document *
        allowRedirectDetails    true    bool
        startTime   574793.24199999997  double
        lastRedirectEndTime 8.5382674696793064e-264 double
        allowTimingDetails  true    bool

Original issue reported on code.google.com by caoyunbi...@gmail.com on 28 Apr 2014 at 3:00

GoogleCodeExporter commented 9 years ago
This crash may already be fixed. Can you test with a newer 1650 branch build 
from http://cefbuilds.com?

Original comment by magreenb...@gmail.com on 6 May 2014 at 5:30

GoogleCodeExporter commented 9 years ago
NOT fixed in cef_binary_3.1916.1703_windows32,
which is the latest version that I can find,
but the crash seems to have changed:
now it crashes at libcef.dll!WebCore::Performance::addResourceTiming line 226.
Looking at the disassembly, it shows that
content::RenderProcessImpl::GetEnabledBindings returns 0,
and a later instruction, movsd xmm0,mmword ptr [eax+50h], then triggers the crash.

Original comment by caoyunbi...@gmail.com on 9 May 2014 at 7:12

GoogleCodeExporter commented 9 years ago
CefResourceRequestJob should implement GetLoadTimingInfo, as WebKit expects 
timing information to be present.

Attaching a fix as a patch sitting on top of the patch for issue #1070 (line numbers will not be coherent if you don't apply the #1070 patch for yet another issue with CefResourceRequestJob).

Original comment by pgu...@gmail.com on 26 Jun 2014 at 3:05
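The comment above names the root cause: a custom request job that never reports load timing, which the resource-timing consumer then reads through. The following self-contained C++ model is an added example, not CEF or Chromium code, and every type and function name in it is constructed for illustration. It shows the job-side hook a job like CefResourceRequestJob has to implement, and a consumer that treats "no timing provided" as a normal case and validates the values it does get instead of emitting garbage like the negative m_initialTime in the report's locals.

```cpp
#include <cstdint>

// Constructed model of a load timing record handed from a job to its loader.
struct LoadTimingInfo {
    double request_start = 0;  // final request sent (after any redirects)
    double receive_end = 0;    // last byte received
};

// Shape of the optional hook: a job that does not override it reports
// "no timing available" rather than leaving the record half-filled.
class URLRequestJob {
public:
    virtual ~URLRequestJob() = default;
    virtual bool GetLoadTimingInfo(LoadTimingInfo* out) const { (void)out; return false; }
};

// A custom job before the fix: no override, so no timing is ever supplied.
class LegacyCustomJob : public URLRequestJob {};

// The same job after the fix: it supplies timing for the redirected request.
class FixedCustomJob : public URLRequestJob {
public:
    FixedCustomJob(double start, double end) : start_(start), end_(end) {}
    bool GetLoadTimingInfo(LoadTimingInfo* out) const override {
        out->request_start = start_;
        out->receive_end = end_;
        return true;
    }
private:
    double start_, end_;
};

struct ResourceTimingEntry {
    double start_time, redirect_end, response_end;
    bool valid;  // false when the numbers are not monotonic
};

// Consumer side: never depend on the job having filled in timing. Fall back
// to the loader's own clock (always known), then sanity-check the result.
ResourceTimingEntry BuildResourceTiming(const URLRequestJob& job,
                                        double loader_start, double loader_finish) {
    LoadTimingInfo timing;
    ResourceTimingEntry e{loader_start, loader_start, loader_finish, true};
    if (job.GetLoadTimingInfo(&timing)) {
        e.redirect_end = timing.request_start;
        e.response_end = timing.receive_end;
    }
    if (!(e.start_time <= e.redirect_end && e.redirect_end <= e.response_end))
        e.valid = false;
    return e;
}
```

With a job that reports nothing, the entry collapses the redirect phase to the loader start time; with a job reporting a request_start earlier than the loader ever started, the entry is flagged invalid rather than surfaced.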

GoogleCodeExporter commented 9 years ago

Original comment by magreenb...@gmail.com on 26 Jun 2014 at 3:20

GoogleCodeExporter commented 9 years ago
@#4: Thanks, fixed in trunk revision 1763 and 1916 branch revision 1764 with style changes.

@caoyunbin001: Can you verify that it fixes the crash for you? A new build with the change should be available from http://cefbuilds.com in a few days.

Original comment by magreenb...@gmail.com on 10 Jul 2014 at 5:39

GoogleCodeExporter commented 9 years ago
We are running into this exact issue as well. Is there a workaround for it?

Original comment by ext.jfug...@riotgames.com on 17 Jul 2014 at 1:21

GoogleCodeExporter commented 9 years ago
Fixed in 1750 branch revision 1805.

Original comment by magreenb...@gmail.com on 11 Aug 2014 at 8:27