Status: Untriaged
Owner: [email protected]
CC: [email protected]
Labels: Type-Bug Pri-2 OS-All Area-BrowserBackend
New issue 7487 by [email protected]: Browser crash on URLRequestHttpJob::ReadRawData
http://code.google.com/p/chromium/issues/detail?id=7487

From http://crash/reportdetail?reportid=7c916b702e059ce7&product=Chrome&version=2.0.160.0
Also, reliability tests report id 280d7b08df3f3a7c

Thread 5 *CRASHED* (EXCEPTION_ACCESS_VIOLATION @0x02210000)

0x02ba64ea [chrome.dll - memcpy.asm:188] memcpy
0x02ea949e [chrome.dll - http_network_transaction.cc:728] net::HttpNetworkTransaction::DoReadBody()
0x02eac2bf [chrome.dll - http_network_transaction.cc:374] net::HttpNetworkTransaction::DoLoop(int)
0x02eac6e6 [chrome.dll - http_network_transaction.cc:149] net::HttpNetworkTransaction::Read(net::IOBuffer *,int,CallbackRunner<Tuple1<int> > *)
0x02e8ea49 [chrome.dll - http_cache.cc:437] net::HttpCache::Transaction::Read(net::IOBuffer *,int,CallbackRunner<Tuple1<int> > *)
0x02ea1220 [chrome.dll - url_request_http_job.cc:359] URLRequestHttpJob::ReadRawData(net::IOBuffer *,int,int *)
0x02e7c253 [chrome.dll - url_request_job.cc:112] URLRequestJob::Read(net::IOBuffer *,int,int *)
0x02e7512c [chrome.dll - url_request.cc:272] URLRequest::Read(net::IOBuffer *,int,int *)
0x026b2839 [chrome.dll - resource_dispatcher_host.cc:1046] ResourceDispatcherHost::Read(URLRequest *,int *)
0x026b457a [chrome.dll - resource_dispatcher_host.cc:788] ResourceDispatcherHost::OnResponseStarted(URLRequest *)
0x02e7bfcd [chrome.dll - url_request_job.cc:337] URLRequestJob::NotifyHeadersComplete()
0x02ea18e3 [chrome.dll - url_request_http_job.cc:457] URLRequestHttpJob::NotifyHeadersComplete()
0x02ea197f [chrome.dll - url_request_http_job.cc:389] URLRequestHttpJob::OnStartCompleted(int)
0x0278cad6 [chrome.dll - task.h:573] CallbackImpl<BrowsingHistoryHandler,void ( BrowsingHistoryHandler::*)(Value const *),Tuple1<Value const *> >::RunWithParams(Tuple1<Value const *> const &)
0x02e8c152 [chrome.dll - http_cache.cc:564] net::HttpCache::Transaction::DoCallback(int)
0x02e8c1cb [chrome.dll - http_cache.cc:570] net::HttpCache::Transaction::HandleResult(int)
0x02e8e468 [chrome.dll - http_cache.cc:895] net::HttpCache::Transaction::OnNetworkInfoAvailable(int)
0x0278caf2 [chrome.dll - task.h:573] CallbackImpl<MetricsHandler,void ( MetricsHandler::*)(Value const *),Tuple1<Value const *> >::RunWithParams(Tuple1<Value const *> const &)
0x02ea8ceb [chrome.dll - http_network_transaction.cc:282] net::HttpNetworkTransaction::DoCallback(int)
0x02eac71b [chrome.dll - http_network_transaction.cc:288] net::HttpNetworkTransaction::OnIOComplete(int)
0x0278caf2 [chrome.dll - task.h:573] CallbackImpl<MetricsHandler,void ( MetricsHandler::*)(Value const *),Tuple1<Value const *> >::RunWithParams(Tuple1<Value const *> const &)
0x02eb9ea2 [chrome.dll - tcp_client_socket_win.cc:291] net::TCPClientSocket::DoCallback(int)
0x02ebabf9 [chrome.dll - tcp_client_socket_win.cc:343] net::TCPClientSocket::DidCompleteIO()
0x02ebac99 [chrome.dll - tcp_client_socket_win.cc:355] net::TCPClientSocket::OnObjectSignaled(void *)
0x02bd03e3 [chrome.dll - object_watcher.cc:30] base::ObjectWatcher::Watch::Run()
0x0266230f [chrome.dll - message_loop.cc:308] MessageLoop::RunTask(Task *)
0x02662e69 [chrome.dll - message_loop.cc:408] MessageLoop::DoWork()
0x02673d5d [chrome.dll - message_pump_win.cc:468] base::MessagePumpForIO::DoRunLoop()
0x0267399f [chrome.dll - message_pump_win.h:78] base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x026629e6 [chrome.dll - message_loop.cc:197] MessageLoop::RunInternal()
0x02662b7f [chrome.dll - message_loop.cc:180] MessageLoop::RunHandler()
0x0266341c [chrome.dll - message_loop.cc:154] MessageLoop::Run()
0x02bc98b9 [chrome.dll - thread.cc:156] base::Thread::ThreadMain()
0x0266b4ac [chrome.dll - platform_thread_win.cc:26] `anonymous namespace'::ThreadFunc(void *)
0x7c80b682 [kernel32.dll + 0x0000b682] BaseThreadStart

From the dump, we crash accessing the buffer:

  // We may have some data remaining in the header buffer.
  if (header_buf_.get() && header_buf_body_offset_ < header_buf_len_) {
    int n = std::min(read_buf_len_, header_buf_len_ - header_buf_body_offset_);
    memcpy(read_buf_->data(), header_buf_.get() + header_buf_body_offset_, n);
    header_buf_body_offset_ += n;

The buffer has a ref count of 3 and looks OK, but the actual data (0x02210000) is invalid. The object is a SharedIOBuffer, so the shared section was probably closed while, for some reason, the buffer was still in use. AsyncResourceHandler::OnReadCompleted closes the section regardless of the actual reference count on the object, but the idea is that if the read completes nobody should still be using the buffer.

I still have to see what's going on...
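The hazard described in this report is a lifetime mismatch: the buffer object is reference counted, but the memory behind it (the shared section) is torn down by a separate Close call that does not consult the count, so a holder that still has a reference gets a pointer into memory that is gone. The following is an added illustration, not Chromium code and not part of this issue; every name in it (SharedSection, SharedBuffer, CloseSection, CopyLeftoverBody, SimulateReadCompleted) is a hypothetical stand-in, and the header bytes are constructed. It models the copy in DoReadBody and contrasts a close that ignores outstanding references with one that refuses while another holder exists, so that the section is only released when the last reference drops.

```cpp
#include <algorithm>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the shared-memory section backing the buffer.
// Once it is destroyed, any pointer previously obtained from it is dead.
struct SharedSection {
  explicit SharedSection(size_t size) : bytes(size, '\0') {}
  std::vector<char> bytes;
};

// Ref-counted buffer whose backing section can be closed separately from the
// object's own lifetime. CloseSection(force) models the two policies:
//   force == true  : close regardless of outstanding references (the pattern
//                    the report describes for OnReadCompleted);
//   force == false : refuse while another holder still references the buffer.
class SharedBuffer {
 public:
  explicit SharedBuffer(size_t size)
      : section_(std::make_unique<SharedSection>(size)) {}

  void AddRef() { ++ref_count_; }

  // Drops one reference; the section goes away only with the last one, so
  // memory is released exactly when nobody can reach data() any more.
  bool Release() {
    if (--ref_count_ == 0) {
      section_.reset();
      return true;
    }
    return false;
  }

  int ref_count() const { return ref_count_; }

  // In this model data() becomes null once the section is gone. A real
  // implementation that kept the raw pointer would hand back a dangling
  // address instead, which is what the memcpy in the report ran into.
  char* data() { return section_ ? section_->bytes.data() : nullptr; }
  size_t size() const { return section_ ? section_->bytes.size() : 0; }

  bool CloseSection(bool force) {
    if (!force && ref_count_ > 1) return false;  // another holder still uses it
    section_.reset();
    return true;
  }

 private:
  std::unique_ptr<SharedSection> section_;
  int ref_count_ = 1;  // the creator holds the first reference
};

// Models the copy in HttpNetworkTransaction::DoReadBody: move the body bytes
// left in the header buffer into the read buffer. Returns the byte count, or
// -1 when the read buffer no longer has backing memory (the crash condition).
int CopyLeftoverBody(SharedBuffer& read_buf, const std::string& header_buf,
                     size_t body_offset) {
  if (read_buf.data() == nullptr) return -1;
  size_t n = std::min(read_buf.size(), header_buf.size() - body_offset);
  memcpy(read_buf.data(), header_buf.data() + body_offset, n);
  return static_cast<int>(n);
}

// Two holders: the resource handler that created the buffer and the network
// transaction that was handed it for an in-flight Read(). The handler's
// read-completed path closes the section while the transaction still holds
// its reference and is about to copy into the buffer.
int SimulateReadCompleted(bool force_close) {
  SharedBuffer buf(16);
  buf.AddRef();                     // transaction takes its reference (count 2)
  buf.CloseSection(force_close);    // handler's OnReadCompleted fires first
  // Constructed header block: 19 bytes of headers followed by 5 body bytes.
  const std::string header_buf = "HTTP/1.1 200 OK\r\n\r\nhello";
  int copied = CopyLeftoverBody(buf, header_buf, header_buf.size() - 5);
  buf.Release();                    // transaction drops its reference
  buf.Release();                    // handler drops the last one; section freed
  return copied;
}
```

With the forced close the copy finds no backing memory and reports -1; with the reference-aware close the section survives until both holders have released it and the 5 leftover body bytes are copied. Tying the section's teardown to the last Release is the property the report's "nobody should still be using the buffer" assumption needs in order to hold.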
