stack overflow with ui::AXPlatformNodeWin::accHitTest


Demetrios Tsillas

Sep 12, 2018, 9:38:10 AM
to Chromium-dev
Hi folks,

I am reporting this crash in case it is a known problem.

I am building 32 bit Chromium for Windows using 68.0.3440.106.

I saw a crash for stack overflow (using a call to _chkstk). I cannot reproduce the problem.

This appears to be caused by an overflow during the recursive calls to ui::AXPlatformNodeWin::accHitTest

The call to _chkstk happens in code I added. Here are the top levels of the call stack (my code is Instrumentation::AcquireSample and InstTraceFunctor::operator()).

  chrome.dll!_chkstk() Line 99 Unknown
> chrome.dll!Instrumentation::AcquireSample(InstItemData * instItem, char * & argptr) Line 1424 C++
  chrome.dll!InstTraceFunctor::operator()(const char * format, ...) Line 121 C++
  chrome.dll!base::debug::TaskAnnotator::DidQueueTask(const char * queue_function, const base::PendingTask & pending_task) Line 41 C++
  chrome.dll!base::internal::IncomingTaskQueue::PostPendingTaskLockRequired(base::PendingTask * pending_task) Line 334 C++
  chrome.dll!base::internal::IncomingTaskQueue::PostPendingTask(base::PendingTask * pending_task) Line 291 C++
  chrome.dll!base::internal::IncomingTaskQueue::AddToIncomingQueue(const base::Location & delay, base::OnceCallback<void ()> nestable, base::TimeDelta) Line 86 C++
  chrome.dll!base::internal::MessageLoopTaskRunner::PostDelayedTask(const base::Location &) Line 31 C++
  chrome.dll!content::`anonymous namespace'::PostTaskHelper(content::BrowserThread::ID identifier, const base::Location & task, base::OnceCallback<void ()> nestable, base::TimeDelta) Line 156 C++
  chrome.dll!content::BrowserThread::PostDelayedTask(content::BrowserThread::ID identifier, const base::Location & from_here, base::OnceCallback<void ()>) Line 289 C++
  chrome.dll!content::`anonymous namespace'::BrowserThreadTaskRunner::PostDelayedTask(const base::Location &) Line 40 C++
  chrome.dll!base::TaskRunner::PostTask(const base::Location &) Line 44 C++
  chrome.dll!IPC::ChannelProxy::Context::Send(IPC::Message * message) Line 396 C++
  chrome.dll!IPC::ChannelProxy::Send(IPC::Message * message) Line 527 C++
  chrome.dll!content::RenderProcessHostImpl::Send(IPC::Message * msg) Line 3031 C++
  [External Code]
  chrome.dll!content::BrowserAccessibilityManager::HitTest(const gfx::Point & point) Line 745 C++
  chrome.dll!content::BrowserAccessibilityManager::CachingAsyncHitTest(const gfx::Point & screen_point) Line 1247 C++
  chrome.dll!content::BrowserAccessibilityManager::CachingAsyncHitTest(const gfx::Point & screen_point) Line 1236 C++
  chrome.dll!content::BrowserAccessibility::HitTestSync(int x, int y) Line 928 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 422 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
  chrome.dll!ui::AXPlatformNodeWin::accHitTest(long x_left, long y_top, tagVARIANT * child) Line 440 C++
        <continues past the size of dump file>


Daniel Bratell

Sep 12, 2018, 10:06:20 AM
to Chromium-dev, Demetrios Tsillas
There seems to be some knowledge about it in the bug tracker through https://crbug.com/837080 which is unfortunately not publicly readable, but there doesn't seem to be anyone working on it (added some people to CC in the bug).

The way that Blink is designed, with many recursive algorithms, crashing the renderer process with an exhausted stack is almost by design so such crashes don't get much attention.

If you can trigger/reproduce the crash on "normal" inputs, it will make the crash immediately more interesting.

/Daniel



--
/* Opera Software, Linköping, Sweden: CEST (UTC+2) */
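The recursion Daniel describes is visible in the trace above: one native stack frame per nesting level of the accessibility tree, so a deep enough tree exhausts the stack regardless of how sound each individual frame is. The following is an added example, not Chromium code, using a hypothetical `Node`/`Rect` tree (names and layout are assumptions) to show the same hit-test written as a recursive descent and as an iterative walk with a heap-allocated work stack; the iterative form handles a constructed 200,000-deep chain that would overflow the recursive one.

```cpp
// Added example (not Chromium code): a minimal hit test over a tree of
// rectangles, once as a recursive descent, the shape whose frames repeat in
// the accHitTest stack above, and once with an explicit heap-allocated work
// stack so that tree depth is bounded by memory rather than by thread stack.
#include <cstddef>
#include <memory>
#include <vector>

struct Rect {
  int x, y, w, h;
  bool Contains(int px, int py) const {
    return px >= x && px < x + w && py >= y && py < y + h;
  }
};

// Hypothetical node type (an assumption, not ui::AXPlatformNode). Children
// are non-owning pointers; ownership sits in the vector returned by the
// builders below, so destruction is a flat loop rather than a recursion.
struct Node {
  int id;
  Rect bounds;
  std::vector<Node*> children;
};

using Tree = std::vector<std::unique_ptr<Node>>;  // element 0 is the root

// Recursive form: one native stack frame per tree level. Returns the deepest
// node containing (px, py), following the first containing child at each
// level, or nullptr if the root does not contain the point.
const Node* HitTestRecursive(const Node* node, int px, int py) {
  if (!node || !node->bounds.Contains(px, py)) return nullptr;
  for (const Node* child : node->children) {
    if (const Node* hit = HitTestRecursive(child, px, py)) return hit;
  }
  return node;
}

// Iterative form with the same result. Pending children live in a
// std::vector on the heap, so a pathologically deep tree cannot exhaust the
// native stack. When a node contains the point, its untried siblings are
// discarded, which mirrors the early return of the recursive version.
const Node* HitTestIterative(const Node* root, int px, int py) {
  const Node* best = nullptr;
  std::vector<const Node*> work;
  if (root) work.push_back(root);
  while (!work.empty()) {
    const Node* node = work.back();
    work.pop_back();
    if (!node->bounds.Contains(px, py)) continue;
    best = node;
    work.clear();  // siblings of a containing node are never examined
    for (auto it = node->children.rbegin(); it != node->children.rend(); ++it)
      work.push_back(*it);  // reversed so the first child is popped first
  }
  return best;
}

// Constructed sample tree: root covers 100x100, child A the top-left quadrant
// with a small grandchild C inside it, child B the top-right quadrant.
Tree BuildSample() {
  Tree t;
  t.push_back(std::make_unique<Node>(Node{0, {0, 0, 100, 100}, {}}));
  t.push_back(std::make_unique<Node>(Node{1, {0, 0, 50, 50}, {}}));    // A
  t.push_back(std::make_unique<Node>(Node{2, {50, 0, 50, 50}, {}}));   // B
  t.push_back(std::make_unique<Node>(Node{3, {10, 10, 10, 10}, {}}));  // C
  t[0]->children = {t[1].get(), t[2].get()};
  t[1]->children = {t[3].get()};
  return t;
}

// Constructed pathological input: a single chain of `depth` nested nodes that
// all contain (5, 5). Deep enough, the recursive form overflows the stack;
// the iterative form walks it in constant native stack space.
Tree BuildChain(std::size_t depth) {
  Tree t;
  for (std::size_t i = 0; i < depth; ++i)
    t.push_back(std::make_unique<Node>(
        Node{static_cast<int>(i), {0, 0, 10, 10}, {}}));
  for (std::size_t i = 0; i + 1 < depth; ++i)
    t[i]->children.push_back(t[i + 1].get());
  return t;
}

int main() {
  Tree sample = BuildSample();
  const Node* hit = HitTestIterative(sample[0].get(), 12, 12);  // C, id 3
  Tree chain = BuildChain(200000);
  const Node* deep = HitTestIterative(chain[0].get(), 5, 5);    // id 199999
  return (hit && hit->id == 3 && deep && deep->id == 199999) ? 0 : 1;
}
```

The two functions return the same node on ordinary trees; the difference only shows on the deep chain, where the recursive version's cost is proportional to depth in stack bytes while the iterative version's is proportional to depth in heap bytes. A depth cap on the recursive form would also prevent the crash but changes results on deep trees; the explicit stack keeps the semantics intact.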