Crash on libxml/encoding.c on branch 3904


Postby RangelReale » Mon Oct 28, 2019 1:31 pm

I am building branch 3904 on Ubuntu 16.04 x64, with ffmpeg enabled.
When running my application with the compiled library, loading an XML using XMLHttpRequest causes a crash every time in the renderer process. The code is as simple as this:

===================
const text = "<bookstore><book>" +
"<title>Everyday Italian</title>" +
"<author>Giada De Laurentiis</author>" +
"<year>2005</year>" + "</book></bookstore>";
const parser = new DOMParser();
// Parsing as "text/xml" goes through Blink's libxml-based XMLDocumentParser.
console.log(parser.parseFromString(text, "text/xml"));
===================

Here is the stack trace:
=============================
Thread 1 "procedgebrowser" received signal SIGILL, Illegal instruction.
xmlInitCharEncodingHandlers () at ../../third_party/libxml/src/encoding.c:1404
1404 xmlMalloc(MAX_ENCODING_HANDLERS * sizeof(xmlCharEncodingHandlerPtr));
(gdb) bt
#0 xmlInitCharEncodingHandlers () at ../../third_party/libxml/src/encoding.c:1404
#1 0x00007fe946ccec95 in xmlInitParser () at ../../third_party/libxml/src/parser.c:14718
#2 0x00007fe9492e0165 in blink::InitializeLibXMLIfNecessary ()
at ../../third_party/blink/renderer/core/xml/parser/xml_document_parser.cc:665
#3 blink::XMLParserContext::CreateStringParser (handlers=0x7ffc2d0888b8, user_data=0x120b66e8e488)
at ../../third_party/blink/renderer/core/xml/parser/xml_document_parser.cc:675
#4 0x00007fe9492e15fa in blink::XMLDocumentParser::InitializeParserContext (this=0x120b66e8e488, chunk=...)
at ../../third_party/blink/renderer/core/xml/parser/xml_document_parser.cc:1527
#5 0x00007fe9492de3f9 in blink::XMLDocumentParser::DoWrite (this=0x120b66e8e488, parse_string=...)
at ../../third_party/blink/renderer/core/xml/parser/xml_document_parser.cc:826
#6 blink::XMLDocumentParser::Append (this=0x120b66e8e488, input_source=...)
at ../../third_party/blink/renderer/core/xml/parser/xml_document_parser.cc:338
#7 0x00007fe94851fdd0 in blink::Document::SetContent (this=0x3d412a264068, content=...)
at ../../third_party/blink/renderer/core/dom/document.cc:1953
#8 0x00007fe949302ba7 in blink::XMLHttpRequest::responseXML (this=0x120b66e8bad8, exception_state=...)
at ../../third_party/blink/renderer/core/xmlhttprequest/xml_http_request.cc:392
#9 0x00007fe947e94336 in blink::xml_http_request_v8_internal::ResponseXMLAttributeGetter (info=...)
at gen/third_party/blink/renderer/bindings/core/v8/v8_xml_http_request.cc:274
#10 blink::V8XMLHttpRequest::ResponseXMLAttributeGetterCallback (info=...)
at gen/third_party/blink/renderer/bindings/core/v8/v8_xml_http_request.cc:627
#11 0x00007fe9433c2912 in v8::internal::FunctionCallbackArguments::Call (this=0x7ffc2d088ee8, handler=...)
at ../../v8/src/api/api-arguments-inl.h:158
#12 v8::internal::(anonymous namespace)::HandleApiCallHelper<false> (isolate=0xb8c53f86000, function=..., new_target=...,
fun_data=..., receiver=..., args=...) at ../../v8/src/builtins/builtins-api.cc:111
#13 0x00007fe9433c0b6e in v8::internal::Builtins::InvokeApiFunction (isolate=0xb8c53f86000, is_construct=<optimized out>,
function=..., receiver=..., argc=0, args=0x0, new_target=...) at ../../v8/src/builtins/builtins-api.cc:227
#14 0x00007fe943898114 in v8::internal::Object::GetPropertyWithAccessor (it=<optimized out>)
at ../../v8/src/objects/objects.cc:1453
#15 0x00007fe943897917 in v8::internal::Object::GetProperty (it=0x7ffc2d0892a0,
on_non_existent=v8::internal::OnNonExistent::kReturnUndefined) at ../../v8/src/objects/objects.cc:1088
#16 0x00007fe9436312ba in v8::internal::LoadIC::Load (this=0x7ffc2d089388, object=..., name=...)
at ../../v8/src/ic/ic.cc:448
#17 0x00007fe94363f4c3 in v8::internal::__RT_impl_Runtime_LoadIC_Miss (args=..., isolate=0xb8c53f86000) at ../../v8/src/ic/ic.cc:2186
#18 0x00007fe94363eed1 in v8::internal::Runtime_LoadIC_Miss (args_length=4, args_object=0x7ffc2d089550, isolate=0xb8c53f86000)
at ../../v8/src/ic/ic.cc:2158
#19 0x00007fe940ed40e0 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit ()
from /home/rreale/Documents/prog/work/edgecontents4/ebclient2/build/bin/libcef.so
#20 0x00007fe9410e7445 in Builtins_LdaNamedPropertyHandler () from /home/rreale/Documents/prog/work/edgecontents4/ebclient2/build/bin/libcef.so
#21 0x000034d9da4804b1 in ?? ()
#22 0x0000000600000000 in ?? ()
#23 0x00002db9054a7521 in ?? ()
#24 0x00001ece0cc9bc19 in ?? ()
#25 0x000034d9da4804b1 in ?? ()
#26 0x000034d9da4804b1 in ?? ()
#27 0xae5aa5dc808aa300 in ?? ()
#28 0x0000000000000005 in ?? ()
#29 0xae5aa5dc808aa300 in ?? ()
#30 0x0000000000000028 in ?? ()
#31 0xae5aa5dc808aa300 in ?? ()
#32 0x00001ece0cc9b5d1 in ?? ()
#33 0x0000000000000057 in ?? ()
#34 0x00002db9054b00e9 in ?? ()
#35 0x0000285bce53e829 in ?? ()
#36 0x00007ffc2d089600 in ?? ()
#37 0x0000000000000002 in ?? ()
#38 0x0000000000000006 in ?? ()
#39 0x00001ece0cc9b5d1 in ?? ()
#40 0x00002db9054a7521 in ?? ()
#41 0x00001ece0cc9bc19 in ?? ()
#42 0x0000000000000060 in ?? ()
#43 0x00007ffc2d089660 in ?? ()
#44 0x00000b8c53fd5410 in ?? ()
#45 0x000000000000001a in ?? ()
#46 0x00007ffc2d089660 in ?? ()
#47 0x00007fe940c0a992 in Builtins_InterpreterEntryTrampoline () from /home/rreale/Documents/prog/work/edgecontents4/ebclient2/build/bin/libcef.so
#48 0x000034d9da4804b1 in ?? ()
#49 0x000034d9da4804b1 in ?? ()
#50 0x000034d9da4804b1 in ?? ()
#51 0x000034d9da4804b1 in ?? ()
#52 0x000034d9da4804b1 in ?? ()
#53 0x00001ece0cc9bc19 in ?? ()
#54 0x0000006000000000 in ?? ()
#55 0x00002db9054b00e9 in ?? ()
#56 0x00002db9054af8c9 in ?? ()
#57 0x00001ece0cc9b5d1 in ?? ()
#58 0x00007ffc2d089698 in ?? ()
#59 0x00007fe940bef679 in Builtins_ArgumentsAdaptorTrampoline () from /home/rreale/Documents/prog/work/edgecontents4/ebclient2/build/bin/libcef.so
#60 0x00001ece0cc9bc19 in ?? ()
#61 0x0000000000000000 in ?? ()
================
I couldn't find anything about an error in libxml. Any thoughts?
RangelReale
Techie
 
Posts: 21
Joined: Mon Mar 25, 2019 12:23 pm

Re: Crash on libxml/encoding.c on branch 3904

Postby magreenblatt » Mon Oct 28, 2019 1:38 pm

Are you using a Debug or Release build? Does the problem reproduce with the CEF sample applications? Does the problem reproduce with Google Chrome at the same version?
magreenblatt
Site Admin
 
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm

Re: Crash on libxml/encoding.c on branch 3904

Postby RangelReale » Mon Oct 28, 2019 2:15 pm

magreenblatt wrote:Are you using a Debug or Release build? Does the problem reproduce with the CEF sample applications? Does the problem reproduce with Google Chrome at the same version?

I am using a Debug build.

In Chrome 78.0.3904.70, it works fine.
Using cefsimple from the same build directory, loading the XML does not crash, but the main process always crashes on close, with this backtrace:

==============
Thread 1 "cefsimple" received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff1b6b447 in logging::LogMessage::~LogMessage()::$_2::operator()() const (this=<optimized out>) at ../../base/logging.cc:950
950 IMMEDIATE_CRASH();
(gdb) bt
#0 0x00007ffff1b6b447 in logging::LogMessage::~LogMessage()::$_2::operator()() const (this=<optimized out>) at ../../base/logging.cc:950
#1 logging::LogMessage::~LogMessage (this=0x7fffffffd210) at ../../base/logging.cc:950
#2 0x00007ffff3387b3e in cc::SingleThreadTaskGraphRunner::Shutdown (this=0xa047b6ef240) at ../../cc/raster/single_thread_task_graph_runner.cc:39
#3 0x00007ffff011390a in content::VizProcessTransportFactory::~VizProcessTransportFactory (this=0xa047b6a9900)
at ../../content/browser/compositor/viz_process_transport_factory.cc:126
#4 0x00007ffff01139e5 in non-virtual thunk to content::VizProcessTransportFactory::~VizProcessTransportFactory() ()
at ../../content/browser/compositor/viz_process_transport_factory.cc:122
#5 0x00007ffff011003a in content::ImageTransportFactory::Terminate () at ../../content/browser/compositor/image_transport_factory.cc:25
#6 0x00007fffef9bfd15 in content::BrowserMainLoop::ShutdownThreadsAndCleanUp (this=0xa047b6efb40) at ../../content/browser/browser_main_loop.cc:1094
#7 0x00007fffef9c1cc8 in content::BrowserMainRunnerImpl::Shutdown (this=0xa047b777d20) at ../../content/browser/browser_main_runner_impl.cc:177
#8 0x00007ffff1ab5447 in CefMainDelegate::ShutdownBrowser (this=0xa047b6e4f00) at ../../cef/libcef/common/main_delegate.cc:811
#9 0x00007ffff19ed5dc in CefContext::FinalizeShutdown (this=0xa047b6e3b80) at ../../cef/libcef/browser/context.cc:630
#10 0x00007ffff19ec4d6 in CefContext::Shutdown (this=0xa047b6e3b80) at ../../cef/libcef/browser/context.cc:486
#11 CefShutdown () at ../../cef/libcef/browser/context.cc:269
#12 0x0000555555575e66 in main (argc=<optimized out>, argv=<optimized out>) at ../../cef/tests/cefsimple/cefsimple_linux.cc:78
=============

There were some errors on run:

=================
[1028/161128.245644:INFO:CONSOLE(7)] "[object XMLDocument]", source: http://localhost:13199/WWW/test.html (7)
[1028/161128.272494:ERROR:buffer_manager.cc(488)] [.DisplayCompositor]GL ERROR :GL_INVALID_OPERATION : glBufferData: <- error from previous GL command
[1028/161200.792752:WARNING:cefsimple_linux.cc(17)] X error received: type 0, serial 555, error_code 3, request_code 20, minor_code 0
[1028/161200.842810:FATAL:single_thread_task_graph_runner.cc(39)] Check failed: !work_queue_.HasAnyNamespaces().
=========================
RangelReale
Techie
 
Posts: 21
Joined: Mon Mar 25, 2019 12:23 pm

Re: Crash on libxml/encoding.c on branch 3904

Postby RangelReale » Tue Oct 29, 2019 11:46 am

I managed to debug a little more, and the crash is happening on the xmlAlloc call inside the function xmlInitCharEncodingHandlers(), called from blink::InitializeLibXMLIfNecessary.
Searching online, this seems to be memory corruption from another part of the application that is making libxml crash.

This is a very strange error, and it always happens on the same function. Is there any way to debug this type of memory corruption in CEF?
RangelReale
Techie
 
Posts: 21
Joined: Mon Mar 25, 2019 12:23 pm

Re: Crash on libxml/encoding.c on branch 3904

Postby magreenblatt » Tue Oct 29, 2019 12:05 pm

You could try building/running with AddressSanitizer. There's documentation available here, but it's likely somewhat out of date. For example, you'll need to add the GN args documented here to GN_DEFINES instead of using GYP_DEFINES as described in the first link.
magreenblatt
Site Admin
 
Posts: 12409
Joined: Fri May 29, 2009 6:57 pm

Re: Crash on libxml/encoding.c on branch 3904

Postby ndesktop » Wed Oct 30, 2019 2:06 am

Not that libxml should crash, but it looks like the error is triggered by the missing declaration in the XML:
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
ndesktop
Master
 
Posts: 756
Joined: Thu Dec 03, 2015 10:10 am

Re: Crash on libxml/encoding.c on branch 3904

Postby RangelReale » Thu Nov 07, 2019 1:18 pm

Looking at my build, I found that I enabled exceptions and RTTI so I could integrate it on my application, can this be a source of this kind of error?

string(REPLACE "-fno-exceptions" "-fexceptions" EC_CEF_CXX_COMPILER_FLAGS "${CEF_CXX_COMPILER_FLAGS}")
string(REPLACE "-fno-rtti" "-frtti" EC_CEF_CXX_COMPILER_FLAGS "${EC_CEF_CXX_COMPILER_FLAGS}")
RangelReale
Techie
 
Posts: 21
Joined: Mon Mar 25, 2019 12:23 pm

Re: Crash on libxml/encoding.c on branch 3904

Postby RangelReale » Thu Nov 07, 2019 3:28 pm

Now I am trying to find the problem at the assembly level. The crash happens at an instruction named "ud2", which looks like it is made to crash on an undefined condition. Stepping into gdb tui, the crash happens in xmlInitCharEncodingHandlers, on the xmlMalloc at 1404.
I don't know assembly, but stepping into it, the xmlAlloc function call seems to be at 0x7fd7e8549196.
The "cmp" at 0x7fd7e85491ae does something so that the "ja" at 0x7fd7e85491b5 jumps to 0x7fd7e85492c6, which is directly a "ud2" instruction, which causes the crash.

┌──../../third_party/libxml/src/encoding.c─────────────────────────────────────────────────────────────────────────────────────────────────────────┐
B+ │1401 if (handlers != NULL) return; │
│1402 │
│1403 handlers = (xmlCharEncodingHandlerPtr *) │
>│1404 xmlMalloc(MAX_ENCODING_HANDLERS * sizeof(xmlCharEncodingHandlerPtr)); │
│1405 │
11 │1406 if (*ptr == 0x12) xmlLittleEndian = 0; │
│1407 else if (*ptr == 0x34) xmlLittleEndian = 1; │
│1408 else { │
│1409 xmlEncodingErr(XML_ERR_INTERNAL_ERROR, │
│1410 "Odd problem at endianness detection\n", NULL); │
│1411 } │
│1412 │
│1413 if (handlers == NULL) { │
19 │1414 xmlEncodingErrMemory("xmlInitCharEncodingHandlers : out of memory !\n"); │
│1415 return; │
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│0x7fd7e8549186 <xmlInitCharEncodingHandlers+6> push %rbx │
B+ │0x7fd7e8549187 <xmlInitCharEncodingHandlers+7> cmpq $0x0,0x3bd9c91(%rip) # 0x7fd7ec122e20 <handlers> │
│0x7fd7e854918f <xmlInitCharEncodingHandlers+15> je 0x7fd7e8549196 <xmlInitCharEncodingHandlers+22> │
│0x7fd7e8549191 <xmlInitCharEncodingHandlers+17> pop %rbx │
│0x7fd7e8549192 <xmlInitCharEncodingHandlers+18> pop %r14 │
│0x7fd7e8549194 <xmlInitCharEncodingHandlers+20> pop %rbp │
│0x7fd7e8549195 <xmlInitCharEncodingHandlers+21> retq │
>│0x7fd7e8549196 <xmlInitCharEncodingHandlers+22> mov 0x3a5f7bb(%rip),%rax # 0x7fd7ebfa8958 <xmlMalloc> │
│0x7fd7e854919d <xmlInitCharEncodingHandlers+29> lea -0x595b0c4(%rip),%rcx # 0x7fd7e2bee0e0 <__typeid__ZTSFPvmE_global_addr> │
│0x7fd7e85491a4 <xmlInitCharEncodingHandlers+36> mov %rax,%rdx │
│0x7fd7e85491a7 <xmlInitCharEncodingHandlers+39> sub %rcx,%rdx │
│0x7fd7e85491aa <xmlInitCharEncodingHandlers+42> ror $0x3,%rdx │
33 │0x7fd7e85491ae <xmlInitCharEncodingHandlers+46> cmp $0x7,%rdx │
│0x7fd7e85491b5 <xmlInitCharEncodingHandlers+53> ja 0x7fd7e85492c6 <xmlInitCharEncodingHandlers+326> │
35 │0x7fd7e85491bb <xmlInitCharEncodingHandlers+59> mov $0x190,%edi │
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
multi-thre Thread 0x7fd7ec33cb In: xmlInitCharEncodingHandlers L1404 PC: 0x7fd7e8549196
====================
0x7fd7e85492a8 <xmlInitCharEncodingHandlers+296> lea -0x68ea969(%rip),%r8 # 0x7fd7e1c5e946 │
│0x7fd7e85492af <xmlInitCharEncodingHandlers+303> mov $0x1b,%edi │
│0x7fd7e85492b4 <xmlInitCharEncodingHandlers+308> mov $0x2,%esi │
│0x7fd7e85492b9 <xmlInitCharEncodingHandlers+313> xor %edx,%edx │
│0x7fd7e85492bb <xmlInitCharEncodingHandlers+315> xor %ecx,%ecx │
│0x7fd7e85492bd <xmlInitCharEncodingHandlers+317> pop %rbx │
│0x7fd7e85492be <xmlInitCharEncodingHandlers+318> pop %r14 │
│0x7fd7e85492c0 <xmlInitCharEncodingHandlers+320> pop %rbp │
│0x7fd7e85492c1 <xmlInitCharEncodingHandlers+321> jmpq 0x7fd7e854ed30 <__xmlSimpleError> │
>│0x7fd7e85492c6 <xmlInitCharEncodingHandlers+326> ud2 │
│0x7fd7e85492c8 int3
RangelReale
Techie
 
Posts: 21
Joined: Mon Mar 25, 2019 12:23 pm
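The `sub`/`ror $0x3`/`cmp $0x7`/`ja` sequence in the disassembly above is Clang's control-flow-integrity indirect-call check (cfi-icall): before calling through the `xmlMalloc` function pointer, the code verifies that the target address is one of the 8-byte-aligned entries of the jump table for the type `void *(size_t)` (the `__typeid__ZTSFPvmE_global_addr` symbol), and `ud2` is the trap taken when it is not. The following Python model is an added example, not code from the thread or from CEF/libxml: it reproduces that check with the page's constants and a table base taken from the disassembly, and shows that misaligned targets fail as well as out-of-range ones, which is why a function pointer that ends up pointing outside the CFI-known set (for example into an allocator from another library, or into a function of a different type) traps in exactly this spot and why `is_cfi=false` makes the trap disappear.

```python
MASK64 = (1 << 64) - 1


def ror64(value, bits):
    """Rotate a 64-bit value right, as the x86 'ror' instruction does."""
    bits %= 64
    return ((value >> bits) | (value << (64 - bits))) & MASK64


def cfi_icall_check(target, table_base, align_shift=3, max_index=7):
    """Model of the cfi-icall range check from the disassembly on the page:

        sub  table_base, target     ; offset of target inside the jump table
        ror  $align_shift, offset   ; divide by 8, low bits wrap into the top
        cmp  $max_index, offset     ; at most 8 entries for this type
        ja   ud2                    ; unsigned compare: anything else traps

    align_shift=3 and max_index=7 are the constants the page shows
    (8-byte slots, 8 functions of type void *(size_t) known at link time).
    Returns True when the call is allowed, False when it would hit ud2.
    """
    offset = (target - table_base) & MASK64
    rotated = ror64(offset, align_shift)
    # Because 'ja' is an unsigned compare, a misaligned target (low bits set)
    # is rotated into a huge value and fails just like an out-of-range one.
    return rotated <= max_index


# Table base for __typeid__ZTSFPvmE_global_addr, as printed in the gdb dump.
TABLE_BASE = 0x7FD7E2BEE0E0


def classify_targets(table_base=TABLE_BASE):
    """Constructed candidate targets for the xmlMalloc pointer, mapped to
    whether the CFI check would let the indirect call proceed."""
    candidates = {
        "first table entry": table_base,
        "last table entry": table_base + 8 * 7,
        "one slot past the table": table_base + 8 * 8,
        "misaligned inside the table": table_base + 4,
        "below the table": table_base - 8,
        "unrelated library function": 0x7FD7E8549196,  # address from the post
    }
    return {name: cfi_icall_check(addr, table_base)
            for name, addr in candidates.items()}


if __name__ == "__main__":
    for name, allowed in classify_targets().items():
        print(f"{name:30s} -> {'call allowed' if allowed else 'ud2 trap'}")
```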

Re: Crash on libxml/encoding.c on branch 3904

Postby RangelReale » Thu Nov 07, 2019 3:52 pm

RangelReale
Techie
 
Posts: 21
Joined: Mon Mar 25, 2019 12:23 pm

Re: Crash on libxml/encoding.c on branch 3904 [SOLVED]

Postby RangelReale » Fri Nov 08, 2019 9:16 am

SOLVED: adding the flags "use_sysroot=true use_allocator=none symbol_level=1 is_cfi=false use_thin_lto=false" solved this crash in Ubuntu 16.04 x64.
RangelReale
Techie
 
Posts: 21
Joined: Mon Mar 25, 2019 12:23 pm
