NetworkService crash on upload in CefPostDataElementImpl::Set

Issue #2765 resolved
Marshall Greenblatt created an issue

What steps will reproduce the problem?

Load https://speedtest.net in cefclient and click the “Go” button. Wait for the upload portion of the test to begin.

What is the expected output? What do you see instead?

The upload test should complete successfully. Instead, the application crashes with the following stack trace:

[0920/124524.116:FATAL:request_impl.cc(1572)] Check failed: false. 
>   base.dll!base::debug::BreakDebugger() Line 28   C++
    base.dll!logging::LogMessage::~LogMessage() Line 942    C++
    libcef.dll!CefPostDataElementImpl::Set(const network::DataElement & element) Line 1569  C++
    libcef.dll!CefPostDataImpl::Set(const network::ResourceRequestBody & body) Line 1294    C++
    libcef.dll!CefRequestImpl::Set(const network::ResourceRequest * request, unsigned __int64 identifier) Line 513  C++
    libcef.dll!net_service::`anonymous namespace'::InterceptedRequestHandlerWrapper::MakeRequest(const network::ResourceRequest * request, __int64 request_id, bool read_only) Line 1145    C++
    libcef.dll!net_service::`anonymous namespace'::InterceptedRequestHandlerWrapper::GetHandler(const net_service::RequestId & id, network::ResourceRequest * request, bool * intercept_only, scoped_refptr<CefRequestImpl> & requestPtr) Line 1038 C++
    libcef.dll!net_service::`anonymous namespace'::InterceptedRequestHandlerWrapper::OnBeforeRequest(const net_service::RequestId & id, network::ResourceRequest * request, bool request_was_redirected, base::OnceCallback<void (bool, bool)> callback, base::OnceCallback<void (int)> cancel_callback) Line 446   C++
    libcef.dll!net_service::InterceptedRequest::Restart() Line 365  C++
    libcef.dll!net_service::ProxyURLLoaderFactory::CreateLoaderAndStart(mojo::InterfaceRequest<network::mojom::URLLoader> loader, int routing_id, int request_id, unsigned int options, const network::ResourceRequest & request, mojo::InterfacePtr<network::mojom::URLLoaderClient> client, const net::MutableNetworkTrafficAnnotationTag & traffic_annotation) Line 1168 C++
    libcef.dll!network::mojom::URLLoaderFactoryStubDispatch::Accept(network::mojom::URLLoaderFactory * impl, mojo::Message * message) Line 217  C++
    libcef.dll!network::mojom::URLLoaderFactoryStub<mojo::RawPtrImplRefTraits<network::mojom::URLLoaderFactory> >::Accept(mojo::Message * message) Line 128 C++
    bindings.dll!mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message * message) Line 437    C++
    bindings.dll!mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message * message) Line 133    C++
    bindings.dll!mojo::FilterChain::Accept(mojo::Message * message) Line 40 C++
    bindings.dll!mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message * message) Line 320 C++
    bindings.dll!mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper * message_wrapper, mojo::internal::MultiplexRouter::ClientCallBehavior client_call_behavior, base::SequencedTaskRunner * current_task_runner) Line 872 C++
    bindings.dll!mojo::internal::MultiplexRouter::Accept(mojo::Message * message) Line 594  C++
    bindings.dll!mojo::FilterChain::Accept(mojo::Message * message) Line 40 C++
    bindings.dll!mojo::Connector::DispatchMessageW(mojo::Message message) Line 508  C++
    bindings.dll!mojo::Connector::ReadAllAvailableMessages() Line 584   C++
    bindings.dll!mojo::Connector::OnHandleReadyInternal(unsigned int result) Line 421   C++
    bindings.dll!mojo::Connector::OnWatcherHandleReady(unsigned int result) Line 381    C++
    bindings.dll!base::internal::FunctorTraits<void (mojo::Connector::*)(unsigned int) __attribute__((thiscall)),void>::Invoke<void (mojo::Connector::*)(unsigned int) __attribute__((thiscall)),mojo::Connector *,unsigned int>(void(mojo::Connector::*)(unsigned int) method, mojo::Connector * && receiver_ptr, unsigned int && args) Line 499   C++
    bindings.dll!base::internal::InvokeHelper<0,void>::MakeItSo<void (mojo::Connector::*const &)(unsigned int) __attribute__((thiscall)),mojo::Connector *,unsigned int>(void(mojo::Connector::*)(unsigned int) & functor, mojo::Connector * && args, unsigned int && args) Line 599    C++
    bindings.dll!base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int) __attribute__((thiscall)),base::internal::UnretainedWrapper<mojo::Connector> >,void (unsigned int)>::RunImpl<void (mojo::Connector::*const &)(unsigned int) __attribute__((thiscall)),const std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > &,0>(void(mojo::Connector::*)(unsigned int) & functor, const std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > & bound, std::__1::integer_sequence<unsigned int,0>, unsigned int && unbound_args) Line 672   C++
    bindings.dll!base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int) __attribute__((thiscall)),base::internal::UnretainedWrapper<mojo::Connector> >,void (unsigned int)>::Run(base::internal::BindStateBase * base, unsigned int unbound_args) Line 654   C++
    bindings.dll!base::RepeatingCallback<void (unsigned int)>::Run(unsigned int args) Line 136  C++
    bindings.dll!mojo::SimpleWatcher::DiscardReadyState(const base::RepeatingCallback<void (unsigned int)> & callback, unsigned int result, const mojo::HandleSignalsState & state) Line 195    C++
    bindings.dll!base::internal::FunctorTraits<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),void>::Invoke<void (*const &)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),const base::RepeatingCallback<void (unsigned int)> &,unsigned int,const mojo::HandleSignalsState &>(void(*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &) & function, const base::RepeatingCallback<void (unsigned int)> & args, unsigned int && args, const mojo::HandleSignalsState & args) Line 399    C++
    bindings.dll!base::internal::InvokeHelper<0,void>::MakeItSo<void (*const &)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),const base::RepeatingCallback<void (unsigned int)> &,unsigned int,const mojo::HandleSignalsState &>(void(*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &) & functor, const base::RepeatingCallback<void (unsigned int)> & args, unsigned int && args, const mojo::HandleSignalsState & args) Line 599 C++
    bindings.dll!base::internal::Invoker<base::internal::BindState<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)> >,void (unsigned int, const mojo::HandleSignalsState &)>::RunImpl<void (*const &)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),const std::__1::tuple<base::RepeatingCallback<void (unsigned int)> > &,0>(void(*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &) & functor, const std::__1::tuple<base::RepeatingCallback<void (unsigned int)> > & bound, std::__1::integer_sequence<unsigned int,0>, unsigned int && unbound_args, const mojo::HandleSignalsState & unbound_args) Line 672   C++
    bindings.dll!base::internal::Invoker<base::internal::BindState<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)> >,void (unsigned int, const mojo::HandleSignalsState &)>::Run(base::internal::BindStateBase * base, unsigned int unbound_args, const mojo::HandleSignalsState & unbound_args) Line 654   C++
    mojo_public_system_cpp.dll!base::RepeatingCallback<void (unsigned int, const mojo::HandleSignalsState &)>::Run(unsigned int args, const mojo::HandleSignalsState & args) Line 136   C++
    mojo_public_system_cpp.dll!mojo::SimpleWatcher::OnHandleReady(int watch_id, unsigned int result, const mojo::HandleSignalsState & state) Line 293   C++
    mojo_public_system_cpp.dll!mojo::SimpleWatcher::Context::Notify(unsigned int result, MojoHandleSignalsState signals_state, unsigned int flags) Line 119 C++
    mojo_public_system_cpp.dll!mojo::SimpleWatcher::Context::CallNotify(const MojoTrapEvent * event) Line 57    C++
    mojo_core_embedder_internal.dll!mojo::core::WatcherDispatcher::InvokeWatchCallback(unsigned int context, unsigned int result, const mojo::core::HandleSignalsState & state, unsigned int flags) Line 95 C++
    mojo_core_embedder_internal.dll!mojo::core::Watch::InvokeCallback(unsigned int result, const mojo::core::HandleSignalsState & state, unsigned int flags) Line 78    C++
    mojo_core_embedder_internal.dll!mojo::core::RequestContext::~RequestContext() Line 72   C++
    mojo_core_embedder_internal.dll!mojo::core::NodeChannel::OnChannelMessage(const void * payload, unsigned int payload_size, std::__1::vector<mojo::PlatformHandle,std::__1::allocator<mojo::PlatformHandle> > handles) Line 700  C++
    mojo_core_embedder_internal.dll!mojo::core::Channel::TryDispatchMessage(base::span<const char,4294967295> buffer, unsigned int * size_hint) Line 791    C++
    mojo_core_embedder_internal.dll!mojo::core::Channel::OnReadComplete(unsigned int bytes_read, unsigned int * next_read_size_hint) Line 688   C++
    mojo_core_embedder_internal.dll!mojo::core::`anonymous namespace'::ChannelWin::OnReadDone(unsigned int bytes_read) Line 248 C++
    mojo_core_embedder_internal.dll!mojo::core::`anonymous namespace'::ChannelWin::OnIOCompleted(base::MessagePumpForIO::IOContext * context, unsigned long bytes_transfered, unsigned long error) Line 234 C++
    base.dll!base::MessagePumpForIO::WaitForIOCompletion(unsigned long timeout, base::MessagePumpForIO::IOHandler * filter) Line 688    C++
    base.dll!base::MessagePumpForIO::DoRunLoop() Line 636   C++
    base.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 77  C++
    base.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool application_tasks_allowed, base::TimeDelta timeout) Line 466   C++
    base.dll!base::RunLoop::RunWithTimeout(base::TimeDelta timeout) Line 161    C++
    base.dll!base::RunLoop::Run() Line 129  C++
    base.dll!base::Thread::Run(base::RunLoop * run_loop) Line 242   C++
    content.dll!content::BrowserProcessSubThread::IOThreadRun(base::RunLoop * run_loop) Line 158    C++
    content.dll!content::BrowserProcessSubThread::Run(base::RunLoop * run_loop) Line 110    C++
    base.dll!base::Thread::ThreadMain() Line 312    C++
    base.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 99 C++

What version of the product are you using? On what operating system?

CEF 76.1.10 on Windows 10.

In this case element.type is kDataPipe so the NOTREACHED() is triggered in CefPostDataElementImpl::Set.

Comments (5)

  1. Marshall Greenblatt reporter

    Since this is a Debug-only assertion we should probably just remove the NOTREACHED(). In this case HasExcludedElements() should be true. Providing access to these types of elements in discussed in issue #1896.

  2. Riku Palomäki

    This also happens in youtube.com in CEF 3904 when you just click on the top-right corner “REVIEW” button in the privacy reminder bar. Element type is also kDataPipe, but the callstack is slightly different:

    [1101/082354.736411:FATAL:request_impl.cc(1367)] Check failed: false. 
    #0 0x7f93f37acaf9 base::debug::CollectStackTrace()
    #1 0x7f93f369e763 base::debug::StackTrace::StackTrace()
    #2 0x7f93f36bdc73 logging::LogMessage::~LogMessage()
    #3 0x7f93f735e026 CefPostDataElementImpl::Set()
    #4 0x7f93f7359efd CefPostDataImpl::Set()
    #5 0x7f93f7359b89 CefRequestImpl::Set()
    #6 0x7f93f72f5209 net_service::(anonymous namespace)::InterceptedRequestHandlerWrapper::OnBeforeRequest()
    #7 0x7f93f72e6b4d net_service::InterceptedRequest::Restart()
    #8 0x7f93f72ec7aa net_service::ProxyURLLoaderFactory::CreateLoaderAndStart()
    #9 0x7f93f6d33ad8 network::mojom::URLLoaderFactoryStubDispatch::Accept()
    #10 0x7f93f8a8ea97 mojo::InterfaceEndpointClient::HandleValidatedMessage()
    #11 0x7f93f8a8e336 mojo::FilterChain::Accept()
    #12 0x7f93f8a901e5 mojo::InterfaceEndpointClient::HandleIncomingMessage()
    #13 0x7f93f8a97312 mojo::internal::MultiplexRouter::ProcessIncomingMessage()
    #14 0x7f93f8a967d0 mojo::internal::MultiplexRouter::Accept()
    #15 0x7f93f8a8e336 mojo::FilterChain::Accept()
    #16 0x7f93f8a86510 mojo::Connector::DispatchMessage()
    #17 0x7f93f8a87364 mojo::Connector::ReadAllAvailableMessages()
    #18 0x7f93f8a86ee6 mojo::Connector::OnHandleReadyInternal()
    #19 0x7f93f8a87b84 mojo::SimpleWatcher::DiscardReadyState()
    #20 0x7f93f8a40c66 mojo::SimpleWatcher::OnHandleReady()
    #21 0x7f93f8a4119b mojo::SimpleWatcher::Context::Notify()
    #22 0x7f93f8a3fd00 mojo::SimpleWatcher::Context::CallNotify()
    #23 0x7f93dc83dc77 mojo::core::WatcherDispatcher::InvokeWatchCallback()
    #24 0x7f93dc83d408 mojo::core::Watch::InvokeCallback()
    #25 0x7f93dc837ed2 mojo::core::RequestContext::~RequestContext()
    #26 0x7f93dc8284cd mojo::core::NodeChannel::OnChannelMessage()
    #27 0x7f93dc812d63 mojo::core::Channel::TryDispatchMessage()
    #28 0x7f93dc812a75 mojo::core::Channel::OnReadComplete()
    #29 0x7f93dc842fa9 mojo::core::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking()
    #30 0x7f93f37d4510 base::MessagePumpLibevent::OnLibeventNotification()
    #31 0x7f93f37e8c9d event_base_loop
    #32 0x7f93f37d483c base::MessagePumpLibevent::Run()
    #33 0x7f93f3746687 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run()
    #34 0x7f93f37014db base::RunLoop::Run()
    #35 0x7f93f37708ed base::Thread::Run()
    #36 0x7f93f1c2ca14 content::BrowserProcessSubThread::IOThreadRun()
    #37 0x7f93f1c2c95f content::BrowserProcessSubThread::Run()
    #38 0x7f93f3770d0a base::Thread::ThreadMain()
    #39 0x7f93f37c4668 base::(anonymous namespace)::ThreadFunc()
    #40 0x7f93f591c6db start_thread
    #41 0x7f93f392688f clone
    

  3. Log in to comment