
win: Crash in autofill::ShowSaveBubble

Open mattwildgoose opened this issue 1 year ago • 13 comments

Describe the bug

When running a .NET 4.8 WinForms application using the CefSharp ChromiumWebBrowser control and navigating to an HTML page containing inputs for Street, Town and Postcode, typing any value into all of these fields and then submitting the form, the hosting application crashes with a fault in libcef.dll

To Reproduce

I have created a sample repo at https://github.com/mattwildgoose/CefSharpIssue. This contains both a sample WinForms app and a web app with a simple html file used to reproduce the issue.

Steps to reproduce the behavior:

  1. Create a simple WinForms app with a form containing a CefSharp browser control
  2. Ensure you set the CefSettings.Locale value to "en-GB" (I used current culture but that's the value that's being set)
  3. Navigate to a page containing inputs with Street, Town and Postcode in their names and a submit button
  4. Type a dot into each field and click the submit button
  5. The browser's hosting application crashes

Expected behavior

The form should submit successfully and the browser should remain functional

Versions (please complete the following information):

  • OS: Windows 11
  • CEF Version: Issue started in CefSharp 126.2.180 but also tested with 128.4.90 and issue persists

Additional context

Does the problem reproduce with the cefclient or cefsimple sample application at the same version? I tried to reproduce with cefclient using each of the following command lines but could not reproduce with any of them:

  • .\cefclient.exe --multi-threaded-message-loop --no-sandbox --use-alloy-style
  • .\cefclient.exe --multi-threaded-message-loop --no-sandbox --use-alloy-style --lang=en-GB
  • .\cefclient.exe --multi-threaded-message-loop --no-sandbox --use-alloy-style --enable-chrome-runtime --lang=en-GB

With the cefclient after submitting the form it opens the dialog asking if you want to save the address against your profile, this isn't available when using CefSharp to my knowledge.

Does the problem reproduce with Google Chrome at the same version?

The problem does not reproduce in Google Chrome, which opens the same dialog as cefclient asking about saving the address

Add any other context about the problem here.

The problem appears to have come in with the switch from Alloy to Chrome Bootstrap, and reverting to Alloy resolves the problem. Also, if you don't set the CefSettings.Locale and leave it as the default (en-US) then you don't get the issue either.

On the CefSharp issue related to the change to the Chrome Bootstrap it requests to log related issues here, hence why I'm raising here rather than in the CefSharp repo.

The exception you get is Unhandled exception at 0x00007FFE050B86D4 (libcef.dll) in Browser.exe.43284.dmp: 0xC0000005: Access violation reading location 0x00000000000001F8.

Stack Trace: StackTrace.txt

mattwildgoose avatar Oct 02 '24 15:10 mattwildgoose

From the call stack (and code here) it looks like another instance of https://github.com/chromiumembedded/cef/issues/3763#issuecomment-2273914241 (the part about FindBrowserWithTab).

magreenblatt avatar Oct 03 '24 19:10 magreenblatt

You can disable autofill as described at https://www.magpcss.org/ceforum/viewtopic.php?f=6&t=19898&start=10#p55813

magreenblatt avatar Oct 03 '24 19:10 magreenblatt

@mattwildgoose Can you provide the HTML (or URL) for reproducing these steps?

> Navigate to a page containing inputs with Street, Town and Postcode in their names and a submit button
> Type a dot into each field and click the submit button

magreenblatt avatar Oct 03 '24 20:10 magreenblatt

> Can you provide the HTML (or URL) for reproducing these steps?

Thanks, found it at https://github.com/mattwildgoose/CefSharpIssue/blob/main/WebApp/wwwroot/Profile.html

magreenblatt avatar Oct 03 '24 20:10 magreenblatt

I'm also unable to reproduce this crash in cefclient (M130). The autofill bubble works as expected with --use-alloy-style [--use-native].

magreenblatt avatar Oct 04 '24 12:10 magreenblatt

Looks like the autocomplete code was substantially rewritten in https://issuetracker.google.com/issues/40281981 (~M129 timeframe), and this crashing code path is no longer triggered.

magreenblatt avatar Oct 04 '24 13:10 magreenblatt

@mattwildgoose Can you test if this issue is resolved for you in M129? Thanks.

magreenblatt avatar Oct 04 '24 13:10 magreenblatt

Closing this issue as likely fixed in M130 (and maybe M129).

magreenblatt avatar Oct 04 '24 13:10 magreenblatt

I had a similar problem using M129: on my page there was a field called "IBAN", and if you entered a valid IBAN number the whole application would crash. We assume that the problem is that the Chromium autofill for payments was triggered.

Starting up with the --disable-features flag did not work.

My workaround was to disable the settings in a custom LifeSpanHandler.

    using CefSharp;
    using CefSharp.Handler;

    // Disables the autofill/payments preferences on the global request context
    // once the first browser exists. OnAfterCreated runs on the CEF UI thread,
    // which is where IRequestContext.SetPreference must be called from.
    internal class CustomLifeSpanHandler : LifeSpanHandler
    {
        protected override void OnAfterCreated(IWebBrowser chromiumWebBrowser, IBrowser browser)
        {
            var context = Cef.GetGlobalRequestContext();
            string errorString;
            // SetPreference returns false and fills errorString if a preference
            // is unknown or cannot be changed; the return value is ignored here.
            context.SetPreference("autofill.save_data", false, out errorString);
            context.SetPreference("autofill.credit_card_enabled", false, out errorString);
            context.SetPreference("autofill.profile_enabled", false, out errorString);
            context.SetPreference("payments.can_make_payment_enabled", false, out errorString);
            context.SetPreference("search.suggest_enabled", false, out errorString);
            context.SetPreference("url_keyed_anonymized_data_collection.enabled", false, out errorString);
        }
    }

Maybe this helps someone.

zelpnir avatar Nov 07 '24 07:11 zelpnir

Another potentially related crash in M130: https://magpcss.org/ceforum/viewtopic.php?f=6&t=20088&p=56658

magreenblatt avatar Dec 11 '24 15:12 magreenblatt

This happens to me too. I couldn't replicate using OP's instructions since it looks like you need to enter some address-looking information to make it crash. Here is the HTML I used:

<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8" />
    <title>Profile</title>
</head>

<body>
    <form  novalidate="">
        <label for="customerFirstName">First Name</label>
        <input type="text" name="customerFirstName" id="customerFirstName" tabindex="0" data-qa="input-customerFirstName" autocomplete="given-name" aria-required="true" aria-invalid="true" aria-disabled="false" aria-errormessage="customerFirstName_error">
        <br>
        <label for="customerLastName">Last Name</label>
        <input type="text" name="customerLastName" id="customerLastName" tabindex="0" data-qa="input-customerLastName" autocomplete="family-name" aria-required="true" aria-invalid="true" aria-disabled="false" aria-errormessage="customerLastName_error">
        <br>
        <label for="customerStreetAndNo">Street Address</label>
        <input type="text" name="customerStreetAndNo" id="customerStreetAndNo" tabindex="0" data-qa="input-customerStreetAndNo" autocomplete="street-address" aria-required="true" aria-invalid="true" aria-disabled="false" aria-errormessage="customerStreetAndNo_error">
        <br>
        <label for="customerPostalCode">Postcode</label>
        <input type="text" name="customerPostalCode" id="customerPostalCode" tabindex="0" data-qa="input-customerPostalCode" autocomplete="postal-code" aria-required="true" aria-invalid="true" aria-disabled="false" aria-errormessage="customerPostalCode_error">
        <br>
        <label for="customerCity">City</label>
        <input type="text" name="customerCity" id="customerCity" tabindex="0" data-qa="input-customerCity" autocomplete="address-level2" aria-required="true" aria-invalid="true" aria-disabled="false" aria-errormessage="customerCity_error">
        <br>
        <label for="customerCountry">Country</label>
        <input type="text" name="customerCountry" id="customerCountry" tabindex="0" data-qa="input-customerCountry" autocomplete="country-name" aria-required="true" aria-invalid="true" aria-disabled="false" aria-errormessage="customerCountry_error">
        <br>
        <input type="submit" value="Submit">
    </form>
</body>

</html>

I served this HTML on localhost and entered these details:

  • First Name: John
  • Last Name: Smith
  • Street Address: 123 Main Street
  • Postcode: MN12 3OP
  • City: London
  • Country: United Kingdom

I did this with the current release version 131 using the WinForms.Example project with no changes to the code at all.

zelpnir's workaround fixed it for me. I wonder if that preference list is all it takes or whether there are some others we should also disable to avoid crashes in other situations.

jsoldi avatar Dec 19 '24 00:12 jsoldi
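As an added example (not code from this thread, and not part of CefSharp itself): a C# helper that applies the preference list from zelpnir's workaround and then reads every preference back, so a host application can see whether each one is registered in its CEF build and actually took effect rather than assuming so. It does not decide whether the list is complete for other situations; it only confirms that the named preferences were applied. The class and method names (AutofillPrefs, DisableAll, ApplyAfterInitialize) are assumptions made here; the CefSharp calls used (IRequestContext.HasPreference, SetPreference, GetPreference, Cef.UIThreadTaskFactory and Cef.GetGlobalRequestContext) are CefSharp's public API.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using CefSharp;

// Hypothetical helper (added here; not part of CefSharp or this thread) that
// applies the autofill-related preferences from the workaround above and
// reads each one back so a missing or unknown preference is reported instead
// of being silently ignored.
internal static class AutofillPrefs
{
    // Preference names taken from zelpnir's workaround earlier in the thread.
    private static readonly string[] Names =
    {
        "autofill.save_data",
        "autofill.credit_card_enabled",
        "autofill.profile_enabled",
        "payments.can_make_payment_enabled",
        "search.suggest_enabled",
        "url_keyed_anonymized_data_collection.enabled",
    };

    // Sets every preference to false and returns the ones that could not be
    // disabled, keyed by name with the reason as the value. An empty dictionary
    // means all preferences are registered, writable and now read back as false.
    // Must run on the CEF UI thread: IRequestContext.SetPreference requires it.
    public static IDictionary<string, string> DisableAll(IRequestContext context)
    {
        var failures = new Dictionary<string, string>();
        foreach (var name in Names)
        {
            // A preference this CEF build does not register cannot be set;
            // report it rather than assume the workaround is complete.
            if (!context.HasPreference(name))
            {
                failures[name] = "preference not registered in this CEF build";
                continue;
            }
            if (!context.SetPreference(name, false, out var error))
            {
                failures[name] = error ?? "SetPreference returned false";
                continue;
            }
            // Read back the stored value; GetPreference returns it as object.
            var value = context.GetPreference(name);
            if (!(value is bool current) || current)
            {
                failures[name] = "read-back value was " + (value ?? "null");
            }
        }
        return failures;
    }

    // Call once after Cef.Initialize has returned. The work is marshalled to the
    // CEF UI thread; the returned task completes with the failure map so the
    // host can log it (or refuse to show the browser) before navigation starts.
    public static Task<IDictionary<string, string>> ApplyAfterInitialize()
    {
        return Cef.UIThreadTaskFactory.StartNew(() =>
            DisableAll(Cef.GetGlobalRequestContext()));
    }
}
```

Usage: in the WinForms Program.Main, after `Cef.Initialize(settings)` (with `settings.Locale = "en-GB"` to match the reproduction), call `AutofillPrefs.ApplyAfterInitialize()` and log any entries in the returned dictionary. This is an alternative placement to zelpnir's OnAfterCreated override; both run on the CEF UI thread, the only difference being that this variant reports preferences that did not take instead of discarding the SetPreference result.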

Got the same crash with IBAN autofill.

Could not minimize this, but I think the example below will do.

Repro:

  1. ./cefclient.exe --multi-threaded-message-loop --no-sandbox --use-alloy-style --enable-chrome-runtime
  2. Go to https://gta5majestic.com/donate
  3. Select server Berlin
  4. Select payment method "Direct banking"
  5. Enter some random email
  6. Enter kin4stat login
  7. Enter amount (10 euro for example)
  8. Press the agree button
  9. Proceed to Payment
  10. Enter random first name (John for example)
  11. Enter random last name (Smith for example)
  12. Enter random email ([email protected])
  13. Press pay 10 euro
  14. Select Austria
  15. Select Addiko Bank
  16. Enter AT968550182446891854 IBAN (Generated with iban generator for example)
  17. Proceed
  18. Crash

kin4stat avatar Mar 27 '25 05:03 kin4stat

Happening for me on 134.3.6+g96006d1+chromium-134.0.6998.118

Saw this at one point chrome::FindBrowserWithTab(...) returned nullptr.

Disabling autofill as suggested partially fixes it - bah, there must be another issue somewhere.

dynamicstelephony avatar Mar 27 '25 15:03 dynamicstelephony

Hi, I can reproduce this behavior with libcef.dll 135.0.21+gd008a99+chromium-135.0.7049.96 by setting the locale to something other than "en-US":

  • OS: Windows 11
  • cefclient.exe: 135.0.21.0 (x86)

Steps to reproduce:

  • Host the following HTML file ("input-sample.html") on a web server:

        <!-- input-sample.html -->
        <!DOCTYPE html>
        <html>
        <body>
            <form method="post" action="" onsubmit="return false;">
                <div>
                    <input type="text" name="name" placeholder="Name" />
                </div>
                <div>
                    <input type="text" name="street" placeholder="Street" />
                </div>
                <div>
                    <input type="text" name="postcode" placeholder="Post Code" />
                    <input type="text" name="city" placeholder="City" />
                </div>

                <div>
                    <button>Submit</button>
                </div>
            </form>
        </body>
        </html>

  • Run cefclient.exe with this command line: cefclient --use-alloy-style --lang=en-GB
  • Navigate to the HTML file, e.g. http://localhost/input-sample.html
  • Fill the form (writing a dot in each input is enough)
  • Submit the form
  • The app crashes to desktop

The event log states an access violation and these are the exception details from the crash dump:

CONTEXT:
eax=00000000 ebx=087ce744 ecx=2b68d0e7 edx=00000000 esi=42a9b400 edi=43579d80
eip=1526a1e8 esp=087ce740 ebp=087ce75c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
libcef!base::raw_ptr<BrowserWindow,1>::GetForExtraction [inlined in libcef!autofill::`anonymous namespace'::ShowSaveBubble+0x68]:
1526a1e8 8b9804010000    mov     ebx,dword ptr [eax+104h] ds:002b:00000104=????????

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 1526a1e8 (libcef!base::raw_ptr<BrowserWindow,1>::GetForExtraction)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000104
Attempt to read from address 00000104

PROCESS_NAME:  cefclient.exe
READ_ADDRESS:  00000104 
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgeführt werden.
EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000104

STACK_TEXT:  
087ce75c 1526ab5f     43579ed8 00000000 42a9b400 libcef!autofill::`anonymous namespace'::ShowSaveBubble+0x68
087ce798 1526aa29     43579ec0 42a9b400 00000000 libcef!base::internal::Invoker<base::internal::FunctorTraits<autofill::AutofillBubbleBase *(*const &)(const autofill::AutofillProfile &, bool, content::WebContents *, bool, base::WeakPtr<autofill::AddressBubbleControllerDelegate>),const autofill::AutofillProfile &,const bool &>,base::internal::BindState<0,1,0,autofill::AutofillBubbleBase *(*)(const autofill::AutofillProfile &, bool, content::WebContents *, bool, base::WeakPtr<autofill::AddressBubbleControllerDelegate>),autofill::AutofillProfile,bool>,autofill::AutofillBubbleBase *(content::WebContents *, bool, base::WeakPtr<autofill::AddressBubbleControllerDelegate>)>::Run+0x6f
087ce7bc 1526a9ba     42a9b400 00000000 00000000 libcef!base::RepeatingCallback<autofill::AutofillBubbleBase *(content::WebContents *, bool, base::WeakPtr<autofill::AddressBubbleControllerDelegate>)>::Run+0x39
087ce7ec 15266000     087ce83c 087ce828 087ce820 libcef!autofill::AddressBubblesController::DoShowBubble+0x5a
087ce7fc 1526a389     43566a14 231438ff 087ce844 libcef!autofill::AutofillBubbleControllerBase::Show+0x20
087ce820 1526a0db     00000000 437a0000 00000012 libcef!autofill::AddressBubblesController::SetUpAndShowBubble+0x89
087ce864 15267ea1     42a9b400 42a92ab0 00000000 libcef!autofill::AddressBubblesController::SetUpAndShowSaveOrUpdateAddressBubble+0x10b
087ce894 16e95adb     42a92ab0 00000000 00000000 libcef!autofill::ChromeAutofillClient::ConfirmSaveAddressProfile+0x41
087ce8d8 16e957b2     00000000 107273d0 42a92880 libcef!autofill::AddressProfileSaveManager::OfferSavePrompt+0xfb
087ce904 16e956d5     42a92880 43628fa8 087ce94c libcef!autofill::AddressProfileSaveManager::MaybeOfferSavePrompt+0xb2
087ce938 16250303     4318dcc0 42944094 4318ddc8 libcef!autofill::AddressProfileSaveManager::ImportProfileFromForm+0x75
087ce9d0 1624fc24     087cebc0 00000001 00000031 libcef!autofill::FormDataImporter::ProcessAddressProfileImportCandidates+0x163
087cec5c 16243e87     42afc380 00000001 00000001 libcef!autofill::FormDataImporter::ImportAndProcessFormData+0x124
087cee88 16243c3f     00000000 42afc380 434c4740 libcef!autofill::`anonymous namespace'::MaybeImportFromSubmittedForm+0xb7
087ceec8 1623bdba     00000031 00000000 087cef10 libcef!autofill::BrowserAutofillManager::OnFormSubmittedImpl::<lambda_9>::operator()+0xcf
087cf1b8 162480b0     434c4740 00000005 12f5c740 libcef!autofill::BrowserAutofillManager::OnFormSubmittedImpl+0x47a
087cf1dc 1636aa0e     434c4740 00000005 087cf210 libcef!autofill::AutofillManager::OnFormSubmitted+0x60
087cf1f8 16f1048b     087cf488 4366e700 434c4740 libcef!absl::functional_internal::InvokeObject<`lambda at ..\..\components\autofill\content\browser\content_autofill_driver.cc:250:7',void,autofill::AutofillDriver &,const autofill::FormData &,const autofill::internal::GlobalId<autofill::FieldRendererId> &>+0x5e
087cf288 1636953d     087cf488 1636a9b0 4366e700 libcef!autofill::AutofillDriverRouter::FormSubmitted+0xfb
087cf4a0 16369471     16f10390 12f55b00 087cf528 libcef!autofill::`anonymous namespace'::RouteToManager<autofill::FormData,autofill::mojom::SubmissionSource,const autofill::FormData &,autofill::mojom::SubmissionSource,const autofill::FormData &,autofill::mojom::SubmissionSource &>+0xad
087cf4d0 10561593     087cf528 00000005 ffffffff libcef!autofill::ContentAutofillDriver::FormSubmitted+0x41
087cf714 10c5d863     4366e708 087cf87c 087cf780 libcef!autofill::mojom::AutofillDriverStubDispatch::Accept+0x253
087cf724 1244fe19     087cf87c 087cf87c 428ff940 libcef!autofill::mojom::AutofillDriverStub<mojo::RawPtrImplRefTraits<autofill::mojom::AutofillDriver> >::Accept+0x13
087cf780 12583e2e     087cf87c 087cf7b0 1240a2a5 libcef!mojo::InterfaceEndpointClient::HandleValidatedMessage+0x159
087cf7b0 124510ec     087cf87c 19e7e958 23142733 libcef!mojo::MessageDispatcher::Accept+0x6e
087cf870 124a6ed7     087cf87c 434be270 00000000 libcef!mojo::InterfaceEndpointClient::HandleIncomingMessage+0x4c
087cf8e4 124a6d9e     124a6af0 00000000 42f799e8 libcef!base::internal::DecayedFunctorTraits<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification) __attribute__((thiscall)),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>::Invoke<void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification) __attribute__((thiscall)),scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification>+0x127
087cf90c 123fd443     42f79990 ffffff00 ffffffff libcef!base::internal::Invoker<base::internal::FunctorTraits<void (IPC::ChannelAssociatedGroupController::*&&)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification) __attribute__((thiscall)),IPC::ChannelAssociatedGroupController *&&,mojo::Message &&,IPC::(anonymous namespace)::ScopedUrgentMessageNotification &&>,base::internal::BindState<1,1,0,void (IPC::ChannelAssociatedGroupController::*)(mojo::Message, IPC::(anonymous namespace)::ScopedUrgentMessageNotification) __attribute__((thiscall)),scoped_refptr<IPC::ChannelAssociatedGroupController>,mojo::Message,IPC::(anonymous namespace)::ScopedUrgentMessageNotification>,void ()>::RunOnce+0x3e
087cf964 12573257     42fc8000 123febf6 123fec26 libcef!base::TaskAnnotator::RunTaskImpl+0x103
087cfb08 123efecf     087cfb30 00000083 00003e80 libcef!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork+0x457
087cfb64 107ff182     4c085438 ffff0000 23142b63 libcef!base::MessagePumpForUI::DoRunLoop+0x6f
087cfb84 10d635f0     4c085438 087cfba8 4c085398 libcef!base::MessagePumpWin::Run+0xb2
087cfbdc 108219ad     00000001 ffffffff 7fffffff libcef!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run+0x100
087cfc50 0fa2b764     087cfc5c 19928184 19928106 libcef!base::RunLoop::Run+0xed
087cfca0 0fa82399     4c040680 0000000b 80000010 libcef!CefMainRunner::RunMessageLoop+0xe4
087cfcc4 107fb480     4c0644b0 00000001 000000e0 libcef!CefUIThread::ThreadMain+0xc9
087cfce8 760f5d49     4c0781c0 760f5d30 087cfd50 libcef!base::`anonymous namespace'::ThreadFunc+0x100
087cfcf8 775ed03b     4c0781c0 8f4bcf2f 00000000 kernel32!BaseThreadInitThunk+0x19
087cfd50 775ecfc1     ffffffff 77632122 00000000 ntdll!__RtlUserThreadStart+0x2b
087cfd60 00000000     107fb380 4c0781c0 00000000 ntdll!_RtlUserThreadStart+0x1b

FAULTING_SOURCE_LINE:  Y:\work\CEF3_git\chromium\src\chrome\browser\ui\autofill\address_bubbles_controller.cc
FAULTING_SOURCE_FILE:  Y:\work\CEF3_git\chromium\src\chrome\browser\ui\autofill\address_bubbles_controller.cc
FAULTING_SOURCE_LINE_NUMBER:  55
FAULTING_SOURCE_CODE:  No source found for 'Y:\work\CEF3_git\chromium\src\base\allocator\partition_allocator\src\partition_alloc\pointers\raw_ptr.h'
SYMBOL_NAME:  libcef+68
MODULE_NAME: libcef
IMAGE_NAME:  libcef.dll
FAILURE_BUCKET_ID:  NULL_CLASS_PTR_READ_INVALID_POINTER_READ_c0000005_libcef.dll!Unknown
OS_VERSION:  10.0.26100.1
BUILDLAB_STR:  ge_release
OSPLATFORM_TYPE:  x86
OSNAME:  Windows 10
IMAGE_VERSION:  135.0.21.0

Hope this helps! Let me know if any further information is required.

Thanks and best regards, René

lx-ra avatar May 21 '25 13:05 lx-ra

For anyone wondering, the easiest way to run a localhost server on Windows is:

  1. Open terminal in the target root directory
  2. Run python -m http.server 8000

magreenblatt avatar Jul 16 '25 17:07 magreenblatt