New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 0 users
Status: Fixed
back Nov 29
Closed: Apr 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

  • Only users with EditIssue permission may comment.

Sign in to add a comment
Heap-use-after-free in WebCore::V8AbstractEventListener::~V8AbstractEventListener
Project Member Reported by, Apr 3 2012 Back to list
Detailed report:

Fuzzer: Inferno_layout_test_fuzzer

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f3c44a55360
Crash State:
  - crash stack -
  - free stack -

Minimized Testcase (1.73 Kb):
Labels: Feature-IndexedDB
Could this be coming from revert from I cannot see anything else in that narrow regression range -

dgrogan@, jsbell@, any idea about this ?

Status: Assigned
If that minimized test case is accurate it's not hitting the change in at all; the change set only applies if the IDBObjectStore had a keyPath and autoIncrement was set, which are not the defaults and not set in that test case.

Ah, the revision range on the Chromium side is: r118266:r118281
... which includes:
Always enable indexeddb for workers.  Remove --enable-indexeddb-for-workers switch.

I believe that revision range was identified simply because that's when IDB+Workers would have been exposed to fuzzing; the actual issue would have been latent before then.
This looks similar to an Google-internal report that came across our radar this morning - sorry non-Googlers:


... and stack of the thread which crashed with EXCEPTION_ACCESS_VIOLATION_READ:

0x65b07a20	 [chrome.dll	 - v8.h:3956]	v8::Local<v8::Function>::New(v8::Handle<v8::Function>)
0x6619a79d	 [chrome.dll	 - v8abstracteventlistener.cpp:71]	WebCore::V8AbstractEventListener::~V8AbstractEventListener()
0x663cd68b	 [chrome.dll	 + 0x00b2d68b]	WebCore::V8WorkerContextEventListener::`scalar deleting destructor'(unsigned int)
0x661f102f	 [chrome.dll	 - vector.h:58]	WTF::VectorDestructor<1,WebCore::RegisteredEventListener>::destruct(WebCore::RegisteredEventListener *,WebCore::RegisteredEventListener *)
0x66349c46	 [chrome.dll	 + 0x00aa9c46]	WTF::Vector<WebCore::RegisteredEventListener,1>::`scalar deleting destructor'(unsigned int)
0x65b60c14	 [chrome.dll	 - hashtable.h:931]	WTF::HashTable<WTF::AtomicString,std::pair<WTF::AtomicString,WTF::OwnPtr<WTF::Vector<WebCore::RegisteredEventListener,1> > >,WTF::PairFirstExtractor<std::pair<WTF::AtomicString,WTF::OwnPtr<WTF::Vector<WebCore::RegisteredEventListener,1> > > >,WTF::AtomicStringHash,WTF::PairHashTraits<WebCore::EventListenerMap::EventListenerHashMapTraits,WTF::HashTraits<WTF::OwnPtr<WTF::Vector<WebCore::RegisteredEventListener,1> > > >,WebCore::EventListenerMap::EventListenerHashMapTraits>::deallocateTable(std::pair<WTF::AtomicString,WTF::OwnPtr<WTF::Vector<WebCore::RegisteredEventListener,1> > > *,int)
0x6636a55c	 [chrome.dll	 - eventtarget.cpp:78]	WebCore::EventTargetData::~EventTargetData()
0x6613ecfa	 [chrome.dll	 - idbrequest.cpp:77]	WebCore::IDBRequest::~IDBRequest()
0x6613ec99	 [chrome.dll	 + 0x0089ec99]	WebCore::IDBRequest::`scalar deleting destructor'(unsigned int)
0x66105ccf	 [chrome.dll	 - threadsaferefcounted.h:137]	WTF::ThreadSafeRefCounted<WebCore::IDBCursorBackendInterface>::deref()
0x66b18ef0	 [chrome.dll	 - webidbcallbacksimpl.cpp:56]	WebKit::WebIDBCallbacksImpl::~WebIDBCallbacksImpl()
0x66b18f75	 [chrome.dll	 + 0x01278f75]	WebKit::WebIDBCallbacksImpl::`scalar deleting destructor'(unsigned int)
0x658d8376	 [chrome.dll	 - id_map.h:184]	IDMap<fileapi::FileSystemCallbackDispatcher,1>::Releaser<1,0>::release_all(stdext::hash_map<int,fileapi::FileSystemCallbackDispatcher *,stdext::hash_compare<int,std::less<int> >,std::allocator<std::pair<int const ,fileapi::FileSystemCallbackDispatcher *> > > *)
0x658d8323	 [chrome.dll	 - id_map.h:52]	IDMap<WebKit::WebIDBCallbacks,1>::~IDMap<WebKit::WebIDBCallbacks,1>()
0x66b9f062	 [chrome.dll	 -]	IndexedDBDispatcher::~IndexedDBDispatcher()
0x66b9fe2e	 [chrome.dll	 + 0x012ffe2e]	IndexedDBDispatcher::`vector deleting destructor'(unsigned int)
0x658db215	 [chrome.dll	 -]	webkit_database::DatabaseQuotaClient::OnQuotaManagerDestroyed()
0x668271c0	 [chrome.dll	 -]	webkit_glue::WorkerTaskRunner::OnWorkerRunLoopStopped(WebKit::WebWorkerRunLoop const &)
0x66b04ad3	 [chrome.dll	 - platformsupport.cpp:1130]	WebCore::PlatformSupport::didStopWorkerRunLoop(WebCore::WorkerRunLoop *)
0x66166279	 [chrome.dll	 - workerthread.cpp:161]	WebCore::WorkerThread::workerThread()
0x66343637	 [chrome.dll	 - threading.cpp:69]	WTF::threadEntryPoint
0x65dce6bd	 [chrome.dll	 - threadingwin.cpp:213]	WTF::wtfThreadEntryPoint
0x6593abc3	 [chrome.dll	 - threadex.c:348]	_callthreadstartex
0x6593ab87	 [chrome.dll	 - threadex.c:326]	_threadstartex
0x76f23399	 [kernel32.dll	 + 0x00013399]	BaseThreadInitThunk
0x77eb9ef1	 [ntdll.dll	 + 0x00039ef1]	__RtlUserThreadStart
0x77eb9ec4	 [ntdll.dll	 + 0x00039ec4]	_RtlUserThreadStart
Status: Started
Labels: webkit-id-83104
Project Member Comment 11 by, Apr 4 2012
Labels: -webkit-id-83104 WebKit-ID-83104-NEW
i'll make the same comment here as i made on a dup of this bug...

Looks like there was a pending transaction at shutdown time.

The cleanup tasks below happen prior to didStopWorkerRunLoop() being invoked. Is it possible that a cleanup task has cleaned up some state that the IDBRequest dtor depends on?

void WorkerRunLoop::run(WorkerContext* context)
    RunLoopSetup setup(*this);
    ModePredicate modePredicate(defaultMode());
    MessageQueueWaitResult result;
    do {
        result = runInMode(context, modePredicate, WaitForMessage);
    } while (result != MessageQueueTerminated);

If so, hoisting our calls to PlatformSupport didStartWorkerRunLoop and didStopWorkerRunLoop up into that run method, and calling stop before running cleanup tasks, could help.
Project Member Comment 16 by, Apr 11 2012
The following revision refers to this bug:

r131679 | | Tue Apr 10 17:08:01 PDT 2012

Changed paths:

Add DCHECK to ensure IndexedDBDispatcher doesn't get re-created.

This could happen if there are IDB objects that survive the call to

BUG= 121734 

Review URL:
Project Member Comment 17 by, Apr 11 2012
The following revision refers to this bug:

r131683 | | Tue Apr 10 17:39:51 PDT 2012

Changed paths:

Revert 131679 - Add DCHECK to ensure IndexedDBDispatcher doesn't get re-created.
Broke content_unittests WebRTCAudioDeviceTest.TestValidOutputRates

This could happen if there are IDB objects that survive the call to

BUG= 121734 

Review URL:
Review URL:
Labels: Merge-Requested
The webkit fix landed in  Can we merge it to 19?

Hm, I see it was tagged with Mstone-18.  Is it serious enough to warrant patching into 18?

Labels: -Merge-Requested Merge-Approved
Status: FixUnreleased
We will see the need to merge to m18 if another stable patch comes.
I just noticed in the "Merge instructions for Chrome 19" email:

> Have your change checked into the trunk, and passed through either a Canary build or Dev channel release before asking for merge approval

This fix was just rolled into chrome this morning and hasn't been through a canary or dev release yet. I also got an email from notifier@ saying this merge request was approved improperly, subject:

Merge Approved Improperly(cr): 121734 [FixUnreleased||Mstone-18|] - Heap-use-after-free in WebCore::V8AbstractEventListener::~V8AbstractEventListener - 

So it seems that my merge request was improper, and inferno's approval was improper. So I'm not going to merge to m19 yet. Let me know if I should merge despite these improprieties.
David, security bugs have blanket approval for merges and we do check with the release managers before doing mass merges. Best to just leave it for now and we will merge to the appropriate branches as needed.
Ok cool, if you guys handle the merging then I'm off the hook.  Thanks!
Project Member Comment 23 by, Apr 13 2012
The following revision refers to this bug:

r132128 | | Thu Apr 12 19:16:08 PDT 2012

Changed paths:

Add DCHECK in IndexedDBDispatcher::ThreadSpecificInstance to ensure
IndexedDBDispatcher doesn't get re-created during worker shutdown.

This could happen if there are IDB objects that survive the call to

This CL also makes RenderThreadImpl call new IndexedDBDispatcher
instead of IndexedDBDispatcher::ThreadSpecificInstance to avoid
hitting that DCHECK in tests.  WebRTCAudioDeviceTest creates a
RenderThreadImpl object, deletes it, and creates another render
thread object, all on the same thread.

BUG= 121734 

Review URL:
Note that the chrome change doesn't need to be merged to m19's branch, just
I thought this would been merged into m19 by now. Is that going to happen? There's a bug about this affecting internal teams:
Please feel free to merge to m19 if you need it early. We were planning to merge this when m19 stable release date comes close. Also please check with similar/same stack which is still hitting.
Labels: -Mstone-18 -Merge-Approved Mstone-19 Merge-Merged
Merged into m19, branch 1084:
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: CVE-2011-3091
Comment 30 by, May 15 2012
Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.
Project Member Comment 31 by, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Comment 32 by, Oct 17 2012
Labels: -Feature-IndexedDB WebKit-Storage-IndexedDB
Project Member Comment 33 by, Mar 10 2013
Labels: -Area-WebKit -Type-Security -SecSeverity-High -SecImpacts-Stable -Mstone-19 -SecImpacts-Beta -Stability-AddressSanitizer -WebKit-Storage-IndexedDB Cr-Content Security-Impact-Stable Security-Impact-Beta Type-Bug-Security M-19 Security-Severity-High Cr-Content-Storage-IndexedDB Performance-Memory-AddressSanitizer
Project Member Comment 34 by, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 35 by, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 37 by, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 38 by, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 39 by, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 40 by, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 41 by, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 42 by, Apr 6 2013
Labels: -Cr-Content-Storage-IndexedDB Cr-Blink-Storage-IndexedDB
Comment 44 by, Feb 12 2015
Project Member Comment 45 by, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 46 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 47 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Sign in to add a comment