Status: Fixed
Closed: Sep 2014
OS: Linux
Pri: 1
Type: Bug-Security
ThreadSanitizer v2 reports a heap-use-after-free in _get_bitmap_surface
Reported by glider@chromium.org (Project Member), Sep 24 2014
This is a report from ClusterFuzz: https://cluster-fuzz.appspot.com/testcase?key=6393869835960320

==================
WARNING: ThreadSanitizer: heap-use-after-free (pid=25351)
  Read of size 1 at 0x7d04000928f8 by main thread (mutexes: write M13451, write M13476, write M13450, write M7054):
    #0 memcpy <null>:0 (chrome+0x000000a1c060)
    #1 memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:51 (libcairo.so.2+0x0000000b2925)
    #2 _get_bitmap_surface /build/buildd/cairo-1.12.16/src/cairo-ft-font.c:1166 (libcairo.so.2+0x0000000b2925)
    #3 libgtk2ui::Gtk2EventLoop::GdkEventTrampoline(_GdkEvent*, void*) chrome/browser/ui/libgtk2ui/gtk2_event_loop.cc:34:3 (chrome+0x0000051fee50)
    #4 _gdk_window_process_updates_recurse /build/buildd/gtk+2.0-2.24.20/gdk/gdkwindow.c:5427 (libgdk-x11-2.0.so.0+0x000000040f2e)
    #5 base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:415:3 (chrome+0x0000011edb1b)
    #6 base::RunLoop::Run() base/run_loop.cc:54:3 (chrome+0x00000120751e)
    #7 ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1610:3 (chrome+0x000000e36d25)
    #8 content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:748:21 (chrome+0x0000047de169)
    #9 content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:118:5 (chrome+0x0000047e2107)
    #10 content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:26:15 (chrome+0x0000047d82e7)
    #11 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:420:14 (chrome+0x0000011a22df)
    #12 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:767:12 (chrome+0x0000011a2be1)
    #13 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15 (chrome+0x0000011a17ce)
    #14 ChromeMain chrome/app/chrome_main.cc:57:12 (chrome+0x000000a91ce3)
    #15 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x000000a91c5e)

  Previous write of size 8 at 0x7d04000928f8 by main thread (mutexes: write M13451, write M13452, write M13450):
    #0 free <null>:0 (chrome+0x000000a1adbb)
    #1 _cairo_image_surface_finish /build/buildd/cairo-1.12.16/src/cairo-image-surface.c:846 (libcairo.so.2+0x0000000368bb)
    #2 libgtk2ui::Gtk2EventLoop::GdkEventTrampoline(_GdkEvent*, void*) chrome/browser/ui/libgtk2ui/gtk2_event_loop.cc:34:3 (chrome+0x0000051fee50)
    #3 _gdk_window_process_updates_recurse /build/buildd/gtk+2.0-2.24.20/gdk/gdkwindow.c:5427 (libgdk-x11-2.0.so.0+0x000000040f2e)
    #4 base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:415:3 (chrome+0x0000011edb1b)
    #5 base::RunLoop::Run() base/run_loop.cc:54:3 (chrome+0x00000120751e)
    #6 ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1610:3 (chrome+0x000000e36d25)
    #7 content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:748:21 (chrome+0x0000047de169)
    #8 content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:118:5 (chrome+0x0000047e2107)
    #9 content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:26:15 (chrome+0x0000047d82e7)
    #10 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:420:14 (chrome+0x0000011a22df)
    #11 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:767:12 (chrome+0x0000011a2be1)
    #12 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15 (chrome+0x0000011a17ce)
    #13 ChromeMain chrome/app/chrome_main.cc:57:12 (chrome+0x000000a91ce3)
    #14 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x000000a91c5e)

  Location is heap block of size 7 at 0x7d04000928f0 allocated by main thread:
    #0 malloc <null>:0 (chrome+0x000000a1a7bd)
    #1 ft_alloc third_party/freetype2/src/src/base/ftsystem.c:74:12 (libfreetype.so.6+0x000000009419)
    #2 ft_mem_qalloc third_party/freetype2/src/src/base/ftutil.c:76:15 (libfreetype.so.6+0x00000000d42a)
    #3 ft_mem_alloc third_party/freetype2/src/src/base/ftutil.c:55 (libfreetype.so.6+0x00000000d42a)
    #4 ft_glyphslot_alloc_bitmap third_party/freetype2/src/src/base/ftobjs.c:300 (libfreetype.so.6+0x00000000d42a)
    #5 Load_SBit_Image third_party/freetype2/src/src/sfnt/ttsbit.c:1312:15 (libfreetype.so.6+0x00000005f483)
    #6 tt_face_load_sbit_image third_party/freetype2/src/src/sfnt/ttsbit.c:1475:13 (libfreetype.so.6+0x00000005c7a1)
    #7 load_sbit_image third_party/freetype2/src/src/truetype/ttgload.c:1736:13 (libfreetype.so.6+0x0000000643c0)
    #8 TT_Load_Glyph third_party/freetype2/src/src/truetype/ttgload.c:1946 (libfreetype.so.6+0x0000000643c0)
    #9 Load_Glyph third_party/freetype2/src/src/truetype/ttdriver.c:325 (libfreetype.so.6+0x0000000643c0)
    #10 FT_Load_Glyph third_party/freetype2/src/src/base/ftobjs.c:675:15 (libfreetype.so.6+0x000000009f2f)
    #11 _cairo_ft_scaled_glyph_init /build/buildd/cairo-1.12.16/src/cairo-ft-font.c:2251 (libcairo.so.2+0x0000000b2a4a)
    #12 libgtk2ui::Gtk2EventLoop::GdkEventTrampoline(_GdkEvent*, void*) chrome/browser/ui/libgtk2ui/gtk2_event_loop.cc:34:3 (chrome+0x0000051fee50)
    #13 _gdk_window_process_updates_recurse /build/buildd/gtk+2.0-2.24.20/gdk/gdkwindow.c:5427 (libgdk-x11-2.0.so.0+0x000000040f2e)
    #14 base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:415:3 (chrome+0x0000011edb1b)
    #15 base::RunLoop::Run() base/run_loop.cc:54:3 (chrome+0x00000120751e)
    #16 ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1610:3 (chrome+0x000000e36d25)
    #17 content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:748:21 (chrome+0x0000047de169)
    #18 content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:118:5 (chrome+0x0000047e2107)
    #19 content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:26:15 (chrome+0x0000047d82e7)
    #20 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:420:14 (chrome+0x0000011a22df)
    #21 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:767:12 (chrome+0x0000011a2be1)
    #22 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15 (chrome+0x0000011a17ce)
    #23 ChromeMain chrome/app/chrome_main.cc:57:12 (chrome+0x000000a91ce3)
    #24 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x000000a91c5e)

  Mutex M13451 (0x7d0c0017ac00) created at:
    #0 pthread_mutex_init <null>:0 (chrome+0x000000a1f850)
    #1 g_mutex_impl_new /build/buildd/glib2.0-2.38.1/glib/gthread-posix.c:104 (libglib-2.0.so.0+0x000000088087)
    #2 libgtk2ui::Gtk2EventLoop::GdkEventTrampoline(_GdkEvent*, void*) chrome/browser/ui/libgtk2ui/gtk2_event_loop.cc:34:3 (chrome+0x0000051fee50)
    #3 _gdk_window_process_updates_recurse /build/buildd/gtk+2.0-2.24.20/gdk/gdkwindow.c:5427 (libgdk-x11-2.0.so.0+0x000000040f2e)
    #4 base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:415:3 (chrome+0x0000011edb1b)
    #5 base::RunLoop::Run() base/run_loop.cc:54:3 (chrome+0x00000120751e)
    #6 ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1610:3 (chrome+0x000000e36d25)
    #7 content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:748:21 (chrome+0x0000047de169)
    #8 content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:118:5 (chrome+0x0000047e2107)
    #9 content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:26:15 (chrome+0x0000047d82e7)
    #10 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:420:14 (chrome+0x0000011a22df)
    #11 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:767:12 (chrome+0x0000011a2be1)
    #12 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15 (chrome+0x0000011a17ce)
    #13 ChromeMain chrome/app/chrome_main.cc:57:12 (chrome+0x000000a91ce3)
    #14 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x000000a91c5e)

  Mutex M13476 (0x7d54000eeff0) created at:
    #0 pthread_mutex_lock <null>:0 (chrome+0x000000a3eeb0)
    #1 _cairo_scaled_font_freeze_cache /build/buildd/cairo-1.12.16/src/cairo-scaled-font.c:798 (libcairo.so.2+0x000000061898)
    #2 libgtk2ui::Gtk2EventLoop::GdkEventTrampoline(_GdkEvent*, void*) chrome/browser/ui/libgtk2ui/gtk2_event_loop.cc:34:3 (chrome+0x0000051fee50)
    #3 _gdk_window_process_updates_recurse /build/buildd/gtk+2.0-2.24.20/gdk/gdkwindow.c:5427 (libgdk-x11-2.0.so.0+0x000000040f2e)
    #4 base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:415:3 (chrome+0x0000011edb1b)
    #5 base::RunLoop::Run() base/run_loop.cc:54:3 (chrome+0x00000120751e)
    #6 ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1610:3 (chrome+0x000000e36d25)
    #7 content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:748:21 (chrome+0x0000047de169)
    #8 content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:118:5 (chrome+0x0000047e2107)
    #9 content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:26:15 (chrome+0x0000047d82e7)
    #10 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:420:14 (chrome+0x0000011a22df)
    #11 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:767:12 (chrome+0x0000011a2be1)
    #12 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15 (chrome+0x0000011a17ce)
    #13 ChromeMain chrome/app/chrome_main.cc:57:12 (chrome+0x000000a91ce3)
    #14 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x000000a91c5e)

  Mutex M13450 (0x7d7800004828) created at:
    #0 pthread_mutex_init <null>:0 (chrome+0x000000a1f850)
    #1 _cairo_device_init /build/buildd/cairo-1.12.16/src/cairo-device.c:176 (libcairo.so.2+0x00000002955a)
    #2 libgtk2ui::Gtk2EventLoop::GdkEventTrampoline(_GdkEvent*, void*) chrome/browser/ui/libgtk2ui/gtk2_event_loop.cc:34:3 (chrome+0x0000051fee50)
    #3 _gdk_window_process_updates_recurse /build/buildd/gtk+2.0-2.24.20/gdk/gdkwindow.c:5427 (libgdk-x11-2.0.so.0+0x000000040f2e)
    #4 base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:415:3 (chrome+0x0000011edb1b)
    #5 base::RunLoop::Run() base/run_loop.cc:54:3 (chrome+0x00000120751e)
    #6 ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1610:3 (chrome+0x000000e36d25)
    #7 content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:748:21 (chrome+0x0000047de169)
    #8 content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:118:5 (chrome+0x0000047e2107)
    #9 content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:26:15 (chrome+0x0000047d82e7)
    #10 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:420:14 (chrome+0x0000011a22df)
    #11 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:767:12 (chrome+0x0000011a2be1)
    #12 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15 (chrome+0x0000011a17ce)
    #13 ChromeMain chrome/app/chrome_main.cc:57:12 (chrome+0x000000a91ce3)
    #14 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x000000a91c5e)

  Mutex M7054 (0x7d4400046210) created at:
    #0 pthread_mutex_lock <null>:0 (chrome+0x000000a3eeb0)
    #1 _cairo_ft_unscaled_font_lock_face /build/buildd/cairo-1.12.16/src/cairo-ft-font.c:651 (libcairo.so.2+0x0000000b1094)
    #2 gfx::RenderTextPango::GetStringSize() ui/gfx/render_text_pango.cc:93:3 (chrome+0x000001c8cad1)
    #3 gfx::RenderText::GetStringSizeF() ui/gfx/render_text.cc:708:21 (chrome+0x000001c7cc73)
    #4 gfx::Canvas::SizeStringFloat(std::__1::basic_string<unsigned short, base::string16_char_traits, std::__1::allocator<unsigned short> > const&, gfx::FontList const&, float*, float*, int, int) ui/gfx/canvas_skia.cc:212:34 (chrome+0x000001c5e584)
    #5 gfx::Canvas::SizeStringInt(std::__1::basic_string<unsigned short, base::string16_char_traits, std::__1::allocator<unsigned short> > const&, gfx::FontList const&, int*, int*, int, int) ui/gfx/canvas.cc:95:3 (chrome+0x000001c5b75f)
    #6 views::Label::GetTextSize() const ui/views/controls/label.cc:347:5 (chrome+0x000004da9a46)
    #7 views::Label::GetPreferredSize() const ui/views/controls/label.cc:235:18 (chrome+0x000004da8dac)
    #8 Tab::Layout() chrome/browser/ui/views/tabs/tab.cc:801:30 (chrome+0x000004353c0b)
    #9 Tab::SetData(TabRendererData const&) chrome/browser/ui/views/tabs/tab.cc:525:3 (chrome+0x0000043512c3)
    #10 TabStrip::SetTabData(int, TabRendererData const&) chrome/browser/ui/views/tabs/tab_strip.cc:706:3 (chrome+0x00000435e526)
    #11 SetTabDataAt chrome/browser/ui/views/tabs/browser_tab_strip_controller.cc:519:3 (chrome+0x00000434f160)
    #12 TabChangedAt chrome/browser/ui/views/tabs/browser_tab_strip_controller.cc:468 (chrome+0x00000434f160)
    #13 non-virtual thunk to BrowserTabStripController::TabChangedAt(content::WebContents*, int, TabStripModelObserver::TabChangeType) chrome/browser/ui/views/tabs/browser_tab_strip_controller.cc:469 (chrome+0x00000434f160)
    #14 TabStripModel::UpdateWebContentsStateAt(int, TabStripModelObserver::TabChangeType) chrome/browser/ui/tabs/tab_strip_model.cc:533:3 (chrome+0x0000043da63d)
    #15 Browser::ProcessPendingUIUpdates() chrome/browser/ui/browser.cc:2140:7 (chrome+0x0000043977af)
    #16 Run base/bind_internal.h:134:12 (chrome+0x00000439dcd8)
    #17 MakeItSo base/bind_internal.h:882 (chrome+0x00000439dcd8)
    #18 base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (Browser::*)()>, void (Browser*), void (base::WeakPtr<Browser>)>, void (Browser*)>::Run(base::internal::BindStateBase*) base/bind_internal.h:1166 (chrome+0x00000439dcd8)
    #19 Run base/callback.h:401:12 (chrome+0x00000124e1d4)
    #20 base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:62 (chrome+0x00000124e1d4)
    #21 base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:446:3 (chrome+0x0000011ee2b6)
    #22 DeferOrRunPendingTask base/message_loop/message_loop.cc:456:5 (chrome+0x0000011ef206)
    #23 base::MessageLoop::DoDelayedWork(base::TimeTicks*) base/message_loop/message_loop.cc:603 (chrome+0x0000011ef206)
    #24 base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:318:9 (chrome+0x0000012410b4)
    #25 base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:415:3 (chrome+0x0000011edb1b)
    #26 base::RunLoop::Run() base/run_loop.cc:54:3 (chrome+0x00000120751e)
    #27 ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1610:3 (chrome+0x000000e36d25)
    #28 content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:748:21 (chrome+0x0000047de169)
    #29 content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:118:5 (chrome+0x0000047e2107)
    #30 content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:26:15 (chrome+0x0000047d82e7)
    #31 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:420:14 (chrome+0x0000011a22df)
    #32 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:767:12 (chrome+0x0000011a2be1)
    #33 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15 (chrome+0x0000011a17ce)
    #34 ChromeMain chrome/app/chrome_main.cc:57:12 (chrome+0x000000a91ce3)
    #35 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x000000a91c5e)

  Mutex M13452 (0x7d54000729f0) created at:
    #0 pthread_mutex_lock <null>:0 (chrome+0x000000a3eeb0)
    #1 _cairo_scaled_font_freeze_cache /build/buildd/cairo-1.12.16/src/cairo-scaled-font.c:798 (libcairo.so.2+0x000000061898)
    #2 libgtk2ui::Gtk2EventLoop::GdkEventTrampoline(_GdkEvent*, void*) chrome/browser/ui/libgtk2ui/gtk2_event_loop.cc:34:3 (chrome+0x0000051fee50)
    #3 _gdk_window_process_updates_recurse /build/buildd/gtk+2.0-2.24.20/gdk/gdkwindow.c:5427 (libgdk-x11-2.0.so.0+0x000000040f2e)
    #4 base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:415:3 (chrome+0x0000011edb1b)
    #5 base::RunLoop::Run() base/run_loop.cc:54:3 (chrome+0x00000120751e)
    #6 ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1610:3 (chrome+0x000000e36d25)
    #7 content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:748:21 (chrome+0x0000047de169)
    #8 content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:118:5 (chrome+0x0000047e2107)
    #9 content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:26:15 (chrome+0x0000047d82e7)
    #10 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:420:14 (chrome+0x0000011a22df)
    #11 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:767:12 (chrome+0x0000011a2be1)
    #12 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15 (chrome+0x0000011a17ce)
    #13 ChromeMain chrome/app/chrome_main.cc:57:12 (chrome+0x000000a91ce3)
    #14 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x000000a91c5e)

SUMMARY: ThreadSanitizer: heap-use-after-free ??:0 memcpy
==================
 
Labels: -Type-Bug -Pri-2 -Restrict-View-SecurityNotify Type-Bug-Security Pri-1 Restrict-View-SecurityTeam
Project Member Comment 2 by ClusterFuzz, Sep 24 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6393869835960320

Fuzzer: Inferno_twister_custom_bundle
Job Type: Linux_tsan_chrome_mp

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x7d04000928f8
Crash State:
  _get_bitmap_surface
  libgtk2ui::Gtk2EventLoop::GdkEventTrampoline
  _gdk_window_process_updates_recurse
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=262551:262628

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97oXgWvzM_Mii89I0mcnt70I9--ZE1Cxj_vTlNyDS_f7i-JgPJjqwqve8ak6EiLLYJFzqv-nO1N6xTi-AzWFtYNlYai-NL1XYJ52Gr3qgXQzCTAk1VhhNOOFiPSOptEgoztE7df369ByCyxc0P9lpG0a0TgLw
 http-equiv=Content-Type<title>CD?&#x4a71;&#x91bc;&#xa86f0;M`&#x7c12;&#xff6b;


Additional requirements: Requires Gestures

Filer: aarya
Project Member Comment 3 by ClusterFuzz, Sep 24 2014
Labels: Security_Impact-Stable Stability-Memory-ThreadSanitizer
Project Member Comment 4 by bugdroid1@chromium.org, Sep 27 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1291d0c2e4435561edcc260aa0b3337dbd583eda

commit 1291d0c2e4435561edcc260aa0b3337dbd583eda
Author: yukishiino <yukishiino@chromium.org>
Date: Sat Sep 27 11:56:38 2014

linux: Fixes a racy crash by key input at termination.

It seems that it's possible that GDK events happen while we're going
to unregister the GDK event handler, and the code must be thread-safe.
(A gpointer |data| in the old code seems to be pointing to the deleted object.)

This CL removes use of |data| pointer and makes the code thread-safe
without adding any mutex.

BUG=417210

Review URL: https://codereview.chromium.org/610523002

Cr-Commit-Position: refs/heads/master@{#297112}

[modify] https://chromium.googlesource.com/chromium/src.git/+/1291d0c2e4435561edcc260aa0b3337dbd583eda/chrome/browser/ui/libgtk2ui/gtk2_event_loop.cc
[modify] https://chromium.googlesource.com/chromium/src.git/+/1291d0c2e4435561edcc260aa0b3337dbd583eda/chrome/browser/ui/libgtk2ui/gtk2_event_loop.h

Status: Fixed
Project Member Comment 6 by ClusterFuzz, Sep 28 2014
Labels: Merge-Triage M-39 M-38 M-37
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Labels: -Merge-Triage -M-38 -M-37 Release-0-M39
Project Member Comment 8 by ClusterFuzz, Jan 3 2015
Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.
Labels: -Stability-Memory-ThreadSanitizer
Project Member Comment 10 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 11 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic