
Issue 592276


Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Blocking:
issue 539505




handle verifier "CloseHandle called on tracked handle" on shutdown

Reported by wfh@chromium.org (Project Member), Mar 7 2016

Issue description

This bug is to track any times that handle verifier catches tracked handles being closed on process shutdown.

This appears to only happen on Windows 7 because it seems to do more stuff on shutdown.

The stacks will look largely like this, in particular they will contain the stack frame "_ProcessDetach" and also "OnHandleBeingClosed".

e.g.

Thread 0 CRASHED [EXCEPTION_ACCESS_VIOLATION_EXEC @ 0xe9e8e7e6 ] MAGIC SIGNATURE THREAD
0xe9e8e7e6		
0x00f41fd8	(chrome.exe -logging.cc:492 )	logging::LogMessage::LogMessage(char const *,int,int)
0x00f50090	(chrome.exe -scoped_handle.cc:212 )	`anonymous namespace'::ActiveVerifier::OnHandleBeingClosed(void *)
0x0feb3aad	(chrome_child.dll -close_handle_hook_win.cc:41 )	`anonymous namespace'::CloseHandleHook(void *)
0x76954b8e	(SHLWAPI.dll + 0x00014b8e )	_ProcessDetach
0x76954b4f	(SHLWAPI.dll + 0x00014b4f )	EtwUnregisterTraceGuids
0x76959c33	(SHLWAPI.dll + 0x00019c33 )	_DllMainCRTStartup
0x774b8d33	(ntdll.dll + 0x00058d33 )	LdrpCallInitRoutine
0x774be459	(ntdll.dll + 0x0005e459 )	RtlNumberGenericTableElements
0x774be4f4	(ntdll.dll + 0x0005e4f4 )	RtlExitUserProcess
0x76c2bdce	(kernel32.dll + 0x0005bdce )	ExitProcessStub
0x00f987aa	(chrome.exe -crt0dat.c:774 )	__crtExitProcess

a search query for this is

WHERE
  product.name='Chrome'
OMIT RECORD IF
  SUM(CrashedStackTrace.StackFrame.FunctionName CONTAINS 'ActiveVerifier') = 0 OR
  SUM(CrashedStackTrace.StackFrame.FunctionName='_ProcessDetach') = 0

or a crash link is:

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20product.version%3E%3D%2751.0.2667.0%27%20%20OMIT%20RECORD%20IF%20SUM(CrashedStackTrace.StackFrame.FunctionName%20CONTAINS%20%27ActiveVerifier%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27_ProcessDetach%27)%20%3D%200&ignore_case=false#samplereports
 
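A small triage filter, added here and not part of the issue or of Chromium's code, that applies the same two conditions as the crash search query above (some frame mentions ActiveVerifier, some frame is exactly _ProcessDetach) to a breakpad-style stack. The sample stack is constructed from the frames quoted in the description; its addresses are made up.

```python
import re

# Constructed sample in the layout shown in the issue description:
# address <tab> (module + source location) <tab> function name.
# Addresses/offsets are made up for this example.
SAMPLE_CRASH = """\
Thread 0 CRASHED [EXCEPTION_ACCESS_VIOLATION_EXEC @ 0xe9e8e7e6 ] MAGIC SIGNATURE THREAD
0xe9e8e7e6
0x00f41fd8\t(chrome.exe -logging.cc:492 )\tlogging::LogMessage::LogMessage(char const *,int,int)
0x00f50090\t(chrome.exe -scoped_handle.cc:212 )\t`anonymous namespace'::ActiveVerifier::OnHandleBeingClosed(void *)
0x0feb3aad\t(chrome_child.dll -close_handle_hook_win.cc:41 )\t`anonymous namespace'::CloseHandleHook(void *)
0x76954b8e\t(SHLWAPI.dll + 0x00014b8e )\t_ProcessDetach
0x774be4f4\t(ntdll.dll + 0x0005e4f4 )\tRtlExitUserProcess
"""

# Only symbolised frames match; the bare faulting address and the thread header do not.
FRAME_RE = re.compile(r"^0x[0-9a-f]+\t\(([^)]*)\)\t(.+)$")


def parse_frames(text):
    """Return (module, function) tuples for each symbolised frame, top of stack first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            module = m.group(1).split()[0]  # "chrome.exe -logging.cc:492 " -> "chrome.exe"
            frames.append((module, m.group(2).strip()))
    return frames


def is_shutdown_verifier_crash(frames):
    """The issue's two conditions: a verifier frame AND a DLL_PROCESS_DETACH frame."""
    has_verifier = any("ActiveVerifier" in fn for _, fn in frames)
    has_detach = any(fn == "_ProcessDetach" for _, fn in frames)
    return has_verifier and has_detach


def closing_module(frames):
    """Module whose DllMain issued the CloseHandle: the first frame below CloseHandleHook."""
    for i, (_, fn) in enumerate(frames):
        if "CloseHandleHook" in fn and i + 1 < len(frames):
            return frames[i + 1][0]
    return None
```

Running the filter over a folder of symbolised reports and grouping by closing_module() shows which DLL's DLL_PROCESS_DETACH path is closing tracked handles, which is the question the thread is chasing.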

Comment 1 by wfh@chromium.org, Mar 7 2016

it seems these are mostly/all coming from chrome_child!`anonymous namespace'::FontFileStream::RuntimeClassInitialize

e.g. crash/8ddc563400000000

004cf64c  001dbb47 chrome!base::debug::StackTrace::StackTrace+0x17 [c:\b\build\slave\win\build\src\base\debug\stack_trace_win.cc @ 215]
004cf650  001cfd34 chrome!`anonymous namespace'::ActiveVerifier::StartTracking+0x64 [c:\b\build\slave\win\build\src\base\win\scoped_handle.cc @ 166]
004cf654  67c17eb3 chrome_child!base::win::GenericScopedHandle<base::win::HandleTraits,base::win::VerifierTraits>::Set+0x5c [c:\b\build\slave\win\build\src\base\win\scoped_handle.h @ 81]
004cf658  67c17df0 chrome_child!base::File::DoInitialize+0x12b [c:\b\build\slave\win\build\src\base\files\file_win.cc @ 386]
004cf65c  67c17ca4 chrome_child!base::File::Initialize+0xa2 [c:\b\build\slave\win\build\src\base\files\file.cc @ 94]
004cf660  67c4b9da chrome_child!base::MemoryMappedFile::Initialize+0x23 [c:\b\build\slave\win\build\src\base\files\memory_mapped_file.cc @ 39]
004cf664  67c84fb6 chrome_child!`anonymous namespace'::FontFileStream::RuntimeClassInitialize+0x123 [c:\b\build\slave\win\build\src\content\common\dwrite_font_platform_win.cc @ 592]
004cf668  67c84e2d chrome_child!Microsoft::WRL::Details::MakeAndInitialize<`anonymous namespace'::FontFileStream,A0x92745943::FontFileStream,unsigned int &>+0x3c [c:\b\depot_tools\win_toolchain\vs2013_files\4087e065abebdca6dbd0caca2910c6718d2ec67f\win_sdk\include\10.0.10586.0\winrt\wrl\implements.h @ 2547]
004cf66c  67c84dec chrome_child!Microsoft::WRL::Details::MakeAndInitialize<`anonymous namespace'::FontFileStream,A0x92745943::FontFileStream,unsigned int &>+0x1f [c:\b\depot_tools\win_toolchain\vs2013_files\4087e065abebdca6dbd0caca2910c6718d2ec67f\win_sdk\include\10.0.10586.0\winrt\wrl\implements.h @ 2614]
004cf670  67c84d9e chrome_child!`anonymous namespace'::FontFileLoader::CreateStreamFromKey+0x2a [c:\b\build\slave\win\build\src\content\common\dwrite_font_platform_win.cc @ 642]
*** WARNING: Unable to verify checksum for dwrite.dll
004cf674  6e1a47f9 dwrite!FontFileReference::GetStreamInternal+0xc6
004cf678  6e1a4593 dwrite!FontFragmentPtr<unsigned char>::FontFragmentPtr<unsigned char>+0x15
004cf67c  6e1a45d0 dwrite!FontFileReference::ReadIntoBuffer+0x1d
004cf680  6e1a3db6 dwrite!OpenTypeTableDirectory::GetTableCount+0x25
004cf684  6e1a3c62 dwrite!OpenTypeTableDirectory::OpenTypeTableDirectory+0x42
004cf688  6e166b28 dwrite!DWriteFontFace::TryGetFontTable+0x6c
004cf68c  68029b7b chrome_child!DWriteFontTypeface::onGetTableData+0x52 [c:\b\build\slave\win\build\src\third_party\skia\src\ports\sktypeface_win_dw.cpp @ 203]
004cf690  68029aa0 chrome_child!SkOTUtils::LocalizedStrings_NameTable::CreateForFamilyNames+0x14 [c:\b\build\slave\win\build\src\third_party\skia\src\sfnt\skotutils.cpp @ 167]
004cf694  68029969 chrome_child!blink::typefacesMatchesFamily+0x10 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\fonts\win\fontcacheskiawin.cpp @ 233]
004cf698  68028be8 chrome_child!blink::FontCache::createFontPlatformData+0x60 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\fonts\win\fontcacheskiawin.cpp @ 344]
004cf69c  6802825b chrome_child!blink::FontCache::getFontPlatformData+0x90 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\fonts\fontcache.cpp @ 104]
004cf6a0  68042283 chrome_child!blink::FontFallbackList::compositeKey+0xb5 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\fonts\fontfallbacklist.cpp @ 195]
004cf6a4  68042145 chrome_child!blink::FontFallbackList::shapeCache+0x27 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\fonts\fontfallbacklist.h @ 86]
004cf6a8  68042102 chrome_child!blink::Font::floatWidthForComplexText+0x10 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\fonts\font.cpp @ 730]
004cf6ac  68041ffb chrome_child!blink::Font::width+0x38 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\fonts\font.cpp @ 237]
004cf6b0  6805df30 chrome_child!blink::LayoutText::computePreferredLogicalWidths+0xad7 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layouttext.cpp @ 1020]
004cf6b4  6805cea8 chrome_child!blink::LayoutText::trimmedPrefWidths+0x97 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layouttext.cpp @ 760]
004cf6b8  6805c985 chrome_child!blink::LayoutBlockFlow::computeInlinePreferredLogicalWidths+0x54c [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutblockflowline.cpp @ 1417]
004cf6bc  6805c2f3 chrome_child!blink::LayoutBlock::computeIntrinsicLogicalWidths+0x3b [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutblock.cpp @ 1977]
004cf6c0  6805bf36 chrome_child!blink::LayoutBlock::computePreferredLogicalWidths+0x119 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutblock.cpp @ 2013]
004cf6c4  686f8582 chrome_child!blink::LayoutTableCell::computePreferredLogicalWidths+0x2a [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layouttablecell.cpp @ 147]
004cf6c8  6873834d chrome_child!blink::TableLayoutAlgorithmAuto::recalcColumn+0x15e [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\tablelayoutalgorithmauto.cpp @ 67]
004cf6cc  68738b8c chrome_child!blink::TableLayoutAlgorithmAuto::fullRecalc+0x44a [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\tablelayoutalgorithmauto.cpp @ 177]
004cf6d0  68738d28 chrome_child!blink::TableLayoutAlgorithmAuto::computeIntrinsicLogicalWidths+0x36 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\tablelayoutalgorithmauto.cpp @ 216]
004cf6d4  687146ba chrome_child!blink::LayoutTable::computePreferredLogicalWidths+0x45 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layouttable.cpp @ 701]
004cf6d8  68711dd7 chrome_child!blink::LayoutTable::updateLogicalWidth+0x303 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layouttable.cpp @ 295]

Comment 2 by wfh@chromium.org, Mar 7 2016

Cc: ananta@chromium.org

Comment 3 by wfh@chromium.org, Mar 7 2016

FontFileStream is never being destructed? I'm not sure I fully understand the lifetime of these classes, as they seem to go in/out of COM.

Cc: scottmg@chromium.org
Cc: kulshin@chromium.org
Components: Internals>PlatformIntegration

I'm not sure if this is going away soon? Will and I looked at it a bit, it seems like maybe what's needed is a teardown of g_font_loader, but I'm not sure how easy that is.

Skia also holds on to bits of font code, so we need to be careful with lifetime management when tearing down font state. I am planning on removing this particular piece of code "soon".

Comment 7 by wfh@chromium.org, Mar 10 2016

Cc: wfh@chromium.org
Owner: ----
Status: Available (was: Assigned)

Comment 8 by ClusterFuzz, Apr 14 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4781334154706944

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffc78fd7e50
Crash State:
  blink::TableLayoutAlgorithmAuto::fullRecalc
  blink::TableLayoutAlgorithmAuto::computeIntrinsicLogicalWidths
  blink::LayoutTable::computePreferredLogicalWidths
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95loXQxz348x4U5XTGdJnalJ51XSIg0j4UGcNSEOc4YwZfEg231IkIB1nFaXJ-s6GzDd9CYlCQ7kuQFNK7BOqf5IV-4t6NKLBMBfreacBKJ9XejEBOEb0Gm40oQf2I7tvY87rEEc7IJgWtN0fIeG-WDnEvsw38W4eE-xsljG3Vv9yfwI9A


Filer: tkonchada

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

g_font_file_loader was removed when I removed the font cache code. Worth checking if this is still a problem. wfh@ - how did you get the stack in #1?

Comment 10 by ClusterFuzz, Jul 6 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4781334154706944

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffcda96bfc8
Crash State:
  blink::Node::reattach
  blink::Text::recalcTextStyle
  blink::ContainerNode::recalcChildStyle
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=269715:269724

Minimized Testcase (3.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95TW3qJaS2GuPUE_B1Rc30HqdlWMJ4xsQqGs6ur3NdkI3BVC5VCPO9UTIGvC1VB9BDAfZGXyyJnv8xup8I9FwfcPWTFmhJO-CcC4o_yzKmGEQSsed0CXMgLYX_F3eykQe-HRZNVrUZQHNdr8eCRyh2qc1h8dw?testcase_id=4781334154706944

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by sheriffbot@chromium.org, Jul 6 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Owner: wfh@chromium.org
Status: Assigned (was: Untriaged)
Hey Will, just assigning this to you for now.  Should this ticket remain open?  What's the state of handle verifying / failures?

If we want to leave it open, we should have it perma-assigned to someone.  ("Available" tickets are lost in a black hole.)

Components: -Internals
