handle verifier "CloseHandle called on tracked handle" on shutdown
Issue description

This bug is to track any times that handle verifier catches tracked handles being closed on process shutdown. This appears to only happen on Windows 7 because it seems to do more stuff on shutdown. The stacks will look largely like this, in particular they will contain the stack frame "_ProcessDetach" and also "OnHandleBeingClosed". e.g.

Thread 0 CRASHED [EXCEPTION_ACCESS_VIOLATION_EXEC @ 0xe9e8e7e6 ] MAGIC SIGNATURE THREAD 0xe9e8e7e6
0x00f41fd8 (chrome.exe -logging.cc:492 ) logging::LogMessage::LogMessage(char const *,int,int)
0x00f50090 (chrome.exe -scoped_handle.cc:212 ) `anonymous namespace'::ActiveVerifier::OnHandleBeingClosed(void *)
0x0feb3aad (chrome_child.dll -close_handle_hook_win.cc:41 ) `anonymous namespace'::CloseHandleHook(void *)
0x76954b8e (SHLWAPI.dll + 0x00014b8e ) _ProcessDetach
0x76954b4f (SHLWAPI.dll + 0x00014b4f ) EtwUnregisterTraceGuids
0x76959c33 (SHLWAPI.dll + 0x00019c33 ) _DllMainCRTStartup
0x774b8d33 (ntdll.dll + 0x00058d33 ) LdrpCallInitRoutine
0x774be459 (ntdll.dll + 0x0005e459 ) RtlNumberGenericTableElements
0x774be4f4 (ntdll.dll + 0x0005e4f4 ) RtlExitUserProcess
0x76c2bdce (kernel32.dll + 0x0005bdce ) ExitProcessStub
0x00f987aa (chrome.exe -crt0dat.c:774 ) __crtExitProcess

A search query for this is:

WHERE product.name='Chrome' OMIT RECORD IF SUM(CrashedStackTrace.StackFrame.FunctionName CONTAINS 'ActiveVerifier') = 0 OR SUM(CrashedStackTrace.StackFrame.FunctionName='_ProcessDetach') = 0

or a crash link is: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20product.version%3E%3D%2751.0.2667.0%27%20%20OMIT%20RECORD%20IF%20SUM(CrashedStackTrace.StackFrame.FunctionName%20CONTAINS%20%27ActiveVerifier%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27_ProcessDetach%27)%20%3D%200&ignore_case=false#samplereports
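The stack above shows the shape of the check: a CloseHandle hook asks the active verifier whether the handle is still registered to a live owner before the real close happens, and a close that arrives from anywhere other than the owner (here, SHLWAPI's _ProcessDetach during ExitProcess) is reported. The following is an added example that models that discipline; it is not Chromium's ActiveVerifier or ScopedHandle code. HANDLE is a plain void* and the "kernel" handle table is a constructed std::set so the code builds and runs without <windows.h>; the names HandleVerifier, ScopedHandleLike and CloseHandleHook, and the three scenario functions, are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <mutex>
#include <set>
#include <sstream>
#include <string>
#include <vector>

typedef void* HANDLE;  // stand-in for the Win32 type; no <windows.h> needed

// Constructed stand-in for the kernel handle table so the example runs offline.
static std::set<HANDLE> g_open_handles;
static HANDLE RawCreateHandle() {
  static std::uintptr_t next = 0x100;
  HANDLE h = reinterpret_cast<HANDLE>(next);
  next += 4;
  g_open_handles.insert(h);
  return h;
}
static bool RawCloseHandle(HANDLE h) { return g_open_handles.erase(h) == 1; }

static std::string HandleName(HANDLE h) {
  std::ostringstream os;
  os << "0x" << std::hex << reinterpret_cast<std::uintptr_t>(h);
  return os.str();
}

// Tracks which handles are owned by which RAII wrapper. Any close of a tracked
// handle that does not come through its owner's release is a violation: in
// real code that means a double close or closing a handle someone else owns,
// which is how a later CreateFile/OpenProcess can silently reuse the value.
class HandleVerifier {
 public:
  void StartTracking(HANDLE h, const void* owner) {
    std::lock_guard<std::mutex> lock(mu_);
    if (!tracked_.emplace(h, owner).second)
      violations_.push_back("handle already tracked: " + HandleName(h));
  }
  void StopTracking(HANDLE h, const void* owner) {
    std::lock_guard<std::mutex> lock(mu_);
    auto it = tracked_.find(h);
    if (it == tracked_.end())
      violations_.push_back("release of untracked handle: " + HandleName(h));
    else if (it->second != owner)
      violations_.push_back("release by wrong owner: " + HandleName(h));
    else
      tracked_.erase(it);
  }
  // Called from the CloseHandle hook. Returns true when the close is reported.
  bool OnHandleBeingClosed(HANDLE h) {
    std::lock_guard<std::mutex> lock(mu_);
    if (tracked_.count(h) == 0) return false;
    violations_.push_back("CloseHandle called on tracked handle: " + HandleName(h));
    return true;
  }
  std::vector<std::string> violations() const {
    std::lock_guard<std::mutex> lock(mu_);
    return violations_;
  }
 private:
  mutable std::mutex mu_;
  std::map<HANDLE, const void*> tracked_;
  std::vector<std::string> violations_;
};

// The hooked CloseHandle: consult the verifier first, then really close.
bool CloseHandleHook(HandleVerifier& v, HANDLE h) {
  v.OnHandleBeingClosed(h);
  return RawCloseHandle(h);
}

// RAII owner: register on construction, unregister *before* closing so the
// owner's own close passes through the hook without a report.
class ScopedHandleLike {
 public:
  ScopedHandleLike(HandleVerifier& v, HANDLE h) : v_(v), h_(h) { v_.StartTracking(h_, this); }
  ScopedHandleLike(const ScopedHandleLike&) = delete;
  ScopedHandleLike& operator=(const ScopedHandleLike&) = delete;
  ~ScopedHandleLike() { Close(); }
  void Close() {
    if (!h_) return;
    v_.StopTracking(h_, this);
    CloseHandleHook(v_, h_);
    h_ = nullptr;
  }
  HANDLE get() const { return h_; }
 private:
  HandleVerifier& v_;
  HANDLE h_;
};

// Correct discipline: the owner releases and closes; nothing is reported.
std::vector<std::string> ScenarioOwnerCloses() {
  HandleVerifier verifier;
  { ScopedHandleLike owner(verifier, RawCreateHandle()); }
  return verifier.violations();
}

// The issue's pattern: a raw CloseHandle (e.g. from a DLL's process-detach
// path) closes a handle that a still-live ScopedHandle owns.
std::vector<std::string> ScenarioForeignClose() {
  HandleVerifier verifier;
  std::vector<std::string> result;
  {
    ScopedHandleLike owner(verifier, RawCreateHandle());
    CloseHandleHook(verifier, owner.get());  // not via the owner: reported
    result = verifier.violations();
  }
  return result;
}

// Two owners wrapping the same raw handle: the classic double-close setup,
// caught at registration rather than at the second close.
std::vector<std::string> ScenarioDoubleWrap() {
  HandleVerifier verifier;
  HANDLE h = RawCreateHandle();
  ScopedHandleLike first(verifier, h);
  ScopedHandleLike second(verifier, h);
  return verifier.violations();
}

int main() {
  for (const std::string& v : ScenarioForeignClose()) std::printf("%s\n", v.c_str());
  for (const std::string& v : ScenarioDoubleWrap()) std::printf("%s\n", v.c_str());
  return 0;
}
```

The order inside ScopedHandleLike::Close matters: unregistering before the close is what lets the hook distinguish the owner's close from a foreign one. In the shutdown case from the issue, the foreign close comes from a DllMain detach routine that runs before the static owners have been destructed, so the report is accurate even though no handle is actually being reused yet.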
Mar 7 2016

Mar 7 2016
FontFileStream is never being destructed? I'm not sure I fully understand the lifetime of these classes, as they seem to go in/out of COM.
Mar 7 2016

Mar 7 2016
I'm not sure if this is going away soon? Will and I looked at it a bit, it seems like maybe what's needed is a teardown of g_font_loader, but I'm not sure how easy that is.
Mar 7 2016
Skia also holds on to bits of font code, so we need to be careful with lifetime management when tearing down font state. I am planning on removing this particular piece of code "soon".
Mar 10 2016

Apr 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4781334154706944
Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffc78fd7e50
Crash State:
  blink::TableLayoutAlgorithmAuto::fullRecalc
  blink::TableLayoutAlgorithmAuto::computeIntrinsicLogicalWidths
  blink::LayoutTable::computePreferredLogicalWidths
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95loXQxz348x4U5XTGdJnalJ51XSIg0j4UGcNSEOc4YwZfEg231IkIB1nFaXJ-s6GzDd9CYlCQ7kuQFNK7BOqf5IV-4t6NKLBMBfreacBKJ9XejEBOEb0Gm40oQf2I7tvY87rEEc7IJgWtN0fIeG-WDnEvsw38W4eE-xsljG3Vv9yfwI9A
Filer: tkonchada
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 9 2016
g_font_file_loader was removed when I removed the font cache code. Worth checking if this is still a problem. wfh@ - how did you get the stack in #1?
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4781334154706944
Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffcda96bfc8
Crash State:
  blink::Node::reattach
  blink::Text::recalcTextStyle
  blink::ContainerNode::recalcChildStyle
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=269715:269724
Minimized Testcase (3.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95TW3qJaS2GuPUE_B1Rc30HqdlWMJ4xsQqGs6ur3NdkI3BVC5VCPO9UTIGvC1VB9BDAfZGXyyJnv8xup8I9FwfcPWTFmhJO-CcC4o_yzKmGEQSsed0CXMgLYX_F3eykQe-HRZNVrUZQHNdr8eCRyh2qc1h8dw?testcase_id=4781334154706944
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 6 2017
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 17 2017
Hey Will, just assigning this to you for now. Should this ticket remain open? What's the state of handle verifying / failures?
If we want to leave it open, we should have it perma-assigned to someone. ("Available" tickets are lost in a black hole.)
Aug 23
Comment 1 by wfh@chromium.org, Mar 7 2016