It is an access of a freed libevent event. Patch upcoming.

Can you please provide more details about why this is flagged Internals>Network, such as a backtrace or details about the use-after-free?

I'm afraid we'll need to close this unless more meaningful bug data is added.

I only opened this bug as a reference for the fix, I didn't intend for you to solve it which is why I didn't supply more information.

The use-after-free is the event "e" that the libevent FileDescriptionWatcher deletes. 

The issue is that when this event is no longer valid once the event-loop is exited, but the FileDescription watcher is deleted by the address tracker which is deleted by the network change notifier which is deleted right after the event loop is exited.

The way I fixed is to make the address tracker a owned pointer instead of owned data, so it can be deleted from the Cleanup() method instead of during destruction.

Unfortunately I don't have the backtrace with me, and it will be two weeks before I am back at the office. I will supply it when I can, if the textual description is not enough.

Here is the trace. Note it is not Chromium, but Chromium-based QtWebEngine.

==14994== Invalid read of size 8
==14994==    at 0xC61A0E4: event_del (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==14994==    by 0x69EDE52: base::MessagePumpLibevent::FileDescriptorWatcher::StopWatchingFileDescriptor() (message_pump_libevent.cc:73)
==14994==    by 0x69EDE8E: base::MessagePumpLibevent::FileDescriptorWatcher::~FileDescriptorWatcher() (message_pump_libevent.cc:63)
==14994==    by 0x5E16A6B: net::internal::AddressTrackerLinux::~AddressTrackerLinux() (address_tracker_linux.cc:144)
==14994==    by 0x5D714ED: net::NetworkChangeNotifierLinux::Thread::~Thread() (network_change_notifier_linux.cc:59)
==14994==    by 0x5D71518: net::NetworkChangeNotifierLinux::Thread::~Thread() (network_change_notifier_linux.cc:61)
==14994==    by 0x5D71205: operator() (scoped_ptr.h:128)
==14994==    by 0x5D71205: ~scoped_ptr_impl (scoped_ptr.h:222)
==14994==    by 0x5D71205: ~scoped_ptr (scoped_ptr.h:312)
==14994==    by 0x5D71205: net::NetworkChangeNotifierLinux::~NetworkChangeNotifierLinux() (network_change_notifier_linux.cc:99)
==14994==    by 0x5D71218: net::NetworkChangeNotifierLinux::~NetworkChangeNotifierLinux() (network_change_notifier_linux.cc:103)
==14994==    by 0x6078C09: operator() (scoped_ptr.h:128)
==14994==    by 0x6078C09: ~scoped_ptr_impl (scoped_ptr.h:222)
==14994==    by 0x6078C09: ~scoped_ptr (scoped_ptr.h:312)
==14994==    by 0x6078C09: content::BrowserMainLoop::~BrowserMainLoop() (browser_main_loop.cc:396)
==14994==    by 0x6078CB8: content::BrowserMainLoop::~BrowserMainLoop() (browser_main_loop.cc:402)
==14994==    by 0x5ED1FC2: operator() (scoped_ptr.h:128)
==14994==    by 0x5ED1FC2: reset (scoped_ptr.h:248)
==14994==    by 0x5ED1FC2: reset (scoped_ptr.h:377)
==14994==    by 0x5ED1FC2: Shutdown (browser_main_runner.cc:268)
==14994==    by 0x5ED1FC2: ~BrowserMainRunnerImpl (browser_main_runner.cc:128)
==14994==    by 0x5ED1FC2: content::BrowserMainRunnerImpl::~BrowserMainRunnerImpl() (browser_main_runner.cc:129)
==14994==    by 0x5440E9A: operator() (scoped_ptr.h:128)
==14994==    by 0x5440E9A: reset (scoped_ptr.h:248)
==14994==    by 0x5440E9A: reset (scoped_ptr.h:377)
==14994==    by 0x5440E9A: WebEngineContext::destroy() (web_engine_context.cpp:166)
==14994==  Address 0x18545e80 is 448 bytes inside a block of size 640 free'd
==14994==    at 0x4C2AE90: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14994==    by 0x69EDB00: base::MessagePumpLibevent::~MessagePumpLibevent() (message_pump_libevent.cc:136)
==14994==    by 0x69EDB38: base::MessagePumpLibevent::~MessagePumpLibevent() (message_pump_libevent.cc:137)
==14994==    by 0x6A11DA1: operator() (scoped_ptr.h:128)
==14994==    by 0x6A11DA1: ~scoped_ptr_impl (scoped_ptr.h:222)
==14994==    by 0x6A11DA1: ~scoped_ptr (scoped_ptr.h:312)
==14994==    by 0x6A11DA1: base::MessageLoop::~MessageLoop() (message_loop.cc:132)
==14994==    by 0x6A11FF8: base::MessageLoop::~MessageLoop() (message_loop.cc:178)
==14994==    by 0x6A3A3A3: operator() (scoped_ptr.h:128)
==14994==    by 0x6A3A3A3: ~scoped_ptr_impl (scoped_ptr.h:222)
==14994==    by 0x6A3A3A3: ~scoped_ptr (scoped_ptr.h:312)
==14994==    by 0x6A3A3A3: base::Thread::ThreadMain() (thread.cc:220)
==14994==    by 0x6A36BAC: base::(anonymous namespace)::ThreadFunc(void*) (platform_thread_posix.cc:76)
==14994==    by 0xB09A283: start_thread (pthread_create.c:333)
==14994==    by 0xBC3597C: clone (in /lib/x86_64-linux-gnu/libc-2.21.so)
==14994== 

Thank you for providing more feedback. Assigning to requester "rsleevi@chromium.org" for another review.

For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot

Thanks for clarifying. When filing a bug, even if you plan on writing the fix, it often helps to include the details about the bug, so that reviewers of the CL understand.

It sounds like this is not a bug in Chromium, based on your description, so I'm marking this WontFix. Unfortunately, your description doesn't make it clear where the root cause is, nor if you submitted a Chromium change, what that change was (I don't see anything in the //net/base change logs)

I wrote both what the cause is and what the fix is in comment #4.

See also https://codereview.chromium.org/1808543003/

I think this is at least a dangling pointer bug in Chromium:
net::NetworkChangeNotifierLinux::Thread::Stop() deletes the MessageLoop, but the FileDescriptorWatcher in the AddressTrackerLinux in net::NetworkChangeNotifierLinux::Thread still holds a pointer to the MessageLoop.
The reporter's proposed fix has a better description in the CL description.

Anyhow, I'd like to fix this before it causes any problems.  Dangling pointers are harbinger of mysterious crashes.  The reporter says on the CL that this shows up in valgrind with a newer version of libevent; I'd like to nip this in the bud before Chromium gets to the newer version.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/143cc3e1332fe8ff4c9cac86fe07187c2cad3f75

commit 143cc3e1332fe8ff4c9cac86fe07187c2cad3f75
Author: allan.jensen <allan.jensen@theqtcompany.com>
Date: Mon Mar 21 13:00:31 2016

Fix use-after-free on Linux at shutdown

The address tracker has a file-description watcher that references
a libevent event that is deleted when the message-loop is deleted.

Fixed by deleting the address-tracker before the message-loop.

BUG= 595316 
R=derekjchow@chromium.org

Review URL: https://codereview.chromium.org/1808543003

Cr-Commit-Position: refs/heads/master@{#382271}

[modify] https://crrev.com/143cc3e1332fe8ff4c9cac86fe07187c2cad3f75/net/base/network_change_notifier_linux.cc