Chrome_ASAN: Crash Report - views::MenuController::OnGestureEvent |
Issue descriptionThis crash : go/crash/76235fe800000000, has been found by the last SyzyASAN Canary (51.0.2686.1) Bad access information: Error Type: heap-use-after-free Location: 0x19df0012 Access Mode: write Access Size: 1 User Size : 416 Magic Stack: ============= Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x6a4b7ffd ] MAGIC SIGNATURE THREAD 0x6a4b7ffd (chrome.dll -menu_controller.cc:783 ) views::MenuController::OnGestureEvent(views::SubmenuView *,ui::GestureEvent *) 0x73559ee7 (syzyasan_rtl.dll -block_heap_manager.cc:330 ) agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *) 0x6a4c8b37 (chrome.dll -menu_host_root_view.cc:83 ) views::MenuHostRootView::OnEventProcessingFinished(ui::Event *) 0x6a85d7b2 (chrome.dll -event_processor.cc:53 ) ui::EventProcessor::OnEventFromSource(ui::Event *) 0x6a85cb26 (chrome.dll -event_source.cc:73 ) ui::EventSource::DeliverEventToProcessor(ui::Event *) 0x6a85cc0a (chrome.dll -event_source.cc:51 ) ui::EventSource::SendEventToProcessor(ui::Event *) 0x6a48a39c (chrome.dll -widget.cc:1271 ) views::Widget::OnGestureEvent(ui::GestureEvent *) 0x6a85c440 (chrome.dll -event_handler.cc:35 ) ui::EventHandler::OnEvent(ui::Event *) 0x6a85cf6c (chrome.dll -event_dispatcher.cc:191 ) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *) 0x6a85d4e2 (chrome.dll -event_dispatcher.cc:139 ) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *) 0x6a85d2be (chrome.dll -event_dispatcher.cc:86 ) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *) 0x6a85d057 (chrome.dll -event_dispatcher.cc:58 ) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *) 0x6a9e7a71 (chrome.dll -window_event_dispatcher.cc:308 ) aura::WindowEventDispatcher::ProcessGestures(aura::Window *,ScopedVector<ui::GestureEvent> *) 0x6a9e6ea6 (chrome.dll -window_event_dispatcher.cc:514 ) aura::WindowEventDispatcher::PostDispatchEvent(ui::EventTarget *,ui::Event const &) 0x6a85d0bb (chrome.dll 
-event_dispatcher.cc:62 ) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *) 0x6a85d6eb (chrome.dll -event_processor.cc:35 ) ui::EventProcessor::OnEventFromSource(ui::Event *) 0x6a85cb26 (chrome.dll -event_source.cc:73 ) ui::EventSource::DeliverEventToProcessor(ui::Event *) 0x6a85cc0a (chrome.dll -event_source.cc:51 ) ui::EventSource::SendEventToProcessor(ui::Event *) 0x6a4a08e8 (chrome.dll -desktop_window_tree_host_win.cc:850 ) views::DesktopWindowTreeHostWin::HandleTouchEvent(ui::TouchEvent const &) 0x6f0a783f (ninput.dll + 0x0000783f ) COutputCoalescingFilter::Input(void *,INTERACTION_OUTPUT const *) 0x6a4af4dc (chrome.dll -hwnd_message_handler.cc:2308 ) views::HWNDMessageHandler::HandleTouchEvents(std::vector<ui::TouchEvent,std::allocator<ui::TouchEvent> > const &) 0x6b0699ca (chrome.dll -bind_internal.h:314 ) base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( password_manager::AffiliationBackend::*)(password_manager::FacetURI const &)> >::MakeItSo<base::WeakPtr<password_manager::AffiliationBackend>,password_manager::FacetURI const &>(base::internal::RunnableAdapter<void ( password_manager::AffiliationBackend::*)(password_manager::FacetURI const &)>,base::WeakPtr<password_manager::AffiliationBackend>,password_manager::FacetURI const &) 0x6baf52d7 (chrome.dll -bind_internal.h:352 ) base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ( syncer_v2::ModelTypeWorker::*)(std::vector<syncer_v2::CommitRequestData,std::allocator<syncer_v2::CommitRequestData> > const &)>,void ,base::WeakPtr<syncer_v2::ModelTypeWorker> &,std::vector<syncer_v2::CommitRequestData,std::allocator<syncer_v2::CommitRequestData> > const &>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( syncer_v2::ModelTypeWorker::*)(std::vector<syncer_v2::CommitRequestData,std::allocator<syncer_v2::CommitRequestData> > const &)> >,void >::Run(base::internal::BindStateBase *) 
0x69749ffb (chrome.dll -task_annotator.cc:51 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &) 0x696cf8bc (chrome.dll -message_loop.cc:476 ) base::MessageLoop::RunTask(base::PendingTask const &) 0x696d09f6 (chrome.dll -message_loop.cc:597 ) base::MessageLoop::DoWork() 0x6974a641 (chrome.dll -message_pump_win.cc:168 ) base::MessagePumpForUI::DoRunLoop() 0x6974a192 (chrome.dll -message_pump_win.cc:50 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *) 0x6972adcd (chrome.dll -run_loop.cc:35 ) base::RunLoop::Run() 0x6a357e1c (chrome.dll -chrome_browser_main.cc:1842 ) ChromeBrowserMainParts::MainMessageLoopRun(int *) 0x6ac04ffd (chrome.dll -browser_main_loop.cc:961 ) content::BrowserMainLoop::RunMainMessageLoopParts() 0x6ac0146c (chrome.dll -browser_main_runner.cc:152 ) content::BrowserMainRunnerImpl::Run() 0x6ababc52 (chrome.dll -browser_main.cc:44 ) content::BrowserMain(content::MainFunctionParams const &) 0x6a470e94 (chrome.dll -content_main_runner.cc:399 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *) 0x6a470de8 (chrome.dll -content_main_runner.cc:772 ) content::ContentMainRunnerImpl::Run() 0x6a46dfda (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &) 0x6a306bbf (chrome.dll -chrome_main.cc:84 ) ChromeMain 0x0135f922 (chrome.exe -main_dll_loader_win.cc:183 ) MainDllLoader::Launch(HINSTANCE__ *) 0x0135ebfa (chrome.exe -chrome_exe_main_win.cc:230 ) wWinMain 0x013912bf (chrome.exe -exe_common.inl:264 ) __scrt_common_main_seh 0x771e38f3 (kernel32.dll + 0x000138f3 ) BaseThreadInitThunk 0x77ed5de2 (ntdll.dll + 0x00065de2 ) __RtlUserThreadStart 0x77ed5dad (ntdll.dll + 0x00065dad ) _RtlUserThreadStart ASAN Free Stack trace: ======================= 0x73559dba (syzyasan_rtl.dll -block_heap_manager.cc:294 ) agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void 
*) 0x7355d08d (syzyasan_rtl.dll -rtl_impl.cc:123 ) asan_HeapFree 0x6b4cc31f (chrome.dll -free_base.cpp:107 ) _free_base 0x6a4b5262 (chrome.dll + 0x00e45262 ) views::MenuController::`scalar deleting destructor'(unsigned int) 0x6a4a249a (chrome.dll -menu_runner_impl.cc:184 ) views::internal::MenuRunnerImpl::MenuDone(views::internal::MenuControllerDelegate::NotifyType,views::MenuItemView *,int) 0x6a4b6781 (chrome.dll -menu_controller.cc:2511 ) views::MenuController::ExitAsyncRun() 0x6a4b7ff0 (chrome.dll -menu_controller.cc:783 ) views::MenuController::OnGestureEvent(views::SubmenuView *,ui::GestureEvent *) 0x6a4c8b38 (chrome.dll -menu_host_root_view.cc:83 ) views::MenuHostRootView::OnEventProcessingFinished(ui::Event *) 0x6a85d7b3 (chrome.dll -event_processor.cc:54 ) ui::EventProcessor::OnEventFromSource(ui::Event *) 0x6a85cb27 (chrome.dll -event_source.cc:73 ) ui::EventSource::DeliverEventToProcessor(ui::Event *) 0x6a85cc0b (chrome.dll -event_source.cc:52 ) ui::EventSource::SendEventToProcessor(ui::Event *) 0x6a48a39d (chrome.dll -widget.cc:1272 ) views::Widget::OnGestureEvent(ui::GestureEvent *) 0x6a85c441 (chrome.dll -event_handler.cc:35 ) ui::EventHandler::OnEvent(ui::Event *) 0x6a85cf6d (chrome.dll -event_dispatcher.cc:192 ) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *) 0x6a85d4e3 (chrome.dll -event_dispatcher.cc:140 ) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *) 0x6a85d2bf (chrome.dll -event_dispatcher.cc:87 ) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *) 0x6a85d058 (chrome.dll -event_dispatcher.cc:58 ) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *) 0x6a9e7a72 (chrome.dll -window_event_dispatcher.cc:308 ) aura::WindowEventDispatcher::ProcessGestures(aura::Window *,ScopedVector<ui::GestureEvent> *) 0x6a9e6ea7 (chrome.dll -window_event_dispatcher.cc:514 ) aura::WindowEventDispatcher::PostDispatchEvent(ui::EventTarget *,ui::Event const &) 0x6a85d0bc (chrome.dll 
-event_dispatcher.cc:62 ) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *) 0x6a85d6ec (chrome.dll -event_processor.cc:37 ) ui::EventProcessor::OnEventFromSource(ui::Event *) 0x6a85cb27 (chrome.dll -event_source.cc:73 ) ui::EventSource::DeliverEventToProcessor(ui::Event *) 0x6a85cc0b (chrome.dll -event_source.cc:52 ) ui::EventSource::SendEventToProcessor(ui::Event *) 0x6a4a08e9 (chrome.dll -desktop_window_tree_host_win.cc:851 ) views::DesktopWindowTreeHostWin::HandleTouchEvent(ui::TouchEvent const &) 0x6a4af4dd (chrome.dll -hwnd_message_handler.cc:2307 ) views::HWNDMessageHandler::HandleTouchEvents(std::vector<ui::TouchEvent,std::allocator<ui::TouchEvent> > const &) 0x6b0699cb (chrome.dll -bind_internal.h:314 ) base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( password_manager::AffiliationBackend::*)(password_manager::FacetURI const &)> >::MakeItSo<base::WeakPtr<password_manager::AffiliationBackend>,password_manager::FacetURI const &>(base::internal::RunnableAdapter<void ( password_manager::AffiliationBackend::*)(password_manager::FacetURI const &)>,base::WeakPtr<password_manager::AffiliationBackend>,password_manager::FacetURI const &) 0x6baf52d8 (chrome.dll -bind_internal.h:352 ) base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ( syncer_v2::ModelTypeWorker::*)(std::vector<syncer_v2::CommitRequestData,std::allocator<syncer_v2::CommitRequestData> > const &)>,void ,base::WeakPtr<syncer_v2::ModelTypeWorker> &,std::vector<syncer_v2::CommitRequestData,std::allocator<syncer_v2::CommitRequestData> > const &>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( syncer_v2::ModelTypeWorker::*)(std::vector<syncer_v2::CommitRequestData,std::allocator<syncer_v2::CommitRequestData> > const &)> >,void >::Run(base::internal::BindStateBase *) 0x69749ffc (chrome.dll -task_annotator.cc:51 ) base::debug::TaskAnnotator::RunTask(char const 
*,base::PendingTask const &) 0x696cf8bd (chrome.dll -message_loop.cc:477 ) base::MessageLoop::RunTask(base::PendingTask const &) 0x696d09f7 (chrome.dll -message_loop.cc:598 ) base::MessageLoop::DoWork() 0x6974a642 (chrome.dll -message_pump_win.cc:169 ) base::MessagePumpForUI::DoRunLoop() 0x6974a193 (chrome.dll -message_pump_win.cc:52 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *) 0x6972adce (chrome.dll -run_loop.cc:36 ) base::RunLoop::Run() 0x6a357e1d (chrome.dll -chrome_browser_main.cc:1844 ) ChromeBrowserMainParts::MainMessageLoopRun(int *) 0x6ac04ffe (chrome.dll -browser_main_loop.cc:963 ) content::BrowserMainLoop::RunMainMessageLoopParts() 0x6ababc53 (chrome.dll -browser_main.cc:44 ) content::BrowserMain(content::MainFunctionParams const &) 0x6a470e95 (chrome.dll -content_main_runner.cc:399 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *) 0x6a470de9 (chrome.dll -content_main_runner.cc:772 ) content::ContentMainRunnerImpl::Run() 0x6a46dfdb (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &) 0x6a306bc0 (chrome.dll -chrome_main.cc:87 ) ChromeMain 0x0135f923 (chrome.exe -main_dll_loader_win.cc:184 ) MainDllLoader::Launch(HINSTANCE__ *) 0x0135ebfb (chrome.exe -chrome_exe_main_win.cc:231 ) wWinMain 0x013912c0 (chrome.exe -exe_common.inl:264 ) __scrt_common_main_seh 0x771e38f4 (kernel32.dll + 0x000138f4 ) BaseThreadInitThunk 0x77ed5de3 (ntdll.dll + 0x00065de3 ) __RtlUserThreadStart 0x77ed5dae (ntdll.dll + 0x00065dae ) _RtlUserThreadStart ASAN Allocation Stack Trace: ============================= 0x73559abe (syzyasan_rtl.dll -block_heap_manager.cc:190 ) agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int) 0x7355cfe3 (syzyasan_rtl.dll -rtl_impl.cc:102 ) asan_HeapAlloc 0x6b4cc37f (chrome.dll -malloc_base.cpp:29 ) _malloc_base 0x6b49ee48 (chrome.dll 
-new_scalar.cpp:19 ) operator new(unsigned int) 0x6a4a27d1 (chrome.dll -menu_runner_impl.cc:115 ) views::internal::MenuRunnerImpl::RunMenuAt(views::Widget *,views::MenuButton *,gfx::Rect const &,views::MenuAnchorPosition,int) 0x6a4916c0 (chrome.dll -menu_runner.cc:59 ) views::MenuRunner::RunMenuAt(views::Widget *,views::MenuButton *,gfx::Rect const &,views::MenuAnchorPosition,ui::MenuSourceType) 0x6beccc37 (chrome.dll -toolbar_action_view.cc:314 ) ToolbarActionView::DoShowContextMenu(ui::MenuSourceType) 0x6becd1f7 (chrome.dll -toolbar_action_view.cc:277 ) ToolbarActionView::ShowContextMenuForView(views::View *,gfx::Point const &,ui::MenuSourceType) 0x6beccf40 (chrome.dll -toolbar_action_view.cc:172 ) ToolbarActionView::OnMenuButtonClicked(views::MenuButton *,gfx::Point const &,ui::Event const *) 0x6a4a55a2 (chrome.dll -menu_button.cc:141 ) views::MenuButton::Activate(ui::Event const *) 0x6a4a5b63 (chrome.dll -menu_button.cc:252 ) views::MenuButton::OnGestureEvent(ui::GestureEvent *) 0x6a85c441 (chrome.dll -event_handler.cc:35 ) ui::EventHandler::OnEvent(ui::Event *) 0x6be23d9b (chrome.dll -scoped_target_handler.cc:34 ) ui::ScopedTargetHandler::OnEvent(ui::Event *) 0x6a85cf6d (chrome.dll -event_dispatcher.cc:192 ) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *) 0x6a85d4e3 (chrome.dll -event_dispatcher.cc:140 ) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *) 0x6a85d2bf (chrome.dll -event_dispatcher.cc:87 ) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *) 0x6a85d058 (chrome.dll -event_dispatcher.cc:58 ) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *) 0x6a85d6ec (chrome.dll -event_processor.cc:37 ) ui::EventProcessor::OnEventFromSource(ui::Event *) 0x6a85cb27 (chrome.dll -event_source.cc:73 ) ui::EventSource::DeliverEventToProcessor(ui::Event *) 0x6a85cc0b (chrome.dll -event_source.cc:52 ) ui::EventSource::SendEventToProcessor(ui::Event *) 0x6a48a39d (chrome.dll 
-widget.cc:1272 ) views::Widget::OnGestureEvent(ui::GestureEvent *) 0x6a85c441 (chrome.dll -event_handler.cc:35 ) ui::EventHandler::OnEvent(ui::Event *) 0x6a85cf6d (chrome.dll -event_dispatcher.cc:192 ) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *) 0x6a85d4e3 (chrome.dll -event_dispatcher.cc:140 ) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *) 0x6a85d2bf (chrome.dll -event_dispatcher.cc:87 ) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *) 0x6a85d058 (chrome.dll -event_dispatcher.cc:58 ) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *) 0x6a9e7a72 (chrome.dll -window_event_dispatcher.cc:308 ) aura::WindowEventDispatcher::ProcessGestures(aura::Window *,ScopedVector<ui::GestureEvent> *) 0x6a9e6ea7 (chrome.dll -window_event_dispatcher.cc:514 ) aura::WindowEventDispatcher::PostDispatchEvent(ui::EventTarget *,ui::Event const &) 0x6a85d0bc (chrome.dll -event_dispatcher.cc:62 ) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *) 0x6a85d6ec (chrome.dll -event_processor.cc:37 ) ui::EventProcessor::OnEventFromSource(ui::Event *) 0x6a85cb27 (chrome.dll -event_source.cc:73 ) ui::EventSource::DeliverEventToProcessor(ui::Event *) 0x6a85cc0b (chrome.dll -event_source.cc:52 ) ui::EventSource::SendEventToProcessor(ui::Event *) 0x6a4a08e9 (chrome.dll -desktop_window_tree_host_win.cc:851 ) views::DesktopWindowTreeHostWin::HandleTouchEvent(ui::TouchEvent const &) 0x6a4af4dd (chrome.dll -hwnd_message_handler.cc:2307 ) views::HWNDMessageHandler::HandleTouchEvents(std::vector<ui::TouchEvent,std::allocator<ui::TouchEvent> > const &) 0x6b0699cb (chrome.dll -bind_internal.h:314 ) base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( password_manager::AffiliationBackend::*)(password_manager::FacetURI const &)> >::MakeItSo<base::WeakPtr<password_manager::AffiliationBackend>,password_manager::FacetURI const &>(base::internal::RunnableAdapter<void ( 
password_manager::AffiliationBackend::*)(password_manager::FacetURI const &)>,base::WeakPtr<password_manager::AffiliationBackend>,password_manager::FacetURI const &) 0x6baf52d8 (chrome.dll -bind_internal.h:352 ) base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ( syncer_v2::ModelTypeWorker::*)(std::vector<syncer_v2::CommitRequestData,std::allocator<syncer_v2::CommitRequestData> > const &)>,void ,base::WeakPtr<syncer_v2::ModelTypeWorker> &,std::vector<syncer_v2::CommitRequestData,std::allocator<syncer_v2::CommitRequestData> > const &>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( syncer_v2::ModelTypeWorker::*)(std::vector<syncer_v2::CommitRequestData,std::allocator<syncer_v2::CommitRequestData> > const &)> >,void >::Run(base::internal::BindStateBase *) 0x69749ffc (chrome.dll -task_annotator.cc:51 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &) 0x696cf8bd (chrome.dll -message_loop.cc:477 ) base::MessageLoop::RunTask(base::PendingTask const &) 0x696d09f7 (chrome.dll -message_loop.cc:598 ) base::MessageLoop::DoWork() 0x6974a642 (chrome.dll -message_pump_win.cc:169 ) base::MessagePumpForUI::DoRunLoop() 0x6974a193 (chrome.dll -message_pump_win.cc:52 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *) 0x6972adce (chrome.dll -run_loop.cc:36 ) base::RunLoop::Run() 0x6a357e1d (chrome.dll -chrome_browser_main.cc:1844 ) ChromeBrowserMainParts::MainMessageLoopRun(int *) 0x6ac04ffe (chrome.dll -browser_main_loop.cc:963 ) content::BrowserMainLoop::RunMainMessageLoopParts() 0x6ababc53 (chrome.dll -browser_main.cc:44 ) content::BrowserMain(content::MainFunctionParams const &) 0x6a470e95 (chrome.dll -content_main_runner.cc:399 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *) 0x6a470de9 (chrome.dll -content_main_runner.cc:772 ) 
content::ContentMainRunnerImpl::Run() 0x6a46dfdb (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &) 0x6a306bc0 (chrome.dll -chrome_main.cc:87 ) ChromeMain 0x0135f923 (chrome.exe -main_dll_loader_win.cc:184 ) MainDllLoader::Launch(HINSTANCE__ *) 0x0135ebfb (chrome.exe -chrome_exe_main_win.cc:231 ) wWinMain 0x013912c0 (chrome.exe -exe_common.inl:264 ) __scrt_common_main_seh 0x771e38f4 (kernel32.dll + 0x000138f4 ) BaseThreadInitThunk 0x77ed5de3 (ntdll.dll + 0x00065de3 ) __RtlUserThreadStart 0x77ed5dae (ntdll.dll + 0x00065dae ) _RtlUserThreadStart This ASAN crash was introduced in the latest canary, 51.0.2686.1; only one instance so far. No non-ASAN builds are showing this crash. Here is the link where you can see the list of Chrome builds with this crash. https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20special_protos.asan_report.is_actionable%3D1%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27views%3A%3AMenuController%3A%3AOnGestureEvent%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D bruthig@, could you please look into this recent change (https://chromium.googlesource.com/chromium/src/+/db5c17d7fd792247f8e852881f16a4d5ab228afb%5E%21/ui/views/controls/menu/menu_controller.cc)? Please feel free to reassign if this is not related to your work. I found this suspect via Code Search, but I am also looping in https://chromium.googlesource.com/chromium/src/+/master/ui/views/OWNERS. Thank you!
Mar 22 2016
I would be very surprised if this was caused by https://chromium.googlesource.com/chromium/src/+/db5c17d7fd792247f8e852881f16a4d5ab228afb%5E%21/ui/views/controls/menu/menu_controller.cc. I know jonross@ has been doing some work with menus. jonross@, is there any chance some of your recent work on menus may be causing this?
Mar 22 2016
It's mine. I see the cause/know the fix.
Mar 23 2016
Mar 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0430b51ca87b2b8c0b7f076ee9834995f7cafaf7 commit 0430b51ca87b2b8c0b7f076ee9834995f7cafaf7 Author: jonross <jonross@chromium.org> Date: Wed Mar 23 16:33:42 2016 MenuController::OnGestureEvent can lead to menu closures. If a MenuDelegate were to delete the controller this can lead to a use_after_free error. This change fixes that error, by setting the item_selected_by_touch_ flag before accepting taps. Which also correctly sets it for ExitMenuRun of async menus. TEST=MenuControllerTest.AsynchronousGestureDeletesController BUG= 596688 Review URL: https://codereview.chromium.org/1824993003 Cr-Commit-Position: refs/heads/master@{#382862} [modify] https://crrev.com/0430b51ca87b2b8c0b7f076ee9834995f7cafaf7/ui/views/controls/menu/menu_controller.cc [modify] https://crrev.com/0430b51ca87b2b8c0b7f076ee9834995f7cafaf7/ui/views/controls/menu/menu_controller_unittest.cc
Mar 24 2016
Comment 1 by manoranj...@chromium.org
, Mar 21 2016