
Issue 596693 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 3
Type: Bug-Regression




Chrome_ASAN: Crash Report - bookmarks::BookmarkModel::DoneLoading

Project Member Reported by manoranj...@chromium.org, Mar 21 2016

Issue description

This crash : go/crash/0fc8901800000000, has been found by the last SyzyASAN Canary (51.0.2686.1) 

Bad access information:

Error Type: heap-use-after-free
Location: 0x1f85c0bb
Access Mode: read
Access Size: 4
User Size : 8

Magic Stack:
=============
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x673e923b ] MAGIC SIGNATURE THREAD
0x673e923b	(chrome.dll -bookmark_model.cc:889 )	bookmarks::BookmarkModel::DoneLoading(std::unique_ptr<bookmarks::BookmarkLoadDetails,std::default_delete<bookmarks::BookmarkLoadDetails> >)
0x673f0b16	(chrome.dll -bookmark_storage.cc:217 )	bookmarks::BookmarkStorage::OnLoadFinished(std::unique_ptr<bookmarks::BookmarkLoadDetails,std::default_delete<bookmarks::BookmarkLoadDetails> >)
0x667bab08	(chrome.dll -bind_internal.h:314 )	base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( safe_browsing::IncidentReportingService::*)(std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> >)> >::MakeItSo<base::WeakPtr<safe_browsing::IncidentReportingService>,std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> > >(base::internal::RunnableAdapter<void ( safe_browsing::IncidentReportingService::*)(std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> >)>,base::WeakPtr<safe_browsing::IncidentReportingService>,std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> > &&)
0x673f0c4d	(chrome.dll -bind_internal.h:352 )	base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ( bookmarks::BookmarkStorage::*)(std::unique_ptr<bookmarks::BookmarkLoadDetails,std::default_delete<bookmarks::BookmarkLoadDetails> >)>,void ,base::WeakPtr<bookmarks::BookmarkStorage> const &,base::internal::PassedWrapper<std::unique_ptr<bookmarks::BookmarkLoadDetails,std::default_delete<bookmarks::BookmarkLoadDetails> > > >,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( bookmarks::BookmarkStorage::*)(std::unique_ptr<bookmarks::BookmarkLoadDetails,std::default_delete<bookmarks::BookmarkLoadDetails> >)> >,void >::Run(base::internal::BindStateBase *)
0x65b49ffb	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x65acf8bc	(chrome.dll -message_loop.cc:476 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x65ad09f6	(chrome.dll -message_loop.cc:597 )	base::MessageLoop::DoWork()
0x65b4a641	(chrome.dll -message_pump_win.cc:168 )	base::MessagePumpForUI::DoRunLoop()
0x65b4a192	(chrome.dll -message_pump_win.cc:50 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x65b2adcd	(chrome.dll -run_loop.cc:35 )	base::RunLoop::Run()
0x66757e1c	(chrome.dll -chrome_browser_main.cc:1842 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x67004ffd	(chrome.dll -browser_main_loop.cc:961 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x6700146c	(chrome.dll -browser_main_runner.cc:152 )	content::BrowserMainRunnerImpl::Run()
0x66fabc52	(chrome.dll -browser_main.cc:44 )	content::BrowserMain(content::MainFunctionParams const &)
0x66870e94	(chrome.dll -content_main_runner.cc:399 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x66870de8	(chrome.dll -content_main_runner.cc:772 )	content::ContentMainRunnerImpl::Run()
0x6686dfda	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x66706bbf	(chrome.dll -chrome_main.cc:84 )	ChromeMain
0x0015f922	(chrome.exe -main_dll_loader_win.cc:183 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0015ebfa	(chrome.exe -chrome_exe_main_win.cc:230 )	wWinMain
0x001912bf	(chrome.exe -exe_common.inl:264 )	__scrt_common_main_seh
0x77233389	(kernel32.dll + 0x00013389 )	BaseThreadInitThunk
0x77e09a01	(ntdll.dll + 0x00039a01 )	__RtlUserThreadStart
0x77e099d4	(ntdll.dll + 0x000399d4 )	_RtlUserThreadStart

ASAN Free Stack trace:
=======================
0x6eca9dba	(syzyasan_rtl.dll -block_heap_manager.cc:294 )	agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x6ecad08d	(syzyasan_rtl.dll -rtl_impl.cc:123 )	asan_HeapFree
0x678cc31f	(chrome.dll -free_base.cpp:107 )	_free_base
0x67a00ed8	(chrome.dll + 0x01f90ed8 )	ProfileStatisticsAggregator::BookmarkModelHelper::`scalar deleting destructor'(unsigned int)
0x67a0170f	(chrome.dll -profile_statistics_aggregator.cc:203 )	ProfileStatisticsAggregator::WaitOrCountBookmarks()
0x65b1b249	(chrome.dll -bind_internal.h:352 )	base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (*)(base::TaskRunner *,base::Callback<void ,1> const &)>,void ,scoped_refptr<base::SingleThreadTaskRunner>,base::Callback<void ,1> &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (*)(base::TaskRunner *,base::Callback<void ,1> const &)> >,void >::Run(base::internal::BindStateBase *)
0x65b6244a	(chrome.dll -post_task_and_reply_impl.cc:43 )	base::`anonymous namespace'::PostTaskAndReplyRelay::Run
0x65b49ffc	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x65acf8bd	(chrome.dll -message_loop.cc:477 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x65ad09f7	(chrome.dll -message_loop.cc:598 )	base::MessageLoop::DoWork()
0x65b4a642	(chrome.dll -message_pump_win.cc:169 )	base::MessagePumpForUI::DoRunLoop()
0x65b4a193	(chrome.dll -message_pump_win.cc:52 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x65b2adce	(chrome.dll -run_loop.cc:36 )	base::RunLoop::Run()
0x66757e1d	(chrome.dll -chrome_browser_main.cc:1844 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x67004ffe	(chrome.dll -browser_main_loop.cc:963 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x66fabc53	(chrome.dll -browser_main.cc:44 )	content::BrowserMain(content::MainFunctionParams const &)
0x66870e95	(chrome.dll -content_main_runner.cc:399 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x66870de9	(chrome.dll -content_main_runner.cc:772 )	content::ContentMainRunnerImpl::Run()
0x6686dfdb	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x66706bc0	(chrome.dll -chrome_main.cc:87 )	ChromeMain
0x0015f923	(chrome.exe -main_dll_loader_win.cc:184 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0015ebfb	(chrome.exe -chrome_exe_main_win.cc:231 )	wWinMain
0x001912c0	(chrome.exe -exe_common.inl:264 )	__scrt_common_main_seh
0x7723338a	(kernel32.dll + 0x0001338a )	BaseThreadInitThunk
0x77e09a02	(ntdll.dll + 0x00039a02 )	__RtlUserThreadStart
0x77e099d5	(ntdll.dll + 0x000399d5 )	_RtlUserThreadStart

ASAN Allocation Stack Trace:
=============================
0x6eca9abe	(syzyasan_rtl.dll -block_heap_manager.cc:190 )	agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x6ecacfe3	(syzyasan_rtl.dll -rtl_impl.cc:102 )	asan_HeapAlloc
0x678cc37f	(chrome.dll -malloc_base.cpp:29 )	_malloc_base
0x6789ee48	(chrome.dll -new_scalar.cpp:19 )	operator new(unsigned int)
0x67a016ba	(chrome.dll -profile_statistics_aggregator.cc:202 )	ProfileStatisticsAggregator::WaitOrCountBookmarks()
0x65b1b249	(chrome.dll -bind_internal.h:352 )	base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (*)(base::TaskRunner *,base::Callback<void ,1> const &)>,void ,scoped_refptr<base::SingleThreadTaskRunner>,base::Callback<void ,1> &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (*)(base::TaskRunner *,base::Callback<void ,1> const &)> >,void >::Run(base::internal::BindStateBase *)
0x65b6244a	(chrome.dll -post_task_and_reply_impl.cc:43 )	base::`anonymous namespace'::PostTaskAndReplyRelay::Run
0x65b49ffc	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x65acf8bd	(chrome.dll -message_loop.cc:477 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x65ad09f7	(chrome.dll -message_loop.cc:598 )	base::MessageLoop::DoWork()
0x65b4a642	(chrome.dll -message_pump_win.cc:169 )	base::MessagePumpForUI::DoRunLoop()
0x65b4a193	(chrome.dll -message_pump_win.cc:52 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x65b2adce	(chrome.dll -run_loop.cc:36 )	base::RunLoop::Run()
0x66757e1d	(chrome.dll -chrome_browser_main.cc:1844 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x67004ffe	(chrome.dll -browser_main_loop.cc:963 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x66fabc53	(chrome.dll -browser_main.cc:44 )	content::BrowserMain(content::MainFunctionParams const &)
0x66870e95	(chrome.dll -content_main_runner.cc:399 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x66870de9	(chrome.dll -content_main_runner.cc:772 )	content::ContentMainRunnerImpl::Run()
0x6686dfdb	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x66706bc0	(chrome.dll -chrome_main.cc:87 )	ChromeMain
0x0015f923	(chrome.exe -main_dll_loader_win.cc:184 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0015ebfb	(chrome.exe -chrome_exe_main_win.cc:231 )	wWinMain
0x001912c0	(chrome.exe -exe_common.inl:264 )	__scrt_common_main_seh
0x7723338a	(kernel32.dll + 0x0001338a )	BaseThreadInitThunk
0x77e09a02	(ntdll.dll + 0x00039a02 )	__RtlUserThreadStart
0x77e099d5	(ntdll.dll + 0x000399d5 )	_RtlUserThreadStart

This ASAN crash was introduced in the latest canary 51.0.2686.1, only 1 instance so far. Not seeing any non-ASAN builds with this crash.

Here is the link where you can see the list of chrome builds with this crash.
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20special_protos.asan_report.is_actionable%3D1%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27bookmarks%3A%3ABookmarkModel%3A%3ADoneLoading%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

vmpstr@, could you please look into this recent change https://chromium.googlesource.com/chromium/src/+/3abe3303bcbb2b24d7c21228f88114337347b674%5E%21/components/bookmarks/browser/bookmark_model.cc ? Please feel free to re-assign in case this is not related to yours.

I found this suspect from 'Code search'; however, I'm looping in https://chromium.googlesource.com/chromium/src/+/master/components/bookmarks/OWNERS as well.

Thank you!
Comment 1 by sheriffbot@chromium.org (Project Member), Mar 24 2016

Labels: Fracas
Users experienced this crash on the following builds:

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Comment 2 by vmp...@chromium.org, Mar 29 2016

Owner: manoranj...@chromium.org
The suspected patch doesn't change any behavior, it just removes unnecessary code. 
Issue 597541 has been merged into this issue.
Cc: ligim...@chromium.org
Owner: vmp...@chromium.org
Maybe this patch:

https://chromium.googlesource.com/chromium/src/+/a34d11324e0767acd94d8754e3a117e072492cf4

Vlad, could you please check whether this is the suspect?

Comment 5 by vmp...@chromium.org, Mar 29 2016

Cc: mlerman@chromium.org lwc...@gmail.com
Owner: mlerman@chromium.org
The memory is created and freed in the ProfileStatisticsAggregator::WaitOrCountBookmarks(), which was recently added in https://codereview.chromium.org/1579433002. I would probably suspect that it's the culprit.

It seems that we reset a scoped_ptr, add it to an observer list, then at some point we reset the observer again (deleting the previous one), and then notify the old stale observer. I'm not familiar with that code, so I'm not sure of the intended behavior though. 

Assigning to one of the patch reviewers, since the patch author is an external contributor. 
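The lifecycle comment 5 describes, as an added illustration that is not Chromium's code: a helper observer is created with a scoped pointer and registered on the model's raw-pointer observer list; a second call before the model has loaded resets the pointer, deleting the first helper while its address stays in the list, so DoneLoading() later calls into freed memory. `BookmarkModel`, `Helper` and `Aggregator` below are simplified stand-ins (assumed names and shapes), and the `kHardened` variant shows two independent mitigations: the helper unregisters itself in its destructor, and a second wait while one is pending is a no-op.

```cpp
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>
struct BookmarkModelObserver {
  virtual ~BookmarkModelObserver() = default;
  virtual void BookmarkModelLoaded() = 0;
};
// Stand-in for bookmarks::BookmarkModel: DoneLoading() walks raw observer pointers.
struct BookmarkModel {
  void AddObserver(BookmarkModelObserver* o) { observers_.push_back(o); }
  void RemoveObserver(BookmarkModelObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o), observers_.end());
  }
  void DoneLoading() { for (auto* o : observers_) o->BookmarkModelLoaded(); }
  int observer_count() const { return static_cast<int>(observers_.size()); }
  std::vector<BookmarkModelObserver*> observers_;
};
// Hypothetical helper observer; kHardened makes it unregister when destroyed.
template <bool kHardened>
struct Helper : BookmarkModelObserver {
  Helper(BookmarkModel* m, int* n) : model_(m), notified_(n) { model_->AddObserver(this); }
  ~Helper() override { if (kHardened) model_->RemoveObserver(this); }
  void BookmarkModelLoaded() override { ++*notified_; }
  BookmarkModel* model_;
  int* notified_;
};

// Unhardened, a second WaitOrCountBookmarks() deletes the old helper but leaves its pointer listed.
template <bool kHardened>
struct Aggregator {
  std::unique_ptr<Helper<kHardened>> helper_;
  int notified = 0;
  void WaitOrCountBookmarks(BookmarkModel* m) {
    if (kHardened && helper_) return;  // already waiting: keep the live observer
    helper_ = std::make_unique<Helper<kHardened>>(m, &notified);
  }
};

// Crash scenario: two waits before the load, then the load; returns {entries, notifications}.
template <bool kHardened>
std::pair<int, int> DoubleWaitThenLoad() {
  BookmarkModel model;  // declared first so it outlives the aggregator's helper
  Aggregator<kHardened> agg;
  agg.WaitOrCountBookmarks(&model);
  agg.WaitOrCountBookmarks(&model);
  int entries = model.observer_count();  // 2 unhardened (one dangling), 1 hardened
  if (kHardened) model.DoneLoading();    // unhardened, this would touch the freed helper
  return {entries, agg.notified};
}
```

The unhardened run deliberately stops before DoneLoading(); under SyzyASAN that call is exactly the heap-use-after-free read in the report above.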
Comment 6 by sheriffbot@chromium.org (Project Member), Mar 31 2016

Labels: OS-Linux
Users experienced this crash on the following builds:

Linux Dev 51.0.2693.2 - 1 reports, 1 clients (signature bookmarks::BookmarkModel::~BookmarkModel)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Comment 7 by bugdroid1@chromium.org (Project Member), Apr 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/592ca50b6619173d09a6531e4202d22f7e647c74

commit 592ca50b6619173d09a6531e4202d22f7e647c74
Author: lwchkg <lwchkg@gmail.com>
Date: Wed Apr 06 19:53:53 2016

Fix a use-after-free error in WaitOrCountBookmarks

The use-after-free error is reproduced when WaitOrCountBookmarks is
executed twice before the bookmark model is loaded.

BUG=596693
TEST=Added a unit test, with patched code passing and unpatched code failing.

Review URL: https://codereview.chromium.org/1838083006

Cr-Commit-Position: refs/heads/master@{#385528}

[modify] https://crrev.com/592ca50b6619173d09a6531e4202d22f7e647c74/chrome/browser/profiles/profile_statistics_aggregator.cc
[modify] https://crrev.com/592ca50b6619173d09a6531e4202d22f7e647c74/chrome/browser/profiles/profile_statistics_unittest.cc

Status: Fixed (was: Assigned)
Thanks lwchkg@!
