This crash, go/crash/2e9b346400000000, was found by the latest SyzyASAN Canary (51.0.2684.1).
Bad access information:
Error Type: heap-use-after-free
Location: 0x179e3fa7
Access Mode: write
Access Size: 4
User Size : 28
Magic Stack:
=============
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x5b827be1 ] MAGIC SIGNATURE THREAD
0x5b827be1 (chrome.dll -ref_counted.cc:42 ) base::subtle::RefCountedThreadSafeBase::Release()
0x5c448c6d (chrome.dll -ref_counted.h:183 ) base::RefCountedThreadSafe<RefcountedKeyedService,impl::RefcountedKeyedServiceTraits>::Release()
0x5d40bd2f (chrome.dll + 0x01c6bd2f ) std::tuple<scoped_refptr<extensions::DialAPI>,std::vector<extensions::DialDeviceData,std::allocator<extensions::DialDeviceData> > >::~tuple<scoped_refptr<extensions::DialAPI>,std::vector<extensions::DialDeviceData,std::allocator<extensions::DialDeviceData> > >()
0x5d40be81 (chrome.dll -bind_internal.h:431 ) base::internal::BindState<base::internal::RunnableAdapter<void ( extensions::DialAPI::*)(std::vector<extensions::DialDeviceData,std::allocator<extensions::DialDeviceData> > const &)>,void ,extensions::DialAPI * const,std::vector<extensions::DialDeviceData,std::allocator<extensions::DialDeviceData> > const &>::Destroy(base::internal::BindStateBase *)
0x5b7ffeef (chrome.dll -message_loop.cc:513 ) base::MessageLoop::DeletePendingTasks()
0x5b7fe046 (chrome.dll -message_loop.cc:163 ) base::MessageLoop::~MessageLoop()
0x5b7fdca4 (chrome.dll + 0x0005dca4 ) base::MessageLoop::`scalar deleting destructor'(unsigned int)
0x5cd32065 (chrome.dll -browser_main_loop.cc:436 ) content::BrowserMainLoop::~BrowserMainLoop()
0x5cd321ca (chrome.dll + 0x015921ca ) content::BrowserMainLoop::`scalar deleting destructor'(unsigned int)
0x5cd3172a (chrome.dll -browser_main_runner.cc:221 ) content::BrowserMainRunnerImpl::Shutdown()
0x5ccdbc6f (chrome.dll -browser_main.cc:46 ) content::BrowserMain(content::MainFunctionParams const &)
0x5c5a0e94 (chrome.dll -content_main_runner.cc:399 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x5c5a0de8 (chrome.dll -content_main_runner.cc:772 ) content::ContentMainRunnerImpl::Run()
0x5c59dfda (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &)
0x5c436bbf (chrome.dll -chrome_main.cc:84 ) ChromeMain
0x000df922 (chrome.exe -main_dll_loader_win.cc:183 ) MainDllLoader::Launch(HINSTANCE__ *)
0x000debfa (chrome.exe -chrome_exe_main_win.cc:230 ) wWinMain
0x001112bf (chrome.exe -exe_common.inl:264 ) __scrt_common_main_seh
0x76e67c03 (kernel32.dll + 0x00017c03 ) BaseThreadInitThunk
0x77edab8e (ntdll.dll + 0x0005ab8e ) __RtlUserThreadStart
0x77edab59 (ntdll.dll + 0x0005ab59 ) _RtlUserThreadStart
ASAN Free Stack trace:
=======================
0x68139dba (syzyasan_rtl.dll -block_heap_manager.cc:294 ) agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x6813d08d (syzyasan_rtl.dll -rtl_impl.cc:123 ) asan_HeapFree
0x5d5fc31f (chrome.dll -free_base.cpp:107 ) _free_base
0x5d40be38 (chrome.dll + 0x01c6be38 ) extensions::DialAPI::`scalar deleting destructor'(unsigned int)
0x5cd61afd (chrome.dll -sequenced_task_runner_helpers.h:41 ) base::DeleteHelper<content::NotificationMessageFilter>::DoDelete(void const *)
0x5b80242b (chrome.dll -bind_internal.h:352 ) base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (*)(void const *)>,void ,void const * &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (*)(void const *)> >,void >::Run(base::internal::BindStateBase *)
0x5b879ffc (chrome.dll -task_annotator.cc:51 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x5b7ff8bd (chrome.dll -message_loop.cc:477 ) base::MessageLoop::RunTask(base::PendingTask const &)
0x5b8009f7 (chrome.dll -message_loop.cc:598 ) base::MessageLoop::DoWork()
0x5b87b2e8 (chrome.dll -message_pump_win.cc:485 ) base::MessagePumpForIO::DoRunLoop()
0x5b87a193 (chrome.dll -message_pump_win.cc:52 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x5b85adce (chrome.dll -run_loop.cc:36 ) base::RunLoop::Run()
0x5b829949 (chrome.dll -thread.cc:202 ) base::Thread::Run(base::MessageLoop *)
0x5cc6f502 (chrome.dll -browser_thread_impl.cc:216 ) content::BrowserThreadImpl::IOThreadRun(base::MessageLoop *)
0x5cc6fba9 (chrome.dll -browser_thread_impl.cc:251 ) content::BrowserThreadImpl::Run(base::MessageLoop *)
0x5b829c54 (chrome.dll -thread.cc:254 ) base::Thread::ThreadMain()
0x5b85b39e (chrome.dll -platform_thread_win.cc:86 ) base::`anonymous namespace'::ThreadFunc
0x76e67c04 (kernel32.dll + 0x00017c04 ) BaseThreadInitThunk
0x77edab8f (ntdll.dll + 0x0005ab8f ) __RtlUserThreadStart
0x77edab5a (ntdll.dll + 0x0005ab5a ) _RtlUserThreadStart
ASAN Allocation Stack Trace:
=============================
0x68139abe (syzyasan_rtl.dll -block_heap_manager.cc:190 ) agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x6813cfe3 (syzyasan_rtl.dll -rtl_impl.cc:102 ) asan_HeapAlloc
0x5d5fc37f (chrome.dll -malloc_base.cpp:29 ) _malloc_base
0x5d5cee48 (chrome.dll -new_scalar.cpp:19 ) operator new(unsigned int)
0x5d3aec32 (chrome.dll -dial_api_factory.cc:36 ) extensions::DialAPIFactory::BuildServiceInstanceFor(content::BrowserContext *)
0x5d2855ca (chrome.dll -refcounted_browser_context_keyed_service_factory.cc:88 ) RefcountedBrowserContextKeyedServiceFactory::BuildServiceInstanceFor(base::SupportsUserData *)
0x5ca50f80 (chrome.dll -refcounted_keyed_service_factory.cc:82 ) RefcountedKeyedServiceFactory::GetServiceForContext(base::SupportsUserData *,bool)
0x5ca50de4 (chrome.dll -refcounted_keyed_service_factory.cc:130 ) RefcountedKeyedServiceFactory::CreateServiceNow(base::SupportsUserData *)
0x5ca518e3 (chrome.dll -dependency_manager.cc:66 ) DependencyManager::CreateContextServices(base::SupportsUserData *,bool)
0x5d2857b5 (chrome.dll -browser_context_dependency_manager.cc:48 ) BrowserContextDependencyManager::DoCreateBrowserContextServices(content::BrowserContext *,bool)
0x5d285729 (chrome.dll -browser_context_dependency_manager.cc:33 ) BrowserContextDependencyManager::CreateBrowserContextServices(content::BrowserContext *)
0x5c53d515 (chrome.dll -profile_impl.cc:825 ) ProfileImpl::OnLocaleReady()
0x5c53d867 (chrome.dll -profile_impl.cc:857 ) ProfileImpl::OnPrefsLoaded(Profile::CreateMode,bool)
0x5c53b165 (chrome.dll -profile_impl.cc:481 ) ProfileImpl::ProfileImpl(base::FilePath const &,Profile::Delegate *,Profile::CreateMode,base::SequencedTaskRunner *)
0x5c53b73a (chrome.dll -profile_impl.cc:316 ) Profile::CreateProfile(base::FilePath const &,Profile::Delegate *,Profile::CreateMode)
0x5c4d5612 (chrome.dll -profile_manager.cc:1236 ) ProfileManager::CreateProfileHelper(base::FilePath const &)
0x5c4d5111 (chrome.dll -profile_manager.cc:1316 ) ProfileManager::CreateAndInitializeProfile(base::FilePath const &)
0x5c4d69ad (chrome.dll -profile_manager.cc:429 ) ProfileManager::GetProfile(base::FilePath const &)
0x5c487742 (chrome.dll -chrome_browser_main.cc:396 ) `anonymous namespace'::CreatePrimaryProfile
0x5c48a0c9 (chrome.dll -chrome_browser_main.cc:1492 ) ChromeBrowserMainParts::PreMainMessageLoopRunImpl()
0x5c48979c (chrome.dll -chrome_browser_main.cc:1144 ) ChromeBrowserMainParts::PreMainMessageLoopRun()
0x5cd34d4f (chrome.dll -browser_main_loop.cc:945 ) content::BrowserMainLoop::PreMainMessageLoopRun()
0x5ce5a0b5 (chrome.dll -startup_task_runner.cc:45 ) content::StartupTaskRunner::RunAllTasksNow()
0x5cd32e4d (chrome.dll -browser_main_loop.cc:819 ) content::BrowserMainLoop::CreateStartupTasks()
0x5cd312b5 (chrome.dll -browser_main_runner.cc:138 ) content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const &)
0x5ccdbc32 (chrome.dll -browser_main.cc:40 ) content::BrowserMain(content::MainFunctionParams const &)
0x5c5a0e95 (chrome.dll -content_main_runner.cc:399 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x5c5a0de9 (chrome.dll -content_main_runner.cc:772 ) content::ContentMainRunnerImpl::Run()
0x5c59dfdb (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &)
0x5c436bc0 (chrome.dll -chrome_main.cc:87 ) ChromeMain
0x000df923 (chrome.exe -main_dll_loader_win.cc:184 ) MainDllLoader::Launch(HINSTANCE__ *)
0x000debfb (chrome.exe -chrome_exe_main_win.cc:231 ) wWinMain
0x001112c0 (chrome.exe -exe_common.inl:264 ) __scrt_common_main_seh
0x76e67c04 (kernel32.dll + 0x00017c04 ) BaseThreadInitThunk
0x77edab8f (ntdll.dll + 0x0005ab8f ) __RtlUserThreadStart
0x77edab5a (ntdll.dll + 0x0005ab5a ) _RtlUserThreadStart
This ASAN crash was introduced in Canary#51.0.2684.1; below is the list of builds having this issue. No non-ASAN builds are seen with this crash. From the traces above, the DialAPI object appears to be freed on the IO thread (via DeleteHelper) and then released again by a pending task torn down in MessageLoop::DeletePendingTasks during browser shutdown.
51.0.2686.1 50.00% 1
51.0.2684.1 50.00% 1
Here is the link where you can see the list of chrome builds with this crash.
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20special_protos.asan_report.is_actionable%3D1%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27base%3A%3Asubtle%3A%3ARefCountedThreadSafeBase%3A%3ARelease%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D
Forwarding to https://chromium.googlesource.com/chromium/src/+/master/base/memory/OWNERS.
Thank you!
Comment 1 by manoranj...@chromium.org
, Mar 21 2016