
Issue 597742 link


Issue metadata

Status: WontFix
Owner:
Closed: Jul 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Regression




Chrome_ASAN: Crash Report - devtools_http_handler::DevToolsHttpHandler::OnWebSocketMessage.

Project Member Reported by manoranj...@chromium.org, Mar 24 2016

Issue description

This crash (go/crash/75a08f3800000000) was found by the latest SyzyASAN Canary (51.0.2689.1).

Bad access information:

Error Type: heap-use-after-free
Location: 0x28433a23
Access Mode: read
Access Size: 4
User Size : 140

Magic Stack:
=============
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x0fb1ffd6 ] MAGIC SIGNATURE THREAD
0x0fb1ffd6	(chrome.dll -devtools_http_handler.cc:758 )	devtools_http_handler::DevToolsHttpHandler::OnWebSocketMessage(int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x0f3b558b	(chrome.dll -bind_internal.h:324 )	base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( policy::ExternalPolicyDataFetcherBackend::*)(policy::ExternalPolicyDataFetcher::Job *,base::Callback<void ,1> const &)> >::MakeItSo<base::WeakPtr<policy::ExternalPolicyDataFetcherBackend>,policy::ExternalPolicyDataFetcher::Job * const &,base::Callback<void ,1> const &>(base::internal::RunnableAdapter<void ( policy::ExternalPolicyDataFetcherBackend::*)(policy::ExternalPolicyDataFetcher::Job *,base::Callback<void ,1> const &)>,base::WeakPtr<policy::ExternalPolicyDataFetcherBackend>,policy::ExternalPolicyDataFetcher::Job * const &,base::Callback<void ,1> const &)
0x0fb2064b	(chrome.dll -bind_internal.h:362 )	base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void ( devtools_http_handler::DevToolsHttpHandler::*)(int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>,void ,base::WeakPtr<devtools_http_handler::DevToolsHttpHandler> &,int &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > &>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( devtools_http_handler::DevToolsHttpHandler::*)(int,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)> >,void >::Run(base::internal::BindStateBase *)
0x0e1c75b0	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x0e14f8bc	(chrome.dll -message_loop.cc:476 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x0e1509f6	(chrome.dll -message_loop.cc:597 )	base::MessageLoop::DoWork()
0x0e1c7bf6	(chrome.dll -message_pump_win.cc:168 )	base::MessagePumpForUI::DoRunLoop()
0x0e1c7747	(chrome.dll -message_pump_win.cc:50 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x0e1a76a0	(chrome.dll -run_loop.cc:35 )	base::RunLoop::Run()
0x0edfa790	(chrome.dll -chrome_browser_main.cc:1857 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x0f6bd102	(chrome.dll -browser_main_loop.cc:944 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x0f6b95a0	(chrome.dll -browser_main_runner.cc:150 )	content::BrowserMainRunnerImpl::Run()
0x0f6644ab	(chrome.dll -browser_main.cc:44 )	content::BrowserMain(content::MainFunctionParams const &)
0x0ef10311	(chrome.dll -content_main_runner.cc:393 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x0ef10265	(chrome.dll -content_main_runner.cc:754 )	content::ContentMainRunnerImpl::Run()
0x0ef0d457	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x0edae326	(chrome.dll -chrome_main.cc:84 )	ChromeMain
0x0122f203	(chrome.exe -main_dll_loader_win.cc:183 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0122e469	(chrome.exe -chrome_exe_main_win.cc:230 )	wWinMain
0x0125d544	(chrome.exe -exe_common.inl:264 )	__scrt_common_main_seh
0x762c3389	(kernel32.dll + 0x00013389 )	BaseThreadInitThunk
0x77479a01	(ntdll.dll + 0x00039a01 )	__RtlUserThreadStart
0x774799d4	(ntdll.dll + 0x000399d4 )	_RtlUserThreadStart

ASAN Free Stack trace:
=======================
ASAN Free Stack Trace
0x611a9e4a	(syzyasan_rtl.dll -block_heap_manager.cc:294 )	agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x611ad11d	(syzyasan_rtl.dll -rtl_impl.cc:123 )	asan_HeapFree
0x0ff67c9f	(chrome.dll -free_base.cpp:107 )	_free_base
0x0f879029	(chrome.dll + 0x01789029 )	content::SharedWorkerDevToolsAgentHost::`scalar deleting destructor'(unsigned int)
0x0f7a9922	(chrome.dll -ref_counted.h:420 )	scoped_refptr<content::WorkerDevToolsAgentHost>::Release(content::WorkerDevToolsAgentHost *)
0x0f7aa36f	(chrome.dll -shared_worker_devtools_manager.cc:78 )	content::SharedWorkerDevToolsManager::WorkerDestroyed(int,int)
0x0f7ab450	(chrome.dll -shared_worker_host.cc:49 )	content::`anonymous namespace'::NotifyWorkerDestroyed
0x0ee7e305	(chrome.dll -bind_internal.h:362 )	base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (*)(int,int)>,void ,int &,int &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (*)(int,int)> >,void >::Run(base::internal::BindStateBase *)
0x0e1c75b1	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x0e14f8bd	(chrome.dll -message_loop.cc:477 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x0e1509f7	(chrome.dll -message_loop.cc:598 )	base::MessageLoop::DoWork()
0x0e1c7bf7	(chrome.dll -message_pump_win.cc:169 )	base::MessagePumpForUI::DoRunLoop()
0x0e1c7748	(chrome.dll -message_pump_win.cc:52 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x0e1a76a1	(chrome.dll -run_loop.cc:36 )	base::RunLoop::Run()
0x0edfa791	(chrome.dll -chrome_browser_main.cc:1859 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x0f6bd103	(chrome.dll -browser_main_loop.cc:946 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x0f6644ac	(chrome.dll -browser_main.cc:44 )	content::BrowserMain(content::MainFunctionParams const &)
0x0ef10312	(chrome.dll -content_main_runner.cc:393 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x0ef10266	(chrome.dll -content_main_runner.cc:754 )	content::ContentMainRunnerImpl::Run()
0x0ef0d458	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x0edae327	(chrome.dll -chrome_main.cc:87 )	ChromeMain
0x0122f204	(chrome.exe -main_dll_loader_win.cc:184 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0122e46a	(chrome.exe -chrome_exe_main_win.cc:231 )	wWinMain
0x0125d545	(chrome.exe -exe_common.inl:264 )	__scrt_common_main_seh
0x762c338a	(kernel32.dll + 0x0001338a )	BaseThreadInitThunk
0x77479a02	(ntdll.dll + 0x00039a02 )	__RtlUserThreadStart
0x774799d5	(ntdll.dll + 0x000399d5 )	_RtlUserThreadStart

ASAN Allocation Stack Trace:
=============================
ASAN Allocation Stack Trace
0x611a9b4e	(syzyasan_rtl.dll -block_heap_manager.cc:190 )	agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x611ad073	(syzyasan_rtl.dll -rtl_impl.cc:102 )	asan_HeapAlloc
0x0ff67cff	(chrome.dll -malloc_base.cpp:29 )	_malloc_base
0x0ff3aaf3	(chrome.dll -new_scalar.cpp:19 )	operator new(unsigned int)
0x0f7aa275	(chrome.dll -shared_worker_devtools_manager.cc:45 )	content::SharedWorkerDevToolsManager::WorkerCreated(int,int,content::SharedWorkerInstance const &)
0x0f663a0d	(chrome.dll -shared_worker_service_impl.cc:203 )	content::SharedWorkerServiceImpl::SharedWorkerReserver::TryReserve(base::Callback<void ,1> const &,base::Callback<void ,1> const &,bool (*)(int))
0x0f663813	(chrome.dll -bind_internal.h:365 )	base::internal::Invoker<base::IndexSequence<0,1,2,3>,base::internal::BindState<base::internal::RunnableAdapter<void ( content::SharedWorkerServiceImpl::SharedWorkerReserver::*)(base::Callback<void ,1> const &,base::Callback<void ,1> const &,bool (*)(int))>,void ,scoped_refptr<content::SharedWorkerServiceImpl::SharedWorkerReserver> &,base::Callback<void ,1>,base::Callback<void ,1>,bool (*&)(int)>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ( content::SharedWorkerServiceImpl::SharedWorkerReserver::*)(base::Callback<void ,1> const &,base::Callback<void ,1> const &,bool (*)(int))> >,void >::Run(base::internal::BindStateBase *)
0x0e1c75b1	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x0e14f8bd	(chrome.dll -message_loop.cc:477 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x0e1509f7	(chrome.dll -message_loop.cc:598 )	base::MessageLoop::DoWork()
0x0e1c7bf7	(chrome.dll -message_pump_win.cc:169 )	base::MessagePumpForUI::DoRunLoop()
0x0e1c7748	(chrome.dll -message_pump_win.cc:52 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x0e1a76a1	(chrome.dll -run_loop.cc:36 )	base::RunLoop::Run()
0x0edfa791	(chrome.dll -chrome_browser_main.cc:1859 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x0f6bd103	(chrome.dll -browser_main_loop.cc:946 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x0f6644ac	(chrome.dll -browser_main.cc:44 )	content::BrowserMain(content::MainFunctionParams const &)
0x0ef10312	(chrome.dll -content_main_runner.cc:393 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x0ef10266	(chrome.dll -content_main_runner.cc:754 )	content::ContentMainRunnerImpl::Run()
0x0ef0d458	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x0edae327	(chrome.dll -chrome_main.cc:87 )	ChromeMain
0x0122f204	(chrome.exe -main_dll_loader_win.cc:184 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0122e46a	(chrome.exe -chrome_exe_main_win.cc:231 )	wWinMain
0x0125d545	(chrome.exe -exe_common.inl:264 )	__scrt_common_main_seh
0x762c338a	(kernel32.dll + 0x0001338a )	BaseThreadInitThunk
0x77479a02	(ntdll.dll + 0x00039a02 )	__RtlUserThreadStart
0x774799d5	(ntdll.dll + 0x000399d5 )	_RtlUserThreadStart

This ASAN crash first appeared in the latest Canary (51.0.2689.1); the builds showing it are listed below. No non-ASAN builds show this crash. Per the traces above, the freed object is allocated in SharedWorkerDevToolsManager::WorkerCreated, released via SharedWorkerDevToolsManager::WorkerDestroyed (SharedWorkerDevToolsAgentHost destructor), and then read by DevToolsHttpHandler::OnWebSocketMessage (devtools_http_handler.cc:758) — a heap-use-after-free in the browser process.

51.0.2689.1	50.00%	1	

Here is the link listing the Chrome builds with this crash:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20special_protos.asan_report.is_actionable%3D1%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27devtools_http_handler%3A%3ADevToolsHttpHandler%3A%3AOnWebSocketMessage%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

Chromium CL:
=============
https://chromium.googlesource.com/chromium/src/+log/51.0.2688.0..51.0.2689.0?pretty=fuller&n=10000

dgozman@, could you please look into this change (https://chromium.googlesource.com/chromium/src/+/6c4ea00151d1ad5efcfbf27b0c7d77f66df21c81) if possible? It is in the 51.0.2688.0..51.0.2689.0 range and touches the DevTools code in both the crash and free stacks.

Thank you!
 
Status: WontFix (was: Assigned)
No crashes are being reported anymore, so closing as WontFix; note that no specific fix was identified for the use-after-free, so this should be reopened if the signature reappears.
