
Issue 600359

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 516821
Owner:
Last visit 26 days ago
Closed: Apr 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Use-after-free in TranslateAcceptLanguages::InitAcceptLanguages

Project Member Reported by chrisha@chromium.org, Apr 4 2016

Issue description

This is being seen regularly on the Windows canary_asan builds. An example crash can be found here: http://crash/17462d0c00000000

Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x0f691d9d ] MAGIC SIGNATURE THREAD
0x0f691d9d	(syzyasan_rtl.dll -rtl_utils.cc:154 )	agent::asan::TestMemoryRange(unsigned char const *,unsigned int,agent::asan::AccessMode)
0x0f6b5c26	(syzyasan_rtl.dll -crt_interceptors.cc:57 )	asan_memchr
0x633b298e	(chrome.dll -string_piece.cc:133 )	base::internal::findT<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >(base::BasicStringPiece<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > const &,char,unsigned int)
0x633b1ee2	(chrome.dll -string_piece.cc:139 )	base::internal::find(base::BasicStringPiece<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > const &,char,unsigned int)
0x655304da	(chrome.dll -translate_accept_languages.cc:70 )	translate::TranslateAcceptLanguages::InitAcceptLanguages(PrefService *)
0x655302e9	(chrome.dll -translate_accept_languages.cc:21 )	translate::TranslateAcceptLanguages::TranslateAcceptLanguages(PrefService *,char const *)
0x64f2148c	(chrome.dll -translate_accept_languages_factory.cc:36 )	`anonymous namespace'::TranslateAcceptLanguagesService::TranslateAcceptLanguagesService(PrefService *)
0x64f21545	(chrome.dll -translate_accept_languages_factory.cc:68 )	TranslateAcceptLanguagesFactory::BuildServiceInstanceFor(content::BrowserContext *)
0x64ae0645	(chrome.dll -browser_context_keyed_service_factory.cc:94 )	BrowserContextKeyedServiceFactory::BuildServiceInstanceFor(base::SupportsUserData *)
0x6491a8fb	(chrome.dll -keyed_service_factory.cc:89 )	KeyedServiceFactory::GetServiceForContext(base::SupportsUserData *,bool)
0x64f21563	(chrome.dll -translate_accept_languages_factory.cc:54 )	TranslateAcceptLanguagesFactory::GetForBrowserContext(content::BrowserContext *)
0x64e6f9d7	(chrome.dll -chrome_translate_client.cc:229 )	ChromeTranslateClient::GetTranslateAcceptLanguages()
0x6552dd4b	(chrome.dll -translate_manager.cc:177 )	translate::TranslateManager::InitiateTranslation(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x64d6ae4f	(chrome.dll -content_translate_driver.cc:240 )	translate::ContentTranslateDriver::OnLanguageDetermined(translate::LanguageDetectionDetails const &,bool)
0x64d6a694	(chrome.dll -tuple.h:254 )	base::DispatchToMethodImpl<translate::ContentTranslateDriver,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),translate::LanguageDetectionDetails,bool,0,1>(translate::ContentTranslateDriver *,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),base::Tuple<translate::LanguageDetectionDetails,bool> const &,base::IndexSequence<0,1>)
0x64d6a63e	(chrome.dll -tuple.h:261 )	base::DispatchToMethod<translate::ContentTranslateDriver,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),translate::LanguageDetectionDetails,bool>(translate::ContentTranslateDriver *,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),base::Tuple<translate::LanguageDetectionDetails,bool> const &)
0x64d6a58d	(chrome.dll -translate_messages.h:61 )	ChromeViewHostMsg_TranslateLanguageDetermined::Dispatch<translate::ContentTranslateDriver,translate::ContentTranslateDriver,void,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool)>(IPC::Message const *,translate::ContentTranslateDriver *,translate::ContentTranslateDriver *,void *,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool))
0x64d6af76	(chrome.dll -content_translate_driver.cc:221 )	translate::ContentTranslateDriver::OnMessageReceived(IPC::Message const &)
0x6458040e	(chrome.dll -web_contents_impl.cc:596 )	content::WebContentsImpl::OnMessageReceived(content::RenderViewHost *,content::RenderFrameHost *,IPC::Message const &)
0x64580d43	(chrome.dll -web_contents_impl.cc:576 )	content::WebContentsImpl::OnMessageReceived(content::RenderViewHost *,IPC::Message const &)
0x645a3102	(chrome.dll -render_view_host_impl.cc:898 )	content::RenderViewHostImpl::OnMessageReceived(IPC::Message const &)
0x6459641c	(chrome.dll -render_process_host_impl.cc:1568 )	content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const &)
0x641838e9	(chrome.dll -ipc_channel_proxy.cc:288 )	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x63b5b60e	(chrome.dll -bind_internal.h:346 )	base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ( BrowsingDataCookieHelper::*)(std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > const &)>,void ,base::internal::TypeList<BrowsingDataCookieHelper *,std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > > >,base::internal::TypeList<base::internal::UnwrapTraits<BrowsingDataCookieHelper *>,base::internal::UnwrapTraits<std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ( BrowsingDataCookieHelper::*)(std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > const &)>,base::internal::TypeList<BrowsingDataCookieHelper * const &,std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > const &> >,void >::Run(base::internal::BindStateBase *)
0x633c6aa8	(chrome.dll -task_annotator.cc:49 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x6334e2f1	(chrome.dll -message_loop.cc:481 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x6334f5cc	(chrome.dll -message_loop.cc:602 )	base::MessageLoop::DoWork()
0x633c5395	(chrome.dll -message_pump_win.cc:184 )	base::MessagePumpForUI::DoRunLoop()
0x633c4ed8	(chrome.dll -message_pump_win.cc:57 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x6334dea2	(chrome.dll -message_loop.cc:445 )	base::MessageLoop::RunHandler()
0x633a98b4	(chrome.dll -run_loop.cc:55 )	base::RunLoop::Run()
0x63a7b497	(chrome.dll -chrome_browser_main.cc:1731 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x64622918	(chrome.dll -browser_main_loop.cc:880 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x6467701c	(chrome.dll -browser_main_runner.cc:211 )	content::BrowserMainRunnerImpl::Run()
0x645ddb14	(chrome.dll -browser_main.cc:26 )	content::BrowserMain(content::MainFunctionParams const &)
0x63be415e	(chrome.dll -content_main_runner.cc:367 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x63be40b2	(chrome.dll -content_main_runner.cc:792 )	content::ContentMainRunnerImpl::Run()
0x63be1449	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x63a3429c	(chrome.dll -chrome_main.cc:66 )	ChromeMain
0x00fe9d9c	(chrome.exe -client_util.cc:255 )	MainDllLoader::Launch(HINSTANCE__ *)
0x00fe90fd	(chrome.exe -chrome_exe_main_win.cc:157 )	wWinMain
0x0100da99	(chrome.exe -crt0.c:251 )	__tmainCRTStartup
0x75097c03	(kernel32.dll + 0x00017c03 )	BaseThreadInitThunk
0x777aad1e	(ntdll.dll + 0x0005ad1e )	__RtlUserThreadStart
0x777aace9	(ntdll.dll + 0x0005ace9 )	_RtlUserThreadStart

ASAN Free Stack Trace
0x0f68f661	(syzyasan_rtl.dll -block_heap_manager.cc:299 )	agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x0f689cbd	(syzyasan_rtl.dll -rtl_impl.cc:124 )	asan_HeapFree
0x64d97934	(chrome.dll -free.c:51 )	free
0x63339f0f	(chrome.dll -xstring:2282 )	std::basic_string<char,std::char_traits<char>,std::allocator<char> >::_Tidy(bool,unsigned int)
0x655304c6	(chrome.dll -translate_accept_languages.cc:65 )	translate::TranslateAcceptLanguages::InitAcceptLanguages(PrefService *)
0x655302ea	(chrome.dll -translate_accept_languages.cc:24 )	translate::TranslateAcceptLanguages::TranslateAcceptLanguages(PrefService *,char const *)
0x64f2148d	(chrome.dll -translate_accept_languages_factory.cc:36 )	`anonymous namespace'::TranslateAcceptLanguagesService::TranslateAcceptLanguagesService(PrefService *)
0x64f21546	(chrome.dll -translate_accept_languages_factory.cc:68 )	TranslateAcceptLanguagesFactory::BuildServiceInstanceFor(content::BrowserContext *)
0x64ae0646	(chrome.dll -browser_context_keyed_service_factory.cc:94 )	BrowserContextKeyedServiceFactory::BuildServiceInstanceFor(base::SupportsUserData *)
0x6491a8fc	(chrome.dll -keyed_service_factory.cc:89 )	KeyedServiceFactory::GetServiceForContext(base::SupportsUserData *,bool)
0x64f21564	(chrome.dll -translate_accept_languages_factory.cc:55 )	TranslateAcceptLanguagesFactory::GetForBrowserContext(content::BrowserContext *)
0x64e6f9d8	(chrome.dll -chrome_translate_client.cc:229 )	ChromeTranslateClient::GetTranslateAcceptLanguages()
0x6552dd4c	(chrome.dll -translate_manager.cc:180 )	translate::TranslateManager::InitiateTranslation(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x64d6ae50	(chrome.dll -content_translate_driver.cc:242 )	translate::ContentTranslateDriver::OnLanguageDetermined(translate::LanguageDetectionDetails const &,bool)
0x64d6a695	(chrome.dll -tuple.h:255 )	base::DispatchToMethodImpl<translate::ContentTranslateDriver,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),translate::LanguageDetectionDetails,bool,0,1>(translate::ContentTranslateDriver *,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),base::Tuple<translate::LanguageDetectionDetails,bool> const &,base::IndexSequence<0,1>)
0x64d6a63f	(chrome.dll -tuple.h:261 )	base::DispatchToMethod<translate::ContentTranslateDriver,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),translate::LanguageDetectionDetails,bool>(translate::ContentTranslateDriver *,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),base::Tuple<translate::LanguageDetectionDetails,bool> const &)
0x64d6a58e	(chrome.dll -translate_messages.h:61 )	ChromeViewHostMsg_TranslateLanguageDetermined::Dispatch<translate::ContentTranslateDriver,translate::ContentTranslateDriver,void,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool)>(IPC::Message const *,translate::ContentTranslateDriver *,translate::ContentTranslateDriver *,void *,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool))
0x64d6af77	(chrome.dll -content_translate_driver.cc:221 )	translate::ContentTranslateDriver::OnMessageReceived(IPC::Message const &)
0x6458040f	(chrome.dll -web_contents_impl.cc:596 )	content::WebContentsImpl::OnMessageReceived(content::RenderViewHost *,content::RenderFrameHost *,IPC::Message const &)
0x64580d44	(chrome.dll -web_contents_impl.cc:577 )	content::WebContentsImpl::OnMessageReceived(content::RenderViewHost *,IPC::Message const &)
0x645a3103	(chrome.dll -render_view_host_impl.cc:898 )	content::RenderViewHostImpl::OnMessageReceived(IPC::Message const &)
0x6459641d	(chrome.dll -render_process_host_impl.cc:1568 )	content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const &)
0x641838ea	(chrome.dll -ipc_channel_proxy.cc:289 )	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x63b5b60f	(chrome.dll -bind_internal.h:346 )	base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ( BrowsingDataCookieHelper::*)(std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > const &)>,void ,base::internal::TypeList<BrowsingDataCookieHelper *,std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > > >,base::internal::TypeList<base::internal::UnwrapTraits<BrowsingDataCookieHelper *>,base::internal::UnwrapTraits<std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ( BrowsingDataCookieHelper::*)(std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > const &)>,base::internal::TypeList<BrowsingDataCookieHelper * const &,std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > const &> >,void >::Run(base::internal::BindStateBase *)
0x633c6aa9	(chrome.dll -task_annotator.cc:49 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x6334e2f2	(chrome.dll -message_loop.cc:483 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x6334f5cd	(chrome.dll -message_loop.cc:603 )	base::MessageLoop::DoWork()
0x633c5396	(chrome.dll -message_pump_win.cc:185 )	base::MessagePumpForUI::DoRunLoop()
0x633c4ed9	(chrome.dll -message_pump_win.cc:57 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x6334dea3	(chrome.dll -message_loop.cc:446 )	base::MessageLoop::RunHandler()
0x633a98b5	(chrome.dll -run_loop.cc:56 )	base::RunLoop::Run()
0x63a7b498	(chrome.dll -chrome_browser_main.cc:1733 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x64622919	(chrome.dll -browser_main_loop.cc:882 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x645ddb15	(chrome.dll -browser_main.cc:26 )	content::BrowserMain(content::MainFunctionParams const &)
0x63be415f	(chrome.dll -content_main_runner.cc:367 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x63be40b3	(chrome.dll -content_main_runner.cc:792 )	content::ContentMainRunnerImpl::Run()
0x63be144a	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x63a3429d	(chrome.dll -chrome_main.cc:69 )	ChromeMain
0x00fe9d9d	(chrome.exe -client_util.cc:256 )	MainDllLoader::Launch(HINSTANCE__ *)
0x00fe90fe	(chrome.exe -chrome_exe_main_win.cc:158 )	wWinMain
0x0100da9a	(chrome.exe -crt0.c:251 )	__tmainCRTStartup
0x75097c04	(kernel32.dll + 0x00017c04 )	BaseThreadInitThunk
0x777aad1f	(ntdll.dll + 0x0005ad1f )	__RtlUserThreadStart
0x777aacea	(ntdll.dll + 0x0005acea )	_RtlUserThreadStart

ASAN Allocation Stack Trace
0x0f68f384	(syzyasan_rtl.dll -block_heap_manager.cc:196 )	agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x0f689c13	(syzyasan_rtl.dll -rtl_impl.cc:103 )	asan_HeapAlloc
0x64d9b8b6	(chrome.dll -malloc.c:92 )	malloc
0x64d9685c	(chrome.dll -new.cpp:59 )	operator new(unsigned int)
0x6333b589	(chrome.dll -xstring:2215 )	std::basic_string<char,std::char_traits<char>,std::allocator<char> >::_Copy(unsigned int,unsigned int)
0x6333aa59	(chrome.dll -xstring:1158 )	std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign(char const *,unsigned int)
0x633d1f1f	(chrome.dll -json_parser.cc:143 )	base::internal::`anonymous namespace'::JSONStringValue::GetAsString(std::basic_string<char,std::char_traits<char>,std::allocator<char> > *)
0x633e9714	(chrome.dll -pref_service.cc:171 )	PrefService::GetString(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x655304a4	(chrome.dll -translate_accept_languages.cc:65 )	translate::TranslateAcceptLanguages::InitAcceptLanguages(PrefService *)
0x655302ea	(chrome.dll -translate_accept_languages.cc:24 )	translate::TranslateAcceptLanguages::TranslateAcceptLanguages(PrefService *,char const *)
0x64f2148d	(chrome.dll -translate_accept_languages_factory.cc:36 )	`anonymous namespace'::TranslateAcceptLanguagesService::TranslateAcceptLanguagesService(PrefService *)
0x64f21546	(chrome.dll -translate_accept_languages_factory.cc:68 )	TranslateAcceptLanguagesFactory::BuildServiceInstanceFor(content::BrowserContext *)
0x64ae0646	(chrome.dll -browser_context_keyed_service_factory.cc:94 )	BrowserContextKeyedServiceFactory::BuildServiceInstanceFor(base::SupportsUserData *)
0x6491a8fc	(chrome.dll -keyed_service_factory.cc:89 )	KeyedServiceFactory::GetServiceForContext(base::SupportsUserData *,bool)
0x64f21564	(chrome.dll -translate_accept_languages_factory.cc:55 )	TranslateAcceptLanguagesFactory::GetForBrowserContext(content::BrowserContext *)
0x64e6f9d8	(chrome.dll -chrome_translate_client.cc:229 )	ChromeTranslateClient::GetTranslateAcceptLanguages()
0x6552dd4c	(chrome.dll -translate_manager.cc:180 )	translate::TranslateManager::InitiateTranslation(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x64d6ae50	(chrome.dll -content_translate_driver.cc:242 )	translate::ContentTranslateDriver::OnLanguageDetermined(translate::LanguageDetectionDetails const &,bool)
0x64d6a695	(chrome.dll -tuple.h:255 )	base::DispatchToMethodImpl<translate::ContentTranslateDriver,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),translate::LanguageDetectionDetails,bool,0,1>(translate::ContentTranslateDriver *,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),base::Tuple<translate::LanguageDetectionDetails,bool> const &,base::IndexSequence<0,1>)
0x64d6a63f	(chrome.dll -tuple.h:261 )	base::DispatchToMethod<translate::ContentTranslateDriver,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),translate::LanguageDetectionDetails,bool>(translate::ContentTranslateDriver *,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool),base::Tuple<translate::LanguageDetectionDetails,bool> const &)
0x64d6a58e	(chrome.dll -translate_messages.h:61 )	ChromeViewHostMsg_TranslateLanguageDetermined::Dispatch<translate::ContentTranslateDriver,translate::ContentTranslateDriver,void,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool)>(IPC::Message const *,translate::ContentTranslateDriver *,translate::ContentTranslateDriver *,void *,void ( translate::ContentTranslateDriver::*)(translate::LanguageDetectionDetails const &,bool))
0x64d6af77	(chrome.dll -content_translate_driver.cc:221 )	translate::ContentTranslateDriver::OnMessageReceived(IPC::Message const &)
0x6458040f	(chrome.dll -web_contents_impl.cc:596 )	content::WebContentsImpl::OnMessageReceived(content::RenderViewHost *,content::RenderFrameHost *,IPC::Message const &)
0x64580d44	(chrome.dll -web_contents_impl.cc:577 )	content::WebContentsImpl::OnMessageReceived(content::RenderViewHost *,IPC::Message const &)
0x645a3103	(chrome.dll -render_view_host_impl.cc:898 )	content::RenderViewHostImpl::OnMessageReceived(IPC::Message const &)
0x6459641d	(chrome.dll -render_process_host_impl.cc:1568 )	content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const &)
0x641838ea	(chrome.dll -ipc_channel_proxy.cc:289 )	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x63b5b60f	(chrome.dll -bind_internal.h:346 )	base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ( BrowsingDataCookieHelper::*)(std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > const &)>,void ,base::internal::TypeList<BrowsingDataCookieHelper *,std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > > >,base::internal::TypeList<base::internal::UnwrapTraits<BrowsingDataCookieHelper *>,base::internal::UnwrapTraits<std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ( BrowsingDataCookieHelper::*)(std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > const &)>,base::internal::TypeList<BrowsingDataCookieHelper * const &,std::vector<net::CanonicalCookie,std::allocator<net::CanonicalCookie> > const &> >,void >::Run(base::internal::BindStateBase *)
0x633c6aa9	(chrome.dll -task_annotator.cc:49 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x6334e2f2	(chrome.dll -message_loop.cc:483 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x6334f5cd	(chrome.dll -message_loop.cc:603 )	base::MessageLoop::DoWork()
0x633c5396	(chrome.dll -message_pump_win.cc:185 )	base::MessagePumpForUI::DoRunLoop()
0x633c4ed9	(chrome.dll -message_pump_win.cc:57 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x6334dea3	(chrome.dll -message_loop.cc:446 )	base::MessageLoop::RunHandler()
0x633a98b5	(chrome.dll -run_loop.cc:56 )	base::RunLoop::Run()
0x63a7b498	(chrome.dll -chrome_browser_main.cc:1733 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x64622919	(chrome.dll -browser_main_loop.cc:882 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x645ddb15	(chrome.dll -browser_main.cc:26 )	content::BrowserMain(content::MainFunctionParams const &)
0x63be415f	(chrome.dll -content_main_runner.cc:367 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x63be40b3	(chrome.dll -content_main_runner.cc:792 )	content::ContentMainRunnerImpl::Run()
0x63be144a	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x63a3429d	(chrome.dll -chrome_main.cc:69 )	ChromeMain
0x00fe9d9d	(chrome.exe -client_util.cc:256 )	MainDllLoader::Launch(HINSTANCE__ *)
0x00fe90fe	(chrome.exe -chrome_exe_main_win.cc:158 )	wWinMain
0x0100da9a	(chrome.exe -crt0.c:251 )	__tmainCRTStartup
0x75097c04	(kernel32.dll + 0x00017c04 )	BaseThreadInitThunk
0x777aad1f	(ntdll.dll + 0x0005ad1f )	__RtlUserThreadStart
0x777aacea	(ntdll.dll + 0x0005acea )	_RtlUserThreadStart
 
Labels: -Pri-3 Hotlist-SyzyASAN OS-Windows Pri-2
Owner: brettw@chromium.org
Status: Assigned (was: Untriaged)
This appears to be a straightforward bug: the temporary string being returned by prefs->GetString is being parsed and iterated over via SplitStringPiece, but it goes out of scope and is destroyed after construction of the SplitStringPiece object, and prior to iteration.

The iteration then tries to generate StringPiece objects over the now invalid std::string.

This was introduced here:

https://chromium.googlesource.com/chromium/src.git/+/8be197d144c267c6a7c1b207a41267ac6c971712%5E%21/#F35
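The lifetime bug described in the comment above, reduced to a stand-alone example. This is added illustration, not Chromium code: `FakePrefService::GetString` stands in for `PrefService::GetString` (returns the value by value, so the caller gets a temporary) and the local `SplitStringPiece` stands in for `base::SplitStringPiece` (returns views into its input). The pref path and the value `"en-US,en,fr"` are constructed sample data. The example shows the call shape that dangles, the fixed shape that names the string so it outlives the iteration, and one compile-time guard (a deleted rvalue overload) that turns the buggy call shape into a build error rather than a use-after-free found later by ASan.

```cpp
// Added example (not Chromium code): why views over a temporary string dangle,
// and two ways to keep the bug from compiling or recurring.
#include <set>
#include <string>
#include <string_view>
#include <vector>

// Hypothetical stand-in for PrefService::GetString. Returning by value means the
// caller owns a temporary that is destroyed at the end of the full expression.
struct FakePrefService {
  std::string accept_languages = "en-US,en,fr";  // constructed sample value
  std::string GetString(const std::string& /*path*/) const { return accept_languages; }
};

// Hypothetical stand-in for base::SplitStringPiece: returns views INTO `input`.
// The returned views are valid only while the object behind `input` lives.
std::vector<std::string_view> SplitStringPiece(const std::string& input, char sep) {
  std::vector<std::string_view> out;
  std::string_view sv(input);
  size_t start = 0;
  while (true) {
    size_t pos = sv.find(sep, start);
    if (pos == std::string_view::npos) {
      out.push_back(sv.substr(start));
      break;
    }
    out.push_back(sv.substr(start, pos - start));
    start = pos + 1;
  }
  return out;
}

// Compile-time guard: deleting the rvalue overload rejects the dangerous call
// shape `SplitStringPiece(prefs.GetString(...), ',')` at build time, because a
// temporary can only bind to this overload.
std::vector<std::string_view> SplitStringPiece(std::string&&, char) = delete;

// BUGGY SHAPE (the one the report describes; shown only as a comment):
//   for (std::string_view lang : SplitStringPiece(prefs.GetString(path), ',')) ...
// Range-for lifetime-extends only the vector returned by SplitStringPiece, not
// the inner temporary from GetString, so that std::string is freed before the
// first iteration and every `lang` points into freed heap memory. With the
// deleted overload above, this line no longer compiles.

// FIXED SHAPE: give the string a name whose scope covers the whole iteration,
// and copy each token out of its view while the view is still valid.
std::set<std::string> InitAcceptLanguages(const FakePrefService& prefs) {
  const std::string accept_languages = prefs.GetString("intl.accept_languages");
  std::set<std::string> result;
  for (std::string_view lang : SplitStringPiece(accept_languages, ',')) {
    if (!lang.empty())  // skip empty tokens such as from "en,,fr"
      result.insert(std::string(lang));
  }
  return result;
}
```

Whether a real code base can afford the deleted rvalue overload depends on how often callers legitimately split an expiring string and consume the result within the same full expression; where it cannot, the pattern in `InitAcceptLanguages` (name the owner first) is the habit to enforce in review, and ASan builds remain the backstop that catches the cases review misses.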
Mergedinto: 516821
Status: Duplicate (was: Assigned)
Realized that this was from an old ASAN release, and that the crash has actually been fixed by 

https://chromium.googlesource.com/chromium/src/+/a1cc6e25362aabb6551b589519496e107a69306a
