Double free of CallbackList<void()>::Subscription |
Issue description: This is occurring on the 51.0.2693.1 Windows canary_asan build. Crash available here: http://crash/a1d1c20c00000000 Thread 14 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x69c69f8d ] MAGIC SIGNATURE THREAD 0x69c69f8d (syzyasan_rtl.dll -block_heap_manager.cc:275 ) agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *) 0x69c6d11c (syzyasan_rtl.dll -rtl_impl.cc:123 ) asan_HeapFree 0x5b692b7e (chrome.dll -free_base.cpp:107 ) _free_base 0x5b517905 (chrome.dll -memory:1195 ) std::default_delete<base::internal::CallbackListBase<base::Callback<void ,1> >::Subscription>::operator()(base::internal::CallbackListBase<base::Callback<void ,1> >::Subscription *) 0x5a3fc08e (chrome.dll -prerender_message_filter.cc:58 ) prerender::PrerenderMessageFilter::~PrerenderMessageFilter() 0x5a3fc0a1 (chrome.dll + 0x00d2c0a1 ) prerender::PrerenderMessageFilter::`scalar deleting destructor'(unsigned int) 0x5973a4b7 (chrome.dll -trace_log.cc:307 ) base::trace_event::TraceLog::ThreadLocalEventBuffer::WillDestroyCurrentMessageLoop() 0x5ad374a4 (chrome.dll -browser_message_filter.cc:35 ) content::BrowserMessageFilter::Internal::~Internal() 0x5ad374d7 (chrome.dll + 0x016674d7 ) content::BrowserMessageFilter::Internal::`scalar deleting destructor'(unsigned int) 0x5ad60310 (chrome.dll -ref_counted.h:184 ) base::RefCountedThreadSafe<content::TracingController::TraceDataSink,base::DefaultRefCountedThreadSafeTraits<content::TracingController::TraceDataSink> >::Release() 0x5a6726da (chrome.dll + 0x00fa26da ) scoped_refptr<IPC::MessageFilter>::`scalar deleting destructor'(unsigned int) 0x5a67230c (chrome.dll -xmemory0:186 ) std::_Destroy_range<std::_Wrap_alloc<std::allocator<scoped_refptr<IPC::MessageFilter> > > >(scoped_refptr<IPC::MessageFilter> *,scoped_refptr<IPC::MessageFilter> *,std::_Wrap_alloc<std::allocator<scoped_refptr<IPC::MessageFilter> > > &) 0x5a6736a1 (chrome.dll -vector:1541 ) 
std::vector<scoped_refptr<IPC::MessageFilter>,std::allocator<scoped_refptr<IPC::MessageFilter> > >::clear() 0x5a672ef9 (chrome.dll -ipc_channel_proxy.cc:171 ) IPC::ChannelProxy::Context::OnChannelClosed() 0x597aa640 (chrome.dll -task_annotator.cc:51 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &) 0x5972f8bc (chrome.dll -message_loop.cc:476 ) base::MessageLoop::RunTask(base::PendingTask const &) 0x597309f6 (chrome.dll -message_loop.cc:597 ) base::MessageLoop::DoWork() 0x597ab92c (chrome.dll -message_pump_win.cc:485 ) base::MessagePumpForIO::DoRunLoop() 0x597aa7d7 (chrome.dll -message_pump_win.cc:50 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *) 0x59790c37 (chrome.dll -run_loop.cc:35 ) base::RunLoop::Run() 0x59759950 (chrome.dll -thread.cc:202 ) base::Thread::Run(base::MessageLoop *) 0x5ad0a124 (chrome.dll -browser_thread_impl.cc:215 ) content::BrowserThreadImpl::IOThreadRun(base::MessageLoop *) 0x5ad0a7cb (chrome.dll -browser_thread_impl.cc:251 ) content::BrowserThreadImpl::Run(base::MessageLoop *) 0x59759c5b (chrome.dll -thread.cc:254 ) base::Thread::ThreadMain() 0x59772837 (chrome.dll -platform_thread_win.cc:84 ) base::`anonymous namespace'::ThreadFunc 0x752f38f3 (kernel32.dll + 0x000138f3 ) BaseThreadInitThunk 0x77765de2 (ntdll.dll + 0x00065de2 ) __RtlUserThreadStart 0x77765dad (ntdll.dll + 0x00065dad ) _RtlUserThreadStart ASAN Free Stack Trace 0x69c69e4a (syzyasan_rtl.dll -block_heap_manager.cc:294 ) agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *) 0x69c6d11d (syzyasan_rtl.dll -rtl_impl.cc:123 ) asan_HeapFree 0x5b692b7f (chrome.dll -free_base.cpp:107 ) _free_base 0x5b517906 (chrome.dll -memory:1195 ) std::default_delete<base::internal::CallbackListBase<base::Callback<void ,1> >::Subscription>::operator()(base::internal::CallbackListBase<base::Callback<void ,1> >::Subscription *) 0x5a3fc41c (chrome.dll -prerender_message_filter.cc:128 ) prerender::PrerenderMessageFilter::ShutdownOnUIThread() 
0x5aa16ce8 (chrome.dll -keyed_service_factory.cc:116 ) KeyedServiceFactory::ContextShutdown(base::SupportsUserData *) 0x5aa172ef (chrome.dll -dependency_manager.cc:89 ) DependencyManager::DestroyContextServices(base::SupportsUserData *) 0x5a41540c (chrome.dll -profile_impl.cc:691 ) ProfileImpl::~ProfileImpl() 0x5a3e2676 (chrome.dll -profile_destroyer.cc:70 ) ProfileDestroyer::DestroyProfileWhenAppropriate(Profile * const) 0x5a3b7b7b (chrome.dll -profile_manager.cc:1494 ) ProfileManager::ProfileInfo::~ProfileInfo() 0x5a3bc4c6 (chrome.dll -xtree:2069 ) std::_Tree<std::_Tmap_traits<base::FilePath,linked_ptr<ProfileManager::ProfileInfo>,std::less<base::FilePath>,std::allocator<std::pair<base::FilePath const ,linked_ptr<ProfileManager::ProfileInfo> > >,0> >::_Erase(std::_Tree_node<std::pair<base::FilePath const ,linked_ptr<ProfileManager::ProfileInfo> >,void *> *) 0x5a3bc50d (chrome.dll -xtree:1478 ) std::_Tree<std::_Tmap_traits<base::FilePath,linked_ptr<ProfileManager::ProfileInfo>,std::less<base::FilePath>,std::allocator<std::pair<base::FilePath const ,linked_ptr<ProfileManager::ProfileInfo> > >,0> >::clear() 0x5a3b7aff (chrome.dll -xtree:1128 ) std::_Tree<std::_Tmap_traits<base::FilePath,linked_ptr<ProfileManager::ProfileInfo>,std::less<base::FilePath>,std::allocator<std::pair<base::FilePath const ,linked_ptr<ProfileManager::ProfileInfo> > >,0> >::~_Tree<std::_Tmap_traits<base::FilePath,linked_ptr<ProfileManager::ProfileInfo>,std::less<base::FilePath>,std::allocator<std::pair<base::FilePath const ,linked_ptr<ProfileManager::ProfileInfo> > >,0> >() 0x5a3b7c18 (chrome.dll -profile_manager.cc:322 ) ProfileManager::~ProfileManager() 0x5a441bc1 (chrome.dll -browser_process_impl.cc:305 ) BrowserProcessImpl::StartTearDown() 0x5a40ef5c (chrome.dll -chrome_browser_main.cc:1909 ) ChromeBrowserMainParts::PostMainMessageLoopRun() 0x5add746c (chrome.dll -browser_main_loop.cc:974 ) content::BrowserMainLoop::ShutdownThreadsAndCleanUp() 0x5add3913 (chrome.dll 
-browser_main_runner.cc:208 ) content::BrowserMainRunnerImpl::Shutdown() 0x5ad7b36d (chrome.dll -browser_main.cc:48 ) content::BrowserMain(content::MainFunctionParams const &) 0x5a591b35 (chrome.dll -content_main_runner.cc:393 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *) 0x5a591a89 (chrome.dll -content_main_runner.cc:754 ) content::ContentMainRunnerImpl::Run() 0x5a58ec7b (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &) 0x5a38bdeb (chrome.dll -chrome_main.cc:87 ) ChromeMain 0x0105f13e (chrome.exe -main_dll_loader_win.cc:184 ) MainDllLoader::Launch(HINSTANCE__ *) 0x0105e4ca (chrome.exe -chrome_exe_main_win.cc:231 ) wWinMain 0x0108d37d (chrome.exe -exe_common.inl:264 ) __scrt_common_main_seh 0x752f38f4 (kernel32.dll + 0x000138f4 ) BaseThreadInitThunk 0x77765de3 (ntdll.dll + 0x00065de3 ) __RtlUserThreadStart 0x77765dae (ntdll.dll + 0x00065dae ) _RtlUserThreadStart ASAN Allocation Stack Trace 0x69c69b4e (syzyasan_rtl.dll -block_heap_manager.cc:190 ) agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int) 0x69c6d073 (syzyasan_rtl.dll -rtl_impl.cc:102 ) asan_HeapAlloc 0x5b692bdf (chrome.dll -malloc_base.cpp:29 ) _malloc_base 0x5b665a1f (chrome.dll -new_scalar.cpp:19 ) operator new(unsigned int) 0x5b61b1a2 (chrome.dll -callback_list.h:108 ) base::internal::CallbackListBase<base::Callback<void ,1> >::Add(base::Callback<void ,1> const &) 0x5aa170dd (chrome.dll -keyed_service_shutdown_notifier.cc:15 ) KeyedServiceShutdownNotifier::Subscribe(base::Callback<void ,1> const &) 0x5a3fc02c (chrome.dll -prerender_message_filter.cc:51 ) prerender::PrerenderMessageFilter::PrerenderMessageFilter(int,Profile *) 0x5a398652 (chrome.dll -chrome_content_browser_client.cc:944 ) ChromeContentBrowserClient::RenderProcessWillLaunch(content::RenderProcessHost *) 0x5ad30e4e (chrome.dll 
-render_process_host_impl.cc:743 ) content::RenderProcessHostImpl::Init() 0x5ad88b6e (chrome.dll -render_frame_host_manager.cc:1747 ) content::RenderFrameHostManager::InitRenderView(content::RenderViewHostImpl *,content::RenderFrameProxyHost *) 0x5ad891d5 (chrome.dll -render_frame_host_manager.cc:245 ) content::RenderFrameHostManager::Navigate(GURL const &,content::FrameNavigationEntry const &,content::NavigationEntryImpl const &) 0x5adb0e5e (chrome.dll -navigator_impl.cc:338 ) content::NavigatorImpl::NavigateToEntry(content::FrameTreeNode *,content::FrameNavigationEntry const &,content::NavigationEntryImpl const &,content::NavigationController::ReloadType,bool,bool) 0x5adb11df (chrome.dll -navigator_impl.cc:424 ) content::NavigatorImpl::NavigateToPendingEntry(content::FrameTreeNode *,content::FrameNavigationEntry const &,content::NavigationController::ReloadType,bool) 0x5ad7e34a (chrome.dll -navigation_controller_impl.cc:1837 ) content::NavigationControllerImpl::NavigateToPendingEntryInternal(content::NavigationController::ReloadType) 0x5ad7e20f (chrome.dll -navigation_controller_impl.cc:1815 ) content::NavigationControllerImpl::NavigateToPendingEntry(content::NavigationController::ReloadType) 0x5ad7d7f2 (chrome.dll -navigation_controller_impl.cc:462 ) content::NavigationControllerImpl::LoadEntry(std::unique_ptr<content::NavigationEntryImpl,std::default_delete<content::NavigationEntryImpl> >) 0x5ad7df51 (chrome.dll -navigation_controller_impl.cc:830 ) content::NavigationControllerImpl::LoadURLWithParams(content::NavigationController::LoadURLParams const &) 0x5ad7d8fa (chrome.dll -navigation_controller_impl.cc:697 ) content::NavigationControllerImpl::LoadURL(GURL const &,content::Referrer const &,ui::PageTransition,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &) 0x5b2a719d (chrome.dll -extension_host.cc:234 ) extensions::ExtensionHost::LoadInitialURL() 0x5b2a6af1 (chrome.dll -extension_host.cc:160 ) 
extensions::ExtensionHost::CreateRenderViewNow() 0x5bd850df (chrome.dll -serial_extension_host_queue.cc:78 ) extensions::SerialExtensionHostQueue::ProcessOneHost() 0x5b155458 (chrome.dll -bind_internal.h:324 ) base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( gcm::GCMChannelStatusSyncer::*)(void)> >::MakeItSo<base::WeakPtr<gcm::GCMChannelStatusSyncer> >(base::internal::RunnableAdapter<void ( gcm::GCMChannelStatusSyncer::*)(void)>,base::WeakPtr<gcm::GCMChannelStatusSyncer>) 0x5b155be1 (chrome.dll -bind_internal.h:362 ) base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void ( gcm::GCMChannelStatusSyncer::*)(void)>,void ,base::WeakPtr<gcm::GCMChannelStatusSyncer> >,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( gcm::GCMChannelStatusSyncer::*)(void)> >,void >::Run(base::internal::BindStateBase *) 0x597aa641 (chrome.dll -task_annotator.cc:51 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &) 0x5972f8bd (chrome.dll -message_loop.cc:477 ) base::MessageLoop::RunTask(base::PendingTask const &) 0x597309f7 (chrome.dll -message_loop.cc:598 ) base::MessageLoop::DoWork() 0x597aac87 (chrome.dll -message_pump_win.cc:169 ) base::MessagePumpForUI::DoRunLoop() 0x597aa7d8 (chrome.dll -message_pump_win.cc:52 ) base::MessagePumpWin::Run(base::MessagePump::Delegate *) 0x59790c38 (chrome.dll -run_loop.cc:36 ) base::RunLoop::Run() 0x5a40e8fc (chrome.dll -chrome_browser_main.cc:1859 ) ChromeBrowserMainParts::MainMessageLoopRun(int *) 0x5add7270 (chrome.dll -browser_main_loop.cc:943 ) content::BrowserMainLoop::RunMainMessageLoopParts() 0x5ad7b350 (chrome.dll -browser_main.cc:44 ) content::BrowserMain(content::MainFunctionParams const &) 0x5a591b35 (chrome.dll -content_main_runner.cc:393 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const 
&,content::ContentMainDelegate *) 0x5a591a89 (chrome.dll -content_main_runner.cc:754 ) content::ContentMainRunnerImpl::Run() 0x5a58ec7b (chrome.dll -content_main.cc:19 ) content::ContentMain(content::ContentMainParams const &) 0x5a38bdeb (chrome.dll -chrome_main.cc:87 ) ChromeMain 0x0105f13e (chrome.exe -main_dll_loader_win.cc:184 ) MainDllLoader::Launch(HINSTANCE__ *) 0x0105e4ca (chrome.exe -chrome_exe_main_win.cc:231 ) wWinMain 0x0108d37d (chrome.exe -exe_common.inl:264 ) __scrt_common_main_seh 0x752f38f4 (kernel32.dll + 0x000138f4 ) BaseThreadInitThunk 0x77765de3 (ntdll.dll + 0x00065de3 ) __RtlUserThreadStart 0x77765dae (ntdll.dll + 0x00065dae ) _RtlUserThreadStart
Apr 4 2016
Oops. Yeah, that subscription (and therefore the whole message filter) should only be destroyed on the UI thread.
Apr 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a2b155292067c0b71c49c6d355c6b13374629890 commit a2b155292067c0b71c49c6d355c6b13374629890 Author: bauerb <bauerb@chromium.org> Date: Wed Apr 06 14:29:47 2016 Destroy PrerenderMessageFilter on the UI thread. PrerenderMessageFilter contains a subscription to a KeyedServiceShutdownNotifier, which needs to be destroyed on the UI thread. BUG= 600368 Review URL: https://codereview.chromium.org/1858663002 Cr-Commit-Position: refs/heads/master@{#385458} [modify] https://crrev.com/a2b155292067c0b71c49c6d355c6b13374629890/chrome/browser/prerender/prerender_message_filter.cc [modify] https://crrev.com/a2b155292067c0b71c49c6d355c6b13374629890/chrome/browser/prerender/prerender_message_filter.h
Apr 11 2017
Comment 1 by chrisha@chromium.org
, Apr 4 2016
Owner: bauerb@chromium.org
Status: Assigned (was: Untriaged)