Dr. Memory reports a use-after-free in RenderFrameHostManagerTest.CreateRenderViewAfterProcessKillAndClosedProxy
Issue description

See https://build.chromium.org/p/chromium.memory.fyi/builders/Windows%20Content%20Browser%20%28DrMemory%20full%29%20%282%29/builds/3460/steps/memory%20test%3A%20content_browsertests_9/logs/stdio:

Below is the report for drmemory wrapper PID=3952_28.
It was used while running the `RenderFrameHostManagerTest.CreateRenderViewAfterProcessKillAndClosedProxy` test.
...
22:14:53 drmemory_analyze.py [INFO] Found 2 error reports
22:14:53 drmemory_analyze.py [INFO] Report #1
### BEGIN MEMORY TOOL REPORT (error hash=#7CE00E21C711872C#)
UNADDRESSABLE ACCESS of freed memory: reading 0x036c23d0-0x036c23d4 4 byte(s)
# 0 content.dll!content::RenderFrameHostImpl::ResetSwapOutTimerForTesting [content\browser\frame_host\render_frame_host_impl.cc:1375]
# 1 content::RenderFrameHostManagerTest_CreateRenderViewAfterProcessKillAndClosedProxy_Test::RunTestOnMainThread [content\browser\frame_host\render_frame_host_manager_browsertest.cc:2393]
# 2 content::ContentBrowserTest::RunTestOnMainThreadLoop [content\public\test\content_browser_test.cc:134]
# 3 content::BrowserTestBase::ProxyRunTestOnMainThreadLoop [content\public\test\browser_test_base.cc:309]
# 4 content::ShellBrowserMainParts::PreMainMessageLoopRun [content\shell\browser\shell_browser_main_parts.cc:175]
# 5 content.dll!content::BrowserMainLoop::PreMainMessageLoopRun [content\browser\browser_main_loop.cc:928]
# 6 content.dll!base::internal::Invoker<>::Run [base\bind_internal.h:362]
# 7 content.dll!content::StartupTaskRunner::RunAllTasksNow [content\browser\startup_task_runner.cc:45]
# 8 content.dll!content::BrowserMainLoop::CreateStartupTasks [content\browser\browser_main_loop.cc:801]
# 9 content.dll!content::BrowserMainRunnerImpl::Initialize [content\browser\browser_main_runner.cc:139]
#10 ShellBrowserMain [content\shell\browser\shell_browser_main.cc:23]
#11 content::ShellMainDelegate::RunProcess [content\shell\app\shell_main_delegate.cc:285]
#12 content.dll!content::RunNamedProcessTypeMain [content\app\content_main_runner.cc:367]
#13 content.dll!content::ContentMainRunnerImpl::Run [content\app\content_main_runner.cc:741]
#14 content.dll!content::ContentMain [content\app\content_main.cc:19]
#15 content::BrowserTestBase::SetUp [content\public\test\browser_test_base.cc:282]
#16 content::ContentBrowserTest::SetUp [content\public\test\content_browser_test.cc:92]
#17 testing::internal::HandleExceptionsInMethodIfSupported<> [testing\gtest\src\gtest.cc:2458]
Note: @0:02:47.279 in thread 2628
Note: next higher malloc: 0x036c27b8-0x036c27f8
Note: prev lower malloc: 0x036c2068-0x036c227c
Note: 0x036c23d0-0x036c23d4 overlaps memory 0x036c22a0-0x036c24d8 that was freed here:
Note: # 0 replace_operator_delete_nothrow [d:\drmemory_package\common\alloc_replace.c:2974]
Note: # 1 content.dll!content::RenderFrameHostImpl::`vector deleting destructor'
Note: # 2 content.dll!content::RenderFrameHostManager::DeleteFromPendingList [content\browser\frame_host\render_frame_host_manager.cc:745]
Note: # 3 content.dll!content::RenderFrameHostImpl::OnSwappedOut [content\browser\frame_host\render_frame_host_impl.cc:1371]
Note: # 4 content.dll!base::internal::Invoker<>::Run [base\bind_internal.h:362]
Note: # 5 content.dll!content::TimeoutMonitor::CheckTimedOut [content\browser\renderer_host\input\timeout_monitor.cc:104]
Note: instruction: mov 0x00000130(%ecx) -> %ecx
The report came from the `RenderFrameHostManagerTest.CreateRenderViewAfterProcessKillAndClosedProxy` test.

Suppression (error hash=#7CE00E21C711872C#):
For more info on using suppressions see http://dev.chromium.org/developers/how-tos/using-drmemory#TOC-Suppressing-error-reports-from-the-
{
UNADDRESSABLE ACCESS
name=<insert_a_suppression_name_here>
content.dll!content::RenderFrameHostImpl::ResetSwapOutTimerForTesting
*!content::RenderFrameHostManagerTest_CreateRenderViewAfterProcessKillAndClosedProxy_Test::RunTestOnMainThread
*!content::ContentBrowserTest::RunTestOnMainThreadLoop
*!content::BrowserTestBase::ProxyRunTestOnMainThreadLoop
*!content::ShellBrowserMainParts::PreMainMessageLoopRun
content.dll!content::BrowserMainLoop::PreMainMessageLoopRun
content.dll!base::internal::Invoker<>::Run
content.dll!content::StartupTaskRunner::RunAllTasksNow
content.dll!content::BrowserMainLoop::CreateStartupTasks
content.dll!content::BrowserMainRunnerImpl::Initialize
*!ShellBrowserMain
*!content::ShellMainDelegate::RunProcess
content.dll!content::RunNamedProcessTypeMain
content.dll!content::ContentMainRunnerImpl::Run
content.dll!content::ContentMain
*!content::BrowserTestBase::SetUp
*!content::ContentBrowserTest::SetUp
*!testing::internal::HandleExceptionsInMethodIfSupported<>
}
### END MEMORY TOOL REPORT (error hash=#7CE00E21C711872C#)

22:14:53 drmemory_analyze.py [INFO] Report #2
### BEGIN MEMORY TOOL REPORT (error hash=#5712B4435A7E9246#)
UNADDRESSABLE ACCESS: reading 0x00000010-0x00000014 4 byte(s)
# 0 content.dll!content::TimeoutMonitor::IsRunning [content\browser\renderer_host\input\timeout_monitor.cc:108]
# 1 content.dll!content::TimeoutMonitor::Stop [content\browser\renderer_host\input\timeout_monitor.cc:47]
# 2 content::RenderFrameHostManagerTest_CreateRenderViewAfterProcessKillAndClosedProxy_Test::RunTestOnMainThread [content\browser\frame_host\render_frame_host_manager_browsertest.cc:2393]
# 3 content::ContentBrowserTest::RunTestOnMainThreadLoop [content\public\test\content_browser_test.cc:134]
# 4 content::BrowserTestBase::ProxyRunTestOnMainThreadLoop [content\public\test\browser_test_base.cc:309]
# 5 content::ShellBrowserMainParts::PreMainMessageLoopRun [content\shell\browser\shell_browser_main_parts.cc:175]
# 6 content.dll!content::BrowserMainLoop::PreMainMessageLoopRun [content\browser\browser_main_loop.cc:928]
# 7 content.dll!base::internal::Invoker<>::Run [base\bind_internal.h:362]
# 8 content.dll!content::StartupTaskRunner::RunAllTasksNow [content\browser\startup_task_runner.cc:45]
# 9 content.dll!content::BrowserMainLoop::CreateStartupTasks [content\browser\browser_main_loop.cc:801]
#10 content.dll!content::BrowserMainRunnerImpl::Initialize [content\browser\browser_main_runner.cc:139]
#11 ShellBrowserMain [content\shell\browser\shell_browser_main.cc:23]
#12 content::ShellMainDelegate::RunProcess [content\shell\app\shell_main_delegate.cc:285]
#13 content.dll!content::RunNamedProcessTypeMain [content\app\content_main_runner.cc:367]
#14 content.dll!content::ContentMainRunnerImpl::Run [content\app\content_main_runner.cc:741]
#15 content.dll!content::ContentMain [content\app\content_main.cc:19]
#16 content::BrowserTestBase::SetUp [content\public\test\browser_test_base.cc:282]
#17 content::ContentBrowserTest::SetUp [content\public\test\content_browser_test.cc:92]
#18 testing::internal::HandleExceptionsInMethodIfSupported<> [testing\gtest\src\gtest.cc:2458]
Note: @0:02:47.594 in thread 2628
Note: instruction: mov 0x10(%esi) -> %eax
The report came from the `RenderFrameHostManagerTest.CreateRenderViewAfterProcessKillAndClosedProxy` test.

Suppression (error hash=#5712B4435A7E9246#):
For more info on using suppressions see http://dev.chromium.org/developers/how-tos/using-drmemory#TOC-Suppressing-error-reports-from-the-
{
UNADDRESSABLE ACCESS
name=<insert_a_suppression_name_here>
content.dll!content::TimeoutMonitor::IsRunning
content.dll!content::TimeoutMonitor::Stop
*!content::RenderFrameHostManagerTest_CreateRenderViewAfterProcessKillAndClosedProxy_Test::RunTestOnMainThread
*!content::ContentBrowserTest::RunTestOnMainThreadLoop
*!content::BrowserTestBase::ProxyRunTestOnMainThreadLoop
*!content::ShellBrowserMainParts::PreMainMessageLoopRun
content.dll!content::BrowserMainLoop::PreMainMessageLoopRun
content.dll!base::internal::Invoker<>::Run
content.dll!content::StartupTaskRunner::RunAllTasksNow
content.dll!content::BrowserMainLoop::CreateStartupTasks
content.dll!content::BrowserMainRunnerImpl::Initialize
*!ShellBrowserMain
*!content::ShellMainDelegate::RunProcess
content.dll!content::RunNamedProcessTypeMain
content.dll!content::ContentMainRunnerImpl::Run
content.dll!content::ContentMain
*!content::BrowserTestBase::SetUp
*!content::ContentBrowserTest::SetUp
*!testing::internal::HandleExceptionsInMethodIfSupported<>
}
### END MEMORY TOOL REPORT (error hash=#5712B4435A7E9246#)

Charlie, this seems to be related to https://codereview.chromium.org/1835833002, can you please take a look?
Apr 6 2016
Yeah, looks like this can happen if the swap out timer times out before we disable it. I didn't think that would happen if we waited for commit rather than load stop, since the timer doesn't start until commit. I'm guessing the WaitForCommit can continue running tasks before returning, and thus we might allow the timer to expire. I suppose we can replace ResetSwapOutTimerForTesting with some other approach that disables that timer entirely for tests.
Apr 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ecf91fe4382775df7e1be7f237ca5a767d2e9df1

commit ecf91fe4382775df7e1be7f237ca5a767d2e9df1
Author: creis <creis@chromium.org>
Date: Mon Apr 11 18:49:04 2016

Fix flakiness when disabling swap out timer in tests.

The swap out timer could still fire in tests that were trying to reset it, so use another approach that disables the timer ahead of time.

BUG=600957,554825
TEST=Tests stay green.
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

Review URL: https://codereview.chromium.org/1874923002

Cr-Commit-Position: refs/heads/master@{#386429}

[modify] https://crrev.com/ecf91fe4382775df7e1be7f237ca5a767d2e9df1/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/ecf91fe4382775df7e1be7f237ca5a767d2e9df1/content/browser/frame_host/render_frame_host_impl.h
[modify] https://crrev.com/ecf91fe4382775df7e1be7f237ca5a767d2e9df1/content/browser/frame_host/render_frame_host_manager_browsertest.cc
[modify] https://crrev.com/ecf91fe4382775df7e1be7f237ca5a767d2e9df1/content/browser/site_per_process_browsertest.cc
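Added illustration, not Chromium code and not part of this bug's comments or of the commit above: a small C++ model of the race described in the Apr 6 comment and addressed by the commit. The swap-out timer is armed at commit and, when it fires, deletes the frame host from the pending list (the freeing stack in the report: TimeoutMonitor::CheckTimedOut -> OnSwappedOut -> DeleteFromPendingList). A test that spins the message loop while waiting for commit and only afterwards calls ResetSwapOutTimerForTesting can therefore touch a freed object, whereas disabling the timer before commit leaves nothing to fire. MessageLoop, Manager, FrameHost and the two scenario functions are assumed stand-ins for the real classes; std::weak_ptr stands in for base::WeakPtr so that the model reports the hazard instead of performing the freed read.

```cpp
// Added example, not Chromium code. MessageLoop, Manager and FrameHost are
// assumed stand-ins for the browser message loop, RenderFrameHostManager and
// RenderFrameHostImpl; std::weak_ptr stands in for base::WeakPtr.
#include <cstdio>
#include <deque>
#include <functional>
#include <memory>
#include <vector>

using Task = std::function<void()>;

// Single-threaded task queue. WaitForCommit in the test spins this loop,
// which is what gives the swap-out timeout task a chance to run.
struct MessageLoop {
  std::deque<Task> tasks;
  void Post(Task t) { tasks.push_back(std::move(t)); }
  void RunUntilIdle() {
    while (!tasks.empty()) {
      Task t = std::move(tasks.front());
      tasks.pop_front();
      t();
    }
  }
};

struct FrameHost;

// Owns the pending frame hosts, like RenderFrameHostManager's pending list.
struct Manager {
  MessageLoop* loop;
  std::vector<std::shared_ptr<FrameHost>> pending;
  std::weak_ptr<FrameHost> CreatePending();
  void DeleteFromPendingList(FrameHost* rfh);
};

struct FrameHost : std::enable_shared_from_this<FrameHost> {
  Manager* manager;
  bool timer_disabled = false;
  bool timer_reset = false;
  explicit FrameHost(Manager* m) : manager(m) {}

  // The approach taken by the fix: decide before commit that the timer must
  // never start, so nothing is left that could fire later.
  void DisableSwapOutTimerForTesting() { timer_disabled = true; }

  // The swap-out timer is armed at commit. The task holds only a weak
  // pointer, as a timer owned by the host would: it is a no-op if the host
  // has already gone away.
  void OnCommit() {
    if (timer_disabled) return;
    std::weak_ptr<FrameHost> self = shared_from_this();
    manager->loop->Post([self] {
      if (std::shared_ptr<FrameHost> rfh = self.lock()) rfh->OnSwappedOut();
    });
  }

  // Timeout path from the report: CheckTimedOut -> OnSwappedOut ->
  // DeleteFromPendingList, which frees this object.
  void OnSwappedOut() { manager->DeleteFromPendingList(this); }

  // The pre-fix approach: stop the timer after the fact. Only sound while
  // the host is still alive, which the waiting test cannot guarantee.
  void ResetSwapOutTimerForTesting() { timer_reset = true; }
};

std::weak_ptr<FrameHost> Manager::CreatePending() {
  pending.push_back(std::make_shared<FrameHost>(this));
  return pending.back();
}

// Erasing the entry drops the last owner, so the host is destroyed here,
// matching DeleteFromPendingList in the freeing stack of the report.
void Manager::DeleteFromPendingList(FrameHost* rfh) {
  for (auto it = pending.begin(); it != pending.end(); ++it) {
    if (it->get() == rfh) {
      pending.erase(it);
      return;
    }
  }
}

// The flaky sequence: commit, wait for commit (spins the loop), then reset.
// Here the timeout task always runs during the spin; in Chromium it runs only
// once its delay has elapsed, which is why the failure was intermittent.
// Returns true if the host is still alive when the test goes to reset it.
bool ResetAfterWaitIsSafe() {
  MessageLoop loop;
  Manager mgr{&loop};
  std::weak_ptr<FrameHost> rfh = mgr.CreatePending();
  rfh.lock()->OnCommit();    // navigation commits: timer armed
  loop.RunUntilIdle();       // WaitForCommit: timeout fires, host is deleted
  std::shared_ptr<FrameHost> alive = rfh.lock();
  if (!alive) return false;  // the real test would now read freed memory
  alive->ResetSwapOutTimerForTesting();
  return true;
}

// The fixed sequence: disable the timer before commit, then wait as before.
bool DisableBeforeCommitIsSafe() {
  MessageLoop loop;
  Manager mgr{&loop};
  std::weak_ptr<FrameHost> rfh = mgr.CreatePending();
  rfh.lock()->DisableSwapOutTimerForTesting();
  rfh.lock()->OnCommit();    // timer never armed
  loop.RunUntilIdle();
  return rfh.lock() != nullptr && mgr.pending.size() == 1;
}

int main() {
  std::printf("reset after wait: %s\n",
              ResetAfterWaitIsSafe() ? "safe" : "use-after-free");
  std::printf("disable before commit: %s\n",
              DisableBeforeCommitIsSafe() ? "safe" : "use-after-free");
  return 0;
}
```

The two scenario functions differ only in the order of operations, which is the whole point of the commit: a reset that runs after the loop has been spun is racing the timeout, while a disable that runs before commit is ordered ahead of it by construction. A memory tool such as Dr. Memory flags the first ordering only on runs where the timeout wins the race, which matches the flaky failure in the report.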
Apr 11 2016
Hopefully this is fixed now.
Comment 1 by bugdroid1@chromium.org, Apr 6 2016