
Issue 603740

Issue metadata

Status: Archived
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Regression

Chrome_ASAN: Crash Report - apps::AppLifetimeMonitorFactory::GetBrowserContextToUse

Project Member Reported by manoranj...@chromium.org, Apr 14 2016

Issue description

This crash, go/crash/c260f1a200000000, has been found by the latest SyzyASAN Canary (52.0.2708.1).

Bad access information:

Error Type: heap-use-after-free
Location: 0x2307c3fb
Access Mode: read
Access Size: 4
User Size: 36

Magic Stack:
=============
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x5b27c433 ] MAGIC SIGNATURE THREAD
0x5b27c433	(chrome.dll -app_lifetime_monitor_factory.cc:45 )	apps::AppLifetimeMonitorFactory::GetBrowserContextToUse(content::BrowserContext *)
0x5a6bdafe	(chrome.dll -keyed_service_factory.cc:65 )	KeyedServiceFactory::GetServiceForContext(base::SupportsUserData *,bool)
0x5af49f28	(chrome.dll -extension_prefs_factory.cc:24 )	extensions::ExtensionPrefsFactory::GetForBrowserContext(content::BrowserContext *)
0x5b0e611b	(chrome.dll -toolbar_actions_model_factory.cc:43 )	ToolbarActionsModelFactory::BuildServiceInstanceFor(content::BrowserContext *)
0x5affa727	(chrome.dll -browser_context_keyed_service_factory.cc:93 )	BrowserContextKeyedServiceFactory::BuildServiceInstanceFor(base::SupportsUserData *)
0x5a6bdc0a	(chrome.dll -keyed_service_factory.cc:91 )	KeyedServiceFactory::GetServiceForContext(base::SupportsUserData *,bool)
0x5b0e6155	(chrome.dll -toolbar_actions_model_factory.cc:20 )	ToolbarActionsModelFactory::GetForProfile(Profile *)
0x5bbc2ac9	(chrome.dll -extension_message_bubble_controller.cc:111 )	extensions::ExtensionMessageBubbleController::~ExtensionMessageBubbleController()
0x5bbc2b2f	(chrome.dll + 0x027c2b2f )	extensions::ExtensionMessageBubbleController::`scalar deleting destructor'(unsigned int)
0x5ba3bdf8	(chrome.dll -extension_message_bubble_bridge.cc:15 )	ExtensionMessageBubbleBridge::~ExtensionMessageBubbleBridge()
0x5ba3be15	(chrome.dll + 0x0263be15 )	ExtensionMessageBubbleBridge::`scalar deleting destructor'(unsigned int)
0x5b3c82cb	(chrome.dll + 0x01fc82cb )	std::tuple<base::WeakPtr<safe_browsing::IncidentReportingService>,base::internal::PassedWrapper<std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> > > >::~tuple<base::WeakPtr<safe_browsing::IncidentReportingService>,base::internal::PassedWrapper<std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> > > >()
0x5bc9c21e	(chrome.dll -bind_internal.h:451 )	base::internal::BindState<base::internal::RunnableAdapter<void ( sync_file_system::drive_backend::RemoteToLocalSyncer::*)(std::unique_ptr<sync_file_system::drive_backend::SyncTaskToken,std::default_delete<sync_file_system::drive_backend::SyncTaskToken> >,google_apis::DriveApiErrorCode,std::unique_ptr<google_apis::FileResource,std::default_delete<google_apis::FileResource> >)>,void ,base::WeakPtr<sync_file_system::drive_backend::RemoteToLocalSyncer>,base::internal::PassedWrapper<std::unique_ptr<sync_file_system::drive_backend::SyncTaskToken,std::default_delete<sync_file_system::drive_backend::SyncTaskToken> > > >::Destroy(base::internal::BindStateBase *)
0x5945fc39	(chrome.dll -message_loop.cc:529 )	base::MessageLoop::DeletePendingTasks()
0x5945d9d5	(chrome.dll -message_loop.cc:161 )	base::MessageLoop::~MessageLoop()
0x5945d7ad	(chrome.dll + 0x0005d7ad )	base::MessageLoop::`scalar deleting destructor'(unsigned int)
0x5a9fc901	(chrome.dll -browser_main_loop.cc:430 )	content::BrowserMainLoop::~BrowserMainLoop()
0x5a9fca66	(chrome.dll + 0x015fca66 )	content::BrowserMainLoop::`scalar deleting destructor'(unsigned int)
0x5a9fbf01	(chrome.dll -browser_main_runner.cc:223 )	content::BrowserMainRunnerImpl::Shutdown()
0x5a99cb67	(chrome.dll -browser_main.cc:48 )	content::BrowserMain(content::MainFunctionParams const &)
0x5a2b371c	(chrome.dll -content_main_runner.cc:381 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x5a2b3670	(chrome.dll -content_main_runner.cc:742 )	content::ContentMainRunnerImpl::Run()
0x5a2b0884	(chrome.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x5a0f3480	(chrome.dll -chrome_main.cc:84 )	ChromeMain
0x0041f995	(chrome.exe -main_dll_loader_win.cc:183 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0041ed8c	(chrome.exe -chrome_exe_main_win.cc:268 )	wWinMain
0x0044d741	(chrome.exe -exe_common.inl:255 )	__scrt_common_main_seh
0x757b7c03	(kernel32.dll + 0x00017c03 )	BaseThreadInitThunk
0x76f8ab8e	(ntdll.dll + 0x0005ab8e )	__RtlUserThreadStart
0x76f8ab59	(ntdll.dll + 0x0005ab59 )	_RtlUserThreadStart

ASAN Free Stack trace:
=======================
0x6c67a04a	(syzyasan_rtl.dll -block_heap_manager.cc:299 )	agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x6c67d87d	(syzyasan_rtl.dll -rtl_impl.cc:123 )	asan_HeapFree
0x5b2c129f	(chrome.dll -free_base.cpp:107 )	_free_base
0x5b071dcd	(chrome.dll + 0x01c71dcd )	extensions::ChromeExtensionsBrowserClient::`scalar deleting destructor'(unsigned int)
0x5a1e444b	(chrome.dll -browser_process_impl.cc:257 )	BrowserProcessImpl::~BrowserProcessImpl()
0x5a165a0a	(chrome.dll -browser_shutdown.cc:199 )	browser_shutdown::ShutdownPostThreadsStop(bool)
0x5a13a530	(chrome.dll -chrome_browser_main.cc:1933 )	ChromeBrowserMainParts::PostDestroyThreads()
0x5aa0073f	(chrome.dll -browser_main_loop.cc:1150 )	content::BrowserMainLoop::ShutdownThreadsAndCleanUp()
0x5a9fbeb4	(chrome.dll -browser_main_runner.cc:212 )	content::BrowserMainRunnerImpl::Shutdown()
0x5a99cb68	(chrome.dll -browser_main.cc:50 )	content::BrowserMain(content::MainFunctionParams const &)
0x5a2b371d	(chrome.dll -content_main_runner.cc:381 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x5a2b3671	(chrome.dll -content_main_runner.cc:742 )	content::ContentMainRunnerImpl::Run()
0x5a2b0885	(chrome.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x5a0f3481	(chrome.dll -chrome_main.cc:87 )	ChromeMain
0x0041f996	(chrome.exe -main_dll_loader_win.cc:184 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0041ed8d	(chrome.exe -chrome_exe_main_win.cc:269 )	wWinMain
0x0044d742	(chrome.exe -exe_common.inl:255 )	__scrt_common_main_seh
0x757b7c04	(kernel32.dll + 0x00017c04 )	BaseThreadInitThunk
0x76f8ab8f	(ntdll.dll + 0x0005ab8f )	__RtlUserThreadStart
0x76f8ab5a	(ntdll.dll + 0x0005ab5a )	_RtlUserThreadStart

ASAN Allocation Stack Trace:
=============================
0x6c679d4e	(syzyasan_rtl.dll -block_heap_manager.cc:195 )	agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x6c67d7d3	(syzyasan_rtl.dll -rtl_impl.cc:102 )	asan_HeapAlloc
0x5b2c12ff	(chrome.dll -malloc_base.cpp:29 )	_malloc_base
0x5b29492d	(chrome.dll -new_scalar.cpp:19 )	operator new(unsigned int)
0x5a1e3e20	(chrome.dll -browser_process_impl.cc:234 )	BrowserProcessImpl::BrowserProcessImpl(base::SequencedTaskRunner *,base::CommandLine const &)
0x5a13b0b9	(chrome.dll -chrome_browser_main.cc:932 )	ChromeBrowserMainParts::PreCreateThreadsImpl()
0x5a13ad75	(chrome.dll -chrome_browser_main.cc:874 )	ChromeBrowserMainParts::PreCreateThreads()
0x5a1065fe	(chrome.dll -chrome_browser_main_win.cc:296 )	ChromeBrowserMainPartsWin::PreCreateThreads()
0x5a9ff424	(chrome.dll -browser_main_loop.cc:701 )	content::BrowserMainLoop::PreCreateThreads()
0x5ab3321d	(chrome.dll -startup_task_runner.cc:45 )	content::StartupTaskRunner::RunAllTasksNow()
0x5a9fd6e9	(chrome.dll -browser_main_loop.cc:807 )	content::BrowserMainLoop::CreateStartupTasks()
0x5a9fba8c	(chrome.dll -browser_main_runner.cc:140 )	content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const &)
0x5a99cb2a	(chrome.dll -browser_main.cc:42 )	content::BrowserMain(content::MainFunctionParams const &)
0x5a2b371d	(chrome.dll -content_main_runner.cc:381 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x5a2b3671	(chrome.dll -content_main_runner.cc:742 )	content::ContentMainRunnerImpl::Run()
0x5a2b0885	(chrome.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x5a0f3481	(chrome.dll -chrome_main.cc:87 )	ChromeMain
0x0041f996	(chrome.exe -main_dll_loader_win.cc:184 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0041ed8d	(chrome.exe -chrome_exe_main_win.cc:269 )	wWinMain
0x0044d742	(chrome.exe -exe_common.inl:255 )	__scrt_common_main_seh
0x757b7c04	(kernel32.dll + 0x00017c04 )	BaseThreadInitThunk
0x76f8ab8f	(ntdll.dll + 0x0005ab8f )	__RtlUserThreadStart
0x76f8ab5a	(ntdll.dll + 0x0005ab5a )	_RtlUserThreadStart

You can see the list of ASAN builds having this issue here:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20special_protos.asan_report.is_actionable%3D1%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27apps%3A%3AAppLifetimeMonitorFactory%3A%3AGetBrowserContextToUse%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

Unable to find the culprit from this CL: https://chromium.googlesource.com/chromium/src/+log/52.0.2707.0..52.0.2708.0?pretty=fuller&n=10000

Hence, looping https://chromium.googlesource.com/chromium/src/+/master/apps/OWNERS for further triaging.

Thank you!

Comment 1 by mek@chromium.org, Apr 14 2016

Components: -Platform>Apps Platform>Extensions
Owner: rdevlin....@chromium.org
https://chromium.googlesource.com/chromium/src/+/5251920ddf61989a550ba9e49c8d1663a824a81f seems to be the most likely culprit since that CL added the code that is crashing.

Project Member Comment 2 by sheriffbot@chromium.org, Jun 1 2016

Labels: -M-52 M-53 MovedFrom-52
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 3 by sheriffbot@chromium.org, Jul 13 2016

Labels: -M-53 -Pri-1 M-54 MovedFrom-53 Pri-2
This issue is Pri-1 but has already been moved once. Lowering the priority and moving to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Archived (was: Assigned)
Seems like no recent reports according to the link.