This crash, go/crash/f7f2facc00000000, was found by SyzyASAN Canary (51.0.2693.1).
Bad access information:
Error Type: heap-use-after-free
Location: 0x080ac0ff
Access Mode: read
Access Size: 4
User Size: 56
Magic Stack:
=============
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x57fe7a39 ] MAGIC SIGNATURE THREAD
0x57fe7a39 (chrome.dll -image_skia.cc:238 ) gfx::internal::ImageSkiaStorage::FindRepresentation(float,bool)
0x57fe75a0 (chrome.dll -image_skia.cc:141 ) gfx::internal::ImageSkiaStorage::ImageSkiaStorage(gfx::ImageSkiaSource *,float)
0x57fe7419 (chrome.dll -image_skia.cc:289 ) gfx::ImageSkia::ImageSkia(gfx::ImageSkiaSource *,float)
0x57fd2424 (chrome.dll -resource_bundle.cc:404 ) ui::ResourceBundle::GetImageNamed(int)
0x57fd254d (chrome.dll -resource_bundle.cc:371 ) ui::ResourceBundle::GetImageSkiaNamed(int)
0x59040814 (chrome.dll -nine_image_painter_factory.cc:23 ) ui::`anonymous namespace'::ImageIdsToImages
0x5904078a (chrome.dll -nine_image_painter_factory.cc:32 ) ui::CreateNineImagePainter(int const * const)
0x58e5a9af (chrome.dll -painter.cc:314 ) views::Painter::CreateImageGridPainter(int const * const)
0x58e5b22e (chrome.dll -label_button_border.cc:104 ) views::LabelButtonAssetBorder::LabelButtonAssetBorder(views::Button::ButtonStyle)
0x596e29c1 (chrome.dll -new_avatar_button.cc:33 ) `anonymous namespace'::CreateBorder
0x596e2706 (chrome.dll -new_avatar_button.cc:100 ) NewAvatarButton::NewAvatarButton(AvatarButtonDelegate *,AvatarButtonStyle,Profile *)
0x596dac4d (chrome.dll -avatar_button_manager.cc:25 ) AvatarButtonManager::Update(AvatarButtonStyle)
0x594a461d (chrome.dll -glass_browser_frame_view.cc:280 ) GlassBrowserFrameView::UpdateAvatar()
0x593a732b (chrome.dll -browser_non_client_frame_view.cc:196 ) BrowserNonClientFrameView::ViewHierarchyChanged(views::View::ViewHierarchyChangedDetails const &)
0x58e39516 (chrome.dll -view.cc:1890 ) views::View::ViewHierarchyChangedImpl(bool,views::View::ViewHierarchyChangedDetails const &)
0x58e37a79 (chrome.dll -view.cc:1866 ) views::View::PropagateAddNotifications(views::View::ViewHierarchyChangedDetails const &)
0x58e33f69 (chrome.dll -view.cc:211 ) views::View::AddChildViewAt(views::View *,int)
0x58e68973 (chrome.dll -non_client_view.cc:188 ) views::NonClientView::ViewHierarchyChanged(views::View::ViewHierarchyChangedDetails const &)
0x58e39516 (chrome.dll -view.cc:1890 ) views::View::ViewHierarchyChangedImpl(bool,views::View::ViewHierarchyChangedDetails const &)
0x58e37a79 (chrome.dll -view.cc:1866 ) views::View::PropagateAddNotifications(views::View::ViewHierarchyChangedDetails const &)
0x58e33f69 (chrome.dll -view.cc:211 ) views::View::AddChildViewAt(views::View *,int)
0x58e33de2 (chrome.dll -view.cc:158 ) views::View::AddChildView(views::View *)
0x58e7cb8c (chrome.dll -root_view.cc:196 ) views::internal::RootView::SetContentsView(views::View *)
0x58e409d2 (chrome.dll -widget.cc:455 ) views::Widget::SetContentsView(views::View *)
0x58e3f26b (chrome.dll -widget.cc:342 ) views::Widget::Init(views::Widget::InitParams const &)
0x5938f748 (chrome.dll -browser_frame.cc:84 ) BrowserFrame::InitBrowserFrame()
0x5935439a (chrome.dll -browser_window_factory.cc:18 ) BrowserWindow::CreateBrowserWindow(Browser *)
0x5826aa0a (chrome.dll -browser.cc:459 ) Browser::Browser(Browser::CreateParams const &)
0x582885fe (chrome.dll -startup_browser_creator_impl.cc:735 ) StartupBrowserCreatorImpl::OpenTabsInBrowser(Browser *,bool,std::vector<StartupTab,std::allocator<StartupTab> > const &)
0x58288cc5 (chrome.dll -startup_browser_creator_impl.cc:690 ) StartupBrowserCreatorImpl::ProcessSpecifiedURLs(std::vector<GURL,std::allocator<GURL> > const &)
0x58288fb6 (chrome.dll -startup_browser_creator_impl.cc:631 ) StartupBrowserCreatorImpl::ProcessStartupURLs(std::vector<GURL,std::allocator<GURL> > const &)
0x582889b9 (chrome.dll -startup_browser_creator_impl.cc:520 ) StartupBrowserCreatorImpl::ProcessLaunchURLs(bool,std::vector<GURL,std::allocator<GURL> > const &)
0x58288127 (chrome.dll -startup_browser_creator_impl.cc:351 ) StartupBrowserCreatorImpl::Launch(Profile *,std::vector<GURL,std::allocator<GURL> > const &,bool)
0x58259a7d (chrome.dll -startup_browser_creator.cc:369 ) StartupBrowserCreator::LaunchBrowser(base::CommandLine const &,Profile *,base::FilePath const &,chrome::startup::IsProcessStartup,chrome::startup::IsFirstRun)
0x5825a386 (chrome.dll -startup_browser_creator.cc:735 ) StartupBrowserCreator::ProcessCmdLineImpl(base::CommandLine const &,base::FilePath const &,bool,Profile *,std::vector<Profile *,std::allocator<Profile *> > const &)
0x5825ac25 (chrome.dll -startup_browser_creator.cc:323 ) StartupBrowserCreator::Start(base::CommandLine const &,base::FilePath const &,Profile *,std::vector<Profile *,std::allocator<Profile *> > const &)
0x57b0ce74 (chrome.dll -chrome_browser_main.cc:1744 ) ChromeBrowserMainParts::PreMainMessageLoopRunImpl()
0x57b0bc35 (chrome.dll -chrome_browser_main.cc:1165 ) ChromeBrowserMainParts::PreMainMessageLoopRun()
0x583cf699 (chrome.dll -browser_main_loop.cc:932 ) content::BrowserMainLoop::PreMainMessageLoopRun()
0x5850321c (chrome.dll -startup_task_runner.cc:45 ) content::StartupTaskRunner::RunAllTasksNow()
0x583cd6e8 (chrome.dll -browser_main_loop.cc:805 ) content::BrowserMainLoop::CreateStartupTasks()
0x583cba8b (chrome.dll -browser_main_runner.cc:139 ) content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const &)
0x5836cb29 (chrome.dll -browser_main.cc:42 ) content::BrowserMain(content::MainFunctionParams const &)
0x57c8371c (chrome.dll -content_main_runner.cc:381 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x57c83670 (chrome.dll -content_main_runner.cc:742 ) content::ContentMainRunnerImpl::Run()
0x57c80884 (chrome.dll -content_main.cc:20 ) content::ContentMain(content::ContentMainParams const &)
0x57ac3480 (chrome.dll -chrome_main.cc:84 ) ChromeMain
0x0133f995 (chrome.exe -main_dll_loader_win.cc:183 ) MainDllLoader::Launch(HINSTANCE__ *)
0x0133ed8c (chrome.exe -chrome_exe_main_win.cc:268 ) wWinMain
0x0136d741 (chrome.exe -exe_common.inl:255 ) __scrt_common_main_seh
0x76067c03 (kernel32.dll + 0x00017c03 ) BaseThreadInitThunk
0x770dab8e (ntdll.dll + 0x0005ab8e ) __RtlUserThreadStart
0x770dab59 (ntdll.dll + 0x0005ab59 ) _RtlUserThreadStart
ASAN Free Stack:
=================
0x6416a04a (syzyasan_rtl.dll -block_heap_manager.cc:299 ) agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x6416d87d (syzyasan_rtl.dll -rtl_impl.cc:123 ) asan_HeapFree
0x58c9129f (chrome.dll -free_base.cpp:107 ) _free_base
0x591b2310 (chrome.dll -sqlite3.c:22187 ) sqlite3_free
0x591f3717 (chrome.dll -sqlite3.c:22229 ) sqlite3DbFree
0x591f8549 (chrome.dll -sqlite3.c:86761 ) sqlite3ExprDelete
0x591ea03e (chrome.dll -sqlite3.c:95124 ) sqlite3AddDefaultValue
0x592390e6 (chrome.dll -sqlite3.c:129668 ) yy_reduce
0x592088b7 (chrome.dll -sqlite3.c:130886 ) sqlite3Parser
0x5920d912 (chrome.dll -sqlite3.c:131723 ) sqlite3RunParser
0x5920bec1 (chrome.dll -sqlite3.c:109524 ) sqlite3Prepare
0x59204bc0 (chrome.dll -sqlite3.c:109619 ) sqlite3LockAndPrepare
0x592023f4 (chrome.dll -sqlite3.c:108980 ) sqlite3InitCallback
0x591ade24 (chrome.dll -sqlite3.c:105078 ) sqlite3_exec
0x592028d9 (chrome.dll -sqlite3.c:109232 ) sqlite3InitOne
0x59202201 (chrome.dll -sqlite3.c:109299 ) sqlite3Init
0x591b06d9 (chrome.dll -sqlite3.c:93216 ) attachFunc
0x59216ee8 (chrome.dll -sqlite3.c:75508 ) sqlite3VdbeExec
0x592115b6 (chrome.dll -sqlite3.c:72483 ) sqlite3Step
0x591b58b1 (chrome.dll -sqlite3.c:72544 ) sqlite3_step
0x582080c5 (chrome.dll -statement.cc:72 ) sql::Statement::StepInternal(bool)
0x58207fcb (chrome.dll -statement.cc:89 ) sql::Statement::Run()
0x588d935a (chrome.dll -in_memory_database.cc:77 ) history::InMemoryDatabase::InitFromDisk(base::FilePath const &)
0x588c68fa (chrome.dll -in_memory_history_backend.cc:28 ) history::InMemoryHistoryBackend::Init(base::FilePath const &)
0x588c1ecd (chrome.dll -history_backend.cc:681 ) history::HistoryBackend::InitImpl(history::HistoryDatabaseParams const &)
0x588c1bd6 (chrome.dll -history_backend.cc:250 ) history::HistoryBackend::Init(bool,history::HistoryDatabaseParams const &)
0x588b1e21 (chrome.dll -bind_internal.h:372 ) base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void ( history::HistoryBackend::*)(bool,history::HistoryDatabaseParams const &)>,void ,history::HistoryBackend *,bool &,history::HistoryDatabaseParams const &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ( history::HistoryBackend::*)(bool,history::HistoryDatabaseParams const &)> >,void >::Run(base::internal::BindStateBase *)
0x56eaa30f (chrome.dll -task_annotator.cc:51 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x56e2f42a (chrome.dll -message_loop.cc:480 ) base::MessageLoop::RunTask(base::PendingTask const &)
0x56e3058d (chrome.dll -message_loop.cc:601 ) base::MessageLoop::DoWork()
0x56eabec9 (chrome.dll -message_pump_default.cc:34 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x56e8a7d2 (chrome.dll -run_loop.cc:36 ) base::RunLoop::Run()
0x56e595bc (chrome.dll -thread.cc:254 ) base::Thread::ThreadMain()
0x56e7882d (chrome.dll -platform_thread_win.cc:86 ) base::`anonymous namespace'::ThreadFunc
0x76067c04 (kernel32.dll + 0x00017c04 ) BaseThreadInitThunk
0x770dab8f (ntdll.dll + 0x0005ab8f ) __RtlUserThreadStart
0x770dab5a (ntdll.dll + 0x0005ab5a ) _RtlUserThreadStart
ASAN Allocation Stack Trace:
=============================
0x64169d4e (syzyasan_rtl.dll -block_heap_manager.cc:195 ) agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x6416d7d3 (syzyasan_rtl.dll -rtl_impl.cc:102 ) asan_HeapAlloc
0x58c912ff (chrome.dll -malloc_base.cpp:29 ) _malloc_base
0x591ae653 (chrome.dll -sqlite3.c:18306 ) sqlite3MemMalloc
0x591db4c8 (chrome.dll -sqlite3.c:21975 ) mallocWithAlarm
0x59204de5 (chrome.dll -sqlite3.c:22007 ) sqlite3Malloc
0x591f378f (chrome.dll -sqlite3.c:22374 ) sqlite3DbMallocRaw
0x591f3883 (chrome.dll -sqlite3.c:22318 ) sqlite3DbMallocZero
0x591f5c3d (chrome.dll -sqlite3.c:86487 ) sqlite3ExprAlloc
0x59205e1e (chrome.dll -sqlite3.c:86579 ) sqlite3PExpr
0x591e9916 (chrome.dll -sqlite3.c:127470 ) spanExpr
0x5923a00b (chrome.dll -sqlite3.c:130134 ) yy_reduce
0x592088b7 (chrome.dll -sqlite3.c:130886 ) sqlite3Parser
0x5920d912 (chrome.dll -sqlite3.c:131723 ) sqlite3RunParser
0x5920bec1 (chrome.dll -sqlite3.c:109524 ) sqlite3Prepare
0x59204bc0 (chrome.dll -sqlite3.c:109619 ) sqlite3LockAndPrepare
0x592023f4 (chrome.dll -sqlite3.c:108980 ) sqlite3InitCallback
0x591ade24 (chrome.dll -sqlite3.c:105078 ) sqlite3_exec
0x592028d9 (chrome.dll -sqlite3.c:109232 ) sqlite3InitOne
0x59202201 (chrome.dll -sqlite3.c:109299 ) sqlite3Init
0x591b06d9 (chrome.dll -sqlite3.c:93216 ) attachFunc
0x59216ee8 (chrome.dll -sqlite3.c:75508 ) sqlite3VdbeExec
0x592115b6 (chrome.dll -sqlite3.c:72483 ) sqlite3Step
0x591b58b1 (chrome.dll -sqlite3.c:72544 ) sqlite3_step
0x582080c5 (chrome.dll -statement.cc:72 ) sql::Statement::StepInternal(bool)
0x58207fcb (chrome.dll -statement.cc:89 ) sql::Statement::Run()
0x588d935a (chrome.dll -in_memory_database.cc:77 ) history::InMemoryDatabase::InitFromDisk(base::FilePath const &)
0x588c68fa (chrome.dll -in_memory_history_backend.cc:28 ) history::InMemoryHistoryBackend::Init(base::FilePath const &)
0x588c1ecd (chrome.dll -history_backend.cc:681 ) history::HistoryBackend::InitImpl(history::HistoryDatabaseParams const &)
0x588c1bd6 (chrome.dll -history_backend.cc:250 ) history::HistoryBackend::Init(bool,history::HistoryDatabaseParams const &)
0x588b1e21 (chrome.dll -bind_internal.h:372 ) base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void ( history::HistoryBackend::*)(bool,history::HistoryDatabaseParams const &)>,void ,history::HistoryBackend *,bool &,history::HistoryDatabaseParams const &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ( history::HistoryBackend::*)(bool,history::HistoryDatabaseParams const &)> >,void >::Run(base::internal::BindStateBase *)
0x56eaa30f (chrome.dll -task_annotator.cc:51 ) base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x56e2f42a (chrome.dll -message_loop.cc:480 ) base::MessageLoop::RunTask(base::PendingTask const &)
0x56e3058d (chrome.dll -message_loop.cc:601 ) base::MessageLoop::DoWork()
0x56eabec9 (chrome.dll -message_pump_default.cc:34 ) base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x56e8a7d2 (chrome.dll -run_loop.cc:36 ) base::RunLoop::Run()
0x56e595bc (chrome.dll -thread.cc:254 ) base::Thread::ThreadMain()
0x56e7882d (chrome.dll -platform_thread_win.cc:86 ) base::`anonymous namespace'::ThreadFunc
0x76067c04 (kernel32.dll + 0x00017c04 ) BaseThreadInitThunk
0x770dab8f (ntdll.dll + 0x0005ab8f ) __RtlUserThreadStart
0x770dab5a (ntdll.dll + 0x0005ab5a ) _RtlUserThreadStart
You can see the list of ASAN builds having this issue here:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20special_protos.asan_report.is_actionable%3D1%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27gfx%3A%3Ainternal%3A%3AImageSkiaStorage%3A%3AFindRepresentation%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D
pkasting@, could you please look into this change (https://chromium.googlesource.com/chromium/src/+/2bd8b487468f1a1f5dd93a7c08470715320342ec%5E%21/ui/gfx/image/image_skia.cc) if possible? Please feel free to re-assign in case this is not your change.
This might be related to https://bugs.chromium.org/p/chromium/issues/detail?id=599669. Note that the ASAN free and allocation stacks above both come from the SQLite parser running under history::InMemoryDatabase::InitFromDisk on a base::Thread, whereas the faulting read is on Thread 0 in gfx::internal::ImageSkiaStorage::FindRepresentation, so the freed block and the reading code appear to belong to different subsystems and the attribution to the image_skia.cc change is not certain from this report alone.
Thank you!
Comment 1 by osh...@chromium.org
Apr 15 2016 — Status: Duplicate (was: Assigned)