Heap use after free in Bluetooth LayoutTests
Issue description

# heap-use-after-free on address 0x61f0000284a0 at pc 0x00000d038119 bp 0x7fffe4ebce70 sp 0x7fffe4ebce68
#0 0xd038118 in size buildtools/third_party/libc++/trunk/include/vector:639:46
#1 0xd038118 in size base/observer_list.h:114:0
#2 0xd038118 in might_have_observers base/observer_list.h:232:0
#3 0xd038118 in DoNotify device/bluetooth/test/mock_bluetooth_gatt_notify_session.cc:44:0

bluetooth/notifications/concurrent-starts.html [ Skip ]
bluetooth/notifications/start-before-stop-resolves.html [ Skip ]
bluetooth/notifications/add-listener-after-promise.html [ Skip ]
bluetooth/notifications/gc-with-pending-start.html [ Skip ]
bluetooth/notifications/start-twice-in-a-row.html [ Skip ]
bluetooth/notifications/start-succeeds.html [ Skip ]
Apr 18 2016
Apr 18 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c715f8900e89f3d40be473a9a6f0ecc7cc91f02f

commit c715f8900e89f3d40be473a9a6f0ecc7cc91f02f
Author: Per <perkj@chromium.org>
Date: Mon Apr 18 15:34:58 2016

Skip failing Bluetooth notification LayoutTests on MSAN.

bluetooth/notifications/concurrent-starts.html [ Skip ]
bluetooth/notifications/start-before-stop-resolves.html [ Skip ]
bluetooth/notifications/add-listener-after-promise.html [ Skip ]
bluetooth/notifications/gc-with-pending-start.html [ Skip ]
bluetooth/notifications/start-twice-in-a-row.html [ Skip ]
bluetooth/notifications/start-succeeds.html [ Skip ]

ASAN disabled here: https://codereview.chromium.org/1894973002/
Reason for disabling: https://build.chromium.org/p/chromium.webkit/builders/WebKit%20Linux%20MSAN/builds/9574/steps/webkit_tests/logs/stdio

BUG= 604318
TBR=ortuno@chromium.org

Review URL: https://codereview.chromium.org/1895833002 .

Cr-Commit-Position: refs/heads/master@{#387913}

[modify] https://crrev.com/c715f8900e89f3d40be473a9a6f0ecc7cc91f02f/third_party/WebKit/LayoutTests/MSANExpectations
Apr 19 2016
Issue 604671 has been merged into this issue.
Apr 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e2d1eb7c37a9a08934b35e92dcc4b9658a59799c

commit e2d1eb7c37a9a08934b35e92dcc4b9658a59799c
Author: ortuno <ortuno@chromium.org>
Date: Wed Apr 20 00:32:58 2016

bluetooth: Clean up WebBluetoothServiceImpl when adapter is removed

There was a use-after-free because the adapter in BluetoothDispatcherHost was destroyed before notify sessions in WebBluetoothServiceImpl were destroyed. This CL calls AdapterPresentChange on the adapter observers to notify that the adapter has been destroyed and that all state should be cleaned.

BUG= 604318

Review URL: https://codereview.chromium.org/1898303003

Cr-Commit-Position: refs/heads/master@{#388378}

[modify] https://crrev.com/e2d1eb7c37a9a08934b35e92dcc4b9658a59799c/content/browser/bluetooth/bluetooth_dispatcher_host.cc
[modify] https://crrev.com/e2d1eb7c37a9a08934b35e92dcc4b9658a59799c/content/browser/bluetooth/web_bluetooth_service_impl.cc
[modify] https://crrev.com/e2d1eb7c37a9a08934b35e92dcc4b9658a59799c/content/browser/bluetooth/web_bluetooth_service_impl.h
[modify] https://crrev.com/e2d1eb7c37a9a08934b35e92dcc4b9658a59799c/third_party/WebKit/LayoutTests/ASANExpectations
[modify] https://crrev.com/e2d1eb7c37a9a08934b35e92dcc4b9658a59799c/third_party/WebKit/LayoutTests/MSANExpectations
Apr 20 2016
Comment 1 by bugdroid1@chromium.org, Apr 18 2016
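
The lifetime ordering described in the Apr 20 commit message, modeled as an added C++ example that is not Chromium's code. Adapter, Observer, Service and NotifySession are hypothetical stand-ins for the adapter, its observers, WebBluetoothServiceImpl and its notify sessions; the destructor notification plays the role of the AdapterPresentChange call the commit names.

```cpp
// Added illustration: every type here is a hypothetical stand-in, not Chromium code.
#include <algorithm>
#include <memory>
#include <vector>

struct Adapter;
struct Observer {  // present == false: the adapter is going away
  virtual ~Observer() = default;
  virtual void AdapterPresentChanged(Adapter* adapter, bool present) = 0;
};
struct Adapter {
  std::vector<Observer*> observers_;
  ~Adapter() {  // iterate a copy: observers unregister while being notified
    for (Observer* o : std::vector<Observer*>(observers_))
      o->AdapterPresentChanged(this, false);
  }
  void AddObserver(Observer* o) { observers_.push_back(o); }
  void RemoveObserver(Observer* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                     observers_.end());
  }
  bool might_have_observers() const { return !observers_.empty(); }
};
struct NotifySession {  // raw pointer into the adapter: must not outlive it
  Adapter* adapter;
  bool DoNotify() const { return adapter->might_have_observers(); }
};
struct Service : Observer {
  Adapter* adapter_;
  std::vector<NotifySession> sessions_;
  explicit Service(Adapter* a) : adapter_(a) { adapter_->AddObserver(this); }
  ~Service() override { if (adapter_) adapter_->RemoveObserver(this); }
  void StartNotifications() {  // refused once the adapter is gone
    if (adapter_) sessions_.push_back(NotifySession{adapter_});
  }
  void AdapterPresentChanged(Adapter* a, bool present) override {
    if (present || a != adapter_) return;
    sessions_.clear();  // drop every object that points into the adapter
    adapter_->RemoveObserver(this);
    adapter_ = nullptr;
  }
};
// Adapter destroyed before the service, the order described in the fix.
int SessionsLeftAfterAdapterDestroyed() {
  auto adapter = std::make_unique<Adapter>();
  Service service(adapter.get());
  service.StartNotifications();
  adapter.reset();
  return static_cast<int>(service.sessions_.size());
}
```

Without the `sessions_.clear()` in `AdapterPresentChanged`, a later `DoNotify()` would read the freed adapter's observer list, which is the access the ASAN trace reports.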