This crash, go/crash/d0db171200000000, was found by the latest SyzyASAN Canary (52.0.2712.1).
Bad access information:
Error Type: heap-use-after-free
Location: 0x2254add3
Access Mode: read
Access Size: 4
User Size: 36
Magic Stack
===========
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x683c393f ] MAGIC SIGNATURE THREAD
0x683c393f (chrome.dll -browser_context_keyed_api_factory.h:121 ) extensions::BrowserContextKeyedAPIFactory<extensions::PowerAPI>::GetBrowserContextToUse(content::BrowserContext *)
0x6703e43e (chrome.dll -keyed_service_factory.cc:65 ) KeyedServiceFactory::GetServiceForContext(base::SupportsUserData *,bool)
0x678779b4 (chrome.dll -extension_prefs_factory.cc:24 ) extensions::ExtensionPrefsFactory::GetForBrowserContext(content::BrowserContext *)
0x679ad7b5 (chrome.dll -toolbar_actions_model_factory.cc:43 ) ToolbarActionsModelFactory::BuildServiceInstanceFor(content::BrowserContext *)
0x678f043f (chrome.dll -browser_context_keyed_service_factory.cc:93 ) BrowserContextKeyedServiceFactory::BuildServiceInstanceFor(base::SupportsUserData *)
0x6703e54a (chrome.dll -keyed_service_factory.cc:91 ) KeyedServiceFactory::GetServiceForContext(base::SupportsUserData *,bool)
0x679ad7ef (chrome.dll -toolbar_actions_model_factory.cc:20 ) ToolbarActionsModelFactory::GetForProfile(Profile *)
0x679599e8 (chrome.dll -extension_message_bubble_controller.cc:111 ) extensions::ExtensionMessageBubbleController::~ExtensionMessageBubbleController()
0x67959a4e (chrome.dll + 0x01c19a4e ) extensions::ExtensionMessageBubbleController::`scalar deleting destructor'(unsigned int)
0x6723ce93 (chrome.dll -extension_message_bubble_bridge.cc:15 ) ExtensionMessageBubbleBridge::~ExtensionMessageBubbleBridge()
0x6723ceb0 (chrome.dll + 0x014fceb0 ) ExtensionMessageBubbleBridge::`scalar deleting destructor'(unsigned int)
0x67c128f9 (chrome.dll + 0x01ed28f9 ) std::tuple<base::WeakPtr<safe_browsing::IncidentReportingService>,base::internal::PassedWrapper<std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> > > >::~tuple<base::WeakPtr<safe_browsing::IncidentReportingService>,base::internal::PassedWrapper<std::unique_ptr<safe_browsing::ClientIncidentReport_EnvironmentData,std::default_delete<safe_browsing::ClientIncidentReport_EnvironmentData> > > >()
0x67ce87d9 (chrome.dll -bind_internal.h:451 ) base::internal::BindState<base::internal::RunnableAdapter<void ( safe_browsing::DownloadMetadataManager::ManagerContext::*)(std::unique_ptr<safe_browsing::DownloadMetadata,std::default_delete<safe_browsing::DownloadMetadata> >)>,void ,base::WeakPtr<safe_browsing::DownloadMetadataManager::ManagerContext>,base::internal::PassedWrapper<std::unique_ptr<safe_browsing::DownloadMetadata,std::default_delete<safe_browsing::DownloadMetadata> > > >::Destroy(base::internal::BindStateBase *)
0x65d9fc39 (chrome.dll -message_loop.cc:529 ) base::MessageLoop::DeletePendingTasks()
0x65d9d9d5 (chrome.dll -message_loop.cc:161 ) base::MessageLoop::~MessageLoop()
0x65d9d7ad (chrome.dll + 0x0005d7ad ) base::MessageLoop::`scalar deleting destructor'(unsigned int)
0x6734c1ca (chrome.dll -browser_main_loop.cc:428 ) content::BrowserMainLoop::~BrowserMainLoop()
0x6734c36c (chrome.dll + 0x0160c36c ) content::BrowserMainLoop::`scalar deleting destructor'(unsigned int)
0x6734b8b6 (chrome.dll -browser_main_runner.cc:223 ) content::BrowserMainRunnerImpl::Shutdown()
0x672f042e (chrome.dll -browser_main.cc:48 ) content::BrowserMain(content::MainFunctionParams const &)
0x66bbcf76 (chrome.dll -content_main_runner.cc:381 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x66bbceca (chrome.dll -content_main_runner.cc:742 ) content::ContentMainRunnerImpl::Run()
0x66bba0d8 (chrome.dll -content_main.cc:20 ) content::ContentMain(content::ContentMainParams const &)
0x66a3de0c (chrome.dll -chrome_main.cc:84 ) ChromeMain
0x00a107b2 (chrome.exe -main_dll_loader_win.cc:184 ) MainDllLoader::Launch(HINSTANCE__ *)
0x00a0fb56 (chrome.exe -chrome_exe_main_win.cc:268 ) wWinMain
0x00a3e3e7 (chrome.exe -exe_common.inl:255 ) __scrt_common_main_seh
0x76d13379 (kernel32.dll + 0x00013379 ) BaseThreadInitThunk
0x77609881 (ntdll.dll + 0x00039881 ) __RtlUserThreadStart
0x77609854 (ntdll.dll + 0x00039854 ) _RtlUserThreadStart
ASAN Free Stack Trace (TID: 6036)
======================
0x735ba04a (syzyasan_rtl.dll -block_heap_manager.cc:299 ) agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x735bd87d (syzyasan_rtl.dll -rtl_impl.cc:123 ) asan_HeapFree
0x67b5be10 (chrome.dll -free_base.cpp:107 ) _free_base
0x67932ddd (chrome.dll + 0x01bf2ddd ) extensions::ChromeExtensionsBrowserClient::`scalar deleting destructor'(unsigned int)
0x66ad0bb7 (chrome.dll -browser_process_impl.cc:257 ) BrowserProcessImpl::~BrowserProcessImpl()
0x66b254c8 (chrome.dll -browser_shutdown.cc:199 ) browser_shutdown::ShutdownPostThreadsStop(bool)
0x66aa871f (chrome.dll -chrome_browser_main.cc:1935 ) ChromeBrowserMainParts::PostDestroyThreads()
0x673501fb (chrome.dll -browser_main_loop.cc:1148 ) content::BrowserMainLoop::ShutdownThreadsAndCleanUp()
0x6734b869 (chrome.dll -browser_main_runner.cc:212 ) content::BrowserMainRunnerImpl::Shutdown()
0x672f042f (chrome.dll -browser_main.cc:50 ) content::BrowserMain(content::MainFunctionParams const &)
0x66bbcf77 (chrome.dll -content_main_runner.cc:381 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x66bbcecb (chrome.dll -content_main_runner.cc:742 ) content::ContentMainRunnerImpl::Run()
0x66bba0d9 (chrome.dll -content_main.cc:20 ) content::ContentMain(content::ContentMainParams const &)
0x66a3de0d (chrome.dll -chrome_main.cc:87 ) ChromeMain
0x00a107b3 (chrome.exe -main_dll_loader_win.cc:185 ) MainDllLoader::Launch(HINSTANCE__ *)
0x00a0fb57 (chrome.exe -chrome_exe_main_win.cc:269 ) wWinMain
0x00a3e3e8 (chrome.exe -exe_common.inl:255 ) __scrt_common_main_seh
0x76d1337a (kernel32.dll + 0x0001337a ) BaseThreadInitThunk
0x77609882 (ntdll.dll + 0x00039882 ) __RtlUserThreadStart
0x77609855 (ntdll.dll + 0x00039855 ) _RtlUserThreadStart
ASAN Allocation Stack Trace (TID: 6036)
============================
0x735b9d4e (syzyasan_rtl.dll -block_heap_manager.cc:195 ) agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x735bd7d3 (syzyasan_rtl.dll -rtl_impl.cc:102 ) asan_HeapAlloc
0x67b5be70 (chrome.dll -malloc_base.cpp:29 ) _malloc_base
0x67b2eb90 (chrome.dll -new_scalar.cpp:19 ) operator new(unsigned int)
0x66ad058c (chrome.dll -browser_process_impl.cc:234 ) BrowserProcessImpl::BrowserProcessImpl(base::SequencedTaskRunner *,base::CommandLine const &)
0x66aa92a8 (chrome.dll -chrome_browser_main.cc:934 ) ChromeBrowserMainParts::PreCreateThreadsImpl()
0x66aa8f64 (chrome.dll -chrome_browser_main.cc:876 ) ChromeBrowserMainParts::PreCreateThreads()
0x66a579b3 (chrome.dll -chrome_browser_main_win.cc:296 ) ChromeBrowserMainPartsWin::PreCreateThreads()
0x6734eee0 (chrome.dll -browser_main_loop.cc:699 ) content::BrowserMainLoop::PreCreateThreads()
0x67478f0d (chrome.dll -startup_task_runner.cc:45 ) content::StartupTaskRunner::RunAllTasksNow()
0x6734d1a5 (chrome.dll -browser_main_loop.cc:805 ) content::BrowserMainLoop::CreateStartupTasks()
0x6734b441 (chrome.dll -browser_main_runner.cc:140 ) content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const &)
0x672f03f1 (chrome.dll -browser_main.cc:42 ) content::BrowserMain(content::MainFunctionParams const &)
0x66bbcf77 (chrome.dll -content_main_runner.cc:381 ) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x66bbcecb (chrome.dll -content_main_runner.cc:742 ) content::ContentMainRunnerImpl::Run()
0x66bba0d9 (chrome.dll -content_main.cc:20 ) content::ContentMain(content::ContentMainParams const &)
0x66a3de0d (chrome.dll -chrome_main.cc:87 ) ChromeMain
0x00a107b3 (chrome.exe -main_dll_loader_win.cc:185 ) MainDllLoader::Launch(HINSTANCE__ *)
0x00a0fb57 (chrome.exe -chrome_exe_main_win.cc:269 ) wWinMain
0x00a3e3e8 (chrome.exe -exe_common.inl:255 ) __scrt_common_main_seh
0x76d1337a (kernel32.dll + 0x0001337a ) BaseThreadInitThunk
0x77609882 (ntdll.dll + 0x00039882 ) __RtlUserThreadStart
0x77609855 (ntdll.dll + 0x00039855 ) _RtlUserThreadStart
This ASAN crash was first reported in 52.0.2712.1; only 1 instance so far.
The crash is NOT seen in non-ASAN builds.
Link to the builds / instances, which may help future triage:
https://crash.corp.google.com/browse?q=special_protos.asan_report.is_actionable%3D1%20AND%20product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27extensions%3A%3ABrowserContextKeyedAPIFactory%3Cextensions%3A%3APowerAPI%3E%3A%3AGetBrowserContextToUse%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,extensions
There are no recent changes in the source files. The two stacks above suggest a shutdown-ordering issue rather than a bad change: the freed object appears to be ChromeExtensionsBrowserClient (released in ~BrowserProcessImpl during ShutdownPostThreadsStop), and it is read later when ~MessageLoop::DeletePendingTasks destroys a still-pending task whose bound ExtensionMessageBubbleBridge/ExtensionMessageBubbleController destructor calls ToolbarActionsModelFactory::GetForProfile. Forwarding to chromium//src/components/keyed_service/OWNERS for further triaging.
Comment 1 by e...@chromium.org, Apr 19 2016
Owner: ----
Status: Available (was: Assigned)