
Issue 610513 link


Issue metadata

Status: Fixed
Closed: May 2016
Pri: 3
Type: Bug

Blocking:
issue 477150
issue 607991




UaF of WebWidget in components/test_runner/web_widget_test_client.cc

Project Member Reported by lukasza@chromium.org, May 9 2016

Issue description

Repro steps:

$ cat out/gn/args.gn 
dcheck_always_on = true
is_asan = true
is_component_build = true
is_debug = false
use_goma = true

$ ninja -C out/gn ... blink_tests

$ third_party/WebKit/Tools/Scripts/run-webkit-tests -t gn -v --additional-drt-flag=--site-per-process http/tests/misc/copy-resolves-urls.html


Actual behavior:

ASAN reports UaF:

STDERR: =================================================================
STDERR: ==28850==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000f2150 at pc 0x7fdcc9d6e9e8 bp 0x7ffc732449b0 sp 0x7ffc732449a8
STDERR: READ of size 8 at 0x6040000f2150 thread T0 (content_shell)
STDERR:     #0 0x7fdcc9d6e9e7 in AnimateNow ./out/gn/../../components/test_runner/web_widget_test_client.cc:58:5
STDERR:     #1 0x7fdcc9d6f41a in Run<> ./out/gn/../../base/bind_internal.h:181:12
STDERR:     #2 0x7fdcc9d6f41a in MakeItSo<base::WeakPtr<test_runner::WebWidgetTestClient>> ./out/gn/../../base/bind_internal.h:334:0
STDERR:     #3 0x7fdcc9d6f41a in Run ./out/gn/../../base/bind_internal.h:372:0
STDERR:     #4 0x7fdcbea1a995 in Run<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > ./out/gn/../../base/bind_internal.h:159:12
STDERR:     #5 0x7fdcbea1a995 in MakeItSo<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > ./out/gn/../../base/bind_internal.h:321:0
STDERR:     #6 0x7fdcbea1a995 in Run ./out/gn/../../base/bind_internal.h:372:0
STDERR:     #7 0x7fdcd2d72c01 in Run ./out/gn/../../base/callback.h:397:12
STDERR:     #8 0x7fdcd2d72c01 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR:     #9 0x7fdcbe9efdc3 in ProcessTaskFromWorkQueue ./out/gn/../../components/scheduler/base/task_queue_manager.cc:289:3
STDERR:     #10 0x7fdcbe9ec1f3 in DoWork ./out/gn/../../components/scheduler/base/task_queue_manager.cc:201:13
STDERR:     #11 0x7fdcbe9f6214 in Run<const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:181:12
STDERR:     #12 0x7fdcbe9f6214 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:334:0
STDERR:     #13 0x7fdcbe9f6214 in Run ./out/gn/../../base/bind_internal.h:372:0
STDERR:     #14 0x7fdcd2d72c01 in Run ./out/gn/../../base/callback.h:397:12
STDERR:     #15 0x7fdcd2d72c01 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR:     #16 0x7fdcd2dfc1a1 in RunTask ./out/gn/../../base/message_loop/message_loop.cc:484:3
STDERR:     #17 0x7fdcd2dfcd75 in DeferOrRunPendingTask ./out/gn/../../base/message_loop/message_loop.cc:493:5
STDERR:     #18 0x7fdcd2dfe1fe in DoDelayedWork ./out/gn/../../base/message_loop/message_loop.cc:648:10
STDERR:     #19 0x7fdcd2e046f1 in Run ./out/gn/../../base/message_loop/message_pump_default.cc:37:17
STDERR:     #20 0x7fdcd2dfb3d7 in RunHandler ./out/gn/../../base/message_loop/message_loop.cc:448:3
STDERR:     #21 0x7fdcd2e8f9d5 in Run ./out/gn/../../base/run_loop.cc:35:3
STDERR:     #22 0x7fdcd2df8a88 in Run ./out/gn/../../base/message_loop/message_loop.cc:300:3
STDERR:     #23 0x7fdcd6716f07 in RendererMain ./out/gn/../../content/renderer/renderer_main.cc:199:7
STDERR:     #24 0x7fdcd6b34195 in RunZygote ./out/gn/../../content/app/content_main_runner.cc:346:14
STDERR:     #25 0x7fdcd6b358dc in RunNamedProcessTypeMain ./out/gn/../../content/app/content_main_runner.cc:429:12
STDERR:     #26 0x7fdcd6b3749b in Run ./out/gn/../../content/app/content_main_runner.cc:788:12
STDERR:     #27 0x7fdcd6b3340a in ContentMain ./out/gn/../../content/app/content_main.cc:20:15
STDERR:     #28 0x5ba1d5 in main ./out/gn/../../content/shell/app/shell_main.cc:48:10
STDERR:     #29 0x7fdcb8acaec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287:0
STDERR: 
STDERR: 0x6040000f2150 is located 0 bytes inside of 48-byte region [0x6040000f2150,0x6040000f2180)
STDERR: freed by thread T0 (content_shell) here:
STDERR:     #0 0x5b864b in operator delete(void*) ??:?
STDERR:     #1 0x7fdcd66cbeab in CloseForFrame ./out/gn/../../content/renderer/render_view_impl.cc:2810:3
STDERR:     #2 0x7fdcd6616c68 in frameDetached ./out/gn/../../content/renderer/render_frame_impl.cc:2687:5
STDERR:     #3 0x7fdcca414324 in detached ./out/gn/../../third_party/WebKit/Source/web/FrameLoaderClientImpl.cpp:388:5
STDERR:     #4 0x7fdcc50fe7a9 in detach ./out/gn/../../third_party/WebKit/Source/core/frame/Frame.cpp:76:5
STDERR:     #5 0x7fdcc51b6d7e in detach ./out/gn/../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:347:5
STDERR:     #6 0x7fdcca50aa26 in swap ./out/gn/../../third_party/WebKit/Source/web/WebFrame.cpp:80:5
STDERR:     #7 0x7fdcd65e92e8 in OnSwapOut ./out/gn/../../content/renderer/render_frame_impl.cc:1592:3
STDERR:     #8 0x7fdcd65e897e in DispatchToMethodImpl<content::RenderFrameImpl *, void (content::RenderFrameImpl::*)(int, bool, const content::FrameReplicationState &), int, bool, content::FrameReplicationState, 0, 1, 2> ./out/gn/../../base/tuple.h:166:3
STDERR:     #9 0x7fdcd65e897e in DispatchToMethod<content::RenderFrameImpl *, void (content::RenderFrameImpl::*)(int, bool, const content::FrameReplicationState &), int, bool, content::FrameReplicationState> ./out/gn/../../base/tuple.h:173:0
STDERR:     #10 0x7fdcd65e897e in DispatchToMethod<content::RenderFrameImpl, void (content::RenderFrameImpl::*)(int, bool, const content::FrameReplicationState &), void, std::__1::tuple<int, bool, content::FrameReplicationState> > ./out/gn/../../ipc/ipc_message_templates.h:26:0
STDERR:     #11 0x7fdcd65e897e in Dispatch<content::RenderFrameImpl, content::RenderFrameImpl, void, void (content::RenderFrameImpl::*)(int, bool, const content::FrameReplicationState &)> ./out/gn/../../ipc/ipc_message_templates.h:121:0
STDERR:     #12 0x7fdcd65e514f in OnMessageReceived ./out/gn/../../content/renderer/render_frame_impl.cc:1377:5
STDERR:     #13 0x7fdcd0104982 in RouteMessage ./out/gn/../../ipc/message_router.cc:52:10
STDERR:     #14 0x7fdcd01046e8 in OnMessageReceived ./out/gn/../../ipc/message_router.cc:44:10
STDERR:     #15 0x7fdcd3e00ecf in OnMessageReceived ./out/gn/../../content/child/child_thread_impl.cc:649:10
STDERR:     #16 0x7fdcd00cb217 in OnDispatchMessage ./out/gn/../../ipc/ipc_channel_proxy.cc:284:3
STDERR:     #17 0x7fdcd2d72c01 in Run ./out/gn/../../base/callback.h:397:12
STDERR:     #18 0x7fdcd2d72c01 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR:     #19 0x7fdcbe9efdc3 in ProcessTaskFromWorkQueue ./out/gn/../../components/scheduler/base/task_queue_manager.cc:289:3
STDERR:     #20 0x7fdcbe9ec1f3 in DoWork ./out/gn/../../components/scheduler/base/task_queue_manager.cc:201:13
STDERR:     #21 0x7fdcbe9f28a4 in Run<const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:181:12
STDERR:     #22 0x7fdcbe9f28a4 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:334:0
STDERR:     #23 0x7fdcbe9f28a4 in Run ./out/gn/../../base/bind_internal.h:372:0
STDERR:     #24 0x7fdcd2d72c01 in Run ./out/gn/../../base/callback.h:397:12
STDERR:     #25 0x7fdcd2d72c01 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR:     #26 0x7fdcd2dfc1a1 in RunTask ./out/gn/../../base/message_loop/message_loop.cc:484:3
STDERR:     #27 0x7fdcd2dfcd75 in DeferOrRunPendingTask ./out/gn/../../base/message_loop/message_loop.cc:493:5
STDERR:     #28 0x7fdcd2dfdc4c in DoWork ./out/gn/../../base/message_loop/message_loop.cc:610:13
STDERR:     #29 0x7fdcd2e0483e in Run ./out/gn/../../base/message_loop/message_pump_default.cc:33:21
STDERR:     #30 0x7fdcd2dfb3d7 in RunHandler ./out/gn/../../base/message_loop/message_loop.cc:448:3
STDERR:     #31 0x7fdcd2e8f9d5 in Run ./out/gn/../../base/run_loop.cc:35:3
STDERR:     #32 0x7fdcd2df8a88 in Run ./out/gn/../../base/message_loop/message_loop.cc:300:3
STDERR:     #33 0x7fdcd6716f07 in RendererMain ./out/gn/../../content/renderer/renderer_main.cc:199:7
STDERR:     #34 0x7fdcd6b34195 in RunZygote ./out/gn/../../content/app/content_main_runner.cc:346:14
STDERR:     #35 0x7fdcd6b358dc in RunNamedProcessTypeMain ./out/gn/../../content/app/content_main_runner.cc:429:12
STDERR:     #36 0x7fdcd6b3749b in Run ./out/gn/../../content/app/content_main_runner.cc:788:12
STDERR: 
STDERR: previously allocated by thread T0 (content_shell) here:
STDERR:     #0 0x5b808b in operator new(unsigned long) ??:?
STDERR:     #1 0x7fdcca51c75d in create ./out/gn/../../third_party/WebKit/Source/web/WebFrameWidgetImpl.cpp:72:12
STDERR:     #2 0x7fdcd66deb8a in CreateWebFrameWidget ./out/gn/../../content/renderer/render_widget.cc:329:12
STDERR:     #3 0x7fdcd66deb8a in CreateForFrame ./out/gn/../../content/renderer/render_widget.cc:304:0
STDERR:     #4 0x7fdcd65da75a in CreateMainFrame ./out/gn/../../content/renderer/render_frame_impl.cc:839:34
STDERR:     #5 0x7fdcd66923ae in Initialize ./out/gn/../../content/renderer/render_view_impl.cc:714:26
STDERR:     #6 0x7fdcd669aba4 in Create ./out/gn/../../content/renderer/render_view_impl.cc:1134:3
STDERR:     #7 0x7fdcd667ef9a in DispatchToMethodImpl<content::RenderThreadImpl *, void (content::RenderThreadImpl::*)(const ViewMsg_New_Params &), ViewMsg_New_Params, 0> ./out/gn/../../base/tuple.h:166:3
STDERR:     #8 0x7fdcd667ef9a in DispatchToMethod<content::RenderThreadImpl *, void (content::RenderThreadImpl::*)(const ViewMsg_New_Params &), ViewMsg_New_Params> ./out/gn/../../base/tuple.h:173:0
STDERR:     #9 0x7fdcd667ef9a in DispatchToMethod<content::RenderThreadImpl, void (content::RenderThreadImpl::*)(const ViewMsg_New_Params &), void, std::__1::tuple<ViewMsg_New_Params> > ./out/gn/../../ipc/ipc_message_templates.h:26:0
STDERR:     #10 0x7fdcd667ef9a in Dispatch<content::RenderThreadImpl, content::RenderThreadImpl, void, void (content::RenderThreadImpl::*)(const ViewMsg_New_Params &)> ./out/gn/../../ipc/ipc_message_templates.h:121:0
STDERR:     #11 0x7fdcd667d500 in OnControlMessageReceived ./out/gn/../../content/renderer/render_thread_impl.cc:1658:5
STDERR:     #12 0x7fdcd3e00ecf in OnMessageReceived ./out/gn/../../content/child/child_thread_impl.cc:649:10
STDERR:     #13 0x7fdcd00cb217 in OnDispatchMessage ./out/gn/../../ipc/ipc_channel_proxy.cc:284:3
STDERR:     #14 0x7fdcd2d72c01 in Run ./out/gn/../../base/callback.h:397:12
STDERR:     #15 0x7fdcd2d72c01 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR:     #16 0x7fdcbe9efdc3 in ProcessTaskFromWorkQueue ./out/gn/../../components/scheduler/base/task_queue_manager.cc:289:3
STDERR:     #17 0x7fdcbe9ec1f3 in DoWork ./out/gn/../../components/scheduler/base/task_queue_manager.cc:201:13
STDERR:     #18 0x7fdcbe9f28a4 in Run<const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:181:12
STDERR:     #19 0x7fdcbe9f28a4 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> ./out/gn/../../base/bind_internal.h:334:0
STDERR:     #20 0x7fdcbe9f28a4 in Run ./out/gn/../../base/bind_internal.h:372:0
STDERR:     #21 0x7fdcd2d72c01 in Run ./out/gn/../../base/callback.h:397:12
STDERR:     #22 0x7fdcd2d72c01 in RunTask ./out/gn/../../base/debug/task_annotator.cc:51:0
STDERR:     #23 0x7fdcd2dfc1a1 in RunTask ./out/gn/../../base/message_loop/message_loop.cc:484:3
STDERR:     #24 0x7fdcd2dfcd75 in DeferOrRunPendingTask ./out/gn/../../base/message_loop/message_loop.cc:493:5
STDERR:     #25 0x7fdcd2dfdc4c in DoWork ./out/gn/../../base/message_loop/message_loop.cc:610:13
STDERR:     #26 0x7fdcd2e0483e in Run ./out/gn/../../base/message_loop/message_pump_default.cc:33:21
STDERR:     #27 0x7fdcd2dfb3d7 in RunHandler ./out/gn/../../base/message_loop/message_loop.cc:448:3
STDERR:     #28 0x7fdcd2e8f9d5 in Run ./out/gn/../../base/run_loop.cc:35:3
STDERR:     #29 0x7fdcd2df8a88 in Run ./out/gn/../../base/message_loop/message_loop.cc:300:3
STDERR:     #30 0x7fdcd6716f07 in RendererMain ./out/gn/../../content/renderer/renderer_main.cc:199:7
STDERR:     #31 0x7fdcd6b34195 in RunZygote ./out/gn/../../content/app/content_main_runner.cc:346:14
STDERR:     #32 0x7fdcd6b358dc in RunNamedProcessTypeMain ./out/gn/../../content/app/content_main_runner.cc:429:12
STDERR:     #33 0x7fdcd6b3749b in Run ./out/gn/../../content/app/content_main_runner.cc:788:12
STDERR:     #34 0x7fdcd6b3340a in ContentMain ./out/gn/../../content/app/content_main.cc:20:15
STDERR:     #35 0x5ba1d5 in main ./out/gn/../../content/shell/app/shell_main.cc:48:10
STDERR:     #36 0x7fdcb8acaec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287:0
STDERR: 
STDERR: SUMMARY: AddressSanitizer: heap-use-after-free 

Owner: lfg@chromium.org
lfg@, I've tested before and after 4fa48da and it seems that the regression is caused by your https://codereview.chromium.org/1918183004
Blocking: 607991

Comment 3 by dcheng@chromium.org, May 10 2016

That's a bit surprising: why is the WebWidgetTestClient still live?

Comment 4 by lfg@chromium.org, May 10 2016

Status: Started (was: Untriaged)

Comment 5 by lfg@chromium.org, May 10 2016

The WebTestProxy owns the WebWidgetTestClient and it doesn't like it being changed or set to null (see https://code.google.com/p/chromium/codesearch#chromium/src/components/test_runner/web_test_proxy.h&l=83).

I've tried setting it to null (as well as the WebWidget), and this test passes, but I'm not sure what other implications we could have. I'll try to run that through the bots and see.

We could also do the easy fix, which is to set the WebView as the WebWidget in the WebTestProxy, instead of the WebViewFrameWidget, which will also work, since the WebView is never destroyed.


Comment 6 by bugdroid1@chromium.org, May 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fdd53d6357138bcd0ad557bc5995f6e55952758c

commit fdd53d6357138bcd0ad557bc5995f6e55952758c
Author: lfg <lfg@chromium.org>
Date: Wed May 11 15:27:03 2016

Destroy WebWidgetTestClient when its WebWidget is destroyed.

This fixes a UaF trying to access the WebWidget from the WebWidgetTestClient.

BUG= 610513 

Review-Url: https://codereview.chromium.org/1962393002
Cr-Commit-Position: refs/heads/master@{#392928}

[modify] https://crrev.com/fdd53d6357138bcd0ad557bc5995f6e55952758c/content/shell/renderer/layout_test/layout_test_content_renderer_client.cc
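The ownership problem Comment 5 describes and the fix recorded in the commit above, as an added C++ illustration that is not Chromium code: the weak-pointer-bound task only protects the client, not the raw widget pointer the client holds, so the task still runs against a freed widget unless the client is torn down together with its widget. The names Widget, Client and RunScenario, and the liveness registry standing in for ASAN, are constructed for this model.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <vector>

// Constructed model of issue 610513. A liveness registry plays the part of
// ASAN: it records which widgets are still allocated, so the model can report
// a dangling access instead of actually dereferencing freed memory.
static std::set<const void*> g_live_widgets;

struct Widget {
  Widget() { g_live_widgets.insert(this); }
  ~Widget() { g_live_widgets.erase(this); }
  int frames = 0;
};

// Stand-in for WebWidgetTestClient: holds a raw widget pointer that nothing
// clears when the widget is destroyed (the WebTestProxy keeps the client).
class Client {
 public:
  explicit Client(Widget* w) : widget_(w) {}
  // Mirrors AnimateNow(): returns true if the widget it touches is already
  // freed (the real code simply dereferences it, which ASAN flags as UaF).
  bool AnimateNow() {
    if (!g_live_widgets.count(widget_)) return true;  // heap-use-after-free
    ++widget_->frames;
    return false;
  }
 private:
  Widget* widget_;
};

// Replays the sequence from the report: the client posts a delayed AnimateNow
// task bound through a weak pointer, the swap-out (CloseForFrame) deletes the
// widget, and the scheduler runs the task afterwards. Returns how many tasks
// touched a freed widget.
int RunScenario(bool destroy_client_with_widget) {
  std::unique_ptr<Widget> widget(new Widget);
  std::shared_ptr<Client> client = std::make_shared<Client>(widget.get());
  std::weak_ptr<Client> weak = client;  // like base::Bind(&AnimateNow, WeakPtr)
  int uaf_count = 0;
  std::vector<std::function<void()>> queue;
  queue.push_back([weak, &uaf_count] {
    if (auto c = weak.lock()) uaf_count += c->AnimateNow() ? 1 : 0;
  });
  widget.reset();                                   // CloseForFrame frees it
  if (destroy_client_with_widget) client.reset();   // the fix from the commit
  for (auto& task : queue) task();                  // scheduler drains queue
  return uaf_count;
}
```

With the fix applied the weak pointer no longer resolves, so the pending task becomes a no-op rather than reaching the freed widget.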

Comment 7 by lfg@chromium.org, May 11 2016

Status: Fixed (was: Started)
