Heap use after free in WorkerTarget::~WorkerTarget
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Steps to reproduce the problem:
1. Ensure no other Chrome tabs are open
2. Go to https://drive.google.com
3. Open up chrome://inspect/#workers, confirm there are some shared workers running
4. Refresh the page

What is the expected behavior?

What went wrong?
Chrome crashes all tabs/windows when trying to reload the page. Chrome may momentarily hang, before closing everything out.

Crashed report ID: b0f3d2f200000000 bf41d2f200000000 0e4fd2f200000000 31243eec00000000 f2bbdeec00000000 e532d2f200000000 48f7094a00000000

How much crashed? Whole browser
Is it a problem with a plugin? N/A
Did this work before? Yes
Haven't seen this happen working with Shared Workers up until a week or two ago

Chrome version: 50.0.2661.94 Channel: stable
OS Version:
Flash Version: Shockwave Flash 21.0 r0
May 10 2016

May 10 2016
==44688==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100054d488 at pc 0x7f37cc0f4c75 bp 0x7fffe89e5370 sp 0x7fffe89e5368
READ of size 4 at 0x61100054d488 thread T0 (chrome)
#0 0x7f37cc0f4c74 in base::subtle::RefCountedBase::Release() const base/memory/ref_counted.h:66:9
#1 0x7f37ccafe23a in base::RefCounted<content::DevToolsAgentHost>::Release() const base/memory/ref_counted.h:134:9
#2 0x7f37d73a25de in devtools_discovery::BasicTargetDescriptor::~BasicTargetDescriptor() components/devtools_discovery/basic_target_descriptor.cc:55:1
#3 0x7f37ccb0928a in (anonymous namespace)::WorkerTarget::~WorkerTarget() chrome/browser/devtools/devtools_target_impl.cc:145:7
#4 0x7f37ccbddc10 in void STLDeleteContainerPairSecondPointers<std::__1::__map_iterator<std::__1::__tree_iterator<std::__1::__value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, DevToolsTargetImpl*>, std::__1::__tree_node<std::__1::__value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, DevToolsTargetImpl*>, void*>*, long> > >(std::__1::__map_iterator<std::__1::__tree_iterator<std::__1::__value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, DevToolsTargetImpl*>, std::__1::__tree_node<std::__1::__value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, DevToolsTargetImpl*>, void*>*, long> >, std::__1::__map_iterator<std::__1::__tree_iterator<std::__1::__value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, DevToolsTargetImpl*>, std::__1::__tree_node<std::__1::__value_type<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, DevToolsTargetImpl*>, void*>*, long> >) base/stl_util.h:89:5
#5 0x7f37ccbd1f2d in void STLDeleteValues<std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, DevToolsTargetImpl*, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const, DevToolsTargetImpl*> > > >(std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, DevToolsTargetImpl*, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const, DevToolsTargetImpl*> > >*) base/stl_util.h:146:3
#6 0x7f37ccbd73a1 in (anonymous namespace)::LocalTargetsUIHandler::SendTargets(std::__1::vector<DevToolsTargetImpl*, std::__1::allocator<DevToolsTargetImpl*> > const&) chrome/browser/devtools/devtools_targets_ui.cc:235:3
#7 0x7f37ccbd43bd in (anonymous namespace)::LocalTargetsUIHandler::UpdateTargets() chrome/browser/devtools/devtools_targets_ui.cc:227:3
#8 0x7f37ccbd5e04 in void base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void ((anonymous namespace)::LocalTargetsUIHandler::*)()> >::MakeItSo<(anonymous namespace)::LocalTargetsUIHandler*>(base::internal::RunnableAdapter<void ((anonymous namespace)::LocalTargetsUIHandler::*)()>, (anonymous namespace)::LocalTargetsUIHandler*&&) base/bind_internal.h:321:5
#9 0x7f37ccbd5c77 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void ((anonymous namespace)::LocalTargetsUIHandler::*)()>, void ((anonymous namespace)::LocalTargetsUIHandler*), base::internal::UnretainedWrapper<(anonymous namespace)::LocalTargetsUIHandler> >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void ((anonymous namespace)::LocalTargetsUIHandler::*)()> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:372:12
#10 0x7f37ccbd6ed5 in void base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void ((anonymous namespace)::CancelableTimer::*)()> >::MakeItSo<base::WeakPtr<(anonymous namespace)::CancelableTimer>>(base::internal::RunnableAdapter<void ((anonymous namespace)::CancelableTimer::*)()>, base::WeakPtr<(anonymous namespace)::CancelableTimer>) base/bind_internal.h:334:5
#11 0x7f37ccbd6d37 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void ((anonymous namespace)::CancelableTimer::*)()>, void ((anonymous namespace)::CancelableTimer*), base::WeakPtr<(anonymous namespace)::CancelableTimer> >, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void ((anonymous namespace)::CancelableTimer::*)()> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:372:12
#12 0x7f37cd183406 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51:3
#13 0x7f37cd025839 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:3
#14 0x7f37cd02648d in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:493:5
#15 0x7f37cd027ae9 in base::MessageLoop::DoDelayedWork(base::TimeTicks*) base/message_loop/message_loop.cc:648:10
#16 0x7f37cd17c793 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:318:9
#17 0x7f37cd024e6e in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:448:3
#18 0x7f37cd090584 in base::RunLoop::Run() base/run_loop.cc:35:3
#19 0x7f37cc6d3070 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1903:3
#20 0x7f37d5f03e43 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:972:21
#21 0x7f37d555cf4f in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:154:5
#22 0x7f37d555b6ce in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:46:15
#23 0x7f37ccefa9db in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:788:12
#24 0x7f37ccef592f in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:15
#25 0x7f37cbd320fa in ChromeMain chrome/app/chrome_main.cc:84:12
#26 0x7f37c109bec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
0x61100054d488 is located 8 bytes inside of 208-byte region [0x61100054d480,0x61100054d550)
freed by thread T0 (chrome) here:
#0 0x7f37cbd3041b in operator delete(void*) (/src/Downloads/asan-symbolized-linux-release-392634/chrome+0x2dc241b)
#1 0x7f37d55ad845 in content::SharedWorkerDevToolsManager::WorkerDestroyed(int, int) content/browser/devtools/shared_worker_devtools_manager.cc:78:1
#2 0x7f37d6413f15 in content::(anonymous namespace)::NotifyWorkerDestroyed(int, int) content/browser/shared_worker/shared_worker_host.cc:47:3
#3 0x7f37cbe2cf42 in void base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(int, int)> >::MakeItSo<int const&, int const&>(base::internal::RunnableAdapter<void (*)(int, int)>, int const&, int const&) base/bind_internal.h:321:5
#4 0x7f37cd183406 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51:3
#5 0x7f37cd025839 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:3
#6 0x7f37cd02648d in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:493:5
#7 0x7f37cd02727c in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:610:13
#8 0x7f37cd17c708 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:313:31
#9 0x7f37cd024e6e in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:448:3
#10 0x7f37cd090584 in base::RunLoop::Run() base/run_loop.cc:35:3
#11 0x7f37cc6d3070 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1903:3
#12 0x7f37d5f03e43 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:972:21
#13 0x7f37d555cf4f in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:154:5
#14 0x7f37d555b6ce in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:46:15
#15 0x7f37ccefa9db in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:788:12
#16 0x7f37ccef592f in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:15
#17 0x7f37cbd320fa in ChromeMain chrome/app/chrome_main.cc:84:12
#18 0x7f37c109bec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
previously allocated by thread T0 (chrome) here:
#0 0x7f37cbd2fe5b in operator new(unsigned long) (/src/Downloads/asan-symbolized-linux-release-392634/chrome+0x2dc1e5b)
#1 0x7f37d55ad03f in content::SharedWorkerDevToolsManager::WorkerCreated(int, int, content::SharedWorkerInstance const&) content/browser/devtools/shared_worker_devtools_manager.cc:45:20
#2 0x7f37d5b2a301 in content::SharedWorkerServiceImpl::SharedWorkerReserver::TryReserve(base::Callback<void (bool), (base::internal::CopyMode)1> const&, base::Callback<void (), (base::internal::CopyMode)1> const&, bool (*)(int)) content/browser/shared_worker/shared_worker_service_impl.cc:206:11
#3 0x7f37d5b375aa in void base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (content::SharedWorkerServiceImpl::SharedWorkerReserver::*)(base::Callback<void (bool), (base::internal::CopyMode)1> const&, base::Callback<void (), (base::internal::CopyMode)1> const&, bool (*)(int))> >::MakeItSo<scoped_refptr<content::SharedWorkerServiceImpl::SharedWorkerReserver> const&, base::Callback<void (bool), (base::internal::CopyMode)1> const&, base::Callback<void (), (base::internal::CopyMode)1> const&, bool (* const&)(int)>(base::internal::RunnableAdapter<void (content::SharedWorkerServiceImpl::SharedWorkerReserver::*)(base::Callback<void (bool), (base::internal::CopyMode)1> const&, base::Callback<void (), (base::internal::CopyMode)1> const&, bool (*)(int))>, scoped_refptr<content::SharedWorkerServiceImpl::SharedWorkerReserver> const&, base::Callback<void (bool), (base::internal::CopyMode)1> const&, base::Callback<void (), (base::internal::CopyMode)1> const&, bool (* const&)(int)) base/bind_internal.h:321:5
#4 0x7f37cd183406 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51:3
#5 0x7f37cd025839 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:3
#6 0x7f37cd02648d in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:493:5
#7 0x7f37cd02727c in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:610:13
#8 0x7f37cd17c29c in base::MessagePumpGlib::HandleDispatch() base/message_loop/message_pump_glib.cc:267:7
#9 0x7f37cd17d01e in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109:3
#10 0x7f37c8026e03 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48e03)
SUMMARY: AddressSanitizer: heap-use-after-free base/memory/ref_counted.h:66:9 in base::subtle::RefCountedBase::Release() const
Shadow bytes around the buggy address:
0x0c22800a1a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800a1a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800a1a60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c22800a1a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800a1a80: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c22800a1a90: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800a1aa0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c22800a1ab0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c22800a1ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800a1ad0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c22800a1ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
May 10 2016
pfeldman - can you take a look at this UAF?
May 10 2016

May 10 2016
I can repro.
May 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cab5db51dd86ab96cc5c85df31ccc21a7b1ee019

commit cab5db51dd86ab96cc5c85df31ccc21a7b1ee019
Author: pfeldman <pfeldman@chromium.org>
Date: Wed May 11 01:59:50 2016

DevTools: do not report worker destroyed twice.

BUG= 610799
Review-Url: https://codereview.chromium.org/1968653003
Cr-Commit-Position: refs/heads/master@{#392819}

[modify] https://crrev.com/cab5db51dd86ab96cc5c85df31ccc21a7b1ee019/content/browser/devtools/shared_worker_devtools_manager.cc
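The ASan report shows the agent host freed at the end of SharedWorkerDevToolsManager::WorkerDestroyed and then released once more from ~WorkerTarget via ~BasicTargetDescriptor, and the commit title says the "worker destroyed" notification was reported twice. As an added example (not Chromium's code and not the contents of this commit), the C++ model below shows the defensive shape a lifecycle registry of this kind wants: the destroyed handler is idempotent, so a repeated notification finds nothing and does nothing, and the UI-facing descriptor holds its own strong reference, so a snapshot taken by a targets page stays valid until the page itself drops it. The names WorkerKey, AgentHost, TargetDescriptor and WorkerRegistry and the (7, 42) ids are invented for the example.

```cpp
// Added example, not Chromium code: a minimal model of a DevTools-style
// shared worker registry whose "worker destroyed" notification is idempotent.
// Every name here (WorkerKey, AgentHost, TargetDescriptor, WorkerRegistry)
// is made up for the illustration.
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <utility>

// Key modeled on the (process id, route id) ints passed to WorkerCreated and
// WorkerDestroyed in the trace above.
using WorkerKey = std::pair<int, int>;

// Stand-in for a ref-counted agent host. std::shared_ptr gives the
// "last reference frees" behaviour, so no hand-written Release() is needed.
struct AgentHost {
  WorkerKey key;
  explicit AgentHost(WorkerKey k) : key(k) {}
};

// A target descriptor (the role WorkerTarget plays in the trace) holds its
// own strong reference; the host must outlive every descriptor.
struct TargetDescriptor {
  std::shared_ptr<AgentHost> host;
};

class WorkerRegistry {
 public:
  // Returns true when a new entry was created, false for a duplicate create.
  bool WorkerCreated(int process_id, int route_id) {
    WorkerKey key{process_id, route_id};
    if (hosts_.count(key) != 0) return false;
    hosts_.emplace(key, std::make_shared<AgentHost>(key));
    return true;
  }

  // Idempotent teardown: only the first notification for a key drops the
  // registry's reference; a repeated one finds nothing and returns false
  // instead of touching memory the registry no longer owns.
  bool WorkerDestroyed(int process_id, int route_id) {
    auto it = hosts_.find(WorkerKey{process_id, route_id});
    if (it == hosts_.end()) return false;
    hosts_.erase(it);
    ++destroyed_count_;
    return true;
  }

  // Snapshot for a targets UI. Copying the shared_ptr takes a strong
  // reference, so the host stays valid even if the worker is destroyed later.
  std::unique_ptr<TargetDescriptor> DescribeWorker(int process_id,
                                                   int route_id) const {
    auto it = hosts_.find(WorkerKey{process_id, route_id});
    if (it == hosts_.end()) return nullptr;
    return std::unique_ptr<TargetDescriptor>(new TargetDescriptor{it->second});
  }

  std::size_t live_hosts() const { return hosts_.size(); }
  int destroyed_count() const { return destroyed_count_; }

 private:
  std::map<WorkerKey, std::shared_ptr<AgentHost>> hosts_;
  int destroyed_count_ = 0;
};

// Observations from replaying the report's sequence against the model.
struct ScenarioResult {
  bool first_destroy_handled;
  bool second_destroy_handled;
  long host_refs_while_ui_alive;  // references to the host after teardown
  std::size_t live_hosts_after;
  int teardowns;
};

// Create a worker, take a UI snapshot, report the worker destroyed twice,
// then let the snapshot go away last: the order the trace describes.
ScenarioResult RunDuplicateDestroyScenario() {
  WorkerRegistry registry;
  registry.WorkerCreated(7, 42);
  std::unique_ptr<TargetDescriptor> snapshot = registry.DescribeWorker(7, 42);

  ScenarioResult r{};
  r.first_destroy_handled = registry.WorkerDestroyed(7, 42);
  r.second_destroy_handled = registry.WorkerDestroyed(7, 42);  // duplicate
  r.host_refs_while_ui_alive = snapshot ? snapshot->host.use_count() : 0;
  r.live_hosts_after = registry.live_hosts();
  r.teardowns = registry.destroyed_count();
  return r;  // snapshot is released here, freeing the host exactly once
}

int main() {
  ScenarioResult r = RunDuplicateDestroyScenario();
  std::printf("first destroy handled: %d, second: %d, refs held by UI: %ld, "
              "live hosts: %zu, teardowns: %d\n",
              r.first_destroy_handled, r.second_destroy_handled,
              r.host_refs_while_ui_alive, r.live_hosts_after, r.teardowns);
  return 0;
}
```

Two properties together keep this model free of the failure in the report: the registry never acts on a key it no longer holds, and ownership is shared rather than transferred, so no caller can free the host while a descriptor still references it. Running the model under AddressSanitizer with the duplicate notification in place reports nothing, which is the check worth adding to a regression test for a fix of this shape.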
May 11 2016

May 11 2016

May 23 2016
pfeldman: Is this fixed with #7? If so, let's merge to M51.
May 23 2016
Sure.
May 23 2016
[Automated comment] Less than 2 weeks to go before stable on M51, manual review required.
May 23 2016
Fixed bugs pending merge should be in fixed status. Merge is tracked by merge labels.
May 23 2016
Before we approve merge to M51, Could you please confirm whether this change is baked/verified in Canary and safe to merge?
May 23 2016
It has been running on Canary for 10 days with no issues.
May 23 2016
Thank you, approving merge to M51 branch 2704 based on comment #15. Please merge before 5:00 PM PST, today (Monday) in order to make it to the M51 Desktop stable candidate cut for this week's release.
May 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3bc413f74d8a403ac37fc6544666a15de6223ef0

commit 3bc413f74d8a403ac37fc6544666a15de6223ef0
Author: Pavel Feldman <pfeldman@chromium.org>
Date: Mon May 23 18:26:04 2016

DevTools: do not report worker destroyed twice.

BUG= 610799
Review-Url: https://codereview.chromium.org/1968653003
Cr-Commit-Position: refs/heads/master@{#392819}
(cherry picked from commit cab5db51dd86ab96cc5c85df31ccc21a7b1ee019)

Review URL: https://codereview.chromium.org/2000233003 .

Cr-Commit-Position: refs/branch-heads/2704@{#637}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/3bc413f74d8a403ac37fc6544666a15de6223ef0/content/browser/devtools/shared_worker_devtools_manager.cc
May 24 2016

Jun 3 2016

Jun 6 2016
Noting in next M51 release notes.
Aug 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by wfh@chromium.org, May 10 2016
Status: Available (was: Unconfirmed)