Heap-use-after-free in views::Widget::OnNativeWidgetDestroying
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5772411869331456
Fuzzer: inferno_webbot
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x608000313d58
Crash State:
  views::Widget::OnNativeWidgetDestroying
  views::NativeWidgetAura::OnWindowDestroying
  aura::Window::~Window
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=393144:393183
Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95bFfJN_Apqnifk2Y4Okc7ZGlWGoQySZXrE-7eV_17lGK1B1Mv-NeX5VNX6kiMb_BZS_JgJj-1mQ-U6GOwbYBoLYGZyiWF3LJz3_Td7em-rBL1qhr4hEZW5rewKMayVelsL_JWJyAZ9sgA8nOn3q71trEP2NA
Additional requirements: Requires Gestures
Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

May 16 2016

May 16 2016

May 16 2016

May 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

May 23 2016
+wittman and oshima, who have worked on some of the relevant code.

May 24 2016
It's probably regressed in https://crrev.com/65dafe01584f929280381544785961d5d5d26b3d. CL may not be the root cause but just revealing the issue though. yoshiki@, can you take a look?

May 26 2016

May 26 2016

May 30 2016
yoshiki: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 2 2016
Umm, I can't repro this.

Jun 2 2016
Kicked off redo 'Fixed' job. yoshiki@, as I see there are some gestures involved: Interaction Gestures? [u'key,super+space', u'key,ctrl+minus', u'keydown,space', u'key,alt+N'] Have you tried to reproduce it with gestures?

Jun 2 2016
I sometimes tried the cluster-fuzz scripts with the "Local reproduction config" and "Build" on the cluster fuzz dashboard. But it ran without an asan error. And I also tried gestures manually, but no error. This heap-use-after-free might be flaky.

Jun 2 2016
Marty, what do we usually do with such issues?

Jun 2 2016
Here is the stack. Looks like TrayBubbleWrapper is a WidgetObserver and it's somehow called after it is deleted.
==17977==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080002ac9d8 at pc 0x7fba5b3adfbd bp 0x7ffe3e814ff0 sp 0x7ffe3e814fe8
READ of size 8 at 0x6080002ac9d8 thread T0 (chrome)
SCARINESS: 51 (8-byte-read-heap-use-after-free)
#0 0x7fba5b3adfbc in views::Widget::OnNativeWidgetDestroying() ui/views/widget/widget.cc:1073:3
#1 0x7fba5b402dd5 in OnWindowDestroying ui/views/widget/native_widget_aura.cc:846:14
#2 0x7fba5b402dd5 in non-virtual thunk to views::NativeWidgetAura::OnWindowDestroying(aura::Window*) ui/views/widget/native_widget_aura.cc:844
#3 0x7fba57202437 in aura::Window::~Window() ui/aura/window.cc:111:16
#4 0x7fba5720473a in aura::Window::~Window() ui/aura/window.cc:104:19
#5 0x7fba5b406f10 in Run<views::NativeWidgetAura *> base/bind_internal.h:186:12
#6 0x7fba5b406f10 in MakeItSo<base::internal::RunnableAdapter<void (views::NativeWidgetAura::*)()> &, base::WeakPtr<views::NativeWidgetAura>> base/bind_internal.h:324
#7 0x7fba5b406f10 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (views::NativeWidgetAura::*)()>, void (views::NativeWidgetAura*), base::WeakPtr<views::NativeWidgetAura> >, true, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:363
#8 0x7fba4c585a17 in Run base/callback.h:397:12
#9 0x7fba4c585a17 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
#10 0x7fba4c3f44d5 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:475:19
#11 0x7fba4c3f59bf in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:5
#12 0x7fba4c3f715c in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:601:13
#13 0x7fba4c57d027 in HandleDispatch base/message_loop/message_pump_glib.cc:267:25
#14 0x7fba4c57d027 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109
#15 0x7fba47173e03 in g_main_context_dispatch
0x6080002ac9d8 is located 56 bytes inside of 88-byte region [0x6080002ac9a0,0x6080002ac9f8)
freed by thread T0 (chrome) here:
#0 0x7fba4b0b3a3b in operator delete(void*)
#1 0x7fba589a5602 in operator() /usr/include/c++/4.6/bits/unique_ptr.h:63:2
#2 0x7fba589a5602 in reset /usr/include/c++/4.6/bits/unique_ptr.h:245
#3 0x7fba589a5602 in ~unique_ptr /usr/include/c++/4.6/bits/unique_ptr.h:169
#4 0x7fba589a5602 in ~WebNotificationBubbleWrapper ash/system/web_notification/web_notification_tray.cc:82
#5 0x7fba589a5602 in operator() /usr/include/c++/4.6/bits/unique_ptr.h:63
#6 0x7fba589a5602 in reset /usr/include/c++/4.6/bits/unique_ptr.h:245
#7 0x7fba589a5602 in ash::WebNotificationTray::HideMessageCenter() ash/system/web_notification/web_notification_tray.cc:276
#8 0x7fba5b47a94a in message_center::MessageCenterTray::HideMessageCenterBubble() ui/message_center/message_center_tray.cc:138:14
#9 0x7fba5898826d in ash::TrayBubbleWrapper::OnWidgetDestroying(views::Widget*) ash/system/tray/tray_bubble_wrapper.cc:53:10
#10 0x7fba5b3ade76 in views::Widget::OnNativeWidgetDestroying() ui/views/widget/widget.cc:1073:3
#11 0x7fba5b402dd5 in OnWindowDestroying ui/views/widget/native_widget_aura.cc:846:14
#12 0x7fba5b402dd5 in non-virtual thunk to views::NativeWidgetAura::OnWindowDestroying(aura::Window*) ui/views/widget/native_widget_aura.cc:844
#13 0x7fba57202437 in aura::Window::~Window() ui/aura/window.cc:111:16
#14 0x7fba5720473a in aura::Window::~Window() ui/aura/window.cc:104:19
#15 0x7fba5b406f10 in Run<views::NativeWidgetAura *> base/bind_internal.h:186:12
#16 0x7fba5b406f10 in MakeItSo<base::internal::RunnableAdapter<void (views::NativeWidgetAura::*)()> &, base::WeakPtr<views::NativeWidgetAura>> base/bind_internal.h:324
#17 0x7fba5b406f10 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (views::NativeWidgetAura::*)()>, void (views::NativeWidgetAura*), base::WeakPtr<views::NativeWidgetAura> >, true, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:363
#18 0x7fba4c585a17 in Run base/callback.h:397:12
#19 0x7fba4c585a17 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
#20 0x7fba4c3f44d5 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:475:19
#21 0x7fba4c3f59bf in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:5
#22 0x7fba4c3f715c in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:601:13
#23 0x7fba4c57d027 in HandleDispatch base/message_loop/message_pump_glib.cc:267:25
#24 0x7fba4c57d027 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109
#25 0x7fba47173e03 in g_main_context_dispatch
previously allocated by thread T0 (chrome) here:
#0 0x7fba4b0b347b in operator new(unsigned long)
#1 0x7fba589a488d in ash::WebNotificationTray::ShowMessageCenterInternal(bool) ash/system/web_notification/web_notification_tray.cc:243:7
#2 0x7fba5b47a6a0 in message_center::MessageCenterTray::ShowMessageCenterBubble() ui/message_center/message_center_tray.cc:127:40
#3 0x7fba587b6c8d in HandleShowMessageCenterBubble ash/accelerators/accelerator_controller.cc:436:26
#4 0x7fba587b6c8d in ash::AcceleratorController::PerformAction(ash::AcceleratorAction, ui::Accelerator const&) ash/accelerators/accelerator_controller.cc:1258
#5 0x7fba587bc3b0 in ash::AcceleratorController::AcceleratorPressed(ui::Accelerator const&) ash/accelerators/accelerator_controller.cc:894:5
#6 0x7fba60666bb2 in ui::AcceleratorManager::Process(ui::Accelerator const&) ui/base/accelerators/accelerator_manager.cc:94:20
#7 0x7fba58a47781 in ash::AcceleratorDelegate::ProcessAccelerator(ui::KeyEvent const&, ui::Accelerator const&, wm::AcceleratorDelegate::KeyType) ash/accelerators/accelerator_delegate.cc:38:58
#8 0x7fba5b19b7d7 in wm::AcceleratorFilter::OnKeyEvent(ui::KeyEvent*) ui/wm/core/accelerator_filter.cc:73:18
#9 0x7fba607381a6 in DispatchEvent ui/events/event_dispatcher.cc:191:12
#10 0x7fba607381a6 in ui::EventDispatcher::DispatchEventToEventHandlers(std::vector<ui::EventHandler*, std::allocator<ui::EventHandler*> >*, ui::Event*) ui/events/event_dispatcher.cc:170
#11 0x7fba60736e18 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:127:3
#12 0x7fba6073679d in DispatchEventToTarget ui/events/event_dispatcher.cc:86:14
#13 0x7fba6073679d in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:58
#14 0x7fba6073a57e in ui::EventProcessor::OnEventFromSource(ui::Event*) ui/events/event_processor.cc:35:15
#15 0x7fba5887bbcc in DispatchKeyEventPostIME ash/host/ash_window_tree_host_x11.cc:242:26
#16 0x7fba5887bbcc in non-virtual thunk to ash::AshWindowTreeHostX11::DispatchKeyEventPostIME(ui::KeyEvent*) ash/host/ash_window_tree_host_x11.cc:238
#17 0x7fba62dcad9f in ui::InputMethodBase::DispatchKeyEventPostIME(ui::KeyEvent*) const ui/base/ime/input_method_base.cc:118:26
#18 0x7fba62dbc950 in ProcessUnfilteredKeyPressEvent ui/base/ime/input_method_chromeos.cc:376:17
#19 0x7fba62dbc950 in ui::InputMethodChromeOS::DispatchKeyEvent(ui::KeyEvent*) ui/base/ime/input_method_chromeos.cc:119
#20 0x7fba5887dd2d in ash::InputMethodEventHandler::OnKeyEvent(ui::KeyEvent*) ash/ime/input_method_event_handler.cc:35:18
#21 0x7fba607381a6 in DispatchEvent ui/events/event_dispatcher.cc:191:12
#22 0x7fba607381a6 in ui::EventDispatcher::DispatchEventToEventHandlers(std::vector<ui::EventHandler*, std::allocator<ui::EventHandler*> >*, ui::Event*) ui/events/event_dispatcher.cc:170
#23 0x7fba60736e18 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:127:3
#24 0x7fba6073679d in DispatchEventToTarget ui/events/event_dispatcher.cc:86:14
#25 0x7fba6073679d in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:58
#26 0x7fba6073a57e in ui::EventProcessor::OnEventFromSource(ui::Event*) ui/events/event_processor.cc:35:15
#27 0x7fba6073bae9 in DeliverEventToProcessor ui/events/event_source.cc:73:21
#28 0x7fba6073bae9 in ui::EventSource::SendEventToProcessor(ui::Event*) ui/events/event_source.cc:51
#29 0x7fba62dd30aa in aura::WindowTreeHostX11::DispatchEvent(_XEvent* const&) ui/aura/window_tree_host_x11.cc:245:9
#30 0x7fba4e97aaa6 in ui::PlatformEventSource::DispatchEvent(_XEvent*) ui/events/platform/platform_event_source.cc:83:30
#31 0x7fba60789a8c in ui::X11EventSource::ExtractCookieDataDispatchEvent(_XEvent*) ui/events/platform/x11/x11_event_source.cc:204:14
#32 0x7fba607895ea in ui::X11EventSource::DispatchXEvents() ui/events/platform/x11/x11_event_source.cc:139:5
#33 0x7fba60788efa in ui::(anonymous namespace)::XSourceDispatch(_GSource*, int (*)(void*), void*) ui/events/platform/x11/x11_event_source_glib.cc:41:15
#34 0x7fba47173ce4 in g_main_context_dispatch

Jun 2 2016
Should we do RemoveObserver(this) in the destructor in MessageCenterBubble? (like: https://codereview.chromium.org/2031763003/)
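Added example (my own C++ model, not Chromium code) of the observer-lifetime hazard this thread describes: a WidgetObserver owned by some other object is deleted inside another observer's OnWidgetDestroying, and unless its destructor calls RemoveObserver (the fix proposed above) the widget's observer list keeps a dangling pointer that the next notification would read. The names Widget, Bubble, Tray and the g_live registry are constructed stand-ins; g_live exists only so the dangling entry can be counted instead of dereferenced.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>
struct Widget; struct WidgetObserver;
static std::set<WidgetObserver*> g_live;  // constructed instrumentation: observers that still exist
struct WidgetObserver {
  WidgetObserver() { g_live.insert(this); }
  virtual ~WidgetObserver() { g_live.erase(this); }
  virtual void OnWidgetDestroying(Widget* w) = 0;
};
struct Widget {  // stand-in for the observer handling in views::Widget
  void AddObserver(WidgetObserver* o) { observers_.push_back(o); }
  void RemoveObserver(WidgetObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o), observers_.end());
  }
  // Mirrors OnNativeWidgetDestroying: notify each observer registered when teardown began,
  // skipping any removed meanwhile. Returns how many entries still pointed at a destroyed
  // observer; a real widget calls through them, which is the UAF read in this report.
  int NotifyDestroying() {
    int stale = 0;
    for (WidgetObserver* o : std::vector<WidgetObserver*>(observers_)) {
      if (std::find(observers_.begin(), observers_.end(), o) == observers_.end()) continue;
      if (!g_live.count(o)) { ++stale; continue; }  // dangling entry: never dereferenced here
      o->OnWidgetDestroying(this);
    }
    return stale;
  }
  std::vector<WidgetObserver*> observers_;
};
struct Bubble : WidgetObserver {  // stand-in for MessageCenterBubble, owned by another object
  Bubble(Widget* w, bool fixed) : widget_(w), fixed_(fixed) { w->AddObserver(this); }
  ~Bubble() override { if (fixed_) widget_->RemoveObserver(this); }  // the fix from this thread
  void OnWidgetDestroying(Widget*) override {}
  Widget* widget_; bool fixed_;
};
// Stand-in for TrayBubbleWrapper: its callback hides the message center, which deletes
// the Bubble while the widget is still walking its observer list.
struct Tray : WidgetObserver {
  Tray(Widget* w, bool fixed) : widget_(w) { w->AddObserver(this); bubble_.reset(new Bubble(w, fixed)); }
  ~Tray() override { widget_->RemoveObserver(this); }
  void OnWidgetDestroying(Widget*) override { bubble_.reset(); }  // like HideMessageCenter()
  Widget* widget_; std::unique_ptr<Bubble> bubble_;
};
// Tears one widget down: 1 would-be UAF notification without the fix, 0 with it.
int StaleNotifications(bool fixed) {
  Widget widget;
  Tray tray(&widget, fixed);
  return widget.NotifyDestroying();
}
```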

Jun 2 2016
c#14: The script mentioned in c#13 is the best bet. If some kind of speculative fix is possible, which seems to be the case from the recent comments, it's worth a try. Otherwise there's not much that can be done.

Jun 16 2016
yoshiki: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 16 2016
Any update on this bug as it is marked as M52 stable blocker?

Jun 20 2016

Jun 20 2016
Trying on speculative fix: https://codereview.chromium.org/2071553002/

Jun 20 2016
> c#20 But I can't repro this heap-use-after-free, so it may be a false positive or rare. Although I'm trying on adding a speculative fix, I don't think this issue is a stable blocker.

Jun 27 2016
** IMPORTANT change in M52 merge date due to first 2 weeks of July no release weeks ** M52 Stable is launching very soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on July 1 to make into the desktop Stable final build cut. Thank you!

Jun 28 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5772411869331456
Fuzzer: inferno_webbot
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x608000313d58
Crash State:
  views::Widget::OnNativeWidgetDestroying
  views::NativeWidgetAura::OnWindowDestroying
  aura::Window::~Window
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv970m6qSmfm8IiINFyqaG54FRNAQOKg4WODrRCxqD-oz_UjTSIGpG5bZTH9i4lHKtQAkdWPKOzBTi1VJXMZMqqQrJlsb8LyriZorRNHte80MiaXN4kbq7UqkRQwoBErN3_p0d05N8NP8IafCcQ3655QrRFMjWA?testcase_id=5772411869331456
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/58f821b32a3b99bf15855225dff13d77f10d7484

commit 58f821b32a3b99bf15855225dff13d77f10d7484
Author: yoshiki <yoshiki@chromium.org>
Date: Tue Jun 28 05:28:59 2016

Remove itself from the widget observers in destructor

This patch may fix the use-after-free reported in crbug.com/612050 .

BUG= 612050
TEST=msan passes

Review-Url: https://codereview.chromium.org/2031763003
Cr-Commit-Position: refs/heads/master@{#402408}

[modify] https://crrev.com/58f821b32a3b99bf15855225dff13d77f10d7484/ui/message_center/views/message_center_bubble.cc

Jun 28 2016

Jun 28 2016
Before we approve merge to M52, could you please confirm whether this change is baked/verified in Canary and safe to merge?

Jun 28 2016
Got it. Let's wait for the next canary.

Jun 28 2016

Jun 29 2016
memo: 53.0.2783 or later contain the fix.

Jun 29 2016

Jul 11 2016
Approving merge to M52.

Jul 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/48a749e6902eab2284b7b670e1e053d7338fa8f0

commit 48a749e6902eab2284b7b670e1e053d7338fa8f0
Author: yoshiki iguchi <yoshiki@chromium.org>
Date: Tue Jul 12 03:52:12 2016

Remove itself from the widget observers in destructor

This patch may fix the use-after-free reported in crbug.com/612050 .

BUG= 612050
TEST=msan passes

Review-Url: https://codereview.chromium.org/2031763003
Cr-Commit-Position: refs/heads/master@{#402408}
(cherry picked from commit 58f821b32a3b99bf15855225dff13d77f10d7484)

Review URL: https://codereview.chromium.org/2140923003 .

Cr-Commit-Position: refs/branch-heads/2743@{#615}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/48a749e6902eab2284b7b670e1e053d7338fa8f0/ui/message_center/views/message_center_bubble.cc

Oct 5 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 15 2016
Components: Internals>Views
Labels: Pri-2
Owner: ben@chromium.org