Security: Heap-use-after-free in extensions::Extension::id
Reported by chromium...@gmail.com, May 31 2016
Issue description
VERSION
Chrome Version: 53.0.2753.0 canary
Operating System: Win7
REPRODUCTION CASE
1. Navigate to chrome://apps and right click on any app, select 'Open as window' option
2. Launch that app, and now navigate to chrome://settings and remove that person.
3. Crash!
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
=================================================================
==3956==ERROR: AddressSanitizer: heap-use-after-free on address 0x1cb0a0bc at pc 0x0a276e24 bp 0xdeadbeef sp 0x002dcf74
READ of size 4 at 0x1cb0a0bc thread T0
[0531/135722:ERROR:registration_protocol_win.cc(53)] CreateFile: The system cannot find the path specified. (0x3)
==3956==WARNING: Failed to use and restart external symbolizer!
[0531/135741:ERROR:main_dll_loader_win.cc(199)] Could not find exported function RelaunchChromeBrowserWithNewCommandLineIfNeeded
#0 0xa276e23 in extensions::Extension::id C:\b\build\slave\Win_ASan_Release\build\src\extensions\common\extension.cc:394
#1 0x65e8119 in ChromeTabRestoreServiceClient::GetExtensionAppIDForTab C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\sessions\chrome_tab_resto
re_service_client.cc:104
#2 0xda82766 in sessions::TabRestoreServiceHelper::PopulateTab C:\b\build\slave\Win_ASan_Release\build\src\components\sessions\core\tab_restore_service_hel
per.cc:376
#3 0xda83e04 in sessions::TabRestoreServiceHelper::BrowserClosing C:\b\build\slave\Win_ASan_Release\build\src\components\sessions\core\tab_restore_service_
helper.cc:100
#4 0xa8f1323 in Browser::OnWindowClosing C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\browser.cc:709
#5 0xab8d11e in chrome::UnloadController::ProcessPendingTabs C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\unload_controller.cc:288
#6 0xab8b92c in chrome::UnloadController::ClearUnloadState C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\unload_controller.cc:364
#7 0xab8b30c in chrome::UnloadController::CanCloseContents C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\unload_controller.cc:41
#8 0xa8fb46a in Browser::CloseContents C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\ui\browser.cc:1498
#9 0xb39b4e7 in content::WebContentsImpl::Close+0x97 (C:\Users\admin\Desktop\asan-win32-release-396634\chrome.dll+0x71cb4e7)
#10 0xb38a267 in content::WebContentsImpl::Close+0x57 (C:\Users\admin\Desktop\asan-win32-release-396634\chrome.dll+0x71ba267)
#11 0xb39e774 in content::WebContentsImpl::RendererUnresponsive+0x3c4 (C:\Users\admin\Desktop\asan-win32-release-396634\chrome.dll+0x71ce774)
#12 0xb59cb21 in content::RenderWidgetHostImpl::RendererIsUnresponsive C:\b\build\slave\Win_ASan_Release\build\src\content\browser\renderer_host\render_wid
get_host_impl.cc:1462
#13 0x9ed4bea in base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (device::UsbServiceImpl::*)(
) __attribute__((thiscall))>,void (device::UsbServiceImpl *),base::WeakPtr<device::UsbServiceImpl> >,base::internal::InvokeHelper<1,void,base::internal::Runnab
leAdapter<void (device::UsbServiceImpl::*)() __attribute__((thiscall))> >,void ()>::Run+0x12a (C:\Users\admin\Desktop\asan-win32-release-396634\chrome.dll+0x5d
04bea)
#14 0xb91c60f in content::TimeoutMonitor::CheckTimedOut C:\b\build\slave\Win_ASan_Release\build\src\content\browser\renderer_host\input\timeout_monitor.cc:
103
#15 0x744ebd7 in base::Timer::RunScheduledTask C:\b\build\slave\Win_ASan_Release\build\src\base\timer\timer.cc:211
#16 0x7532851 in base::debug::TaskAnnotator::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\debug\task_annotator.cc:49
#17 0x739d242 in base::MessageLoop::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:475
#18 0x739f172 in base::MessageLoop::DoDelayedWork C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:637
#19 0x75353bf in base::MessagePumpForUI::WndProcThunk C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_win.cc:143
#20 0x7536140 in base::win::WrappedWindowProc C:\b\build\slave\Win_ASan_Release\build\src\base\win\wrapped_window_proc.h:76
#21 0x75f6c4e6 in gapfnScSendMessage+0x1ce (C:\Windows\system32\USER32.dll+0x77d2c4e6)
#22 0x75f6c5e6 in gapfnScSendMessage+0x2ce (C:\Windows\system32\USER32.dll+0x77d2c5e6)
#23 0x75f6cc18 in gapfnScSendMessage+0x900 (C:\Windows\system32\USER32.dll+0x77d2cc18)
#24 0x75f6cc6f in DispatchMessageW+0xe (C:\Windows\system32\USER32.dll+0x77d2cc6f)
#25 0x753668e in base::MessagePumpForUI::ProcessMessageHelper C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_win.cc:388
#26 0x753596d in base::MessagePumpForUI::DoRunLoop C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_win.cc:204
#27 0x753463d in base::MessagePumpWin::Run C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_win.cc:58
#28 0x739c5b8 in base::MessageLoop::RunHandler C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:439
#29 0x7489500 in base::RunLoop::Run+0x1e0 (C:\Users\admin\Desktop\asan-win32-release-396634\chrome.dll+0x32b9500)
#30 0x6060665 in ChromeBrowserMainParts::MainMessageLoopRun C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\chrome_browser_main.cc:1904
#31 0xb69d720 in content::BrowserMainLoop::RunMainMessageLoopParts C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main_loop.cc:972
#32 0xb6430ef in content::BrowserMainRunnerImpl::Run C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main_runner.cc:154
#33 0xb603597 in content::BrowserMain C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main.cc:46
#34 0x70a567d in content::RunNamedProcessTypeMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:420
#35 0x70a7659 in content::ContentMainRunnerImpl::Run C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:787
#36 0x70a5234 in content::ContentMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main.cc:20
#37 0x5e01232 in ChromeMain C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\chrome_main.cc:84
#38 0x124aaf6 in MainDllLoader::Launch C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\main_dll_loader_win.cc:185
#39 0x12425a6 in main C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\chrome_exe_main_win.cc:263
#40 0x1e4bd4c in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255
#41 0x77243c44 in BaseThreadInitThunk+0x11 (C:\Windows\system32\kernel32.dll+0x77e33c44)
#42 0x778c37f4 in RtlInitializeExceptionChain+0xee (C:\Windows\SYSTEM32\ntdll.dll+0x77f237f4)
#43 0x778c37c7 in RtlInitializeExceptionChain+0xc1 (C:\Windows\SYSTEM32\ntdll.dll+0x77f237c7)
0x1cb0a0bc is located 316 bytes inside of 340-byte region [0x1cb09f80,0x1cb0a0d4)
freed by thread T0 here:
#0 0x1e35344 in free+0xa4 (C:\Users\admin\Desktop\asan-win32-release-396634\chrome.exe+0xff5344)
#1 0xa285ac6 in extensions::Extension::~Extension C:\b\build\slave\Win_ASan_Release\build\src\extensions\common\extension.cc:508
#2 0xdc22f16 in ExtensionService::UnloadExtension C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\extensions\extension_service.cc:1381
#3 0xdc30891 in ExtensionService::OnProfileDestructionStarted C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\extensions\extension_service.cc:24
46
#4 0xdc2ea0d in ExtensionService::Observe C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\extensions\extension_service.cc:2180
#5 0xb3ccc10 in content::NotificationServiceImpl::Notify C:\b\build\slave\Win_ASan_Release\build\src\content\browser\notification_service_impl.cc:130
#6 0x628b326 in ProfileManager::FinishDeletingProfile C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_manager.cc:1362
#7 0x628affe in ProfileManager::OnNewActiveProfileLoaded C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_manager.cc:1637
#8 0x629fb0f in base::internal::Invoker<base::IndexSequence<0,1,2,3>,base::internal::BindState<base::internal::RunnableAdapter<void (ProfileManager::*)(con
st base::FilePath &, const base::FilePath &, const base::Callback<void (Profile *, Profile::CreateStatus),base::internal::CopyMode::Copyable> &, Profile *, Pro
file::CreateStatus) __attribute__((thiscall))>,void (ProfileManager *, const base::FilePath &, const base::FilePath &, const base::Callback<void (Profile *, Pr
ofile::CreateStatus),base::internal::CopyMode::Copyable> &, Profile *, Profile::CreateStatus),base::internal::UnretainedWrapper<ProfileManager>,const base::Fil
ePath &,base::FilePath &,const base::Callback<void (Profile *, Profile::CreateStatus),base::internal::CopyMode::Copyable> &>,base::internal::InvokeHelper<0,voi
d,base::internal::RunnableAdapter<void (ProfileManager::*)(const base::FilePath &, const base::FilePath &, const base::Callback<void (Profile *, Profile::Creat
eStatus),base::internal::CopyMode::Copyable> &, Profile *, Profile::CreateStatus) __attribute__((thiscall))> >,void (Profile *, Profile::CreateStatus)>::Run C:
\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:363
#9 0x62939f8 in ProfileManager::OnProfileCreated C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_manager.cc:1081
#10 0x67ac2e7 in ProfileImpl::DoFinalInit C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_impl.cc:626
#11 0x67b33fd in ProfileImpl::OnLocaleReady C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_impl.cc:833
#12 0x67aa415 in ProfileImpl::OnPrefsLoaded C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_impl.cc:854
#13 0xcc8db18 in base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (invalidation::SafeStorage
::*)(base::Callback<void (bool),base::internal::CopyMode::Copyable> *, bool) __attribute__((thiscall))>,void (invalidation::SafeStorage *, base::Callback<void
(bool),base::internal::CopyMode::Copyable> *, bool),base::internal::UnretainedWrapper<invalidation::SafeStorage>,base::Callback<void (bool),base::internal::Cop
yMode::Copyable> *&>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (invalidation::SafeStorage::*)(base::Callback<void (bool),base::i
nternal::CopyMode::Copyable> *, bool) __attribute__((thiscall))> >,void (bool)>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:363
#14 0x771be41 in PrefNotifierImpl::OnInitializationCompleted C:\b\build\slave\Win_ASan_Release\build\src\components\prefs\pref_notifier_impl.cc:93
#15 0x7720c8f in PrefValueStore::PrefStoreKeeper::OnInitializationCompleted C:\b\build\slave\Win_ASan_Release\build\src\components\prefs\pref_value_store.c
c:48
#16 0xee8c3ca in SegregatedPrefStore::AggregatingObserver::OnInitializationCompleted C:\b\build\slave\Win_ASan_Release\build\src\components\user_prefs\trac
ked\segregated_pref_store.cc:47
#17 0x77075e5 in JsonPrefStore::FinalizeFileRead C:\b\build\slave\Win_ASan_Release\build\src\components\prefs\json_pref_store.cc:440
#18 0x7709a45 in base::internal::RunnableAdapter<void (JsonPrefStore::*)(bool, std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryVa
lue> >, bool) __attribute__((thiscall))>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:186
#19 0x770972c in base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (JsonPrefStore::*)(bool, s
td::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool) __attribute__((thiscall))>,void (JsonPrefStore *, bool, std::unique_pt
r<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool),base::WeakPtr<JsonPrefStore>,bool &>,base::internal::InvokeHelper<1,void,base::inte
rnal::RunnableAdapter<void (JsonPrefStore::*)(bool, std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool) __attribute__((th
iscall))> >,void (std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool)>::Run C:\b\build\slave\Win_ASan_Release\build\src\b
ase\bind_internal.h:357
#20 0xee7b8d2 in PrefHashFilter::FinalizeFilterOnLoad C:\b\build\slave\Win_ASan_Release\build\src\components\user_prefs\tracked\pref_hash_filter.cc:234
#21 0xee8fd21 in base::internal::RunnableAdapter<void (InterceptablePrefFilter::*)(const base::Callback<void (std::unique_ptr<base::DictionaryValue,std::de
fault_delete<base::DictionaryValue> >, bool),base::internal::CopyMode::Copyable> &, std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryV
alue> >, bool) __attribute__((thiscall))>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:186
#22 0xee8fa1c in base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (InterceptablePrefFilter::
*)(const base::Callback<void (std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool),base::internal::CopyMode::Copyable> &,
std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool) __attribute__((thiscall))>,void (InterceptablePrefFilter *, const bas
e::Callback<void (std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool),base::internal::CopyMode::Copyable> &, std::unique_
ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool),base::WeakPtr<InterceptablePrefFilter>,const base::Callback<void (std::unique_ptr
<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool),base::internal::CopyMode::Copyable> &>,base::internal::InvokeHelper<1,void,base::int
ernal::RunnableAdapter<void (InterceptablePrefFilter::*)(const base::Callback<void (std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryV
alue> >, bool),base::internal::CopyMode::Copyable> &, std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool) __attribute__((
thiscall))> >,void (std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool)>::Run C:\b\build\slave\Win_ASan_Release\build\src
\base\bind_internal.h:357
#23 0xee8923a in `anonymous namespace'::TrackedPreferencesMigrator::MigrateIfReady C:\b\build\slave\Win_ASan_Release\build\src\components\user_prefs\tracke
d\tracked_preferences_migration.cc:317
#24 0xee88782 in `anonymous namespace'::TrackedPreferencesMigrator::InterceptFilterOnLoad C:\b\build\slave\Win_ASan_Release\build\src\components\user_prefs
\tracked\tracked_preferences_migration.cc:266
#25 0xee88bbd in base::internal::RunnableAdapter<void ((anonymous namespace)::TrackedPreferencesMigrator::*)((anonymous namespace)::TrackedPreferencesMigra
tor::PrefFilterID, const base::Callback<void (std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool),base::internal::CopyMod
e::Copyable> &, std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >) __attribute__((thiscall))>::Run C:\b\build\slave\Win_ASan_R
elease\build\src\base\bind_internal.h:186
#26 0xee88a6d in base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ((anonymous namespace)::Tr
ackedPreferencesMigrator::*)((anonymous namespace)::TrackedPreferencesMigrator::PrefFilterID, const base::Callback<void (std::unique_ptr<base::DictionaryValue,
std::default_delete<base::DictionaryValue> >, bool),base::internal::CopyMode::Copyable> &, std::unique_ptr<base::DictionaryValue,std::default_delete<base::Dict
ionaryValue> >) __attribute__((thiscall))>,void ((anonymous namespace)::TrackedPreferencesMigrator *, (anonymous namespace)::TrackedPreferencesMigrator::PrefFi
lterID, const base::Callback<void (std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool),base::internal::CopyMode::Copyable
> &, std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >),(anonymous namespace)::TrackedPreferencesMigrator *,(anonymous namespa
ce)::TrackedPreferencesMigrator::PrefFilterID>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ((anonymous namespace)::TrackedPreferen
cesMigrator::*)((anonymous namespace)::TrackedPreferencesMigrator::PrefFilterID, const base::Callback<void (std::unique_ptr<base::DictionaryValue,std::default_
delete<base::DictionaryValue> >, bool),base::internal::CopyMode::Copyable> &, std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue>
>) __attribute__((thiscall))> >,void (const base::Callback<void (std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >, bool),base
::internal::CopyMode::Copyable> &, std::unique_ptr<base::DictionaryValue,std::default_delete<base::DictionaryValue> >)>::Run C:\b\build\slave\Win_ASan_Release\
build\src\base\bind_internal.h:363
#27 0xee8f258 in InterceptablePrefFilter::FilterOnLoad C:\b\build\slave\Win_ASan_Release\build\src\components\user_prefs\tracked\interceptable_pref_filter.
cc:31
#28 0x7704f95 in JsonPrefStore::OnFileRead C:\b\build\slave\Win_ASan_Release\build\src\components\prefs\json_pref_store.cc:385
#29 0xd95626a in base::internal::RunnableAdapter<void (extensions::NetworkingPrivateGetNetworksFunction::*)(std::unique_ptr<base::ListValue,std::default_de
lete<base::ListValue> >) __attribute__((thiscall))>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:186
previously allocated by thread T0 here:
#0 0x1e35418 in malloc+0xb8 (C:\Users\admin\Desktop\asan-win32-release-396634\chrome.exe+0xff5418)
#1 0x12f6f26e in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:19
#2 0xa2725cf in extensions::Extension::Create C:\b\build\slave\Win_ASan_Release\build\src\extensions\common\extension.cc:134
#3 0xa2722bd in extensions::Extension::Create C:\b\build\slave\Win_ASan_Release\build\src\extensions\common\extension.cc:103
#4 0xdcc674a in extensions::ComponentLoader::Load C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\extensions\component_loader.cc:269
#5 0xdcc6085 in extensions::ComponentLoader::LoadAll C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\extensions\component_loader.cc:158
#6 0xdc0f958 in ExtensionService::Init C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\extensions\extension_service.cc:426
#7 0xe1ff480 in extensions::ExtensionSystemImpl::Shared::Init C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\extensions\extension_system_impl.c
c:256
#8 0xe202492 in extensions::ExtensionSystemImpl::InitForRegularProfile C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\extensions\extension_syst
em_impl.cc:371
#9 0x629801e in ProfileManager::DoFinalInitForServices C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_manager.cc:1164
#10 0x62975ca in ProfileManager::DoFinalInit C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_manager.cc:1131
#11 0x629c4ef in ProfileManager::AddProfile C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_manager.cc:1320
#12 0x628322e in ProfileManager::CreateAndInitializeProfile C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_manager.cc:1339
#13 0x62823f9 in ProfileManager::GetProfile C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\profiles\profile_manager.cc:433
#14 0x605a1ac in ChromeBrowserMainParts::PreMainMessageLoopRunImpl C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\chrome_browser_main.cc:1556
#15 0x6057e81 in ChromeBrowserMainParts::PreMainMessageLoopRun C:\b\build\slave\Win_ASan_Release\build\src\chrome\browser\chrome_browser_main.cc:1172
#16 0xb69d0a2 in content::BrowserMainLoop::PreMainMessageLoopRun C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main_loop.cc:955
#17 0xbed014c in content::StartupTaskRunner::RunAllTasksNow C:\b\build\slave\Win_ASan_Release\build\src\content\browser\startup_task_runner.cc:40
#18 0xb696a1e in content::BrowserMainLoop::CreateStartupTasks C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main_loop.cc:842
#19 0xb6426d6 in content::BrowserMainRunnerImpl::Initialize C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main_runner.cc:139
#20 0xb60355d in content::BrowserMain C:\b\build\slave\Win_ASan_Release\build\src\content\browser\browser_main.cc:42
#21 0x70a567d in content::RunNamedProcessTypeMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:420
#22 0x70a7659 in content::ContentMainRunnerImpl::Run C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main_runner.cc:787
#23 0x70a5234 in content::ContentMain C:\b\build\slave\Win_ASan_Release\build\src\content\app\content_main.cc:20
#24 0x5e01232 in ChromeMain C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\chrome_main.cc:84
#25 0x124aaf6 in MainDllLoader::Launch C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\main_dll_loader_win.cc:185
#26 0x12425a6 in main C:\b\build\slave\Win_ASan_Release\build\src\chrome\app\chrome_exe_main_win.cc:263
#27 0x1e4bd4c in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255
#28 0x77243c44 in BaseThreadInitThunk+0x11 (C:\Windows\system32\kernel32.dll+0x77e33c44)
#29 0x778c37f4 in RtlInitializeExceptionChain+0xee (C:\Windows\SYSTEM32\ntdll.dll+0x77f237f4)
SUMMARY: AddressSanitizer: heap-use-after-free C:\b\build\slave\Win_ASan_Release\build\src\extensions\common\extension.cc:394 in extensions::Extension::id
Shadow bytes around the buggy address:
0x339613c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x339613d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x339613e0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x339613f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x33961400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x33961410: fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa
0x33961420: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x33961430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x33961440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x33961450: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x33961460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3956==ABORTING
Jun 9 2016
Seems like this crash has been fixed in 53.0.2763.0 canary.
Sep 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mea...@chromium.org, May 31 2016
Owner: rdevlin....@chromium.org
Status: Assigned (was: Unconfirmed)