
Issue 616314


Issue metadata

Status: WontFix
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Regression




Chrome_ASAN: Crash Report - extensions::WebViewInternalExecuteCodeFunction::GetScriptExecutor

Project Member Reported by manoranj...@chromium.org, Jun 1 2016

Issue description

This crash: go/crash/01f81e5c00000000, has been found by the latest SyzyASAN Canary (53.0.2753.1)

Bad access information:

Error Type: heap-use-after-free
Location: 0x2eb0abb3
Access Mode: read
Access Size: 4
User Size: 568

Magic Stack:
=============
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x042f4697 ] MAGIC SIGNATURE THREAD
0x042f4697	(chrome.dll -web_view_internal_api.cc:396 )	extensions::WebViewInternalExecuteCodeFunction::GetScriptExecutor()
0x04046483	(chrome.dll -execute_code_function.cc:130 )	extensions::ExecuteCodeFunction::Execute(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x0404621f	(chrome.dll -execute_code_function.cc:119 )	extensions::ExecuteCodeFunction::DidLoadAndLocalizeFile(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x04046a85	(chrome.dll -bind_internal.h:362 )	base::internal::Invoker<base::IndexSequence<0,1,2,3>,base::internal::BindState<base::internal::RunnableAdapter<void ( extensions::ExecuteCodeFunction::*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>,void ,extensions::ExecuteCodeFunction * const,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> > &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ( extensions::ExecuteCodeFunction::*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)> >,void >::Run(base::internal::BindStateBase *)
0x019cb774	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x0194f467	(chrome.dll -message_loop.cc:475 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x01950742	(chrome.dll -message_loop.cc:601 )	base::MessageLoop::DoWork()
0x019cbe31	(chrome.dll -message_pump_win.cc:179 )	base::MessagePumpForUI::DoRunLoop()
0x019cb92a	(chrome.dll -message_pump_win.cc:58 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x019a1b70	(chrome.dll -run_loop.cc:35 )	base::RunLoop::Run()
0x026c6022	(chrome.dll -chrome_browser_main.cc:1904 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x03010c40	(chrome.dll -browser_main_loop.cc:972 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x0300cccf	(chrome.dll -browser_main_runner.cc:154 )	content::BrowserMainRunnerImpl::Run()
0x02fa178e	(chrome.dll -browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const &)
0x0279cc79	(chrome.dll -content_main_runner.cc:420 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x0279cbbf	(chrome.dll -content_main_runner.cc:787 )	content::ContentMainRunnerImpl::Run()
0x0279c0a6	(chrome.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x02677ed1	(chrome.dll -chrome_main.cc:84 )	ChromeMain
0x002209a2	(chrome.exe -main_dll_loader_win.cc:185 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0021fdac	(chrome.exe -chrome_exe_main_win.cc:263 )	wWinMain
0x0025481c	(chrome.exe -exe_common.inl:255 )	__scrt_common_main_seh
0x771095f3	(kernel32.dll + 0x000195f3 )	BaseThreadInitThunk
0x771b2419	(ntdll.dll + 0x00022419 )	__RtlUserThreadStart
0x771b23e8	(ntdll.dll + 0x000223e8 )	_RtlUserThreadStart

ASAN Free Stack trace:
=======================
0x0f9bb166	(syzyasan_rtl.dll -block_heap_manager.cc:299 )	agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x0f9be87d	(syzyasan_rtl.dll -rtl_impl.cc:123 )	asan_HeapFree
0x0388f15a	(chrome.dll -free_base.cpp:107 )	_free_base
0x02f5dc0e	(chrome.dll + 0x0166dc0e )	content::RenderFrameHostImpl::`scalar deleting destructor'(unsigned int)
0x02fac25c	(chrome.dll -render_frame_host_manager.cc:84 )	content::RenderFrameHostManager::~RenderFrameHostManager()
0x02fb2f13	(chrome.dll -frame_tree_node.cc:131 )	content::FrameTreeNode::~FrameTreeNode()
0x02fb4457	(chrome.dll -frame_tree.cc:112 )	content::FrameTree::~FrameTree()
0x02f4a544	(chrome.dll + 0x0165a544 )	content::WebContentsImpl::`scalar deleting destructor'(unsigned int)
0x0431d8a0	(chrome.dll -app_window_contents.cc:27 )	extensions::AppWindowContentsImpl::~AppWindowContentsImpl()
0x034f690d	(chrome.dll -app_window.cc:354 )	extensions::AppWindow::~AppWindow()
0x034f85b1	(chrome.dll -app_window.cc:487 )	extensions::AppWindow::OnNativeClose()
0x03ab0700	(chrome.dll -desktop_native_widget_aura.cc:335 )	views::DesktopNativeWidgetAura::OnHostClosed()
0x02b0091e	(chrome.dll -window_impl.cc:303 )	gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)
0x02b000a7	(chrome.dll -wrapped_window_proc.h:76 )	base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)>(HWND__ *,unsigned int,unsigned int,long)
0x74bd5d93	(user32.dll + 0x00035d93 )	_InternalCallWinProc
0x74bb9f3a	(user32.dll + 0x00019f3a )	UserCallWinProcCheckWow
0x74bb9d15	(user32.dll + 0x00019d15 )	DispatchClientMessage
0x74bc729a	(user32.dll + 0x0002729a )	__fnNCDESTROY
0x77221326	(ntdll.dll + 0x00091326 )	KiUserCallbackDispatcher
0x02ec38bb	(chrome.dll -bind_internal.h:362 )	base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void ( DownloadItemView::*)(void)>,void ,base::WeakPtr<DownloadItemView> >,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void ( DownloadItemView::*)(void)> >,void >::Run(base::internal::BindStateBase *)
0x019cb775	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x0194f468	(chrome.dll -message_loop.cc:476 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x01950743	(chrome.dll -message_loop.cc:602 )	base::MessageLoop::DoWork()
0x019cbe32	(chrome.dll -message_pump_win.cc:180 )	base::MessagePumpForUI::DoRunLoop()
0x019cb92b	(chrome.dll -message_pump_win.cc:60 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x019a1b71	(chrome.dll -run_loop.cc:36 )	base::RunLoop::Run()
0x026c6023	(chrome.dll -chrome_browser_main.cc:1906 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x03010c41	(chrome.dll -browser_main_loop.cc:974 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x02fa178f	(chrome.dll -browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const &)
0x0279cc7a	(chrome.dll -content_main_runner.cc:420 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x0279cbc0	(chrome.dll -content_main_runner.cc:787 )	content::ContentMainRunnerImpl::Run()
0x0279c0a7	(chrome.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x02677ed2	(chrome.dll -chrome_main.cc:87 )	ChromeMain
0x002209a3	(chrome.exe -main_dll_loader_win.cc:186 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0021fdad	(chrome.exe -chrome_exe_main_win.cc:264 )	wWinMain
0x0025481d	(chrome.exe -exe_common.inl:255 )	__scrt_common_main_seh
0x771095f4	(kernel32.dll + 0x000195f4 )	BaseThreadInitThunk
0x771b241a	(ntdll.dll + 0x0002241a )	__RtlUserThreadStart
0x771b23e9	(ntdll.dll + 0x000223e9 )	_RtlUserThreadStart

ASAN Allocation Stack Trace:
=============================
0x0f9bae7e	(syzyasan_rtl.dll -block_heap_manager.cc:195 )	agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x0f9be7d3	(syzyasan_rtl.dll -rtl_impl.cc:102 )	asan_HeapAlloc
0x0388f1ba	(chrome.dll -malloc_base.cpp:29 )	_malloc_base
0x03862f8c	(chrome.dll -new_scalar.cpp:19 )	operator new(unsigned int)
0x030f83e0	(chrome.dll -render_frame_host_factory.cc:33 )	content::RenderFrameHostFactory::Create(content::SiteInstance *,content::RenderViewHostImpl *,content::RenderFrameHostDelegate *,content::RenderWidgetHostDelegate *,content::FrameTree *,content::FrameTreeNode *,int,int,bool)
0x02fadf1b	(chrome.dll -render_frame_host_manager.cc:1647 )	content::RenderFrameHostManager::CreateRenderFrameHost(content::SiteInstance *,int,int,int,bool)
0x02faf6cf	(chrome.dll -render_frame_host_manager.cc:96 )	content::RenderFrameHostManager::Init(content::SiteInstance *,int,int,int)
0x02f5048e	(chrome.dll -web_contents_impl.cc:1510 )	content::WebContentsImpl::Init(content::WebContents::CreateParams const &)
0x02f4c2ed	(chrome.dll -web_contents_impl.cc:565 )	content::WebContentsImpl::CreateWithOpener(content::WebContents::CreateParams const &,content::FrameTreeNode *)
0x02f4b256	(chrome.dll -web_contents_impl.cc:249 )	content::WebContents::Create(content::WebContents::CreateParams const &)
0x0431dafb	(chrome.dll -app_window_contents.cc:38 )	extensions::AppWindowContentsImpl::Initialize(content::BrowserContext *,content::RenderFrameHost *,GURL const &)
0x034f7bec	(chrome.dll -app_window.cc:271 )	extensions::AppWindow::Init(GURL const &,extensions::AppWindowContents *,content::RenderFrameHost *,extensions::AppWindow::CreateParams const &)
0x04309290	(chrome.dll -app_window_api.cc:350 )	extensions::AppWindowCreateFunction::RunAsync()
0x035f6cd7	(chrome.dll -chrome_extension_function.cc:103 )	ChromeAsyncExtensionFunction::Run()
0x03540c8f	(chrome.dll -extension_function_dispatcher.cc:536 )	extensions::ExtensionFunctionDispatcher::DispatchWithCallbackInternal(ExtensionHostMsg_Request_Params const &,content::RenderFrameHost *,int,base::Callback<void ,1> const &)
0x0354039e	(chrome.dll -extension_function_dispatcher.cc:435 )	extensions::ExtensionFunctionDispatcher::Dispatch(ExtensionHostMsg_Request_Params const &,content::RenderFrameHost *,int)
0x0354ded7	(chrome.dll -extension_web_contents_observer.cc:274 )	extensions::ExtensionWebContentsObserver::OnRequest(content::RenderFrameHost *,ExtensionHostMsg_Request_Params const &)
0x0354d65e	(chrome.dll -ipc_message_templates.h:121 )	IPC::MessageT<ExtensionHostMsg_Request_Meta,std::tuple<ExtensionHostMsg_Request_Params>,void>::Dispatch<extensions::ExtensionWebContentsObserver,extensions::ExtensionWebContentsObserver,content::RenderFrameHost,void ( extensions::ExtensionWebContentsObserver::*)(content::RenderFrameHost *,ExtensionHostMsg_Request_Params const &)>(IPC::Message const *,extensions::ExtensionWebContentsObserver *,extensions::ExtensionWebContentsObserver *,content::RenderFrameHost *,void ( extensions::ExtensionWebContentsObserver::*)(content::RenderFrameHost *,ExtensionHostMsg_Request_Params const &))
0x0354de63	(chrome.dll -extension_web_contents_observer.cc:177 )	extensions::ExtensionWebContentsObserver::OnMessageReceived(IPC::Message const &,content::RenderFrameHost *)
0x035ff56c	(chrome.dll -chrome_extension_web_contents_observer.cc:93 )	extensions::ChromeExtensionWebContentsObserver::OnMessageReceived(IPC::Message const &,content::RenderFrameHost *)
0x02f53175	(chrome.dll -web_contents_impl.cc:630 )	content::WebContentsImpl::OnMessageReceived(content::RenderViewHost *,content::RenderFrameHost *,IPC::Message const &)
0x02f53b66	(chrome.dll -web_contents_impl.cc:3987 )	content::WebContentsImpl::OnMessageReceived(content::RenderFrameHost *,IPC::Message const &)
0x02f6375a	(chrome.dll -render_frame_host_impl.cc:505 )	content::RenderFrameHostImpl::OnMessageReceived(IPC::Message const &)
0x02f6dd5a	(chrome.dll -render_process_host_impl.cc:1741 )	content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const &)
0x0282b853	(chrome.dll -ipc_channel_proxy.cc:285 )	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x04233480	(chrome.dll -bind_internal.h:362 )	base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void ( quota_internals::QuotaInternalsProxy::*)(quota_internals::GlobalStorageInfo const &)>,void ,quota_internals::QuotaInternalsProxy * const,quota_internals::GlobalStorageInfo const &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void ( quota_internals::QuotaInternalsProxy::*)(quota_internals::GlobalStorageInfo const &)> >,void >::Run(base::internal::BindStateBase *)
0x019cb775	(chrome.dll -task_annotator.cc:51 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask const &)
0x0194f468	(chrome.dll -message_loop.cc:476 )	base::MessageLoop::RunTask(base::PendingTask const &)
0x01950743	(chrome.dll -message_loop.cc:602 )	base::MessageLoop::DoWork()
0x019cbe32	(chrome.dll -message_pump_win.cc:180 )	base::MessagePumpForUI::DoRunLoop()
0x019cb92b	(chrome.dll -message_pump_win.cc:60 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x019a1b71	(chrome.dll -run_loop.cc:36 )	base::RunLoop::Run()
0x026c6023	(chrome.dll -chrome_browser_main.cc:1906 )	ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x03010c41	(chrome.dll -browser_main_loop.cc:974 )	content::BrowserMainLoop::RunMainMessageLoopParts()
0x02fa178f	(chrome.dll -browser_main.cc:46 )	content::BrowserMain(content::MainFunctionParams const &)
0x0279cc7a	(chrome.dll -content_main_runner.cc:420 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x0279cbc0	(chrome.dll -content_main_runner.cc:787 )	content::ContentMainRunnerImpl::Run()
0x0279c0a7	(chrome.dll -content_main.cc:20 )	content::ContentMain(content::ContentMainParams const &)
0x02677ed2	(chrome.dll -chrome_main.cc:87 )	ChromeMain
0x002209a3	(chrome.exe -main_dll_loader_win.cc:186 )	MainDllLoader::Launch(HINSTANCE__ *)
0x0021fdad	(chrome.exe -chrome_exe_main_win.cc:264 )	wWinMain
0x0025481d	(chrome.exe -exe_common.inl:255 )	__scrt_common_main_seh
0x771095f4	(kernel32.dll + 0x000195f4 )	BaseThreadInitThunk
0x771b241a	(ntdll.dll + 0x0002241a )	__RtlUserThreadStart
0x771b23e9	(ntdll.dll + 0x000223e9 )	_RtlUserThreadStart

You can see the list of ASAN builds having this issue here:

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20special_protos.asan_report.is_actionable%3D1%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27extensions%3A%3AWebViewInternalExecuteCodeFunction%3A%3AGetScriptExecutor%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

Unable to find the culprit from this CL: https://chromium.googlesource.com/chromium/src/+log/53.0.2751.0..53.0.2753.0?pretty=fuller&n=10000

Hence looping https://chromium.googlesource.com/chromium/src/+/master/extensions/browser/api/guest_view/OWNERS

Thank you!
Project Member Comment 1 by sheriffbot@chromium.org, Jul 7 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 2 by sheriffbot@chromium.org, Jul 7 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -hanxi@chromium.org
Owner: wjmaclean@chromium.org
Status: Assigned (was: Untriaged)
To James for triage.

Status: WontFix (was: Assigned)
There doesn't seem to have been any occurrences of this for a long time now, so marking as obsolete.
