Security: APPLICATION_VERIFIER_MEMORY_DLL_UNEXPECTED_EXCEPTION
Reported by
romi0...@gmail.com,
Sep 9 2016
Issue description
VULNERABILITY DETAILS
APPLICATION_VERIFIER_MEMORY_DLL_UNEXPECTED_EXCEPTION
VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Operating System: [Please indicate OS, version, and service pack level]
REPRODUCTION CASE
Appverifier crash with no test cases
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
!analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
Current verifier stop:
APPLICATION_VERIFIER_MEMORY_DLL_UNEXPECTED_EXCEPTION (60d)
Unexpected exception raised in DLL entry point routine.
This stop is generated if a DLL's entry point (DllMain) function is raising
an exception. One example why this is bad is: if DllMain(DLL_PROCESS_ATTACH) is
raising an exception, the Windows DLL loader will:
- Catch and hide the exception;
- Unload the DLL without calling its DllMain(DLL_PROCESS_DETACH).
So in many cases the DLL allocated some resources already, then it raised the
exception, and it will not have a chance to release these resources on
DllMain (DLL_PROCESS_DETACH).
To debug this stop:
$ du parameter1 - to display the DLL name;
$ .exr parameter2 - to display the exception information;
$ .cxr parameter3 followed by kb - to display the exception context information
and the stack trace for the time when the exception was raised;
$ parameter4 is the address of an internal verifier structure and doesn't
have any significance for most of the verifier users.
Arguments:
Arg1: 000001f134324fe8, DLL name (use du to dump it).
Arg2: 000000ada712dab0, Exception record. Use .exr to display it.
Arg3: 000000ada712d5c0, Context record. Use .cxr to display it.
Arg4: 000001f1287a7fb0, Verifier dll descriptor
Previous verifier stop:
APPLICATION_VERIFIER_LUAPRIV_FAILED_API_CALL (332e)
The application called an API that failed unexpectedly, possibly due to bad parameters.
The application called the listed API, which failed with an access error suggesting a potential LUA issue.
Arguments:
Arg1: 0000000000000002, Error returned
Arg2: 0000000000000103, Access Requested (if applicable)
Arg3: 0000000000000103, Access Requested (for compatibility)
Arg4: 0000000000000000, n/a
DUMP_CLASS: 2
DUMP_QUALIFIER: 400
CONTEXT: (.ecxr)
rax=00007ffb00000003 rbx=000000ada712dbf0 rcx=e37cd6b5ee6d0000
rdx=00007ffbe80932b9 rsi=000000ada712d700 rdi=000000ada712d700
rip=00007ffc04391ad6 rsp=000000ada712de90 rbp=0000000000000015
r8=0000000001000002 r9=00001f800010000f r10=0053002b002b0033
r11=000000ada712de80 r12=00007ffc05529620 r13=00007ffc05529560
r14=00007ffc055295b0 r15=00007ffc05529540
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000204
dbghelp!__scrt_throw_std_bad_alloc+0x22:
00007ffc`04391ad6 cc int 3
Resetting default scope
FAULTING_IP:
dbghelp!__scrt_throw_std_bad_alloc+22
00007ffc`04391ad6 cc int 3
EXCEPTION_RECORD: 000000ada712dab0 -- (.exr 0xada712dab0)
ExceptionAddress: 00007ffc04907788 (KERNELBASE!RaiseException+0x0000000000000068)
ExceptionCode: e06d7363 (C++ EH exception)
ExceptionFlags: 00000001
NumberParameters: 4
Parameter[0]: 0000000019930520
Parameter[1]: 000000ada712deb0
Parameter[2]: 00007ffc044d4e88
Parameter[3]: 00007ffc04380000
pExceptionObject: 000000ada712deb0
_s_ThrowInfo : 00007ffc044d4e88
DEFAULT_BUCKET_ID: STATUS_BREAKPOINT_AVRF
PROCESS_NAME: chrome.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
EXCEPTION_CODE_STR: 80000003
EXCEPTION_PARAMETER1: 0000000000000000
WATSON_BKT_PROCSTAMP: 57a12717
WATSON_BKT_PROCVER: 52.0.2743.116
PROCESS_VER_PRODUCT: Google Chrome
WATSON_BKT_MODULE: dbghelp.dll
WATSON_BKT_MODSTAMP: 5789985d
WATSON_BKT_MODOFFSET: 11ad6
WATSON_BKT_MODVER: 10.0.14321.1024
MODULE_VER_PRODUCT: Microsoft® Windows® Operating System
BUILD_VERSION_STRING: 10.0.14393.0 (rs1_release.160715-1616)
MODLIST_WITH_TSCHKSUM_HASH: b880c514da7d8176ccd9a1439acae4863a32364f
MODLIST_SHA1_HASH: 4124948b5ac964d3e615491f640c73e43e0caf99
NTGLOBALFLAG: 2000100
APPLICATION_VERIFIER_FLAGS: 81643037
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_FLAGS: 3
DUMP_TYPE: 0
APPLICATION_VERIFIER_LOADED: 1
ANALYSIS_SESSION_HOST: DESKTOP-NQOB8UH
ANALYSIS_SESSION_TIME: 09-09-2016 18:28:38.0245
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
Tid [0x0]
Frame [0x00]
String [STATUS_BREAKPOINT]
Data Bucketing
AVRF
Tid [0x2720]
Frame [0x00]: dbghelp!__scrt_throw_std_bad_alloc
Failure Bucketing
BUGCHECK_STR: STATUS_BREAKPOINT_AVRF
LAST_CONTROL_TRANSFER: from 00007ffc04380000 to 00007ffc04391ad6
STACK_TEXT:
000000ad`a712de90 00007ffc`04380000 : 00000000`00000010 00000000`0000000b 00007ffc`05572826 00007ffc`0448d268 : dbghelp!__scrt_throw_std_bad_alloc+0x22
000000ad`a712de98 00000000`00000010 : 00000000`0000000b 00007ffc`05572826 00007ffc`0448d268 00007ffc`044bd478 : dbghelp!GSINextSym <PERF> (dbghelp+0x0)
000000ad`a712dea0 00000000`0000000b : 00007ffc`05572826 00007ffc`0448d268 00007ffc`044bd478 00000000`00000000 : 0x10
000000ad`a712dea8 00007ffc`05572826 : 00007ffc`0448d268 00007ffc`044bd478 00000000`00000000 000000ad`a712df40 : 0xb
000000ad`a712deb0 00007ffc`04391149 : 00000000`00000010 00000000`00000000 000000ad`a712df40 000001f1`24580000 : ucrtbase!__crt_state_management::wrapped_invoke<int (__cdecl*)(unsigned __int64),unsigned __int64,int>+0x1e
000000ad`a712dee0 00007ffc`04381df9 : 00007fff`fffeffff 00000000`0000000f 000021d8`00000004 4e030006`00010000 : dbghelp!operator new+0x29
000000ad`a712df10 00007ffc`05529bde : 00007ffc`044a4ee0 00007ffc`05529580 00000000`00000014 00007ffc`0439135e : dbghelp!StreamRelease+0xda9
000000ad`a712df40 00007ffc`04390e5b : 000000ad`a712e474 00000000`00000001 000001f1`34089ee0 00007ffc`083125b8 : ucrtbase!initterm+0x8e
000000ad`a712df90 00007ffc`04390fcd : 000001f1`2757afb0 00000000`00000000 000001f1`2c431f00 00000000`00000001 : dbghelp!_local_stdio_scanf_options+0x147
000000ad`a712dfc0 00007ffb`e7150f29 : 00007ffc`04380000 00000000`00000001 00000000`00000000 000001f1`2757afb0 : dbghelp!_local_stdio_scanf_options+0x2b9
000000ad`a712e020 00007ffb`ee0aa2e5 : 000001f1`3432af90 00007ffb`00000001 00000000`00000001 00000000`00000000 : verifier!AVrfpStandardDllEntryPointRoutine+0xc9
000000ad`a712e0a0 00007ffb`e80932b9 : 000001f1`287a7fb0 00007ffc`00000001 00000000`00000000 000001f1`3431ce00 : vrfcore!VfCoreStandardDllEntryPointRoutine+0x155
000000ad`a712e130 00007ffc`08249d9f : 00000000`00000001 00000000`00000001 00000000`00000000 00000000`00000000 : vfbasics!AVrfpStandardDllEntryPointRoutine+0xc9
000000ad`a712e1b0 00007ffc`0822771a : 000001f1`3431cee0 00007ffc`04380000 00000000`00000001 00000000`00000000 : ntdll!LdrpCallInitRoutine+0x4b
000000ad`a712e210 00007ffc`08227567 : 000001f1`3431efb0 00007ffc`0822f000 000001f1`3431ef01 00007ffc`00000100 : ntdll!LdrpInitializeNode+0x15a
000000ad`a712e330 00007ffc`0822d33d : 00000000`00000000 00000000`00000000 000000ad`a712e3c0 000000ad`a712e474 : ntdll!LdrpInitializeGraphRecurse+0x73
000000ad`a712e370 00007ffc`08246ad9 : 000000ad`a712e474 00000000`00000000 00000000`00000000 000000ad`a712e750 : ntdll!LdrpPrepareModuleForExecution+0xc5
000000ad`a712e3b0 00007ffc`0824651d : 000000ad`a712e480 000000ad`a712e610 00000000`00000000 00000000`00000001 : ntdll!LdrpLoadDllInternal+0x18d
000000ad`a712e430 00007ffc`08229efc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : ntdll!LdrpLoadDll+0xf1
000000ad`a712e5d0 00007ffb`e809384c : 00009093`98a24925 00000000`001f0003 00007ffc`049b8d70 00000000`00000000 : ntdll!LdrLoadDll+0x8c
000000ad`a712e6d0 00007ffc`0491ca1f : 00000000`00000000 000000ad`a712e768 000001f1`342fefa0 00000000`00000000 : vfbasics!AVrfpLdrLoadDll+0x7c
000000ad`a712e710 00007ffb`ee1253b2 : 000001f1`00000000 000001f1`342fefa0 000001f1`342fefa0 00000000`00000000 : KERNELBASE!LoadLibraryExW+0x16f
000000ad`a712e780 00007ffb`ee124cd2 : 00000000`00002f00 000001f1`34300ea0 00000000`00000000 00000000`00000000 : chrome_elf!google_breakpad::ExceptionHandler::Initialize+0x23a
000000ad`a712e800 00007ffb`ee123aaa : 000001f1`342fefa0 000000ad`a712e970 000001f1`34300ea0 00000000`00000004 : chrome_elf!google_breakpad::ExceptionHandler::ExceptionHandler+0xe6
000000ad`a712e870 00007ffb`ee1214e3 : 00000000`00000001 00007ffb`ee120000 00000000`00000001 00000000`00000000 : chrome_elf!InitializeCrashReporting+0x306
000000ad`a712eda0 00007ffb`ee126e31 : 00000000`00000001 00000000`00000001 00007ffb`ee120000 00000000`00000001 : chrome_elf!DllMain+0x13
000000ad`a712edd0 00007ffb`e7150f29 : 00007ffb`ee120000 00000000`00000001 000000ad`a712f690 000001f1`2756efb0 : chrome_elf!dllmain_dispatch+0x85
000000ad`a712ee30 00007ffb`ee0aa2e5 : 000001f1`34139f90 00007ffb`00000001 00000000`00000001 00007ffc`08249cd6 : verifier!AVrfpStandardDllEntryPointRoutine+0xc9
000000ad`a712eeb0 00007ffb`e80932b9 : 000001f1`2868dfb0 000001f1`00000001 00000000`00000000 000001f1`25e07e00 : vrfcore!VfCoreStandardDllEntryPointRoutine+0x155
000000ad`a712ef40 00007ffc`08249d9f : 00000000`00000001 000001f1`00000001 000000ad`a712f690 00007ffc`082277fb : vfbasics!AVrfpStandardDllEntryPointRoutine+0xc9
000000ad`a712efc0 00007ffc`0822771a : 000001f1`34089ee0 00007ffb`ee120000 00000000`00000001 000001f1`340fdee0 : ntdll!LdrpCallInitRoutine+0x4b
000000ad`a712f020 00007ffc`08227567 : 000001f1`3408bfb0 000001f1`3408bf00 000000ad`a712f101 00007ffc`066e83b2 : ntdll!LdrpInitializeNode+0x15a
000000ad`a712f140 00007ffc`08227585 : 00000000`00000000 000001f1`25e09fb0 000000ad`a712f1c0 00000000`00000000 : ntdll!LdrpInitializeGraphRecurse+0x73
000000ad`a712f180 00007ffc`082b09ae : 00000000`00000000 00000000`00000000 000000ad`a712f216 00000000`00000003 : ntdll!LdrpInitializeGraphRecurse+0x91
000000ad`a712f1c0 00007ffc`082e7af4 : 00000000`00000000 00007ffc`082a8bc9 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x77e
000000ad`a712f5c0 00007ffc`08298d5e : 000000ad`a712f690 00000000`00000000 00000000`00000000 000000ad`a732b000 : ntdll!_LdrpInitialize+0x4ed40
000000ad`a712f640 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
THREAD_SHA1_HASH_MOD_FUNC: 485f46664a1e8365d6ca165ce812594c9940610c
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: b6543f6967f0ea56237cc67b7f93253c5797d36a
THREAD_SHA1_HASH_MOD: 0da502581b00b31ec7007f0fdbb1d839641d2297
FOLLOWUP_IP:
dbghelp!__scrt_throw_std_bad_alloc+22
00007ffc`04391ad6 cc int 3
FAULT_INSTR_CODE: cccccccc
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: dbghelp!__scrt_throw_std_bad_alloc+22
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: dbghelp
IMAGE_NAME: dbghelp.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5789985d
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .ecxr ; kb
BUCKET_ID: STATUS_BREAKPOINT_AVRF_dbghelp!__scrt_throw_std_bad_alloc+22
PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT_AVRF_dbghelp!__scrt_throw_std_bad_alloc+22
FAILURE_EXCEPTION_CODE: 80000003
FAILURE_IMAGE_NAME: dbghelp.dll
BUCKET_ID_IMAGE_STR: dbghelp.dll
FAILURE_MODULE_NAME: dbghelp
BUCKET_ID_MODULE_STR: dbghelp
FAILURE_FUNCTION_NAME: __scrt_throw_std_bad_alloc
BUCKET_ID_FUNCTION_STR: __scrt_throw_std_bad_alloc
BUCKET_ID_OFFSET: 22
BUCKET_ID_MODTIMEDATESTAMP: 5789985d
BUCKET_ID_MODCHECKSUM: 1809d3
BUCKET_ID_MODVER_STR: 10.0.14321.1024
BUCKET_ID_PREFIX_STR: STATUS_BREAKPOINT_AVRF_
FAILURE_PROBLEM_CLASS: STATUS_BREAKPOINT_AVRF
FAILURE_SYMBOL_NAME: dbghelp.dll!__scrt_throw_std_bad_alloc
FAILURE_BUCKET_ID: STATUS_BREAKPOINT_AVRF_80000003_dbghelp.dll!__scrt_throw_std_bad_alloc
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/chrome.exe/52.0.2743.116/57a12717/dbghelp.dll/10.0.14321.1024/5789985d/80000003/00011ad6.htm?Retriage=1
TARGET_TIME: 2016-09-08T17:00:04.000Z
OSBUILD: 14393
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-07-16 07:51:29
BUILDDATESTAMP_STR: 160715-1616
BUILDLAB_STR: rs1_release
BUILDOSVER_STR: 10.0.14393.0
ANALYSIS_SESSION_ELAPSED_TIME: 1f6d
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:status_breakpoint_avrf_80000003_dbghelp.dll!__scrt_throw_std_bad_alloc
FAILURE_ID_HASH: {71dcc905-5145-b082-03d1-2d7b5a2f9558}
Followup: MachineOwner
---------
Request maker completely crashed
,
Sep 9 2016
Yes, it's without page heap. Attaching the stack trace with the !exploitable plugin, which shows stack corruption for the same, with dump file.
!exploitable -m
VERSION:1.6.0.0
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xffffffffffffffff
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:00007ffe`e0f43819 movaps xmmword ptr [rbp-40h],xmm0
BASIC_BLOCK_INSTRUCTION_COUNT:8
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43819 movaps xmmword ptr [rbp-40h],xmm0
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f4381d movaps xmm0,xmmword ptr [chrome_elf!exceptiontemplate+0x20 (00007ffe`e0f68210)]
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43824 movaps xmmword ptr [rbp-30h],xmm1
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43828 movaps xmm1,xmmword ptr [chrome_elf!exceptiontemplate+0x30 (00007ffe`e0f68220)]
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f4382f movaps xmmword ptr [rbp-20h],xmm0
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43833 movaps xmmword ptr [rbp-10h],xmm1
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43837 test rdx,rdx
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f4383a je chrome_elf!_cxxthrowexception+0x6e (00007ffe`e0f4385e)
MAJOR_HASH:0x13e64c4a
MINOR_HASH:0xfde2f873
STACK_DEPTH:22
STACK_FRAME:chrome_elf!_CxxThrowException+0x29
STACK_FRAME:chrome_elf!__scrt_throw_std_bad_array_new_length+0x1f
STACK_FRAME:chrome_elf!_umaskval+0x0
STACK_FRAME:Unknown
STACK_FRAME:chrome_elf!std::`dynamic initializer for 'cerr''+0x2f
STACK_FRAME:chrome_elf!std::ferr+0x0
STACK_FRAME:chrome_elf!operator new+0x29
STACK_FRAME:chrome_elf!std::basic_streambuf<char,std::char_traits<char> >::basic_streambuf<char,std::char_traits<char> >+0x21
STACK_FRAME:chrome_elf!std::`dynamic initializer for 'ferr''+0x1f
STACK_FRAME:chrome_elf!_initterm+0x4f
STACK_FRAME:chrome_elf!dllmain_crt_process_attach+0xbb
STACK_FRAME:chrome_elf!dllmain_dispatch+0x5d
STACK_FRAME:verifier!AVrfpStandardDllEntryPointRoutine+0xc9
STACK_FRAME:vrfcore!VfCoreStandardDllEntryPointRoutine+0x155
STACK_FRAME:vfbasics!AVrfpStandardDllEntryPointRoutine+0xc9
STACK_FRAME:ntdll!LdrpCallInitRoutine+0x4b
STACK_FRAME:ntdll!LdrpInitializeNode+0x15a
STACK_FRAME:ntdll!LdrpInitializeGraphRecurse+0x73
STACK_FRAME:ntdll!LdrpInitializeGraphRecurse+0x91
STACK_FRAME:ntdll!LdrpInitializeProcess+0x77e
STACK_FRAME:ntdll!_LdrpInitialize+0x4ed40
STACK_FRAME:ntdll!LdrInitializeThunk+0xe
INSTRUCTION_ADDRESS:0x00007ffee0f43819
INVOKING_STACK_FRAME:0
SOURCE_FILE:f:\dd\vctools\crt\vcruntime\src\eh\throw.cpp
SOURCE_LINE:75
DESCRIPTION:Possible Stack Corruption
SHORT_DESCRIPTION:PossibleStackCorruption
CLASSIFICATION:UNKNOWN
BUG_TITLE:Possible Stack Corruption starting at chrome_elf!_CxxThrowException+0x0000000000000029 (Hash=0x13e64c4a.0xfde2f873)
EXPLANATION:The stack trace contains one or more locations for which no symbol or module could be found. This may be a sign of stack corruption.
0:000> .dump /mfh chrome_elf.dmp
Creating chrome_elf.dmp - mini user dump
Dump successfully written
0:000> g
(1e84.d54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chrome_elf!_CxxThrowException+0x29:
00007ffe`e0f43819 0f2945c0 movaps xmmword ptr [rbp-40h],xmm0 ss:00000068`70fded98=0000e6a4573f473300007ffee0f30000
0:000> !exploitable -m
VERSION:1.6.0.0
IDENTITY:HostMachine\HostUser
PROCESSOR:X64
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xffffffffffffffff
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:FIRST_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:00007ffe`e0f43819 movaps xmmword ptr [rbp-40h],xmm0
BASIC_BLOCK_INSTRUCTION_COUNT:8
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43819 movaps xmmword ptr [rbp-40h],xmm0
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f4381d movaps xmm0,xmmword ptr [chrome_elf!exceptiontemplate+0x20 (00007ffe`e0f68210)]
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43824 movaps xmmword ptr [rbp-30h],xmm1
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43828 movaps xmm1,xmmword ptr [chrome_elf!exceptiontemplate+0x30 (00007ffe`e0f68220)]
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f4382f movaps xmmword ptr [rbp-20h],xmm0
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43833 movaps xmmword ptr [rbp-10h],xmm1
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f43837 test rdx,rdx
BASIC_BLOCK_INSTRUCTION:00007ffe`e0f4383a je chrome_elf!_cxxthrowexception+0x6e (00007ffe`e0f4385e)
MAJOR_HASH:0x13e64c4a
MINOR_HASH:0xfde2f873
STACK_DEPTH:22
STACK_FRAME:chrome_elf!_CxxThrowException+0x29
STACK_FRAME:chrome_elf!__scrt_throw_std_bad_array_new_length+0x1f
STACK_FRAME:chrome_elf!_umaskval+0x0
STACK_FRAME:Unknown
STACK_FRAME:chrome_elf!std::`dynamic initializer for 'cerr''+0x2f
STACK_FRAME:chrome_elf!std::ferr+0x0
STACK_FRAME:chrome_elf!operator new+0x29
STACK_FRAME:chrome_elf!std::basic_streambuf<char,std::char_traits<char> >::basic_streambuf<char,std::char_traits<char> >+0x21
STACK_FRAME:chrome_elf!std::`dynamic initializer for 'ferr''+0x1f
STACK_FRAME:chrome_elf!_initterm+0x4f
STACK_FRAME:chrome_elf!dllmain_crt_process_attach+0xbb
STACK_FRAME:chrome_elf!dllmain_dispatch+0x5d
STACK_FRAME:verifier!AVrfpStandardDllEntryPointRoutine+0xc9
STACK_FRAME:vrfcore!VfCoreStandardDllEntryPointRoutine+0x155
STACK_FRAME:vfbasics!AVrfpStandardDllEntryPointRoutine+0xc9
STACK_FRAME:ntdll!LdrpCallInitRoutine+0x4b
STACK_FRAME:ntdll!LdrpInitializeNode+0x15a
STACK_FRAME:ntdll!LdrpInitializeGraphRecurse+0x73
STACK_FRAME:ntdll!LdrpInitializeGraphRecurse+0x91
STACK_FRAME:ntdll!LdrpInitializeProcess+0x77e
STACK_FRAME:ntdll!_LdrpInitialize+0x4ed40
STACK_FRAME:ntdll!LdrInitializeThunk+0xe
INSTRUCTION_ADDRESS:0x00007ffee0f43819
INVOKING_STACK_FRAME:0
SOURCE_FILE:f:\dd\vctools\crt\vcruntime\src\eh\throw.cpp
SOURCE_LINE:75
DESCRIPTION:Possible Stack Corruption
SHORT_DESCRIPTION:PossibleStackCorruption
CLASSIFICATION:UNKNOWN
BUG_TITLE:Possible Stack Corruption starting at chrome_elf!_CxxThrowException+0x0000000000000029 (Hash=0x13e64c4a.0xfde2f873)
EXPLANATION:The stack trace contains one or more locations for which no symbol or module could be found. This may be a sign of stack corruption.
0:000> g
(1e84.d54): Access violation - code c0000005 (!!! second chance !!!)
chrome_elf!_CxxThrowException+0x29:
00007ffe`e0f43819 0f2945c0 movaps xmmword ptr [rbp-40h],xmm0 ss:00000068`70fded98=0000e6a4573f473300007ffee0f30000
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
Current verifier stop:
APPLICATION_VERIFIER_MEMORY_DLL_UNEXPECTED_EXCEPTION (60d)
Unexpected exception raised in DLL entry point routine.
This stop is generated if a DLL's entry point (DllMain) function is raising
an exception. One example why this is bad is: if DllMain(DLL_PROCESS_ATTACH) is
raising an exception, the Windows DLL loader will:
- Catch and hide the exception;
- Unload the DLL without calling its DllMain(DLL_PROCESS_DETACH).
So in many cases the DLL allocated some resources already, then it raised the
exception, and it will not have a chance to release these resources on
DllMain (DLL_PROCESS_DETACH).
To debug this stop:
$ du parameter1 - to display the DLL name;
$ .exr parameter2 - to display the exception information;
$ .cxr parameter3 followed by kb - to display the exception context information
and the stack trace for the time when the exception was raised;
$ parameter4 is the address of an internal verifier structure and doesn't
have any significance for most of the verifier users.
Arguments:
Arg1: 00000255d4bf6b0e, DLL name (use du to dump it).
Arg2: 0000006870fdeab0, Exception record. Use .exr to display it.
Arg3: 0000006870fde5c0, Context record. Use .cxr to display it.
Arg4: 00000255cf4ac750, Verifier dll descriptor
Previous verifier stop:
APPLICATION_VERIFIER_MEMORY_DLL_UNEXPECTED_EXCEPTION (60d)
Unexpected exception raised in DLL entry point routine.
This stop is generated if a DLL's entry point (DllMain) function is raising
an exception. One example why this is bad is: if DllMain(DLL_PROCESS_ATTACH) is
raising an exception, the Windows DLL loader will:
- Catch and hide the exception;
- Unload the DLL without calling its DllMain(DLL_PROCESS_DETACH).
So in many cases the DLL allocated some resources already, then it raised the
exception, and it will not have a chance to release these resources on
DllMain (DLL_PROCESS_DETACH).
To debug this stop:
$ du parameter1 - to display the DLL name;
$ .exr parameter2 - to display the exception information;
$ .cxr parameter3 followed by kb - to display the exception context information
and the stack trace for the time when the exception was raised;
$ parameter4 is the address of an internal verifier structure and doesn't
have any significance for most of the verifier users.
Arguments:
Arg1: 00000255d4bf6b0e, DLL name (use du to dump it).
Arg2: 0000006870fdeab0, Exception record. Use .exr to display it.
Arg3: 0000006870fde5c0, Context record. Use .cxr to display it.
Arg4: 00000255cf4ac750, Verifier dll descriptor
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
chrome_elf!_CxxThrowException+29 [f:\dd\vctools\crt\vcruntime\src\eh\throw.cpp @ 75]
00007ffe`e0f43819 0f2945c0 movaps xmmword ptr [rbp-40h],xmm0
EXCEPTION_RECORD: 0000006870fdeab0 -- (.exr 0x6870fdeab0)
ExceptionAddress: 00007ffee0f43819 (chrome_elf!_CxxThrowException+0x0000000000000029)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
FAULTING_THREAD: 00000d54
PROCESS_NAME: chrome.exe
CONTEXT: 0000006870fde5c0 -- (.cxr 0x6870fde5c0)
rax=0000006870fdee18 rbx=0000000000000010 rcx=0000006870fdee18
rdx=00007ffee0f78440 rsi=00007ffee0f78440 rdi=00007ffee0f7b720
rip=00007ffee0f43819 rsp=0000006870fded78 rbp=0000006870fdedd8
r8=00007ffebcffa2e5 r9=00007ffeb9f032b9 r10=00007ffeed329d9f
r11=0000006870fdee20 r12=0000000000000001 r13=0000000000000000
r14=0000006870fdee18 r15=0000006870fdf840
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
chrome_elf!_CxxThrowException+0x29:
00007ffe`e0f43819 0f2945c0 movaps xmmword ptr [rbp-40h],xmm0 ss:00000068`70fded98=0000e6a4573f473300007ffee0f30000
Resetting default scope
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
FOLLOWUP_IP:
chrome_elf!__scrt_throw_std_bad_array_new_length+1f [f:\dd\vctools\crt\vcstartup\src\heap\throw_bad_alloc.cpp @ 38]
00007ffe`e0f42977 cc int 3
READ_ADDRESS: ffffffffffffffff
WATSON_BKT_PROCSTAMP: 57cf9ca3
WATSON_BKT_PROCVER: 53.0.2785.101
PROCESS_VER_PRODUCT: Google Chrome
WATSON_BKT_MODULE: chrome_elf.dll
WATSON_BKT_MODSTAMP: 57cf555b
WATSON_BKT_MODOFFSET: 13819
WATSON_BKT_MODVER: 53.0.2785.101
MODULE_VER_PRODUCT: Google Chrome
BUILD_VERSION_STRING: 10.0.14393.0 (rs1_release.160715-1616)
MODLIST_WITH_TSCHKSUM_HASH: 6f41b4f0b39e4be49149e8e637ce532eb9f5c6c2
MODLIST_SHA1_HASH: 2622d00c45a56b205b21d81dd5b7349775ae147a
NTGLOBALFLAG: 2000100
APPLICATION_VERIFIER_FLAGS: 81643277
PRODUCT_TYPE: 1
SUITE_MASK: 272
APPLICATION_VERIFIER_LOADED: 1
ANALYSIS_SESSION_HOST: DESKTOP-NQOB8UH
ANALYSIS_SESSION_TIME: 09-09-2016 23:07:02.0137
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
AVRF
Tid [0xd54]
Frame [0x00]: chrome_elf!_CxxThrowException
Failure Bucketing
INVALID_POINTER_READ
Tid [0xd54]
Frame [0x00]: chrome_elf!_CxxThrowException
BUGCHECK_STR: INVALID_POINTER_READ_AVRF
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_AVRF
LAST_CONTROL_TRANSFER: from 00007ffee0f42977 to 00007ffee0f43819
STACK_TEXT:
00000068`70fded78 00007ffe`e0f42977 : 00000000`00000004 00000000`00000010 00007ffe`e0f31254 00007ffe`e0f78260 : chrome_elf!_CxxThrowException+0x29
00000068`70fdedf8 00007ffe`e0f30000 : 00000000`00000010 00007ffe`e0f31254 00007ffe`e0f4cafa 00007ffe`e0f63548 : chrome_elf!__scrt_throw_std_bad_array_new_length+0x1f
00000068`70fdee48 00000000`00000010 : 00007ffe`e0f31254 00007ffe`e0f4cafa 00007ffe`e0f63548 00007ffe`e0f63558 : chrome_elf!_umaskval
00000068`70fdee50 00007ffe`e0f31253 : 00007ffe`e0f4cafa 00007ffe`e0f63548 00007ffe`e0f63558 00000000`00000000 : 0x10
00000068`70fdee58 00007ffe`e0f7b720 : 00007ffe`e0f41ccd 00000000`00000010 00000068`70fdeec0 00000068`70fdeec8 : chrome_elf!std::`dynamic initializer for 'cerr''+0x2f
00000068`70fdee88 00007ffe`e0f41ccd : 00000000`00000010 00000068`70fdeec0 00000068`70fdeec8 00000068`70fdf840 : chrome_elf!std::ferr
00000068`70fdee90 00007ffe`e0f36209 : 00007ffe`e0f7c5a8 00007ffe`e0f62a4c 00007ffe`e0f7b480 00007ffe`00000002 : chrome_elf!operator new+0x29
00000068`70fdeec0 00007ffe`e0f31273 : 00007ffe`e0f7a280 00007ffe`e0f312dc 00000068`70fdf840 00000000`00000000 : chrome_elf!std::basic_streambuf<char,std::char_traits<char> >::basic_streambuf<char,std::char_traits<char> >+0x21
00000068`70fdeef0 00007ffe`e0f50e67 : 00000000`00000000 00000068`70fdf3c0 00000000`00000002 00000000`0000003c : chrome_elf!std::`dynamic initializer for 'ferr''+0x1f
00000068`70fdef20 00007ffe`e0f41df3 : 00000000`00000000 00000068`70fdf3c0 00000068`70fdf840 00000000`00000001 : chrome_elf!_initterm+0x4f
00000068`70fdef50 00007ffe`e0f41f45 : 00000000`00000001 00007ffe`e0f30000 00007ffe`e0f30000 00000000`00000001 : chrome_elf!dllmain_crt_process_attach+0xbb
00000068`70fdef80 00007ffe`ed2a0f29 : 00007ffe`e0f30000 00000000`00000001 00000068`70fdf840 00000255`ca59c510 : chrome_elf!dllmain_dispatch+0x5d
00000068`70fdefe0 00007ffe`bcffa2e5 : 00000255`d4bfbbf0 00007ffe`00000001 00000000`00000001 00007ffe`ed329cd6 : verifier!AVrfpStandardDllEntryPointRoutine+0xc9
00000068`70fdf060 00007ffe`b9f032b9 : 00000255`cf4ac750 00000255`00000001 00000000`00000000 00000255`c8382c00 : vrfcore!VfCoreStandardDllEntryPointRoutine+0x155
00000068`70fdf0f0 00007ffe`ed329d9f : 00000000`00000001 00000255`00000001 00000068`70fdf840 00007ffe`ed3077fb : vfbasics!AVrfpStandardDllEntryPointRoutine+0xc9
00000068`70fdf170 00007ffe`ed30771a : 00000255`d4bf5c30 00007ffe`e0f30000 00007ffe`00000001 00007ffe`e0f3cf40 : ntdll!LdrpCallInitRoutine+0x4b
00000068`70fdf1d0 00007ffe`ed307567 : 00000255`d4bf5dc0 00000255`d4bf5d00 00000068`70fdf301 00007ffe`eabd83b2 : ntdll!LdrpInitializeNode+0x15a
00000068`70fdf2f0 00007ffe`ed307585 : 00000000`00000000 00000255`c8382e70 00000068`70fdf370 00000000`00000000 : ntdll!LdrpInitializeGraphRecurse+0x73
00000068`70fdf330 00007ffe`ed3909ae : 00000000`00000000 00000000`00000000 00000068`70fdf3c6 00000000`00000003 : ntdll!LdrpInitializeGraphRecurse+0x91
00000068`70fdf370 00007ffe`ed3c7af4 : 00000000`00000000 00007ffe`ed388bc9 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x77e
00000068`70fdf770 00007ffe`ed378d5e : 00000068`70fdf840 00000000`00000000 00000000`00000000 00000068`710c7000 : ntdll!_LdrpInitialize+0x4ed40
00000068`70fdf7f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
THREAD_SHA1_HASH_MOD_FUNC: c844c5b7262f04512f927d696cae1c8cfea8be88
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 2812759f0bfa68f667ceebf9358fb406e00aaec4
THREAD_SHA1_HASH_MOD: 770b79f6cd79faf120ea92703864e5ebe26191ad
FAULT_INSTR_CODE: 5c8948cc
FAULTING_SOURCE_LINE: f:\dd\vctools\crt\vcstartup\src\heap\throw_bad_alloc.cpp
FAULTING_SOURCE_FILE: f:\dd\vctools\crt\vcstartup\src\heap\throw_bad_alloc.cpp
FAULTING_SOURCE_LINE_NUMBER: 38
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: chrome_elf!__scrt_throw_std_bad_array_new_length+1f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: chrome_elf
IMAGE_NAME: chrome_elf.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 57cf555b
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; kb
BUCKET_ID: INVALID_POINTER_READ_AVRF_chrome_elf!__scrt_throw_std_bad_array_new_length+1f
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_AVRF_chrome_elf!__scrt_throw_std_bad_array_new_length+1f
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: chrome_elf.dll
BUCKET_ID_IMAGE_STR: chrome_elf.dll
FAILURE_MODULE_NAME: chrome_elf
BUCKET_ID_MODULE_STR: chrome_elf
FAILURE_FUNCTION_NAME: __scrt_throw_std_bad_array_new_length
BUCKET_ID_FUNCTION_STR: __scrt_throw_std_bad_array_new_length
BUCKET_ID_OFFSET: 1f
BUCKET_ID_MODTIMEDATESTAMP: 57cf555b
BUCKET_ID_MODCHECKSUM: 5c099
BUCKET_ID_MODVER_STR: 53.0.2785.101
BUCKET_ID_PREFIX_STR: INVALID_POINTER_READ_AVRF_
FAILURE_PROBLEM_CLASS: INVALID_POINTER_READ_AVRF
FAILURE_SYMBOL_NAME: chrome_elf.dll!__scrt_throw_std_bad_array_new_length
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_chrome_elf.dll!__scrt_throw_std_bad_array_new_length
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/chrome.exe/53.0.2785.101/57cf9ca3/chrome_elf.dll/53.0.2785.101/57cf555b/c0000005/00013819.htm?Retriage=1
TARGET_TIME: 2016-09-09T17:38:28.000Z
OSBUILD: 14393
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-07-16 07:51:29
BUILDDATESTAMP_STR: 160715-1616
BUILDLAB_STR: rs1_release
BUILDOSVER_STR: 10.0.14393.0
ANALYSIS_SESSION_ELAPSED_TIME: 152b6
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_avrf_c0000005_chrome_elf.dll!__scrt_throw_std_bad_array_new_length
FAILURE_ID_HASH: {19a5f406-aea6-91ea-5720-3c6712404c0a}
Followup: MachineOwner
---------
0:000> lmvm chrome_elf
Browse full module list
start end module name
00007ffe`e0f30000 00007ffe`e0f89000 chrome_elf (private pdb symbols) C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\chrome_elf.dll.pdb\3CB50C8DDE124949B88500C6B24B266C1\chrome_elf.dll.pdb
Loaded symbol image file: C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.101\chrome_elf.dll
Image path: C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.101\chrome_elf.dll
Image name: chrome_elf.dll
Browse all global symbols functions data
Timestamp: Wed Sep 7 05:16:35 2016 (57CF555B)
CheckSum: 0005C099
ImageSize: 00059000
File version: 53.0.2785.101
Product version: 53.0.2785.101
File flags: 0 (Mask 17)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Google Inc.
ProductName: Google Chrome
InternalName: chrome_elf_dll
OriginalFilename: chrome_elf.dll
ProductVersion: 53.0.2785.101
FileVersion: 53.0.2785.101
FileDescription: Google Chrome
LegalCopyright: Copyright 2016 Google Inc. All rights reserved.
,
Sep 9 2016
There is no guarantee that app verifier isn't just messing with Chrome's interception hooks or sandbox initialization. Can you get this to repro without application verifier? Are you running with --no-sandbox?
,
Sep 9 2016
Yes, as instructed in the debugging guidelines for Chrome, I am using --no-sandbox. I am not sure I can get this without Application Verifier. But one thing observed: after unhooking Chrome from App Verifier and reinstalling, the Request Maker and browsing the internet are not active; it's damaged permanently.
,
Sep 9 2016
App verifier might have false positives. If you can reproduce this crash without it running or point at some code that might have an issue, feel free to re-raise this bug, otherwise I will close as WontFix given we don't support running Chrome in App Verifier.
,
Sep 13 2016
1. trace of following
~* kp
. 0 Id: 2344.10fc Suspend: 1 Teb: 0000000e`9ae53000 Unfrozen
# Child-SP RetAddr Call Site
00 0000000e`9b0fee58 00007ff6`3fe040c3 chrome!__std_exception_copy(struct __std_exception_data * from = 0x0000000e`9b0feea8, struct __std_exception_data * to = 0x0000000e`9b0feef0)+0x30 [f:\dd\vctools\crt\vcruntime\src\eh\std_exception.cpp @ 27]
01 (Inline Function) --------`-------- chrome!std::exception::{ctor}+0x2e
02 (Inline Function) --------`-------- chrome!std::logic_error::{ctor}+0x2e
03 0000000e`9b0fee88 00007ff6`3fe041d5 chrome!std::length_error::length_error(char * _Message = <Value unavailable error>)+0x37 [f:\dd\vctools\crt\crtw32\stdhpp\stdexcept @ 112]
04 0000000e`9b0feec8 00007ff6`3fd70000 chrome!std::_Xlength_error(char * _Message = <Value unavailable error>)+0x11 [f:\dd\vctools\crt\crtw32\stdcpp\xthrow.cpp @ 20]
05 0000000e`9b0fef18 00000000`00000030 chrome!__acrt_signal_action_table_size
06 0000000e`9b0fef20 00000000`00000000 0x30
Source File: f:\dd\vctools\crt\vcruntime\src\eh\std_exception.cpp
Source Line: 27
dx -r1 (*((chrome!__std_exception_data *)0xe9b0feea8))
(*((chrome!__std_exception_data *)0xe9b0feea8)) [Type: __std_exception_data]
[+0x000] _What : 0xad50f1b9aaeb0000 : "--- memory read error at address 0xad50f1b9`aaeb0000 ---" [Type: char *]
[+0x008] _DoFree : true [Type: bool]
0:000> dx -r1 (*((chrome!__std_exception_data *)0xe9b0feea8))
(*((chrome!__std_exception_data *)0xe9b0feea8)) [Type: __std_exception_data]
[+0x000] _What : 0xad50f1b9aaeb0000 : "--- memory read error at address 0xad50f1b9`aaeb0000 ---" [Type: char *]
[+0x008] _DoFree : true [Type: bool]
0:000> dx -r1 (*((chrome!char *)0xad50f1b9aaeb0000))
Error: Unable to read memory at Address 0xad50f1b9aaeb0000
0:000> dx Debugger.Sessions[0].Processes[9028].Threads[4348].Stack.Frames[2].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[9028].Threads[4348].Stack.Frames[2].SwitchTo()
0:000> dx Debugger.Sessions[0].Processes[9028].Threads[4348].Stack.Frames[3].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[9028].Threads[4348].Stack.Frames[3].SwitchTo()
@rbx class std::length_error * this = 0x0000000e`9b0feee8
<unavailable> char * _Message = <value unavailable>
0:000> dx -r1 (*((chrome!std::length_error *)0xe9b0feee8))
(*((chrome!std::length_error *)0xe9b0feee8)) [Type: std::length_error]
[+0x008] _Ptr : 0x0 [Type: char *]
Exception Sub-Type: Read Access Violation
Faulting Instruction:00007ff6`3fe08a64 cmp byte ptr [rax+rdi],0
Basic Block:
00007ff6`3fe08a64 cmp byte ptr [rax+rdi],0
Tainted Input operands: 'rax','rdi'
00007ff6`3fe08a68 jne chrome!__std_exception_copy+0x2d (00007ff6`3fe08a61)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x641f31f7.0x0a12c100
Hash Usage : Stack Trace:
Major+Minor : chrome!__std_exception_copy+0x30
Major+Minor : chrome!std::length_error::length_error+0x37
Major+Minor : chrome!std::_Xlength_error+0x11
Major+Minor : chrome!__acrt_signal_action_table_size+0x0
Major+Minor : Unknown
Instruction Address: 0x00007ff63fe08a64
Source File: f:\dd\vctools\crt\vcruntime\src\eh\std_exception.cpp
Source Line: 27
,
Sep 13 2016
If you can provide a test case that triggers without app verifier running then please supply it, otherwise results from automated tools that are incompatible with Chrome are not too much use.
Comment 1 by wfh@chromium.org, Sep 9 2016
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Stability-Crash Needs-Feedback Type-Bug