Issue 645708 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




Lots of unittests broken in window land ChromeOS

Project Member Reported by dmu...@chromium.org, Sep 10 2016

Issue description

Build is broken:
unit_tests on Ubuntu-12.04

Revision range:
chromium 417723 : 417742

Failing builders:
Linux Chromium OS ASan LSan Tests (1): https://build.chromium.org/p/chromium.memory/builders/Linux%20Chromium%20OS%20ASan%20LSan%20Tests%20(1)

Use-after-free
==27797==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160002cc380 at pc 0x0000017f1c68 bp 0x7ffdcf2b4050 sp 0x7ffdcf2b4048
WRITE of size 8 at 0x6160002cc380 thread T0
    #0 0x17f1c67 in OnItemRestored ash/common/wm/overview/window_selector_item.cc:200:33
    #1 0x17f1c67 in ~WindowSelectorItem ash/common/wm/overview/window_selector_item.cc:449
    #2 0x17f1c67 in ash::WindowSelectorItem::~WindowSelectorItem() ash/common/wm/overview/window_selector_item.cc:447
    #3 0x17d785c in STLDeleteContainerPointers<__gnu_cxx::__normal_iterator<ash::WindowSelectorItem **, std::vector<ash::WindowSelectorItem *, std::allocator<ash::WindowSelectorItem *> > > > base/stl_util.h:46:5
    #4 0x17d785c in STLDeleteElements<std::vector<ash::WindowSelectorItem *, std::allocator<ash::WindowSelectorItem *> > > base/stl_util.h:102
    #5 0x17d785c in clear base/memory/scoped_vector.h:101
    #6 0x17d785c in ~ScopedVector base/memory/scoped_vector.h:40
    #7 0x17d785c in ash::WindowGrid::~WindowGrid() ash/common/wm/overview/window_grid.cc:420
    #8 0x17d79ad in ash::WindowGrid::~WindowGrid() ash/common/wm/overview/window_grid.cc:420:27
    #9 0x17e4490 in operator() build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
    #10 0x17e4490 in reset build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
    #11 0x17e4490 in ~unique_ptr build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169
    #12 0x17e4490 in _Destroy<std::unique_ptr<ash::WindowGrid, std::default_delete<ash::WindowGrid> > > build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_construct.h:94
    #13 0x17e4490 in __destroy<std::unique_ptr<ash::WindowGrid, std::default_delete<ash::WindowGrid> > *> build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_construct.h:104
    #14 0x17e4490 in _Destroy<std::unique_ptr<ash::WindowGrid, std::default_delete<ash::WindowGrid> > *> build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_construct.h:127
    #15 0x17e4490 in _Destroy<std::unique_ptr<ash::WindowGrid, std::default_delete<ash::WindowGrid> > *, std::unique_ptr<ash::WindowGrid, std::default_delete<ash::WindowGrid> > > build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_construct.h:153
    #16 0x17e4490 in _M_erase_at_end build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_vector.h:1255
    #17 0x17e4490 in clear build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_vector.h:1040
    #18 0x17e4490 in ash::WindowSelector::Shutdown() ash/common/wm/overview/window_selector.cc:430
    #19 0x17ed07c in ash::WindowSelectorController::OnSelectionEnded() ash/common/wm/overview/window_selector_controller.cc:83:21
    #20 0x17e7a8f in CancelSelection ash/common/wm/overview/window_selector.cc:445:14
    #21 0x17e7a8f in ash::WindowSelector::OnWindowActivated(ash::WmWindow*, ash::WmWindow*) ash/common/wm/overview/window_selector.cc:621
    #22 0x1948f7a in ash::WmShellAura::OnWindowActivated(aura::client::ActivationChangeObserver::ActivationReason, aura::Window*, aura::Window*) ash/aura/wm_shell_aura.cc:294:3
    #23 0x29b62a1 in wm::FocusController::SetActiveWindow(aura::client::ActivationChangeObserver::ActivationReason, aura::Window*, aura::Window*) ui/wm/core/focus_controller.cc:317:3
    #24 0x29b3056 in wm::FocusController::FocusAndActivateWindow(aura::client::ActivationChangeObserver::ActivationReason, aura::Window*) ui/wm/core/focus_controller.cc:212:5
    #25 0x26ad3e2 in DispatchEvent ui/events/event_dispatcher.cc:191:12
    #26 0x26ad3e2 in ui::EventDispatcher::DispatchEventToEventHandlers(std::vector<ui::EventHandler*, std::allocator<ui::EventHandler*> >*, ui::Event*) ui/events/event_dispatcher.cc:170
    #27 0x26ac826 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:127:3
    #28 0x26ac41e in DispatchEventToTarget ui/events/event_dispatcher.cc:86:14
    #29 0x26ac41e in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:58
    #30 0x25da0bf in aura::WindowEventDispatcher::ProcessGestures(aura::Window*, ScopedVector<ui::GestureEvent>*) ui/aura/window_event_dispatcher.cc:292:15
    #31 0x25de1fe in aura::WindowEventDispatcher::PostDispatchEvent(ui::EventTarget*, ui::Event const&) ui/aura/window_event_dispatcher.cc:498:16
    #32 0x26ac57b in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:62:15
    #33 0x26af02e in ui::EventProcessor::OnEventFromSource(ui::Event*) ui/events/event_processor.cc:35:15
    #34 0x26afbfe in DeliverEventToProcessor ui/events/event_source.cc:73:21
    #35 0x26afbfe in ui::EventSource::SendEventToProcessor(ui::Event*) ui/events/event_source.cc:51
    #36 0x26f8881 in ui::test::EventGenerator::DoDispatchEvent(ui::Event*, bool) ui/events/test/event_generator.cc:667:29
    #37 0x26f64f8 in Dispatch ui/events/test/event_generator.cc:562:3
    #38 0x26f64f8 in ui::test::EventGenerator::GestureTapAt(gfx::Point const&) ui/events/test/event_generator.cc:325
    #39 0x1008d3f in ash::WindowSelectorTest_CancelOverviewOnTap_Test::TestBody() ash/wm/overview/window_selector_unittest.cc:2053:13
    #40 0x258f96b in HandleExceptionsInMethodIfSupported<testing::Test, void> testing/gtest/src/gtest.cc:2458:12
    #41 0x258f96b in testing::Test::Run() testing/gtest/src/gtest.cc:2474
    #42 0x25919fb in testing::TestInfo::Run() testing/gtest/src/gtest.cc:2656:11
    #43 0x25927b6 in testing::TestCase::Run() testing/gtest/src/gtest.cc:2774:28
    #44 0x25a67b6 in testing::internal::UnitTestImpl::RunAllTests() testing/gtest/src/gtest.cc:4647:43
    #45 0x25a5e17 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> testing/gtest/src/gtest.cc:2458:12
    #46 0x25a5e17 in testing::UnitTest::Run() testing/gtest/src/gtest.cc:4255
    #47 0x1bbc03b in RUN_ALL_TESTS testing/gtest/include/gtest/gtest.h:2237:46
    #48 0x1bbc03b in base::TestSuite::Run() base/test/test_suite.cc:246
    #49 0x1bbfab3 in Run base/callback.h:56:12
    #50 0x1bbfab3 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1> const&) base/test/launcher/unit_test_launcher.cc:206
    #51 0x1bbf795 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1> const&) base/test/launcher/unit_test_launcher.cc:445:10
    #52 0xd2e391 in main ash/test/ash_unittests.cc:14:10
    #53 0x7fe584fa57ec in __libc_start_main /build/eglibc-oqps9y/eglibc-2.15/csu/libc-start.c:226

0x6160002cc380 is located 512 bytes inside of 560-byte region [0x6160002cc180,0x6160002cc3b0)
freed by thread T0 here:
    #0 0x64471b in operator delete(void*) (/b/swarming/w/irbhmjeI/out/Release/ash_unittests+0x64471b)
    #1 0x290b591 in views::View::~View() ui/views/view.cc:134:7
    #2 0x17f830d in ash::WindowSelectorItem::CaptionContainerView::~CaptionContainerView() ash/common/wm/overview/window_selector_item.cc:361:27
    #3 0x290d700 in operator() build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
    #4 0x290d700 in reset build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
    #5 0x290d700 in ~unique_ptr build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169
    #6 0x290d700 in views::View::DoRemoveChildView(views::View*, bool, bool, bool, views::View*) ui/views/view.cc:1845
    #7 0x290e5f8 in views::View::RemoveAllChildViews(bool) ui/views/view.cc:259:5
    #8 0x292c213 in views::internal::RootView::~RootView() ui/views/widget/root_view.cc:182:5
    #9 0x292c3dd in views::internal::RootView::~RootView() ui/views/widget/root_view.cc:178:23
    #10 0x293559f in operator() build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
    #11 0x293559f in reset build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
    #12 0x293559f in DestroyRootView ui/views/widget/widget.cc:1373
    #13 0x293559f in views::Widget::~Widget() ui/views/widget/widget.cc:172
    #14 0x2935b5d in views::Widget::~Widget() ui/views/widget/widget.cc:171:19
    #15 0x17ce1fb in operator() build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
    #16 0x17ce1fb in reset build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
    #17 0x17ce1fb in ~unique_ptr build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169
    #18 0x17ce1fb in ~CleanupAnimationObserver ash/common/wm/overview/cleanup_animation_observer.cc:17
    #19 0x17ce1fb in ~CleanupAnimationObserver ash/common/wm/overview/cleanup_animation_observer.cc:17
    #20 0x17ce1fb in non-virtual thunk to ash::CleanupAnimationObserver::~CleanupAnimationObserver() ash/common/wm/overview/cleanup_animation_observer.cc:17
    #21 0x17ed780 in operator() build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
    #22 0x17ed780 in reset build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
    #23 0x17ed780 in ~unique_ptr build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169
    #24 0x17ed780 in _Destroy<std::unique_ptr<ash::DelayedAnimationObserver, std::default_delete<ash::DelayedAnimationObserver> > > build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_construct.h:94
    #25 0x17ed780 in __destroy<std::unique_ptr<ash::DelayedAnimationObserver, std::default_delete<ash::DelayedAnimationObserver> > *> build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_construct.h:104
    #26 0x17ed780 in _Destroy<std::unique_ptr<ash::DelayedAnimationObserver, std::default_delete<ash::DelayedAnimationObserver> > *> build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_construct.h:127
    #27 0x17ed780 in _Destroy<std::unique_ptr<ash::DelayedAnimationObserver, std::default_delete<ash::DelayedAnimationObserver> > *, std::unique_ptr<ash::DelayedAnimationObserver, std::default_delete<ash::DelayedAnimationObserver> > > build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_construct.h:153
    #28 0x17ed780 in _M_erase_at_end build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_vector.h:1255
    #29 0x17ed780 in erase build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/vector.tcc:154
    #30 0x17ed780 in ash::WindowSelectorController::RemoveAndDestroyAnimationObserver(ash::DelayedAnimationObserver*) ash/common/wm/overview/window_selector_controller.cc:108
    #31 0x269124e in ui::ScopedLayerAnimationSettings::~ScopedLayerAnimationSettings() ui/compositor/scoped_layer_animation_settings.cc:45:11
    #32 0x269145d in ui::ScopedLayerAnimationSettings::~ScopedLayerAnimationSettings() ui/compositor/scoped_layer_animation_settings.cc:35:63
    #33 0x19e6a47 in operator() build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
    #34 0x19e6a47 in reset build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
    #35 0x19e6a47 in ~unique_ptr build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169
    #36 0x19e6a47 in ~ScopedOverviewAnimationSettingsAura ash/wm/overview/scoped_overview_animation_settings_aura.cc:110
    #37 0x19e6a47 in ash::ScopedOverviewAnimationSettingsAura::~ScopedOverviewAnimationSettingsAura() ash/wm/overview/scoped_overview_animation_settings_aura.cc:110
    #38 0x17f3a8a in operator() build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
    #39 0x17f3a8a in reset build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
    #40 0x17f3a8a in ~unique_ptr build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169
    #41 0x17f3a8a in ash::WindowSelectorItem::FadeOut(std::unique_ptr<views::Widget, std::default_delete<views::Widget> >) ash/common/wm/overview/window_selector_item.cc:893
    #42 0x17f3590 in ash::WindowSelectorItem::Shutdown() ash/common/wm/overview/window_selector_item.cc:479:3
    #43 0x17d7ad5 in ash::WindowGrid::Shutdown() ash/common/wm/overview/window_grid.cc:424:14
    #44 0x17e3e1b in ash::WindowSelector::Shutdown() ash/common/wm/overview/window_selector.cc:408:18
    #45 0x17ed07c in ash::WindowSelectorController::OnSelectionEnded() ash/common/wm/overview/window_selector_controller.cc:83:21
    #46 0x17e7a8f in CancelSelection ash/common/wm/overview/window_selector.cc:445:14
    #47 0x17e7a8f in ash::WindowSelector::OnWindowActivated(ash::WmWindow*, ash::WmWindow*) ash/common/wm/overview/window_selector.cc:621
    #48 0x1948f7a in ash::WmShellAura::OnWindowActivated(aura::client::ActivationChangeObserver::ActivationReason, aura::Window*, aura::Window*) ash/aura/wm_shell_aura.cc:294:3
    #49 0x29b62a1 in wm::FocusController::SetActiveWindow(aura::client::ActivationChangeObserver::ActivationReason, aura::Window*, aura::Window*) ui/wm/core/focus_controller.cc:317:3
    #50 0x29b3056 in wm::FocusController::FocusAndActivateWindow(aura::client::ActivationChangeObserver::ActivationReason, aura::Window*) ui/wm/core/focus_controller.cc:212:5
    #51 0x26ad3e2 in DispatchEvent ui/events/event_dispatcher.cc:191:12
    #52 0x26ad3e2 in ui::EventDispatcher::DispatchEventToEventHandlers(std::vector<ui::EventHandler*, std::allocator<ui::EventHandler*> >*, ui::Event*) ui/events/event_dispatcher.cc:170
    #53 0x26ac826 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:127:3
    #54 0x26ac41e in DispatchEventToTarget ui/events/event_dispatcher.cc:86:14
    #55 0x26ac41e in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:58
    #56 0x25da0bf in aura::WindowEventDispatcher::ProcessGestures(aura::Window*, ScopedVector<ui::GestureEvent>*) ui/aura/window_event_dispatcher.cc:292:15
    #57 0x25de1fe in aura::WindowEventDispatcher::PostDispatchEvent(ui::EventTarget*, ui::Event const&) ui/aura/window_event_dispatcher.cc:498:16
    #58 0x26ac57b in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:62:15
    #59 0x26af02e in ui::EventProcessor::OnEventFromSource(ui::Event*) ui/events/event_processor.cc:35:15

previously allocated by thread T0 here:
    #0 0x64411b in operator new(unsigned long) (/b/swarming/w/irbhmjeI/out/Release/ash_unittests+0x64411b)
    #1 0x17f000f in ash::WindowSelectorItem::CreateWindowLabel(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&) ash/common/wm/overview/window_selector_item.cc:684:24
    #2 0x17ef6bb in ash::WindowSelectorItem::WindowSelectorItem(ash::WmWindow*, ash::WindowSelector*) ash/common/wm/overview/window_selector_item.cc:417:3
    #3 0x17d69b3 in ash::WindowGrid::WindowGrid(ash::WmWindow*, std::vector<ash::WmWindow*, std::allocator<ash::WmWindow*> > const&, ash::WindowSelector*) ash/common/wm/overview/window_grid.cc:416:32
    #4 0x17e23b3 in ash::WindowSelector::Init(std::vector<ash::WmWindow*, std::allocator<ash::WmWindow*> > const&) ash/common/wm/overview/window_selector.cc:330:42
    #5 0x17ecb92 in ash::WindowSelectorController::ToggleOverview() ash/common/wm/overview/window_selector_controller.cc:66:23
    #6 0x1008cc3 in ToggleOverview ash/wm/overview/window_selector_unittest.cc:198:57
    #7 0x1008cc3 in ash::WindowSelectorTest_CancelOverviewOnTap_Test::TestBody() ash/wm/overview/window_selector_unittest.cc:2049
    #8 0x258f96b in HandleExceptionsInMethodIfSupported<testing::Test, void> testing/gtest/src/gtest.cc:2458:12
    #9 0x258f96b in testing::Test::Run() testing/gtest/src/gtest.cc:2474
    #10 0x25919fb in testing::TestInfo::Run() testing/gtest/src/gtest.cc:2656:11
    #11 0x25927b6 in testing::TestCase::Run() testing/gtest/src/gtest.cc:2774:28
    #12 0x25a67b6 in testing::internal::UnitTestImpl::RunAllTests() testing/gtest/src/gtest.cc:4647:43
    #13 0x25a5e17 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> testing/gtest/src/gtest.cc:2458:12
    #14 0x25a5e17 in testing::UnitTest::Run() testing/gtest/src/gtest.cc:4255
    #15 0x1bbc03b in RUN_ALL_TESTS testing/gtest/include/gtest/gtest.h:2237:46
    #16 0x1bbc03b in base::TestSuite::Run() base/test/test_suite.cc:246
    #17 0x1bbfab3 in Run base/callback.h:56:12
    #18 0x1bbfab3 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1> const&) base/test/launcher/unit_test_launcher.cc:206
    #19 0x1bbf795 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1> const&) base/test/launcher/unit_test_launcher.cc:445:10
    #20 0xd2e391 in main ash/test/ash_unittests.cc:14:10
    #21 0x7fe584fa57ec in __libc_start_main /build/eglibc-oqps9y/eglibc-2.15/csu/libc-start.c:226

SUMMARY: AddressSanitizer: heap-use-after-free ash/common/wm/overview/window_selector_item.cc:200:33 in OnItemRestored
==27797==ABORTING


Suspected CL:
https://codereview.chromium.org/2239233002

 

Comment 1 by dmu...@chromium.org, Sep 10 2016

Cc: dmu...@chromium.org
Project Member

Comment 2 by bugdroid1@chromium.org, Sep 10 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/758e34e4a30be65c2cedf5fb2a893fa3a87596f0

commit 758e34e4a30be65c2cedf5fb2a893fa3a87596f0
Author: dmurph <dmurph@chromium.org>
Date: Sat Sep 10 01:50:58 2016

Revert of [ash-md] Fades overview header in and out (patchset #17 id:400001 of https://codereview.chromium.org/2239233002/ )

Reason for revert:
This is causing a use-after-free and crashing stuff :(

BUG= 645708 

Original issue's description:
> [ash-md] Fades overview header in and out
>
> This change installs an additional header on top of the real window's header and animates its bounds and opacity such that it appears to take over the real header. Only once the "fake" header is opaque a mask or alpha shape is applied to the window to hide its original header after which the "fake" header becomes translucent to conform to MD overview mode spec.
>
> This creates a visually smoother transition into overview mode than before.
>
> Special care is taken to animate the "fake" header in case when the window is restored for the overview mode from the minimized state and is thus animated from the shelf item.
>
> BUG= 624608 ,  645076 
> TEST=Most changes are only really visible under a great slow-down but watching closely the files app header transform into overview mode should be much less abrupt.
>
> Committed: https://crrev.com/f5d0098acc9a8167409476627eae3e91d94e8cac
> Cr-Commit-Position: refs/heads/master@{#417728}

TBR=sky@chromium.org,bruthig@chromium.org,varkha@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 624608 ,  645076 

Review-Url: https://codereview.chromium.org/2329433003
Cr-Commit-Position: refs/heads/master@{#417796}

[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/aura/wm_window_aura.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/aura/wm_window_aura.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/frame/custom_frame_view_ash.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/frame/default_header_painter.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/frame/default_header_painter.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/frame/header_view.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/frame/header_view.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm/overview/overview_animation_type.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm/overview/scoped_overview_animation_settings.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm/overview/scoped_transform_overview_window.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm/overview/scoped_transform_overview_window.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm/overview/window_grid.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm/overview/window_grid.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm/overview/window_selector_item.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm/overview/window_selector_item.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm_window.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/common/wm_window_property.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/mus/bridge/wm_window_mus.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/mus/bridge/wm_window_mus.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/wm/overview/scoped_overview_animation_settings_aura.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/wm/overview/scoped_overview_animation_settings_aura.h
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/wm/overview/window_selector_unittest.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ash/wm/panels/panel_frame_view.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/chrome/browser/ui/views/frame/browser_non_client_frame_view_ash.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ui/aura/client/aura_constants.cc
[modify] https://crrev.com/758e34e4a30be65c2cedf5fb2a893fa3a87596f0/ui/aura/client/aura_constants.h

Comment 3 by varkha@chromium.org, Sep 12 2016

Cc: bruthig@chromium.org
Components: UI>Shell>OverviewMode
Labels: -Pri-0 M-55 Proj-MaterialDesign-CrOS Pri-2 Type-Bug
Status: Started (was: Available)
Thanks for reporting this and reverting my CL. The re-land has been created at https://codereview.chromium.org/2336673002 with the use-after-free corrected (it was only happening in tests due to some sequence running differently with zero-duration animations).
Changing it to Pri-2 - with the revert this is just feature work.
Project Member

Comment 4 by bugdroid1@chromium.org, Sep 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ebc9b9dfb7982cf069897b750a76231ab5bb2e31

commit ebc9b9dfb7982cf069897b750a76231ab5bb2e31
Author: varkha <varkha@chromium.org>
Date: Mon Sep 12 20:07:30 2016

Reland of [ash-md] Fades overview header in and out

This change installs an additional header on top of the real window's header and animates its bounds and opacity such that it appears to take over the real header. Only once the "fake" header is opaque a mask or alpha shape is applied to the window to hide its original header after which the "fake" header becomes translucent to conform to MD overview mode spec.

This creates a visually smoother transition into overview mode than before.

Special care is taken to animate the "fake" header in case when the window is restored for the overview mode from the minimized state and is thus animated from the shelf item.

---

This relands https://codereview.chromium.org/2239233002/ and
reverts commit 758e34e4a30be65c2cedf5fb2a893fa3a87596f0.

Corrects lifetime manipulation of the child views after their
ownership is taken over by a CleanupAnimationObserver.

BUG= 624608 ,  645076 ,  645708 
TEST=Most changes are only really visible under a great slow-down but watching closely the files app header transform into overview mode should be much less abrupt.

Review-Url: https://codereview.chromium.org/2336673002
Cr-Commit-Position: refs/heads/master@{#418017}

[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/aura/wm_window_aura.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/aura/wm_window_aura.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/frame/custom_frame_view_ash.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/frame/default_header_painter.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/frame/default_header_painter.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/frame/header_view.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/frame/header_view.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm/overview/overview_animation_type.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm/overview/scoped_overview_animation_settings.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm/overview/scoped_transform_overview_window.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm/overview/scoped_transform_overview_window.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm/overview/window_grid.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm/overview/window_grid.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm/overview/window_selector_item.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm/overview/window_selector_item.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm_window.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/common/wm_window_property.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/mus/bridge/wm_window_mus.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/mus/bridge/wm_window_mus.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/wm/overview/scoped_overview_animation_settings_aura.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/wm/overview/scoped_overview_animation_settings_aura.h
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/wm/overview/window_selector_unittest.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ash/wm/panels/panel_frame_view.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/chrome/browser/ui/views/frame/browser_non_client_frame_view_ash.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ui/aura/client/aura_constants.cc
[modify] https://crrev.com/ebc9b9dfb7982cf069897b750a76231ab5bb2e31/ui/aura/client/aura_constants.h
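
The lifetime hazard in the ASan report above, reduced to a minimal model. This is an added example, not Chromium code and not the change made in the reland. All class names are simplified stand-ins, and clearing the non-owning pointer at hand-off is an assumed mitigation, shown as one way to close this class of bug. A liveness registry replaces the real dereference so the stale access is detected rather than executed.

```cpp
// Added illustration: simplified stand-ins, not Chromium's classes.
#include <cstdio>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Addresses of live labels. Lets the demo detect a dangling pointer without
// dereferencing it, which would be undefined behaviour.
static std::set<const void*> g_live_labels;

struct Label {                       // child view created by the item
  bool has_listener = true;
  Label() { g_live_labels.insert(this); }
  ~Label() { g_live_labels.erase(this); }
};

struct Widget {                      // owns its child views
  std::unique_ptr<Label> child = std::make_unique<Label>();
};

struct CleanupObserver {             // keeps the widget alive while it fades
  std::unique_ptr<Widget> widget;
};

struct Controller {
  int animation_ms = 0;
  std::vector<std::unique_ptr<CleanupObserver>> observers;

  void FadeOut(std::unique_ptr<Widget> widget) {
    auto observer = std::make_unique<CleanupObserver>();
    observer->widget = std::move(widget);
    observers.push_back(std::move(observer));
    // A zero-duration animation completes before FadeOut() returns, so the
    // observer, the widget and every child view are destroyed right here.
    if (animation_ms == 0) observers.clear();
  }
};

class Item {
 public:
  Item(Controller* controller, bool clear_on_handoff, bool* stale_access)
      : controller_(controller),
        clear_on_handoff_(clear_on_handoff),
        stale_access_(stale_access),
        widget_(std::make_unique<Widget>()),
        label_(widget_->child.get()) {}

  void Shutdown() {
    controller_->FadeOut(std::move(widget_));  // ownership leaves the item
    if (clear_on_handoff_) label_ = nullptr;    // hardened: drop the alias too
  }

  ~Item() {
    if (!label_) return;
    if (g_live_labels.count(label_))
      label_->has_listener = false;  // safe: the label still exists
    else
      *stale_access_ = true;         // real code would write to freed memory
  }

 private:
  Controller* controller_;
  bool clear_on_handoff_;
  bool* stale_access_;
  std::unique_ptr<Widget> widget_;
  Label* label_;                     // non-owning alias into widget_
};

// Returns true when the item's destructor would have touched a freed label.
bool RunScenario(int animation_ms, bool clear_on_handoff) {
  Controller controller;
  controller.animation_ms = animation_ms;
  bool stale_access = false;
  {
    Item item(&controller, clear_on_handoff, &stale_access);
    item.Shutdown();
  }  // ~Item runs here, after the hand-off
  return stale_access;
}

int main() {
  std::printf("0 ms, alias kept:      stale access = %d\n", RunScenario(0, false));
  std::printf("200 ms, alias kept:    stale access = %d\n", RunScenario(200, false));
  std::printf("0 ms, alias cleared:   stale access = %d\n", RunScenario(0, true));
  return 0;
}
```

The 200 ms case stays clean only because the observer happens to outlive the item, which is why a code path like this can pass with real animation durations and fail under a test configuration that zeroes them.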

Comment 5 by varkha@chromium.org, Sep 14 2016

Status: Fixed (was: Started)
This one is fixed but note bug 646350.
