
Issue 654713

Issue metadata

Status: Duplicate
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: blink::InlineTextBox UAF vulnerability

Reported by lvblue...@gmail.com, Oct 11 2016

Issue description


VULNERABILITY DETAILS
The freeing happens inside src/third_party/WebKit/Source/core/layout/line/InlineTextBox.cpp@147. The InlineTextBox object pointed to by 'this' is freed inside the function blink::PendingSelection::commit, which is invoked by selectionStartEnd(). After it returns, the 'this' pointer is used again and the UAF happens.

VERSION
Chrome Version: 54.0.2837.0 (dev with SyzyASan)
Operating System: Windows 7 sp1 x86

REPRODUCTION CASE
Open the poc file via the web.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
agent_logger.exe outputs the following:
PID=4388; cmd-line='"c:\Chrome-bin\chrome.exe" --type=utility --lang=en-US --no-
sandbox --mojo-application-channel-token=54A69801025F86EF1D916C490B628960 --mojo
-platform-channel-handle=2052 /prefetch:8'
SyzyASAN: Using CrashpadReporter for error reporting.
PID=4704; cmd-line='"c:\Chrome-bin\chrome.exe" --type=renderer --enable-features
=AutomaticTabDiscarding<AutomaticTabDiscarding,ExpectCTReporting<ExpectCTReporti
ng,IncidentReportingDisableUpload<SafeBrowsingIncidentReportingService,IncidentR
eportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,Incident
ReportingSuspiciousModuleReporting<SafeBrowsingIncidentReportingServiceFeatures,
MainFrameBeforeActivation<MainFrameBeforeActivation,MaterialDesignUserManager<Ma
terialDesignUserManager,NetworkTimeServiceQuerying<NetworkTimeQueries,NewAudioRe
nderingMixingStrategy<NewAudioRenderingMixingStrategy,NonValidatingReloadOnNorma
lReload<NonValidatingReloadOnNormalReload,ParseHTMLOnMainThread<ParseHTMLOnMainT
hread,PassiveDocumentEventListeners<PassiveDocumentEventListeners,PointerEvent<P
ointerEvent,PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<Passwor
dSeparatedSigninFlow,WebRTC-EnableWebRtcEcdsa<WebRTC-EnableWebRtcEcdsa,WebRTC-H2
64WithOpenH264FFmpeg<WebRTC-H264WithOpenH264FFmpeg,token-binding<TokenBinding,us
e-new-media-cache<use-new-media-cache --disable-features=DocumentWriteEvaluator<
DisallowFetchForDocWrittenScriptsInMainFrame --force-fieldtrials=AutofillClassif
ier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/Enabled
LimitTo3/*AutomaticTabDiscarding/Enabled_Once_10-gen2/BlockSmallPluginContent/En
abled/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDe
tection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DefaultBrowserI
nfobar/SettingsTextNotNow/*DisallowFetchForDocWrittenScriptsInMainFrame/Document
WriteScriptBlockGroup/EnableGoogleCachedCopyTextExperiment/Button/*EnableMediaRo
uter/Enabled/EnableMediaRouterWithCastExtension/Enabled/EnableSessionCrashedBubb
leUI/Enabled/EnableWin32kLockDownMimeTypes/PPAPILockdown_Enabled/ExpectCTReporti
ng/ExpectCTReportingEnabled/ExtensionActionRedesign/Enabled/*ExtensionContentVer
ification/Enforce/ExtensionInstallVerification/Enforce/GoogleBrandedContextMenu/
branded/GoogleNow/Enable/*IconNTP/Default/InstanceID/Enabled/IntelligentSessionR
estore/Enabled/MainFrameBeforeActivation/Enabled/MaterialDesignDownloads/Enabled
/MaterialDesignUserManager/Enabled/MojoChannel/Enabled/*NetworkQualityEstimator/
Enabled/NetworkTimeQueries/NetworkTimeQueriesEnabled/NewAudioRenderingMixingStra
tegy/Enabled/*NewProfileManagement/Enabled/NonValidatingReloadOnNormalReload/Ena
bled/OfferUploadCreditCards/Enabled/OutOfProcessPac/Enabled/*PageRevisitInstrume
ntation/Enabled/*ParseHTMLOnMainThread/Enabled/*PassiveDocumentEventListeners/En
abled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordGeneration/Disab
led/*PasswordManagerSettingsMigration/Enable/PasswordSeparatedSigninFlow/Enabled
/PasswordSmartBubble/3-Times/*PointerEvent/Enabled/*PreRead/NoPrefetchArgument2/
*PreconnectMore/Enabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertifi
cateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SSLCommonNameMismatchHandl
ing/Enabled/*SafeBrowsingIncidentReportingService/Enabled/SafeBrowsingIncidentRe
portingServiceFeatures/WithSuspiciousModuleReporting/SafeBrowsingReportPhishingE
rrorLink/Enabled/SafeBrowsingUpdateFrequency/UpdateTime15m/SafeBrowsingV4LocalDa
tabaseManagerEnabled/Enabled/SchedulerExpensiveTaskBlocking/Enabled/SdchPersiste
nce/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/*StrictS
ecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled
/*TokenBinding/TokenBinding/*TriggeredResetFieldTrial/On/*V8CacheStrategiesForCa
cheStorage/default/VarationsServiceControl/Interval_30min/*WebFontsInterventionV
2/Enabled-slow2g/WebRTC-EnableWebRtcEcdsa/Enabled/WebRTC-H264WithOpenH264FFmpeg/
Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabl
ed/use-new-media-cache/Enabled/ --primordial-pipe-token=6ED20D55CDBB5B44AD3869D8
1C9F6F6E --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-
visible-only --blink-settings=disallowFetchForDocWrittenScriptsInMainFrameOnSlow
Connections=true,parseHTMLOnMainThreadCoalesceChunks=false,parseHTMLOnMainThread
SyncTokenize=false --enable-pinch --device-scale-factor=1 --num-raster-threads=1
 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5
,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,355
3;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3
553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553
;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,355
3;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3
,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,355
3;3,12,3553;3,13,3553;3,14,3553 --mojo-application-channel-token=6ED20D55CDBB5B4
4AD3869D81C9F6F6E --channel="5524.3.827072917\690745378" --mojo-platform-channel
-handle=2988 /prefetch:1'
SyzyASAN: Using default error reporting handler.
SyzyASAN: Heap checker enabled, processing exception.
SyzyASAN error: heap-use-after-free on address 0x1767C3E5 (stack_id=0xD7B83C1B)
READ of size 2 at 0x1767C3E5
    #0 0x00005f44cd51 in (unknown)+0
1767C3E5 is 53 bytes inside 56-byte block [1767C3B0,1767C3E8)
freed here:
    #0 0x00006f74b366 in (unknown)+0
    #1 0x00006f74ea7d in (unknown)+0
    #2 0x00005d527c22 in (unknown)+0
    #3 0x00005eae28a5 in (unknown)+0
    #4 0x00005f35e3d1 in (unknown)+0
    #5 0x00005f43eb19 in (unknown)+0
    #6 0x00005f3dd867 in (unknown)+0
    #7 0x00005f3dd559 in (unknown)+0
    #8 0x00005f3b2359 in (unknown)+0
    #9 0x00005f3b1817 in (unknown)+0
    #10 0x00005f3d4508 in (unknown)+0
    #11 0x00005f3e6256 in (unknown)+0
    #12 0x00005f3e6fcd in (unknown)+0
    #13 0x00005f3e69d1 in (unknown)+0
    #14 0x00005f3d4508 in (unknown)+0
    #15 0x00005f3e338b in (unknown)+0
    #16 0x00005f3e3da8 in (unknown)+0
    #17 0x00005f3e3b0b in (unknown)+0
    #18 0x00005f3e6e1c in (unknown)+0
    #19 0x00005f3e69d1 in (unknown)+0
    #20 0x00005f3d4508 in (unknown)+0
    #21 0x00005f3b48ec in (unknown)+0
    #22 0x00005f3b1a2a in (unknown)+0
    #23 0x00005f3b204d in (unknown)+0
    #24 0x00005f3b2369 in (unknown)+0
    #25 0x00005f3b1817 in (unknown)+0
    #26 0x00005f3d4508 in (unknown)+0
    #27 0x00005f21d31c in (unknown)+0
    #28 0x00005f19cc80 in (unknown)+0
    #29 0x00005f19bc19 in (unknown)+0
    #30 0x00005f00e6f4 in (unknown)+0
    #31 0x00005f00e72e in (unknown)+0
    #32 0x00005f1d4817 in (unknown)+0
    #33 0x00005f1dd0ec in (unknown)+0
    #34 0x00005f1c6ac8 in (unknown)+0
    #35 0x00005f1c6c70 in (unknown)+0
    #36 0x00005f45686e in (unknown)+0
    #37 0x00005f456984 in (unknown)+0
    #38 0x00005f21c566 in (unknown)+0
    #39 0x00005f44cd47 in (unknown)+0
    #40 0x00005f44cf19 in (unknown)+0
    #41 0x00005f384033 in (unknown)+0
    #42 0x00005f383da7 in (unknown)+0
    #43 0x00005f402d32 in (unknown)+0
    #44 0x00005f24a40c in (unknown)+0
    #45 0x00005f24ac31 in (unknown)+0
    #46 0x00005f24a723 in (unknown)+0
    #47 0x00005f29fd24 in (unknown)+0
    #48 0x00005f35b4fc in (unknown)+0
    #49 0x00005f24a723 in (unknown)+0
    #50 0x00005f29fd24 in (unknown)+0
    #51 0x00005f35b4fc in (unknown)+0
    #52 0x00005f24a723 in (unknown)+0
    #53 0x00005f29fd24 in (unknown)+0
    #54 0x00005f35b4fc in (unknown)+0
    #55 0x00005f24a723 in (unknown)+0
    #56 0x00005f29fd24 in (unknown)+0
    #57 0x00005f35b4fc in (unknown)+0
    #58 0x00005f19aa85 in (unknown)+0
    #59 0x00005f19ad03 in (unknown)+0
    #60 0x00005f19ab12 in (unknown)+0
    #61 0x00005f1a28cc in (unknown)+0
previously allocated here:
    #0 0x00006f74b07e in (unknown)+0
    #1 0x00006f74e9d3 in (unknown)+0
    #2 0x00005d527c41 in (unknown)+0
    #3 0x00005d527b9b in (unknown)+0
    #4 0x00005ea815e0 in (unknown)+0
    #5 0x00005f382e51 in (unknown)+0
    #6 0x00005f3829c5 in (unknown)+0
    #7 0x00005f3db974 in (unknown)+0
    #8 0x00005f3db6af in (unknown)+0
    #9 0x00005f3dbc39 in (unknown)+0
    #10 0x00005f3dde21 in (unknown)+0
    #11 0x00005f3dd887 in (unknown)+0
    #12 0x00005f3dd559 in (unknown)+0
    #13 0x00005f3b2359 in (unknown)+0
    #14 0x00005f3b1817 in (unknown)+0
    #15 0x00005f3d4508 in (unknown)+0
    #16 0x00005f3e2876 in (unknown)+0
    #17 0x00005f3e1d6b in (unknown)+0
    #18 0x00005f3e7c8b in (unknown)+0
    #19 0x00005f3e7054 in (unknown)+0
    #20 0x00005f3e69d1 in (unknown)+0
    #21 0x00005f3d4508 in (unknown)+0
    #22 0x00005f3e6256 in (unknown)+0
    #23 0x00005f3e6fcd in (unknown)+0
    #24 0x00005f3e69d1 in (unknown)+0
    #25 0x00005f3d4508 in (unknown)+0
    #26 0x00005f3b48ec in (unknown)+0
    #27 0x00005f3b1a2a in (unknown)+0
    #28 0x00005f3b204d in (unknown)+0
    #29 0x00005f3b2369 in (unknown)+0
    #30 0x00005f3b1817 in (unknown)+0
    #31 0x00005f3d4508 in (unknown)+0
    #32 0x00005f21d31c in (unknown)+0
    #33 0x00005f19cc80 in (unknown)+0
    #34 0x00005f19bc19 in (unknown)+0
    #35 0x00005f00e6f4 in (unknown)+0
    #36 0x00005f00e72e in (unknown)+0
    #37 0x00005f1d4817 in (unknown)+0
    #38 0x00005f1dd0ec in (unknown)+0
    #39 0x00005f1c6ac8 in (unknown)+0
    #40 0x00005f1c6c70 in (unknown)+0
    #41 0x00005f1e4984 in (unknown)+0
    #42 0x00005f456a79 in (unknown)+0
    #43 0x00005f21c566 in (unknown)+0
    #44 0x00005f383fa1 in (unknown)+0
    #45 0x00005f383da7 in (unknown)+0
    #46 0x00005f402d32 in (unknown)+0
    #47 0x00005f24a40c in (unknown)+0
    #48 0x00005f24ac31 in (unknown)+0
    #49 0x00005f24a723 in (unknown)+0
    #50 0x00005f29fd24 in (unknown)+0
    #51 0x00005f35b4fc in (unknown)+0
    #52 0x00005f24a723 in (unknown)+0
    #53 0x00005f29fd24 in (unknown)+0
    #54 0x00005f35b4fc in (unknown)+0
    #55 0x00005f24a723 in (unknown)+0
    #56 0x00005f29fd24 in (unknown)+0
    #57 0x00005f35b4fc in (unknown)+0
    #58 0x00005f24a723 in (unknown)+0
    #59 0x00005f29fd24 in (unknown)+0
    #60 0x00005f35b4fc in (unknown)+0
    #61 0x00005f19aa85 in (unknown)+0
Shadow bytes around the buggy address:
  0x1767c2c0: f4 00 e0 fa fd fd fd fd
  0x1767c300: fd fd fd fb fb f4 00 e0
  0x1767c340: fa fd fd fd fd fd fd fd
  0x1767c380: fb fb f4 00 e0 fa fd fd
=>0x1767c3c0: fd fd fd fd[fd]fb fb f4
  0x1767c400: 00 e4 fa fd fd fd fd fd
  0x1767c440: fd fd fd fb f4 00 e0 fa
  0x1767c480: fd fd fd fd fd fd fd fb
  0x1767c4c0: fb f4 00 e0 fa fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 - 07
  Block start redzone:   e0 - e7
  Nested block start:    e8 - ef
  Asan memory byte:      f1
  Invalid address:       f2
  User redzone:          f3
  Block end redzone:     f4
  Nested block end:      f5
  Heap left redzone:     fa
  Heap right redzone:    fb
  Asan reserved byte:    fc
  Freed heap region:     fd
SyzyASAN: Handling an exception.
SyzyASAN: Heap checker enabled, processing exception.

The crash stack is as follows:

ASAN .echo An Asan error has been found (heap-use-after-free), here are the details:; gASAN .echo Allocation stack trace:; gASAN dps 0093DBDC l62; gASAN .echo Free stack trace:; gASAN dps 0093DCD4 l62; g(254.5cc): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for KERNELBASE.dll - 
*** WARNING: Unable to verify checksum for syzyasan_rtl.dll
KERNELBASE!DebugBreak+0x2:
74c682b2 cc              int     3
0:000:x86> kvn
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0093d590 6b33050d 0093d8e8 6b326c80 0093d7bc KERNELBASE!DebugBreak+0x2
01 0093d5a8 6b328ac1 00bd9e90 0093d7bc 6b33c0a7 syzyasan_rtl!base::internal::Invoker<base::IndexSequence<>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(agent::asan::AsanErrorInfo *)>,void __cdecl(agent::asan::AsanErrorInfo *)>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(agent::asan::AsanErrorInfo *)> >,void __cdecl(agent::asan::AsanErrorInfo * const &)>::Run+0x2d (FPO: [Non-Fpo]) (CONV: cdecl) [e:\b\build\slave\syzygy_official\build\src\base\bind_internal.h @ 354]
02 0093d7b4 6b332f59 0093d8e8 00000003 240362a8 syzyasan_rtl!agent::asan::AsanRuntime::OnError+0x2e1 (FPO: [Non-Fpo]) (CONV: thiscall) [e:\b\build\slave\syzygy_official\build\src\syzygy\agent\asan\runtime.cc @ 647]
03 0093e0b8 6b326884 00000002 0093e0e0 0093e124 syzyasan_rtl!agent::asan::ReportBadMemoryAccess+0x209 (FPO: [Non-Fpo]) (CONV: cdecl) [e:\b\build\slave\syzygy_official\build\src\syzygy\agent\asan\rtl_utils.cc @ 132]
04 0093e0c8 6b384cdb 240362dd 00000000 00000002 syzyasan_rtl!asan_report_bad_memory_access+0x14 (FPO: [Non-Fpo]) (CONV: cdecl) [e:\b\build\slave\syzygy_official\build\src\syzygy\agent\asan\memory_interceptors.cc @ 196]
05 0093e124 690dcf19 240362a8 00003aed 690dd51a syzyasan_rtl!asan_check_2_byte_read_access_4gb+0x5b (CONV: cdecl) [E:\b\build\slave\Syzygy_Official\build\src\syzygy\agent\asan\gen\memory_interceptors_impl.asm @ 2323]
06 0093e130 690dd51a 240362a8 00001c00 2731db88 chrome_child!blink::InlineTextBox::hasWrappedSelectionNewline+0x16 (FPO: [0,0,0]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\line\inlinetextbox.cpp @ 200]
07 0093e1dc 69014033 0093e218 00003aed 00000440 chrome_child!blink::InlineTextBox::localSelectionRect+0x204 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\line\inlinetextbox.cpp @ 257]
08 0093e240 69013da7 0093e268 0093e2dc 2731db88 chrome_child!blink::LayoutText::localSelectionRect+0xb8 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layouttext.cpp @ 1672]
09 0093e278 69092d32 0093e28c 0093e2dc 29647060 chrome_child!blink::LayoutText::localOverflowRectForPaintInvalidation+0x32 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layouttext.cpp @ 1638]
0a 0093e29c 68eda40c 0093e300 29647028 0093e404 chrome_child!blink::PaintInvalidationState::computePaintInvalidationRectInBacking+0x47 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\paintinvalidationstate.cpp @ 383]
0b 0093e314 68edac31 0093e328 00000012 29647028 chrome_child!blink::LayoutObject::invalidatePaintIfNeeded+0x87 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 1302]
0c 0093e3b4 68eda723 0093e404 2761a390 0093e3d4 chrome_child!blink::LayoutObject::invalidateTreeIfNeeded+0x5d (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 1255]
0d 0093e3c4 68f2fd24 0093e404 2761a3c8 0093e490 chrome_child!blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded+0x2d (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 1263]
0e 0093e3d4 68feb4fc 0093e404 00000012 2761a390 chrome_child!blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded+0xe (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 1609]
0f 0093e490 68eda723 0093e4e0 2761a840 0093e4b0 chrome_child!blink::LayoutBoxModelObject::invalidateTreeIfNeeded+0x134 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutboxmodelobject.cpp @ 415]
10 0093e4a0 68f2fd24 0093e4e0 2761a878 0093e56c chrome_child!blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded+0x2d (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 1263]
11 0093e4b0 68feb4fc 0093e4e0 00000012 2761a840 chrome_child!blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded+0xe (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 1609]
12 0093e56c 68eda723 0093e5bc 2761a138 0093e58c chrome_child!blink::LayoutBoxModelObject::invalidateTreeIfNeeded+0x134 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutboxmodelobject.cpp @ 415]
13 0093e57c 68f2fd24 0093e5bc 2761a170 0093e648 chrome_child!blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded+0x2d (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 1263]
14 0093e58c 68feb4fc 0093e5bc 00000012 2761a138 chrome_child!blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded+0xe (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 1609]
15 0093e648 68eda723 0093e698 295cc850 0093e668 chrome_child!blink::LayoutBoxModelObject::invalidateTreeIfNeeded+0x134 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutboxmodelobject.cpp @ 415]
16 0093e658 68f2fd24 0093e698 295cc888 0093e724 chrome_child!blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded+0x2d (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 1263]
17 0093e668 68feb4fc 0093e698 00000004 295cc850 chrome_child!blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded+0xe (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 1609]
18 0093e724 68eda723 0093e774 295cb5e8 0093e744 chrome_child!blink::LayoutBoxModelObject::invalidateTreeIfNeeded+0x134 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutboxmodelobject.cpp @ 415]
19 0093e734 68f2fd24 0093e774 295cb620 0093e800 chrome_child!blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded+0x2d (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 1263]
1a 0093e744 68feb4fc 0093e774 00000004 295cb5e8 chrome_child!blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded+0xe (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 1609]
1b 0093e800 68eda723 0093e850 295d1f80 0093e820 chrome_child!blink::LayoutBoxModelObject::invalidateTreeIfNeeded+0x134 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutboxmodelobject.cpp @ 415]
1c 0093e810 68f2fd24 0093e850 295d1fb8 0093e8dc chrome_child!blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded+0x2d (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 1263]
1d 0093e820 68feb4fc 0093e850 00000004 295d1f80 chrome_child!blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded+0xe (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 1609]
1e 0093e8dc 68eda723 0093e92c 2731db88 0093e8fc chrome_child!blink::LayoutBoxModelObject::invalidateTreeIfNeeded+0x134 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutboxmodelobject.cpp @ 415]
1f 0093e8ec 68f2fd24 0093e92c 2731dbc0 0093e9b8 chrome_child!blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded+0x2d (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutobject.cpp @ 1263]
20 0093e8fc 68feb4fc 0093e92c 282e25b0 2731db88 chrome_child!blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded+0xe (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 1609]
21 0093e9b8 68e2aa85 0093eaec 00000000 282e25b0 chrome_child!blink::LayoutBoxModelObject::invalidateTreeIfNeeded+0x134 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\layoutboxmodelobject.cpp @ 415]
22 (Inline) -------- -------- -------- -------- chrome_child!blink::LayoutItem::invalidateTreeIfNeeded+0x24 (Inline Function @ 68e2aa85) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\layout\api\layoutitem.h @ 282]
23 0093e9f4 68e2ad03 0093eaec 282e25b0 258f2300 chrome_child!blink::FrameView::invalidateTreeIfNeeded+0x109 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\frame\frameview.cpp @ 1143]
24 0093eb78 68e2ab12 282e25b0 2731db88 67d34df0 chrome_child!blink::FrameView::invalidateTreeIfNeededRecursiveInternal+0x194 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\frame\frameview.cpp @ 2872]
25 0093eb98 68e328cc 321e1850 00000000 00000000 chrome_child!blink::FrameView::invalidateTreeIfNeededRecursive+0x62 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\frame\frameview.cpp @ 2848]
26 0093ebd0 68e322ec 00000012 68f42d86 2582eae8 chrome_child!blink::FrameView::updateLifecyclePhasesInternal+0x156 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\frame\frameview.cpp @ 2633]
27 0093ebd8 68f42d86 2582eae8 00000000 0093ebf4 chrome_child!blink::FrameView::updateAllLifecyclePhases+0x18 (FPO: [0,0,0]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\frame\frameview.cpp @ 2517]
28 0093ebe8 68adfcd4 4b9e1a58 0093ec30 68ac1f34 chrome_child!blink::PageAnimator::updateAllLifecyclePhases+0x1c (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\core\page\pageanimator.cpp @ 86]
29 0093ebf4 68ac1f34 4b9e1820 4b9e1a58 00000000 chrome_child!blink::PageWidgetDelegate::updateAllLifecyclePhases+0x11 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\third_party\webkit\source\web\pagewidgetdelegate.cpp @ 61]
2a 0093ec30 68507724 273b81dc 2402bf88 00000000 chrome_child!blink::WebViewImpl::updateAllLifecyclePhases+0xa0 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\web\webviewimpl.cpp @ 2017]
2b 0093ecdc 6851857d 2402bf88 24085aa8 22ae9798 chrome_child!cc::ProxyMain::BeginMainFrame+0x325 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\cc\trees\proxy_main.cc @ 204]
2c (Inline) -------- -------- -------- -------- chrome_child!base::internal::FunctorTraits<void (__thiscall cc::ProxyMain::*)(std::unique_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> >),void>::Invoke+0x8144857a (Inline Function @ 6851857d) (CONV: cdecl) [i:\chromium\src\base\bind_internal.h @ 214]
2d (Inline) -------- -------- -------- -------- chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo+0x8144857d (Inline Function @ 6851857d) (CONV: cdecl) [i:\chromium\src\base\bind_internal.h @ 303]
2e 0093ee58 68519c62 273b81d8 6850726c 273b81d0 chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall cc::ProxyMain::*)(std::unique_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> >),base::WeakPtr<cc::ProxyMain>,base::internal::PassedWrapper<std::unique_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> > > >,void __cdecl(void)>::RunImpl<void (__thiscall cc::ProxyMain::*const &)(std::unique_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> >),std::tuple<base::WeakPtr<cc::ProxyMain>,base::internal::PassedWrapper<std::unique_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> > > > const &,0,1>+0x98 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\base\bind_internal.h @ 350]
2f 0093ee6c 67f57ab9 273b81d0 0093eeb4 24089eb0 chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall cc::ProxyMain::*)(std::unique_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> >),base::WeakPtr<cc::ProxyMain>,base::internal::PassedWrapper<std::unique_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> > > >,void __cdecl(void)>::Run+0x16 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\base\bind_internal.h @ 324]
30 (Inline) -------- -------- -------- -------- chrome_child!base::Callback<void __cdecl(void),1>::Run+0x1c (Inline Function @ 67f57ab9) (CONV: thiscall) [i:\chromium\src\base\callback.h @ 388]
31 0093eecc 68a57e4c 6a386c34 6a90914b 24089eb0 chrome_child!base::debug::TaskAnnotator::RunTask+0x100 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\base\debug\task_annotator.cc @ 54]
32 0093ef7c 68a574a8 24089eb0 0093f068 6a387880 chrome_child!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x1e1 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 319]
33 0093f0e8 68a56210 00000000 00000000 5e6c89cb chrome_child!blink::scheduler::TaskQueueManager::DoWork+0x180 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 218]
34 0093f0fc 689aa441 68a5725d 24087e40 24087e38 chrome_child!base::internal::FunctorTraits<void (__thiscall blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),void>::Invoke<base::WeakPtr<blink::scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &>+0x1f (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\base\bind_internal.h @ 215]
35 0093f114 68a56229 24087e28 24087e40 24087e38 chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo<void (__thiscall content::WebFileWriterBase::*const &)(__int64,bool),base::WeakPtr<content::WebFileWriterImpl> const &,__int64,bool>+0x22 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\base\bind_internal.h @ 303]
36 0093f12c 68a580c8 24087e28 24087e30 24087e20 chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void __cdecl(void)>::RunImpl<void (__thiscall blink::scheduler::TaskQueueManager::*const &)(base::TimeTicks,bool),std::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool> const &,0,1,2>+0x17 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\base\bind_internal.h @ 346]
37 0093f140 67f57ab9 24087e20 0093f188 0093f360 chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void __cdecl(void)>::Run+0x16 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\base\bind_internal.h @ 324]
38 (Inline) -------- -------- -------- -------- chrome_child!base::Callback<void __cdecl(void),1>::Run+0x1c (Inline Function @ 67f57ab9) (CONV: thiscall) [i:\chromium\src\base\callback.h @ 388]
39 0093f1a0 67ef2079 6a178004 6a90914b 22afc8a8 chrome_child!base::debug::TaskAnnotator::RunTask+0x100 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\base\debug\task_annotator.cc @ 54]
3a 0093f2e8 67ef149b 0093f360 22afc8a8 22afc8b8 chrome_child!base::MessageLoop::RunTask+0x2fb (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\base\message_loop\message_loop.cc @ 489]
3b (Inline) -------- -------- -------- -------- chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x80e2148a (Inline Function @ 67ef149b) (CONV: thiscall) [i:\chromium\src\base\message_loop\message_loop.cc @ 497]
3c 0093f3a8 67f5a72a 00000000 24085108 6a109b1c chrome_child!base::MessageLoop::DoWork+0x25e (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\base\message_loop\message_loop.cc @ 621]
3d 0093f3dc 67ef1c3b 24085108 0093f420 67f42da2 chrome_child!base::MessagePumpDefault::Run+0x13d (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\base\message_loop\message_pump_default.cc @ 36]
3e 0093f3e8 67f42da2 6a48aa14 001234a9 00000000 chrome_child!base::MessageLoop::RunHandler+0x11 (FPO: [0,0,4]) (CONV: thiscall) [i:\chromium\src\base\message_loop\message_loop.cc @ 451]
3f 0093f40c 69645ae3 22df69d0 00000003 22df6b18 chrome_child!base::RunLoop::Run+0x65 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\base\run_loop.cc @ 36]
40 0093f4e4 67ec3dd3 0093f51c 22afc7d0 00000000 chrome_child!content::RendererMain+0x1e6 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\content\renderer\renderer_main.cc @ 198]
41 0093f4f8 67ec3d19 0093f530 0093f51c 0093f628 chrome_child!content::RunNamedProcessTypeMain+0x61 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\content\app\content_main_runner.cc @ 418]
42 0093f54c 67ec30d7 00000000 6ec64156 0093f658 chrome_child!content::ContentMainRunnerImpl::Run+0x91 (FPO: [Non-Fpo]) (CONV: thiscall) [i:\chromium\src\content\app\content_main_runner.cc @ 785]
43 0093f55c 671b0c01 0093f648 6ec64156 00ba4d58 chrome_child!content::ContentMain+0x23 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\content\app\content_main.cc @ 20]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\chrome\Chrome-bin\chrome.exe - 
44 0093f658 0111569d 01100000 0093f674 01100000 chrome_child!ChromeMain+0x98 (FPO: [Non-Fpo]) (CONV: cdecl) [i:\chromium\src\chrome\app\chrome_main.cc @ 88]
45 0093f6f4 01113ade 01100000 00000000 01355c8c chrome+0x1569d
46 0093f818 012b183f 01100000 00000000 00b91a08 chrome+0x13ade
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for KERNEL32.dll - 
47 0093f864 776b38f4 0067d000 776b38d0 bb03cc37 chrome!IsSandboxedProcess+0x15ef4a
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
48 0093f878 777e5de3 0067d000 88e63688 00000000 KERNEL32!BaseThreadInitThunk+0x24
49 0093f8c0 777e5dae ffffffff 7780b7b5 00000000 ntdll_77780000!RtlUnicodeStringToInteger+0x253
4a 0093f8d0 00000000 012b18b8 0067d000 00000000 ntdll_77780000!RtlUnicodeStringToInteger+0x21e
 
Attachment: poc.zip (9.1 KB)
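The pattern the report describes, as an added illustration that is not Blink code and not the reporter's PoC: a toy C++ model in which a member function calls a query that commits a pending selection, and the commit rebuilds the boxes and destroys the very object the method is running on. Every name here (Selection, Box, the scenario helpers) is a hypothetical stand-in for the real InlineTextBox / PendingSelection machinery. It shows the vulnerable shape beside two hardened shapes: committing earlier in the lifecycle so that no Box is on the stack when boxes are destroyed, and a weak-handle liveness check as defense in depth.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdio>
#include <memory>
#include <optional>
#include <utility>
#include <vector>

struct Box;

// Hypothetical stand-in for the layout tree plus PendingSelection. Owns every Box.
struct Selection {
  std::vector<std::shared_ptr<Box>> boxes;
  bool pending = false;            // a selection change is waiting to be committed
  int sel_start = 0, sel_end = 0;  // selected character range [sel_start, sel_end)
  int text_length = 10;            // characters the (single) box covers after relayout

  // Committing a pending selection may relayout and rebuild the box list,
  // destroying every existing Box. This is the step that frees 'this' in the report.
  void commit();

  // Vulnerable shape: a query that forces the commit as a side effect, so the Box
  // that called it may no longer exist when the call returns.
  std::pair<int, int> startEndCommitting() {
    commit();
    return {sel_start, sel_end};
  }

  // Hardened shape: a pure query. The lifecycle must commit before any Box
  // method runs, so no Box is on the stack while boxes are destroyed.
  std::pair<int, int> startEnd() const {
    assert(!pending && "commit the selection before querying layout");
    return {sel_start, sel_end};
  }
};

// Hypothetical stand-in for InlineTextBox: knows its owner and its text length.
struct Box : std::enable_shared_from_this<Box> {
  Selection* owner;
  int length;
  Box(Selection* o, int len) : owner(o), length(len) {}

  // Vulnerable: once startEndCommitting() returns, 'this' may have been freed, and
  // the read of 'length' is the use-after-free. Kept for contrast; never called here.
  int selectedCharsUnsafe() {
    auto [s, e] = owner->startEndCommitting();
    return std::min(e, length) - s;  // reads freed memory if commit() rebuilt boxes
  }

  // Defense in depth: hold a weak handle to ourselves across the call and refuse
  // to touch members unless we are still alive. Returns nullopt if we were destroyed.
  std::optional<int> selectedCharsSafe() {
    std::weak_ptr<Box> self = weak_from_this();
    auto [s, e] = owner->startEndCommitting();
    std::shared_ptr<Box> alive = self.lock();
    if (!alive) return std::nullopt;  // 'this' dangles now; do not dereference it
    return std::min(e, alive->length) - s;
  }

  // Preferred fix: only call the pure query; the caller guarantees commit already ran.
  int selectedChars() const {
    auto [s, e] = owner->startEnd();
    return std::min(e, length) - s;
  }
};

void Selection::commit() {
  if (!pending) return;
  pending = false;
  boxes.clear();                                              // every old Box dies here
  boxes.push_back(std::make_shared<Box>(this, text_length));  // relayout creates new ones
}

// Constructed scenario: one 10-character box, selection [2, 7), optionally pending.
static void setUp(Selection& sel, bool pending) {
  sel.sel_start = 2;
  sel.sel_end = 7;
  sel.pending = pending;
  sel.boxes.push_back(std::make_shared<Box>(&sel, sel.text_length));
}

// Runs the weak-handle variant through a raw pointer, as layout code would hold one.
std::optional<int> runWeakHandleScenario(bool pending) {
  Selection sel;
  setUp(sel, pending);
  Box* raw = sel.boxes[0].get();
  return raw->selectedCharsSafe();  // nullopt when the commit destroyed the box
}

// Runs the hardened lifecycle order: commit first, then query the (fresh) boxes.
int runLifecycleScenario() {
  Selection sel;
  setUp(sel, true);
  sel.commit();  // rebuilds boxes while no Box method is on the stack
  return sel.boxes[0]->selectedChars();
}

int main() {
  std::optional<int> r = runWeakHandleScenario(true);
  std::printf("weak handle, pending commit: %s\n",
              r ? "value returned" : "box destroyed, query aborted safely");
  std::printf("lifecycle order: %d selected chars\n", runLifecycleScenario());
  return 0;
}
```

The weak-handle check is a guard, not the fix: it turns a memory-safety bug into a wrong answer for that one query. The fix that removes the hazard is the ordering change, making sure the commit runs at a lifecycle point where no layout object is mid-method, which is why the pure `startEnd()` asserts that nothing is pending.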

Comment 1 by ClusterFuzz, Oct 11 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6259944326430720

Comment 2 by ClusterFuzz, Oct 11 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5418291126599680

Comment 3 by mmoroz@chromium.org, Oct 12 2016

Labels: Needs-Feedback
Thanks for your report. I cannot reproduce the crash. Could you please provide more detailed instructions on how you reproduce it?

Comment 4 by lvblue...@gmail.com, Oct 17 2016

I built the latest version 56.0.2889.0 and tested on it. It doesn't crash any more.

Labels: -Needs-Feedback
Mergedinto: 621360
Status: Duplicate (was: Unconfirmed)
Thanks for the report either way, it's better to be on the safe side. This looks like a duplicate of a report we received in June that's already been fixed.

Comment 6 by sheriffbot@chromium.org, Jan 26 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
