Version: tip
OS: Linux x86-64
What steps will reproduce the problem?
(1) Build extensions_browsertests with UBSan Vptr:
$ gn gen out/ubsan '--args=is_debug=false is_ubsan_no_recover=true is_ubsan_vptr=true symbol_level=2 dcheck_always_on=true' --check
$ ninja -C out/ubsan extensions_browsertests
(2) Run the test until a segfault is happened:
./out/ubsan/extensions_browsertests --gtest_filter=AppViewTests/AppViewTest.TestAppViewGoodDataShouldSucceed/0 --no-sandbox --single_process
Stack trace:
#0 0x0000000002b58ae5 in OnErrorOccurred () at ../../extensions/browser/api/web_request/web_request_api.cc:971
#1 0x0000000002ddf4c5 in OnCompleted () at ../../extensions/shell/browser/shell_network_delegate.cc:95
#2 0x0000000003e64a51 in NotifyCompleted () at ../../net/base/network_delegate.cc:123
#3 0x00000000041db981 in DoCancel () at ../../net/url_request/url_request.cc:732
#4 0x00000000041d306c in net::URLRequest::Cancel() () at ../../net/url_request/url_request.cc:688
#5 0x00000000041d324a in ~URLRequest () at ../../net/url_request/url_request.cc:177
#6 0x00000000041d3ee0 in net::URLRequest::~URLRequest() () at ../../net/url_request/url_request.cc:176
#7 0x0000000000ec14f6 in operator() () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63
#8 reset () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
#9 ~unique_ptr () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169
#10 ~ResourceLoader () at ../../content/browser/loader/resource_loader.cc:158
#11 0x0000000000ec17e0 in content::ResourceLoader::~ResourceLoader() () at ../../content/browser/loader/resource_loader.cc:150
#12 0x0000000000ebba5a in operator() () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63
#13 reset () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
#14 ~unique_ptr () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169
#15 ~pair () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_pair.h:87
#16 ~_Rb_tree_node () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:130
#17 destroy () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/ext/new_allocator.h:118
#18 _M_destroy_node () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:419
#19 _M_erase_aux () at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:1490
#20 0x0000000000eb4594 in CancelRequestsForRoute () at ../../content/browser/loader/resource_dispatcher_host_impl.cc:1956
#21 0x0000000000eb3c66 in CancelRequestsForProcess () at ../../content/browser/loader/resource_dispatcher_host_impl.cc:1904
#22 0x00000000006c9b07 in OnChannelClosing () at ../../content/public/browser/browser_message_filter.cc:48
#23 0x00000000030f0f89 in OnChannelClosed () at ../../ipc/ipc_channel_proxy.cc:219
#24 0x00000000030f74bb in Invoke<scoped_refptr<IPC::ChannelProxy::Context> const&> () at ../../base/bind_internal.h:214
#25 0x00000000030813db in Run () at ../../base/callback.h:47
#26 RunTask () at ../../base/debug/task_annotator.cc:52
#27 0x0000000002fb032c in RunTask () at ../../base/message_loop/message_loop.cc:413
#28 0x0000000002fb0959 in DeferOrRunPendingTask () at ../../base/message_loop/message_loop.cc:422
#29 0x0000000002fb13a3 in DoWork () at ../../base/message_loop/message_loop.cc:515
#30 0x0000000002fb9d26 in Run () at ../../base/message_loop/message_pump_libevent.cc:218
#31 0x0000000002fafa89 in RunHandler () at ../../base/message_loop/message_loop.cc:378
#32 0x0000000002ff7dd9 in base::RunLoop::Run() () at ../../base/run_loop.cc:35
#33 0x0000000003028749 in Run () at ../../base/threading/thread.cc:245
#34 0x0000000000a72379 in IOThreadRun () at ../../content/browser/browser_thread_impl.cc:253
#35 0x0000000000a72801 in Run () at ../../content/browser/browser_thread_impl.cc:288
#36 0x0000000003029323 in ThreadMain () at ../../base/threading/thread.cc:333
#37 0x000000000301c0dd in ThreadFunc () at ../../base/threading/platform_thread_posix.cc:71
#38 0x00007ffff169c184 in start_thread (arg=0x7fffe7160700) at pthread_create.c:312
#39 0x00007ffff0c7637d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
This is due to ExtensionsBrowserClient::Get() returning NULL sometimes (most likely, a race condition).
Comment 1 by bugdroid1@chromium.org
, Nov 9 2016