Issue 671787

Issue metadata

Status: Assigned
Owner:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

UaF in layout tests (around TestRunnerForSpecificView::web_view?)

Project Member Reported by rogerta@chromium.org, Dec 6 2016

Issue description

webkit_tests failing on chromium.webkit/WebKit Linux Trusty ASAN

Type: build-failure

Builders failed on: 
- WebKit Linux Trusty ASAN: 
  https://build.chromium.org/p/chromium.webkit/builders/WebKit%20Linux%20Trusty%20ASAN


Stack trace of crash:
11:50:32.082 2465   ==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170003c1a80 at pc 0x00000bf863b2 bp 0x7ffc1b5b50e0 sp 0x7ffc1b5b50d8
11:50:32.082 2465   READ of size 8 at 0x6170003c1a80 thread T0 (content_shell)
11:50:32.082 2465       #0 0xbf863b1 in Reset components/test_runner/test_runner_for_specific_view.cc:95:33
11:50:32.082 2465       #1 0xbeec362 in Reset components/test_runner/web_view_test_proxy.cc:45:22
11:50:32.082 2465       #2 0xbf40f47 in ResetTestHelperControllers components/test_runner/test_interfaces.cc:71:31
11:50:32.082 2465       #3 0xbf40f47 in ResetAll components/test_runner/test_interfaces.cc:75:0
11:50:32.082 2465       #4 0x42afa7f in OnReset content/shell/renderer/layout_test/blink_test_runner.cc:999:69
11:50:32.082 2465       #5 0x42af6c4 in DispatchToMethodImpl<content::BlinkTestRunner *, void (content::BlinkTestRunner::*)(), const std::__1::tuple<> &> base/tuple.h:143:3
11:50:32.082 2465       #6 0x42af6c4 in DispatchToMethod<content::BlinkTestRunner *, void (content::BlinkTestRunner::*)(), const std::__1::tuple<> &> base/tuple.h:150:0
11:50:32.082 2465       #7 0x42af6c4 in DispatchToMethod<content::BlinkTestRunner, void (content::BlinkTestRunner::*)(), void, std::__1::tuple<> > ipc/ipc_message_templates.h:26:0
11:50:32.082 2465       #8 0x42af6c4 in Dispatch<content::BlinkTestRunner, content::BlinkTestRunner, void, void (content::BlinkTestRunner::*)()> ipc/ipc_message_templates.h:121:0
11:50:32.082 2465       #9 0x42ae8d3 in OnMessageReceived content/shell/renderer/layout_test/blink_test_runner.cc:792:5
11:50:32.082 2465       #10 0x727a8f4 in OnMessageReceived content/renderer/render_view_impl.cc:1195:18
11:50:32.082 2465       #11 0x70963f6 in OnMessageReceived content/child/child_thread_impl.cc:755:18
11:50:32.082 2465       #12 0x48df3fa in OnDispatchMessage ipc/ipc_channel_proxy.cc:340:14
11:50:32.082 2465       #13 0x44b91af in Run base/callback.h:68:12
11:50:32.082 2465       #14 0x44b91af in RunTask base/debug/task_annotator.cc:52:0
11:50:32.082 2465       #15 0x7a8961d in ProcessTaskFromWorkQueue third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:349:19
11:50:32.082 2465       #16 0x7a84f87 in DoWork third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:242:13
11:50:32.082 2465       #17 0x44b91af in Run base/callback.h:68:12
11:50:32.082 2465       #18 0x44b91af in RunTask base/debug/task_annotator.cc:52:0
11:50:32.082 2465       #19 0x4378508 in RunTask base/message_loop/message_loop.cc:413:19
11:50:32.082 2465       #20 0x4379135 in DeferOrRunPendingTask base/message_loop/message_loop.cc:422:5
11:50:32.082 2465       #21 0x437a22e in DoWork base/message_loop/message_loop.cc:515:13
11:50:32.082 2465       #22 0x438217e in Run base/message_loop/message_pump_default.cc:33:31
11:50:32.082 2465       #23 0x43779e0 in RunHandler base/message_loop/message_loop.cc:378:10
11:50:32.082 2465       #24 0x43d6035 in Run base/run_loop.cc:35:10
11:50:32.083 2465       #25 0x72e509f in RendererMain content/renderer/renderer_main.cc:200:23
11:50:32.083 2465       #26 0x3149047 in RunZygote content/app/content_main_runner.cc:344:14
11:50:32.083 2465       #27 0x314bc99 in Run content/app/content_main_runner.cc:786:12
11:50:32.083 2465       #28 0x3136dda in ContentMain content/app/content_main.cc:20:28
11:50:32.083 2465       #29 0x51779d in main content/shell/app/shell_main.cc:48:10
11:50:32.083 2465       #30 0x7fc0d06c8f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
11:50:32.083 2465
11:50:32.083 2465   0x6170003c1a80 is located 0 bytes inside of 736-byte region [0x6170003c1a80,0x6170003c1d60)
11:50:32.083 2465   freed by thread T0 (content_shell) here:
11:50:32.083 2465       #0 0x4ea5eb in __interceptor_free ??:?
11:50:32.083 2465       #1 0x7ce49e9 in deref third_party/WebKit/Source/wtf/RefCounted.h:151:7
11:50:32.083 2465       #2 0x7ce49e9 in close third_party/WebKit/Source/web/WebViewImpl.cpp:1754:0
11:50:32.083 2465       #3 0x72c214a in Close content/renderer/render_widget.cc:1431:26
11:50:32.083 2465       #4 0x7297c42 in Close content/renderer/render_view_impl.cc:2370:17
11:50:32.083 2465       #5 0x44b91af in Run base/callback.h:68:12
11:50:32.083 2465       #6 0x44b91af in RunTask base/debug/task_annotator.cc:52:0
11:50:32.083 2465       #7 0x7a8961d in ProcessTaskFromWorkQueue third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:349:19
11:50:32.083 2465       #8 0x7a84f87 in DoWork third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:242:13
11:50:32.083 2465       #9 0x44b91af in Run base/callback.h:68:12
11:50:32.083 2465       #10 0x44b91af in RunTask base/debug/task_annotator.cc:52:0
11:50:32.083 2465       #11 0x4378508 in RunTask base/message_loop/message_loop.cc:413:19
11:50:32.083 2465       #12 0x4379135 in DeferOrRunPendingTask base/message_loop/message_loop.cc:422:5
11:50:32.083 2465       #13 0x437a22e in DoWork base/message_loop/message_loop.cc:515:13
11:50:32.083 2465       #14 0x438217e in Run base/message_loop/message_pump_default.cc:33:31
11:50:32.083 2465       #15 0x43779e0 in RunHandler base/message_loop/message_loop.cc:378:10
11:50:32.083 2465       #16 0x43d6035 in Run base/run_loop.cc:35:10
11:50:32.083 2465       #17 0x72e509f in RendererMain content/renderer/renderer_main.cc:200:23
11:50:32.083 2465       #18 0x3149047 in RunZygote content/app/content_main_runner.cc:344:14
11:50:32.083 2465       #19 0x314bc99 in Run content/app/content_main_runner.cc:786:12
11:50:32.083 2465       #20 0x3136dda in ContentMain content/app/content_main.cc:20:28
11:50:32.083 2465       #21 0x51779d in main content/shell/app/shell_main.cc:48:10
11:50:32.083 2465       #22 0x7fc0d06c8f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
11:50:32.084 2465
11:50:32.084 2465   previously allocated by thread T0 (content_shell) here:
11:50:32.084 2465       #0 0x4ea93c in __interceptor_malloc ??:?
11:50:32.084 2465       #1 0x7ccae5d in partitionAllocGenericFlags third_party/WebKit/Source/wtf/allocator/PartitionAlloc.h:821:18
11:50:32.084 2465       #2 0x7ccae5d in partitionAllocGeneric third_party/WebKit/Source/wtf/allocator/PartitionAlloc.h:842:0
11:50:32.084 2465       #3 0x7ccae5d in fastMalloc third_party/WebKit/Source/wtf/allocator/Partitions.h:105:0
11:50:32.084 2465       #4 0x7ccae5d in operator new third_party/WebKit/Source/wtf/RefCounted.h:146:0
11:50:32.084 2465       #5 0x7ccae5d in create third_party/WebKit/Source/web/WebViewImpl.cpp:288:0
11:50:32.084 2465       #6 0x726f615 in Initialize content/renderer/render_view_impl.cc:587:7
11:50:32.084 2465       #7 0x728c072 in Create content/renderer/render_view_impl.cc:1093:16
11:50:32.085 2465       #8 0x728c072 in createView content/renderer/render_view_impl.cc:1518:0
11:50:32.085 2465       #9 0x7d076dd in createWindow third_party/WebKit/Source/web/ChromeClientImpl.cpp:378:61
11:50:32.085 2465       #10 0x9f86871 in createNewWindow third_party/WebKit/Source/core/page/CreateWindow.cpp:81:40
11:50:32.085 2465       #11 0x9f86871 in createWindowHelper third_party/WebKit/Source/core/page/CreateWindow.cpp:175:0
11:50:32.085 2465       #12 0x9f85c40 in createWindow third_party/WebKit/Source/core/page/CreateWindow.cpp:228:7
11:50:32.085 2465       #13 0x9198660 in open third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp:1539:26
11:50:32.085 2465       #14 0xd3b035a in openMethodCustom third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp:259:53
11:50:32.085 2465       #15 0x103eca2 in Call v8/src/api-arguments.cc:19:3
11:50:32.085 2465       #16 0x11c8aeb in HandleApiCallHelper<false> v8/src/builtins/builtins-api.cc:106:36
11:50:32.085 2465       #17 0x11c62ee in Builtin_Impl_HandleApiCall v8/src/builtins/builtins-api.cc:135:5
11:50:32.085 2465       #12 0x7fc09e484426  (<unknown module>)
11:50:32.085 2465       #13 0x7fc09e5bcfb7  (<unknown module>)
11:50:32.085 2465       #14 0x7fc09e528079  (<unknown module>)
11:50:32.085 2465       #15 0x7fc09e5172bc  (<unknown module>)
11:50:32.085 2465       #16 0x7fc09e516862  (<unknown module>)
11:50:32.085 2465       #17 0x7fc09e4b65e0  (<unknown module>)
11:50:32.085 2465       #18 0x1b2ca3f in Invoke v8/src/execution.cc:139:13
11:50:32.085 2465       #19 0x1b2c252 in Call v8/src/execution.cc:176:10
11:50:32.085 2465       #20 0x108b440 in Call v8/src/api.cc:4996:7
11:50:32.085 2465       #21 0x7e72116 in callFunction third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:638:17
11:50:32.085 2465       #22 0xd3d2dde in callListenerFunction third_party/WebKit/Source/bindings/core/v8/V8LazyEventListener.cpp:109:8
11:50:32.085 2465       #23 0x7ed8010 in invokeEventHandler third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:142:19
11:50:32.085 2465       #24 0x7ed7bb7 in handleEvent third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:101:3
11:50:32.085 2465       #25 0x7ed7896 in handleEvent third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:89:3
11:50:32.085 2465       #26 0x901d965 in fireEventListeners third_party/WebKit/Source/core/events/EventTarget.cpp:691:15
11:50:32.085 2465       #27 0x901bda4 in fireEventListeners third_party/WebKit/Source/core/events/EventTarget.cpp:554:27
11:50:32.085 2465       #28 0x8c73908 in handleLocalEvents third_party/WebKit/Source/core/dom/Node.cpp:2058:3
11:50:32.086 2465       #29 0x9030ab4 in handleLocalEvents third_party/WebKit/Source/core/events/NodeEventContext.cpp:60:11

A second crash in the same log:

12:06:24.189 2465   ==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000008ffe381 bp 0x7ffc7b4a7110 sp 0x7ffc7b4a7040 T0)
12:06:24.189 2465   ==1==The signal is caused by a READ memory access.
12:06:24.189 2465   ==1==Hint: address points to the zero page.
12:06:24.189 2465       #0 0x8ffe380 in dispatchEventPostProcess third_party/WebKit/Source/core/events/EventDispatcher.cpp:273:47
12:06:24.189 2465       #1 0x8ffc14f in dispatch third_party/WebKit/Source/core/events/EventDispatcher.cpp:159:3
12:06:24.189 2465       #2 0x902c8e8 in dispatchEvent third_party/WebKit/Source/core/events/MouseEvent.cpp:331:23
12:06:24.189 2465       #3 0x8ffaa18 in dispatchEvent third_party/WebKit/Source/core/events/EventDispatcher.cpp:59:20
12:06:24.189 2465       #4 0x901b7ac in dispatchEventForBindings third_party/WebKit/Source/core/events/EventTarget.cpp:446:10
12:06:24.189 2465       #5 0x7ff6620 in dispatchEventMethod ./out/Release/gen/blink/bindings/core/v8/V8EventTarget.cpp:196:23
12:06:24.189 2465       #6 0x7ff6620 in dispatchEventMethodCallback ./out/Release/gen/blink/bindings/core/v8/V8EventTarget.cpp:204:0
12:06:24.190 2465       #7 0x103eca2 in Call v8/src/api-arguments.cc:19:3
12:06:24.190 2465       #8 0x11c8aeb in HandleApiCallHelper<false> v8/src/builtins/builtins-api.cc:106:36
12:06:24.190 2465       #9 0x11c62ee in Builtin_Impl_HandleApiCall v8/src/builtins/builtins-api.cc:135:5
12:06:24.190 2465       #9 0x7f3017884426  (<unknown module>)
12:06:24.190 2465       #10 0x7f30179b9965  (<unknown module>)
12:06:24.190 2465       #11 0x7f30179286f9  (<unknown module>)
12:06:24.190 2465       #12 0x7f30179172bc  (<unknown module>)
12:06:24.190 2465       #13 0x7f3017885e54  (<unknown module>)
12:06:24.190 2465       #14 0x7f30179b5fc1  (<unknown module>)
12:06:24.190 2465       #15 0x7f3017885e54  (<unknown module>)
12:06:24.190 2465       #16 0x7f30179b5abc  (<unknown module>)
12:06:24.190 2465       #17 0x7f3017916862  (<unknown module>)
12:06:24.190 2465       #18 0x7f30178b65e0  (<unknown module>)
12:06:24.190 2465       #10 0x1b2ca3f in Invoke v8/src/execution.cc:139:13
12:06:24.190 2465       #11 0x1b2c252 in Call v8/src/execution.cc:176:10
12:06:24.190 2465       #12 0x1058fe1 in Run v8/src/api.cc:1957:7
12:06:24.190 2465       #13 0x7e701be in runCompiledScript third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:524:22
12:06:24.190 2465       #14 0x7df8187 in executeScriptAndReturnValue third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:145:17
12:06:24.190 2465       #15 0x7dfd7f8 in evaluateScriptInMainWorld third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:418:33
12:06:24.190 2465       #16 0x7dfdcc0 in executeScriptInMainWorld third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:391:3
12:06:24.190 2465       #17 0xdc088de in doExecuteScript third_party/WebKit/Source/core/dom/ScriptLoader.cpp:548:19
12:06:24.190 2465       #18 0xdc00eec in executeScript third_party/WebKit/Source/core/dom/ScriptLoader.cpp:433:17
12:06:24.190 2465       #19 0xdc00eec in prepareScript third_party/WebKit/Source/core/dom/ScriptLoader.cpp:319:0
12:06:24.190 2465       #20 0x958d622 in runScript third_party/WebKit/Source/core/html/parser/HTMLScriptRunner.cpp:498:19
12:06:24.190 2465       #21 0x958ca82 in execute third_party/WebKit/Source/core/html/parser/HTMLScriptRunner.cpp:347:3
12:06:24.190 2465       #22 0x9551211 in runScriptsForPausedTreeBuilder third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:285:21
12:06:24.190 2465       #23 0x9551211 in processTokenizedChunkFromBackgroundParser third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:555:0
12:06:24.190 2465       #24 0x954adfc in pumpPendingSpeculations third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:616:9
12:06:24.190 2465       #25 0x955a6e9 in resumeParsingAfterScriptExecution third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:1066:7
12:06:24.190 2465       #26 0x90884c8 in checkNotify third_party/WebKit/Source/core/fetch/Resource.cpp:364:8
12:06:24.190 2465       #27 0x90a928d in didFinishLoading third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp:1173:15
12:06:24.191 2465       #28 0xd0a29c4 in OnCompletedRequest content/child/web_url_loader_impl.cc:864:16
12:06:24.191 2465       #29 0x70dfba1 in OnRequestComplete content/child/resource_dispatcher.cc:465:9
12:06:24.191 2465       #30 0x70e4ded in DispatchToMethodImpl<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &), const std::__1::tuple<int, content::ResourceRequestCompletionStatus> &, 0, 1> base/tuple.h:143:3
12:06:24.191 2465       #31 0x70e4ded in DispatchToMethod<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &), const std::__1::tuple<int, content::ResourceRequestCompletionStatus> &> base/tuple.h:150:0
12:06:24.191 2465       #32 0x70e4ded in DispatchToMethod<content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &), void, std::__1::tuple<int, content::ResourceRequestCompletionStatus> > ipc/ipc_message_templates.h:26:0
12:06:24.191 2465       #33 0x70e4ded in Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &)> ipc/ipc_message_templates.h:121:0
12:06:24.191 2465       #34 0x70da73d in DispatchMessage content/child/resource_dispatcher.cc:601:5
12:06:24.191 2465       #35 0x70d9029 in OnMessageReceived content/child/resource_dispatcher.cc:210:3
12:06:24.191 2465       #36 0x70e91ba in DispatchMessage content/child/resource_scheduling_filter.cc:74:27
12:06:24.191 2465       #37 0x44b91af in Run base/callback.h:68:12
12:06:24.191 2465       #38 0x44b91af in RunTask base/debug/task_annotator.cc:52:0
12:06:24.191 2465       #39 0x7a8961d in ProcessTaskFromWorkQueue third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:349:19
12:06:24.191 2465       #40 0x7a84f87 in DoWork third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:242:13
12:06:24.191 2465       #41 0x44b91af in Run base/callback.h:68:12
12:06:24.191 2465       #42 0x44b91af in RunTask base/debug/task_annotator.cc:52:0
12:06:24.191 2465       #43 0x4378508 in RunTask base/message_loop/message_loop.cc:413:19
12:06:24.191 2465       #44 0x4379135 in DeferOrRunPendingTask base/message_loop/message_loop.cc:422:5
12:06:24.191 2465       #45 0x437a22e in DoWork base/message_loop/message_loop.cc:515:13
12:06:24.191 2465       #46 0x438217e in Run base/message_loop/message_pump_default.cc:33:31
12:06:24.191 2465       #47 0x43779e0 in RunHandler base/message_loop/message_loop.cc:378:10
12:06:24.191 2465       #48 0x43d6035 in Run base/run_loop.cc:35:10
12:06:24.191 2465       #49 0x72e509f in RendererMain content/renderer/renderer_main.cc:200:23
12:06:24.191 2465       #50 0x3149047 in RunZygote content/app/content_main_runner.cc:344:14
12:06:24.191 2465       #51 0x314bc99 in Run content/app/content_main_runner.cc:786:12
12:06:24.191 2465       #52 0x3136dda in ContentMain content/app/content_main.cc:20:28
12:06:24.191 2465       #53 0x51779d in main content/shell/app/shell_main.cc:48:10
12:06:24.191 2465       #54 0x7f3049adaf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
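
Triaging a heap-use-after-free report like the first one above means pairing its three stacks: the faulting access (TestRunnerForSpecificView::Reset), the free (WebViewImpl::close reached from RenderViewImpl::Close) and the original allocation (WebViewImpl::create), while ignoring allocator and refcount plumbing frames. The Python helper below is an added example, not code from this issue or from Chromium; the REPORT string is a constructed excerpt of the report quoted above, and the regexes and NOISE filter are my own assumptions about the ASAN log layout.

```python
import re
# Constructed excerpt of the ASAN report quoted in this issue (log prefixes kept).
REPORT = """\
11:50:32.082 2465   ==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170003c1a80 at pc 0x00000bf863b2 bp 0x7ffc1b5b50e0 sp 0x7ffc1b5b50d8
11:50:32.082 2465   READ of size 8 at 0x6170003c1a80 thread T0 (content_shell)
11:50:32.082 2465       #0 0xbf863b1 in Reset components/test_runner/test_runner_for_specific_view.cc:95:33
11:50:32.083 2465   0x6170003c1a80 is located 0 bytes inside of 736-byte region [0x6170003c1a80,0x6170003c1d60)
11:50:32.083 2465   freed by thread T0 (content_shell) here:
11:50:32.083 2465       #0 0x4ea5eb in __interceptor_free ??:?
11:50:32.083 2465       #1 0x7ce49e9 in deref third_party/WebKit/Source/wtf/RefCounted.h:151:7
11:50:32.083 2465       #2 0x7ce49e9 in close third_party/WebKit/Source/web/WebViewImpl.cpp:1754:0
11:50:32.083 2465       #3 0x72c214a in Close content/renderer/render_widget.cc:1431:26
11:50:32.084 2465   previously allocated by thread T0 (content_shell) here:
11:50:32.084 2465       #0 0x4ea93c in __interceptor_malloc ??:?
11:50:32.084 2465       #1 0x7ccae5d in partitionAllocGenericFlags third_party/WebKit/Source/wtf/allocator/PartitionAlloc.h:821:18
11:50:32.084 2465       #5 0x7ccae5d in create third_party/WebKit/Source/web/WebViewImpl.cpp:288:0
"""
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)\s*$")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
# Frames that only show how the memory moved, not which object it belonged to (assumed list).
NOISE = ("__interceptor_", "wtf/RefCounted.h", "wtf/allocator/")

def parse_asan_uaf(text):
    info = {"stacks": {"use": [], "free": [], "alloc": []}}
    section = "use"  # frames before "freed by" describe the faulting access
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            info["bug"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.search(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
        elif "freed by thread" in line:
            section = "free"
        elif "previously allocated by thread" in line:
            section = "alloc"
        elif m := FRAME_RE.search(line):  # unsymbolized "<unknown module>" JIT frames do not match
            info["stacks"][section].append((m.group(1), m.group(2)))
    return info

def first_project_frame(frames):
    # Skip allocator/refcount plumbing so the code that owned the object surfaces.
    for func, loc in frames:
        if not any(n in func or n in loc for n in NOISE):
            return f"{func} ({loc})"
    return "<none>"

def triage(text):
    info = parse_asan_uaf(text)
    return {"bug": info["bug"], "access": f"{info['access']} of {info['size']} bytes",
            "used_at": first_project_frame(info["stacks"]["use"]),
            "freed_at": first_project_frame(info["stacks"]["free"]),
            "allocated_at": first_project_frame(info["stacks"]["alloc"]),
            "offset_in_region": f"{info['offset']}/{info['region_size']}"}
```

An offset of 0 into the region means the read hit the object header itself, which is consistent with dereferencing a stale pointer to the freed WebViewImpl rather than an out-of-bounds slip.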

Comment 3 by yosin@chromium.org, Dec 7 2016

Owner: lukasza@chromium.org
Status: Assigned (was: Available)
Regarding #c1, Use-After-Free is detected in components/test_runner/test_runner_for_specific_view.cc

lukasza@, could you take a look, since you are doing some refactoring [1]?

[1] http://crrev.com/1931833003 Moving TestRunnerForSpecificView into a separate compilation unit

Comment 4 by treib@chromium.org, Dec 8 2016

Labels: OS-Linux Pri-1 Type-Bug
Labels: -Sheriff-Chromium
Summary: UaF in layout tests (around TestRunnerForSpecificView::web_view?) (was: webkit_tests failing on chromium.webkit/WebKit Linux Trusty ASAN)
