
Issue 674489 link


Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Regression crash in base::ObserverListThreadSafe<content::GpuDataManagerObserver

Reported by chromium...@gmail.com, Dec 15 2016

Issue description

Chrome Version:  57.0.2952.0 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Launch a new tab and open DevTools.
2. Open a new tab.
3. Close the first tab >> Crash.


chrome_7fee5170000!gpu::gles2::GLES2Interface::`vcall'{72}'+0x3:
000007fe`e53bd23b ff6048          jmp     qword ptr [rax+48h] ds:feeefeee`feeeff36=????????????????
0:019> k
Child-SP          RetAddr           Call Site
00000000`06ded138 000007fe`e5d3de29 chrome_7fee5170000!gpu::gles2::GLES2Interface::`vcall'{72}'+0x3
00000000`06ded140 000007fe`e62bb091 chrome_7fee5170000!base::ObserverListThreadSafe<content::GpuDataManagerObserver>::NotifyWrapper+0x37d [c:\b\build\slave\win64-pgo\build\src\base\observer_list_threadsafe.h @ 194]
00000000`06dedda0 000007fe`e626c15a chrome_7fee5170000!base::debug::TaskAnnotator::RunTask+0x281 [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 52]
00000000`06dedf40 000007fe`e626cd55 chrome_7fee5170000!base::MessageLoop::RunTask+0x43a [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 414]
00000000`06def280 000007fe`e62bbd77 chrome_7fee5170000!base::MessageLoop::DoWork+0x425 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 515]
00000000`06def410 000007fe`e62bb1b4 chrome_7fee5170000!base::MessagePumpForIO::DoRunLoop+0x147 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 475]
00000000`06def6a0 000007fe`e628f744 chrome_7fee5170000!base::MessagePumpWin::Run+0x54 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 58]
00000000`06def6f0 000007fe`e5c608c9 chrome_7fee5170000!base::RunLoop::Run+0xa4 [c:\b\build\slave\win64-pgo\build\src\base\run_loop.cc @ 38]
00000000`06def740 000007fe`e5c60992 chrome_7fee5170000!content::BrowserThreadImpl::IOThreadRun+0x25 [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_thread_impl.cc @ 253]
00000000`06def780 000007fe`e626ab09 chrome_7fee5170000!content::BrowserThreadImpl::Run+0x8e [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_thread_impl.cc @ 287]
00000000`06def7b0 000007fe`e623871d chrome_7fee5170000!base::Thread::ThreadMain+0x1f9 [c:\b\build\slave\win64-pgo\build\src\base\threading\thread.cc @ 331]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
00000000`06def890 00000000`7768f56d chrome_7fee5170000!base::`anonymous namespace'::ThreadFunc+0xed [c:\b\build\slave\win64-pgo\build\src\base\threading\platform_thread_win.cc @ 86]
00000000`06def900 00000000`778c3281 kernel32!BaseThreadInitThunk+0xd
00000000`06def930 00000000`00000000 ntdll!RtlUserThreadStart+0x21

 
Able to reproduce this issue under ASan-Windows build. This is a heap-use-after-free bug.
Attachment: ASan.txt (10.1 KB)
Cc: mbarbe...@chromium.org
Status: WontFix (was: Unconfirmed)
I've been unable to reproduce this on Windows or Linux. Marking as WontFix for now, but if you're able to provide any other information or can still reproduce it on the current trunk revision I can take another look. It may have just been a short-lived regression.
Project Member

Comment 3 by sheriffbot@chromium.org, Mar 28 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
