Issue 684699

Issue metadata

Status: Fixed
Closed: Apr 2017

Memory corruption in SitePerProcessBrowserTest.NavigateAboutBlankAndDetach with PlzNavigate

Project Member Reported by manisca...@chromium.org, Jan 24 2017

Issue description

browser_side_navigation_content_browsertests failing on chromium.linux/Linux Tests (dbg)(1)

Type: build-failure

Builders failed on: 
- Linux Tests (dbg)(1): 
  https://build.chromium.org/p/chromium.linux/builders/Linux%20Tests%20%28dbg%29%281%29


[27930:27930:0124/111701.442732:6839404665:WARNING:render_frame_host_impl.cc(2155)] OnDidStopLoading was called twice.
Found a corrupted memory buffer in MallocBlock (may be offset from user ptr): buffer index: 1, buffer ptr: 0x39c932b1e400, size of buffer: 952
Buffer byte 914 is 0x00 (should be 0xcd).
Deleted by thread 0x7f3d8f726980
*** WARNING: Cannot convert addresses to symbols in output below.
*** Reason: Cannot find 'pprof' (is PPROF_PATH set correctly?)
*** If you cannot fix this, try running pprof directly.
    @ 0x7f3da5905e83 
    @ 0x7f3da58ac399 
    @ 0x7f3da55ed086 
    @ 0x7f3da58abc97 
    @ 0x7f3da8420e02 
    @ 0x7f3da8434398 
    @ 0x7f3da0014dbc 
    @ 0x7f3d9dbb7548 
    @ 0x7f3d9dc3bca8 
    @ 0x7f3d9dd2c753 
    @ 0x7f3d9d6f491f 
    @ 0x7f3d9d6f4457 
    @ 0x7f3d9d70e5e5 
    @ 0x7f3d9d70e2f5 
    @ 0x7f3d9d882c8a 
    @ 0x7f3d9eaa049e 
Memory was written to after being freed.  MallocBlock: 0x39c932b1e000, user ptr: 0x39c932b1e020, size: 1976.  If you can't find the source of the error, try using ASan (http://code.google.com/p/address-sanitizer/), Valgrind, or Purify, or study the output of the deleter's stack printed above.
Received signal 11 SEGV_MAPERR 000000000039
#0 0x7f3da55e636e base::debug::StackTrace::StackTrace()
#1 0x7f3da55e5eaf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f3dad51dcb0 <unknown>
#3 0x7f3da58ac458 tcmalloc::Abort()
#4 0x7f3da58b446a LogPrintf()
#5 0x7f3da58b42eb RAW_VLOG()
#6 0x7f3da58dcd0e MallocBlock::CheckForCorruptedBuffer()
#7 0x7f3da58dc9fb MallocBlock::CheckForDanglingWrites()
#8 0x7f3da58da86b MallocBlock::ProcessFreeQueue()
#9 0x7f3da58de774 MallocBlock::Deallocate()
#10 0x7f3da58d7095 DebugDeallocate()
#11 0x7f3da5905e83 tc_free
#12 0x7f3da58ac399 (anonymous namespace)::TCFree()
#13 0x7f3da55ed086 base::debug::(anonymous namespace)::FreeFn()
#14 0x7f3da58abc97 ShimCppDelete
#15 0x7f3dac231184 std::default_delete<>::operator()()
#16 0x7f3dac22fc5c std::unique_ptr<>::reset()
#17 0x7f3dac22fb59 std::unique_ptr<>::~unique_ptr()
#18 0x7f3dac22e30f mojo::Message::~Message()
#19 0x7f3dac233a15 mojo::internal::MessageBuilder::~MessageBuilder()
#20 0x7f3da428ca4d IPC::mojom::ChannelProxy::Receive()
#21 0x7f3da4243f5c IPC::internal::MessagePipeReader::Send()
#22 0x7f3da421ffe1 IPC::ChannelMojo::Send()
#23 0x7f3da422b97e IPC::ChannelProxy::Context::OnSendMessage()
#24 0x7f3da4236bec _ZN4base8internal13FunctorTraitsIMN3IPC12ChannelProxy7ContextEFvSt10unique_ptrINS2_7MessageESt14default_deleteIS6_EEEvE6InvokeIRK13scoped_refptrIS4_EJS9_EEEvSB_OT_DpOT0_
#25 0x7f3da4236ab6 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3IPC12ChannelProxy7ContextEFvSt10unique_ptrINS4_7MessageESt14default_deleteIS8_EEEJRK13scoped_refptrIS6_ESB_EEEvOT_DpOT0_
#26 0x7f3da4236a38 _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvSt10unique_ptrINS3_7MessageESt14default_deleteIS7_EEEJ13scoped_refptrIS5_ENS0_13PassedWrapperISA_EEEEEFvvEE7RunImplIRKSC_RKSt5tupleIJSE_SG_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#27 0x7f3da423694c _ZN4base8internal7InvokerINS0_9BindStateIMN3IPC12ChannelProxy7ContextEFvSt10unique_ptrINS3_7MessageESt14default_deleteIS7_EEEJ13scoped_refptrIS5_ENS0_13PassedWrapperISA_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#28 0x7f3da55ec191 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#29 0x7f3da55ebb82 base::debug::TaskAnnotator::RunTask()
#30 0x7f3da567d3ba base::MessageLoop::RunTask()
#31 0x7f3da567d644 base::MessageLoop::DeferOrRunPendingTask()
#32 0x7f3da567d92e base::MessageLoop::DoWork()
#33 0x7f3da5697fee base::MessagePumpLibevent::Run()
#34 0x7f3da567cf3a base::MessageLoop::RunHandler()
#35 0x7f3da572ad12 base::RunLoop::Run()
#36 0x7f3da57d4348 base::Thread::Run()
#37 0x7f3da57d4c8a base::Thread::ThreadMain()
#38 0x7f3da57bac0a base::(anonymous namespace)::ThreadFunc()
#39 0x7f3dad515e9a start_thread
#40 0x7f3d9906f36d clone
  r8: 00007f3d8cba5680  r9: 0000000000000000 r10: 2e65766f62612064 r11: 0000000000000202
 r12: 00007fff96c781d0 r13: 00007f3d8cba99c0 r14: 0000000000000000 r15: 0000000000000003
  di: 0000000000000002  si: 00007f3d8cba5680  bp: 00007f3d8cba5620  bx: 0000000000000000
  dx: 0000000000000126  ax: 0000000000000000  cx: 0000000000000000  sp: 00007f3d8cba5620
  ip: 00007f3da58ac458 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000006
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000039
[end of stack trace]
[27930:27930:0124/111701.701928:6839663862:ERROR:browser_test_utils.cc(148)] Cannot communicate with DOMMessageQueue.
../../content/browser/site_per_process_browsertest.cc:6349: Failure
Value of: ExecuteScriptAndExtractInt( root, "domAutomationController.send(frames.length)", &child_count)
  Actual: false
Expected: true

 
Summary: Memory corruption in SitePerProcessBrowserTest.NavigateAboutBlankAndDetach (was: browser_side_navigation_content_browsertests failing on chromium.linux/Linux Tests (dbg)(1))
Repros on workstation with:

./content_browsertests --enable-browser-side-navigation --gtest_filter='SitePerProcessBrowserTest.NavigateAboutBlankAndDetach'


And with ASan:

$ ./content_browsertests --enable-browser-side-navigation --gtest_filter='SitePerProcessBrowserTest.NavigateAboutBlankAndDetach' 2>&1 | ../../tools/valgrind/asan/asan_symbolize.py
IMPORTANT DEBUGGING NOTE: each test is run inside its own process.
For debugging a test inside a debugger, use the
--gtest_filter=<your_test_name> flag along with either
--single_process (to run the test in one launcher/browser process) or
--single-process (to do the above, and also run Chrome in single-process mode).
Using sharding settings from environment. This is shard 0/1
Using 1 parallel jobs.
Note: Google Test filter = SitePerProcessBrowserTest.NavigateAboutBlankAndDetach
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from SitePerProcessBrowserTest, where TypeParam =
[ RUN      ] SitePerProcessBrowserTest.NavigateAboutBlankAndDetach
[17583:17583:0124/131247.724578:98235741069:WARNING:render_frame_host_impl.cc(2155)] OnDidStopLoading was called twice.
=================================================================
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00000b502 at pc 0x00000c9384bd bp 0x7ffdfdc9e5d0 sp 0x7ffdfdc9e5c8
WRITE of size 1 at 0x61b00000b502 thread T0 (content_browser)
    #0 0xc9384bc in OnCommitNavigation ./out/asan/../../content/renderer/render_frame_impl.cc:5195:36
    #1 0xc937d27 in DispatchToMethodImpl<content::RenderFrameImpl *, void (content::RenderFrameImpl::*)(const content::ResourceResponseHead &, const GURL &, const content::CommonNavigationParams &, const content::RequestNavigationParams &), const std::__1::tuple<content::ResourceResponseHead, GURL, content::CommonNavigationParams, content::RequestNavigationParams> &, 0, 1, 2, 3> ./out/asan/../../base/tuple.h:91:3
    #2 0xc937d27 in DispatchToMethod<content::RenderFrameImpl *, void (content::RenderFrameImpl::*)(const content::ResourceResponseHead &, const GURL &, const content::CommonNavigationParams &, const content::RequestNavigationParams &), const std::__1::tuple<content::ResourceResponseHead, GURL, content::CommonNavigationParams, content::RequestNavigationParams> &> ./out/asan/../../base/tuple.h:98:0
    #3 0xc937d27 in DispatchToMethod<content::RenderFrameImpl, void (content::RenderFrameImpl::*)(const content::ResourceResponseHead &, const GURL &, const content::CommonNavigationParams &, const content::RequestNavigationParams &), void, std::__1::tuple<content::ResourceResponseHead, GURL, content::CommonNavigationParams, content::RequestNavigationParams> > ./out/asan/../../ipc/ipc_message_templates.h:26:0
    #4 0xc937d27 in Dispatch<content::RenderFrameImpl, content::RenderFrameImpl, void, void (content::RenderFrameImpl::*)(const content::ResourceResponseHead &, const GURL &, const content::CommonNavigationParams &, const content::RequestNavigationParams &)> ./out/asan/../../ipc/ipc_message_templates.h:121:0
    #5 0xc91e148 in OnMessageReceived ./out/asan/../../content/renderer/render_frame_impl.cc:1566:5
    #6 0x840a1de in OnMessageReceived ./out/asan/../../content/child/child_thread_impl.cc:754:18
    #7 0x630a8aa in OnDispatchMessage ./out/asan/../../ipc/ipc_channel_proxy.cc:340:14
    #8 0x5ecd581 in Run ./out/asan/../../base/callback.h:68:12
    #9 0x5ecd581 in RunTask ./out/asan/../../base/debug/task_annotator.cc:52:0
    #10 0x88b5149 in ProcessTaskFromWorkQueue ./out/asan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:454:19
    #11 0x88afe6e in DoWork ./out/asan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:307:13
    #12 0x5ecd581 in Run ./out/asan/../../base/callback.h:68:12
    #13 0x5ecd581 in RunTask ./out/asan/../../base/debug/task_annotator.cc:52:0
    #14 0x5d701a8 in RunTask ./out/asan/../../base/message_loop/message_loop.cc:421:19
    #15 0x5d70e55 in DeferOrRunPendingTask ./out/asan/../../base/message_loop/message_loop.cc:430:5
    #16 0x5d71f5d in DoWork ./out/asan/../../base/message_loop/message_loop.cc:523:13
    #17 0x5d79ffe in Run ./out/asan/../../base/message_loop/message_pump_default.cc:33:31
    #18 0x5d6f601 in RunHandler ./out/asan/../../base/message_loop/message_loop.cc:386:10
    #19 0x5dd3ec6 in Run ./out/asan/../../base/run_loop.cc:37:10
    #20 0xca5c926 in RendererMain ./out/asan/../../content/renderer/renderer_main.cc:200:23
    #21 0x3ff57a7 in RunZygote ./out/asan/../../content/app/content_main_runner.cc:345:14
    #22 0x3ff87d2 in Run ./out/asan/../../content/app/content_main_runner.cc:796:12
    #23 0x3bd703a in ContentMain ./out/asan/../../content/app/content_main.cc:20:28
    #24 0x52faeb5 in LaunchTests ./out/asan/../../content/public/test/test_launcher.cc:526:12
    #25 0x52ae086 in main ./out/asan/../../content/test/content_test_launcher.cc:131:10
    #26 0x7f0969a2bf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0

0x61b00000b502 is located 1410 bytes inside of 1432-byte region [0x61b00000af80,0x61b00000b518)
freed by thread T0 (content_browser) here:
    #0 0x5b34cb in operator delete(void*) ??:?
    #1 0xc9589f7 in frameDetached ./out/asan/../../content/renderer/render_frame_impl.cc:3153:3
    #2 0x8b3b5d4 in detached ./out/asan/../../third_party/WebKit/Source/web/FrameLoaderClientImpl.cpp:338:11
    #3 0xa155235 in detach ./out/asan/../../third_party/WebKit/Source/core/frame/Frame.cpp:79:13
    #4 0xa21818f in detach ./out/asan/../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:458:10
    #5 0x9b508fa in disconnectCollectedFrameOwners ./out/asan/../../third_party/WebKit/Source/core/dom/ChildFrameDisconnector.cpp:61:14
    #6 0x9b4fdb3 in disconnect ./out/asan/../../third_party/WebKit/Source/core/dom/ChildFrameDisconnector.cpp:33:3
    #7 0x9ae3d0f in willRemoveChild ./out/asan/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:447:33
    #8 0x9ae2dae in removeChild ./out/asan/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:518:3
    #9 0x9cb9ddf in removeChild ./out/asan/../../third_party/WebKit/Source/core/dom/Node.cpp:439:35
    #10 0x8dfd46f in removeChildMethod ./out/asan/gen/blink/bindings/core/v8/V8Node.cpp:850:24
    #11 0x8dfd46f in removeChildMethodCallback ./out/asan/gen/blink/bindings/core/v8/V8Node.cpp:859:0
    #12 0x1e487b3 in Call ./out/asan/../../v8/src/api-arguments.cc:25:3
    #13 0x200caaa in HandleApiCallHelper<false> ./out/asan/../../v8/src/builtins/builtins-api.cc:106:36
    #14 0x2009e6c in Builtin_Impl_HandleApiCall ./out/asan/../../v8/src/builtins/builtins-api.cc:135:5
    #14 0x7f093c904426  (<unknown module>)
    #15 0x7f093ca861c6  (<unknown module>)
    #16 0x7f093c905f14  (<unknown module>)
    #17 0x7f093c9b32a2  (<unknown module>)
    #18 0x7f093c92eee0  (<unknown module>)
    #15 0x29e95f9 in Invoke ./out/asan/../../v8/src/execution.cc:144:13
    #16 0x29e8cd8 in CallInternal ./out/asan/../../v8/src/execution.cc:180:10
    #17 0x29e8cd8 in Call ./out/asan/../../v8/src/execution.cc:190:0
    #18 0x1e9dab4 in Call ./out/asan/../../v8/src/api.cc:5101:7
    #19 0x8c934bc in callFunction ./out/asan/../../third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:650:17
    #20 0x8cfbf80 in callListenerFunction ./out/asan/../../third_party/WebKit/Source/bindings/core/v8/V8EventListener.cpp:111:8
    #21 0x8cfeb2a in invokeEventHandler ./out/asan/../../third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:142:19
    #22 0x8cfe65e in handleEvent ./out/asan/../../third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:101:3
    #23 0x8cfe30c in handleEvent ./out/asan/../../third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:89:3
    #24 0xa0e36fa in fireEventListeners ./out/asan/../../third_party/WebKit/Source/core/events/EventTarget.cpp:700:15
    #25 0xa0e191b in fireEventListeners ./out/asan/../../third_party/WebKit/Source/core/events/EventTarget.cpp:562:27
    #26 0x9cd29fd in handleLocalEvents ./out/asan/../../third_party/WebKit/Source/core/dom/Node.cpp:2077:3

previously allocated by thread T0 (content_browser) here:
    #0 0x5b288b in operator new(unsigned long) ??:?
    #1 0xc9117c8 in Create ./out/asan/../../content/renderer/render_frame_impl.cc:911:12
    #2 0xc9117c8 in CreateFrame ./out/asan/../../content/renderer/render_frame_impl.cc:1012:0
    #3 0xc9d311d in CreateFrame ./out/asan/../../content/renderer/render_thread_impl.cc:2096:3
    #4 0x155f9d4 in Accept ./out/asan/gen/content/common/renderer.mojom.cc:476:13
    #5 0x5591e77 in HandleValidatedMessage ./out/asan/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:350:32
    #6 0x63250e0 in AcceptOnProxyThread ./out/asan/../../ipc/ipc_mojo_bootstrap.cc:687:24
    #7 0x632143a in Invoke<const scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> &, mojo::Message> ./out/asan/../../base/bind_internal.h:214:12
    #8 0x632143a in MakeItSo<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*const &)(mojo::Message), const scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> &, mojo::Message> ./out/asan/../../base/bind_internal.h:285:0
    #9 0x632143a in RunImpl<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*const &)(mojo::Message), const std::__1::tuple<scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, base::internal::PassedWrapper<mojo::Message> > &, 0, 1> ./out/asan/../../base/bind_internal.h:361:0
    #10 0x632143a in Run ./out/asan/../../base/bind_internal.h:339:0
    #11 0x5ecd581 in Run ./out/asan/../../base/callback.h:68:12
    #12 0x5ecd581 in RunTask ./out/asan/../../base/debug/task_annotator.cc:52:0
    #13 0x88b5149 in ProcessTaskFromWorkQueue ./out/asan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:454:19
    #14 0x88afe6e in DoWork ./out/asan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:307:13
    #15 0x5ecd581 in Run ./out/asan/../../base/callback.h:68:12
    #16 0x5ecd581 in RunTask ./out/asan/../../base/debug/task_annotator.cc:52:0
    #17 0x5d701a8 in RunTask ./out/asan/../../base/message_loop/message_loop.cc:421:19
    #18 0x5d70e55 in DeferOrRunPendingTask ./out/asan/../../base/message_loop/message_loop.cc:430:5
    #19 0x5d71f5d in DoWork ./out/asan/../../base/message_loop/message_loop.cc:523:13
    #20 0x5d79ffe in Run ./out/asan/../../base/message_loop/message_pump_default.cc:33:31
    #21 0x5d6f601 in RunHandler ./out/asan/../../base/message_loop/message_loop.cc:386:10
    #22 0x5dd3ec6 in Run ./out/asan/../../base/run_loop.cc:37:10
    #23 0xca5c926 in RendererMain ./out/asan/../../content/renderer/renderer_main.cc:200:23
    #24 0x3ff57a7 in RunZygote ./out/asan/../../content/app/content_main_runner.cc:345:14
    #25 0x3ff87d2 in Run ./out/asan/../../content/app/content_main_runner.cc:796:12
    #26 0x3bd703a in ContentMain ./out/asan/../../content/app/content_main.cc:20:28
    #27 0x52faeb5 in LaunchTests ./out/asan/../../content/public/test/test_launcher.cc:526:12
    #28 0x52ae086 in main ./out/asan/../../content/test/content_test_launcher.cc:131:10
    #29 0x7f0969a2bf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/google/home/maniscalco/chromium/src/out/asan/content_browsertests+0xc9384bc)
Shadow bytes around the buggy address:
  0x0c367fff9650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff9660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff9670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff9680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff9690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c367fff96a0:[fd]fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff96b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff96c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff96d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff96e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff96f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ABORTING
../../content/browser/site_per_process_browsertest.cc:6349: Failure
Value of: ExecuteScriptAndExtractInt( root, "domAutomationController.send(frames.length)", &child_count)
  Actual: false
Expected: true
[  FAILED  ] SitePerProcessBrowserTest.NavigateAboutBlankAndDetach, where TypeParam =  and GetParam() =  (1773 ms)
[----------] 1 test from SitePerProcessBrowserTest (1773 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1773 ms total)
[  PASSED  ] 0 tests.
[  FAILED  ] 1 test, listed below:
[  FAILED  ] SitePerProcessBrowserTest.NavigateAboutBlankAndDetach, where TypeParam =  and GetParam() =

 1 FAILED TEST
[1/1] SitePerProcessBrowserTest.NavigateAboutBlankAndDetach (2101 ms)
1 test failed:
    SitePerProcessBrowserTest.NavigateAboutBlankAndDetach (../../content/browser/site_per_process_browsertest.cc:6326)

Cc: alex...@chromium.org
Currently suspecting

https://chromium.googlesource.com/chromium/src/+/f076d91e660f7289f0ee4bbda0cd1f89563760f3

as cause.  Just a guess at this point.
Cc: -alex...@chromium.org
Owner: alex...@chromium.org
Cc: alex...@chromium.org
Components: UI>Browser>Navigation
Owner: clamy@chromium.org
Status: Assigned (was: Available)
Summary: Memory corruption in SitePerProcessBrowserTest.NavigateAboutBlankAndDetach with PlzNavigate (was: Memory corruption in SitePerProcessBrowserTest.NavigateAboutBlankAndDetach)
Thanks for reporting!  The test used to be disabled for Linux, and my r445515 re-enabled it, as I thought I fixed the site-per-process side of it.  However, I can actually repro this failure locally with --enable-browser-side-navigation even without my r445515.  (It's flaky; I hit the crash every other time or so.)  So, this seems to be an independent failure in PlzNavigate + site-per-process modes.  Assigning to clamy@ for further triage, and I'll go ahead and disable it for PlzNavigate for now.
For reference, the test was previously disabled as part of issue 660622. It doesn't seem to be failing with just --site-per-process (without --enable-browser-side-navigation) since I've re-enabled it, but it hasn't been that long, so we'll need to wait and see to confirm that this is specific to PlzNavigate.

Comment 8 by clamy@chromium.org, Jan 25 2017

Thanks! I think this may be a PlzNavigate-specific issue: we update browser_side_navigation_pending_ after calling NavigateInternal in RenderFrameImpl::OnCommitNavigation. But NavigateInternal may destroy the RenderFrameImpl, so this could cause a UAF. I'll work on a fix.

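The ordering bug described in comment 8, as an added example. This is not Chromium code and not the patch from the CL in comment 10 (whose diff is not on this page). Frame, Owner, NavigateInternal(), the three Commit* functions, RunScenario() and FlagClearedAfterNonDetachingCommit() are hypothetical stand-ins for RenderFrameImpl, the frame tree that owns it, the real NavigateInternal() and OnCommitNavigation(). The original ordering is modelled by taking a std::weak_ptr from the owner before the call and reporting, instead of performing, the member write once the frame has been deleted; that expired() check plays the role the freed-region shadow bytes play in the ASan report above. The second function records the state change before the call that may delete this, which removes the dangling write; the third shows the weak-reference guard to use when work genuinely has to run after such a call.

```cpp
// Added example, not Chromium code: a minimal model of the bug from comment 8.
// Frame, Owner, NavigateInternal() and the Commit* functions are hypothetical
// stand-ins for RenderFrameImpl, the frame tree that owns it, the real
// NavigateInternal() and OnCommitNavigation(); nothing here is the real API.
#include <cstdio>
#include <memory>

struct Frame;

// Owns the frame. Detaching the frame destroys it, as frameDetached() does
// in the "freed by" stack of the ASan report.
struct Owner {
  std::shared_ptr<Frame> frame;
};

struct Frame {
  Owner* owner;
  bool navigation_pending = true;  // stand-in for browser_side_navigation_pending_

  explicit Frame(Owner* o) : owner(o) {}

  // Stand-in for NavigateInternal(). When the committing navigation runs
  // script that removes the <iframe> (the about:blank-and-detach case), the
  // frame is detached and deleted. The caller gets no signal that |this|
  // is gone, which is exactly what makes a write after the call unsafe.
  void NavigateInternal(bool script_detaches_frame) {
    if (script_detaches_frame)
      owner->frame.reset();  // deletes |this|; no member may be touched after this
  }
};

enum class CommitResult { kOk, kFrameGone, kWriteAfterFree };

// Original ordering: call first, write the member afterwards. A weak_ptr
// taken from the owner before the call stands in for ASan's freed-region
// shadow bytes: if it has expired, the assignment the original code made
// here would land in freed memory, so we report it instead of doing it.
CommitResult CommitThenClearFlag(Owner* owner, bool detach) {
  Frame* self = owner->frame.get();
  std::weak_ptr<Frame> liveness = owner->frame;
  self->NavigateInternal(detach);
  if (liveness.expired())
    return CommitResult::kWriteAfterFree;  // the heap-use-after-free
  self->navigation_pending = false;
  return CommitResult::kOk;
}

// Fixed ordering: record the state change before the call that may delete
// |this|, and touch nothing afterwards. The page confirms only that a fix
// landed in render_frame_impl.cc; this is one correct ordering, not that CL.
CommitResult ClearFlagThenCommit(Owner* owner, bool detach) {
  Frame* self = owner->frame.get();
  self->navigation_pending = false;
  self->NavigateInternal(detach);
  // Don't add code after this: |self| may have been destroyed.
  return CommitResult::kOk;
}

// Guard for the case where work genuinely has to follow such a call: hold a
// weak reference and re-check it before every later dereference.
CommitResult CommitWithWeakGuard(Owner* owner, bool detach) {
  std::weak_ptr<Frame> weak_self = owner->frame;
  owner->frame->NavigateInternal(detach);
  std::shared_ptr<Frame> self = weak_self.lock();
  if (!self)
    return CommitResult::kFrameGone;  // detached during commit; nothing to update
  self->navigation_pending = false;
  return CommitResult::kOk;
}

// Builds a fresh owner/frame pair and runs one commit path against it.
CommitResult RunScenario(CommitResult (*commit)(Owner*, bool), bool detach) {
  Owner owner;
  owner.frame = std::make_shared<Frame>(&owner);
  return commit(&owner, detach);
}

// True when a non-detaching commit leaves the frame alive with its flag cleared.
bool FlagClearedAfterNonDetachingCommit(CommitResult (*commit)(Owner*, bool)) {
  Owner owner;
  owner.frame = std::make_shared<Frame>(&owner);
  commit(&owner, false);
  return owner.frame && !owner.frame->navigation_pending;
}

int main() {
  const char* names[] = {"call-then-write", "write-then-call", "weak guard"};
  CommitResult (*paths[])(Owner*, bool) = {CommitThenClearFlag, ClearFlagThenCommit,
                                           CommitWithWeakGuard};
  for (int i = 0; i < 3; ++i) {
    CommitResult r = RunScenario(paths[i], /*detach=*/true);
    std::printf("%-16s detaching commit: %s\n", names[i],
                r == CommitResult::kWriteAfterFree ? "write to freed frame" : "safe");
  }
  return 0;
}
```

Under -fsanitize=address none of the three paths trips the detector as written, because the model reports the dangling write rather than performing it. Deleting the expired() check in CommitThenClearFlag restores the real bug: the assignment to navigation_pending then becomes a WRITE of size 1 into a freed region, and ASan reports it in the same shape as the trace in the description, with the free attributed to NavigateInternal's detach path.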
Comment 9 by clamy@chromium.org, Jan 25 2017

Indeed. I've uploaded a fix at https://codereview.chromium.org/2650653006/. I've confirmed locally that 100 runs of the test don't hit the UAF with the fix.
Project Member Comment 10 by bugdroid1@chromium.org, Jan 25 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d7d3ad002ee9f002bf7f7f763a6a815052602ac1

commit d7d3ad002ee9f002bf7f7f763a6a815052602ac1
Author: clamy <clamy@chromium.org>
Date: Wed Jan 25 16:57:52 2017

PlzNavigate; fix UAF in RenderFrameImpl::OnCommitNavigation

This CL fixes a UAF bug in RenderFrameImpl::OnCommitNavigation. This was
uncovered by re-enabling
SitePerProcessBrowserTest.NavigateAboutBlankAndDetach.

BUG=684699

Review-Url: https://codereview.chromium.org/2650653006
Cr-Commit-Position: refs/heads/master@{#446040}

[modify] https://crrev.com/d7d3ad002ee9f002bf7f7f763a6a815052602ac1/content/renderer/render_frame_impl.cc

Labels: -Sheriff-Chromium

Comment 12 by clamy@chromium.org, Apr 20 2017

Status: Fixed (was: Assigned)
