
Issue 701558 link


Issue metadata

Status: Fixed
Closed: Mar 2017
OS: Windows
Pri: 3
Type: Bug


Null Handle Used in base::GetProcId call

Project Member Reported by robliao@chromium.org, Mar 14 2017

Issue description

This happens at Chrome startup and was introduced with

https://codereview.chromium.org/1272223003/diff/250001/content/browser/renderer_host/render_process_host_impl.cc

=======================================
VERIFIER STOP 0000000000000303: pid 0x3568: NULL handle passed as parameter. A valid handle must be used. 
=======================================
This verifier stop is continuable.
After debugging it use `go' to continue.
=======================================

STACK:

0:000> kn20
 # Child-SP          RetAddr           Call Site
00 000000e0`452fbb30 00007ffb`85fcf55f vrfcore!VerifierStopMessageEx+0x6f9
01 000000e0`452fbeb0 00007ffb`85fd06a6 vfbasics!AVrfpHandleSanityChecks+0x3b
02 000000e0`452fbf00 00007ffb`945e2b7d vfbasics!AVrfpNtQueryInformationProcess+0x46
03 000000e0`452fbf40 00007ffb`6fa80347 KERNELBASE!GetProcessId+0x1d
04 000000e0`452fbfb0 00007ffb`6fa8274e chrome_7ffb6efd0000!content::RenderProcessHostImpl::CreateMessageFilters+0x3f7 [g:\src\content\browser\renderer_host\render_process_host_impl.cc @ 1088]
05 000000e0`452fc130 00007ffb`6f959550 chrome_7ffb6efd0000!content::RenderProcessHostImpl::Init+0x14e [g:\src\content\browser\renderer_host\render_process_host_impl.cc @ 866]
06 000000e0`452fc280 00007ffb`6f95a445 chrome_7ffb6efd0000!content::RenderFrameHostManager::InitRenderView+0x30 [g:\src\content\browser\frame_host\render_frame_host_manager.cc @ 1908]
07 000000e0`452fc2c0 00007ffb`6f959a5c chrome_7ffb6efd0000!content::RenderFrameHostManager::ReinitializeRenderFrame+0x45 [g:\src\content\browser\frame_host\render_frame_host_manager.cc @ 2085]
08 000000e0`452fc2f0 00007ffb`6f9422c8 chrome_7ffb6efd0000!content::RenderFrameHostManager::Navigate+0x15c [g:\src\content\browser\frame_host\render_frame_host_manager.cc @ 231]
09 000000e0`452fc3b0 00007ffb`6f942703 chrome_7ffb6efd0000!content::NavigatorImpl::NavigateToEntry+0x658 [g:\src\content\browser\frame_host\navigator_impl.cc @ 400]
0a 000000e0`452fd0b0 00007ffb`6f9361db chrome_7ffb6efd0000!content::NavigatorImpl::NavigateToPendingEntry+0x63 [g:\src\content\browser\frame_host\navigator_impl.cc @ 500]
0b 000000e0`452fd110 00007ffb`6f93609e chrome_7ffb6efd0000!content::NavigationControllerImpl::NavigateToPendingEntryInternal+0x10b [g:\src\content\browser\frame_host\navigation_controller_impl.cc @ 1934]
0c 000000e0`452fd1a0 00007ffb`6f935769 chrome_7ffb6efd0000!content::NavigationControllerImpl::NavigateToPendingEntry+0x30e [g:\src\content\browser\frame_host\navigation_controller_impl.cc @ 1892]
0d 000000e0`452fd1f0 00007ffb`6f935d38 chrome_7ffb6efd0000!content::NavigationControllerImpl::LoadEntry+0x49 [g:\src\content\browser\frame_host\navigation_controller_impl.cc @ 460]
0e 000000e0`452fd220 00007ffb`6f935865 chrome_7ffb6efd0000!content::NavigationControllerImpl::LoadURLWithParams+0x4a8 [g:\src\content\browser\frame_host\navigation_controller_impl.cc @ 788]
0f 000000e0`452fd390 00007ffb`6fbfcc50 chrome_7ffb6efd0000!content::NavigationControllerImpl::LoadURL+0xa5 [g:\src\content\browser\frame_host\navigation_controller_impl.cc @ 661]
10 000000e0`452fd710 00007ffb`6fbfc754 chrome_7ffb6efd0000!extensions::ExtensionHost::LoadInitialURL+0xb0 [g:\src\extensions\browser\extension_host.cc @ 233]
11 000000e0`452fd810 00007ffb`6fc2d2f5 chrome_7ffb6efd0000!extensions::ExtensionHost::CreateRenderViewNow+0xa4 [g:\src\extensions\browser\extension_host.cc @ 159]
12 000000e0`452fd9f0 00007ffb`70c0d37b chrome_7ffb6efd0000!extensions::SerialExtensionHostQueue::ProcessOneHost+0x25 [g:\src\extensions\browser\serial_extension_host_queue.cc @ 80]

CAUSE:

content::RenderProcessHostImpl::GetHandle returns base::kNullProcessHandle since child_process_launcher_ is null.

0:000> ?? this->child_process_launcher_._Mypair
class std::_Compressed_pair<std::default_delete<content::ChildProcessLauncher>,content::ChildProcessLauncher *,1>
   +0x000 _Myval2          : (null) 

FIX:

Obtain the child process launcher ID after it's been set.
 
Comment 1 by bugdroid1@chromium.org (Project Member), Mar 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/df14e3f7dd968466a056279eed4839ae9a900f18

commit df14e3f7dd968466a056279eed4839ae9a900f18
Author: grunell <grunell@chromium.org>
Date: Mon Mar 20 15:51:22 2017

Fix null argument to base::GetProcId in RenderProcessHostImpl::CreateMessageFilters.

Child process launcher hasn't been created at that time.

This doesn't actually cause a problem or bug (currently), but the misuse should be removed.

Note that the handling of debug recording should be moved to AudioManager (added todo) and then the renderer pid won't be used and all this code will be removed.

Fix:
* Removed renderer pid as argument to AudioInputRendererHost ctor. This is always 0 anyway. The pid is set later, so the ctor argument can simply be removed.
* Added DCHECK that the pid is > 0 when used.
* Ensured the pid member variable is only accessed on IO thread.

BUG= 701558 

Review-Url: https://codereview.chromium.org/2761793002
Cr-Commit-Position: refs/heads/master@{#458073}

[modify] https://crrev.com/df14e3f7dd968466a056279eed4839ae9a900f18/content/browser/renderer_host/media/audio_input_renderer_host.cc
[modify] https://crrev.com/df14e3f7dd968466a056279eed4839ae9a900f18/content/browser/renderer_host/media/audio_input_renderer_host.h
[modify] https://crrev.com/df14e3f7dd968466a056279eed4839ae9a900f18/content/browser/renderer_host/media/audio_input_renderer_host_unittest.cc
[modify] https://crrev.com/df14e3f7dd968466a056279eed4839ae9a900f18/content/browser/renderer_host/render_process_host_impl.cc

Status: Fixed (was: Assigned)
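As an added illustration (not Chromium code), this small C++ model replays the ordering described in the report and in the commit above: the message filters are created in Init() before the child process launcher exists, so a constructor-time base::GetProcId call receives a null handle; the fixed variant leaves the pid out of the constructor, sets it once the process exists and checks it at the point of use. All type and function names (ProcessHandle, GetProcId, RenderProcessHost, AudioInputHostBefore/After, RunStartup) are hypothetical stand-ins.

```cpp
#include <cassert>
#include <cstdint>

// Added model, not Chromium code: all names below are hypothetical stand-ins.
using ProcessHandle = std::uintptr_t;          // 0 models base::kNullProcessHandle
constexpr ProcessHandle kNullProcessHandle = 0;

// Counts null handles reaching the pid lookup; models the Application
// Verifier "NULL handle passed as parameter" stop from the report.
int g_null_handle_misuses = 0;

int GetProcId(ProcessHandle handle) {
  if (handle == kNullProcessHandle) { ++g_null_handle_misuses; return 0; }
  return static_cast<int>(handle);  // constructed: the handle value doubles as the pid
}

// Models RenderProcessHostImpl: Init() creates the message filters before
// the child process launcher exists, so GetHandle() is null at that point.
struct RenderProcessHost {
  ProcessHandle launched_handle = kNullProcessHandle;  // set by a later launch step
  ProcessHandle GetHandle() const { return launched_handle; }
};

// Before the fix: the pid is captured in the constructor, which is too early.
struct AudioInputHostBefore {
  explicit AudioInputHostBefore(const RenderProcessHost& host)
      : renderer_pid(GetProcId(host.GetHandle())) {}
  int renderer_pid;
};

// After the fix: no pid in the constructor; it is set once the process exists
// and checked (a DCHECK in the real change) at the point of use.
struct AudioInputHostAfter {
  int renderer_pid = 0;
  void set_renderer_pid(int pid) { renderer_pid = pid; }
  int pid_for_use() const { assert(renderer_pid > 0); return renderer_pid; }
};

// Replays the startup order (filters first, launch second) for either variant
// and returns the pid the filter ends up with.
int RunStartup(bool fixed) {
  g_null_handle_misuses = 0;
  RenderProcessHost host;
  if (!fixed) {
    AudioInputHostBefore filter(host);   // one verifier stop, pid == 0
    host.launched_handle = 4242;         // launch happens only now
    return filter.renderer_pid;
  }
  AudioInputHostAfter filter;            // no handle touched here
  host.launched_handle = 4242;           // constructed handle value
  filter.set_renderer_pid(GetProcId(host.GetHandle()));
  return filter.pid_for_use();
}
```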