Issue 704647

Issue metadata

Status: Fixed
Owner: not working at Google anymore
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Null Handle Used in base::GetProcId call

Project Member Reported by robliao@chromium.org, Mar 23 2017

Issue description

=======================================
VERIFIER STOP 0000000000000303: pid 0x47BC: NULL handle passed as parameter. A valid handle must be used. 

=======================================
This verifier stop is continuable.
After debugging it use `go' to continue.

=======================================

STACK:

(47bc.1bc0): Break instruction exception - code 80000003 (first chance)
vrfcore!VerifierStopMessageEx+0x6f9:
00007ffa`b1b62149 cc              int     3
0:000> kn20
 # Child-SP          RetAddr           Call Site
00 0000002f`1aafe5f0 00007ffa`b1acf55f vrfcore!VerifierStopMessageEx+0x6f9
01 0000002f`1aafe970 00007ffa`b1ad06a6 vfbasics!AVrfpHandleSanityChecks+0x3b
02 0000002f`1aafe9c0 00007ffa`c13a2b7d vfbasics!AVrfpNtQueryInformationProcess+0x46
03 0000002f`1aafea00 00007ffa`95cc6698 KERNELBASE!GetProcessId+0x1d
04 (Inline Function) --------`-------- chrome_7ffa93e70000!base::GetProcId+0x9 [c:\b\build\slave\win64-pgo\build\src\base\process\process_handle_win.cc @ 25]
05 0000002f`1aafea70 00007ffa`948ef13f chrome_7ffa93e70000!MemoryDetails::CollectChildInfoOnUIThread+0xd8 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\memory_details.cc @ 235]
06 (Inline Function) --------`-------- chrome_7ffa93e70000!base::Callback<void __cdecl(void),0,0>::Run+0x11 [c:\b\build\slave\win64-pgo\build\src\base\callback.h @ 91]
07 0000002f`1aafec50 00007ffa`948a24a6 chrome_7ffa93e70000!base::debug::TaskAnnotator::RunTask+0x1af [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 59]
08 0000002f`1aafee00 00007ffa`948a305a chrome_7ffa93e70000!base::MessageLoop::RunTask+0x1f6 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 424]
09 (Inline Function) --------`-------- chrome_7ffa93e70000!base::MessageLoop::DeferOrRunPendingTask+0x56 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 434]
0a 0000002f`1aafef60 00007ffa`948ef6e1 chrome_7ffa93e70000!base::MessageLoop::DoWork+0x48a [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 527]
0b 0000002f`1aaff160 00007ffa`948ef334 chrome_7ffa93e70000!base::MessagePumpForUI::DoRunLoop+0x71 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 174]
0c 0000002f`1aaff1d0 00007ffa`948c86f0 chrome_7ffa93e70000!base::MessagePumpWin::Run+0x54 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 58]
0d (Inline Function) --------`-------- chrome_7ffa93e70000!base::MessageLoop::RunHandler+0x21 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 387]
0e 0000002f`1aaff220 00007ffa`947c85e8 chrome_7ffa93e70000!base::RunLoop::Run+0xc0 [c:\b\build\slave\win64-pgo\build\src\base\run_loop.cc @ 38]
0f 0000002f`1aaff2d0 00007ffa`942554cc chrome_7ffa93e70000!ChromeBrowserMainParts::MainMessageLoopRun+0x138 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\chrome_browser_main.cc @ 1963]
10 (Inline Function) --------`-------- chrome_7ffa93e70000!content::BrowserMainLoop::RunMainMessageLoopParts+0x62 [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main_loop.cc @ 1191]
11 0000002f`1aaff350 00007ffa`9424d839 chrome_7ffa93e70000!content::BrowserMainRunnerImpl::Run+0x6c [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main_runner.cc @ 140]
12 0000002f`1aaff3a0 00007ffa`94778a33 chrome_7ffa93e70000!content::BrowserMain+0x169 [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main.cc @ 46]
13 (Inline Function) --------`-------- chrome_7ffa93e70000!content::RunNamedProcessTypeMain+0x157 [c:\b\build\slave\win64-pgo\build\src\content\app\content_main_runner.cc @ 437]
14 0000002f`1aaff430 00007ffa`9524352c chrome_7ffa93e70000!content::ContentMainRunnerImpl::Run+0x243 [c:\b\build\slave\win64-pgo\build\src\content\app\content_main_runner.cc @ 729]
15 0000002f`1aaff5e0 00007ffa`93f35ce1 chrome_7ffa93e70000!service_manager::Main+0x18c [c:\b\build\slave\win64-pgo\build\src\services\service_manager\embedder\main.cc @ 179]
16 (Inline Function) --------`-------- chrome_7ffa93e70000!content::ContentMain+0x8a [c:\b\build\slave\win64-pgo\build\src\content\app\content_main.cc @ 19]
17 0000002f`1aaff6c0 00007ff6`d96e76c1 chrome_7ffa93e70000!ChromeMain+0x191 [c:\b\build\slave\win64-pgo\build\src\chrome\app\chrome_main.cc @ 121]
18 0000002f`1aaff7a0 00007ff6`d96e279b chrome!MainDllLoader::Launch+0x399 [c:\b\build\slave\win64-pgo\build\src\chrome\app\main_dll_loader_win.cc @ 203]
19 0000002f`1aaff8d0 00007ff6`d9a358f3 chrome!wWinMain+0x2b7 [c:\b\build\slave\win64-pgo\build\src\chrome\app\chrome_exe_main_win.cc @ 272]
1a (Inline Function) --------`-------- chrome!invoke_main+0x21 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 113]
1b 0000002f`1aaffad0 00007ffa`c4a68102 chrome!__scrt_common_main_seh+0x117 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
1c 0000002f`1aaffb10 00007ffa`c4bbc5b4 KERNEL32!BaseThreadInitThunk+0x22
1d 0000002f`1aaffb40 00000000`00000000 ntdll!RtlUserThreadStart+0x34

POSSIBLE FIX:

  while (content::RenderWidgetHost* widget = widget_it->GetNextHost()) {
    // Ignore processes that don't have a connection, such as crashed tabs.
    if (!widget->GetProcess()->HasConnection())
      continue;

    // Check that the handle is not null before calling GetProcId.
    base::ProcessId pid = base::GetProcId(widget->GetProcess()->GetHandle());  // <-- null handle reaches GetProcessId here

    widgets_by_pid[pid].push_back(widget);
  }

Last changed CL: https://codereview.chromium.org/1406133002/diff/140001/chrome/browser/memory_details.cc

Comment 1 by creis@chromium.org, Mar 23 2017

Cc: creis@chromium.org
Owner: nick@chromium.org
Status: Started (was: Untriaged)
Thanks for the report!  Nick has a CL for it: https://codereview.chromium.org/2773853002/

Comment 2 by wfh@chromium.org, Mar 23 2017

this is awesome

Comment 3 by wfh@chromium.org, Mar 23 2017

is it possible to stand up an FYI bot with appverifier running?

That's a good question. AppVerifier currently doesn't play nicely with the renderer processes, so I have to enable it and then disable it. This is probably easily scriptable with ImageFileExecutionOptions registry manipulations. To get the messages, you also need to run under a cdb/ntsd/windbg debugger.

It certainly is an interesting idea.

Comment 5 by wfh@chromium.org, Mar 23 2017

right so basically it has to be enabled for browser but not renderer? can it be toggled on/off using !gflags in cdb?

I'm going to move discussion of this to http://crbug.com/704749
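
The enable/run/disable cycle sketched in comments 3 to 6, written out as an added example; it is not part of this thread or of Chromium's tooling. It assumes appverif.exe and cdb.exe (Debugging Tools for Windows) are on PATH, that chrome.exe lives at the path passed in, and that App Verifier's per-image setting is consulted when a process is created, so clearing it once the browser process is up leaves child processes created afterwards unverified. That reading of "enable it and then disable it" is an assumption, and the sleep is a crude stand-in for detecting that the browser process has started.

```powershell
# Added example (not Chromium tooling): turn on App Verifier handle checks
# for chrome.exe, launch the browser under cdb so VERIFIER STOP messages
# reach a debugger, then clear the setting so later child processes run
# unverified. Assumes appverif.exe and cdb.exe are on PATH.
param(
    # Assumed install location; pass the build output path for a local build.
    [string]$ChromeExe = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe",
    # App Verifier test group(s) to enable; Handles is what flagged this bug.
    [string]$Checks = "Handles",
    # Crude stand-in for "browser process has started" (assumption).
    [int]$SettleSeconds = 5
)

$ErrorActionPreference = 'Stop'

# The setting is keyed by image name, so while it is on it also applies to
# renderer processes (which are chrome.exe too) created in that window.
& appverif.exe -enable $Checks -for chrome.exe

try {
    # -g / -G skip the initial and final breakpoints; verifier stops are
    # int 3 breaks and still land in the debugger.
    $cdb = Start-Process -FilePath cdb.exe `
        -ArgumentList @('-g', '-G', "`"$ChromeExe`"") -PassThru

    Start-Sleep -Seconds $SettleSeconds
} finally {
    # Clear the per-image setting whether or not the launch succeeded.
    & appverif.exe -disable * -for chrome.exe
}

# Keep the session open; VERIFIER STOP output appears in the cdb window.
$cdb.WaitForExit()
```

The window between enable and disable is timing-based, so renderers spawned during browser startup may still pick up the verifier; the thread moved the discussion of doing this properly on a bot to http://crbug.com/704749.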

Project Member Comment 7 by bugdroid1@chromium.org, Mar 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/96fb832e2f8abff293fb34fd320e2222707f585b

commit 96fb832e2f8abff293fb34fd320e2222707f585b
Author: nick <nick@chromium.org>
Date: Fri Mar 24 19:44:28 2017

HasConnection -> IsReady

The problem was that calling getProcId on a null process handle is an error.
IsReady checks both the connection as well as for a valid handle. It is
possible that we manage to connect to a child process before we actually
get its handle back from the process launcher.

BUG=704647

Review-Url: https://codereview.chromium.org/2773853002
Cr-Commit-Position: refs/heads/master@{#459526}

[modify] https://crrev.com/96fb832e2f8abff293fb34fd320e2222707f585b/chrome/browser/memory_details.cc
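
The ordering window the commit message above describes, which the issue description's stack shows reaching GetProcessId, modelled as an added example. This is not Chromium code: ChildProcess, Verifier, ProcessRecord, CollectPids and SampleHosts are stand-ins for RenderProcessHost, App Verifier, a Windows process handle and the MemoryDetails loop, and the set of child processes is constructed for the example. The verifier stop is modelled as a counter so the block runs anywhere; under App Verifier it is a hard break.

```cpp
// Added example (not Chromium code): a child process whose IPC connection
// is up before its handle has come back from the process launcher, and the
// two readiness checks from the bug (HasConnection before, IsReady after).
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-ins for base::ProcessHandle / base::ProcessId on Windows.
using ProcessHandle = const void*;
using ProcessId = std::uint32_t;
constexpr ProcessHandle kNullProcessHandle = nullptr;

// Stand-in for App Verifier's handle checks: counts NULL handles passed to
// a handle-taking API instead of raising VERIFIER STOP 0x303.
struct Verifier {
  int null_handle_calls = 0;
};

// Backing storage a non-null handle points at (hypothetical).
struct ProcessRecord {
  ProcessId pid;
};

// Stand-in for base::GetProcId(): a null handle is recorded as a violation
// and yields 0, which is also what GetProcessId(NULL) returns unverified.
ProcessId GetProcId(Verifier& v, ProcessHandle h) {
  if (h == kNullProcessHandle) {
    ++v.null_handle_calls;
    return 0;
  }
  return static_cast<const ProcessRecord*>(h)->pid;
}

// Modelled RenderProcessHost: the channel can connect before the launcher
// has delivered the handle, which is the window the bug occurred in.
struct ChildProcess {
  bool connected;
  ProcessRecord record;
  bool handle_arrived;

  bool HasConnection() const { return connected; }
  ProcessHandle GetHandle() const {
    return handle_arrived ? static_cast<ProcessHandle>(&record)
                          : kNullProcessHandle;
  }
  // The fixed check: connected AND a valid handle.
  bool IsReady() const {
    return connected && GetHandle() != kNullProcessHandle;
  }
};

// The MemoryDetails loop, parameterised on which readiness check it uses.
// Returns the pid collected for each child that passed the check.
std::vector<ProcessId> CollectPids(const std::vector<ChildProcess>& hosts,
                                   bool use_is_ready, Verifier& v) {
  std::vector<ProcessId> pids;
  for (const ChildProcess& host : hosts) {
    bool skip = use_is_ready ? !host.IsReady() : !host.HasConnection();
    if (skip)
      continue;
    pids.push_back(GetProcId(v, host.GetHandle()));
  }
  return pids;
}

// Constructed sample: a normal renderer, a crashed tab with no connection,
// and a child that is connected but whose handle has not come back yet.
std::vector<ChildProcess> SampleHosts() {
  return {
      {true, {4012}, true},   // normal renderer
      {false, {5120}, true},  // crashed tab: skipped by both checks
      {true, {0}, false},     // connected, handle still pending
  };
}

int main() {
  Verifier before_fix, after_fix;
  std::vector<ProcessId> before =
      CollectPids(SampleHosts(), /*use_is_ready=*/false, before_fix);
  std::vector<ProcessId> after =
      CollectPids(SampleHosts(), /*use_is_ready=*/true, after_fix);
  std::printf("HasConnection only: %zu pids, %d null-handle GetProcId calls\n",
              before.size(), before_fix.null_handle_calls);
  std::printf("IsReady:            %zu pids, %d null-handle GetProcId calls\n",
              after.size(), after_fix.null_handle_calls);
  return 0;
}
```

Outside App Verifier, GetProcessId(NULL) fails and returns 0, so the HasConnection-only loop did not crash: the widgets of a still-launching child were filed under widgets_by_pid[0], which is why the defect could go unnoticed until the verifier was attached. IsReady closes the window by requiring both the connection and a non-null handle, as the modelled IsReady() does.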

Comment 8 by nick@chromium.org, Mar 29 2017

Status: Fixed (was: Started)