Null Handle Used in base::GetProcId call
Issue description
=======================================
VERIFIER STOP 0000000000000303: pid 0x47BC: NULL handle passed as parameter. A valid handle must be used.
=======================================
This verifier stop is continuable.
After debugging it use `go' to continue.
=======================================
STACK:
(47bc.1bc0): Break instruction exception - code 80000003 (first chance)
vrfcore!VerifierStopMessageEx+0x6f9:
00007ffa`b1b62149 cc int 3
0:000> kn20
# Child-SP RetAddr Call Site
00 0000002f`1aafe5f0 00007ffa`b1acf55f vrfcore!VerifierStopMessageEx+0x6f9
01 0000002f`1aafe970 00007ffa`b1ad06a6 vfbasics!AVrfpHandleSanityChecks+0x3b
02 0000002f`1aafe9c0 00007ffa`c13a2b7d vfbasics!AVrfpNtQueryInformationProcess+0x46
03 0000002f`1aafea00 00007ffa`95cc6698 KERNELBASE!GetProcessId+0x1d
04 (Inline Function) --------`-------- chrome_7ffa93e70000!base::GetProcId+0x9 [c:\b\build\slave\win64-pgo\build\src\base\process\process_handle_win.cc @ 25]
05 0000002f`1aafea70 00007ffa`948ef13f chrome_7ffa93e70000!MemoryDetails::CollectChildInfoOnUIThread+0xd8 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\memory_details.cc @ 235]
06 (Inline Function) --------`-------- chrome_7ffa93e70000!base::Callback<void __cdecl(void),0,0>::Run+0x11 [c:\b\build\slave\win64-pgo\build\src\base\callback.h @ 91]
07 0000002f`1aafec50 00007ffa`948a24a6 chrome_7ffa93e70000!base::debug::TaskAnnotator::RunTask+0x1af [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 59]
08 0000002f`1aafee00 00007ffa`948a305a chrome_7ffa93e70000!base::MessageLoop::RunTask+0x1f6 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 424]
09 (Inline Function) --------`-------- chrome_7ffa93e70000!base::MessageLoop::DeferOrRunPendingTask+0x56 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 434]
0a 0000002f`1aafef60 00007ffa`948ef6e1 chrome_7ffa93e70000!base::MessageLoop::DoWork+0x48a [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 527]
0b 0000002f`1aaff160 00007ffa`948ef334 chrome_7ffa93e70000!base::MessagePumpForUI::DoRunLoop+0x71 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 174]
0c 0000002f`1aaff1d0 00007ffa`948c86f0 chrome_7ffa93e70000!base::MessagePumpWin::Run+0x54 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_win.cc @ 58]
0d (Inline Function) --------`-------- chrome_7ffa93e70000!base::MessageLoop::RunHandler+0x21 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 387]
0e 0000002f`1aaff220 00007ffa`947c85e8 chrome_7ffa93e70000!base::RunLoop::Run+0xc0 [c:\b\build\slave\win64-pgo\build\src\base\run_loop.cc @ 38]
0f 0000002f`1aaff2d0 00007ffa`942554cc chrome_7ffa93e70000!ChromeBrowserMainParts::MainMessageLoopRun+0x138 [c:\b\build\slave\win64-pgo\build\src\chrome\browser\chrome_browser_main.cc @ 1963]
10 (Inline Function) --------`-------- chrome_7ffa93e70000!content::BrowserMainLoop::RunMainMessageLoopParts+0x62 [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main_loop.cc @ 1191]
11 0000002f`1aaff350 00007ffa`9424d839 chrome_7ffa93e70000!content::BrowserMainRunnerImpl::Run+0x6c [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main_runner.cc @ 140]
12 0000002f`1aaff3a0 00007ffa`94778a33 chrome_7ffa93e70000!content::BrowserMain+0x169 [c:\b\build\slave\win64-pgo\build\src\content\browser\browser_main.cc @ 46]
13 (Inline Function) --------`-------- chrome_7ffa93e70000!content::RunNamedProcessTypeMain+0x157 [c:\b\build\slave\win64-pgo\build\src\content\app\content_main_runner.cc @ 437]
14 0000002f`1aaff430 00007ffa`9524352c chrome_7ffa93e70000!content::ContentMainRunnerImpl::Run+0x243 [c:\b\build\slave\win64-pgo\build\src\content\app\content_main_runner.cc @ 729]
15 0000002f`1aaff5e0 00007ffa`93f35ce1 chrome_7ffa93e70000!service_manager::Main+0x18c [c:\b\build\slave\win64-pgo\build\src\services\service_manager\embedder\main.cc @ 179]
16 (Inline Function) --------`-------- chrome_7ffa93e70000!content::ContentMain+0x8a [c:\b\build\slave\win64-pgo\build\src\content\app\content_main.cc @ 19]
17 0000002f`1aaff6c0 00007ff6`d96e76c1 chrome_7ffa93e70000!ChromeMain+0x191 [c:\b\build\slave\win64-pgo\build\src\chrome\app\chrome_main.cc @ 121]
18 0000002f`1aaff7a0 00007ff6`d96e279b chrome!MainDllLoader::Launch+0x399 [c:\b\build\slave\win64-pgo\build\src\chrome\app\main_dll_loader_win.cc @ 203]
19 0000002f`1aaff8d0 00007ff6`d9a358f3 chrome!wWinMain+0x2b7 [c:\b\build\slave\win64-pgo\build\src\chrome\app\chrome_exe_main_win.cc @ 272]
1a (Inline Function) --------`-------- chrome!invoke_main+0x21 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 113]
1b 0000002f`1aaffad0 00007ffa`c4a68102 chrome!__scrt_common_main_seh+0x117 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
1c 0000002f`1aaffb10 00007ffa`c4bbc5b4 KERNEL32!BaseThreadInitThunk+0x22
1d 0000002f`1aaffb40 00000000`00000000 ntdll!RtlUserThreadStart+0x34
POSSIBLE FIX:
  while (content::RenderWidgetHost* widget = widget_it->GetNextHost()) {
    // Ignore processes that don't have a connection, such as crashed tabs.
    if (!widget->GetProcess()->HasConnection())
      continue;
    // Check that the handle is not null before calling GetProcId.
    base::ProcessId pid = base::GetProcId(widget->GetProcess()->GetHandle());  // <-------------------
    widgets_by_pid[pid].push_back(widget);
  }
Last changed CL: https://codereview.chromium.org/1406133002/diff/140001/chrome/browser/memory_details.cc
Mar 23 2017
this is awesome

Mar 23 2017
Is it possible to stand up an FYI bot with AppVerifier running?

Mar 23 2017
That's a good question. AppVerifier currently doesn't play nicely with the renderer processes, so I have to enable it and then disable it. This is probably easily scriptable with ImageFileExecutionOptions registry manipulations. To get the messages, you also need to run under a cdb/ntsd/windbg debugger. It certainly is an interesting idea.

Mar 23 2017
Right, so basically it has to be enabled for the browser but not the renderer? Can it be toggled on/off using !gflags in cdb?

Mar 23 2017
I'm going to move discussion of this to http://crbug.com/704749

Mar 24 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/96fb832e2f8abff293fb34fd320e2222707f585b

commit 96fb832e2f8abff293fb34fd320e2222707f585b
Author: nick <nick@chromium.org>
Date: Fri Mar 24 19:44:28 2017

HasConnection -> IsReady

The problem was that calling getProcId on a null process handle is an error. IsReady checks both the connection as well as for a valid handle. It is possible that we manage to connect to a child process before we actually get its handle back from the process launcher.

BUG= 704647
Review-Url: https://codereview.chromium.org/2773853002
Cr-Commit-Position: refs/heads/master@{#459526}

[modify] https://crrev.com/96fb832e2f8abff293fb34fd320e2222707f585b/chrome/browser/memory_details.cc
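The following is an added example, not Chromium code and not part of this bug report: a portable, self-contained model of the race the verifier stop above exposes and of the HasConnection -> IsReady fix described in the commit. The real call under test is base::GetProcId wrapping GetProcessId, which only misbehaves visibly under Application Verifier on Windows; here a null handle is modelled as a counted error so the effect can be observed anywhere. The names ChildProcess, OsProcess, kNoPid, CollectByPid and SampleProcesses, and the sample process list, are assumptions constructed for this example.

```cpp
// Added example (not Chromium code): model of the CollectChildInfoOnUIThread
// loop before and after the HasConnection -> IsReady fix. All identifiers
// below are assumptions made for this example, not Chromium's own.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

using ProcessId = std::uint32_t;
constexpr ProcessId kNoPid = 0;

// Stand-in for an OS process handle. nullptr models a HANDLE that the process
// launcher has not yet handed back to the browser.
struct OsProcess { ProcessId pid; };
using ProcessHandle = const OsProcess*;

// A child process as the browser sees it. The two fields can be out of sync:
// the IPC channel may connect before the launcher returns the handle.
struct ChildProcess {
    std::string name;
    bool connected;        // IPC channel is up (what HasConnection() reports)
    ProcessHandle handle;  // nullptr until the launcher delivers it

    bool HasConnection() const { return connected; }
    // The fix: also require a valid handle before the process is usable.
    bool IsReady() const { return connected && handle != nullptr; }
};

// Model of base::GetProcId / GetProcessId under Application Verifier: a null
// handle is a checked error (VERIFIER STOP 303), not a harmless failure.
// verifier_stops counts how many times that error would have fired.
ProcessId GetProcId(ProcessHandle handle, int& verifier_stops) {
    if (handle == nullptr) {
        ++verifier_stops;
        return kNoPid;
    }
    return handle->pid;
}

struct CollectResult {
    std::map<ProcessId, std::vector<std::string>> widgets_by_pid;
    int verifier_stops = 0;
};

// With use_is_ready == false this behaves like the code before the fix
// (skip only on !HasConnection()); with use_is_ready == true it applies the
// fix (skip on !IsReady()).
CollectResult CollectByPid(const std::vector<ChildProcess>& procs, bool use_is_ready) {
    CollectResult r;
    for (const ChildProcess& p : procs) {
        bool skip = use_is_ready ? !p.IsReady() : !p.HasConnection();
        if (skip)
            continue;  // crashed tab, or (with the fix) handle not back yet
        ProcessId pid = GetProcId(p.handle, r.verifier_stops);
        r.widgets_by_pid[pid].push_back(p.name);
    }
    return r;
}

// Constructed sample: one healthy renderer, one crashed tab, and one renderer
// whose channel connected before its handle arrived (the racy case).
static const OsProcess kRendererA{1234};
static const OsProcess kRendererB{5678};

std::vector<ChildProcess> SampleProcesses() {
    return {
        {"tab-a", true,  &kRendererA},   // normal
        {"tab-b", false, &kRendererB},   // crashed: no connection
        {"tab-c", true,  nullptr},       // connected, handle still pending
    };
}

int main() {
    CollectResult before = CollectByPid(SampleProcesses(), false);
    CollectResult after  = CollectByPid(SampleProcesses(), true);
    // before.verifier_stops == 1: tab-c reached GetProcId with a null handle
    // and was filed under pid 0. after.verifier_stops == 0: tab-c is skipped
    // until its handle arrives, so no bogus pid-0 bucket is created.
    return (before.verifier_stops == 1 && after.verifier_stops == 0) ? 0 : 1;
}
```

The point the model makes is that "connected" and "has a handle" are independent conditions, so a guard on the first alone lets a null handle reach the OS call; the fix gates on both, and a process that is connected but still waiting on the launcher is simply picked up on a later collection pass.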
Mar 29 2017
Comment 1 by creis@chromium.org, Mar 23 2017
Owner: nick@chromium.org
Status: Started (was: Untriaged)