
Issue 706614


Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug-Regression

Blocked on:
issue 721932

Blocking:
issue 706607




heap-use-after-free while calling InlineBox::deleteLine (google.com)

Reported by glebl@chromium.org (Project Member), Mar 29 2017

Issue description

Type: heap-use-after-free
Please find the stack trace below.

#0 0x7fb86a533c87 base::debug::StackTrace::StackTrace()
#1 0x7fb86a5337ff base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fb86a25f330 <unknown>
#3 0x7fb864f483cd blink::LayoutObject::paintingLayer()
#4 0x7fb8650ae059 blink::ObjectPaintInvalidator::slowSetPaintingLayerNeedsRepaint()
#5 0x7fb864fc24ec blink::InlineBox::destroy()
#6 0x7fb864fc428a blink::InlineFlowBox::deleteLine()
#7 0x7fb864fcd149 blink::LineBoxList::deleteLineBoxTree()
#8 0x7fb864edfc6d blink::LayoutBlockFlow::removeChild()
#9 0x7fb864f4fb8a blink::LayoutObject::willBeDestroyed()
#10 0x7fb864f07062 blink::LayoutBoxModelObject::willBeDestroyed()

Here is a more detailed stack trace from the ASan build:
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200003ab80 at pc 0x0000098e5f4a bp 0x7ffcc71048b0 sp 0x7ffcc71048a8
READ of size 8 at 0x61200003ab80 thread T0 (content_shell)
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!
    #0 0x98e5f49 in isBox /usr/local/google/home/glebl/chromium/src/out/asan/../../third_party/WebKit/Source/core/layout/LayoutObject.h:2319:5
    #1 0x98e5f49 in isBox /usr/local/google/home/glebl/chromium/src/out/asan/../../third_party/WebKit/Source/core/layout/LayoutObject.h:762:0
    #2 0x98e5f49 in isBox /usr/local/google/home/glebl/chromium/src/out/asan/../../third_party/WebKit/Source/core/layout/api/LineLayoutItem.h:155:0
    #3 0x98e5f49 in blink::InlineBox::deleteLine() /usr/local/google/home/glebl/chromium/src/out/asan/../../third_party/WebKit/Source/core/layout/line/InlineBox.cpp:196:0
    #4 0x98edef8 in blink::InlineFlowBox::deleteLine() /usr/local/google/home/glebl/chromium/src/out/asan/../../third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp:231:12
    #5 0x991b81c in blink::LineBoxList::deleteLineBoxTree() /usr/local/google/home/glebl/chromium/src/out/asan/../../third_party/WebKit/Source/core/layout/line/LineBoxList.cpp:69:11
    #6 0x94edd8d in deleteLineBoxTree /usr/local/google/home/glebl/chromium/src/out/asan/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:2510:15
    #7 0x94edd8d in blink::LayoutBlockFlow::removeChild(blink::LayoutObject*) /usr/local/google/home/glebl/chromium/src/out/asan/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:3050:0
    #8 0x97129c4 in remove /usr/local/google/home/glebl/chromium/src/out/asan/../../third_party/WebKit/Source/core/layout/LayoutObject.h:1526:17

Cc: cbiesin...@chromium.org

Comment 2 by kojii@chromium.org, May 16 2017

Blockedon: 721932

Comment 3 by kojii@chromium.org, Jul 17 2017

Status: Fixed (was: Assigned)
NG crashes in AssertLaidOut(), but there is no longer a heap-use-after-free. Probably the following CL fixed this.
https://codereview.chromium.org/2975663002
