Browser frequently crashes when removing webusb device from host
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36

Steps to reproduce the problem:
1. Load a page that requests the user add a webusb device (or multiple)
2. Click the Secure icon to the left of the URL bar to open the permissions popup
3. Click the x next to a webusb device

What is the expected behavior?
The device permission is revoked from the current host

What went wrong?
The browser frequently crashes when I try to do this

Crashed report ID: abcad8b480000000
How much crashed? Whole browser
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: 57.0.2987.110 Channel: n/a
OS Version:
Flash Version:
Apr 3 2017
Users experienced this crash on the following builds:
Linux Beta 58.0.3029.41 - 1.21 CPM, 10 reports, 1 clients (signature views::ColumnSet::CalculateSize)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.
- Go/Fracas
Apr 5 2017
=================================================================
==7692==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000625080 at pc 0x7ff66e7817cd bp 0x7fff6d0362a0 sp 0x7fff6d036298
READ of size 8 at 0x618000625080 thread T0 (chrome)
#0 0x7ff66e7817cc in views::ColumnSet::CalculateSize() /src/chromium/src/out/ASan/../../ui/views/layout/grid_layout.cc:590:32
#1 0x7ff66e7863fb in views::GridLayout::SizeRowsAndColumns(bool, int, int, gfx::Size*) const /src/chromium/src/out/ASan/../../ui/views/layout/grid_layout.cc:840:17
#2 0x7ff66e788fb0 in views::GridLayout::GetPreferredSize(views::View const*) const /src/chromium/src/out/ASan/../../ui/views/layout/grid_layout.cc:810:3
#3 0x7ff66e7a4d91 in views::View::GetPreferredSize() const /src/chromium/src/out/ASan/../../ui/views/view.cc:426:29
#4 0x7ff66e780648 in views::ColumnSet::CalculateSize() /src/chromium/src/out/ASan/../../ui/views/layout/grid_layout.cc:590:32
#5 0x7ff66e7863fb in views::GridLayout::SizeRowsAndColumns(bool, int, int, gfx::Size*) const /src/chromium/src/out/ASan/../../ui/views/layout/grid_layout.cc:840:17
#6 0x7ff66e788fb0 in views::GridLayout::GetPreferredSize(views::View const*) const /src/chromium/src/out/ASan/../../ui/views/layout/grid_layout.cc:810:3
#7 0x7ff66e7a4d91 in views::View::GetPreferredSize() const /src/chromium/src/out/ASan/../../ui/views/view.cc:426:29
#8 0x7ff66e779878 in views::BoxLayout::GetPreferredSize(views::View const*) const /src/chromium/src/out/ASan/../../ui/views/layout/box_layout.cc:173:38
#9 0x7ff66e7a4d91 in views::View::GetPreferredSize() const /src/chromium/src/out/ASan/../../ui/views/view.cc:426:29
#10 0x5572a833ef77 in PageInfoPopupView::GetPreferredSize() const /src/chromium/src/out/ASan/../../chrome/browser/ui/views/page_info/page_info_popup_view.cc:523:36
#11 0x7ff66e7e62ab in views::ClientView::GetPreferredSize() const /src/chromium/src/out/ASan/../../ui/views/window/client_view.cc:51:43
#12 0x7ff66e7efd9e in views::DialogClientView::GetPreferredSize() const /src/chromium/src/out/ASan/../../ui/views/window/dialog_client_view.cc:134:19
#13 0x7ff66e643fa6 in views::BubbleDialogDelegateView::GetBubbleBounds() /src/chromium/src/out/ASan/../../ui/views/bubble/bubble_dialog_delegate.cc:232:52
#14 0x7ff66e640de9 in views::BubbleDialogDelegateView::SizeToContents() /src/chromium/src/out/ASan/../../ui/views/bubble/bubble_dialog_delegate.cc:287:26
#15 0x5572a833f723 in PageInfoPopupView::SetCookieInfo(std::__1::vector<PageInfoUI::CookieInfo, std::__1::allocator<PageInfoUI::CookieInfo> > const&) /src/chromium/src/out/ASan/../../chrome/browser/ui/views/page_info/page_info_popup_view.cc:596:3
#16 0x5572a84b441f in PageInfo::PresentSiteData() /src/chromium/src/out/ASan/../../chrome/browser/ui/page_info/page_info.cc:751:8
#17 0x5572a5763a97 in TabSpecificContentSettings::NotifySiteDataObservers() /src/chromium/src/out/ASan/../../chrome/browser/content_settings/tab_specific_content_settings.cc:841:14
#18 0x5572a576014a in TabSpecificContentSettings::OnCookiesRead(GURL const&, GURL const&, std::__1::vector<net::CanonicalCookie, std::__1::allocator<net::CanonicalCookie> > const&, bool) /src/chromium/src/out/ASan/../../chrome/browser/content_settings/tab_specific_content_settings.cc:409:3
#19 0x7ff67b64eae8 in Run /src/chromium/src/out/ASan/../../base/callback.h:91:12
#20 0x7ff67b64eae8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /src/chromium/src/out/ASan/../../base/debug/task_annotator.cc:59:0
#21 0x7ff67b6c993f in base::MessageLoop::RunTask(base::PendingTask*) /src/chromium/src/out/ASan/../../base/message_loop/message_loop.cc:423:19
#22 0x7ff67b6ca5e5 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) /src/chromium/src/out/ASan/../../base/message_loop/message_loop.cc:434:5
#23 0x7ff67b6cb71a in base::MessageLoop::DoWork() /src/chromium/src/out/ASan/../../base/message_loop/message_loop.cc:527:13
#24 0x7ff67b6d3126 in HandleDispatch /src/chromium/src/out/ASan/../../base/message_loop/message_pump_glib.cc:267:25
#25 0x7ff67b6d3126 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) /src/chromium/src/out/ASan/../../base/message_loop/message_pump_glib.cc:109:0
#26 0x7ff6665efe03 in g_main_context_dispatch ??:0:0
0x618000625080 is located 0 bytes inside of 840-byte region [0x618000625080,0x6180006253c8)
freed by thread T0 (chrome) here:
#0 0x5572a47fb032 in operator delete(void*) ??:0:0
#1 0x5572a84fd31d in ChosenObjectRow::ButtonPressed(views::Button*, ui::Event const&) /src/chromium/src/out/ASan/../../chrome/browser/ui/views/page_info/chosen_object_row.cc:76:3
#2 0x7ff66e65b6cf in views::CustomButton::OnMouseReleased(ui::MouseEvent const&) /src/chromium/src/out/ASan/../../ui/views/controls/button/custom_button.cc:0:5
#3 0x7ff66e61c055 in views::InkDropHostView::OnMouseEvent(ui::MouseEvent*) /src/chromium/src/out/ASan/../../ui/views/animation/ink_drop_host_view.cc:260:9
#4 0x7ff6703d06b0 in DispatchEvent /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:191:12
#5 0x7ff6703d06b0 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:139:0
#6 0x7ff6703d009d in ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:86:14
#7 0x7ff6703cfddf in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:58:15
#8 0x7ff66e7c958c in views::internal::RootView::OnMouseReleased(ui::MouseEvent const&) /src/chromium/src/out/ASan/../../ui/views/widget/root_view.cc:440:9
#9 0x7ff66e7df4b4 in views::Widget::OnMouseEvent(ui::MouseEvent*) /src/chromium/src/out/ASan/../../ui/views/widget/widget.cc:1222:20
#10 0x7ff6703d06b0 in DispatchEvent /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:191:12
#11 0x7ff6703d06b0 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:139:0
#12 0x7ff6703d009d in ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:86:14
#13 0x7ff6703cfddf in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:58:15
#14 0x7ff6703d4aee in ui::EventProcessor::OnEventFromSource(ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_processor.cc:46:15
#15 0x7ff6703d59a5 in DeliverEventToSink /src/chromium/src/out/ASan/../../ui/events/event_source.cc:73:16
#16 0x7ff6703d59a5 in ui::EventSource::SendEventToSink(ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_source.cc:51:0
#17 0x7ff66e868e32 in views::DesktopWindowTreeHostX11::DispatchMouseEvent(ui::MouseEvent*) /src/chromium/src/out/ASan/../../ui/views/widget/desktop_aura/desktop_window_tree_host_x11.cc:1797:24
#18 0x7ff66e86cd33 in views::DesktopWindowTreeHostX11::DispatchEvent(_XEvent* const&) /src/chromium/src/out/ASan/../../ui/views/widget/desktop_aura/desktop_window_tree_host_x11.cc:2134:11
#19 0x7ff66e86dd1f in non-virtual thunk to views::DesktopWindowTreeHostX11::DispatchEvent(_XEvent* const&) /src/chromium/src/out/ASan/../../ui/views/widget/desktop_aura/desktop_window_tree_host_x11.cc:0:0
#20 0x7ff677bdb457 in ui::PlatformEventSource::DispatchEvent(_XEvent*) /src/chromium/src/out/ASan/../../ui/events/platform/platform_event_source.cc:81:29
#21 0x7ff66caeeef6 in ui::X11EventSource::ExtractCookieDataDispatchEvent(_XEvent*) /src/chromium/src/out/ASan/../../ui/events/platform/x11/x11_event_source.cc:240:14
#22 0x7ff66caeed36 in ui::X11EventSource::DispatchXEvents() /src/chromium/src/out/ASan/../../ui/events/platform/x11/x11_event_source.cc:140:5
#23 0x7ff66caf88db in ui::(anonymous namespace)::XSourceDispatch(_GSource*, int (*)(void*), void*) /src/chromium/src/out/ASan/../../ui/events/platform/x11/x11_event_source_glib.cc:41:15
#24 0x7ff6665efce4 in g_main_context_dispatch ??:0:0
previously allocated by thread T0 (chrome) here:
#0 0x5572a47fa432 in operator new(unsigned long) ??:0:0
#1 0x5572a84fc83e in ChosenObjectRow::ChosenObjectRow(std::__1::unique_ptr<PageInfoUI::ChosenObjectInfo, std::__1::default_delete<PageInfoUI::ChosenObjectInfo> >) /src/chromium/src/out/ASan/../../chrome/browser/ui/views/page_info/chosen_object_row.cc:47:20
#2 0x5572a833ff44 in PageInfoPopupView::SetPermissionInfo(std::__1::vector<PageInfoUI::PermissionInfo, std::__1::allocator<PageInfoUI::PermissionInfo> > const&, std::__1::vector<std::__1::unique_ptr<PageInfoUI::ChosenObjectInfo, std::__1::default_delete<PageInfoUI::ChosenObjectInfo> >, std::__1::allocator<std::__1::unique_ptr<PageInfoUI::ChosenObjectInfo, std::__1::default_delete<PageInfoUI::ChosenObjectInfo> > > >) /src/chromium/src/out/ASan/../../chrome/browser/ui/views/page_info/page_info_popup_view.cc:648:29
#3 0x5572a84b3bbb in PageInfo::PresentSitePermissions() /src/chromium/src/out/ASan/../../chrome/browser/ui/page_info/page_info.cc:727:8
#4 0x5572a84accbb in PageInfo::PageInfo(PageInfoUI*, Profile*, TabSpecificContentSettings*, content::WebContents*, GURL const&, security_state::SecurityInfo const&) /src/chromium/src/out/ASan/../../chrome/browser/ui/page_info/page_info.cc:269:3
#5 0x5572a833ddf4 in PageInfoPopupView::PageInfoPopupView(views::View*, aura::Window*, Profile*, content::WebContents*, GURL const&, security_state::SecurityInfo const&) /src/chromium/src/out/ASan/../../chrome/browser/ui/views/page_info/page_info_popup_view.cc:445:24
#6 0x5572a833d5a4 in PageInfoPopupView::ShowPopup(views::View*, gfx::Rect const&, Profile*, content::WebContents*, GURL const&, security_state::SecurityInfo const&) /src/chromium/src/out/ASan/../../chrome/browser/ui/views/page_info/page_info_popup_view.cc:365:34
#7 0x5572a8018f98 in BrowserView::ShowPageInfo(Profile*, content::WebContents*, GURL const&, security_state::SecurityInfo const&) /src/chromium/src/out/ASan/../../chrome/browser/ui/views/frame/browser_view.cc:1294:3
#8 0x5572a7e4df89 in chrome::ShowPageInfo(Browser*, content::WebContents*) /src/chromium/src/out/ASan/../../chrome/browser/ui/browser_commands.cc:911:22
#9 0x5572a8049f8a in LocationIconView::OnActivate(ui::Event const&) /src/chromium/src/out/ASan/../../chrome/browser/ui/views/location_bar/location_icon_view.cc:104:30
#10 0x5572a8049667 in ProcessLocatedEvent /src/chromium/src/out/ASan/../../chrome/browser/ui/views/location_bar/location_icon_view.cc:144:5
#11 0x5572a8049667 in OnClickOrTap /src/chromium/src/out/ASan/../../chrome/browser/ui/views/location_bar/location_icon_view.cc:160:0
#12 0x5572a8049667 in LocationIconView::OnMouseReleased(ui::MouseEvent const&) /src/chromium/src/out/ASan/../../chrome/browser/ui/views/location_bar/location_icon_view.cc:79:0
#13 0x7ff66e61c055 in views::InkDropHostView::OnMouseEvent(ui::MouseEvent*) /src/chromium/src/out/ASan/../../ui/views/animation/ink_drop_host_view.cc:260:9
#14 0x7ff6703d06b0 in DispatchEvent /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:191:12
#15 0x7ff6703d06b0 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:139:0
#16 0x7ff6703d009d in ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:86:14
#17 0x7ff6703cfddf in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:58:15
#18 0x7ff66e7c958c in views::internal::RootView::OnMouseReleased(ui::MouseEvent const&) /src/chromium/src/out/ASan/../../ui/views/widget/root_view.cc:440:9
#19 0x7ff66e7df4b4 in views::Widget::OnMouseEvent(ui::MouseEvent*) /src/chromium/src/out/ASan/../../ui/views/widget/widget.cc:1222:20
#20 0x7ff6703d06b0 in DispatchEvent /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:191:12
#21 0x7ff6703d06b0 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:139:0
#22 0x7ff6703d009d in ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:86:14
#23 0x7ff6703cfddf in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_dispatcher.cc:58:15
#24 0x7ff6703d4aee in ui::EventProcessor::OnEventFromSource(ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_processor.cc:46:15
#25 0x7ff6703d59a5 in DeliverEventToSink /src/chromium/src/out/ASan/../../ui/events/event_source.cc:73:16
#26 0x7ff6703d59a5 in ui::EventSource::SendEventToSink(ui::Event*) /src/chromium/src/out/ASan/../../ui/events/event_source.cc:51:0
#27 0x7ff66e868e32 in views::DesktopWindowTreeHostX11::DispatchMouseEvent(ui::MouseEvent*) /src/chromium/src/out/ASan/../../ui/views/widget/desktop_aura/desktop_window_tree_host_x11.cc:1797:24
#28 0x7ff66e86cd33 in views::DesktopWindowTreeHostX11::DispatchEvent(_XEvent* const&) /src/chromium/src/out/ASan/../../ui/views/widget/desktop_aura/desktop_window_tree_host_x11.cc:2134:11
#29 0x7ff66e86dd1f in non-virtual thunk to views::DesktopWindowTreeHostX11::DispatchEvent(_XEvent* const&) /src/chromium/src/out/ASan/../../ui/views/widget/desktop_aura/desktop_window_tree_host_x11.cc:0:0
#30 0x7ff677bdb457 in ui::PlatformEventSource::DispatchEvent(_XEvent*) /src/chromium/src/out/ASan/../../ui/events/platform/platform_event_source.cc:81:29
#31 0x7ff66caeeef6 in ui::X11EventSource::ExtractCookieDataDispatchEvent(_XEvent*) /src/chromium/src/out/ASan/../../ui/events/platform/x11/x11_event_source.cc:240:14
#32 0x7ff66caeed36 in ui::X11EventSource::DispatchXEvents() /src/chromium/src/out/ASan/../../ui/events/platform/x11/x11_event_source.cc:140:5
#33 0x7ff66caf88db in ui::(anonymous namespace)::XSourceDispatch(_GSource*, int (*)(void*), void*) /src/chromium/src/out/ASan/../../ui/events/platform/x11/x11_event_source_glib.cc:41:15
#34 0x7ff6665efce4 in g_main_context_dispatch ??:0:0
SUMMARY: AddressSanitizer: heap-use-after-free (/src/chromium/src/out/ASan/./libviews.so+0x31b7cc)
==7692==ABORTING
Apr 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d74f628bb38bb54be59013dc01b13d7abb7b3423

commit d74f628bb38bb54be59013dc01b13d7abb7b3423
Author: reillyg <reillyg@chromium.org>
Date: Thu Apr 06 00:39:30 2017

Fix a crash after removing button from site settings popup

When the "x" button next to a USB device permission is clicked the permission is revoked and the button should disappear. Instead of trying to remove the button from the Views hierarchy (which GridLayout doesn't seem to notice, causing a crash) this patch just removes visibility from the button.

BUG= 707423
Review-Url: https://codereview.chromium.org/2804883002
Cr-Commit-Position: refs/heads/master@{#462296}

[modify] https://crrev.com/d74f628bb38bb54be59013dc01b13d7abb7b3423/chrome/browser/ui/views/page_info/chosen_object_row.cc
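The bug class that the ASan report and the commit message describe, as an added C++ model (not Chromium code; `View`, `ToyLayout`, `RevokeAndRelayout` and the live-object set are hypothetical names): a layout caches raw child pointers, so deleting a child inside its own click handler leaves a dangling entry for the next layout pass, while hiding the child keeps every cached pointer valid. The model counts dangling entries instead of dereferencing them, so it runs without undefined reads.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>

// Toy stand-ins (hypothetical); not Chromium's views classes.
struct View;
static std::set<const View*> g_live;  // Addresses of currently allocated views.

struct View {
  int width;
  bool visible = true;
  explicit View(int w) : width(w) { g_live.insert(this); }
  ~View() { g_live.erase(this); }
};

// Like a grid layout, this caches raw child pointers and is never told
// when a child is destroyed.
class ToyLayout {
 public:
  void AddView(View* v) { cells_.push_back(v); }

  // Number of cached pointers whose target has been freed. Real code has
  // no such oracle; each of these would be a heap-use-after-free read.
  int DanglingCells() const {
    return static_cast<int>(std::count_if(
        cells_.begin(), cells_.end(),
        [](const View* v) { return g_live.count(v) == 0; }));
  }

  // Sums widths of visible children; freed children are skipped, not read.
  int PreferredWidth() const {
    int total = 0;
    for (const View* v : cells_)
      if (g_live.count(v) && v->visible) total += v->width;
    return total;
  }

 private:
  std::vector<View*> cells_;
};

struct Result { int dangling; int width; };

// hide == false: delete the button from its own click handler (the crash).
// hide == true:  keep the object alive and only hide it (the fix's approach).
Result RevokeAndRelayout(bool hide) {
  ToyLayout layout;
  auto label = std::make_unique<View>(120);
  auto remove_button = std::make_unique<View>(16);
  layout.AddView(label.get());
  layout.AddView(remove_button.get());

  if (hide) remove_button->visible = false;
  else remove_button.reset();  // Freed; the layout still holds the address.

  return {layout.DanglingCells(), layout.PreferredWidth()};
}
```

Both paths produce the same visible width, but only the hide path leaves the layout with no pointer into freed memory.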
Apr 7 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8058517532b691bcf51b677007749882403b2e7b

commit 8058517532b691bcf51b677007749882403b2e7b
Author: Reilly Grant <reillyg@chromium.org>
Date: Fri Apr 07 01:07:31 2017

Fix a crash after removing button from site settings popup

When the "x" button next to a USB device permission is clicked the permission is revoked and the button should disappear. Instead of trying to remove the button from the Views hierarchy (which GridLayout doesn't seem to notice, causing a crash) this patch just removes visibility from the button.

BUG= 707423
Review-Url: https://codereview.chromium.org/2804883002
Cr-Commit-Position: refs/heads/master@{#462296}
(cherry picked from commit d74f628bb38bb54be59013dc01b13d7abb7b3423)

Review-Url: https://codereview.chromium.org/2804153002 .
Cr-Commit-Position: refs/branch-heads/3029@{#620}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/8058517532b691bcf51b677007749882403b2e7b/chrome/browser/ui/views/website_settings/chosen_object_row.cc
Comment 1 by durga.behera@chromium.org, Apr 3 2017
Labels: -Type-Bug M-58 Type-Bug-Regression
Owner: vmp...@chromium.org
Status: Assigned (was: Unconfirmed)