Security: Crash in blink::ThreadHeap::isHeapObjectAlive
Reported by chromium...@gmail.com, Apr 7 2017
Issue description
Chrome Version: 59.0.3064.0 (Official Build) canary (64-bit) (cohort: 64-Bit)
Operating System: Windows 7

REPRODUCTION CASE
This crash occurred when I visited gmail.com.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: Render

WinDBG output:
rax=000007fef122aff0 rbx=0000035bdf80ab68 rcx=00000000002ce3d0
rdx=0000000007aeea90 rsi=0000000001067b70 rdi=000004ccfbda6ca0
rip=000007feedccd0ec rsp=00000000002ce400 rbp=00000000002ce5c9
 r8=00000353b0c20060  r9=002eab20d37dfd9b r10=002eab20d171eab2
r11=00000000002ce510 r12=0000000000000001 r13=000000000106bb28
r14=0000000000000001 r15=000000000085cf20
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010206
chrome_child!blink::ThreadHeap::isHeapObjectAlive<blink::LocalDOMWindow>+0x18:
000007fe`edccd0ec 8a43fc          mov     al,byte ptr [rbx-4] ds:0000035b`df80ab64=??
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`002ce400 000007fe`edcce51b chrome_child!blink::ThreadHeap::isHeapObjectAlive<blink::LocalDOMWindow>+0x18 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\heap.h @ 253]
00000000`002ce430 000007fe`edccd591 chrome_child!blink::MemoryCacheEntry::clearResourceWeak+0x1b [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\loader\fetch\memorycache.cpp @ 70]
00000000`002ce460 000007fe`edccd473 chrome_child!blink::ThreadHeap::popAndInvokeWeakCallback+0x35 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\heap.cpp @ 258]
00000000`002ce490 000007fe`edccdb3b chrome_child!blink::ThreadHeap::weakProcessing+0x57 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\heap.cpp @ 359]
00000000`002ce520 000007fe`edcd3d9e chrome_child!blink::ThreadState::collectGarbage+0x167 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\threadstate.cpp @ 1497]
00000000`002ce630 000007fe`edca9e31 chrome_child!blink::GCTaskObserver::didProcessTask+0x6e [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\heap\gctaskrunner.h @ 68]
00000000`002ce660 000007fe`edca41a3 chrome_child!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x385 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 557]
00000000`002ce910 000007fe`edca2f5a chrome_child!blink::scheduler::TaskQueueManager::DoWork+0x123 [c:\b\build\slave\win64-pgo\build\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 337]
00000000`002cea80 000007fe`edcaba96 chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool) __ptr64,base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void __cdecl(void)>::Run+0x4a [c:\b\build\slave\win64-pgo\build\src\base\bind_internal.h @ 343]
00000000`002ceac0 000007fe`edca98df chrome_child!base::debug::TaskAnnotator::RunTask+0x276 [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 59]
00000000`002cecc0 000007fe`edcab59c chrome_child!base::MessageLoop::RunTask+0xbf [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 424]
00000000`002cede0 000007fe`edcaa601 chrome_child!base::MessageLoop::DoWork+0x20c [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 527]
00000000`002cefe0 000007fe`edf75982 chrome_child!base::MessagePumpDefault::Run+0x21 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_pump_default.cc @ 34]
00000000`002cf080 000007fe`ee05980d chrome_child!base::RunLoop::Run+0xb2 [c:\b\build\slave\win64-pgo\build\src\base\run_loop.cc @ 38]
00000000`002cf130 000007fe`ee1ae792 chrome_child!content::RendererMain+0x1bd [c:\b\build\slave\win64-pgo\build\src\content\renderer\renderer_main.cc @ 200]
00000000`002cf250 000007fe`ee1ae863 chrome_child!content::RunNamedProcessTypeMain+0xb6 [c:\b\build\slave\win64-pgo\build\src\content\app\content_main_runner.cc @ 454]
00000000`002cf3a0 000007fe`ee1af78f chrome_child!content::ContentMainRunnerImpl::Run+0xb3 [c:\b\build\slave\win64-pgo\build\src\content\app\content_main_runner.cc @ 729]
00000000`002cf430 000007fe`ee1af512 chrome_child!service_manager::Main+0xa3 [c:\b\build\slave\win64-pgo\build\src\services\service_manager\embedder\main.cc @ 179]
00000000`002cf4a0 00000001`3f307511 chrome_child!ChromeMain+0x122 [c:\b\build\slave\win64-pgo\build\src\chrome\app\chrome_main.cc @ 123]
00000000`002cf570 00000001`3f3025db chrome!MainDllLoader::Launch+0x399 [c:\b\build\slave\win64-pgo\build\src\chrome\app\main_dll_loader_win.cc @ 204]
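The faulting instruction in the WinDBG output above, `mov al,byte ptr [rbx-4]` with the target shown as `??`, is a one-byte read just below the object pointer held in rbx, inside the liveness check that `MemoryCacheEntry::clearResourceWeak` performs while the collector runs its weak callbacks; the address was not mapped, so the weak reference being processed pointed at memory the heap no longer owned. What follows is an added example (the editor's illustration, not Chromium or Oilpan code) that models that shape in a toy heap: a 4-byte header in front of each object with the mark byte at [object - 4], weak cells cleared between marking and sweeping, and a page-ownership guard before the header read, which turns the fault into a countable dangling-cell report. The header layout, the one-object-per-page allocator and all names (`toyheap`, `Heap`, `WeakCell`, `runScenario`) are assumptions for the example.

```cpp
// Added example (editor's illustration, not Chromium/Oilpan code). A toy
// tracing heap modelling the shape of the crash: every object is preceded by
// a 4-byte header whose mark byte the liveness check reads at [object - 4],
// and weak callbacks run after marking and before sweeping. Names hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

namespace toyheap {

struct Header { uint8_t mark; uint8_t padding[3]; };   // assumed layout
static_assert(sizeof(Header) == 4, "header is modelled as 4 bytes");

struct Page { std::unique_ptr<uint8_t[]> bytes; size_t size; };  // one object per page

// Weak reference: does not keep its target alive; cleared once the target is dead.
struct WeakCell { void* target = nullptr; };

struct WeakResult {
    size_t cleared = 0;   // targets found unmarked and cleared normally
    size_t dangling = 0;  // targets outside any owned page (would have faulted)
};

struct Heap {
    std::vector<Page> pages;
    std::vector<WeakCell*> weak_cells;

    void* allocate(size_t payload) {
        size_t total = sizeof(Header) + payload;
        pages.push_back(Page{std::make_unique<uint8_t[]>(total), total});
        return pages.back().bytes.get() + sizeof(Header);
    }
    static Header* headerOf(void* obj) {
        return reinterpret_cast<Header*>(static_cast<uint8_t*>(obj) - sizeof(Header));
    }
    // True when obj lies inside a page this heap still owns.
    bool contains(const void* obj) const {
        auto p = reinterpret_cast<uintptr_t>(obj);
        for (const Page& pg : pages) {
            auto base = reinterpret_cast<uintptr_t>(pg.bytes.get());
            if (p >= base + sizeof(Header) && p < base + pg.size) return true;
        }
        return false;
    }
    // The check from the stack trace: a one-byte read at [obj - 4].
    // Only safe while obj is still backed by an owned page.
    bool isHeapObjectAlive(void* obj) const { return headerOf(obj)->mark != 0; }
    void mark(void* obj) { headerOf(obj)->mark = 1; }

    // Runs between marking and sweeping. The contains() guard is the added
    // check: without it a stale cell produces the [rbx-4] read into
    // unmapped memory shown in the report.
    WeakResult weakProcessing() {
        WeakResult r;
        for (WeakCell* cell : weak_cells) {
            if (!cell->target) continue;
            if (!contains(cell->target)) { cell->target = nullptr; ++r.dangling; continue; }
            if (!isHeapObjectAlive(cell->target)) { cell->target = nullptr; ++r.cleared; }
        }
        return r;
    }
    // Release unmarked pages, reset marks on survivors.
    void sweep() {
        auto dead = [](const Page& pg) {
            return reinterpret_cast<const Header*>(pg.bytes.get())->mark == 0;
        };
        pages.erase(std::remove_if(pages.begin(), pages.end(), dead), pages.end());
        for (Page& pg : pages) reinterpret_cast<Header*>(pg.bytes.get())->mark = 0;
    }
};

struct ScenarioResult {
    size_t clearedFirstCycle, pagesAfterFirstSweep, danglingSecondCycle;
    bool survivorStillReferenced;
};

// Two GC cycles: a normal one, then one where a weak cell was left pointing
// at a page the first sweep already released.
ScenarioResult runScenario() {
    Heap heap;
    void* a = heap.allocate(16);
    void* b = heap.allocate(16);
    WeakCell wa, wb;
    wa.target = a;
    wb.target = b;
    heap.weak_cells = {&wa, &wb};

    heap.mark(a);                              // only A is reachable from roots
    WeakResult first = heap.weakProcessing();  // wb is cleared, wa survives
    heap.sweep();                              // B's page is released
    size_t pagesAfterFirst = heap.pages.size();

    WeakCell stale;                            // a cell nobody cleared, still holding b
    stale.target = b;
    heap.weak_cells.push_back(&stale);
    heap.mark(a);
    WeakResult second = heap.weakProcessing(); // guard reports the stale cell
    heap.sweep();
    return {first.cleared, pagesAfterFirst, second.dangling, wa.target == a};
}

}  // namespace toyheap
```

Compile with any C++14 compiler and call `toyheap::runScenario()`: the first cycle clears one weak cell normally, and in the second cycle the guard reports one dangling cell instead of reading a header through a released page. In a real collector such a guard belongs in a debug check on the weak callback's target; it makes the fault diagnosable but does not remove the underlying defect, which is whatever left a weak reference pointing at freed memory.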
Apr 7 2017
Apr 7 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 11 2017
+ more people. Please take a look at this asap, thanks.
Apr 11 2017
Why is this a release-block bug? There is only one crash report in #0. I cannot find any other crash report: https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3AThreadHeap%3A%3AisHeapObjectAlive%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D
Apr 11 2017
SheriffBot automatically applies a ReleaseBlock label on bugs with a high enough impact. Since there are no other repros as yet, I'm going to remove RBB and drop the severity.
Apr 11 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 18 2017
Any updates on this bug? thanks.
Apr 20 2017
Apr 20 2017
chromium.khalil@ - do you have any reproduction steps or other conditions that you suspect caused the crash? Visiting gmail.com is a rather common occurrence :-)
Apr 20 2017
Sorry, I don't have any reproduction steps; this was only a random crash.
Apr 21 2017
keishi: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2017
A friendly reminder that M59 Beta launch is coming soon! Your bug is labelled as Release Block Beta. All fixes need to be merged into the release branch (3071) latest by tomorrow, 04/26 4:00 PM PT in order to make it into the desktop Beta final build cut. Thank you!
Apr 25 2017
May 2 2017
I've merged this fix (https://codereview.chromium.org/2857603002/) into M59. This will fix a bunch of crashes and I think this will be one of them.
May 4 2017
This seems to be fixed.
May 5 2017
Can't verify due to c#12, closing.
May 6 2017
May 15 2017
Jun 9 2017
Jun 9 2017
This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 13 2017
The fix was committed on 5/2, three weeks before the M60 branch, so a merge isn't necessary. I'm not sure why SheriffBot flagged it. Removing the label.
Aug 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Apr 7 2017
Labels: Security_Severity-High Security_Impact-Head OS-Windows Pri-1
Owner: keishi@chromium.org
Status: Assigned (was: Unconfirmed)