heap-use-after-free : views::MenuController::OpenMenuImpl
Issue description

This crash: go/crash/e670df9640000000 has been reported by the last SyzyASAN Canary (59.0.3067.1).

Bad access information:
Error Type : heap-use-after-free
Location : 0x37d00448
Access Mode : write
Access Size : 1
User Size : 432

Magic Stack:
============
Thread 0 CRASHED [EXCEPTION_BOUNDS_EXCEEDED @ 0x120455d6] MAGIC SIGNATURE THREAD
Stack Quality: 97%
0x120455d6 (chrome.dll - menu_controller.cc:1840) views::MenuController::OpenMenuImpl(views::MenuItemView *,bool)
0x1204533a (chrome.dll - menu_controller.cc:1804) views::MenuController::OpenMenu(views::MenuItemView *)
0x12041f80 (chrome.dll - menu_controller.cc:1768) views::MenuController::CommitPendingSelection()
0x120468e4 (chrome.dll - menu_controller.cc:1175) views::MenuController::SetSelection(views::MenuItemView *,int)
0x12045df5 (chrome.dll - menu_controller.cc:478) views::MenuController::Run(views::Widget *,views::MenuButton *,views::MenuItemView *,gfx::Rect const &,views::MenuAnchorPosition,bool,bool,int *)
0x12058fef (chrome.dll - menu_runner_impl.cc:132) views::internal::MenuRunnerImpl::RunMenuAt(views::Widget *,views::MenuButton *,gfx::Rect const &,views::MenuAnchorPosition,int)
0x120286b9 (chrome.dll - menu_runner.cc:71) views::MenuRunner::RunMenuAt(views::Widget *,views::MenuButton *,gfx::Rect const &,views::MenuAnchorPosition,ui::MenuSourceType)
0x12032665 (chrome.dll - textfield.cc:1055) views::Textfield::ShowContextMenuForView(views::View *,gfx::Point const &,ui::MenuSourceType)
0x11ffc73c (chrome.dll - view.cc:1345) views::View::ShowContextMenu(gfx::Point const &,ui::MenuSourceType)
0x11ffaf84 (chrome.dll - view.cc:2462) views::View::ProcessMouseReleased(ui::MouseEvent const &)
0x11ffa21f (chrome.dll - view.cc:1104) views::View::OnMouseEvent(ui::MouseEvent *)
0x113efce5 (chrome.dll - event_handler.cc:27) ui::EventHandler::OnEvent(ui::Event *)
0x113f01bf (chrome.dll - event_dispatcher.cc:191) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x113f0707 (chrome.dll - event_dispatcher.cc:139) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x113f04e3 (chrome.dll - event_dispatcher.cc:86) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x113f029f (chrome.dll - event_dispatcher.cc:58) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x1203890f (chrome.dll - root_view.cc:440) views::internal::RootView::OnMouseReleased(ui::MouseEvent const &)
0x1000ffff (chrome.dll - xtree:883) std::_Tree_comp_alloc<std::_Tmap_traits<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,base::debug::GlobalActivityTracker::ModuleInfoRecord *,std::less<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const >,std::allocator<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> > const ,base::debug::GlobalActivityTracker::ModuleInfoRecord *> >,0> >::_Buynode<std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::debug::GlobalActivityTracker::ModuleInfoRecord *> >(std::pair<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::debug::GlobalActivityTracker::ModuleInfoRecord *> &&)
0x11ff0313 (chrome.dll - widget.cc:1222) views::Widget::OnMouseEvent(ui::MouseEvent *)
0x113efce5 (chrome.dll - event_handler.cc:27) ui::EventHandler::OnEvent(ui::Event *)
0x113f01bf (chrome.dll - event_dispatcher.cc:191) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x113f0707 (chrome.dll - event_dispatcher.cc:139) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x113f04e3 (chrome.dll - event_dispatcher.cc:86) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x113f029f (chrome.dll - event_dispatcher.cc:58) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x120f7dcc (chrome.dll - event_processor.cc:46) ui::EventProcessor::OnEventFromSource(ui::Event *)
0x120f79d7 (chrome.dll - event_source.cc:73) ui::EventSource::DeliverEventToSink(ui::Event *)
0x120f7a77 (chrome.dll - event_source.cc:51) ui::EventSource::SendEventToSink(ui::Event *)
0x12049542 (chrome.dll - desktop_window_tree_host_win.cc:835) views::DesktopWindowTreeHostWin::HandleScrollEvent(ui::ScrollEvent const &)
0x12063484 (chrome.dll - hwnd_message_handler.cc:2669) views::HWNDMessageHandler::HandleMouseEventInternal(unsigned int,unsigned int,long,bool)
0x12068d0b (chrome.dll - hwnd_message_handler.h:338) views::HWNDMessageHandler::_ProcessWindowMessage(HWND__ *,unsigned int,unsigned int,long,long &,unsigned long)
0x120677b9 (chrome.dll - hwnd_message_handler.cc:915) views::HWNDMessageHandler::OnWndProc(unsigned int,unsigned int,long)
0x11326dc2 (chrome.dll - window_impl.cc:303) gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)
0x11326551 (chrome.dll - wrapped_window_proc.h:76) base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)>(HWND__ *,unsigned int,unsigned int,long)
0x74d2d2b2 (USER32.dll + 0x0002d2b2) _InternalCallWinProc
0x74d0e889 (USER32.dll + 0x0000e889) UserCallWinProcCheckWow
0x74d0e1e3 (USER32.dll + 0x0000e1e3) DispatchMessageWorker
0x74d0df9f (USER32.dll + 0x0000df9f) DispatchMessageW
0x100787da (chrome.dll - message_pump_win.cc:363) base::MessagePumpForUI::ProcessMessageHelper(tagMSG const &)
0x100780a5 (chrome.dll - message_pump_win.cc:169) base::MessagePumpForUI::DoRunLoop()
0x10077a8b (chrome.dll - message_pump_win.cc:56) base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x10043d1a (chrome.dll - run_loop.cc:37) base::RunLoop::Run()
0x10ea1c17 (chrome.dll - chrome_browser_main.cc:1970) ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x109454a7 (chrome.dll - browser_main_loop.cc:1174) content::BrowserMainLoop::RunMainMessageLoopParts()
0x109468a0 (chrome.dll - browser_main_runner.cc:140) content::BrowserMainRunnerImpl::Run()
0x109410a5 (chrome.dll - browser_main.cc:46) content::BrowserMain(content::MainFunctionParams const &)
0x10e5036c (chrome.dll - content_main_runner.cc:437) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x10e502b6 (chrome.dll - content_main_runner.cc:729) content::ContentMainRunnerImpl::Run()
0x1155cde4 (chrome.dll - main.cc:179) service_manager::Main(service_manager::MainParams const &)
0x10e4fa9c (chrome.dll - content_main.cc:19) content::ContentMain(content::ContentMainParams const &)
0x1065adaf (chrome.dll - chrome_main.cc:123) ChromeMain
0x010f5025 (chrome.exe - main_dll_loader_win.cc:202) MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x010f4547 (chrome.exe - chrome_exe_main_win.cc:271) wWinMain
0x01116b27 (chrome.exe - exe_common.inl:253) __scrt_common_main_seh
0x772b62c3 (KERNEL32.dll + 0x000162c3) BaseThreadInitThunk
0x773e0fd8 (ntdll.dll + 0x00060fd8) __RtlUserThreadStart
0x773e0fa3 (ntdll.dll + 0x00060fa3) _RtlUserThreadStart

ASAN Free Stack Trace (TID: 23692)
Stack Quality: Unknown
0x5130b7fb (syzyasan_rtl.dll - block_heap_manager.cc:315) agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x5130421d (syzyasan_rtl.dll - rtl_impl.cc:124) asan_HeapFree
0x100604e6 (chrome.dll - allocator_shim_default_dispatch_to_winheap.cc:55) `anonymous namespace'::DefaultWinHeapFreeImpl
0x0ff9ff90 (chrome.dll - allocator_shim_override_ucrt_symbols_win.h:55) free
0x12040d67 (chrome.dll + 0x02170d67) views::MenuController::`scalar deleting destructor'(unsigned int)
0x12058b50 (chrome.dll - menu_runner_impl.cc:160) views::internal::MenuRunnerImpl::OnMenuClosed(views::internal::MenuControllerDelegate::NotifyType,views::MenuItemView *,int)
0x120422fc (chrome.dll - menu_controller.cc:2573) views::MenuController::ExitMenu()
0x12041b8b (chrome.dll - menu_controller.cc:546) views::MenuController::Cancel(views::MenuController::ExitType)
0x120608b8 (chrome.dll - menu_pre_target_handler.cc:44) views::MenuPreTargetHandler::OnWindowActivated(aura::client::ActivationChangeObserver::ActivationReason,aura::Window *,aura::Window *)
0x121a8d21 (chrome.dll - focus_controller.cc:212) wm::FocusController::FocusAndActivateWindow(aura::client::ActivationChangeObserver::ActivationReason,aura::Window *)
0x121a8d68 (chrome.dll - focus_controller.cc:108) wm::FocusController::FocusWindow(aura::Window *)
0x121a8c40 (chrome.dll - focus_controller.cc:72) wm::FocusController::DeactivateWindow(aura::Window *)
0x11ff3d35 (chrome.dll - desktop_native_widget_aura.cc:387) views::DesktopNativeWidgetAura::HandleActivationChanged(bool)
0x1204907c (chrome.dll - desktop_window_tree_host_win.cc:732) views::DesktopWindowTreeHostWin::HandleActivationChanged(bool)
0x12067a08 (chrome.dll - hwnd_message_handler.cc:1055) views::HWNDMessageHandler::PostProcessActivateMessage(int,bool,HWND__ *)
0x120678b6 (chrome.dll - hwnd_message_handler.cc:939) views::HWNDMessageHandler::OnWndProc(unsigned int,unsigned int,long)
0x11326dc3 (chrome.dll - window_impl.cc:303) gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)
0x11326552 (chrome.dll - wrapped_window_proc.h:76) base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)>(HWND__ *,unsigned int,unsigned int,long)
0x74d2d2b3 (USER32.dll + 0x0002d2b3) _InternalCallWinProc
0x74d0e88a (USER32.dll + 0x0000e88a) UserCallWinProcCheckWow
0x74d0e4c0 (USER32.dll + 0x0000e4c0) DispatchClientMessage
0x74d18b09 (USER32.dll + 0x00018b09) __fnDWORD
0x773f08c6 (ntdll.dll + 0x000708c6) KiUserCallbackDispatcher
0x113269eb (chrome.dll - window_impl.cc:212) gfx::WindowImpl::Init(HWND__ *,gfx::Rect const &)
0x12063e20 (chrome.dll - hwnd_message_handler.cc:369) views::HWNDMessageHandler::Init(HWND__ *,gfx::Rect const &)
0x12049cb5 (chrome.dll - desktop_window_tree_host_win.cc:133) views::DesktopWindowTreeHostWin::Init(aura::Window *,views::Widget::InitParams const &)
0x11ff40c7 (chrome.dll - desktop_native_widget_aura.cc:436) views::DesktopNativeWidgetAura::InitNativeWidget(views::Widget::InitParams const &)
0x11fefaac (chrome.dll - widget.cc:338) views::Widget::Init(views::Widget::InitParams const &)
0x1205f0b9 (chrome.dll - menu_host.cc:126) views::MenuHost::InitMenuHost(views::Widget *,gfx::Rect const &,views::View *,bool)
0x120400d6 (chrome.dll - submenu_view.cc:383) views::SubmenuView::ShowAt(views::Widget *,gfx::Rect const &,bool)
0x12045551 (chrome.dll - menu_controller.cc:1834) views::MenuController::OpenMenuImpl(views::MenuItemView *,bool)
0x1204533b (chrome.dll - menu_controller.cc:1805) views::MenuController::OpenMenu(views::MenuItemView *)
0x12041f81 (chrome.dll - menu_controller.cc:1769) views::MenuController::CommitPendingSelection()
0x120468e5 (chrome.dll - menu_controller.cc:1175) views::MenuController::SetSelection(views::MenuItemView *,int)
0x12045df6 (chrome.dll - menu_controller.cc:480) views::MenuController::Run(views::Widget *,views::MenuButton *,views::MenuItemView *,gfx::Rect const &,views::MenuAnchorPosition,bool,bool,int *)
0x12058ff0 (chrome.dll - menu_runner_impl.cc:132) views::internal::MenuRunnerImpl::RunMenuAt(views::Widget *,views::MenuButton *,gfx::Rect const &,views::MenuAnchorPosition,int)
0x120286ba (chrome.dll - menu_runner.cc:71) views::MenuRunner::RunMenuAt(views::Widget *,views::MenuButton *,gfx::Rect const &,views::MenuAnchorPosition,ui::MenuSourceType)
0x12032666 (chrome.dll - textfield.cc:1055) views::Textfield::ShowContextMenuForView(views::View *,gfx::Point const &,ui::MenuSourceType)
0x11ffc73d (chrome.dll - view.cc:1346) views::View::ShowContextMenu(gfx::Point const &,ui::MenuSourceType)
0x11ffaf85 (chrome.dll - view.cc:2464) views::View::ProcessMouseReleased(ui::MouseEvent const &)
0x11ffa220 (chrome.dll - view.cc:1105) views::View::OnMouseEvent(ui::MouseEvent *)
0x113efce6 (chrome.dll - event_handler.cc:27) ui::EventHandler::OnEvent(ui::Event *)
0x113f01c0 (chrome.dll - event_dispatcher.cc:192) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x113f0708 (chrome.dll - event_dispatcher.cc:140) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x113f04e4 (chrome.dll - event_dispatcher.cc:87) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x113f02a0 (chrome.dll - event_dispatcher.cc:58) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x12038910 (chrome.dll - root_view.cc:440) views::internal::RootView::OnMouseReleased(ui::MouseEvent const &)
0x11ff0314 (chrome.dll - widget.cc:1223) views::Widget::OnMouseEvent(ui::MouseEvent *)
0x113efce6 (chrome.dll - event_handler.cc:27) ui::EventHandler::OnEvent(ui::Event *)
0x113f01c0 (chrome.dll - event_dispatcher.cc:192) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x113f0708 (chrome.dll - event_dispatcher.cc:140) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x113f04e4 (chrome.dll - event_dispatcher.cc:87) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x113f02a0 (chrome.dll - event_dispatcher.cc:58) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x120f7dcd (chrome.dll - event_processor.cc:46) ui::EventProcessor::OnEventFromSource(ui::Event *)
0x120f79d8 (chrome.dll - event_source.cc:73) ui::EventSource::DeliverEventToSink(ui::Event *)
0x120f7a78 (chrome.dll - event_source.cc:52) ui::EventSource::SendEventToSink(ui::Event *)
0x12049543 (chrome.dll - desktop_window_tree_host_win.cc:835) views::DesktopWindowTreeHostWin::HandleScrollEvent(ui::ScrollEvent const &)
0x12063485 (chrome.dll - hwnd_message_handler.cc:2671) views::HWNDMessageHandler::HandleMouseEventInternal(unsigned int,unsigned int,long,bool)
0x12068d0c (chrome.dll - hwnd_message_handler.h:338) views::HWNDMessageHandler::_ProcessWindowMessage(HWND__ *,unsigned int,unsigned int,long,long &,unsigned long)
0x120677ba (chrome.dll - hwnd_message_handler.cc:916) views::HWNDMessageHandler::OnWndProc(unsigned int,unsigned int,long)
0x11326dc3 (chrome.dll - window_impl.cc:303) gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)
0x11326552 (chrome.dll - wrapped_window_proc.h:76) base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)>(HWND__ *,unsigned int,unsigned int,long)

ASAN Allocation Stack Trace (TID: 23692)
Stack Quality: Unknown
0x5130b539 (syzyasan_rtl.dll - block_heap_manager.cc:211) agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x51304173 (syzyasan_rtl.dll - rtl_impl.cc:103) asan_HeapAlloc
0x10060415 (chrome.dll - allocator_shim_default_dispatch_to_winheap.cc:18) `anonymous namespace'::DefaultWinHeapMallocImpl
0x0ff9ff43 (chrome.dll - allocator_shim_override_ucrt_symbols_win.h:51) malloc
0x11f8761e (chrome.dll - new_scalar.cpp:19) operator new(unsigned int)
0x12058e85 (chrome.dll - menu_runner_impl.cc:121) views::internal::MenuRunnerImpl::RunMenuAt(views::Widget *,views::MenuButton *,gfx::Rect const &,views::MenuAnchorPosition,int)
0x120286ba (chrome.dll - menu_runner.cc:71) views::MenuRunner::RunMenuAt(views::Widget *,views::MenuButton *,gfx::Rect const &,views::MenuAnchorPosition,ui::MenuSourceType)
0x12032666 (chrome.dll - textfield.cc:1055) views::Textfield::ShowContextMenuForView(views::View *,gfx::Point const &,ui::MenuSourceType)
0x11ffc73d (chrome.dll - view.cc:1346) views::View::ShowContextMenu(gfx::Point const &,ui::MenuSourceType)
0x11ffaf85 (chrome.dll - view.cc:2464) views::View::ProcessMouseReleased(ui::MouseEvent const &)
0x11ffa220 (chrome.dll - view.cc:1105) views::View::OnMouseEvent(ui::MouseEvent *)
0x113efce6 (chrome.dll - event_handler.cc:27) ui::EventHandler::OnEvent(ui::Event *)
0x113f01c0 (chrome.dll - event_dispatcher.cc:192) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x113f0708 (chrome.dll - event_dispatcher.cc:140) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x113f04e4 (chrome.dll - event_dispatcher.cc:87) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x113f02a0 (chrome.dll - event_dispatcher.cc:58) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x12038910 (chrome.dll - root_view.cc:440) views::internal::RootView::OnMouseReleased(ui::MouseEvent const &)
0x11ff0314 (chrome.dll - widget.cc:1223) views::Widget::OnMouseEvent(ui::MouseEvent *)
0x113efce6 (chrome.dll - event_handler.cc:27) ui::EventHandler::OnEvent(ui::Event *)
0x113f01c0 (chrome.dll - event_dispatcher.cc:192) ui::EventDispatcher::DispatchEvent(ui::EventHandler *,ui::Event *)
0x113f0708 (chrome.dll - event_dispatcher.cc:140) ui::EventDispatcher::ProcessEvent(ui::EventTarget *,ui::Event *)
0x113f04e4 (chrome.dll - event_dispatcher.cc:87) ui::EventDispatcherDelegate::DispatchEventToTarget(ui::EventTarget *,ui::Event *)
0x113f02a0 (chrome.dll - event_dispatcher.cc:58) ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget *,ui::Event *)
0x120f7dcd (chrome.dll - event_processor.cc:46) ui::EventProcessor::OnEventFromSource(ui::Event *)
0x120f79d8 (chrome.dll - event_source.cc:73) ui::EventSource::DeliverEventToSink(ui::Event *)
0x120f7a78 (chrome.dll - event_source.cc:52) ui::EventSource::SendEventToSink(ui::Event *)
0x12049543 (chrome.dll - desktop_window_tree_host_win.cc:835) views::DesktopWindowTreeHostWin::HandleScrollEvent(ui::ScrollEvent const &)
0x12063485 (chrome.dll - hwnd_message_handler.cc:2671) views::HWNDMessageHandler::HandleMouseEventInternal(unsigned int,unsigned int,long,bool)
0x12068d0c (chrome.dll - hwnd_message_handler.h:338) views::HWNDMessageHandler::_ProcessWindowMessage(HWND__ *,unsigned int,unsigned int,long,long &,unsigned long)
0x120677ba (chrome.dll - hwnd_message_handler.cc:916) views::HWNDMessageHandler::OnWndProc(unsigned int,unsigned int,long)
0x11326dc3 (chrome.dll - window_impl.cc:303) gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)
0x11326552 (chrome.dll - wrapped_window_proc.h:76) base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc(HWND__ *,unsigned int,unsigned int,long)>(HWND__ *,unsigned int,unsigned int,long)
0x74d2d2b3 (USER32.dll + 0x0002d2b3) _InternalCallWinProc
0x74d0e88a (USER32.dll + 0x0000e88a) UserCallWinProcCheckWow
0x74d0e1e4 (USER32.dll + 0x0000e1e4) DispatchMessageWorker
0x74d0dfa0 (USER32.dll + 0x0000dfa0) DispatchMessageW
0x100787db (chrome.dll - message_pump_win.cc:365) base::MessagePumpForUI::ProcessMessageHelper(tagMSG const &)
0x100780a6 (chrome.dll - message_pump_win.cc:169) base::MessagePumpForUI::DoRunLoop()
0x10077a8c (chrome.dll - message_pump_win.cc:58) base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x10043d1b (chrome.dll - run_loop.cc:38) base::RunLoop::Run()
0x10ea1c18 (chrome.dll - chrome_browser_main.cc:1972) ChromeBrowserMainParts::MainMessageLoopRun(int *)
0x109454a8 (chrome.dll - browser_main_loop.cc:1176) content::BrowserMainLoop::RunMainMessageLoopParts()
0x10e5036d (chrome.dll - content_main_runner.cc:437) content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x10e502b7 (chrome.dll - content_main_runner.cc:729) content::ContentMainRunnerImpl::Run()
0x1155cde5 (chrome.dll - main.cc:179) service_manager::Main(service_manager::MainParams const &)
0x10e4fa9d (chrome.dll - content_main.cc:19) content::ContentMain(content::ContentMainParams const &)
0x1065adb0 (chrome.dll - chrome_main.cc:126) ChromeMain
0x010f5026 (chrome.exe - main_dll_loader_win.cc:204) MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x010f4548 (chrome.exe - chrome_exe_main_win.cc:272) wWinMain
0x01116b28 (chrome.exe - exe_common.inl:253) __scrt_common_main_seh
0x772b62c4 (KERNEL32.dll + 0x000162c4) BaseThreadInitThunk
0x773e0fd9 (ntdll.dll + 0x00060fd9) __RtlUserThreadStart
0x773e0fa4 (ntdll.dll + 0x00060fa4) _RtlUserThreadStart

Crashes spiked on M-59 and are seen only on ASan builds. Link to the list of the builds:
https://crash.corp.google.com/browse?q=special_protos.asan_report.is_actionable%3D1%20AND%20product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27views%3A%3AMenuController%3A%3AOpenMenuImpl%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

Unable to pinpoint a specific regression range. Based on code search on 'menu_controller.cc' and related work in this area, assigning to jonross@ for further investigation.

jonross@: Could you please take a look at these crashes. Appreciate your help!
Apr 12 2017
Issue 707129 has been merged into this issue.
Apr 12 2017
+sky@ FYI. This issue shows that when we create a new window, one of the subsequent callbacks from Windows can be to deactivate that window. For code which relies on focus loss to perform teardown, this can lead to unexpected deletion timing. I've also just seen issue 710715 with a similar stack trace, though in that case the RenderWidgetHostImpl is requesting focus, only to have the window deactivate. But the similar pattern to menus is leading to a use-after-free.
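The deletion-timing pattern described in this comment, and visible in the free stack of the issue description (window creation re-entering OnWindowActivated, Cancel, ExitMenu, and the runner deleting the controller while OpenMenuImpl is still on the stack), as an added example that is not Chromium code. WindowSystem, MenuRunner and MenuController are simplified stand-ins for the views classes, on_create_hook is a constructed stand-in for the hooked window-creation path, and the std::weak_ptr liveness check is a generic defensive pattern standing in for base::WeakPtr, not the project's own fix.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for HWND creation. The free stack shows the OS calling back into
// Chrome (KiUserCallbackDispatcher -> ... -> OnWindowActivated) while
// gfx::WindowImpl::Init is still running; |on_create_hook| models that.
struct WindowSystem {
  std::function<void()> on_create_hook;  // constructed for this example
  void CreateMenuHostWindow() {
    if (on_create_hook) on_create_hook();
  }
};

class MenuController;

// Stand-in for MenuRunnerImpl: owns the controller and deletes it when
// the menu closes (the OnMenuClosed frame in the free stack).
struct MenuRunner {
  std::shared_ptr<MenuController> controller;
  std::vector<std::string> log;  // event order, for inspection
  void OnMenuClosed();
};

class MenuController : public std::enable_shared_from_this<MenuController> {
 public:
  MenuController(MenuRunner* runner, WindowSystem* ws)
      : runner_(runner), ws_(ws) {}
  bool showing = false;  // stands in for the byte written after ShowAt

  // Activation lost -> Cancel -> ExitMenu -> runner deletes |this|, so
  // nothing may touch members after OnMenuClosed() returns.
  void Cancel() {
    runner_->log.push_back("Cancel");
    runner_->OnMenuClosed();
  }

  // Returns false if the controller died while its host window was being
  // created; every caller up the stack (OpenMenu, CommitPendingSelection,
  // SetSelection, Run) must honour that rather than touch it again.
  bool OpenMenuImpl() {
    std::weak_ptr<MenuController> self = shared_from_this();
    runner_->log.push_back("ShowAt");
    ws_->CreateMenuHostWindow();  // may re-enter Cancel() and delete |this|
    if (self.expired()) {
      // Without this check the next statement is the one-byte write that
      // SyzyASAN reported at menu_controller.cc:1840 on freed memory.
      return false;
    }
    showing = true;
    runner_->log.push_back("Opened");
    return true;
  }

 private:
  MenuRunner* runner_;
  WindowSystem* ws_;
};

void MenuRunner::OnMenuClosed() {
  log.push_back("OnMenuClosed");
  controller.reset();  // the "scalar deleting destructor" frame
}

// One menu open, as MenuRunnerImpl::RunMenuAt does: allocate and run.
bool RunMenuAt(MenuRunner& runner, WindowSystem& ws) {
  runner.controller = std::make_shared<MenuController>(&runner, &ws);
  return runner.controller->OpenMenuImpl();
}

// Replays the report: the hook deactivates the new window, the menu
// cancels and the controller is deleted while OpenMenuImpl is running.
bool OpenMenuWithHostileHook(std::vector<std::string>* log_out) {
  WindowSystem ws;
  MenuRunner runner;
  ws.on_create_hook = [&runner] { runner.controller->Cancel(); };
  bool opened = RunMenuAt(runner, ws);
  if (log_out) *log_out = runner.log;
  return opened;
}
```

With the check in place the hostile sequence ends with the menu closed and no write to the dead controller; without it the same sequence is the reported heap-use-after-free.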
Apr 12 2017
Users experienced this crash on the following builds: Win Canary 59.0.3067.0 - 1.16 CPM, 10 reports, 10 clients (signature views::MenuController::CommitPendingSelection). If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Apr 12 2017
I think this is a bug in gaming_spy.dll. Specifically it's hooking window creation and triggering a focus change when we create an HWND. We could work around this, but it would effectively mean menus don't work at all. Seems better to crash here.
Apr 12 2017
Yeah, far too much of menu code is based on being the focused window. That is, in order to not crash, we'd have to either:
- close cleanly when losing focus during creation
- redo large chunks of input handling
Neither of which are desirable imo.
gaming_spy.dll appears to be a part of AVAST anti-virus, and running while a user is gaming. The reports with repro steps all involve games running. Do we have a contact with AVAST who we could reach out to?
Apr 12 2017
Issue 708899 has been merged into this issue.
Apr 12 2017
+jschuh - maybe he has contacts at Avast. And even if we did this, it would effectively mean menus don't work.
Apr 12 2017
Users experienced this crash on the following builds: Win Beta 58.0.3029.54 - 0.13 CPM, 102 reports, 78 clients (signature views::View::SchedulePaint). If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Apr 16 2017
Users experienced this crash on the following builds: Win Canary 60.0.3072.0 - 1.01 CPM, 22 reports, 20 clients (signature views::MenuController::CommitPendingSelection). If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Apr 18 2017
Issue 711270 has been merged into this issue.

Apr 18 2017
Issue 711259 has been merged into this issue.

Apr 18 2017
Issue 709757 has been merged into this issue.

Apr 20 2017
Issue 713536 has been merged into this issue.
Apr 20 2017
Issue 713528 has two different crashes in it, one of which is a duplicate of this. However, the crash occurs when trying to theme the views.
Apr 21 2017
Issue 713689 has been merged into this issue.

Apr 21 2017
Issue 713623 has been merged into this issue.

Apr 21 2017
Issue 713519 has been merged into this issue.

Apr 21 2017
Issue 713604 has been merged into this issue.

Apr 24 2017
Issue 714470 has been merged into this issue.
Apr 24 2017
Crashes with magic signature 'views::MenuController::CommitPendingSelection' duped here in C#2 (Issue 707129) are the #1 browser crash on the latest canary (60.0.3078.0 - 91 crashes from 73 clients). wfh@, chrisha@: Can we get an update on this as per C#12? Thanks in advance!
May 1 2017
Issue 712146 has been merged into this issue.
May 2 2017
Other than adding the Stability-ThirdParty label (done by wfh@ in #26), there's not much to do here. Upcoming third-party blocking will keep these things out of our process, but in the meantime it's a WontFix. wfh: Confirmed that you have no escalation path with AVAST?
May 2 2017
I've marked this blocked on issue 690166, which tracks the feature mentioned in #29.
May 2 2017
I'll open up this bug and see if I can get someone from avast! to look at it.

May 2 2017
Do we have a local repro for this? That'll be the first thing they ask for.
May 2 2017
I have not reproed myself. From some user reports:
1) Avast, with gaming_spy.dll, installed.
2) Launch Chrome.
3) Launch a fullscreen game. Overwatch and Dota2 were both quoted.
4) Alt-tab to Chrome.
5) Bring up a menu, whether it be the settings menu or right-clicking on a webpage.
May 10 2017
Issue 714455 has been merged into this issue.
May 18 2017
Reminder that the M59 Stable launch is coming soon (less than 2 weeks)! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Jun 30 2017
Issue 738418 has been merged into this issue.
Jul 13 2017
This has an External Dependency on Avast. There are no further actions on our side, so marking as WontFix. If they get back to us, feel free to re-open.
Oct 3
Issue 890975 has been merged into this issue.