
Issue 748187

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Aug 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug
Proj-Servicification

Blocking:
issue 715673




SafeBrowsing + Network service: crash when back-to-safety from SB interstitial

Project Member Reported by yzshen@chromium.org, Jul 24 2017

Issue description

This doesn't affect the non-network-service code path.

I have seen this on Linux Debug build. Haven't tried other configurations.

Repro steps:
- Run
chrome --enable-features=NetworkService
- Navigate to 
http://testsafebrowsing.appspot.com/s/phishing.html
- On the SB interstitial page, click "Back to Safety".
- The browser crashes with the following output:
===========================================================
Found a corrupted memory buffer in MallocBlock (may be offset from user ptr): buffer index: 0, buffer ptr: 0x68927584840, size of buffer: 344
Buffer byte 128 is 0xce (should be 0xcd).
Deleted by thread 0x7f0ebcb03700
Memory was written to after being freed.  MallocBlock: 0x68927584840, user ptr: 0x68927584860, size: 344.  If you can't find the source of the error, try using ASan (http://code.google.com/p/address-sanitizer/), Valgrind, or Purify, or study the output of the deleter's stack printed above.
Received signal 11 SEGV_MAPERR 000000000039
#0 0x7f0eee9bf7dd base::debug::StackTrace::StackTrace()
#1 0x7f0eee9bdbac base::debug::StackTrace::StackTrace()
#2 0x7f0eee9bf195 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7f0eef020330 <unknown>
#4 0x7f0eeed0aef8 tcmalloc::Abort()
#5 0x7f0eeed12f0a LogPrintf()
#6 0x7f0eeed12d8b RAW_VLOG()
#7 0x7f0eeed3c62f MallocBlock::CheckForCorruptedBuffer()
#8 0x7f0eeed3c35b MallocBlock::CheckForDanglingWrites()
#9 0x7f0eeed39256 MallocBlock::ProcessFreeQueue()
#10 0x7f0eeed3e114 MallocBlock::Deallocate()
#11 0x7f0eeed35ba5 DebugDeallocate()
#12 0x7f0eeed64ca3 tc_free
#13 0x7f0eeecfc35d (anonymous namespace)::TCFree()
#14 0x7f0eeecfbbcf ShimFree
#15 0x7f0eeecfb5b9 free
#16 0x7f0eeef2d290 operator delete()
#17 0x7f0eeeae4546 base::StatisticsRecorder::RegisterOrDeleteDuplicateRanges()
#18 0x7f0eeeac04ff base::PersistentHistogramAllocator::CreateHistogram()
#19 0x7f0eeeac271a base::PersistentHistogramAllocator::AllocateHistogram()
#20 0x7f0eeeaa9319 base::Histogram::Factory::Build()
#21 0x7f0eeeaaa03f base::Histogram::FactoryGet()
#22 0x7f0eeeaaf2cf base::Histogram::DeserializeInfoImpl()
#23 0x7f0eeeab6b95 base::DeserializeHistogramInfo()
#24 0x7f0eeeac338b base::PersistentHistogramAllocator::GetOrCreateStatisticsRecorderHistogram()
#25 0x7f0eeeac2f3c base::PersistentHistogramAllocator::MergeHistogramDeltaToStatisticsRecorder()
#26 0x55fd01522abd SubprocessMetricsProvider::MergeHistogramDeltasFromAllocator()
#27 0x55fd0152281c SubprocessMetricsProvider::DeregisterSubprocessAllocator()
#28 0x55fd01523f54 SubprocessMetricsProvider::RenderProcessExited()
#29 0x7f0ee89b425a content::RenderProcessHostImpl::Cleanup()
#30 0x7f0ee89adf55 content::RenderProcessHostImpl::RemoveRoute()
#31 0x7f0ee8a09b5e content::RenderWidgetHostImpl::Destroy()
#32 0x7f0ee8a0bb9b content::RenderWidgetHostImpl::ShutdownAndDestroyWidget()
#33 0x7f0ee89fe8b8 content::RenderViewHostImpl::ShutdownAndDestroy()
#34 0x7f0ee82f9b45 content::FrameTree::ReleaseRenderViewHostRef()
#35 0x7f0ee8374d82 content::RenderFrameHostImpl::~RenderFrameHostImpl()
#36 0x7f0ee83768b9 content::RenderFrameHostImpl::~RenderFrameHostImpl()
#37 0x7f0ee83d6041 content::RenderFrameHostManager::~RenderFrameHostManager()
#38 0x7f0ee8300fb2 content::FrameTreeNode::~FrameTreeNode()
#39 0x7f0ee82f6f4f content::FrameTree::~FrameTree()
#40 0x7f0ee83120a6 content::InterstitialPageImpl::~InterstitialPageImpl()
#41 0x7f0ee83124e9 content::InterstitialPageImpl::~InterstitialPageImpl()
#42 0x7f0ee831439b content::InterstitialPageImpl::Shutdown()
#43 0x7f0ee6f8d16f _ZN4base8internal13FunctorTraitsIMN7content13URLLoaderImplEFvvEvE6InvokeIRKNS_7WeakPtrIS3_EEJEEEvS5_OT_DpOT0_
#44 0x7f0ee831861a _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN7content20InterstitialPageImplEFvvERKNS_7WeakPtrIS5_EEJEEEvOT_OT0_DpOT1_
#45 0x7f0ee83185b0 _ZN4base8internal7InvokerINS0_9BindStateIMN7content20InterstitialPageImplEFvvEJNS_7WeakPtrIS4_EEEEEFvvEE7RunImplIRKS6_RKNSt3__15tupleIJS8_EEEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#46 0x7f0ee83184fc _ZN4base8internal7InvokerINS0_9BindStateIMN7content20InterstitialPageImplEFvvEJNS_7WeakPtrIS4_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#47 0x7f0eee96ae91 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#48 0x7f0eee9c42f7 base::debug::TaskAnnotator::RunTask()
#49 0x7f0eeea7ca5d base::MessageLoop::RunTask()
#50 0x7f0eeea7cce7 base::MessageLoop::DeferOrRunPendingTask()
#51 0x7f0eeea7da6a base::MessageLoop::DoWork()
#52 0x7f0eeea84fe6 base::MessagePumpGlib::Run()
#53 0x7f0eeea7c384 base::MessageLoop::Run()
#54 0x7f0eeeb311bd base::RunLoop::Run()
#55 0x55fd012d0d7b ChromeBrowserMainParts::MainMessageLoopRun()
#56 0x7f0ee7f343f6 content::BrowserMainLoop::RunMainMessageLoopParts()
#57 0x7f0ee7f3ce9f content::BrowserMainRunnerImpl::Run()
#58 0x7f0ee7f28a9b content::BrowserMain()
#59 0x7f0ee9b4e494 content::RunNamedProcessTypeMain()
#60 0x7f0ee9b5107f content::ContentMainRunnerImpl::Run()
#61 0x7f0ee9b4bf4d content::ContentServiceManagerMainDelegate::RunEmbedderProcess()
[end of stack trace]
Calling _exit(1). Core file will not be generated.


Comment 1 by yzshen@chromium.org, Jul 24 2017

Blocking: 715673

Comment 2 by vakh@chromium.org, Jul 28 2017

Labels: SafeBrowsing-Triaged

Comment 3 by bugdroid1@chromium.org, Aug 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/161941e6a49a41314655dceb8e4da6782f8240f6

commit 161941e6a49a41314655dceb8e4da6782f8240f6
Author: Yuzhu Shen <yzshen@chromium.org>
Date: Tue Aug 22 16:34:57 2017

SafeBrowsingUrlCheckerImpl: make sure it is safe to destroy the object while it runs callbacks.

Bug: 715673, 748187
Change-Id: I2a127b64e7fab5fc8461dbbefdc600dff2e743dd
Reviewed-on: https://chromium-review.googlesource.com/624527
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Yuzhu Shen <yzshen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#496326}
[modify] https://crrev.com/161941e6a49a41314655dceb8e4da6782f8240f6/components/safe_browsing/browser/safe_browsing_url_checker_impl.cc
[modify] https://crrev.com/161941e6a49a41314655dceb8e4da6782f8240f6/components/safe_browsing/browser/safe_browsing_url_checker_impl.h
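The commit title above describes making SafeBrowsingUrlCheckerImpl safe to destroy while it runs its own callbacks, the hazard that produces a write-after-free like the one in the crash log. The following is an added illustration of that defensive pattern, not Chromium's code: a hypothetical UrlChecker copies the callback out before invoking it and checks a weak liveness handle afterwards, so its owner may delete it from inside the callback without a use-after-free. Class, function and URL values are constructed for the example.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for a URL checker; names do not match Chromium's
// SafeBrowsingUrlCheckerImpl, and the liveness token plays the role of WeakPtr.
class UrlChecker {
 public:
  using Callback = std::function<void(const std::string& url, bool safe)>;
  explicit UrlChecker(Callback cb) : cb_(std::move(cb)) {}
  // Constructed verdict rule for the example: "phishing" in the URL is unsafe.
  static bool IsSafe(const std::string& url) {
    return url.find("phishing") == std::string::npos;
  }

  // Delivers one verdict per URL and returns how many were delivered,
  // stopping early if a callback destroyed this object.
  int RunCallbacks(const std::vector<std::string>& urls) {
    int delivered = 0;
    for (const std::string& url : urls) {
      // Copy the callback out: if it deletes |this|, member |cb_| would be
      // destroyed while still executing.
      Callback cb = cb_;
      // Hold only a weak handle across the call so destruction is observable.
      std::weak_ptr<bool> weak_alive = alive_;
      ++delivered;
      cb(url, IsSafe(url));  // may delete |this|
      if (weak_alive.expired()) return delivered;  // freed: no member access
      ++verdicts_;  // still alive, so touching members is safe here
    }
    return delivered;
  }
 private:
  Callback cb_;
  int verdicts_ = 0;
  // Dies with the object, so weak handles to it expire at exactly that point.
  std::shared_ptr<bool> alive_ = std::make_shared<bool>(true);
};

// Owner that, like "Back to Safety" tearing down the interstitial, deletes the
// checker from inside the first unsafe verdict. Returns {delivered, alive}.
std::pair<int, bool> DriveChecker(const std::vector<std::string>& urls) {
  std::unique_ptr<UrlChecker> checker;
  checker = std::make_unique<UrlChecker>([&checker](const std::string&, bool safe) {
    if (!safe) checker.reset();  // destroys the checker mid-callback
  });
  return {checker->RunCallbacks(urls), checker != nullptr};
}
```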

Comment 4 by yzshen@chromium.org, Aug 22 2017

Status: Fixed (was: Assigned)

Comment 5 by laforge@google.com, Nov 7 2017

Components: -Internals>Network>Service Internals>Services>Network
Apologies, applied the wrong component in bulk.
