Issue 765475

Issue metadata

Status: Duplicate
Merged: issue 765733
Closed: Apr 2018
OS: Mac
Pri: 2
Type: Bug


Use after free crasher in SchedulerWorkerPool::PostTaskWithSequence()

Project Member Reported by shrike@chromium.org, Sep 14 2017

Issue description

Chrome Version: 63.0.3216.0
OS: macOS 10.12

What steps will reproduce the problem?
(1) Compile unittests with ASAN enabled
(2) Run unit_tests

ExternalProtocolHandlerTest.TestLaunchSchemeUnBlockedChromeNotDefault crashes with use after free. It appears that the TaskScheduler frees the SchedulerWorkerPool's task_tracker_, but the SchedulerWorkerPool still has a non-null pointer to that task tracker.

Assigning to gab@ (cannot find suitable e-mail address for author of cl https://chromium-review.googlesource.com/c/chromium/src/+/618800).


[ RUN      ] ExternalProtocolHandlerTest.TestLaunchSchemeUnBlockedChromeNotDefault
=================================================================
==482==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000022a48 at pc 0x0001115754c0 bp 0x7fff5a66f790 sp 0x7fff5a66f788
READ of size 8 at 0x614000022a48 thread T0
    #0 0x1115754bf in base::internal::SchedulerWorkerPool::PostTaskWithSequence(std::__1::unique_ptr<base::internal::Task, std::__1::default_delete<base::internal::Task> >, scoped_refptr<base::internal::Sequence>) scheduler_worker_pool.cc:130
    #1 0x111575f96 in base::internal::SchedulerSequencedTaskRunner::PostDelayedTask(base::Location const&, base::OnceCallback<void ()>, base::TimeDelta) scheduler_worker_pool.cc:85
    #2 0x111569404 in base::TaskRunner::PostTask(base::Location const&, base::OnceCallback<void ()>) task_runner.cc:44
    #3 0x112135e2e in shell_integration::DefaultWebClientWorker::StartCheckIsDefault() shell_integration.cc:141
    #4 0x111d7e015 in ExternalProtocolHandler::LaunchUrlWithDelegate(GURL const&, int, int, ui::PageTransition, bool, ExternalProtocolHandler::Delegate*) external_protocol_handler.cc:250
    #5 0x105d787b4 in ExternalProtocolHandlerTest::DoTest(ExternalProtocolHandler::BlockState, shell_integration::DefaultWebClientState, ExternalProtocolHandlerTest::Action) external_protocol_handler_unittest.cc:141
    #6 0x10acab6c0 in testing::Test::Run() gtest.cc:2472
    #7 0x10acad4f3 in testing::TestInfo::Run() gtest.cc:2654
    #8 0x10acae826 in testing::TestCase::Run() gtest.cc:2772
    #9 0x10acc3276 in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:4677
    #10 0x10acc2839 in testing::UnitTest::Run() gtest.cc:4285
    #11 0x10f4d1806 in base::TestSuite::Run() test_suite.cc:270
    #12 0x10f4fa6ad in base::(anonymous namespace)::LaunchUnitTestsInternal(base::RepeatingCallback<int ()> const&, unsigned long, int, bool, base::RepeatingCallback<void ()> const&) callback.h:92
    #13 0x10f4fa34b in base::LaunchUnitTests(int, char**, base::RepeatingCallback<int ()> const&) unit_test_launcher.cc:475
    #14 0x10f4b0fbc in main run_all_unittests.cc:30
    #15 0x7fff99bc4234 in start (libdyld.dylib:x86_64+0x5234)

0x614000022a48 is located 8 bytes inside of 424-byte region [0x614000022a40,0x614000022be8)
freed by thread T0 here:
    #0 0x12a08a232  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x64232)
    #1 0x111581368 in base::internal::TaskSchedulerImpl::~TaskSchedulerImpl() memory:2233
    #2 0x1115815dd in base::internal::TaskSchedulerImpl::~TaskSchedulerImpl() task_scheduler_impl.cc:44
    #3 0x111580836 in base::TaskScheduler::SetInstance(std::__1::unique_ptr<base::TaskScheduler, std::__1::default_delete<base::TaskScheduler> >) task_scheduler.cc:70
    #4 0x10f4c65aa in base::test::ScopedTaskEnvironment::~ScopedTaskEnvironment() scoped_task_environment.cc:131
    #5 0x10f85d716 in content::TestBrowserThreadBundle::~TestBrowserThreadBundle() memory:2546
    #6 0x105d81457 in ExternalProtocolHandlerTest_TestLaunchSchemeUnBlockedChromeDefault_Test::~ExternalProtocolHandlerTest_TestLaunchSchemeUnBlockedChromeDefault_Test() external_protocol_handler_unittest.cc:111
    #7 0x10acad613 in testing::TestInfo::Run() gtest.h:453
    #8 0x10acae826 in testing::TestCase::Run() gtest.cc:2772
    #9 0x10acc3276 in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:4677
    #10 0x10acc2839 in testing::UnitTest::Run() gtest.cc:4285
    #11 0x10f4d1806 in base::TestSuite::Run() test_suite.cc:270
    #12 0x10f4fa6ad in base::(anonymous namespace)::LaunchUnitTestsInternal(base::RepeatingCallback<int ()> const&, unsigned long, int, bool, base::RepeatingCallback<void ()> const&) callback.h:92
    #13 0x10f4fa34b in base::LaunchUnitTests(int, char**, base::RepeatingCallback<int ()> const&) unit_test_launcher.cc:475
    #14 0x10f4b0fbc in main run_all_unittests.cc:30
    #15 0x7fff99bc4234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x12a089c32  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x63c32)
    #1 0x111580fb4 in base::internal::TaskSchedulerImpl::TaskSchedulerImpl(base::BasicStringPiece<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, std::__1::unique_ptr<base::internal::TaskTrackerPosix, std::__1::default_delete<base::internal::TaskTrackerPosix> >) memory:3026
    #2 0x10f4c5f42 in base::test::ScopedTaskEnvironment::ScopedTaskEnvironment(base::test::ScopedTaskEnvironment::MainThreadType, base::test::ScopedTaskEnvironment::ExecutionMode) memory:3026
    #3 0x10f85d020 in content::TestBrowserThreadBundle::Init() test_browser_thread_bundle.cc:107
    #4 0x105d8632f in testing::internal::TestFactoryImpl<ExternalProtocolHandlerTest_TestLaunchSchemeUnBlockedChromeDefault_Test>::CreateTest() external_protocol_handler_unittest.cc:113
    #5 0x10acad41e in testing::TestInfo::Run() gtest.cc:2645
    #6 0x10acae826 in testing::TestCase::Run() gtest.cc:2772
    #7 0x10acc3276 in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:4677
    #8 0x10acc2839 in testing::UnitTest::Run() gtest.cc:4285
    #9 0x10f4d1806 in base::TestSuite::Run() test_suite.cc:270
    #10 0x10f4fa6ad in base::(anonymous namespace)::LaunchUnitTestsInternal(base::RepeatingCallback<int ()> const&, unsigned long, int, bool, base::RepeatingCallback<void ()> const&) callback.h:92
    #11 0x10f4fa34b in base::LaunchUnitTests(int, char**, base::RepeatingCallback<int ()> const&) unit_test_launcher.cc:475
    #12 0x10f4b0fbc in main run_all_unittests.cc:30
    #13 0x7fff99bc4234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free scheduler_worker_pool.cc:130 in base::internal::SchedulerWorkerPool::PostTaskWithSequence(std::__1::unique_ptr<base::internal::Task, std::__1::default_delete<base::internal::Task> >, scoped_refptr<base::internal::Sequence>)
Shadow bytes around the buggy address:
  0x1c28000044f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x1c2800004500: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2800004510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2800004520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2800004530: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
=>0x1c2800004540: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
  0x1c2800004550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2800004560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2800004570: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x1c2800004580: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2800004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==482==ABORTING
Received signal 6
[end of stack trace]
[1159/8133] ExternalProtocolHandlerTest.TestLaunchSchemeUnBlockedChromeNotDefault (CRASHED)


Comment 1 by shrike@chromium.org, Sep 20 2017

> (1) Compile unittests with ASAN enabled

That should be

(1) Compile unit_tests with ASAN enabled

Comment 2 by gab@chromium.org, Sep 20 2017

Cc: fdoray@chromium.org
Owner: pmonette@chromium.org
The use is in ExternalProtocolHandlerTest.TestLaunchSchemeUnBlockedChromeNotDefault, while the free is in ~ExternalProtocolHandlerTest_TestLaunchSchemeUnBlockedChromeDefault.

This is not the same test ("...NotDefault" vs "...Default") and as such it's expected that the task environment is gone.

The problem is the use of a static field for the SequencedTaskRunner in DefaultWebClientWorker::GetTaskRunner().

Instead this should be using lazy_task_runner.h (whose state is properly reset on ~base::test::ScopedTaskEnvironment()).
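
The lifetime problem diagnosed in this comment, as an added example (not Chromium's code, and not the fix that was landed): constructed stand-ins named after the types in the ASan trace, with the task tracker held weakly so a stale post is observable rather than undefined behaviour. StaticRunner() models the static field blamed in DefaultWebClientWorker::GetTaskRunner(); LazyRunner() models the lazy_task_runner.h idea of resetting the cached runner when the ScopedTaskEnvironment that created it is destroyed. The hook vector, g_env and the function names are assumptions for illustration.

```cpp
#include <memory>
#include <vector>

struct TaskTracker { int posted = 0; };  // constructed stand-in, not Chromium's
// Stands in for the runner -> worker pool -> task_tracker_ chain in the trace. The real
// pool keeps a raw pointer; a weak_ptr makes the stale case observable instead of UB.
struct SequencedTaskRunner {
  explicit SequencedTaskRunner(std::weak_ptr<TaskTracker> t) : task_tracker_(t) {}
  bool PostTask() {  // returns false where the real code reads freed memory
    auto tracker = task_tracker_.lock();
    if (tracker) ++tracker->posted;
    return tracker != nullptr;
  }
  std::weak_ptr<TaskTracker> task_tracker_;
};
// Owns the tracker, as ScopedTaskEnvironment owns the TaskScheduler in the fixture.
struct ScopedTaskEnvironment {
  std::shared_ptr<TaskTracker> tracker = std::make_shared<TaskTracker>();
  std::vector<void (*)()> on_destroy;  // assumed teardown hooks (not in the real class)
  ~ScopedTaskEnvironment() { for (auto hook : on_destroy) hook(); }
  std::shared_ptr<SequencedTaskRunner> CreateRunner() {
    return std::make_shared<SequencedTaskRunner>(tracker);
  }
};
ScopedTaskEnvironment* g_env = nullptr;  // current instance, like TaskScheduler::SetInstance()

// Buggy pattern from the report: initialised once and never reset, so a later test
// reuses a runner whose tracker died with the first environment.
std::shared_ptr<SequencedTaskRunner> StaticRunner() {
  static std::shared_ptr<SequencedTaskRunner> runner = g_env->CreateRunner();
  return runner;
}
// Fixed pattern: created lazily and reset when its environment is torn down.
std::shared_ptr<SequencedTaskRunner> LazyRunner() {
  static std::shared_ptr<SequencedTaskRunner> runner;
  if (!runner) {
    runner = g_env->CreateRunner();
    g_env->on_destroy.push_back([] { runner.reset(); });
  }
  return runner;
}
// Two consecutive "tests" with their own environments, as gtest runs them; returns
// whether the second test's post reached a live tracker.
bool SecondTestPostsOk(std::shared_ptr<SequencedTaskRunner> (*get_runner)()) {
  { ScopedTaskEnvironment env; g_env = &env; get_runner()->PostTask(); }  // "...Default"
  ScopedTaskEnvironment env; g_env = &env;                                 // "...NotDefault"
  bool ok = get_runner()->PostTask();
  g_env = nullptr;
  return ok;
}
```

With the static, the second test's post hits a tracker that no longer exists; with the lazy runner it gets a fresh one from the new environment.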

Comment 3 by gab@chromium.org, Apr 12 2018

Merged into: 765733
Status: Duplicate (was: Assigned)
Looks like this was fixed by benwells a while back, thanks!
