Issue 772113
Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Security: DCHECK in IDBRequest::~IDBRequest

Reported by aaspring@umich.edu, Oct 5 2017

Issue description

VULNERABILITY DETAILS

Visiting a URL with Ghostery installed and the Chrome inspector open causes the browser to segfault and crash.

Consistently triggered on macOS and Windows, inconsistent on Ubuntu (can be triggered but may take many visits to URL).

I have core-dumps from Ubuntu crashes but have so far been unable to create a paired core-dump + automatic report due to inconsistency. I will continue trying and will notify if successful.

This issue may or may not be related to Issue #771848, as the same URL is used to trigger both bugs.

VERSION

Chrome Version: 61.0.3163.100 + stable
Operating System: Windows 7 Enterprise Version 6.1.7601 Service Pack 1 Build 7601

Chrome Version: 62.0.3202.45 + beta
Operating System: Windows 7 Enterprise Version 6.1.7601 Service Pack 1 Build 7601

Chrome Version: 63.0.3230.0 + dev
Operating System: Windows 7 Enterprise Version 6.1.7601 Service Pack 1 Build 7601

Chrome Version: 61.0.3163.100 + stable
Operating System: Vanilla Ubuntu 16.04 with all updated libraries


REPRODUCTION CASE

1) Install Ghostery extension from https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij/related?hl=en

2) When Ghostery's initial configuration window opens, click "No" on all voluntary reporting prompts then click "Block All" in Blocking Options

3) Allow Ghostery in Incognito Mode (Dots -> More Tools -> Extensions -> Click "Allow in incognito" under Ghostery extension)

4) Open Incognito window

5) Open Chrome Inspector

6) Navigate to https://umich.qualtrics.com/jfe/form/SV_b44dDpnanccGM8R

7) Observe that browser segfaults and crashes (consistent on Windows 7 and macOS, not on Ubuntu)

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Type of crash: browser

Crash State: crash IDs:
    Chrome 61 stable + Windows 7 -- 1e62a84055b865d3 (Local Crash ID: 74f02d26-a6c1-4204-9218-896265557fdb)
    Chrome 62 beta + Windows 7 -- 4bdc0540bb2051d0 (Local Crash ID: 427b73e6-98de-4b32-80b9-dcf07d8effd9)
    Chrome 63 dev + Windows 7 -- a3b198e50d4fb919 (Local Crash ID: e3e5882b-8c2e-4a15-843b-a0f74e4111f5)
    Chrome 61 stable + Ubuntu 16.04 -- 8253084d879ccbe9

Client ID (if relevant):
    Ubuntu 16.04 -- 1c4ae869-fe08-4e8d-845d-1870550e8865
    Windows 7 Chrome 61 stable -- 4c4bca00-a726-4296-a052-4c9d12644357
    Windows 7 Chrome 62 beta -- a6e86e20-0db1-4e25-9bfb-20f88adff38e
    Windows 7 Chrome 63 dev -- e148421c-d4d4-4992-8fa2-d69561332df1

Components: Platform>DevTools
This appears to be an instance of Issue 742955

Comment 2 by aaspring@umich.edu, Oct 5 2017

Reported crash for macOS (didn't think to crash _before_ starting to write up issue report):

Chrome Version: 61.0.3163.100 + stable
Operating System: macOS Sierra 10.12.6
Crash ID: f29fcdedcace56fd (Local Crash ID: 302070e0-fa0e-481f-80ec-2ea93caf7a29)
Client ID: b18f1873-2f82-4d74-b5d8-7520ac1231f5

Owner: arthurso...@chromium.org
Status: Assigned (was: Unconfirmed)
arthursonzogni, could you please take a look to see if this is the same as Issue 742955 ?

Comment 4 by creis@chromium.org, Oct 5 2017

Cc: dgozman@chromium.org
Mergedinto: 742955
Status: Duplicate (was: Assigned)
Yep, that's issue 742955.  Arthur has a fix in progress.  Thanks for the report!

Cc: creis@chromium.org
I took a look with DCHECKs enabled.
It triggered a DCHECK (w/wo PlzNavigate) (w/wo my WIP CL for issue 742955).
IDBRequest.cpp(122)] Check failed: (ready_state_ == DONE && metrics_.IsEmpty()) || ready_state_ == kEarlyDeath || !GetExecutionContext()

If I disable this particular DCHECK, everything works fine (w/wo PlzNavigate) (w/wo my WIP CL.)
+CC creis@: FYI, maybe this isn't a duplicate? I don't know.

#Stacktrace
```
[195291:195291:1006/114150.154321:FATAL:IDBRequest.cpp(122)] Check failed: (ready_state_ == DONE && metrics_.IsEmpty()) || ready_state_ == kEarlyDeath || !GetExecutionContext(). 
#0 0x2b73a03c905d base::debug::StackTrace::StackTrace()
#1 0x2b73a03c742c base::debug::StackTrace::StackTrace()
#2 0x2b73a045892a logging::LogMessage::~LogMessage()
#3 0x2b73b4fe9ee3 blink::IDBRequest::~IDBRequest()
#4 0x2b73b466b574 blink::GarbageCollectedFinalized<>::FinalizeGarbageCollectedObject()
#5 0x2b73b466b545 blink::FinalizerTraitImpl<>::Finalize()
#6 0x2b73b4793b95 blink::FinalizerTrait<>::Finalize()
#7 0x2b73b3a8d0e1 blink::HeapObjectHeader::Finalize()
#8 0x2b73b3a946c0 blink::NormalPage::Sweep()
#9 0x2b73b3a8e4d9 blink::BaseArena::SweepUnsweptPage()
#10 0x2b73b3a8eb20 blink::BaseArena::CompleteSweep()
#11 0x2b73b3a9fa61 blink::ThreadState::CompleteSweep()
#12 0x2b73b3aa231b blink::ThreadState::ScheduleV8FollowupGCIfNeeded()
#13 0x2b73b0610d7c blink::V8GCController::GcEpilogue()
#14 0x2b73af5c7cc9 v8::internal::Heap::PerformGarbageCollection()
#15 0x2b73af5c632e v8::internal::Heap::CollectGarbage()
#16 0x2b73af6317c8 v8::internal::ScavengeJob::IdleTask::RunInternal()
#17 0x2b73b062d06a blink::V8IdleTaskAdapter::Run()
#18 0x2b73b3b7e60b blink::scheduler::WebSchedulerImpl::RunIdleTask()
#19 0x2b73b3b7f212 _ZN4base8internal13FunctorTraitsIPFvNSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS2_14default_deleteIS6_EEEENS_9TimeTicksEEvE6InvokeIJS9_SA_EEEvSC_DpOT_
#20 0x2b73b3b7f080 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKPFvNSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS4_14default_deleteIS8_EEEENS_9TimeTicksEEJSB_SC_EEEvOT_DpOT0_
#21 0x2b73b3b7ef70 _ZN4base8internal7InvokerINS0_9BindStateIPFvNSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS3_14default_deleteIS7_EEEENS_9TimeTicksEEJNS0_13PassedWrapperISA_EEEEEFvSB_EE7RunImplIRKSD_RKNS3_5tupleIJSF_EEEJLm0EEEEvOT_OT0_NS3_16integer_sequenceImJXspT1_EEEEOSB_
#22 0x2b73b3b7ee94 _ZN4base8internal7InvokerINS0_9BindStateIPFvNSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS3_14default_deleteIS7_EEEENS_9TimeTicksEEJNS0_13PassedWrapperISA_EEEEEFvSB_EE3RunEPNS0_13BindStateBaseEOSB_
#23 0x2b73b3b44d4d _ZNKR4base17RepeatingCallbackIFvNS_9TimeTicksEEE3RunES1_
#24 0x2b73b3b7bf39 blink::scheduler::SingleThreadIdleTaskRunner::RunTask()
#25 0x2b73b3b7d144 _ZN4base8internal13FunctorTraitsIMN5blink9scheduler26SingleThreadIdleTaskRunnerEFvNS_17RepeatingCallbackIFvNS_9TimeTicksEEEEEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKS8_EEEvSA_OT_DpOT0_
#26 0x2b73b3b7d095 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler26SingleThreadIdleTaskRunnerEFvNS_17RepeatingCallbackIFvNS_9TimeTicksEEEEERKNS_7WeakPtrIS6_EEJRKSA_EEEvOT_OT0_DpOT1_
#27 0x2b73b3b7d00d _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler26SingleThreadIdleTaskRunnerEFvNS_17RepeatingCallbackIFvNS_9TimeTicksEEEEEJNS_7WeakPtrIS5_EES9_EEEFvvEE7RunImplIRKSB_RKNSt3__15tupleIJSD_S9_EEEJLm0ELm1EEEEvOT_OT0_NSK_16integer_sequenceImJXspT1_EEEE
#28 0x2b73b3b7cf1c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler26SingleThreadIdleTaskRunnerEFvNS_17RepeatingCallbackIFvNS_9TimeTicksEEEEEJNS_7WeakPtrIS5_EES9_EEEFvvEE3RunEPNS0_13BindStateBaseE
#29 0x2b73a0374811 _ZNO4base12OnceCallbackIFvvEE3RunEv
#30 0x2b73a03cdc8a base::debug::TaskAnnotator::RunTask()
#31 0x2b73b3b53f9a blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#32 0x2b73b3b4f074 blink::scheduler::TaskQueueManager::DoWork()
#33 0x2b73b3b5b317 _ZN4base8internal13FunctorTraitsIMN5blink9scheduler16TaskQueueManagerEFvbEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKbEEEvS6_OT_DpOT0_
#34 0x2b73b3b5b275 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler16TaskQueueManagerEFvbERKNS_7WeakPtrIS6_EEJRKbEEEvOT_OT0_DpOT1_
#35 0x2b73b3b5b1ed _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE7RunImplIRKS7_RKNSt3__15tupleIJS9_bEEEJLm0ELm1EEEEvOT_OT0_NSG_16integer_sequenceImJXspT1_EEEE
#36 0x2b73b3b5b0fc _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE3RunEPNS0_13BindStateBaseE
#37 0x2b73a0374811 _ZNO4base12OnceCallbackIFvvEE3RunEv
#38 0x2b73a03cdc8a base::debug::TaskAnnotator::RunTask()
#39 0x2b73a047d2c5 base::internal::IncomingTaskQueue::RunTask()
#40 0x2b73a04826c4 base::MessageLoop::RunTask()
#41 0x2b73a0482947 base::MessageLoop::DeferOrRunPendingTask()
#42 0x2b73a0483630 base::MessageLoop::DoWork()
#43 0x2b73a048a23a base::MessagePumpDefault::Run()
#44 0x2b73a0481e84 base::MessageLoop::Run()
#45 0x2b73a0538f85 base::RunLoop::Run()
#46 0x2b73a66ea1fb content::RendererMain()
#47 0x2b73a6b8ad4c content::RunZygote()
#48 0x2b73a6b8ba19 content::RunNamedProcessTypeMain()
#49 0x2b73a6b8e53e content::ContentMainRunnerImpl::Run()
#50 0x2b73a6b8904d content::ContentServiceManagerMainDelegate::RunEmbedderProcess()
#51 0x2b739fd088a5 service_manager::Main()
#52 0x2b73a6b8a6ef content::ContentMain()
#53 0x5601a8486d8e ChromeMain
#54 0x5601a8486ca2 main
#55 0x2b73b93cff45 __libc_start_main
#56 0x5601a8486b84 <unknown>

Received signal 6
#0 0x2b73a03c905d base::debug::StackTrace::StackTrace()
#1 0x2b73a03c742c base::debug::StackTrace::StackTrace()
#2 0x2b73a03c8a15 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x2b739fecd330 <unknown>
#4 0x2b73b93e4c37 gsignal
#5 0x2b73b93e8028 abort
#6 0x2b73a03c4426 base::debug::(anonymous namespace)::DebugBreak()
#7 0x2b73a03c4408 base::debug::BreakDebugger()
#8 0x2b73a04595e6 logging::LogMessage::~LogMessage()
#9 0x2b73b4fe9ee3 blink::IDBRequest::~IDBRequest()
#10 0x2b73b466b574 blink::GarbageCollectedFinalized<>::FinalizeGarbageCollectedObject()
#11 0x2b73b466b545 blink::FinalizerTraitImpl<>::Finalize()
#12 0x2b73b4793b95 blink::FinalizerTrait<>::Finalize()
#13 0x2b73b3a8d0e1 blink::HeapObjectHeader::Finalize()
#14 0x2b73b3a946c0 blink::NormalPage::Sweep()
#15 0x2b73b3a8e4d9 blink::BaseArena::SweepUnsweptPage()
#16 0x2b73b3a8eb20 blink::BaseArena::CompleteSweep()
#17 0x2b73b3a9fa61 blink::ThreadState::CompleteSweep()
#18 0x2b73b3aa231b blink::ThreadState::ScheduleV8FollowupGCIfNeeded()
#19 0x2b73b0610d7c blink::V8GCController::GcEpilogue()
#20 0x2b73af5c7cc9 v8::internal::Heap::PerformGarbageCollection()
#21 0x2b73af5c632e v8::internal::Heap::CollectGarbage()
#22 0x2b73af6317c8 v8::internal::ScavengeJob::IdleTask::RunInternal()
#23 0x2b73b062d06a blink::V8IdleTaskAdapter::Run()
#24 0x2b73b3b7e60b blink::scheduler::WebSchedulerImpl::RunIdleTask()
#25 0x2b73b3b7f212 _ZN4base8internal13FunctorTraitsIPFvNSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS2_14default_deleteIS6_EEEENS_9TimeTicksEEvE6InvokeIJS9_SA_EEEvSC_DpOT_
#26 0x2b73b3b7f080 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKPFvNSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS4_14default_deleteIS8_EEEENS_9TimeTicksEEJSB_SC_EEEvOT_DpOT0_
#27 0x2b73b3b7ef70 _ZN4base8internal7InvokerINS0_9BindStateIPFvNSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS3_14default_deleteIS7_EEEENS_9TimeTicksEEJNS0_13PassedWrapperISA_EEEEEFvSB_EE7RunImplIRKSD_RKNS3_5tupleIJSF_EEEJLm0EEEEvOT_OT0_NS3_16integer_sequenceImJXspT1_EEEEOSB_
#28 0x2b73b3b7ee94 _ZN4base8internal7InvokerINS0_9BindStateIPFvNSt3__110unique_ptrIN5blink9WebThread8IdleTaskENS3_14default_deleteIS7_EEEENS_9TimeTicksEEJNS0_13PassedWrapperISA_EEEEEFvSB_EE3RunEPNS0_13BindStateBaseEOSB_
#29 0x2b73b3b44d4d _ZNKR4base17RepeatingCallbackIFvNS_9TimeTicksEEE3RunES1_
#30 0x2b73b3b7bf39 blink::scheduler::SingleThreadIdleTaskRunner::RunTask()
#31 0x2b73b3b7d144 _ZN4base8internal13FunctorTraitsIMN5blink9scheduler26SingleThreadIdleTaskRunnerEFvNS_17RepeatingCallbackIFvNS_9TimeTicksEEEEEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKS8_EEEvSA_OT_DpOT0_
#32 0x2b73b3b7d095 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler26SingleThreadIdleTaskRunnerEFvNS_17RepeatingCallbackIFvNS_9TimeTicksEEEEERKNS_7WeakPtrIS6_EEJRKSA_EEEvOT_OT0_DpOT1_
#33 0x2b73b3b7d00d _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler26SingleThreadIdleTaskRunnerEFvNS_17RepeatingCallbackIFvNS_9TimeTicksEEEEEJNS_7WeakPtrIS5_EES9_EEEFvvEE7RunImplIRKSB_RKNSt3__15tupleIJSD_S9_EEEJLm0ELm1EEEEvOT_OT0_NSK_16integer_sequenceImJXspT1_EEEE
#34 0x2b73b3b7cf1c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler26SingleThreadIdleTaskRunnerEFvNS_17RepeatingCallbackIFvNS_9TimeTicksEEEEEJNS_7WeakPtrIS5_EES9_EEEFvvEE3RunEPNS0_13BindStateBaseE
#35 0x2b73a0374811 _ZNO4base12OnceCallbackIFvvEE3RunEv
#36 0x2b73a03cdc8a base::debug::TaskAnnotator::RunTask()
#37 0x2b73b3b53f9a blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#38 0x2b73b3b4f074 blink::scheduler::TaskQueueManager::DoWork()
#39 0x2b73b3b5b317 _ZN4base8internal13FunctorTraitsIMN5blink9scheduler16TaskQueueManagerEFvbEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKbEEEvS6_OT_DpOT0_
#40 0x2b73b3b5b275 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler16TaskQueueManagerEFvbERKNS_7WeakPtrIS6_EEJRKbEEEvOT_OT0_DpOT1_
#41 0x2b73b3b5b1ed _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE7RunImplIRKS7_RKNSt3__15tupleIJS9_bEEEJLm0ELm1EEEEvOT_OT0_NSG_16integer_sequenceImJXspT1_EEEE
#42 0x2b73b3b5b0fc _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvbEJNS_7WeakPtrIS5_EEbEEEFvvEE3RunEPNS0_13BindStateBaseE
#43 0x2b73a0374811 _ZNO4base12OnceCallbackIFvvEE3RunEv
#44 0x2b73a03cdc8a base::debug::TaskAnnotator::RunTask()
#45 0x2b73a047d2c5 base::internal::IncomingTaskQueue::RunTask()
#46 0x2b73a04826c4 base::MessageLoop::RunTask()
#47 0x2b73a0482947 base::MessageLoop::DeferOrRunPendingTask()
#48 0x2b73a0483630 base::MessageLoop::DoWork()
#49 0x2b73a048a23a base::MessagePumpDefault::Run()
#50 0x2b73a0481e84 base::MessageLoop::Run()
#51 0x2b73a0538f85 base::RunLoop::Run()
#52 0x2b73a66ea1fb content::RendererMain()
#53 0x2b73a6b8ad4c content::RunZygote()
#54 0x2b73a6b8ba19 content::RunNamedProcessTypeMain()
#55 0x2b73a6b8e53e content::ContentMainRunnerImpl::Run()
#56 0x2b73a6b8904d content::ContentServiceManagerMainDelegate::RunEmbedderProcess()
#57 0x2b739fd088a5 service_manager::Main()
#58 0x2b73a6b8a6ef content::ContentMain()
#59 0x5601a8486d8e ChromeMain
#60 0x5601a8486ca2 main
#61 0x2b73b93cff45 __libc_start_main
  r8: 00007ffebb314728  r9: fffffffffffffec8 r10: 0000000000000008 r11: 0000000000000206
 r12: 00001b42b8f88040 r13: 00001b42b8f9b268 r14: 00001b42b8f9b250 r15: 0000000000000001
  di: 000000000002fadb  si: 000000000002fadb  bp: 00007ffebb314c30  bx: 00001b42b8f88020
  dx: 0000000000000006  ax: 0000000000000000  cx: 00002b73b93e4c37  sp: 00007ffebb314af8
  ip: 00002b73b93e4c37 efl: 0000000000000206 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

```

Comment 6 by creis@chromium.org, Oct 9 2017

Status: Assigned (was: Duplicate)
Comment 5: Ah, sorry if I jumped the gun. I didn't look closely -- I marked it as a duplicate just based on the matching stack. I'll let you confirm whether it's still an issue or not.

Comment 7 by wfh@chromium.org, Oct 12 2017

Is this a dup of issue 742955? Can this bug be either duped or closed? I am struggling to know the priority or the impact of this bug at the moment.

Cc: arthurso...@chromium.org
Components: -Platform>DevTools Blink>Storage>IndexedDB
Owner: ----
Status: Untriaged (was: Assigned)
Summary: Security: DCHECK in IDBRequest::~IDBRequest (was: Security: Browser crashes on blocked redirect in incognito mode with inspector open)
The crash part is a dupe of 742955. Renaming the issue to focus on DCHECK from #c5, and marking Untriaged to find a proper owner from IndexedDB.

Comment 9 by wfh@chromium.org, Oct 16 2017

Owner: dmu...@chromium.org
Status: Assigned (was: Untriaged)
Does the DCHECK protect anything security sensitive? Security 8-ball says dmurph should be the owner of this until triaged. If this has no security implications feel free to switch to normal bug.

Initial thoughts: It doesn't look security sensitive, just checking assumed state. We should definitely figure out what's happening though, because it looks like we're not closing this request correctly.

My initial thought - metrics_ isn't empty and we've hit some code path that doesn't trigger the metrics to record.

Comment 11 by kenrb@chromium.org, Oct 18 2017

Does that mean this no longer crashes a release build on trunk? If so then we should be fine to remove the Bug-Security tag, although it should remain view restricted for as long as issue 742955 is.

No, it would still be crashing a dcheck_always_on release build on trunk, but I'm guessing it's not a security issue.

Comment 13 by kenrb@chromium.org, Oct 19 2017

Labels: -Type-Bug-Security Type-Bug
Okay, changing to Type-Bug but leaving the view restriction in place because it has a PoC for a security bug whose fix hasn't reached Stable yet.

Cc: dmu...@chromium.org
Labels: -Restrict-View-SecurityTeam
Owner: ----
Status: Available (was: Assigned)
Perhaps we should just remove that DCHECK.

It's mostly there to make sure devs correctly trigger the async tracing code. This doesn't mean there is a security issue.

Labels: Pri-2
Setting defect without priority to Pri-2.
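To make the quoted check concrete, here is an added toy model (not Chromium's IDBRequest code) that reimplements the destructor condition from comment 5 and walks the end states that comments 10 and 14 discuss; the state names, StartTrace(), the Ending enum and the ExecutionContext stand-in are assumptions.

```cpp
#include <string>
#include <vector>

// Toy model of the destructor-time check quoted in comment 5. Not Chromium
// code: the state names, StartTrace() and the ExecutionContext stand-in are
// assumptions chosen to make the admitted end states visible.
enum class ReadyState { kPending, kDone, kEarlyDeath };  // kDone plays DONE
struct ExecutionContext { bool alive = true; };          // may be torn down first

class Request {
 public:
  explicit Request(ExecutionContext* ctx) : context_(ctx) {}
  // Opens an async trace span; it stays in metrics_ until it is recorded.
  void StartTrace(const std::string& name) { metrics_.push_back(name); }
  // Correct completion: every pending span is recorded before DONE.
  void CompleteAndRecord() { metrics_.clear(); ready_state_ = ReadyState::kDone; }
  // Faulty completion: DONE with spans still pending (what comment 10 suspects).
  void CompleteWithoutRecording() { ready_state_ = ReadyState::kDone; }
  void MarkEarlyDeath() { ready_state_ = ReadyState::kEarlyDeath; }
  ExecutionContext* GetExecutionContext() const {
    return (context_ && context_->alive) ? context_ : nullptr;
  }
  // The condition from IDBRequest.cpp(122) as quoted on this page.
  bool DestructorInvariantHolds() const {
    return (ready_state_ == ReadyState::kDone && metrics_.empty()) ||
           ready_state_ == ReadyState::kEarlyDeath || !GetExecutionContext();
  }
 private:
  ReadyState ready_state_ = ReadyState::kPending;
  std::vector<std::string> metrics_;
  ExecutionContext* context_;
};

// Runs one request lifecycle to its end and reports whether a DCHECK build
// would survive the destructor; context_alive says whether the execution
// context still exists when the request is finalized.
enum class Ending { kRecorded, kDoneUnrecorded, kEarlyDeath, kStillPending };
bool SurvivesDestructor(Ending ending, bool context_alive) {
  ExecutionContext c;
  Request r(&c);
  r.StartTrace("open");  // constructed span name
  switch (ending) {
    case Ending::kRecorded:       r.CompleteAndRecord(); break;
    case Ending::kDoneUnrecorded: r.CompleteWithoutRecording(); break;
    case Ending::kEarlyDeath:     r.MarkEarlyDeath(); break;
    case Ending::kStillPending:   break;
  }
  c.alive = context_alive;
  return r.DestructorInvariantHolds();
}
```

Only a request that reaches DONE with an unrecorded span, or that is finalized while still pending, trips the check while its context is alive; once the context is gone the check admits any state, which is why the bug only shows up on the path where the request outlives nothing but its own metrics.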