Security: Heap-use-after-free in payments::PaymentRequestRowView::ShowBottomSeparator()
Reported by chromium...@gmail.com, Dec 8 2017
Issue description

VERSION
Chrome Version: 65.0.3288.0
Operating System: Ubuntu

REPRODUCTION CASE
1. Go to https://emerald-eon.appspot.com/
2. Edit an address and hit ENTER on the keyboard
3. Edit again another address and hit ENTER
>> Crash

=================================================================
==3380==ERROR: AddressSanitizer: heap-use-after-free on address 0x6180000cd080 at pc 0x55556dd10ecd bp 0x7fffffff72f0 sp 0x7fffffff72e8
READ of size 8 at 0x6180000cd080 thread T0 (chrome)
    #0 0x55556dd10ecc in payments::PaymentRequestRowView::ShowBottomSeparator() chrome/browser/ui/views/payments/payment_request_row_view.cc:37:3
    #1 0x55556dd122fa in payments::PaymentRequestRowView::SetIsHighlighted(bool) chrome/browser/ui/views/payments/payment_request_row_view.cc:59:22
    #2 0x55556dd12453 in payments::PaymentRequestRowView::StateChanged(views::Button::ButtonState) chrome/browser/ui/views/payments/payment_request_row_view.cc:68:3
    #3 0x7fffc6d74ae7 in views::Button::SetState(views::Button::ButtonState) ui/views/controls/button/button.cc:137:3
    #4 0x7fffc6d78e09 in views::Button::ViewHierarchyChanged(views::View::ViewHierarchyChangedDetails const&) ui/views/controls/button/button.cc:438:5
    #5 0x7fffc70e1198 in views::View::ViewHierarchyChangedImpl(bool, views::View::ViewHierarchyChangedDetails const&) ui/views/view.cc:2192:3
    #6 0x7fffc7116a95 in views::View::PropagateRemoveNotifications(views::View*, views::View*, bool) ui/views/view.cc:2150:8
    #7 0x7fffc71169bd in views::View::PropagateRemoveNotifications(views::View*, views::View*, bool) ui/views/view.cc:2143:14
    #8 0x7fffc70dcfce in views::View::DoRemoveChildView(views::View*, bool, bool, bool, views::View*) ui/views/view.cc:2116:9
    #9 0x7fffc70e2215 in views::View::RemoveAllChildViews(bool) ui/views/view.cc:300:5
    #10 0x55556dd16f63 in payments::PaymentRequestSheetController::UpdateContentView() chrome/browser/ui/views/payments/payment_request_sheet_controller.cc:271:18
    #11 0x55556dd541a7 in payments::PaymentSheetViewController::OnSelectedInformationChanged() chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:389:3
    #12 0x55556f2d5b15 in payments::PaymentRequestState::NotifyOnSelectedInformationChanged() components/payments/content/payment_request_state.cc:462:14
    #13 0x55556f2ce2c5 in payments::PaymentRequestState::UpdateIsReadyToPayAndNotifyObservers() components/payments/content/payment_request_state.cc:452:3
    #14 0x55556f2ce1d8 in payments::PaymentRequestState::OnSpecUpdated() components/payments/content/payment_request_state.cc:152:3
    #15 0x55556f29ef15 in payments::PaymentRequestSpec::NotifyOnSpecUpdated() components/payments/content/payment_request_spec.cc:304:14
    #16 0x55556f29ecad in payments::PaymentRequestSpec::RecomputeSpecForDetails() components/payments/content/payment_request_spec.cc:109:3
    #17 0x55556f29ec69 in payments::PaymentRequestSpec::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request_spec.cc:103:3
    #18 0x55556f215688 in payments::PaymentRequest::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request.cc:212:10
    #19 0x7fffdf453c57 in payments::mojom::PaymentRequestStubDispatch::Accept(payments::mojom::PaymentRequest*, mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.cc:1373:13
    #20 0x55556f21c392 in payments::mojom::PaymentRequestStub<mojo::RawPtrImplRefTraits<payments::mojom::PaymentRequest> >::Accept(mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.h:347:12
    #21 0x7ffff1383e3a in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:418:32
    #22 0x7ffff1380ba7 in mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:132:18
    #23 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #24 0x7ffff138b9b6 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:305:19
    #25 0x7ffff13dc4be in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:880:42
    #26 0x7ffff13da726 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:604:38
    #27 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #28 0x7ffff134738e in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:440:51
    #29 0x7ffff134a2ec in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:469:10
    #30 0x7ffff1349a43 in mojo::Connector::OnHandleReadyInternal(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:374:3
    #31 0x7ffff1349737 in mojo::Connector::OnWatcherHandleReady(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:351:3
    #32 0x7ffff135684b in void base::internal::FunctorTraits<void (mojo::Connector::*)(unsigned int), void>::Invoke<mojo::Connector*, unsigned int>(void (mojo::Connector::*)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:211:12
    #33 0x7ffff1356482 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (mojo::Connector::* const&)(unsigned int), mojo::Connector*, unsigned int>(void (mojo::Connector::* const&)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:294:12
    #34 0x7ffff13561de in void base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::RunImpl<void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, 0ul>(void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&) base/bind_internal.h:368:12
    #35 0x7ffff1355f3e in base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int) base/bind_internal.h:350:12
    #36 0x7ffff13361e3 in base::RepeatingCallback<void (unsigned int)>::Run(unsigned int) const & base/callback.h:94:12
    #37 0x7ffff1353513 in mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.h:194:14
    #38 0x7ffff1353afb in void base::internal::FunctorTraits<void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), void>::Invoke<base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&>(void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&, unsigned int&&, mojo::HandleSignalsState const&) base/bind_internal.h:166:12
    #39 0x7ffff1353a24 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&>(void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&, unsigned int&&, mojo::HandleSignalsState const&) base/bind_internal.h:294:12
    #40 0x7ffff1353971 in void base::internal::Invoker<base::internal::BindState<void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> >, void (unsigned int, mojo::HandleSignalsState const&)>::RunImpl<void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::RepeatingCallback<void (unsigned int)> > const&, 0ul>(void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::RepeatingCallback<void (unsigned int)> > const&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&, mojo::HandleSignalsState const&) base/bind_internal.h:368:12
    #41 0x7ffff135378f in base::internal::Invoker<base::internal::BindState<void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> >, void (unsigned int, mojo::HandleSignalsState const&)>::Run(base::internal::BindStateBase*, unsigned int, mojo::HandleSignalsState const&) base/bind_internal.h:350:12
    #42 0x7ffff11eb699 in base::RepeatingCallback<void (unsigned int, mojo::HandleSignalsState const&)>::Run(unsigned int, mojo::HandleSignalsState const&) const & base/callback.h:94:12
    #43 0x7ffff11e91a4 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:276:14
    #44 0x7ffff11ed241 in void base::internal::FunctorTraits<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), void>::Invoke<base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&>(void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&) base/bind_internal.h:211:12
    #45 0x7ffff11ecd45 in void base::internal::InvokeHelper<true, void>::MakeItSo<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&>(void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&) base/bind_internal.h:314:5
    #46 0x7ffff11eca5c in void base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0ul, 1ul, 2ul, 3ul>(void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>) base/bind_internal.h:368:12
    #47 0x7ffff11ec802 in base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:350:12
    #48 0x7ffff662a08f in base::OnceCallback<void ()>::Run() && base/callback.h:65:12
    #49 0x7ffff67446c6 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:55:33
    #50 0x7ffff6946cea in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:128:19
    #51 0x7ffff69625ce in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:391:25
    #52 0x7ffff6962f2c in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:403:5
    #53 0x7ffff6963890 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:447:16
    #54 0x7ffff6989f7b in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:309:49
    #55 0x7ffff6960b4d in base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:342:12
    #56 0x7ffff6be8d57 in base::RunLoop::Run() base/run_loop.cc:130:14
    #57 0x5555601071c4 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1939:12
    #58 0x7fffe0b46610 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1196:29
    #59 0x7fffe0b673ca in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:140:17
    #60 0x7fffe0b2602d in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:46:28
    #61 0x7fffe7c1a870 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:427:14
    #62 0x7fffe7c238a1 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:705:12
    #63 0x7fffe7c05885 in content::ContentServiceManagerMainDelegate::RunEmbedderProcess() content/app/content_service_manager_main_delegate.cc:51:32
    #64 0x7ffff7947419 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:456:29
    #65 0x7fffe7c17fbf in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #66 0x55555a3e46b7 in ChromeMain chrome/app/chrome_main.cc:127:12
    #67 0x55555a3e428e in main chrome/app/chrome_exe_main_aura.cc:17:10
    #68 0x7fff99c9e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

0x6180000cd080 is located 0 bytes inside of 816-byte region [0x6180000cd080,0x6180000cd3b0)
freed by thread T0 (chrome) here:
    #0 0x55555a3e2012 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:149:3
    #1 0x55556dd113fb in payments::PaymentRequestRowView::~PaymentRequestRowView() chrome/browser/ui/views/payments/payment_request_row_view.cc:28:49
    #2 0x7fffc70de78d in operator() buildtools/third_party/libc++/trunk/include/memory:2233:5
    #3 0x7fffc70de78d in reset buildtools/third_party/libc++/trunk/include/memory:2546
    #4 0x7fffc70de78d in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2500
    #5 0x7fffc70de78d in views::View::DoRemoveChildView(views::View*, bool, bool, bool, views::View*) ui/views/view.cc:2135
    #6 0x7fffc70e2215 in views::View::RemoveAllChildViews(bool) ui/views/view.cc:300:5
    #7 0x55556dd16f63 in payments::PaymentRequestSheetController::UpdateContentView() chrome/browser/ui/views/payments/payment_request_sheet_controller.cc:271:18
    #8 0x55556dd541a7 in payments::PaymentSheetViewController::OnSelectedInformationChanged() chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:389:3
    #9 0x55556f2d5b15 in payments::PaymentRequestState::NotifyOnSelectedInformationChanged() components/payments/content/payment_request_state.cc:462:14
    #10 0x55556f2ce2c5 in payments::PaymentRequestState::UpdateIsReadyToPayAndNotifyObservers() components/payments/content/payment_request_state.cc:452:3
    #11 0x55556f2ce1d8 in payments::PaymentRequestState::OnSpecUpdated() components/payments/content/payment_request_state.cc:152:3
    #12 0x55556f29ef15 in payments::PaymentRequestSpec::NotifyOnSpecUpdated() components/payments/content/payment_request_spec.cc:304:14
    #13 0x55556f29ecad in payments::PaymentRequestSpec::RecomputeSpecForDetails() components/payments/content/payment_request_spec.cc:109:3
    #14 0x55556f29ec69 in payments::PaymentRequestSpec::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request_spec.cc:103:3
    #15 0x55556f215688 in payments::PaymentRequest::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request.cc:212:10
    #16 0x7fffdf453c57 in payments::mojom::PaymentRequestStubDispatch::Accept(payments::mojom::PaymentRequest*, mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.cc:1373:13
    #17 0x55556f21c392 in payments::mojom::PaymentRequestStub<mojo::RawPtrImplRefTraits<payments::mojom::PaymentRequest> >::Accept(mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.h:347:12
    #18 0x7ffff1383e3a in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:418:32
    #19 0x7ffff1380ba7 in mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:132:18
    #20 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #21 0x7ffff138b9b6 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:305:19
    #22 0x7ffff13dc4be in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:880:42
    #23 0x7ffff13da726 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:604:38
    #24 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #25 0x7ffff134738e in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:440:51
    #26 0x7ffff134a2ec in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:469:10
    #27 0x7ffff1349a43 in mojo::Connector::OnHandleReadyInternal(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:374:3
    #28 0x7ffff1349737 in mojo::Connector::OnWatcherHandleReady(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:351:3
    #29 0x7ffff135684b in void base::internal::FunctorTraits<void (mojo::Connector::*)(unsigned int), void>::Invoke<mojo::Connector*, unsigned int>(void (mojo::Connector::*)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:211:12
    #30 0x7ffff1356482 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (mojo::Connector::* const&)(unsigned int), mojo::Connector*, unsigned int>(void (mojo::Connector::* const&)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:294:12
    #31 0x7ffff13561de in void base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::RunImpl<void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, 0ul>(void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&) base/bind_internal.h:368:12
    #32 0x7ffff1355f3e in base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int) base/bind_internal.h:350:12

previously allocated by thread T0 (chrome) here:
    #0 0x55555a3e1432 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0x55556dd71609 in make_unique<payments::PaymentRequestRowView, views::ButtonListener *&, bool &, const gfx::Insets &> buildtools/third_party/libc++/trunk/include/memory:3026:28
    #2 0x55556dd71609 in _ZN4base10MakeUniqueIN8payments21PaymentRequestRowViewEJRPN5views14ButtonListenerERbRKN3gfx6InsetsEEEEDTclsr3stdE11make_uniqueIT_Espclsr3stdE7forwardIT0_Efp_EEEDpOSD_ base/memory/ptr_util.h:25
    #3 0x55556dd6c6a0 in payments::(anonymous namespace)::CreatePaymentSheetRow(views::ButtonListener*, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >, std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >, std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >, bool, bool, views::GridLayout::Alignment) chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:153:7
    #4 0x55556dd68547 in payments::(anonymous namespace)::PaymentSheetRowBuilder::CreateWithChevron(std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >, std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >) chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:293:54
    #5 0x55556dd58c22 in payments::PaymentSheetViewController::CreatePaymentSheetSummaryRow() chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:644:18
    #6 0x55556dd54b5c in payments::PaymentSheetViewController::FillContentView(views::View*) chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:424:7
    #7 0x55556dd16ff9 in payments::PaymentRequestSheetController::UpdateContentView() chrome/browser/ui/views/payments/payment_request_sheet_controller.cc:272:3
    #8 0x55556dd540fb in payments::PaymentSheetViewController::OnSpecUpdated() chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:384:3
    #9 0x55556f29ef15 in payments::PaymentRequestSpec::NotifyOnSpecUpdated() components/payments/content/payment_request_spec.cc:304:14
    #10 0x55556f29ecad in payments::PaymentRequestSpec::RecomputeSpecForDetails() components/payments/content/payment_request_spec.cc:109:3
    #11 0x55556f29ec69 in payments::PaymentRequestSpec::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request_spec.cc:103:3
    #12 0x55556f215688 in payments::PaymentRequest::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request.cc:212:10
    #13 0x7fffdf453c57 in payments::mojom::PaymentRequestStubDispatch::Accept(payments::mojom::PaymentRequest*, mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.cc:1373:13
    #14 0x55556f21c392 in payments::mojom::PaymentRequestStub<mojo::RawPtrImplRefTraits<payments::mojom::PaymentRequest> >::Accept(mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.h:347:12
    #15 0x7ffff1383e3a in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:418:32
    #16 0x7ffff1380ba7 in mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:132:18
    #17 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #18 0x7ffff138b9b6 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:305:19
    #19 0x7ffff13dc4be in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:880:42
    #20 0x7ffff13da726 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:604:38
    #21 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #22 0x7ffff134738e in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:440:51
    #23 0x7ffff134a2ec in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:469:10
    #24 0x7ffff1349a43 in mojo::Connector::OnHandleReadyInternal(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:374:3
    #25 0x7ffff1349737 in mojo::Connector::OnWatcherHandleReady(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:351:3
    #26 0x7ffff135684b in void base::internal::FunctorTraits<void (mojo::Connector::*)(unsigned int), void>::Invoke<mojo::Connector*, unsigned int>(void (mojo::Connector::*)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:211:12
    #27 0x7ffff1356482 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (mojo::Connector::* const&)(unsigned int), mojo::Connector*, unsigned int>(void (mojo::Connector::* const&)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:294:12
    #28 0x7ffff13561de in void base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::RunImpl<void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, 0ul>(void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&) base/bind_internal.h:368:12
    #29 0x7ffff1355f3e in base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int) base/bind_internal.h:350:12
    #30 0x7ffff13361e3 in base::RepeatingCallback<void (unsigned int)>::Run(unsigned int) const & base/callback.h:94:12

SUMMARY: AddressSanitizer: heap-use-after-free chrome/browser/ui/views/payments/payment_request_row_view.cc:37:3 in payments::PaymentRequestRowView::ShowBottomSeparator()
Shadow bytes around the buggy address:
  0x0c30800119c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30800119d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30800119e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c30800119f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c3080011a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3080011a10:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080011a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080011a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080011a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080011a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080011a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3380==ABORTING
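Added illustration, not code from the report or from Chromium: a minimal C++ model of the teardown order the two stacks show (RemoveAllChildViews notifies each child that it is leaving, then deletes it) together with the hardening that keeps a neighbour pointer from going stale. It assumes, as the stacks suggest but the page does not state, that a row keeps a raw pointer to the row above it whose separator it toggles; RowView, ContentView, SimulateEnterThenRebuild and all method names are hypothetical stand-ins.

```cpp
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Toy stand-in for payments::PaymentRequestRowView (illustration, not Chromium
// code). ASSUMPTION not stated on the page: each row keeps a raw pointer to the
// row above it so that highlighting a row can hide that neighbour's separator.
// Both ASan stacks fit such a pointer going stale while RemoveAllChildViews()
// tears the rows down one at a time (each child is notified, then deleted).
class RowView {
 public:
  explicit RowView(RowView* previous_row) : previous_row_(previous_row) {
    if (previous_row_) previous_row_->next_row_ = this;
  }
  // Hardening: unlink both neighbours on destruction, so a live row can never
  // dereference one that DoRemoveChildView() has already deleted.
  ~RowView() {
    if (previous_row_) previous_row_->next_row_ = nullptr;
    if (next_row_) next_row_->previous_row_ = nullptr;
  }
  // Keyboard activation (the reporter needs Enter, not a click) leaves the
  // button highlighted until something resets its state.
  void PressWithKeyboard() { pressed_ = true; SetIsHighlighted(true); }

  // Mirrors Button::ViewHierarchyChanged -> SetState -> StateChanged in the
  // READ stack: leaving the hierarchy resets the state, which un-highlights
  // the row. Returns true when that state change actually happened.
  bool OnRemovedFromHierarchy() {
    if (!pressed_) return false;
    pressed_ = false;
    SetIsHighlighted(false);
    return true;
  }
  void SetIsHighlighted(bool highlighted) {
    if (highlighted) {
      HideBottomSeparator();
      if (previous_row_) previous_row_->HideBottomSeparator();
    } else {
      ShowBottomSeparator();
      // Frame #0 of the report is this call on an already freed previous_row_.
      // The null check is only sound because ~RowView() clears the pointer.
      if (previous_row_) previous_row_->ShowBottomSeparator();
    }
  }
  void ShowBottomSeparator() { separator_visible_ = true; }
  void HideBottomSeparator() { separator_visible_ = false; }

 private:
  RowView* previous_row_;
  RowView* next_row_ = nullptr;
  bool pressed_ = false;
  bool separator_visible_ = true;
};

// Toy stand-in for the content view that UpdateContentView() clears.
class ContentView {
 public:
  RowView* AddRow() {
    RowView* previous = rows_.empty() ? nullptr : rows_.back().get();
    rows_.push_back(std::make_unique<RowView>(previous));
    return rows_.back().get();
  }
  // Notify each child that it is leaving, then delete it (the order in view.cc).
  // Returns how many un-highlighted rows were notified after a row above them
  // had already been deleted: each is a stale dereference the unlinking avoided.
  int RemoveAllChildViews() {
    int prevented = 0;
    bool deleted_one = false;
    while (!rows_.empty()) {
      std::unique_ptr<RowView> row = std::move(rows_.front());
      rows_.erase(rows_.begin());
      if (row->OnRemovedFromHierarchy() && deleted_one) ++prevented;
      deleted_one = true;
    }  // `row` is destroyed here, after its notification.
    return prevented;
  }

 private:
  std::vector<std::unique_ptr<RowView>> rows_;
};

// Scenario from the report: one row is activated with Enter, the spec update
// rebuilds the sheet, and the rows are torn down top to bottom.
int SimulateEnterThenRebuild(int row_count, int pressed_index) {
  ContentView content;
  std::vector<RowView*> rows;
  for (int i = 0; i < row_count; ++i) rows.push_back(content.AddRow());
  rows[pressed_index]->PressWithKeyboard();
  return content.RemoveAllChildViews();
}

int main() { std::printf("prevented: %d\n", SimulateEnterThenRebuild(3, 1)); }
```

Without the unlinking destructor, the same sequence dereferences the deleted row exactly where the count is incremented, which is what ASan flagged at payment_request_row_view.cc:37.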
Dec 8 2017
Dec 11 2017
Thanks for the report. I'm not able to reproduce this crash in 65.0.3291.1 on Windows. Your original report notes this on Linux but the video shows you're also able to reproduce this on Windows? Are these both Chrome 65, or have you been able to reproduce in any earlier build?
Dec 11 2017
I'm able to repro this on Mac, Linux, Windows on Canary and stable as well. Please don't forget to click on Enter (keyboard) to repro the crash.
Dec 11 2017
1. Go to https://emerald-eon.appspot.com/ and click on Demo.
2. Edit an address and press on Enter.
3. Edit again another address and press on Enter.
4. Observe.
Dec 11 2017
Dec 11 2017
Dec 11 2017
anthonyvd@ could you please triage this bug? This seems like a UaF crash that happens when the user tries to edit two different addresses by pressing Enter.
Dec 11 2017
RE #4: Ah, thanks. The fact that you have to use the Enter key rather than hitting the button with the mouse turns out to be quite important. Technically, this is memory corruption in the browser process which calls for Severity-High, although given the user-interaction requirement here that's perhaps a bit overstated. Anthony, can you help find an owner?
Dec 11 2017
Dec 13 2017
Dec 13 2017
Dec 19 2017
Any update on this bug?
Dec 19 2017
We think this is the same root cause as Issue 794078 so I'll merge them. Rouslan, feel free to assign it to me if you can't get to it before going on leave.
Dec 19 2017
This is essentially the same as Issue 788514 which was marked as fixed in M65 but the fix was incomplete. I can see there are two different crashes (use-after-free and NULL dereference) with different steps to repro.
Apr 7 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Dec 8 2017
Labels: OS-Chrome OS-Linux OS-Windows