chrome_child!blink::AXARIAGrid::AddRow memory corruption
Reported by j00sean....@gmail.com, Dec 11 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Steps to reproduce the problem:
+ Page heap turned on for chrome:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>gflags.exe /i chrome.exe
Current Registry Settings for chrome.exe executable are: 02109870
htc - Enable heap tail checking
hfc - Enable heap free checking
hpc - Enable heap parameter checking
htg - Enable heap tagging
ust - Create user mode stack trace database
htd - Enable heap tagging by DLL
scb - Enable system critical breaks
hpa - Enable page heap
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>echo %CHROME_ALLOCATOR%
winheap
+ Launch chrome with switches --no-sandbox and --force-renderer-accessibility:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>windbg.exe -g -G -o "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox --force-renderer-accessibility http://127.0.0.1:8000/1.html
(38bc.1380): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chrome_child!blink::AXARIAGrid::AddRow+0x8 [inlined in chrome_child!blink::AXARIAGrid::ComputeRows+0x36]:
00007ffc`46b864aa ff9088000000 call qword ptr [rax+88h] ds:00007ffc`00000088=????????????????
4:038> k
# Child-SP RetAddr Call Site
00 (Inline Function) --------`-------- chrome_child!blink::AXARIAGrid::AddRow+0x8 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 49]
01 000000b3`3d3fdbb0 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x36 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 62]
02 000000b3`3d3fdbf0 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61]
03 000000b3`3d3fdc30 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61]
04 000000b3`3d3fdc70 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61]
05 000000b3`3d3fdcb0 00007ffc`46b862b5 chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61]
06 000000b3`3d3fdcf0 00007ffc`46b7a618 chrome_child!blink::AXARIAGrid::AddChildren+0x3d [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 113]
07 (Inline Function) --------`-------- chrome_child!blink::AXObject::UpdateChildrenIfNecessary+0x12 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axobject.cpp @ 1750]
08 000000b3`3d3fdd30 00007ffc`46b6e6ea chrome_child!blink::AXLayoutObject::UpdateChildrenIfNecessary+0x34 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axlayoutobject.cpp @ 1665]
09 (Inline Function) --------`-------- chrome_child!blink::AXObject::Children+0xc [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axobject.cpp @ 1682]
0a 000000b3`3d3fdd60 00007ffc`460b7adc chrome_child!blink::AXTableRow::Cells+0x12 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axtablerow.h @ 57]
0b 000000b3`3d3fdd90 00007ffc`461c6afb chrome_child!blink::WebAXObject::ChildCount+0x28 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\exported\webaxobject.cpp @ 208]
0c 000000b3`3d3fddc0 00007ffc`4618c9fc chrome_child!content::BlinkAXTreeSource::GetChildren+0xbf [c:\b\c\b\win64_pgo\src\content\renderer\accessibility\blink_ax_tree_source.cc @ 379]
0d 000000b3`3d3fde30 00007ffc`4618ca3c chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::WalkAllDescendants+0x58 [c:\b\c\b\win64_pgo\src\ui\accessibility\ax_tree_serializer.h @ 546]
0e 000000b3`3d3fde80 00007ffc`4618c2fc chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::WalkAllDescendants+0x98 [c:\b\c\b\win64_pgo\src\ui\accessibility\ax_tree_serializer.h @ 546]
0f 000000b3`3d3fded0 00007ffc`4618b6fb chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChanges+0x204 [c:\b\c\b\win64_pgo\src\ui\accessibility\ax_tree_serializer.h @ 382]
10 000000b3`3d3fe040 00007ffc`443413c2 chrome_child!content::RenderAccessibilityImpl::SendPendingAccessibilityEvents+0x237 [c:\b\c\b\win64_pgo\src\content\renderer\accessibility\render_accessibility_impl.cc @ 420]
11 (Inline Function) --------`-------- chrome_child!base::internal::FunctorTraits<void (__cdecl cc::ResourcePool::*)(void),void>::Invoke+0x1f [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 194]
12 (Inline Function) --------`-------- chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo+0x2e [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 297]
13 (Inline Function) --------`-------- chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl cc::ResourcePool::*)(void),base::WeakPtr<cc::ResourcePool> >,void __cdecl(void)>::RunImpl+0x32 [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 349]
14 000000b3`3d3fe4b0 00007ffc`443ceb8e chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl cc::ResourcePool::*)(void) __ptr64,base::WeakPtr<cc::ResourcePool> >,void __cdecl(void)>::RunOnce+0x3e [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 322]
15 (Inline Function) --------`-------- chrome_child!base::OnceCallback<void __cdecl(void)>::Run+0x22 [c:\b\c\b\win64_pgo\src\base\callback.h @ 64]
16 000000b3`3d3fe4f0 00007ffc`44360106 chrome_child!base::debug::TaskAnnotator::RunTask+0xda [c:\b\c\b\win64_pgo\src\base\debug\task_annotator.cc @ 57]
17 000000b3`3d3fe5e0 00007ffc`443ce2a6 chrome_child!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x1b2 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 534]
18 000000b3`3d3fe8a0 00007ffc`44358a3b chrome_child!blink::scheduler::TaskQueueManager::DoWork+0x18e [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 322]
19 (Inline Function) --------`-------- chrome_child!base::internal::FunctorTraits<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool),void>::Invoke+0x27 [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 194]
1a (Inline Function) --------`-------- chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo+0x40 [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 297]
1b (Inline Function) --------`-------- chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void __cdecl(void)>::RunImpl+0x44 [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 349]
1c 000000b3`3d3fea20 00007ffc`443ceb8e chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool) __ptr64,base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void __cdecl(void)>::Run+0x4b [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 334]
1d (Inline Function) --------`-------- chrome_child!base::OnceCallback<void __cdecl(void)>::Run+0x22 [c:\b\c\b\win64_pgo\src\base\callback.h @ 64]
1e 000000b3`3d3fea60 00007ffc`4435edd1 chrome_child!base::debug::TaskAnnotator::RunTask+0xda [c:\b\c\b\win64_pgo\src\base\debug\task_annotator.cc @ 57]
1f (Inline Function) --------`-------- chrome_child!base::internal::IncomingTaskQueue::RunTask+0x1a [c:\b\c\b\win64_pgo\src\base\message_loop\incoming_task_queue.cc @ 130]
20 000000b3`3d3feb50 00007ffc`443cf052 chrome_child!base::MessageLoop::RunTask+0xb9 [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 395]
21 (Inline Function) --------`-------- chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x12 [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 406]
22 000000b3`3d3fec70 00007ffc`443ce035 chrome_child!base::MessageLoop::DoWork+0x1aa [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 450]
23 000000b3`3d3fedc0 00007ffc`444df55c chrome_child!base::MessagePumpDefault::Run+0x31 [c:\b\c\b\win64_pgo\src\base\message_loop\message_pump_default.cc @ 37]
24 000000b3`3d3fee50 00007ffc`444df4fc chrome_child!base::MessageLoop::Run+0x28 [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 347]
25 000000b3`3d3fee80 00007ffc`447f15a6 chrome_child!base::RunLoop::Run+0x68 [c:\b\c\b\win64_pgo\src\base\run_loop.cc @ 120]
26 000000b3`3d3feef0 00007ffc`446cf612 chrome_child!content::RendererMain+0x1ee [c:\b\c\b\win64_pgo\src\content\renderer\renderer_main.cc @ 220]
27 000000b3`3d3ff090 00007ffc`445a3b7c chrome_child!content::RunNamedProcessTypeMain+0xb6 [c:\b\c\b\win64_pgo\src\content\app\content_main_runner.cc @ 448]
28 000000b3`3d3ff1e0 00007ffc`446d018f chrome_child!content::ContentMainRunnerImpl::Run+0xbc [c:\b\c\b\win64_pgo\src\content\app\content_main_runner.cc @ 710]
29 000000b3`3d3ff270 00007ffc`44385b87 chrome_child!service_manager::Main+0x1e7 [c:\b\c\b\win64_pgo\src\services\service_manager\embedder\main.cc @ 458]
2a 000000b3`3d3ff400 00007ffc`44385b2a chrome_child!content::ContentMain+0x27 [c:\b\c\b\win64_pgo\src\content\app\content_main.cc @ 19]
2b 000000b3`3d3ff470 00007ff7`6e027164 chrome_child!ChromeMain+0x17e [c:\b\c\b\win64_pgo\src\chrome\app\chrome_main.cc @ 125]
2c 000000b3`3d3ff520 00007ff7`6e02256e chrome!MainDllLoader::Launch+0x3c4 [c:\b\c\b\win64_pgo\src\chrome\app\main_dll_loader_win.cc @ 201]
2d 000000b3`3d3ff650 00007ff7`6e0f73e3 chrome!wWinMain+0x336 [c:\b\c\b\win64_pgo\src\chrome\app\chrome_exe_main_win.cc @ 231]
2e (Inline Function) --------`-------- chrome!invoke_main+0x21 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 118]
2f 000000b3`3d3ff840 00007ffc`75121fe4 chrome!__scrt_common_main_seh+0x117 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283]
30 000000b3`3d3ff880 00007ffc`7658ef91 KERNEL32!BaseThreadInitThunk+0x14
31 000000b3`3d3ff8b0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
+ Testcase (1.html):
<html>
<head><style>#divparent {-webkit-user-modify: read-only }</style></head>
<body>
<div id="divparent"><div role="grid"><div><canvas><div><div role="row"></div></canvas>
</body>
</html>
+ Tested on:
OS => Microsoft Windows [Version 10.0.16299.98]
Chrome => Version 63.0.3239.84 (Official Build) (64-bit)
OS => Microsoft Windows [Version 6.1.7601]
Chrome => Version 63.0.3239.84 (Official Build) (32-bit)
+ Note this bug didn't reproduce in the canary channel.
+ This bug was found thanks to Domato: https://github.com/google/domato
What is the expected behavior?
testcase works fine
What went wrong?
tab crash
Did this work before? N/A
Chrome version: 63.0.3239.84 Channel: stable
OS Version: 10.0
Flash Version:
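The reproduction setup from the steps above (gflags page heap, CHROME_ALLOCATOR=winheap, Chrome under WinDbg with --no-sandbox and --force-renderer-accessibility), collected into one script. This is an added example, not part of the original report or of Chromium; the debugger, Chrome and testcase directory paths are assumptions taken from or modelled on the report, and it assumes python is on PATH to serve 1.html on port 8000. Run it from an elevated PowerShell prompt, since gflags writes Image File Execution Options under HKLM.

```powershell
# Added example (not from the original report): one-shot page-heap + WinDbg repro setup.
# Assumed paths (adjust for your machine): debugger kit, Chrome, and a directory holding 1.html.
$dbgDir  = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'
$chrome  = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
$testDir = 'C:\repro'                      # assumption: contains the 1.html testcase
$url     = 'http://127.0.0.1:8000/1.html'

# 1. Full page heap (+hpa) and user-mode stack traces (+ust) for every chrome.exe image,
#    renderers included. This is what the report's "gflags.exe /i chrome.exe" output reflects.
& "$dbgDir\gflags.exe" /i chrome.exe '+hpa' '+ust'

# 2. Page heap instruments the Windows heap, so Chrome must be told to allocate from it,
#    as the report does with CHROME_ALLOCATOR=winheap.
$env:CHROME_ALLOCATOR = 'winheap'

# 3. Serve the testcase locally; a single static file only needs Python's built-in server.
$server = Start-Process -FilePath python -ArgumentList '-m', 'http.server', '8000' `
              -WorkingDirectory $testDir -PassThru -WindowStyle Hidden

try {
    # 4. Launch Chrome under WinDbg exactly as in the report:
    #    -g / -G  skip the initial and final breakpoints,
    #    -o       debug child processes, so the renderer crash lands in the debugger,
    #    --no-sandbox lets the debugger follow into the renderer,
    #    --force-renderer-accessibility builds the accessibility tree that the crashing path walks.
    $dbgArgs = @('-g', '-G', '-o', "`"$chrome`"",
                 '--no-sandbox', '--force-renderer-accessibility', $url)
    Start-Process -FilePath "$dbgDir\windbg.exe" -ArgumentList $dbgArgs -Wait
}
finally {
    # 5. Stop the server and clear the flags; full page heap puts every allocation on its
    #    own page, so leaving it enabled makes ordinary Chrome runs slow and memory-hungry.
    Stop-Process -Id $server.Id -ErrorAction SilentlyContinue
    & "$dbgDir\gflags.exe" /i chrome.exe '-hpa' '-ust'
}
```

The try/finally matters for the last step: the IFEO entry written by gflags is per image name and persists across reboots, so an aborted session would otherwise leave page heap enabled for every future chrome.exe on the box.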
Comment (Dec 13 2017)

Comment (Dec 15 2017)
@elawrence, I think the CL that should have fixed this was already cherry picked. For reference: https://chromium-review.googlesource.com/c/chromium/src/+/747982#message-4ba87989a8a6977e1981a575ba32f0c93d09f446

Comment (Dec 15 2017)

Comment (Dec 15 2017)
This was originally fixed on trunk (in the dupe), and I did the merge to M63 incorrectly until just now.

Comment (Dec 15 2017)
Could someone give me access to issue 778966?

Comment (Jan 11 2018)
Still waiting for access to the first report.

Comment (Mar 24 2018)
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Dec 11 2017
Labels: Security_Severity-Medium M-63 Security_Impact-Stable
Owner: aleventhal@chromium.org
Status: Assigned (was: Unconfirmed)