Browser crash - UAF in payments::PaymentRequestRowView::ShowBottomSeparator()
Reported by jackwill...@gmail.com, Jan 25 2018
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce the problem:
1. Visit https://rsolomakhin.github.io/pr/us/
2. Click on "Choose"
3. Add an address, fill in the fields and press the "Enter" key
4. Repeat step 3

What is the expected behavior?
No crash.

What went wrong?
Browser crash.

Did this work before? N/A

Chrome version: <Copy from: 'about:version'>
Channel: n/a
OS Version: 7
Flash Version: Shockwave Flash 28.0 r0

=================================================================
==1748==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000247c80 at pc 0x55556dd10ecd bp 0x7fffffff72f0 sp 0x7fffffff72e8
READ of size 8 at 0x618000247c80 thread T0 (chrome)
    #0 0x55556dd10ecc in payments::PaymentRequestRowView::ShowBottomSeparator() chrome/browser/ui/views/payments/payment_request_row_view.cc:37:3
    #1 0x55556dd122fa in payments::PaymentRequestRowView::SetIsHighlighted(bool) chrome/browser/ui/views/payments/payment_request_row_view.cc:59:22
    #2 0x55556dd12453 in payments::PaymentRequestRowView::StateChanged(views::Button::ButtonState) chrome/browser/ui/views/payments/payment_request_row_view.cc:68:3
    #3 0x7fffc6d74ae7 in views::Button::SetState(views::Button::ButtonState) ui/views/controls/button/button.cc:137:3
    #4 0x7fffc6d78e09 in views::Button::ViewHierarchyChanged(views::View::ViewHierarchyChangedDetails const&) ui/views/controls/button/button.cc:438:5
    #5 0x7fffc70e1198 in views::View::ViewHierarchyChangedImpl(bool, views::View::ViewHierarchyChangedDetails const&) ui/views/view.cc:2192:3
    #6 0x7fffc7116a95 in views::View::PropagateRemoveNotifications(views::View*, views::View*, bool) ui/views/view.cc:2150:8
    #7 0x7fffc71169bd in views::View::PropagateRemoveNotifications(views::View*, views::View*, bool) ui/views/view.cc:2143:14
    #8 0x7fffc70dcfce in views::View::DoRemoveChildView(views::View*, bool, bool, bool, views::View*) ui/views/view.cc:2116:9
    #9 0x7fffc70e2215 in views::View::RemoveAllChildViews(bool) ui/views/view.cc:300:5
    #10 0x55556dd16f63 in payments::PaymentRequestSheetController::UpdateContentView() chrome/browser/ui/views/payments/payment_request_sheet_controller.cc:271:18
    #11 0x55556dd541a7 in payments::PaymentSheetViewController::OnSelectedInformationChanged() chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:389:3
    #12 0x55556f2d5b15 in payments::PaymentRequestState::NotifyOnSelectedInformationChanged() components/payments/content/payment_request_state.cc:462:14
    #13 0x55556f2ce2c5 in payments::PaymentRequestState::UpdateIsReadyToPayAndNotifyObservers() components/payments/content/payment_request_state.cc:452:3
    #14 0x55556f2ce1d8 in payments::PaymentRequestState::OnSpecUpdated() components/payments/content/payment_request_state.cc:152:3
    #15 0x55556f29ef15 in payments::PaymentRequestSpec::NotifyOnSpecUpdated() components/payments/content/payment_request_spec.cc:304:14
    #16 0x55556f29ecad in payments::PaymentRequestSpec::RecomputeSpecForDetails() components/payments/content/payment_request_spec.cc:109:3
    #17 0x55556f29ec69 in payments::PaymentRequestSpec::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request_spec.cc:103:3
    #18 0x55556f215688 in payments::PaymentRequest::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request.cc:212:10
    #19 0x7fffdf453c57 in payments::mojom::PaymentRequestStubDispatch::Accept(payments::mojom::PaymentRequest*, mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.cc:1373:13
    #20 0x55556f21c392 in payments::mojom::PaymentRequestStub<mojo::RawPtrImplRefTraits<payments::mojom::PaymentRequest> >::Accept(mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.h:347:12
    #21 0x7ffff1383e3a in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:418:32
    #22 0x7ffff1380ba7 in mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:132:18
    #23 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #24 0x7ffff138b9b6 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:305:19
    #25 0x7ffff13dc4be in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:880:42
    #26 0x7ffff13da726 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:604:38
    #27 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #28 0x7ffff134738e in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:440:51
    #29 0x7ffff134a2ec in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:469:10
    #30 0x7ffff1349a43 in mojo::Connector::OnHandleReadyInternal(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:374:3
    #31 0x7ffff1349737 in mojo::Connector::OnWatcherHandleReady(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:351:3
    #32 0x7ffff135684b in void base::internal::FunctorTraits<void (mojo::Connector::*)(unsigned int), void>::Invoke<mojo::Connector*, unsigned int>(void (mojo::Connector::*)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:211:12
    #33 0x7ffff1356482 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (mojo::Connector::* const&)(unsigned int), mojo::Connector*, unsigned int>(void (mojo::Connector::* const&)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:294:12
    #34 0x7ffff13561de in void base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::RunImpl<void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, 0ul>(void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&) base/bind_internal.h:368:12
    #35 0x7ffff1355f3e in base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int) base/bind_internal.h:350:12
    #36 0x7ffff13361e3 in base::RepeatingCallback<void (unsigned int)>::Run(unsigned int) const & base/callback.h:94:12
    #37 0x7ffff1353513 in mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.h:194:14
    #38 0x7ffff1353afb in void base::internal::FunctorTraits<void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), void>::Invoke<base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&>(void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&, unsigned int&&, mojo::HandleSignalsState const&) base/bind_internal.h:166:12
    #39 0x7ffff1353a24 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&>(void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> const&, unsigned int&&, mojo::HandleSignalsState const&) base/bind_internal.h:294:12
    #40 0x7ffff1353971 in void base::internal::Invoker<base::internal::BindState<void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> >, void (unsigned int, mojo::HandleSignalsState const&)>::RunImpl<void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::RepeatingCallback<void (unsigned int)> > const&, 0ul>(void (* const&)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::RepeatingCallback<void (unsigned int)> > const&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&, mojo::HandleSignalsState const&) base/bind_internal.h:368:12
    #41 0x7ffff135378f in base::internal::Invoker<base::internal::BindState<void (*)(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&), base::RepeatingCallback<void (unsigned int)> >, void (unsigned int, mojo::HandleSignalsState const&)>::Run(base::internal::BindStateBase*, unsigned int, mojo::HandleSignalsState const&) base/bind_internal.h:350:12
    #42 0x7ffff11eb699 in base::RepeatingCallback<void (unsigned int, mojo::HandleSignalsState const&)>::Run(unsigned int, mojo::HandleSignalsState const&) const & base/callback.h:94:12
    #43 0x7ffff11e91a4 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:276:14
    #44 0x7ffff11ed241 in void base::internal::FunctorTraits<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), void>::Invoke<base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&>(void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&) base/bind_internal.h:211:12
    #45 0x7ffff11ecd45 in void base::internal::InvokeHelper<true, void>::MakeItSo<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&>(void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher> const&, int const&, unsigned int const&, mojo::HandleSignalsState const&) base/bind_internal.h:314:5
    #46 0x7ffff11eca5c in void base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0ul, 1ul, 2ul, 3ul>(void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>) base/bind_internal.h:368:12
    #47 0x7ffff11ec802 in base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:350:12
    #48 0x7ffff662a08f in base::OnceCallback<void ()>::Run() && base/callback.h:65:12
    #49 0x7ffff67446c6 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:55:33
    #50 0x7ffff6946cea in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:128:19
    #51 0x7ffff69625ce in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:391:25
    #52 0x7ffff6962f2c in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:403:5
    #53 0x7ffff6963890 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:447:16
    #54 0x7ffff6989f7b in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:309:49
    #55 0x7ffff6960b4d in base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:342:12
    #56 0x7ffff6be8d57 in base::RunLoop::Run() base/run_loop.cc:130:14
    #57 0x5555601071c4 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1939:12
    #58 0x7fffe0b46610 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1196:29
    #59 0x7fffe0b673ca in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:140:17
    #60 0x7fffe0b2602d in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:46:28
    #61 0x7fffe7c1a870 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:427:14
    #62 0x7fffe7c238a1 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:705:12
    #63 0x7fffe7c05885 in content::ContentServiceManagerMainDelegate::RunEmbedderProcess() content/app/content_service_manager_main_delegate.cc:51:32
    #64 0x7ffff7947419 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:456:29
    #65 0x7fffe7c17fbf in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #66 0x55555a3e46b7 in ChromeMain chrome/app/chrome_main.cc:127:12
    #67 0x55555a3e428e in main chrome/app/chrome_exe_main_aura.cc:17:10
    #68 0x7fff99c9e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

0x618000247c80 is located 0 bytes inside of 816-byte region [0x618000247c80,0x618000247fb0)
freed by thread T0 (chrome) here:
    #0 0x55555a3e2012 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:149:3
    #1 0x55556dd113fb in payments::PaymentRequestRowView::~PaymentRequestRowView() chrome/browser/ui/views/payments/payment_request_row_view.cc:28:49
    #2 0x7fffc70de78d in operator() buildtools/third_party/libc++/trunk/include/memory:2233:5
    #3 0x7fffc70de78d in reset buildtools/third_party/libc++/trunk/include/memory:2546
    #4 0x7fffc70de78d in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2500
    #5 0x7fffc70de78d in views::View::DoRemoveChildView(views::View*, bool, bool, bool, views::View*) ui/views/view.cc:2135
    #6 0x7fffc70e2215 in views::View::RemoveAllChildViews(bool) ui/views/view.cc:300:5
    #7 0x55556dd16f63 in payments::PaymentRequestSheetController::UpdateContentView() chrome/browser/ui/views/payments/payment_request_sheet_controller.cc:271:18
    #8 0x55556dd541a7 in payments::PaymentSheetViewController::OnSelectedInformationChanged() chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:389:3
    #9 0x55556f2d5b15 in payments::PaymentRequestState::NotifyOnSelectedInformationChanged() components/payments/content/payment_request_state.cc:462:14
    #10 0x55556f2ce2c5 in payments::PaymentRequestState::UpdateIsReadyToPayAndNotifyObservers() components/payments/content/payment_request_state.cc:452:3
    #11 0x55556f2ce1d8 in payments::PaymentRequestState::OnSpecUpdated() components/payments/content/payment_request_state.cc:152:3
    #12 0x55556f29ef15 in payments::PaymentRequestSpec::NotifyOnSpecUpdated() components/payments/content/payment_request_spec.cc:304:14
    #13 0x55556f29ecad in payments::PaymentRequestSpec::RecomputeSpecForDetails() components/payments/content/payment_request_spec.cc:109:3
    #14 0x55556f29ec69 in payments::PaymentRequestSpec::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request_spec.cc:103:3
    #15 0x55556f215688 in payments::PaymentRequest::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request.cc:212:10
    #16 0x7fffdf453c57 in payments::mojom::PaymentRequestStubDispatch::Accept(payments::mojom::PaymentRequest*, mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.cc:1373:13
    #17 0x55556f21c392 in payments::mojom::PaymentRequestStub<mojo::RawPtrImplRefTraits<payments::mojom::PaymentRequest> >::Accept(mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.h:347:12
    #18 0x7ffff1383e3a in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:418:32
    #19 0x7ffff1380ba7 in mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:132:18
    #20 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #21 0x7ffff138b9b6 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:305:19
    #22 0x7ffff13dc4be in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:880:42
    #23 0x7ffff13da726 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:604:38
    #24 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #25 0x7ffff134738e in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:440:51
    #26 0x7ffff134a2ec in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:469:10
    #27 0x7ffff1349a43 in mojo::Connector::OnHandleReadyInternal(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:374:3
    #28 0x7ffff1349737 in mojo::Connector::OnWatcherHandleReady(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:351:3
    #29 0x7ffff135684b in void base::internal::FunctorTraits<void (mojo::Connector::*)(unsigned int), void>::Invoke<mojo::Connector*, unsigned int>(void (mojo::Connector::*)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:211:12
    #30 0x7ffff1356482 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (mojo::Connector::* const&)(unsigned int), mojo::Connector*, unsigned int>(void (mojo::Connector::* const&)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:294:12
    #31 0x7ffff13561de in void base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::RunImpl<void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, 0ul>(void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&) base/bind_internal.h:368:12
    #32 0x7ffff1355f3e in base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int) base/bind_internal.h:350:12

previously allocated by thread T0 (chrome) here:
    #0 0x55555a3e1432 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0x55556dd71609 in make_unique<payments::PaymentRequestRowView, views::ButtonListener *&, bool &, const gfx::Insets &> buildtools/third_party/libc++/trunk/include/memory:3026:28
    #2 0x55556dd71609 in _ZN4base10MakeUniqueIN8payments21PaymentRequestRowViewEJRPN5views14ButtonListenerERbRKN3gfx6InsetsEEEEDTclsr3stdE11make_uniqueIT_Espclsr3stdE7forwardIT0_Efp_EEEDpOSD_ base/memory/ptr_util.h:25
    #3 0x55556dd6c6a0 in payments::(anonymous namespace)::CreatePaymentSheetRow(views::ButtonListener*, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, std::__1::basic_string<unsigned short, base::string16_internals::string16_char_traits, std::__1::allocator<unsigned short> > const&, std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >, std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >, std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >, bool, bool, views::GridLayout::Alignment) chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:153:7
    #4 0x55556dd68547 in payments::(anonymous namespace)::PaymentSheetRowBuilder::CreateWithChevron(std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >, std::__1::unique_ptr<views::View, std::__1::default_delete<views::View> >) chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:293:54
    #5 0x55556dd58c22 in payments::PaymentSheetViewController::CreatePaymentSheetSummaryRow() chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:644:18
    #6 0x55556dd54b5c in payments::PaymentSheetViewController::FillContentView(views::View*) chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:424:7
    #7 0x55556dd16ff9 in payments::PaymentRequestSheetController::UpdateContentView() chrome/browser/ui/views/payments/payment_request_sheet_controller.cc:272:3
    #8 0x55556dd540fb in payments::PaymentSheetViewController::OnSpecUpdated() chrome/browser/ui/views/payments/payment_sheet_view_controller.cc:384:3
    #9 0x55556f29ef15 in payments::PaymentRequestSpec::NotifyOnSpecUpdated() components/payments/content/payment_request_spec.cc:304:14
    #10 0x55556f29ecad in payments::PaymentRequestSpec::RecomputeSpecForDetails() components/payments/content/payment_request_spec.cc:109:3
    #11 0x55556f29ec69 in payments::PaymentRequestSpec::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request_spec.cc:103:3
    #12 0x55556f215688 in payments::PaymentRequest::UpdateWith(mojo::StructPtr<payments::mojom::PaymentDetails>) components/payments/content/payment_request.cc:212:10
    #13 0x7fffdf453c57 in payments::mojom::PaymentRequestStubDispatch::Accept(payments::mojom::PaymentRequest*, mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.cc:1373:13
    #14 0x55556f21c392 in payments::mojom::PaymentRequestStub<mojo::RawPtrImplRefTraits<payments::mojom::PaymentRequest> >::Accept(mojo::Message*) out/Debug/gen/third_party/WebKit/public/platform/modules/payments/payment_request.mojom.h:347:12
    #15 0x7ffff1383e3a in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:418:32
    #16 0x7ffff1380ba7 in mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:132:18
    #17 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #18 0x7ffff138b9b6 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:305:19
    #19 0x7ffff13dc4be in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:880:42
    #20 0x7ffff13da726 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:604:38
    #21 0x7ffff137b562 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #22 0x7ffff134738e in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:440:51
    #23 0x7ffff134a2ec in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:469:10
    #24 0x7ffff1349a43 in mojo::Connector::OnHandleReadyInternal(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:374:3
    #25 0x7ffff1349737 in mojo::Connector::OnWatcherHandleReady(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:351:3
    #26 0x7ffff135684b in void base::internal::FunctorTraits<void (mojo::Connector::*)(unsigned int), void>::Invoke<mojo::Connector*, unsigned int>(void (mojo::Connector::*)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:211:12
    #27 0x7ffff1356482 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (mojo::Connector::* const&)(unsigned int), mojo::Connector*, unsigned int>(void (mojo::Connector::* const&)(unsigned int), mojo::Connector*&&, unsigned int&&) base/bind_internal.h:294:12
    #28 0x7ffff13561de in void base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::RunImpl<void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, 0ul>(void (mojo::Connector::* const&)(unsigned int), std::__1::tuple<base::internal::UnretainedWrapper<mojo::Connector> > const&, std::__1::integer_sequence<unsigned long, 0ul>, unsigned int&&) base/bind_internal.h:368:12
    #29 0x7ffff1355f3e in base::internal::Invoker<base::internal::BindState<void (mojo::Connector::*)(unsigned int), base::internal::UnretainedWrapper<mojo::Connector> >, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int) base/bind_internal.h:350:12
    #30 0x7ffff13361e3 in base::RepeatingCallback<void (unsigned int)>::Run(unsigned int) const & base/callback.h:94:12

SUMMARY: AddressSanitizer: heap-use-after-free chrome/browser/ui/views/payments/payment_request_row_view.cc:37:3 in payments::PaymentRequestRowView::ShowBottomSeparator()
Shadow bytes around the buggy address:
  0x0c3080040f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080040f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080040f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080040f70: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c3080040f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3080040f90:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080040fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080040fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080040fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080040fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3080040fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
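Reading the three stacks together: the freed 816-byte region is a PaymentRequestRowView deleted by View::DoRemoveChildView (view.cc:2135) inside RemoveAllChildViews(), and the use happens while the next child is being removed, when Button::ViewHierarchyChanged resets the button state and PaymentRequestRowView::SetIsHighlighted(false) ends up calling ShowBottomSeparator() on a sibling row that the same loop already destroyed (an 8-byte read at offset 0 of the freed object is what a virtual call on a deleted object looks like). The model below is an added example written for this page, not Chromium code: it assumes a raw previous_row pointer between rows (the trace shows a sibling being reached, not which member holds it), names like Row, Sheet and OnRemovedFromHierarchy are stand-ins, and the hardening it shows is one option, not the patch that fixed this bug. It uses an address registry to count calls that would have gone through a dangling pointer, because actually dereferencing freed memory is undefined behaviour and only reliably visible under ASan.

```cpp
// Added example, not Chromium code: a minimal model of the dangling
// sibling-pointer pattern visible in the ASan trace above.
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

namespace uaf_model {

// Registry of live Row objects, keyed by address. It lets the model detect a
// call through a dangling pointer instead of performing it.
inline std::set<const void*>& LiveRows() {
  static std::set<const void*> rows;
  return rows;
}

struct Row {
  // Assumed non-owning link to the row above this one (stand-in for whatever
  // member the real view reaches its sibling through).
  Row* previous_row = nullptr;
  bool bottom_separator = false;
  int* dangling_counter = nullptr;  // owned by the Sheet, outlives every Row

  Row() { LiveRows().insert(this); }
  ~Row() { LiveRows().erase(this); }

  void ShowBottomSeparator() { bottom_separator = true; }

  // Models Button::ViewHierarchyChanged -> SetState -> StateChanged ->
  // SetIsHighlighted(false): when this row leaves the hierarchy it restores
  // the separator on the row above. If that row was deleted earlier in the
  // same teardown loop, this is the read ASan flagged at frame #0.
  void OnRemovedFromHierarchy() {
    if (previous_row == nullptr) return;
    if (LiveRows().count(previous_row) == 0) {
      ++*dangling_counter;  // heap-use-after-free in the real code
      return;
    }
    previous_row->ShowBottomSeparator();
  }
};

struct Sheet {
  std::vector<std::unique_ptr<Row>> rows;
  int dangling_calls = 0;

  void AddRow() {
    auto row = std::make_unique<Row>();
    row->dangling_counter = &dangling_calls;
    if (!rows.empty()) row->previous_row = rows.back().get();
    rows.push_back(std::move(row));
  }

  // Mirrors View::RemoveAllChildViews(true) as seen in the trace: each child
  // is detached, notified and destroyed before the next one is touched, so
  // row N is notified after row N-1 has already been deleted.
  void RemoveAllChildViews() {
    while (!rows.empty()) {
      std::unique_ptr<Row> row = std::move(rows.front());
      rows.erase(rows.begin());
      row->OnRemovedFromHierarchy();
    }  // `row` is deleted here; the remaining rows still point at it
  }

  // One hardening (an assumption, not Chromium's actual fix): sever every
  // sibling link before anything is destroyed, so a notification fired
  // mid-teardown has no stale neighbour to reach. A base::WeakPtr for the
  // link, or deferring deletion until all children are notified, would
  // have the same effect.
  void RemoveAllChildViewsSafely() {
    for (auto& row : rows) row->previous_row = nullptr;
    RemoveAllChildViews();
  }
};

// Builds a sheet with `n` rows and tears it down; returns how many removal
// notifications tried to reach an already-deleted sibling.
inline int DanglingCallsDuringTeardown(int n, bool hardened) {
  Sheet sheet;
  for (int i = 0; i < n; ++i) sheet.AddRow();
  if (hardened) {
    sheet.RemoveAllChildViewsSafely();
  } else {
    sheet.RemoveAllChildViews();
  }
  return sheet.dangling_calls;
}

}  // namespace uaf_model

int main() {
  std::printf("buggy teardown of 3 rows: %d dangling calls\n",
              uaf_model::DanglingCallsDuringTeardown(3, false));
  std::printf("hardened teardown of 3 rows: %d dangling calls\n",
              uaf_model::DanglingCallsDuringTeardown(3, true));
  return 0;
}
```

With three rows the unhardened teardown reports two dangling calls (rows 1 and 2 each reach for a neighbour that is already gone; row 0 has none), and the hardened teardown reports zero. The practical check when triaging a report like this one is the same as the model's: compare the "freed by" stack with the use stack, and if both sit inside the same child-removal loop, look for raw pointers between siblings rather than for a bug in the function at frame #0.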
Jan 29 2018
Yes, also same issue as bug 793440 which was duplicated into 794078.
May 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Jan 25 2018