Use-after-free: site isolation doesn't work with OOPIF with perspective transform
Issue description

For this test case, http://jsbin.com/tepozag, we apply a perspective transform to a div that contains an iframe. With --site-per-process, the OOPIF can't load and display correctly [p1] (the correct result looks like [p2]).

Stack trace:

==1==ERROR: AddressSanitizer: use-after-poison on address 0x7e97cb52e848 at pc 0x7f2e49d8de56 bp 0x7ffef6468a10 sp 0x7ffef6468a08
READ of size 8 at 0x7e97cb52e848 thread T0 (chrome)
    #0 0x7f2e49d8de55 in operator bool /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/platform/heap/Member.h:85:43
    #1 0x7f2e49d8de55 in blink::ComputePresentationAttributeStyle(blink::Element&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/PresentationAttributeStyle.cpp:172:0
    #2 0x7f2e49c3c002 in blink::Element::UpdatePresentationAttributeStyle() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:4598:7
    #3 0x7f2e499bf7da in PresentationAttributeStyle /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.h:1231:5
    #4 0x7f2e499bf7da in blink::StyleResolver::MatchAllRules(blink::StyleResolverState&, blink::ElementRuleCollector&, bool) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:420:0
    #5 0x7f2e499c3a3b in blink::StyleResolver::StyleForElement(blink::Element*, blink::ComputedStyle const*, blink::ComputedStyle const*, blink::RuleMatchingBehavior) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:652:5
    #6 0x7f2e49c1044b in blink::Element::OriginalStyleForLayoutObject() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2004:46
    #7 0x7f2e4a96ea11 in blink::HTMLImageElement::CustomStyleForLayoutObject() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/html/HTMLImageElement.cpp:802:14
    #8 0x7f2e49c0f74b in blink::Element::StyleForLayoutObject() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:1973:46
    #9 0x7f2e49c15406 in blink::Element::RecalcStyleForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2208:53
    #10 0x7f2e49a92c02 in blink::ContainerNode::RecalcDescendantStylesForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1307:25
    #11 0x7f2e49c156ca in RecalcShadowIncludingDescendantStylesForReattach /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2224:3
    #12 0x7f2e49c156ca in blink::Element::RecalcStyleForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2213:0
    #13 0x7f2e49a92c02 in blink::ContainerNode::RecalcDescendantStylesForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1307:25
    #14 0x7f2e49c156ca in RecalcShadowIncludingDescendantStylesForReattach /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2224:3
    #15 0x7f2e49c156ca in blink::Element::RecalcStyleForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2213:0
    #16 0x7f2e49a92c02 in blink::ContainerNode::RecalcDescendantStylesForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1307:25
    #17 0x7f2e49c156ca in RecalcShadowIncludingDescendantStylesForReattach /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2224:3
    #18 0x7f2e49c156ca in blink::Element::RecalcStyleForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2213:0
    #19 0x7f2e49a92c02 in blink::ContainerNode::RecalcDescendantStylesForReattach() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1307:25
    #20 0x7f2e49c12575 in RecalcShadowIncludingDescendantStylesForReattach /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2224:3
    #21 0x7f2e49c12575 in blink::Element::RecalcOwnStyle(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2160:0
    #22 0x7f2e49c10d7d in blink::Element::RecalcStyle(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2049:16
    #23 0x7f2e49a927f8 in blink::ContainerNode::RecalcDescendantStyles(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1299:18
    #24 0x7f2e49c10fcb in blink::Element::RecalcStyle(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2075:7
    #25 0x7f2e49a927f8 in blink::ContainerNode::RecalcDescendantStyles(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:1299:18
    #26 0x7f2e49c10fcb in blink::Element::RecalcStyle(blink::StyleRecalcChange) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Element.cpp:2075:7
    #27 0x7f2e49b0b628 in blink::Document::UpdateStyle() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Document.cpp:2301:25
    #28 0x7f2e49afbd6c in blink::Document::UpdateStyleAndLayoutTree() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/dom/Document.cpp:2217:3
    #29 0x7f2e4a686295 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3424:26
    #30 0x7f2e4a6801d4 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursive() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3403:3
    #31 0x7f2e4a67b9e5 in blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3144:3
    #32 0x7f2e4a67b193 in blink::LocalFrameView::UpdateAllLifecyclePhases() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/LocalFrameView.cpp:2965:39
    #33 0x7f2e4bd61857 in blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/page/PageAnimator.cpp:100:9
    #34 0x7f2e4a7c1c1c in blink::WebFrameWidgetImpl::UpdateLifecycle(blink::WebWidget::LifecycleUpdate) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/core/frame/WebFrameWidgetImpl.cpp:291:3
    #35 0x7f2e62886037 in UpdateVisualState /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/renderer/render_widget.cc:1095:19
    #36 0x7f2e62886037 in non-virtual thunk to content::RenderWidget::UpdateVisualState(cc::LayerTreeHostClient::VisualStateUpdate) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/renderer/render_widget.cc:0:0
    #37 0x7f2e5cd3e650 in cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../cc/trees/proxy_main.cc:223:21
    #38 0x7f2e5cd392a0 in Invoke<base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:211:12
    #39 0x7f2e5cd392a0 in void base::internal::InvokeHelper<true, void>::MakeItSo<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > >(void (cc::ProxyMain::*&&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>&&, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >&&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:314:0
    #40 0x7f2e5cd38eda in RunImpl<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, 0, 1> /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:368:12
    #41 0x7f2e5cd38eda in base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunOnce(base::internal::BindStateBase*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:336:0
    #42 0x7f2e6a03c29f in Run /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/callback.h:65:12
    #43 0x7f2e6a03c29f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/debug/task_annotator.cc:55:0
    #44 0x7f2e44515496 in blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::Sequence::WorkType) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../third_party/WebKit/Source/platform/scheduler/base/thread_controller_impl.cc:162:21
    #45 0x7f2e4451b33b in Invoke<const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &, const blink::scheduler::internal::Sequence::WorkType &> /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:211:12
    #46 0x7f2e4451b33b in MakeItSo<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::Sequence::WorkType), const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &, const blink::scheduler::internal::Sequence::WorkType &> /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:314:0
    #47 0x7f2e4451b33b in RunImpl<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::Sequence::WorkType), const std::__1::tuple<base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::Sequence::WorkType> &, 0, 1> /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:368:0
    #48 0x7f2e4451b33b in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::Sequence::WorkType), base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::Sequence::WorkType>, void ()>::Run(base::internal::BindStateBase*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/bind_internal.h:350:0
    #49 0x7f2e6a03c29f in Run /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/callback.h:65:12
    #50 0x7f2e6a03c29f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/debug/task_annotator.cc:55:0
    #51 0x7f2e6a0ea1a1 in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/incoming_task_queue.cc:124:19
    #52 0x7f2e6a0f8f2c in base::MessageLoop::RunTask(base::PendingTask*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_loop.cc:395:25
    #53 0x7f2e6a0fa178 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_loop.cc:407:5
    #54 0x7f2e6a0faab6 in base::MessageLoop::DoWork() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_loop.cc:451:16
    #55 0x7f2e6a101af9 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_pump_default.cc:37:31
    #56 0x7f2e6a0f7848 in base::MessageLoop::Run(bool) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/message_loop/message_loop.cc:346:12
    #57 0x7f2e6a1c3fea in base::RunLoop::Run() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../base/run_loop.cc:133:14
    #58 0x7f2e628cf8a3 in content::RendererMain(content::MainFunctionParams const&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/renderer/renderer_main.cc:241:23
    #59 0x7f2e62f26706 in content::RunZygote(content::ContentMainDelegate*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/app/content_main_runner.cc:352:14
    #60 0x7f2e62f27a4b in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/app/content_main_runner.cc:431:12
    #61 0x7f2e62f2b139 in content::ContentMainRunnerImpl::Run() /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/app/content_main_runner.cc:713:12
    #62 0x7f2e6a79af0b in service_manager::Main(service_manager::MainParams const&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../services/service_manager/embedder/main.cc:456:29
    #63 0x7f2e62f25e74 in content::ContentMain(content::ContentMainParams const&) /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../content/app/content_main.cc:19:10
    #64 0x55e87bc79f40 in ChromeMain /usr/local/google/home/riajiang/chromium/src/out/oxygencros/../../chrome/app/chrome_main.cc:144:12
    #65 0x7f2e395812b0 in __libc_start_main ??:0:0

Address 0x7e97cb52e848 is a wild pointer.
SUMMARY: AddressSanitizer: use-after-poison (/usr/local/google/home/riajiang/chromium/src/out/oxygencros/./libblink_core.so+0x494ae55)
Shadow bytes around the buggy address:
  0x0fd37969dcb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd37969dcc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd37969dcd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd37969dce0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd37969dcf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0fd37969dd00: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
  0x0fd37969dd10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd37969dd20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd37969dd30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd37969dd40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0fd37969dd50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ABORTING

This seems to have the same stack trace as 810894, except that in that bug the whole page crashes altogether, not just the OOPIF.
Feb 9 2018
Sorry, saved the test case this time: http://jsbin.com/tepozag
Feb 9 2018
chrishtr@, would you be able to do a first-line triage?
Feb 9 2018
Feb 9 2018
Revert in CQ - https://chromium-review.googlesource.com/c/chromium/src/+/912091
May 20 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nasko@chromium.org, Feb 9 2018
Summary: Use-after-free: site isolation doesn't work with OOPIF with perspective transform (was: site isolation doesn't work with OOPIF with perspective transform)