Issue 820464 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	jamescook@chromium.org
Closed:	Mar 2018
Cc:	sadrul@chromium.org █ warx@chromium.org afakhry@chromium.org mustash-bugs@google.com
Components:	UI>Accessibility UI>Input>Text>IME
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	2
Type:	Bug
Proj-Mustash-Mash
Team-Accessibility

mash: Use a single shared InputMethod instance instead of one per display

Project Member Reported by jamescook@chromium.org, Mar 9 2018

Issue description

While trying to clean up shelf shutdown I hit a mash-only use-after-free in MagnificationControllerTest.MoveToSecondDisplayWithTouch. See below.

The problem is that classic ash assumes a single IME / InputMethodBase:
https://cs.chromium.org/chromium/src/ash/display/window_tree_host_manager.cc?q=window_tree_host_manager.cc&sq=package:chromium&l=800

but mash has one per WindowTreeHostMus:
https://cs.chromium.org/chromium/src/ui/aura/mus/window_tree_host_mus.cc?q=window_tree_host_mus&sq=package:chromium&l=90

MagnificationController seems to assume GetInputMethod(root_window_) always returns the same IME, so it doesn't clean up all observers, and one observer calls into a deleted MagnificationController at shutdown.

I'm not sure if the problem is having two IME instances, or whether MagnficationController is mis-managing observers.

I wonder if MagnificationControllerImpl::SwitchTargetRootWindow() should add and remove itself as an IME observer.

Thoughts?


==203287==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140000020d0 at pc 0x0000065e78f4 bp 0x7ffe710c1390 sp 0x7ffe710c1388
READ of size 8 at 0x6140000020d0 thread T0
    #0 0x65e78f3 in ui::InputMethodBase::~InputMethodBase() /w/chrome/src/out/asan/../../ui/base/ime/input_method_base.cc:41:14
    #1 0x6567b9d in aura::InputMethodMus::~InputMethodMus() /w/chrome/src/out/asan/../../ui/aura/mus/input_method_mus.cc:34:35
    #2 0x65230ba in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2286:5
    #3 0x65230ba in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2599:0
    #4 0x65230ba in ~unique_ptr /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2553:0
    #5 0x65230ba in aura::WindowTreeHostMus::~WindowTreeHostMus() /w/chrome/src/out/asan/../../ui/aura/mus/window_tree_host_mus.cc:110:0
    #6 0x8cc3091 in ~AshWindowTreeHostMus /w/chrome/src/out/asan/../../ash/host/ash_window_tree_host_mus.cc:30:45
    #7 0x8cc3091 in ash::AshWindowTreeHostMus::~AshWindowTreeHostMus() /w/chrome/src/out/asan/../../ash/host/ash_window_tree_host_mus.cc:30:0
    #8 0x4cbe3fd in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2286:5
    #9 0x4cbe3fd in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2599:0
    #10 0x4cbe3fd in ash::RootWindowController::~RootWindowController() /w/chrome/src/out/asan/../../ash/root_window_controller.cc:282:0
    #11 0x4bdb114 in ash::WindowTreeHostManager::Shutdown() /w/chrome/src/out/asan/../../ash/display/window_tree_host_manager.cc:226:3
    #12 0x4d45e43 in ash::Shell::~Shell() /w/chrome/src/out/asan/../../ash/shell.cc:830:30
    #13 0x4d4aa3d in ash::Shell::~Shell() /w/chrome/src/out/asan/../../ash/shell.cc:671:17
    #14 0x8c73e29 in Shutdown /w/chrome/src/out/asan/../../ash/window_manager.cc:288:3
    #15 0x8c73e29 in ash::WindowManager::~WindowManager() /w/chrome/src/out/asan/../../ash/window_manager.cc:134:0
    #16 0x8c7439d in ash::WindowManager::~WindowManager() /w/chrome/src/out/asan/../../ash/window_manager.cc:133:33
    #17 0x8c79f14 in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2286:5
    #18 0x8c79f14 in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2599:0
    #19 0x8c79f14 in ash::WindowManagerService::~WindowManagerService() /w/chrome/src/out/asan/../../ash/window_manager_service.cc:54:0
    #20 0x8c7a2ed in ash::WindowManagerService::~WindowManagerService() /w/chrome/src/out/asan/../../ash/window_manager_service.cc:46:47
    #21 0x8b77d2d in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2286:5
    #22 0x8b77d2d in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2599:0
    #23 0x8b77d2d in ash::AshTestHelper::TearDown() /w/chrome/src/out/asan/../../ash/test/ash_test_helper.cc:216:0
    #24 0x8b71b71 in ash::AshTestBase::TearDown() /w/chrome/src/out/asan/../../ash/test/ash_test_base.cc:186:21
    #25 0x32bd124 in testing::TestInfo::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:2661:11
    #26 0x32be486 in testing::TestCase::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:2779:28
    #27 0x32e2c26 in testing::internal::UnitTestImpl::RunAllTests() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:5003:43
    #28 0x32e1e96 in testing::UnitTest::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:0:0
    #29 0x5240e2b in RUN_ALL_TESTS /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/include/gtest/gtest.h:2314:46
    #30 0x5240e2b in base::TestSuite::Run() /w/chrome/src/out/asan/../../base/test/test_suite.cc:271:0
    #31 0x5245d38 in Run /w/chrome/src/out/asan/../../base/callback.h:95:12
    #32 0x5245d38 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::OnceCallback<int ()>, unsigned long, int, bool, base::OnceCallback<void ()>) /w/chrome/src/out/asan/../../base/test/launcher/unit_test_launcher.cc:225:0
    #33 0x524596d in base::LaunchUnitTests(int, char**, base::OnceCallback<int ()>) /w/chrome/src/out/asan/../../base/test/launcher/unit_test_launcher.cc:576:10
    #34 0x142680c in main /w/chrome/src/out/asan/../../ash/test/ash_unittests.cc:14:10
    #35 0x7fb020b422b0 in __libc_start_main ??:0:0

0x6140000020d0 is located 144 bytes inside of 408-byte region [0x614000002040,0x6140000021d8)
freed by thread T0 here:
    #0 0x668952 in operator delete(void*) _asan_rtl_:3
    #1 0x4d4515e in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2286:5
    #2 0x4d4515e in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2599:0
    #3 0x4d4515e in ash::Shell::~Shell() /w/chrome/src/out/asan/../../ash/shell.cc:771:0
    #4 0x4d4aa3d in ash::Shell::~Shell() /w/chrome/src/out/asan/../../ash/shell.cc:671:17
    #5 0x8c73e29 in Shutdown /w/chrome/src/out/asan/../../ash/window_manager.cc:288:3
    #6 0x8c73e29 in ash::WindowManager::~WindowManager() /w/chrome/src/out/asan/../../ash/window_manager.cc:134:0
    #7 0x8c7439d in ash::WindowManager::~WindowManager() /w/chrome/src/out/asan/../../ash/window_manager.cc:133:33
    #8 0x8c79f14 in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2286:5
    #9 0x8c79f14 in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2599:0
    #10 0x8c79f14 in ash::WindowManagerService::~WindowManagerService() /w/chrome/src/out/asan/../../ash/window_manager_service.cc:54:0
    #11 0x8c7a2ed in ash::WindowManagerService::~WindowManagerService() /w/chrome/src/out/asan/../../ash/window_manager_service.cc:46:47
    #12 0x8b77d2d in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2286:5
    #13 0x8b77d2d in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2599:0
    #14 0x8b77d2d in ash::AshTestHelper::TearDown() /w/chrome/src/out/asan/../../ash/test/ash_test_helper.cc:216:0
    #15 0x8b71b71 in ash::AshTestBase::TearDown() /w/chrome/src/out/asan/../../ash/test/ash_test_base.cc:186:21
    #16 0x32bd124 in testing::TestInfo::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:2661:11
    #17 0x32be486 in testing::TestCase::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:2779:28
    #18 0x32e2c26 in testing::internal::UnitTestImpl::RunAllTests() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:5003:43
    #19 0x32e1e96 in testing::UnitTest::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:0:0
    #20 0x5240e2b in RUN_ALL_TESTS /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/include/gtest/gtest.h:2314:46
    #21 0x5240e2b in base::TestSuite::Run() /w/chrome/src/out/asan/../../base/test/test_suite.cc:271:0
    #22 0x5245d38 in Run /w/chrome/src/out/asan/../../base/callback.h:95:12
    #23 0x5245d38 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::OnceCallback<int ()>, unsigned long, int, bool, base::OnceCallback<void ()>) /w/chrome/src/out/asan/../../base/test/launcher/unit_test_launcher.cc:225:0
    #24 0x524596d in base::LaunchUnitTests(int, char**, base::OnceCallback<int ()>) /w/chrome/src/out/asan/../../base/test/launcher/unit_test_launcher.cc:576:10
    #25 0x142680c in main /w/chrome/src/out/asan/../../ash/test/ash_unittests.cc:14:10
    #26 0x7fb020b422b0 in __libc_start_main ??:0:0

previously allocated by thread T0 here:
    #0 0x667d72 in operator new(unsigned long) _asan_rtl_:3
    #1 0x4c8ac9f in ash::MagnificationController::CreateInstance() /w/chrome/src/out/asan/../../ash/magnifier/magnification_controller.cc:1140:10
    #2 0x4d37aee in ash::Shell::Init(ui::ContextFactory*, ui::ContextFactoryPrivate*) /w/chrome/src/out/asan/../../ash/shell.cc:1084:35
    #3 0x4d34c1d in ash::Shell::CreateInstance(ash::ShellInitParams) /w/chrome/src/out/asan/../../ash/shell.cc:243:14
    #4 0x8c767b5 in ash::WindowManager::CreateShell() /w/chrome/src/out/asan/../../ash/window_manager.cc:228:3
    #5 0x8c77258 in ash::WindowManager::OnWmConnected() /w/chrome/src/out/asan/../../ash/window_manager.cc:337:3
    #6 0x8b775c0 in ash::AshTestHelper::CreateMashWindowManager() /w/chrome/src/out/asan/../../ash/test/ash_test_helper.cc:320:32
    #7 0x8b768d9 in ash::AshTestHelper::SetUp(bool, bool) /w/chrome/src/out/asan/../../ash/test/ash_test_helper.cc:171:5
    #8 0x8b7182d in ash::AshTestBase::SetUp() /w/chrome/src/out/asan/../../ash/test/ash_test_base.cc:158:21
    #9 0xdba47e in ash::MagnificationControllerTest::SetUp() /w/chrome/src/out/asan/../../ash/magnifier/magnification_controller_unittest.cc:58:18
    #10 0x32bb0bc in testing::Test::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest-internal-inl.h:0:10
    #11 0x32bd124 in testing::TestInfo::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:2661:11
    #12 0x32be486 in testing::TestCase::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:2779:28
    #13 0x32e2c26 in testing::internal::UnitTestImpl::RunAllTests() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:5003:43
    #14 0x32e1e96 in testing::UnitTest::Run() /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/src/gtest.cc:0:0
    #15 0x5240e2b in RUN_ALL_TESTS /w/chrome/src/out/asan/../../third_party/googletest/src/googletest/include/gtest/gtest.h:2314:46
    #16 0x5240e2b in base::TestSuite::Run() /w/chrome/src/out/asan/../../base/test/test_suite.cc:271:0
    #17 0x5245d38 in Run /w/chrome/src/out/asan/../../base/callback.h:95:12
    #18 0x5245d38 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::OnceCallback<int ()>, unsigned long, int, bool, base::OnceCallback<void ()>) /w/chrome/src/out/asan/../../base/test/launcher/unit_test_launcher.cc:225:0
    #19 0x524596d in base::LaunchUnitTests(int, char**, base::OnceCallback<int ()>) /w/chrome/src/out/asan/../../base/test/launcher/unit_test_launcher.cc:576:10
    #20 0x142680c in main /w/chrome/src/out/asan/../../ash/test/ash_unittests.cc:14:10
    #21 0x7fb020b422b0 in __libc_start_main ??:0:0

Comment 1 by afakhry@chromium.org, Mar 9 2018

> I wonder if MagnificationControllerImpl::SwitchTargetRootWindow() should add and remove itself as an IME observer.

I think it should. This is what I do for the Docked Magnifier here: https://cs.chromium.org/chromium/src/ash/magnifier/docked_magnifier_controller.cc?q=DockedMagnifierController::SwitchCurrentSourceRootWindowIfNeeded&sq=package:chromium&l=426

Comment 2 by jamescook@chromium.org, Mar 9 2018

Owner: jamescook@chromium.org
Status: Started (was: Untriaged)

Yep, I think that's the right thing to do.

Comment 3 by jamescook@chromium.org, Mar 13 2018

Summary: mash: Use a single shared InputMethod instance instead of one per display (was: mash: Magnification controller assumes single IME instance, but mash has one per display)

Chatted with Sadrul. We suspect the right solution is to have a single shared IME instance across all displays for mash. This is what classic ash does.

Comment 4 by jamescook@chromium.org, Mar 13 2018

Status: WontFix (was: Started)

Actually, I think what mash is doing with multiple IME instances is correct, and similar to what other desktop platforms do. The magnification feature will need more significant changes to support mash. I think this issue will go away when the other changes are made. Filed issue 821551 to track that work.

For now I'm going to leave the test disabled (most of the other MagnificationController tests are already disabled under mash). I'll update the filter file with links to bugs.

Project Member

Comment 5 by bugdroid1@chromium.org, Mar 14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d2ce7bb151b14049e7a130f279f389d8ddb47746

commit d2ce7bb151b14049e7a130f279f389d8ddb47746
Author: James Cook <jamescook@chromium.org>
Date: Wed Mar 14 02:16:35 2018

Update mash_ash_unittests.filter for MagnificationController

The comment on the disabled tests was wrong.

Bug:  820464 , 821551
Change-Id: Icad7c41fdb814eea44be2fa4c16528404a816176
Reviewed-on: https://chromium-review.googlesource.com/961487
Reviewed-by: Ahmed Fakhry <afakhry@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542987}
[modify] https://crrev.com/d2ce7bb151b14049e7a130f279f389d8ddb47746/testing/buildbot/filters/mash.ash_unittests.filter

►

Issue 820464 link

Issue metadata

mash: Use a single shared InputMethod instance instead of one per display

Issue description

Comment 1 by afakhry@chromium.org, Mar 9 2018

Comment 1 Deleted

Comment 2 by jamescook@chromium.org, Mar 9 2018

Comment 2 Deleted

Comment 3 by jamescook@chromium.org, Mar 13 2018

Comment 3 Deleted

Comment 4 by jamescook@chromium.org, Mar 13 2018

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Mar 14 2018

Comment 5 Deleted

Sign in to add a comment