Issue 828907

Issue metadata

Status: Fixed
Owner: ----
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug
Proj-Servicification



Crash (heap-use-after-free)/fail in SSLUIWorkerFetchTest.MixedContentSettings/0 on asan bot

Project Member Reported by brat...@opera.com, Apr 4 2018

Issue description

Was about to file this as a flaky test case but maybe there is something more to this considering it seems to be a heap-use-after-free crash in network loading.

https://ci.chromium.org/buildbot/tryserver.chromium.linux/linux_chromium_asan_rel_ng/575548

[ RUN      ] SSLUIWorkerFetchTest.MixedContentSettings/0
Xlib:  extension "RANDR" missing on display ":99".
[9449:9581:0403/101501.220731:ERROR:bus.cc(394)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are "tcp" and on UNIX "unix")
[9449:9449:0403/101501.286330:WARNING:password_store_factory.cc(240)] Using basic (unencrypted) store for password storage. See https://chromium.googlesource.com/chromium/src/+/master/docs/linux_password_storage.md for more information about password storage options.
(browser_tests:9449): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Unknown or unsupported transport 'disabled' for address 'disabled:'
[9449:9449:0403/101501.964656:WARNING:gaia_auth_fetcher.cc(873)] Could not reach Google Accounts servers: errno -11
[9449:9650:0403/101502.767564:WARNING:embedded_test_server.cc(228)] Request not handled. Returning 404: /favicon.ico
[9449:9449:0403/101502.899767:WARNING:gaia_auth_fetcher.cc(873)] Could not reach Google Accounts servers: errno -102
[9449:9449:0403/101503.600798:INFO:CONSOLE(1)] "Mixed Content: The page at 'https://127.0.0.1:56407/worker.js' was loaded over HTTPS, but requested an insecure resource 'http://example.com:54695/worker_test_data.txt'. This request has been blocked; the content must be served over HTTPS.", source: https://127.0.0.1:56407/worker.js (1)
[9449:9449:0403/101504.153174:INFO:CONSOLE(1)] "Mixed Content: The page at 'https://127.0.0.1:56407/worker.js' was loaded over HTTPS, but requested an insecure resource 'http://example.com:54695/worker_test_data.txt'. This request has been blocked; the content must be served over HTTPS.", source: https://127.0.0.1:56407/worker.js (1)
[9449:9449:0403/101505.863054:WARNING:gaia_auth_fetcher.cc(873)] Could not reach Google Accounts servers: errno -102
[9449:9449:0403/101505.876258:INFO:CONSOLE(1)] "Mixed Content: The page at 'https://127.0.0.1:56407/worker.js' was loaded over HTTPS, but requested an insecure resource 'http://example.com:54695/worker_test_data.txt'. This request has been blocked; the content must be served over HTTPS.", source: https://127.0.0.1:56407/worker.js (1)
[9449:9449:0403/101506.303243:INFO:CONSOLE(1)] "Mixed Content: The page at 'https://127.0.0.1:56407/worker.js' was loaded over HTTPS, but requested an insecure resource 'http://example.com:54695/worker_test_data.txt'. This request has been blocked; the content must be served over HTTPS.", source: https://127.0.0.1:56407/worker.js (1)
[9449:9449:0403/101508.157769:WARNING:web_contents_impl.cc(3982)] https://127.0.0.1:56407/ ran insecure content from http://example.com:54695/worker_test_data.txt
[9449:9449:0403/101508.183681:INFO:CONSOLE(1)] "Mixed Content: The page at 'https://127.0.0.1:56407/worker.js' was loaded over HTTPS, but requested an insecure resource 'http://example.com:54695/worker_test_data.txt'. This content should also be served over HTTPS.", source: https://127.0.0.1:56407/worker.js (1)
[9449:9449:0403/101508.740794:WARNING:web_contents_impl.cc(3982)] https://127.0.0.1:56407/ ran insecure content from http://example.com:54695/worker_test_data.txt
[9449:9449:0403/101508.767741:INFO:CONSOLE(1)] "Mixed Content: The page at 'https://127.0.0.1:56407/worker.js' was loaded over HTTPS, but requested an insecure resource 'http://example.com:54695/worker_test_data.txt'. This content should also be served over HTTPS.", source: https://127.0.0.1:56407/worker.js (1)
-----------------------------------------------------
Suppressions used:
  count      bytes template
      2        208 blink::DOMWrapperWorld::Create
      2        208 blink::ScriptState::Create
-----------------------------------------------------
[9449:9449:0403/101511.068460:WARNING:web_contents_impl.cc(3982)] https://127.0.0.1:56407/ ran insecure content from http://example.com:54695/worker_test_data.txt
[9449:9449:0403/101511.097758:INFO:CONSOLE(1)] "Mixed Content: The page at 'https://127.0.0.1:56407/worker.js' was loaded over HTTPS, but requested an insecure resource 'http://example.com:54695/worker_test_data.txt'. This content should also be served over HTTPS.", source: https://127.0.0.1:56407/worker.js (1)
=================================================================
==9449==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030006fcb5d at pc 0x000007cec482 bp 0x7fff609eaef0 sp 0x7fff609eaee8
READ of size 1 at 0x6030006fcb5d thread T0 (browser_tests)
-----------------------------------------------------
Suppressions used:
  count      bytes template
      2        208 blink::DOMWrapperWorld::Create
      2        208 blink::ScriptState::Create
-----------------------------------------------------
-----------------------------------------------------
Suppressions used:
  count      bytes template
      2        208 blink::DOMWrapperWorld::Create
      2        208 blink::ScriptState::Create
-----------------------------------------------------
    #0 0x7cec481 in AddRefImpl base/memory/ref_counted.h:191:5
    #1 0x7cec481 in base::subtle::RefCountedThreadSafeBase::AddRef() const base/memory/ref_counted.h:171
    #2 0x10ed73c5 in AddRef base/memory/ref_counted.h:381:39
    #3 0x10ed73c5 in AddRef base/memory/scoped_refptr.h:274
    #4 0x10ed73c5 in scoped_refptr base/memory/scoped_refptr.h:176
    #5 0x10ed73c5 in AdoptRefIfNeeded<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState> base/memory/scoped_refptr.h:77
    #6 0x10ed73c5 in scoped_refptr<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState> base::MakeRefCounted<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState, scoped_refptr<net::URLRequestContextGetter>&, mojo::InterfaceRequest<network::mojom::NetworkContext> >(scoped_refptr<net::URLRequestContextGetter>&&&, mojo::InterfaceRequest<network::mojom::NetworkContext>&&) base/memory/scoped_refptr.h:92
    #7 0x10ed650c in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetNetworkContext() components/safe_browsing/browser/safe_browsing_network_context.cc:36:25
    #8 0x10ed93b2 in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetURLLoaderFactory() components/safe_browsing/browser/safe_browsing_network_context.cc:67:7
    #9 0x10ed8c8a in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::CreateLoaderAndStart(mojo::InterfaceRequest<network::mojom::URLLoader>, int, int, unsigned int, network::ResourceRequest const&, mojo::InterfacePtr<network::mojom::URLLoaderClient>, net::MutableNetworkTrafficAnnotationTag const&) components/safe_browsing/browser/safe_browsing_network_context.cc:59:5
    #10 0x16908ee5 in network::(anonymous namespace)::SimpleURLLoaderImpl::StartRequest(network::mojom::URLLoaderFactory*) services/network/public/cpp/simple_url_loader.cc:1276:23
    #11 0x16903c81 in network::(anonymous namespace)::SimpleURLLoaderImpl::Start(network::mojom::URLLoaderFactory*) services/network/public/cpp/simple_url_loader.cc:1255:3
    #12 0x168fe975 in network::(anonymous namespace)::SimpleURLLoaderImpl::DownloadToStringOfUnboundedSizeUntilCrashAndDie(network::mojom::URLLoaderFactory*, base::OnceCallback<void (std::__1::unique_ptr<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::default_delete<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >)>) services/network/public/cpp/simple_url_loader.cc:1058:3
    #13 0x1d2ea130 in safe_browsing::ModelLoader::StartFetch() chrome/browser/safe_browsing/client_side_model_loader.cc:162:16
    #14 0x1d2ec7a9 in Invoke<base::WeakPtr<safe_browsing::ModelLoader>> base/bind_internal.h:447:12
    #15 0x1d2ec7a9 in MakeItSo<void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader>> base/bind_internal.h:550
    #16 0x1d2ec7a9 in RunImpl<void (safe_browsing::ModelLoader::*)(), std::__1::tuple<base::WeakPtr<safe_browsing::ModelLoader> >, 0> base/bind_internal.h:604
    #17 0x1d2ec7a9 in base::internal::Invoker<base::internal::BindState<void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader> >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:572
    #18 0x14260fd0 in Run base/callback.h:95:12
    #19 0x14260fd0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:61
    #20 0x142f9ff1 in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:124:19
    #21 0x142f35eb in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:391:25
    #22 0x142f4168 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:403:5
    #23 0x142f54a3 in base::MessageLoop::DoDelayedWork(base::TimeTicks*) base/message_loop/message_loop.cc:487:10
    #24 0x143034c2 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:314:27
    #25 0x142f1f08 in base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:342:12
    #26 0x143acf0a in base::RunLoop::Run() base/run_loop.cc:130:14
    #27 0x15a045f6 in content::TitleWatcher::WaitAndGetTitle() content/public/test/browser_test_utils.cc:1647:13
    #28 0x94bb973 in SSLUIWorkerFetchTest::RunMixedContentSettingsTest((anonymous namespace)::ChromeContentBrowserClientForMixedContentTest*, bool, bool, bool, bool, bool, bool, bool, bool, bool) chrome/browser/ssl/ssl_browsertest.cc:3556:7
    #29 0x94ba0a0 in SSLUIWorkerFetchTest_MixedContentSettings_Test::RunTestOnMainThread() chrome/browser/ssl/ssl_browsertest.cc
    #30 0x159e779f in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop() content/public/test/browser_test_base.cc:379:5
    #31 0x1476f721 in Run base/callback.h:124:12
    #32 0x1476f721 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() chrome/browser/chrome_browser_main.cc:2051
    #33 0x1476c60b in ChromeBrowserMainParts::PreMainMessageLoopRun() chrome/browser/chrome_browser_main.cc:1442:18
    #34 0xece7154 in content::BrowserMainLoop::PreMainMessageLoopRun() content/browser/browser_main_loop.cc:1042:13
    #35 0xfe11c47 in Run base/callback.h:124:12
    #36 0xfe11c47 in content::StartupTaskRunner::RunAllTasksNow() content/browser/startup_task_runner.cc:45
    #37 0xece307b in content::BrowserMainLoop::CreateStartupTasks() content/browser/browser_main_loop.cc:955:25
    #38 0xecf1880 in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) content/browser/browser_main_runner.cc:140:17
    #39 0xecdb52c in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:42:32
    #40 0x13ea43d7 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:427:14
    #41 0x13ea7925 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:706:12
    #42 0x1ae8bcf2 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:453:29
    #43 0x13ea2928 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #44 0x159e63b8 in content::BrowserTestBase::SetUp() content/public/test/browser_test_base.cc:320:3
    #45 0x145ec0c0 in InProcessBrowserTest::SetUp() chrome/test/base/in_process_browser_test.cc:230:20
    #46 0x9553dd9 in SSLUITestBase::SetUp() chrome/browser/ssl/ssl_browsertest.cc:507:27
    #47 0xbe64f8c in testing::Test::Run() third_party/googletest/src/googletest/src/gtest-internal-inl.h
    #48 0xbe67214 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2661:11
    #49 0xbe685c6 in testing::TestCase::Run() third_party/googletest/src/googletest/src/gtest.cc:2779:28
    #50 0xbe8e2c6 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5036:43
    #51 0xbe8d513 in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc
    #52 0x14635e98 in RUN_ALL_TESTS third_party/googletest/src/googletest/include/gtest/gtest.h:2314:46
    #53 0x14635e98 in base::TestSuite::Run() base/test/test_suite.cc:275
    #54 0x142311df in ChromeTestSuiteRunner::RunTestSuite(int, char**) chrome/test/base/chrome_test_launcher.cc:66:38
    #55 0x15a74a0c in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) content/public/test/test_launcher.cc:625:31
    #56 0x14231fbb in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) chrome/test/base/chrome_test_launcher.cc:171:10
    #57 0x14230fdb in main chrome/test/base/browser_tests_main.cc:36:10
    #58 0x7f3d4c4e4f44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287
0x6030006fcb5d is located 13 bytes inside of 24-byte region [0x6030006fcb50,0x6030006fcb68)
freed by thread T2 (Chrome_IOThread) here:
    #0 0x7c67302 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:149:3
    #1 0x10ed82ed in DeleteInternal<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState> base/memory/ref_counted.h:398:5
    #2 0x10ed82ed in Destruct base/memory/ref_counted.h:351
    #3 0x10ed82ed in Release base/memory/ref_counted.h:387
    #4 0x10ed82ed in Release base/memory/scoped_refptr.h:280
    #5 0x10ed82ed in ~scoped_refptr base/memory/scoped_refptr.h:208
    #6 0x10ed82ed in ~__tuple_leaf buildtools/third_party/libc++/trunk/include/tuple:170
    #7 0x10ed82ed in ~__tuple_impl buildtools/third_party/libc++/trunk/include/tuple:364
    #8 0x10ed82ed in ~tuple buildtools/third_party/libc++/trunk/include/tuple:469
    #9 0x10ed82ed in ~BindState base/bind_internal.h:723
    #10 0x10ed82ed in base::internal::BindState<void (safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState::*)(scoped_refptr<net::URLRequestContextGetter>, mojo::InterfaceRequest<network::mojom::NetworkContext>), scoped_refptr<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState>, scoped_refptr<net::URLRequestContextGetter>, mojo::InterfaceRequest<network::mojom::NetworkContext> >::Destroy(base::internal::BindStateBase const*) base/bind_internal.h:726
    #11 0x14260fd8 in Run base/callback.h:96:3
    #12 0x14260fd8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:61
    #13 0x142f9ff1 in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:124:19
    #14 0x142f35eb in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:391:25
    #15 0x142f4168 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:403:5
    #16 0x142f4aa6 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:447:16
    #17 0x14307390 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:212:31
    #18 0x142f1f08 in base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:342:12
    #19 0x143acf0a in base::RunLoop::Run() base/run_loop.cc:130:14
    #20 0x1446c854 in base::Thread::Run(base::RunLoop*) base/threading/thread.cc:255:13
    #21 0xed1014d in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) content/browser/browser_process_sub_thread.cc:155:11
    #22 0xed0fe3b in content::BrowserProcessSubThread::Run(base::RunLoop*) content/browser/browser_process_sub_thread.cc:105:7
    #23 0x1446d38d in base::Thread::ThreadMain() base/threading/thread.cc:338:3
    #24 0x1445f302 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13
    #25 0x7f3d52fba183 in start_thread /build/eglibc-ripdx6/eglibc-2.19/nptl/pthread_create.c:312
previously allocated by thread T0 (browser_tests) here:
    #0 0x7c66722 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0x10ed70c6 in scoped_refptr<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState> base::MakeRefCounted<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState, scoped_refptr<net::URLRequestContextGetter>&, mojo::InterfaceRequest<network::mojom::NetworkContext> >(scoped_refptr<net::URLRequestContextGetter>&&&, mojo::InterfaceRequest<network::mojom::NetworkContext>&&) base/memory/scoped_refptr.h:91:12
    #2 0x10ed650c in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetNetworkContext() components/safe_browsing/browser/safe_browsing_network_context.cc:36:25
    #3 0x10ed93b2 in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetURLLoaderFactory() components/safe_browsing/browser/safe_browsing_network_context.cc:67:7
    #4 0x10ed8c8a in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::CreateLoaderAndStart(mojo::InterfaceRequest<network::mojom::URLLoader>, int, int, unsigned int, network::ResourceRequest const&, mojo::InterfacePtr<network::mojom::URLLoaderClient>, net::MutableNetworkTrafficAnnotationTag const&) components/safe_browsing/browser/safe_browsing_network_context.cc:59:5
    #5 0x16908ee5 in network::(anonymous namespace)::SimpleURLLoaderImpl::StartRequest(network::mojom::URLLoaderFactory*) services/network/public/cpp/simple_url_loader.cc:1276:23
    #6 0x16903c81 in network::(anonymous namespace)::SimpleURLLoaderImpl::Start(network::mojom::URLLoaderFactory*) services/network/public/cpp/simple_url_loader.cc:1255:3
    #7 0x168fe975 in network::(anonymous namespace)::SimpleURLLoaderImpl::DownloadToStringOfUnboundedSizeUntilCrashAndDie(network::mojom::URLLoaderFactory*, base::OnceCallback<void (std::__1::unique_ptr<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::default_delete<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >)>) services/network/public/cpp/simple_url_loader.cc:1058:3
    #8 0x1d2ea130 in safe_browsing::ModelLoader::StartFetch() chrome/browser/safe_browsing/client_side_model_loader.cc:162:16
    #9 0x1d2ec7a9 in Invoke<base::WeakPtr<safe_browsing::ModelLoader>> base/bind_internal.h:447:12
    #10 0x1d2ec7a9 in MakeItSo<void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader>> base/bind_internal.h:550
    #11 0x1d2ec7a9 in RunImpl<void (safe_browsing::ModelLoader::*)(), std::__1::tuple<base::WeakPtr<safe_browsing::ModelLoader> >, 0> base/bind_internal.h:604
    #12 0x1d2ec7a9 in base::internal::Invoker<base::internal::BindState<void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader> >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:572
    #13 0x14260fd0 in Run base/callback.h:95:12
    #14 0x14260fd0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:61
    #15 0x142f9ff1 in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:124:19
    #16 0x142f35eb in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:391:25
    #17 0x142f4168 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:403:5
    #18 0x142f54a3 in base::MessageLoop::DoDelayedWork(base::TimeTicks*) base/message_loop/message_loop.cc:487:10
    #19 0x143034c2 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:314:27
    #20 0x142f1f08 in base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:342:12
    #21 0x143acf0a in base::RunLoop::Run() base/run_loop.cc:130:14
    #22 0x15a045f6 in content::TitleWatcher::WaitAndGetTitle() content/public/test/browser_test_utils.cc:1647:13
    #23 0x94bb973 in SSLUIWorkerFetchTest::RunMixedContentSettingsTest((anonymous namespace)::ChromeContentBrowserClientForMixedContentTest*, bool, bool, bool, bool, bool, bool, bool, bool, bool) chrome/browser/ssl/ssl_browsertest.cc:3556:7
    #24 0x94ba0a0 in SSLUIWorkerFetchTest_MixedContentSettings_Test::RunTestOnMainThread() chrome/browser/ssl/ssl_browsertest.cc
    #25 0x159e779f in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop() content/public/test/browser_test_base.cc:379:5
    #26 0x1476f721 in Run base/callback.h:124:12
    #27 0x1476f721 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() chrome/browser/chrome_browser_main.cc:2051
    #28 0x1476c60b in ChromeBrowserMainParts::PreMainMessageLoopRun() chrome/browser/chrome_browser_main.cc:1442:18
    #29 0xece7154 in content::BrowserMainLoop::PreMainMessageLoopRun() content/browser/browser_main_loop.cc:1042:13
    #30 0xfe11c47 in Run base/callback.h:124:12
    #31 0xfe11c47 in content::StartupTaskRunner::RunAllTasksNow() content/browser/startup_task_runner.cc:45
    #32 0xece307b in content::BrowserMainLoop::CreateStartupTasks() content/browser/browser_main_loop.cc:955:25
    #33 0xecf1880 in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) content/browser/browser_main_runner.cc:140:17
    #34 0xecdb52c in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:42:32
    #35 0x13ea43d7 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:427:14
Thread T2 (Chrome_IOThread) created by T0 (browser_tests) here:
    #0 0x7c2492d in __interceptor_pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x1445e24c in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:115:13
    #2 0x1446afe6 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:112:15
    #3 0xece1859 in content::BrowserMainLoop::InitializeIOThread() content/browser/browser_main_loop.cc:1584:20
    #4 0xecdf659 in content::BrowserMainLoop::PostMainMessageLoopStart() content/browser/browser_main_loop.cc:736:5
    #5 0xecf204d in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) content/browser/browser_main_runner.cc:129:19
    #6 0xecdb52c in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:42:32
    #7 0x13ea43d7 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:427:14
    #8 0x13ea7925 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:706:12
    #9 0x1ae8bcf2 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:453:29
    #10 0x13ea2928 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #11 0x159e63b8 in content::BrowserTestBase::SetUp() content/public/test/browser_test_base.cc:320:3
    #12 0x145ec0c0 in InProcessBrowserTest::SetUp() chrome/test/base/in_process_browser_test.cc:230:20
    #13 0x9553dd9 in SSLUITestBase::SetUp() chrome/browser/ssl/ssl_browsertest.cc:507:27
    #14 0xbe64f8c in testing::Test::Run() third_party/googletest/src/googletest/src/gtest-internal-inl.h
    #15 0xbe67214 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2661:11
    #16 0xbe685c6 in testing::TestCase::Run() third_party/googletest/src/googletest/src/gtest.cc:2779:28
    #17 0xbe8e2c6 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5036:43
    #18 0xbe8d513 in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc
    #19 0x14635e98 in RUN_ALL_TESTS third_party/googletest/src/googletest/include/gtest/gtest.h:2314:46
    #20 0x14635e98 in base::TestSuite::Run() base/test/test_suite.cc:275
    #21 0x142311df in ChromeTestSuiteRunner::RunTestSuite(int, char**) chrome/test/base/chrome_test_launcher.cc:66:38
    #22 0x15a74a0c in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) content/public/test/test_launcher.cc:625:31
    #23 0x14231fbb in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) chrome/test/base/chrome_test_launcher.cc:171:10
    #24 0x14230fdb in main chrome/test/base/browser_tests_main.cc:36:10
    #25 0x7f3d4c4e4f44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-use-after-free base/memory/ref_counted.h:191:5 in AddRefImpl
Shadow bytes around the buggy address:
  0x0c06800d7910: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c06800d7920: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c06800d7930: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c06800d7940: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06800d7950: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
=>0x0c06800d7960: 00 fa fa fa fd fd fd fa fa fa fd[fd]fd fa fa fa
  0x0c06800d7970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800d7980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800d7990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800d79a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800d79b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Cannot upload crash dump: failed to open
==9449==ABORTING
 
Components: Internals>Services>Network
This looks like something going on in the network service side of things. (Folks who hang around Internals>Network>SSL tend to touch a much lower level bit of the stack.)
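
A triage helper for reports like the one above, as an added example that is not part of the original issue or of Chromium's tooling: it splits an AddressSanitizer report into its access, free and allocation stacks, skips the "Suppressions used" noise interleaved with the frames, and flags a free that ran on a different thread than the use. The sample input is abridged from this report, and the path prefixes treated as infrastructure (`INFRA`) are an assumption of the example.

```python
import re

# Constructed sample: abridged from the report in this issue (a few frames per stack).
SAMPLE = """\
==9449==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030006fcb5d at pc 0x000007cec482 bp 0x7fff609eaef0 sp 0x7fff609eaee8
READ of size 1 at 0x6030006fcb5d thread T0 (browser_tests)
-----------------------------------------------------
Suppressions used:
  count      bytes template
      2        208 blink::DOMWrapperWorld::Create
-----------------------------------------------------
    #0 0x7cec481 in AddRefImpl base/memory/ref_counted.h:191:5
    #1 0x7cec481 in base::subtle::RefCountedThreadSafeBase::AddRef() const base/memory/ref_counted.h:171
    #7 0x10ed650c in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetNetworkContext() components/safe_browsing/browser/safe_browsing_network_context.cc:36:25
    #13 0x1d2ea130 in safe_browsing::ModelLoader::StartFetch() chrome/browser/safe_browsing/client_side_model_loader.cc:162:16
0x6030006fcb5d is located 13 bytes inside of 24-byte region [0x6030006fcb50,0x6030006fcb68)
freed by thread T2 (Chrome_IOThread) here:
    #0 0x7c67302 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:149:3
    #9 0x10ed82ed in ~BindState base/bind_internal.h:723
    #21 0xed1014d in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) content/browser/browser_process_sub_thread.cc:155:11
previously allocated by thread T0 (browser_tests) here:
    #0 0x7c66722 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #2 0x10ed650c in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetNetworkContext() components/safe_browsing/browser/safe_browsing_network_context.cc:36:25
    #8 0x1d2ea130 in safe_browsing::ModelLoader::StartFetch() chrome/browser/safe_browsing/client_side_model_loader.cc:162:16
Thread T2 (Chrome_IOThread) created by T0 (browser_tests) here:
    #3 0xece1859 in content::BrowserMainLoop::InitializeIOThread() content/browser/browser_main_loop.cc:1584:20
SUMMARY: AddressSanitizer: heap-use-after-free base/memory/ref_counted.h:191:5 in AddRefImpl
"""

ERROR = re.compile(r"ERROR: AddressSanitizer: (\S+)")
# The location is the last whitespace-separated token; the symbol may contain spaces.
FRAME = re.compile(r"^\s+#(\d+)\s+0x[0-9a-f]+ in (.+) (\S+)$")
HEADERS = [
    ("access", re.compile(r"^(?:READ|WRITE) of size \d+ at 0x[0-9a-f]+ thread (T\d+)")),
    ("free", re.compile(r"^freed by thread (T\d+)")),
    ("alloc", re.compile(r"^previously allocated by thread (T\d+)")),
]
# Lines that end the three stacks of interest (thread-creation stacks, summary, shadow dump).
STOP = re.compile(r"^(?:Thread T\d+ .*created by|SUMMARY:|Shadow bytes)")
# Assumption of this example: these prefixes are library/toolchain code, not the culprit.
INFRA = ("base/", "buildtools/", "third_party/", "/")


def parse_report(text):
    """Return the error kind plus the access/free/alloc stacks with their threads."""
    report = {"error": None, "stacks": {}}
    current = None
    for line in text.splitlines():
        m = ERROR.search(line)
        if m:
            report["error"] = m.group(1)
            continue
        if STOP.match(line):
            current = None
            continue
        for name, rx in HEADERS:
            m = rx.match(line)
            if m:
                current = report["stacks"].setdefault(
                    name, {"thread": m.group(1), "frames": []})
                break
        else:
            # Anything that is not a frame (suppression tables, separators) is skipped
            # without closing the current stack.
            m = FRAME.match(line)
            if m and current is not None:
                current["frames"].append((int(m.group(1)), m.group(2), m.group(3)))
    return report


def first_project_frame(frames):
    """First frame whose source path is outside the INFRA prefixes, or None."""
    return next(((f, loc) for _, f, loc in frames if not loc.startswith(INFRA)), None)


def triage(text):
    report = parse_report(text)
    empty = {"thread": None, "frames": []}
    acc, fre, alc = (report["stacks"].get(k, empty) for k in ("access", "free", "alloc"))
    access_site = first_project_frame(acc["frames"])
    alloc_site = first_project_frame(alc["frames"])
    return {
        "error": report["error"],
        "access_thread": acc["thread"], "free_thread": fre["thread"],
        "alloc_thread": alc["thread"],
        "cross_thread_free": None not in (acc["thread"], fre["thread"])
                             and acc["thread"] != fre["thread"],
        "access_site": access_site, "alloc_site": alloc_site,
        "used_at_alloc_site": access_site is not None and access_site == alloc_site,
    }
```

For this report the result shows the free on T2 and the read on T0, with the read and the allocation sharing the same first non-infrastructure frame, `GetNetworkContext()` at `safe_browsing_network_context.cc:36:25`.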

Comment 2 by jam@chromium.org, Apr 4 2018

Status: Fixed (was: Untriaged)
this was fixed yesterday in https://chromium.googlesource.com/chromium/src/+/b1de19fafd15eca9ab03ce0a190050d2eae9782e
