Async policy loading uses freed string in chromium builds |
||||||
Issue description1. On Debug build: Version 68.0.3399.0 (Developer Build) (64-bit) 1. Visit: https://musiclab.chromeexperiments.com/Piano-Roll 2. Press play button and let it run for a while. 3. Crash with the following stack trace. It took ~20 minutes to crash the build locally. --- 2018-04-17 12:16:22.401 Chromium[64233:13244740] *** Owner supplied to -[NSTrackingArea initWithRect:options:owner:userInfo:] referenced a deallocating object. Tracking area behavior is undefined. Break on NSTrackingAreaDeallocatingOwnerError to debug. [64238:775:0417/121622.432410:WARNING:vt_video_decode_accelerator_mac.cc(177)] Failed to create VTDecompressionSession: Error Domain=NSOSStatusErrorDomain Code=-12913 "(null)" (-12913) [64238:775:0417/121622.433843:WARNING:vt_video_decode_accelerator_mac.cc(199)] Failed to create hardware VideoToolbox session AVDCreateGPUAccelerator: Error loading GPU renderer [64238:775:0417/121622.472046:ERROR:vt_video_encode_accelerator_mac.cc(517)] VTCompressionSessionCreate failed: -12915 [64233:35587:0417/121623.021328:ERROR:keychain_password_mac.mm(76)] Keychain lookup failed: Error Domain=NSOSStatusErrorDomain Code=-25293 "errKCAuthFailed / errSecAuthFailed: / Authorization/Authentication failed." (-25293) [64233:33283:0417/121623.025809:WARNING:simple_synchronous_entry.cc(1255)] Could not open platform files for entry. [64233:775:0417/121625.176411:INFO:CONSOLE(7)] "The AudioContext was not allowed to start. It must be resume (or created) after a user gesture on the page. https://goo.gl/7K7WLu", source: https://gweb-musiclab-site.appspot.com/static/js/Tone.min.js (7) [64233:775:0417/121625.182549:INFO:CONSOLE(7)] "%c * Tone.js r6 * ", source: https://gweb-musiclab-site.appspot.com/static/js/Tone.min.js (7) [64233:775:0417/121625.414882:INFO:CONSOLE(2)] "ready", source: https://musiclab.chromeexperiments.com/js/app.js (2) [64233:775:0417/121625.593913:INFO:CONSOLE(102)] "pascalprecht.translate.$translateSanitization: No sanitization strategy has been configured. This can have serious security implications. See http://angular-translate.github.io/docs/#/guide/19_security for details.", source: https://ajax.googleapis.com/ajax/libs/angularjs/1.3.14/angular.min.js (102) [64233:775:0417/121625.852648:WARNING:render_frame_host_impl.cc(424)] InterfaceRequest was dropped, the document is no longer active: content::mojom::RendererAudioOutputStreamFactory [64233:775:0417/121625.886279:INFO:CONSOLE(1)] "hello", source: https://musiclab.chromeexperiments.com/js/app.js (1) [64233:775:0417/121625.887436:INFO:CONSOLE(1)] "hello", source: https://musiclab.chromeexperiments.com/js/app.js (1) [64233:775:0417/121626.257278:INFO:CONSOLE(1)] "The AudioContext was not allowed to start. It must be resume (or created) after a user gesture on the page. https://goo.gl/7K7WLu", source: https://musiclab.chromeexperiments.com/pianoroll-service/build/0.js (1) [64233:775:0417/121626.258416:INFO:CONSOLE(1)] "%c * Tone.js r7-dev * ", source: https://musiclab.chromeexperiments.com/pianoroll-service/build/0.js (1) [64233:36355:0417/121653.205619:WARNING:sqlite_persistent_cookie_store.cc(1312)] Could not encrypt a cookie, skipping add. [64233:36355:0417/121653.205779:WARNING:sqlite_persistent_cookie_store.cc(1312)] Could not encrypt a cookie, skipping add. [64233:36355:0417/121653.205837:WARNING:sqlite_persistent_cookie_store.cc(1312)] Could not encrypt a cookie, skipping add. [64233:36355:0417/121653.205889:WARNING:sqlite_persistent_cookie_store.cc(1312)] Could not encrypt a cookie, skipping add. Received signal 11 SEGV_MAPERR 7ff6232ea9b0 0 libbase.dylib 0x0000000106417f1e base::debug::StackTrace::StackTrace(unsigned long) + 174 1 libbase.dylib 0x0000000106417fdd base::debug::StackTrace::StackTrace(unsigned long) + 29 2 libbase.dylib 0x000000010641648c base::debug::StackTrace::StackTrace() + 28 3 libbase.dylib 0x0000000106417d0f base::debug::(anonymous namespace)::StackDumpSignalHandler(int, __siginfo*, void*) + 1407 4 libsystem_platform.dylib 0x00007fff7ebfdf5a _sigtramp + 26 5 ??? 0x00007ff526097e10 0x0 + 140690881871376 6 CoreFoundation 0x00007fff57127b82 -[_CFXPreferences appSynchronizeWithIdentifier:container:] + 114 7 CoreFoundation 0x00007fff56fc7f64 CFPreferencesAppSynchronize + 100 8 libpolicy_component.dylib 0x00000001373d82c9 MacPreferences::AppSynchronize(__CFString const*) + 25 9 libpolicy_component.dylib 0x00000001373b229a policy::PolicyLoaderMac::Load() + 138 10 libpolicy_component.dylib 0x00000001372c631a policy::AsyncPolicyLoader::Reload(bool) + 346 11 libpolicy_component.dylib 0x00000001372c8387 void base::internal::FunctorTraits<void (policy::AsyncPolicyLoader::*)(bool), void>::Invoke<base::WeakPtr<policy::AsyncPolicyLoader> const&, bool const&>(void (policy::AsyncPolicyLoader::*)(bool), base::WeakPtr<policy::AsyncPolicyLoader> const&&&, bool const&&&) + 151 12 libpolicy_component.dylib 0x00000001372c8255 void base::internal::InvokeHelper<true, void>::MakeItSo<void (policy::AsyncPolicyLoader::* const&)(bool), base::WeakPtr<policy::AsyncPolicyLoader> const&, bool const&>(void (policy::AsyncPolicyLoader::* const&&&)(bool), base::WeakPtr<policy::AsyncPolicyLoader> const&&&, bool const&&&) + 117 13 libpolicy_component.dylib 0x00000001372c81cd void base::internal::Invoker<base::internal::BindState<void (policy::AsyncPolicyLoader::*)(bool), base::WeakPtr<policy::AsyncPolicyLoader>, bool>, void ()>::RunImpl<void (policy::AsyncPolicyLoader::* const&)(bool), std::__1::tuple<base::WeakPtr<policy::AsyncPolicyLoader>, bool> const&, 0ul, 1ul>(void (policy::AsyncPolicyLoader::* const&&&)(bool), std::__1::tuple<base::WeakPtr<policy::AsyncPolicyLoader>, bool> const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 125 14 libpolicy_component.dylib 0x00000001372c80dc base::internal::Invoker<base::internal::BindState<void (policy::AsyncPolicyLoader::*)(bool), base::WeakPtr<policy::AsyncPolicyLoader>, bool>, void ()>::Run(base::internal::BindStateBase*) + 44 15 libbase.dylib 0x00000001063b8a1c base::OnceCallback<void ()>::Run() && + 92 16 libbase.dylib 0x000000010641a7f9 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 1033 17 libbase.dylib 0x00000001066f40ed base::internal::TaskTracker::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) + 3581 18 libbase.dylib 0x00000001066f996e base::internal::TaskTrackerPosix::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) + 318 19 libbase.dylib 0x00000001066f1c84 base::internal::TaskTracker::RunAndPopNextTask(scoped_refptr<base::internal::Sequence>, base::internal::CanScheduleSequenceObserver*) + 612 20 libbase.dylib 0x00000001066d5f80 base::internal::SchedulerWorker::Thread::ThreadMain() + 1968 21 libbase.dylib 0x0000000106705f5a base::(anonymous namespace)::ThreadFunc(void*) + 682 22 libsystem_pthread.dylib 0x00007fff7ec076c1 _pthread_body + 340 23 libsystem_pthread.dylib 0x00007fff7ec0756d _pthread_body + 0 24 libsystem_pthread.dylib 0x00007fff7ec06c5d thread_start + 13 [end of stack trace] Segmentation fault: 11 ---
,
Apr 17 2018
,
Apr 17 2018
erikchen@ Could you also add the appropriate component label? I would like to know what this crash is about.
,
Apr 18 2018
Relevant crash stack: Thread 25 Crashed:: TaskSchedulerBackgroundBlockingWorker 0 libobjc.A.dylib 0x00007fff5288be9d objc_msgSend + 29 1 com.apple.CoreFoundation 0x00007fff2acf1862 -[_CFXPreferences(SearchListAdditions) withSearchListForIdentifier:container:cloudConfigurationURL:perform:] + 146 2 com.apple.CoreFoundation 0x00007fff2ad19a82 -[_CFXPreferences appSynchronizeWithIdentifier:container:] + 114 3 com.apple.CoreFoundation 0x00007fff2abb91e4 CFPreferencesAppSynchronize + 100 4 libpolicy_component.dylib 0x000000011218a94c policy::PolicyLoaderMac::Load() + 44 (policy_loader_mac.mm:67) 5 libpolicy_component.dylib 0x0000000112153d31 policy::AsyncPolicyLoader::Reload(bool) + 257 (async_policy_loader.cc:56) 6 libpolicy_component.dylib 0x000000011215475c base::internal::Invoker<base::internal::BindState<void (policy::AsyncPolicyLoader::*)(bool), base::WeakPtr<policy::AsyncPolicyLoader>, bool>, void ()>::Run(base::internal::BindStateBase*) + 188 (bind_internal.h:589) 7 libbase.dylib 0x000000010a8ee443 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 323 (callback.h:95) 8 libbase.dylib 0x000000010a9b1466 base::internal::TaskTracker::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) + 870 (trace_event.h:1106) 9 libbase.dylib 0x000000010a9b2a18 base::internal::TaskTrackerPosix::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) + 168 (task_tracker_posix.cc:23) 10 libbase.dylib 0x000000010a9b0806 base::internal::TaskTracker::RunAndPopNextTask(scoped_refptr<base::internal::Sequence>, base::internal::CanScheduleSequenceObserver*) + 502 (task_tracker.cc:371) 11 libbase.dylib 0x000000010a9a662c base::internal::SchedulerWorker::Thread::ThreadMain() + 796 (type_traits:4644) 12 libbase.dylib 0x000000010a9bcdcf base::(anonymous namespace)::ThreadFunc(void*) + 95 (platform_thread_posix.cc:78) 13 libsystem_pthread.dylib 0x00007fff537c8661 _pthread_body + 340 14 libsystem_pthread.dylib 0x00007fff537c850d _pthread_start + 377 15 libsystem_pthread.dylib 0x00007fff537c7bf9 thread_start + 13
,
Apr 18 2018
Over to avi@. The culprit CL landed after M67 branch so a fix only needs to be targeted for M68. I believe this was introduced by avi@'s 5e21e0b54de518d58507a2c8492a131607696690. chrome/browser/policy/chrome_browser_policy_connector.cc: #if defined(GOOGLE_CHROME_BUILD) // Explicitly watch the "com.google.Chrome" bundle ID, no matter what this // app's bundle ID actually is. All channels of Chrome should obey the same // policies. CFStringRef bundle_id = CFSTR("com.google.Chrome"); #else base::ScopedCFTypeRef<CFStringRef> bundle_id( base::SysUTF8ToCFStringRef(base::mac::BaseBundleID())); #endif Note that in the OFFICIAL_BUILD case bundle_id's lifetime is indefinite (CFSTR strings are valid forever) but in the other case bundle_id's lifetime is *only* until the last ref drops. A ref is held in ChromeBrowserPolicyConnector::CreatePlatformProvider(), but PolicyLoaderMac does *not* either retain or copy the string, so it becomes invalid only on non-release builds before PolicyLoaderMac needs it. To make this crash happen right away, in AsyncPolicyLoader::Init(), change these lines: if (LastModificationTime() != last_modification_time_) Reload(false); To: // if (LastModificationTime() != last_modification_time_) Reload(true); to always force a reload as soon as ::Init() runs.
,
Apr 18 2018
Dropping RVG also - this is a crash bug, but not a security-sensitive one.
,
Apr 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0104f8b9ff36f8c255729a4271d077cae1500c43 commit 0104f8b9ff36f8c255729a4271d077cae1500c43 Author: Avi Drissman <avi@chromium.org> Date: Fri Apr 20 14:38:49 2018 Have PolicyLoaderMac copy the bundle id. PolicyLoaderMac needs it for a while and needs to ensure it doesn't change, so have it make a copy. BUG= 834005 , 831577 Change-Id: I472aa355770c2a938343b4f230a034387b2711b2 Reviewed-on: https://chromium-review.googlesource.com/1019354 Reviewed-by: Elly Fong-Jones <ellyjones@chromium.org> Reviewed-by: Drew Wilson <atwilson@chromium.org> Commit-Queue: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#552331} [modify] https://crrev.com/0104f8b9ff36f8c255729a4271d077cae1500c43/components/policy/core/common/policy_loader_mac.h [modify] https://crrev.com/0104f8b9ff36f8c255729a4271d077cae1500c43/components/policy/core/common/policy_loader_mac.mm
,
Apr 20 2018
Issue 834267 has been merged into this issue.
,
Apr 20 2018
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by hongchan@chromium.org
, Apr 17 2018