
Issue 834322

Issue metadata

Status: Duplicate
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug-Security



heap-use-after-free in cc::VideoResourceUpdater::AllocateResource

Reported by cdsrc2...@gmail.com, Apr 18 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
Chrome version: Version 68.0.3398.0 (Developer Build) (64-bit)
OS Version: Ubuntu 16.04
1. Get new version chrome:
   a) Build source code
      config args.gn file as below:
        is_asan = true
        is_debug = false
        enable_nacl = false
        treat_warnings_as_errors = false
      ninja -j16 -C out/chrome_asan chrome

2. Build a mini web server.
   I used python twisted module to build the webserver.
   1) cp 1.txt webserver/res/1.txt
   2) cp 1.ogv webserver/res/1.ogv
   3) python webserver/web.py

3.
   1) Run chrome --no-sandbox.
   2) Drag crash.html to chrome browser.
   3) It may need to run several times.
   4) And get "heap-use-after-free", sometimes get "signal 11 SEGV_MAPERR 000000000000".

What is the expected behavior?

What went wrong?
==4463==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000090400 at pc 0x560ac4758273 bp 0x7fbeedcb0010 sp 0x7fbeedcb0008
READ of size 8 at 0x615000090400 thread T20 (Media)
    #0 0x560ac4758272 in cc::VideoResourceUpdater::AllocateResource(gfx::Size const&, viz::ResourceFormat, gfx::ColorSpace const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.cc:601:28
    #1 0x560ac47537b1 in RecycleOrAllocateResource /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.cc:581:10
    #2 0x560ac47537b1 in cc::VideoResourceUpdater::CreateForSoftwarePlanes(scoped_refptr<media::VideoFrame>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.cc:808:0
    #3 0x560ac474f9be in cc::VideoResourceUpdater::CreateExternalResourcesFromVideoFrame(scoped_refptr<media::VideoFrame>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.cc:543:12
    #4 0x560ac474ebf3 in cc::VideoResourceUpdater::ObtainFrameResources(scoped_refptr<media::VideoFrame>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.cc:368:7
    #5 0x560ac474d8bb in blink::VideoFrameResourceProvider::AppendQuads(viz::RenderPass*, scoped_refptr<media::VideoFrame>, media::VideoRotation) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/graphics/video_frame_resource_provider.cc:94:22
    #6 0x560ac4748ab4 in blink::VideoFrameSubmitter::SubmitFrame(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/graphics/video_frame_submitter.cc:130:23
    #7 0x560ac474c5b7 in Invoke<base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:447:12
    #8 0x560ac474c5b7 in MakeItSo<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:550:0
    #9 0x560ac474c5b7 in RunImpl<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), std::__1::tuple<base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >, 0, 1, 2> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:604:0
    #10 0x560ac474c5b7 in base::internal::Invoker<base::internal::BindState<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >, void ()>::RunOnce(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:572:0
    #11 0x560ab7e17db8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
    #12 0x560ab7e17db8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #13 0x560ab7e7f0c2 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
    #14 0x560ab7e8033f in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
    #15 0x560ab7e8033f in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
    #16 0x560ab7e8889f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
    #17 0x560ab7f05bf0 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:130:14
    #18 0x560ab7f95fb0 in base::Thread::ThreadMain() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/thread.cc:337:3
    #19 0x560ab7f8f940 in base::(anonymous namespace)::ThreadFunc(void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/platform_thread_posix.cc:76:13
    #20 0x7fbf1b15d6b9 in start_thread ??:0:0

0x615000090400 is located 0 bytes inside of 464-byte region [0x615000090400,0x6150000905d0)
freed by thread T20 (Media) here:
    #0 0x560ab0bb67d2 in operator delete(void*) _asan_rtl_:3
    #1 0x560ac5bd2c7d in Release /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:280:8
    #2 0x560ac5bd2c7d in ~scoped_refptr /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:208:0
    #3 0x560ac5bd2c7d in operator= /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:223:0
    #4 0x560ac5bd2c7d in content::GpuVideoAcceleratorFactoriesImpl::ReleaseContextProvider() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:394:0
    #5 0x560ac5bd5015 in CheckContextLost /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:124:7
    #6 0x560ac5bd5015 in content::GpuVideoAcceleratorFactoriesImpl::VideoFrameOutputFormat(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:292:0
    #7 0x560ab22e158e in media::GpuMemoryBufferVideoFramePool::PoolImpl::CreateHardwareFrame(scoped_refptr<media::VideoFrame> const&, base::OnceCallback<void (scoped_refptr<media::VideoFrame> const&)>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/video/gpu_memory_buffer_video_frame_pool.cc:554:25
    #8 0x560ab22ec7ee in media::GpuMemoryBufferVideoFramePool::MaybeCreateHardwareFrame(scoped_refptr<media::VideoFrame> const&, base::OnceCallback<void (scoped_refptr<media::VideoFrame> const&)>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/video/gpu_memory_buffer_video_frame_pool.cc:1108:15
    #9 0x560ab24674b9 in Invoke<media::GpuMemoryBufferVideoFramePool *, const scoped_refptr<media::VideoFrame> &, base::OnceCallback<void (const scoped_refptr<media::VideoFrame> &)> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:447:12
    #10 0x560ab24674b9 in MakeItSo<void (media::GpuMemoryBufferVideoFramePool::*const &)(const scoped_refptr<media::VideoFrame> &, base::OnceCallback<void (const scoped_refptr<media::VideoFrame> &)>), media::GpuMemoryBufferVideoFramePool *, const scoped_refptr<media::VideoFrame> &, base::OnceCallback<void (const scoped_refptr<media::VideoFrame> &)> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:530:0
    #11 0x560ab24674b9 in RunImpl<void (media::GpuMemoryBufferVideoFramePool::*const &)(const scoped_refptr<media::VideoFrame> &, base::OnceCallback<void (const scoped_refptr<media::VideoFrame> &)>), const std::__1::tuple<base::internal::UnretainedWrapper<media::GpuMemoryBufferVideoFramePool> > &, 0> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:604:0
    #12 0x560ab24674b9 in base::internal::Invoker<base::internal::BindState<void (media::GpuMemoryBufferVideoFramePool::*)(scoped_refptr<media::VideoFrame> const&, base::OnceCallback<void (scoped_refptr<media::VideoFrame> const&)>), base::internal::UnretainedWrapper<media::GpuMemoryBufferVideoFramePool> >, void (scoped_refptr<media::VideoFrame> const&, base::OnceCallback<void (scoped_refptr<media::VideoFrame> const&)>)>::Run(base::internal::BindStateBase*, scoped_refptr<media::VideoFrame> const&, base::OnceCallback<void (scoped_refptr<media::VideoFrame> const&)>&&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:586:0
    #13 0x560ab21ee564 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:124:12
    #14 0x560ab21ee564 in media::DecoderStream<(media::DemuxerStream::Type)2>::MaybePrepareAnotherOutput() /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/filters/decoder_stream.cc:877:0
    #15 0x560ab21f0fbf in media::DecoderStream<(media::DemuxerStream::Type)2>::OnDecodeOutputReady(scoped_refptr<media::VideoFrame> const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/filters/decoder_stream.cc:549:5
    #16 0x560ab22e0bfa in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:124:12
    #17 0x560ab22e0bfa in media::FFmpegVideoDecoder::OnNewFrame(AVFrame*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/filters/ffmpeg_video_decoder.cc:395:0
    #18 0x560ab230d1ff in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:124:12
    #19 0x560ab230d1ff in media::FFmpegDecodingLoop::DecodePacket(AVPacket const*, base::RepeatingCallback<bool (AVFrame*)>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/ffmpeg/ffmpeg_decoding_loop.cc:60:0
    #20 0x560ab22dfc2a in media::FFmpegVideoDecoder::FFmpegDecode(media::DecoderBuffer const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/filters/ffmpeg_video_decoder.cc:355:27
    #21 0x560ab22df639 in media::FFmpegVideoDecoder::Decode(scoped_refptr<media::DecoderBuffer>, base::RepeatingCallback<void (media::DecodeStatus)> const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/filters/ffmpeg_video_decoder.cc:306:8
    #22 0x560ab21f2ffd in media::DecoderStream<(media::DemuxerStream::Type)2>::DecodeInternal(scoped_refptr<media::DecoderBuffer>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/filters/decoder_stream.cc:417:13
    #23 0x560ab21f2522 in media::DecoderStream<(media::DemuxerStream::Type)2>::Decode(scoped_refptr<media::DecoderBuffer>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/filters/decoder_stream.cc:389:5
    #24 0x560ab21f5786 in media::DecoderStream<(media::DemuxerStream::Type)2>::OnBufferReady(media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../media/filters/decoder_stream.cc:724:3
    #25 0x560ab220260e in Invoke<const base::WeakPtr<media::DecoderStream<DemuxerStream::VIDEO> > &, media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:447:12
    #26 0x560ab220260e in MakeItSo<void (media::DecoderStream<DemuxerStream::VIDEO>::*const &)(media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>), const base::WeakPtr<media::DecoderStream<DemuxerStream::VIDEO> > &, media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:550:0
    #27 0x560ab220260e in RunImpl<void (media::DecoderStream<DemuxerStream::VIDEO>::*const &)(media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>), const std::__1::tuple<base::WeakPtr<media::DecoderStream<DemuxerStream::VIDEO> > > &, 0> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:604:0
    #28 0x560ab220260e in base::internal::Invoker<base::internal::BindState<void (media::DecoderStream<(media::DemuxerStream::Type)2>::*)(media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>), base::WeakPtr<media::DecoderStream<(media::DemuxerStream::Type)2> > >, void (media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>)>::Run(base::internal::BindStateBase*, media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>&&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:586:0
    #29 0x560ab21dd1fd in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:135:12
    #30 0x560ab21dd1fd in Invoke<base::RepeatingCallback<void (media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>)>, media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:506:0
    #31 0x560ab21dd1fd in MakeItSo<base::RepeatingCallback<void (media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>)>, media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:530:0
    #32 0x560ab21dd1fd in RunImpl<base::RepeatingCallback<void (media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>)>, std::__1::tuple<media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer> >, 0, 1> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:604:0
    #33 0x560ab21dd1fd in base::internal::Invoker<base::internal::BindState<base::RepeatingCallback<void (media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer>)>, media::DemuxerStream::Status, scoped_refptr<media::DecoderBuffer> >, void ()>::RunOnce(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:572:0
    #34 0x560ab7e17db8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
    #35 0x560ab7e17db8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #36 0x560ab7e7f0c2 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
    #37 0x560ab7e8033f in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
    #38 0x560ab7e8033f in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
    #39 0x560ab7e8889f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
    #40 0x560ab7f05bf0 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:130:14
    #41 0x560ab7f95fb0 in base::Thread::ThreadMain() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/thread.cc:337:3
    #42 0x560ab7f8f940 in base::(anonymous namespace)::ThreadFunc(void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/platform_thread_posix.cc:76:13
    #43 0x7fbf1b15d6b9 in start_thread ??:0:0

previously allocated by thread T0 (chrome) here:
    #0 0x560ab0bb5b92 in operator new(unsigned long) _asan_rtl_:3
    #1 0x560ac497643d in MakeRefCounted<ui::ContextProviderCommandBuffer, scoped_refptr<gpu::GpuChannelHost>, gpu::GpuMemoryBufferManager *&, int &, gpu::SchedulingPriority &, const unsigned long &, GURL, const bool &, bool &, bool &, const gpu::SharedMemoryLimits &, gpu::ContextCreationAttribs &, nullptr_t, ui::command_buffer_metrics::ContextType &> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:91:12
    #2 0x560ac497643d in content::(anonymous namespace)::CreateOffscreenContext(scoped_refptr<gpu::GpuChannelHost>, gpu::GpuMemoryBufferManager*, gpu::SharedMemoryLimits const&, bool, bool, bool, bool, bool, ui::command_buffer_metrics::ContextType, int, gpu::SchedulingPriority) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_thread_impl.cc:397:0
    #3 0x560ac49749b7 in content::RenderThreadImpl::GetGpuFactories() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_thread_impl.cc:1573:7
    #4 0x560ac4744e4e in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
    #5 0x560ac4744e4e in void base::internal::ReturnAsParamAdapter<media::GpuVideoAcceleratorFactories*>(base::OnceCallback<media::GpuVideoAcceleratorFactories* ()>, media::GpuVideoAcceleratorFactories**) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/post_task_and_reply_with_result_internal.h:20:0
    #6 0x560ac4745175 in Invoke<base::OnceCallback<media::GpuVideoAcceleratorFactories *()>, media::GpuVideoAcceleratorFactories **> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:402:12
    #7 0x560ac4745175 in MakeItSo<void (*)(base::OnceCallback<media::GpuVideoAcceleratorFactories *()>, media::GpuVideoAcceleratorFactories **), base::OnceCallback<media::GpuVideoAcceleratorFactories *()>, media::GpuVideoAcceleratorFactories **> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:530:0
    #8 0x560ac4745175 in RunImpl<void (*)(base::OnceCallback<media::GpuVideoAcceleratorFactories *()>, media::GpuVideoAcceleratorFactories **), std::__1::tuple<base::OnceCallback<media::GpuVideoAcceleratorFactories *()>, media::GpuVideoAcceleratorFactories **>, 0, 1> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:604:0
    #9 0x560ac4745175 in base::internal::Invoker<base::internal::BindState<void (*)(base::OnceCallback<media::GpuVideoAcceleratorFactories* ()>, media::GpuVideoAcceleratorFactories**), base::OnceCallback<media::GpuVideoAcceleratorFactories* ()>, media::GpuVideoAcceleratorFactories**>, void ()>::RunOnce(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:572:0
    #10 0x560ab7f8fe79 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
    #11 0x560ab7f8fe79 in base::(anonymous namespace)::PostTaskAndReplyRelay::RunTaskAndPostReply(base::(anonymous namespace)::PostTaskAndReplyRelay) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/post_task_and_reply_impl.cc:79:0
    #12 0x560ab7f9061b in Invoke<base::(anonymous namespace)::PostTaskAndReplyRelay> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:402:12
    #13 0x560ab7f9061b in MakeItSo<void (*)(base::(anonymous namespace)::PostTaskAndReplyRelay), base::(anonymous namespace)::PostTaskAndReplyRelay> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:530:0
    #14 0x560ab7f9061b in RunImpl<void (*)(base::(anonymous namespace)::PostTaskAndReplyRelay), std::__1::tuple<base::(anonymous namespace)::PostTaskAndReplyRelay>, 0> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:604:0
    #15 0x560ab7f9061b in base::internal::Invoker<base::internal::BindState<void (*)(base::(anonymous namespace)::PostTaskAndReplyRelay), base::(anonymous namespace)::PostTaskAndReplyRelay>, void ()>::RunOnce(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:572:0
    #16 0x560ab7e17db8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
    #17 0x560ab7e17db8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #18 0x560ab6d89027 in blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::SequencedTaskSource::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:162:21
    #19 0x560ab7e17db8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
    #20 0x560ab7e17db8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #21 0x560ab7e7f0c2 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
    #22 0x560ab7e8033f in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
    #23 0x560ab7e8033f in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
    #24 0x560ab7e8889f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
    #25 0x560ab7f05bf0 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:130:14
    #26 0x560ac5ce1b8d in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:248:23
    #27 0x560ab73c3f6c in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner.cc:922:12
    #28 0x560ab73e8af8 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:452:29
    #29 0x560ab73bebb7 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
    #30 0x560ab0bb92d2 in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
    #31 0x7fbf143c882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0

Thread T20 (Media) created by T0 (chrome) here:
    #0 0x560ab0b7333d in __interceptor_pthread_create _asan_rtl_:3
    #1 0x560ab7f8ebba in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/platform_thread_posix.cc:115:13
    #2 0x560ab7f95275 in base::Thread::StartWithOptions(base::Thread::Options const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/thread.cc:112:15
    #3 0x560ab7f94ec7 in base::Thread::Start() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/thread.cc:75:10
    #4 0x560ac4975a3c in content::RenderThreadImpl::GetMediaThreadTaskRunner() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_thread_impl.cc:2489:20
    #5 0x560ac47412b6 in content::MediaFactory::CreateMediaPlayer(blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebMediaPlayerEncryptedMediaClient*, blink::WebContentDecryptionModule*, blink::WebString const&, blink::WebLayerTreeView*, cc::LayerTreeSettings const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/media/media_factory.cc:270:24
    #6 0x560ac46b4874 in CreateMediaPlayer /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_frame_impl.cc:3518:25
    #7 0x560ac46b4874 in non-virtual thunk to content::RenderFrameImpl::CreateMediaPlayer(blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebMediaPlayerEncryptedMediaClient*, blink::WebContentDecryptionModule*, blink::WebString const&, blink::WebLayerTreeView*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_frame_impl.cc:0:0
    #8 0x560ac49a1be1 in blink::ModulesInitializer::CreateWebMediaPlayer(blink::WebFrameClient*, blink::HTMLMediaElement&, blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebLayerTreeView*) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/modules_initializer.cc:252:45
    #9 0x560ac24d9f80 in blink::LocalFrameClientImpl::CreateWebMediaPlayer(blink::HTMLMediaElement&, blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebLayerTreeView*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/exported/local_frame_client_impl.cc:852:41
    #10 0x560ac2a54d21 in blink::HTMLMediaElement::StartPlayerLoad() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/html/media/html_media_element.cc:1266:40
    #11 0x560ac2a5113b in blink::HTMLMediaElement::LoadResource(blink::WebMediaPlayerSource const&, WTF::String const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/html/media/html_media_element.cc:1208:7
    #12 0x560ac2a4fc33 in blink::HTMLMediaElement::LoadSourceFromAttribute() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/html/media/html_media_element.cc:1119:3
    #13 0x560ac2a4f139 in blink::HTMLMediaElement::SelectMediaResource() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/html/media/html_media_element.cc:1072:7
    #14 0x560ac2a4aabc in blink::HTMLMediaElement::LoadInternal() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/html/media/html_media_element.cc:1006:3
    #15 0x560ac2a43b7d in blink::HTMLMediaElement::LoadTimerFired(blink::TimerBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/html/media/html_media_element.cc:771:7
    #16 0x560ac077075b in blink::TimerBase::RunInternal() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/timer.cc:161:3
    #17 0x560ab7e17db8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
    #18 0x560ab7e17db8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #19 0x560ab6d89027 in blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::SequencedTaskSource::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:162:21
    #20 0x560ab7e17db8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
    #21 0x560ab7e17db8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #22 0x560ab7e7f0c2 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
    #23 0x560ab7e8033f in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
    #24 0x560ab7e8033f in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
    #25 0x560ab7e8889f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
    #26 0x560ab7f05bf0 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:130:14
    #27 0x560ac5ce1b8d in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:248:23
    #28 0x560ab73c3f6c in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner.cc:922:12
    #29 0x560ab73e8af8 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:452:29
    #30 0x560ab73bebb7 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
    #31 0x560ab0bb92d2 in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
    #32 0x7fbf143c882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0

SUMMARY: AddressSanitizer: heap-use-after-free (/home/cowboy/chromium/src/out/chrome_asan_shared/chrome+0x1b11b272)
Shadow bytes around the buggy address:
  0x0c2a8000a030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8000a040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8000a050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8000a060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8000a070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a8000a080:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8000a090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8000a0a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a8000a0b0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2a8000a0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a8000a0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4463==ABORTING

Did this work before? N/A 

Chrome version: Version 68.0.3398.0 (Developer Build) (64-bit)  Channel: beta
OS Version: 16.04
Flash Version:
 
Attachment: crash.zip (17.9 KB)
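The ASan report above is the artifact a triager works from. The script below, added here as an example and not part of the bug report or of Chromium, parses that report format (error header, access line, the free and allocation stacks with their threads) and, for each stack, skips allocator hooks, the ASan runtime and base/ helpers to reach the frame a reader should start at. Run on a trimmed copy of this report it yields AllocateResource as the reading site, ReleaseContextProvider as the free site and CreateOffscreenContext as the allocation site, and records that the free and the read happened on the same Media thread while the allocation was on the main thread. The skip list and the output field names are choices made for this example, not an ASan convention.

```python
"""Parse an AddressSanitizer heap-use-after-free report into the three sites a triager needs
(the read of freed memory, the free, the allocation). Example code for this page, not Chromium's."""
import json
import re
from typing import Any, Dict, List, NamedTuple, Optional

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)(?: \(([^)]*)\))?")
FREED_RE = re.compile(r"^freed by thread (T\d+)(?: \(([^)]*)\))? here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+)(?: \(([^)]*)\))? here:")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")  # "#N 0xADDR in <function> <file:line:col>"
# Plumbing to skip to reach the culprit (a heuristic chosen for this example, not an ASan rule).
SKIP_FUNC = re.compile(r"^(operator new|operator delete|__interceptor_)")
SKIP_PATH = re.compile(r"^(base/|_asan_rtl_|\?\?)")
Frame = NamedTuple("Frame", [("function", str), ("path", str), ("line", int)])  # path is build-relative

def _split_location(loc: str):
    # ".../out/x/../../cc/a.cc:601:28" -> ("cc/a.cc", 601); "_asan_rtl_:3" -> ("_asan_rtl_", 3)
    parts = loc.rsplit(":", 2)
    line = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return re.sub(r"^.*?(?:/\.\.)+/", "", parts[0]), line

def _new_stack(report: Dict[str, Any], key: str, tid: str, name: Optional[str]) -> List[Frame]:
    report["stacks"][key] = {"thread": f"{tid} ({name or '?'})", "frames": []}
    return report["stacks"][key]["frames"]

def parse_asan_report(text: str) -> Dict[str, Any]:
    report: Optional[Dict[str, Any]] = None
    frames: Optional[List[Frame]] = None  # frame list currently being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            if m := HEADER_RE.match(line):
                report = {"kind": m.group(1), "address": m.group(2), "region_size": -1, "stacks": {}}
            continue
        if line.startswith("SUMMARY:"):
            break  # shadow-byte dump follows; nothing more to parse
        if m := ACCESS_RE.match(line):
            report["access"], report["size"] = m.group(1), int(m.group(2))
            frames = _new_stack(report, "access", m.group(3), m.group(4))
        elif m := FREED_RE.match(line):
            frames = _new_stack(report, "free", m.group(1), m.group(2))
        elif m := ALLOC_RE.match(line):
            frames = _new_stack(report, "alloc", m.group(1), m.group(2))
        elif m := REGION_RE.search(line):
            report["region_size"] = int(m.group(2))
            frames = None
        elif line.startswith("Thread ") and line.endswith("here:"):
            frames = None  # thread-creation stacks are not needed for triage; do not misfile them
        elif frames is not None and (m := FRAME_RE.match(line)):
            path, lineno = _split_location(m.group(3))
            frames.append(Frame(m.group(2), path, lineno))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report

def blame_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame outside allocator/runtime/base plumbing, falling back to frame #0."""
    for f in frames:
        if not (SKIP_FUNC.match(f.function) or SKIP_PATH.match(f.path)):
            return f
    return frames[0] if frames else None

def triage(text: str) -> Dict[str, Any]:
    """Condense a report into the facts that decide how it gets routed."""
    r = parse_asan_report(text)
    out: Dict[str, Any] = {"kind": r["kind"], "region_size": r["region_size"],
                           "access": f"{r.get('access', '?')} of {r.get('size', 0)} bytes"}
    for key in ("access", "free", "alloc"):
        st = r["stacks"].get(key)
        f = blame_frame(st["frames"]) if st else None
        out[f"{key}_site"] = f and {"thread": st["thread"], "function": f.function, "at": f"{f.path}:{f.line}"}
    t = {k: r["stacks"][k]["thread"] if k in r["stacks"] else None for k in ("access", "free", "alloc")}
    # Freed and then read on the same thread points to a stale pointer, not a cross-thread race.
    out["freed_on_accessing_thread"] = bool(t["access"] and t["access"] == t["free"])
    out["allocated_on_other_thread"] = bool(t["access"] and t["alloc"] and t["access"] != t["alloc"])
    return out

# Constructed sample: a trimmed copy of the report in this bug; most frames are cut and long
# template argument lists are shortened to "...".
SAMPLE_REPORT = """\
==4463==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000090400 at pc 0x560ac4758273 bp 0x7fbeedcb0010 sp 0x7fbeedcb0008
READ of size 8 at 0x615000090400 thread T20 (Media)
    #0 0x560ac4758272 in cc::VideoResourceUpdater::AllocateResource(gfx::Size const&, viz::ResourceFormat, gfx::ColorSpace const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.cc:601:28
0x615000090400 is located 0 bytes inside of 464-byte region [0x615000090400,0x6150000905d0)
freed by thread T20 (Media) here:
    #0 0x560ab0bb67d2 in operator delete(void*) _asan_rtl_:3
    #1 0x560ac5bd2c7d in Release /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:280:8
    #4 0x560ac5bd2c7d in content::GpuVideoAcceleratorFactoriesImpl::ReleaseContextProvider() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:394:0
previously allocated by thread T0 (chrome) here:
    #0 0x560ab0bb5b92 in operator new(unsigned long) _asan_rtl_:3
    #1 0x560ac497643d in MakeRefCounted<ui::ContextProviderCommandBuffer, ...> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:91:12
    #2 0x560ac497643d in content::(anonymous namespace)::CreateOffscreenContext(...) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_thread_impl.cc:397:0
Thread T20 (Media) created by T0 (chrome) here:
    #0 0x560ab0b7333d in __interceptor_pthread_create _asan_rtl_:3
SUMMARY: AddressSanitizer: heap-use-after-free (/home/cowboy/chromium/src/out/chrome_asan_shared/chrome+0x1b11b272)
"""
if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

The shadow-byte dump and the thread-creation stack are skipped on purpose; the same-thread check is the quick discriminator between a stale pointer (here, AllocateResource running after the context provider was released) and a race between threads, which would call for a different fix and a different severity discussion.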

Comment 1 by ClusterFuzz (Project Member), Apr 18 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5928582157959168.

Comment 2 by ClusterFuzz (Project Member), Apr 18 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4809799028703232.

Comment 3 by vakh@chromium.org, Apr 18 2018

Cc: danakj@chromium.org
Components: Internals>Media
Labels: OS-Windows
Owner: kylec...@chromium.org
Status: Assigned (was: Unconfirmed)
kylechar@, danakj@ -- could you please help triage this issue? Thanks.

Comment 4 by vakh@chromium.org, Apr 18 2018

Labels: Security_Severity-Medium

Comment 5 by danakj@chromium.org, Apr 18 2018

AllocateResource after the contextprovider is gone.
Cc: kylec...@chromium.org
Owner: lethalantidote@chromium.org
This is caused by the UseSurfaceLayerForVideo experiment.

Comment 7 by vakh@chromium.org, Apr 18 2018

Cc: mlamouri@chromium.org
Per #c6 -- does this impact only Canary and Dev?

Comment 8 by sheriffbot@chromium.org (Project Member), Apr 19 2018

Labels: -Pri-2 Pri-1
The feature is not enabled in Canary/Dev by default. The Finch experiment was turned off.

Comment 10 by vakh@chromium.org, Apr 19 2018

Labels: ReleaseBlock-NA
Adding ReleaseBlock-NA as per #c7

Comment 11 by vakh@chromium.org, Apr 19 2018

Labels: Security_Impact-None

Comment 12 by sheriffbot@chromium.org (Project Member), Apr 20 2018

Labels: -ReleaseBlock-NA
Mergedinto: 768565
Status: Duplicate (was: Assigned)

Comment 14 by sheriffbot@chromium.org (Project Member), Aug 22

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
