Security: chrome_child!ui::ClientTreeNode UAF
Reported by puzzo...@gmail.com, May 3 2018
Issue description
VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.
VERSION
Chrome Version: [66.0.3359.139] + [stable]
Operating System: [Windows7 x64]
REPRODUCTION CASE
Run chrome with "--force-renderer-accessibility" and open the PoC. (Sorry for the large PoC; we had little time to reduce it.)
CREDIT
This vulnerability was discovered by Berserker(@icepng) of VARAS@IIE
Type of crash: [tab]
Crash State:
(3f8.dc8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=feeefeee ebx=0039ee88 ecx=042021ac edx=042021a0 esi=0039eec0 edi=054b3e34
eip=68579447 esp=0039ee74 ebp=0039eeb0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::LeastCommonAncestor+0x10d:
68579447 8b4008 mov eax,dword ptr [eax+8] ds:002b:feeefef6=????????
As the crash context shows, EAX points to an invalid memory region; from previous experience, we infer this is a UAF problem.
4:051> dd esi
0039eec0 feeefeee 0039eed4 054b3ed8 0039ef08
0039eed0 0039eec4 041bffe0 00000030 cc2c31f5
0039eee0 0039ef08 054b3e34 0039eef4 0039efc0
0039eef0 6857593c 0039ef08 2c408680 69efc7f0
0039ef00 00000004 0039eefc 2d1a20d0 00000005
0039ef10 0039ef3c 69450e1c ffffffff ffffffff
0039ef20 ffffffff 6c6d7468 69efc700 0039ef48
0039ef30 6631c274 00000004 0000000f 6631c201
As we can see from the above output, ESI points into the stack and may point to an object. Next we debug what object it is.
Before the debugging process, we first enable PageHeap.
We set a breakpoint at chrome_child+0x22C9447 to observe the object. The breakpoint hits several times; eventually we get something like this:
6:092> g
Breakpoint 0 hit
eax=088bd468 ebx=003ff240 ecx=0895f540 edx=0895f538 esi=003ff278 edi=08a6581c
eip=68579447 esp=003ff22c ebp=003ff268 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::LeastCommonAncestor+0x10d:
68579447 8b4008 mov eax,dword ptr [eax+8] ds:002b:088bd470=f0f0f0f0
6:092> dd eax
088bd468 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
088bd478 f0f0f0f0 f0f0f0f0 a0a0a0a0 a0a0a0a0
088bd488 00000000 00000000 2a7ff041 1401f7c1
088bd498 abcdaaaa 87881000 0000000c 00000034
088bd4a8 0888c7b8 089391c8 04ed5db4 dcbaaaaa
088bd4b8 089c2408 087b4458 0891ea00 a0a0a0a0
088bd4c8 a0a0a0a0 a0a0a0a0 00000000 00000000
088bd4d8 2e7ff045 1801f7c2 abcdaaaa 87881000
Since we have enabled PageHeap and EAX points to a buffer filled with 0xf0f0f0f0, we can be sure this memory region has been freed. So we use !heap -p -a eax to see what object it is.
6:092> !heap -p -a eax
address 088bd468 found in
_HEAP @ 7b30000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
088bd440 000a 0000 [00] 088bd468 00018 - (free DelayedFree)
72bda7d6 verifier!AVrfpDphNormalHeapFree+0x000000b6
72bd90d3 verifier!AVrfDebugPageHeapFree+0x000000e3
77f1180c ntdll!RtlDebugFreeHeap+0x0000002f
77eca8fe ntdll!RtlpFreeHeap+0x0000005d
77e72c45 ntdll!RtlFreeHeap+0x00000142
72becc4f verifier!AVrfpRtlFreeHeap+0x00000086
75ce14ad kernel32!HeapFree+0x00000014
72bedd48 verifier!AVrfpHeapFree+0x00000097
662b120a chrome_child!base::allocator::WinHeapFree+0x0000001a
6756754b chrome_child!`anonymous namespace'::DefaultWinHeapFreeImpl+0x0000000b
662b11e1 chrome_child!free+0x00000011
67f3db08 chrome_child!ui::ClientTreeNode::~ClientTreeNode+0x00000020
68578c5e chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::DeleteClientSubtree+0x00000050
6857645b chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::Reset+0x00000125
68579332 chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChangedNodes+0x0000060c
68579250 chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChangedNodes+0x0000052a
68575b51 chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChanges+0x00000473
68577336 chrome_child!content::RenderAccessibilityImpl::SendPendingAccessibilityEvents+0x000001ca
662fbb4f chrome_child!base::debug::TaskAnnotator::RunTask+0x0000009f
6631e93b chrome_child!blink::scheduler::internal::ThreadControllerImpl::DoWork+0x000000e1
6631e851 chrome_child!base::internal::Invoker<base::internal::BindState<void (media::AudioRendererImpl::*)(media::PipelineStatus) __attribute__((thiscall)),base::WeakPtr<media::AudioRendererImpl>,media::PipelineStatus>,void ()>::Run+0x00000041
662fbb4f chrome_child!base::debug::TaskAnnotator::RunTask+0x0000009f
662fbaa3 chrome_child!base::internal::IncomingTaskQueue::RunTask+0x00000013
662fb7a6 chrome_child!base::MessageLoop::RunTask+0x000001b6
662fb5c3 chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x00000053
662f2b13 chrome_child!base::MessageLoop::DoWork+0x000000d3
662f2a27 chrome_child!base::MessagePumpDefault::Run+0x00000087
662f297f chrome_child!base::MessageLoop::Run+0x0000001f
662f27de chrome_child!base::RunLoop::Run+0x0000002e
662dfaf0 chrome_child!content::RendererMain+0x00000378
662df72b chrome_child!content::RunNamedProcessTypeMain+0x0000010c
662d9826 chrome_child!content::ContentMainRunnerImpl::Run+0x0000008e
So this is a ClientTreeNode UAF.
Next, we are going to see what caused this object to be freed. We set a breakpoint at chrome_child!ui::ClientTreeNode::~ClientTreeNode (chrome_child+0x01c8db03):
6:092> u 67f3db08 L-10
chrome_child!ui::ClientTreeNode::~ClientTreeNode+0x10 [C:\b\c\b\win_clang\src\ui\accessibility\ax_tree_serializer.cc @ 12]:
67f3daf8 d80e fmul dword ptr [esi]
67f3dafa 39fe cmp esi,edi
67f3dafc 837d0800 cmp dword ptr [ebp+8],0
67f3db00 7409 je chrome_child!ui::ClientTreeNode::~ClientTreeNode+0x23 (67f3db0b)
67f3db02 56 push esi
67f3db03 e8e3934501 call chrome_child!operator delete (69396eeb)
The output of windbg is as follows. We can see that when the program tried to reference the object (0x08661468), the object had already been freed:
eax=00000000 ebx=08624218 ecx=72bedd73 edx=00300002 esi=08661468 edi=08728a48
eip=67f3db03 esp=002fecf0 ebp=002fecf8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
chrome_child!ui::ClientTreeNode::~ClientTreeNode+0x1b:
67f3db03 e8e3934501 call chrome_child!operator delete (69396eeb)
ChildEBP RetAddr Args to Child
002fed14 68576480 00000001 697b8fa0 ffffffff chrome_child!ui::ClientTreeNode::~ClientTreeNode+0x1b [C:\b\c\b\win_clang\src\ui\accessibility\ax_tree_serializer.cc @ 12]
002fedc8 68579332 087289a4 00000000 002fedd0 chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::Reset+0x14a [C:\b\c\b\win_clang\src\ui\accessibility\ax_tree_serializer.h @ 209]
002fef30 68579250 5aa08728 002ff2b0 087289a4 chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChangedNodes+0x60c [C:\b\c\b\win_clang\src\ui\accessibility\ax_tree_serializer.h @ 459]
002ff09c 68575b51 5aa08ae8 002ff2b0 08728a48 chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChangedNodes+0x52a [C:\b\c\b\win_clang\src\ui\accessibility\ax_tree_serializer.h @ 527]
002ff170 68577336 5aa08af0 002ff2b0 002ff180 chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChanges+0x473 [C:\b\c\b\win_clang\src\ui\accessibility\ax_tree_serializer.h @ 381]
002ff38c 662fbb4f 087aded8 685761ad 002ff3c0 chrome_child!content::RenderAccessibilityImpl::SendPendingAccessibilityEvents+0x1ca [C:\b\c\b\win_clang\src\content\renderer\accessibility\render_accessibility_impl.cc @ 453]
002ff3f8 6631e93b 69529028 002ff468 0087a6c8 chrome_child!base::debug::TaskAnnotator::RunTask+0x9f [C:\b\c\b\win_clang\src\base\debug\task_annotator.cc @ 61]
002ff4e0 6631e851 00000000 6631e85a 002ff528 chrome_child!blink::scheduler::internal::ThreadControllerImpl::DoWork+0xe1 [C:\b\c\b\win_clang\src\third_party\WebKit\Source\platform\scheduler\base\thread_controller_impl.cc @ 164]
002ff4fc 662fbb4f 0087a770 0872bac0 002ff4a8 chrome_child!base::internal::Invoker<base::internal::BindState<void (media::AudioRendererImpl::*)(media::PipelineStatus) __attribute__((thiscall)),base::WeakPtr<media::AudioRendererImpl>,media::PipelineStatus>,void ()>::Run+0x41 [C:\b\c\b\win_clang\src\base\bind_internal.h @ 589]
002ff564 662fbaa3 69547474 002ff620 002ff5f8 chrome_child!base::debug::TaskAnnotator::RunTask+0x9f [C:\b\c\b\win_clang\src\base\debug\task_annotator.cc @ 61]
002ff574 662fb7a6 002ff620 69528f4d 00876ea8 chrome_child!base::internal::IncomingTaskQueue::RunTask+0x13 [C:\b\c\b\win_clang\src\base\message_loop\incoming_task_queue.cc @ 125]
002ff5f8 662fb5c3 002ff620 662f9acc a2e494d8 chrome_child!base::MessageLoop::RunTask+0x1b6 [C:\b\c\b\win_clang\src\base\message_loop\message_loop.cc @ 396]
002ff618 662f2b13 00000000 69529045 69528f4d chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x53 [C:\b\c\b\win_clang\src\base\message_loop\message_loop.cc @ 407]
002ff6c4 662f2a27 00859de0 00859dd8 00876e3c chrome_child!base::MessageLoop::DoWork+0xd3 [C:\b\c\b\win_clang\src\base\message_loop\message_loop.cc @ 451]
002ff6e0 662f297f 00876e38 002ff718 002ff700 chrome_child!base::MessagePumpDefault::Run+0x87 [C:\b\c\b\win_clang\src\base\message_loop\message_pump_default.cc @ 38]
002ff6f0 662f27de 00000001 002ff708 002ff7d4 chrome_child!base::MessageLoop::Run+0x1f [C:\b\c\b\win_clang\src\base\message_loop\message_loop.cc @ 346]
002ff700 662dfaf0 00000000 01876d00 00856030 chrome_child!base::RunLoop::Run+0x2e [C:\b\c\b\win_clang\src\base\run_loop.cc @ 139]
002ff7d4 662df72b 002ff8bc 00893410 00000010 chrome_child!content::RendererMain+0x378 [C:\b\c\b\win_clang\src\content\renderer\renderer_main.cc @ 235]
002ff8a4 662d9826 002ff8d0 002ff8bc 002ffa70 chrome_child!content::RunNamedProcessTypeMain+0x10c [C:\b\c\b\win_clang\src\content\app\content_main_runner.cc @ 423]
002ff8f8 662b4597 00000000 00000003 002ffa14 chrome_child!content::ContentMainRunnerImpl::Run+0x8e [C:\b\c\b\win_clang\src\content\app\content_main_runner.cc @ 703]
002ffa04 662b4278 002ffa10 002ffa14 695427a0 chrome_child!service_manager::Main+0x26e [C:\b\c\b\win_clang\src\services\service_manager\embedder\main.cc @ 453]
002ffa40 662b1925 002ffa5c 002ffa4c 002ffa48 chrome_child!content::ContentMain+0x33 [C:\b\c\b\win_clang\src\content\app\content_main.cc @ 19]
002ffaa0 011c3002 011c0000 002ffae8 aa1a7059 chrome_child!ChromeMain+0x108 [C:\b\c\b\win_clang\src\chrome\app\chrome_main.cc @ 104]
WARNING: Stack unwind information not available. Following frames may be wrong.
002ffb2c 011c145d 011c0000 aa1a7059 00000007 chrome+0x3002
002ffc98 0127df68 011c0000 00000000 008b2082 chrome+0x145d
002ffce4 75ce343d fffde000 002ffd30 77e79832 chrome!IsSandboxedProcess+0x526c8
002ffcf0 77e79832 fffde000 762e3dd1 00000000 kernel32!BaseThreadInitThunk+0xe
002ffd30 77e79805 0127dfe0 fffde000 00000000 ntdll!__RtlUserThreadStart+0x70
002ffd48 00000000 0127dfe0 fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
eax=00000000 ebx=00000000 ecx=72bedd73 edx=00300004 esi=08624218 edi=0000000f
eip=67f3db03 esp=002fed0c ebp=002fed14 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
chrome_child!ui::ClientTreeNode::~ClientTreeNode+0x1b:
67f3db03 e8e3934501 call chrome_child!operator delete (69396eeb)
Breakpoint 0 hit
eax=08788290 ebx=002ff038 ecx=0873524c edx=08735248 esi=002ff070 edi=087289a4
eip=68579447 esp=002ff024 ebp=002ff060 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::LeastCommonAncestor+0x10d:
68579447 8b4008 mov eax,dword ptr [eax+8] ds:002b:08788298=08661468
6:093> g
Breakpoint 0 hit
eax=08661468 ebx=002ff038 ecx=085f6890 edx=085f6888 esi=002ff070 edi=087289a4
eip=68579447 esp=002ff024 ebp=002ff060 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::LeastCommonAncestor+0x10d:
68579447 8b4008 mov eax,dword ptr [eax+8] ds:002b:08661470=f0f0f0f0
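As an added illustration (not part of the report above, and not Chromium or WinDbg tooling): a small Python helper that automates the three checks the report walks through by hand, namely whether the faulting pointer, or the memory it points to, carries a known page-heap/debug-heap fill pattern, whether `!heap -p -a` reports the block as freed, and which non-allocator frame in the recorded free stack actually released it. The fill-pattern meanings are the documented gflags/Application Verifier ones; the sample `dd` and `!heap -p -a` output is copied from the report; the plumbing-frame filters (`PLUMBING_MODULES`, `PLUMBING_SYMBOLS`) are this example's own heuristic, not anything the report defines.

```python
import re
from collections import Counter

# Fill patterns written by the Windows page heap (gflags /p, Application
# Verifier "Heaps" check) and by the NT debug heap. Documented meanings:
FILL_PATTERNS = {
    0xF0F0F0F0: "pageheap-freed",          # freed user data (light page heap)
    0xC0C0C0C0: "pageheap-uninitialised",  # freshly allocated, never written
    0xA0A0A0A0: "pageheap-suffix-guard",   # guard bytes after the user block
    0xFEEEFEEE: "ntheap-freed",            # RtlFreeHeap fill when the debug heap is on
}

DD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$")
HEAP_ENTRY_LINE = re.compile(
    r"^\s*([0-9a-f]{8})\s+([0-9a-f]{4})\s+([0-9a-f]{4})\s+\[([0-9a-f]{2})\]"
    r"\s+([0-9a-f]{8})\s+([0-9a-f]+)\s+-\s+\((.*)\)\s*$", re.I)
FRAME_LINE = re.compile(r"^\s*([0-9a-f]{8})\s+(\S.*?)\s*$", re.I)


def parse_dd(text):
    """WinDbg `dd` output -> list of (address, dword); unreadable (????????) lines are skipped."""
    words = []
    for line in text.splitlines():
        m = DD_LINE.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, w in enumerate(m.group(2).split()):
                words.append((base + 4 * i, int(w, 16)))
    return words


def classify_value(value):
    """A register or pointer that *is* a fill pattern was itself loaded from dead memory."""
    return FILL_PATTERNS.get(value & 0xFFFFFFFF, "not-a-fill-pattern")


def classify_fill(dwords, n=4):
    """Name the fill if the first n dwords at the pointer all carry one known pattern."""
    head = [w for _, w in dwords[:n]]
    if len(head) < n:
        return "unknown"
    value, count = Counter(head).most_common(1)[0]
    return FILL_PATTERNS[value] if count == n and value in FILL_PATTERNS else "live-or-unknown"


def parse_heap_p_a(text):
    """Parse `!heap -p -a <addr>` (light page heap layout) into a dict plus the recorded stack."""
    info = {"stack": []}
    in_stack = False
    for line in text.splitlines():
        if in_stack:                      # everything after the entry line is the free/alloc stack
            m = FRAME_LINE.match(line)
            if m:
                info["stack"].append(m.group(2))
            continue
        m = re.match(r"^\s*address\s+([0-9a-f]+)\s+found in", line, re.I)
        if m:
            info["address"] = int(m.group(1), 16)
            continue
        m = HEAP_ENTRY_LINE.match(line)
        if m:
            info["entry"] = int(m.group(1), 16)
            info["user_ptr"] = int(m.group(5), 16)
            info["user_size"] = int(m.group(6), 16)
            info["state"] = m.group(7).strip()   # e.g. "busy", "free", "free DelayedFree"
            in_stack = True
    return info


def in_user_range(info, addr):
    """True if the faulting address lies inside the block's user data."""
    return info["user_ptr"] <= addr < info["user_ptr"] + info["user_size"]


# Heap plumbing to skip when looking for the frame that actually freed the object (heuristic).
PLUMBING_MODULES = ("verifier!", "ntdll!", "kernel32!", "KERNELBASE!")
PLUMBING_SYMBOLS = ("WinHeapFree", "HeapFreeImpl", "!free+", "operator delete")


def free_site(info):
    for frame in info["stack"]:
        if frame.startswith(PLUMBING_MODULES) or any(s in frame for s in PLUMBING_SYMBOLS):
            continue
        return frame
    return None


def triage(fault_addr, dd_text, heap_text):
    """Combine the three checks into one verdict for a suspected use-after-free read."""
    info = parse_heap_p_a(heap_text)
    fill = classify_fill(parse_dd(dd_text), n=max(1, info.get("user_size", 16) // 4))
    freed = info.get("state", "").startswith("free")
    return {
        "fill": fill,
        "state": info.get("state"),
        "in_block": "user_ptr" in info and in_user_range(info, fault_addr),
        "free_site": free_site(info),
        "verdict": "use-after-free" if freed and fill.endswith("freed") else "inconclusive",
    }


# Sample input copied from the report above (dd eax, then !heap -p -a eax, free stack shortened).
SAMPLE_DD = """\
088bd468 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
088bd478 f0f0f0f0 f0f0f0f0 a0a0a0a0 a0a0a0a0
"""
SAMPLE_HEAP = """\
address 088bd468 found in
_HEAP @ 7b30000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
088bd440 000a 0000 [00] 088bd468 00018 - (free DelayedFree)
72bda7d6 verifier!AVrfpDphNormalHeapFree+0x000000b6
72bd90d3 verifier!AVrfDebugPageHeapFree+0x000000e3
77f1180c ntdll!RtlDebugFreeHeap+0x0000002f
77e72c45 ntdll!RtlFreeHeap+0x00000142
75ce14ad kernel32!HeapFree+0x00000014
72bedd48 verifier!AVrfpHeapFree+0x00000097
662b120a chrome_child!base::allocator::WinHeapFree+0x0000001a
6756754b chrome_child!`anonymous namespace'::DefaultWinHeapFreeImpl+0x0000000b
662b11e1 chrome_child!free+0x00000011
67f3db08 chrome_child!ui::ClientTreeNode::~ClientTreeNode+0x00000020
68578c5e chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::DeleteClientSubtree+0x00000050
"""

if __name__ == "__main__":
    print(triage(0x088bd470, SAMPLE_DD, SAMPLE_HEAP))
```

The point of `classify_value` is the first crash on the page: there PageHeap was not yet enabled, and EAX itself was 0xfeeefeee, the NT debug heap's freed-memory fill, which is why the report could only infer a UAF from it. With PageHeap on, the 0xf0 fill inside the block, the "free DelayedFree" state and the `~ClientTreeNode` frame in the free stack make the same verdict conclusive, which is what `triage` reports for the faulting address 0x088bd470 (the `[eax+8]` read).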
May 4 2018
dmazzoni@ - could you take a peek at this as it seems accessibility related? Feel free to re-assign as appropriate, or bounce back to me if unrelated. Thanks!
May 4 2018
May 5 2018
Does it mean that ClusterFuzz has discovered this vulnerability before?
May 5 2018
We have reduced this case in case you need it.
May 5 2018
May 18 2018
dmazzoni: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 18 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6632606331043840.
May 18 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6523108555751424.
May 18 2018
dmazzoni@, this is a high severity security bug affecting stable, please take a look as per c#2.
May 23 2018
Hi, any updates? Or do you need us to provide some extra info?
May 25 2018
I'm unable to reproduce on Linux ToT with ASAN. Clusterfuzz also says unreproducible. I can maybe try the version above, and I can try on Windows.
May 25 2018
I just rechecked it, and this may still be there in the latest stable version, 66.0.3359.181.
4:041> lmvm chrome_child
start end module name
64a50000 688a6000 chrome_child (export symbols) C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.
Loaded symbol image file: C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\chrome_child.dll
Image path: C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\chrome_child.dll
Image name: chrome_child.dll
Timestamp: Tue May 15 10:58:10 2018 (5AFA4CC2)
CheckSum: 03CF20C3
ImageSize: 03E56000
File version: 66.0.3359.181
Product version: 66.0.3359.181
File flags: 0 (Mask 17)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Google Inc.
ProductName: Google Chrome
InternalName: chrome_dll
OriginalFilename: chrome.dll
ProductVersion: 66.0.3359.181
FileVersion: 66.0.3359.181
FileDescription: Google Chrome
LegalCopyright: Copyright 2017 Google Inc. All rights reserved.
The following is the command I use to reproduce (I use Math.cos to debug, so I added some breakpoints there; delete them if you don't need them):
"C:\Users\Puzzor\Desktop\Debugging Tools for Windows (x86)\cdb.exe" -c ".childdbg 1;g;g;g;g;bu chrome_child!v8::base::ieee754::cos \"dd esp L3;g;\";bu chrome_child!ui::ClientTreeNode::~ClientTreeNode \"r ecx;.echo \\"freed\\";g\";bu chrome_child!ui::ClientTreeNode::ClientTreeNode \"r ecx;.echo \\"created\\";g\";.sympath cache*c:\mysymbol;" "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --force-renderer-accessibility --no-sandbox C:\Users\Puzzor\Desktop\PoC.html
May 25 2018
Did you forget the command line flag "--force-renderer-accessibility"? This is important to reproduce the case.
May 25 2018
I used that command line. Have you tested it on anything more recent than 66 or on any other platform? Does it crash when no memory debuggers are running? Or does it trigger a silent UAF that doesn't usually crash?
May 25 2018
Nope, I only tested on the latest version so far. Yes, it will crash even without debuggers. BUT when I tried to analyze it with a debugger, sometimes it crashes with a strange context (but I think the root cause is a UAF?):
###########################################################################
(e0c.ce0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000064 ebx=0031eb78 ecx=0565a2e0 edx=0565a2d0 esi=0031ebb0 edi=055fddbc
eip=612395bd esp=0031eb64 ebp=0031eba0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\chrome_child.dll -
chrome_child!IsSandboxedProcess+0x593695:
612395bd 8b4008 mov eax,dword ptr [eax+8] ds:002b:0000006c=????????
###########################################################################
(e14.c98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=001be710 ecx=054079ec edx=054079e0 esi=001be748 edi=042ce0cc
eip=681395bd esp=001be6fc ebp=001be738 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.181\chrome_child.dll -
chrome_child!IsSandboxedProcess+0x593695:
681395bd 8b4008 mov eax,dword ptr [eax+8] ds:002b:00000009=????????
###########################################################################
BTW, if you cannot reproduce it the first time, try to refresh the page; sometimes you need to refresh it 2 or 3 times to trigger it, but in general the first time you open it will trigger the crash.
May 28 2018
Can you reproduce it now?
Jun 3 2018
Any updates?
Jun 8 2018
Still no updates?
Jun 9 2018
dmazzoni: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 27 2018
Doug, maybe there's someone else in your org who might have time to take a stab at this besides Dominic?
Jul 1
Almost 2 months after we submitted this bug, you still have no time to verify it? Please take time to look at it. We will disclose it after 90 days by default; if you have any problems reproducing it, please let us know. Thank you very much.
Jul 1
I attempted to reproduce this using the poc without any success this morning. puzzorsj@gmail.com: if I simply load the poc.html with the accessibility flag set, should I see a crash or something in the debugger? Or specifically, is this potential UAF triggerable without extra debugging tooling.
Jul 2
What version did you try? I just tried the latest version and it cannot be reproduced. But you can see, when we first opened this issue on May 3, the stable version at that time was 66.0.3359.1xx; on May 25, I could also reproduce this issue. To prove this, I uploaded a video in case you need it. The following is the shared link: https://drive.google.com/open?id=10CTYKFtVSR80P52WBKSlFv46EbCdbPAD
Jul 2
Yes, I could reproduce with the same version you used in your initial comment:
content.dll!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::LeastCommonAncestor(blink::WebAXObject node, ui::ClientTreeNode * client_node) Line 236 C++
content.dll!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::LeastCommonAncestor(blink::WebAXObject node) Line 269 C++
content.dll!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChanges(blink::WebAXObject node, ui::AXTreeUpdateBase<content::AXContentNodeData,content::AXContentTreeData> * out_update) Line 335 C++
content.dll!content::RenderAccessibilityImpl::SendPendingAccessibilityEvents() Line 453 C++
content.dll!content::RenderAccessibilityImpl::OnEventsAck(int ack_token) Line 637 C++
content.dll!base::DispatchToMethodImpl<content::RenderAccessibilityImpl *,void (content::RenderAccessibilityImpl::*)(int) __attribute__((thiscall)),std::tuple<int>,0>(content::RenderAccessibilityImpl * const & obj, void(content::RenderAccessibilityImpl::*)(int) method, std::tuple<int> && args, std::integer_sequence<unsigned int,0>) Line 53 C++
content.dll!base::DispatchToMethod<content::RenderAccessibilityImpl *,void (content::RenderAccessibilityImpl::*)(int) __attribute__((thiscall)),std::tuple<int> >(content::RenderAccessibilityImpl * const & obj, void(content::RenderAccessibilityImpl::*)(int) method, std::tuple<int> && args) Line 60 C++
content.dll!IPC::DispatchToMethod<content::RenderAccessibilityImpl,void (content::RenderAccessibilityImpl::*)(int) __attribute__((thiscall)),void,std::tuple<int> >(content::RenderAccessibilityImpl * obj, void(content::RenderAccessibilityImpl::*)(int) method, void *, std::tuple<int> && tuple) Line 51 C++
content.dll!IPC::MessageT<AccessibilityMsg_Events_ACK_Meta,std::tuple<int>,void>::Dispatch<content::RenderAccessibilityImpl,content::RenderAccessibilityImpl,void,void (content::RenderAccessibilityImpl::*)(int) __attribute__((thiscall))>(const IPC::Message * msg, content::RenderAccessibilityImpl * obj, content::RenderAccessibilityImpl * sender, void * parameter, void(content::RenderAccessibilityImpl::*)(int) func) Line 147 C++
content.dll!content::RenderAccessibilityImpl::OnMessageReceived(const IPC::Message & message) Line 188 C++
content.dll!content::RenderFrameImpl::OnMessageReceived(const IPC::Message & msg) Line 1719 C++
ipc.dll!IPC::MessageRouter::RouteMessage(const IPC::Message & msg) Line 56 C++
content.dll!content::ChildThreadImpl::ChildThreadMessageRouter::RouteMessage(const IPC::Message & msg) Line 363 C++
ipc.dll!IPC::MessageRouter::OnMessageReceived(const IPC::Message & msg) Line 48 C++
content.dll!content::ChildThreadImpl::OnMessageReceived(const IPC::Message & msg) Line 731 C++
content.dll!content::RenderThreadImpl::OnMessageReceived(const IPC::Message & msg) Line 1694 C++
ipc.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message) Line 320 C++
ipc.dll!base::internal::FunctorTraits<void (IPC::ChannelProxy::Context::*)(const IPC::Message &) __attribute__((thiscall)),void>::Invoke<const scoped_refptr<IPC::ChannelProxy::Context> &,const IPC::Message &>(void(IPC::ChannelProxy::Context::*)(const IPC::Message &) method, const scoped_refptr<IPC::ChannelProxy::Context> & receiver_ptr, const IPC::Message & args) Line 447 C++
ipc.dll!base::internal::InvokeHelper<0,void>::MakeItSo<void (IPC::ChannelProxy::Context::*const &)(const IPC::Message &) __attribute__((thiscall)),const scoped_refptr<IPC::ChannelProxy::Context> &,const IPC::Message &>(void(IPC::ChannelProxy::Context::*)(const IPC::Message &) & functor, const scoped_refptr<IPC::ChannelProxy::Context> & args, const IPC::Message & args) Line 530 C++
ipc.dll!base::internal::Invoker<base::internal::BindState<void (IPC::ChannelProxy::Context::*)(const IPC::Message &) __attribute__((thiscall)),scoped_refptr<IPC::ChannelProxy::Context>,IPC::Message>,void ()>::RunImpl<void (IPC::ChannelProxy::Context::*const &)(const IPC::Message &) __attribute__((thiscall)),const std::tuple<scoped_refptr<IPC::ChannelProxy::Context>,IPC::Message> &,0,1>(void(IPC::ChannelProxy::Context::*)(const IPC::Message &) & functor, const std::tuple<scoped_refptr<IPC::ChannelProxy::Context>,IPC::Message> & bound, std::integer_sequence<unsigned int,0,1>) Line 604 C++
ipc.dll!base::internal::Invoker<base::internal::BindState<void (IPC::ChannelProxy::Context::*)(const IPC::Message &) __attribute__((thiscall)),scoped_refptr<IPC::ChannelProxy::Context>,IPC::Message>,void ()>::Run(base::internal::BindStateBase * base) Line 586 C++
base.dll!base::OnceCallback<void ()>::Run() Line 95 C++
base.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task) Line 61 C++
blink_platform.dll!blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::Sequence::WorkType work_type) Line 162 C++
blink_platform.dll!base::internal::FunctorTraits<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::Sequence::WorkType) __attribute__((thiscall)),void>::Invoke<const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &,const blink::scheduler::internal::Sequence::WorkType &>(void(blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::Sequence::WorkType) method, const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> & receiver_ptr, const blink::scheduler::internal::Sequence::WorkType & args) Line 447 C++
blink_platform.dll!base::internal::InvokeHelper<1,void>::MakeItSo<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::Sequence::WorkType) __attribute__((thiscall)),const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &,const blink::scheduler::internal::Sequence::WorkType &>(void(blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::Sequence::WorkType) & functor, const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> & weak_ptr, const blink::scheduler::internal::Sequence::WorkType & args) Line 553 C++
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::Sequence::WorkType) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>,blink::scheduler::internal::Sequence::WorkType>,void ()>::RunImpl<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::Sequence::WorkType) __attribute__((thiscall)),const std::tuple<base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>,blink::scheduler::internal::Sequence::WorkType> &,0,1>(void(blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::Sequence::WorkType) & functor, const std::tuple<base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>,blink::scheduler::internal::Sequence::WorkType> & bound, std::integer_sequence<unsigned int,0,1>) Line 604 C++
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::Sequence::WorkType) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>,blink::scheduler::internal::Sequence::WorkType>,void ()>::Run(base::internal::BindStateBase * base) Line 586 C++
base.dll!base::OnceCallback<void ()>::Run() Line 95 C++
base.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task) Line 61 C++
base.dll!base::internal::IncomingTaskQueue::RunTask(base::PendingTask * pending_task) Line 124 C++
base.dll!base::MessageLoop::RunTask(base::PendingTask * pending_task) Line 395 C++
base.dll!base::MessageLoop::DeferOrRunPendingTask(base::PendingTask pending_task) Line 410 C++
base.dll!base::MessageLoop::DoWork() Line 451 C++
base.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate) Line 37 C++
base.dll!base::MessageLoop::Run(bool application_tasks_allowed) Line 346 C++
base.dll!base::RunLoop::Run() Line 133 C++
content.dll!content::RendererMain(const content::MainFunctionParams & parameters) Line 235 C++
content.dll!content::RunNamedProcessTypeMain(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & process_type, const content::MainFunctionParams & main_function_params, content::ContentMainDelegate * delegate) Line 423 C++
content.dll!content::ContentMainRunnerImpl::Run() Line 703 C++
content.dll!content::ContentServiceManagerMainDelegate::RunEmbedderProcess() Line 51 C++
embedder.dll!service_manager::Main(const service_manager::MainParams & params) Line 453 C++
content.dll!content::ContentMain(const content::ContentMainParams & params) Line 19 C++
chrome.dll!ChromeMain(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sandbox_info, __int64 exe_entry_point_ticks) Line 101 C++
chrome.exe!MainDllLoader::Launch(HINSTANCE__ * instance, base::TimeTicks exe_entry_point_ticks) Line 199 C++
chrome.exe!wWinMain(HINSTANCE__ * instance, HINSTANCE__ * prev, wchar_t *, int) Line 230 C++
This crash appears to be the same one as in Bug 704045.
Jul 2
Jul 2
Duplicate one? I have no permission to view issue 704045; could you please take a look at when that issue was opened?
Jul 3
The code change in that issue I mentioned is:
https://chromium.googlesource.com/chromium/src.git/+/898335c93b9fd3adfa8f9a75c1b65cd4c153161d
Jul 3
Thanks
Oct 9
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot