use-after-free in operator* (WebAudio thread)
Reported by
cdsrc2...@gmail.com,
Jun 15 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Steps to reproduce the problem:
Version 69.0.3451.0 (Developer Build) (64-bit)
use-after-free in operator* (WebAudio thread)
1. Get new version of chrome:
a) Build source code
configure the args.gn file as below:
use_sanitizer_coverage = true
is_asan = true
is_debug = false
enable_nacl = false
treat_warnings_as_errors = false
ninja -j16 -C out/chrome_asan chrome
2. python3.5m -m http.server 8605
3. Because of race issues, it is impossible to reproduce directly and stably. So I wrote a simple script (launcher.html) to achieve stable reproduction.
./chrome ./launcher.html
What is the expected behavior?
What went wrong?
4. Get UAF in 30s~10min; occasionally get sig11 0x00 or heap-buffer-overflow (hbo just reproduced once, so I didn't get a symbolised log).
The poc file and res files are not minimized files. There may be a lot of useless code. Please note that.
=================================================================
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002bb348 at pc 0x5633645de868 bp 0x7f6f5a4711d0 sp 0x7f6f5a4711c8
READ of size 8 at 0x6110002bb348 thread T19 (WebAudio thread)
#0 0x5633645de867 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13
#1 0x5633645de867 in blink::AudioWorkletHandler::SetProcessorOnRenderThread(blink::AudioWorkletProcessor*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_node.cc:173:0
#2 0x5633645b7f07 in blink::AudioWorkletMessagingProxy::CreateProcessorOnRenderingThread(blink::WorkerThread*, blink::AudioWorkletHandler*, WTF::String const&, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_messaging_proxy.cc:53:12
#3 0x5633645bad89 in Invoke<void (blink::AudioWorkletMessagingProxy::*)(blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>), const blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy> &, blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, const blink::MessagePortChannel &, const scoped_refptr<blink::SerializedScriptValue> &> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:507:12
#4 0x5633645bad89 in MakeItSo<void (blink::AudioWorkletMessagingProxy::*const &)(blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>), const blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy> &, blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, const blink::MessagePortChannel &, const scoped_refptr<blink::SerializedScriptValue> &> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:607:0
#5 0x5633645bad89 in RunImpl<void (blink::AudioWorkletMessagingProxy::*const &)(blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>), const std::__1::tuple<blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy>, WTF::CrossThreadUnretainedWrapper<blink::WorkerThread>, WTF::CrossThreadUnretainedWrapper<blink::AudioWorkletHandler>, WTF::String, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue> > &, 0, 1, 2, 3, 4, 5> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:681:0
#6 0x5633645bad89 in base::internal::Invoker<base::internal::BindState<void (blink::AudioWorkletMessagingProxy::*)(blink::WorkerThread*, blink::AudioWorkletHandler*, WTF::String const&, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>), blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy>, WTF::CrossThreadUnretainedWrapper<blink::WorkerThread>, WTF::CrossThreadUnretainedWrapper<blink::AudioWorkletHandler>, WTF::String, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue> >, void ()>::Run(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:663:0
#7 0x56335ed0ada5 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:136:12
#8 0x56335ed0ada5 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/wtf/functional.h:320:0
#9 0x56335ed0ada5 in blink::(anonymous namespace)::RunCrossThreadClosure(WTF::CrossThreadFunction<void ()>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/web_task_runner.cc:15:0
#10 0x56335ed0bc2d in Invoke<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:407:12
#11 0x56335ed0bc2d in MakeItSo<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:607:0
#12 0x56335ed0bc2d in RunImpl<void (*)(WTF::CrossThreadFunction<void ()>), std::__1::tuple<WTF::CrossThreadFunction<void ()> >, 0> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:681:0
#13 0x56335ed0bc2d in base::internal::Invoker<base::internal::BindState<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> >, void ()>::RunOnce(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:649:0
#14 0x5633560f52d8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#15 0x5633560f52d8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#16 0x563355039297 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
#17 0x5633560f52d8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#18 0x5633560f52d8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#19 0x563356154a12 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#20 0x563356155c8f in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#21 0x563356155c8f in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#22 0x56335615e5ef in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#23 0x5633561cfdc0 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
#24 0x56335625a000 in base::Thread::ThreadMain() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/thread.cc:337:3
#25 0x563356313050 in base::(anonymous namespace)::ThreadFunc(void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/platform_thread_posix.cc:76:13
#26 0x7f6f84c026b9 in start_thread ??:0:0
0x6110002bb348 is located 200 bytes inside of 208-byte region [0x6110002bb280,0x6110002bb350)
freed by thread T0 (chrome) here:
#0 0x56334eb15e02 in __interceptor_free _asan_rtl_:3
#1 0x5633645e2b20 in DeleteInternal<blink::AudioHandler> /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/wtf/thread_safe_ref_counted.h:64:5
#2 0x5633645e2b20 in Destruct /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/wtf/thread_safe_ref_counted.h:44:0
#3 0x5633645e2b20 in Release /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/ref_counted.h:387:0
#4 0x5633645e2b20 in Release /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:280:0
#5 0x5633645e2b20 in ~scoped_refptr /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:208:0
#6 0x5633645e2b20 in ~AudioNode /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_node.h:313:0
#7 0x5633645e2b20 in blink::AudioWorkletNode::~AudioWorkletNode() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_node.h:90:0
#8 0x563354ecd444 in Finalize /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/heap_page.cc:103:5
#9 0x563354ecd444 in blink::NormalPage::Sweep() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/heap_page.cc:1370:0
#10 0x563354ec6c10 in SweepUnsweptPage /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/heap_page.cc:290:11
#11 0x563354ec6c10 in blink::BaseArena::CompleteSweep() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/heap_page.cc:345:0
#12 0x563354eb2647 in blink::ThreadHeap::CompleteSweep() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/heap.cc:539:17
#13 0x563354eda42d in blink::ThreadState::CompleteSweep() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/thread_state.cc:988:12
#14 0x563354ee8c31 in blink::ThreadState::RunAtomicPause(blink::BlinkGC::StackState, blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType, blink::BlinkGC::GCReason) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/thread_state.cc:1533:5
#15 0x563354edae35 in blink::ThreadState::CollectGarbage(blink::BlinkGC::StackState, blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType, blink::BlinkGC::GCReason) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/thread_state.cc:1462:5
#16 0x56336026a3a4 in blink::V8GCController::GcEpilogue(v8::Isolate*, v8::GCType, v8::GCCallbackFlags) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/bindings/core/v8/v8_gc_controller.cc:270:29
#17 0x563354091e86 in CallGCEpilogueCallbacks /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:1841:7
#18 0x563354091e86 in v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:1810:0
#19 0x56335408bb26 in v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:1395:11
#20 0x5633540a7b7d in CollectAllGarbage /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:1156:3
#21 0x5633540a7b7d in v8::internal::Heap::CollectGarbageOnMemoryPressure() /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:3399:0
#22 0x563354088146 in v8::internal::Heap::CheckMemoryPressure() /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:3377:5
#23 0x56335361bf88 in v8::Isolate::MemoryPressureNotification(v8::MemoryPressureLevel) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/api.cc:8764:20
#24 0x563363c1ddab in content::RenderThreadImpl::OnTrimMemoryImmediately() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_thread_impl.cc:2518:33
#25 0x563363c1d0f7 in content::RenderThreadImpl::OnPurgeMemory() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_thread_impl.cc:2334:3
#26 0x563356143e05 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:125:12
#27 0x563356143e05 in base::ObserverListThreadSafe<base::MemoryCoordinatorClient>::NotifyWrapper(base::MemoryCoordinatorClient*, base::ObserverListThreadSafe<base::MemoryCoordinatorClient>::NotificationData const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/observer_list_threadsafe.h:215:0
#28 0x5633560f52d8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#29 0x5633560f52d8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#30 0x563355039297 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
#31 0x5633560f52d8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#32 0x5633560f52d8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#33 0x563356154a12 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#34 0x563356155c8f in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#35 0x563356155c8f in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#36 0x56335615e5ef in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#37 0x5633561cfdc0 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
#38 0x56336503b635 in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:218:23
#39 0x563355691695 in content::RunZygote(content::ContentMainDelegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:567:14
#40 0x56335569518d in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:969:10
#41 0x5633556b4c63 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:459:29
#42 0x56335568fca7 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
#43 0x56334eb456ef in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
previously allocated by thread T0 (chrome) here:
#0 0x56334eb16143 in __interceptor_malloc _asan_rtl_:3
#1 0x5633645dc383 in PartitionAllocGenericFlags /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/allocator/partition_allocator/partition_alloc.h:318:18
#2 0x5633645dc383 in Alloc /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/allocator/partition_allocator/partition_alloc.h:338:0
#3 0x5633645dc383 in FastMalloc /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/wtf/allocator/partitions.h:121:0
#4 0x5633645dc383 in operator new /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/wtf/thread_safe_ref_counted.h:54:0
#5 0x5633645dc383 in blink::AudioWorkletHandler::Create(blink::AudioNode&, float, WTF::String, WTF::HashMap<WTF::String, scoped_refptr<blink::AudioParamHandler>, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<scoped_refptr<blink::AudioParamHandler> >, WTF::PartitionAllocator>, blink::AudioWorkletNodeOptions const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_node.cc:78:0
#6 0x5633645dfaf7 in blink::AudioWorkletNode::AudioWorkletNode(blink::BaseAudioContext&, WTF::String const&, blink::AudioWorkletNodeOptions const&, WTF::Vector<blink::CrossThreadAudioParamInfo, 0ul, WTF::PartitionAllocator>, blink::MessagePort*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_node.cc:243:14
#7 0x5633645e0754 in blink::AudioWorkletNode::Create(blink::ScriptState*, blink::BaseAudioContext*, WTF::String const&, blink::AudioWorkletNodeOptions const&, blink::ExceptionState&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_node.cc:321:11
#8 0x5633645f9386 in constructor /home/cowboy/chromium/src/out/chrome_asan_shared/gen/third_party/blink/renderer/bindings/modules/v8/v8_audio_worklet_node.cc:169:28
#9 0x5633645f9386 in blink::V8AudioWorkletNode::constructorCallback(v8::FunctionCallbackInfo<v8::Value> const&) /home/cowboy/chromium/src/out/chrome_asan_shared/gen/third_party/blink/renderer/bindings/modules/v8/v8_audio_worklet_node.cc:226:0
#10 0x563353730515 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/api-arguments-inl.h:94:3
#11 0x56335372cdc2 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<true>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/builtins/builtins-api.cc:109:36
#12 0x56335372b79d in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/builtins/builtins-api.cc:135:5
#8 0x7e99b7d588fc (<unknown module>)
#9 0x7e99b7d0a305 (<unknown module>)
#10 0x7e99b7d8bbc9 (<unknown module>)
#11 0x7e99b7d0ea44 (<unknown module>)
#12 0x7e99b7d07805 (<unknown module>)
#13 0x7e99b7d3f350 (<unknown module>)
#14 0x7e99b7d1ca4b (<unknown module>)
#15 0x7e99b7d04d00 (<unknown module>)
#13 0x563353fb238b in Call /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/simulator.h:113:12
#14 0x563353fb238b in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/execution.cc:155:0
#15 0x563353fb2bc3 in CallInternal /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/execution.cc:191:10
#16 0x563353fb2bc3 in v8::internal::Execution::TryCall(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Execution::MessageHandling, v8::internal::MaybeHandle<v8::internal::Object>*, v8::internal::Execution::Target) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/execution.cc:241:0
#17 0x563353fb2eec in v8::internal::Execution::RunMicrotasks(v8::internal::Isolate*, v8::internal::Execution::MessageHandling, v8::internal::MaybeHandle<v8::internal::Object>*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/execution.cc:272:10
#18 0x5633542f7fac in v8::internal::Isolate::RunMicrotasks() /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/isolate.cc:3925:40
#19 0x56336024b65e in blink::Microtask::PerformCheckpoint(v8::Isolate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/bindings/microtask.cc:44:3
#20 0x563363c2ea5c in blink::(anonymous namespace)::EndOfTaskRunner::DidProcessTask() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/controller/blink_initializer.cc:69:5
#21 0x563355030519 in base::sequence_manager::TaskQueueManagerImpl::NotifyDidProcessTask(base::sequence_manager::TaskQueueManagerImpl::ExecutingTask const&, base::sequence_manager::LazyNow*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/task_queue_manager_impl.cc:502:16
#22 0x563355031f66 in DidRunTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/task_queue_manager_impl.cc:364:3
#23 0x563355031f66 in non-virtual thunk to base::sequence_manager::TaskQueueManagerImpl::DidRunTask() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/task_queue_manager_impl.cc:0:0
#24 0x56335503931c in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:171:16
#25 0x5633560f52d8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#26 0x5633560f52d8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#27 0x563356154a12 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#28 0x563356155c8f in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#29 0x563356155c8f in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#30 0x56335615e5ef in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#31 0x5633561cfdc0 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
Thread T19 (WebAudio thread) created by T0 (chrome) here:
#0 0x56334eafeb7d in __interceptor_pthread_create _asan_rtl_:3
#1 0x5633563122ca in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/platform_thread_posix.cc:115:13
#2 0x5633562592c5 in base::Thread::StartWithOptions(base::Thread::Options const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/thread.cc:112:15
#3 0x563355049463 in blink::scheduler::WebThreadImplForWorkerScheduler::WebThreadImplForWorkerScheduler(blink::WebThreadCreationParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/child/webthread_impl_for_worker_scheduler.cc:30:27
#4 0x563355048753 in make_unique<blink::scheduler::WebThreadImplForWorkerScheduler, const blink::WebThreadCreationParams &> /home/cowboy/chromium/src/out/chrome_asan_shared/../../buildtools/third_party/libc++/trunk/include/memory:3114:32
#5 0x563355048753 in blink::scheduler::WebThreadBase::CreateWorkerThread(blink::WebThreadCreationParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/child/webthread_base.cc:134:0
#6 0x56335e8dea45 in content::BlinkPlatformImpl::CreateWebAudioThread() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/child/blink_platform_impl.cc:385:7
#7 0x5633645bd769 in EnsureSharedBackingThread /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_thread.cc:79:46
#8 0x5633645bd769 in AudioWorkletThread /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_thread.cc:45:0
#9 0x5633645bd769 in blink::AudioWorkletThread::Create(blink::ThreadableLoadingContext*, blink::WorkerReportingProxy&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_thread.cc:36:0
#10 0x5633645b8d03 in blink::AudioWorkletMessagingProxy::CreateWorkerThread() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_messaging_proxy.cc:96:10
#11 0x563362494b0a in blink::ThreadedMessagingProxyBase::InitializeWorkerThread(std::__1::unique_ptr<blink::GlobalScopeCreationParams, std::__1::default_delete<blink::GlobalScopeCreationParams> >, base::Optional<blink::WorkerBackingThreadStartupData> const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/workers/threaded_messaging_proxy_base.cc:95:20
#12 0x563364604a77 in blink::ThreadedWorkletMessagingProxy::Initialize(blink::WorkerClients*, blink::WorkletModuleResponsesMap*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/workers/threaded_worklet_messaging_proxy.cc:70:3
#13 0x5633645b61a1 in blink::AudioWorklet::CreateGlobalScope() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet.cc:82:10
#14 0x5633624dbae8 in blink::Worklet::FetchAndInvokeScript(blink::KURL const&, blink::WorkletOptions const&, blink::WorkletPendingTasks*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/workers/worklet.cc:145:24
#15 0x5633560f52d8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#16 0x5633560f52d8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#17 0x563355039297 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
#18 0x5633560f52d8 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#19 0x5633560f52d8 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#20 0x563356154a12 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#21 0x563356155c8f in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#22 0x563356155c8f in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#23 0x56335615e5ef in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#24 0x5633561cfdc0 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
#25 0x56336503b635 in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:218:23
#26 0x563355691695 in content::RunZygote(content::ContentMainDelegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:567:14
#27 0x56335569518d in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:969:10
#28 0x5633556b4c63 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:459:29
#29 0x56335568fca7 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
#30 0x56334eb456ef in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
#31 0x7f6f7de6c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0
SUMMARY: AddressSanitizer: heap-use-after-free (/home/cowboy/chromium/src/out/chrome_asan_shared/chrome+0x1d59a867)
Shadow bytes around the buggy address:
0x0c228004f610: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c228004f620: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c228004f630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c228004f640: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c228004f650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c228004f660: fd fd fd fd fd fd fd fd fd[fd]fa fa fa fa fa fa
0x0c228004f670: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c228004f680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c228004f690: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c228004f6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c228004f6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1==ABORTING
Received signal 6
#0 0x56334eabbc31 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3980:13
#1 0x5633562e3d1e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x5633562e2c6d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7f6f84c0c390 in __funlockfile ??:?
#4 0x7f6f84c0c390 in ?? ??:0
#5 0x7f6f7de81428 in gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
#6 0x7f6f7de8302a in abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:89:0
#7 0x56334eb313f7 in __sanitizer::Abort() /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:151:3
#8 0x56334eb2fe61 in __sanitizer::Die() /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:59:5
#9 0x56334eb1c279 in __asan::ScopedInErrorReport::~ScopedInErrorReport() _asan_rtl_:7
#10 0x56334eb1b773 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) _asan_rtl_:1
#11 0x56334eb1c63b in __asan_report_load8 _asan_rtl_:1
#12 0x5633645de868 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13
#13 0x5633645de868 in blink::AudioWorkletHandler::SetProcessorOnRenderThread(blink::AudioWorkletProcessor*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_node.cc:173:0
#14 0x5633645b7f08 in blink::AudioWorkletMessagingProxy::CreateProcessorOnRenderingThread(blink::WorkerThread*, blink::AudioWorkletHandler*, WTF::String const&, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_messaging_proxy.cc:53:12
#15 0x5633645bad8a in Invoke<void (blink::AudioWorkletMessagingProxy::*)(blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>), const blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy> &, blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, const blink::MessagePortChannel &, const scoped_refptr<blink::SerializedScriptValue> &> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:507:12
#16 0x5633645bad8a in MakeItSo<void (blink::AudioWorkletMessagingProxy::*const &)(blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>), const blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy> &, blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, const blink::MessagePortChannel &, const scoped_refptr<blink::SerializedScriptValue> &> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:607:0
#17 0x5633645bad8a in RunImpl<void (blink::AudioWorkletMessagingProxy::*const &)(blink::WorkerThread *, blink::AudioWorkletHandler *, const WTF::String &, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>), const std::__1::tuple<blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy>, WTF::CrossThreadUnretainedWrapper<blink::WorkerThread>, WTF::CrossThreadUnretainedWrapper<blink::AudioWorkletHandler>, WTF::String, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue> > &, 0, 1, 2, 3, 4, 5> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:681:0
#18 0x5633645bad8a in base::internal::Invoker<base::internal::BindState<void (blink::AudioWorkletMessagingProxy::*)(blink::WorkerThread*, blink::AudioWorkletHandler*, WTF::String const&, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue>), blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy>, WTF::CrossThreadUnretainedWrapper<blink::WorkerThread>, WTF::CrossThreadUnretainedWrapper<blink::AudioWorkletHandler>, WTF::String, blink::MessagePortChannel, scoped_refptr<blink::SerializedScriptValue> >, void ()>::Run(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:663:0
#19 0x56335ed0ada6 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:136:12
#20 0x56335ed0ada6 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/wtf/functional.h:320:0
#21 0x56335ed0ada6 in blink::(anonymous namespace)::RunCrossThreadClosure(WTF::CrossThreadFunction<void ()>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/web_task_runner.cc:15:0
#22 0x56335ed0bc2e in Invoke<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:407:12
#23 0x56335ed0bc2e in MakeItSo<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:607:0
#24 0x56335ed0bc2e in RunImpl<void (*)(WTF::CrossThreadFunction<void ()>), std::__1::tuple<WTF::CrossThreadFunction<void ()> >, 0> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:681:0
#25 0x56335ed0bc2e in base::internal::Invoker<base::internal::BindState<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> >, void ()>::RunOnce(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:649:0
#26 0x5633560f52d9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#27 0x5633560f52d9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#28 0x563355039298 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
#29 0x5633560f52d9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#30 0x5633560f52d9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#31 0x563356154a13 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#32 0x563356155c90 in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#33 0x563356155c90 in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#34 0x56335615e5f0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#35 0x5633561cfdc1 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
#36 0x56335625a001 in base::Thread::ThreadMain() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/thread.cc:337:3
#37 0x563356313051 in base::(anonymous namespace)::ThreadFunc(void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/platform_thread_posix.cc:76:13
#38 0x7f6f84c026ba in start_thread ??:0:0
#39 0x7f6f7df5341d in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109:0
r8: 000000000000d578 r9: 0000000000000000 r10: 0000000000000008 r11: 0000000000000202
r12: 0000000000000000 r13: 00007f6f5a4711c8 r14: 00007f6f5a471170 r15: 0000563368324758
di: 0000000000000001 si: 0000000000000014 bp: 00007f6f5a4711a0 bx: 00005633682922a0
dx: 0000000000000006 ax: 0000000000000000 cx: 00007f6f7de81428 sp: 00007f6f5a470328
ip: 00007f6f7de81428 efl: 0000000000000202 cgf: 002b000000000033 erf: 0000000000000000
trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Did this work before? N/A
Chrome version: Version 69.0.3451.0 (Developer Build) (64-bit) Channel: dev
OS Version: Ubuntu16.04
Flash Version:
,
Jun 15 2018
I can repro crashes... I get a use-after-poison, but different from yours.
==1==ERROR: AddressSanitizer: use-after-poison on address 0x7eeaa4433cb0 at pc 0x5572e2f7856b bp 0x7fffbaa39400 sp 0x7fffbaa393f8
READ of size 8 at 0x7eeaa4433cb0 thread T0 (chrome)
#0 0x5572e2f7856a in operator blink::ExecutionContext * ./../../third_party/blink/renderer/platform/heap/member.h:88:32
#1 0x5572e2f7856a in LifecycleContext ./../../third_party/blink/renderer/platform/lifecycle_observer.h:44:0
#2 0x5572e2f7856a in GetExecutionContext ./../../third_party/blink/renderer/core/dom/context_lifecycle_observer.h:71:0
#3 0x5572e2f7856a in blink::BaseAudioContext::GetExecutionContext() const ./../../third_party/blink/renderer/modules/webaudio/base_audio_context.cc:843:0
#4 0x5572e3052829 in blink::AudioWorkletHandler::NotifyProcessorError(blink::AudioWorkletProcessorErrorState) ./../../third_party/blink/renderer/modules/webaudio/audio_worklet_node.cc:205:33
#5 0x5572dc9d8944 in Run ./../../base/callback.h:136:12
#6 0x5572dc9d8944 in Run ./../../third_party/blink/renderer/platform/wtf/functional.h:320:0
#7 0x5572dc9d8944 in blink::(anonymous namespace)::RunCrossThreadClosure(WTF::CrossThreadFunction<void ()>) ./../../third_party/blink/renderer/platform/web_task_runner.cc:15:0
#8 0x5572dc9d98b4 in Invoke<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > ./../../base/bind_internal.h:407:12
#9 0x5572dc9d98b4 in MakeItSo<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > ./../../base/bind_internal.h:607:0
#10 0x5572dc9d98b4 in RunImpl<void (*)(WTF::CrossThreadFunction<void ()>), std::__1::tuple<WTF::CrossThreadFunction<void ()> >, 0> ./../../base/bind_internal.h:681:0
#11 0x5572dc9d98b4 in base::internal::Invoker<base::internal::BindState<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> >, void ()>::RunOnce(base::internal::BindStateBase*) ./../../base/bind_internal.h:649:0
#12 0x5572d252b1dd in Run ./../../base/callback.h:96:12
#13 0x5572d252b1dd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:101:0
#14 0x5572d1189cc5 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) ./../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
#15 0x5572d252b1dd in Run ./../../base/callback.h:96:12
#16 0x5572d252b1dd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:101:0
#17 0x5572d259a069 in base::MessageLoop::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop.cc:319:25
#18 0x5572d259b5f2 in DeferOrRunPendingTask ./../../base/message_loop/message_loop.cc:329:5
#19 0x5572d259b5f2 in base::MessageLoop::DoWork() ./../../base/message_loop/message_loop.cc:373:0
#20 0x5572d25a58bb in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_default.cc:37:31
#21 0x5572d262a971 in base::RunLoop::Run() ./../../base/run_loop.cc:102:14
#22 0x5572e3c05800 in content::RendererMain(content::MainFunctionParams const&) ./../../content/renderer/renderer_main.cc:218:23
#23 0x5572d18f9cd7 in content::RunZygote(content::ContentMainDelegate*) ./../../content/app/content_main_runner_impl.cc:568:14
#24 0x5572d18fe28c in content::ContentMainRunnerImpl::Run() ./../../content/app/content_main_runner_impl.cc:988:10
#25 0x5572d19231c4 in service_manager::Main(service_manager::MainParams const&) ./../../services/service_manager/embedder/main.cc:459:29
#26 0x5572d18f7cb7 in content::ContentMain(content::ContentMainParams const&) ./../../content/app/content_main.cc:19:10
#27 0x5572c9be3113 in ChromeMain ./../../chrome/app/chrome_main.cc:101:12
#28 0x7efcd33cb2b0 in __libc_start_main ??:0:0
It seems a lot of renderers are being launched and killed as part of your testcase. Some kind of race is happening here.
I'll see if I can persuade CF to repro this, but in the meantime, do you know a regression range - does this happen on M67 stable?
Assigning to hongchan@chromium.org to take a look.
,
Jun 15 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4806500690952192.
,
Jun 15 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5484611736698880.
,
Jun 15 2018
Ah, the crash log looks like my other issue (https://bugs.chromium.org/p/chromium/issues/detail?id=848306). I just tested in the range 68.0.3430.0 (UAP) to 69.0.3451.0 (UAF).
,
Jun 15 2018
Re #5: It seems so. I think it comes from the same root cause.
,
Jun 15 2018
If this is the same root cause, then please dup into issue 848306.
,
Jun 15 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6280598830972928.
,
Jun 15 2018
Are you really sure? The backtraces in the report and from c#2 seem quite different.
,
Jun 15 2018
See this part:
#3 0x5572e2f7856a in blink::BaseAudioContext::GetExecutionContext() const ./../../third_party/blink/renderer/modules/webaudio/base_audio_context.cc:843:0
#4 0x5572e3052829 in blink::AudioWorkletHandler::NotifyProcessorError(blink::AudioWorkletProcessorErrorState)
So basically this happens when the main thread performs the Notify* function after being requested via CrossThreadPostTask from the other thread. The stack traces are not identical, but it is exactly the same pattern.
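The lifetime hazard described in the comment above, as an added illustration that is not part of the original thread and not Chromium code: in the reporter's backtrace the rendering-thread task is bound with WTF::CrossThreadUnretainedWrapper<blink::AudioWorkletHandler>, so nothing keeps the handler alive between the moment the task is posted and the moment it dereferences the handler's members. The example below models that with a deterministic single-threaded task queue (so it shows the ordering hazard, not the real thread interleaving), a simulated allocator "live set" standing in for AddressSanitizer's freed-chunk bookkeeping instead of actually touching freed memory, and contrasts the unretained pointer with a weak reference that the task re-validates before use. Handler, TaskRunner, LiveSet and the Post*/Outcome names are hypothetical and chosen for the example; the weak-reference variant is a generic defensive pattern, not the fix the project applied.

```cpp
// Added example (not Chromium code): a posted task that holds an unretained
// pointer to an object whose owner may tear it down before the task runs.
#include <functional>
#include <memory>
#include <queue>
#include <set>
#include <string>
#include <utility>

// Stand-in for the allocator's view of which objects are still allocated,
// so the "bad" path can be detected without undefined behaviour.
struct LiveSet {
  std::set<const void*> live;
  bool is_live(const void* p) const { return live.count(p) != 0; }
};
static LiveSet g_live;

// Stand-in for AudioWorkletHandler: the object the queued task dereferences.
struct Handler {
  std::string name;
  int processor_set = 0;
  explicit Handler(std::string n) : name(std::move(n)) { g_live.live.insert(this); }
  ~Handler() { g_live.live.erase(this); }
  void SetProcessor() { ++processor_set; }
};

// Stand-in for a task runner: tasks execute later, in FIFO order.
struct TaskRunner {
  std::queue<std::function<void()>> tasks;
  void Post(std::function<void()> t) { tasks.push(std::move(t)); }
  void RunAll() {
    while (!tasks.empty()) {
      auto t = std::move(tasks.front());
      tasks.pop();
      t();
    }
  }
};

enum class Outcome { kRan, kSkipped, kUseAfterFree };

// Pattern from the report: the task carries a raw (unretained) pointer and the
// owner destroys the handler before the task gets to run.
Outcome PostUnretainedThenDestroy() {
  TaskRunner runner;
  Outcome result = Outcome::kSkipped;
  auto handler = std::make_unique<Handler>("worklet");
  Handler* raw = handler.get();
  runner.Post([raw, &result] {
    // Without a sanitizer this would be a read of freed memory; the live-set
    // check stands in for ASan's heap-use-after-free report.
    if (!g_live.is_live(raw)) {
      result = Outcome::kUseAfterFree;
      return;
    }
    raw->SetProcessor();
    result = Outcome::kRan;
  });
  handler.reset();  // owner tears the handler down while the task is in flight
  runner.RunAll();  // the queued task now runs against a dead object
  return result;
}

// Defensive pattern: the task holds a weak reference and re-validates it on the
// thread that runs it; a dead target is skipped instead of dereferenced.
Outcome PostWeakThenDestroy() {
  TaskRunner runner;
  Outcome result = Outcome::kSkipped;
  auto handler = std::make_shared<Handler>("worklet");
  std::weak_ptr<Handler> weak = handler;
  runner.Post([weak, &result] {
    if (auto strong = weak.lock()) {
      strong->SetProcessor();
      result = Outcome::kRan;
    } else {
      result = Outcome::kSkipped;
    }
  });
  handler.reset();  // last strong reference dropped before the task runs
  runner.RunAll();
  return result;
}

// Same weak pattern with the owner still alive: the task runs normally.
Outcome PostWeakOwnerAlive() {
  TaskRunner runner;
  Outcome result = Outcome::kSkipped;
  auto handler = std::make_shared<Handler>("worklet");
  std::weak_ptr<Handler> weak = handler;
  runner.Post([weak, &result] {
    if (auto strong = weak.lock()) {
      strong->SetProcessor();
      result = Outcome::kRan;
    }
  });
  runner.RunAll();
  return handler->processor_set == 1 ? result : Outcome::kSkipped;
}
```

The weak-reference check only closes the window if the lock-and-use happens on the thread that also owns destruction (or destruction is itself sequenced onto that thread); a weak pointer consulted on a different thread than the one that frees the object just narrows the race rather than removing it, which is why the second trace in this thread (NotifyProcessorError hopping back to the main thread) shows the same pattern in the other direction.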
,
Oct 27
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by wfh@chromium.org
Jun 15 2018
Components: Blink>WebAudio
Labels: -Pri-2 Pri-1
Status: Untriaged (was: Unconfirmed)