
Issue 854355 link

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 851854
Owner: ----
Closed: Jul 23
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug




ASan reports use-after-free on Windows in ExtensionInstalledBubbleBrowserTest.InvokeUi_* tests

Project Member Reported by r...@chromium.org, Jun 19 2018

Issue description

Various ExtensionInstalledBubbleBrowserTest tests fail:
ExtensionInstalledBubbleBrowserTest.InvokeUi_PageAction
ExtensionInstalledBubbleBrowserTest.InvokeUi_Omnibox
ExtensionInstalledBubbleBrowserTest.InvokeUi_SignInPromo
ExtensionInstalledBubbleBrowserTest.InvokeUi_BrowserAction
ExtensionInstalledBubbleBrowserTest.InvokeUi_NoAction
ExtensionInstalledBubbleBrowserTest.InvokeUi_InstalledByDefault

Example build:
https://ci.chromium.org/buildbot/chromium.clang/CrWinAsan/800

I think this is a real memory bug. ASan gives a relatively understandable UAF report:

==7200==ERROR: AddressSanitizer: heap-use-after-free on address 0x11cdb6d58b68 at pc 0x7ff685100ea2 bp 0x0032198f8260 sp 0x0032198f8268
    #0 0x7ff685100ea1 in ExtensionInstalledBubbleView::GetWindowTitle C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\extensions\extension_installed_bubble_view.cc:219
    #1 0x7ff678038bb5 in SkFontMgr::legacyMakeTypeface C:\b\c\b\CrWinAsan\src\third_party\skia\src\core\SkFontMgr.cpp:164
    #2 0x7ff6833b3661 in views::internal::RootView::GetAccessibleNodeData C:\b\c\b\CrWinAsan\src\ui\views\widget\root_view.cc:601
    #3 0x7ff67f565e54 in views::ViewAccessibility::GetAccessibleNodeData C:\b\c\b\CrWinAsan\src\ui\views\accessibility\view_accessibility.cc:62
    #4 0x7ff682c25c61 in `anonymous namespace'::DoesViewHaveAccessibilityErrorsRecursive C:\b\c\b\CrWinAsan\src\chrome\test\views\accessibility_checker.cc:101
    #5 0x7ff682c25873 in AddFailureOnWidgetAccessibilityError C:\b\c\b\CrWinAsan\src\chrome\test\views\accessibility_checker.cc:118
    #6 0x7ff67f6291e3 in views::Widget::OnNativeWidgetVisibilityChanged C:\b\c\b\CrWinAsan\src\ui\views\widget\widget.cc:1063
    #7 0x7ff68732e4ff in views::HWNDMessageHandler::OnWindowPosChanged C:\b\c\b\CrWinAsan\src\ui\views\win\hwnd_message_handler.cc:2665
    #8 0x7ff68731a39e in views::HWNDMessageHandler::_ProcessWindowMessage C:\b\c\b\CrWinAsan\src\ui\views\win\hwnd_message_handler.h:414
    #9 0x7ff687315bc9 in views::HWNDMessageHandler::OnWndProc C:\b\c\b\CrWinAsan\src\ui\views\win\hwnd_message_handler.cc:935
    #10 0x7ff683804d16 in base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc> C:\b\c\b\CrWinAsan\src\base\win\wrapped_window_proc.h:76
    #11 0x7ffb373dbc4f in CallWindowProcW+0x4cf (C:\Windows\System32\USER32.dll+0x18000bc4f)
    #12 0x7ffb373db94b in CallWindowProcW+0x1cb (C:\Windows\System32\USER32.dll+0x18000b94b)
    #13 0x7ffb373f3e7f in IsThreadMessageQueueAttached+0x3f (C:\Windows\System32\USER32.dll+0x180023e7f)
    #14 0x7ffb393790a3 in KiUserCallbackDispatcher+0x23 (C:\Windows\SYSTEM32\ntdll.dll+0x1800a90a3)
    #15 0x7ffb367c23c3 in NtUserDestroyWindow+0x13 (C:\Windows\System32\win32u.dll+0x1800023c3)
    #16 0x7ff67f6256bf in views::Widget::CloseNow C:\b\c\b\CrWinAsan\src\ui\views\widget\widget.cc:602
    #17 0x7ff67eb3ac41 in base::debug::TaskAnnotator::RunTask C:\b\c\b\CrWinAsan\src\base\debug\task_annotator.cc:101
    #18 0x7ff67ebb0f9d in base::MessageLoop::RunTask C:\b\c\b\CrWinAsan\src\base\message_loop\message_loop.cc:319
    #19 0x7ff67ebb2387 in base::MessageLoop::DoWork C:\b\c\b\CrWinAsan\src\base\message_loop\message_loop.cc:373
    #20 0x7ff67ebb6c10 in base::MessagePumpForUI::DoRunLoop C:\b\c\b\CrWinAsan\src\base\message_loop\message_pump_win.cc:173
    #21 0x7ff67ebb57b8 in base::MessagePumpWin::Run C:\b\c\b\CrWinAsan\src\base\message_loop\message_pump_win.cc:56
    #22 0x7ff67ec39344 in base::RunLoop::Run C:\b\c\b\CrWinAsan\src\base\run_loop.cc:102
    #23 0x7ff6767274db in TestBrowserDialog::DismissUi C:\b\c\b\CrWinAsan\src\chrome\browser\ui\test\test_browser_dialog.cc:123
    #24 0x7ff6767294ab in TestBrowserUi::ShowAndVerifyUi C:\b\c\b\CrWinAsan\src\chrome\browser\ui\test\test_browser_ui.cc:40
    #25 0x7ff67eead514 in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop C:\b\c\b\CrWinAsan\src\content\public\test\browser_test_base.cc:409
    #26 0x7ff682c34516 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:1996
    #27 0x7ff682c30ea5 in ChromeBrowserMainParts::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:1380
    #28 0x7ff67a399abc in content::BrowserMainLoop::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:961
    #29 0x7ff67b1ceda1 in content::StartupTaskRunner::RunAllTasksNow C:\b\c\b\CrWinAsan\src\content\browser\startup_task_runner.cc:43
    #30 0x7ff67a394e5f in content::BrowserMainLoop::CreateStartupTasks C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:872
    #31 0x7ff67a3a1740 in content::BrowserMainRunnerImpl::Initialize C:\b\c\b\CrWinAsan\src\content\browser\browser_main_runner_impl.cc:148
    #32 0x7ff67a38e2c6 in content::BrowserMain C:\b\c\b\CrWinAsan\src\content\browser\browser_main.cc:47
    #33 0x7ff67e9e0ca0 in content::RunBrowserProcessMain C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:621
    #34 0x7ff67e9e2d1e in content::ContentMainRunnerImpl::Run C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:983
    #35 0x7ff68046f7ea in service_manager::Main C:\b\c\b\CrWinAsan\src\services\service_manager\embedder\main.cc:459
    #36 0x7ff67e9e0996 in content::ContentMain C:\b\c\b\CrWinAsan\src\content\app\content_main.cc:19
    #37 0x7ff67eeac6c3 in content::BrowserTestBase::SetUp C:\b\c\b\CrWinAsan\src\content\public\test\browser_test_base.cc:325
    #38 0x7ff67ed9ee86 in InProcessBrowserTest::SetUp C:\b\c\b\CrWinAsan\src\chrome\test\base\in_process_browser_test.cc:248
    #39 0x7ff677ec6996 in testing::Test::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2487
    #40 0x7ff677ec8582 in testing::TestInfo::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2667
    #41 0x7ff677ec9621 in testing::TestCase::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2785
    #42 0x7ff677ee159d in testing::internal::UnitTestImpl::RunAllTests C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:5047
    #43 0x7ff677ee0ae5 in testing::UnitTest::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:4663
    #44 0x7ff67eddcc29 in base::TestSuite::Run C:\b\c\b\CrWinAsan\src\base\test\test_suite.cc:275
    #45 0x7ff68e3c3c97 in ChromeTestSuiteRunner::RunTestSuite C:\b\c\b\CrWinAsan\src\chrome\test\base\chrome_test_launcher.cc:65
    #46 0x7ff67ef0de7e in content::LaunchTests C:\b\c\b\CrWinAsan\src\content\public\test\test_launcher.cc:625
    #47 0x7ff68e3c4a41 in LaunchChromeTests C:\b\c\b\CrWinAsan\src\chrome\test\base\chrome_test_launcher.cc:170
    #48 0x7ff68e3c3ab9 in main C:\b\c\b\CrWinAsan\src\chrome\test\base\browser_tests_main.cc:36
    #49 0x7ff68e4269bb in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
    #50 0x7ffb37532773 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180012773)
    #51 0x7ffb39340d50 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180070d50)
0x11cdb6d58b68 is located 8 bytes inside of 104-byte region [0x11cdb6d58b60,0x11cdb6d58bc8)
freed by thread T0 here:
    #0 0x7ff68e3ea421 in free c:\b\c\b\crwinasan\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
    #1 0x7ff6816e3515 in ExtensionInstalledBubble::~ExtensionInstalledBubble C:\b\c\b\CrWinAsan\src\chrome\browser\ui\extensions\extension_installed_bubble.cc:201
    #2 0x7ff6812e1126 in BubbleController::~BubbleController C:\b\c\b\CrWinAsan\src\components\bubble\bubble_controller.cc:23
    #3 0x7ff6812e1c49 in BubbleController::~BubbleController C:\b\c\b\CrWinAsan\src\components\bubble\bubble_controller.cc:20
    #4 0x7ff6753d0e94 in std::vector<std::unique_ptr<MockSpellCheckHost,std::default_delete<MockSpellCheckHost> >,std::allocator<std::unique_ptr<MockSpellCheckHost,std::default_delete<MockSpellCheckHost> > > >::_Tidy C:\b\c\win_toolchain\vs_files\3bc0ec615cf20ee342f3bc29bc991b5ad66d8d2c\VC\Tools\MSVC\14.14.26428\include\vector:2014
    #5 0x7ff6812e2a2c in BubbleManager::CloseAllMatchingBubbles C:\b\c\b\CrWinAsan\src\components\bubble\bubble_manager.cc:133
    #6 0x7ff6812e24ed in BubbleManager::CloseBubble C:\b\c\b\CrWinAsan\src\components\bubble\bubble_manager.cc:51
    #7 0x7ff6812e1304 in BubbleController::CloseBubble C:\b\c\b\CrWinAsan\src\components\bubble\bubble_controller.cc:27
    #8 0x7ff685102515 in ExtensionInstalledBubbleUi::OnWidgetClosing C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\extensions\extension_installed_bubble_view.cc:391
    #9 0x7ff67f625617 in views::Widget::CloseNow C:\b\c\b\CrWinAsan\src\ui\views\widget\widget.cc:601
    #10 0x7ff67eb3ac41 in base::debug::TaskAnnotator::RunTask C:\b\c\b\CrWinAsan\src\base\debug\task_annotator.cc:101
    #11 0x7ff67ebb0f9d in base::MessageLoop::RunTask C:\b\c\b\CrWinAsan\src\base\message_loop\message_loop.cc:319
    #12 0x7ff67ebb2387 in base::MessageLoop::DoWork C:\b\c\b\CrWinAsan\src\base\message_loop\message_loop.cc:373
    #13 0x7ff67ebb6c10 in base::MessagePumpForUI::DoRunLoop C:\b\c\b\CrWinAsan\src\base\message_loop\message_pump_win.cc:173
    #14 0x7ff67ebb57b8 in base::MessagePumpWin::Run C:\b\c\b\CrWinAsan\src\base\message_loop\message_pump_win.cc:56
    #15 0x7ff67ec39344 in base::RunLoop::Run C:\b\c\b\CrWinAsan\src\base\run_loop.cc:102
    #16 0x7ff6767274db in TestBrowserDialog::DismissUi C:\b\c\b\CrWinAsan\src\chrome\browser\ui\test\test_browser_dialog.cc:123
    #17 0x7ff6767294ab in TestBrowserUi::ShowAndVerifyUi C:\b\c\b\CrWinAsan\src\chrome\browser\ui\test\test_browser_ui.cc:40
    #18 0x7ff67eead514 in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop C:\b\c\b\CrWinAsan\src\content\public\test\browser_test_base.cc:409
    #19 0x7ff682c34516 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:1996
    #20 0x7ff682c30ea5 in ChromeBrowserMainParts::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:1380
    #21 0x7ff67a399abc in content::BrowserMainLoop::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:961
    #22 0x7ff67b1ceda1 in content::StartupTaskRunner::RunAllTasksNow C:\b\c\b\CrWinAsan\src\content\browser\startup_task_runner.cc:43
    #23 0x7ff67a394e5f in content::BrowserMainLoop::CreateStartupTasks C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:872
    #24 0x7ff67a3a1740 in content::BrowserMainRunnerImpl::Initialize C:\b\c\b\CrWinAsan\src\content\browser\browser_main_runner_impl.cc:148
    #25 0x7ff67a38e2c6 in content::BrowserMain C:\b\c\b\CrWinAsan\src\content\browser\browser_main.cc:47
    #26 0x7ff67e9e0ca0 in content::RunBrowserProcessMain C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:621
    #27 0x7ff67e9e2d1e in content::ContentMainRunnerImpl::Run C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:983
    #28 0x7ff68046f7ea in service_manager::Main C:\b\c\b\CrWinAsan\src\services\service_manager\embedder\main.cc:459
    #29 0x7ff67e9e0996 in content::ContentMain C:\b\c\b\CrWinAsan\src\content\app\content_main.cc:19
previously allocated by thread T0 here:
    #0 0x7ff68e3ea541 in malloc c:\b\c\b\crwinasan\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
    #1 0x7ff68e403292 in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:35
    #2 0x7ff67655e61a in ExtensionInstalledBubbleBrowserTest::MakeBubble C:\b\c\b\CrWinAsan\src\chrome\browser\ui\extensions\extension_installed_bubble_browsertest.cc:83
    #3 0x7ff67655ebb6 in ExtensionInstalledBubbleBrowserTest::ShowUi C:\b\c\b\CrWinAsan\src\chrome\browser\ui\extensions\extension_installed_bubble_browsertest.cc:109
    #4 0x7ff67672924e in TestBrowserUi::ShowAndVerifyUi C:\b\c\b\CrWinAsan\src\chrome\browser\ui\test\test_browser_ui.cc:34
    #5 0x7ff67eead514 in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop C:\b\c\b\CrWinAsan\src\content\public\test\browser_test_base.cc:409
    #6 0x7ff682c34516 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:1996
    #7 0x7ff682c30ea5 in ChromeBrowserMainParts::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:1380
    #8 0x7ff67a399abc in content::BrowserMainLoop::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:961
    #9 0x7ff67b1ceda1 in content::StartupTaskRunner::RunAllTasksNow C:\b\c\b\CrWinAsan\src\content\browser\startup_task_runner.cc:43
    #10 0x7ff67a394e5f in content::BrowserMainLoop::CreateStartupTasks C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:872
    #11 0x7ff67a3a1740 in content::BrowserMainRunnerImpl::Initialize C:\b\c\b\CrWinAsan\src\content\browser\browser_main_runner_impl.cc:148
    #12 0x7ff67a38e2c6 in content::BrowserMain C:\b\c\b\CrWinAsan\src\content\browser\browser_main.cc:47
    #13 0x7ff67e9e0ca0 in content::RunBrowserProcessMain C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:621
    #14 0x7ff67e9e2d1e in content::ContentMainRunnerImpl::Run C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:983
    #15 0x7ff68046f7ea in service_manager::Main C:\b\c\b\CrWinAsan\src\services\service_manager\embedder\main.cc:459
    #16 0x7ff67e9e0996 in content::ContentMain C:\b\c\b\CrWinAsan\src\content\app\content_main.cc:19
    #17 0x7ff67eeac6c3 in content::BrowserTestBase::SetUp C:\b\c\b\CrWinAsan\src\content\public\test\browser_test_base.cc:325
    #18 0x7ff67ed9ee86 in InProcessBrowserTest::SetUp C:\b\c\b\CrWinAsan\src\chrome\test\base\in_process_browser_test.cc:248
    #19 0x7ff677ec6996 in testing::Test::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2487
    #20 0x7ff677ec8582 in testing::TestInfo::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2667
    #21 0x7ff677ec9621 in testing::TestCase::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2785
    #22 0x7ff677ee159d in testing::internal::UnitTestImpl::RunAllTests C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:5047
    #23 0x7ff677ee0ae5 in testing::UnitTest::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:4663
    #24 0x7ff67eddcc29 in base::TestSuite::Run C:\b\c\b\CrWinAsan\src\base\test\test_suite.cc:275
    #25 0x7ff68e3c3c97 in ChromeTestSuiteRunner::RunTestSuite C:\b\c\b\CrWinAsan\src\chrome\test\base\chrome_test_launcher.cc:65
    #26 0x7ff67ef0de7e in content::LaunchTests C:\b\c\b\CrWinAsan\src\content\public\test\test_launcher.cc:625
    #27 0x7ff68e3c4a41 in LaunchChromeTests C:\b\c\b\CrWinAsan\src\chrome\test\base\chrome_test_launcher.cc:170
    #28 0x7ff68e3c3ab9 in main C:\b\c\b\CrWinAsan\src\chrome\test\base\browser_tests_main.cc:36
    #29 0x7ff68e4269bb in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\extensions\extension_installed_bubble_view.cc:219 in ExtensionInstalledBubbleView::GetWindowTitle

Please take a look. We should disable these tests. These tests always fail with Windows ASan, but without ASan, they will be flaky.
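To make the ordering in the report concrete, here is a small C++ model added by the editor; it is not Chromium code and not the reporter's, and the Bubble, BubbleManager and *BubbleView names are hypothetical stand-ins for the types named in the stack frames. It replays the sequence the two stacks show: OnWidgetClosing destroys the bubble first, and the accessibility query for the window title arrives afterwards.

```cpp
#include <memory>
#include <string>

// Constructed model (not Chromium code) of the ordering in the ASan report:
// Widget::CloseNow first runs the view's OnWidgetClosing, which closes and
// destroys the ExtensionInstalledBubble, and only then destroys the HWND,
// whose visibility change makes the accessibility checker call GetWindowTitle.
struct Bubble {  // stands in for ExtensionInstalledBubble
  std::string extension_name;
};
struct BubbleManager {  // owns the bubble, as BubbleController does
  std::unique_ptr<Bubble> bubble;
  void CloseBubble() { bubble.reset(); }  // the free shown in the report
};
// Buggy shape: a raw pointer kept past the close callback.
class UnsafeBubbleView {
 public:
  explicit UnsafeBubbleView(BubbleManager* m) : manager_(m), bubble_(m->bubble.get()) {}
  void OnWidgetClosing() { manager_->CloseBubble(); }  // bubble_ now dangles
  std::string GetWindowTitle() const { return bubble_->extension_name; }  // UAF after close
 private:
  BubbleManager* manager_;
  Bubble* bubble_;
};
// Hardened shape: forget the bubble when triggering the close and answer the
// late accessibility query with an empty title.
class SafeBubbleView {
 public:
  explicit SafeBubbleView(BubbleManager* m) : manager_(m), bubble_(m->bubble.get()) {}
  void OnWidgetClosing() { bubble_ = nullptr; manager_->CloseBubble(); }
  std::string GetWindowTitle() const {
    return bubble_ ? bubble_->extension_name : std::string();
  }
 private:
  BubbleManager* manager_;
  Bubble* bubble_;
};
template <typename View>
std::string TitleWhileOpen() {  // both shapes are fine while the bubble lives
  BubbleManager manager{std::make_unique<Bubble>(Bubble{"Example extension"})};
  View view(&manager);
  return view.GetWindowTitle();
}
// Replays CloseNow: closing callback first, then the late title query from the
// WM_WINDOWPOSCHANGED -> OnNativeWidgetVisibilityChanged path. Instantiated
// with UnsafeBubbleView this reproduces the shape of the reported UAF.
template <typename View>
std::string CloseNowThenQueryTitle() {
  BubbleManager manager{std::make_unique<Bubble>(Bubble{"Example extension"})};
  View view(&manager);
  view.OnWidgetClosing();
  return view.GetWindowTitle();
}
```

Building with -fsanitize=address and calling CloseNowThenQueryTitle<UnsafeBubbleView>() gives a heap-use-after-free report in GetWindowTitle of the same shape as the one above; SafeBubbleView is one illustrative mitigation, not the fix applied in Chromium.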
 
Comment 1 by bugdroid1@chromium.org (Project Member), Jun 20 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/21fbf9f352d4b328f0090527567b27887772ce46

commit 21fbf9f352d4b328f0090527567b27887772ce46
Author: Reid Kleckner <rnk@google.com>
Date: Wed Jun 20 00:47:36 2018

Disable ExtensionInstalledBubbleBrowserTest.InvokeUI_* tests

Windows ASan reports a use-after-free on an ExtensionInstalledBubble
object. While these tests don't fail on other bots, it's likely that
they are flaky elsewhere, so we should disable them until the issue is
resolved.

R=rdevlin.cronin@chromium.org
BUG=854355,844398

Change-Id: I19f5d646022847ab20a9fef54c5917a13153805c
Reviewed-on: https://chromium-review.googlesource.com/1107001
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Commit-Queue: Reid Kleckner <rnk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#568668}
[modify] https://crrev.com/21fbf9f352d4b328f0090527567b27887772ce46/chrome/browser/ui/extensions/extension_installed_bubble_browsertest.cc

Comment 2 by tapted@chromium.org, Jun 20 2018

Components: -Internals>Views Platform>Extensions
Labels: Stability-Memory-AddressSanitizer
-> Extensions for triage.

These are coming from src\chrome\test\views\accessibility_checker.cc

I expect this is a Real bug in release builds for a11y users. If accessibility_checker.cc can access the Widget in this state, then so can Windows a11y tools.

See Issue 624560 and other crashes on GetWindowTitle for bugs that have happened in the wild around this.

Cc: jam@chromium.org
jam@, I wonder if this is the same issue you're targeting in https://chromium-review.googlesource.com/c/chromium/src/+/1093023?

Cc: rdevlin....@chromium.org
Mergedinto: 851854
Status: Duplicate (was: Untriaged)
Seems to be a dupe of issue 851854
