Potential race condition in safe_browsing::ThreatDetails::OnReceivedThreatDOMDetails |
|||
Issue descriptionIn MSAN build 10704 and test case MaybeSetMetadata/SafeBrowsingServiceMetadataTest.MalwareImg/0 of viz_browser_tests, after aplpying my CL https://chromium-review.googlesource.com/c/chromium/src/+/1109964 https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20MSan%20Tests/10704 MSAN finds an uninitialized variable read in #0 0xf0eb789 in safe_browsing::ThreatDetails::OnReceivedThreatDOMDetails(mojo::InterfacePtr<safe_browsing::mojom::ThreatReporter>, content::RenderFrameHost*, std::__1::vector<mojo::StructPtr<safe_browsing::mojom::ThreatDOMDetailsNode>, std::__1::allocator<mojo::StructPtr<safe_browsing::mojom::ThreatDOMDetailsNode> > >) ./../../components/safe_browsing/browser/threat_details.cc:593:41 From the log [1] it looks like the RenderFrameHost object (which is the sender variable in that function) has gone away due to all tabs being closed: Uninitialized value was created by a heap deallocation #0 0x2ad3e29 in operator delete(void*) /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/msan/msan_new_delete.cc:75:44 #1 0xccc81d2 in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2321:5 #2 0xccc81d2 in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2634:0 #3 0xccc81d2 in ~unique_ptr ./../../buildtools/third_party/libc++/trunk/include/memory:2588:0 #4 0xccc81d2 in content::RenderFrameHostManager::~RenderFrameHostManager() ./../../content/browser/frame_host/render_frame_host_manager.cc:96:0 #5 0xcafcc26 in content::FrameTreeNode::~FrameTreeNode() ./../../content/browser/frame_host/frame_tree_node.cc:172:1 #6 0xcaee4fc in content::FrameTree::~FrameTree() ./../../content/browser/frame_host/frame_tree.cc:119:3 #7 0xdb7a20d in content::WebContentsImpl::~WebContentsImpl() ./../../content/browser/web_contents/web_contents_impl.cc:793:1 #8 0xdb7d17c in content::WebContentsImpl::~WebContentsImpl() ./../../content/browser/web_contents/web_contents_impl.cc:688:37 #9 0x20c7cbde in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2321:5 #10 0x20c7cbde in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2634:0 #11 0x20c7cbde in TabStripModel::SendDetachWebContentsNotifications(TabStripModel::DetachNotifications*) ./../../chrome/browser/ui/tabs/tab_strip_model.cc:468:0 #12 0x20c96d02 in TabStripModel::CloseWebContentses(base::span<content::WebContents* const, 18446744073709551615ul>, unsigned int) ./../../chrome/browser/ui/tabs/tab_strip_model.cc:1383:3 #13 0x20c84be1 in TabStripModel::InternalCloseTabs(base::span<content::WebContents* const, 18446744073709551615ul>, unsigned int) ./../../chrome/browser/ui/tabs/tab_strip_model.cc:1296:27 #14 0x20c83a0d in TabStripModel::CloseAllTabs() ./../../chrome/browser/ui/tabs/tab_strip_model.cc:590:3 [1] https://logs.chromium.org/v/?s=chromium%2Fbuildbucket%2Fcr-buildbucket.appspot.com%2F8941906168571925216%2F%2B%2Fsteps%2Fviz_browser_tests%2F0%2Flogs%2FMaybeSetMetadata__x2f_SafeBrowsingServiceMetadataTest.MalwareImg__x2f_0%2F0 I don't think this is a failure that my CL introduced, but rather an existing race condition in this safe browsing test. Also, this test is part of a set of tests #ifdef'ed by: ENABLE_FLAKY_PVER3_TESTS - I am not sure what the history of this #ifdef is. This issue was the trigger for FindIt to report my CL as the culprit, compare issue 860349 .
,
Jul 9
Similarly, in https://findit-for-me.appspot.com/waterfall/flake/flake-culprit?key=ag9zfmZpbmRpdC1mb3ItbWVyQwsSDEZsYWtlQ3VscHJpdCIxY2hyb21pdW0vYWMyNDAwNGUzODMxZThhNjNhODBjOTBjZmZiY2JkZDUyYjM5OGU3Yww this pattern shows for SafeBrowsingServiceTest.SubResourceHitWithMainFrameReferrer MaybeSetMetadata/V4SafeBrowsingServiceMetadataTest.MalwareImg/2 of viz_browser_tests.
,
Jul 9
Disabling those under MSAN in https://chromium-review.googlesource.com/c/chromium/src/+/1128746
,
Jul 20
,
Jul 23
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/302605c6e8274f39e667aa4e5051b9c41b55a3e2 commit 302605c6e8274f39e667aa4e5051b9c41b55a3e2 Author: Daniel Rubery <drubery@chromium.org> Date: Mon Jul 23 18:31:25 2018 Fix race condition in OnReceivedThreatDOMDetails. If the window is closed after GetThreatDOMDetails finishes, but before OnReceivedThreatDOMDetails is run, |sender| is invalid. Instead, we observe FrameDeleted and track which frames are closed. Then we know to skip this RenderFrameHost when GetThreatDOMDetails runs. Bug: 817724, 860445 Change-Id: I2c8ed6c6a160264d91ca9b5a4760e53a7606f487 Reviewed-on: https://chromium-review.googlesource.com/1146997 Reviewed-by: Jialiu Lin <jialiul@chromium.org> Commit-Queue: Daniel Rubery <drubery@chromium.org> Cr-Commit-Position: refs/heads/master@{#577206} [modify] https://crrev.com/302605c6e8274f39e667aa4e5051b9c41b55a3e2/components/safe_browsing/browser/threat_details.cc [modify] https://crrev.com/302605c6e8274f39e667aa4e5051b9c41b55a3e2/components/safe_browsing/browser/threat_details.h
,
Jul 24
Daniel, thanks a lot for addressing this! It might be okay to re-enable the tests then that I disabled?
,
Jul 25
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a30c58ea7443b6895c21c3ade5e9fd3ad0f11d91 commit a30c58ea7443b6895c21c3ade5e9fd3ad0f11d91 Author: Daniel Rubery <drubery@chromium.org> Date: Wed Jul 25 17:27:36 2018 Enable SafeBrowsingServiceMetadataTest.MalwareImg with MSAN This test was disabled with MSAN due to the race condition in OnReceivedThreatDOMDetails. Repeated local runs with MSAN now succeed, so I think it's safe to re-enable. Bug: 860445 Change-Id: I4d01568c79562ac1125c4410dbe2c52c17056c2d Reviewed-on: https://chromium-review.googlesource.com/1149260 Reviewed-by: Jialiu Lin <jialiul@chromium.org> Commit-Queue: Daniel Rubery <drubery@chromium.org> Cr-Commit-Position: refs/heads/master@{#577959} [modify] https://crrev.com/a30c58ea7443b6895c21c3ade5e9fd3ad0f11d91/chrome/browser/safe_browsing/safe_browsing_service_browsertest.cc
,
Aug 7
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/33eecedfb576f3a4fa394c83805590641036bc45 commit 33eecedfb576f3a4fa394c83805590641036bc45 Author: Daniel Rubery <drubery@chromium.org> Date: Tue Aug 07 00:57:18 2018 Observe RenderFrameHostChanged in ThreatDetails to fix race condition RenderFrameHosts can be deleted when a navigation commits, and this does not call FrameDeleted(). This can trigger the same race condition as https://chromium-review.googlesource.com/1146997. If GetThreatDomDetails completes, then the navigation commits (and the old RenderFrameHosts is deleted), then OnReceivedThreatDOMDetails runs, we will crash. Bug: 817724, 860445 Change-Id: Iae81a1c3dc724113d30e17652b75a88bcd7f4de5 Reviewed-on: https://chromium-review.googlesource.com/1162422 Commit-Queue: Daniel Rubery <drubery@chromium.org> Reviewed-by: Varun Khaneja <vakh@chromium.org> Cr-Commit-Position: refs/heads/master@{#581079} [modify] https://crrev.com/33eecedfb576f3a4fa394c83805590641036bc45/components/safe_browsing/browser/threat_details.cc [modify] https://crrev.com/33eecedfb576f3a4fa394c83805590641036bc45/components/safe_browsing/browser/threat_details.h
,
Aug 21
The previous CL landed in 3515, which has been in Dev for a week with no crashes. I think this is fixed.
,
Sep 18
|
|||
►
Sign in to add a comment |
|||
Comment 1 by bugdroid1@chromium.org
, Jul 6