use-after-free in browser_tests PlatformAppBrowserTest.PictureInPicture detected by Windows ASan
Issue description

Example build: https://ci.chromium.org/buildbot/chromium.clang/CrWinAsan/1081

To reproduce, build browser_tests on Windows with is_asan=true in gn args.

Separately, it looks like something is wrong with ASan report symbolization. Normally this comes back with line numbers.

ASan report:

==4328==ERROR: AddressSanitizer: heap-use-after-free on address 0x12574d85bea8 at pc 0x7ff7ae620c79 bp 0x008efc0f8470 sp 0x008efc0f8478
    #0 0x7ff7ae620c78 in views::DesktopNativeWidgetAura::OnHostClosed+0x5ce (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b250c78)
    #1 0x7ff7b6707126 in views::HWNDMessageHandler::OnWndProc+0x35a (C:\b\s\w\ir\out\Release\browser_tests.exe+0x153337126)
    #2 0x7ff7b2b6aebe in base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>+0xe (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14f79aebe)
    #3 0x7ffb133abc4f in CallWindowProcW+0x4cf (C:\Windows\System32\USER32.dll+0x18000bc4f)
    #4 0x7ffb133ab94b in CallWindowProcW+0x1cb (C:\Windows\System32\USER32.dll+0x18000b94b)
    #5 0x7ffb133c4557 in ScrollWindowEx+0x57 (C:\Windows\System32\USER32.dll+0x180024557)
    #6 0x7ffb13b790a3 in KiUserCallbackDispatcher+0x23 (C:\Windows\SYSTEM32\ntdll.dll+0x1800a90a3)
    #7 0x7ffb100923c3 in NtUserDestroyWindow+0x13 (C:\Windows\System32\win32u.dll+0x1800023c3)
    #8 0x7ff7ae6035c3 in views::Widget::CloseNow+0x289 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b2335c3)
    #9 0x7ff7ae631771 in views::Widget::CloseAllSecondaryWidgets+0x65 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b261771)
    #10 0x7ffb133b084d in GetClassLongPtrW+0x39d (C:\Windows\System32\USER32.dll+0x18001084d)
    #11 0x7ffb133b3143 in EnumThreadWindows+0x23 (C:\Windows\System32\USER32.dll+0x180013143)
    #12 0x7ff7b1bbd329 in chrome::HandleAppExitingForPlatform+0x75 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14e7ed329)
    #13 0x7ff7b0489175 in BrowserList::RemoveBrowser+0x567 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d0b9175)
    #14 0x7ff7b0469e79 in Browser::~Browser+0x339 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d099e79)
    #15 0x7ff7b0479bd7 in Browser::`scalar deleting destructor'+0xf (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d0a9bd7)
    #16 0x7ff7b0628baf in BrowserView::~BrowserView+0x885 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d258baf)
    #17 0x7ff7b06398c2 in BrowserView::`vector deleting destructor'+0x16 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d2698c2)
    #18 0x7ff7ae5dce31 in views::View::~View+0x2a7 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b20ce31)
    #19 0x7ff7ae617de3 in views::NonClientView::`scalar deleting destructor'+0xf (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b247de3)
    #20 0x7ff7ae5df282 in views::View::DoRemoveChildView+0x6f2 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b20f282)
    #21 0x7ff7ae5e0765 in views::View::RemoveAllChildViews+0x83 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b210765)
    #22 0x7ff7b286f118 in views::internal::RootView::~RootView+0x190 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14f49f118)
    #23 0x7ff7b41d3a9b in BrowserRootView::`scalar deleting destructor'+0xf (C:\b\s\w\ir\out\Release\browser_tests.exe+0x150e03a9b)
    #24 0x7ff7ae5fd74f in views::Widget::~Widget+0x83 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b22d74f)
    #25 0x7ff7b062328d in BrowserFrame::`scalar deleting destructor'+0xf (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d25328d)
    #26 0x7ff7ae61fffb in views::DesktopNativeWidgetAura::~DesktopNativeWidgetAura+0x161 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b24fffb)
    #27 0x7ff7ba16983b in DesktopBrowserFrameAura::`scalar deleting destructor'+0xf (C:\b\s\w\ir\out\Release\browser_tests.exe+0x156d9983b)
    #28 0x7ff7b6707126 in views::HWNDMessageHandler::OnWndProc+0x35a (C:\b\s\w\ir\out\Release\browser_tests.exe+0x153337126)
    #29 0x7ff7b2b6aebe in base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>+0xe (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14f79aebe)
    #30 0x7ffb133abc4f in CallWindowProcW+0x4cf (C:\Windows\System32\USER32.dll+0x18000bc4f)
    #31 0x7ffb133ab94b in CallWindowProcW+0x1cb (C:\Windows\System32\USER32.dll+0x18000b94b)
    #32 0x7ffb133c4557 in ScrollWindowEx+0x57 (C:\Windows\System32\USER32.dll+0x180024557)
    #33 0x7ffb13b790a3 in KiUserCallbackDispatcher+0x23 (C:\Windows\SYSTEM32\ntdll.dll+0x1800a90a3)
    #34 0x7ffb100923c3 in NtUserDestroyWindow+0x13 (C:\Windows\System32\win32u.dll+0x1800023c3)
    #35 0x7ff7b189e42d in base::debug::TaskAnnotator::RunTask+0x35d (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14e4ce42d)
    #36 0x7ff7ad58e618 in base::MessageLoop::RunTask+0x5f8 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a1be618)
    #37 0x7ff7ad58f9ff in base::MessageLoop::DoWork+0x61f (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a1bf9ff)
    #38 0x7ff7ad594410 in base::MessagePumpForUI::DoRunLoop+0x200 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a1c4410)
    #39 0x7ff7ad5931bb in base::MessagePumpWin::Run+0x19b (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a1c31bb)
    #40 0x7ff7ad61b434 in base::RunLoop::Run+0xa4 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a24b434)
    #41 0x7ff7ad7e9bdd in InProcessBrowserTest::QuitBrowsers+0x2a5 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a419bdd)
    #42 0x7ff7ad7e9827 in InProcessBrowserTest::PostRunTestOnMainThread+0xf3 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a419827)
    #43 0x7ff7adf03acc in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop+0xa98 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14ab33acc)
    #44 0x7ff7b19661fa in ChromeBrowserMainParts::PreMainMessageLoopRunImpl+0x32e2 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14e5961fa)
    #45 0x7ff7b1962abc in ChromeBrowserMainParts::PreMainMessageLoopRun+0x22a (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14e592abc)
    #46 0x7ff7a8bd714c in content::BrowserMainLoop::PreMainMessageLoopRun+0x180 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14580714c)
    #47 0x7ff7a9abf821 in content::StartupTaskRunner::RunAllTasksNow+0x11b (C:\b\s\w\ir\out\Release\browser_tests.exe+0x1466ef821)
    #48 0x7ff7a8bd1f46 in content::BrowserMainLoop::CreateStartupTasks+0x720 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x145801f46)
    #49 0x7ff7a8bdf218 in content::BrowserMainRunnerImpl::Initialize+0x236 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14580f218)
    #50 0x7ff7a8bcb520 in content::BrowserMain+0x214 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x1457fb520)
    #51 0x7ff7ad3ac693 in content::RunBrowserProcessMain+0x193 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x149fdc693)
    #52 0x7ff7ad3ae48a in content::ContentMainRunnerImpl::Run+0x722 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x149fde48a)
    #53 0x7ff7af438335 in service_manager::Main+0xf25 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14c068335)
    #54 0x7ff7ad3ac3e0 in content::ContentMain+0x108 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x149fdc3e0)
    #55 0x7ff7adf02796 in content::BrowserTestBase::SetUp+0x110e (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14ab32796)
    #56 0x7ff7ad7e5b37 in InProcessBrowserTest::SetUp+0x67d (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a415b37)
    #57 0x7ff7a637c07e in testing::Test::Run+0xe6 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x142fac07e)
    #58 0x7ff7a637dc6a in testing::TestInfo::Run+0x306 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x142fadc6a)
    #59 0x7ff7a637ed09 in testing::TestCase::Run+0x417 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x142faed09)
    #60 0x7ff7a6396c91 in testing::internal::UnitTestImpl::RunAllTests+0x899 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x142fc6c91)
    #61 0x7ff7a63961d9 in testing::UnitTest::Run+0x205 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x142fc61d9)
    #62 0x7ff7ad82ac0d in base::TestSuite::Run+0x1c7 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a45ac0d)
    #63 0x7ff7bd658d61 in ChromeTestSuiteRunner::RunTestSuite+0x10b (C:\b\s\w\ir\out\Release\browser_tests.exe+0x15a288d61)
    #64 0x7ff7adf6a0a6 in content::LaunchTests+0x47b (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14ab9a0a6)
    #65 0x7ff7bd659b16 in LaunchChromeTests+0x2dc (C:\b\s\w\ir\out\Release\browser_tests.exe+0x15a289b16)
    #66 0x7ff7bd658b81 in main+0x161 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x15a288b81)
    #67 0x7ff7bd6bd06b in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
    #68 0x7ffb12a62773 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180012773)
    #69 0x7ffb13b40d50 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180070d50)

0x12574d85bea8 is located 104 bytes inside of 408-byte region [0x12574d85be40,0x12574d85bfd8)
freed by thread T0 here:
    #0 0x7ff7bd680b21 in free c:\b\c\b\crwinasan\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
    #1 0x7ff7ae628ec7 in AppWindowDesktopNativeWidgetAuraWin::`scalar deleting destructor'+0x1b (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b258ec7)
    #2 0x7ff7ae5fd7b6 in views::Widget::~Widget+0xea (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b22d7b6)
    #3 0x7ff7b05d9e47 in OverlayWindowViews::`scalar deleting destructor'+0xf (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d209e47)
    #4 0x7ff7a956e33d in content::PictureInPictureWindowControllerImpl::OnWindowDestroyed+0x51 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14619e33d)
    #5 0x7ff7ae620bfc in views::DesktopNativeWidgetAura::OnHostClosed+0x552 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b250bfc)
    #6 0x7ff7b6707126 in views::HWNDMessageHandler::OnWndProc+0x35a (C:\b\s\w\ir\out\Release\browser_tests.exe+0x153337126)
    #7 0x7ff7b2b6aebe in base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>+0xe (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14f79aebe)
    #8 0x7ffb133abc4f in CallWindowProcW+0x4cf (C:\Windows\System32\USER32.dll+0x18000bc4f)
    #9 0x7ffb133ab94b in CallWindowProcW+0x1cb (C:\Windows\System32\USER32.dll+0x18000b94b)
    #10 0x7ffb133c4557 in ScrollWindowEx+0x57 (C:\Windows\System32\USER32.dll+0x180024557)
    #11 0x7ffb13b790a3 in KiUserCallbackDispatcher+0x23 (C:\Windows\SYSTEM32\ntdll.dll+0x1800a90a3)
    #12 0x7ffb100923c3 in NtUserDestroyWindow+0x13 (C:\Windows\System32\win32u.dll+0x1800023c3)
    #13 0x7ff7ae6035c3 in views::Widget::CloseNow+0x289 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b2335c3)
    #14 0x7ff7ae631771 in views::Widget::CloseAllSecondaryWidgets+0x65 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b261771)
    #15 0x7ffb133b084d in GetClassLongPtrW+0x39d (C:\Windows\System32\USER32.dll+0x18001084d)
    #16 0x7ffb133b3143 in EnumThreadWindows+0x23 (C:\Windows\System32\USER32.dll+0x180013143)
    #17 0x7ff7b1bbd329 in chrome::HandleAppExitingForPlatform+0x75 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14e7ed329)
    #18 0x7ff7b0489175 in BrowserList::RemoveBrowser+0x567 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d0b9175)
    #19 0x7ff7b0469e79 in Browser::~Browser+0x339 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d099e79)
    #20 0x7ff7b0479bd7 in Browser::`scalar deleting destructor'+0xf (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d0a9bd7)
    #21 0x7ff7b0628baf in BrowserView::~BrowserView+0x885 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d258baf)
    #22 0x7ff7b06398c2 in BrowserView::`vector deleting destructor'+0x16 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d2698c2)
    #23 0x7ff7ae5dce31 in views::View::~View+0x2a7 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b20ce31)
    #24 0x7ff7ae617de3 in views::NonClientView::`scalar deleting destructor'+0xf (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b247de3)
    #25 0x7ff7ae5df282 in views::View::DoRemoveChildView+0x6f2 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b20f282)
    #26 0x7ff7ae5e0765 in views::View::RemoveAllChildViews+0x83 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b210765)
    #27 0x7ff7b286f118 in views::internal::RootView::~RootView+0x190 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14f49f118)
    #28 0x7ff7b41d3a9b in BrowserRootView::`scalar deleting destructor'+0xf (C:\b\s\w\ir\out\Release\browser_tests.exe+0x150e03a9b)
    #29 0x7ff7ae5fd74f in views::Widget::~Widget+0x83 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b22d74f)

previously allocated by thread T0 here:
    #0 0x7ff7bd680c41 in malloc c:\b\c\b\crwinasan\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
    #1 0x7ff7bd699972 in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:35
    #2 0x7ff7b8f53e01 in CreateNativeWidget+0x75 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x155b83e01)
    #3 0x7ff7b5caa393 in ChromeViewsDelegate::OnBeforeWidgetInit+0xc9 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x1528da393)
    #4 0x7ff7b1958a70 in AccessibilityChecker::OnBeforeWidgetInit+0xc4 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14e588a70)
    #5 0x7ff7ae5fea57 in views::Widget::Init+0x2ab (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b22ea57)
    #6 0x7ff7b05d547b in OverlayWindowViews::OverlayWindowViews+0x54d (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d20547b)
    #7 0x7ff7b05d4f05 in content::OverlayWindow::Create+0x2d (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d204f05)
    #8 0x7ff7ad9140a6 in ChromeContentBrowserClient::CreateWindowForPictureInPicture+0x12 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a5440a6)
    #9 0x7ff7a956db85 in content::PictureInPictureWindowControllerImpl::EnsureWindow+0x13d (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14619db85)
    #10 0x7ff7a956d4fa in content::WebContentsUserData<content::PictureInPictureWindowControllerImpl>::CreateForWebContents+0x1f0 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14619d4fa)
    #11 0x7ff7a956d2e4 in content::PictureInPictureWindowController::GetOrCreateForWebContents+0xc (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14619d2e4)
    #12 0x7ff7a35049f5 in extensions::PlatformAppBrowserTest_PictureInPicture_Test::RunTestOnMainThread+0x2ef (C:\b\s\w\ir\out\Release\browser_tests.exe+0x1401349f5)
    #13 0x7ff7adf036a5 in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop+0x671 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14ab336a5)
    #14 0x7ff7b19661fa in ChromeBrowserMainParts::PreMainMessageLoopRunImpl+0x32e2 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14e5961fa)
    #15 0x7ff7b1962abc in ChromeBrowserMainParts::PreMainMessageLoopRun+0x22a (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14e592abc)
    #16 0x7ff7a8bd714c in content::BrowserMainLoop::PreMainMessageLoopRun+0x180 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14580714c)
    #17 0x7ff7a9abf821 in content::StartupTaskRunner::RunAllTasksNow+0x11b (C:\b\s\w\ir\out\Release\browser_tests.exe+0x1466ef821)
    #18 0x7ff7a8bd1f46 in content::BrowserMainLoop::CreateStartupTasks+0x720 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x145801f46)
    #19 0x7ff7a8bdf218 in content::BrowserMainRunnerImpl::Initialize+0x236 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14580f218)
    #20 0x7ff7a8bcb520 in content::BrowserMain+0x214 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x1457fb520)
    #21 0x7ff7ad3ac693 in content::RunBrowserProcessMain+0x193 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x149fdc693)
    #22 0x7ff7ad3ae48a in content::ContentMainRunnerImpl::Run+0x722 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x149fde48a)
    #23 0x7ff7af438335 in service_manager::Main+0xf25 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14c068335)
    #24 0x7ff7ad3ac3e0 in content::ContentMain+0x108 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x149fdc3e0)
    #25 0x7ff7adf02796 in content::BrowserTestBase::SetUp+0x110e (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14ab32796)
    #26 0x7ff7ad7e5b37 in InProcessBrowserTest::SetUp+0x67d (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14a415b37)
    #27 0x7ff7a637c07e in testing::Test::Run+0xe6 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x142fac07e)
    #28 0x7ff7a637dc6a in testing::TestInfo::Run+0x306 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x142fadc6a)
    #29 0x7ff7a637ed09 in testing::TestCase::Run+0x417 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x142faed09)

SUMMARY: AddressSanitizer: heap-use-after-free (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14b250c78) in views::DesktopNativeWidgetAura::OnHostClosed+0x5ce
Aug 17

Aug 19
We fixed stacks, here's the error stack with line numbers (from https://ci.chromium.org/buildbot/chromium.clang/CrWinAsan/1155):

==3564==ERROR: AddressSanitizer: heap-use-after-free on address 0x12649b45aea8 at pc 0x7ff6754f6223 bp 0x00c2c0758430 sp 0x00c2c0758438
READ of size 4 at 0x12649b45aea8 thread T0
==3564==*** WARNING: Failed to initialize DbgHelp! ***
==3564==*** Most likely this means that the app is already ***
==3564==*** using DbgHelp, possibly with incompatible flags. ***
==3564==*** Due to technical reasons, symbolization might crash ***
==3564==*** or produce wrong results. ***
    #0 0x7ff6754f6222 in views::DesktopNativeWidgetAura::OnHostClosed C:\b\c\b\CrWinAsan\src\ui\views\widget\desktop_aura\desktop_native_widget_aura.cc:325
    #1 0x7ff67d5c779e in views::HWNDMessageHandler::OnWndProc C:\b\c\b\CrWinAsan\src\ui\views\win\hwnd_message_handler.cc:986
    #2 0x7ff679a1bc42 in base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc> C:\b\c\b\CrWinAsan\src\base\win\wrapped_window_proc.h:76
    #3 0x7ffb6580bc4f in CallWindowProcW+0x4cf (C:\Windows\System32\USER32.dll+0x18000bc4f)
    #4 0x7ffb6580b94b in CallWindowProcW+0x1cb (C:\Windows\System32\USER32.dll+0x18000b94b)
    #5 0x7ffb65824557 in ScrollWindowEx+0x57 (C:\Windows\System32\USER32.dll+0x180024557)
    #6 0x7ffb66b390a3 in KiUserCallbackDispatcher+0x23 (C:\Windows\SYSTEM32\ntdll.dll+0x1800a90a3)
    #7 0x7ffb62fb23c3 in NtUserDestroyWindow+0x13 (C:\Windows\System32\win32u.dll+0x1800023c3)
    #8 0x7ff6754d8883 in views::Widget::CloseNow C:\b\c\b\CrWinAsan\src\ui\views\widget\widget.cc:600
    #9 0x7ff675506d53 in views::`anonymous namespace'::WindowCallbackProc C:\b\c\b\CrWinAsan\src\ui\views\widget\native_widget_aura.cc:1063
    #10 0x7ffb6581084d in GetClassLongPtrW+0x39d (C:\Windows\System32\USER32.dll+0x18001084d)
    #11 0x7ffb65813143 in EnumThreadWindows+0x23 (C:\Windows\System32\USER32.dll+0x180013143)
    #12 0x7ff678a873bd in chrome::HandleAppExitingForPlatform C:\b\c\b\CrWinAsan\src\chrome\browser\lifetime\application_lifetime_aura.cc:48
    #13 0x7ff677319491 in BrowserList::RemoveBrowser C:\b\c\b\CrWinAsan\src\chrome\browser\ui\browser_list.cc:125
    #14 0x7ff6772fa537 in Browser::~Browser C:\b\c\b\CrWinAsan\src\chrome\browser\ui\browser.cc:503
    #15 0x7ff67730a227 in Browser::~Browser C:\b\c\b\CrWinAsan\src\chrome\browser\ui\browser.cc:487
    #16 0x7ff6774c03b7 in BrowserView::~BrowserView C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\frame\browser_view.cc:454
    #17 0x7ff6774d10a0 in BrowserView::`vector deleting destructor'+0x16 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d3c10a0)
    #18 0x7ff6754b201d in views::View::~View C:\b\c\b\CrWinAsan\src\ui\views\view.cc:162
    #19 0x7ff6754ed383 in views::NonClientView::~NonClientView C:\b\c\b\CrWinAsan\src\ui\views\window\non_client_view.cc:52
    #20 0x7ff6754b448d in views::View::DoRemoveChildView C:\b\c\b\CrWinAsan\src\ui\views\view.cc:2047
    #21 0x7ff6754b5959 in views::View::RemoveAllChildViews C:\b\c\b\CrWinAsan\src\ui\views\view.cc:300
    #22 0x7ff679720c74 in views::internal::RootView::~RootView C:\b\c\b\CrWinAsan\src\ui\views\widget\root_view.cc:183
    #23 0x7ff67b05583b in BrowserRootView::~BrowserRootView C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\frame\browser_root_view.cc:109
    #24 0x7ff6754d2997 in views::Widget::~Widget C:\b\c\b\CrWinAsan\src\ui\views\widget\widget.cc:182
    #25 0x7ff6774ba579 in BrowserFrame::~BrowserFrame C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\frame\browser_frame.cc:61
    #26 0x7ff6754f55a5 in views::DesktopNativeWidgetAura::~DesktopNativeWidgetAura C:\b\c\b\CrWinAsan\src\ui\views\widget\desktop_aura\desktop_native_widget_aura.cc:258
    #27 0x7ff681097983 in DesktopBrowserFrameAura::~DesktopBrowserFrameAura C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\frame\desktop_browser_frame_aura.cc:39
    #28 0x7ff67d5c779e in views::HWNDMessageHandler::OnWndProc C:\b\c\b\CrWinAsan\src\ui\views\win\hwnd_message_handler.cc:986
    #29 0x7ff679a1bc42 in base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc> C:\b\c\b\CrWinAsan\src\base\win\wrapped_window_proc.h:76
    #30 0x7ffb6580bc4f in CallWindowProcW+0x4cf (C:\Windows\System32\USER32.dll+0x18000bc4f)
    #31 0x7ffb6580b94b in CallWindowProcW+0x1cb (C:\Windows\System32\USER32.dll+0x18000b94b)
    #32 0x7ffb65824557 in ScrollWindowEx+0x57 (C:\Windows\System32\USER32.dll+0x180024557)
    #33 0x7ffb66b390a3 in KiUserCallbackDispatcher+0x23 (C:\Windows\SYSTEM32\ntdll.dll+0x1800a90a3)
    #34 0x7ffb62fb23c3 in NtUserDestroyWindow+0x13 (C:\Windows\System32\win32u.dll+0x1800023c3)
    #35 0x7ff67875163c in base::debug::TaskAnnotator::RunTask C:\b\c\b\CrWinAsan\src\base\debug\task_annotator.cc:101
    #36 0x7ff6744230f8 in base::MessageLoop::RunTask C:\b\c\b\CrWinAsan\src\base\message_loop\message_loop.cc:431
    #37 0x7ff6744244df in base::MessageLoop::DoWork C:\b\c\b\CrWinAsan\src\base\message_loop\message_loop.cc:514
    #38 0x7ff674429330 in base::MessagePumpForUI::DoRunLoop C:\b\c\b\CrWinAsan\src\base\message_loop\message_pump_win.cc:179
    #39 0x7ff674427d1b in base::MessagePumpWin::Run C:\b\c\b\CrWinAsan\src\base\message_loop\message_pump_win.cc:52
    #40 0x7ff6744b0c94 in base::RunLoop::Run C:\b\c\b\CrWinAsan\src\base\run_loop.cc:102
    #41 0x7ff674689c39 in InProcessBrowserTest::QuitBrowsers C:\b\c\b\CrWinAsan\src\chrome\test\base\in_process_browser_test.cc:570
    #42 0x7ff674689883 in InProcessBrowserTest::PostRunTestOnMainThread C:\b\c\b\CrWinAsan\src\chrome\test\base\in_process_browser_test.cc:545
    #43 0x7ff674dc79a0 in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop C:\b\c\b\CrWinAsan\src\content\public\test\browser_test_base.cc:431
    #44 0x7ff6788208d8 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:2000
    #45 0x7ff67881d152 in ChromeBrowserMainParts::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:1384
    #46 0x7ff66f9d0622 in content::BrowserMainLoop::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:1023
    #47 0x7ff6708f2641 in content::StartupTaskRunner::RunAllTasksNow C:\b\c\b\CrWinAsan\src\content\browser\startup_task_runner.cc:43
    #48 0x7ff66f9cb3ca in content::BrowserMainLoop::CreateStartupTasks C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:934
    #49 0x7ff66f9d87cc in content::BrowserMainRunnerImpl::Initialize C:\b\c\b\CrWinAsan\src\content\browser\browser_main_runner_impl.cc:141
    #50 0x7ff66f9c4928 in content::BrowserMain C:\b\c\b\CrWinAsan\src\content\browser\browser_main.cc:43
    #51 0x7ff674238133 in content::RunBrowserProcessMain C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:536
    #52 0x7ff674239f2a in content::ContentMainRunnerImpl::Run C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:888
    #53 0x7ff676302ee5 in service_manager::Main C:\b\c\b\CrWinAsan\src\services\service_manager\embedder\main.cc:472
    #54 0x7ff674237e80 in content::ContentMain C:\b\c\b\CrWinAsan\src\content\app\content_main.cc:19
    #55 0x7ff674dc666a in content::BrowserTestBase::SetUp C:\b\c\b\CrWinAsan\src\content\public\test\browser_test_base.cc:322
    #56 0x7ff674685b59 in InProcessBrowserTest::SetUp C:\b\c\b\CrWinAsan\src\chrome\test\base\in_process_browser_test.cc:251
    #57 0x7ff66d1046de in testing::Test::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2502
    #58 0x7ff66d1062c6 in testing::TestInfo::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2682
    #59 0x7ff66d107365 in testing::TestCase::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2800
    #60 0x7ff66d11f299 in testing::internal::UnitTestImpl::RunAllTests C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:5124
    #61 0x7ff66d11e7e1 in testing::UnitTest::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:4733
    #62 0x7ff6746cb13d in base::TestSuite::Run C:\b\c\b\CrWinAsan\src\base\test\test_suite.cc:277
    #63 0x7ff684612e89 in ChromeTestSuiteRunner::RunTestSuite C:\b\c\b\CrWinAsan\src\chrome\test\base\chrome_test_launcher.cc:65
    #64 0x7ff674e31d9a in content::LaunchTests C:\b\c\b\CrWinAsan\src\content\public\test\test_launcher.cc:645
    #65 0x7ff684613c3e in LaunchChromeTests C:\b\c\b\CrWinAsan\src\chrome\test\base\chrome_test_launcher.cc:170
    #66 0x7ff684612ca9 in main C:\b\c\b\CrWinAsan\src\chrome\test\base\browser_tests_main.cc:36
    #67 0x7ff68467733b in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
    #68 0x7ffb661c2773 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180012773)
    #69 0x7ffb66b00d50 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180070d50)

0x12649b45aea8 is located 104 bytes inside of 408-byte region [0x12649b45ae40,0x12649b45afd8)
freed by thread T0 here:
    #0 0x7ff68463adf1 in free c:\b\c\b\crwinasan\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
    #1 0x7ff6754fe3a1 in views::DesktopNativeWidgetAura::~DesktopNativeWidgetAura C:\b\c\b\CrWinAsan\src\ui\views\widget\desktop_aura\desktop_native_widget_aura.cc:256
    #2 0x7ff6754d29fe in views::Widget::~Widget C:\b\c\b\CrWinAsan\src\ui\views\widget\widget.cc:184
    #3 0x7ff677470af3 in OverlayWindowViews::~OverlayWindowViews C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\overlay\overlay_window_views.cc:160
    #4 0x7ff67038b123 in content::PictureInPictureWindowControllerImpl::OnWindowDestroyed C:\b\c\b\CrWinAsan\src\content\browser\picture_in_picture\picture_in_picture_window_controller_impl.cc:98
    #5 0x7ff6754f61a6 in views::DesktopNativeWidgetAura::OnHostClosed C:\b\c\b\CrWinAsan\src\ui\views\widget\desktop_aura\desktop_native_widget_aura.cc:324
    #6 0x7ff67d5c779e in views::HWNDMessageHandler::OnWndProc C:\b\c\b\CrWinAsan\src\ui\views\win\hwnd_message_handler.cc:986
    #7 0x7ff679a1bc42 in base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc> C:\b\c\b\CrWinAsan\src\base\win\wrapped_window_proc.h:76
    #8 0x7ffb6580bc4f in CallWindowProcW+0x4cf (C:\Windows\System32\USER32.dll+0x18000bc4f)
    #9 0x7ffb6580b94b in CallWindowProcW+0x1cb (C:\Windows\System32\USER32.dll+0x18000b94b)
    #10 0x7ffb65824557 in ScrollWindowEx+0x57 (C:\Windows\System32\USER32.dll+0x180024557)
    #11 0x7ffb66b390a3 in KiUserCallbackDispatcher+0x23 (C:\Windows\SYSTEM32\ntdll.dll+0x1800a90a3)
    #12 0x7ffb62fb23c3 in NtUserDestroyWindow+0x13 (C:\Windows\System32\win32u.dll+0x1800023c3)
    #13 0x7ff6754d8883 in views::Widget::CloseNow C:\b\c\b\CrWinAsan\src\ui\views\widget\widget.cc:600
    #14 0x7ff675506d53 in views::`anonymous namespace'::WindowCallbackProc C:\b\c\b\CrWinAsan\src\ui\views\widget\native_widget_aura.cc:1063
    #15 0x7ffb6581084d in GetClassLongPtrW+0x39d (C:\Windows\System32\USER32.dll+0x18001084d)
    #16 0x7ffb65813143 in EnumThreadWindows+0x23 (C:\Windows\System32\USER32.dll+0x180013143)
    #17 0x7ff678a873bd in chrome::HandleAppExitingForPlatform C:\b\c\b\CrWinAsan\src\chrome\browser\lifetime\application_lifetime_aura.cc:48
    #18 0x7ff677319491 in BrowserList::RemoveBrowser C:\b\c\b\CrWinAsan\src\chrome\browser\ui\browser_list.cc:125
    #19 0x7ff6772fa537 in Browser::~Browser C:\b\c\b\CrWinAsan\src\chrome\browser\ui\browser.cc:503
    #20 0x7ff67730a227 in Browser::~Browser C:\b\c\b\CrWinAsan\src\chrome\browser\ui\browser.cc:487
    #21 0x7ff6774c03b7 in BrowserView::~BrowserView C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\frame\browser_view.cc:454
    #22 0x7ff6774d10a0 in BrowserView::`vector deleting destructor'+0x16 (C:\b\s\w\ir\out\Release\browser_tests.exe+0x14d3c10a0)
    #23 0x7ff6754b201d in views::View::~View C:\b\c\b\CrWinAsan\src\ui\views\view.cc:162
    #24 0x7ff6754ed383 in views::NonClientView::~NonClientView C:\b\c\b\CrWinAsan\src\ui\views\window\non_client_view.cc:52
    #25 0x7ff6754b448d in views::View::DoRemoveChildView C:\b\c\b\CrWinAsan\src\ui\views\view.cc:2047
    #26 0x7ff6754b5959 in views::View::RemoveAllChildViews C:\b\c\b\CrWinAsan\src\ui\views\view.cc:300
    #27 0x7ff679720c74 in views::internal::RootView::~RootView C:\b\c\b\CrWinAsan\src\ui\views\widget\root_view.cc:183
    #28 0x7ff67b05583b in BrowserRootView::~BrowserRootView C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\frame\browser_root_view.cc:109
    #29 0x7ff6754d2997 in views::Widget::~Widget C:\b\c\b\CrWinAsan\src\ui\views\widget\widget.cc:182

previously allocated by thread T0 here:
    #0 0x7ff68463af11 in malloc c:\b\c\b\crwinasan\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
    #1 0x7ff684653c42 in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:35
    #2 0x7ff67fe67fed in CreateNativeWidget C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\native_widget_factory.cc:33
    #3 0x7ff67cb74bdb in ChromeViewsDelegate::OnBeforeWidgetInit C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\chrome_views_delegate.cc:171
    #4 0x7ff67881327f in AccessibilityChecker::OnBeforeWidgetInit C:\b\c\b\CrWinAsan\src\chrome\test\views\accessibility_checker.cc:133
    #5 0x7ff6754d3c9d in views::Widget::Init C:\b\c\b\CrWinAsan\src\ui\views\widget\widget.cc:317
    #6 0x7ff67746a4c2 in OverlayWindowViews::OverlayWindowViews C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\overlay\overlay_window_views.cc:153
    #7 0x7ff677469ec9 in content::OverlayWindow::Create C:\b\c\b\CrWinAsan\src\chrome\browser\ui\views\overlay\overlay_window_views.cc:35
    #8 0x7ff6747b4b18 in ChromeContentBrowserClient::CreateWindowForPictureInPicture C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_content_browser_client.cc:4672
    #9 0x7ff67038a905 in content::PictureInPictureWindowControllerImpl::EnsureWindow C:\b\c\b\CrWinAsan\src\content\browser\picture_in_picture\picture_in_picture_window_controller_impl.cc:220
    #10 0x7ff67038a27a in content::WebContentsUserData<content::PictureInPictureWindowControllerImpl>::CreateForWebContents C:\b\c\b\CrWinAsan\src\content\public\browser\web_contents_user_data.h:36
    #11 0x7ff67038a064 in content::PictureInPictureWindowController::GetOrCreateForWebContents C:\b\c\b\CrWinAsan\src\content\browser\picture_in_picture\picture_in_picture_window_controller_impl.cc:23
    #12 0x7ff66a23ec09 in extensions::PlatformAppBrowserTest_PictureInPicture_Test::RunTestOnMainThread C:\b\c\b\CrWinAsan\src\chrome\browser\apps\platform_apps\app_browsertest.cc:1411
    #13 0x7ff674dc7579 in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop C:\b\c\b\CrWinAsan\src\content\public\test\browser_test_base.cc:406
    #14 0x7ff6788208d8 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:2000
    #15 0x7ff67881d152 in ChromeBrowserMainParts::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\chrome\browser\chrome_browser_main.cc:1384
    #16 0x7ff66f9d0622 in content::BrowserMainLoop::PreMainMessageLoopRun C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:1023
    #17 0x7ff6708f2641 in content::StartupTaskRunner::RunAllTasksNow C:\b\c\b\CrWinAsan\src\content\browser\startup_task_runner.cc:43
    #18 0x7ff66f9cb3ca in content::BrowserMainLoop::CreateStartupTasks C:\b\c\b\CrWinAsan\src\content\browser\browser_main_loop.cc:934
    #19 0x7ff66f9d87cc in content::BrowserMainRunnerImpl::Initialize C:\b\c\b\CrWinAsan\src\content\browser\browser_main_runner_impl.cc:141
    #20 0x7ff66f9c4928 in content::BrowserMain C:\b\c\b\CrWinAsan\src\content\browser\browser_main.cc:43
    #21 0x7ff674238133 in content::RunBrowserProcessMain C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:536
    #22 0x7ff674239f2a in content::ContentMainRunnerImpl::Run C:\b\c\b\CrWinAsan\src\content\app\content_main_runner_impl.cc:888
    #23 0x7ff676302ee5 in service_manager::Main C:\b\c\b\CrWinAsan\src\services\service_manager\embedder\main.cc:472
    #24 0x7ff674237e80 in content::ContentMain C:\b\c\b\CrWinAsan\src\content\app\content_main.cc:19
    #25 0x7ff674dc666a in content::BrowserTestBase::SetUp C:\b\c\b\CrWinAsan\src\content\public\test\browser_test_base.cc:322
    #26 0x7ff674685b59 in InProcessBrowserTest::SetUp C:\b\c\b\CrWinAsan\src\chrome\test\base\in_process_browser_test.cc:251
    #27 0x7ff66d1046de in testing::Test::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2502
    #28 0x7ff66d1062c6 in testing::TestInfo::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2682
    #29 0x7ff66d107365 in testing::TestCase::Run C:\b\c\b\CrWinAsan\src\third_party\googletest\src\googletest\src\gtest.cc:2800

SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\CrWinAsan\src\ui\views\widget\desktop_aura\desktop_native_widget_aura.cc:325 in views::DesktopNativeWidgetAura::OnHostClosed
Shadow bytes around the buggy address:
  0x04892e98b580: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x04892e98b590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04892e98b5a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04892e98b5b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x04892e98b5c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x04892e98b5d0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x04892e98b5e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04892e98b5f0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x04892e98b600: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x04892e98b610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04892e98b620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3564==ABORTING
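The symbolized report above shows the whole bug in two adjacent lines: desktop_native_widget_aura.cc:324 in OnHostClosed notifies the owner, the owner's OnWindowDestroyed destroys the OverlayWindowViews widget, whose destructor frees the DesktopNativeWidgetAura itself (the "freed by" stack), and line 325 then reads a member of the now-freed `this`. The following is an added example, not Chromium code, that models that re-entrant delete with stand-in classes (NativeWidget, PipController and their methods are this example's own names): a live-object registry plays the part of ASan's shadow check so the buggy path is reported rather than executed, and the hardened variant uses a weak-token check modelled on Chromium's WeakPtr idiom with std::weak_ptr, which is one common mitigation and not necessarily what the linked fix CL did.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <set>
#include <utility>

enum class CloseResult { kCompleted, kTouchedFreedObject, kBailedOut };

// Registry of live widgets.  It plays the part ASan's shadow memory plays in
// the report: the example can *report* a touch of freed memory instead of
// executing it, so the program is well-defined either way.
static std::set<const void*>& LiveWidgets() {
  static std::set<const void*> live;
  return live;
}

// Stand-in for DesktopNativeWidgetAura (example name).  Its owner is notified
// from OnHostClosed and, in the sequence ASan caught, deletes the widget from
// inside that notification.
class NativeWidget {
 public:
  explicit NativeWidget(std::function<void()> on_window_destroyed)
      : on_window_destroyed_(std::move(on_window_destroyed)) {
    LiveWidgets().insert(this);
  }
  ~NativeWidget() { LiveWidgets().erase(this); }

  // Shape of the bug (lines 324 then 325 in the report): notify the owner,
  // then keep using members of `this`.
  CloseResult OnHostClosedUnsafe() {
    auto notify = on_window_destroyed_;  // local copy outlives `delete this`
    notify();                            // owner may destroy this widget here
    if (!LiveWidgets().count(this))      // ASan's role: object already freed
      return CloseResult::kTouchedFreedObject;
    ++closed_count_;                     // stands in for the 4-byte read
    return CloseResult::kCompleted;
  }

  // Hardened shape: grab a weak token before notifying and stop if the object
  // died during the callback (Chromium's WeakPtr idiom, modelled here with
  // std::weak_ptr; an assumption, not the page's stated fix).
  CloseResult OnHostClosedSafe() {
    std::weak_ptr<void> alive = alive_;  // copied out before the callback
    auto notify = on_window_destroyed_;
    notify();
    if (alive.expired())                 // `this` is gone: touch nothing
      return CloseResult::kBailedOut;
    ++closed_count_;
    return CloseResult::kCompleted;
  }

  int closed_count() const { return closed_count_; }

 private:
  std::shared_ptr<void> alive_ = std::make_shared<int>(0);  // liveness token
  std::function<void()> on_window_destroyed_;
  int closed_count_ = 0;
};

// Stand-in for PictureInPictureWindowControllerImpl (example name): it owns
// the widget and its OnWindowDestroyed handler frees it, as in frames #1-#4
// of the "freed by thread T0" stack.
struct PipController {
  std::unique_ptr<NativeWidget> widget;
  void OnWindowDestroyed() { widget.reset(); }
};

// Drives one close.  owner_deletes_in_callback=true reproduces the report's
// sequence; false models an owner that leaves the widget alive.
CloseResult SimulateClose(bool hardened, bool owner_deletes_in_callback) {
  PipController owner;
  owner.widget = std::make_unique<NativeWidget>(
      [&owner, owner_deletes_in_callback] {
        if (owner_deletes_in_callback)
          owner.OnWindowDestroyed();
      });
  NativeWidget* widget = owner.widget.get();
  return hardened ? widget->OnHostClosedSafe() : widget->OnHostClosedUnsafe();
}

static const char* Describe(CloseResult r) {
  switch (r) {
    case CloseResult::kCompleted:         return "completed";
    case CloseResult::kTouchedFreedObject: return "touched freed object (UAF)";
    case CloseResult::kBailedOut:         return "bailed out safely";
  }
  return "?";
}

int main() {
  std::printf("unsafe, owner deletes:   %s\n", Describe(SimulateClose(false, true)));
  std::printf("hardened, owner deletes: %s\n", Describe(SimulateClose(true, true)));
  std::printf("unsafe, owner defers:    %s\n", Describe(SimulateClose(false, false)));
  std::printf("hardened, owner defers:  %s\n", Describe(SimulateClose(true, false)));
  return 0;
}
```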
Aug 20
I reverted the CL that added the failing test, so the test also no longer runs. I can either mark this fixed (since browser_tests now runs on win/asan as of https://chromium-review.googlesource.com/1180763), or you can use the bug for re-enabling the test and we can remove the blocking relationship to issue 869973 -- up to you.
Aug 28
I've just merged https://chromium-review.googlesource.com/c/chromium/src/+/1145261, which contains a fix for the ASan crash. Expect https://chromium-review.googlesource.com/c/chromium/src/+/1181124 to reland soon.
Aug 28
I'm going to watch https://ci.chromium.org/buildbot/chromium.clang/CrWinAsan/ to see if that issue is fixed.
Aug 28
There's now https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/win-asan on the main waterfall, and an optional win-asan trybot that mirrors it. So you can send a try job for your patch, and it's better to watch the new bot (it's mostly the same as CrWinAsan, but CrWinAsan uses trunk clang while win-asan uses the pinned clang that almost all bots and devs use).
Aug 28
Much better. Thank you! It looks like https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/win-asan is running smoothly for now.
Aug 29
Marking as fixed as there are no PiP crashes anymore.
Comment 1 by thakis@chromium.org, Aug 17
Owner: fbeaufort@chromium.org
Summary: use-after-free in browser_tests PlatformAppBrowserTest.PictureInPicture detected by Windows ASan (was: use-after-free in PlatformAppBrowserTest.PictureInPicture detected by Windows ASan)