Heap-use-after-free in browser_tests
Issue description
Filed by sheriff-o-matic@appspot.gserviceaccount.com on behalf of yosin@chromium.org

https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/win-asan/1067
https://chromium-swarm.appspot.com/task?id=3f78cfd59ad2b210&refresh=10&show_raw=1

[ RUN      ] NotificationPermissionContextApiTest.Granted
[4416:8172:0821/221638.226:WARNING:discovery_network_list_win.cc(195)] Failed to open Wlan client handle: 1062
[4416:7720:0821/221638.366:WARNING:chrome_browser_main_win.cc(641)] Command line too long for RegisterApplicationRestart: --brave-new-test-launcher --cfi-diag=0 --disable-gpu-process-for-dx12-vulkan-info-collection --gtest_also_run_disabled_tests --gtest_filter=NotificationPermissionContextApiTest.Granted --no-sandbox --single_process --test-launcher-bot-mode --test-launcher-output="C:\b\s\w\itv7q8ro\scoped_dir580_14831\results580_15077\test_results.xml" --test-launcher-summary-output="C:\b\s\w\ioea8zkc\output.json" --user-data-dir="C:\b\s\w\itv7q8ro\scoped_dir580_14831\d580_24049" --disable-offline-auto-reload --disable-renderer-backgrounding --no-first-run --no-default-browser-check --enable-logging=stderr --disable-default-apps --wm-window-animations-disabled --disable-component-update --test-type=browser --force-color-profile=srgb --disable-zero-browsers-open-for-tests --ipc-connection-timeout=90 --allow-file-access-from-files --dom-automation --log-gpu-control-list-decisions --disable-backgrounding-occluded-windows --disable-gl-drawing-for-tests --override-use-software-gl-for-tests --force-color-profile=srgb --disable-compositor-ukm-for-tests --enable-features=TestFeatureForBrowserTest1 --disable-features=NetworkPrediction,SpeculativePreconnect,TestFeatureForBrowserTest2 --disable-gpu-process-for-dx12-vulkan-info-collection --flag-switches-begin --flag-switches-end --file-url-path-alias="/gen=C:\b\s\w\ir\out\Release_x64\gen" --restore-last-session about:blank
[4416:7720:0821/221643.085:INFO:CONSOLE(0)] "[SUCCESS] notificationPermissionDocument", source: chrome-extension://kldmohojikfedoijphndogbggljpgonn/_generated_background_page.html (0)
[4416:7720:0821/221643.101:INFO:CONSOLE(0)] "[SUCCESS] notificationPermissionServiceWorker", source: chrome-extension://kldmohojikfedoijphndogbggljpgonn/_generated_background_page.html (0)
[4416:7720:0821/221643.114:INFO:CONSOLE(0)] "[SUCCESS] pushManagerPermissionStateDocument", source: chrome-extension://kldmohojikfedoijphndogbggljpgonn/_generated_background_page.html (0)
[4416:7720:0821/221643.118:INFO:CONSOLE(0)] "[SUCCESS] pushManagerPermissionStateServiceWorker", source: chrome-extension://kldmohojikfedoijphndogbggljpgonn/_generated_background_page.html (0)
[4416:7720:0821/221643.138:INFO:CONSOLE(0)] "[SUCCESS] permissionsQueryDocument", source: chrome-extension://kldmohojikfedoijphndogbggljpgonn/_generated_background_page.html (0)
[4416:7720:0821/221643.148:INFO:CONSOLE(0)] "[SUCCESS] permissionsQueryServiceWorker", source: chrome-extension://kldmohojikfedoijphndogbggljpgonn/_generated_background_page.html (0)
[4416:7720:0821/221643.237:INFO:CONSOLE(0)] "[SUCCESS] nonPersistentNotification", source: chrome-extension://kldmohojikfedoijphndogbggljpgonn/_generated_background_page.html (0)
[4416:7720:0821/221643.285:INFO:CONSOLE(0)] "[SUCCESS] persistentNotification", source: chrome-extension://kldmohojikfedoijphndogbggljpgonn/_generated_background_page.html (0)
[4416:7720:0821/221643.875:WARNING:pref_notifier_impl.cc(23)] Pref observer found at shutdown.
[4416:7720:0821/221643.875:WARNING:pref_notifier_impl.cc(23)] Pref observer found at shutdown.
[       OK ] NotificationPermissionContextApiTest.Granted (6562 ms)
[----------] 1 test from NotificationPermissionContextApiTest (6564 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (6566 ms total)
[  PASSED  ] 1 test.

=================================================================
==4416==ERROR: AddressSanitizer: heap-use-after-free on address 0x12358e83d530 at pc 0x7ff65aba1c45 bp 0x00a71aafea90 sp 0x00a71aafead8
WRITE of size 4 at 0x12358e83d530 thread T0
==4416==*** WARNING: Failed to initialize DbgHelp!              ***
==4416==*** Most likely this means that the app is already      ***
==4416==*** using DbgHelp, possibly with incompatible flags.    ***
==4416==*** Due to technical reasons, symbolization might crash ***
==4416==*** or produce wrong results.                           ***
    #0 0x7ff65aba1c44 in base::AtomicFlag::Set C:\b\swarming\w\ir\cache\builder\src\base\synchronization\atomic_flag.cc:22
    #1 0x7ff65abaa412 in base::CancelableTaskTracker::TryCancelAll C:\b\swarming\w\ir\cache\builder\src\base\task\cancelable_task_tracker.cc:154
    #2 0x7ff65abaa197 in base::CancelableTaskTracker::~CancelableTaskTracker C:\b\swarming\w\ir\cache\builder\src\base\task\cancelable_task_tracker.cc:64
    #3 0x7ff65efc87f9 in PlatformNotificationServiceImpl::~PlatformNotificationServiceImpl C:\b\swarming\w\ir\cache\builder\src\chrome\browser\notifications\platform_notification_service_impl.cc:117
    #4 0x7ff65efcbe0b in PlatformNotificationServiceImpl::~PlatformNotificationServiceImpl C:\b\swarming\w\ir\cache\builder\src\chrome\browser\notifications\platform_notification_service_impl.cc:117
    #5 0x7ff65efcbe5d in base::Singleton<PlatformNotificationServiceImpl,base::DefaultSingletonTraits<PlatformNotificationServiceImpl>,PlatformNotificationServiceImpl>::OnExit C:\b\swarming\w\ir\cache\builder\src\base\memory\singleton.h:251
    #6 0x7ff65aa31554 in base::AtExitManager::ProcessCallbacksNow C:\b\swarming\w\ir\cache\builder\src\base\at_exit.cc:90
    #7 0x7ff65aa31098 in base::AtExitManager::~AtExitManager C:\b\swarming\w\ir\cache\builder\src\base\at_exit.cc:45
    #8 0x7ff65a8abdf6 in std::unique_ptr<base::AtExitManager,std::default_delete<base::AtExitManager> >::~unique_ptr C:\b\swarming\w\ir\cache\builder\src\third_party\depot_tools\win_toolchain\vs_files\3bc0ec615cf20ee342f3bc29bc991b5ad66d8d2c\VC\Tools\MSVC\14.14.26428\include\memory:2267
    #9 0x7ff66ad01d68 in ChromeTestSuiteRunner::RunTestSuite C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\chrome_test_launcher.cc:65
    #10 0x7ff65b4d7a2b in content::LaunchTests C:\b\swarming\w\ir\cache\builder\src\content\public\test\test_launcher.cc:645
    #11 0x7ff66ad02b0a in LaunchChromeTests C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\chrome_test_launcher.cc:170
    #12 0x7ff66ad01b75 in main C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\browser_tests_main.cc:36
    #13 0x7ff66ad2e54f in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
    #14 0x7ffe16152773 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180012773)
    #15 0x7ffe166a0d50 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180070d50)

0x12358e83d530 is located 0 bytes inside of 4-byte region [0x12358e83d530,0x12358e83d534)
freed by thread T0 here:
    #0 0x7ff65aa08f00 in free C:\b\rr\tmpwi75sb\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
    #1 0x7ff65abadb11 in base::internal::BindState<void (*)(const base::CancellationFlag *, base::OnceCallback<void ()>, base::OnceCallback<void ()>),base::internal::OwnedWrapper<base::CancellationFlag>,base::OnceCallback<void ()>,base::OnceCallback<void ()> >::Destroy C:\b\swarming\w\ir\cache\builder\src\base\bind_internal.h:874
    #2 0x7ff65ee7fa32 in base::`anonymous namespace'::PostTaskAndReplyRelay::~PostTaskAndReplyRelay C:\b\swarming\w\ir\cache\builder\src\base\threading\post_task_and_reply_impl.cc:70
    #3 0x7ff65ee7ff95 in base::internal::BindState<void (*)(base::(anonymous namespace)::PostTaskAndReplyRelay),base::(anonymous namespace)::PostTaskAndReplyRelay>::Destroy C:\b\swarming\w\ir\cache\builder\src\base\bind_internal.h:874
    #4 0x7ff65aacb8f9 in base::MessageLoop::DeletePendingTasks C:\b\swarming\w\ir\cache\builder\src\base\message_loop\message_loop.cc:481
    #5 0x7ff65aacf48b in base::MessageLoop::~MessageLoop C:\b\swarming\w\ir\cache\builder\src\base\message_loop\message_loop.cc:174
    #6 0x7ff65a5d745f in base::MessageLoopForIO::~MessageLoopForIO C:\b\swarming\w\ir\cache\builder\src\base\message_loop\message_loop.h:420
    #7 0x7ff65a8adcf4 in content::ContentMainRunnerImpl::Shutdown C:\b\swarming\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc:909
    #8 0x7ff65c9c7520 in service_manager::Main C:\b\swarming\w\ir\cache\builder\src\services\service_manager\embedder\main.cc:492
    #9 0x7ff65a8ab6a4 in content::ContentMain C:\b\swarming\w\ir\cache\builder\src\content\app\content_main.cc:19
    #10 0x7ff65b46c136 in content::BrowserTestBase::SetUp C:\b\swarming\w\ir\cache\builder\src\content\public\test\browser_test_base.cc:322
    #11 0x7ff65ad2f9d7 in InProcessBrowserTest::SetUp C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\in_process_browser_test.cc:251
    #12 0x7ff65377ed0e in testing::Test::Run C:\b\swarming\w\ir\cache\builder\src\third_party\googletest\src\googletest\src\gtest.cc:2502
    #13 0x7ff6537808fa in testing::TestInfo::Run C:\b\swarming\w\ir\cache\builder\src\third_party\googletest\src\googletest\src\gtest.cc:2682
    #14 0x7ff653781999 in testing::TestCase::Run C:\b\swarming\w\ir\cache\builder\src\third_party\googletest\src\googletest\src\gtest.cc:2800
    #15 0x7ff653799921 in testing::internal::UnitTestImpl::RunAllTests C:\b\swarming\w\ir\cache\builder\src\third_party\googletest\src\googletest\src\gtest.cc:5124
    #16 0x7ff653798e69 in testing::UnitTest::Run C:\b\swarming\w\ir\cache\builder\src\third_party\googletest\src\googletest\src\gtest.cc:4733
    #17 0x7ff65ad75009 in base::TestSuite::Run C:\b\swarming\w\ir\cache\builder\src\base\test\test_suite.cc:277
    #18 0x7ff66ad01d55 in ChromeTestSuiteRunner::RunTestSuite C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\chrome_test_launcher.cc:65
    #19 0x7ff65b4d7a2b in content::LaunchTests C:\b\swarming\w\ir\cache\builder\src\content\public\test\test_launcher.cc:645
    #20 0x7ff66ad02b0a in LaunchChromeTests C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\chrome_test_launcher.cc:170
    #21 0x7ff66ad01b75 in main C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\browser_tests_main.cc:36
    #22 0x7ff66ad2e54f in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
    #23 0x7ffe16152773 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180012773)
    #24 0x7ffe166a0d50 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180070d50)

previously allocated by thread T0 here:
    #0 0x7ff65aa08fd0 in malloc C:\b\rr\tmpwi75sb\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
    #1 0x7ff66ad0ae3a in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:35
    #2 0x7ff65abaab3e in base::CancelableTaskTracker::PostTaskAndReply C:\b\swarming\w\ir\cache\builder\src\base\task\cancelable_task_tracker.cc:87
    #3 0x7ff65ccc33a4 in history::HistoryService::QueryURL C:\b\swarming\w\ir\cache\builder\src\components\history\core\browser\history_service.cc:729
    #4 0x7ff65efcb147 in PlatformNotificationServiceImpl::RecordNotificationUkmEvent C:\b\swarming\w\ir\cache\builder\src\chrome\browser\notifications\platform_notification_service_impl.cc:257
    #5 0x7ff656980769 in base::internal::Invoker<base::internal::BindState<base::RepeatingCallback<void (const content::NotificationDatabaseData &)>,content::NotificationDatabaseData>,void ()>::RunOnce C:\b\swarming\w\ir\cache\builder\src\base\bind_internal.h:658
    #6 0x7ff65ee3883d in base::debug::TaskAnnotator::RunTask C:\b\swarming\w\ir\cache\builder\src\base\debug\task_annotator.cc:101
    #7 0x7ff65aacd0e8 in base::MessageLoop::RunTask C:\b\swarming\w\ir\cache\builder\src\base\message_loop\message_loop.cc:434
    #8 0x7ff65aacdfdf in base::MessageLoop::DoWork C:\b\swarming\w\ir\cache\builder\src\base\message_loop\message_loop.cc:517
    #9 0x7ff65aad2a00 in base::MessagePumpForUI::DoRunLoop C:\b\swarming\w\ir\cache\builder\src\base\message_loop\message_pump_win.cc:179
    #10 0x7ff65aad13cb in base::MessagePumpWin::Run C:\b\swarming\w\ir\cache\builder\src\base\message_loop\message_pump_win.cc:52
    #11 0x7ff65ab5a6b4 in base::RunLoop::Run C:\b\swarming\w\ir\cache\builder\src\base\run_loop.cc:102
    #12 0x7ff65ad33ab7 in InProcessBrowserTest::QuitBrowsers C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\in_process_browser_test.cc:570
    #13 0x7ff65ad33701 in InProcessBrowserTest::PostRunTestOnMainThread C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\in_process_browser_test.cc:545
    #14 0x7ff65b46d47a in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop C:\b\swarming\w\ir\cache\builder\src\content\public\test\browser_test_base.cc:431
    #15 0x7ff65ef07b6a in ChromeBrowserMainParts::PreMainMessageLoopRunImpl C:\b\swarming\w\ir\cache\builder\src\chrome\browser\chrome_browser_main.cc:2000
    #16 0x7ff65ef0442c in ChromeBrowserMainParts::PreMainMessageLoopRun C:\b\swarming\w\ir\cache\builder\src\chrome\browser\chrome_browser_main.cc:1384
    #17 0x7ff65604ae62 in content::BrowserMainLoop::PreMainMessageLoopRun C:\b\swarming\w\ir\cache\builder\src\content\browser\browser_main_loop.cc:1016
    #18 0x7ff656f563e9 in content::StartupTaskRunner::RunAllTasksNow C:\b\swarming\w\ir\cache\builder\src\content\browser\startup_task_runner.cc:43
    #19 0x7ff656045c0a in content::BrowserMainLoop::CreateStartupTasks C:\b\swarming\w\ir\cache\builder\src\content\browser\browser_main_loop.cc:927
    #20 0x7ff656053020 in content::BrowserMainRunnerImpl::Initialize C:\b\swarming\w\ir\cache\builder\src\content\browser\browser_main_runner_impl.cc:141
    #21 0x7ff65603f144 in content::BrowserMain C:\b\swarming\w\ir\cache\builder\src\content\browser\browser_main.cc:43
    #22 0x7ff65a8ab957 in content::RunBrowserProcessMain C:\b\swarming\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc:536
    #23 0x7ff65a8ad74e in content::ContentMainRunnerImpl::Run C:\b\swarming\w\ir\cache\builder\src\content\app\content_main_runner_impl.cc:888
    #24 0x7ff65c9c6e66 in service_manager::Main C:\b\swarming\w\ir\cache\builder\src\services\service_manager\embedder\main.cc:472
    #25 0x7ff65a8ab6a4 in content::ContentMain C:\b\swarming\w\ir\cache\builder\src\content\app\content_main.cc:19
    #26 0x7ff65b46c136 in content::BrowserTestBase::SetUp C:\b\swarming\w\ir\cache\builder\src\content\public\test\browser_test_base.cc:322
    #27 0x7ff65ad2f9d7 in InProcessBrowserTest::SetUp C:\b\swarming\w\ir\cache\builder\src\chrome\test\base\in_process_browser_test.cc:251
    #28 0x7ff65377ed0e in testing::Test::Run C:\b\swarming\w\ir\cache\builder\src\third_party\googletest\src\googletest\src\gtest.cc:2502
    #29 0x7ff6537808fa in testing::TestInfo::Run C:\b\swarming\w\ir\cache\builder\src\third_party\googletest\src\googletest\src\gtest.cc:2682

SUMMARY: AddressSanitizer: heap-use-after-free C:\b\swarming\w\ir\cache\builder\src\base\synchronization\atomic_flag.cc:22 in base::AtomicFlag::Set
Shadow bytes around the buggy address:
  0x047840287a50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x047840287a60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x047840287a70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x047840287a80: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x047840287a90: fa fa 00 fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x047840287aa0: fa fa fd fa fa fa[fd]fa fa fa 00 fa fa fa fd fd
  0x047840287ab0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x047840287ac0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x047840287ad0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x047840287ae0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x047840287af0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4416==ABORTING
[477/905] NotificationPermissionContextApiTest.Granted (16239 ms)
Aug 22
Looks like this happened because the message loop got destroyed prior to our CancelableTaskTracker, and ownership of the flag isn't stored with the CTT. This is a rather unlikely situation, so I guess we can wait until we migrate the PlatformNotificationServiceImpl to be owned by the BrowserContext as opposed to being a singleton?
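Added example (not Chromium code and not part of this bug thread): a minimal model of the ownership mistake the comment above describes, reduced to the two objects that matter. In the report, the flag written by AtomicFlag::Set is owned by the posted task's BindState (the OwnedWrapper<CancellationFlag> in the "freed by" stack), and CancelableTaskTracker keeps only a raw pointer to it; when the MessageLoop that owns the pending tasks is torn down first (ContentMainRunnerImpl::Shutdown), the tracker's destructor later calls TryCancelAll and writes through the dangling pointer. The names RawPointerTracker, SharedFlagTracker, TaskQueue and the LiveFlags registry are assumptions of this model, not Chromium APIs; the registry stands in for ASan's shadow memory so the dangling access is counted instead of executed.

```cpp
// Added example (not Chromium code): model of a cancellation flag owned by the
// pending task while the tracker keeps only a raw pointer, and of the fix
// where the tracker co-owns the flag.
#include <atomic>
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <vector>

// Hypothetical live-object registry standing in for ASan's shadow memory: it
// lets the model detect a dangling pointer deterministically instead of
// performing an actual write into freed memory (undefined behaviour).
static std::set<const void*>& LiveFlags() {
  static std::set<const void*> live;
  return live;
}

struct CancellationFlag {
  std::atomic<bool> cancelled{false};
  CancellationFlag() { LiveFlags().insert(this); }
  ~CancellationFlag() { LiveFlags().erase(this); }
  CancellationFlag(const CancellationFlag&) = delete;
  CancellationFlag& operator=(const CancellationFlag&) = delete;
};

// Models the MessageLoop's pending-task list: each queued task's bound state
// owns its flag. Destroying the loop deletes the tasks and, with them, the
// flags (the DeletePendingTasks frame in the report's "freed by" stack).
struct TaskQueue {
  std::vector<std::shared_ptr<CancellationFlag>> pending;
};

// Buggy shape: the tracker remembers only a raw pointer to each flag.
class RawPointerTracker {
 public:
  int64_t PostTask(TaskQueue& loop) {
    auto flag = std::make_shared<CancellationFlag>();
    flags_[next_id_] = flag.get();        // no ownership retained
    loop.pending.push_back(std::move(flag));
    return next_id_++;
  }
  // Models TryCancelAll(). Returns how many flags were already freed when the
  // tracker went to Set() them; in the real code each one is a UAF write.
  int TryCancelAll() {
    int dangling = 0;
    for (auto& entry : flags_) {
      CancellationFlag* flag = entry.second;
      if (LiveFlags().count(flag)) {
        flag->cancelled = true;            // Set() on a live object: fine
      } else {
        ++dangling;                        // would be the 4-byte write into freed memory
      }
    }
    flags_.clear();
    return dangling;
  }

 private:
  std::map<int64_t, CancellationFlag*> flags_;
  int64_t next_id_ = 1;
};

// Hardened shape: the tracker co-owns each flag, so the loop dying first can
// no longer leave the tracker holding a dangling pointer.
class SharedFlagTracker {
 public:
  int64_t PostTask(TaskQueue& loop) {
    auto flag = std::make_shared<CancellationFlag>();
    flags_[next_id_] = flag;               // shared ownership with the task
    loop.pending.push_back(std::move(flag));
    return next_id_++;
  }
  int TryCancelAll() {
    int dangling = 0;
    for (auto& entry : flags_) {
      if (!LiveFlags().count(entry.second.get())) ++dangling;  // cannot happen
      else entry.second->cancelled = true;
    }
    flags_.clear();                        // last owner releases the flags
    return dangling;
  }

 private:
  std::map<int64_t, std::shared_ptr<CancellationFlag>> flags_;
  int64_t next_id_ = 1;
};

// The report's ordering: the loop is destroyed before the tracker (the
// singleton is torn down by AtExitManager after the loop is already gone).
template <typename Tracker>
int LoopDiesFirst() {
  Tracker tracker;
  {
    TaskQueue loop;
    tracker.PostTask(loop);
    tracker.PostTask(loop);
  }                                        // loop held the only refs: flags freed
  return tracker.TryCancelAll();           // what ~CancelableTaskTracker does
}

// The intended ordering: the tracker cancels while its loop is still alive.
template <typename Tracker>
int TrackerDiesFirst() {
  TaskQueue loop;
  Tracker tracker;
  tracker.PostTask(loop);
  return tracker.TryCancelAll();
}

int main() {
  bool ok = LoopDiesFirst<RawPointerTracker>() == 2 &&
            LoopDiesFirst<SharedFlagTracker>() == 0 &&
            TrackerDiesFirst<RawPointerTracker>() == 0;
  return ok ? 0 : 1;
}
```

The raw-pointer tracker is only safe under the ordering TrackerDiesFirst enforces, which is exactly the ordering a process-wide singleton destroyed from AtExitManager cannot guarantee; moving the service under an object with a bounded lifetime (the BrowserContext, as the comment proposes) restores that ordering, while shared ownership of the flag removes the dependency on ordering altogether.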
Comment 1 by yosin@chromium.org, Aug 22
Owner: peter@chromium.org
Status: Assigned (was: Available)