Issue 882798

Issue metadata

Status: WontFix
Owner:
Closed: Sep 13
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug


ProcessManagementTest.TestForkingBehaviorForUninstalledAndNonAccessibleExtensions failing on mac-cocoa-rel

Project Member Reported by battre@chromium.org, Sep 11

Issue description

ProcessManagementTest.TestForkingBehaviorForUninstalledAndNonAccessibleExtensions fails badly on Mac.

[ RUN      ] ProcessManagementTest.TestForkingBehaviorForUninstalledAndNonAccessibleExtensions
[99968:2819:0910/173100.824024:WARNING:notification_platform_bridge_mac.mm(510)] AlertNotificationService: XPC connection invalidated.
2018-09-10 17:31:00.943 browser_tests[99968:1230436] *** Owner supplied to -[NSTrackingArea initWithRect:options:owner:userInfo:] referenced a deallocating object. Tracking area behavior is undefined. Break on NSTrackingAreaDeallocatingOwnerError to debug.
[99968:775:0910/173101.104702:ERROR:delegated_frame_host.cc(174)] Not implemented reached in void content::DelegatedFrameHost::SetNeedsBeginFrames(bool)
[99968:91143:0910/173101.794877:WARNING:embedded_test_server.cc(238)] Request not handled. Returning 404: /favicon.ico
[99968:775:0910/173101.800972:ERROR:delegated_frame_host.cc(174)] Not implemented reached in void content::DelegatedFrameHost::SetNeedsBeginFrames(bool)
[99968:775:0910/173102.118841:ERROR:delegated_frame_host.cc(174)] Not implemented reached in void content::DelegatedFrameHost::SetNeedsBeginFrames(bool)
browser_tests(99968,0x700013f3c000) malloc: *** error for object 0x7ff048588af8: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
Received signal 6
 [0x0001043edaac]
 [0x0001043ed9c1]
 [0x7fff51e09f5a]
 [0x7ff04d27b190]
 [0x7fff51ba71ae]
 [0x7fff51cb0ad4]
 [0x7fff51ca5616]
 [0x7fff51ca43bf]
 [0x0001043f7e0d]
 [0x0001043f7e0d]
 [0x7fff51ca41bd]
 [0x0001061ce5e9]
 [0x0001060f50b8]
 [0x00010610a871]
 [0x000106124a47]
 [0x000106135f9b]
 [0x00010612f580]
 [0x0001060fe410]
 [0x0001060f2e61]
 [0x0001060f2fae]
 [0x000106657491]
 [0x00010661dcda]
 [0x000104338902]
 [0x00010435603e]
 [0x0001043563a3]
 [0x000104357be9]
 [0x00010437cca5]
 [0x0001043c28c1]
 [0x0001043f7597]
 [0x7fff51e13661]
 [0x7fff51e1350d]
 [0x7fff51e12bf9]
[end of stack trace]
https://logs.chromium.org/logs/chromium/buildbucket/cr-buildbucket.appspot.com/8935725335062430160/+/steps/browser_tests_on__none__GPU_on_Mac/0/logs/ProcessManagementTest.TestForkingBehaviorForUninstalledAndNonAccessibleExtensions/0

According to
https://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=ProcessManagementTest.TestForkingBehaviorForUninstalledAndNonAccessibleExtensions

This fails in about 80% on mac-cocoa-rel but is fine on all other mac builders.

http://dev.chromium.org/developers/coding-style/cocoa-dos-and-donts points to http://crbug.com/48709, therefore assigning to rsesek.

The first flake happened here:
https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/mac-cocoa-rel/1060, which ended at commit position 586563
 
Cc: rsesek@chromium.org orinj@chromium.org
Owner: ccameron@chromium.org
Assigning to ccameron@chromium.org as his CL looks most suspicious to me (somebody who has not written a line of cocoa code ;-))

+orinj@chromium.org - maybe related to https://chromium-review.googlesource.com/1186130
+ccameron@chromium.org - maybe related to https://chromium-review.googlesource.com/1188065
The NSTrackingArea message is not relevant (c.f. issue 815291).

What does seem relevant is this:

browser_tests(99968,0x700013f3c000) malloc: *** error for object 0x7ff048588af8: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug

The test or the code under test likely has a use-after-free.
I reproed this under ASAN.

==26737==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000193541 at pc 0x0001349e6cbc bp 0x7ffee3b9eff0 sp 0x7ffee3b9efe8
WRITE of size 1 at 0x615000193541 thread T0
    #0 0x1349e6cbb in viz::HostFrameSinkManager::InvalidateFrameSinkId(viz::FrameSinkId const&) host_frame_sink_manager.cc:91
    #1 0x1351382a1 in ui::Compositor::~Compositor() compositor.cc:254
    #2 0x1351a66c4 in ui::RecyclableCompositorMac::~RecyclableCompositorMac() recyclable_compositor_mac.cc:59
    #3 0x1351a7475 in ui::RecyclableCompositorMacFactory::RecycleCompositor(std::__1::unique_ptr<ui::RecyclableCompositorMac, std::__1::default_delete<ui::RecyclableCompositorMac> >) memory:2321
    #4 0x12f9d72f0 in content::BrowserCompositorMac::TransitionToState(content::BrowserCompositorMac::State) browser_compositor_view_mac.mm:319
    #5 0x12f6f6be7 in content::WebContentsImpl::WasHidden() web_contents_impl.cc:1643
    #6 0x7fff443bf345 in -[NSView _setWindow:] (AppKit:x86_64+0x24345)
    #7 0x7fff46e5229e in -[__NSArrayM enumerateObjectsWithOptions:usingBlock:] (CoreFoundation:x86_64+0x8829e)
    #8 0x7fff44c851ac in __21-[NSView _setWindow:]_block_invoke.604 (AppKit:x86_64+0x8ea1ac)
    #9 0x7fff443bf296 in -[NSView _setWindow:] (AppKit:x86_64+0x24296)
    #10 0x7fff443c17ae in -[NSView removeFromSuperview] (AppKit:x86_64+0x267ae)
Still waiting for the following processes to finish:
	out/rel-asan/browser_tests --disable-features=ViewsBrowserWindows --disable-gpu-process-for-dx12-vulkan-info-collection --gtest_also_run_disabled_tests --gtest_filter=ProcessManagementTest.TestForkingBehaviorForUninstalledAndNonAccessibleExtensions --single_process --test-launcher-output=/var/folders/yd/p_tdv3gs24904_gjb44140tc003h8w/T/.org.chromium.Chromium.iEMC69/resultsEDT6uv/test_results.xml --user-data-dir=/var/folders/yd/p_tdv3gs24904_gjb44140tc003h8w/T/.org.chromium.Chromium.iEMC69/d3lzLYZ
    #11 0x116834714 in -[TabStripControllerCocoa swapInTabAtIndex:] tab_strip_controller.mm:621
    #12 0x11683d639 in -[TabStripControllerCocoa activateTabWithContents:previousContents:atIndex:reason:] tab_strip_controller.mm:1383
    #13 0x1162cc9f7 in TabStripModel::NotifyIfActiveTabChanged(TabStripSelectionChange const&) tab_strip_model.cc:1481
    #14 0x1162cba30 in TabStripModel::SendDetachWebContentsNotifications(TabStripModel::DetachNotifications*) tab_strip_model.cc:533
    #15 0x1162db0dc in TabStripModel::CloseWebContentses(base::span<content::WebContents* const, 18446744073709551615ul>, unsigned int) tab_strip_model.cc:1456
    #16 0x1162d0449 in TabStripModel::InternalCloseTabs(base::span<content::WebContents* const, 18446744073709551615ul>, unsigned int) tab_strip_model.cc:1369
    #17 0x1162d0a56 in TabStripModel::CloseWebContentsAt(int, unsigned int) tab_strip_model.cc:664
    #18 0x1161e2d26 in chrome::CloseWebContents(Browser*, content::WebContents*, bool) browser_tabstrip.cc:80
    #19 0x12f22a39c in bool IPC::MessageT<ViewHostMsg_Close_Meta, std::__1::tuple<>, void>::Dispatch<content::RenderViewHostImpl, content::RenderViewHostImpl, void, void (content::RenderViewHostImpl::*)()>(IPC::Message const*, content::RenderViewHostImpl*, content::RenderViewHostImpl*, void*, void (content::RenderViewHostImpl::*)()) tuple.h:52
    #20 0x12f228577 in content::RenderViewHostImpl::OnMessageReceived(IPC::Message const&) render_view_host_impl.cc:783
    #21 0x12f23f45f in content::RenderWidgetHostImpl::OnMessageReceived(IPC::Message const&) render_widget_host_impl.cc:631
    #22 0x12f1c1edd in content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const&) render_process_host_impl.cc:3310
    #23 0x1281c9c20 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ipc_channel_proxy.cc:320
    #24 0x1281d194b in base::internal::Invoker<base::internal::BindState<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message>, void ()>::Run(base::internal::BindStateBase*) bind_internal.h:516
    #25 0x11eff7507 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) callback.h:99
    #26 0x11f09de00 in base::MessageLoop::RunTask(base::PendingTask*) message_loop.cc:434
    #27 0x11f09ec30 in base::MessageLoop::DoWork() message_loop.cc:445
    #28 0x11f0af0dc in base::MessagePumpCFRunLoopBase::RunWork() message_pump_mac.mm:455
    #29 0x11f058db9 in base::mac::CallWithEHFrame(void () block_pointer) (libbase.dylib:x86_64+0xafdb9)
    #30 0x11f0ad5f5 in base::MessagePumpCFRunLoopBase::RunWorkSource(void*) message_pump_mac.mm:431
    #31 0x7fff46e69d30 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (CoreFoundation:x86_64+0x9fd30)
    #32 0x7fff46f2160b in __CFRunLoopDoSource0 (CoreFoundation:x86_64+0x15760b)
    #33 0x7fff46e4ccdf in __CFRunLoopDoSources0 (CoreFoundation:x86_64+0x82cdf)
    #34 0x7fff46e4c15c in __CFRunLoopRun (CoreFoundation:x86_64+0x8215c)
    #35 0x7fff46e4b9b6 in CFRunLoopRunSpecific (CoreFoundation:x86_64+0x819b6)
    #36 0x7fff4612bd95 in RunCurrentEventLoopInMode (HIToolbox:x86_64+0x2fd95)
    #37 0x7fff4612bb05 in ReceiveNextEventCommon (HIToolbox:x86_64+0x2fb05)
    #38 0x7fff4612b883 in _BlockUntilNextEventMatchingListInModeWithFilter (HIToolbox:x86_64+0x2f883)
    #39 0x7fff443dca72 in _DPSNextEvent (AppKit:x86_64+0x41a72)
    #40 0x7fff44b72e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (AppKit:x86_64+0x7d7e33)
    #41 0x111c52e00 in __71-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke chrome_browser_application_mac.mm:242
    #42 0x11f058db9 in base::mac::CallWithEHFrame(void () block_pointer) (libbase.dylib:x86_64+0xafdb9)
    #43 0x111c529b1 in -[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:] chrome_browser_application_mac.mm:241
    #44 0x7fff443d1884 in -[NSApplication run] (AppKit:x86_64+0x36884)
    #45 0x11f0b2595 in base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) message_pump_mac.mm:808
    #46 0x11f0ac3b5 in base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) message_pump_mac.mm:184
    #47 0x11f09cde5 in base::MessageLoop::Run(bool) message_loop.cc:386
    #48 0x11f15c99c in base::RunLoop::Run() run_loop.cc:102
    #49 0x1131b9234 in content::DOMMessageQueue::WaitForMessage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*) browser_test_utils.cc:2118
    #50 0x1131ae745 in content::(anonymous namespace)::ExecuteScriptHelper(content::RenderFrameHost*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, bool, int, std::__1::unique_ptr<base::Value, std::__1::default_delete<base::Value> >*) browser_test_utils.cc:193
    #51 0x1131ad7e1 in content::(anonymous namespace)::ExecuteScriptWithUserGestureControl(content::RenderFrameHost*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, bool) browser_test_utils.cc:231
    #52 0x10f54b3f3 in extensions::ProcessManagementTest_TestForkingBehaviorForUninstalledAndNonAccessibleExtensions_Test::RunTestOnMainThread()::$_0::operator()(GURL const&) const process_management_browsertest.cc:598
    #53 0x10f54a801 in extensions::ProcessManagementTest_TestForkingBehaviorForUninstalledAndNonAccessibleExtensions_Test::RunTestOnMainThread() process_management_browsertest.cc:613
    #54 0x11319cc77 in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop() browser_test_base.cc:415
    #55 0x111c66b50 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() callback.h:129
    #56 0x111c63bfd in ChromeBrowserMainParts::PreMainMessageLoopRun() chrome_browser_main.cc:1402
    #57 0x12e393942 in content::BrowserMainLoop::PreMainMessageLoopRun() browser_main_loop.cc:1022
    #58 0x12f657f7e in content::StartupTaskRunner::RunAllTasksNow() callback.h:129
    #59 0x12e38ef0c in content::BrowserMainLoop::CreateStartupTasks() browser_main_loop.cc:933
    #60 0x12e39c16b in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) browser_main_runner_impl.cc:140
    #61 0x12e387a0b in content::BrowserMain(content::MainFunctionParams const&) browser_main.cc:43
    #62 0x130a86e17 in content::ContentMainRunnerImpl::Run(bool) content_main_runner_impl.cc:537
    #63 0x12b34814d in service_manager::Main(service_manager::MainParams const&) main.cc:472
    #64 0x130a8455f in content::ContentMain(content::ContentMainParams const&) content_main.cc:19
    #65 0x11319b7fd in content::BrowserTestBase::SetUp() browser_test_base.cc:327
    #66 0x111ab7c9c in InProcessBrowserTest::SetUp() in_process_browser_test.cc:250
    #67 0x110391e34 in testing::Test::Run() gtest.cc
    #68 0x110394295 in testing::TestInfo::Run() gtest.cc:2698
    #69 0x110395726 in testing::TestCase::Run() gtest.cc:2816
    #70 0x1103bd416 in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:5182
    #71 0x1103bc866 in testing::UnitTest::Run() gtest.cc:4791
    #72 0x111afb846 in base::TestSuite::Run() test_suite.cc:295
    #73 0x111a1c04a in ChromeTestSuiteRunner::RunTestSuite(int, char**) chrome_test_launcher.cc:71
    #74 0x11323da51 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) test_launcher.cc:645
    #75 0x111a1cdc2 in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) chrome_test_launcher.cc:182
    #76 0x111a1be7c in main browser_tests_main.cc:36
    #77 0x7fff6ed25014 in start (libdyld.dylib:x86_64+0x1014)

0x615000193541 is located 65 bytes inside of 480-byte region [0x615000193500,0x6150001936e0)
freed by thread T0 here:
    #0 0x144bc5d62  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x66d62)
    #1 0x1349f0a22 in std::__1::__wrap_iter<std::__1::pair<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData>*> std::__1::vector<std::__1::pair<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData>, std::__1::allocator<std::__1::pair<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData> > >::emplace<viz::FrameSinkId const&, viz::HostFrameSinkManager::FrameSinkData>(std::__1::__wrap_iter<std::__1::pair<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData> const*>, viz::FrameSinkId const&&&, viz::HostFrameSinkManager::FrameSinkData&&) vector:1873
    #2 0x1349e6202 in base::flat_map<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData, std::__1::less<void> >::operator[](viz::FrameSinkId const&) flat_map.h:292
    #3 0x1349e5ce5 in viz::HostFrameSinkManager::RegisterFrameSinkId(viz::FrameSinkId const&, viz::HostFrameSinkClient*) host_frame_sink_manager.cc:68
    #4 0x12f9dc4e6 in content::DelegatedFrameHost::DelegatedFrameHost(viz::FrameSinkId const&, content::DelegatedFrameHostClient*, bool) delegated_frame_host.cc:53
    #5 0x12f9d5923 in content::BrowserCompositorMac::BrowserCompositorMac(ui::AcceleratedWidgetMacNSView*, content::BrowserCompositorMacClient*, bool, display::Display const&, viz::FrameSinkId const&) browser_compositor_view_mac.mm:62
    #6 0x12f2acdbd in content::RenderWidgetHostViewMac::RenderWidgetHostViewMac(content::RenderWidgetHost*, bool) render_widget_host_view_mac.mm:172
    #7 0x12f75534b in content::WebContentsViewMac::CreateViewForWidget(content::RenderWidgetHost*, bool) web_contents_view_mac.mm:364
    #8 0x12f705275 in content::WebContentsImpl::CreateNewWindow(content::RenderFrameHost*, int, int, int, content::mojom::CreateNewWindowParams const&, content::SessionStorageNamespace*) web_contents_impl.cc:2683
    #9 0x12ea1317a in content::RenderFrameHostImpl::CreateNewWindow(mojo::StructPtr<content::mojom::CreateNewWindowParams>, base::OnceCallback<void (content::mojom::CreateNewWindowStatus, mojo::StructPtr<content::mojom::CreateNewWindowReply>)>) render_frame_host_impl.cc:3255
    #10 0x12d579142 in content::mojom::FrameHostStubDispatch::AcceptWithResponder(content::mojom::FrameHost*, mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) frame.mojom.cc:3761
    #11 0x12ea44950 in content::mojom::FrameHostStub<mojo::RawPtrImplRefTraits<content::mojom::FrameHost> >::AcceptWithResponder(mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) frame.mojom.h:874
    #12 0x12738ac9b in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) interface_endpoint_client.cc:398
    #13 0x127389240 in mojo::FilterChain::Accept(mojo::Message*) filter_chain.cc:40
    #14 0x12738e9ab in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) interface_endpoint_client.cc:306
    #15 0x1281f853c in IPC::(anonymous namespace)::ChannelAssociatedGroupController::Endpoint::OnSyncMessageEventReady() ipc_mojo_bootstrap.cc:553
    #16 0x1273bc34c in mojo::SequenceLocalSyncEventWatcher::SequenceLocalState::OnEventSignaled() callback.h:129
    #17 0x1273c5dfb in mojo::SyncHandleRegistry::Wait(bool const**, unsigned long) callback.h:129
    #18 0x1273c1f10 in mojo::SyncEventWatcher::SyncWatch(bool const**, unsigned long) sync_event_watcher.cc:51
    #19 0x1273bce8a in mojo::SequenceLocalSyncEventWatcher::SyncWatch(bool const*) sequence_local_sync_event_watcher.cc:161
    #20 0x1273a9055 in mojo::internal::MultiplexRouter::InterfaceEndpoint::SyncWatch(bool const*) multiplex_router.cc:146
    #21 0x12738df5b in mojo::InterfaceEndpointClient::AcceptWithResponder(mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiver, std::__1::default_delete<mojo::MessageReceiver> >) interface_endpoint_client.cc:285
    #22 0x134a21ca5 in viz::mojom::FrameSinkManagerProxy::DestroyCompositorFrameSink(viz::FrameSinkId const&) frame_sink_manager.mojom.cc:442
    #23 0x1349e676a in viz::HostFrameSinkManager::InvalidateFrameSinkId(viz::FrameSinkId const&) host_frame_sink_manager.cc:87
    #24 0x1351382a1 in ui::Compositor::~Compositor() compositor.cc:254
    #25 0x1351a66c4 in ui::RecyclableCompositorMac::~RecyclableCompositorMac() recyclable_compositor_mac.cc:59
    #26 0x1351a7475 in ui::RecyclableCompositorMacFactory::RecycleCompositor(std::__1::unique_ptr<ui::RecyclableCompositorMac, std::__1::default_delete<ui::RecyclableCompositorMac> >) memory:2321
    #27 0x12f9d72f0 in content::BrowserCompositorMac::TransitionToState(content::BrowserCompositorMac::State) browser_compositor_view_mac.mm:319
    #28 0x12f6f6be7 in content::WebContentsImpl::WasHidden() web_contents_impl.cc:1643
    #29 0x7fff443bf345 in -[NSView _setWindow:] (AppKit:x86_64+0x24345)

previously allocated by thread T0 here:
    #0 0x144bc5762  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x66762)
    #1 0x1349f0455 in std::__1::__wrap_iter<std::__1::pair<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData>*> std::__1::vector<std::__1::pair<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData>, std::__1::allocator<std::__1::pair<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData> > >::emplace<viz::FrameSinkId const&, viz::HostFrameSinkManager::FrameSinkData>(std::__1::__wrap_iter<std::__1::pair<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData> const*>, viz::FrameSinkId const&&&, viz::HostFrameSinkManager::FrameSinkData&&) __split_buffer:311
    #2 0x1349e6202 in base::flat_map<viz::FrameSinkId, viz::HostFrameSinkManager::FrameSinkData, std::__1::less<void> >::operator[](viz::FrameSinkId const&) flat_map.h:292
    #3 0x1349e5ce5 in viz::HostFrameSinkManager::RegisterFrameSinkId(viz::FrameSinkId const&, viz::HostFrameSinkClient*) host_frame_sink_manager.cc:68
    #4 0x12f9dc4e6 in content::DelegatedFrameHost::DelegatedFrameHost(viz::FrameSinkId const&, content::DelegatedFrameHostClient*, bool) delegated_frame_host.cc:53
    #5 0x12f9d5923 in content::BrowserCompositorMac::BrowserCompositorMac(ui::AcceleratedWidgetMacNSView*, content::BrowserCompositorMacClient*, bool, display::Display const&, viz::FrameSinkId const&) browser_compositor_view_mac.mm:62
    #6 0x12f2acdbd in content::RenderWidgetHostViewMac::RenderWidgetHostViewMac(content::RenderWidgetHost*, bool) render_widget_host_view_mac.mm:172
    #7 0x12f75534b in content::WebContentsViewMac::CreateViewForWidget(content::RenderWidgetHost*, bool) web_contents_view_mac.mm:364
    #8 0x12f705275 in content::WebContentsImpl::CreateNewWindow(content::RenderFrameHost*, int, int, int, content::mojom::CreateNewWindowParams const&, content::SessionStorageNamespace*) web_contents_impl.cc:2683
    #9 0x12ea1317a in content::RenderFrameHostImpl::CreateNewWindow(mojo::StructPtr<content::mojom::CreateNewWindowParams>, base::OnceCallback<void (content::mojom::CreateNewWindowStatus, mojo::StructPtr<content::mojom::CreateNewWindowReply>)>) render_frame_host_impl.cc:3255
    #10 0x12d579142 in content::mojom::FrameHostStubDispatch::AcceptWithResponder(content::mojom::FrameHost*, mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) frame.mojom.cc:3761
    #11 0x12ea44950 in content::mojom::FrameHostStub<mojo::RawPtrImplRefTraits<content::mojom::FrameHost> >::AcceptWithResponder(mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) frame.mojom.h:874
    #12 0x12738ac9b in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) interface_endpoint_client.cc:398
    #13 0x127389240 in mojo::FilterChain::Accept(mojo::Message*) filter_chain.cc:40
    #14 0x12738e9ab in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) interface_endpoint_client.cc:306
    #15 0x1281fd8a7 in IPC::(anonymous namespace)::ChannelAssociatedGroupController::AcceptSyncMessage(unsigned int, unsigned int) ipc_mojo_bootstrap.cc:896
    #16 0x1281ff12d in base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(unsigned int, unsigned int), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, unsigned int, unsigned int>, void ()>::Run(base::internal::BindStateBase*) bind_internal.h:516
    #17 0x11eff7507 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) callback.h:99
    #18 0x11f09de00 in base::MessageLoop::RunTask(base::PendingTask*) message_loop.cc:434
    #19 0x11f09ec30 in base::MessageLoop::DoWork() message_loop.cc:445
    #20 0x11f0af0dc in base::MessagePumpCFRunLoopBase::RunWork() message_pump_mac.mm:455
    #21 0x11f058db9 in base::mac::CallWithEHFrame(void () block_pointer) (libbase.dylib:x86_64+0xafdb9)
    #22 0x11f0ad5f5 in base::MessagePumpCFRunLoopBase::RunWorkSource(void*) message_pump_mac.mm:431
    #23 0x7fff46e69d30 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (CoreFoundation:x86_64+0x9fd30)
    #24 0x7fff46f2160b in __CFRunLoopDoSource0 (CoreFoundation:x86_64+0x15760b)
    #25 0x7fff46e4ccdf in __CFRunLoopDoSources0 (CoreFoundation:x86_64+0x82cdf)
    #26 0x7fff46e4c15c in __CFRunLoopRun (CoreFoundation:x86_64+0x8215c)
    #27 0x7fff46e4b9b6 in CFRunLoopRunSpecific (CoreFoundation:x86_64+0x819b6)
    #28 0x7fff4612bd95 in RunCurrentEventLoopInMode (HIToolbox:x86_64+0x2fd95)
    #29 0x7fff4612bb05 in ReceiveNextEventCommon (HIToolbox:x86_64+0x2fb05)

Cc: ellyjo...@chromium.org
Components: Internals>Services>Viz
Owner: kylec...@chromium.org
I can't figure out from the stack traces what the bug is but I do not *think* this is a test-specific bug.

kylechar@, can you take a look?
Cc: ccameron@chromium.org
This is a bit strange. The UAF is at [1] when accessing |data|. When we initialize |data| it uses the flat_map::operator[] which ensures the entry exists. The free for |data| happens at [2], which I believe would mean a new entry is inserted into |frame_sink_data_map_| between [3] and [1] and the underlying vector had to be resized. That's not supposed to happen: the two function calls between [1] and [3] are IPCs with no side effects. The free also happened on the same thread so that's not the issue. There is a sync IPC in the middle there, which blocks the current task runner until a response has been received, but nothing else should run on the UI thread while it's blocked.

I know mac has a second task runner used on the UI thread, for high priority compositing tasks, I'm wondering if it's possible that task runner started to run while the main task runner was blocked on the sync IPC? If HostFrameSinkManager::RegisterFrameSinkId() was called on the other task runner, it could invalidate |data| and cause the error we see here. It would all happen on the same thread too. Can the other task runner interrupt mid task?

[1] https://cs.chromium.org/chromium/src/components/viz/host/host_frame_sink_manager.cc?l=91&rcl=b9a41a63d0677b05f4d46257b3f659ee39a721e3
[2] https://cs.chromium.org/chromium/src/components/viz/host/host_frame_sink_manager.cc?l=68&rcl=b9a41a63d0677b05f4d46257b3f659ee39a721e3
[3] https://cs.chromium.org/chromium/src/components/viz/host/host_frame_sink_manager.cc?l=79&rcl=b9a41a63d0677b05f4d46257b3f659ee39a721e3
This repros reliably for me locally - is there a CHECK I can add somewhere to detect that scenario?
You could put a LOG(ERROR) at the start and end of HostFrameSinkManager::RegisterFrameSinkId() and HostFrameSinkManager::InvalidateFrameSinkId(). You could check if this order occurs:
InvalidateFrameSinkId() start
RegisterFrameSinkId() start
RegisterFrameSinkId() end
InvalidateFrameSinkId() end (or crash before here)

Also you could try looking up FrameSinkData& in the map again between lines 90 and 91, and not using the original |data| after that, which would confirm at least what the issue is.
Oh also, could this have to do with --disable-features=ViewsBrowserWindows being passed into the test? Both ViewsBrowserWindows and VizDisplayCompositor features are enabled by fieldtrial_testing_config.json. I thought that VizDisplayCompositor required ViewsBrowserWindows to work correctly, so that could be causing the issue? ccameron would know more here.
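The hazard described in #6 (a reference returned by flat_map::operator[] held across a blocking sync IPC) and the re-lookup fix suggested in #7 can be reproduced in isolation. The following is an added example and is not Chromium code: FlatMap is a reduced stand-in for base::flat_map (a sorted std::vector of pairs, so any insertion may reallocate or shift entries), HostFrameSinkManager is a reduced model with only the two methods under discussion, and the SyncIpc hook is an assumption standing in for "whatever else may run on this thread while the call blocks". Instead of writing through a possibly dangling reference, the buggy shape checks whether the reference is still valid and reports the hazard; the hardened shape simply looks the entry up again after the call.

```cpp
// Added example, not Chromium code. Models the base::flat_map reference
// lifetime problem from the thread with a tiny sorted-vector map.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <tuple>
#include <utility>
#include <vector>

struct FrameSinkId {
  uint32_t client_id;
  uint32_t sink_id;
};
inline bool operator<(const FrameSinkId& a, const FrameSinkId& b) {
  return std::tie(a.client_id, a.sink_id) < std::tie(b.client_id, b.sink_id);
}
inline bool operator==(const FrameSinkId& a, const FrameSinkId& b) {
  return a.client_id == b.client_id && a.sink_id == b.sink_id;
}

struct FrameSinkData {
  bool has_created_compositor_frame_sink = false;
};

// Stand-in for base::flat_map<FrameSinkId, FrameSinkData>: a sorted vector.
class FlatMap {
 public:
  using Entry = std::pair<FrameSinkId, FrameSinkData>;

  // Index where |id| is, or would be inserted (lower bound in sorted order).
  size_t IndexOf(const FrameSinkId& id) const {
    auto it = std::lower_bound(
        entries_.begin(), entries_.end(), id,
        [](const Entry& e, const FrameSinkId& k) { return e.first < k; });
    return static_cast<size_t>(it - entries_.begin());
  }

  const FrameSinkData* Find(const FrameSinkId& id) const {
    size_t i = IndexOf(id);
    if (i == entries_.size() || !(entries_[i].first == id)) return nullptr;
    return &entries_[i].second;
  }

  // Like flat_map::operator[]: inserts a default entry when missing. The
  // insertion may reallocate the vector or shift entries behind it, which
  // invalidates references handed out earlier.
  FrameSinkData& operator[](const FrameSinkId& id) {
    size_t i = IndexOf(id);
    if (i == entries_.size() || !(entries_[i].first == id))
      entries_.insert(entries_.begin() + static_cast<std::ptrdiff_t>(i),
                      Entry{id, FrameSinkData{}});
    return entries_[i].second;
  }

  size_t capacity() const { return entries_.capacity(); }
  size_t size() const { return entries_.size(); }

 private:
  std::vector<Entry> entries_;
};

// Assumed hook standing in for the blocking sync IPC; whatever runs on the
// thread while the call is blocked is supplied by the caller.
using SyncIpc = std::function<void()>;

class HostFrameSinkManager {
 public:
  void RegisterFrameSinkId(const FrameSinkId& id) {
    map_[id].has_created_compositor_frame_sink = true;
  }

  // Shape of the code at issue: |data| is held across the blocking call.
  // Returns true when writing through |data| afterwards would be a
  // use-after-free (reallocation) or a write to the wrong entry (shift),
  // and in that case does not touch it.
  bool InvalidateFrameSinkIdHoldingReference(const FrameSinkId& id,
                                             const SyncIpc& sync_ipc) {
    FrameSinkData& data = map_[id];
    const size_t index_before = map_.IndexOf(id);
    const size_t capacity_before = map_.capacity();

    sync_ipc();  // anything that runs here may insert into |map_|

    const bool reallocated = map_.capacity() != capacity_before;
    const bool shifted = map_.IndexOf(id) != index_before;
    if (reallocated || shifted) return true;  // |data| no longer usable
    data.has_created_compositor_frame_sink = false;
    return false;
  }

  // Hardened shape (the re-lookup from #7): never reuse the earlier
  // reference after the blocking call.
  void InvalidateFrameSinkIdRelookup(const FrameSinkId& id,
                                     const SyncIpc& sync_ipc) {
    map_[id];  // make sure the entry exists, as the original does
    sync_ipc();
    map_[id].has_created_compositor_frame_sink = false;  // fresh lookup
  }

  bool HasCreatedCompositorFrameSink(const FrameSinkId& id) const {
    const FrameSinkData* d = map_.Find(id);
    return d != nullptr && d->has_created_compositor_frame_sink;
  }
  size_t size() const { return map_.size(); }

 private:
  FlatMap map_;
};
```

Registering an id that sorts before the one being invalidated while the "IPC" is in flight both shifts the held entry and, on a freshly grown vector, reallocates it, so the holding-reference variant reports the hazard; the re-lookup variant completes correctly with both entries present. The same pattern applies to any container whose element references are not stable across insertion.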
Status: WontFix (was: Assigned)
#7,#8: I did not see any signs of distress when I added that logging. However, if Viz is expected to not work with Cocoa mode, I don't care about this bug at all any more - Cocoa mode is deprecated and will be removed in M71. WontFix :)