Filed by sheriff-o-matic@appspot.gserviceaccount.com on behalf of wittman@google.com
Flaky use-after-free in single_process_mash_browser_tests
Multiple tests are failing with a similar UAF:
[ RUN ] LockScreenNoteTakingTest.DataCreation
[26629:26629:1101/000731.033729:WARNING:easy_unlock_service_regular.cc(524)] EasyUnlockServiceRegular::IsInLegacyHostMode: DeviceSyncClient not ready. Returning false.
[26629:26629:1101/000731.033886:INFO:easy_unlock_service_regular.cc(152)] DeviceSyncClient is not ready yet, delaying UseLoadedRemoteDevices().
[26629:26629:1101/000731.197578:WARNING:wallpaper_controller_client.cc(358)] Cannot get wallpaper files id in RemovePolicyWallpaper. This should never happen under normal circumstances.
[26629:26629:1101/000731.766719:INFO:secure_channel_service.cc(25)] SecureChannelService::OnStart()
[26629:26629:1101/000731.766868:INFO:secure_channel_initializer.cc(64)] SecureChannelInitializer::SecureChannelInitializer(): Fetching Bluetooth adapter. All requests received before the adapter is fetched will be queued.
[26629:26629:1101/000731.767195:INFO:secure_channel_service.cc(38)] SecureChannelService::OnBindInterface() for interface chromeos.secure_channel.mojom.SecureChannel.
[26629:26629:1101/000731.767910:INFO:device_sync_service.cc(31)] DeviceSyncService::OnStart()
[26629:26629:1101/000731.768307:INFO:device_sync_service.cc(48)] DeviceSyncService::OnBindInterface() from interface chromeos.device_sync.mojom.DeviceSync.
[26629:26629:1101/000731.769003:INFO:multidevice_setup_service.cc(62)] MultiDeviceSetupService::OnStart()
[26629:26629:1101/000731.769322:INFO:multidevice_setup_service.cc(75)] MultiDeviceSetupService::OnBindInterface() from interface chromeos.multidevice_setup.mojom.MultiDeviceSetup.
[26629:26629:1101/000731.838479:INFO:secure_channel_initializer.cc(119)] SecureChannelInitializer::OnBluetoothAdapterReceived(): Bluetooth adapter has been fetched. Passing all queued requests to the service.
[26629:26629:1101/000731.849749:ERROR:gpu_interface_provider.cc(87)] Not implemented reached in virtual void content::GpuInterfaceProvider::RegisterOzoneGpuInterfaces(service_manager::BinderRegistry *)
[26629:26629:1101/000732.025907:ERROR:layer_tree_host_impl.cc(3122)] Forcing zero-copy tile initialization as worker context is missing
[26629:26629:1101/000732.047082:ERROR:layer_tree_host_impl.cc(3122)] Forcing zero-copy tile initialization as worker context is missing
[26629:26629:1101/000732.069634:INFO:multidevice_setup_service.cc(75)] MultiDeviceSetupService::OnBindInterface() from interface chromeos.multidevice_setup.mojom.MultiDeviceSetup.
[26629:26629:1101/000732.154926:ERROR:remote_text_input_client.cc(158)] Not implemented reached in virtual void RemoteTextInputClient::OnInputMethodChanged()
[26629:26629:1101/000732.155000:ERROR:remote_text_input_client.cc(115)] Not implemented reached in virtual ui::TextInputClient::FocusReason RemoteTextInputClient::GetFocusReason() const
[26629:26629:1101/000732.155050:ERROR:remote_text_input_client.cc(200)] Not implemented reached in virtual bool RemoteTextInputClient::ShouldDoLearning()
[26629:26629:1101/000732.155129:ERROR:remote_text_input_client.cc(109)] Not implemented reached in virtual bool RemoteTextInputClient::HasCompositionText() const
[26629:26629:1101/000732.155172:ERROR:remote_text_input_client.cc(121)] Not implemented reached in virtual bool RemoteTextInputClient::GetTextRange(gfx::Range *) const
[26629:26629:1101/000732.155211:ERROR:remote_text_input_client.cc(176)] Not implemented reached in virtual void RemoteTextInputClient::EnsureCaretNotInRect(const gfx::Rect &)
[26629:26629:1101/000733.755908:ERROR:multi_user_window_manager_stub.cc(54)] Not implemented reached in virtual void MultiUserWindowManagerStub::AddObserver(MultiUserWindowManager::Observer *)
[26629:26629:1101/000733.801115:ERROR:render_widget_host_view_aura.cc(1282)] Not implemented reached in virtual base::i18n::TextDirection content::RenderWidgetHostViewAura::GetTextDirection() const
[26629:26629:1101/000733.848064:ERROR:layer_tree_host_impl.cc(3122)] Forcing zero-copy tile initialization as worker context is missing
[26629:26629:1101/000733.956268:ERROR:layer_tree_host_impl.cc(3122)] Forcing zero-copy tile initialization as worker context is missing
[26629:26629:1101/000734.228333:INFO:CONSOLE(0)] "[SUCCESS] createNote", source: chrome-extension://cadfeochfldmbdgoccgbeianhamecbae/test.html (0)
[26629:26629:1101/000734.262939:INFO:CONSOLE(0)] "[SUCCESS] createAndResetNoteContent", source: chrome-extension://cadfeochfldmbdgoccgbeianhamecbae/test.html (0)
[26629:26629:1101/000734.329553:INFO:CONSOLE(0)] "[SUCCESS] createAndDeleteNote", source: chrome-extension://cadfeochfldmbdgoccgbeianhamecbae/test.html (0)
[26629:26629:1101/000734.351128:INFO:CONSOLE(0)] "[SUCCESS] createEmptyNote", source: chrome-extension://cadfeochfldmbdgoccgbeianhamecbae/test.html (0)
[26629:26629:1101/000734.391811:INFO:CONSOLE(0)] "[SUCCESS] getAll", source: chrome-extension://cadfeochfldmbdgoccgbeianhamecbae/test.html (0)
[26629:26629:1101/000734.398715:INFO:CONSOLE(0)] "[SUCCESS] reportReadyToClose", source: chrome-extension://cadfeochfldmbdgoccgbeianhamecbae/test.html (0)
==26629==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x5649b07c48e5 in find_if<std::__1::__wrap_iter<const base::internal::UncheckedObserverAdapter *>, (lambda at ../../base/observer_list.h:303:25)> ./../../buildtools/third_party/libc++/trunk/include/algorithm:877:5
#1 0x5649b07c48e5 in HasObserver ./../../base/observer_list.h:302:0
#2 0x5649b07c48e5 in aura::Window::HasObserver(aura::WindowObserver const*) const ./../../ui/aura/window.cc:563:0
#3 0x5649b07fc5b5 in aura::WindowObserver::OnUnobservingWindow(aura::Window*) ./../../ui/aura/window_observer.cc:25:15
#4 0x5649b07b27ba in aura::Window::RemoveObserver(aura::WindowObserver*) ./../../ui/aura/window.cc:558:13
#5 0x564998e5dfec in RemoveAll ./../../base/scoped_observer.h:45:20
#6 0x564998e5dfec in lock_screen_apps::FirstAppRunToastManager::Reset() ./../../chrome/browser/chromeos/lock_screen_apps/first_app_run_toast_manager.cc:73:0
#7 0x564998e6e0f6 in lock_screen_apps::StateController::ResetNoteTakingWindowAndMoveToNextState(bool, ash::mojom::CloseLockScreenNoteReason) ./../../chrome/browser/chromeos/lock_screen_apps/state_controller.cc:499:35
#8 0x5649a033c0ae in extensions::AppWindowRegistry::RemoveAppWindow(extensions::AppWindow*) ./../../extensions/browser/app_window/app_window_registry.cc:85:14
#9 0x5649a031c590 in extensions::AppWindow::OnNativeClose() ./../../extensions/browser/app_window/app_window.cc:493:45
#10 0x5649aaf5f345 in views::Widget::OnNativeWidgetDestroyed() ./../../ui/views/widget/widget.cc:1111:21
#11 0x5649c166134e in views::DesktopNativeWidgetAura::OnHostClosed() ./../../ui/views/widget/desktop_aura/desktop_native_widget_aura.cc:330:28
#12 0x5649b323a5a3 in views::DesktopWindowTreeHostMus::CloseNow() ./../../ui/views/mus/desktop_window_tree_host_mus.cc:571:32
#13 0x5649a723949a in Run ./../../base/callback.h:99:12
#14 0x5649a723949a in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0
#15 0x5649a6efe842 in base::MessageLoop::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop.cc:545:46
#16 0x5649a6effabd in DeferOrRunPendingTask ./../../base/message_loop/message_loop.cc:556:5
#17 0x5649a6effabd in base::MessageLoop::DoWork() ./../../base/message_loop/message_loop.cc:628:0
#18 0x5649a7225780 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_libevent.cc:210:31
#19 0x5649a6fc8f1f in base::RunLoop::Run() ./../../base/run_loop.cc:102:14
#20 0x5649a90068e4 in content::RunThisRunLoop(base::RunLoop*) ./../../content/public/test/test_utils.cc:130:13
#21 0x5649c0bc8937 in extensions::ResultCatcher::GetNextResult() ./../../extensions/test/result_catcher.cc:35:5
#22 0x5649971c0ad7 in (anonymous namespace)::LockScreenNoteTakingTest::RunTestAppInLockScreenContext(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*) ./../../chrome/browser/chromeos/lock_screen_apps/note_taking_browsertest.cc:169:18
#23 0x5649971c4b90 in LockScreenNoteTakingTest_DataCreation_Test::RunTestOnMainThread() ./../../chrome/browser/chromeos/lock_screen_apps/note_taking_browsertest.cc:236:3
#24 0x5649a8f4316b in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop() ./../../content/public/test/browser_test_base.cc:422:5
#25 0x5649a75dc8d5 in Run ./../../base/callback.h:129:12
#26 0x5649a75dc8d5 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() ./../../chrome/browser/chrome_browser_main.cc:1844:0
#27 0x5649a75d7f3f in ChromeBrowserMainParts::PreMainMessageLoopRun() ./../../chrome/browser/chrome_browser_main.cc:1228:18
#28 0x564998a2ec34 in chromeos::ChromeBrowserMainPartsChromeos::PreMainMessageLoopRun() ./../../chrome/browser/chromeos/chrome_browser_main_chromeos.cc:661:32
#29 0x56499e069634 in content::BrowserMainLoop::PreMainMessageLoopRun() ./../../content/browser/browser_main_loop.cc:977:13
#30 0x56499f83405c in Run ./../../base/callback.h:129:12
#31 0x56499f83405c in content::StartupTaskRunner::RunAllTasksNow() ./../../content/browser/startup_task_runner.cc:41:0
#32 0x56499e061c7a in content::BrowserMainLoop::CreateStartupTasks() ./../../content/browser/browser_main_loop.cc:911:25
#33 0x56499e075952 in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) ./../../content/browser/browser_main_runner_impl.cc:144:15
#34 0x56499e055f82 in content::BrowserMain(content::MainFunctionParams const&) ./../../content/browser/browser_main.cc:43:32
#35 0x5649a5aca19a in RunBrowserProcessMain ./../../content/app/content_main_runner_impl.cc:537:10
#36 0x5649a5aca19a in content::ContentMainRunnerImpl::Run(bool) ./../../content/app/content_main_runner_impl.cc:902:0
#37 0x5649b141e43e in service_manager::Main(service_manager::MainParams const&) ./../../services/service_manager/embedder/main.cc:472:29
#38 0x5649a5ac127e in content::ContentMain(content::ContentMainParams const&) ./../../content/app/content_main.cc:19:10
#39 0x5649a8f41632 in content::BrowserTestBase::SetUp() ./../../content/public/test/browser_test_base.cc:335:3
#40 0x5649a7406c06 in InProcessBrowserTest::SetUp() ./../../chrome/test/base/in_process_browser_test.cc:283:20
#41 0x56499a30e925 in HandleExceptionsInMethodIfSupported<testing::Test, void> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0
#42 0x56499a30e925 in testing::Test::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2518:0
#43 0x56499a3129bb in testing::TestInfo::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2698:11
#44 0x56499a3144a9 in testing::TestCase::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2816:28
#45 0x56499a34d564 in testing::internal::UnitTestImpl::RunAllTests() ./../../third_party/googletest/src/googletest/src/gtest.cc:5182:43
#46 0x56499a34be37 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0
#47 0x56499a34be37 in testing::UnitTest::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:4791:0
#48 0x5649a747fd00 in RUN_ALL_TESTS ./../../third_party/googletest/src/googletest/include/gtest/gtest.h:2333:46
#49 0x5649a747fd00 in base::TestSuite::Run() ./../../base/test/test_suite.cc:294:0
#50 0x5649a6e25a4c in ChromeTestSuiteRunner::RunTestSuite(int, char**) ./../../chrome/test/base/chrome_test_launcher.cc:71:21
#51 0x5649a8ff6c45 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) ./../../content/public/test/test_launcher.cc:647:31
#52 0x5649a6e27195 in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) ./../../chrome/test/base/chrome_test_launcher.cc:182:10
#53 0x5649a6e25800 in main ./../../chrome/test/base/browser_tests_main_chromeos.cc:21:10
#54 0x7f72e78baf44 in __libc_start_main ??:0:0
#55 0x564991522c49 in _start ??:0:0
Uninitialized value was created by a heap deallocation
#0 0x5649915968b9 in operator delete(void*) /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/msan/msan_new_delete.cc:75:44
#1 0x5649b07af673 in RemoveOrDestroyChildren ./../../ui/aura/window.cc:802:7
#2 0x5649b07af673 in aura::Window::~Window() ./../../ui/aura/window.cc:131:0
#3 0x5649b07b405c in aura::Window::~Window() ./../../ui/aura/window.cc:94:19
#4 0x5649b08221c4 in aura::WindowTreeHost::DestroyDispatcher() ./../../ui/aura/window_tree_host.cc:317:3
#5 0x5649b07aabcc in aura::WindowTreeHostMus::~WindowTreeHostMus() ./../../ui/aura/mus/window_tree_host_mus.cc:100:3
#6 0x5649b32368a3 in views::DesktopWindowTreeHostMus::~DesktopWindowTreeHostMus() ./../../ui/views/mus/desktop_window_tree_host_mus.cc:351:1
#7 0x5649b3236cf3 in ~DesktopWindowTreeHostMus ./../../ui/views/mus/desktop_window_tree_host_mus.cc:341:55
#8 0x5649b3236cf3 in non-virtual thunk to views::DesktopWindowTreeHostMus::~DesktopWindowTreeHostMus() ./../../ui/views/mus/desktop_window_tree_host_mus.cc:0:0
#9 0x5649c1661292 in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5
#10 0x5649c1661292 in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0
#11 0x5649c1661292 in views::DesktopNativeWidgetAura::OnHostClosed() ./../../ui/views/widget/desktop_aura/desktop_native_widget_aura.cc:321:0
#12 0x5649b323a5a3 in views::DesktopWindowTreeHostMus::CloseNow() ./../../ui/views/mus/desktop_window_tree_host_mus.cc:571:32
#13 0x5649a723949a in Run ./../../base/callback.h:99:12
#14 0x5649a723949a in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0
#15 0x5649a6efe842 in base::MessageLoop::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop.cc:545:46
#16 0x5649a6effabd in DeferOrRunPendingTask ./../../base/message_loop/message_loop.cc:556:5
#17 0x5649a6effabd in base::MessageLoop::DoWork() ./../../base/message_loop/message_loop.cc:628:0
#18 0x5649a7225780 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_libevent.cc:210:31
#19 0x5649a6fc8f1f in base::RunLoop::Run() ./../../base/run_loop.cc:102:14
#20 0x5649a90068e4 in content::RunThisRunLoop(base::RunLoop*) ./../../content/public/test/test_utils.cc:130:13
#21 0x5649c0bc8937 in extensions::ResultCatcher::GetNextResult() ./../../extensions/test/result_catcher.cc:35:5
#22 0x5649971c0ad7 in (anonymous namespace)::LockScreenNoteTakingTest::RunTestAppInLockScreenContext(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*) ./../../chrome/browser/chromeos/lock_screen_apps/note_taking_browsertest.cc:169:18
#23 0x5649971c4b90 in LockScreenNoteTakingTest_DataCreation_Test::RunTestOnMainThread() ./../../chrome/browser/chromeos/lock_screen_apps/note_taking_browsertest.cc:236:3
#24 0x5649a8f4316b in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop() ./../../content/public/test/browser_test_base.cc:422:5
#25 0x5649a75dc8d5 in Run ./../../base/callback.h:129:12
#26 0x5649a75dc8d5 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() ./../../chrome/browser/chrome_browser_main.cc:1844:0
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/browser_tests+0x21b248e5)
Builders failed on:
- Linux Chromium OS ASan LSan Tests (1):
https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20Chromium%20OS%20ASan%20LSan%20Tests%20%281%29
- Linux ChromiumOS MSan Tests:
https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20ChromiumOS%20MSan%20Tests
Comment 1 by wittman@chromium.org, Nov 1