Issue 907820 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	dalecur...@chromium.org
Closed:	Nov 27
Cc:	andruud@chromium.org
Components:	Blink>Media
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	2
Type:	----
Filed-Via-SoM

Blocking:
issue 521176

AddressSanitizer: heap-use-after-free: media::DefaultRendererFactory::CreateAudioDecoders

Project Member Reported by sheriff-...@appspot.gserviceaccount.com, Nov 22

Issue description

Filed by sheriff-o-matic@appspot.gserviceaccount.com on behalf of andruud@google.com

http/.../video.html in webkit_layout_tests failing on chromium.webkit/WebKit Linux Trusty ASAN

Builders failed on: 
- WebKit Linux Trusty ASAN: 
  https://ci.chromium.org/buildbot/chromium.webkit/WebKit%20Linux%20Trusty%20ASAN

Comment 1 by andruud@chromium.org, Nov 22

Build: https://ci.chromium.org/buildbot/chromium.webkit/WebKit%20Linux%20Trusty%20ASAN/18327

Stack:

crash log for renderer (pid <unknown>):
STDOUT: <empty>
STDERR: =================================================================
STDERR: ==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000b1b30 at pc 0x5583f26a47a5 bp 0x7fe502f5e0f0 sp 0x7fe502f5e0e8
STDERR: READ of size 8 at 0x6030000b1b30 thread T15 (Media)
STDERR:     #0 0x5583f26a47a4 in media::DefaultRendererFactory::CreateAudioDecoders(scoped_refptr<base::SingleThreadTaskRunner> const&) ./../../media/renderers/default_renderer_factory.cc:38:3
STDERR:     #1 0x5583f26a52ec in Invoke<std::__1::vector<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> >, std::__1::allocator<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> > > > (media::DefaultRendererFactory::*)(const scoped_refptr<base::SingleThreadTaskRunner> &), media::DefaultRendererFactory *, const scoped_refptr<base::SingleThreadTaskRunner> &> ./../../base/bind_internal.h:516:12
STDERR:     #2 0x5583f26a52ec in MakeItSo<std::__1::vector<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> >, std::__1::allocator<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> > > > (media::DefaultRendererFactory::*const &)(const scoped_refptr<base::SingleThreadTaskRunner> &), media::DefaultRendererFactory *, const scoped_refptr<base::SingleThreadTaskRunner> &> ./../../base/bind_internal.h:616:0
STDERR:     #3 0x5583f26a52ec in RunImpl<std::__1::vector<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> >, std::__1::allocator<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> > > > (media::DefaultRendererFactory::*const &)(const scoped_refptr<base::SingleThreadTaskRunner> &), const std::__1::tuple<base::internal::UnretainedWrapper<media::DefaultRendererFactory>, scoped_refptr<base::SingleThreadTaskRunner> > &, 0, 1> ./../../base/bind_internal.h:689:0
STDERR:     #4 0x5583f26a52ec in base::internal::Invoker<base::internal::BindState<std::__1::vector<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> >, std::__1::allocator<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> > > > (media::DefaultRendererFactory::*)(scoped_refptr<base::SingleThreadTaskRunner> const&), base::internal::UnretainedWrapper<media::DefaultRendererFactory>, scoped_refptr<base::SingleThreadTaskRunner> >, std::__1::vector<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> >, std::__1::allocator<std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> > > > ()>::Run(base::internal::BindStateBase*) ./../../base/bind_internal.h:671:0
STDERR:     #5 0x5583f22ec7b1 in Run ./../../base/callback.h:129:12
STDERR:     #6 0x5583f22ec7b1 in media::DecoderSelector<(media::DemuxerStream::Type)1>::SelectDecoder(base::OnceCallback<void (std::__1::unique_ptr<media::AudioDecoder, std::__1::default_delete<media::AudioDecoder> >, std::__1::unique_ptr<media::DecryptingDemuxerStream, std::__1::default_delete<media::DecryptingDemuxerStream> >)>, base::RepeatingCallback<void (scoped_refptr<media::AudioBuffer> const&)>) ./../../media/filters/decoder_selector.cc:90:0
STDERR:     #7 0x5583f230247c in media::DecoderStream<(media::DemuxerStream::Type)1>::SelectDecoder() ./../../media/filters/decoder_stream.cc:322:21
STDERR:     #8 0x5583f230206f in media::DecoderStream<(media::DemuxerStream::Type)1>::Initialize(media::DemuxerStream*, base::OnceCallback<void (bool)>, media::CdmContext*, base::RepeatingCallback<void (media::PipelineStatistics const&)>, base::RepeatingCallback<void ()>) ./../../media/filters/decoder_stream.cc:173:3
STDERR:     #9 0x5583f269a23d in media::AudioRendererImpl::Initialize(media::DemuxerStream*, media::CdmContext*, media::RendererClient*, base::RepeatingCallback<void (media::PipelineStatus)> const&) ./../../media/renderers/audio_renderer_impl.cc:538:26
STDERR:     #10 0x5583f26b77dd in media::RendererImpl::InitializeAudioRenderer() ./../../media/renderers/renderer_impl.cc:382:20
STDERR:     #11 0x5583f26b6de6 in media::RendererImpl::Initialize(media::MediaResource*, media::RendererClient*, base::RepeatingCallback<void (media::PipelineStatus)> const&) ./../../media/renderers/renderer_impl.cc:164:3
STDERR:     #12 0x5583f219dd8e in media::PipelineImpl::RendererWrapper::InitializeRenderer(base::RepeatingCallback<void (media::PipelineStatus)> const&) ./../../media/base/pipeline_impl.cc:911:27
STDERR:     #13 0x5583f21b31da in Run ./../../base/callback.h:129:12
STDERR:     #14 0x5583f21b31da in media::SerialRunner::RunNextInSeries(media::PipelineStatus) ./../../media/base/serial_runner.cc:109:0
STDERR:     #15 0x5583f2172cee in Run ./../../base/callback.h:140:12
STDERR:     #16 0x5583f2172cee in Invoke<base::RepeatingCallback<void (media::PipelineStatus)>, media::PipelineStatus> ./../../base/bind_internal.h:592:0
STDERR:     #17 0x5583f2172cee in MakeItSo<base::RepeatingCallback<void (media::PipelineStatus)>, media::PipelineStatus> ./../../base/bind_internal.h:616:0
STDERR:     #18 0x5583f2172cee in RunImpl<base::RepeatingCallback<void (media::PipelineStatus)>, std::__1::tuple<media::PipelineStatus>, 0> ./../../base/bind_internal.h:689:0
STDERR:     #19 0x5583f2172cee in base::internal::Invoker<base::internal::BindState<base::RepeatingCallback<void (media::PipelineStatus)>, media::PipelineStatus>, void ()>::RunOnce(base::internal::BindStateBase*) ./../../base/bind_internal.h:658:0
STDERR:     #20 0x5583f7b192a1 in Run ./../../base/callback.h:99:12
STDERR:     #21 0x5583f7b192a1 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0
STDERR:     #22 0x5583f7b16ad5 in base::MessageLoopImpl::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop_impl.cc:350:46
STDERR:     #23 0x5583f7b17d99 in DeferOrRunPendingTask ./../../base/message_loop/message_loop_impl.cc:361:5
STDERR:     #24 0x5583f7b17d99 in base::MessageLoopImpl::DoWork() ./../../base/message_loop/message_loop_impl.cc:449:0
STDERR:     #25 0x5583f7b1e2cf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_default.cc:39:31
STDERR:     #26 0x5583f7b7f711 in base::RunLoop::Run() ./../../base/run_loop.cc:102:14
STDERR:     #27 0x5583f7c4bbb1 in base::Thread::ThreadMain() ./../../base/threading/thread.cc:332:3
STDERR:     #28 0x5583f7d0a281 in base::(anonymous namespace)::ThreadFunc(void*) ./../../base/threading/platform_thread_posix.cc:81:13
STDERR:     #29 0x7fe52cf99183 in start_thread ??:0:0
STDERR: 
STDERR: 0x6030000b1b30 is located 16 bytes inside of 32-byte region [0x6030000b1b20,0x6030000b1b40)
STDERR: freed by thread T0 (content_shell) here:
STDERR:     #0 0x5583f0dd6852 in operator delete(void*) _asan_rtl_:3
STDERR:     #1 0x5583f21b0048 in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5
STDERR:     #2 0x5583f21b0048 in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0
STDERR:     #3 0x5583f21b0048 in ~unique_ptr ./../../buildtools/third_party/libc++/trunk/include/memory:2592:0
STDERR:     #4 0x5583f21b0048 in media::RendererFactorySelector::~RendererFactorySelector() ./../../media/base/renderer_factory_selector.cc:13:0
STDERR:     #5 0x558401d76bea in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5
STDERR:     #6 0x558401d76bea in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0
STDERR:     #7 0x558401d76bea in ~unique_ptr ./../../buildtools/third_party/libc++/trunk/include/memory:2592:0
STDERR:     #8 0x558401d76bea in media::WebMediaPlayerImpl::~WebMediaPlayerImpl() ./../../media/blink/webmediaplayer_impl.cc:454:0
STDERR:     #9 0x558401d77d5d in media::WebMediaPlayerImpl::~WebMediaPlayerImpl() ./../../media/blink/webmediaplayer_impl.cc:400:43
STDERR:     #10 0x5583feb6a845 in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5
STDERR:     #11 0x5583feb6a845 in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0
STDERR:     #12 0x5583feb6a845 in ClearMediaPlayerAndAudioSourceProviderClientWithoutLocking ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:3561:0
STDERR:     #13 0x5583feb6a845 in blink::HTMLMediaElement::ResetMediaPlayerAndMediaSource() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:3921:0
STDERR:     #14 0x5583feb66272 in blink::HTMLMediaElement::InvokeLoadAlgorithm() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:903:3
STDERR:     #15 0x5583febbabad in blink::HTMLVideoElement::ParseAttribute(blink::Element::AttributeModificationParams const&) ./../../third_party/blink/renderer/core/html/media/html_video_element.cc:236:23
STDERR:     #16 0x5583fde65f02 in blink::Element::AttributeChanged(blink::Element::AttributeModificationParams const&) ./../../third_party/blink/renderer/core/dom/element.cc:1593:3
STDERR:     #17 0x5583fea4ab14 in blink::HTMLElement::AttributeChanged(blink::Element::AttributeModificationParams const&) ./../../third_party/blink/renderer/core/html/html_element.cc:591:12
STDERR:     #18 0x5583fde990c7 in blink::Element::DidModifyAttribute(blink::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&) ./../../third_party/blink/renderer/core/dom/element.cc:4489:3
STDERR:     #19 0x5583fde4f0e7 in SetAttributeInternal ./../../third_party/blink/renderer/core/dom/element.cc:1568:5
STDERR:     #20 0x5583fde4f0e7 in blink::Element::setAttribute(blink::QualifiedName const&, WTF::AtomicString const&) ./../../third_party/blink/renderer/core/dom/element.cc:1464:0
STDERR:     #21 0x5583fde65a2d in blink::Element::setAttribute(blink::QualifiedName const&, blink::USVStringOrTrustedURL const&, blink::ExceptionState&) ./../../third_party/blink/renderer/core/dom/element.cc:1536:5
STDERR:     #22 0x5583fcef833d in srcAttributeSetter ./gen/third_party/blink/renderer/bindings/core/v8/v8_html_media_element.cc:123:9
STDERR:     #23 0x5583fcef833d in blink::V8HTMLMediaElement::srcAttributeSetterCallback(v8::FunctionCallbackInfo<v8::Value> const&) ./gen/third_party/blink/renderer/bindings/core/v8/v8_html_media_element.cc:716:0
STDERR:     #24 0x5583f39ccb7c in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) ./../../v8/src/api-arguments-inl.h:146:3
STDERR:     #25 0x5583f39ca69d in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) ./../../v8/src/builtins/builtins-api.cc:108:36
STDERR:     #26 0x5583f39c9464 in v8::internal::Builtins::InvokeApiFunction(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::HeapObject>) ./../../v8/src/builtins/builtins-api.cc:236:16
STDERR:     #27 0x5583f4768a9b in v8::internal::Object::SetPropertyWithAccessor(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::ShouldThrow) ./../../v8/src/objects.cc:1740:5
STDERR:     #28 0x5583f479d772 in v8::internal::Object::SetPropertyInternal(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::StoreOrigin, bool*) ./../../v8/src/objects.cc:5120:16
STDERR:     #29 0x5583f479d03c in v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::StoreOrigin) ./../../v8/src/objects.cc:5175:9
STDERR:     #30 0x5583f4553d06 in v8::internal::StoreIC::Store(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::StoreOrigin) ./../../v8/src/ic/ic.cc:1429:3
STDERR:     #31 0x5583f4565b4d in __RT_impl_Runtime_StoreIC_Miss ./../../v8/src/ic/ic.cc:2285:5
STDERR:     #32 0x5583f4565b4d in v8::internal::Runtime_StoreIC_Miss(int, unsigned long*, v8::internal::Isolate*) ./../../v8/src/ic/ic.cc:2271:0
STDERR:     #33 0x5583f52ff4ca in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit ??:0:0
STDERR:     #34 0x5583f5334dae in Builtins_StaNamedPropertyHandler ??:0:0
STDERR:     #35 0x5583f526579a in Builtins_InterpreterEntryTrampoline ??:0:0
STDERR:     #36 0x5583f525ef45 in Builtins_ArgumentsAdaptorTrampoline ??:0:0
STDERR:     #37 0x5583f526579a in Builtins_InterpreterEntryTrampoline ??:0:0
STDERR:     #38 0x5583f525ef45 in Builtins_ArgumentsAdaptorTrampoline ??:0:0
STDERR:     #39 0x5583f526579a in Builtins_InterpreterEntryTrampoline ??:0:0
STDERR:     #40 0x5583f525ef45 in Builtins_ArgumentsAdaptorTrampoline ??:0:0
STDERR:     #41 0x5583f5262bc2 in Builtins_JSEntryTrampoline ??:0:0
STDERR: 
STDERR: previously allocated by thread T0 (content_shell) here:
STDERR:     #0 0x5583f0dd5c12 in operator new(unsigned long) _asan_rtl_:3
STDERR:     #1 0x558401d62aee in make_unique<media::DefaultRendererFactory, media::MediaLog *&, media::DecoderFactory *&, base::RepeatingCallback<media::GpuVideoAcceleratorFactories *()> > ./../../buildtools/third_party/libc++/trunk/include/memory:3118:28
STDERR:     #2 0x558401d62aee in content::MediaFactory::CreateRendererFactorySelector(media::MediaLog*, bool, media::DecoderFactory*, std::__1::unique_ptr<media::RemotePlaybackClientWrapper, std::__1::default_delete<media::RemotePlaybackClientWrapper> >, base::WeakPtr<media::MediaObserver>*) ./../../content/renderer/media/media_factory.cc:497:0
STDERR:     #3 0x558401d5ff5c in content::MediaFactory::CreateMediaPlayer(blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebMediaPlayerEncryptedMediaClient*, blink::WebContentDecryptionModule*, blink::WebString const&, blink::WebLayerTreeView*, cc::LayerTreeSettings const&) ./../../content/renderer/media/media_factory.cc:317:27
STDERR:     #4 0x558401cbf15f in CreateMediaPlayer ./../../content/renderer/render_frame_impl.cc:3667:25
STDERR:     #5 0x558401cbf15f in non-virtual thunk to content::RenderFrameImpl::CreateMediaPlayer(blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebMediaPlayerEncryptedMediaClient*, blink::WebContentDecryptionModule*, blink::WebString const&, blink::WebLayerTreeView*) ./../../content/renderer/render_frame_impl.cc:0:0
STDERR:     #6 0x55840295d033 in blink::ModulesInitializer::CreateWebMediaPlayer(blink::WebLocalFrameClient*, blink::HTMLMediaElement&, blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebLayerTreeView*) const ./../../third_party/blink/renderer/modules/modules_initializer.cc:261:45
STDERR:     #7 0x5583fe7674f3 in blink::LocalFrameClientImpl::CreateWebMediaPlayer(blink::HTMLMediaElement&, blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebLayerTreeView*) ./../../third_party/blink/renderer/core/exported/local_frame_client_impl.cc:844:41
STDERR:     #8 0x5583feb7329a in blink::HTMLMediaElement::StartPlayerLoad() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1282:40
STDERR:     #9 0x5583feb6f4a4 in blink::HTMLMediaElement::LoadResource(blink::WebMediaPlayerSource const&, WTF::String const&) ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1224:7
STDERR:     #10 0x5583feb6df33 in blink::HTMLMediaElement::LoadSourceFromAttribute() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1135:3
STDERR:     #11 0x5583feb6d493 in blink::HTMLMediaElement::SelectMediaResource() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1088:7
STDERR:     #12 0x5583feb695b0 in blink::HTMLMediaElement::LoadInternal() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1022:3
STDERR:     #13 0x5583feb62151 in blink::HTMLMediaElement::LoadTimerFired(blink::TimerBase*) ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:782:7
STDERR:     #14 0x5583fd2a508a in blink::TimerBase::RunInternal() ./../../third_party/blink/renderer/platform/timer.cc:156:3
STDERR:     #15 0x5583f7b192a1 in Run ./../../base/callback.h:99:12
STDERR:     #16 0x5583f7b192a1 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0
STDERR:     #17 0x5583f7bee3c4 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) ./../../base/task/sequence_manager/thread_controller_impl.cc:209:23
STDERR:     #18 0x5583f7b192a1 in Run ./../../base/callback.h:99:12
STDERR:     #19 0x5583f7b192a1 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0
STDERR:     #20 0x5583f7b16ad5 in base::MessageLoopImpl::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop_impl.cc:350:46
STDERR:     #21 0x5583f7b17d99 in DeferOrRunPendingTask ./../../base/message_loop/message_loop_impl.cc:361:5
STDERR:     #22 0x5583f7b17d99 in base::MessageLoopImpl::DoWork() ./../../base/message_loop/message_loop_impl.cc:449:0
STDERR:     #23 0x5583f7b1e2cf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_default.cc:39:31
STDERR:     #24 0x5583f7b7f711 in base::RunLoop::Run() ./../../base/run_loop.cc:102:14
STDERR:     #25 0x55840343580d in content::RendererMain(content::MainFunctionParams const&) ./../../content/renderer/renderer_main.cc:201:16
STDERR:     #26 0x5583f58e7bcf in content::RunZygote(content::ContentMainDelegate*) ./../../content/app/content_main_runner_impl.cc:495:14
STDERR:     #27 0x5583f58eadc8 in content::ContentMainRunnerImpl::Run(bool) ./../../content/app/content_main_runner_impl.cc:906:10
STDERR:     #28 0x5583fc4b037f in service_manager::Main(service_manager::MainParams const&) ./../../services/service_manager/embedder/main.cc:472:29
STDERR:     #29 0x5583f33e8bd2 in content::ContentMain(content::ContentMainParams const&) ./../../content/app/content_main.cc:19:10
STDERR:     #30 0x5583f0dd8cab in main ./../../content/shell/app/shell_main.cc:39:10
STDERR:     #31 0x7fe526e74f44 in __libc_start_main ??:0:0
STDERR: 
STDERR: Thread T15 (Media) created by T0 (content_shell) here:
STDERR:     #0 0x5583f0d91fbd in __interceptor_pthread_create _asan_rtl_:3
STDERR:     #1 0x5583f7d0956e in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) ./../../base/threading/platform_thread_posix.cc:120:13
STDERR:     #2 0x5583f7c4ae66 in base::Thread::StartWithOptions(base::Thread::Options const&) ./../../base/threading/thread.cc:112:15
STDERR:     #3 0x5584029338ae in content::RenderThreadImpl::GetMediaThreadTaskRunner() ./../../content/renderer/render_thread_impl.cc:2276:20
STDERR:     #4 0x558401d6034f in content::MediaFactory::CreateMediaPlayer(blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebMediaPlayerEncryptedMediaClient*, blink::WebContentDecryptionModule*, blink::WebString const&, blink::WebLayerTreeView*, cc::LayerTreeSettings const&) ./../../content/renderer/media/media_factory.cc:344:22
STDERR:     #5 0x558401cbf15f in CreateMediaPlayer ./../../content/renderer/render_frame_impl.cc:3667:25
STDERR:     #6 0x558401cbf15f in non-virtual thunk to content::RenderFrameImpl::CreateMediaPlayer(blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebMediaPlayerEncryptedMediaClient*, blink::WebContentDecryptionModule*, blink::WebString const&, blink::WebLayerTreeView*) ./../../content/renderer/render_frame_impl.cc:0:0
STDERR:     #7 0x55840295d033 in blink::ModulesInitializer::CreateWebMediaPlayer(blink::WebLocalFrameClient*, blink::HTMLMediaElement&, blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebLayerTreeView*) const ./../../third_party/blink/renderer/modules/modules_initializer.cc:261:45
STDERR:     #8 0x5583fe7674f3 in blink::LocalFrameClientImpl::CreateWebMediaPlayer(blink::HTMLMediaElement&, blink::WebMediaPlayerSource const&, blink::WebMediaPlayerClient*, blink::WebLayerTreeView*) ./../../third_party/blink/renderer/core/exported/local_frame_client_impl.cc:844:41
STDERR:     #9 0x5583feb7329a in blink::HTMLMediaElement::StartPlayerLoad() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1282:40
STDERR:     #10 0x5583feb6f4a4 in blink::HTMLMediaElement::LoadResource(blink::WebMediaPlayerSource const&, WTF::String const&) ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1224:7
STDERR:     #11 0x5583feb6df33 in blink::HTMLMediaElement::LoadSourceFromAttribute() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1135:3
STDERR:     #12 0x5583feb6d493 in blink::HTMLMediaElement::SelectMediaResource() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1088:7
STDERR:     #13 0x5583feb695b0 in blink::HTMLMediaElement::LoadInternal() ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:1022:3
STDERR:     #14 0x5583feb62151 in blink::HTMLMediaElement::LoadTimerFired(blink::TimerBase*) ./../../third_party/blink/renderer/core/html/media/html_media_element.cc:782:7
STDERR:     #15 0x5583fd2a508a in blink::TimerBase::RunInternal() ./../../third_party/blink/renderer/platform/timer.cc:156:3
STDERR:     #16 0x5583f7b192a1 in Run ./../../base/callback.h:99:12
STDERR:     #17 0x5583f7b192a1 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0
STDERR:     #18 0x5583f7bee3c4 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) ./../../base/task/sequence_manager/thread_controller_impl.cc:209:23
STDERR:     #19 0x5583f7b192a1 in Run ./../../base/callback.h:99:12
STDERR:     #20 0x5583f7b192a1 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0
STDERR:     #21 0x5583f7b16ad5 in base::MessageLoopImpl::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop_impl.cc:350:46
STDERR:     #22 0x5583f7b17d99 in DeferOrRunPendingTask ./../../base/message_loop/message_loop_impl.cc:361:5
STDERR:     #23 0x5583f7b17d99 in base::MessageLoopImpl::DoWork() ./../../base/message_loop/message_loop_impl.cc:449:0
STDERR:     #24 0x5583f7b1e2cf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_default.cc:39:31
STDERR:     #25 0x5583f7b7f711 in base::RunLoop::Run() ./../../base/run_loop.cc:102:14
STDERR:     #26 0x55840343580d in content::RendererMain(content::MainFunctionParams const&) ./../../content/renderer/renderer_main.cc:201:16
STDERR:     #27 0x5583f58e7bcf in content::RunZygote(content::ContentMainDelegate*) ./../../content/app/content_main_runner_impl.cc:495:14
STDERR:     #28 0x5583f58eadc8 in content::ContentMainRunnerImpl::Run(bool) ./../../content/app/content_main_runner_impl.cc:906:10
STDERR:     #29 0x5583fc4b037f in service_manager::Main(service_manager::MainParams const&) ./../../services/service_manager/embedder/main.cc:472:29
STDERR:     #30 0x5583f33e8bd2 in content::ContentMain(content::ContentMainParams const&) ./../../content/app/content_main.cc:19:10
STDERR:     #31 0x5583f0dd8cab in main ./../../content/shell/app/shell_main.cc:39:10
STDERR:     #32 0x7fe526e74f44 in __libc_start_main ??:0:0
STDERR: 
STDERR: SUMMARY: AddressSanitizer: heap-use-after-free (/b/s/w/ir/out/Release/content_shell+0x75e67a4)
STDERR: Shadow bytes around the buggy address:
STDERR:   0x0c068000e310: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
STDERR:   0x0c068000e320: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
STDERR:   0x0c068000e330: fd fa fa fa fd fd fd fd fa fa 00 00 02 fa fa fa
STDERR:   0x0c068000e340: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
STDERR:   0x0c068000e350: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
STDERR: =>0x0c068000e360: 00 00 fa fa fd fd[fd]fd fa fa fd fd fd fa fa fa
STDERR:   0x0c068000e370: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
STDERR:   0x0c068000e380: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd
STDERR:   0x0c068000e390: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
STDERR:   0x0c068000e3a0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fd
STDERR:   0x0c068000e3b0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
STDERR: Shadow byte legend (one shadow byte represents 8 application bytes):
STDERR:   Addressable:           00
STDERR:   Partially addressable: 01 02 03 04 05 06 07
STDERR:   Heap left redzone:       fa
STDERR:   Freed heap region:       fd
STDERR:   Stack left redzone:      f1
STDERR:   Stack mid redzone:       f2
STDERR:   Stack right redzone:     f3
STDERR:   Stack after return:      f5
STDERR:   Stack use after scope:   f8
STDERR:   Global redzone:          f9
STDERR:   Global init order:       f6
STDERR:   Poisoned by user:        f7
STDERR:   Container overflow:      fc
STDERR:   Array cookie:            ac
STDERR:   Intra object redzone:    bb
STDERR:   ASan internal:           fe
STDERR:   Left alloca redzone:     ca
STDERR:   Right alloca redzone:    cb
STDERR:   Shadow gap:              cc
STDERR: ==1==ABORTING

Comment 2 by andruud@chromium.org, Nov 22

Cc: -andruud@google.com andruud@chromium.org
Components: Blink>Media
Labels: -Sheriff-Chromium
Owner: dalecur...@chromium.org
Status: Untriaged (was: Available)

dalecurtis@, ptal.

Comment 3 by dalecur...@chromium.org, Nov 26

Status: Assigned (was: Untriaged)

Comment 4 by dalecur...@chromium.org, Nov 26

Blocking: 521176

Comment 5 by dalecur...@chromium.org, Nov 27

Status: Fixed (was: Assigned)

►

Issue 907820 link

Issue metadata

AddressSanitizer: heap-use-after-free: media::DefaultRendererFactory::CreateAudioDecoders

Issue description

Comment 1 by andruud@chromium.org, Nov 22

Comment 1 Deleted

Comment 2 by andruud@chromium.org, Nov 22

Comment 2 Deleted

Comment 3 by dalecur...@chromium.org, Nov 26

Comment 3 Deleted

Comment 4 by dalecur...@chromium.org, Nov 26

Comment 4 Deleted

Comment 5 by dalecur...@chromium.org, Nov 27

Comment 5 Deleted

Sign in to add a comment