CL https://chromium-review.googlesource.com/c/chromium/src/+/1368828 makes AutomationManagerAura indirectly own an aura::Window via AccessibilityAlertWindow in ash::Shell's env.
The problem is that AutomationManagerAura is a singleton and is released after ash::Shell. Hence the UAF.
Example failure builds:
https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20Chromium%20OS%20ASan%20LSan%20Tests%20%281%29/30533
https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20ChromiumOS%20MSan%20Tests/10129
ASan failure log:
====
=================================================================
==12926==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000074228 at pc 0x5624128303d0 bp 0x7ffd40f62d20 sp 0x7ffd40f62d18
READ of size 4 at 0x616000074228 thread T0 (browser_tests)
#0 0x5624128303cf in aura::Env::PauseWindowOcclusionTracking() ./../../ui/aura/env.cc:249:11
#1 0x5624128987fc in aura::Window::~Window() ./../../ui/aura/window.cc:95:39
#2 0x56241289a92d in aura::Window::~Window() ./../../ui/aura/window.cc:94:19
#3 0x562417aabac8 in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5
#4 0x562417aabac8 in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0
#5 0x562417aabac8 in ~unique_ptr ./../../buildtools/third_party/libc++/trunk/include/memory:2592:0
#6 0x562417aabac8 in AutomationManagerAura::~AutomationManagerAura() ./../../chrome/browser/ui/aura/accessibility/automation_manager_aura.cc:164:0
#7 0x562417aabded in AutomationManagerAura::~AutomationManagerAura() ./../../chrome/browser/ui/aura/accessibility/automation_manager_aura.cc:162:49
#8 0x562417aac0d8 in Delete ./../../base/memory/singleton.h:54:5
#9 0x562417aac0d8 in base::Singleton<AutomationManagerAura, base::DefaultSingletonTraits<AutomationManagerAura>, AutomationManagerAura>::OnExit(void*) ./../../base/memory/singleton.h:268:0
#10 0x56240b6ed548 in Run ./../../base/callback.h:129:12
#11 0x56240b6ed548 in base::AtExitManager::ProcessCallbacksNow() ./../../base/at_exit.cc:93:0
#12 0x56240b6ecf84 in base::AtExitManager::~AtExitManager() ./../../base/at_exit.cc:44:5
#13 0x56240bbe9ede in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5
#14 0x56240bbe9ede in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0
#15 0x56240bbe9ede in ~unique_ptr ./../../buildtools/third_party/libc++/trunk/include/memory:2592:0
#16 0x56240bbe9ede in base::TestSuite::~TestSuite() ./../../base/test/test_suite.cc:198:0
#17 0x56240b6b9f6c in ChromeTestSuiteRunner::RunTestSuite(int, char**) ./../../chrome/test/base/chrome_test_launcher.cc:72:1
#18 0x56240d2c6ad5 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) ./../../content/public/test/test_launcher.cc:647:31
#19 0x56240b6bad46 in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) ./../../chrome/test/base/chrome_test_launcher.cc:184:10
#20 0x56240b6b99fe in main ./../../chrome/test/base/browser_tests_main_chromeos.cc:21:10
#21 0x7f3823d9cf44 in __libc_start_main ??:0:0
0x616000074228 is located 168 bytes inside of 616-byte region [0x616000074180,0x6160000743e8)
freed by thread T0 (browser_tests) here:
#0 0x5623f9bc7c92 in operator delete(void*) _asan_rtl_:3
#1 0x5624163a750f in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5
#2 0x5624163a750f in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0
#3 0x5624163a750f in ~unique_ptr ./../../buildtools/third_party/libc++/trunk/include/memory:2592:0
#4 0x5624163a750f in ash::Shell::~Shell() ./../../ash/shell.cc:957:0
#5 0x5624163a92cd in ash::Shell::~Shell() ./../../ash/shell.cc:707:17
#6 0x5624174d8c73 in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5
#7 0x5624174d8c73 in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0
#8 0x5624174d8c73 in ChromeBrowserMainExtraPartsAsh::PostMainMessageLoopRun() ./../../chrome/browser/ui/ash/chrome_browser_main_extra_parts_ash.cc:348:0
#9 0x56240bd0063c in ChromeBrowserMainParts::PostMainMessageLoopRun() ./../../chrome/browser/chrome_browser_main.cc:1875:29
#10 0x5623fe8468a7 in chromeos::ChromeBrowserMainPartsChromeos::PostMainMessageLoopRun() ./../../chrome/browser/chromeos/chrome_browser_main_chromeos.cc:1131:32
#11 0x562403b2b10f in content::BrowserMainLoop::ShutdownThreadsAndCleanUp() ./../../content/browser/browser_main_loop.cc:1032:13
#12 0x562403b32a63 in content::BrowserMainRunnerImpl::Shutdown() ./../../content/browser/browser_main_runner_impl.cc:221:17
#13 0x562403b210f1 in content::BrowserMain(content::MainFunctionParams const&) ./../../content/browser/browser_main.cc:49:16
#14 0x56240a642638 in RunBrowserProcessMain ./../../content/app/content_main_runner_impl.cc:545:10
#15 0x56240a642638 in content::ContentMainRunnerImpl::RunServiceManager(content::MainFunctionParams&, bool) ./../../content/app/content_main_runner_impl.cc:954:0
#16 0x56240a641987 in content::ContentMainRunnerImpl::Run(bool) ./../../content/app/content_main_runner_impl.cc:868:12
#17 0x5624132f03eb in service_manager::Main(service_manager::MainParams const&) ./../../services/service_manager/embedder/main.cc:460:29
#18 0x56240a63cb25 in content::ContentMain(content::ContentMainParams const&) ./../../content/app/content_main.cc:19:10
#19 0x56240d230efa in content::BrowserTestBase::SetUp() ./../../content/public/test/browser_test_base.cc:349:3
#20 0x56240bb93c3b in InProcessBrowserTest::SetUp() ./../../chrome/test/base/in_process_browser_test.cc:284:20
#21 0x5623ffe3c52b in HandleExceptionsInMethodIfSupported<testing::Test, void> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0
#22 0x5623ffe3c52b in testing::Test::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2517:0
#23 0x5623ffe3eba8 in testing::TestInfo::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2703:11
#24 0x5623ffe40066 in testing::TestCase::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2825:28
#25 0x5623ffe686c6 in testing::internal::UnitTestImpl::RunAllTests() ./../../third_party/googletest/src/googletest/src/gtest.cc:5227:43
#26 0x5623ffe67a45 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0
#27 0x5623ffe67a45 in testing::UnitTest::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:4835:0
#28 0x56240bbe95ca in RUN_ALL_TESTS ./../../third_party/googletest/src/googletest/include/gtest/gtest.h:2369:46
#29 0x56240bbe95ca in base::TestSuite::Run() ./../../base/test/test_suite.cc:294:0
#30 0x56240b6b9f61 in ChromeTestSuiteRunner::RunTestSuite(int, char**) ./../../chrome/test/base/chrome_test_launcher.cc:71:21
#31 0x56240d2c6ad5 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) ./../../content/public/test/test_launcher.cc:647:31
#32 0x56240b6bad46 in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) ./../../chrome/test/base/chrome_test_launcher.cc:184:10
#33 0x56240b6b99fe in main ./../../chrome/test/base/browser_tests_main_chromeos.cc:21:10
#34 0x7f3823d9cf44 in __libc_start_main ??:0:0
previously allocated by thread T0 (browser_tests) here:
#0 0x5623f9bc7052 in operator new(unsigned long) _asan_rtl_:3
#1 0x56241282d2a1 in aura::Env::CreateLocalInstanceForInProcess() ./../../ui/aura/env.cc:122:28
#2 0x5624163a097b in ash::Shell::Shell(std::__1::unique_ptr<ash::ShellDelegate, std::__1::default_delete<ash::ShellDelegate> >, service_manager::Connector*) ./../../ash/shell.cc:652:29
#3 0x56241639203c in ash::Shell::CreateInstance(ash::ShellInitParams) ./../../ash/shell.cc:269:19
#4 0x5624174c90e6 in CreateClassicShell ./../../chrome/browser/ui/ash/ash_shell_init.cc:40:3
#5 0x5624174c90e6 in AshShellInit::AshShellInit() ./../../chrome/browser/ui/ash/ash_shell_init.cc:53:0
#6 0x5624174d6365 in make_unique<AshShellInit> ./../../buildtools/third_party/libc++/trunk/include/memory:3118:32
#7 0x5624174d6365 in ChromeBrowserMainExtraPartsAsh::PreProfileInit() ./../../chrome/browser/ui/ash/chrome_browser_main_extra_parts_ash.cc:193:0
#8 0x56240bcfec6f in ChromeBrowserMainParts::PreProfileInit() ./../../chrome/browser/chrome_browser_main.cc:1196:29
#9 0x56240bd01756 in ChromeBrowserMainPartsLinux::PreProfileInit() ./../../chrome/browser/chrome_browser_main_linux.cc:87:32
#10 0x5623fe8421ea in chromeos::ChromeBrowserMainPartsChromeos::PreProfileInit() ./../../chrome/browser/chromeos/chrome_browser_main_chromeos.cc:760:32
#11 0x56240bcfbeef in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() ./../../chrome/browser/chrome_browser_main.cc:1488:3
#12 0x56240bcfad9c in ChromeBrowserMainParts::PreMainMessageLoopRun() ./../../chrome/browser/chrome_browser_main.cc:1175:18
#13 0x5623fe841398 in chromeos::ChromeBrowserMainPartsChromeos::PreMainMessageLoopRun() ./../../chrome/browser/chromeos/chrome_browser_main_chromeos.cc:660:32
#14 0x562403b2a306 in content::BrowserMainLoop::PreMainMessageLoopRun() ./../../content/browser/browser_main_loop.cc:983:13
#15 0x562404ecb42b in Run ./../../base/callback.h:129:12
#16 0x562404ecb42b in content::StartupTaskRunner::RunAllTasksNow() ./../../content/browser/startup_task_runner.cc:41:0
#17 0x562403b26ed8 in content::BrowserMainLoop::CreateStartupTasks() ./../../content/browser/browser_main_loop.cc:917:25
#18 0x562403b313bf in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) ./../../content/browser/browser_main_runner_impl.cc:144:15
#19 0x562403b21076 in content::BrowserMain(content::MainFunctionParams const&) ./../../content/browser/browser_main.cc:43:32
#20 0x56240a642638 in RunBrowserProcessMain ./../../content/app/content_main_runner_impl.cc:545:10
#21 0x56240a642638 in content::ContentMainRunnerImpl::RunServiceManager(content::MainFunctionParams&, bool) ./../../content/app/content_main_runner_impl.cc:954:0
#22 0x56240a641987 in content::ContentMainRunnerImpl::Run(bool) ./../../content/app/content_main_runner_impl.cc:868:12
#23 0x5624132f03eb in service_manager::Main(service_manager::MainParams const&) ./../../services/service_manager/embedder/main.cc:460:29
#24 0x56240a63cb25 in content::ContentMain(content::ContentMainParams const&) ./../../content/app/content_main.cc:19:10
#25 0x56240d230efa in content::BrowserTestBase::SetUp() ./../../content/public/test/browser_test_base.cc:349:3
#26 0x56240bb93c3b in InProcessBrowserTest::SetUp() ./../../chrome/test/base/in_process_browser_test.cc:284:20
#27 0x5623ffe3c52b in HandleExceptionsInMethodIfSupported<testing::Test, void> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0
#28 0x5623ffe3c52b in testing::Test::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2517:0
#29 0x5623ffe3eba8 in testing::TestInfo::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2703:11
#30 0x5623ffe40066 in testing::TestCase::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2825:28
#31 0x5623ffe686c6 in testing::internal::UnitTestImpl::RunAllTests() ./../../third_party/googletest/src/googletest/src/gtest.cc:5227:43
#32 0x5623ffe67a45 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0
#33 0x5623ffe67a45 in testing::UnitTest::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:4835:0
#34 0x56240bbe95ca in RUN_ALL_TESTS ./../../third_party/googletest/src/googletest/include/gtest/gtest.h:2369:46
#35 0x56240bbe95ca in base::TestSuite::Run() ./../../base/test/test_suite.cc:294:0
#36 0x56240b6b9f61 in ChromeTestSuiteRunner::RunTestSuite(int, char**) ./../../chrome/test/base/chrome_test_launcher.cc:71:21
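A stand-alone model of the destruction order this report describes, added here as an example (it is not Chromium code): a Shell-owned Env, a Window whose destructor calls into Env, and a singleton that outlives Shell. RunReportedOrder() reproduces the dangling access that ASan flagged, while RunFixedOrder() shows an assumed fix, releasing the window before Shell shutdown; all type and function names are stand-ins.

```cpp
#include <memory>
struct Env {                       // stand-in for aura::Env, owned by Shell
  static Env* current;             // models aura::Env::GetInstance()
  int pause_count = 0;
  Env() { current = this; }
  ~Env() { current = nullptr; }    // after this any stored Env* is dangling
  void PauseWindowOcclusionTracking() { ++pause_count; }
};
Env* Env::current = nullptr;
// Counts what ASan flagged: a Window destructor running after Env was freed.
static int g_dangling_env_touches = 0;
struct Window {                    // stand-in for aura::Window
  ~Window() {                      // ~Window calls into Env (env.cc:249)
    if (Env::current) Env::current->PauseWindowOcclusionTracking();
    else ++g_dangling_env_touches; // the real code reads freed memory here
  }
};

struct Shell {                     // ash::Shell owns Env
  std::unique_ptr<Env> env = std::make_unique<Env>();
};

struct AutomationManager {         // singleton torn down by the at-exit list
  std::unique_ptr<Window> alert_window;
  void ReleaseWindow() { alert_window.reset(); }
};

// Reported order: Shell (and Env) die in PostMainMessageLoopRun; the
// singleton dies later in Singleton::OnExit. Returns dangling touches.
int RunReportedOrder() {
  g_dangling_env_touches = 0;
  AutomationManager mgr;           // outlives shell, like the singleton
  {
    Shell shell;
    mgr.alert_window = std::make_unique<Window>();  // made while Env exists
  }                                // Shell and Env destroyed here
  mgr.ReleaseWindow();             // models Singleton::OnExit at process exit
  return g_dangling_env_touches;
}

// Assumed fix: drop the Window while Shell and Env still exist.
int RunFixedOrder() {
  g_dangling_env_touches = 0;
  AutomationManager mgr;
  {
    Shell shell;
    mgr.alert_window = std::make_unique<Window>();
    mgr.ReleaseWindow();           // e.g. from a Shell shutdown hook
  }
  return g_dangling_env_touches;
}
```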
Comment 1 by xiy...@chromium.org, Dec 13
Status: Duplicate (was: Untriaged)