SingleProcessMash: LockScreenAppStateTest.AppWindowClosedBeforeBeingShown use-after-free |
|||
Issue descriptionOnly happen in single_process_mash_unit_tests, not regular unit_tests. First failure build in MSan/Asan: https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20Chromium%20OS%20ASan%20LSan%20Tests%20%281%29/30540 https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20ChromiumOS%20MSan%20Tests/10130 Asan failure log: ==== [ RUN ] LockScreenAppStateTest.AppWindowClosedBeforeBeingShown ================================================================= ==1610==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000038778 at pc 0x5617ce891535 bp 0x7ffd23340750 sp 0x7ffd23340748 READ of size 8 at 0x614000038778 thread T0 #0 0x5617ce891534 in begin ./../../buildtools/third_party/libc++/trunk/include/vector:1506:30 #1 0x5617ce891534 in base::ObserverList<aura::WindowObserver, true, true, base::internal::CheckedObserverAdapter>::RemoveObserver(aura::WindowObserver const*) ./../../base/observer_list.h:282:0 #2 0x5617c2ad5154 in RemoveAll ./../../base/scoped_observer.h:45:20 #3 0x5617c2ad5154 in lock_screen_apps::StateController::ResetNoteTakingWindowAndMoveToNextState(bool, ash::mojom::CloseLockScreenNoteReason) ./../../chrome/browser/chromeos/lock_screen_apps/state_controller.cc:495:0 #4 0x5617c08b6bba in extensions::AppWindowRegistry::RemoveAppWindow(extensions::AppWindow*) ./../../extensions/browser/app_window/app_window_registry.cc:85:14 #5 0x5617c08a19e1 in extensions::AppWindow::OnNativeClose() ./../../extensions/browser/app_window/app_window.cc:493:45 #6 0x5617c9a9b266 in views::Widget::OnNativeWidgetDestroyed() ./../../ui/views/widget/widget.cc:1115:21 #7 0x5617c9b0fef2 in views::DesktopNativeWidgetAura::OnHostClosed() ./../../ui/views/widget/desktop_aura/desktop_native_widget_aura.cc:330:28 #8 0x5617d0977f17 in views::DesktopWindowTreeHostMus::CloseNow() ./../../ui/views/mus/desktop_window_tree_host_mus.cc:612:32 #9 0x5617d0981aa8 in Invoke<void (views::DesktopWindowTreeHostMus::*)(), base::WeakPtr<views::DesktopWindowTreeHostMus>> ./../../base/bind_internal.h:516:12 #10 0x5617d0981aa8 in MakeItSo<void (views::DesktopWindowTreeHostMus::*)(), base::WeakPtr<views::DesktopWindowTreeHostMus>> ./../../base/bind_internal.h:636:0 #11 0x5617d0981aa8 in RunImpl<void (views::DesktopWindowTreeHostMus::*)(), std::__1::tuple<base::WeakPtr<views::DesktopWindowTreeHostMus> >, 0> ./../../base/bind_internal.h:689:0 #12 0x5617d0981aa8 in base::internal::Invoker<base::internal::BindState<void (views::DesktopWindowTreeHostMus::*)(), base::WeakPtr<views::DesktopWindowTreeHostMus> >, void ()>::RunOnce(base::internal::BindStateBase*) ./../../base/bind_internal.h:658:0 #13 0x5617c9e8ec26 in Run ./../../base/callback.h:99:12 #14 0x5617c9e8ec26 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0 #15 0x5617c9bdbd35 in base::MessageLoopImpl::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop_impl.cc:374:46 #16 0x5617c9bdd409 in DeferOrRunPendingTask ./../../base/message_loop/message_loop_impl.cc:385:5 #17 0x5617c9bdd409 in base::MessageLoopImpl::DoWork() ./../../base/message_loop/message_loop_impl.cc:473:0 #18 0x5617c9e7a560 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_libevent.cc:210:31 #19 0x5617c9bdabd8 in base::MessageLoopImpl::Run(bool) ./../../base/message_loop/message_loop_impl.cc:326:12 #20 0x5617c9c7988d in base::RunLoop::Run() ./../../base/run_loop.cc:102:14 #21 0x5617b9b3e286 in (anonymous namespace)::TestAppWindow::Close() ./../../chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:349:23 #22 0x5617b9b3ec56 in LockScreenAppStateTest_AppWindowClosedBeforeBeingShown_Test::TestBody() ./../../chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:1289:15 #23 0x5617bad6aef2 in HandleExceptionsInMethodIfSupported<testing::Test, void> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0 #24 0x5617bad6aef2 in testing::Test::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2522:0 #25 0x5617bad6d1f8 in testing::TestInfo::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2703:11 #26 0x5617bad6e6b6 in testing::TestCase::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2825:28 #27 0x5617bad96d16 in testing::internal::UnitTestImpl::RunAllTests() ./../../third_party/googletest/src/googletest/src/gtest.cc:5227:43 #28 0x5617bad96095 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0 #29 0x5617bad96095 in testing::UnitTest::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:4835:0 #30 0x5617c76f89ca in RUN_ALL_TESTS ./../../third_party/googletest/src/googletest/include/gtest/gtest.h:2369:46 #31 0x5617c76f89ca in base::TestSuite::Run() ./../../base/test/test_suite.cc:294:0 #32 0x5617c76ffb34 in Run ./../../base/callback.h:99:12 #33 0x5617c76ffb34 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::OnceCallback<int ()>, unsigned long, int, bool, base::OnceCallback<void ()>) ./../../base/test/launcher/unit_test_launcher.cc:225:0 #34 0x5617c76ff600 in base::LaunchUnitTests(int, char**, base::OnceCallback<int ()>) ./../../base/test/launcher/unit_test_launcher.cc:575:10 #35 0x5617c76ceea8 in main ./../../chrome/test/base/run_all_unittests.cc:30:10 #36 0x7f9cda9cdf44 in __libc_start_main ??:0:0 0x614000038778 is located 312 bytes inside of 416-byte region [0x614000038640,0x6140000387e0) freed by thread T0 here: #0 0x5617b340afd2 in operator delete(void*) _asan_rtl_:3 #1 0x5617ce886e54 in aura::Window::RemoveOrDestroyChildren() ./../../ui/aura/window.cc:800:7 #2 0x5617ce885de1 in aura::Window::~Window() ./../../ui/aura/window.cc:131:3 #3 0x5617ce88798d in aura::Window::~Window() ./../../ui/aura/window.cc:94:19 #4 0x5617ce8ca20e in aura::WindowTreeHost::DestroyDispatcher() ./../../ui/aura/window_tree_host.cc:368:3 #5 0x5617ce8819c5 in aura::WindowTreeHostMus::~WindowTreeHostMus() ./../../ui/aura/mus/window_tree_host_mus.cc:100:3 #6 0x5617d0974f9d in views::DesktopWindowTreeHostMus::~DesktopWindowTreeHostMus() ./../../ui/views/mus/desktop_window_tree_host_mus.cc:358:1 #7 0x5617d09751e4 in ~DesktopWindowTreeHostMus ./../../ui/views/mus/desktop_window_tree_host_mus.cc:346:55 #8 0x5617d09751e4 in non-virtual thunk to views::DesktopWindowTreeHostMus::~DesktopWindowTreeHostMus() ./../../ui/views/mus/desktop_window_tree_host_mus.cc:0:0 #9 0x5617c9b0fe34 in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5 #10 0x5617c9b0fe34 in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0 #11 0x5617c9b0fe34 in views::DesktopNativeWidgetAura::OnHostClosed() ./../../ui/views/widget/desktop_aura/desktop_native_widget_aura.cc:321:0 #12 0x5617d0977f17 in views::DesktopWindowTreeHostMus::CloseNow() ./../../ui/views/mus/desktop_window_tree_host_mus.cc:612:32 #13 0x5617d0981aa8 in Invoke<void (views::DesktopWindowTreeHostMus::*)(), base::WeakPtr<views::DesktopWindowTreeHostMus>> ./../../base/bind_internal.h:516:12 #14 0x5617d0981aa8 in MakeItSo<void (views::DesktopWindowTreeHostMus::*)(), base::WeakPtr<views::DesktopWindowTreeHostMus>> ./../../base/bind_internal.h:636:0 #15 0x5617d0981aa8 in RunImpl<void (views::DesktopWindowTreeHostMus::*)(), std::__1::tuple<base::WeakPtr<views::DesktopWindowTreeHostMus> >, 0> ./../../base/bind_internal.h:689:0 #16 0x5617d0981aa8 in base::internal::Invoker<base::internal::BindState<void (views::DesktopWindowTreeHostMus::*)(), base::WeakPtr<views::DesktopWindowTreeHostMus> >, void ()>::RunOnce(base::internal::BindStateBase*) ./../../base/bind_internal.h:658:0 #17 0x5617c9e8ec26 in Run ./../../base/callback.h:99:12 #18 0x5617c9e8ec26 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0 #19 0x5617c9bdbd35 in base::MessageLoopImpl::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop_impl.cc:374:46 #20 0x5617c9bdd409 in DeferOrRunPendingTask ./../../base/message_loop/message_loop_impl.cc:385:5 #21 0x5617c9bdd409 in base::MessageLoopImpl::DoWork() ./../../base/message_loop/message_loop_impl.cc:473:0 #22 0x5617c9e7a560 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_libevent.cc:210:31 #23 0x5617c9bdabd8 in base::MessageLoopImpl::Run(bool) ./../../base/message_loop/message_loop_impl.cc:326:12 #24 0x5617c9c7988d in base::RunLoop::Run() ./../../base/run_loop.cc:102:14 #25 0x5617b9b3e286 in (anonymous namespace)::TestAppWindow::Close() ./../../chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:349:23 #26 0x5617b9b3ec56 in LockScreenAppStateTest_AppWindowClosedBeforeBeingShown_Test::TestBody() ./../../chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:1289:15 #27 0x5617bad6aef2 in HandleExceptionsInMethodIfSupported<testing::Test, void> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0 #28 0x5617bad6aef2 in testing::Test::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2522:0 #29 0x5617bad6d1f8 in testing::TestInfo::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2703:11 #30 0x5617bad6e6b6 in testing::TestCase::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2825:28 #31 0x5617bad96d16 in testing::internal::UnitTestImpl::RunAllTests() ./../../third_party/googletest/src/googletest/src/gtest.cc:5227:43 #32 0x5617bad96095 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0 #33 0x5617bad96095 in testing::UnitTest::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:4835:0 #34 0x5617c76f89ca in RUN_ALL_TESTS ./../../third_party/googletest/src/googletest/include/gtest/gtest.h:2369:46 #35 0x5617c76f89ca in base::TestSuite::Run() ./../../base/test/test_suite.cc:294:0 #36 0x5617c76ffb34 in Run ./../../base/callback.h:99:12 #37 0x5617c76ffb34 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::OnceCallback<int ()>, unsigned long, int, bool, base::OnceCallback<void ()>) ./../../base/test/launcher/unit_test_launcher.cc:225:0 #38 0x5617c76ff600 in base::LaunchUnitTests(int, char**, base::OnceCallback<int ()>) ./../../base/test/launcher/unit_test_launcher.cc:575:10 #39 0x5617c76ceea8 in main ./../../chrome/test/base/run_all_unittests.cc:30:10 #40 0x7f9cda9cdf44 in __libc_start_main ??:0:0 previously allocated by thread T0 here: #0 0x5617b340a392 in operator new(unsigned long) _asan_rtl_:3 #1 0x5617c9b0e967 in views::DesktopNativeWidgetAura::DesktopNativeWidgetAura(views::internal::NativeWidgetDelegate*) ./../../ui/views/widget/desktop_aura/desktop_native_widget_aura.cc:245:23 #2 0x5617d09551bd in views::MusClient::CreateNativeWidget(views::Widget::InitParams const&, views::internal::NativeWidgetDelegate*) ./../../ui/views/mus/mus_client.cc:281:11 #3 0x5617c9a8e119 in Run ./../../base/callback.h:129:12 #4 0x5617c9a8e119 in CreateNativeWidget ./../../ui/views/widget/widget.cc:74:0 #5 0x5617c9a8e119 in views::Widget::Init(views::Widget::InitParams const&) ./../../ui/views/widget/widget.cc:339:0 #6 0x5617d3f0b940 in ChromeNativeAppWindowViews::InitializeDefaultWindow(extensions::AppWindow::CreateParams const&) ./../../chrome/browser/ui/views/apps/chrome_native_app_window_views.cc:129:13 #7 0x5617d3f0e4f2 in ChromeNativeAppWindowViews::InitializeWindow(extensions::AppWindow*, extensions::AppWindow::CreateParams const&) ./../../chrome/browser/ui/views/apps/chrome_native_app_window_views.cc:351:3 #8 0x5617d3e176d2 in ChromeNativeAppWindowViewsAuraAsh::InitializeWindow(extensions::AppWindow*, extensions::AppWindow::CreateParams const&) ./../../chrome/browser/ui/views/apps/chrome_native_app_window_views_aura_ash.cc:108:35 #9 0x5617d4596db0 in native_app_window::NativeAppWindowViews::Init(extensions::AppWindow*, extensions::AppWindow::CreateParams const&) ./../../extensions/components/native_app_window/native_app_window_views.cc:48:3 #10 0x5617d3ae7232 in ChromeAppWindowClient::CreateNativeAppWindowImpl(extensions::AppWindow*, extensions::AppWindow::CreateParams const&) ./../../chrome/browser/ui/views/apps/chrome_app_window_client_views_chromeos.cc:15:11 #11 0x5617c089cfc9 in extensions::AppWindow::Init(GURL const&, extensions::AppWindowContents*, content::RenderFrameHost*, extensions::AppWindow::CreateParams const&) ./../../extensions/browser/app_window/app_window.cc:299:26 #12 0x5617b9b3da36 in (anonymous namespace)::TestAppWindow::Initialize(bool) ./../../chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:334:14 #13 0x5617b9b3ec4e in LockScreenAppStateTest_AppWindowClosedBeforeBeingShown_Test::TestBody() ./../../chrome/browser/chromeos/lock_screen_apps/state_controller_unittest.cc:1287:15 #14 0x5617bad6aef2 in HandleExceptionsInMethodIfSupported<testing::Test, void> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0 #15 0x5617bad6aef2 in testing::Test::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2522:0 #16 0x5617bad6d1f8 in testing::TestInfo::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2703:11 #17 0x5617bad6e6b6 in testing::TestCase::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2825:28 #18 0x5617bad96d16 in testing::internal::UnitTestImpl::RunAllTests() ./../../third_party/googletest/src/googletest/src/gtest.cc:5227:43 #19 0x5617bad96095 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0 #20 0x5617bad96095 in testing::UnitTest::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:4835:0 #21 0x5617c76f89ca in RUN_ALL_TESTS ./../../third_party/googletest/src/googletest/include/gtest/gtest.h:2369:46 #22 0x5617c76f89ca in base::TestSuite::Run() ./../../base/test/test_suite.cc:294:0 #23 0x5617c76ffb34 in Run ./../../base/callback.h:99:12 #24 0x5617c76ffb34 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::OnceCallback<int ()>, unsigned long, int, bool, base::OnceCallback<void ()>) ./../../base/test/launcher/unit_test_launcher.cc:225:0 #25 0x5617c76ff600 in base::LaunchUnitTests(int, char**, base::OnceCallback<int ()>) ./../../base/test/launcher/unit_test_launcher.cc:575:10 #26 0x5617c76ceea8 in main ./../../chrome/test/base/run_all_unittests.cc:30:10 #27 0x7f9cda9cdf44 in __libc_start_main ??:0:0 SUMMARY: AddressSanitizer: heap-use-after-free (/b/s/w/ir/out/Release/unit_tests+0x2565e534) Shadow bytes around the buggy address: 0x0c287ffff090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287ffff0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287ffff0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa 0x0c287ffff0c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c287ffff0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c287ffff0e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd] 0x0c287ffff0f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa 0x0c287ffff100: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c287ffff110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287ffff120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c287ffff130: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1610==ABORTING
,
Dec 13
,
Dec 13
Hmm. I can't reproduce this locally with: dcheck_always_on = true is_asan = true is_component_build = false is_debug = false is_lsan = true strip_absolute_paths_from_debug_symbols = true symbol_level = 1 target_os = "chromeos" use_goma = true
,
Dec 14
Did you run it "--enable-features=SingleProcessMash" ? i.e. unit_tests --enable-features=SingleProcessMash --gtest_filter=LockScreenAppStateTest.AppWindowClosedBeforeBeingShown Seems repro for me... Looks like when StateController::ResetNoteTakingWindowAndMoveToNextState [1] from OnAppWindowRemoved, the window observed by |note_window_observer_| is already destructed in SPM mode. I have seem something similar before. The subtle difference here is that when OnNativeWidgetDestroyed is called for NativeWidgetAura, aura::Window dtor is in stack and not yet released. But for DesktopNativeWidgetAura, it is called in DesktopNativeWidgetAura::OnHostClosed [2]. The aura::Window is relased just above in "host_.reset();" at L321. [1] https://cs.chromium.org/chromium/src/chrome/browser/chromeos/lock_screen_apps/state_controller.cc?rcl=04c2ac7664eabd318ca9166cd5575d06d25b5f9c&l=495 [2] https://cs.chromium.org/chromium/src/ui/views/widget/desktop_aura/desktop_native_widget_aura.cc?rcl=64a1626cbc2a6dec88feb47db72c2d9073ea34f0&l=330
,
Dec 14
Yes :P I'll update my repro and try again.
,
Dec 14
Heh. It would help if I spelled SingleProcesMash correctly. Sigh. I wonder how many tests I've been copy/pasting the wrong flag :( We relaly need validation for --enable-features. Sigh. I can repro this now. WIll investigate tomorrow.
,
Dec 14
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bbfa243d61bb12cb6f21781ed85345004b5c9362 commit bbfa243d61bb12cb6f21781ed85345004b5c9362 Author: Steven Bennetts <stevenjb@chromium.org> Date: Fri Dec 14 20:05:52 2018 lock_screen_apps::StateController: Remove app window on close This fixes a memory leak in unit tests in SingleProcessMash where shutdown timing is slightly different. Bug: 914823 Change-Id: Id23bba801e331a433b9cfff65a18caa8e08220eb Reviewed-on: https://chromium-review.googlesource.com/c/1377376 Commit-Queue: Steven Bennetts <stevenjb@chromium.org> Reviewed-by: Toni Baržić <tbarzic@chromium.org> Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Cr-Commit-Position: refs/heads/master@{#616800} [modify] https://crrev.com/bbfa243d61bb12cb6f21781ed85345004b5c9362/chrome/browser/chromeos/lock_screen_apps/state_controller.cc [modify] https://crrev.com/bbfa243d61bb12cb6f21781ed85345004b5c9362/chrome/browser/chromeos/lock_screen_apps/state_controller.h [modify] https://crrev.com/bbfa243d61bb12cb6f21781ed85345004b5c9362/testing/buildbot/filters/chromeos.single_process_mash.unit_tests.filter
,
Dec 14
|
|||
►
Sign in to add a comment |
|||
Comment 1 by bugdroid1@chromium.org
, Dec 13