Starred by 1 user
Status: Fixed
Closed: Sep 2011
OS: All
Pri: 1
Type: Bug-Security
Use after free in media BufferedResourceLoader::Start
Project Member Reported by infe...@chromium.org, Sep 12 2011
found in my fuzzing + ASAN + ClusterFuzz

Bot CLUSTER_FUZZ_422 on platform LINUX
Revision : 100523
Webkit Revision : 94856

Testcase was a one-time crasher, so this looks like a timing-related issue. But ASAN has a free stack which looks to tell that the resource loader is already freed. This does not look to be DRT specific, since I see this a lot on the crash reports too, e.g. http://crash/reportdetail?reportid=b3e61200b6b4b9d2

/mnt/scratch0/chrome/src/out/Release/DumpRenderTree 

ASAN:SIGILL
=================================================================
HINT: if your stack trace looks short or garbled, use ASAN_OPTIONS=fast_unwind=0
==18890== ERROR: AddressSanitizer heap-use-after-free on address 0x00007fa5a5b71480 at pc 0x33afa95 bp 0x7fff1aadd130 sp 0x7fff1aadc580
READ of size 8 at 0x00007fa5a5b71480 thread T0
    #0 0x33afa95 in webkit_glue::BufferedResourceLoader::Start(CallbackRunner<Tuple1<int> >*, CallbackRunner<Tuple0>*, WebKit::WebFrame*) 
    #1 0x33a77d7 in webkit_glue::BufferedDataSource::InitializeTask() 
    #2 0x89a899 in base::subtle::TaskClosureAdapter::Run() 
    #3 0x858efe in MessageLoop::RunTask(MessageLoop::PendingTask const&) 
    #4 0x8594f2 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) 
    #5 0x85a6e1 in MessageLoop::DoWork() 
    #6 0x8a0fff in (anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_pump_glib.cc:0
    #7 0x7fa5abd228c2 in g_main_dispatch /build/buildd/glib2.0-2.24.1/glib/gmain.c:1960
    #8 0x7fa5abd26748 in g_main_context_iterate /build/buildd/glib2.0-2.24.1/glib/gmain.c:2591
    #9 0x7fa5abd268fc in IA__g_main_context_iteration /build/buildd/glib2.0-2.24.1/glib/gmain.c:2654
    #10 0x8a33a1 in base::MessagePumpGtk::RunOnce(_GMainContext*, bool) 
    #11 0x8a1b7d in base::MessagePumpGlib::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpDispatcher*) 
    #12 0x857dda in MessageLoop::RunInternal() 
    #13 0x856cd9 in MessageLoop::Run() 
    #14 0x487da5 in TestShell::waitTestFinished() 
    #15 0x47f455 in TestShell::runFileTest(TestParams const&) 
    #16 0x42f79a in runTest(TestShell&, TestParams&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) third_party/WebKit/Tools/DumpRenderTree/chromium/DumpRenderTree.cpp:0
    #17 0x42e667 in main 
    #18 0x7fa5a99c3c4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258
    #19 0x4194c9 in _start 
0x00007fa5a5b71480 is located 0 bytes inside of 392-byte region [0x00007fa5a5b71480,0x00007fa5a5b71608)
freed by thread T0 here:
    #1 0x1e5d649 in WebCore::FrameLoader::~FrameLoader() 
    #2 0x1faf8e2 in WebCore::Frame::~Frame() 
    #3 0x1fbd81a in WebCore::FrameView::~FrameView() 
    #4 0x1fbd0b1 in WebCore::FrameView::~FrameView() 
    #5 0x27ebf80 in WebCore::RenderWidget::resumeWidgetHierarchyUpdates() 
    #6 0x12e4374 in WebCore::Element::detach() 
    #7 0x1259c0b in WebCore::ContainerNode::removeChild(WebCore::Node*, int&) 
    #8 0x1319da3 in WebCore::Node::removeChild(WebCore::Node*, int&) 
    #9 0x198aa71 in WebCore::V8Node::removeChildCallback(v8::Arguments const&) 
    #10 0xaeb4c4 in v8::internal::Builtin_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:0
    #11 0x7fa581dac14e in 
    #12 0x7fa581dd42d0 in 
    #13 0x7fa581dd3f87 in 
    #14 0x7fa581dc6b67 in 
    #15 0x7fa581db14e1 in 
    #16 0xb33b71 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Object***, bool*) v8/src/execution.cc:0
    #17 0xa88ef2 in v8::Script::Run() 
    #18 0x195deb6 in WebCore::V8Proxy::runScript(v8::Handle<v8::Script>, bool) 
    #19 0x195cc89 in WebCore::V8Proxy::evaluate(WebCore::ScriptSourceCode const&, WebCore::Node*) 
    #20 0x21a482f in WebCore::ScheduledAction::execute(WebCore::V8Proxy*) 
    #21 0x1f4d80b in WebCore::DOMTimer::fired() 
    #22 0x16b36af in WebCore::ThreadTimers::sharedTimerFiredInternal() 
    #23 0x89a899 in base::subtle::TaskClosureAdapter::Run() 
    #24 0x858efe in MessageLoop::RunTask(MessageLoop::PendingTask const&) 
    #25 0x8594f2 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) 
    #26 0x85a6e1 in MessageLoop::DoWork() 
    #27 0x8a1bf5 in base::MessagePumpGlib::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpDispatcher*) 
    #28 0x857dda in MessageLoop::RunInternal() 
    #29 0x856cd9 in MessageLoop::Run() 
previously allocated by thread T0 here:
    #1 0x7e92fb in WTF::fastMalloc(unsigned long) 
    #2 0x4d6e86 in WebKit::WebFrameImpl::createChildFrame(WebCore::FrameLoadRequest const&, WebCore::HTMLFrameOwnerElement*) 
    #3 0x568bf7 in WebKit::FrameLoaderClientImpl::createFrame(WebCore::KURL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int) 
    #4 0x1edb97a in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement*, WebCore::KURL const&, WTF::String const&, WTF::String const&) 
    #5 0x1ed64bb in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement*, WebCore::KURL const&, WTF::AtomicString const&, bool, bool) 
    #6 0x1ed5cb2 in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement*, WTF::String const&, WTF::AtomicString const&, bool, bool) 
    #7 0x145029b in WebCore::HTMLFrameElementBase::openURL(bool, bool) 
    #8 0x125703e in WebCore::ContainerNode::parserAddChild(WTF::PassRefPtr<WebCore::Node>) 
    #9 0x1645826 in WTF::PassRefPtr<WebCore::Element> WebCore::HTMLConstructionSite::attach<WebCore::Element>(WebCore::ContainerNode*, WTF::PassRefPtr<WebCore::Element>) 
    #10 0x164a106 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&) 
    #11 0x15c416b in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&) 
    #12 0x15b0df8 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&) 
    #13 0x15afe64 in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken&) 
    #14 0x15af9f5 in WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken(WebCore::AtomicHTMLToken&) 
    #15 0x15af8e0 in WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken&) 
    #16 0x156335e in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) 
    #17 0x1565f3b in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() 
    #18 0x156623f in WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) 
    #19 0x1efc86d in WebCore::CachedResource::checkNotify() 
    #20 0x1f13204 in WebCore::CachedResourceRequest::didFinishLoading(WebCore::SubresourceLoader*, double) 
    #21 0x1edefb2 in WebCore::SubresourceLoader::didFinishLoading(double) 
    #22 0x337e945 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&) 
    #23 0x34a5283 in (anonymous namespace)::RequestProxy::NotifyCompletedRequest(net::URLRequestStatus const&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, base::Time const&) webkit/tools/test_shell/simple_resource_loader_bridge.cc:0
==18890== ABORTING
Shadow byte and word:
  0x00001ff4b4b6e290: fd
  0x00001ff4b4b6e290: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x00001ff4b4b6e270: fa fa fa fa fa fa fa fa
  0x00001ff4b4b6e278: fa fa fa fa fa fa fa fa
  0x00001ff4b4b6e280: fa fa fa fa fa fa fa fa
  0x00001ff4b4b6e288: fa fa fa fa fa fa fa fa
=>0x00001ff4b4b6e290: fd fd fd fd fd fd fd fd
  0x00001ff4b4b6e298: fd fd fd fd fd fd fd fd
  0x00001ff4b4b6e2a0: fd fd fd fd fd fd fd fd
  0x00001ff4b4b6e2a8: fd fd fd fd fd fd fd fd
  0x00001ff4b4b6e2b0: fd fd fd fd fd fd fd fd
	base::debug::StackTrace::StackTrace() [0x8b5f76]
	base::(anonymous namespace)::StackDumpSignalHandler() [0x88370f]
	0x7fa5a99d8af0
	0x7fa5a99d8a75
	0x7fa5a99dc5c0
	asan_report_error() [0x47b743b]
	0x7fa5aa8ca8f0
	webkit_glue::BufferedResourceLoader::Start() [0x33afa95]
	webkit_glue::BufferedDataSource::InitializeTask() [0x33a77d7]
	base::subtle::TaskClosureAdapter::Run() [0x89a899]
	MessageLoop::RunTask() [0x858efe]
	MessageLoop::DeferOrRunPendingTask() [0x8594f2]
	MessageLoop::DoWork() [0x85a6e1]
	(anonymous namespace)::WorkSourceDispatch() [0x8a0fff]
	0x7fa5abd228c2
	0x7fa5abd26748
	0x7fa5abd268fc
	base::MessagePumpGtk::RunOnce() [0x8a33a1]
	base::MessagePumpGlib::RunWithDispatcher() [0x8a1b7d]
	MessageLoop::RunInternal() [0x857dda]
	MessageLoop::Run() [0x856cd9]
	TestShell::waitTestFinished() [0x487da5]
	TestShell::runFileTest() [0x47f455]
	runTest() [0x42f79a]
	main [0x42e667]
	0x7fa5a99c3c4d
	0x4194c9

Comment 1 by kcc@chromium.org, Sep 12 2011
Cc: glider@chromium.org
glider@: please check with tsan too
Testcase has to run from the LayoutTests/media dir.
Attachment: test.html (6.2 KB)
@inferno: can you give explicit repro instructions?  I fail to see the crash.
I followed the linux instructions on http://dev.chromium.org/developers/testing/addresssanitizer to build DumpRenderTree w/ asan, saved test.html from #2 as media/test-96292.html, and then ran:
export RUNNING_ON_VALGRIND=1
./Tools/Scripts/new-run-webkit-tests -f media/test-96292.html --print=everything --full-results-html
The first run complains about missing expectations (and writes an -expected.txt file with just SUCCESS), and subsequent runs of n-r-w-t pass just fine. n-r-w-t's output includes the path to the DumpRenderTree binary it's running, and it's the right one AFAICT. Speculatively adding these flags doesn't make it crash, either: --platform=chromium-gpu --enable-hardware-gpu

(FWIW, the sanity test of base_unittests from that page correctly triggers asan)
Comment 5 by glider@chromium.org, Sep 14 2011
@fischman: please note you shouldn't need RUNNING_ON_VALGRIND for WebKit tests; it's just to enable the sanity tests.
You should do something like: ./out/Release/DumpRenderTree `pwd`/third_party/WebKit/LayoutTests/media/test.html

Anyway, this was a one-time crasher, not always reproducible. So, I wonder if there is a race. I thought the free part of the stack could be useful to know where the free happened?
Hmm.  Running 100 serial or 30 parallel instances failed to trigger it at all, but 100 parallel instances did trigger the problem:

for i in $(seq 0 100) ; do ./out/Release/DumpRenderTree `pwd`/third_party/WebKit/LayoutTests/media/test-96292.html > /tmp/x11/log.$i 2>&1 & done; wait

Will look into it.

This is awesome!!!!! That explains it: ClusterFuzz runs on a slow single-core VM with 30 parallel instances. So, your z600 will need like 100 :)
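Added example (not Chromium's code, and not from any participant in this thread): a minimal C++ model of the lifetime race discussed above, with hypothetical names (TaskQueue, Loader, UnsafeDataSource, SafeDataSource, RunScenario) standing in for MessageLoop, BufferedResourceLoader and BufferedDataSource. The unsafe form posts a task holding a raw pointer to an object that frame teardown may free before the loop runs it; the hardened form holds only a weak reference and skips the task once the owner is gone.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <string>

// Stand-in for MessageLoop: posted tasks run later, after the poster may be gone.
struct TaskQueue {
    std::queue<std::function<void()>> tasks;
    void Post(std::function<void()> t) { tasks.push(std::move(t)); }
    void Run() { while (!tasks.empty()) { tasks.front()(); tasks.pop(); } }
};
struct Loader {                       // stand-in for BufferedResourceLoader
    bool started = false;
    void Start() { started = true; }
};
// Bug pattern: the task captures a raw pointer and nothing cancels it when the
// owner is torn down, so Run() after teardown reads freed memory. Contrast only;
// RunScenario below never executes this path.
struct UnsafeDataSource {
    std::unique_ptr<Loader> loader{new Loader};
    void Initialize(TaskQueue& loop) {
        Loader* raw = loader.get();
        loop.Post([raw] { raw->Start(); });   // dangles once *this is freed
    }
};
// Hardened pattern: the task holds only a weak reference and bails out if the
// owner has already been destroyed.
struct SafeDataSource : std::enable_shared_from_this<SafeDataSource> {
    Loader loader;
    void Initialize(TaskQueue& loop, std::string& outcome) {
        std::weak_ptr<SafeDataSource> weak = shared_from_this();
        loop.Post([weak, &outcome] {
            auto self = weak.lock();              // null if owner already freed
            if (self) self->loader.Start();       // self keeps the owner alive
            outcome = self ? "started" : "skipped";
        });
    }
};
// Drives the race deterministically: optionally tear the owner down between
// posting the task and running the loop, as frame removal did in the report.
std::string RunScenario(bool destroyBeforeRun) {
    TaskQueue loop;
    std::string outcome = "not run";
    auto src = std::make_shared<SafeDataSource>();
    src->Initialize(loop, outcome);
    if (destroyBeforeRun) src.reset();        // the only shared_ptr: owner freed
    loop.Run();
    return outcome;
}
```

Under ASAN the unsafe variant with the owner freed first would produce a heap-use-after-free report like the one at the top of this issue; the weak-reference variant turns that into a skipped task.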
Project Member Comment 9 by bugdroid1@chromium.org, Sep 27 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=103008

------------------------------------------------------------------------
r103008 | fischman@chromium.org | Tue Sep 27 13:55:29 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/media/buffered_data_source.cc?r1=103008&r2=103007&pathrev=103008
 M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/media/buffered_data_source.h?r1=103008&r2=103007&pathrev=103008

Cleaned up threadiness of BufferedDataSource.

BUG= 96292 
TEST=trybots


Review URL: http://codereview.chromium.org/8046023
------------------------------------------------------------------------
Status: FixUnreleased
I'm done with this bug (I think), now that the fix is in trunk.

@inferno: do you want to keep this FixUnreleased until 16 goes stable, or do you want to backport it into 14/15, or what?  I don't really see the security implications.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
We will merge to m15. m14 is a little too late, today is the deadline for m14 first patch merges and this change is quite new. Good to let it bake on trunk and we will merge to m15.
Labels: -Mstone-14 -Merge-Approved Mstone-15 Merge-Merged merge-merged-874
merged to m15 in r103384
Project Member Comment 13 by bugdroid1@chromium.org, Sep 29 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=103384

------------------------------------------------------------------------
r103384 | inferno@chromium.org | Thu Sep 29 16:03:34 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/874/src/webkit/glue/media/buffered_data_source.cc?r1=103384&r2=103383&pathrev=103384
 M http://src.chromium.org/viewvc/chrome/branches/874/src/webkit/glue/media/buffered_data_source.h?r1=103384&r2=103383&pathrev=103384

Merge 103008 - Cleaned up threadiness of BufferedDataSource.
BUG= 96292 
Review URL: http://codereview.chromium.org/8080005
------------------------------------------------------------------------
Labels: SecImpacts-Stable
Batch update.
Labels: CVE-2011-3882
Comment 16 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 17 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 18 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Feature-Media -SecSeverity-High -Mstone-15 -Stability-AddressSanitizer -SecImpacts-Stable Cr-Internals-Media Security-Severity-High Security-Impact-Stable M-15 Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 19 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 20 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 22 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 23 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 24 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Labels: ClusterFuzz
Project Member Comment 26 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 27 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic