[Webkit-unassigned] [Bug 109220] [Chromium] Fix use after free in ContextMenuClientImpl.cpp

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 8 09:04:50 PST 2013


https://bugs.webkit.org/show_bug.cgi?id=109220

--- Comment #3 from Rouslan Solomakhin <rouslan+webkit at chromium.org>  2013-02-08 09:06:59 PST ---
(In reply to comment #2)
> (From update of attachment 187154 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=187154&action=review
> 
> > Source/WebKit/chromium/ChangeLog:8
> > +
> > +        * src/ContextMenuClientImpl.cpp:
> 
> Please provide more information here.  At a minimum, how people are triggering the crash and why this is the right fix.  It's not clear to me why this would fix a crash.

I have uploaded this patch to start a conversation and let the original reporter try the patch on their build, as I was not able to reproduce this myself. I have not settled on this being the right fix yet. We now have better stack traces that show the use-after-free, the free, and the original allocation. That should lead us to the right fix.

> It would also be OK to link to the chromium bug.

Chromium bug is https://code.google.com/p/chromium/issues/detail?id=174629, but it has Restrict-View-SecurityNotify flag, which might prevent people from viewing it.

> Do you know if this is a recent regression?  It would be nice to know when this crash was introduced.

We have similar stack traces that go as far back as Chrome 24 (current stable). I think that we are finding this only now because some people started to use address sanitizer (ASAN) in their Chrome build. ASAN provides better crash reports more frequently.

This is the stack of the use-after-free:

==27020== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f4bb5733450 at pc 0x7f4bd0d0bd81 bp 0x7fff9cb0f870 sp 0x7fff9cb0f868
READ of size 8 at 0x7f4bb5733450 thread T0 (chrome)
    #0 0x7f4bd0d0bd80 in WTF::RefPtr<WebCore::DocumentMarkerDetails>::get() const /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/RefPtr.h:58:0
    #1 0x7f4bd0d0bd80 in WebCore::DocumentMarker::description() const /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/DocumentMarker.cpp:147:0
    #2 0x7f4bcda72670 in WebKit::ContextMenuClientImpl::getCustomMenuFromDefaultItems(WebCore::ContextMenu*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebKit/chromium/src/ContextMenuClientImpl.cpp:315:0
    #3 0x7f4bd029ed6b in WebCore::ContextMenuController::showContextMenu(WebCore::Event*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/page/ContextMenuController.cpp:174:0
    #4 0x7f4bd029ed6b in WebCore::ContextMenuController::handleContextMenuEvent(WebCore::Event*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/page/ContextMenuController.cpp:117:0
    #5 0x7f4bd0da2ebf in WebCore::Node::defaultEventHandler(WebCore::Event*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.cpp:2469:0
    #6 0x7f4bd0e69252 in WebCore::EventDispatcher::dispatchEventPostProcess(WTF::PassRefPtr<WebCore::Event>, void*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:357:0
    #7 0x7f4bd0e67f09 in WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:272:0
    #8 0x7f4bd0d6d570 in WebCore::MouseEventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/MouseEvent.cpp:279:0
    #9 0x7f4bd0e60afc in WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/EventDispatcher.cpp:135:0
    #10 0x7f4bd0d9ffc4 in WebCore::Node::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomicString const&, int, WebCore::Node*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/Node.cpp:2387:0
    #11 0x7f4bd02f2e26 in WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/page/EventHandler.cpp:2238:0
    #12 0x7f4bd0302ac0 in WebCore::EventHandler::sendContextMenuEvent(WebCore::PlatformMouseEvent const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/page/EventHandler.cpp:2830:0
    #13 0x7f4bcda0295b in WebKit::WebViewImpl::mouseContextMenu(WebKit::WebMouseEvent const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:632:0
    #14 0x7f4bcda02100 in WebKit::WebViewImpl::handleMouseDown(WebCore::Frame&, WebKit::WebMouseEvent const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:606:0
    #15 0x7f4bcdaac1d0 in WebKit::PageWidgetDelegate::handleInputEvent(WebCore::Page*, WebKit::PageWidgetEventHandler&, WebKit::WebInputEvent const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebKit/chromium/src/PageWidgetDelegate.cpp:120:0
    #16 0x7f4bcda15e10 in WebKit::WebViewImpl::handleInputEvent(WebKit::WebInputEvent const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:2104:0
    #17 0x7f4bd2210d44 in content::RenderWidget::OnHandleInputEvent(WebKit::WebInputEvent const*, bool) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/renderer/render_widget.cc:655:0
    #18 0x7f4bd220c81a in void DispatchToMethod<content::RenderWidget, void (content::RenderWidget::*)(WebKit::WebInputEvent const*, bool), WebKit::WebInputEvent const*, bool>(content::RenderWidget*, void (content::RenderWidget::*)(WebKit::WebInputEvent const*, bool), Tuple2<WebKit::WebInputEvent const*, bool> const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../base/tuple.h:553:0
    #19 0x7f4bd220c81a in bool ViewMsg_HandleInputEvent::Dispatch<content::RenderWidget, content::RenderWidget, void (content::RenderWidget::*)(WebKit::WebInputEvent const*, bool)>(IPC::Message const*, content::RenderWidget*, content::RenderWidget*, void (content::RenderWidget::*)(WebKit::WebInputEvent const*, bool)) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/common/view_messages.h:845:0
    #20 0x7f4bd220c81a in content::RenderWidget::OnMessageReceived(IPC::Message const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/renderer/render_widget.cc:291:0
    #21 0x7f4bd21a85ed in content::RenderViewImpl::OnMessageReceived(IPC::Message const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/renderer/render_view_impl.cc:1113:0
    #22 0x7f4bd1207f98 in content::MessageRouter::RouteMessage(IPC::Message const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/common/message_router.cc:49:0
    #23 0x7f4bd1207e14 in content::MessageRouter::OnMessageReceived(IPC::Message const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/common/message_router.cc:41:0
    #24 0x7f4bd11058d5 in content::ChildThread::OnMessageReceived(IPC::Message const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/common/child_thread.cc:276:0
    #25 0x7f4bcd34c227 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../ipc/ipc_channel_proxy.cc:261:0
    #26 0x7f4bce14b9a0 in base::Callback<void ()>::Run() const /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../base/callback.h:396:0
    #27 0x7f4bce14b9a0 in MessageLoop::RunTask(base::PendingTask const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../base/message_loop.cc:476:0
    #28 0x7f4bce14c00f in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../base/message_loop.cc:488:0
    #29 0x7f4bce14cd60 in MessageLoop::DoWork() /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../base/message_loop.cc:671:0
    #30 0x7f4bce157756 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../base/message_pump_default.cc:29:0
    #31 0x7f4bce14a7d3 in MessageLoop::RunInternal() /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../base/message_loop.cc:433:0
    #32 0x7f4bce191881 in base::RunLoop::Run() /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../base/run_loop.cc:45:0
    #33 0x7f4bce148b87 in MessageLoop::Run() /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../base/message_loop.cc:313:0
    #34 0x7f4bd223a315 in content::RendererMain(content::MainFunctionParams const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/renderer/renderer_main.cc:226:0
    #35 0x7f4bd216502e in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/app/content_main_runner.cc:402:0
    #36 0x7f4bd216659a in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/app/content_main_runner.cc:458:0
    #37 0x7f4bd2167cc9 in content::ContentMainRunnerImpl::Run() /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/app/content_main_runner.cc:754:0
    #38 0x7f4bd21647a7 in content::ContentMain(int, char const**, content::ContentMainDelegate*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../content/app/content_main.cc:35:0
    #39 0x7f4bcbfe8470 in ChromeMain /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../chrome/app/chrome_main.cc:32:0
    #40 0x7f4bcbfe83ca in main /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../chrome/app/chrome_exe_main_gtk.cc:31:0
    #41 0x7f4bc4cf476c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226


This is the stack of the thread that freed the memory:

0x7f4bb5733450 is located 16 bytes inside of 640-byte region [0x7f4bb5733440,0x7f4bb57336c0)
freed by thread T0 (chrome) here:
    #0 0x7f4bcbfdf562 in free ??:0
    #1 0x7f4bd0d0222c in WTF::VectorBufferBase<WebCore::RenderedDocumentMarker>::buffer() /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:303:0
    #2 0x7f4bd0d0222c in ~VectorBuffer /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:362:0
    #3 0x7f4bd0d0222c in ~VectorBuffer /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:361:0
    #4 0x7f4bd0d0222c in ~Vector /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:532:0
    #5 0x7f4bd0d0222c in ~Vector /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:529:0
    #6 0x7f4bd0d0222c in WebCore::DocumentMarkerController::removeMarkers(WebCore::Node*, unsigned int, int, WebCore::DocumentMarker::MarkerTypes, WebCore::DocumentMarkerController::RemovePartiallyOverlappingMarkerOrNot) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/DocumentMarkerController.cpp:289:0
    #7 0x7f4bd0d00b1c in WebCore::DocumentMarkerController::removeMarkers(WebCore::Range*, WebCore::DocumentMarker::MarkerTypes, WebCore::DocumentMarkerController::RemovePartiallyOverlappingMarkerOrNot) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/DocumentMarkerController.cpp:122:0
    #8 0x7f4bcff02da0 in WebCore::SpellChecker::didCheckSucceed(int, WTF::Vector<WebCore::TextCheckingResult, 0ul> const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/editing/SpellChecker.cpp:230:0
    #9 0x7f4bcff02bf9 in WebCore::SpellCheckRequest::didSucceed(WTF::Vector<WebCore::TextCheckingResult, 0ul> const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/editing/SpellChecker.cpp:80:0
    #10 0x7f4bcdab8031 in WebKit::WebTextCheckingCompletionImpl::didFinishCheckingText(WebKit::WebVector<WebKit::WebTextCheckingResult> const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebKit/chromium/src/WebTextCheckingCompletionImpl.cpp:55:0
    #11 0x7f4bcc128330 in SpellCheckProvider::SatisfyRequestFromCache(WebKit::WebString const&, WebKit::WebTextCheckingCompletion*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../chrome/renderer/spellchecker/spellcheck_provider.cc:354:0
    #12 0x7f4bcc12739b in SpellCheckProvider::RequestTextChecking(WebKit::WebString const&, WebKit::WebTextCheckingCompletion*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../chrome/renderer/spellchecker/spellcheck_provider.cc:75:0
    #13 0x7f4bcc12b13e in SpellCheckProvider::requestCheckingOfText(WebKit::WebString const&, WebKit::WebTextCheckingCompletion*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../chrome/renderer/spellchecker/spellcheck_provider.cc:179:0
    #14 0x7f4bcda7f083 in WebKit::EditorClientImpl::requestCheckingOfString(WTF::PassRefPtr<WebCore::TextCheckingRequest>) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebKit/chromium/src/EditorClientImpl.cpp:759:0
    #15 0x7f4bcff03dad in WebCore::SpellChecker::invokeRequest(WTF::PassRefPtr<WebCore::SpellCheckRequest>) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/editing/SpellChecker.cpp:184:0
    #16 0x7f4bcff046ad in WebCore::SpellChecker::requestCheckingFor(WTF::PassRefPtr<WebCore::SpellCheckRequest>) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/editing/SpellChecker.cpp:175:0
    #17 0x7f4bcfe6a3c8 in WebCore::Editor::markAllMisspellingsAndBadGrammarInRanges(unsigned int, WebCore::Range*, WebCore::Range*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/editing/Editor.cpp:2072:0
    #18 0x7f4bcfe6791f in WebCore::Editor::markMisspellingsAndBadGrammar(WebCore::VisibleSelection const&, bool, WebCore::VisibleSelection const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/editing/Editor.cpp:2290:0
    #19 0x7f4bcfe76b05 in WebCore::Editor::respondToChangedSelection(WebCore::VisibleSelection const&, unsigned int) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/editing/Editor.cpp:2918:0

This is the stack of the thread that allocated the memory originally:

previously allocated by thread T0 (chrome) here:
    #0 0x7f4bcbfdf642 in malloc ??:0
    #1 0x7f4bd40be178 in WTF::fastMalloc(unsigned long) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/FastMalloc.cpp:283:0
    #2 0x7f4bd0d0919f in WTF::VectorBufferBase<WebCore::RenderedDocumentMarker>::allocateBuffer(unsigned long) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:259:0
    #3 0x7f4bd0d0919f in WTF::Vector<WebCore::RenderedDocumentMarker, 0ul>::reserveCapacity(unsigned long) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:899:0
    #4 0x7f4bd0d0884d in WTF::Vector<WebCore::RenderedDocumentMarker, 0ul>::expandCapacity(unsigned long) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:816:0
    #5 0x7f4bd0d0884d in WTF::Vector<WebCore::RenderedDocumentMarker, 0ul>::expandCapacity(unsigned long, WebCore::RenderedDocumentMarker const*) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:823:0
    #6 0x7f4bd0d0a370 in void WTF::Vector<WebCore::RenderedDocumentMarker, 0ul>::appendSlowCase<WebCore::RenderedDocumentMarker>(WebCore::RenderedDocumentMarker const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:1013:0
    #7 0x7f4bd0cfe69e in RenderedDocumentMarker /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WTF/wtf/Vector.h:1004:0
    #8 0x7f4bd0cfe69e in WebCore::DocumentMarkerController::addMarker(WebCore::Node*, WebCore::DocumentMarker const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/DocumentMarkerController.cpp:141:0
    #9 0x7f4bd0cfd054 in WebCore::DocumentMarkerController::addMarker(WebCore::Range*, WebCore::DocumentMarker::MarkerType, WTF::String const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/dom/DocumentMarkerController.cpp:67:0
    #10 0x7f4bcfe6d865 in WebCore::Editor::markAndReplaceFor(WTF::PassRefPtr<WebCore::SpellCheckRequest>, WTF::Vector<WebCore::TextCheckingResult, 0ul> const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/editing/Editor.cpp:2139:0
    #11 0x7f4bcff04f97 in WebCore::SpellChecker::didCheck(int, WTF::Vector<WebCore::TextCheckingResult, 0ul> const&) /usr/local/google/home/dpolukhin/chrome/src/out/Release/../../third_party/WebKit/Source/WebCore/editing/SpellChecker.cpp:211:0

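As an added example that is not part of this bug thread or of WebKit's own code, the C++ model below shows the general hazard the two traces point at: a caller keeps a reference into a node's marker vector while a synchronous spell-check completion runs removeMarkers and frees that buffer, so the later read of the marker's description touches freed memory. All names (Marker, MarkerList, menuLabelUnsafe, menuLabelSafe, maybeReenter) are invented for the illustration. The safe variant copies the fields it needs out of the container before calling anything that may re-enter; that is one standard mitigation for this class of bug, not the fix settled on in this bug.

```cpp
// Constructed example, not WebKit code: a toy marker list and two readers.
#include <functional>
#include <string>
#include <utility>
#include <vector>

struct Marker {
    unsigned startOffset;
    unsigned endOffset;
    std::string description;
};

// Stand-in for DocumentMarkerController: owns the marker vector for one node.
class MarkerList {
public:
    void add(Marker m) { markers_.push_back(std::move(m)); }
    // Like removeMarkers() in the "freed by" trace: the old heap buffer is
    // released outright (swap with an empty vector), not merely cleared.
    void removeAll() { std::vector<Marker>().swap(markers_); }
    const std::vector<Marker>& markers() const { return markers_; }
private:
    std::vector<Marker> markers_;
};

using Callback = std::function<void()>;

// HAZARDOUS PATTERN: `marker` refers into the vector's buffer. If maybeReenter()
// runs a synchronous completion that calls removeAll(), the buffer is freed and
// the final read is a heap-use-after-free, which is exactly what ASAN reports.
// Only ever call this with a callback that cannot mutate `list`.
std::string menuLabelUnsafe(const MarkerList& list, const Callback& maybeReenter) {
    if (list.markers().empty())
        return "";
    const Marker& marker = list.markers().front();
    maybeReenter();
    return marker.description;  // dangling if the callback freed the buffer
}

// SAFE PATTERN: copy the data needed for the menu before any call that may
// re-enter and mutate the list; afterwards nothing points into the buffer.
std::string menuLabelSafe(const MarkerList& list, const Callback& maybeReenter) {
    if (list.markers().empty())
        return "";
    std::string description = list.markers().front().description;
    maybeReenter();
    return description;
}

// Scenario 1: no re-entrancy, so even the hazardous reader is fine.
std::string scenarioNoReentry() {
    MarkerList list;
    list.add({0, 5, "misspelled"});
    return menuLabelUnsafe(list, [] {});
}

// Scenario 2: the callback frees the marker buffer mid-call (as the spell-check
// completion did in the trace); the copying reader still returns the label.
std::string scenarioSafeWithReentry() {
    MarkerList list;
    list.add({0, 5, "misspelled"});
    return menuLabelSafe(list, [&list] { list.removeAll(); });
}

// Scenario 3: confirm the re-entrant callback really emptied the list, i.e. the
// reference menuLabelUnsafe would have held is indeed gone after the call.
bool scenarioListClearedByReentry() {
    MarkerList list;
    list.add({0, 5, "misspelled"});
    menuLabelSafe(list, [&list] { list.removeAll(); });
    return list.markers().empty();
}
```

Running scenario 2 through menuLabelUnsafe instead of menuLabelSafe under AddressSanitizer produces a "heap-use-after-free" report whose "freed by" stack ends in removeAll, mirroring the shape of the report above; the copying reader has no such window because it finishes with the container before the callback runs.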