Chromium Code Reviews Chromium Code Reviews
Issue
2690993002:
Fix heap-use-after-free surfaced by https://crrev.com/2672753002 (Closed)
DescriptionFix heap-use-after-free surfaced by https://crrev.com/2672753002
ASAN tests were failing with the message attached below. The cause seems
to be that the HistoryBackend's ObserverList is destroyed before
TypedUrlSyncableService is, and the later actually unregisters itself
as observer during destruction (via ScopedObserver).
==9722==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000082f50 at pc 0x00001097f504 bp 0x7fffb4bda990 sp 0x7fffb4bda988
READ of size 8 at 0x602000082f50 thread T0
#0 0x1097f503 in __find<__gnu_cxx::__normal_iterator<history::HistoryBackendObserver **, std::vector<history::HistoryBackendObserver *, std::allocator<history::HistoryBackendObserver *> > >, history::HistoryBackendObserver *> build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_algo.h:190:8
#1 0x1097f503 in find<__gnu_cxx::__normal_iterator<history::HistoryBackendObserver **, std::vector<history::HistoryBackendObserver *, std::allocator<history::HistoryBackendObserver *> > >, history::HistoryBackendObserver *> build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_algo.h:4402
#2 0x1097f503 in base::ObserverListBase<history::HistoryBackendObserver>::RemoveObserver(history::HistoryBackendObserver*) base/observer_list.h:286
#3 0x10a07594 in RemoveAll base/scoped_observer.h:45:20
#4 0x10a07594 in ~ScopedObserver base/scoped_observer.h:26
#5 0x10a07594 in history::TypedUrlSyncableService::~TypedUrlSyncableService() components/history/core/browser/typed_url_syncable_service.cc:78
#6 0x10a077cd in history::TypedUrlSyncableService::~TypedUrlSyncableService() components/history/core/browser/typed_url_syncable_service.cc:77:53
#7 0x1097416d in operator() build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
#8 0x1097416d in reset build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245
#9 0x1097416d in ~unique_ptr build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169
#10 0x1097416d in history::HistoryBackend::~HistoryBackend() components/history/core/browser/history_backend.cc:201
#11 0x234ffed in history::(anonymous namespace)::TestHistoryBackend::~TestHistoryBackend() components/history/core/browser/typed_url_syncable_service_unittest.cc:209:34
#12 0x234de64 in DeleteInternal base/memory/ref_counted.h:194:44
#13 0x234de64 in Destruct base/memory/ref_counted.h:157
#14 0x234de64 in Release base/memory/ref_counted.h:185
#15 0x234de64 in Release base/memory/ref_counted.h:409
#16 0x234de64 in ~scoped_refptr base/memory/ref_counted.h:311
#17 0x234de64 in ~TypedUrlSyncableServiceTest components/history/core/browser/typed_url_syncable_service_unittest.cc:217
#18 0x234de64 in history::TypedUrlSyncableServiceTest_DeleteUrlAndVisits_Test::~TypedUrlSyncableServiceTest_DeleteUrlAndVisits_Test() components/history/core/browser/typed_url_syncable_service_unittest.cc:1199
#19 0x105e1eb8 in testing::TestInfo::Run() testing/gtest/include/gtest/gtest.h
#20 0x105e2a36 in testing::TestCase::Run() testing/gtest/src/gtest.cc:2774:28
#21 0x105f70b6 in testing::internal::UnitTestImpl::RunAllTests() testing/gtest/src/gtest.cc:4647:43
#22 0x105f6639 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> testing/gtest/src/gtest.cc:2458:12
#23 0x105f6639 in testing::UnitTest::Run() testing/gtest/src/gtest.cc:4255
#24 0x10547d18 in RUN_ALL_TESTS testing/gtest/include/gtest/gtest.h:2237:46
#25 0x10547d18 in base::TestSuite::Run() base/test/test_suite.cc:271
#26 0x1054f360 in Run base/callback.h:85:12
#27 0x1054f360 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) base/test/launcher/unit_test_launcher.cc:211
#28 0x1054ee16 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) base/test/launcher/unit_test_launcher.cc:453:10
#29 0xbb6c38 in main components/test/run_all_unittests.cc:8:10
#30 0x7f53517b17ec in __libc_start_main /build/eglibc-oqps9y/eglibc-2.15/csu/libc-start.c:226
BUG=691414
Review-Url: https://codereview.chromium.org/2690993002
Cr-Commit-Position: refs/heads/master@{#450907}
Committed: https://chromium.googlesource.com/chromium/src/+/f4870e7333d7ea4a4da5b2e30a8fa7472a3ac917
Patch Set 1 #
Messages
Total messages: 12 (6 generated)
|
|||||||||||||||||||
