Status: Available Owner: ---- Labels: Type-Bug Pri-1 OS-Mac Area-Misc Size-Medium Valgrind Mstone-4 ReleaseBlock-Beta
New issue 22451 by [email protected]: Use-after-free in IPC::Channel::ChannelImpl::ProcessOutgoingMessages() in UtilityProcessHostTest.ExtensionUnpacker http://code.google.com/p/chromium/issues/detail?id=22451 This happened fairly reliably during a -O1 -fno-inlining big-redzone valgrind fishing expedition on mac 'caliban'. Valgrind complained e.g.: Invalid write of size 1 IPC::Channel::ChannelImpl::ProcessOutgoingMessages() (ipc/ipc_channel_posix.cc:693) IPC::Channel::ChannelImpl::OnFileCanReadWithoutBlocking(int) (ipc/ipc_channel_posix.cc:918) base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) (base/message_pump_libevent.cc:210) event_process_active (third_party/libevent/event.c:385) event_base_loop (third_party/libevent/event.c:522) base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) (base/message_pump_libevent.cc:245) MessageLoop::RunInternal() (base/message_loop.cc:199) MessageLoop::RunHandler() (base/message_loop.cc:181) MessageLoop::Run() (base/message_loop.cc:155) (anonymous namespace)::ProcessClosedObserver::RunUntilClose(int) (chrome/browser/utility_process_host_unittest.cc:105) (anonymous namespace)::UtilityProcessHostTest_ExtensionUnpacker_Test::TestBody() (chrome/browser/utility_process_host_unittest.cc:149) Address 0x17f7c2d0 is 32 bytes inside a block of size 5,256 free'd operator delete(void*) (tools/valgrind/valgrind-10880/coregrind/m_replacemalloc/vg_replace_malloc.c:346) IPC::Channel::ChannelImpl::~ChannelImpl() (ipc_channel_posix.h:39) IPC::Channel::~Channel() (ipc/ipc_channel_posix.cc:991) scoped_ptr<IPC::Channel>::~scoped_ptr() (scoped_ptr.h:72) scoped_ptr<IPC::Channel>::~scoped_ptr() (scoped_ptr.h:72) ChildProcessHost::~ChildProcessHost() (chrome/common/child_process_host.cc:83) UtilityProcessHost::~UtilityProcessHost() (chrome/browser/utility_process_host.cc:34) (anonymous namespace)::TestUtilityProcessHost::~TestUtilityProcessHost() (chrome/browser/utility_process_host_unittest.cc:70) ChildProcessHost::OnChildDied() (chrome/common/child_process_host.cc:211) ChildProcessHost::ListenerHook::OnChannelError() (chrome/common/child_process_host.cc:270) IPC::Channel::ChannelImpl::OnFileCanReadWithoutBlocking(int) (ipc/ipc_channel_posix.cc:907) base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) (base/message_pump_libevent.cc:210) event_process_active (third_party/libevent/event.c:385) event_base_loop (third_party/libevent/event.c:522) base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) (base/message_pump_libevent.cc:245) MessageLoop::RunInternal() (base/message_loop.cc:199) MessageLoop::RunHandler() (base/message_loop.cc:181) MessageLoop::Run() (base/message_loop.cc:155) (anonymous namespace)::ProcessClosedObserver::RunUntilClose(int) (chrome/browser/utility_process_host_unittest.cc:105) (anonymous namespace)::UtilityProcessHostTest_ExtensionUnpacker_Test::TestBody() (chrome/browser/utility_process_host_unittest.cc:149) -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings --~--~---------~--~----~------------~-------~--~----~ Automated mail from issue updates at http://crbug.com/ Subscription options: http://groups.google.com/group/chromium-bugs -~----------~----~----~----~------~----~------~--~---
