apimall / chromiumembedded

Automatically exported from code.google.com/p/chromiumembedded

Linux: trunk: heap-use-after-free in CefBrowserMessageFilter::OnFrameFocused #1567

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Build with ASan on Ubuntu 14.04 LTS 64-bit Linux at trunk revision 2042.
2. Run the OSRTest unit tests.

What is the expected output? What do you see instead?
The test run should complete successfully. Instead, I get a heap-use-after-free error while running OSRTests.

Please use labels and text to provide additional information.

$ ./out/Release/cef_unittests --gtest_filter=OSRTest.* 2>&1 | tools/valgrind/asan/asan_symbolize.py

[ RUN      ] OSRTest.ScreenPoint2x
=================================================================
==54352==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000f4e80 at pc 0x7f71b9dac8de bp 0x7fff06a28930 sp 0x7fff06a28928
READ of size 8 at 0x6160000f4e80 thread T0 (cef_unittests)
    #0 0x7f71b9dac8dd in CefBrowserMessageFilter::OnFrameFocused(int) cef/libcef/browser/browser_message_filter.cc:128:46
    #1 0x7f71b9fda626 in Run base/callback.h:396:12
    #2 0x7f71b9fda626 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:63:0
    #3 0x7f71ba03577c in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:442:3
    #4 0x7f71ba0366a7 in DeferOrRunPendingTask base/message_loop/message_loop.cc:452:5
    #5 0x7f71ba0366a7 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:564:0
    #6 0x7f71b9fc2c77 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:313:31
    #7 0x7f71ba06b30a in base::RunLoop::Run() base/run_loop.cc:55:3
    #8 0x7f71ba034261 in base::MessageLoop::Run() base/message_loop/message_loop.cc:301:3
    #9 0x7c94e8 in main cef/tests/unittests/run_all_unittests.cc:180:5
    #10 0x7f71b34efec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0

0x6160000f4e80 is located 0 bytes inside of 608-byte region [0x6160000f4e80,0x6160000f50e0)
freed by thread T0 (cef_unittests) here:
    #0 0x4b4519 in operator delete(void*) ??:0:0
    #1 0x7f71b9fda626 in Run base/callback.h:396:12
    #2 0x7f71b9fda626 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:63:0
    #3 0x7f71ba03577c in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:442:3
    #4 0x7f71ba0366a7 in DeferOrRunPendingTask base/message_loop/message_loop.cc:452:5
    #5 0x7f71ba0366a7 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:564:0
    #6 0x7f71b9fc3576 in HandleDispatch base/message_loop/message_pump_glib.cc:267:7
    #7 0x7f71b9fc3576 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109:0
    #8 0x7f71b783ce03 in g_main_context_dispatch ??:0:0

previously allocated by thread T0 (cef_unittests) here:
    #0 0x4b3f99 in operator new(unsigned long) ??:0:0
    #1 0x7f71c21f0f2c in content::SiteInstanceImpl::GetProcess() content/browser/site_instance_impl.cc:107:9
    #2 0x7f71c1c9aaae in content::RenderFrameHostManager::CreateRenderFrameHost(content::SiteInstance*, int, int, int) content/browser/frame_host/render_frame_host_manager.cc:1261:24
    #3 0x7f71c1c9a76b in content::RenderFrameHostManager::Init(content::BrowserContext*, content::SiteInstance*, int, int) content/browser/frame_host/render_frame_host_manager.cc:109:22
    #4 0x7f71c228ab19 in content::WebContentsImpl::Init(content::WebContents::CreateParams const&) content/browser/web_contents/web_contents_impl.cc:1211:3
    #5 0x7f71c2271ad8 in content::WebContentsImpl::CreateWithOpener(content::WebContents::CreateParams const&, content::WebContentsImpl*) content/browser/web_contents/web_contents_impl.cc:456:3
    #6 0x7f71b9d6ddb7 in CefBrowserHostImpl::CreateInternal(CefWindowInfo const&, CefStructBase<CefBrowserSettingsTraits> const&, CefRefPtr<CefClient>, content::WebContents*, scoped_refptr<CefBrowserInfo>, unsigned long, CefRefPtr<CefRequestContext>) cef/libcef/browser/browser_host_impl.cc:419:20
    #7 0x7f71b9d6d315 in CefBrowserHostImpl::Create(CefWindowInfo const&, CefRefPtr<CefClient>, CefStringBase<CefStringTraitsUTF16> const&, CefStructBase<CefBrowserSettingsTraits> const&, unsigned long, bool, CefRefPtr<CefRequestContext>) cef/libcef/browser/browser_host_impl.cc:373:7
    #8 0x7f71b9d6cc40 in CefBrowserHost::CreateBrowserSync(CefWindowInfo const&, CefRefPtr<CefClient>, CefStringBase<CefStringTraitsUTF16> const&, CefStructBase<CefBrowserSettingsTraits> const&, CefRefPtr<CefRequestContext>) cef/libcef/browser/browser_host_impl.cc:338:7
    #9 0x7f71b9d6c29a in (anonymous namespace)::CreateBrowserWithHelper((anonymous namespace)::CreateBrowserHelper*) cef/libcef/browser/browser_host_impl.cc:96:3
    #10 0x7f71b9fda626 in Run base/callback.h:396:12
    #11 0x7f71b9fda626 in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) base/debug/task_annotator.cc:63:0
    #12 0x7f71ba03577c in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:442:3
    #13 0x7f71ba0366a7 in DeferOrRunPendingTask base/message_loop/message_loop.cc:452:5
    #14 0x7f71ba0366a7 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:564:0
    #15 0x7f71b9fc3576 in HandleDispatch base/message_loop/message_pump_glib.cc:267:7
    #16 0x7f71b9fc3576 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109:0
    #17 0x7f71b783ce03 in g_main_context_dispatch ??:0:0

Original issue reported on code.google.com by magreenb...@gmail.com on 3 Mar 2015 at 11:11
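The report above has the shape every ASan heap-use-after-free report has: the faulting access, the stack that freed the region, and the stack that allocated it. The triage step is to pull out of each stack the first frame that lives in the project's own tree (here `cef/`), since the allocator, `base::` and `content::` frames are noise. The parser below is an added example, not part of the issue or of CEF; `first_frame_under` and the trimmed `SAMPLE` excerpt are constructed for it.

```python
import re
from typing import NamedTuple

Frame = NamedTuple("Frame", [("index", int), ("function", str), ("location", str)])

# Patterns for the ASan report lines used in triage (text format as shown in the issue).
HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.*) (\S+)$")  # last token is file:line:col

def parse_asan_report(text):
    """Extract error kind, faulting access and the access/freed/allocated stacks."""
    rep = {"error": None, "address": None, "access": None, "size": None, "region_bytes": None, "stacks": {}}
    current = None  # stack the following frame lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            rep["error"], rep["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["size"], current = m.group(1), int(m.group(2)), "access"
        elif m := REGION_RE.search(line):
            rep["region_bytes"] = int(m.group(2))
        elif line.startswith("freed by"):
            current = "freed"
        elif line.startswith("previously allocated by"):
            current = "allocated"
        elif (m := FRAME_RE.match(line)) and current:
            rep["stacks"].setdefault(current, []).append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep

def first_frame_under(rep, stack, path_prefix):
    """First frame of `stack` inside the project's own tree (e.g. 'cef/'), skipping
    allocator, base:: and content:: frames; None when the stack never enters it."""
    return next((f for f in rep["stacks"].get(stack, []) if f.location.startswith(path_prefix)), None)

# Constructed excerpt of the report in this issue: a few frames per stack, signatures shortened.
SAMPLE = """\
==54352==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000f4e80 at pc 0x7f71b9dac8de bp 0x7fff06a28930 sp 0x7fff06a28928
READ of size 8 at 0x6160000f4e80 thread T0 (cef_unittests)
    #0 0x7f71b9dac8dd in CefBrowserMessageFilter::OnFrameFocused(int) cef/libcef/browser/browser_message_filter.cc:128:46
    #1 0x7f71b9fda626 in Run base/callback.h:396:12
0x6160000f4e80 is located 0 bytes inside of 608-byte region [0x6160000f4e80,0x6160000f50e0)
freed by thread T0 (cef_unittests) here:
    #0 0x4b4519 in operator delete(void*) ??:0:0
previously allocated by thread T0 (cef_unittests) here:
    #0 0x4b3f99 in operator new(unsigned long) ??:0:0
    #1 0x7f71c21f0f2c in content::SiteInstanceImpl::GetProcess() content/browser/site_instance_impl.cc:107:9
    #2 0x7f71b9d6ddb7 in CefBrowserHostImpl::CreateInternal(CefWindowInfo const&) cef/libcef/browser/browser_host_impl.cc:419:20
"""
```

Running `parse_asan_report(SAMPLE)` and `first_frame_under(rep, "freed", "cef/")` returning None is itself a finding: the free happened entirely inside base/content message-loop code, so the dangling pointer is held by the CEF filter rather than freed by it.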

GoogleCodeExporter commented 9 years ago
Fixed in trunk revision 2049, 2272 branch revision 2050 and 2171 branch revision 2051.

Original comment by magreenb...@gmail.com on 4 Mar 2015 at 7:25