I just suffered a DCHECK in my SyzyASAN canary, which brought up the WER dialog. Looking at the crash (I have a full memory dump), there are several interesting things to note.
There is no indication in the 32 bit state which thread is faulting.
In the 64 bit state, it's apparent what's up though (see below).
SyzyASAN probably doesn't want to handle debug breaks.
SyzyASAN is in the UEF, scrubbing through the heap, and takes an AV.
I'm guessing an unhandled exception in the UEF goes to WER - easy enough to check.
The crashing thread is 0x00021fd0 iterations into a block, which has been unmapped.
This is clearly a race, as even though the fault is on a page boundary, the previous page has been unmapped too.
Apparently the other threads are still frolicking in the heap (see below), I'm guessing our locking-at-crash-time is best effort?
In any case, I think at minimum the heap scrubbing, and perhaps all of the UEF should be under an SEH, so that the UEF can defer to the next-in-line UEF on exception...
--- thread at fault in amd64 ---
9 Id: d480.9514 Suspend: 1 Teb: 00000000`05050000 Unfrozen
Call Site
00 wow64!Wow64NotifyDebugger
01 wow64!HandleRaiseException
02 wow64!Wow64NtRaiseException
03 wow64!whNtRaiseException
04 wow64!Wow64SystemServiceEx
05 wow64cpu!ServiceNoTurbo
06 wow64!RunCpuSimulation
07 wow64!Wow64LdrpInitialize
08 ntdll!_LdrpInitialize
09 ntdll!LdrInitializeThunk
--- thread at fault in x86 --- 0:009:x86> kc
00 syzyasan_rtl!agent::asan::BlockBodyIsFloodFilled
01 syzyasan_rtl!agent::asan::IsBlockCorrupt
02 syzyasan_rtl!agent::asan::HeapChecker::GetCorruptRangesInSlab
03 syzyasan_rtl!agent::asan::HeapChecker::IsHeapCorrupt
04 syzyasan_rtl!agent::asan::AsanRuntime::ExceptionFilterImpl
05 syzyasan_rtl!agent::asan::AsanRuntime::UnhandledExceptionFilter
06 KERNELBASE!UnhandledExceptionFilter
07 ntdll_77c60000!__RtlUserThreadStart
08 ntdll_77c60000!_RtlUserThreadStart
--- exception being handled --- 0:009:x86> kc *** Stack trace for last set context - .thread/.cxr resets it
00 chrome_65980000!base::debug::BreakDebugger
01 chrome_65980000!logging::LogMessage::~LogMessage
02 chrome_65980000!base::debug::GlobalActivityTracker::RecordProcessLaunch
03 chrome_65980000!content::StartSandboxedProcessInternal
04 chrome_65980000!content::StartSandboxedProcess
05 chrome_65980000!content::internal::ChildProcessLauncherHelper::LaunchProcessOnLauncherThread
06 chrome_65980000!content::internal::ChildProcessLauncherHelper::LaunchOnLauncherThread
07 chrome_65980000!base::internal::FunctorTraits<void (__thiscall DevToolsFileWatcher::SharedFileWatcher::*)(void),void>::Invoke
08 chrome_65980000!base::internal::InvokeHelper<0,void>::MakeItSo
09 chrome_65980000!base::internal::Invoker<base::internal::BindState<void (__thiscall DevToolsFileWatcher::SharedFileWatcher::*)(void),scoped_refptr >,void __cdecl(void)>::RunImpl
0a chrome_65980000!base::internal::Invoker<base::internal::BindState<void (__thiscall DevToolsFileWatcher::SharedFileWatcher::*)(void),scoped_refptr >,void __cdecl(void)>::RunOnce
0b chrome_65980000!base::OnceCallback<void __cdecl(void)>::Run
0c chrome_65980000!base::debug::TaskAnnotator::RunTask
0d chrome_65980000!base::internal::TaskTracker::RunOrSkipTask
0e chrome_65980000!base::internal::TaskTracker::RunNextTask
0f chrome_65980000!base::internal::SchedulerWorker::Thread::ThreadMain
10 chrome_65980000!base::`anonymous namespace'::ThreadFunc
11 KERNEL32!BaseThreadInitThunk
12 ntdll_77c60000!RtlUserThreadStart
13 ntdll_77c60000!_RtlUserThreadStart
--- frolicking thread --- 0:013:x86> kc
00 syzyasan_rtl!SuperFastHash
01 syzyasan_rtl!base::SuperFastHash
02 syzyasan_rtl!agent::asan::BlockSetChecksum
03 syzyasan_rtl!agent::asan::heap_managers::BlockHeapManager::Free
04 syzyasan_rtl!agent::asan::WindowsHeapAdapter::HeapFree
05 syzyasan_rtl!asan_HeapFree
06 chrome_65980000!base::allocator::WinHeapFree
07 chrome_65980000!`anonymous namespace'::DefaultWinHeapFreeImpl
08 chrome_65980000!ShimFree
09 chrome_65980000!free
0a chrome_65980000!sk_free
0b chrome_65980000!SkMallocPixelRef::{dtor}
0c chrome_65980000!SkMallocPixelRef::`scalar deleting destructor'
0d chrome_65980000!SkRefCntBase::internal_dispose
0e chrome_65980000!SkRefCntBase::unref
0f chrome_65980000!SkSafeUnref
10 chrome_65980000!sk_sp
11 chrome_65980000!SkBitmap::~SkBitmap
12 chrome_65980000!SkImage_Raster::{dtor}
13 chrome_65980000!SkImage_Raster::`scalar deleting destructor'
14 chrome_65980000!SkRefCntBase::internal_dispose
15 chrome_65980000!SkRefCntBase::unref
16 chrome_65980000!SkSafeUnref
17 chrome_65980000!sk_sp<SkImage>::{dtor}
18 chrome_65980000!SkImageShader::`scalar deleting destructor'
19 chrome_65980000!SkRefCntBase::internal_dispose
1a chrome_65980000!SkRefCntBase::unref
1b chrome_65980000!SkSafeUnref
1c chrome_65980000!sk_sp
1d chrome_65980000!SkPaint::~SkPaint
1e chrome_65980000!SkColorSpaceXformCanvas::onDrawRect
1f chrome_65980000!SkCanvas::drawRect
20 chrome_65980000!cc::DrawRectOp::RasterWithFlags
21 chrome_65980000!cc::Rasterizer<cc::DrawRectOp,1>::Raster
22 chrome_65980000!cc::::operator()
23 chrome_65980000!::
24 chrome_65980000!cc::PaintOp::Raster
25 chrome_65980000!cc::PaintOpBuffer::Playback