
UAF in gin_helper::CallbackHolderBase::SecondWeakCallback (integration test crash) #192119

Open
bpasero opened this issue Sep 4, 2023 · 6 comments
Assignees
Labels
bug Issue identified by VS Code Team member as probable bug electron Issues and items related to Electron freeze-slow-crash-leak VS Code crashing, performance, freeze and memory leak issues integration-test-failure linux Issues with VS Code on Linux macos Issues with VS Code on MAC/OS X upstream Issue identified as 'upstream' component related (exists outside of VS Code) windows VS Code on Windows issues

Comments

@bpasero
Member

bpasero commented Sep 4, 2023

https://dev.azure.com/vscode/VSCode/_build/results?buildId=102349&view=results

crash-dump-linux-x64-integration-1.zip

@bpasero bpasero added the freeze-slow-crash-leak VS Code crashing, performance, freeze and memory leak issues label Sep 4, 2023
@deepak1556
Contributor

Operating system: Linux
                  5.15.0-1042-azure #49~20.04.1-Ubuntu SMP Wed Jul 12 12:44:56 UTC 2023 x86_64
CPU: amd64
     family 6 model 106 stepping 6
     4 CPUs

GPU: UNKNOWN

Crash reason:  SIGSEGV /0x00000080
Crash address: 0x0
Process uptime: 10 seconds

Thread 0 (crashed)
 0  code-oss!gin_helper::CallbackHolderBase::SecondWeakCallback(v8::WeakCallbackInfo<gin_helper::CallbackHolderBase> const&) [function_template.cc : 33 + 0x1]
    rax = 0xf074a30178340000   rdx = 0x0000560587f54ca0
    rcx = 0x0000347800f7cae0   rbx = 0x00003478002abe20
    rsi = 0x0000347801a34540   rdi = 0x0000347801a34540
    rbp = 0x00007ffd31210f20   rsp = 0x00007ffd31210e18
     r8 = 0x00007ffd313f4080    r9 = 0x00000000000006e8
    r10 = 0x00007ffd313f4090   r11 = 0x000000000006dba6
    r12 = 0x0000347800329800   r13 = 0x0000000000000000
    r14 = 0x00007ffd31210ec0   r15 = 0x00007ffd31210ed8
    rip = 0x0000560587f54cb1
    Found by: given as instruction pointer in context
 1  code-oss!v8::internal::GlobalHandles::InvokeSecondPassPhantomCallbacks() [global-handles.cc : 865 + 0x5]
    rbx = 0x00003478002abe20   rbp = 0x00007ffd31210f20
    rsp = 0x00007ffd31210e20   r12 = 0x0000347800329800
    r13 = 0x0000000000000000   r14 = 0x00007ffd31210ec0
    r15 = 0x00007ffd31210ed8   rip = 0x00005605891ce7f8
    Found by: call frame info
 2  code-oss!node::PerIsolatePlatformData::RunForegroundTask(std::Cr::unique_ptr<v8::Task, std::Cr::default_delete<v8::Task>>) [node_platform.cc : 425 + 0x6]
    rbx = 0x00007ffd31210fe0   rbp = 0x00007ffd31210fa0
    rsp = 0x00007ffd31210f30   r12 = 0x000034780031e400
    r13 = 0x00007ffd31210f38   r14 = 0xaaaaaaaaaaaaaaaa
    r15 = 0x000034780038a318   rip = 0x000056058f08bffc
    Found by: call frame info
 3  code-oss!node::PerIsolatePlatformData::FlushForegroundTasksInternal() [node_platform.cc : 494 + 0xc]
    rbx = 0x000034780038a318   rbp = 0x00007ffd31211020
    rsp = 0x00007ffd31210fb0   r12 = 0x0000000000000000
    r13 = 0x0000000000000001   r14 = 0x0000000000000000
    r15 = 0x00003478021361e0   rip = 0x000056058f08af2f
    Found by: call frame info
 4  code-oss!uv__async_io [async.c : 162 + 0x5]
    rbx = 0x000056058f86f2e0   rbp = 0x00007ffd31211470
    rsp = 0x00007ffd31211030   r12 = 0x000034780024bc68
    r13 = 0x0000000000000000   r14 = 0x000034780024bc00
    r15 = 0x000056058f86f490   rip = 0x0000560587dddcb2
    Found by: call frame info
 5  code-oss!uv__io_poll [epoll.c : 374 + 0x7]
    rbx = 0x0000000000000002   rbp = 0x00007ffd31214580
    rsp = 0x00007ffd31211480   r12 = 0x0000000000000002
    r13 = 0x000056058f86f4a8   r14 = 0x0000000000000000
    r15 = 0x00007ffd31211480   rip = 0x0000560587dec793
    Found by: call frame info
 6  code-oss!uv_run [core.c : 406 + 0x8]
    rbx = 0x000056058f86f2e0   rbp = 0x00007ffd312145f0
    rsp = 0x00007ffd31214590   r12 = 0x000034780031ec01
    r13 = 0x000056058f86f328   r14 = 0x00007ffd312145b0
    r15 = 0x0000000000000001   rip = 0x0000560587dde0a6
    Found by: call frame info
 7  code-oss!node::Environment::CleanupHandles() [env.cc : 963 + 0xa]
    rbx = 0x000034780031e400   rbp = 0x00007ffd31214630
    rsp = 0x00007ffd31214600   r12 = 0x000034780031ec50
    r13 = 0x00007ffd312148c0   r14 = 0x000034780031ec30
    r15 = 0x000034780031ec50   rip = 0x000056058ef9fdcd
    Found by: call frame info
 8  code-oss!node::Environment::RunCleanup() [env.cc : 1016 + 0x8]
    rbx = 0x000034780031e400   rbp = 0x00007ffd31214880
    rsp = 0x00007ffd31214640   r12 = 0x00003478002eba00
    r13 = 0x00007ffd312148c0   r14 = 0x0000000000000000
    r15 = 0x0000000000000000   rip = 0x000056058efa0535
    Found by: call frame info
 9  code-oss!node::FreeEnvironment(node::Environment*) [environment.cc : 445 + 0x8]
    rbx = 0x000034780031e400   rbp = 0x00007ffd31214910
    rsp = 0x00007ffd31214890   r12 = 0x00003478002eba00
    r13 = 0x00007ffd312148c0   r14 = 0x00003478003e4000
    r15 = 0xaaaaaaaaaaaaaaaa   rip = 0x000056058ef5f1e9
    Found by: call frame info
10  code-oss!electron::NodeEnvironment::~NodeEnvironment() [javascript_environment.cc : 346 + 0x5]
    rbx = 0x00003478006ac000   rbp = 0x00007ffd31214930
    rsp = 0x00007ffd31214920   r12 = 0x0000347800290f01
    r13 = 0x0000000000000016   r14 = 0x000034780024dbc0
    r15 = 0x00007ffd31214940   rip = 0x0000560587edfda5
    Found by: call frame info
11  code-oss!electron::ElectronBrowserMainParts::PostMainMessageLoopRun() [unique_ptr.h : 65 + 0x8]
    rbx = 0x00003478003dacb0   rbp = 0x00007ffd312149b0
    rsp = 0x00007ffd31214940   r12 = 0x0000347800290f01
    r13 = 0x0000000000000016   r14 = 0x000034780024dbc0
    r15 = 0x00007ffd31214940   rip = 0x0000560587ec96c5
    Found by: call frame info
12  code-oss!content::BrowserMainLoop::ShutdownThreadsAndCleanUp() [browser_main_loop.cc : 1131 + 0x5]
    rbx = 0x0000000000000000   rbp = 0x00007ffd31214a50
    rsp = 0x00007ffd312149c0   r12 = 0x0000347800290f00
    r13 = 0xaaaaaaaaaaaaaaaa   r14 = 0x00007ffd31214a00
    r15 = 0xaaaaaaaaaaaaaaaa   rip = 0x000056058a2d9e85
    Found by: call frame info
13  code-oss!content::BrowserMainRunnerImpl::Shutdown() [browser_main_runner_impl.cc : 176 + 0x5]
    rbx = 0x0000347800377660   rbp = 0x00007ffd31214a90
    rsp = 0x00007ffd31214a60   r12 = 0xaaaaaaaaaaaaaaaa
    r13 = 0x00007ffd31214c00   r14 = 0x0000000000000000
    r15 = 0xaaaaaaaaaaaaaaaa   rip = 0x000056058a2dbade
    Found by: call frame info
14  code-oss!content::BrowserMain(content::MainFunctionParams) [browser_main.cc : 43 + 0x5]
    rbx = 0x0000000000000000   rbp = 0x00007ffd31214af0
    rsp = 0x00007ffd31214aa0   r12 = 0x00007ffd31214b08
    r13 = 0x00007ffd31214c30   r14 = 0x0000347800377660
    r15 = 0x00007ffd31214aa0   rip = 0x000056058a2d72f8
    Found by: call frame info
15  code-oss!content::RunBrowserProcessMain(content::MainFunctionParams, content::ContentMainDelegate*) [content_main_runner_impl.cc : 710 + 0x8]
    rbx = 0x00007ffd31215050   rbp = 0x00007ffd31214bc0
    rsp = 0x00007ffd31214b00   r12 = 0x00007ffd31214b08
    r13 = 0x00007ffd31214c30   r14 = 0x00007ffd31214b30
    r15 = 0x00007ffd31214b70   rip = 0x00005605880b2374
    Found by: call frame info
16  code-oss!content::ContentMainRunnerImpl::RunBrowser(content::MainFunctionParams, bool) [content_main_runner_impl.cc : 1280 + 0x8]
    rbx = 0x0000347800248200   rbp = 0x00007ffd31214c80
    rsp = 0x00007ffd31214bd0   r12 = 0x00000000ffffffff
    r13 = 0x00007ffd31214c30   r14 = 0x00007ffd31214c90
    r15 = 0x00007ffd31214bd0   rip = 0x00005605880b3bfe
    Found by: call frame info
17  code-oss!content::ContentMainRunnerImpl::Run() [content_main_runner_impl.cc : 1134 + 0xf]
    rbx = 0x0000347800248200   rbp = 0x00007ffd31214d70
    rsp = 0x00007ffd31214c90   r12 = 0x00007ffd31214d30
    r13 = 0xaaaaaaaaaaaaaaaa   r14 = 0x00007ffd31214c90
    r15 = 0x0000000000000000   rip = 0x00005605880b3a18
    Found by: call frame info
18  code-oss!content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) [content_main.cc : 330 + 0x8]
    rbx = 0x0000347800248200   rbp = 0x00007ffd31214fd0
    rsp = 0x00007ffd31214d80   r12 = 0x0000000000000000
    r13 = 0x0000000000000000   r14 = 0x0000000000000000
    r15 = 0x00007ffd31214e61   rip = 0x00005605880b1355
    Found by: call frame info
19  code-oss!content::ContentMain(content::ContentMainParams) [content_main.cc : 347 + 0x5]
    rbx = 0x00007ffd31215010   rbp = 0x00007ffd31215040
    rsp = 0x00007ffd31214fe0   r12 = 0x00007ffd31215000
    r13 = 0x0000000000000000   r14 = 0x00007ffd31214ff8
    r15 = 0x00007ffd312150a0   rip = 0x00005605880b1445
    Found by: call frame info
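The top two frames (SecondWeakCallback invoked from InvokeSecondPassPhantomCallbacks, itself running from a foreground task inside FreeEnvironment) follow V8's two-pass phantom weak callback protocol: the first pass runs during GC and may request a second pass, which V8 queues and runs later from a foreground task. What follows is an added, simplified C++ model written for this page, not Electron's or V8's code; FakeGlobalHandles, CallbackHolder, the live-holder registry and the scenario functions are all assumed names standing in for the real types. It shows why a holder that is destroyed by other means after GC has queued the second pass, but before the foreground task drains the queue, leaves that callback with a dangling parameter. The model's second pass consults a registry before deleting, so the stale case is counted instead of dereferenced; a self-deleting holder like the one named in frame 0 has no such registry and would delete freed memory.

```cpp
// Added example: simplified model of V8's two-pass phantom weak callbacks and
// the teardown-ordering hazard behind a crash in a second-pass callback.
// Not Electron or V8 code; every name below is an assumption for illustration.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <set>
#include <utility>
#include <vector>

// Stand-in for v8::internal::GlobalHandles. First-pass callbacks run "during
// GC"; second-pass callbacks are queued and drained later from a foreground
// task, like InvokeSecondPassPhantomCallbacks in frame 1 of the crash stack.
class FakeGlobalHandles {
 public:
  using Callback = std::function<void(void*)>;
  struct Entry {
    void* param;
    Callback cb;
  };

  void SetWeak(void* param, Callback first_pass) {
    weak_.push_back({param, std::move(first_pass)});
  }
  void SetSecondPassCallback(void* param, Callback second_pass) {
    second_.push_back({param, std::move(second_pass)});
  }
  // Simulated GC cycle in which every weak handle is found unreachable.
  void CollectGarbage() {
    std::vector<Entry> batch;
    batch.swap(weak_);
    for (auto& e : batch) e.cb(e.param);
  }
  // Simulated foreground task draining the second-pass queue.
  void InvokeSecondPassPhantomCallbacks() {
    std::vector<Entry> batch;
    batch.swap(second_);
    for (auto& e : batch) e.cb(e.param);
  }

 private:
  std::vector<Entry> weak_;
  std::vector<Entry> second_;
};

// Bookkeeping that exists only in this model: which holders are still alive,
// so a stale parameter can be recognised by address instead of dereferenced.
static std::set<const void*> g_live_holders;
static int g_stale_second_pass = 0;  // would-be use-after-free events caught

class CallbackHolder {
 public:
  explicit CallbackHolder(FakeGlobalHandles* handles) : handles_(handles) {
    g_live_holders.insert(this);
    // The handle is weak; the holder is meant to delete itself only when the
    // second-pass callback fires.
    handles_->SetWeak(this, &CallbackHolder::FirstWeakCallback);
  }
  ~CallbackHolder() { g_live_holders.erase(this); }

  static void FirstWeakCallback(void* param) {
    auto* self = static_cast<CallbackHolder*>(param);
    // Real code would reset its v8::Global here, then request the second pass.
    self->handles_->SetSecondPassCallback(param, &CallbackHolder::SecondWeakCallback);
  }
  static void SecondWeakCallback(void* param) {
    // A self-deleting holder deletes `param` unconditionally. The model checks
    // the registry first so the stale case is counted rather than crashed.
    if (!g_live_holders.count(param)) {
      ++g_stale_second_pass;
      return;
    }
    delete static_cast<CallbackHolder*>(param);
  }

 private:
  FakeGlobalHandles* handles_;
};

// Normal lifetime: GC finds the handle dead, the second pass frees the holder once.
int NormalLifecycle() {
  g_stale_second_pass = 0;
  FakeGlobalHandles gh;
  new CallbackHolder(&gh);  // owned by the weak-callback protocol from here on
  gh.CollectGarbage();
  gh.InvokeSecondPassPhantomCallbacks();
  return g_stale_second_pass;  // 0
}

// Teardown hazard: the holder is deleted after GC queued the second pass but
// before the foreground task runs it, the ordering visible inside FreeEnvironment.
int TeardownHazard() {
  g_stale_second_pass = 0;
  FakeGlobalHandles gh;
  auto* holder = new CallbackHolder(&gh);
  gh.CollectGarbage();   // second pass is now queued with `holder` as parameter
  delete holder;         // premature destruction by some other owner
  gh.InvokeSecondPassPhantomCallbacks();  // real code would touch freed memory
  return g_stale_second_pass;  // 1
}

int LiveHolders() { return static_cast<int>(g_live_holders.size()); }

int main() {
  std::printf("normal lifecycle: stale second-pass callbacks = %d\n", NormalLifecycle());
  std::printf("teardown hazard:  stale second-pass callbacks = %d\n", TeardownHazard());
  std::printf("holders still alive: %d\n", LiveHolders());
  return 0;
}
```

Build with `g++ -std=c++17 model.cc && ./a.out`. The registry check is the model's way of making the hazard observable; in a real embedder the equivalent defence is to keep exactly one owner for an object whose lifetime is tied to a weak handle, or to validate a type tag on the parameter before trusting it, which is what the gin-wrappable crash key in the later comment reports on.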

@deepak1556 deepak1556 added bug Issue identified by VS Code Team member as probable bug upstream Issue identified as 'upstream' component related (exists outside of VS Code) electron Issues and items related to Electron linux Issues with VS Code on Linux labels Sep 5, 2023
@deepak1556 deepak1556 added the windows VS Code on Windows issues label Sep 14, 2023
@deepak1556 deepak1556 changed the title Crash in linux remote integration tests UAF in gin_helper::CallbackHolderBase::SecondWeakCallback Sep 14, 2023
@roblourens roblourens changed the title UAF in gin_helper::CallbackHolderBase::SecondWeakCallback UAF in gin_helper::CallbackHolderBase::SecondWeakCallback (integration test crash) Oct 9, 2023
@deepak1556 deepak1556 added the macos Issues with VS Code on MAC/OS X label Oct 10, 2023
@deepak1556 deepak1556 added the important Issue identified as high-priority label Nov 14, 2023
@deepak1556 deepak1556 added this to the November 2023 milestone Nov 14, 2023
@deepak1556
Contributor

Crash keys added to help narrow down the source of the crash: https://domoreexp.visualstudio.com/Teamspace/_git/electron-build/pullrequest/901475

@deepak1556 deepak1556 removed the important Issue identified as high-priority label Nov 15, 2023
@deepak1556 deepak1556 modified the milestones: November 2023, December 2023 Nov 27, 2023
@deepak1556
Contributor

#200101 is the first build with the above crash keys annotated; result:

MDRawCrashpadInfo
  version = 1
  report_id = 06ae6d0c-7c21-462d-ae30-fd96e332ec88
  client_id = 1cc5fe5c-9da4-4a1a-b58f-fc53c37d69d0
  simple_annotations["_companyName"] = Microsoft
  simple_annotations["_productName"] = VSCode
  simple_annotations["_version"] = 1.85.0-insider
  simple_annotations["plat"] = Win64
  simple_annotations["prod"] = Electron
  simple_annotations["ver"] = 25.9.7
  module_list[0].minidump_module_list_index = 0
  module_list[0].version = 1
  module_list[0].crashpad_annotations["gin-wrappable-fatal-location"] (type = 1) = Deleted kWrapperInfo does not ma
  module_list[0].crashpad_annotations["ui_scheduler_async_stack"] (type = 1) = 0x7FF699E9F625 0x0
  module_list[0].crashpad_annotations["io_scheduler_async_stack"] (type = 1) = 0x7FF69AFC8AB7 0x7FF69AFC8492
  module_list[0].crashpad_annotations["osarch"] (type = 1) = x86_64
  module_list[0].crashpad_annotations["pid"] (type = 1) = 2492
  module_list[0].crashpad_annotations["ptype"] (type = 1) = browser
  module_list[0].crashpad_annotations["platform"] (type = 1) = win32
  module_list[0].crashpad_annotations["process_type"] (type = 1) = browser
  address_mask = 0

The wrapper class is not one from the list; need to add the missing ones: Screen, PowerMonitor, ReplyChannel, ChunkedDataPipeReadableStream and JSChunkedDataPipeGetter.

@deepak1556
Contributor

The crash has not been triggered after updating to Electron 27; closing optimistically.

@bpasero bpasero added the verified Verification succeeded label Jan 23, 2024
@bpasero
Member Author

bpasero commented Jan 23, 2024

I am not sure how to verify this, but I will monitor again for new integration test crashes if there are any crashes attached.

@aiday-mar aiday-mar added this to the December / January 2024 milestone Feb 6, 2024
@deepak1556 deepak1556 reopened this Mar 5, 2024
@deepak1556 deepak1556 removed the verified Verification succeeded label Mar 5, 2024
@deepak1556 deepak1556 removed this from the December / January 2024 milestone Mar 5, 2024
@deepak1556
Contributor

We have a new instance of this crash with Electron 28, reopening for debugging.
