(Solved) heap corruption on Windows when allocating objects in chrome.exe and freeing in chrome.dll


Alex Gough

Sep 20, 2019, 3:53:38 PM
to Chromium-dev
Emailing a list as I had trouble searching for a solution to this problem I encountered while adding functionality to the sandbox.

TL;DR: Chrome still uses different heaps for different modules in release builds, but uses a single heap in debug builds. Pass POD types or virtual base classes if they're going to be freed in a different module.


Cheers,
Alex

Pasted stuff for searches to hit on:-

Problem: Chrome.exe and chrome.dll use different heaps in release mode. The code I wrote that works fine in debug/component builds suddenly explodes with heap exceptions in release builds. Application Verifier tells me I am freeing from the wrong heap.

Solution: POD types and virtual base classes can be allocated in one module and freed in another as they are simple, or know how to destroy themselves. See sandbox::BrokerServices as an example class.

Problem:-

Chrome is crashing with Critical error detected c0000374.


Stack Trace (Browser - PS this is nothing to do with media/mojom/PlaneStrides):-

Critical error detected c0000374

0:000> k
 # Child-SP          RetAddr Call Site
00 0000005d`881fe1e0 00007ffd`f7e1389e ntdll!RtlReportCriticalFailure+0x56
01 0000005d`881fe2d0 00007ffd`f7e13baa ntdll!RtlpHeapHandleError+0x12
02 0000005d`881fe300 00007ffd`f7daecb1 ntdll!RtlpHpHeapHandleError+0x7a
03 0000005d`881fe330 00007ffd`f7dbd0ca ntdll!RtlpLogHeapFailure+0x45
04 0000005d`881fe360 00007ffd`823513b0 ntdll!RtlFreeHeap+0x9ac4a
05 (Inline Function) --------`-------- chrome!std::__1::default_delete<media::mojom::PlaneStrides>::operator()+0x8 [C:\src\chromium\src\buildtools\third_party\libc++\trunk\include\memory @ 2338]
06 0000005d`881fe400 00007ffd`832b08b9 chrome!std::__1::unique_ptr<media::mojom::PlaneStrides,std::__1::default_delete<media::mojom::PlaneStrides> >::reset+0x18 [C:\src\chromium\src\buildtools\third_party\libc++\trunk\include\memory @ 2651]


Dig in using AppVerifier:-

Enable AppVerifier (as Admin):-

"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\gflags.exe" /p /full /enable chrome.exe


Debug Chrome (don’t follow children):-

"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -loga c:\src\windbg.log  -srcpath c:\src\chromium\src .\out\release\chrome.exe


Disable AppVerifier once initial bp is hit as I'm not interested in renderers:-

"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\gflags.exe" /p /disable chrome.exe


Continue chrome:-

sxn ibp
sxn epr
g

{do whatever causes the crash}


Now get App Verifier crash - indicates wrong heap used for allocation/dealloc:-

===========================================================
VERIFIER STOP 0000000000000006: pid 0x5D34: corrupted heap pointer or using wrong heap

000001F919FE1000 : Heap used in the call
000001F967D88FF0 : Heap block
0000000000000004 : Block size
000001F917691000 : Heap owning the block

===========================================================
This verifier stop is not continuable. Process will be terminated
when you use the `go' debugger command.
===========================================================


(5d34.6ad4): Break instruction exception - code 80000003 (first chance)
verifier!VerifierCaptureContextAndReportStop+0x100:
00007ffd`d29a633c cc              int 3

0:000> !heap
Failed to read heap keySEGMENT HEAP ERROR: failed to initialize the extention
HEAPEXT: Unable to get address of ntdll!RtlpHeapInvalidBadAddress.
Index   Address Name      Debugging options enabled
  1:   1f914200000
  2:   1f914190000
  3:   1f9117e0000
  4:   1f9164a0000
  5:   1f917680000
  6:   1f914140000
  7:   1f917660000
  8:   1f91cbc0000
  9:   1f94f910000


See source of allocation:-

!heap -p -a 000001F967D88FF0
    address 000001f967d88ff0 found in
    _DPH_HEAP_ROOT @ 1f917691000
    in busy allocation (  DPH_HEAP_BLOCK:   UserAddr UserSize -         VirtAddr VirtSize)
                             1f9689f5b60:      1f967d88ff0         4 - 1f967d88000       2000
    00007ffdf7e16cf7 ntdll!RtlDebugAllocateHeap+0x000000000000003f
    00007ffdf7dbca9e ntdll!RtlpAllocateHeap+0x000000000009d23e
    00007ffdf7d1da21 ntdll!RtlpAllocateHeapInternal+0x0000000000000991
    00007ff612b709eb chrome_exe!malloc+0x000000000000002b [C:\src\chromium\src\base\allocator\allocator_shim_override_ucrt_symbols_win.h @ 53]
    00007ff612c37bef chrome_exe!operator new+0x000000000000001f [d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\heap\new_scalar.cpp @ 35]
    00007ff612bdc4eb chrome_exe!sandbox::PolicyInfo::PolicyInfo+0x00000000000000db [C:\src\chromium\src\sandbox\win\src\sandbox_policy_info.cc @ 35]
    00007ff612b9d492 chrome_exe!sandbox::BrokerServicesBase::TargetEventsThread+0x0000000000000452 [C:\src\chromium\src\sandbox\win\src\broker_services.cc @ 347]
    00007ffdf4f47974 KERNEL32!BaseThreadInitThunk+0x0000000000000014
    00007ffdf7d7a271 ntdll!RtlUserThreadStart+0x0000000000000021


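The wrong-heap free described above and the virtual-destructor fix, simulated in a single process as an added example (this is not Chromium code or the author's; FakeHeap, Strides, DllDelete, Interface, Impl and CreateInExe are constructed stand-ins for each module's private CRT heap and for the sandbox::BrokerServices pattern):

```cpp
#include <cstdlib>
#include <map>
#include <memory>
#include <new>

// Stand-in for a module's private CRT heap (constructed for this example).
// Like Application Verifier, it remembers which heap owns each block and
// counts frees that arrive on a different heap ("using wrong heap").
struct FakeHeap {
  static std::map<void*, const FakeHeap*>& owners() { static std::map<void*, const FakeHeap*> m; return m; }
  static int& mismatches() { static int n = 0; return n; }
  void* Alloc(std::size_t n) { void* p = std::malloc(n); owners()[p] = this; return p; }
  void Free(void* p) {
    if (owners()[p] != this) ++mismatches();  // "Heap owning the block" differs
    owners().erase(p);
    std::free(p);
  }
};
inline FakeHeap& ExeHeap() { static FakeHeap h; return h; }
inline FakeHeap& DllHeap() { static FakeHeap h; return h; }

// Bad: a plain struct with no class-scope operator delete. A 'delete' in
// chrome.dll resolves to the dll's own CRT free, modelled here by a deleter.
struct Strides { int stride_y; int stride_uv; };
struct DllDelete { void operator()(Strides* s) const { s->~Strides(); DllHeap().Free(s); } };
int FreePlainStructAcrossModules() {
  int before = FakeHeap::mismatches();
  Strides* s = new (ExeHeap().Alloc(sizeof(Strides))) Strides{4, 2};  // allocated in exe
  std::unique_ptr<Strides, DllDelete> holder(s);
  holder.reset();  // freed in dll: 1 mismatch, the case VERIFIER STOP 6 reports
  return FakeHeap::mismatches() - before;
}

// Good: interface with a virtual destructor. 'delete' through Interface* in
// chrome.dll dispatches to Impl's deleting destructor, compiled in chrome.exe,
// which calls chrome.exe's operator delete and so frees on the owning heap.
class Interface { public: virtual ~Interface() = default; };
class Impl : public Interface {
 public:
  static void* operator new(std::size_t n) { return ExeHeap().Alloc(n); }
  static void operator delete(void* p) { ExeHeap().Free(p); }
};
Interface* CreateInExe() { return new Impl; }  // factory exported by the exe
int FreeInterfaceAcrossModules() {
  int before = FakeHeap::mismatches();
  std::unique_ptr<Interface> holder(CreateInExe());  // dll side holds only Interface*
  holder.reset();  // default_delete -> virtual dtor -> Impl::operator delete: 0 mismatches
  return FakeHeap::mismatches() - before;
}
```

In a real build the per-module global operator delete plays the role of DllDelete, which is why the same unique_ptr<T> with default_delete is safe for an interface type and unsafe for a plain struct.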