
Issue 593338


Issue metadata

Status: WontFix
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




When ash_sysui crashes mus also crashes

Project Member Reported by kylec...@chromium.org, Mar 9 2016

Issue description

When running mash_shell on a device, the ash_sysui process crashes for unknown reasons. Immediately after the ash_sysui process crashes, the mus process also crashes.

It's not known if the two crashes are linked. The ash_sysui process always crashes first and the mus process is always the first process to crash immediately after, so it looks like they might be.

The ash_sysui stack trace looks like the following:

../../third_party/tcmalloc/chromium/src/tcmalloc.cc:289] Attempt to free invalid pointer 0x322ecce34000 11081 
Received signal 11 SEGV_MAPERR 000000000039
#0 0x7f3469f37174 base::debug::StackTrace::StackTrace()
#1 0x7f3469f374b0 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f3468def180 <unknown>
#3 0x7f3469e78490 <unknown>
#4 0x7f3469e7c20f tcmalloc::Log()
#5 0x7f3469e82d04 (anonymous namespace)::InvalidFree()
#6 0x7f3467c8663e SkMallocPixelRef::~SkMallocPixelRef()
#7 0x7f3467c866b1 SkMallocPixelRef::~SkMallocPixelRef()
#8 0x7f3467bf3bba SkBitmap::freePixels()
#9 0x7f3467bfbce0 SkBitmapDevice::~SkBitmapDevice()
#10 0x7f3467c3d3e9 SkCanvas::internalRestore()
#11 0x7f3467c3d4e8 SkCanvas::restore()
#12 0x7f346801471f SkBitmapOperations::CreateDropShadow()
#13 0x7f3468020110 gfx::(anonymous namespace)::DropShadowSource::GetImageForScale()
#14 0x7f346800b1de gfx::ImageSkia::GetRepresentation()
#15 0x7f346801d63a gfx::Canvas::DrawImageInt()
#16 0x7f346801d759 gfx::Canvas::DrawImageInt()
#17 0x7f346830a75a views::ImageView::OnPaintImage()
#18 0x7f346830a80d views::ImageView::OnPaint()
#19 0x7f3468340fab views::View::Paint()
#20 0x7f346836f98b ui::Layer::PaintContentsToDisplayList()
#21 0x7f3467b2ae93 cc::DisplayListRecordingSource::UpdateAndExpandInvalidation()
#22 0x7f3467ad8e33 cc::PictureLayer::Update()
#23 0x7f3467b97490 cc::LayerTreeHost::DoUpdateLayers()
#24 0x7f3467b9782e cc::LayerTreeHost::UpdateLayers()
#25 0x7f3467bd1b25 cc::SingleThreadProxy::DoBeginMainFrame()
#26 0x7f3467bd1dbf cc::SingleThreadProxy::BeginMainFrame()
#27 0x7f3467bcd2e3 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1EEEENS0_9BindStateINS0_15RunnableAdapterIMN2cc17SingleThreadProxyEFvRKNS6_14BeginFrameArgsEEEEFvPS7_SA_EJNS_7WeakPtrIS7_EESA_EEENS0_12InvokeHelperILb1EvSD_EEFvvEE3RunEPNS0_13BindStateBaseE
#28 0x7f3468520d3a base::debug::TaskAnnotator::RunTask()
#29 0x7f34685350ae base::MessageLoop::RunTask()
#30 0x7f34685354be base::MessageLoop::DeferOrRunPendingTask()
#31 0x7f34685363e4 base::MessageLoop::DoWork()
#32 0x7f3468538793 base::MessagePumpDefault::Run()
#33 0x7f3468535d49 base::MessageLoop::RunHandler()
#34 0x7f3468549fd8 base::RunLoop::Run()
#35 0x7f3468534f46 base::MessageLoop::Run()
#36 0x7f34684fbe8d mojo::ApplicationRunner::Run()
#37 0x7f346784c8f2 MojoMain
#38 0x7f3469f26210 mojo::shell::RunNativeApplication()
#39 0x7f3469f20b1c mojo::shell::(anonymous namespace)::RunNativeLibrary()
#40 0x7f3469f20a30 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0EEEENS0_9BindStateINS0_15RunnableAdapterIPFvPvN4mojo16InterfaceRequestINS7_5shell5mojom11ShellClientEEEEEESD_JRS6_EEENS0_12InvokeHelperILb0EvSF_EEFvSC_EE3RunEPNS0_13BindStateBaseESC_
#41 0x7f3469f242e5 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0EEEENS0_9BindStateINS_8CallbackIFvN4mojo16InterfaceRequestINS6_5shell5mojom11ShellClientEEEEEESC_JNS0_13PassedWrapperISB_EEEEENS0_12InvokeHelperILb0EvSD_EEFvvEE3RunEPNS0_13BindStateBaseE
#42 0x7f3469f25449 mojo::shell::ChildProcessMain()
#43 0x7f3469f20ea0 mojo::shell::ChildProcessMain()
#44 0x7f3469e76e65 mojo::shell::StandaloneShellMain()
#45 0x7f3468a45fb6 __libc_start_main
#46 0x7f3469e724d9 <unknown>
  r8: 00007ffca5c97b90  r9: 00007f3469fb2f20 r10: 0000000000000001 r11: 0000000000000000
 r12: 000000000000006f r13: 00007f346a014018 r14: 0000000000000000 r15: 00007ffca5c990d0
  di: 0000000000000000  si: 00007ffca5c97be0  bp: 00007ffca5c97cd0  bx: 00007ffca5c97bd0
  dx: 000000000000006f  ax: 000000000000006f  cx: 00007f3468dee21d  sp: 00007ffca5c97bb8
  ip: 00007f3469e78490 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000006
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000039
[end of stack trace]

This is followed immediately by the following stack trace from mus:

../../third_party/tcmalloc/chromium/src/tcmalloc.cc:289] Attempt to free invalid pointer 0xfffffd8864e448f9 11086 
Received signal 11 SEGV_MAPERR 000000000039
#0 0x7f1fa8be3174 base::debug::StackTrace::StackTrace()
#1 0x7f1fa8be34b0 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f1fa7a9b180 <unknown>
#3 0x7f1fa8b24490 <unknown>
#4 0x7f1fa8b2820f tcmalloc::Log()
#5 0x7f1fa8b2ed04 (anonymous namespace)::InvalidFree()
#6 0x7f1fa6bb07d1 mojo::internal::Connector::HandleError()
#7 0x7f1fa6bb0de4 mojo::internal::Connector::OnHandleReadyInternal()
#8 0x7f1fa6be4dd5 mojo::Watcher::OnHandleReady()
#9 0x7f1fa6baf56f _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1EEEENS0_9BindStateINS0_15RunnableAdapterIMN4mojo8internal9ConnectorEFvjEEEFvPS8_jEJNS_7WeakPtrIS8_EERjEEENS0_12InvokeHelperILb1EvSB_EEFvvEE3RunEPNS0_13BindStateBaseE
#10 0x7f1fa72fe2fa base::debug::TaskAnnotator::RunTask()
#11 0x7f1fa730e74e base::MessageLoop::RunTask()
#12 0x7f1fa730eb5e base::MessageLoop::DeferOrRunPendingTask()
#13 0x7f1fa730fa84 base::MessageLoop::DoWork()
#14 0x7f1fa7312279 base::MessagePumpLibevent::Run()
#15 0x7f1fa730f3e9 base::MessageLoop::RunHandler()
#16 0x7f1fa7322b88 base::RunLoop::Run()
#17 0x7f1fa730e616 base::MessageLoop::Run()
#18 0x7f1fa6ba8f0d mojo::ApplicationRunner::Run()
#19 0x7f1fa6ba4e3f MojoMain
#20 0x7f1fa8bd2210 mojo::shell::RunNativeApplication()
#21 0x7f1fa8bccb1c mojo::shell::(anonymous namespace)::RunNativeLibrary()
#22 0x7f1fa8bcca30 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0EEEENS0_9BindStateINS0_15RunnableAdapterIPFvPvN4mojo16InterfaceRequestINS7_5shell5mojom11ShellClientEEEEEESD_JRS6_EEENS0_12InvokeHelperILb0EvSF_EEFvSC_EE3RunEPNS0_13BindStateBaseESC_
#23 0x7f1fa8bd02e5 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0EEEENS0_9BindStateINS_8CallbackIFvN4mojo16InterfaceRequestINS6_5shell5mojom11ShellClientEEEEEESC_JNS0_13PassedWrapperISB_EEEEENS0_12InvokeHelperILb0EvSD_EEFvvEE3RunEPNS0_13BindStateBaseE
#24 0x7f1fa8bd1449 mojo::shell::ChildProcessMain()
#25 0x7f1fa8bccea0 mojo::shell::ChildProcessMain()
#26 0x7f1fa8b22e65 mojo::shell::StandaloneShellMain()
#27 0x7f1fa76f1fb6 __libc_start_main
#28 0x7f1fa8b1e4d9 <unknown>
  r8: 00007ffe03ef4d80  r9: 00007f1fa8c5ef20 r10: fffffd8863ae2f69 r11: 0000000000000000
 r12: 0000000000000073 r13: 00007f1fa8cc0018 r14: 0000000000000000 r15: 00007ffe03ef5750
  di: 0000000000000000  si: 00007ffe03ef4dd0  bp: 00007ffe03ef4ec0  bx: 00007ffe03ef4dc0
  dx: 0000000000000073  ax: 0000000000000073  cx: 00007f1fa7a9a21d  sp: 00007ffe03ef4da8
  ip: 00007f1fa8b24490 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000006
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000039
[end of stack trace]

 
Cc: -kylec...@chromium.org
Owner: kylec...@chromium.org
Status: WontFix (was: Untriaged)
This problem appears to be linked to tcmalloc in static builds. For unknown reasons ash_sysui, mus, etc. all crash trying to free memory. This only happens with a static build and not in a component build.

Adding the following to gn args used to build mash:all fixes the problem.

use_allocator = "none"

This uses the default allocator instead of tcmalloc.
Status: Assigned (was: WontFix)
So... before you can mark this "WontFix": does Chrome (built statically) use tcmalloc? If it does, this needs to be fixed. Maybe by someone else. And maybe later. But still fixed.

Yes, I believe chrome static builds use tcmalloc. Whatever is broken with mash + ozone + tcmalloc + static builds needs to be fixed but that should probably be a different bug.

As far as I can tell it has nothing to do with ash_sysui causing mus to crash. It's tcmalloc that causes everything to crash in weird places. I have no idea why but once I get a bit more context I'll file a new bug for it.
Labels: -mustash mustash1
Status: WontFix (was: Assigned)
Filed crbug.com/594674 instead. Closing this one.
Components: -MUS Internals>Services>WindowService
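
An added example, not part of the original issue or Chromium's code: grouping the two crash logs by their shared signature shows both processes aborting in tcmalloc's invalid-free path from unrelated callers, the pattern the comments above attribute to the allocator rather than to one process taking down the other. The trace excerpts are trimmed from the logs in the issue description; the names `summarize` and `group_by_signature` are illustrative.

```python
import re
from collections import defaultdict

# Excerpts of the two traces quoted in this issue (frames trimmed for brevity).
ASH_SYSUI = """\
../../third_party/tcmalloc/chromium/src/tcmalloc.cc:289] Attempt to free invalid pointer 0x322ecce34000 11081
Received signal 11 SEGV_MAPERR 000000000039
#0 0x7f3469f37174 base::debug::StackTrace::StackTrace()
#4 0x7f3469e7c20f tcmalloc::Log()
#5 0x7f3469e82d04 (anonymous namespace)::InvalidFree()
#6 0x7f3467c8663e SkMallocPixelRef::~SkMallocPixelRef()
"""
MUS = """\
../../third_party/tcmalloc/chromium/src/tcmalloc.cc:289] Attempt to free invalid pointer 0xfffffd8864e448f9 11086
Received signal 11 SEGV_MAPERR 000000000039
#0 0x7f1fa8be3174 base::debug::StackTrace::StackTrace()
#4 0x7f1fa8b2820f tcmalloc::Log()
#5 0x7f1fa8b2ed04 (anonymous namespace)::InvalidFree()
#6 0x7f1fa6bb07d1 mojo::internal::Connector::HandleError()
"""

FRAME = re.compile(r"^#(\d+) 0x[0-9a-f]+ (.+)$", re.M)
SIGNAL = re.compile(r"^Received signal (\d+) (\S+) ([0-9a-f]+)$", re.M)
ALLOC_MSG = re.compile(r"Attempt to free invalid pointer (0x[0-9a-f]+)")
# Frames that belong to crash reporting or the allocator, not the caller.
NOISE = ("base::debug::", "tcmalloc::", "InvalidFree", "<unknown>")

def summarize(trace):
    """Return (signature, caller): signature is what the crash has in
    common with others; caller is the first frame outside the allocator."""
    sig = SIGNAL.search(trace)
    bad_ptr = ALLOC_MSG.search(trace)
    frames = [name for _, name in FRAME.findall(trace)]
    caller = next((f for f in frames if not any(n in f for n in NOISE)), None)
    signature = ("tcmalloc-invalid-free" if bad_ptr else "other",
                 sig.group(2) if sig else None,
                 int(sig.group(3), 16) if sig else None)
    return signature, caller

def group_by_signature(traces):
    """Map each crash signature to {process: first non-allocator frame}."""
    groups = defaultdict(dict)
    for process, trace in traces.items():
        signature, caller = summarize(trace)
        groups[signature][process] = caller
    return dict(groups)

if __name__ == "__main__":
    for sig, procs in group_by_signature({"ash_sysui": ASH_SYSUI, "mus": MUS}).items():
        print(sig, procs)
```

One signature with two different callers points at the shared component (the allocator) as the place to look first.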
