
Issue 601371


Issue metadata

Status: Untriaged
Owner: ----
Cc:
EstimatedDays: ----
NextAction: 2019-07-09
OS: ----
Pri: 3
Type: Bug




crash in md5sum / hashmetricname

Project Member Reported by changwan@chromium.org, Apr 7 2016

Issue description

Version: 49.0.2623.91
OS: Android

What steps will reproduce the problem?
STEPS TO REPRODUCE: (please be specific) 
1. Open Chrome (issue has been observed on devices having less than 1 GB of RAM)
2. Browse http://www.vecernji.hr/ ; the issue is sometimes also observed on http://mob.hr/
3. Frequent crashes observed

REPRODUCE RATE: 

Crashes observed frequently

OBSERVED RESULTS:

03-15 10:40:38.094  4920  4996 F libc    : Fatal signal 6 (SIGABRT) at 0x00001338 (code=-6), thread 4996 (Chrome_IOThread)
03-15 10:40:38.164   118   118 I DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-15 10:40:38.164   118   118 I DEBUG   : Build fingerprint: 'samsung/lt023gxx/lt023g:4.4.2/KOT49H/T211XXBOA3:user/release-keys'
03-15 10:40:38.164   118   118 I DEBUG   : Revision: '8'
03-15 10:40:38.164   118   118 I DEBUG   : pid: 4920, tid: 4996, name: Chrome_IOThread  >>> com.android.chrome <<<
03-15 10:40:38.164   118   118 I DEBUG   : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
03-15 10:40:38.174   118   118 I DEBUG   : Abort message: 'stack corruption detected'
03-15 10:40:38.384   625   645 D SensorService:  [AR] 4.8 0.5 8.5
03-15 10:40:38.384   625   645 D SensorService: AutoRotationSensor::process: Ar_SensorChanged oldrotation = [255], rotation = [1]
03-15 10:40:38.384   625   652 V WindowOrientationListener: Rotation Sensor : x=1.0
03-15 10:40:38.424   118   118 I DEBUG   :     r0 00000000  r1 00001384  r2 00000006  r3 00000000
03-15 10:40:38.424   118   118 I DEBUG   :     r4 00000006  r5 00000000  r6 00001384  r7 0000010c
03-15 10:40:38.424   118   118 I DEBUG   :     r8 7ef02724  r9 833380c5  sl 8020add8  fp 0000000b
03-15 10:40:38.424   118   118 I DEBUG   :     ip 98badcfe  sp 7ef02608  lr 4008f0a5  pc 4009e60c  cpsr 000e0010
03-15 10:40:38.424   118   118 I DEBUG   :     d0  0000000000000000  d1  0000000000000000
03-15 10:40:38.424   118   118 I DEBUG   :     d2  0000000000000000  d3  0000000000000000
03-15 10:40:38.424   118   118 I DEBUG   :     d4  3fc39a09d078c69f  d5  bebbbcdb6774cecb
03-15 10:40:38.424   118   118 I DEBUG   :     d6  3e66376972bea4d0  d7  000f4240fffffffc
03-15 10:40:38.424   118   118 I DEBUG   :     d8  0000000000000000  d9  0000000000000000
03-15 10:40:38.424   118   118 I DEBUG   :     d10 0000000000000000  d11 0000000000000000
03-15 10:40:38.424   118   118 I DEBUG   :     d12 0000000000000000  d13 0000000000000000
03-15 10:40:38.424   118   118 I DEBUG   :     d14 0000000000000000  d15 0000000000000000
03-15 10:40:38.424   118   118 I DEBUG   :     d16 3f6293aba995d5fb  d17 4000000000000000
03-15 10:40:38.424   118   118 I DEBUG   :     d18 4000000000000000  d19 bfa8492508006000
03-15 10:40:38.424   118   118 I DEBUG   :     d20 3fc55520e8e8967f  d21 bf66c11c34a12eec
03-15 10:40:38.424   118   118 I DEBUG   :     d22 bfa87a4b027e9bda  d23 4130000000000000
03-15 10:40:38.424   118   118 I DEBUG   :     d24 3f5224a519195837  d25 bf5224a1000bf7dc
03-15 10:40:38.424   118   118 I DEBUG   :     d26 402b148710c79339  d27 4000000000000000
03-15 10:40:38.424   118   118 I DEBUG   :     d28 400061e92c09fa6f  d29 3fa7b80000000041
03-15 10:40:38.424   118   118 I DEBUG   :     d30 3ff0000000000000  d31 412e847ffffffffc
03-15 10:40:38.424   118   118 I DEBUG   :     scr 60000010
03-15 10:40:38.424   118   118 I DEBUG   : 
03-15 10:40:38.424   118   118 I DEBUG   : backtrace:
03-15 10:40:38.424   118   118 I DEBUG   :     #00  pc 0002260c  /system/lib/libc.so (tgkill+12)
03-15 10:40:38.424   118   118 I DEBUG   :     #01  pc 000130a1  /system/lib/libc.so (pthread_kill+48)
03-15 10:40:38.424   118   118 I DEBUG   :     #02  pc 000132b5  /system/lib/libc.so (raise+10)
03-15 10:40:38.424   118   118 I DEBUG   :     #03  pc 00011feb  /system/lib/libc.so
03-15 10:40:38.424   118   118 I DEBUG   :     #04  pc 00021ec0  /system/lib/libc.so (abort+4)
03-15 10:40:38.424   118   118 I DEBUG   :     #05  pc 00012ad1  /system/lib/libc.so
03-15 10:40:38.424   118   118 I DEBUG   :     #06  pc 00011fbb  /system/lib/libc.so (__stack_chk_fail+6)
03-15 10:40:38.424   118   118 I DEBUG   :     #07  pc 0007f279  /data/app-lib/com.android.chrome-1/libchrome.so

Originally reported by Samsung at b/27708549.

primiano@ manually symbolized the microdump as follows:

Crash reason:
Crash address: 0x0
Process uptime: not available

Thread 0 (crashed)
 0  libc.so + 0x2260c
     r0 = 0x00000000    r1 = 0x00001384    r2 = 0x00000006    r3 = 0x00000000
     r4 = 0x00000006    r5 = 0x00000000    r6 = 0x00001384    r7 = 0x0000010c
     r8 = 0x7ef02724    r9 = 0x833380c5   r10 = 0x8020add8   r12 = 0x98badcfe
     fp = 0x0000000b    sp = 0x7ef02608    lr = 0x4008f0a5    pc = 0x4009e60c
    Found by: given as instruction pointer in context
 1  libc.so + 0x130a3
     sp = 0x7ef02620    pc = 0x4008f0a5
    Found by: stack scanning
 2  libc.so + 0x132b7
     sp = 0x7ef02630    pc = 0x4008f2b9
    Found by: stack scanning
 3  libc.so + 0x11fed
     sp = 0x7ef02638    pc = 0x4008dfef
    Found by: stack scanning
 4  libc.so + 0x21ec2
     sp = 0x7ef02660    pc = 0x4009dec4
    Found by: stack scanning
 5  libc.so + 0x12ad3
     sp = 0x7ef02668    pc = 0x4008ead5
    Found by: stack scanning
 6  libc.so + 0x4065e
     sp = 0x7ef0266c    pc = 0x400bc660
    Found by: stack scanning
 7  libc.so + 0x11fbd
     sp = 0x7ef02678    pc = 0x4008dfbf
    Found by: stack scanning
 8  libc.so + 0x4065e
     sp = 0x7ef0267c    pc = 0x400bc660
    Found by: stack scanning
 9  libchrome.so!base::MD5Sum [md5.cc : 291 + 0x11]
     sp = 0x7ef02690    pc = 0x7859727d
    Found by: stack scanning
10  libchrome.so!base::HashMetricName [metrics_hashes.cc : 27 + 0x5]
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x803ab6c8    r9 = 0x00000024    sp = 0x7ef02718    pc = 0x785971e7
    Found by: call frame info
11  libchrome.so!base::StatisticsRecorder::FindHistogram [statistics_recorder.cc : 245 + 0x5]
     r4 = 0x778aad88    r5 = 0x7ef02798    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x803ab6c8    r9 = 0x00000024    sp = 0x7ef02748    pc = 0x7859718b
    Found by: call frame info
12  libchrome.so!base::SparseHistogram::FactoryGet [sparse_histogram.cc : 24 + 0x3]
     r4 = 0x00000001    r5 = 0x7ef02798    r6 = 0x0000001f    r7 = 0x7ef0278c
     r8 = 0x803ab6c8    r9 = 0x00000024    sp = 0x7ef02768    pc = 0x785bf58f
    Found by: call frame info
13  libchrome.so!data_use_measurement::DataUseMeasurement::ReportDataUsageServices [data_use_measurement.cc : 41 + 0x7]
     r4 = 0x7ef02798    r5 = 0x00000010    r6 = 0x0000001f    r7 = 0x7ef0278c
     r8 = 0x803ab6c8    r9 = 0x00000024    sp = 0x7ef02778    pc = 0x7874000d
    Found by: call frame info
14  libchrome.so!data_use_measurement::DataUseMeasurement::ReportDataUseUMA [data_use_measurement.cc : 97 + 0xd]
     r4 = 0x0000000b    r5 = 0x7ef027e0    r6 = 0x000000ee    r7 = 0x00000000
     r8 = 0x00000145    r9 = 0x00000000   r10 = 0x7f5a2b68    fp = 0x8020e338
     sp = 0x7ef027d0    pc = 0x7873fdc1
    Found by: call frame info
15  libchrome.so!ChromeNetworkDelegate::OnCompleted [chrome_network_delegate.cc : 523 + 0x3]
     r4 = 0x8020e338    r5 = 0x400ca384    r6 = 0x7f5a2b30    r7 = 0x00000001
     r8 = 0x8020e338    r9 = 0x00000000   r10 = 0x00000001    fp = 0x7a3d9f7c
     sp = 0x7ef02818    pc = 0x7873f959
    Found by: call frame info
16  libchrome.so!net::NetworkDelegate::NotifyCompleted [network_delegate.cc : 119 + 0xb]
     r4 = 0x7ef02900    r5 = 0x7ef02910    r6 = 0x7f5a2b30    r7 = 0x00000001
     r8 = 0x8020e338    r9 = 0x00000000   r10 = 0x7e803a7c    fp = 0x7a3d9f7c
     sp = 0x7ef028f8    pc = 0x7873f35b
    Found by: call frame info
17  libchrome.so!net::NetworkDelegate::NotifyCompleted [network_delegate.cc : 119 + 0xb]
     r4 = 0x7ef02948    r5 = 0x7ef02958    r6 = 0x7f5acac0    r7 = 0x00000001
     r8 = 0x8020e338    r9 = 0x00000000   r10 = 0x7e803a7c    fp = 0x7a3d9f7c
     sp = 0x7ef02940    pc = 0x7873f35b
    Found by: call frame info
18  libchrome.so!net::URLRequest::NotifyReadCompleted [url_request.cc : 1156 + 0x3]
     r4 = 0x8020e338    r5 = 0xffffffff    r6 = 0x7ef02a00    r7 = 0x7a92c5d3
     r8 = 0x7e803b18    r9 = 0x00000000   r10 = 0x7e803a7c    fp = 0x7a3d9f7c
     sp = 0x7ef02988    pc = 0x78b52381
    Found by: call frame info
19  libchrome.so!base::debug::TaskAnnotator::RunTask [callback.h : 394 + 0x5]
     r4 = 0x7ef02b20    r5 = 0x7ef02a08    r6 = 0x7ef02a00    r7 = 0x7a92c5d3
     r8 = 0x7e803b18    r9 = 0x00000000   r10 = 0x7e803a7c    fp = 0x7a3d9f7c
     sp = 0x7ef02998    pc = 0x786dc4ff
    Found by: call frame info
20  libchrome.so!base::MessageLoop::RunTask [message_loop.cc : 486 + 0xd]
     r4 = 0x7e803a70    r5 = 0x7a92c5cc    r6 = 0x7ef02b20    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0xc0c0c0c1   r10 = 0x7e803a7c    fp = 0x7ef02b28
     sp = 0x7ef02a58    pc = 0x786dc33f
    Found by: call frame info
21  libchrome.so!base::MessageLoop::DeferOrRunPendingTask [message_loop.cc : 495 + 0x7]
     r4 = 0x7ef02b20    r5 = 0x7e803a70    r6 = 0x7e803a70    r7 = 0x00000001
     r8 = 0x7ef02b38    r9 = 0xc0c0c0c1   r10 = 0x7e803a7c    fp = 0x7ef02b28
     sp = 0x7ef02b00    pc = 0x786dc2cd
    Found by: call frame info
22  libchrome.so!base::MessageLoop::DoWork [message_loop.cc : 607 + 0x3]
     r3 = 0x00000000    r4 = 0x7e7ef118    r5 = 0x7ef02b20    r6 = 0x7e803a70
     r7 = 0x7ef02b30    r8 = 0x7ef02b38    r9 = 0xc0c0c0c1   r10 = 0x7e803a7c
     fp = 0x7ef02b28    sp = 0x7ef02b20    pc = 0x786dc145
    Found by: call frame info
23  libchrome.so!base::MessagePumpLibevent::Run [message_pump_libevent.cc : 229 + 0x7]
     r4 = 0x7e7e9d30    r5 = 0x7e803a70    r6 = 0x7e7e9d38    r7 = 0x00000001
     r8 = 0x00000000    r9 = 0x765e9710   r10 = 0x7874d9ad    fp = 0x400c82ec
     sp = 0x7ef02b78    pc = 0x786daeb3
    Found by: call frame info
24  libchrome.so!base::RunLoop::Run [run_loop.cc : 56 + 0x5]
     r4 = 0x7ef02bf0    r5 = 0x7ef02bcc    r6 = 0x400ca384    r7 = 0x7e803a70
     r8 = 0x786d62dd    r9 = 0x7ee05000   r10 = 0xbeebbeac    fp = 0x400c82ec
     sp = 0x7ef02bc8    pc = 0x786dbed9
    Found by: call frame info
25  libchrome.so!base::MessageLoop::Run [message_loop.cc : 293 + 0x5]
     r4 = 0x400ca384    r5 = 0x7e803a70    r6 = 0x400ca384    r7 = 0x7e803a70
     r8 = 0x786d62dd    r9 = 0x7ee05000   r10 = 0xbeebbeac    fp = 0x400c82ec
     sp = 0x7ef02bf0    pc = 0x786dbe91
    Found by: call frame info
26  libchrome.so!content::BrowserThreadImpl::IOThreadRun [browser_thread_impl.cc : 215 + 0x3]
     r4 = 0x400ca384    r5 = 0x7e803a70    r6 = 0x400ca384    r7 = 0x7e803a70
     r8 = 0x786d62dd    r9 = 0x7ee05000   r10 = 0xbeebbeac    fp = 0x400c82ec
     sp = 0x7ef02c10    pc = 0x786fc8e7
    Found by: call frame info
27  libchrome.so!content::BrowserThreadImpl::Run [browser_thread_impl.cc : 250 + 0x7]
     r4 = 0x7e7e5d88    r5 = 0x7e803a70    r6 = 0x400ca384    r7 = 0x7e803a70
     r8 = 0x786d62dd    r9 = 0x7ee05000   r10 = 0xbeebbeac    fp = 0x400c82ec
     sp = 0x7ef02cc8    pc = 0x78761a61
    Found by: call frame info
28  libchrome.so!base::Thread::ThreadMain [thread.cc : 252 + 0x5]
     r4 = 0x7e7e5d88    r5 = 0x400ca384    r6 = 0x7e7e5d90    r7 = 0x7e803a70
     r8 = 0x786d62dd    r9 = 0x7ee05000   r10 = 0xbeebbeac    fp = 0x400c82ec
     sp = 0x7ef02d80    pc = 0x786d64cf
    Found by: call frame info
29  libchrome.so!base::::ThreadFunc [platform_thread_posix.cc : 67 + 0x7]
     r4 = 0x7e802868    r5 = 0x7e7e5d88    r6 = 0x7cd7d3d0    r7 = 0x78128590
     r8 = 0x786d62dd    r9 = 0x7ee05000   r10 = 0xbeebbeac    fp = 0x400c82ec
     sp = 0x7ef02da8    pc = 0x786d6319
    Found by: call frame info
30  libc.so + 0xd232
     r4 = 0x7ef02dd0    r5 = 0x7e802868    r6 = 0x786d62dd    r7 = 0x78128590
     r8 = 0x786d62dd    r9 = 0x7ee05000   r10 = 0xbeebbeac    fp = 0x400c82ec
     sp = 0x7ef02db8    pc = 0x40089234
    Found by: call frame info
31  libc.so + 0xd3ca
     sp = 0x7ef02dd0    pc = 0x400893cc
    Found by: stack scanning

bcwhite@, you're making lots of changes to metrics_hashes.cc. Could you take a look? Is this already fixed?

 
Has anyone reproduced this locally?  My N4 isn't crashing.

I'm not sure how to read this.  The crash is SIGABRT saying "stack corruption detected" but also "Crash address: 0x0".  What is it trying to execute at 0?  I'm assuming that a basic memory address would be SIGSEGV.

The stack trace shows that it got into MD5 correctly but then goes into libc.  There's no call from MD5Sum to libc.  It seems unlikely the compiler would inline MD5Final into MD5Sum which tells me that the MD5Final stack frame is the top-most frame that is corrupted (and thus fails to appear in the stack trace).

This doesn't appear to be a problem with the metrics code (which is just passing a StringPiece derived from a std::string down to MD5) but then MD5 has been stable for a long time.

The two changes I've made that would affect this are:

1) HashMetricName takes a StringPiece instead of std::string, though in this case the Piece was constructed from string.

2) Hashes are used as keys to the internal histogram map so are being created during FactoryGet() whereas previously the key was a string.  The result is more calls to HashMetricName().

Cc: bcwh...@chromium.org
Owner: ----
Status: Available (was: Assigned)
Not likely due to anything in HashMetricName.

> There's no call from MD5Sum to libc.
MD5 -> MD5Update -> memcpy -> libc

> which tells me that the MD5Final stack frame is the top-most frame that is corrupted (and thus fails to appear in the stack trace).
I think more likely the topmost thing was MD5Update (I guess stack unwinding ate one frame somehow)
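
An added example for reading the logcat excerpt (not part of the original thread and not Chromium tooling): the abort message comes from `__stack_chk_fail`, which a stack-protected function calls from its own epilogue when its canary has changed, so the frame directly after it in a debuggerd backtrace is the function whose check failed. The Python sketch below parses lines taken from the report and picks out that frame; the function names `parse_tombstone` and `canary_failure_site` are hypothetical.

```python
import re

# Lines copied from the logcat excerpt in the report above (register dump omitted).
SAMPLE = """\
03-15 10:40:38.094  4920  4996 F libc    : Fatal signal 6 (SIGABRT) at 0x00001338 (code=-6), thread 4996 (Chrome_IOThread)
03-15 10:40:38.174   118   118 I DEBUG   : Abort message: 'stack corruption detected'
03-15 10:40:38.384   625   645 D SensorService:  [AR] 4.8 0.5 8.5
03-15 10:40:38.424   118   118 I DEBUG   : backtrace:
03-15 10:40:38.424   118   118 I DEBUG   :     #00  pc 0002260c  /system/lib/libc.so (tgkill+12)
03-15 10:40:38.424   118   118 I DEBUG   :     #01  pc 000130a1  /system/lib/libc.so (pthread_kill+48)
03-15 10:40:38.424   118   118 I DEBUG   :     #02  pc 000132b5  /system/lib/libc.so (raise+10)
03-15 10:40:38.424   118   118 I DEBUG   :     #03  pc 00011feb  /system/lib/libc.so
03-15 10:40:38.424   118   118 I DEBUG   :     #04  pc 00021ec0  /system/lib/libc.so (abort+4)
03-15 10:40:38.424   118   118 I DEBUG   :     #05  pc 00012ad1  /system/lib/libc.so
03-15 10:40:38.424   118   118 I DEBUG   :     #06  pc 00011fbb  /system/lib/libc.so (__stack_chk_fail+6)
03-15 10:40:38.424   118   118 I DEBUG   :     #07  pc 0007f279  /data/app-lib/com.android.chrome-1/libchrome.so
"""

# debuggerd frame line: "#NN  pc <hex offset>  <library> (<symbol>+<off>)"; the symbol is optional.
FRAME = re.compile(r"I DEBUG\s*:\s+#(\d+)\s+pc ([0-9a-f]+)\s+(\S+)(?: \((\w+)\+(\d+)\))?")
ABORT = re.compile(r"Abort message: '(.*)'")

def parse_tombstone(text):
    """Return (abort_message, frames) from debuggerd lines in a logcat capture."""
    abort, frames = None, []
    for line in text.splitlines():
        if (m := ABORT.search(line)):
            abort = m.group(1)
        elif (m := FRAME.search(line)):
            idx, pc, lib, sym, _off = m.groups()
            frames.append({"index": int(idx), "pc": int(pc, 16), "lib": lib, "symbol": sym})
    return abort, frames

def canary_failure_site(frames):
    """Frame that called __stack_chk_fail: the function whose epilogue canary check failed."""
    for i, frame in enumerate(frames):
        if frame["symbol"] == "__stack_chk_fail" and i + 1 < len(frames):
            return frames[i + 1]
    return None  # no stack-protector abort in this backtrace

if __name__ == "__main__":
    abort, frames = parse_tombstone(SAMPLE)
    site = canary_failure_site(frames)
    print(abort, "->", site["lib"], hex(site["pc"]))
```

The offset it reports is relative to the library's load address, so it still has to be symbolized against the matching unstripped `libchrome.so` build.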


Project Member

Comment 4 by sheriffbot@chromium.org, Apr 20 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been available for more than 365 days, and should be re-evaluated. Please re-triage this issue.
The Hotlist-Recharge-Cold label is applied for tracking purposes, and should not be removed after re-triaging the issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Pri-3
NextAction: 2019-07-09
Downgrading P2s that haven't been modified in more than 6 months, which have no component or owner.
