
Issue 604501

Starred by 2 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome
Pri: 1
Type: Bug




RenderProcessHost::AllHostsIterator() returning null/deleted RPHs?

Project Member Reported by jyasskin@chromium.org, Apr 18 2016

Issue description

This appeared between CLs r387843 and r387853 inclusive on lots of bots, but I don't see a guilty-looking CL in there. 

https://build.chromium.org/p/chromium.memory.fyi/builders/Linux%20Tests%20%28valgrind%29%283%29/builds/50614/steps/memory_test%3A%20unit_tests_1_of_3/logs/stdio shows:

InvalidRead
Invalid read of size 8
  ExtensionService::NotifyExtensionLoaded(extensions::Extension const*) (chrome/browser/extensions/extension_service.cc:1035)
  ExtensionService::AddExtension(extensions::Extension const*) (chrome/browser/extensions/extension_service.cc:1521)
  BackgroundApplicationListModelTest_AddRemovePermissionsTest_Test::TestBody() (chrome/browser/background/background_application_list_model_unittest.cc:240)
Address 0xc0 is not stack'd, malloc'd or (recently) free'd

https://build.chromium.org/p/chromium.memory.fyi/builders/Chromium%20OS%20%28valgrind%29%285%29/builds/38023/steps/memory%20test%3A%20unit/logs/stdio shows the same, but at a wild address, not null:

InvalidRead
Invalid read of size 4
  std::__atomic2::__atomic_base<int>::fetch_add(int, std::memory_order) volatile (/mnt/data/b/build/slave/chromium-rel-chromeos-valgrind-tests-5/build/src/out/Release/unit_tests)
  base::subtle::Barrier_AtomicIncrement(int volatile*, int) (/mnt/data/b/build/slave/chromium-rel-chromeos-valgrind-tests-5/build/src/out/Release/unit_tests)
  base::AtomicRefCountDecN(int volatile*, int) (base/atomic_ref_count.h:29)
  base::AtomicRefCountDec(int volatile*) (/mnt/data/b/build/slave/chromium-rel-chromeos-valgrind-tests-5/build/src/out/Release/unit_tests)
  base::subtle::RefCountedThreadSafeBase::Release() const (base/memory/ref_counted.cc:42)
  base::RefCountedThreadSafe<base::Flag, base::DefaultRefCountedThreadSafeTraits<base::Flag> >::Release() const (base/memory/ref_counted.h:183)
  scoped_refptr<base::Flag>::Release(base::Flag*) (base/memory/ref_counted.h:419)
  scoped_refptr<base::Flag>::~scoped_refptr() (base/memory/ref_counted.h:304)
  base::AsyncWaiter::~AsyncWaiter() (/mnt/data/b/build/slave/chromium-rel-chromeos-valgrind-tests-5/build/src/out/Release/unit_tests)
  base::AsyncWaiter::~AsyncWaiter() (/mnt/data/b/build/slave/chromium-rel-chromeos-valgrind-tests-5/build/src/out/Release/unit_tests)
  ExtensionService::NotifyExtensionLoaded(extensions::Extension const*) (chrome/browser/extensions/extension_service.cc:1035)
  ExtensionService::AddExtension(extensions::Extension const*) (chrome/browser/extensions/extension_service.cc:1521)
  BackgroundApplicationListModelTest_AddRemovePermissionsTest_Test::TestBody() (chrome/browser/background/background_application_list_model_unittest.cc:240)
Address 0x1c7d3c18 is 8 bytes inside a block of size 24 free'd

https://build.chromium.org/p/chromium.memory.fyi/builders/Windows%20Unit%20%28DrMemory%29/builds/4627/steps/memory%20test%3A%20unit/logs/stdio reports

~~Dr.M~~ 
~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x106b5c20-0x106b5c24 4 byte(s)
~~Dr.M~~ # 0 ExtensionService::NotifyExtensionLoaded                                    [chrome\browser\extensions\extension_service.cc:1035]
~~Dr.M~~ # 1 ExtensionService::AddExtension                                             [chrome\browser\extensions\extension_service.cc:1521]
~~Dr.M~~ # 2 BackgroundApplicationListModelTest_ExplicitTest_Test::TestBody             [chrome\browser\background\background_application_list_model_unittest.cc:167]
~~Dr.M~~ # 3 testing::internal::HandleExceptionsInMethodIfSupported<>                   [testing\gtest\src\gtest.cc:2458]
~~Dr.M~~ Note: @0:11:20.752 in thread 3236
~~Dr.M~~ Note: prev lower malloc:  0x106b5be8-0x106b5c18
~~Dr.M~~ Note: instruction: mov    (%edi) -> %edx
~~Dr.M~~ 
~~Dr.M~~ Error #2: UNADDRESSABLE ACCESS: reading 0xf1fdf15c-0xf1fdf160 4 byte(s)
~~Dr.M~~ # 0 ExtensionService::NotifyExtensionLoaded                                    [chrome\browser\extensions\extension_service.cc:1035]
~~Dr.M~~ # 1 ExtensionService::AddExtension                                             [chrome\browser\extensions\extension_service.cc:1521]
~~Dr.M~~ # 2 BackgroundApplicationListModelTest_ExplicitTest_Test::TestBody             [chrome\browser\background\background_application_list_model_unittest.cc:167]
~~Dr.M~~ # 3 testing::internal::HandleExceptionsInMethodIfSupported<>                   [testing\gtest\src\gtest.cc:2458]
~~Dr.M~~ Note: @0:11:20.767 in thread 3236
~~Dr.M~~ Note: instruction: call   0x5c(%edx) %esp -> %esp 0xfffffffc(%esp)

https://build.chromium.org/p/chromium.memory.fyi/builders/Windows%20Unit%20%28DrMemory%20full%29%20%284%29/builds/10081/steps/memory%20test%3A%20unit/logs/stdio and https://build.chromium.org/p/chromium.memory.fyi/builders/Windows%20Unit%20%28DrMemory%20full%29%20%284%29/builds/10081/steps/memory%20test%3A%20unit_1/logs/stdio show different tests:

~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x0f8a34d0-0x0f8a34d4 4 byte(s)
~~Dr.M~~ # 0 ExtensionService::NotifyExtensionLoaded                                [chrome\browser\extensions\extension_service.cc:1035]
~~Dr.M~~ # 1 ExtensionService::AddExtension                                         [chrome\browser\extensions\extension_service.cc:1521]
~~Dr.M~~ # 2 extensions::TestExtensionEnvironment::MakeExtension                    [chrome\browser\extensions\test_extension_environment.cc:148]
~~Dr.M~~ # 3 SavedFilesServiceUnitTest::SetUp                                       [apps\saved_files_service_unittest.cc:40]
~~Dr.M~~ # 4 testing::internal::HandleExceptionsInMethodIfSupported<>               [testing\gtest\src\gtest.cc:2458]
~~Dr.M~~ Note: @0:17:27.025 in thread 2448
~~Dr.M~~ Note: next higher malloc: 0x0f8a34d8-0x0f8a351c
~~Dr.M~~ Note: prev lower malloc:  0x0f8a3488-0x0f8a34b8
~~Dr.M~~ Note: instruction: mov    (%edi) -> %edx

~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x0a1c7848-0x0a1c784c 4 byte(s)
~~Dr.M~~ # 0 ExtensionService::NotifyExtensionLoaded                                    [chrome\browser\extensions\extension_service.cc:1035]
~~Dr.M~~ # 1 ExtensionService::AddExtension                                             [chrome\browser\extensions\extension_service.cc:1521]
~~Dr.M~~ # 2 ExtensionService::FinishInstallation                                       [chrome\browser\extensions\extension_service.cc:1937]
~~Dr.M~~ # 3 ExtensionService::AddNewOrUpdatedExtension                                 [chrome\browser\extensions\extension_service.cc:1866]
~~Dr.M~~ # 4 ExtensionService::OnExtensionInstalled                                     [chrome\browser\extensions\extension_service.cc:1816]
~~Dr.M~~ # 5 extensions::UnpackedInstaller::InstallExtension                            [chrome\browser\extensions\unpacked_installer.cc:361]
~~Dr.M~~ # 6 extensions::UnpackedInstaller::OnInstallChecksComplete                     [chrome\browser\extensions\unpacked_installer.cc:250]
~~Dr.M~~ # 7 base::internal::Invoker<>::Run                                             [base\bind_internal.h:372]
~~Dr.M~~ # 8 extensions::ExtensionInstallChecker::MaybeInvokeCallback                   [chrome\browser\extensions\extension_install_checker.cc:170]
~~Dr.M~~ # 9 extensions::ExtensionInstallChecker::OnRequirementsCheckDone               [chrome\browser\extensions\extension_install_checker.cc:111]
~~Dr.M~~ #10 base::internal::Invoker<>::Run                                             [base\bind_internal.h:372]
~~Dr.M~~ #11 base::internal::Invoker<>::Run                                             [base\bind_internal.h:372]
~~Dr.M~~ #12 base.dll!base::debug::TaskAnnotator::RunTask                               [base\debug\task_annotator.cc:51]
~~Dr.M~~ #13 base.dll!base::MessageLoop::RunTask                                        [base\message_loop\message_loop.cc:479]
~~Dr.M~~ #14 base.dll!base::MessageLoop::DeferOrRunPendingTask                          [base\message_loop\message_loop.cc:488]
~~Dr.M~~ #15 base.dll!base::MessageLoop::DoWork                                         [base\message_loop\message_loop.cc:600]
~~Dr.M~~ #16 base.dll!base::MessagePumpForIO::DoRunLoop                                 [base\message_loop\message_pump_win.cc:493]
~~Dr.M~~ #17 base.dll!base::MessageLoop::RunHandler                                     [base\message_loop\message_loop.cc:443]
~~Dr.M~~ #18 extensions::`anonymous namespace'::KeywordExtensionsDelegateImplTest::RunTest [chrome\browser\autocomplete\keyword_extensions_delegate_impl_unittest.cc:106]
~~Dr.M~~ #19 extensions::`anonymous namespace'::KeywordExtensionsDelegateImplTest_IsEnabledExtension_Test::TestBody [chrome\browser\autocomplete\keyword_extensions_delegate_impl_unittest.cc:139]
~~Dr.M~~ #20 testing::Test::Run                                                         [testing\gtest\src\gtest.cc:2474]


AddressSanitizer is not reporting anything: https://chromium-swarm.appspot.com/user/task/2e43eaea5360dc10
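Added example, not part of the original report or of Chromium's tooling: a triage script that normalises the Valgrind and Dr. Memory stanzas quoted above into one crash signature, showing that reports with different top frames still converge on extension_service.cc:1035. The sample text is abridged from the logs in this report; the function names and the `NOISE` skip list are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample: stanzas abridged from the tool output quoted in this report.
SAMPLE = r"""
Invalid read of size 8
  ExtensionService::NotifyExtensionLoaded(extensions::Extension const*) (chrome/browser/extensions/extension_service.cc:1035)
  ExtensionService::AddExtension(extensions::Extension const*) (chrome/browser/extensions/extension_service.cc:1521)
Address 0xc0 is not stack'd, malloc'd or (recently) free'd
Invalid read of size 4
  base::AtomicRefCountDecN(int volatile*, int) (base/atomic_ref_count.h:29)
  base::subtle::RefCountedThreadSafeBase::Release() const (base/memory/ref_counted.cc:42)
  ExtensionService::NotifyExtensionLoaded(extensions::Extension const*) (chrome/browser/extensions/extension_service.cc:1035)
Address 0x1c7d3c18 is 8 bytes inside a block of size 24 free'd
~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x106b5c20-0x106b5c24 4 byte(s)
~~Dr.M~~ # 0 ExtensionService::NotifyExtensionLoaded      [chrome\browser\extensions\extension_service.cc:1035]
~~Dr.M~~ # 1 ExtensionService::AddExtension               [chrome\browser\extensions\extension_service.cc:1521]
"""

START = re.compile(r"^(?:Invalid \w+ of size \d+|~~Dr\.M~~ Error #\d+:)")
VG_FRAME = re.compile(r"^\s+(.+?) \(([^():]+):(\d+)\)$")           # Valgrind: func (path:line)
DM_FRAME = re.compile(r"^~~Dr\.M~~ #\s*\d+ (.+?)\s+\[(.+):(\d+)\]$")  # Dr. Memory: func [path:line]
NOISE = ("base/", "testing/")  # assumption: library paths skipped when picking a signature

def parse_reports(text):
    """Split tool output into reports, each a list of (function, path, line) frames."""
    reports = []
    for line in text.splitlines():
        if START.match(line):
            reports.append([])
            continue
        m = VG_FRAME.match(line) or DM_FRAME.match(line)
        if m and reports:
            # Drop argument lists and "module!" prefixes; use forward slashes on all platforms.
            func = m.group(1).split("(")[0].split("!")[-1]
            reports[-1].append((func, m.group(2).replace("\\", "/"), int(m.group(3))))
    return reports

def signature(frames):
    """Innermost frame with source info that is not under a NOISE path."""
    for func, path, line in frames:
        if not path.startswith(NOISE):
            return f"{func} {path}:{line}"
    return None

def group(text):
    """Count reports per signature."""
    return Counter(signature(frames) for frames in parse_reports(text))

if __name__ == "__main__":
    for sig, count in group(SAMPLE).most_common():
        print(count, sig)
```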
 
Labels: Stability-Memory-DrMemory
Owner: amistry@chromium.org
Status: Started (was: Available)
I'll take a look.
`tools/valgrind/chrome_tests.sh -b out_valgrind/Release/ -t unit` does reproduce the error, but running the specific tests at the root of the failure stacks doesn't on their own. Something in the process before they run is corrupting things.
Cc: groby@chromium.org
Project Member

Comment 5 by sheriffbot@chromium.org, Jun 1 2016

Labels: -M-52 M-53 MovedFrom-52
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 13 2016

Labels: -M-53 -Pri-1 M-54 MovedFrom-53 Pri-2
This issue is Pri-1 but has already been moved once. Lowering the priority and moving to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Pri-2 Pri-1
Owner: ----
Status: Available (was: Started)
Project Member

Comment 8 by sheriffbot@chromium.org, Jul 21 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
