Mojo using V8 after it's destroyed
Issue description

This appeared in https://build.chromium.org/p/chromium.memory.full/builders/Linux%20MSan%20Tests/builds/1328:

==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x49b0d0c in CreateHandle v8/src/handles-inl.h:103:7
    #1 0x49b0d0c in CreateHandle v8/src/api.cc:886:0
    #2 0x120573fd in New v8/include/v8.h:8266:40
    #3 0x120573fd in New v8/include/v8.h:8257:0
    #4 0x120573fd in context gin/public/context_holder.h:37:0
    #5 0x120573fd in Scope gin/runner.cc:18:0
    #6 0xab96f72 in OnHandleReady mojo/edk/js/waiting_callback.cc:72:22
    #7 0x3c2dcc4 in Run base/callback.h:64:12
    #8 0x3c2dcc4 in OnHandleReady mojo/public/cpp/system/watcher.cc:122:0
    #9 0x3c2dcc4 in WillDestroyCurrentMessageLoop mojo/public/cpp/system/watcher.cc:32:0
    #10 0xaed33dc in ~MessageLoop base/message_loop/message_loop.cc:174:3
    #11 0xaecaa4c in ?? base/message_loop/message_loop.cc:139:29
    #12 0x1c2de68d in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
    #13 0x1c2de68d in reset buildtools/third_party/libc++/trunk/include/memory:2735:0
    #14 0x1c2de68d in Shutdown content/renderer/render_thread_impl.cc:981:0
    #15 0x16469972 in ~ChildProcess content/child/child_process.cc:73:19
    #16 0x1c3c8883 in RendererMain content/renderer/renderer_main.cc:207:3
    #17 0xaddc092 in RunZygote content/app/content_main_runner.cc:343:14
    #18 0xaddf0ec in RunNamedProcessTypeMain content/app/content_main_runner.cc:426:12
    #19 0xade2601 in Run content/app/content_main_runner.cc:786:12
    #20 0xadda7d0 in ContentMain content/app/content_main.cc:20:28
    #21 0xcc56b08 in LaunchTests content/public/test/test_launcher.cc:523:12
    #22 0xae1273c in main chrome/test/base/browser_tests_main.cc:15:10
    #23 0x7f3f812c27ec in __libc_start_main /build/eglibc-oqps9y/eglibc-2.15/csu/libc-start.c:226:0
    #24 0x6fec18 in _start ??:0

  Uninitialized value was created by a heap deallocation
    #0 0x768ca2 in operator delete(void*) ??:0
    #1 0x60eab66 in TearDown v8/src/isolate.cc:2029:3
    #2 0x1f02716f in ~IsolateHolder gin/isolate_holder.cc:75:13
    #3 0x170ebfee in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
    #4 0x170ebfee in reset buildtools/third_party/libc++/trunk/include/memory:2735:0
    #5 0x170ebfee in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2703:0
    #6 0x170ebfee in ~V8PerIsolateData third_party/WebKit/Source/bindings/core/v8/V8PerIsolateData.cpp:79:0
    #7 0x170ed43c in destroy third_party/WebKit/Source/bindings/core/v8/V8PerIsolateData.cpp:258:5
    #8 0x16d7e9fe in shutdown third_party/WebKit/Source/web/WebKit.cpp:113:5
    #9 0x1c2de5fd in Shutdown content/renderer/render_thread_impl.cc:970:5
    #10 0x16469972 in ~ChildProcess content/child/child_process.cc:73:19
    #11 0x1c3c8883 in RendererMain content/renderer/renderer_main.cc:207:3
    #12 0xaddc092 in RunZygote content/app/content_main_runner.cc:343:14
    #13 0xaddf0ec in RunNamedProcessTypeMain content/app/content_main_runner.cc:426:12
    #14 0xade2601 in Run content/app/content_main_runner.cc:786:12
    #15 0xadda7d0 in ContentMain content/app/content_main.cc:20:28
    #16 0xcc56b08 in LaunchTests content/public/test/test_launcher.cc:523:12
    #17 0xae1273c in main chrome/test/base/browser_tests_main.cc:15:10
    #18 0x7f3f812c27ec in __libc_start_main /build/eglibc-oqps9y/eglibc-2.15/csu/libc-start.c:226:0

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/swarm_slave/w/iretxVzj/out/Release/browser_tests+0x49b0d0c)

RenderThreadImpl::Shutdown() calls blink::shutdown() at line 970, which destroys V8, and then main_message_loop_.reset() at line 981, which Mojo intercepts and tries to use V8.
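A minimal C++ model of the ordering problem the description identifies, added here as an illustration and not code from Chromium: V8 is torn down first, destroying the message loop then fires the watcher's OnHandleReady through its destruction observer, and the callback enters a V8 scope on an isolate that no longer exists. All class and function names are stand-ins for the Chromium ones in the trace, and the swapped order in the second branch is one way of keeping the callback off a dead isolate, not the fix the project chose.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Stand-in for a V8 isolate: a flag records teardown instead of freeing
// memory, so the model stays well defined (the real report reads freed memory).
struct Isolate { bool torn_down = false; };

// Stand-in for gin::Runner::Scope: entering it needs a live isolate.
bool EnterScope(const Isolate& isolate) { return !isolate.torn_down; }

// Stand-in for base::MessageLoop: destruction observers run from the
// destructor, which is how mojo's Watcher ends up calling OnHandleReady
// (WillDestroyCurrentMessageLoop) during teardown.
class MessageLoop {
 public:
  using Observer = std::function<void()>;
  void AddDestructionObserver(Observer o) { observers_.push_back(std::move(o)); }
  ~MessageLoop() { for (auto& o : observers_) o(); }
 private:
  std::vector<Observer> observers_;
};

// Stand-in for mojo::edk::js::WaitingCallback: on handle-ready it enters a
// V8 scope, and records whether it did so after the isolate was torn down.
struct WaitingCallback {
  explicit WaitingCallback(Isolate* isolate) : isolate_(isolate) {}
  void OnHandleReady() { if (!EnterScope(*isolate_)) used_after_teardown = true; }
  Isolate* isolate_;
  bool used_after_teardown = false;
};

// Models RenderThreadImpl::Shutdown(). v8_first = true reproduces the
// reported order: blink::shutdown() before main_message_loop_.reset().
// Returns true if the watcher callback touched V8 after teardown.
bool RunShutdown(bool v8_first) {
  auto isolate = std::make_unique<Isolate>();
  auto loop = std::make_unique<MessageLoop>();
  WaitingCallback cb(isolate.get());
  loop->AddDestructionObserver([&cb] { cb.OnHandleReady(); });
  if (v8_first) {
    isolate->torn_down = true;  // blink::shutdown() tears V8 down
    loop.reset();               // ~MessageLoop fires OnHandleReady: V8 is gone
  } else {
    loop.reset();               // drain watchers while V8 is still alive
    isolate->torn_down = true;  // then tear V8 down
  }
  return cb.used_after_teardown;
}
```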
Sep 15 2016
Closing this as a dupe of the clusterfuzz bug since it has more stuff going on and they seem to be clearly the same issue.
Sep 16 2016
To resolve this kind of problem, I'm now working on removing the shutdown sequence entirely.
Comment 1 by roc...@chromium.org, Sep 15 2016