Issue 658753 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Mus+Ash tear down crash

Project Member Reported by fsam...@chromium.org, Oct 24 2016

Issue description

Received signal 11 <unknown> 000000000000
#0 0x7f2553ca2a8e base::debug::StackTrace::StackTrace()
#1 0x7f2553ca25cf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f25540b5330 <unknown>
#3 0x7f255a414d04 ui::ws::ServerWindow::SetBounds()
#4 0x7f255a3da8e3 ui::ws::WindowTree::SetWindowBounds()
#5 0x7f2555fa875f ui::mojom::WindowTreeStubDispatch::Accept()
#6 0x7f255a3ecd63 ui::mojom::WindowTreeStub<>::Accept()
#7 0x7f2554464002 mojo::InterfaceEndpointClient::HandleValidatedMessage()
#8 0x7f25544639f1 mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept()
#9 0x7f255446184a mojo::FilterChain::Accept()
#10 0x7f2554465886 mojo::InterfaceEndpointClient::HandleIncomingMessage()
#11 0x7f25544763b9 mojo::internal::MultiplexRouter::ProcessIncomingMessage()
#12 0x7f255447468f mojo::internal::MultiplexRouter::ProcessTasks()
#13 0x7f2554476fc0 mojo::internal::MultiplexRouter::LockAndCallProcessTasks()
#14 0x7f255447fe5e _ZN4base8internal13FunctorTraitsIMN4mojo8internal15MultiplexRouterEFvvEvE6InvokeIRK13scoped_refptrIS4_EJEEEvS6_OT_DpOT0_
#15 0x7f255447fdb1 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN4mojo8internal15MultiplexRouterEFvvEJRK13scoped_refptrIS6_EEEEvOT_DpOT0_
#16 0x7f255447fd52 _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo8internal15MultiplexRouterEFvvEJ13scoped_refptrIS5_EEEEFvvEE7RunImplIRKS7_RKSt5tupleIJS9_EEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#17 0x7f255447fc9c _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo8internal15MultiplexRouterEFvvEJ13scoped_refptrIS5_EEEEFvvEE3RunEPNS0_13BindStateBaseE
#18 0x7f2553ca8061 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#19 0x7f2553ca7a99 base::debug::TaskAnnotator::RunTask()
#20 0x7f2553d313df base::MessageLoop::RunTask()
#21 0x7f2553d31644 base::MessageLoop::DeferOrRunPendingTask()
#22 0x7f2553d3192e base::MessageLoop::DoWork()
#23 0x7f2553d47dac base::MessagePumpLibevent::Run()
#24 0x7f2553d30fa5 base::MessageLoop::RunHandler()

Cc: kylec...@chromium.org
Owner: sadrul@chromium.org
Status: Assigned (was: Untriaged)
Assigning to sadrul@ for triage.

Comment 2 by sadrul@chromium.org, Oct 24 2016

How do you trigger the tear down in this case? Close the X11 window?
Yes

Comment 4 by sadrul@chromium.org, Oct 24 2016

Looks like a UAF issue:

READ of size 8 at 0x612000001240 thread T0
    #0 0x7f235b382210 in SetBounds ./out/cros/../../services/ui/ws/server_window.cc:171:14
    #1 0x7f235b34427d in SetWindowBounds ./out/cros/../../services/ui/ws/window_tree.cc:1298:13
    #2 0x7f2355ebd4d6 in Accept ./out/cros/gen/services/ui/public/interfaces/window_tree.mojom.cc:1501:13
    #3 0x7f2352d33c89 in HandleValidatedMessage ./out/cros/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:339:32
    #4 0x7f2352d323c6 in Accept ./out/cros/../../mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
    #5 0x7f2352d36f0e in HandleIncomingMessage ./out/cros/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:273:19
    #6 0x7f2352d4b685 in ProcessIncomingMessage ./out/cros/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:824:22
    #7 0x7f2352d46c3e in ProcessTasks ./out/cros/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:656:15
    #8 0x7f2352d4d891 in LockAndCallProcessTasks ./out/cros/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:851:3
    #9 0x7f23527c672b in Run ./out/cros/../../base/callback.h:47:12
    #10 0x7f23527c672b in RunTask ./out/cros/../../base/debug/task_annotator.cc:52:0
    #11 0x7f2352850c92 in RunTask ./out/cros/../../base/message_loop/message_loop.cc:413:19
    #12 0x7f2352851b5b in DeferOrRunPendingTask ./out/cros/../../base/message_loop/message_loop.cc:422:5
    #13 0x7f2352852ced in DoWork ./out/cros/../../base/message_loop/message_loop.cc:515:13
    #14 0x7f235285e550 in Run ./out/cros/../../base/message_loop/message_pump_libevent.cc:218:31
    #15 0x7f23528502d2 in RunHandler ./out/cros/../../base/message_loop/message_loop.cc:378:10
    #16 0x7f23528ec5fe in Run ./out/cros/../../base/run_loop.cc:35:10
    #17 0x7f23548942fe in StartChildApp ./out/cros/../../chrome/app/mash/mash_runner.cc:188:19
    #18 0x7f2354898329 in Invoke<MashRunner *, mojo::InterfaceRequest<service_manager::mojom::Service> > ./out/cros/../../base/bind_internal.h:214:12
    #19 0x7f2354898329 in MakeItSo<void (MashRunner::*const &)(mojo::InterfaceRequest<service_manager::mojom::Service>), MashRunner *, mojo::InterfaceRequest<service_manager::mojom::Service> > ./out/cros/../../base/bind_internal.h:285:0
    #20 0x7f2354898329 in RunImpl<void (MashRunner::*const &)(mojo::InterfaceRequest<service_manager::mojom::Service>), const std::tuple<base::internal::UnretainedWrapper<MashRunner> > &, 0> ./out/cros/../../base/bind_internal.h:361:0
    #21 0x7f2354898329 in Run ./out/cros/../../base/bind_internal.h:339:0
    #22 0x7f23565f9bb6 in Run ./out/cros/../../base/callback.h:64:12
    #23 0x7f23565f9bb6 in ChildProcessMainWithCallback ./out/cros/../../services/service_manager/runner/host/child_process_base.cc:125:0
    #24 0x7f235489229d in RunChild ./out/cros/../../chrome/app/mash/mash_runner.cc:174:3
    #25 0x7f235489457b in Run ./out/cros/../../chrome/app/mash/mash_runner.cc:120:5
    #26 0x7f235489457b in MashMain ./out/cros/../../chrome/app/mash/mash_runner.cc:222:0
    #27 0x7f235488da4b in ChromeMain ./out/cros/../../chrome/app/chrome_main.cc:93:14
    #28 0x7f233753cf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0

0x612000001240 is located 0 bytes inside of 264-byte region [0x612000001240,0x612000001348)
freed by thread T0 here:
    #0 0x7f235488b3cb in operator delete(void*) ??:?
    #1 0x7f235b37ac23 in operator() ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
    #2 0x7f235b37ac23 in reset ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245:0
    #3 0x7f235b37ac23 in ~DefaultPlatformDisplay ./out/cros/../../services/ui/ws/platform_display.cc:101:0
    #4 0x7f235b37ac23 in ~DefaultPlatformDisplay ./out/cros/../../services/ui/ws/platform_display.cc:97:0
    #5 0x7f235b35f805 in operator() ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:63:2
    #6 0x7f235b35f805 in reset ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:245:0
    #7 0x7f235b35f805 in ~unique_ptr ./out/cros/../../build/linux/ubuntu_precise_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:169:0
    #8 0x7f235b35f805 in ~Display ./out/cros/../../services/ui/ws/display.cc:67:0
    #9 0x7f235b35fa1d in ?? ./out/cros/../../services/ui/ws/display.cc:46:21
    #10 0x7f235b2e7a08 in DestroyDisplay ./out/cros/../../services/ui/ws/display_manager.cc:64:3
    #11 0x7f235b2e9318 in OnDisplayRemoved ./out/cros/../../services/ui/ws/display_manager.cc:192:5
    #12 0x7f235653c572 in UpdateCachedDisplays ./out/cros/../../services/ui/display/platform_screen_ozone.cc:219:18
    #13 0x7f235653d383 in OnDisplayModeChanged ./out/cros/../../services/ui/display/platform_screen_ozone.cc:296:3
    #14 0x7f23471b320e in NotifyDisplayStateObservers ./out/cros/../../ui/display/chromeos/display_configurator.cc:1113:16
    #15 0x7f23471ad2a1 in OnConfigured ./out/cros/../../ui/display/chromeos/display_configurator.cc:1062:3
    #16 0x7f23471c522f in Run ./out/cros/../../base/callback.h:64:12
    #17 0x7f23471c522f in FinishConfiguration ./out/cros/../../ui/display/chromeos/update_display_configuration_task.cc:154:0
    #18 0x7f23471c522f in OnStateEntered ./out/cros/../../ui/display/chromeos/update_display_configuration_task.cc:139:0
    #19 0x7f23471c4bf3 in Run ./out/cros/../../base/callback.h:64:12
    #20 0x7f23471c4bf3 in EnterState ./out/cros/../../ui/display/chromeos/update_display_configuration_task.cc:103:0
    #21 0x7f23471c373f in OnDisplaysUpdated ./out/cros/../../ui/display/chromeos/update_display_configuration_task.cc:75:5
    #22 0x7f23471d183a in Run ./out/cros/../../base/callback.h:64:12
    #23 0x7f23471d183a in GetDisplays ./out/cros/../../ui/display/fake_display_delegate.cc:129:0
    #24 0x7f23471c2e72 in Run ./out/cros/../../ui/display/chromeos/update_display_configuration_task.cc:42:14
    #25 0x7f23471abc65 in RunPendingConfiguration ./out/cros/../../ui/display/chromeos/display_configurator.cc:1020:24
    #26 0x7f23529b8e94 in Run ./out/cros/../../base/callback.h:64:12
    #27 0x7f23529b8e94 in RunScheduledTask ./out/cros/../../base/timer/timer.cc:213:0
    #28 0x7f23527c672b in Run ./out/cros/../../base/callback.h:47:12
    #29 0x7f23527c672b in RunTask ./out/cros/../../base/debug/task_annotator.cc:52:0
    #30 0x7f2352850c92 in RunTask ./out/cros/../../base/message_loop/message_loop.cc:413:19
    #31 0x7f2352851b5b in DeferOrRunPendingTask ./out/cros/../../base/message_loop/message_loop.cc:422:5
    #32 0x7f235285337e in DoDelayedWork ./out/cros/../../base/message_loop/message_loop.cc:554:10
    #33 0x7f235285e2d5 in Run ./out/cros/../../base/message_loop/message_pump_libevent.cc:228:27
    #34 0x7f23528502d2 in RunHandler ./out/cros/../../base/message_loop/message_loop.cc:378:10
    #35 0x7f23528ec5fe in Run ./out/cros/../../base/run_loop.cc:35:10

Looks like FrameGenerator adds itself as an observer to ServerWindows, but doesn't always remove itself from the observer list when it is destroyed, causing the issue.

Comment 5 by bugdroid1@chromium.org, Oct 27 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5c957cc407f5599935fdb3a2de0c5a80415e9557

commit 5c957cc407f5599935fdb3a2de0c5a80415e9557
Author: sadrul <sadrul@chromium.org>
Date: Thu Oct 27 18:22:37 2016

mus: Fix a teardown crash.

FrameGenerator installs itself as an observer to a number of windows.
When a window is destroyed, it removes itself from the observer list.
However, if the FrameGenerator is destroyed before the windows (which
is the case during teardown), then FrameGenerator does not remove
itself from the set of observers for the windows. To fix this, change
FrameGenerator to use the ServerWindowTracker to track the windows,
so that it is correctly removed from the observer list during tear
down.

BUG= 658753 

Review-Url: https://codereview.chromium.org/2451863003
Cr-Commit-Position: refs/heads/master@{#428082}

[modify] https://crrev.com/5c957cc407f5599935fdb3a2de0c5a80415e9557/services/ui/ws/frame_generator.cc
[modify] https://crrev.com/5c957cc407f5599935fdb3a2de0c5a80415e9557/services/ui/ws/frame_generator.h

Status: Fixed (was: Assigned)
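The observer-lifetime defect that comment 4 and the commit message describe, reduced to a runnable model. This is an added example, not Chromium's code: `Window`, `WindowObserver`, `NaiveFrameGenerator`, `WindowTracker` and `TrackedFrameGenerator` are illustrative stand-ins for `ServerWindow`, `ServerWindowObserver`, the pre-fix `FrameGenerator`, `ServerWindowTracker` and the post-fix `FrameGenerator`; the real classes' APIs are not reproduced. The two teardown orders from the thread are exercised side by side, and the stale pointer the bug leaves behind is counted but never dereferenced.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

class Window;

// Stand-in for ServerWindowObserver (assumed interface, not Chromium's).
class WindowObserver {
 public:
  virtual ~WindowObserver() = default;
  virtual void OnBoundsChanged(Window*) {}
  virtual void OnWindowDestroying(Window*) {}
};

// Stand-in for ServerWindow: keeps raw, non-owning observer pointers.
class Window {
 public:
  ~Window() {
    // Observers may unregister inside the callback, so iterate over a copy.
    std::vector<WindowObserver*> copy = observers_;
    for (WindowObserver* o : copy) o->OnWindowDestroying(this);
  }
  void AddObserver(WindowObserver* o) { observers_.push_back(o); }
  void RemoveObserver(WindowObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o), observers_.end());
  }
  // The frame where the ASan report fired: every registered pointer is dereferenced.
  void SetBounds(int w, int h) {
    width_ = w, height_ = h;
    std::vector<WindowObserver*> copy = observers_;
    for (WindowObserver* o : copy) o->OnBoundsChanged(this);
  }
  size_t observer_count() const { return observers_.size(); }
  // Demo-only helper so the buggy case can tear down without calling a stale entry.
  void ClearObservers() { observers_.clear(); }

 private:
  std::vector<WindowObserver*> observers_;
  int width_ = 0, height_ = 0;
};

// Pre-fix pattern: unregisters only when the *window* goes away. If the
// generator dies first, its address stays in the window's observer list.
class NaiveFrameGenerator : public WindowObserver {
 public:
  void Observe(Window* w) { w->AddObserver(this); }
  void OnWindowDestroying(Window* w) override { w->RemoveObserver(this); }
  // No destructor work: that is the defect.
};

// Stand-in for ServerWindowTracker: owns the registration in both directions
// and unregisters from every still-live window when it is destroyed.
class WindowTracker : public WindowObserver {
 public:
  explicit WindowTracker(WindowObserver* delegate) : delegate_(delegate) {}
  ~WindowTracker() override { for (Window* w : windows_) w->RemoveObserver(this); }
  void Add(Window* w) { windows_.push_back(w); w->AddObserver(this); }
  size_t size() const { return windows_.size(); }
  void OnBoundsChanged(Window* w) override { delegate_->OnBoundsChanged(w); }
  void OnWindowDestroying(Window* w) override {
    windows_.erase(std::remove(windows_.begin(), windows_.end(), w), windows_.end());
    w->RemoveObserver(this);  // drop the dying window so ~WindowTracker never touches it
  }

 private:
  WindowObserver* delegate_;
  std::vector<Window*> windows_;
};

// Post-fix pattern: the tracker is a member, so it is destroyed together with
// the generator and deregistration happens in every teardown order.
class TrackedFrameGenerator : public WindowObserver {
 public:
  TrackedFrameGenerator() : tracker_(this) {}
  void Observe(Window* w) { tracker_.Add(w); }
  void OnBoundsChanged(Window*) override { ++bounds_events_; }
  int bounds_events() const { return bounds_events_; }
  size_t tracked_windows() const { return tracker_.size(); }

 private:
  int bounds_events_ = 0;
  WindowTracker tracker_;
};

// Teardown order from the bug: generator first, window second. Returns the
// entries left in the window's observer list; any entry left is dangling.
size_t StaleEntriesAfterNaiveTeardown() {
  Window w;
  {
    NaiveFrameGenerator gen;
    gen.Observe(&w);
  }  // gen is gone, but w still holds its address
  size_t stale = w.observer_count();  // 1: w.SetBounds() here would be the UAF
  w.ClearObservers();                 // demo-only, keeps ~Window() off the stale pointer
  return stale;
}

size_t StaleEntriesAfterTrackedTeardown() {
  Window w;
  {
    TrackedFrameGenerator gen;
    gen.Observe(&w);
  }  // ~WindowTracker removed the registration
  return w.observer_count();  // 0: w.SetBounds() is safe
}

// The order that already worked: window destroyed first. The tracker must
// forget the dead window and still forward bounds changes while it lived.
bool TrackedHandlesWindowFirst() {
  TrackedFrameGenerator gen;
  {
    Window w;
    gen.Observe(&w);
    w.SetBounds(640, 480);  // forwarded through the tracker to the generator
  }
  return gen.bounds_events() == 1 && gen.tracked_windows() == 0;
}
```

The point of the tracker is that the unregistration no longer depends on which object happens to die first: whichever side is destroyed, the remaining side is informed and the raw pointer is removed before it can be dereferenced from `SetBounds`. Under ASan the naive order would report exactly the "freed by thread T0" stack in comment 4 as soon as the window next notifies its observers.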