
Issue 667742


Issue metadata

Status: WontFix
Closed: Mar 2017
OS: Linux
Pri: 3
Type: Bug




TSan reports a data race in WebUIMojoTest.EndToEndPing

Project Member Reported by glider@chromium.org, Nov 22 2016

Issue description

See https://build.chromium.org/p/chromium.memory.full/builders/Linux%20TSan%20Tests/builds/3797/steps/content_browsertests%20on%20Ubuntu-12.04/logs/stdio:

[ RUN      ] WebUIMojoTest.EndToEndPing
[6393:6393:1122/033841:39210502062:WARNING:audio_manager.cc(317)] Multiple instances of AudioManager detected
[6393:6393:1122/033841:39210502287:WARNING:audio_manager.cc(278)] Multiple instances of AudioManager detected
Xlib:  extension "RANDR" missing on display ":9".
==================
WARNING: ThreadSanitizer: heap-use-after-free (pid=6424)
  Read of size 8 at 0x7b9400000060 by main thread:
    #0 New v8/include/v8.h:8467:54 (content_browsertests+0x000005ea69a0)
    #1 New v8/include/v8.h:8457 (content_browsertests+0x000005ea69a0)
    #2 context gin/public/context_holder.h:37 (content_browsertests+0x000005ea69a0)
    #3 gin::Runner::Scope::Scope(gin::Runner*) gin/runner.cc:18 (content_browsertests+0x000005ea69a0)
    #4 mojo::edk::js::WaitingCallback::OnHandleReady(unsigned int) mojo/edk/js/waiting_callback.cc:72:22 (content_browsertests+0x0000058fc8d7)
    #5 Invoke<mojo::edk::js::WaitingCallback *, unsigned int> base/bind_internal.h:214:12 (content_browsertests+0x0000058fd004)
    #6 MakeItSo<void (mojo::edk::js::WaitingCallback::*const &)(unsigned int), mojo::edk::js::WaitingCallback *, unsigned int> base/bind_internal.h:285 (content_browsertests+0x0000058fd004)
    #7 RunImpl<void (mojo::edk::js::WaitingCallback::*const &)(unsigned int), const std::__1::tuple<base::internal::UnretainedWrapper<mojo::edk::js::WaitingCallback> > &, 0> base/bind_internal.h:361 (content_browsertests+0x0000058fd004)
    #8 base::internal::Invoker<base::internal::BindState<void (mojo::edk::js::WaitingCallback::*)(unsigned int), base::internal::UnretainedWrapper<mojo::edk::js::WaitingCallback> >, void (unsigned int)>::Run(base::internal::BindStateBase*, unsigned int&&) base/bind_internal.h:339 (content_browsertests+0x0000058fd004)
    #9 Run base/callback.h:85:12 (content_browsertests+0x000002b9035c)
    #10 OnHandleReady mojo/public/cpp/system/watcher.cc:122 (content_browsertests+0x000002b9035c)
    #11 mojo::Watcher::MessageLoopObserver::WillDestroyCurrentMessageLoop() mojo/public/cpp/system/watcher.cc:32 (content_browsertests+0x000002b9035c)
    #12 base::MessageLoop::~MessageLoop() base/message_loop/message_loop.cc:128:14 (content_browsertests+0x000002912f59)
    #13 base::MessageLoop::~MessageLoop() base/message_loop/message_loop.cc:92:29 (content_browsertests+0x000002910a89)
    #14 operator() buildtools/third_party/libc++/trunk/include/memory:2529:13 (content_browsertests+0x000003d0b27e)
    #15 reset buildtools/third_party/libc++/trunk/include/memory:2735 (content_browsertests+0x000003d0b27e)
    #16 content::RenderThreadImpl::Shutdown() content/renderer/render_thread_impl.cc:1041 (content_browsertests+0x000003d0b27e)
    #17 non-virtual thunk to content::RenderThreadImpl::Shutdown() content/renderer/render_thread_impl.cc:919:24 (content_browsertests+0x000003d0b35d)
    #18 content::ChildProcess::~ChildProcess() content/child/child_process.cc:73:19 (content_browsertests+0x000003c1a33a)
    #19 content::RenderProcessImpl::~RenderProcessImpl() content/renderer/render_process_impl.cc:116:1 (content_browsertests+0x000003d03bcf)
    #20 content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:208:3 (content_browsertests+0x000003d4acab)
    #21 content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:337:14 (content_browsertests+0x000001d20588)
    #22 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:417:12 (content_browsertests+0x000001d21137)
    #23 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:775:12 (content_browsertests+0x000001d21dd7)
    #24 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28 (content_browsertests+0x000001d190ce)
    #25 content::LaunchTests(content::TestLauncherDelegate*, int, int, char**) content/public/test/test_launcher.cc:526:12 (content_browsertests+0x000002491a0a)
    #26 main content/test/content_test_launcher.cc:131:10 (content_browsertests+0x000002476f02)

  Previous write of size 8 at 0x7b9400000060 by main thread:
    #0 operator delete(void*) <null> (content_browsertests+0x00000051188d)
    #1 v8::internal::GlobalHandles::~GlobalHandles() v8/src/global-handles.cc:552:5 (content_browsertests+0x00000149af2a)
    #2 v8::internal::Isolate::~Isolate() v8/src/isolate.cc:2358:3 (content_browsertests+0x0000015f1d87)
    #3 v8::internal::Isolate::TearDown() v8/src/isolate.cc:2197:3 (content_browsertests+0x0000015f0dc0)
    #4 v8::Isolate::Dispose() v8/src/api.cc:7991:12 (content_browsertests+0x000000eeef58)
    #5 gin::IsolateHolder::~IsolateHolder() gin/isolate_holder.cc:75:13 (content_browsertests+0x000005ea65f2)
    #6 operator() buildtools/third_party/libc++/trunk/include/memory:2529:13 (content_browsertests+0x000004255be8)
    #7 reset buildtools/third_party/libc++/trunk/include/memory:2735 (content_browsertests+0x000004255be8)
    #8 ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2703 (content_browsertests+0x000004255be8)
    #9 blink::V8PerIsolateData::~V8PerIsolateData() third_party/WebKit/Source/bindings/core/v8/V8PerIsolateData.cpp:76 (content_browsertests+0x000004255be8)
    #10 blink::V8PerIsolateData::destroy(v8::Isolate*) third_party/WebKit/Source/bindings/core/v8/V8PerIsolateData.cpp:254:3 (content_browsertests+0x000004256289)
    #11 blink::V8Initializer::shutdownMainThread() third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp:442:3 (content_browsertests+0x000004250986)
    #12 blink::shutdown() third_party/WebKit/Source/web/WebKit.cpp:105:3 (content_browsertests+0x000004171d6a)
    #13 content::RenderThreadImpl::Shutdown() content/renderer/render_thread_impl.cc:1030:5 (content_browsertests+0x000003d0b24c)
    #14 non-virtual thunk to content::RenderThreadImpl::Shutdown() content/renderer/render_thread_impl.cc:919:24 (content_browsertests+0x000003d0b35d)
    #15 content::ChildProcess::~ChildProcess() content/child/child_process.cc:73:19 (content_browsertests+0x000003c1a33a)
    #16 content::RenderProcessImpl::~RenderProcessImpl() content/renderer/render_process_impl.cc:116:1 (content_browsertests+0x000003d03bcf)
    #17 content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:208:3 (content_browsertests+0x000003d4acab)
    #18 content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:337:14 (content_browsertests+0x000001d20588)
    #19 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:417:12 (content_browsertests+0x000001d21137)
    #20 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:775:12 (content_browsertests+0x000001d21dd7)
    #21 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28 (content_browsertests+0x000001d190ce)
    #22 content::LaunchTests(content::TestLauncherDelegate*, int, int, char**) content/public/test/test_launcher.cc:526:12 (content_browsertests+0x000002491a0a)
    #23 main content/test/content_test_launcher.cc:131:10 (content_browsertests+0x000002476f02)

SUMMARY: ThreadSanitizer: heap-use-after-free v8/include/v8.h:8467:54 in New
==================
Received signal 11 SEGV_MAPERR 000000000014
#0 0x0000004cbd26 __interceptor_backtrace
#1 0x0000028f1601 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x0000004b9353 __tsan::CallUserSignalHandler()
#3 0x0000004b97f7 rtl_sigaction()
#4 0x7fc1556d6cb0 <unknown>
#5 0x0000014a2887 v8::internal::HandleScope::Extend()
#6 0x000000eef9e1 v8::HandleScope::CreateHandle()
#7 0x000005ea69ac gin::Runner::Scope::Scope()
#8 0x0000058fc8d8 mojo::edk::js::WaitingCallback::OnHandleReady()
#9 0x0000058fd005 _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo3edk2js15WaitingCallbackEFvjEJNS0_17UnretainedWrapperIS6_EEEEEFvjEE3RunEPNS0_13BindStateBaseEOj
#10 0x000002b9035d mojo::Watcher::MessageLoopObserver::WillDestroyCurrentMessageLoop()
#11 0x000002912f5a base::MessageLoop::~MessageLoop()
#12 0x000002910a8a base::MessageLoop::~MessageLoop()
#13 0x000003d0b27f content::RenderThreadImpl::Shutdown()
#14 0x000003d0b35e content::RenderThreadImpl::Shutdown()
#15 0x000003c1a33b content::ChildProcess::~ChildProcess()
#16 0x000003d03bd0 content::RenderProcessImpl::~RenderProcessImpl()
#17 0x000003d4acac content::RendererMain()
#18 0x000001d20589 content::RunZygote()
#19 0x000001d21138 content::RunNamedProcessTypeMain()
#20 0x000001d21dd8 content::ContentMainRunnerImpl::Run()
#21 0x000001d190cf content::ContentMain()
#22 0x000002491a0b content::LaunchTests()
#23 0x000002476f03 main
#24 0x7fc154edb7ed __libc_start_main
#25 0x00000048f221 <unknown>
  r8: 0000800000000000  r9: 0003ffffffffffff r10: 0001800000000000 r11: 00007c0000000000
 r12: 0000000000000008 r13: 0000000000000000 r14: 0000000000000001 r15: 0000000000000000
  di: 0000600000000000  si: 0000d00000c48919  bp: 00007fff8ad36d90  bx: 00007ba800000000
  dx: 00001c0000c48919  ax: 0000100000000040  cx: 0000000000048919  sp: 00007fff8ad36d40
  ip: 00000000014a2887 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000014
[end of stack trace]
[       OK ] WebUIMojoTest.EndToEndPing (3453 ms)


 

Comment 1 by roc...@chromium.org, Mar 21 2017

Status: WontFix (was: Assigned)
This is obsolete. Watcher was made to stop observing MessageLoop destruction a while ago, and has since been refactored completely.
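
Added example (not part of the original issue, and not Chromium code): both stacks in the report are on the main thread, so the free and the later read can be ordered by finding the innermost frame the two stacks share. The helper names `parse_stack` and `divergence` are hypothetical, and the sample frames are an abbreviated copy of the report's lines.

```python
import re

# Constructed sample: frames copied from the report above, abbreviated
# (module+offset suffixes and intermediate frames dropped).
USE_STACK = """\
#3 gin::Runner::Scope::Scope(gin::Runner*) gin/runner.cc:18
#4 mojo::edk::js::WaitingCallback::OnHandleReady(unsigned int) mojo/edk/js/waiting_callback.cc:72:22
#11 mojo::Watcher::MessageLoopObserver::WillDestroyCurrentMessageLoop() mojo/public/cpp/system/watcher.cc:32
#12 base::MessageLoop::~MessageLoop() base/message_loop/message_loop.cc:128:14
#16 content::RenderThreadImpl::Shutdown() content/renderer/render_thread_impl.cc:1041
#18 content::ChildProcess::~ChildProcess() content/child/child_process.cc:73:19
#26 main content/test/content_test_launcher.cc:131:10
"""
FREE_STACK = """\
#1 v8::internal::GlobalHandles::~GlobalHandles() v8/src/global-handles.cc:552:5
#4 v8::Isolate::Dispose() v8/src/api.cc:7991:12
#12 blink::shutdown() third_party/WebKit/Source/web/WebKit.cpp:105:3
#13 content::RenderThreadImpl::Shutdown() content/renderer/render_thread_impl.cc:1030:5
#15 content::ChildProcess::~ChildProcess() content/child/child_process.cc:73:19
#23 main content/test/content_test_launcher.cc:131:10
"""
# Frame shape: "#N <function> <file>:<line>[:<col>] [(module+offset)]"
FRAME = re.compile(r"#\d+\s+(?P<func>.+?)\s+(?P<file>[\w./+-]+):(?P<line>\d+)"
                   r"(?::\d+)?(?:\s+\(\S+\))?\s*$")

def parse_stack(text):
    """Return frames innermost-first as (function, file, line) tuples."""
    matches = [FRAME.match(line.strip()) for line in text.splitlines()]
    return [(m["func"], m["file"], int(m["line"])) for m in matches if m]

def divergence(use, free):
    """Walk both stacks from main() inward and return the innermost frame
    they share, with the source line each stack was executing in it."""
    shared = None
    for u, f in zip(reversed(use), reversed(free)):
        if u[:2] != f[:2]:          # different function or file: stacks have split
            break
        # free_first_in_source is a heuristic: it assumes straight-line code.
        shared = {"function": u[0], "file": u[1], "use_line": u[2],
                  "free_line": f[2], "free_first_in_source": f[2] < u[2]}
        if u[2] != f[2]:            # same function, different call site
            break
    return shared

if __name__ == "__main__":
    print(divergence(parse_stack(USE_STACK), parse_stack(FREE_STACK)))
```

On this report the shared frame is `content::RenderThreadImpl::Shutdown()`, with the free reached from line 1030 and the read from line 1041 of `render_thread_impl.cc`.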
