Issue 711431 link

Issue metadata

Status: Verified
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




Crash on exit: tcmalloc unhappy in EvdevThread::CleanUp

Project Member Reported by xiy...@chromium.org, Apr 13 2017

Issue description

Happened with ToT chrome (r464460, not sure when it started) consistently. Exiting chrome (no need to log in, just doing "restart ui" is enough) creates the following line in the ui log:

../../third_party/tcmalloc/chromium/src/free_list.h:118] Memory corruption detected. 

The stack:
Core was generated by `/opt/google/chrome/chrome --ppapi-flash-path=/opt/google/chrome/pepper/libpepfl'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  tcmalloc::Abort() () at ../../third_party/tcmalloc/chromium/src/base/abort.cc:15
15        *(reinterpret_cast<volatile char*>(NULL) + 57) = 0x21;
(gdb) bt
#0  tcmalloc::Abort() () at ../../third_party/tcmalloc/chromium/src/base/abort.cc:15
#1  0x000060e776f82c77 in Log () at ../../third_party/tcmalloc/chromium/src/internal_logging.cc:120
#2  0x000060e776f8144f in FL_EqualityCheck<void*> () at ../../third_party/tcmalloc/chromium/src/free_list.h:65
#3  FL_Next () at ../../third_party/tcmalloc/chromium/src/free_list.h:118
#4  ReleaseListToSpans () at ../../third_party/tcmalloc/chromium/src/central_freelist.cc:83
#5  InsertRange () at ../../third_party/tcmalloc/chromium/src/central_freelist.cc:241
#6  0x000060e776f86ea9 in ReleaseToCentralCache () at ../../third_party/tcmalloc/chromium/src/thread_cache.cc:242
#7  0x000060e776f87087 in ListTooLong () at ../../third_party/tcmalloc/chromium/src/thread_cache.cc:203
#8  0x000060e776f8a018 in Deallocate () at ../../third_party/tcmalloc/chromium/src/thread_cache.h:397
#9  do_free_with_callback () at ../../third_party/tcmalloc/chromium/src/tcmalloc.cc:1198
#10 0x000060e7793eda20 in _M_dispose ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/basic_string.h:249
#11 ~basic_string ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/basic_string.h:547
#12 ~InputDevice () at ../../ui/events/devices/input_device.cc:38
#13 0x000060e7795cb3f0 in ui::EventConverterEvdev::~EventConverterEvdev() () at ../../ui/events/ozone/evdev/event_converter_evdev.cc:42
#14 0x000060e7795cbb9c in ~EventConverterEvdevImpl () at ../../ui/events/ozone/evdev/event_converter_evdev_impl.cc:57
#15 ~EventConverterEvdevImpl () at ../../ui/events/ozone/evdev/event_converter_evdev_impl.cc:55
#16 0x000060e7795b8bb3 in operator() ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/unique_ptr.h:76
#17 ~unique_ptr ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/unique_ptr.h:236
#18 ~pair ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/stl_pair.h:96
#19 destroy<std::pair<base::FilePath const, std::unique_ptr<ui::EventConverterEvdev, std::default_delete<ui::EventConverterEvdev> > > > ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/ext/new_allocator.h:131
#20 _S_destroy<std::pair<base::FilePath const, std::unique_ptr<ui::EventConverterEvdev, std::default_delete<ui::EventConverterEvdev> > > > ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/alloc_traits.h:282
#21 destroy<std::pair<base::FilePath const, std::unique_ptr<ui::EventConverterEvdev, std::default_delete<ui::EventConverterEvdev> > > > ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/alloc_traits.h:411
#22 _M_destroy_node ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/stl_tree.h:435
#23 _M_erase ()
    at .../samus-cheets+9428.0.0+target_toolchain/usr/bin/../lib/gcc/x86_64-cros-linux-gnu/4.9.x/include/g++-v4/bits/stl_tree.h:1277
#24 0x000060e7795b61a4 in CleanUp () at ../../ui/events/ozone/evdev/event_thread_evdev.cc:55
#25 0x000060e778b2d3bf in ThreadMain () at ../../base/threading/thread.cc:341
#26 0x000060e778b28963 in ThreadFunc () at ../../base/threading/platform_thread_posix.cc:71
#27 0x00007eac89dc7578 in start_thread (arg=0x7eac783a9700) at pthread_create.c:333
#28 0x00007eac88aee6dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

It could be one of the members of InputDeviceFactoryEvdev since STL was in the stack.
spang@, could you help to take a look or triage? Thanks.
 

Comment 1 by bugdroid1@chromium.org, Apr 21 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/419dd2a3447f1d39c092f4259d87906c192ed0da

commit 419dd2a3447f1d39c092f4259d87906c192ed0da
Author: spang <spang@chromium.org>
Date: Fri Apr 21 15:00:56 2017

Fix unsafe destruction order of InputDeviceFactoryEvdev

This was never destroyed prior to 60a7c584a9be ("mash: Don't synthesize
extra key press events in the window server").

Now it's destroyed in a couple places, so try to make this safe.
Particularly, destroy devices prior to shared state such as the gestures
properties object, and make devices stop DCHECKing that they are
destroyed gently (i.e., by getting disabled and stopped from the hotplug
handler). Shutdown destruction is abrupt.

This should fix a couple issues people are seeing since we started
calling the destructor (at least the input related ones).

BUG=711431, 713624, 713968
TEST=just compile

Review-Url: https://codereview.chromium.org/2828843002
Cr-Commit-Position: refs/heads/master@{#466336}

[modify] https://crrev.com/419dd2a3447f1d39c092f4259d87906c192ed0da/ui/events/ozone/evdev/event_converter_evdev.cc
[modify] https://crrev.com/419dd2a3447f1d39c092f4259d87906c192ed0da/ui/events/ozone/evdev/event_converter_evdev_impl.cc
[modify] https://crrev.com/419dd2a3447f1d39c092f4259d87906c192ed0da/ui/events/ozone/evdev/input_device_factory_evdev.h
[modify] https://crrev.com/419dd2a3447f1d39c092f4259d87906c192ed0da/ui/events/ozone/evdev/libgestures_glue/event_reader_libevdev_cros.cc
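
The ordering hazard the commit message describes (devices must be destroyed before the shared state they point at), as an added illustration that is not code from the Chromium patch. All class names are hypothetical, and a global flag stands in for dereferencing the shared object so the unsafe case can be observed without real undefined behaviour.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins; none of these are Chromium's classes.
static std::vector<std::string> g_log;  // destruction events, in order
static bool g_shared_alive = false;     // flag instead of a real dereference

struct SharedState {  // plays the role of a shared properties object
  SharedState() { g_shared_alive = true; }
  ~SharedState() { g_shared_alive = false; g_log.push_back("shared"); }
};

struct Device {  // plays the role of a per-device event converter
  explicit Device(SharedState* s) : shared(s) {}
  ~Device() {
    // A real device would touch *shared here; record whether that is safe.
    g_log.push_back(g_shared_alive ? "device:ok" : "device:dangling");
  }
  SharedState* shared;
};

// C++ destroys members in reverse declaration order.
struct UnsafeFactory {
  std::map<std::string, std::unique_ptr<Device>> devices;  // destroyed last
  std::unique_ptr<SharedState> shared;                     // destroyed first
  UnsafeFactory() : shared(new SharedState) {
    devices["/dev/input/event0"].reset(new Device(shared.get()));
  }
};

struct SafeFactory {
  std::unique_ptr<SharedState> shared;                     // destroyed last
  std::map<std::string, std::unique_ptr<Device>> devices;  // destroyed first
  SafeFactory() : shared(new SharedState) {
    devices["/dev/input/event0"].reset(new Device(shared.get()));
  }
};

template <typename Factory>
std::vector<std::string> DestructionLog() {
  g_log.clear();
  { Factory f; }  // abrupt teardown: no explicit disable/stop step first
  return g_log;
}

int main() {
  bool ok = DestructionLog<SafeFactory>()[0] == "device:ok" &&
            DestructionLog<UnsafeFactory>()[1] == "device:dangling";
  return ok ? 0 : 1;
}
```

In a real build the "device:dangling" case is a use-after-free; AddressSanitizer reports it at the faulting access, whereas an allocator integrity check such as the tcmalloc one in the stack above fires only on a later, unrelated free.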

Comment 2 by spang@chromium.org, Apr 21 2017

Status: Fixed (was: Untriaged)
It should be fixed, but I have not tested. Please apply this patch and see if it helps.

Comment 3 by xiy...@chromium.org, Apr 21 2017

Status: Verified (was: Fixed)
The crash is gone with the CL. Thanks for the fix.

Comment 4 by bugdroid1@chromium.org, Apr 22 2017

Labels: merge-merged-3071
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/955a01b06b3cb7fb6ca51acd085313439c0ef5bb

commit 955a01b06b3cb7fb6ca51acd085313439c0ef5bb
Author: Stéphane Marchesin <marcheu@chromium.org>
Date: Sat Apr 22 01:35:20 2017

Fix unsafe destruction order of InputDeviceFactoryEvdev

This was never destroyed prior to 60a7c584a9be ("mash: Don't synthesize
extra key press events in the window server").

Now it's destroyed in a couple places, so try to make this safe.
Particularly, destroy devices prior to shared state such as the gestures
properties object, and make devices stop DCHECKing that they are
destroyed gently (i.e., by getting disabled and stopped from the hotplug
handler). Shutdown destruction is abrupt.

This should fix a couple issues people are seeing since we started
calling the destructor (at least the input related ones).

BUG=711431, 713624, 713968
TEST=just compile

Review-Url: https://codereview.chromium.org/2828843002
Cr-Commit-Position: refs/heads/master@{#466336}
(cherry picked from commit 419dd2a3447f1d39c092f4259d87906c192ed0da)

Review-Url: https://codereview.chromium.org/2833243002 .
Cr-Commit-Position: refs/branch-heads/3071@{#140}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/955a01b06b3cb7fb6ca51acd085313439c0ef5bb/ui/events/ozone/evdev/event_converter_evdev.cc
[modify] https://crrev.com/955a01b06b3cb7fb6ca51acd085313439c0ef5bb/ui/events/ozone/evdev/event_converter_evdev_impl.cc
[modify] https://crrev.com/955a01b06b3cb7fb6ca51acd085313439c0ef5bb/ui/events/ozone/evdev/input_device_factory_evdev.h
[modify] https://crrev.com/955a01b06b3cb7fb6ca51acd085313439c0ef5bb/ui/events/ozone/evdev/libgestures_glue/event_reader_libevdev_cros.cc
