
Issue 728470 link


Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug




MessageLoop::BindToCurrentThread crashes in field

Reported by paulmiller@chromium.org (Project Member), Jun 1 2017

Issue description

Do we have any idea why this happens? (is anyone looking into it?)
Cc: sgu...@chromium.org
In the b/ bug it was memory corruption. Possibly Amazon's fault. The other reports are from a bunch of different apps, though.

more specific link:

https://crash.corp.google.com/browse?q=product.name%3D%27AndroidWebView%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%20LIKE%20%27%25MessageLoop%3A%3ABindToCurrentThread%25%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#-property-selector,samplereports:5,packagename

15 of the 18 reports are on version 58.0.3029.83.

Looking through some of the reports, there's a bunch segfaulting on the same address, libwebviewchromium.so+0x29f98f, at the same instruction, libwebviewchromium.so+0x29ddaa:

0029dd20 <_ZN4base11MessageLoop19BindToCurrentThreadEv>:
  29dd20:       b570            push    {r4, r5, r6, lr} 
  29dd22:       f8d0 508c       ldr.w   r5, [r0, #140]  ; 0x8c
  29dd26:       b082            sub     sp, #8
  29dd28:       4604            mov     r4, r0
  29dd2a:       2d00            cmp     r5, #0  
  29dd2c:       d036            beq.n   29dd9c <_ZN4base11MessageLoop19BindToCurrentThreadEv+0x7c>
...
  29dd9c:       a801            add     r0, sp, #4 ; "else" case
  29dd9e:       68a1            ldr     r1, [r4, #8] ; r1 = this->type_
  29dda0:       f7ff fd84       bl      29d8ac <_ZN4base11MessageLoop24CreateMessagePumpForTypeENS0_4TypeE>
  29dda4:       9b01            ldr     r3, [sp, #4] 
  29dda6:       6860            ldr     r0, [r4, #4] 
  29dda8:       9501            str     r5, [sp, #4] 
  29ddaa:       6063            str     r3, [r4, #4]
...

So if I'm interpreting this correctly, the "this" pointer is pointing into libwebviewchromium.so code, which is Wrong(TM). And it's not even aligned. Suggests memory corruption, although the regularity across reports and packages is interesting.
Attachment: MessageLoop-BindToCurrentThread-asm.txt (3.3 KB)
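The reasoning in the comment above, recovering the `this` pointer from the fault address and the `#4` displacement of the faulting `str r3, [r4, #4]`, then checking whether that pointer lands in the library's code mapping and whether it is even 4-byte aligned, written out as an added Python triage helper. This is illustrative code, not Chromium tooling: the `/proc/<pid>/maps` excerpt, the library base address and the heap range are constructed, and only the library name and the two `libwebviewchromium.so+0x...` offsets come from the report.

```python
"""Hypothetical crash-triage helper (not Chromium code).

Given a faulting data address and the displacement of the faulting store,
recover the base (object) pointer, render it as module+offset in the form
the crash reports use, and flag the two signs of corruption noted in the
bug: the pointer lies in an executable mapping, and it is misaligned.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed /proc/<pid>/maps excerpt for a 32-bit ARM WebView process.
# Base address, heap range, device and inode numbers are made up.
SAMPLE_MAPS = """\
b3f00000-b4000000 rw-p 00000000 00:00 0          [anon:libc_malloc]
b4a00000-b5400000 r-xp 00000000 fd:00 1234       /system/lib/libwebviewchromium.so
b5400000-b5500000 r--p 00a00000 fd:00 1234       /system/lib/libwebviewchromium.so
b5500000-b5580000 rw-p 00b00000 fd:00 1234       /system/lib/libwebviewchromium.so
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    file_offset: int
    path: str


# start-end perms file_offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text: str) -> List[Mapping]:
    """Parse a /proc/<pid>/maps listing; lines that do not match are skipped."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        mappings.append(Mapping(int(m[1], 16), int(m[2], 16), m[3],
                                int(m[4], 16), m[5].strip()))
    return mappings


def find_mapping(maps: List[Mapping], addr: int) -> Optional[Mapping]:
    for m in maps:
        if m.start <= addr < m.end:
            return m
    return None


def symbolize(maps: List[Mapping], addr: int) -> str:
    """Render addr as module+offset (offset into the file, as in the reports)."""
    m = find_mapping(maps, addr)
    if m is None:
        return f"0x{addr:x} (unmapped)"
    offset = addr - m.start + m.file_offset
    return f"{os.path.basename(m.path) or m.path}+0x{offset:x}"


def triage_store_fault(maps: List[Mapping], fault_addr: int,
                       displacement: int, align: int = 4) -> Dict:
    """Recover the base register of a faulting `str rX, [base, #disp]` and
    list why that base pointer is suspect as an object pointer."""
    base = fault_addr - displacement
    m = find_mapping(maps, base)
    findings = []
    if m is None:
        findings.append("base pointer is unmapped")
    elif "x" in m.perms:
        findings.append("base pointer lies inside an executable (code) mapping")
    if base % align:
        findings.append(f"base pointer is not {align}-byte aligned")
    return {"base": base, "symbol": symbolize(maps, base), "findings": findings}


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    lib_base = 0xB4A00000  # constructed load address of libwebviewchromium.so
    pc = lib_base + 0x29DDAA  # faulting instruction offset from the report
    fault = lib_base + 0x29F98F  # faulting data address offset from the report
    print("pc    :", symbolize(maps, pc))
    result = triage_store_fault(maps, fault, displacement=4)
    print("this  :", result["symbol"])
    for finding in result["findings"]:
        print("  -", finding)
```

The fault address minus the store's displacement gives `r4`, i.e. `this`; under the constructed base it symbolizes to `libwebviewchromium.so+0x29f98b`, inside the `r-xp` text mapping and with the low bits set, which is exactly the "pointing into code and not even aligned" observation in the comment. A legitimate heap pointer (inside the `rw-p` anonymous mapping, 4-byte aligned) produces no findings.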
Status: WontFix (was: Available)
Closing on tobiasjs@'s advice, as we can't make any more progress without a repro.
