
Issue 740527

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




DestroyGpuMemoryBuffer crash

Project Member Reported by jonr...@chromium.org, Jul 10 2017

Issue description

I synced to fae14c9c5320d1e0b0672cf67c98bbdcf92318af

New crash a few seconds into running chrome --mash

../../build/linux/debian_jessie_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/debug/safe_iterator.279:
    error: attempt to dereference a singular iterator.

Objects involved in the operation:
iterator "this" @ 0x0x7fffa81768d8 {
  state = singular;
  references sequence @ 0x0x7fffa81768d8
}
Received signal 6
#0 0x7efd0e85c7cb base::debug::StackTrace::StackTrace()
#1 0x7efd0e85b50c base::debug::StackTrace::StackTrace()
#2 0x7efd0e85c2df base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7efd0ecc1330 <unknown>
#4 0x7efcf2740c37 gsignal
#5 0x7efcf2744028 abort
#6 0x7efcf2d98fe5 __gnu_debug::_Error_formatter::_M_error()
#7 0x7efcf4796287 __gnu_debug::_Safe_iterator<>::operator->()
#8 0x7efcf4793b5f viz::ServerGpuMemoryBufferManager::DestroyGpuMemoryBuffer()
#9 0x562dd5662840 ui::ws::GpuClient::DestroyGpuMemoryBuffer()
#10 0x562dd08fb3e9 ui::mojom::GpuStubDispatch::Accept()
#11 0x562dd55d37e6 ui::mojom::GpuStub<>::Accept()
#12 0x7efd0ccba1d5 mojo::InterfaceEndpointClient::HandleValidatedMessage()
#13 0x7efd0ccb9b91 mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept()
#14 0x7efd0ccb7b80 mojo::FilterChain::Accept()
#15 0x7efd0ccbba0f mojo::InterfaceEndpointClient::HandleIncomingMessage()
#16 0x7efd0cccff55 mojo::internal::MultiplexRouter::ProcessIncomingMessage()
#17 0x7efd0cccf7d4 mojo::internal::MultiplexRouter::Accept()
#18 0x7efd0ccb7b80 mojo::FilterChain::Accept()
#19 0x7efd0ccacd02 mojo::Connector::ReadSingleMessage()
#20 0x7efd0ccad88e mojo::Connector::ReadAllAvailableMessages()
#21 0x7efd0ccad6de mojo::Connector::OnHandleReadyInternal()
#22 0x7efd0ccad5db mojo::Connector::OnWatcherHandleReady()
#23 0x7efd0ccb03c4 _ZN4base8internal13FunctorTraitsIMN4mojo9ConnectorEFvjEvE6InvokeIPS3_JjEEEvS5_OT_DpOT0_
#24 0x7efd0ccb02d6 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN4mojo9ConnectorEFvjEJPS5_jEEEvOT_DpOT0_
#25 0x7efd0ccb0267 _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo9ConnectorEFvjEJNS0_17UnretainedWrapperIS4_EEEEEFvjEE7RunImplIRKS6_RKSt5tupleIJS8_EEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEEOj
#26 0x7efd0ccb019c _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo9ConnectorEFvjEJNS0_17UnretainedWrapperIS4_EEEEEFvjEE3RunEPNS0_13BindStateBaseEOj
#27 0x7efd0cc48ca1 _ZNKR4base8CallbackIFvjELNS_8internal8CopyModeE1ELNS2_10RepeatModeE1EE3RunEj
#28 0x7efd0cc4815f mojo::SimpleWatcher::OnHandleReady()
#29 0x7efd0cc497bb _ZN4base8internal13FunctorTraitsIMN4mojo13SimpleWatcherEFvijEvE6InvokeIRKNS_7WeakPtrIS3_EEJRKiRKjEEEvS5_OT_DpOT0_
#30 0x7efd0cc49614 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN4mojo13SimpleWatcherEFvijERKNS_7WeakPtrIS5_EEJRKiRKjEEEvOT_OT0_DpOT1_
#31 0x7efd0cc49574 _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo13SimpleWatcherEFvijEJNS_7WeakPtrIS4_EEijEEEFvvEE7RunImplIRKS6_RKSt5tupleIJS8_ijEEJLm0ELm1ELm2EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#32 0x7efd0cc4941c _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo13SimpleWatcherEFvijEJNS_7WeakPtrIS4_EEijEEEFvvEE3RunEPNS0_13BindStateBaseE
#33 0x7efd0e81b99e _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#34 0x7efd0e861cd1 base::debug::TaskAnnotator::RunTask()
#35 0x7efd0e8efeee base::MessageLoop::RunTask()
#36 0x7efd0e8f0157 base::MessageLoop::DeferOrRunPendingTask()
#37 0x7efd0e8f046f base::MessageLoop::DoWork()
#38 0x7efd0e9028cc base::MessagePumpLibevent::Run()
#39 0x7efd0e8ef953 base::MessageLoop::Run()
#40 0x7efd0e98f257 base::RunLoop::Run()
#41 0x7efd0ef7422c service_manager::(anonymous namespace)::RunService()::$_0::operator()()
#42 0x7efd0ef73efd _ZN4base8internal13FunctorTraitsIZN15service_manager12_GLOBAL__N_110RunServiceEPNS2_12MainDelegateEE3$_0vE6InvokeIJRKS5_RKPiN4mojo16InterfaceRequestINS2_5mojom7ServiceEEEEEEvRKS6_DpOT_
#43 0x7efd0ef73e6c _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKZN15service_manager12_GLOBAL__N_110RunServiceEPNS4_12MainDelegateEE3$_0JRKS7_RKPiN4mojo16InterfaceRequestINS4_5mojom7ServiceEEEEEEvOT_DpOT0_
#44 0x7efd0ef73e08 _ZN4base8internal7InvokerINS0_9BindStateIZN15service_manager12_GLOBAL__N_110RunServiceEPNS3_12MainDelegateEE3$_0JS6_PiEEEFvN4mojo16InterfaceRequestINS3_5mojom7ServiceEEEEE7RunImplIRKS7_RKSt5tupleIJS6_S8_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEEOSE_
#45 0x7efd0ef73d0c _ZN4base8internal7InvokerINS0_9BindStateIZN15service_manager12_GLOBAL__N_110RunServiceEPNS3_12MainDelegateEE3$_0JS6_PiEEEFvN4mojo16InterfaceRequestINS3_5mojom7ServiceEEEEE3RunEPNS0_13BindStateBaseEOSE_
#46 0x7efd0ef819d5 _ZNKR4base8CallbackIFvN4mojo16InterfaceRequestIN15service_manager5mojom7ServiceEEEELNS_8internal8CopyModeE1ELNS8_10RepeatModeE1EE3RunES6_
#47 0x7efd0ef815a3 service_manager::RunStandaloneService()
#48 0x7efd0ef736e8 service_manager::(anonymous namespace)::RunService()
#49 0x7efd0ef72d68 service_manager::Main()
#50 0x7efd0941fdcb content::ContentMain()
#51 0x562dcef6c0ac ChromeMain
#52 0x562dcef6bfa2 main
#53 0x7efcf272bf45 __libc_start_main
#54 0x562dcef6be84 <unknown>
  r8: 00007efcf2ace9d0  r9: 00007fffa8176248 r10: 0000000000000008 r11: 0000000000000206
 r12: 0000000000000001 r13: 00007fffa817b730 r14: 0000000000000000 r15: 0000000000000000
  di: 0000000000000ae4  si: 0000000000000ae4  bp: 00007fffa81764d0  bx: 00007fffa8176488
  dx: 0000000000000006  ax: 0000000000000000  cx: 00007efcf2740c37  sp: 00007fffa8176298
  ip: 00007efcf2740c37 efl: 0000000000000206 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.

 
Owner: sadrul@chromium.org
Status: Assigned (was: Untriaged)
Reassigning to Sadrul@ who likely caused this regression.
I don't have a narrower bisect, but this wasn't on 2bed5f8ad793e4ca0f43ae96c80c113293c8d9a5, which my side branch is on.

Comment 3 by sadrul@chromium.org, Jul 10 2017

Status: Started (was: Assigned)
I think it's https://codereview.chromium.org/2971903003/. I have a fix; writing a test now.

Comment 4 by sadrul@chromium.org, Jul 10 2017

Fix out for review at https://chromium-review.googlesource.com/c/565540/
Project Member Comment 5 by bugdroid1@chromium.org, Jul 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e09bd49015c4c0cf461ad65ecface21eae4ad562

commit e09bd49015c4c0cf461ad65ecface21eae4ad562
Author: Sadrul Habib Chowdhury <sadrul@chromium.org>
Date: Mon Jul 10 18:49:59 2017

viz: Fix a use-after-free during gmb deallocation.

BUG=740527

Change-Id: Icd7be15d4b677770d5d4b4910490262d7aba7e9f
Reviewed-on: https://chromium-review.googlesource.com/565540
Commit-Queue: Sadrul Chowdhury <sadrul@chromium.org>
Reviewed-by: David Reveman <reveman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485326}
[modify] https://crrev.com/e09bd49015c4c0cf461ad65ecface21eae4ad562/components/viz/host/server_gpu_memory_buffer_manager.cc
[modify] https://crrev.com/e09bd49015c4c0cf461ad65ecface21eae4ad562/components/viz/host/server_gpu_memory_buffer_manager_unittest.cc

Comment 6 by sadrul@chromium.org, Jul 11 2017

Status: Fixed (was: Started)
Components: -MUS Internals>Services>WindowService
