New issue
Advanced search Search tips

Issue 746463 link

Starred by 1 user
Status: Assigned
Owner:
hashimoto@chromium.org
Cc:
tzik@chromium.org
hidehiko@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug



Sign in to add a comment

DCHECK hit: CalledOnValidSequence() related to chromeos::NetworkCertMigrator

Project Member Reported by emaxx@chromium.org, Jul 19 2017 
Chrome Version: ToT (M61)
OS: Chrome OS

What steps will reproduce the problem?
(1) Log into the Chromebook, wait a few seconds.

What happens instead?
Crash:

[FATAL:ref_counted.h(95)] Check failed: CalledOnValidSequence(). 
#0 0x7fcd90f0511d base::debug::StackTrace::StackTrace()
#1 0x7fcd90f03b8c base::debug::StackTrace::StackTrace()
#2 0x7fcd90f51bf3 logging::LogMessage::~LogMessage()
#3 0x7fcd8ac24b81 base::subtle::RefCountedBase::Release()
#4 0x7fcd8be1b44f base::RefCounted<>::Release()
#5 0x7fcd8be1b429 scoped_refptr<>::Release()
#6 0x7fcd92d7be3a scoped_refptr<>::~scoped_refptr()
#7 0x7fcd92d7cee5 std::_Head_base<>::~_Head_base()
#8 0x7fcd92d7cec5 _ZNSt11_Tuple_implILm0EJ13scoped_refptrIN8chromeos19NetworkCer
tMigrator13MigrationTaskEEEED2Ev
#9 0x7fcd92d7cea5 _ZNSt5tupleIJ13scoped_refptrIN8chromeos19NetworkCertMigrator13
MigrationTaskEEEED2Ev
#10 0x7fcd92d7ce73 _ZN4base8internal9BindStateIMN8chromeos19NetworkCertMigrator1
3MigrationTaskEFvRKSsRKNS_15DictionaryValueEEJ13scoped_refptrIS4_EEED2Ev
#11 0x7fcd92d7cdf7 _ZN4base8internal9BindStateIMN8chromeos19NetworkCertMigrator1
3MigrationTaskEFvRKSsRKNS_15DictionaryValueEEJ13scoped_refptrIS4_EEE7DestroyEPKN
S0_13BindStateBaseE
#12 0x7fcd90edf8c5 base::internal::BindStateBaseRefCountTraits::Destruct()
#13 0x7fcd90ee0338 base::RefCountedThreadSafe<>::Release()
#14 0x7fcd90ee02f5 scoped_refptr<>::Release()
#15 0x7fcd90ee029a scoped_refptr<>::~scoped_refptr()
#16 0x7fcd90edfdb5 base::internal::CallbackBase<>::~CallbackBase()
#17 0x7fcd8aa8eb85 base::internal::CallbackBase<>::~CallbackBase()
#18 0x7fcd8aa8dcf5 base::Callback<>::~Callback()
#19 0x7fcd8ac58b75 std::_Head_base<>::~_Head_base()
#20 0x7fcd90f491f3 _ZNSt11_Tuple_implILm2EJN4base8CallbackIFvvELNS0_8internal8Co
pyModeE1ELNS3_10RepeatModeE1EEENS1_IFvbELS4_1ELS5_1EEESsEED2Ev
#21 0x7fcd92d7c815 _ZNSt5tupleIJN4base8CallbackIFvRKSsRKNS0_15DictionaryValueEEL
NS0_8internal8CopyModeE1ELNS8_10RepeatModeE1EEENS1_IFvS3_St10unique_ptrIS4_St14d
efault_deleteIS4_EEE
LS9_1ELSA_1EEESsEED2Ev
#22 0x7fcd92d7c7e3 _ZN4base8internal9BindStateIPFvRKNS_8CallbackIFvRKSsRKNS_15Di
ctionaryValueEELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEERKNS2_IFvS4_St10unique_ptr
IS5_St14default_deleteIS5_EEELS9_1ELSA_1EEES4_N8chromeos20DBusMethodCallStatusES
7_EJSB_SJ_SsEED2Ev
#23 0x7fcd92d7c747 _ZN4base8internal9BindStateIPFvRKNS_8CallbackIFvRKSsRKNS_15Di
ctionaryValueEELNS0_8CopyModeE1ELNS0_10RepeatModeE1EEERKNS2_IFvS4_St10unique_ptr
IS5_St14default_deleteIS5_EEELS9_1ELSA_1EEES4_N8chromeos20DBusMethodCallStatusES
7_EJSB_SJ_SsEE7DestroyEPKNS0_13BindStateBaseE
#24 0x7fcd90edf8c5 base::internal::BindStateBaseRefCountTraits::Destruct()
#25 0x7fcd90ee0338 base::RefCountedThreadSafe<>::Release()
#26 0x7fcd90ee02f5 scoped_refptr<>::Release()
#27 0x7fcd90ee029a scoped_refptr<>::~scoped_refptr()
#28 0x7fcd90edfdb5 base::internal::CallbackBase<>::~CallbackBase()
#29 0x7fcd8aa8eb85 base::internal::CallbackBase<>::~CallbackBase()
#30 0x7fcd8aa8dcf5 base::Callback<>::~Callback()
#31 0x7fcd8ac58b75 std::_Head_base<>::~_Head_base()
#32 0x7fcd8ac58b55 _ZNSt11_Tuple_implILm1EJN4base8CallbackIFvN11google_apis17Dri
veApiErrorCodeERKSsELNS0_8internal8CopyModeE1ELNS7_10RepeatModeE1EEEEED2Ev
#33 0x7fcd92cb6b0f _ZNSt11_Tuple_implILm1EJN4dbus10ObjectPathEN4base8CallbackIFv
N8chromeos20DBusMethodCallStatusERKNS2_15DictionaryValueEELNS2_8internal8CopyMod
eE1ELNSA_10RepeatModeE1EEEEED2Ev
#34 0x7fcd92d34f85 _ZNSt11_Tuple_implILm0EJPKcN4dbus10ObjectPathEN4base8Callback
IFvN8chromeos20DBusMethodCallStatusERKNS4_15DictionaryValueEELNS4_8internal8Copy
ModeE1ELNSC_10RepeatModeE1EEEEED2Ev
#35 0x7fcd92d34f65 _ZNSt5tupleIJPKcN4dbus10ObjectPathEN4base8CallbackIFvN8chrome
os20DBusMethodCallStatusERKNS4_15DictionaryValueEELNS4_8internal8CopyModeE1ELNSC
_10RepeatModeE1EEEEED2Ev
#36 0x7fcd92d34f33 _ZN4base8internal9BindStateIPFvRKSsRKN4dbus10ObjectPathERKNS_
8CallbackIFvN8chromeos20DBusMethodCallStatusERKNS_15DictionaryValueEELNS0_8CopyM
odeE1ELNS0_10RepeatModeE1EEES3_S3_EJPKcS5_SH_EED2Ev
#37 0x7fcd92d34eb7 _ZN4base8internal9BindStateIPFvRKSsRKN4dbus10ObjectPathERKNS_
8CallbackIFvN8chromeos20DBusMethodCallStatusERKNS_15DictionaryValueEELNS0_8CopyM
odeE1ELNS0_10RepeatModeE1EEES3_S3_EJPKcS5_SH_EE7DestroyEPKNS0_13BindStateBaseE
#38 0x7fcd90edf8c5 base::internal::BindStateBaseRefCountTraits::Destruct()
#39 0x7fcd90ee0338 base::RefCountedThreadSafe<>::Release()
#40 0x7fcd90ee02f5 scoped_refptr<>::Release()
#41 0x7fcd90ee029a scoped_refptr<>::~scoped_refptr()
#42 0x7fcd90edfdb5 base::internal::CallbackBase<>::~CallbackBase()
#43 0x7fcd8aa8eb85 base::internal::CallbackBase<>::~CallbackBase()
#44 0x7fcd8aa8dcf5 base::Callback<>::~Callback()
#45 0x7fcd8ac58b75 std::_Head_base<>::~_Head_base()
#46 0x7fcd8ac58b55 _ZNSt11_Tuple_implILm1EJN4base8CallbackIFvN11google_apis17Dri
veApiErrorCodeERKSsELNS0_8internal8CopyModeE1ELNS7_10RepeatModeE1EEEEED2Ev
#47 0x7fcd8ccec93f _ZNSt11_Tuple_implILm1EJN4base8CallbackIFvvELNS0_8internal8Co
pyModeE1ELNS3_10RepeatModeE1EEES6_EED2Ev
#48 0x7fcd92dbee9f _ZNSt11_Tuple_implILm0EJN4base8internal12OwnedWrapperIN8chrom
eos17ShillClientHelper9RefHolderEEENS0_8CallbackIFvRKN4dbus10ObjectPathEELNS1_8C
opyModeE1ELNS1_10RepeatModeE1EEENS7_IFvRKSsSH_ELSD_1ELSE_1EEEEED2Ev
#49 0x7fcd92dc0c55 _ZNSt5tupleIJN4base8internal12OwnedWrapperIN8chromeos17ShillC
lientHelper9RefHolderEEENS0_8CallbackIFvRKNS0_15DictionaryValueEELNS1_8CopyModeE
1ELNS1_10RepeatModeE1EEENS7_IFvRKSsSG_ELSC_1ELSD_1EEEEED2Ev
#50 0x7fcd92dc0c23 _ZN4base8internal9BindStateIPFvPN8chromeos17ShillClientHelper
9RefHolderERKNS_8CallbackIFvRKNS_15DictionaryValueEELNS0_8CopyModeE1ELNS0_10Repe
atModeE1EEERKNS6_IFvRKSsSH_ELSB_1ELSC_1EEEPN4dbus8ResponseEEJNS0_12OwnedWrapperI
S4_EESD_SJ_EED2Ev
#51 0x7fcd92dc0b87 _ZN4base8internal9BindStateIPFvPN8chromeos17ShillClientHelper
9RefHolderERKNS_8CallbackIFvRKNS_15DictionaryValueEELNS0_8CopyModeE1ELNS0_10Repe
atModeE1EEERKNS6_IFvRKSsSH_ELSB_1ELSC_1EEEPN4dbus8ResponseEEJNS0_12OwnedWrapperI
S4_EESD_SJ_EE7DestroyEPKNS0_13BindStateBaseE
#52 0x7fcd90edf8c5 base::internal::BindStateBaseRefCountTraits::Destruct()
#53 0x7fcd90ee0338 base::RefCountedThreadSafe<>::Release()
#54 0x7fcd90ee02f5 scoped_refptr<>::Release()
#55 0x7fcd90ee029a scoped_refptr<>::~scoped_refptr()
#56 0x7fcd90edfdb5 base::internal::CallbackBase<>::~CallbackBase()
#57 0x7fcd8aa8eb85 base::internal::CallbackBase<>::~CallbackBase()
#58 0x7fcd8aa8dcf5 base::Callback<>::~Callback()
#59 0x7fcd92e05033 dbus::ObjectProxy::OnPendingCallIsCompleteData::~OnPendingCal
lIsCompleteData()
#60 0x7fcd92e07c57 dbus::DeleteVoidPointer<>()
#61 0x7fcd892858e3 <unknown>

Comment 1 by emaxx@chromium.org, Jul 19 2017

Owner: hidehiko@chromium.org
hidehiko@: Could you please check whether this could be caused by change e9cfddfdd90e83c4d7753f8ec9c502500d32b4c0? It was touching shill_client_helper.cc, which is on the crash stack trace.

Comment 2 by hidehiko@chromium.org, Jul 20 2017

Cc: hidehiko@chromium.org tzik@chromium.org
Owner: hashimoto@chromium.org
The CL looks not unrelated, because the stacktrace is not void callback.
It looks like this is a race.

The scenario is (probably);
- The callback is bound on a thread where NetworkCertMigrator lives.
- Via Shill interface, the callback is passed to ObjectProxy::CallMethod() or its family, which post a task ObjectProxy::StartAsyncMethodCall with the passed callback.
- In StartAsyncMethodCall, the callback is stored in OnPendingCallIsCompleteData.
- When DBus reply (or error) comes, OnPendingCallIsCompleteThunk is called, which invokes ObjectProxy::OnPendingCallIsComplete.
- In the function, a task is post to the original caller thread with callback. Note that, this callback object is copied, so both original thread and DBus thread will have references. Then, the DBus pending object is destroyed, so callback is also destroyed. (Here, callback destroy means refcount is decremented).
- If callback on the original thread is called and completed (= callback refcount is decremeneted) *earlier* than DBus's pending object destroying, then, the object will be destroyed on DBus thread, not on the original caller thread, because the last refcount decrement will be done on DBus thread. So, it'd hit the DCHECK.

Fortunately, a CL hashimoto@ sent today https://chromium-review.googlesource.com/c/578541/ (for a different goal) will fix the issue, I believe, so assigned to him.

Comment 3 by hashimoto@chromium.org, Jul 21 2017 

https://chromium-review.googlesource.com/c/578541/ may make this bug less likely to happen, but not fix it.
If the object proxy is destryoed before the method call completes, OnPendingCallIsCompleteData is destroyed with the callback which still owns a scoped_refptr of NetworkCertMigrator::MigrationTask.

Comment 4 by benhenry@chromium.org, Aug 1

Status: Assigned (was: Untriaged)

Sign in to add a comment