
Issue 754813


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




trunksd crashes during reboot

Project Member Reported by apronin@chromium.org, Aug 11 2017

Issue description

During reboot trunksd crashes inside ~BackgroundCommandTransceiver().
It seems to happen when destroying WeakPtrFactory. The background thread at this point still runs through the message loop, and can be holding the WeakPointer to the transceiver. So, it will crash when invalidating the owner in the factory destructor, since the weak pointers must be invalidated from the same thread that acquired them.

The likely fix is calling Thread::Stop for the background thread before destroying objects created by the main thread.
The current destruction order is:
 - PowerManager
 - BackgroundCommandTransceiver
 - ResourceManager
 - TrunksFactoryImpl
 - and only then background thread.
If one of these objects is accessed from a still-running background thread during shutdown, that may cause a crash.

It is possible that in other cases (https://crbug.com/752811), the thread may crash on accessing ResourceManager instead of freeing the BackgroundCommandTransceiver.
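
The shutdown ordering described in this report, as an added C++ example that is not trunksd code: `BackgroundThread`, `Transceiver` and `ShutdownInSafeOrder` are hypothetical stand-ins built on `std::thread`, and the stand-in `Stop()` is assumed to run already-queued tasks before joining.

```cpp
#include <atomic>
#include <condition_variable>
#include <deque>
#include <functional>
#include <mutex>
#include <thread>
#include <utility>
// Hypothetical stand-in for the daemon's background thread (not trunks code).
class BackgroundThread {
 public:
  BackgroundThread() : worker_([this] { Run(); }) {}
  ~BackgroundThread() { Stop(); }
  void Post(std::function<void()> task) {
    { std::lock_guard<std::mutex> l(mu_); tasks_.push_back(std::move(task)); }
    cv_.notify_one();
  }
  // Runs the queued tasks, then joins: afterwards no task can touch other objects.
  void Stop() {
    { std::lock_guard<std::mutex> l(mu_); stopping_ = true; }
    cv_.notify_one();
    if (worker_.joinable()) worker_.join();
  }
 private:
  void Run() {
    std::unique_lock<std::mutex> l(mu_);
    for (;;) {
      cv_.wait(l, [this] { return stopping_ || !tasks_.empty(); });
      if (tasks_.empty()) return;  // stopping_ is set and the queue is drained
      auto task = std::move(tasks_.front());
      tasks_.pop_front();
      l.unlock(); task(); l.lock();
    }
  }
  std::mutex mu_;
  std::condition_variable cv_;
  std::deque<std::function<void()>> tasks_;
  bool stopping_ = false;
  std::thread worker_;  // last member: starts only after the queue is constructed
};

struct Transceiver { std::atomic<int> commands{0}; };  // stand-in main-thread object

int ShutdownInSafeOrder(int n) {
  BackgroundThread thread;  // declared first, so destroyed last, as in the report
  Transceiver transceiver;  // destroyed before `thread` when the scope ends
  for (int i = 0; i < n; ++i) thread.Post([&transceiver] { ++transceiver.commands; });
  thread.Stop();  // the fix: stop the thread before main-thread objects are destroyed
  return transceiver.commands;
}
int main() { return ShutdownInSafeOrder(100) == 100 ? 0 : 1; }
```

Without the explicit `Stop()` call, `transceiver` is destroyed while queued tasks may still be running against it, which is the use-after-destruction window the report describes.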

 
Project Member

Comment 1 by bugdroid1@chromium.org, Aug 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/aosp/platform/system/tpm/+/f5b51caa68658f1b5983d8de206775be46fe166a

commit f5b51caa68658f1b5983d8de206775be46fe166a
Author: Andrey Pronin <apronin@chromium.org>
Date: Tue Aug 22 05:03:58 2017

trunks: Stop background thread when exiting trunksd

The background thread may access and holds references to
BackgroundCommandTransceiver, ResourceManager and other objects,
created by the main thread. Stop the background thread
before these objects are destroyed when the daemon exits.

BUG= chromium:754813 
BUG=chromium:752811
TEST=reboot without trunksd coredump in /var/spool/crash

Change-Id: I0ed0a2a6853114066a683ae6be977dcc977b4c34
Reviewed-on: https://chromium-review.googlesource.com/612265
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>

[modify] https://crrev.com/f5b51caa68658f1b5983d8de206775be46fe166a/trunks/trunksd.cc

Status: Fixed (was: Untriaged)
Project Member

Comment 3 by bugdroid1@chromium.org, Sep 15 2017

Labels: merge-merged-release-R61-9765.B
The following revision refers to this bug:
  https://chromium.googlesource.com/aosp/platform/system/tpm/+/3964508230c148f65a5a3369e266a843af972baa

commit 3964508230c148f65a5a3369e266a843af972baa
Author: Andrey Pronin <apronin@chromium.org>
Date: Fri Sep 15 01:24:01 2017

trunks: Stop background thread when exiting trunksd

The background thread may access and holds references to
BackgroundCommandTransceiver, ResourceManager and other objects,
created by the main thread. Stop the background thread
before these objects are destroyed when the daemon exits.

BUG= chromium:754813 
BUG=chromium:752811
TEST=reboot without trunksd coredump in /var/spool/crash

Change-Id: I0ed0a2a6853114066a683ae6be977dcc977b4c34
Reviewed-on: https://chromium-review.googlesource.com/612265
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
(cherry picked from commit f5b51caa68658f1b5983d8de206775be46fe166a)

[modify] https://crrev.com/3964508230c148f65a5a3369e266a843af972baa/trunks/trunksd.cc

Issue 752812 has been merged into this issue.
