services_unittests failing on ClangToTLinuxUBSanVptr tester / null deref in ui::ws::Display::OnFocusChanged
Issue description

For example: https://build.chromium.org/p/chromium.fyi/builders/ClangToTLinuxUBSanVptr%20tester/builds/1492

The bot has been red for a long time, but these specific failures look somewhat new, so maybe something changed.

[ RUN      ] WindowTreeTest.MoveCaptureWindowToModalParent
Received signal 11 SEGV_MAPERR 000000000000
#0 0x00000236db7d base::debug::StackTrace::StackTrace()
#1 0x00000236d5a3 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f1f6c4ca330 <unknown>
#3 0x0000076f1f9f ui::ws::Display::OnFocusChanged()
#4 0x00000771698f ui::ws::FocusController::SetFocusedWindowImpl()
#5 0x00000771bd16 ui::ws::FocusController::ProcessDrawnOrRootChange()
#6 0x000007732650 ui::ws::ServerWindow::~ServerWindow()
#7 0x000007734b0d ui::ws::ServerWindow::~ServerWindow()
#8 0x00000777e79b ui::ws::WindowTree::DestroyWindows()
#9 0x00000777da6f ui::ws::WindowTree::~WindowTree()
#10 0x00000777ea1d ui::ws::WindowTree::~WindowTree()
#11 0x00000776aa2c ui::ws::WindowServer::DestroyTree()
#12 0x0000076e9dea ui::ws::Display::~Display()
#13 0x0000076ea5ad ui::ws::Display::~Display()
#14 0x0000076f7481 ui::ws::DisplayManager::DestroyDisplay()
#15 0x0000076f3cda ui::ws::DisplayManager::DestroyAllDisplays()
#16 0x000007769546 ui::ws::WindowServer::~WindowServer()
#17 0x00000776ac6d ui::ws::WindowServer::~WindowServer()
#18 0x0000008a3581 ui::ws::test::WindowServerTestHelper::~WindowServerTestHelper()
#19 0x000000a092f8 ui::ws::test::WindowTreeTest_MoveCaptureWindowToModalParent_Test::~WindowTreeTest_MoveCaptureWindowToModalParent_Test()
#20 0x000000c429a6 testing::TestInfo::Run()
#21 0x000000c44223 testing::TestCase::Run()
#22 0x000000c554e8 testing::internal::UnitTestImpl::RunAllTests()
#23 0x000000c54484 testing::UnitTest::Run()
#24 0x0000038d31fa base::TestSuite::Run()
#25 0x0000038de4f4 base::(anonymous namespace)::LaunchUnitTestsInternal()
#26 0x0000038de33a base::LaunchUnitTests()
#27 0x000002364c28 service_manager::InitializeAndLaunchUnitTests()
#28 0x000000aa75f6 main
#29 0x7f1f66802f45 __libc_start_main
#30 0x0000004a2ebb <unknown>
  r8: 000000000034e6e7  r9: 0000000000000000 r10: 00003f638223ac24 r11: 00007f1f6696b110
 r12: 000000000c996ec0 r13: 9ddfea08eb382d69 r14: 00003f63821f3000 r15: 00003f6382234c80
  di: 000000000bd414f4  si: 0000000000000000  bp: 00007ffd071686c0  bx: 1b2e3caa4ee6f3ff
  dx: 00000000076f1f9a  ax: 0000000000000000  cx: 0000000000000000  sp: 00007ffd07168660
  ip: 00000000076f1f9f efl: 0000000000010202 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Aug 29 2017
Aug 29 2017
Looks like new_focused_window is null at the end of ui::ws::Display::OnFocusChanged:

  UpdateTextInputState(new_focused_window,
                       new_focused_window->text_input_state());
ServerWindow::text_input_state() returns a reference, so it's not dereferencing the this-pointer, just indexing off it.
  const ui::TextInputState& text_input_state() const {
    return text_input_state_;
  }
Presumably the failure comes further down the line when the reference is accessed.
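The observation above (a member function called through a null pointer returns a reference computed from that pointer, and the fault only surfaces when the reference is read) is easier to see in a small model of the teardown path from the stack trace. The following is an added example, not Chromium's code: the class and method names mirror ui::ws but are stand-ins, the FocusController and the text-input bookkeeping are simplified, and the null guard in OnFocusChanged is the shape of fix the thread converges on, not the project's exact change.

```cpp
// Added example (not Chromium's code): a cut-down model of the path in the
// stack trace (window destruction -> FocusController -> Display::OnFocusChanged)
// with the null new_focused_window case and a guard. All names are stand-ins.
#include <cstdio>
#include <memory>
#include <vector>

struct TextInputState {
  int type = 0;  // stand-in for the fields of ui::TextInputState
};

class ServerWindow {
 public:
  explicit ServerWindow(int text_type) { text_input_state_.type = text_type; }
  // Same shape as the real accessor: a reference into *this. Calling it through
  // a null pointer is undefined behaviour; an unsanitized build usually just
  // forms the address null + offsetof(text_input_state_) and faults when that
  // reference is read later, while UBSan reports the call itself.
  const TextInputState& text_input_state() const { return text_input_state_; }

 private:
  TextInputState text_input_state_;
};

class Display {
 public:
  // Returns the window whose text input state was published, or nullptr when
  // the update was skipped because focus moved to no window at all.
  const ServerWindow* OnFocusChanged(const ServerWindow* /*old_focused_window*/,
                                     const ServerWindow* new_focused_window) {
    ++focus_changes_;
    // The guard: with no new focused window there is no state to publish.
    // Without it the call below is the bug from the stack trace.
    if (!new_focused_window)
      return nullptr;
    UpdateTextInputState(new_focused_window,
                         new_focused_window->text_input_state());
    return new_focused_window;
  }
  int focus_changes() const { return focus_changes_; }
  int last_text_type() const { return last_text_type_; }

 private:
  void UpdateTextInputState(const ServerWindow*, const TextInputState& state) {
    last_text_type_ = state.type;  // the deferred read that would segfault
  }
  int focus_changes_ = 0;
  int last_text_type_ = -1;
};

// Stand-in for FocusController: owns the windows, tracks focus, and when the
// focused window is destroyed reports a change to nullptr, as at teardown.
class FocusController {
 public:
  explicit FocusController(Display* display) : display_(display) {}
  ServerWindow* AddWindow(int text_type) {
    windows_.push_back(std::make_unique<ServerWindow>(text_type));
    return windows_.back().get();
  }
  void SetFocusedWindow(ServerWindow* window) {
    const ServerWindow* old = focused_;
    focused_ = window;
    display_->OnFocusChanged(old, focused_);
  }
  void DestroyAllWindows() {
    while (!windows_.empty()) {
      if (windows_.back().get() == focused_)
        SetFocusedWindow(nullptr);  // focus falls back to "no window"
      windows_.pop_back();
    }
  }

 private:
  Display* display_;
  std::vector<std::unique_ptr<ServerWindow>> windows_;
  ServerWindow* focused_ = nullptr;
};

struct TeardownResult {
  int focus_changes;   // how often the display was told focus moved
  int last_text_type;  // text type from the last *published* update
};

// Drives the sequence from the bug: focus a window, then tear everything down.
TeardownResult RunTeardownScenario() {
  Display display;
  FocusController controller(&display);
  ServerWindow* a = controller.AddWindow(1);
  controller.AddWindow(2);
  controller.SetFocusedWindow(a);  // focus -> a, text type 1 published
  controller.DestroyAllWindows();  // a destroyed last: focus -> nullptr, skipped
  return {display.focus_changes(), display.last_text_type()};
}

int main() {
  TeardownResult r = RunTeardownScenario();
  std::printf("focus changes: %d, last published text type: %d\n",
              r.focus_changes, r.last_text_type);
}
```

Removing the `if (!new_focused_window)` line and building with `-fsanitize=null` (or the UBSan vptr check used by the bot) reports the call to `text_input_state()` on the second focus change, whereas a plain build reaches `UpdateTextInputState` and faults on the read of `state.type`, matching the two traces in this thread.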
Aug 29 2017
riajiang, can you take a look?
The following check shows the problem also in a non-ubsan build:
diff --git a/services/ui/ws/display.cc b/services/ui/ws/display.cc
index 377fc2c28203..b922a399c609 100644
--- a/services/ui/ws/display.cc
+++ b/services/ui/ws/display.cc
@@ -396,6 +396,7 @@ void Display::OnFocusChanged(FocusControllerChangeSource change_source,
}
}
+ CHECK(new_focused_window);
UpdateTextInputState(new_focused_window,
new_focused_window->text_input_state());
}
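Review bot: CHECK(new_focused_window) turns the null dereference into a deliberate crash, which is the right diagnostic but not a shippable fix: both stack traces reach OnFocusChanged from ~ServerWindow via ProcessDrawnOrRootChange during WindowTree::DestroyWindows(), where the focused window is being destroyed and nothing replaces it, so a null new_focused_window is a legitimate teardown state. The landed change should skip the `UpdateTextInputState(new_focused_window, new_focused_window->text_input_state());` call (return early when new_focused_window is null) rather than CHECK. Also worth confirming that nothing earlier in OnFocusChanged, above this hunk's context, already dereferences the pointer.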
Note: Google Test filter = WindowTreeTest.MoveCaptureWindowToModalParent
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from WindowTreeTest
[ RUN ] WindowTreeTest.MoveCaptureWindowToModalParent
[64402:64402:0829/162018.846305:11434541467815:FATAL:display.cc(399)] Check failed: new_focused_window.
#0 0x000000f97637 base::debug::StackTrace::StackTrace()
#1 0x000000fa5371 logging::LogMessage::~LogMessage()
#2 0x0000025a661c ui::ws::Display::OnFocusChanged()
#3 0x0000025addd8 ui::ws::FocusController::SetFocusedWindowImpl()
#4 0x0000025ae9db ui::ws::FocusController::ProcessDrawnOrRootChange()
#5 0x0000025b3142 ui::ws::ServerWindow::~ServerWindow()
#6 0x0000025b39c9 ui::ws::ServerWindow::~ServerWindow()
#7 0x0000025c1def ui::ws::WindowTree::DestroyWindows()
#8 0x0000025c1abe ui::ws::WindowTree::~WindowTree()
#9 0x0000025c1eb9 ui::ws::WindowTree::~WindowTree()
#10 0x0000025bde1a ui::ws::WindowServer::DestroyTree()
#11 0x0000025a5429 ui::ws::Display::~Display()
#12 0x0000025a5589 ui::ws::Display::~Display()
#13 0x0000025a7a73 ui::ws::DisplayManager::DestroyDisplay()
#14 0x0000025a69f0 ui::ws::DisplayManager::DestroyAllDisplays()
#15 0x0000025bd861 ui::ws::WindowServer::~WindowServer()
#16 0x0000025bde79 ui::ws::WindowServer::~WindowServer()
#17 0x00000056d051 ui::ws::test::WindowServerTestHelper::~WindowServerTestHelper()
#18 0x0000005d0c17 ui::ws::test::WindowTreeTest_Embed_Test::~WindowTreeTest_Embed_Test()
#19 0x0000006c56a1 testing::TestInfo::Run()
#20 0x0000006c5b37 testing::TestCase::Run()
#21 0x0000006cbe27 testing::internal::UnitTestImpl::RunAllTests()
#22 0x0000006cbab3 testing::UnitTest::Run()
#23 0x0000015c3334 base::TestSuite::Run()
#24 0x0000015c9a1a base::(anonymous namespace)::LaunchUnitTestsInternal()
#25 0x0000015c98da base::LaunchUnitTests()
#26 0x000000f92d40 service_manager::InitializeAndLaunchUnitTests()
#27 0x0000005fdafe main
#28 0x7f084c6e2f45 __libc_start_main
#29 0x0000004303d0 <unknown>
[1/1] WindowTreeTest.MoveCaptureWindowToModalParent (CRASHED)
1 test crashed:
WindowTreeTest.MoveCaptureWindowToModalParent (../../services/ui/ws/window_tree_unittest.cc:1156)
Tests took 0 seconds.
Aug 30 2017
hans, could you tell me how to repro this locally? How do I get "a pinned clang" and can you specify "in a non-ubsan build"? Thanks.
Aug 30 2017
> hans, could you tell me how to repro this locally? How do I get "a pinned clang" and can you specify "in a non-ubsan build"? Thanks.

Just insert the CHECK I showed in #4, build services_unittests in any build configuration and run it:

$ ninja -C out/foo -j 500 services_unittests
$ out/foo/services_unittests --gtest_filter=WindowTreeTest.MoveCaptureWindowToModalParent
IMPORTANT DEBUGGING NOTE: batches of tests are run inside their
own process. For debugging a test inside a debugger, use the
--gtest_filter=<your_test_name> flag along with
--single-process-tests.
Using sharding settings from environment. This is shard 0/1
Using 1 parallel jobs.
Note: Google Test filter = WindowTreeTest.MoveCaptureWindowToModalParent
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from WindowTreeTest
[ RUN      ] WindowTreeTest.MoveCaptureWindowToModalParent
[20051:20051:0830/090257.987272:11494700608787:FATAL:display.cc(402)] Check failed: new_focused_window.
Aug 30 2017
Aug 31 2017
Thanks hans for debugging this! CL in review to address this https://chromium-review.googlesource.com/c/chromium/src/+/646266.
Aug 31 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/802d81aeef96551dee7f69dca5fd0cd46788b24f

commit 802d81aeef96551dee7f69dca5fd0cd46788b24f
Author: Ria Jiang <riajiang@chromium.org>
Date: Thu Aug 31 22:59:51 2017

Do not update text input state when there's no new focused window.

Bug: 760335
Test: covered by tests
Change-Id: I7c326c19593fa5e1a1ed392bd229f0b12644d4a0
Reviewed-on: https://chromium-review.googlesource.com/646266
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Commit-Queue: Ria Jiang <riajiang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#499058}

[modify] https://crrev.com/802d81aeef96551dee7f69dca5fd0cd46788b24f/services/ui/ws/display.cc
Sep 1 2017
Feb 26 2018
Comment 1 by h...@chromium.org, Aug 29 2017