
Issue 763412

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug


mash: Shutdown crashes in ui::CursorLoaderOzone::~CursorLoaderOzone

Reported by jamescook@chromium.org (Project Member), Sep 8 2017

Issue description

chrome ToT r500595, but I think this has been happening for a few weeks

* Run chrome --mash
* Click system tray > sign out

Crash:

Received signal 11 SEGV_MAPERR ffffc9be0f0c8a9a
#0 0x7fa634d94f6c base::debug::StackTrace::StackTrace()
#1 0x7fa634d94a61 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fa634f16330 <unknown>
#3 0x7fa6351ca7dc ui::CursorLoaderOzone::~CursorLoaderOzone()
#4 0x564c07ce6112 std::__1::__tree<>::destroy()
#5 0x564c07e1863d ui::(anonymous namespace)::ThreadedImageCursorsFactoryImpl::~ThreadedImageCursorsFactoryImpl()
#6 0x564c07e14e5c ui::Service::~Service()
#7 0x564c07e14fbe ui::Service::~Service()
#8 0x7fa630fdf2f1 service_manager::ServiceContext::~ServiceContext()
#9 0x7fa6352e2a99 _ZN4base8internal7InvokerINS0_9BindStateIZN15service_manager12_GLOBAL__N_110RunServiceEPNS3_12MainDelegateEE3$_0JS6_PiEEEFvN4mojo16InterfaceRequestINS3_5mojom7ServiceEEEEE3RunEPNS0_13BindStateBaseEOSE_
#10 0x7fa6352e4866 service_manager::RunStandaloneService()
#11 0x7fa6352e22e7 service_manager::Main()
#12 0x7fa632ab1a04 content::ContentMain()
#13 0x564c074645e8 ChromeMain
#14 0x7fa628fe3f45 __libc_start_main
#15 0x564c07464424 <unknown>

This used to shutdown cleanly. To kylechar based on git blame, but feel free to reassign if there's a better owner.


Comment 1 by e...@chromium.org, Sep 8 2017

Cc: mfomitchev@chromium.org
+mfomitchev, since this might be a threaded image cursor factory timing issue.
We are destroying the OzoneCursorFactory before we destroy CursorLoaderOzone (via ThreadedImageCursorsFactory). I recently fixed CursorLoaderOzone so it doesn't leak cursors on shutdown, but that requires accessing OzoneCursorFactory, which explains the crash. It's hopefully a matter of changing the destruction order?

Comment 3 by bugdroid1@chromium.org (Project Member), Sep 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6d5d2dc4c4ce5cb2649c17bdb357d231e4714da5

commit 6d5d2dc4c4ce5cb2649c17bdb357d231e4714da5
Author: kylechar <kylechar@chromium.org>
Date: Fri Sep 08 21:33:35 2017

mash: Fix cursor shutdown.

CursorLoaderOzone was accessing the OzoneCursorFactory instance after it
was destroyed. Reverse destruction order to fix this. Also unnest some
ifdefs that don't need to be nested anymore.

Bug: 763412
Change-Id: I4f63ecdc396aa174eef482f47f4b8f828fe9578b
Reviewed-on: https://chromium-review.googlesource.com/657628
Reviewed-by: Elliot Glaysher <erg@chromium.org>
Commit-Queue: kylechar <kylechar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500692}
[modify] https://crrev.com/6d5d2dc4c4ce5cb2649c17bdb357d231e4714da5/services/ui/service.cc
[modify] https://crrev.com/6d5d2dc4c4ce5cb2649c17bdb357d231e4714da5/services/ui/service.h

Status: Fixed (was: Assigned)
I wasn't able to reproduce the crash itself locally, but I have fixed the use after free I think was causing it. If this isn't fixed please reopen!
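The destruction-order bug described in Comment 1 (the factory is torn down before the loader whose destructor still needs it) and the fix the commit above describes (reverse the destruction order), reduced to a stand-alone illustration. This is an added C++ example, not Chromium code: the class names `CursorFactory`, `CursorLoader`, `ServiceBuggy` and `ServiceFixed`, the `FactoryLifetime` bookkeeping struct, and the choice to fix the order through member declaration order are assumptions made here, not the actual change in services/ui/service.cc. It relies on the language rule that non-static data members are destroyed in reverse order of declaration, and it records the would-be use-after-free in a flag instead of dereferencing the dead object.

```cpp
#include <iostream>
#include <memory>

// Constructed bookkeeping (assumption, not part of any real API): lets the
// loader's destructor detect a dead factory instead of dereferencing it.
struct FactoryLifetime {
  bool alive = false;
  bool accessed_after_death = false;
};

// Stand-in for OzoneCursorFactory: marks itself dead when destroyed.
class CursorFactory {
 public:
  explicit CursorFactory(FactoryLifetime* lt) : lt_(lt) { lt_->alive = true; }
  ~CursorFactory() { lt_->alive = false; }
  void ReleaseCursor() {}  // where real cursor resources would be freed
 private:
  FactoryLifetime* lt_;
};

// Stand-in for CursorLoaderOzone: releases its cursors through the factory
// from its own destructor, so it requires the factory to outlive it.
class CursorLoader {
 public:
  CursorLoader(CursorFactory* factory, FactoryLifetime* lt)
      : factory_(factory), lt_(lt) {}
  ~CursorLoader() {
    if (!lt_->alive) {
      // In the real bug this would be a use-after-free (the SEGV in the
      // report); here we only record it and never touch factory_.
      lt_->accessed_after_death = true;
      return;
    }
    factory_->ReleaseCursor();
  }
 private:
  CursorFactory* factory_;
  FactoryLifetime* lt_;
};

// "Before": loader_ is declared before factory_. Members are destroyed in
// reverse declaration order, so factory_ dies first and ~CursorLoader then
// runs against a destroyed factory.
class ServiceBuggy {
 public:
  explicit ServiceBuggy(FactoryLifetime* lt) {
    factory_ = std::make_unique<CursorFactory>(lt);
    loader_ = std::make_unique<CursorLoader>(factory_.get(), lt);
  }
 private:
  std::unique_ptr<CursorLoader> loader_;    // destroyed second
  std::unique_ptr<CursorFactory> factory_;  // destroyed first (wrong)
};

// "After": the dependency is declared first, so the dependent loader_ is
// destroyed first and the factory is still alive when it is needed.
class ServiceFixed {
 public:
  explicit ServiceFixed(FactoryLifetime* lt) {
    factory_ = std::make_unique<CursorFactory>(lt);
    loader_ = std::make_unique<CursorLoader>(factory_.get(), lt);
  }
 private:
  std::unique_ptr<CursorFactory> factory_;  // destroyed second
  std::unique_ptr<CursorLoader> loader_;    // destroyed first (correct)
};

// Returns true if the loader reached for a dead factory during shutdown.
bool LoaderTouchedDeadFactoryBuggy() {
  FactoryLifetime lt;
  { ServiceBuggy service(&lt); }  // shutdown happens at end of scope
  return lt.accessed_after_death;
}

bool LoaderTouchedDeadFactoryFixed() {
  FactoryLifetime lt;
  { ServiceFixed service(&lt); }
  return lt.accessed_after_death;
}

int main() {
  std::cout << "buggy order touches dead factory: "
            << LoaderTouchedDeadFactoryBuggy() << "\n"
            << "fixed order touches dead factory: "
            << LoaderTouchedDeadFactoryFixed() << "\n";
  return 0;
}
```

The same ordering rule applies whether the members are owned directly, through `std::unique_ptr`, or reset explicitly in a hand-written destructor: whichever object's destructor still calls into another must be destroyed first. AddressSanitizer builds report the buggy layout as a heap-use-after-free at the `factory_->ReleaseCursor()` call, which is the usual way to catch this class of shutdown crash before it ships.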

Comment 5 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 6 by dchan@chromium.org, Jan 23 2018

Status: Fixed (was: Archived)
Components: -Internals>MUS Internals>Services>WindowService
