mash: Shutdown use-after-free in discardable_memory::DiscardableSharedMemoryManager::ClientRemoved
Issue description

Pretty much every browser_test --mash has this shutdown UAF. The tests still pass, but it makes it tricky to use ASAN to debug other browser_tests issues.

Chrome ToT r520856 for chromeos under ASAN:

is_asan = true
is_debug = false
use_goma = true
target_os="chromeos"

testing/xvfb.py out/asan/browser_tests --gtest_filter="BrowserTest.WindowOpenClose1" --mash 2>&1 | tools/valgrind/asan/asan_symbolize.py

==51846==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100026a3d0 at pc 0x000011c42536 bp 0x7fff27ac5bb0 sp 0x7fff27ac5ba8
READ of size 8 at 0x61100026a3d0 thread T0 (browser_tests)
    #0 0x11c42535 in size /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__hash_table:815:55
    #1 0x11c42535 in bucket_count /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__hash_table:1168:0
    #2 0x11c42535 in find<int> /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__hash_table:2220:0
    #3 0x11c42535 in find /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/unordered_map:1102:0
    #4 0x11c42535 in discardable_memory::DiscardableSharedMemoryManager::ClientRemoved(int) /w/chrome/src/out/asan/../../components/discardable_memory/service/discardable_shared_memory_manager.cc:332:0
    #5 0x11c44d67 in ~MojoDiscardableSharedMemoryManagerImpl /w/chrome/src/out/asan/../../components/discardable_memory/service/discardable_shared_memory_manager.cc:61:15
    #6 0x11c44d67 in discardable_memory::(anonymous namespace)::MojoDiscardableSharedMemoryManagerImpl::~MojoDiscardableSharedMemoryManagerImpl() /w/chrome/src/out/asan/../../components/discardable_memory/service/discardable_shared_memory_manager.cc:58:0
    #7 0x11c465b9 in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2233:5
    #8 0x11c465b9 in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2546:0
    #9 0x11c465b9 in ~unique_ptr /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2500:0
    #10 0x11c465b9 in ~StrongBinding /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/strong_binding.h:111:0
    #11 0x11c465b9 in mojo::StrongBinding<discardable_memory::mojom::DiscardableSharedMemoryManager>::Close() /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/strong_binding.h:91:0
    #12 0x11c45e32 in mojo::StrongBinding<discardable_memory::mojom::DiscardableSharedMemoryManager>::OnConnectionError(unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/strong_binding.h:121:5
    #13 0xeb38613 in Run /w/chrome/src/out/asan/../../base/callback.h:65:12
    #14 0xeb38613 in mojo::InterfaceEndpointClient::NotifyError(base::Optional<mojo::DisconnectReason> const&) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:331:0
    #15 0xeb4ca39 in mojo::internal::MultiplexRouter::ProcessNotifyErrorTask(mojo::internal::MultiplexRouter::Task*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:800:13
    #16 0xeb47cf6 in mojo::internal::MultiplexRouter::ProcessTasks(mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:713:15
    #17 0xeb43a50 in mojo::internal::MultiplexRouter::OnPipeConnectionError() /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:682:3
[       OK ] BrowserTest.WindowOpenClose1 (3157 ms)
[----------] 1 test from BrowserTest (3157 ms total)
    #18 0xeb32630 in Run /w/chrome/src/out/asan/../../base/callback.h:65:12
    #19 0xeb32630 in mojo::Connector::HandleError(bool, bool) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/connector.cc:534:0
    #20 0xeb7c84f in Run /w/chrome/src/out/asan/../../base/callback.h:94:12
    #21 0xeb7c84f in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) /w/chrome/src/out/asan/../../mojo/public/cpp/system/simple_watcher.cc:276:0
    #22 0xb247a7a in Run /w/chrome/src/out/asan/../../base/callback.h:65:12
    #23 0xb247a7a in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /w/chrome/src/out/asan/../../base/debug/task_annotator.cc:55:0
    #24 0xb29d63d in base::MessageLoop::RunTask(base::PendingTask*) /w/chrome/src/out/asan/../../base/message_loop/message_loop.cc:391:25
[----------] Global test environment tear-down
    #25 0xb29e9c7 in DeferOrRunPendingTask /w/chrome/src/out/asan/../../base/message_loop/message_loop.cc:403:5
    #26 0xb29e9c7 in base::MessageLoop::DoWork() /w/chrome/src/out/asan/../../base/message_loop/message_loop.cc:447:0
    #27 0xb2a31d0 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /w/chrome/src/out/asan/../../base/message_loop/message_pump_libevent.cc:220:31
    #28 0xb30fec1 in base::RunLoop::Run() /w/chrome/src/out/asan/../../base/run_loop.cc:114:14
    #29 0xaf8cee3 in content::UtilityMain(content::MainFunctionParams const&) /w/chrome/src/out/asan/../../content/utility/utility_main.cc:103:19
    #30 0xb005b1a in content::ContentMainRunnerImpl::Run() /w/chrome/src/out/asan/../../content/app/content_main_runner.cc:705:12
    #31 0x10e17b41 in service_manager::Main(service_manager::MainParams const&) /w/chrome/src/out/asan/../../services/service_manager/embedder/main.cc:456:29
    #32 0xb0021b3 in content::ContentMain(content::ContentMainParams const&) /w/chrome/src/out/asan/../../content/app/content_main.cc:19:10
    #33 0xc4c9573 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) /w/chrome/src/out/asan/../../content/public/test/test_launcher.cc:621:12
    #34 0xb21b02b in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) /w/chrome/src/out/asan/../../chrome/test/base/chrome_test_launcher.cc:169:10
    #35 0xb2199a1 in RunMashBrowserTests(int, char**, int*) /w/chrome/src/out/asan/../../chrome/test/base/mash_browser_tests_main.cc:85:7
    #36 0xb21966e in main /w/chrome/src/out/asan/../../chrome/test/base/browser_tests_main_chromeos.cc:13:7
    #37 0x7fa97722ef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287:0

0x61100026a3d0 is located 80 bytes inside of 208-byte region [0x61100026a380,0x61100026a450)
freed by thread T0 (browser_tests) here:
[==========] 1 test from 1 test case ran. (3157 ms total)
[  PASSED  ] 1 test.
    #0 0x9808d2 in operator delete(void*) _asan_rtl_:3
    #1 0x7fb6aa5 in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2233:5
    #2 0x7fb6aa5 in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2546:0
    #3 0x7fb6aa5 in ~unique_ptr /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2500:0
    #4 0x7fb6aa5 in ui::Service::~Service() /w/chrome/src/out/asan/../../services/ui/service.cc:171:0
    #5 0x7fb703d in ui::Service::~Service() /w/chrome/src/out/asan/../../services/ui/service.cc:152:21
    #6 0xcf36cbe in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2233:5
    #7 0xcf36cbe in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2546:0
    #8 0xcf36cbe in ~unique_ptr /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2500:0
    #9 0xcf36cbe in service_manager::ServiceContext::~ServiceContext() /w/chrome/src/out/asan/../../services/service_manager/public/cpp/service_context.cc:91:0
    #10 0xcf36d4d in service_manager::ServiceContext::~ServiceContext() /w/chrome/src/out/asan/../../services/service_manager/public/cpp/service_context.cc:91:35
    #11 0x10e1eba4 in operator() /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2233:5
    #12 0x10e1eba4 in reset /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2546:0
    #13 0x10e1eba4 in ~unique_ptr /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:2500:0
    #14 0x10e1eba4 in ~pair /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/utility:312:0
    #15 0x10e1eba4 in __destroy<std::__1::pair<service_manager::ServiceContext *const, std::__1::unique_ptr<service_manager::ServiceContext, std::__1::default_delete<service_manager::ServiceContext> > > > /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1687:0
    #16 0x10e1eba4 in destroy<std::__1::pair<service_manager::ServiceContext *const, std::__1::unique_ptr<service_manager::ServiceContext, std::__1::default_delete<service_manager::ServiceContext> > > > /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1550:0
    #17 0x10e1eba4 in erase /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__tree:2368:0
    #18 0x10e1eba4 in erase /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/map:1194:0
    #19 0x10e1eba4 in service_manager::EmbeddedInstanceManager::OnInstanceLost(int) /w/chrome/src/out/asan/../../services/service_manager/embedder/embedded_instance_manager.cc:98:0
    #20 0xcf36aba in Run /w/chrome/src/out/asan/../../base/callback.h:105:12
    #21 0xcf36aba in QuitNow /w/chrome/src/out/asan/../../services/service_manager/public/cpp/service_context.cc:113:0
    #22 0xcf36aba in service_manager::ServiceContext::OnConnectionError() /w/chrome/src/out/asan/../../services/service_manager/public/cpp/service_context.cc:153:0
    #23 0xeb384c0 in Run /w/chrome/src/out/asan/../../base/callback.h:65:12
    #24 0xeb384c0 in mojo::InterfaceEndpointClient::NotifyError(base::Optional<mojo::DisconnectReason> const&) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:325:0
    #25 0xeb4ca5e in mojo::internal::MultiplexRouter::ProcessNotifyErrorTask(mojo::internal::MultiplexRouter::Task*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:800:13
    #26 0xeb47cf6 in mojo::internal::MultiplexRouter::ProcessTasks(mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:713:15
    #27 0xeb43a50 in mojo::internal::MultiplexRouter::OnPipeConnectionError() /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:682:3
    #28 0xeb32630 in Run /w/chrome/src/out/asan/../../base/callback.h:65:12
    #29 0xeb32630 in mojo::Connector::HandleError(bool, bool) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/connector.cc:534:0
    #30 0xeb7c84f in Run /w/chrome/src/out/asan/../../base/callback.h:94:12
    #31 0xeb7c84f in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) /w/chrome/src/out/asan/../../mojo/public/cpp/system/simple_watcher.cc:276:0
    #32 0xb247a7a in Run /w/chrome/src/out/asan/../../base/callback.h:65:12
    #33 0xb247a7a in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /w/chrome/src/out/asan/../../base/debug/task_annotator.cc:55:0
    #34 0xb29d63d in base::MessageLoop::RunTask(base::PendingTask*) /w/chrome/src/out/asan/../../base/message_loop/message_loop.cc:391:25
    #35 0xb29e9c7 in DeferOrRunPendingTask /w/chrome/src/out/asan/../../base/message_loop/message_loop.cc:403:5
    #36 0xb29e9c7 in base::MessageLoop::DoWork() /w/chrome/src/out/asan/../../base/message_loop/message_loop.cc:447:0
    #37 0xb2a31d0 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /w/chrome/src/out/asan/../../base/message_loop/message_pump_libevent.cc:220:31
    #38 0xb30fec1 in base::RunLoop::Run() /w/chrome/src/out/asan/../../base/run_loop.cc:114:14
    #39 0xaf8cee3 in content::UtilityMain(content::MainFunctionParams const&) /w/chrome/src/out/asan/../../content/utility/utility_main.cc:103:19
    #40 0xb005b1a in content::ContentMainRunnerImpl::Run() /w/chrome/src/out/asan/../../content/app/content_main_runner.cc:705:12
    #41 0x10e17b41 in service_manager::Main(service_manager::MainParams const&) /w/chrome/src/out/asan/../../services/service_manager/embedder/main.cc:456:29
    #42 0xb0021b3 in content::ContentMain(content::ContentMainParams const&) /w/chrome/src/out/asan/../../content/app/content_main.cc:19:10
    #43 0xc4c9573 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) /w/chrome/src/out/asan/../../content/public/test/test_launcher.cc:621:12
    #44 0xb21b02b in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) /w/chrome/src/out/asan/../../chrome/test/base/chrome_test_launcher.cc:169:10
    #45 0xb2199a1 in RunMashBrowserTests(int, char**, int*) /w/chrome/src/out/asan/../../chrome/test/base/mash_browser_tests_main.cc:85:7
    #46 0xb21966e in main /w/chrome/src/out/asan/../../chrome/test/base/browser_tests_main_chromeos.cc:13:7
    #47 0x7fa97722ef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287:0

previously allocated by thread T0 (browser_tests) here:
    #0 0x97fcf2 in operator new(unsigned long) _asan_rtl_:3
    #1 0x7fb9b01 in make_unique<discardable_memory::DiscardableSharedMemoryManager> /w/chrome/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:3026:28
    #2 0x7fb9b01 in ui::Service::OnStart() /w/chrome/src/out/asan/../../services/ui/service.cc:301:0
    #3 0xcf37205 in service_manager::ServiceContext::OnStart(service_manager::Identity const&, base::OnceCallback<void (mojo::InterfaceRequest<service_manager::mojom::Connector>, mojo::AssociatedInterfaceRequest<service_manager::mojom::ServiceControl>)>) /w/chrome/src/out/asan/../../services/service_manager/public/cpp/service_context.cc:125:13
    #4 0xeb9c766 in service_manager::mojom::ServiceStubDispatch::AcceptWithResponder(service_manager::mojom::Service*, mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) /w/chrome/src/out/asan/gen/services/service_manager/public/interfaces/service.mojom.cc:450:13
    #5 0xcf3914c in service_manager::mojom::ServiceStub<mojo::RawPtrImplRefTraits<service_manager::mojom::Service> >::AcceptWithResponder(mojo::Message*, std::__1::unique_ptr<mojo::MessageReceiverWithStatus, std::__1::default_delete<mojo::MessageReceiverWithStatus> >) /w/chrome/src/out/asan/gen/services/service_manager/public/interfaces/service.mojom.h:173:12
    #6 0xeb35958 in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:393:34
    #7 0xeb4bbfe in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:880:42
    #8 0xeb4a450 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:604:38
    #9 0xeb33154 in mojo::Connector::ReadSingleMessage(unsigned int*) /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/connector.cc:440:51
    #10 0xeb34876 in mojo::Connector::ReadAllAvailableMessages() /w/chrome/src/out/asan/../../mojo/public/cpp/bindings/lib/connector.cc:469:10
    #11 0xeb7c84f in Run /w/chrome/src/out/asan/../../base/callback.h:94:12
    #12 0xeb7c84f in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) /w/chrome/src/out/asan/../../mojo/public/cpp/system/simple_watcher.cc:276:0
    #13 0xb247a7a in Run /w/chrome/src/out/asan/../../base/callback.h:65:12
    #14 0xb247a7a in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /w/chrome/src/out/asan/../../base/debug/task_annotator.cc:55:0
    #15 0xb29d63d in base::MessageLoop::RunTask(base::PendingTask*) /w/chrome/src/out/asan/../../base/message_loop/message_loop.cc:391:25
    #16 0xb29e9c7 in DeferOrRunPendingTask /w/chrome/src/out/asan/../../base/message_loop/message_loop.cc:403:5
    #17 0xb29e9c7 in base::MessageLoop::DoWork() /w/chrome/src/out/asan/../../base/message_loop/message_loop.cc:447:0
    #18 0xb2a31d0 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /w/chrome/src/out/asan/../../base/message_loop/message_pump_libevent.cc:220:31
    #19 0xb30fec1 in base::RunLoop::Run() /w/chrome/src/out/asan/../../base/run_loop.cc:114:14
    #20 0xaf8cee3 in content::UtilityMain(content::MainFunctionParams const&) /w/chrome/src/out/asan/../../content/utility/utility_main.cc:103:19
    #21 0xb005b1a in content::ContentMainRunnerImpl::Run() /w/chrome/src/out/asan/../../content/app/content_main_runner.cc:705:12
    #22 0x10e17b41 in service_manager::Main(service_manager::MainParams const&) /w/chrome/src/out/asan/../../services/service_manager/embedder/main.cc:456:29
    #23 0xb0021b3 in content::ContentMain(content::ContentMainParams const&) /w/chrome/src/out/asan/../../content/app/content_main.cc:19:10
    #24 0xc4c9573 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) /w/chrome/src/out/asan/../../content/public/test/test_launcher.cc:621:12
    #25 0xb21b02b in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) /w/chrome/src/out/asan/../../chrome/test/base/chrome_test_launcher.cc:169:10
    #26 0xb2199a1 in RunMashBrowserTests(int, char**, int*) /w/chrome/src/out/asan/../../chrome/test/base/mash_browser_tests_main.cc:85:7
    #27 0xb21966e in main /w/chrome/src/out/asan/../../chrome/test/base/browser_tests_main_chromeos.cc:13:7
    #28 0x7fa97722ef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287:0

SUMMARY: AddressSanitizer: heap-use-after-free (/w/chrome/src/out/asan/browser_tests+0x11c42535)
Shadow bytes around the buggy address:
  0x0c2280045420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280045430: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c2280045440: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280045450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280045460: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2280045470: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c2280045480: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2280045490: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c22800454a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c22800454b0: 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22800454c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==51846==ABORTING

Peng, can you take a look or find the right owner?
Dec 4 2017

Main problem with your proposal is that there is no such thing as a "root service" from the service manager's perspective and so there is no ordering it can reliably enforce. I also don't really understand how this isn't a UI service bug. It sounds like there are some incorrect assumptions being made about object lifetime. Can't we just fix those invalid assumptions?
Dec 4 2017

The implicit assumption in the code seems to be that DiscardableSharedMemoryManager outlives all instances of MojoDiscardableSharedMemoryManagerImpl (which is bound with a StrongBinding) it creates. This is not necessarily a valid assumption, since you can't guarantee the destruction order of the associated message-pipes.

Possible solutions:

- MojoDiscardableSharedMemoryManagerImpl retains a weak-ptr to the DiscardableSharedMemoryManager (instead of a raw pointer). So that it can be destroyed after DSMM.
- Instead of using a StrongBinding, DiscardableSharedMemoryManager can probably use a StrongBindingSet instead?
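The lifetime problem this comment describes, as an added example that is not Chromium code: a minimal model of the manager and its per-pipe impl, with both proposed fixes side by side. `Manager`, `WeakPtrImpl`, `OwningManager` and the scenario functions are hypothetical names; std::weak_ptr stands in for base::WeakPtr, and a vector of unique_ptr owned by the manager stands in for a StrongBindingSet.

```cpp
#include <cstddef>
#include <memory>
#include <unordered_map>
#include <utility>
#include <vector>

// Counts callbacks a WeakPtrImpl skipped because its Manager was already gone.
int g_skipped_callbacks = 0;

// Stand-in for DiscardableSharedMemoryManager: per-client state keyed by id.
class Manager {
 public:
  void ClientAdded(int id) { clients_[id] = 0; }
  // The read in the ASAN report is this map lookup, reached through a pointer
  // to a Manager that ui::Service had already deleted.
  void ClientRemoved(int id) { clients_.erase(id); }
  std::size_t client_count() const { return clients_.size(); }
 private:
  std::unordered_map<int, int> clients_;
};

// Pre-fix shape (not constructed here): the per-pipe impl held a raw Manager*
// and its destructor called manager_->ClientRemoved(id_) unconditionally. The
// order in which two unrelated message pipes break then decides whether that
// pointer is still valid, which is the assumption the thread calls invalid.

// (A) Weak reference (std::weak_ptr standing in for base::WeakPtr): the impl
// checks liveness and skips the callback once the Manager is gone.
class WeakPtrImpl {
 public:
  WeakPtrImpl(std::weak_ptr<Manager> manager, int id)
      : manager_(std::move(manager)), id_(id) {
    if (auto m = manager_.lock()) m->ClientAdded(id_);
  }
  ~WeakPtrImpl() {
    if (auto m = manager_.lock())
      m->ClientRemoved(id_);
    else
      ++g_skipped_callbacks;  // Manager already destroyed: nothing to unregister
  }
 private:
  std::weak_ptr<Manager> manager_;
  int id_;
};

// (B) Ownership (the role a StrongBindingSet plays): the Manager owns its
// bindings, so no impl can outlive it. A broken pipe erases only that binding;
// Manager teardown erases the rest while the Manager is still valid.
class OwningManager {
 public:
  class BoundImpl {
   public:
    BoundImpl(OwningManager* owner, int id) : owner_(owner), id_(id) {
      owner_->manager_.ClientAdded(id_);
    }
    ~BoundImpl() { owner_->manager_.ClientRemoved(id_); }  // owner_ is always alive
    int id() const { return id_; }
   private:
    OwningManager* owner_;
    int id_;
  };

  ~OwningManager() { bindings_.clear(); }  // bindings go first, manager_ after
  void Bind(int id) { bindings_.push_back(std::make_unique<BoundImpl>(this, id)); }
  void OnConnectionError(int id) {  // what StrongBinding::OnConnectionError does
    for (auto it = bindings_.begin(); it != bindings_.end(); ++it) {
      if ((*it)->id() == id) { bindings_.erase(it); return; }
    }
  }
  std::size_t client_count() const { return manager_.client_count(); }
  std::size_t binding_count() const { return bindings_.size(); }
 private:
  Manager manager_;  // declared first, so it is destroyed after bindings_
  std::vector<std::unique_ptr<BoundImpl>> bindings_;
};

// Scenario 1: the crash ordering, Manager destroyed before the pipe-owned impl.
// Returns how many callbacks the impl skipped (1 means it saw the dead Manager).
int WeakImplAfterManagerDeath() {
  int before = g_skipped_callbacks;
  auto manager = std::make_shared<Manager>();
  auto impl = std::make_unique<WeakPtrImpl>(manager, 7);
  manager.reset();  // Manager freed; every weak_ptr to it is now expired
  impl.reset();     // ~WeakPtrImpl: lock() fails, no freed memory is touched
  return g_skipped_callbacks - before;
}

// Scenario 2: two bindings, one pipe breaks, then the OwningManager goes out of
// scope with a binding still open. Returns {clients, bindings} after the error.
std::pair<std::size_t, std::size_t> OwningManagerAfterError() {
  OwningManager om;
  om.Bind(1);
  om.Bind(2);
  om.OnConnectionError(1);
  return {om.client_count(), om.binding_count()};
}  // ~OwningManager unregisters client 2 against a live Manager
```

Run either scenario under ASAN to confirm that neither ordering touches freed memory; the pre-fix raw-pointer shape would report the same heap-use-after-free as the issue description under Scenario 1's ordering.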
Dec 4 2017

I see. I will fix it in DiscardableSharedMemoryManager.
Dec 6 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9cd323ccbf2d1758be966a03e6d86bea46bc9b8d

commit 9cd323ccbf2d1758be966a03e6d86bea46bc9b8d
Author: Peng Huang <penghuang@chromium.org>
Date: Wed Dec 06 03:48:33 2017

discardable_memory: fix a use-after-free issue in asan build during shutdown

And this CL also fixes an issue to make sure ppapi plugin will request the discardable memory interface from ui service instead of browser when the browser is launched with --mus flag.

Bug: 791119
Change-Id: I1ce2b256c2280fe02c364aff8d199ab4c43618f0
Reviewed-on: https://chromium-review.googlesource.com/806482
Reviewed-by: David Reveman <reveman@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Reviewed-by: Ken Rockot <rockot@chromium.org>
Commit-Queue: Peng Huang <penghuang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521991}

[modify] https://crrev.com/9cd323ccbf2d1758be966a03e6d86bea46bc9b8d/components/discardable_memory/service/discardable_shared_memory_manager.cc
[modify] https://crrev.com/9cd323ccbf2d1758be966a03e6d86bea46bc9b8d/components/discardable_memory/service/discardable_shared_memory_manager.h
[modify] https://crrev.com/9cd323ccbf2d1758be966a03e6d86bea46bc9b8d/content/browser/ppapi_plugin_process_host.cc
[modify] https://crrev.com/9cd323ccbf2d1758be966a03e6d86bea46bc9b8d/content/browser/service_manager/common_browser_interfaces.cc
Comment 1 by penghuang@chromium.org, Dec 4 2017
Owner: roc...@chromium.org

The problem is that in the asan build the ui::Service is destroyed before other services in the ui process when message pipes are broken due to shutdown (see call stack 1). The ui::Service is the root service which creates other services. I feel mojo should control the destruction order for all services and make sure to destroy the root service after all other services. Otherwise, we need to trace all created services in ui::Service and destroy all services in the dtor of ui::Service(). rockot@ any suggestion? Do you think we should fix it in mojo or by tracing all created services in ui::Service?

============== call stack 1 ==========================
EEE DiscardableSharedMemoryManager::~DiscardableSharedMemoryManager thread=140190374885632
    #0 0x000000ae7bb1 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3754:13
    #1 0x7f80d51b170c in base::debug::StackTrace::StackTrace(unsigned long) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/debug/stack_trace_posix.cc:801:41
    #2 0x7f80a58150e4 in discardable_memory::DiscardableSharedMemoryManager::~DiscardableSharedMemoryManager() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../components/discardable_memory/service/discardable_shared_memory_manager.cc:234:3
    #3 0x7f80a581545e in discardable_memory::DiscardableSharedMemoryManager::~DiscardableSharedMemoryManager() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../components/discardable_memory/service/discardable_shared_memory_manager.cc:232:67
    #4 0x0000075f04a6 in operator() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2233:5
    #5 0x0000075f04a6 in reset /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2546:0
    #6 0x0000075f04a6 in ~unique_ptr /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2500:0
    #7 0x0000075f04a6 in ui::Service::~Service() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../services/ui/service.cc:171:0
    #8 0x0000075f0a4e in ui::Service::~Service() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../services/ui/service.cc:152:21
    #9 0x7f80d5742c93 in operator() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2233:5
    #10 0x7f80d5742c93 in reset /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2546:0
    #11 0x7f80d5742c93 in ~unique_ptr /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2500:0
    #12 0x7f80d5742c93 in service_manager::ServiceContext::~ServiceContext() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../services/service_manager/public/cpp/service_context.cc:91:0
    #13 0x7f80d5742d1e in service_manager::ServiceContext::~ServiceContext() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../services/service_manager/public/cpp/service_context.cc:91:35
    #14 0x7f80c06af851 in operator() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2233:5
    #15 0x7f80c06af851 in reset /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2546:0
    #16 0x7f80c06af851 in ~unique_ptr /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2500:0
    #17 0x7f80c06af851 in ~pair /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/utility:312:0
    #18 0x7f80c06af851 in __destroy<std::__1::pair<service_manager::ServiceContext *const, std::__1::unique_ptr<service_manager::ServiceContext, std::__1::default_delete<service_manager::ServiceContext> > > > /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:1687:0
    #19 0x7f80c06af851 in destroy<std::__1::pair<service_manager::ServiceContext *const, std::__1::unique_ptr<service_manager::ServiceContext, std::__1::default_delete<service_manager::ServiceContext> > > > /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:1550:0
    #20 0x7f80c06af851 in erase /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/__tree:2368:0
    #21 0x7f80c06af851 in erase /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/map:1194:0
    #22 0x7f80c06af851 in service_manager::EmbeddedInstanceManager::OnInstanceLost(int) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../services/service_manager/embedder/embedded_instance_manager.cc:98:0
    #23 0x7f80c06b59fc in Invoke<const scoped_refptr<service_manager::EmbeddedInstanceManager> &, const int &> /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:194:12
    #24 0x7f80c06b59fc in MakeItSo<void (service_manager::EmbeddedInstanceManager::*const &)(int), const scoped_refptr<service_manager::EmbeddedInstanceManager> &, const int &> /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:277:0
    #25 0x7f80c06b59fc in RunImpl<void (service_manager::EmbeddedInstanceManager::*const &)(int), const std::__1::tuple<scoped_refptr<service_manager::EmbeddedInstanceManager>, int> &, 0, 1> /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:351:0
    #26 0x7f80c06b59fc in base::internal::Invoker<base::internal::BindState<void (service_manager::EmbeddedInstanceManager::*)(int), scoped_refptr<service_manager::EmbeddedInstanceManager>, int>, void ()>::Run(base::internal::BindStateBase*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:333:0
    #27 0x7f80d57432c4 in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:105:12
    #28 0x7f80d57432c4 in service_manager::ServiceContext::QuitNow() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../services/service_manager/public/cpp/service_context.cc:113:0
    #29 0x7f80ccc9cd1a in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:65:12
    #30 0x7f80ccc9cd1a in mojo::InterfaceEndpointClient::NotifyError(base::Optional<mojo::DisconnectReason> const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:325:0
    #31 0x7f80cccc498f in mojo::internal::MultiplexRouter::ProcessNotifyErrorTask(mojo::internal::MultiplexRouter::Task*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:800:13
    #32 0x7f80cccbba91 in mojo::internal::MultiplexRouter::ProcessTasks(mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:713:15
    #33 0x7f80cccb694e in mojo::internal::MultiplexRouter::OnPipeConnectionError() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:682:3
    #34 0x7f80ccc82d4f in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:65:12
    #35 0x7f80ccc82d4f in mojo::Connector::HandleError(bool, bool) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/connector.cc:534:0
    #36 0x7f80ccc86159 in mojo::Connector::OnHandleReadyInternal(unsigned int) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/connector.cc:370:5
    #37 0x7f80ccc87bf0 in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:94:12
    #38 0x7f80ccc87bf0 in mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/system/simple_watcher.h:194:0
    #39 0x7f80ccbf2860 in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:94:12
    #40 0x7f80ccbf2860 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/system/simple_watcher.cc:276:0
    #41 0x7f80ccbf3a85 in Invoke<const base::WeakPtr<mojo::SimpleWatcher> &, const int &, const unsigned int &, const mojo::HandleSignalsState &> /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:194:12
    #42 0x7f80ccbf3a85 in MakeItSo<void (mojo::SimpleWatcher::*const &)(int, unsigned int, const mojo::HandleSignalsState &), const base::WeakPtr<mojo::SimpleWatcher> &, const int &, const unsigned int &, const mojo::HandleSignalsState &> /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:297:0
    #43 0x7f80ccbf3a85 in void base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0ul, 1ul, 2ul, 3ul>(void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:351:0
    #44 0x7f80d51b394f in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:65:12
    #45 0x7f80d51b394f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/debug/task_annotator.cc:55:0
    #46 0x7f80d525a8ff in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/incoming_task_queue.cc:128:19
    #47 0x7f80d52682ad in base::MessageLoop::RunTask(base::PendingTask*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_loop.cc:391:25
    #48 0x7f80d52694cd in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_loop.cc:403:5
    #49 0x7f80d5269e24 in base::MessageLoop::DoWork() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_loop.cc:447:16
    #50 0x7f80d52740c1 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_pump_libevent.cc:220:31
    #51 0x7f80d5266c44 in base::MessageLoop::Run(bool) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_loop.cc:342:12
    #52 0x7f80d53290e1 in base::RunLoop::Run() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/run_loop.cc:114:14
    #53 0x7f80c945ef56 in content::UtilityMain(content::MainFunctionParams const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/utility/utility_main.cc:103:19
    #54 0x7f80c94a260b in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/app/content_main_runner.cc:427:14
    #55 0x7f80c94a4857 in content::ContentMainRunnerImpl::Run() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/app/content_main_runner.cc:705:12
    #56 0x7f80c06bb8d5 in service_manager::Main(service_manager::MainParams const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../services/service_manager/embedder/main.cc:456:29
    #57 0x7f80c94a09b4 in content::ContentMain(content::ContentMainParams const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/app/content_main.cc:19:10
    #58 0x000008f62e91 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/public/test/test_launcher.cc:621:12
    #59 0x0000079e27cc in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../chrome/test/base/chrome_test_launcher.cc:169:10
    #60 0x0000079e1142 in RunMashBrowserTests(int, char**, int*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../chrome/test/base/mash_browser_tests_main.cc:85:7
    #61 0x0000079e0e0f in main /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../chrome/test/base/browser_tests_main_chromeos.cc:13:7
    #62 0x7f80a1b8a2b1 in __libc_start_main ??:0:0
    #63 0x000000a9c06a in _start ??:0:0

================= call stack 2 for destroying MojoDiscardableSharedMemoryManagerImpl ============
EEE DiscardableSharedMemoryManager::ClientRemoved thread=140190374885632
[39680:39680:1204/102629.437252:FATAL:lock_impl_posix.cc(74)] Check failed: rv == 0 (22 vs. 0). Invalid argument
    #0 0x000000ae7bb1 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3754:13
    #1 0x7f80d51b170c in base::debug::StackTrace::StackTrace(unsigned long) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/debug/stack_trace_posix.cc:801:41
    #2 0x7f80d5235451 in logging::LogMessage::~LogMessage() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/logging.cc:581:29
    #3 0x7f80d537e559 in base::internal::LockImpl::Lock() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/synchronization/lock_impl_posix.cc:74:3
    #4 0x7f80a5817d46 in Acquire /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/synchronization/lock.h:45:11
    #5 0x7f80a5817d46 in AutoLock /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/synchronization/lock.h:115:0
    #6 0x7f80a5817d46 in discardable_memory::DiscardableSharedMemoryManager::ClientRemoved(int) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../components/discardable_memory/service/discardable_shared_memory_manager.cc:336:0
    #7 0x7f80a5820a68 in ~MojoDiscardableSharedMemoryManagerImpl /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../components/discardable_memory/service/discardable_shared_memory_manager.cc:63:15
    #8 0x7f80a5820a68 in discardable_memory::(anonymous namespace)::MojoDiscardableSharedMemoryManagerImpl::~MojoDiscardableSharedMemoryManagerImpl() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../components/discardable_memory/service/discardable_shared_memory_manager.cc:60:0
    #9 0x7f80a5822bea in operator() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2233:5
    #10 0x7f80a5822bea in reset
/usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2546:0 #11 0x7f80a5822bea in ~unique_ptr /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../buildtools/third_party/libc++/trunk/include/memory:2500:0 #12 0x7f80a5822bea in ~StrongBinding /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/strong_binding.h:111:0 #13 0x7f80a5822bea in mojo::StrongBinding<discardable_memory::mojom::DiscardableSharedMemoryManager>::Close() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/strong_binding.h:91:0 #14 0x7f80a5821e50 in mojo::StrongBinding<discardable_memory::mojom::DiscardableSharedMemoryManager>::OnConnectionError(unsigned int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/strong_binding.h:121:5 #15 0x7f80ccc9cf29 in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:65:12 #16 0x7f80ccc9cf29 in mojo::InterfaceEndpointClient::NotifyError(base::Optional<mojo::DisconnectReason> const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:331:0 #17 0x7f80cccc494f in mojo::internal::MultiplexRouter::ProcessNotifyErrorTask(mojo::internal::MultiplexRouter::Task*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:800:13 #18 0x7f80cccbba91 in mojo::internal::MultiplexRouter::ProcessTasks(mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:713:15 #19 0x7f80cccb694e in 
mojo::internal::MultiplexRouter::OnPipeConnectionError() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:682:3 #20 0x7f80ccc82d4f in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:65:12 #21 0x7f80ccc82d4f in mojo::Connector::HandleError(bool, bool) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/connector.cc:534:0 #22 0x7f80ccc86159 in mojo::Connector::OnHandleReadyInternal(unsigned int) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/bindings/lib/connector.cc:370:5 #23 0x7f80ccc87bf0 in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:94:12 #24 0x7f80ccc87bf0 in mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/system/simple_watcher.h:194:0 #25 0x7f80ccbf2860 in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:94:12 #26 0x7f80ccbf2860 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../mojo/public/cpp/system/simple_watcher.cc:276:0 #27 0x7f80ccbf3a85 in Invoke<const base::WeakPtr<mojo::SimpleWatcher> &, const int &, const unsigned int &, const mojo::HandleSignalsState &> /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:194:12 #28 0x7f80ccbf3a85 in MakeItSo<void (mojo::SimpleWatcher::*const &)(int, unsigned int, const mojo::HandleSignalsState &), const base::WeakPtr<mojo::SimpleWatcher> &, const int &, const unsigned int &, const mojo::HandleSignalsState &> /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:297:0 #29 0x7f80ccbf3a85 in void 
base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0ul, 1ul, 2ul, 3ul>(void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/bind_internal.h:351:0 #30 0x7f80d51b394f in Run /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/callback.h:65:12 #31 0x7f80d51b394f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/debug/task_annotator.cc:55:0 #32 0x7f80d525a8ff in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/incoming_task_queue.cc:128:19 #33 0x7f80d52682ad in base::MessageLoop::RunTask(base::PendingTask*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_loop.cc:391:25 #34 0x7f80d52694cd in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_loop.cc:403:5 #35 0x7f80d5269e24 in base::MessageLoop::DoWork() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_loop.cc:447:16 #36 0x7f80d52740c1 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) 
/usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_pump_libevent.cc:220:31 #37 0x7f80d5266c44 in base::MessageLoop::Run(bool) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/message_loop/message_loop.cc:342:12 #38 0x7f80d53290e1 in base::RunLoop::Run() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../base/run_loop.cc:114:14 #39 0x7f80c945ef56 in content::UtilityMain(content::MainFunctionParams const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/utility/utility_main.cc:103:19 #40 0x7f80c94a260b in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/app/content_main_runner.cc:427:14 #41 0x7f80c94a4857 in content::ContentMainRunnerImpl::Run() /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/app/content_main_runner.cc:705:12 #42 0x7f80c06bb8d5 in service_manager::Main(service_manager::MainParams const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../services/service_manager/embedder/main.cc:456:29 #43 0x7f80c94a09b4 in content::ContentMain(content::ContentMainParams const&) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/app/content_main.cc:19:10 #44 0x000008f62e91 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../content/public/test/test_launcher.cc:621:12 #45 0x0000079e27cc in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../chrome/test/base/chrome_test_launcher.cc:169:10 #46 0x0000079e1142 in RunMashBrowserTests(int, char**, int*) 
/usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../chrome/test/base/mash_browser_tests_main.cc:85:7 #47 0x0000079e0e0f in main /usr/local/google/home/penghuang/sources/chromium/src/out/mus/../../chrome/test/base/browser_tests_main_chromeos.cc:13:7 #48 0x7f80a1b8a2b1 in __libc_start_main ??:0:0 #49 0x000000a9c06a in _start ??:0:0