Issue 845709

Issue metadata

Status: Fixed
Closed: May 2018
Pri: 3
Type: Bug



SIGSEGV in mojo::edk::NodeController::OnAcceptBrokerClient

Project Member Reported by lhchavez@chromium.org, May 22 2018

Issue description

This is the crbug version of b/62219143.

Thread 0 CRASHED [SIGSEGV @ 0x00000000 ]
0xf67a0180      (libmojo.so -unordered_map:1142 )       mojo::edk::NodeController::OnAcceptBrokerClient(mojo::edk::ports::NodeName const&, mojo::edk::ports::NodeName const&, mojo::edk::ScopedPlatformHandle)
0xf67a0381      (libmojo.so -node_controller.cc:943 )   non-virtual thunk to mojo::edk::NodeController::OnAcceptBrokerClient(mojo::edk::ports::NodeName const&, mojo::edk::ports::NodeName const&, mojo::edk::ScopedPlatformHandle)
0xf679abf0      (libmojo.so -node_channel.cc:587 )      mojo::edk::NodeChannel::OnChannelMessage(void const*, unsigned int, std::__1::unique_ptr<std::__1::vector<mojo::edk::PlatformHandle, std::__1::allocator<mojo::edk::PlatformHandle> >, mojo::edk::PlatformHandleVectorDeleter>)
0xf678913f      (libmojo.so -channel.cc:563 )   mojo::edk::Channel::OnReadComplete(unsigned int, unsigned int*)
0xf678a6e4      (libmojo.so -channel_posix.cc:288 )     mojo::edk::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int)
0xf678a8aa      (libmojo.so -channel_posix.cc:266 )     non-virtual thunk to mojo::edk::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int)
0xf6668682      (libchrome.so -message_pump_libevent.cc:97 )    base::MessagePumpLibevent::OnLibeventNotification(int, short, void*)
0xf6557b9f      (libevent.so -event.c:1319 )    event_base_loop
0xf6668a19      (libchrome.so -message_pump_libevent.cc:246 )   base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0xf6665840      (libchrome.so -message_loop.cc:457 )    base::MessageLoop::RunHandler()
0xf6687155      (libchrome.so -run_loop.cc:35 ) base::RunLoop::Run()
0xf66aee34      (libchrome.so -thread.cc:204 )  base::Thread::Run(base::MessageLoop*)
0xf66aefbc      (libchrome.so -thread.cc:254 )  base::Thread::ThreadMain()
0xf66a7b5c      (libchrome.so -platform_thread_posix.cc:70 )    base::(anonymous namespace)::ThreadFunc(void*)
0xf62249e2      (libc.so -pthread_create.cpp:198 )      __pthread_start(void*)
0xf61ce73e      (libc.so -clone.cpp:41 )        __start_thread
0xf61cc3f6      (libc.so + 0x0002d3f6 ) __bionic_clone

What happens is that NodeController::pending_broker_clients_ and NodeController::pending_invitations_ are diverging, so the DCHECK in mojo::edk::NodeController::OnAcceptBrokerClient:932 is firing. Or would fire if we weren't building in Release mode, so clang is free to leverage undefined behavior and crash in mysterious and confusing ways.
 
Comment 1 by bugdroid1@chromium.org, May 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/30a0b449c8f7036c300d808db96b391220b7698f

commit 30a0b449c8f7036c300d808db96b391220b7698f
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Wed May 23 00:39:19 2018

[mojo]: Avoid a crash when NodeController pending invitations diverge

This change avoids a crash when NodeController::pending_broker_clients_
and NodeController::pending_invitations_ diverge. This might happen with
complex enough node topologies, where there is a node that proxies
invitations to a set of other nodes.

BUG= 845709 

Change-Id: Ia678f464fafb69628600ec00dac19da3b6868fe0
Reviewed-on: https://chromium-review.googlesource.com/1069728
Reviewed-by: Ken Rockot <rockot@chromium.org>
Commit-Queue: Luis Hector Chavez <lhchavez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#560857}
[modify] https://crrev.com/30a0b449c8f7036c300d808db96b391220b7698f/mojo/edk/system/node_controller.cc

Status: Fixed (was: Started)
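
The failure mode described in this issue, as an added example that is not Chromium's code and not the change from the referenced commit: a lookup guarded only by a debug assertion next to one guarded by a runtime check. `Controller`, `Channel`, the method names and the container element types are hypothetical; only the two member names come from the report.

```cpp
#include <cassert>
#include <string>
#include <unordered_map>
#include <unordered_set>

// Simplified stand-ins for the two containers named in the report. The
// element types and Channel are assumptions, not the Mojo EDK's definitions.
struct Channel { int fd; };

class Controller {
 public:
  void AddInvitation(const std::string& name, int fd) {
    pending_invitations_[name] = Channel{fd};
  }
  void AddBrokerClient(const std::string& name) {
    pending_broker_clients_.insert(name);
  }

  // Debug-only guard: under NDEBUG the assert disappears, so when the key is
  // missing `it` equals end() and `it->second` is undefined behavior.
  int AcceptDebugOnly(const std::string& name) {
    auto it = pending_invitations_.find(name);
    assert(it != pending_invitations_.end());
    int fd = it->second.fd;
    pending_invitations_.erase(it);
    return fd;
  }

  // Runtime guard: the lookup result is tested in every build type, and a
  // diverged entry is dropped instead of dereferenced.
  bool AcceptChecked(const std::string& name, int* fd_out) {
    pending_broker_clients_.erase(name);
    auto it = pending_invitations_.find(name);
    if (it == pending_invitations_.end()) return false;
    *fd_out = it->second.fd;
    pending_invitations_.erase(it);
    return true;
  }

  // True when every pending broker client still has a pending invitation.
  bool Consistent() const {
    for (const auto& name : pending_broker_clients_)
      if (pending_invitations_.count(name) == 0) return false;
    return true;
  }

 private:
  std::unordered_map<std::string, Channel> pending_invitations_;
  std::unordered_set<std::string> pending_broker_clients_;
};
```

`Consistent()` is the kind of invariant check that can be logged or counted in production builds, so divergence is visible without relying on a crash report.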
