New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 884034 link

Starred by 2 users
Status: Verified
Owner:
jmgao@google.com
Last visit 26 days ago
Closed: Oct 4
Cc:
torne@chromium.org
agrieve@chromium.org
peria@chromium.org
dcheng@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Premature file descriptor close in gin::V8Initializer

Project Member Reported by jmgao@google.com, Sep 14 
fdsan (see go/fdsan,  http://crbug.com/882733 ) noticed some weirdness with the file descriptor ownership management in content/app/content_main_runner_impl.cc.

LoadV8SnapshotFile and LoadV8NativesFile are calling the gin::V8Initializer::LoadV8{Snapshot,Natives}FromFD functions with file descriptors that are owned by ScopedFDs that will get destructed at the end of the functions: https://cs.chromium.org/chromium/src/content/app/content_main_runner_impl.cc?l=197

However, it looks like those functions expect to take ownership of the file descriptors. They're both storing the file descriptor into a map (which has a comment saying the file descriptors are never closed) that caches the file descriptors for a later mmap: https://cs.chromium.org/chromium/src/gin/v8_initializer.cc?g=0&l=357

If I'm reading the code correctly, this results in subsequent mappings of files with those names to attempt to mmap whatever file descriptor showed up in that value, which is probably not desired. This might be the root cause of https://bugs.chromium.org/p/chromium/issues/detail?id=852151


*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Android/aosp_walleye/walleye:Q/PI/jmgao09071140:userdebug/test-keys'
Revision: 'EVT2'
ABI: 'arm'
pid: 24767, tid: 24822, name: ChildProcessMai  >>> org.chromium.chrome:sandboxed_process0 <<<
signal 35 (<debuggerd signal>), code -1 (SI_QUEUE), fault addr --------
Abort message: 'failed to exchange ownership of file descriptor: fd 58 is owned by native object of unknown type 0xd789f75c, was expected to be unowned'
    r0  00000000  r1  000060f6  r2  00000023  r3  d789f388
    r4  000060bf  r5  d789f39c  r6  f4438d60  r7  0000016b
    r8  d789f180  r9  00000014  r10 000060f6  r11 00000000
    ip  d789f388  sp  d789f178  lr  f4396cbb  pc  f4396cce

backtrace:
    #00 pc 00006cce  /system/lib/libc.so (fdsan_error(char const*, ...)+262)
    #01 pc 0000707d  /system/lib/libc.so (android_fdsan_exchange_owner_tag+716)
    #02 pc 000d454f  /data/app/org.chromium.chrome-a61IH31DbYCzdDSw7GPA7A==/lib/arm/libbase.cr.so (offset 0xc2000) (base::internal::ScopedFDCloseTraits::Acquire(base::ScopedGeneric<int, base::internal::ScopedFDCloseTraits>&, int)+22)
    #03 pc 000cf499  /data/app/org.chromium.chrome-a61IH31DbYCzdDSw7GPA7A==/lib/arm/libbase.cr.so (offset 0xc2000)
    #04 pc 000cf441  /data/app/org.chromium.chrome-a61IH31DbYCzdDSw7GPA7A==/lib/arm/libbase.cr.so (offset 0xc2000) (base::File::File(int, bool)+12)
    #05 pc 00012643  /data/app/org.chromium.chrome-a61IH31DbYCzdDSw7GPA7A==/lib/arm/libgin.cr.so (offset 0xe000)
    #06 pc 00012573  /data/app/org.chromium.chrome-a61IH31DbYCzdDSw7GPA7A==/lib/arm/libgin.cr.so (offset 0xe000) (gin::V8Initializer::LoadV8SnapshotFromFD(int, long long, long long, gin::V8Initializer::V8SnapshotFileType)+74)
    #07 pc 00fdb73b  /data/app/org.chromium.chrome-a61IH31DbYCzdDSw7GPA7A==/lib/arm/libcontent.cr.so (offset 0x846000)
    #08 pc 0000f72f  /data/app/org.chromium.chrome-a61IH31DbYCzdDSw7GPA7A==/lib/arm/libembedder.cr.so (offset 0xd000) (service_manager::Main(service_manager::MainParams const&)+286)
    #09 pc 00fdb20d  /data/app/org.chromium.chrome-a61IH31DbYCzdDSw7GPA7A==/lib/arm/libcontent.cr.so (offset 0x846000) (Java_org_chromium_content_app_ContentMain_nativeStart+184)

Comment 1 by rajukulkarni@google.com, Sep 26 

Any updates on this?

Comment 2 by jmgao@google.com, Sep 27

Owner: jmgao@google.com
Project Member

Comment 3 by bugdroid1@chromium.org, Oct 4 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/79f75279db408effb07bfe44145012b8bf0091c2

commit 79f75279db408effb07bfe44145012b8bf0091c2
Author: Josh Gao <jmgao@google.com>
Date: Thu Oct 04 18:37:45 2018

Fix fd ownership mismanagement in V8 initialization.

gin::V8Initializer::LoadV8SnapshotFromFD and LoadV8NativesFromFD were
accepting a base::PlatformFile owned by a File and then passing it into
MemoryMappedFile::Initialize, which constructs another owning base::File
from the PlatformFile.

Refactor the functions to take base::File instead, and delete some code
that was maintaining a cache that only ever missed.

Bug:  884034 
Change-Id: I2758bc45de63ee4d34dcd5a4b806f1806e25e4f8
Reviewed-on: https://chromium-review.googlesource.com/c/1247322
Commit-Queue: Josh Gao <jmgao@google.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#596775}
[modify] https://crrev.com/79f75279db408effb07bfe44145012b8bf0091c2/content/app/content_main_runner_impl.cc
[modify] https://crrev.com/79f75279db408effb07bfe44145012b8bf0091c2/gin/v8_initializer.cc
[modify] https://crrev.com/79f75279db408effb07bfe44145012b8bf0091c2/gin/v8_initializer.h

Comment 4 by jmgao@google.com, Oct 4

Status: Verified (was: Untriaged)

Sign in to add a comment