AudioPlayerBrowserTest.ChangeTracks CRASH PASS flake |
|||||||||||
Issue descriptionAudioPlayerBrowserTest.ChangeTracks is started to show crash pass flake again.
,
Oct 19
OpenAudioFiles/FilesAppBrowserTest.Test/audioAutoAdvanceDrive also. https://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=ioFiles%2FFilesAppBrowserTest.Test%2FaudioAutoAdvanceDrive
,
Oct 21
This doesn't seem to be an issue in the client side, it seems to be an issue when shutting down the renderer, more specifically with audio-related Mojo. Sample logs I collected from this stdout browser_tests run: https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/linux-chromeos-rel/14926 [ RUN ] AudioPlayerBrowserTest.ChangeTracks [8320:8320:1019/150313.985647:ERROR:external_web_apps.cc(176)] Determining directory [8320:8320:1019/150313.985685:ERROR:external_web_apps.cc(207)] Scanning /usr/share/chromium/extensions/web_apps [8320:8320:1019/150313.988390:INFO:easy_unlock_service_regular.cc(163)] DeviceSyncClient is not ready yet, delaying UseLoadedRemoteDevices(). [8320:8320:1019/150314.046606:ERROR:external_web_apps.cc(176)] Determining directory [8320:8320:1019/150314.046629:ERROR:external_web_apps.cc(207)] Scanning [8320:8320:1019/150314.070889:WARNING:wallpaper_controller_client.cc(358)] Cannot get wallpaper files id in RemovePolicyWallpaper. This should never happen under normal circumstances. [8320:8320:1019/150314.183663:INFO:secure_channel_service.cc(25)] SecureChannelService::OnStart() [8320:8320:1019/150314.183693:INFO:secure_channel_initializer.cc(64)] SecureChannelInitializer::SecureChannelInitializer(): Fetching Bluetooth adapter. All requests received before the adapter is fetched will be queued. [8320:8320:1019/150314.183731:INFO:secure_channel_service.cc(38)] SecureChannelService::OnBindInterface() for interface chromeos.secure_channel.mojom.SecureChannel. [8320:8320:1019/150314.183804:INFO:device_sync_service.cc(30)] DeviceSyncService::OnStart() [8320:8320:1019/150314.183835:INFO:device_sync_service.cc(46)] DeviceSyncService::OnBindInterface() from interface chromeos.device_sync.mojom.DeviceSync. [8320:8320:1019/150314.183914:INFO:multidevice_setup_service.cc(62)] MultiDeviceSetupService::OnStart() [8320:8320:1019/150314.183936:INFO:multidevice_setup_service.cc(75)] MultiDeviceSetupService::OnBindInterface() from interface chromeos.multidevice_setup.mojom.MultiDeviceSetup. [8320:8320:1019/150314.189870:INFO:secure_channel_initializer.cc(119)] SecureChannelInitializer::OnBluetoothAdapterReceived(): Bluetooth adapter has been fetched. Passing all queued requests to the service. [8320:8320:1019/150314.190506:ERROR:gpu_interface_provider.cc(87)] Not implemented reached in virtual void content::GpuInterfaceProvider::RegisterOzoneGpuInterfaces(service_manager::BinderRegistry *) [8320:8320:1019/150314.203836:INFO:multidevice_setup_service.cc(75)] MultiDeviceSetupService::OnBindInterface() from interface chromeos.multidevice_setup.mojom.MultiDeviceSetup. [8320:8320:1019/150314.243235:INFO:file_manager_browsertest_base.cc(1160)] FileManagerBrowserTest::StartTest changeTracks [8320:8320:1019/150314.654058:INFO:CONSOLE(720)] "Cache database creating or upgrading.", source: chrome-extension://pmfjbimdmchhbnneeidfognadeopoehp/background_scripts.js (720) [8320:8320:1019/150314.675539:INFO:CONSOLE(4843)] "Waiting for the result of getFilesUnderVolume", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (4843) [8320:8320:1019/150314.676706:INFO:CONSOLE(5489)] "Requesting volume list.", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5489) [8320:8320:1019/150314.677303:INFO:CONSOLE(5491)] "Volume list fetched with: 3 items.", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5491) [8320:8320:1019/150314.677583:INFO:CONSOLE(5501)] "Initializing volume: android_files:AndroidFiles", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5501) [8320:8320:1019/150314.678057:INFO:CONSOLE(5955)] "Requesting file system: android_files android_files:AndroidFiles", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5955) [8320:8320:1019/150314.680300:INFO:CONSOLE(5501)] "Initializing volume: downloads:Downloads", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5501) [8320:8320:1019/150314.680346:INFO:CONSOLE(5955)] "Requesting file system: downloads downloads:Downloads", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5955) [8320:8320:1019/150314.680550:INFO:CONSOLE(5501)] "Initializing volume: drive:v2", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5501) [8320:8320:1019/150314.680734:INFO:CONSOLE(5955)] "Requesting file system: drive drive:v2", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5955) [8320:8320:1019/150314.684458:INFO:CONSOLE(6005)] "File system obtained: android_files:AndroidFiles", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (6005) [8320:8320:1019/150314.685237:INFO:CONSOLE(5505)] "Initialized volume: android_files:AndroidFiles", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5505) [8320:8320:1019/150314.685460:INFO:CONSOLE(6005)] "File system obtained: downloads:Downloads", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (6005) [8320:8320:1019/150314.685873:INFO:CONSOLE(5505)] "Initialized volume: downloads:Downloads", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5505) [8320:8320:1019/150314.686070:INFO:CONSOLE(6005)] "File system obtained: drive:v2", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (6005) [8320:8320:1019/150314.687300:INFO:CONSOLE(5505)] "Initialized volume: drive:v2", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5505) [8320:8320:1019/150314.687390:INFO:CONSOLE(5509)] "Initialized all volumes.", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5509) [8320:8320:1019/150314.688455:INFO:CONSOLE(4840)] "Received the result of getFilesUnderVolume", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (4840) [8320:8320:1019/150314.689988:INFO:CONSOLE(4843)] "Waiting for the result of openAudioPlayer", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (4843) [8320:8320:1019/150314.731624:INFO:CONSOLE(5489)] "Requesting volume list.", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5489) [8320:8320:1019/150314.735294:INFO:CONSOLE(5491)] "Volume list fetched with: 3 items.", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5491) [8320:8320:1019/150314.735589:INFO:CONSOLE(5501)] "Initializing volume: android_files:AndroidFiles", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5501) [8320:8320:1019/150314.735843:INFO:CONSOLE(5955)] "Requesting file system: android_files android_files:AndroidFiles", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5955) [8320:8320:1019/150314.738285:INFO:CONSOLE(5501)] "Initializing volume: downloads:Downloads", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5501) [8320:8320:1019/150314.738309:INFO:CONSOLE(5955)] "Requesting file system: downloads downloads:Downloads", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5955) [8320:8320:1019/150314.738383:INFO:CONSOLE(5501)] "Initializing volume: drive:v2", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5501) [8320:8320:1019/150314.738484:INFO:CONSOLE(5955)] "Requesting file system: drive drive:v2", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5955) [8320:8320:1019/150314.743062:INFO:CONSOLE(6005)] "File system obtained: android_files:AndroidFiles", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (6005) [8320:8320:1019/150314.744411:INFO:CONSOLE(5505)] "Initialized volume: android_files:AndroidFiles", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5505) [8320:8320:1019/150314.744665:INFO:CONSOLE(6005)] "File system obtained: downloads:Downloads", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (6005) [8320:8320:1019/150314.745060:INFO:CONSOLE(5505)] "Initialized volume: downloads:Downloads", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5505) [8320:8320:1019/150314.745431:INFO:CONSOLE(6005)] "File system obtained: drive:v2", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (6005) [8320:8320:1019/150314.745691:INFO:CONSOLE(5505)] "Initialized volume: drive:v2", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5505) [8320:8320:1019/150314.746466:INFO:CONSOLE(5509)] "Initialized all volumes.", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (5509) [8320:8320:1019/150314.749900:INFO:CONSOLE(4840)] "Received the result of openAudioPlayer", source: chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj/background/js/background_common_scripts.js (4840) [8320:8320:1019/150314.751077:INFO:CONSOLE(0)] "HTML Imports is deprecated and will be removed in M73, around March 2019. Please use ES modules instead. See https://www.chromestatus.com/features/5144752345317376 for more details.", source: (0) [8320:8320:1019/150314.818332:INFO:CONSOLE(442)] "document.registerElement is deprecated and will be removed in M73, around March 2019. Please use window.customElements.define instead. See https://www.chromestatus.com/features/4642138092470272 for more details.", source: chrome://resources/polymer/v1_0/polymer/polymer-micro-extracted.js (442) [8320:8320:1019/150314.943181:INFO:CONSOLE(2083)] "Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See https://www.chromestatus.com/features/4507242028072960 for more details.", source: chrome://resources/polymer/v1_0/polymer/polymer-mini-extracted.js (2083) [8320:8320:1019/150315.269609:INFO:CONSOLE(0)] "[SUCCESS] [changeTracks]", source: chrome-extension://ddabbgbggambiildohfagdkliahiecfl/_generated_background_page.html (0) BrowserTestBase received signal: Segmentation fault. Backtrace: #0 0x000004272e9f base::debug::StackTrace::StackTrace() #1 0x000004760035 content::(anonymous namespace)::DumpStackTraceSignalHandler() #2 0x7f8857638cb0 <unknown> #3 0x000002f46888 content::ForwardingAudioStreamFactory::Core::CreateOutputStream() #4 0x000002fd4e19 content::RenderFrameAudioOutputStreamFactory::Core::ProviderImpl::Acquire() #5 0x000002a6797e media::mojom::AudioOutputStreamProviderStubDispatch::Accept() #6 0x000004f0ac1b mojo::internal::MultiplexRouter::ProcessIncomingMessage() #7 0x000004f0a465 mojo::internal::MultiplexRouter::Accept() #8 0x000004f05891 mojo::Connector::ReadSingleMessage() #9 0x000004f05fd1 mojo::Connector::ReadAllAvailableMessages() #10 0x0000047d244a mojo::SimpleWatcher::OnHandleReady() #11 0x0000047d268a mojo::SimpleWatcher::Context::Notify() #12 0x0000047d1c90 mojo::SimpleWatcher::Context::CallNotify() #13 0x000002b88579 mojo::core::WatcherDispatcher::InvokeWatchCallback() #14 0x000002b87eec mojo::core::Watch::InvokeCallback() #15 0x000002b847ed mojo::core::RequestContext::~RequestContext() #16 0x000002b7c43e mojo::core::NodeChannel::OnChannelMessage() #17 0x000002b6f91d mojo::core::Channel::OnReadComplete() #18 0x000002b8c6bc mojo::core::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking() #19 0x0000042847a7 base::MessagePumpLibevent::OnLibeventNotification() #20 0x000004cda94d event_base_loop #21 0x000004284a6b base::MessagePumpLibevent::Run() #22 0x00000421d775 base::RunLoop::Run() #23 0x000002d46614 content::BrowserProcessSubThread::IOThreadRun() #24 0x00000424f786 base::Thread::ThreadMain() #25 0x00000427f07d base::(anonymous namespace)::ThreadFunc() #26 0x7f885a9cb184 start_thread #27 0x7f885770003d clone [623/1243] AudioPlayerBrowserTest.ChangeTracks (CRASHED)
,
Oct 21
Checked another crash and it's the same stack trace. https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/linux-chromeos-rel/14899 maxmorin@ the stack trace (previous comment) shows some code that you've changed recently, can you have a look?
,
Oct 21
Another stack trace, but from the dbg bot: https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/linux-chromeos-dbg/8440 (from stdout in the browser_tests) [27095:27095:1021/135506.127024:INFO:CONSOLE(0)] "[SUCCESS] [changeTracks]", source: chrome-extension://ddabbgbggambiildohfagdkliahiecfl/_generated_background_page.html (0) BrowserTestBase received signal: Segmentation fault. Backtrace: #0 0x7fe7e2e3e66d base::debug::StackTrace::StackTrace() #1 0x7fe7e2b4197a base::debug::StackTrace::StackTrace() #2 0x000008ea4ca2 Found a corrupted memory buffer in MallocBlock (may be offset from user ptr): buffer index: 0, buffer ptr: 0x23ff069c23c0, size of buffer: 288 Buffer byte 144 is 0xce (should be 0xcd). Deleted by thread 0x7fe7a4bcb700 *** WARNING: Cannot convert addresses to symbols in output below. *** Reason: Cannot find 'pprof' (is PPROF_PATH set correctly?) *** If you cannot fix this, try running pprof directly. @ 0x7fe7e2eed633 @ 0x7fe7e2e7861d @ 0x7fe7e2e78163 @ 0x7fe7e2e77b15 @ 0x7fe7d914b3a2 @ 0x7fe7d9150063 @ 0x7fe7d914fe0d @ 0x7fe7d914fdd0 @ 0x7fe7d914fd19 @ 0x7fe7e2af398e @ 0x7fe7e2b42eaa @ 0x7fe7e2bd44f8 @ 0x7fe7e2bd47fb @ 0x7fe7e2bd4c44 @ 0x7fe7e2e8ff69 @ 0x7fe7e2bd3cce Memory was written to after being freed. MallocBlock: 0x23ff069c23c0, user ptr: 0x23ff069c23e0, size: 288. If you can't find the source of the error, try using ASan (http://code.google.com/p/address-sanitizer/), Valgrind, or Purify, or study the output of the deleter's stack printed above. BrowserTestBase received signal: Segmentation fault. Backtrace: #0 0x7fe7e2e3e66d base::debug::StackTrace::StackTrace() #1 0x7fe7e2b4197a base::debug::StackTrace::StackTrace() #2 0x000008ea4ca2 <unknown> #3 0x7fe7b2220cb0 <unknown> #4 0x7fe7e2e96b14 content::(anonymous namespace)::DumpStackTraceSignalHandler() #3 0x7fe7b2220cb0 <unknown> #4 0x7fe7d914c28e content::ForwardingAudioStreamFactory::Core::CreateOutputStream() #5 0x7fe7d93f5a5c content::RenderFrameAudioOutputStreamFactory::Core::ProviderImpl::Acquire() #6 0x7fe7d7ebe0c1 media::mojom::AudioOutputStreamProviderStubDispatch::Accept() #7 0x7fe7d93f5c23 tcmalloc::Abort() #5 0x7fe7e2e9e88c LogPrintf() #6 0x7fe7e2e9e75b RAW_VLOG() #7 0x7fe7e2ec6209 MallocBlock::CheckForCorruptedBuffer() #8 0x7fe7e2ec5f56 MallocBlock::CheckForDanglingWrites() #9 0x7fe7e2ec2f98 MallocBlock::ProcessFreeQueue() #10 0x7fe7e2ec7bc4 MallocBlock::Deallocate() #11 0x7fe7e2ebfba5 media::mojom::AudioOutputStreamProviderStub<>::Accept() #8 0x7fe7dd7c5f1d DebugDeallocate() #12 0x7fe7e2eed633 tc_free #13 0x7fe7e2e7861d (anonymous namespace)::TCFree() #14 0x7fe7e2e78163 mojo::InterfaceEndpointClient::HandleValidatedMessage() #9 0x7fe7dd7c49b1 mojo::InterfaceEndpointClient::HandleIncomingMessageThunk::Accept() #10 0x7fe7dd7c2e88 mojo::FilterChain::Accept() #11 0x7fe7dd7c88b6 mojo::InterfaceEndpointClient::HandleIncomingMessage() #12 0x7fe7dd7d5282 mojo::internal::MultiplexRouter::ProcessIncomingMessage() #13 0x7fe7dd7d48a5 mojo::internal::MultiplexRouter::Accept() #14 0x7fe7dd7c2e88 mojo::FilterChain::Accept() #15 0x7fe7dd7b5474 mojo::Connector::ReadSingleMessage() #16 0x7fe7dd7b641a mojo::Connector::ReadAllAvailableMessages() #17 0x7fe7dd7b61e8 mojo::Connector::OnHandleReadyInternal() #18 0x7fe7dd7b60eb mojo::Connector::OnWatcherHandleReady() #19 0x7fe7dd7b9d9f _ZN4base8internal13FunctorTraitsIMN4mojo9ConnectorEFvjEvE6InvokeIS5_PS3_JjEEEvT_OT0_DpOT1_ #20 0x7fe7dd7b9ccf _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN4mojo9ConnectorEFvjEJPS5_jEEEvOT_DpOT0_ #21 0x7fe7dd7b9c65 _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo9ConnectorEFvjEJNS0_17UnretainedWrapperIS4_EEEEEFvjEE7RunImplIRKS6_RKNSt3__15tupleIJS8_EEEJLm0EEEEvOT_OT0_NSF_16integer_sequenceImJXspT1_EEEEOj #22 0x7fe7dd7b9b8b _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo9ConnectorEFvjEJNS0_17UnretainedWrapperIS4_EEEEEFvjEE3RunEPNS0_13BindStateBaseEj #23 0x7fe7dd7b0a5e _ZNKR4base17RepeatingCallbackIFvjEE3RunEj #24 0x7fe7dd7b8cdf mojo::SimpleWatcher::DiscardReadyState() #25 0x7fe7dd7b8f4f _ZN4base8internal13FunctorTraitsIPFvRKNS_17RepeatingCallbackIFvjEEEjRKN4mojo18HandleSignalsStateEEvE6InvokeIRKSC_JS6_jSA_EEEvOT_DpOT0_ #26 0x7fe7dd7b8eed _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKPFvRKNS_17RepeatingCallbackIFvjEEEjRKN4mojo18HandleSignalsStateEEJS8_jSC_EEEvOT_DpOT0_ #27 0x7fe7dd7b8e90 _ZN4base8internal7InvokerINS0_9BindStateIPFvRKNS_17RepeatingCallbackIFvjEEEjRKN4mojo18HandleSignalsStateEEJS5_EEEFvjSB_EE7RunImplIRKSD_RKNSt3__15tupleIJS5_EEEJLm0EEEEvOT_OT0_NSK_16integer_sequenceImJXspT1_EEEEOjSB_ #28 0x7fe7dd7b8db6 _ZN4base8internal7InvokerINS0_9BindStateIPFvRKNS_17RepeatingCallbackIFvjEEEjRKN4mojo18HandleSignalsStateEEJS5_EEEFvjSB_EE3RunEPNS0_13BindStateBaseEjSB_ #29 0x7fe7e313d7ee ShimCppDelete #15 0x7fe7e2e77b15 operator delete() #16 0x7fe7d94c1a32 content::RenderWidgetHostImpl::~RenderWidgetHostImpl() #17 0x7fe7d94b1df1 _ZNKR4base17RepeatingCallbackIFvjRKN4mojo18HandleSignalsStateEEE3RunEjS4_ #30 0x7fe7e313d16b mojo::SimpleWatcher::OnHandleReady() #31 0x7fe7e313d986 mojo::SimpleWatcher::Context::Notify() #32 0x7fe7e313d30f mojo::SimpleWatcher::Context::CallNotify() #33 0x7fe7ae4eb567 content::RenderViewHostImpl::~RenderViewHostImpl() #18 0x7fe7d94b1ec9 content::RenderViewHostImpl::~RenderViewHostImpl() #19 0x7fe7d94b5edc content::RenderViewHostImpl::ShutdownAndDestroy() #20 0x7fe7d8d26aae mojo::core::WatcherDispatcher::InvokeWatchCallback() #34 0x7fe7ae4eacf0 content::FrameTree::ReleaseRenderViewHostRef() #21 0x7fe7d8db3f65 mojo::core::Watch::InvokeCallback() #35 0x7fe7ae4da9e1 mojo::core::RequestContext::~RequestContext() #36 0x7fe7ae4ab9b3 mojo::core::NodeChannel::OnChannelMessage() #37 0x7fe7ae46c68d mojo::core::Channel::OnReadComplete() #38 0x7fe7ae4fcddc content::RenderFrameHostImpl::~RenderFrameHostImpl() #22 0x7fe7d8db6cc9 content::RenderFrameHostImpl::~RenderFrameHostImpl() #23 0x7fe7d8e3a2f5 mojo::core::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking() #39 0x7fe7e2e8e72e base::MessagePumpLibevent::FdWatchController::OnFileCanReadWithoutBlocking() #40 0x7fe7e2e8fe2b base::MessagePumpLibevent::OnLibeventNotification() #41 0x7fe7e2ee0e2e event_process_active #42 0x7fe7e2ee0477 event_base_loop #43 0x7fe7e2e90262 base::MessagePumpLibevent::Run() #44 0x7fe7e2bd3cce base::MessageLoop::Run() #45 0x7fe7e2c807a2 base::RunLoop::Run() #46 0x7fe7e2d7d3a9 content::RenderFrameHostManager::~RenderFrameHostManager() #24 0x7fe7d8d2b0b4 content::FrameTreeNode::~FrameTreeNode() #25 0x7fe7d8d23f7f base::Thread::Run() #47 0x7fe7d8823ccf content::FrameTree::~FrameTree() #26 0x7fe7d986c4ac <unknown> #27 0x7fe7d986ca79 <unknown> #28 0x000004d8f92d content::BrowserProcessSubThread::IOThreadRun() #48 0x7fe7d8823be8 extensions::AppWindowContentsImpl::~AppWindowContentsImpl() #29 0x000004d8f9a9 content::BrowserProcessSubThread::Run() #49 0x7fe7e2d7e007 base::Thread::ThreadMain() #50 0x7fe7e2e74b3d base::(anonymous namespace)::ThreadFunc() #51 0x7fe7b3ae8184 start_thread #52 0x7fe7b22e803d clone
,
Oct 21
A ASAN and MSAN stack trace from other test but with basically the same failure mode: https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20ChromiumOS%20MSan%20Tests/9152 https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20Chromium%20OS%20ASan%20LSan%20Tests%20%281%29/29667 [6120:6120:1019/050912.169951:INFO:CONSOLE(0)] "[SUCCESS] [audioAutoAdvanceDrive]", source: chrome-extension://oobinhbdbiehknkpbpejbbpdbkdjmoco/_generated_background_page.html (0) ==6120==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0xe4e1c1e in content::ForwardingAudioStreamFactory::Core::CreateOutputStream(int, int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, media::AudioParameters const&, base::Optional<base::UnguessableToken> const&, mojo::InterfacePtr<media::mojom::AudioOutputStreamProviderClient>) ./../../content/browser/media/forwarding_audio_stream_factory.cc:98:32 #1 0xe874767 in content::RenderFrameAudioOutputStreamFactory::Core::ProviderImpl::Acquire(media::AudioParameters const&, mojo::InterfacePtr<media::mojom::AudioOutputStreamProviderClient>, base::Optional<base::UnguessableToken> const&) ./../../content/browser/renderer_host/media/render_frame_audio_output_stream_factory.cc:79:36 #2 0xc5c509a in media::mojom::AudioOutputStreamProviderStubDispatch::Accept(media::mojom::AudioOutputStreamProvider*, mojo::Message*) ./gen/media/mojo/interfaces/audio_output_stream.mojom.cc:744:13 #3 0xe875266 in media::mojom::AudioOutputStreamProviderStub<mojo::RawPtrImplRefTraits<media::mojom::AudioOutputStreamProvider> >::Accept(mojo::Message*) ./gen/media/mojo/interfaces/audio_output_stream.mojom.h:456:12 #4 0x1aea4b69 in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) ./../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:423:32 #5 0x1aeeeaaa in mojo::FilterChain::Accept(mojo::Message*) ./../../mojo/public/cpp/bindings/lib/filter_chain.cc:40:17 #6 0x1aebbe2d in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) ./../../mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42 #7 0x1aeb9850 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) ./../../mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38 #8 0x1aeeeaaa in mojo::FilterChain::Accept(mojo::Message*) ./../../mojo/public/cpp/bindings/lib/filter_chain.cc:40:17 #9 0x1ae9d928 in mojo::Connector::ReadSingleMessage(unsigned int*) ./../../mojo/public/cpp/bindings/lib/connector.cc:476:51 #10 0x1aea0200 in mojo::Connector::ReadAllAvailableMessages() ./../../mojo/public/cpp/bindings/lib/connector.cc:505:10 #11 0x18420eb8 in Run ./../../base/callback.h:129:12 #12 0x18420eb8 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) ./../../mojo/public/cpp/system/simple_watcher.cc:273:0 #13 0x184218cc in mojo::SimpleWatcher::Context::Notify(unsigned int, MojoHandleSignalsState, unsigned int) ./../../mojo/public/cpp/system/simple_watcher.cc:105:22 #14 0x1841e3d8 in mojo::SimpleWatcher::Context::CallNotify(MojoTrapEvent const*) ./../../mojo/public/cpp/system/simple_watcher.cc:55:14 #15 0xcc81697 in mojo::core::WatcherDispatcher::InvokeWatchCallback(unsigned long, unsigned int, mojo::core::HandleSignalsState const&, unsigned int) ./../../mojo/core/watcher_dispatcher.cc:90:3 #16 0xcc7efc2 in mojo::core::Watch::InvokeCallback(unsigned int, mojo::core::HandleSignalsState const&, unsigned int) ./../../mojo/core/watch.cc:78:13 #17 0xcc6a133 in mojo::core::RequestContext::~RequestContext() ./../../mojo/core/request_context.cc:72:20 #18 0xcc33480 in mojo::core::NodeChannel::OnChannelMessage(void const*, unsigned long, std::__1::vector<mojo::PlatformHandle, std::__1::allocator<mojo::PlatformHandle> >) ./../../mojo/core/node_channel.cc:695:1 #19 0xcbe5e06 in mojo::core::Channel::OnReadComplete(unsigned long, unsigned long*) ./../../mojo/core/channel.cc:714:18 #20 0xcc9f407 in mojo::core::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int) ./../../mojo/core/channel_posix.cc:464:14 #21 0x164237df in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) ./../../base/message_loop/message_pump_libevent.cc:0:0 #22 0x1a2e8e66 in event_process_active ./../../base/third_party/libevent/event.c:381:4 #23 0x1a2e8e66 in event_base_loop ./../../base/third_party/libevent/event.c:521:0 #24 0x164243bf in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_libevent.cc:214:5 #25 0x161cf70f in base::RunLoop::Run() ./../../base/run_loop.cc:102:14 #26 0xd78ecce in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) ./../../content/browser/browser_process_sub_thread.cc:174:11 #27 0x162f2813 in base::Thread::ThreadMain() ./../../base/threading/thread.cc:357:3 #28 0x164122b7 in base::(anonymous namespace)::ThreadFunc(void*) ./../../base/threading/platform_thread_posix.cc:80:13 #29 0x7fb54c1c4183 in start_thread ??:0:0 #30 0x7fb54707903c in clone ??:0:0 Uninitialized value was created by a heap deallocation #0 0xca7eb9 in operator delete(void*) /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/msan/msan_new_delete.cc:75:44 #1 0xe4f00e4 in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2325:5 #2 0xe4f00e4 in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2638:0 #3 0xe4f00e4 in ~unique_ptr ./../../buildtools/third_party/libc++/trunk/include/memory:2592:0 #4 0xe4f00e4 in Invoke<(lambda at ../../content/browser/media/forwarding_audio_stream_factory.cc:219:22), std::__1::unique_ptr<content::ForwardingAudioStreamFactory::Core, std::__1::default_delete<content::ForwardingAudioStreamFactory::Core> > > ./../../base/bind_internal.h:403:0 #5 0xe4f00e4 in MakeItSo<(lambda at ../../content/browser/media/forwarding_audio_stream_factory.cc:219:22), std::__1::unique_ptr<content::ForwardingAudioStreamFactory::Core, std::__1::default_delete<content::ForwardingAudioStreamFactory::Core> > > ./../../base/bind_internal.h:616:0 #6 0xe4f00e4 in RunImpl<(lambda at ../../content/browser/media/forwarding_audio_stream_factory.cc:219:22), std::__1::tuple<std::__1::unique_ptr<content::ForwardingAudioStreamFactory::Core, std::__1::default_delete<content::ForwardingAudioStreamFactory::Core> > >, 0> ./../../base/bind_internal.h:689:0 #7 0xe4f00e4 in base::internal::Invoker<base::internal::BindState<content::ForwardingAudioStreamFactory::~ForwardingAudioStreamFactory()::$_0, std::__1::unique_ptr<content::ForwardingAudioStreamFactory::Core, std::__1::default_delete<content::ForwardingAudioStreamFactory::Core> > >, void ()>::RunOnce(base::internal::BindStateBase*) ./../../base/bind_internal.h:658:0 #8 0x16437caa in Run ./../../base/callback.h:99:12 #9 0x16437caa in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:99:0 #10 0x16107862 in base::MessageLoop::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop.cc:434:46 #11 0x16108add in DeferOrRunPendingTask ./../../base/message_loop/message_loop.cc:445:5 #12 0x16108add in base::MessageLoop::DoWork() ./../../base/message_loop/message_loop.cc:517:0 #13 0x16424890 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_libevent.cc:210:31 #14 0x161cf70f in base::RunLoop::Run() ./../../base/run_loop.cc:102:14 #15 0xd78ecce in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) ./../../content/browser/browser_process_sub_thread.cc:174:11 #16 0x162f2813 in base::Thread::ThreadMain() ./../../base/threading/thread.cc:357:3 #17 0x164122b7 in base::(anonymous namespace)::ThreadFunc(void*) ./../../base/threading/platform_thread_posix.cc:80:13 #18 0x7fb54c1c4183 in start_thread ??:0:0 SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/browser_tests+0xe4e1c1e) Exiting [1:8:0100/000000.342354:ERROR:broker_posix.cc(40)] Recvmsg error: Connection reset by peer (104) [1:8:0100/000000.342464:ERROR:broker_posix.cc(40)] Recvmsg error: Connection reset by peer (104) [1:8:0100/000000.350787:ERROR:broker_posix.cc(106)] Error sending sync broker message: Broken pipe (32) [419/464] OpenAudioFiles/FilesAppBrowserTest.Test/audioAutoAdvanceDrive (CRASHED) ------------------------------------------------------------------------------------------------------------------------------------------------ [15111:15111:1019/171410.331674:INFO:CONSOLE(0)] "[SUCCESS] [audioAutoAdvanceDrive]", source: chrome-extension://oobinhbdbiehknkpbpejbbpdbkdjmoco/_generated_background_page.html (0) ================================================================= ==15111==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000bcada0 at pc 0x00000b974f44 bp 0x7f44b042a4f0 sp 0x7f44b042a4e8 READ of size 8 at 0x611000bcada0 thread T2 (Chrome_IOThread) #0 0xb974f43 in operator-> buildtools/third_party/libc++/trunk/include/memory:2607:19 #1 0xb974f43 in content::ForwardingAudioStreamFactory::Core::CreateOutputStream(int, int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, media::AudioParameters const&, base::Optional<base::UnguessableToken> const&, mojo::InterfacePtr<media::mojom::AudioOutputStreamProviderClient>) content/browser/media/forwarding_audio_stream_factory.cc:98 #2 0xbcb3442 in content::RenderFrameAudioOutputStreamFactory::Core::ProviderImpl::Acquire(media::AudioParameters const&, mojo::InterfacePtr<media::mojom::AudioOutputStreamProviderClient>, base::Optional<base::UnguessableToken> const&) content/browser/renderer_host/media/render_frame_audio_output_stream_factory.cc:79:36 #3 0x9ef5584 in media::mojom::AudioOutputStreamProviderStubDispatch::Accept(media::mojom::AudioOutputStreamProvider*, mojo::Message*) gen/media/mojo/interfaces/audio_output_stream.mojom.cc:744:13 #4 0x1625d562 in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:423:32 #5 0x162a19a7 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17 #6 0x1626169c in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:306:19 #7 0x16275bc3 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42 #8 0x16273876 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38 #9 0x162a19a7 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17 #10 0x162541b1 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:476:51 #11 0x162561e3 in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:505:10 #12 0x16255b93 in mojo::Connector::OnHandleReadyInternal(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:387:3 #13 0x9a32913 in Run base/callback.h:129:12 #14 0x9a32913 in mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.h:194 #15 0x1412288c in Run base/callback.h:129:12 #16 0x1412288c in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:273 #17 0x1412366e in mojo::SimpleWatcher::Context::Notify(unsigned int, MojoHandleSignalsState, unsigned int) mojo/public/cpp/system/simple_watcher.cc:105:22 #18 0x1411f21a in mojo::SimpleWatcher::Context::CallNotify(MojoTrapEvent const*) mojo/public/cpp/system/simple_watcher.cc:55:14 #19 0xa64197a in mojo::core::WatcherDispatcher::InvokeWatchCallback(unsigned long, unsigned int, mojo::core::HandleSignalsState const&, unsigned int) mojo/core/watcher_dispatcher.cc:90:3 #20 0xa6404f1 in mojo::core::Watch::InvokeCallback(unsigned int, mojo::core::HandleSignalsState const&, unsigned int) mojo/core/watch.cc:78:13 #21 0xa63045d in mojo::core::RequestContext::~RequestContext() mojo/core/request_context.cc:72:20 #22 0xa604e70 in mojo::core::NodeChannel::OnChannelMessage(void const*, unsigned long, std::__1::vector<mojo::PlatformHandle, std::__1::allocator<mojo::PlatformHandle> >) mojo/core/node_channel.cc:695:1 #23 0xa5cade7 in mojo::core::Channel::OnReadComplete(unsigned long, unsigned long*) mojo/core/channel.cc:714:18 #24 0xa6530cf in mojo::core::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int) mojo/core/channel_posix.cc:464:14 #25 0x126a718c in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) base/message_loop/message_pump_libevent.cc #26 0x15ada718 in event_process_active base/third_party/libevent/event.c:381:4 #27 0x15ada718 in event_base_loop base/third_party/libevent/event.c:521 #28 0x126a77b1 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:214:5 #29 0x12421904 in base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:386:12 #30 0x124c29ad in base::RunLoop::Run() base/run_loop.cc:102:14 #31 0x125b3777 in base::Thread::Run(base::RunLoop*) base/threading/thread.cc:262:13 #32 0xaf04d10 in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) content/browser/browser_process_sub_thread.cc:174:11 #33 0xaf04a42 in content::BrowserProcessSubThread::Run(base::RunLoop*) content/browser/browser_process_sub_thread.cc:126:7 #34 0x125b41db in base::Thread::ThreadMain() base/threading/thread.cc:357:3 #35 0x12692ea2 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:80:13 #36 0x7f44be887183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183) 0x611000bcada0 is located 32 bytes inside of 240-byte region [0x611000bcad80,0x611000bcae70) freed by thread T2 (Chrome_IOThread) here: #0 0x101f802 in operator delete(void*) /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:167:3 #1 0x126bbe3f in Run base/callback.h:99:12 #2 0x126bbe3f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:99 #3 0x12422a74 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:434:46 #4 0x1242361f in DeferOrRunPendingTask base/message_loop/message_loop.cc:445:5 #5 0x1242361f in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:517 #6 0x126a7aa0 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:210:31 #7 0x12421904 in base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:386:12 #8 0x124c29ad in base::RunLoop::Run() base/run_loop.cc:102:14 #9 0x125b3777 in base::Thread::Run(base::RunLoop*) base/threading/thread.cc:262:13 #10 0xaf04d10 in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) content/browser/browser_process_sub_thread.cc:174:11 #11 0xaf04a42 in content::BrowserProcessSubThread::Run(base::RunLoop*) content/browser/browser_process_sub_thread.cc:126:7 #12 0x125b41db in base::Thread::ThreadMain() base/threading/thread.cc:357:3 #13 0x12692ea2 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:80:13 #14 0x7f44be887183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183) previously allocated by thread T0 (browser_tests) here: #0 0x101ebc2 in operator new(unsigned long) /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:106:3 #1 0xb978cb4 in make_unique<content::ForwardingAudioStreamFactory::Core, base::WeakPtr<content::ForwardingAudioStreamFactory>, media::UserInputMonitorBase *&, std::__1::unique_ptr<service_manager::Connector, std::__1::default_delete<service_manager::Connector> >, std::__1::unique_ptr<content::AudioStreamBrokerFactory, std::__1::default_delete<content::AudioStreamBrokerFactory> > > buildtools/third_party/libc++/trunk/include/memory:3118:28 #2 0xb978cb4 in content::ForwardingAudioStreamFactory::ForwardingAudioStreamFactory(content::WebContents*, media::UserInputMonitorBase*, std::__1::unique_ptr<service_manager::Connector, std::__1::default_delete<service_manager::Connector> >, std::__1::unique_ptr<content::AudioStreamBrokerFactory, std::__1::default_delete<content::AudioStreamBrokerFactory> >) content/browser/media/forwarding_audio_stream_factory.cc:207 #3 0xc345418 in void base::internal::OptionalStorageBase<content::ForwardingAudioStreamFactory, false>::Init<content::WebContentsImpl*, media::UserInputMonitorBase*, std::__1::unique_ptr<service_manager::Connector, std::__1::default_delete<service_manager::Connector> >, std::__1::unique_ptr<content::AudioStreamBrokerFactory, std::__1::default_delete<content::AudioStreamBrokerFactory> > >(content::WebContentsImpl*&&, media::UserInputMonitorBase*&&, std::__1::unique_ptr<service_manager::Connector, std::__1::default_delete<service_manager::Connector> >&&, std::__1::unique_ptr<content::AudioStreamBrokerFactory, std::__1::default_delete<content::AudioStreamBrokerFactory> >&&) base/optional.h:70:21 #4 0xc2e933b in emplace<content::WebContentsImpl *, media::UserInputMonitorBase *, std::__1::unique_ptr<service_manager::Connector, std::__1::default_delete<service_manager::Connector> >, std::__1::unique_ptr<content::AudioStreamBrokerFactory, std::__1::default_delete<content::AudioStreamBrokerFactory> > > base/optional.h:683:14 #5 0xc2e933b in content::WebContentsImpl::GetAudioStreamFactory() content/browser/web_contents/web_contents_impl.cc:6602 #6 0xb97855c in content::ForwardingAudioStreamFactory::ForFrame(content::RenderFrameHost*) content/browser/media/forwarding_audio_stream_factory.cc:187:20 #7 0xb97885f in content::ForwardingAudioStreamFactory::CoreForFrame(content::RenderFrameHost*) content/browser/media/forwarding_audio_stream_factory.cc:195:7 #8 0xbcaecba in content::RenderFrameAudioOutputStreamFactory::Core::Core(content::RenderFrameHost*, media::AudioSystem*, content::MediaStreamManager*, mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>) content/browser/renderer_host/media/render_frame_audio_output_stream_factory.cc:182:27 #9 0xbcae331 in content::RenderFrameAudioOutputStreamFactory::RenderFrameAudioOutputStreamFactory(content::RenderFrameHost*, media::AudioSystem*, content::MediaStreamManager*, mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>) content/browser/renderer_host/media/render_frame_audio_output_stream_factory.cc:149:17 #10 0xb5ce656 in void base::internal::OptionalStorageBase<content::RenderFrameAudioOutputStreamFactory, false>::Init<content::RenderFrameHostImpl*, media::AudioSystem*&, content::MediaStreamManager*&, mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory> >(content::RenderFrameHostImpl*&&, media::AudioSystem*&, content::MediaStreamManager*&, mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>&&) base/optional.h:70:21 #11 0xb56fbd2 in emplace<content::RenderFrameHostImpl *, media::AudioSystem *&, content::MediaStreamManager *&, mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory> > base/optional.h:683:14 #12 0xb56fbd2 in content::RenderFrameHostImpl::CreateAudioOutputStreamFactory(mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>) content/browser/frame_host/render_frame_host_impl.cc:5234 #13 0xb5b0867 in Invoke<void (content::RenderFrameHostImpl::*)(mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>), content::RenderFrameHostImpl *, mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory> > base/bind_internal.h:516:12 #14 0xb5b0867 in MakeItSo<void (content::RenderFrameHostImpl::*const &)(mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>), content::RenderFrameHostImpl *, mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory> > base/bind_internal.h:616 #15 0xb5b0867 in RunImpl<void (content::RenderFrameHostImpl::*const &)(mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>), const std::__1::tuple<base::internal::UnretainedWrapper<content::RenderFrameHostImpl> > &, 0> base/bind_internal.h:689 #16 0xb5b0867 in base::internal::Invoker<base::internal::BindState<void (content::RenderFrameHostImpl::*)(mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>), base::internal::UnretainedWrapper<content::RenderFrameHostImpl> >, void (mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>)>::Run(base::internal::BindStateBase*, mojo::InterfaceRequest<content::mojom::RendererAudioOutputStreamFactory>&&) base/bind_internal.h:671 #17 0xb5b0e12 in Run base/callback.h:129:12 #18 0xb5b0e12 in RunCallback services/service_manager/public/cpp/interface_binder.h:69 #19 0xb5b0e12 in service_manager::CallbackBinder<content::mojom::RendererAudioOutputStreamFactory>::BindInterface(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, mojo::ScopedHandleBase<mojo::MessagePipeHandle>) services/service_manager/public/cpp/interface_binder.h:62 #20 0x59f95da in service_manager::BinderRegistryWithArgs<>::BindInterface(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, mojo::ScopedHandleBase<mojo::MessagePipeHandle>) services/service_manager/public/cpp/binder_registry.h:86:19 #21 0xb58b315 in TryBindInterface services/service_manager/public/cpp/binder_registry.h:115:7 #22 0xb58b315 in content::RenderFrameHostImpl::GetInterface(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, mojo::ScopedHandleBase<mojo::MessagePipeHandle>) content/browser/frame_host/render_frame_host_impl.cc:5332 #23 0x16b4bab6 in service_manager::mojom::InterfaceProviderStubDispatch::Accept(service_manager::mojom::InterfaceProvider*, mojo::Message*) gen/services/service_manager/public/mojom/interface_provider.mojom.cc:123:13 #24 0x1625d562 in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:423:32 #25 0x162a19a7 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17 #26 0x1626169c in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:306:19 #27 0x16275bc3 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42 #28 0x16273876 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38 #29 0x162a19a7 in mojo::FilterChain::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/filter_chain.cc:40:17 #30 0x162541b1 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:476:51 #31 0x162561e3 in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:505:10 #32 0x16255b93 in mojo::Connector::OnHandleReadyInternal(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:387:3 #33 0x9a32913 in Run base/callback.h:129:12 #34 0x9a32913 in mojo::SimpleWatcher::DiscardReadyState(base::RepeatingCallback<void (unsigned int)> const&, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.h:194 #35 0x1412288c in Run base/callback.h:129:12 #36 0x1412288c in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:273 #37 0x14123a83 in Invoke<void (mojo::SimpleWatcher::*)(int, unsigned int, const mojo::HandleSignalsState &), const base::WeakPtr<mojo::SimpleWatcher> &, const int &, const unsigned int &, const mojo::HandleSignalsState &> base/bind_internal.h:516:12 #38 0x14123a83 in MakeItSo<void (mojo::SimpleWatcher::*const &)(int, unsigned int, const mojo::HandleSignalsState &), const base::WeakPtr<mojo::SimpleWatcher> &, const int &, const unsigned int &, const mojo::HandleSignalsState &> base/bind_internal.h:636 #39 0x14123a83 in void base::internal::Invoker<base::internal::BindState<void (mojo::SimpleWatcher::*)(int, unsigned int, mojo::HandleSignalsState const&), base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState>, void ()>::RunImpl<void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, 0ul, 1ul, 2ul, 3ul>(void (mojo::SimpleWatcher::* const&)(int, unsigned int, mojo::HandleSignalsState const&), std::__1::tuple<base::WeakPtr<mojo::SimpleWatcher>, int, unsigned int, mojo::HandleSignalsState> const&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>) base/bind_internal.h:689 #40 0x126bbe3f in Run base/callback.h:99:12 #41 0x126bbe3f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:99 #42 0x12422a74 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:434:46 #43 0x1242361f in DeferOrRunPendingTask base/message_loop/message_loop.cc:445:5 #44 0x1242361f in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:517 Thread T2 (Chrome_IOThread) created by T0 (browser_tests) here: #0 0xfdaf3d in __interceptor_pthread_create /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3 #1 0x12691e9f in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:119:13 #2 0x125b1fb2 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:119:15 #3 0xaf043f5 in content::BrowserProcessSubThread::CreateIOThread() content/browser/browser_process_sub_thread.cc:90:19 #4 0x115ea868 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:873:29 #5 0x1a15b073 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29 #6 0x115e5a65 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10 #7 0x13e717c1 in content::BrowserTestBase::SetUp() content/public/test/browser_test_base.cc:340:3 #8 0x1282f84d in InProcessBrowserTest::SetUp() chrome/test/base/in_process_browser_test.cc:283:20 #9 0x738b212 in HandleExceptionsInMethodIfSupported<testing::Test, void> third_party/googletest/src/googletest/src/gtest.cc #10 0x738b212 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2518 #11 0x738d534 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2698:11 #12 0x738e9d6 in testing::TestCase::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28 #13 0x73b6546 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5182:43 #14 0x73b58c5 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> third_party/googletest/src/googletest/src/gtest.cc #15 0x73b58c5 in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4791 #16 0x128852aa in RUN_ALL_TESTS third_party/googletest/src/googletest/include/gtest/gtest.h:2333:46 #17 0x128852aa in base::TestSuite::Run() base/test/test_suite.cc:294 #18 0x1238bd51 in ChromeTestSuiteRunner::RunTestSuite(int, char**) chrome/test/base/chrome_test_launcher.cc:71:21 #19 0x13f06b65 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) content/public/test/test_launcher.cc:647:31 #20 0x1238cb56 in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) chrome/test/base/chrome_test_launcher.cc:182:10 #21 0x1238b7ee in main chrome/test/base/browser_tests_main_chromeos.cc:21:10 #22 0x7f44ba27df44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) SUMMARY: AddressSanitizer: heap-use-after-free buildtools/third_party/libc++/trunk/include/memory:2607:19 in operator-> Shadow bytes around the buggy address: 0x0c2280171560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2280171570: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa 0x0c2280171580: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c2280171590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c22801715a0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa =>0x0c22801715b0: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd 0x0c22801715c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa 0x0c22801715d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c22801715e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c22801715f0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2280171600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc Cannot upload crash dump: failed to open ==15111==ABORTING [15534:15586:0100/000000.340717:ERROR:broker_posix.cc(40)] Recvmsg error: Connection reset by peer (104) [15534:15586:0100/000000.346953:ERROR:command_buffer_proxy_impl.cc(704)] AllocateAndMapSharedMemory: Allocation failed [15546:15595:0100/000000.340597:ERROR:broker_posix.cc(40)] Recvmsg error: Connection reset by peer (104) [15546:15595:0100/000000.357075:ERROR:command_buffer_proxy_impl.cc(704)] AllocateAndMapSharedMemory: Allocation failed [268/297] OpenAudioFiles/FilesAppBrowserTest.Test/audioAutoAdvanceDrive (CRASHED)
,
Oct 22
I'll take care of it.
,
Oct 22
,
Oct 22
So apparently a frame can be destroyed before its WebContentsImpl. There goes the last hope for me to ever understand content/ ¯\_(ツ)_/¯. I'll sprinkle some weak pointers over the code.
,
Oct 22
Fix up for review https://chromium-review.googlesource.com/c/chromium/src/+/1293572.
,
Oct 22
For M71: Please expedite the review, verify the fix, and get the merge in soon given our Beta schedule. Thanks.
,
Oct 23
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/df7a24e4781cb1aa5f853eab24effea1b4328e2a commit df7a24e4781cb1aa5f853eab24effea1b4328e2a Author: Max Morin <maxmorin@chromium.org> Date: Tue Oct 23 09:01:18 2018 Fix audio stream creation UAF. This code assumes that the WebContents owning a RenderFrameHost outlives the RenderFrameHost, since otherwise RenderFrameHost would have a dangling |delegate_| pointer. This is apparently false, so this CL makes sure the RenderFrameAudio{In,Out}putStreamFactory refers to the ForwardingAudioStreamFactory by a weak pointer. Test: In addition to CQ, AudioPlayerBrowserTest.ChangeTracks was repeated 1000 times locally with CrOS/ASAN to ensure it didn't flake. Bug: 897043 Change-Id: I77925403e95ba8edc7cfaa5db23dc8fe5fd70f93 Reviewed-on: https://chromium-review.googlesource.com/c/1293572 Reviewed-by: Olga Sharonova <olka@chromium.org> Commit-Queue: Olga Sharonova <olka@chromium.org> Cr-Commit-Position: refs/heads/master@{#601885} [modify] https://crrev.com/df7a24e4781cb1aa5f853eab24effea1b4328e2a/content/browser/media/forwarding_audio_stream_factory.cc [modify] https://crrev.com/df7a24e4781cb1aa5f853eab24effea1b4328e2a/content/browser/media/forwarding_audio_stream_factory.h [modify] https://crrev.com/df7a24e4781cb1aa5f853eab24effea1b4328e2a/content/browser/renderer_host/media/render_frame_audio_input_stream_factory.cc [modify] https://crrev.com/df7a24e4781cb1aa5f853eab24effea1b4328e2a/content/browser/renderer_host/media/render_frame_audio_output_stream_factory.cc [modify] https://crrev.com/df7a24e4781cb1aa5f853eab24effea1b4328e2a/content/browser/renderer_host/media/render_frame_audio_output_stream_factory.h
,
Oct 23
Issue 897770 has been merged into this issue.
,
Oct 23
Removing RBB after dicussions, will merge to next beta instead to let the fix bake in canary.
,
Oct 23
Ok, was asked to request merge here anyways so I will. The situation is like this: the code path which leads to the crash (or test failure in the case of this issue) is controlled with Finch. Thus, we can either merge the CL in comment 12 right away without baking in canary (it's pretty simple and covered by unit/browser tests), or we can wait a couple of days before merging and have the change picked up in the next beta release (and make sure the code path is disabled with Finch).
,
Oct 24
Your change meets the bar and is auto-approved for M71. Please go ahead and merge the CL to branch 3578 manually. Please contact milestone owner if you have questions. Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 24
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/955f50a2bb53128ef166a616c8258847d21ff288 Commit: 955f50a2bb53128ef166a616c8258847d21ff288 Author: maxmorin@chromium.org Commiter: maxmorin@chromium.org Date: 2018-10-24 13:59:08 +0000 UTC [M71] Fix audio stream creation UAF. This code assumes that the WebContents owning a RenderFrameHost outlives the RenderFrameHost, since otherwise RenderFrameHost would have a dangling |delegate_| pointer. This is apparently false, so this CL makes sure the RenderFrameAudio{In,Out}putStreamFactory refers to the ForwardingAudioStreamFactory by a weak pointer. Test: In addition to CQ, AudioPlayerBrowserTest.ChangeTracks was repeated 1000 times locally with CrOS/ASAN to ensure it didn't flake. Bug: 897043 Change-Id: I77925403e95ba8edc7cfaa5db23dc8fe5fd70f93 Reviewed-on: https://chromium-review.googlesource.com/c/1293572 Reviewed-by: Olga Sharonova <olka@chromium.org> Commit-Queue: Olga Sharonova <olka@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#601885}(cherry picked from commit df7a24e4781cb1aa5f853eab24effea1b4328e2a) Reviewed-on: https://chromium-review.googlesource.com/c/1298010 Reviewed-by: Max Morin <maxmorin@chromium.org> Cr-Commit-Position: refs/branch-heads/3578@{#287} Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034}
,
Oct 24
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/955f50a2bb53128ef166a616c8258847d21ff288 commit 955f50a2bb53128ef166a616c8258847d21ff288 Author: Max Morin <maxmorin@chromium.org> Date: Wed Oct 24 13:59:08 2018 [M71] Fix audio stream creation UAF. This code assumes that the WebContents owning a RenderFrameHost outlives the RenderFrameHost, since otherwise RenderFrameHost would have a dangling |delegate_| pointer. This is apparently false, so this CL makes sure the RenderFrameAudio{In,Out}putStreamFactory refers to the ForwardingAudioStreamFactory by a weak pointer. Test: In addition to CQ, AudioPlayerBrowserTest.ChangeTracks was repeated 1000 times locally with CrOS/ASAN to ensure it didn't flake. Bug: 897043 Change-Id: I77925403e95ba8edc7cfaa5db23dc8fe5fd70f93 Reviewed-on: https://chromium-review.googlesource.com/c/1293572 Reviewed-by: Olga Sharonova <olka@chromium.org> Commit-Queue: Olga Sharonova <olka@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#601885}(cherry picked from commit df7a24e4781cb1aa5f853eab24effea1b4328e2a) Reviewed-on: https://chromium-review.googlesource.com/c/1298010 Reviewed-by: Max Morin <maxmorin@chromium.org> Cr-Commit-Position: refs/branch-heads/3578@{#287} Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034} [modify] https://crrev.com/955f50a2bb53128ef166a616c8258847d21ff288/content/browser/media/forwarding_audio_stream_factory.cc [modify] https://crrev.com/955f50a2bb53128ef166a616c8258847d21ff288/content/browser/media/forwarding_audio_stream_factory.h [modify] https://crrev.com/955f50a2bb53128ef166a616c8258847d21ff288/content/browser/renderer_host/media/render_frame_audio_input_stream_factory.cc [modify] https://crrev.com/955f50a2bb53128ef166a616c8258847d21ff288/content/browser/renderer_host/media/render_frame_audio_output_stream_factory.cc [modify] https://crrev.com/955f50a2bb53128ef166a616c8258847d21ff288/content/browser/renderer_host/media/render_frame_audio_output_stream_factory.h
,
Oct 26
Thanks everyone (especially for the detailed investigation)! |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by noel@chromium.org
, Oct 19