
Issue 902573


Issue metadata

Status: WontFix
Owner:
Closed: Nov 12
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




Chrome_Mac: Crash Report - [Cocoa Zombie] -[NSXPCInterface retain]

Project Member Reported by crash-fe...@system.gserviceaccount.com, Nov 6

Issue description

reporter:pbommana@google.com

Magic Signature: [Cocoa Zombie] -[NSXPCInterface retain]

Crash link: https://crash.corp.google.com/browse?q=product_name%3D%27Chrome_Mac%27+AND+product.version%3D%2771.0.3578.30%27+AND+expanded_custom_data.ChromeCrashProto.channel%3D%27beta%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27browser%27+AND+expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BCocoa+Zombie%5D+-%5BNSXPCInterface+retain%5D%27&stbtiq=&reportid=&index=0

-------------------------------------------------------------------------------
Sample Report
-------------------------------------------------------------------------------
Product name: Chrome_Mac
Magic Signature : [Cocoa Zombie] -[NSXPCInterface retain]
Product Version: 71.0.3578.30
Process type: browser
Report ID: d09b59305510172d
Report Url: https://crash.corp.google.com/d09b59305510172d
Report Time: 2018-11-05T11:07:13-08:00
Upload Time: 2018-11-05T11:12:10.512-08:00
Uptime: 150609000 ms
OS Name: Mac OS X
OS Version: 10.13.4 17E199
CPU Architecture: amd64
CPU Info: family 6 model 158 stepping 9

-------------------------------------------------------------------------------
Crashing thread: Thread index: 0. Stack Quality: 86%. Thread id: 722243.
-------------------------------------------------------------------------------
0x00000001128fad49 (Google Chrome Framework - objc_zombie.mm: 234)	(anonymous namespace)::ZombieObjectCrash(objc_object*, objc_selector*, objc_selector*)
0x00000001128fabad (Google Chrome Framework - objc_zombie.mm: 269)	-[CrZombie forwardingTargetForSelector:]
0x00000001079fe380 (CoreFoundation + 0x00081380)	___forwarding___
0x00000001079fe237 (CoreFoundation + 0x00081237)	__forwarding_prep_0___
0x00000001072eb250 (libobjc.A.dylib + 0x00013250)	objc_setProperty_nonatomic
0x0000000102026129 (Foundation + 0x00029129)	-[_NSXPCConnectionExportedObjectTable setInterface:forProxyNumber:]
0x000000010a678c8e (LaunchServices + 0x000ffc8e)	__45-[LSApplicationWorkspace establishConnection]_block_invoke
0x00000001092f3e07 (libdispatch.dylib + 0x00001e07)	_dispatch_client_callout
0x0000000109307230 (libdispatch.dylib + 0x00015230)	_dispatch_queue_barrier_sync_invoke_and_complete
0x000000010a678b90 (LaunchServices + 0x000ffb90)	-[LSApplicationWorkspace establishConnection]
0x000000010a58cd72 (LaunchServices + 0x00013d72)	-[LSApplicationWorkspace remoteObserver]
0x000000010a679e22 (LaunchServices + 0x00100e22)	-[LSApplicationWorkspace removeObserver:]
0x0000000121b44f56 (PlugInKit + 0x0000bf56)	-[PKDiscoveryLSWatcher stopUpdates]
0x0000000121b44d8b (PlugInKit + 0x0000bd8b)	-[PKDiscoveryDriver removeWatchers]
0x0000000121b443c0 (PlugInKit + 0x0000b3c0)	__28-[PKDiscoveryDriver dealloc]_block_invoke
0x00000001097d1e46 (libsystem_trace.dylib + 0x00002e46)	os_activity_apply_f
0x0000000121b442d8 (PlugInKit + 0x0000b2d8)	-[PKDiscoveryDriver dealloc]
0x000000014d13da53 (FinderKit + 0x00044a53)	TNSRef<NSObject*, void>::~TNSRef()
0x000000010944ceec (libsystem_c.dylib + 0x0005deec)	__cxa_finalize_ranges
0x000000010944d1fd (libsystem_c.dylib + 0x0005e1fd)	exit
0x0000000101feddd4 (Google Chrome - chrome_exe_main_mac.cc: 105)	main
0x0000000109367014 (libdyld.dylib + 0x00001014)	start

-------------------------------------------------------------------------------
Manual regression range finder link
-------------------------------------------------------------------------------
https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27%5BCocoa+Zombie%5D+-%5BNSXPCInterface+retain%5D%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27browser%27#-property-selector,-samplereports,+productname,+productversion:1000,+directory,-clientid,+operatingsystem,+url,+simplifiedurl,+extensions

 
Cc: pbomm...@chromium.org sdy@chromium.org
Labels: M-72 FoundIn-71 FoundIn-70 FoundIn-72
This crash has been there since 57.0.2987.133, and so far the majority of the crashes are on Mac OS versions 10.13 (High Sierra) and 10.14 (Mojave).

So far we have just single-digit crashes in the Beta channel, whereas in stable the crash count is higher.

Please find the crash impact on Chrome versions here : https://goto.google.com/xmwev


Labels: -Restrict-View-EditIssue -M-72 Target-73 M-73
Owner: rsesek@chromium.org
Status: Assigned (was: Untriaged)
Mac triage: to rsesek@ - any idea what's going on here?

From the stack trace this is a crash *during exit* where, in the process of tearing down PlugInKit, PlugInKit tries to talk to LaunchServices, which has already been torn down... have we seen issues like this before?

Stripping R-V-EI, this isn't a security bug.
Status: WontFix (was: Assigned)
Yeah, this is a shutdown crash where the XPC interface object has already been torn down but it's still being used. There's nothing we can do here - it's all Apple code.

zombie_dealloc_bt:
0x03d7ab82 [Google Chrome Framework -	 objc_zombie.mm:134] (anonymous namespace)::ZombieDealloc(objc_object*, objc_selector*)
0x0006b960 [Foundation +	 0x6b960] -[NSXPCInterface dealloc]
0x00067b46 [Foundation +	 0x67b46] -[_NSXPCConnectionExportInfo dealloc]
0x0004a3a8 [Foundation +	 0x4a3a8] -[_NSXPCConnectionExportedObjectTable invalidate]
0x00033cf8 [Foundation +	 0x33cf8] message_handler
0x0000b773 [libxpc.dylib +	 0xb773] _xpc_connection_call_event_handler
0x00009d3c [libxpc.dylib +	 0x9d3c] _xpc_connection_mach_event
0x00006da9 [libdispatch.dylib +	 0x6da9] _dispatch_client_callout4
0x00009de7 [libdispatch.dylib +	 0x9de7] _dispatch_mach_cancel_invoke
0x00005ba7 [libdispatch.dylib +	 0x5ba7] _dispatch_mach_invoke
0x0001607a [libdispatch.dylib +	 0x1607a] _dispatch_queue_serial_drain
0x00009166 [libdispatch.dylib +	 0x9166] _dispatch_queue_invoke
0x00016f0d [libdispatch.dylib +	 0x16f0d] _dispatch_root_queue_drain_deferred_wlh
0x0001ad21 [libdispatch.dylib +	 0x1ad21] _dispatch_workloop_worker_thread
0x00002fd2 [libsystem_pthread.dylib +	 0x2fd2] _pthread_wqthread
0x00002be9 [libsystem_pthread.dylib +	 0x2be9] start_wqthread
