Issue 780 attachment: mailbox_asan.txt (14.5 KB)

=================================================================
==28553==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00000b530 at pc 0x7fc7d21e6707 bp 0x7fffbb49e6a0 sp 0x7fffbb49e698
READ of size 8 at 0x60b00000b530 thread T0 (chrome)
#0 0x7fc7d21e6706 in gpu::gles2::MailboxManagerImpl::ProduceTexture(gpu::Mailbox const&, gpu::gles2::Texture*) gpu/command_buffer/service/mailbox_manager_impl.cc:39:21
#1 0x7fc7d21b5ea3 in gpu::gles2::GLES2DecoderImpl::DoProduceTextureDirectCHROMIUM(unsigned int, unsigned int, signed char const*) gpu/command_buffer/service/gles2_cmd_decoder.cc:13730:3
#2 0x7fc7d213e809 in gpu::gles2::GLES2DecoderImpl::HandleProduceTextureDirectCHROMIUMImmediate(unsigned int, void const*) gpu/command_buffer/service/gles2_cmd_decoder_autogen.h:4627:3
#3 0x7fc7d2173d3a in gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>(unsigned int, void const*, int, int*) gpu/command_buffer/service/gles2_cmd_decoder.cc:4603:18
#4 0x7fc7d2287ed0 in gpu::CommandParser::ProcessCommands(int) gpu/command_buffer/service/cmd_parser.cc:51:25
#5 0x7fc7d21d5c7e in gpu::GpuScheduler::PutChanged() gpu/command_buffer/service/gpu_scheduler.cc:60:13
#6 0x7fc7d2069ede in content::GpuCommandBufferStub::OnAsyncFlush(int, unsigned int, std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > const&) content/common/gpu/gpu_command_buffer_stub.cc:841:3
#7 0x7fc7d2062685 in DispatchToMethodImpl<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(int, unsigned int, const std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > &), int, unsigned int, std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > , 0, 1, 2> base/tuple.h:254:3
#8 0x7fc7d2062685 in DispatchToMethod<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(int, unsigned int, const std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > &), int, unsigned int, std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > > base/tuple.h:261:0
#9 0x7fc7d2062685 in Dispatch<content::GpuCommandBufferStub, content::GpuCommandBufferStub, void, void (content::GpuCommandBufferStub::*)(int, unsigned int, const std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > &)> content/common/gpu/gpu_messages.h:570:0
#10 0x7fc7d2062685 in content::GpuCommandBufferStub::OnMessageReceived(IPC::Message const&) content/common/gpu/gpu_command_buffer_stub.cc:304:0
#11 0x7fc7d2033387 in content::MessageRouter::RouteMessage(IPC::Message const&) content/common/message_router.cc:54:10
#12 0x7fc7d204ca7e in content::GpuChannel::HandleMessage() content/common/gpu/gpu_channel.cc:842:15
#13 0x7fc7c5f2b084 in Run base/callback.h:396:12
#14 0x7fc7c5f2b084 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51:0
#15 0x7fc7c5e40d3f in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:481:3
#16 0x7fc7c5e421c4 in DeferOrRunPendingTask base/message_loop/message_loop.cc:490:5
#17 0x7fc7c5e421c4 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:602:0
#18 0x7fc7c5f26d46 in HandleDispatch base/message_loop/message_pump_glib.cc:267:7
#19 0x7fc7c5f26d46 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109:0
#20 0x7fc7c1acfe03 in g_main_context_dispatch ??:0:0

0x60b00000b530 is located 32 bytes inside of 104-byte region [0x60b00000b510,0x60b00000b578)
freed by thread T0 (chrome) here:
#0 0x7fc7c5187c9b in operator delete(void*) ??:0:0
#1 0x7fc7d21e6f0b in __deallocate buildtools/third_party/libc++/trunk/include/new:164:3
#2 0x7fc7d21e6f0b in deallocate buildtools/third_party/libc++/trunk/include/memory:1636:0
#3 0x7fc7d21e6f0b in deallocate buildtools/third_party/libc++/trunk/include/memory:1447:0
#4 0x7fc7d21e6f0b in erase buildtools/third_party/libc++/trunk/include/__tree:1986:0
#5 0x7fc7d21e6f0b in erase buildtools/third_party/libc++/trunk/include/__tree:1995:0
#6 0x7fc7d21e6f0b in erase buildtools/third_party/libc++/trunk/include/map:1816:0
#7 0x7fc7d21e6f0b in gpu::gles2::MailboxManagerImpl::TextureDeleted(gpu::gles2::Texture*) gpu/command_buffer/service/mailbox_manager_impl.cc:66:0
#8 0x7fc7d225b71c in ~Texture gpu/command_buffer/service/texture_manager.cc:346:5
#9 0x7fc7d225b71c in gpu::gles2::Texture::RemoveTextureRef(gpu::gles2::TextureRef*, bool) gpu/command_buffer/service/texture_manager.cc:370:0
#10 0x7fc7d227090c in ~TextureRef gpu/command_buffer/service/texture_manager.cc:1341:3
#11 0x7fc7d227090c in Release base/memory/ref_counted.h:134:0
#12 0x7fc7d227090c in Release base/memory/ref_counted.h:403:0
#13 0x7fc7d227090c in ~scoped_refptr base/memory/ref_counted.h:298:0
#14 0x7fc7d227090c in ~pair buildtools/third_party/libc++/trunk/include/utility:248:0
#15 0x7fc7d227090c in __destroy<std::__1::pair<unsigned int, scoped_refptr<gpu::gles2::TextureRef> > > buildtools/third_party/libc++/trunk/include/memory:1589:0
#16 0x7fc7d227090c in destroy<std::__1::pair<unsigned int, scoped_refptr<gpu::gles2::TextureRef> > > buildtools/third_party/libc++/trunk/include/memory:1487:0
#17 0x7fc7d227090c in std::__1::__hash_table<std::__1::pair<unsigned int, scoped_refptr<gpu::gles2::TextureRef> >, __gnu_cxx::__hash_map_hasher<std::__1::pair<unsigned int, scoped_refptr<gpu::gles2::TextureRef> >, base_hash::hash<unsigned int>, true>, __gnu_cxx::__hash_map_equal<std::__1::pair<unsigned int, scoped_refptr<gpu::gles2::TextureRef> >, std::__1::equal_to<unsigned int>, true>, std::__1::allocator<std::__1::pair<unsigned int, scoped_refptr<gpu::gles2::TextureRef> > > >::__deallocate(std::__1::__hash_node<std::__1::pair<unsigned int, scoped_refptr<gpu::gles2::TextureRef> >, void*>*) buildtools/third_party/libc++/trunk/include/__hash_table:1343:0
#18 0x7fc7d225a61a in clear buildtools/third_party/libc++/trunk/include/__hash_table:1582:9
#19 0x7fc7d225a61a in clear buildtools/third_party/libc++/trunk/include/ext/hash_map:581:0
#20 0x7fc7d225a61a in gpu::gles2::TextureManager::Destroy(bool) gpu/command_buffer/service/texture_manager.cc:297:0
#21 0x7fc7d20d9ee3 in gpu::gles2::ContextGroup::Destroy(gpu::gles2::GLES2Decoder*, bool) gpu/command_buffer/service/context_group.cc:355:5
#22 0x7fc7d216f874 in gpu::gles2::GLES2DecoderImpl::Destroy(bool) gpu/command_buffer/service/gles2_cmd_decoder.cc:4320:5
#23 0x7fc7d2061723 in content::GpuCommandBufferStub::Destroy() content/common/gpu/gpu_command_buffer_stub.cc:503:5
#24 0x7fc7d20605b5 in content::GpuCommandBufferStub::~GpuCommandBufferStub() content/common/gpu/gpu_command_buffer_stub.cc:258:3
#25 0x7fc7d2061bad in content::GpuCommandBufferStub::~GpuCommandBufferStub() content/common/gpu/gpu_command_buffer_stub.cc:257:47
#26 0x7fc7d20575f8 in operator() base/memory/scoped_ptr.h:128:5
#27 0x7fc7d20575f8 in reset base/memory/scoped_ptr.h:244:0
#28 0x7fc7d20575f8 in ~scoped_ptr_impl base/memory/scoped_ptr.h:229:0
#29 0x7fc7d20575f8 in ~scoped_ptr base/memory/scoped_ptr.h:307:0
#30 0x7fc7d20575f8 in content::GpuChannel::OnDestroyCommandBuffer(int) content/common/gpu/gpu_channel.cc:993:0
#31 0x7fc7d20554ae in DispatchToMethodImpl<content::GpuChannel, void (content::GpuChannel::*)(int), int, 0> base/tuple.h:320:3
#32 0x7fc7d20554ae in DispatchToMethod<content::GpuChannel, void (content::GpuChannel::*)(int), int> base/tuple.h:329:0
#33 0x7fc7d20554ae in DispatchWithSendParams<content::GpuChannel, content::GpuChannel, void (content::GpuChannel::*)(int)> ipc/ipc_message_utils.h:1026:0
#34 0x7fc7d20554ae in Dispatch<content::GpuChannel, content::GpuChannel, void, void (content::GpuChannel::*)(int)> content/common/gpu/gpu_messages.h:500:0
#35 0x7fc7d20554ae in content::GpuChannel::OnControlMessageReceived(IPC::Message const&) content/common/gpu/gpu_channel.cc:787:0
#36 0x7fc7d204c9e9 in content::GpuChannel::HandleMessage() content/common/gpu/gpu_channel.cc:827:15
#37 0x7fc7c5f2b084 in Run base/callback.h:396:12
#38 0x7fc7c5f2b084 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51:0
#39 0x7fc7c5e40d3f in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:481:3
#40 0x7fc7c5e421c4 in DeferOrRunPendingTask base/message_loop/message_loop.cc:490:5
#41 0x7fc7c5e421c4 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:602:0
#42 0x7fc7c5f26d46 in HandleDispatch base/message_loop/message_pump_glib.cc:267:7
#43 0x7fc7c5f26d46 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109:0
#44 0x7fc7c1acfe03 in g_main_context_dispatch ??:0:0

previously allocated by thread T0 (chrome) here:
#0 0x7fc7c51876db in operator new(unsigned long) ??:0:0
#1 0x7fc7d21e681f in __allocate buildtools/third_party/libc++/trunk/include/new:156:10
#2 0x7fc7d21e681f in allocate buildtools/third_party/libc++/trunk/include/memory:1634:0
#3 0x7fc7d21e681f in allocate buildtools/third_party/libc++/trunk/include/memory:1439:0
#4 0x7fc7d21e681f in __construct_node<std::__1::pair<gpu::gles2::Texture *, gpu::Mailbox> > buildtools/third_party/libc++/trunk/include/__tree:1730:0
#5 0x7fc7d21e681f in __insert_multi<std::__1::pair<gpu::gles2::Texture *, gpu::Mailbox> > buildtools/third_party/libc++/trunk/include/__tree:1828:0
#6 0x7fc7d21e681f in insert<std::__1::pair<gpu::gles2::Texture *, gpu::Mailbox>, void> buildtools/third_party/libc++/trunk/include/map:1777:0
#7 0x7fc7d21e681f in gpu::gles2::MailboxManagerImpl::InsertTexture(gpu::Mailbox const&, gpu::gles2::Texture*) gpu/command_buffer/service/mailbox_manager_impl.cc:52:0
#8 0x7fc7d21b5ea3 in gpu::gles2::GLES2DecoderImpl::DoProduceTextureDirectCHROMIUM(unsigned int, unsigned int, signed char const*) gpu/command_buffer/service/gles2_cmd_decoder.cc:13730:3
#9 0x7fc7d213e809 in gpu::gles2::GLES2DecoderImpl::HandleProduceTextureDirectCHROMIUMImmediate(unsigned int, void const*) gpu/command_buffer/service/gles2_cmd_decoder_autogen.h:4627:3
#10 0x7fc7d2173d3a in gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>(unsigned int, void const*, int, int*) gpu/command_buffer/service/gles2_cmd_decoder.cc:4603:18
#11 0x7fc7d2287ed0 in gpu::CommandParser::ProcessCommands(int) gpu/command_buffer/service/cmd_parser.cc:51:25
#12 0x7fc7d21d5c7e in gpu::GpuScheduler::PutChanged() gpu/command_buffer/service/gpu_scheduler.cc:60:13
#13 0x7fc7d2069ede in content::GpuCommandBufferStub::OnAsyncFlush(int, unsigned int, std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > const&) content/common/gpu/gpu_command_buffer_stub.cc:841:3
#14 0x7fc7d2062685 in DispatchToMethodImpl<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(int, unsigned int, const std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > &), int, unsigned int, std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > , 0, 1, 2> base/tuple.h:254:3
#15 0x7fc7d2062685 in DispatchToMethod<content::GpuCommandBufferStub, void (content::GpuCommandBufferStub::*)(int, unsigned int, const std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > &), int, unsigned int, std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > > base/tuple.h:261:0
#16 0x7fc7d2062685 in Dispatch<content::GpuCommandBufferStub, content::GpuCommandBufferStub, void, void (content::GpuCommandBufferStub::*)(int, unsigned int, const std::__1::vector<ui::LatencyInfo, std::__1::allocator<ui::LatencyInfo> > &)> content/common/gpu/gpu_messages.h:570:0
#17 0x7fc7d2062685 in content::GpuCommandBufferStub::OnMessageReceived(IPC::Message const&) content/common/gpu/gpu_command_buffer_stub.cc:304:0
#18 0x7fc7d2033387 in content::MessageRouter::RouteMessage(IPC::Message const&) content/common/message_router.cc:54:10
#19 0x7fc7d204ca7e in content::GpuChannel::HandleMessage() content/common/gpu/gpu_channel.cc:842:15
#20 0x7fc7c5f2b084 in Run base/callback.h:396:12
#21 0x7fc7c5f2b084 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51:0
#22 0x7fc7c5e40d3f in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:481:3
#23 0x7fc7c5e421c4 in DeferOrRunPendingTask base/message_loop/message_loop.cc:490:5
#24 0x7fc7c5e421c4 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:602:0
#25 0x7fc7c5f26d46 in HandleDispatch base/message_loop/message_pump_glib.cc:267:7
#26 0x7fc7c5f26d46 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109:0
#27 0x7fc7c1acfe03 in g_main_context_dispatch ??:0:0

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/google/home/markbrand/chromium/src/out/Release/chrome+0xf7cf706)
Shadow bytes around the buggy address:
0x0c167fff9650: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c167fff9660: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c167fff9670: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c167fff9680: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c167fff9690: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
=>0x0c167fff96a0: fa fa fd fd fd fd[fd]fd fd fd fd fd fd fd fd fa
0x0c167fff96b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c167fff96c0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
0x0c167fff96d0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c167fff96e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c167fff96f0: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28553==ABORTING
[24300:24300:0324/152140:ERROR:gpu_process_transport_factory.cc(640)] Lost UI shared context.