Bug 1058368 - ipc::CloseFileRunnable closes an invalid fd

Status: Closed, RESOLVED DUPLICATE of bug 1054929
Opened 10 years ago; closed 10 years ago
Categories: Core :: IPC, defect, P1
blocking-b2g: 2.0+
People: Reporter: khuey, Assigned: khuey
Keywords: crash; Whiteboard: [b2g-crash][caf priority: p1]
Description (Reporter, 10 years ago)

+++ This bug was initially created as a clone of Bug #1057220 +++

With Sotaro's patch from bug 1057220:

Operating system: Android
                  0.0.0 Linux 3.4.0-g8263518 #27 SMP PREEMPT Sun Aug 24 22:28:38 PDT 2014 armv7l qcom/msm8610/msm8610:4.4.2/KVT49L/eng.tkundu.20140823.094323:userdebug/test-keys
CPU: arm
     ARMv0
     4 CPUs

Crash reason:  SIGABRT
Crash address: 0x122c

Thread 14 (crashed)
 0  libc.so + 0x22208
     r0 = 0x00000000    r1 = 0x000015ac    r2 = 0x00000006    r3 = 0x00000000
     r4 = 0x00000006    r5 = 0x00000009    r6 = 0x000015ac    r7 = 0x0000010c
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000   r12 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7be0    lr = 0xb6f01249    pc = 0xb6f10208
    Found by: given as instruction pointer in context
 1  libc.so!pthread_kill [pthread_kill.cpp : 49 + 0xb]
     r4 = 0x00000006    r5 = 0x00000009    r6 = 0x000015ac    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000   r12 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7bf8    lr = 0xb6f01249    pc = 0xb6f01249
    Found by: call frame info
 2  libc.so!raise [raise.cpp : 32 + 0x9]
     r4 = 0x00000006    r5 = 0x00000000    r6 = 0xb34d8320    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0
     sp = 0xb2ce7c08    pc = 0xb6f0145d
    Found by: call frame info
 3  libc.so!__libc_android_abort [abort.cpp : 55 + 0x3]
     r4 = 0xb2ce7c14    r5 = 0x00000000    r6 = 0xb34d8320    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0
     sp = 0xb2ce7c10    pc = 0xb6f0014f
    Found by: call frame info
 4  libc.so + 0x21abe
     r4 = 0x00000022    r5 = 0xffffffff    r6 = 0xb34d8320    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0
     sp = 0xb2ce7c38    pc = 0xb6f0fac0
    Found by: call frame info
 5  libc.so!close [close.c : 50 + 0x3]
     r3 = 0xb6f2e0bd    r4 = 0x00000022    r5 = 0xffffffff    r6 = 0xb34d8320
     r7 = 0x00000000    r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7c40    lr = 0xb6efd299    pc = 0xb6efd299
    Found by: call frame info
 6  libmozglue.so!__wrap_close [Nuwa.cpp : 1358 + 0x3]
     r0 = 0xfffffff7    r1 = 0x00000022    r2 = 0xaaaaaaaa    r4 = 0xb34d8320
     r5 = 0x00000022    r6 = 0xb34d8320    r7 = 0x00000000    r8 = 0x00000000
     r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0    sp = 0xb2ce7c58
     pc = 0xb6ea2ab5
    Found by: call frame info
 7  libnss3.so!pt_Close [ptio.c : 1252 + 0x5]
     r3 = 0xb34d8340    r4 = 0xb34d8320    r5 = 0xb515cc3c    r6 = 0xb34d8320
     r7 = 0x00000000    r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7c68    pc = 0xb50ad7dd
    Found by: call frame info
 8  libnss3.so!PR_Close [priometh.c : 104 + 0x5]
     r4 = 0xb2e9d0a0    r5 = 0xb2e9d0a4    r6 = 0xb34d8320    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0
     sp = 0xb2ce7c78    pc = 0xb509e91d
    Found by: call frame info
 9  libxul.so!mozilla::ipc::CloseFileRunnable::CloseFile() [FileDescriptorUtils.cpp : 73 + 0x5]
     r3 = 0x00000000    r4 = 0xb2e9d0a0    r5 = 0xb2e9d0a4    r6 = 0xb34d8320
     r7 = 0x00000000    r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7c80    pc = 0xb55d39c9
    Found by: call frame info
10  libxul.so!mozilla::ipc::CloseFileRunnable::Run() [FileDescriptorUtils.cpp : 83 + 0x3]
     r0 = 0xffffffff    r1 = 0x00000000    r2 = 0x00000001    r4 = 0xb39313d0
     r5 = 0x00000000    r6 = 0xb39313e0    r7 = 0xb2ce7ca8    r8 = 0x00000000
     r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0    sp = 0xb2ce7ca0
     pc = 0xb55d39d1
    Found by: call frame info
11  libxul.so!nsThreadPool::Run() [nsThreadPool.cpp : 217 + 0x5]
     r3 = 0xb55d39cb    r4 = 0xb39313d0    r5 = 0x00000000    r6 = 0xb39313e0
     r7 = 0xb2ce7ca8    r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7ca8    pc = 0xb5497405
    Found by: call frame info
12  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 766 + 0x5]
     r4 = 0xb3468b30    r5 = 0x00000000    r6 = 0xb2ce7cf4    r7 = 0xb2ce7d27
     r8 = 0xb3468b60    r9 = 0x00000000   r10 = 0x00000000    fp = 0xb6f3a2f4
     sp = 0xb2ce7ce0    pc = 0xb5495f5b
    Found by: call frame info
13  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 263 + 0xb]
     r4 = 0x00000000    r5 = 0xb35c3860    r6 = 0xb2e8d9e0    r7 = 0xb3468b3c
     r8 = 0x0138f238    r9 = 0x00000012   r10 = 0xbec10114    fp = 0xb6f3a2f4
     sp = 0xb2ce7d20    pc = 0xb5467d2f
    Found by: call frame info
14  libxul.so!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 307 + 0x7]
     r0 = 0xb3468b30    r1 = 0x01000000    r4 = 0xb2e8d9d0    r5 = 0xb35c3860
     r6 = 0xb2e8d9e0    r7 = 0xb3468b3c    r8 = 0x0138f238    r9 = 0x00000012
    r10 = 0xbec10114    fp = 0xb6f3a2f4    sp = 0xb2ce7d30    pc = 0xb55d6fb5
    Found by: call frame info
15  libxul.so!MessageLoop::RunInternal() [message_loop.cc : 229 + 0x5]
     r4 = 0xb35c3860    r5 = 0xb2ce7d78    r6 = 0xb35c3860    r7 = 0xb3468b3c
     r8 = 0x0138f238    r9 = 0x00000012   r10 = 0xbec10114    fp = 0xb6f3a2f4
     sp = 0xb2ce7d58    pc = 0xb55cb5af
    Found by: call frame info
16  libxul.so!MessageLoop::Run() [message_loop.cc : 222 + 0x5]
     r3 = 0x00000000    r4 = 0xb35c3860    r5 = 0xb2ce7d78    r6 = 0xb35c3860
     r7 = 0xb3468b3c    r8 = 0x0138f238    r9 = 0x00000012   r10 = 0xbec10114
     fp = 0xb6f3a2f4    sp = 0xb2ce7d60    pc = 0xb55cb661
    Found by: call frame info
17  libxul.so!nsThread::ThreadFunc(void*) [nsThread.cpp : 346 + 0x5]
     r0 = 0x00000001    r1 = 0x00000000    r2 = 0xb35c3860    r3 = 0x00000000
     r4 = 0xb3468b30    r5 = 0xb2ce7d78    r6 = 0xb35c3860    r7 = 0xb3468b3c
     r8 = 0x0138f238    r9 = 0x00000012   r10 = 0xbec10114    fp = 0xb6f3a2f4
     sp = 0xb2ce7d78    pc = 0xb54966f1
    Found by: call frame info
18  libnss3.so!_pt_root [ptthread.c : 212 + 0x5]
     r0 = 0x00000000    r1 = 0x00000000    r2 = 0x00000000    r4 = 0xb348c100
     r5 = 0xb5161440    r6 = 0x00000000    r7 = 0x000015ac    r8 = 0x0138f238
     r9 = 0x00000012   r10 = 0xbec10114    fp = 0xb6f3a2f4    sp = 0xb2ce7d98
     pc = 0xb50b0cbb
    Found by: call frame info
19  libc.so!__thread_entry [pthread_create.cpp : 105 + 0x6]
     r3 = 0x00000000    r4 = 0xb2ce7dd0    r5 = 0x0138f238    r6 = 0xb50b0c21
     r7 = 0xb348c100    r8 = 0xb50b0c21    r9 = 0xb2bea000   r10 = 0xbec10114
     fp = 0xb6f3a2f4    sp = 0xb2ce7db8    pc = 0xb6efb274
    Found by: call frame info
20  libc.so!pthread_create [pthread_create.cpp : 224 + 0x16]
     r3 = 0xb348c100    r4 = 0x0138f238    r5 = 0xb2ce7dd0    r6 = 0x0000000b
     r7 = 0x00000078    r8 = 0xb50b0c21    r9 = 0xb2bea000   r10 = 0xbec10114
     fp = 0xb6f3a2f4    sp = 0xb2ce7dd0    pc = 0xb6efb40c
    Found by: call frame info
21  0xb45024da
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0xadff61ec    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xb2ce7e00    pc = 0xb45024dc
    Found by: call frame info

A race, perhaps. Not sure what to make of us being on thread 14 though.
Updated • 10 years ago (Assignee)
blocking-b2g: --- → 2.0+
Comment 1 • 10 years ago (Assignee)
Also possibly related to bug 1054929?
Comment 2 • 10 years ago (Assignee)
So given that we're on thread 14 I think this is coming from http://mxr.mozilla.org/mozilla-central/source/dom/camera/GonkCameraControl.cpp#1021. That's the only use of CloseFileRunnable that I see that is obviously off the main thread.
Flags: needinfo?(mhabicher)
Flags: needinfo?(dhylands)
Comment 3 • 10 years ago (Assignee)
Oh, actually, CloseFileRunnable always goes to the stream transport service thread, so that doesn't mean anything. We actually don't even dispatch it in this case which means this is the one case it *can't* be.
Flags: needinfo?(mhabicher)
Flags: needinfo?(dhylands)
Comment 4 • 10 years ago
Which phone is this on? I see a reference to close.c, but I can't find a close.c in bionic. All of the ones I've found are just syscalls into the kernel's close. The close in this call stack has a raise call. And it references abort.cpp, but for my flame, android has abort.c, not abort.cpp.
Comment 5 • 10 years ago (Assignee)
close.c is part of Sotaro's patch in bug 1057220.
Comment 6 • 10 years ago
Ahh - ok - So based on what's in close.c this looks like a double close (as opposed to a close(-1)).
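As an added example (not code from this bug, from Gecko, or from the close.c in Sotaro's patch), here is a small C close() wrapper that makes the distinction comment 6 draws: it remembers which descriptors it has already closed, so an EBADF on one of those is reported as a double close, while a -1 sentinel or an out-of-range value is reported as an invalid descriptor before close(2) is ever called. The names `checked_close`, `close_and_clear`, `track_open`, `demo_double_close` and the `close_result` values are my own, and the table size `MAX_TRACKED_FDS` is an assumed limit.

```c
/* Added example: a diagnostic close() wrapper. Not Gecko code and not the
 * close.c from bug 1057220; the names and the fd-table size are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

enum close_result {
    CLOSE_OK = 0,       /* descriptor was open and is now closed */
    CLOSE_INVALID = 1,  /* fd < 0 (the -1 sentinel) or beyond our table */
    CLOSE_DOUBLE = 2,   /* EBADF on an fd this wrapper already closed */
    CLOSE_EBADF = 3,    /* EBADF on an fd we never closed: closed elsewhere or never opened */
    CLOSE_ERROR = 4     /* any other errno from close(2) */
};

#define MAX_TRACKED_FDS 1024  /* assumed upper bound on fd numbers we track */

/* 1 once this wrapper has closed the fd and nothing has reported it reused. */
static unsigned char g_closed_by_us[MAX_TRACKED_FDS];

/* Call when a descriptor is (re)acquired so a later close is not misreported. */
void track_open(int fd)
{
    if (fd >= 0 && fd < MAX_TRACKED_FDS)
        g_closed_by_us[fd] = 0;
}

/* Close fd and classify the outcome instead of aborting on EBADF. */
enum close_result checked_close(int fd)
{
    if (fd < 0 || fd >= MAX_TRACKED_FDS)
        return CLOSE_INVALID;           /* never reaches the syscall */
    if (close(fd) == 0) {
        g_closed_by_us[fd] = 1;
        return CLOSE_OK;
    }
    if (errno == EBADF)
        return g_closed_by_us[fd] ? CLOSE_DOUBLE : CLOSE_EBADF;
    return CLOSE_ERROR;
}

/* Ownership-transfer idiom: close through the pointer and leave -1 behind, so a
 * repeated call lands in CLOSE_INVALID instead of on a descriptor someone else
 * has since been handed by the kernel. */
enum close_result close_and_clear(int *fd)
{
    enum close_result r = checked_close(*fd);
    *fd = -1;
    return r;
}

/* Constructed scenario: a pipe gives two descriptors this process owns. Returns
 * the classification of a second close on the read end (CLOSE_DOUBLE), or a
 * negative number if any setup step misbehaves. */
int demo_double_close(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    track_open(fds[0]);
    track_open(fds[1]);

    if (checked_close(fds[0]) != CLOSE_OK)
        return -2;
    enum close_result second = checked_close(fds[0]);  /* the pattern in this report */

    int write_end = fds[1];
    if (close_and_clear(&write_end) != CLOSE_OK)
        return -3;
    if (close_and_clear(&write_end) != CLOSE_INVALID)  /* now -1: caught before the syscall */
        return -4;
    return (int)second;
}

int main(void)
{
    int r = demo_double_close();
    printf("second close of the read end classified as %d (2 = CLOSE_DOUBLE)\n", r);
    printf("close(-1) classified as %d (1 = CLOSE_INVALID)\n", checked_close(-1));
    return r == CLOSE_DOUBLE ? 0 : 1;
}
```

The table is a plain array with no locking, which is enough for a single-threaded demonstration; in a process like the one in this report, where the description suspects a race, an instrumented build would need the entries to be atomic and would also need every acquisition path (open, dup, socket, fds arriving over IPC) to call the equivalent of `track_open`, or the tracker will misreport a reused descriptor number.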
Comment 7 • 10 years ago
This bug seems a dup of Bug 105492.
Comment 8 • 10 years ago
(In reply to Sotaro Ikeda [:sotaro] from comment #7)
> This bug seems a dup of Bug 105492.

Correction: This bug seems a dup of Bug 1054929
Comment 9 • 10 years ago (Assignee)
I'll take this just so it has an owner but I agree with comment 8.
Assignee: nobody → khuey
Comment 10 • 10 years ago
Kyle, should we close that one as dupe of Bug 1054929 ?
Flags: needinfo?(khuey)
Comment 11 • 10 years ago (Assignee)
Yeah.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(khuey)
Resolution: --- → DUPLICATE