Closed Bug 1058368 Opened 10 years ago Closed 10 years ago

ipc::CloseFileRunnable closes an invalid fd

Categories

(Core :: IPC, defect, P1)

32 Branch
ARM
Gonk (Firefox OS)
defect

Tracking


RESOLVED DUPLICATE of bug 1054929
blocking-b2g 2.0+

People

(Reporter: khuey, Assigned: khuey)

References

Details

(Keywords: crash, Whiteboard: [b2g-crash][caf priority: p1])

+++ This bug was initially created as a clone of Bug #1057220 +++

With Sotaro's patch from bug 1057220:

Operating system: Android
                  0.0.0 Linux 3.4.0-g8263518 #27 SMP PREEMPT Sun Aug 24 22:28:38 PDT 2014 armv7l qcom/msm8610/msm8610:4.4.2/KVT49L/eng.tkundu.20140823.094323:userdebug/test-keys
CPU: arm
     ARMv0
     4 CPUs

Crash reason:  SIGABRT
Crash address: 0x122c

Thread 14 (crashed)
 0  libc.so + 0x22208
     r0 = 0x00000000    r1 = 0x000015ac    r2 = 0x00000006    r3 = 0x00000000
     r4 = 0x00000006    r5 = 0x00000009    r6 = 0x000015ac    r7 = 0x0000010c
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000   r12 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7be0    lr = 0xb6f01249    pc = 0xb6f10208
    Found by: given as instruction pointer in context
 1  libc.so!pthread_kill [pthread_kill.cpp : 49 + 0xb]
     r4 = 0x00000006    r5 = 0x00000009    r6 = 0x000015ac    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000   r12 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7bf8    lr = 0xb6f01249    pc = 0xb6f01249
    Found by: call frame info
 2  libc.so!raise [raise.cpp : 32 + 0x9]
     r4 = 0x00000006    r5 = 0x00000000    r6 = 0xb34d8320    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0
     sp = 0xb2ce7c08    pc = 0xb6f0145d
    Found by: call frame info
 3  libc.so!__libc_android_abort [abort.cpp : 55 + 0x3]
     r4 = 0xb2ce7c14    r5 = 0x00000000    r6 = 0xb34d8320    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0
     sp = 0xb2ce7c10    pc = 0xb6f0014f
    Found by: call frame info
 4  libc.so + 0x21abe
     r4 = 0x00000022    r5 = 0xffffffff    r6 = 0xb34d8320    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0
     sp = 0xb2ce7c38    pc = 0xb6f0fac0
    Found by: call frame info
 5  libc.so!close [close.c : 50 + 0x3]
     r3 = 0xb6f2e0bd    r4 = 0x00000022    r5 = 0xffffffff    r6 = 0xb34d8320
     r7 = 0x00000000    r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7c40    lr = 0xb6efd299    pc = 0xb6efd299
    Found by: call frame info
 6  libmozglue.so!__wrap_close [Nuwa.cpp : 1358 + 0x3]
     r0 = 0xfffffff7    r1 = 0x00000022    r2 = 0xaaaaaaaa    r4 = 0xb34d8320
     r5 = 0x00000022    r6 = 0xb34d8320    r7 = 0x00000000    r8 = 0x00000000
     r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0    sp = 0xb2ce7c58
     pc = 0xb6ea2ab5
    Found by: call frame info
 7  libnss3.so!pt_Close [ptio.c : 1252 + 0x5]
     r3 = 0xb34d8340    r4 = 0xb34d8320    r5 = 0xb515cc3c    r6 = 0xb34d8320
     r7 = 0x00000000    r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7c68    pc = 0xb50ad7dd
    Found by: call frame info
 8  libnss3.so!PR_Close [priometh.c : 104 + 0x5]
     r4 = 0xb2e9d0a0    r5 = 0xb2e9d0a4    r6 = 0xb34d8320    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0
     sp = 0xb2ce7c78    pc = 0xb509e91d
    Found by: call frame info
 9  libxul.so!mozilla::ipc::CloseFileRunnable::CloseFile() [FileDescriptorUtils.cpp : 73 + 0x5]
     r3 = 0x00000000    r4 = 0xb2e9d0a0    r5 = 0xb2e9d0a4    r6 = 0xb34d8320
     r7 = 0x00000000    r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7c80    pc = 0xb55d39c9
    Found by: call frame info
10  libxul.so!mozilla::ipc::CloseFileRunnable::Run() [FileDescriptorUtils.cpp : 83 + 0x3]
     r0 = 0xffffffff    r1 = 0x00000000    r2 = 0x00000001    r4 = 0xb39313d0
     r5 = 0x00000000    r6 = 0xb39313e0    r7 = 0xb2ce7ca8    r8 = 0x00000000
     r9 = 0x000c2a33   r10 = 0x00000000    fp = 0xb39313e0    sp = 0xb2ce7ca0
     pc = 0xb55d39d1
    Found by: call frame info
11  libxul.so!nsThreadPool::Run() [nsThreadPool.cpp : 217 + 0x5]
     r3 = 0xb55d39cb    r4 = 0xb39313d0    r5 = 0x00000000    r6 = 0xb39313e0
     r7 = 0xb2ce7ca8    r8 = 0x00000000    r9 = 0x000c2a33   r10 = 0x00000000
     fp = 0xb39313e0    sp = 0xb2ce7ca8    pc = 0xb5497405
    Found by: call frame info
12  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 766 + 0x5]
     r4 = 0xb3468b30    r5 = 0x00000000    r6 = 0xb2ce7cf4    r7 = 0xb2ce7d27
     r8 = 0xb3468b60    r9 = 0x00000000   r10 = 0x00000000    fp = 0xb6f3a2f4
     sp = 0xb2ce7ce0    pc = 0xb5495f5b
    Found by: call frame info
13  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 263 + 0xb]
     r4 = 0x00000000    r5 = 0xb35c3860    r6 = 0xb2e8d9e0    r7 = 0xb3468b3c
     r8 = 0x0138f238    r9 = 0x00000012   r10 = 0xbec10114    fp = 0xb6f3a2f4
     sp = 0xb2ce7d20    pc = 0xb5467d2f
    Found by: call frame info
14  libxul.so!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 307 + 0x7]
     r0 = 0xb3468b30    r1 = 0x01000000    r4 = 0xb2e8d9d0    r5 = 0xb35c3860
     r6 = 0xb2e8d9e0    r7 = 0xb3468b3c    r8 = 0x0138f238    r9 = 0x00000012
    r10 = 0xbec10114    fp = 0xb6f3a2f4    sp = 0xb2ce7d30    pc = 0xb55d6fb5
    Found by: call frame info
15  libxul.so!MessageLoop::RunInternal() [message_loop.cc : 229 + 0x5]
     r4 = 0xb35c3860    r5 = 0xb2ce7d78    r6 = 0xb35c3860    r7 = 0xb3468b3c
     r8 = 0x0138f238    r9 = 0x00000012   r10 = 0xbec10114    fp = 0xb6f3a2f4
     sp = 0xb2ce7d58    pc = 0xb55cb5af
    Found by: call frame info
16  libxul.so!MessageLoop::Run() [message_loop.cc : 222 + 0x5]
     r3 = 0x00000000    r4 = 0xb35c3860    r5 = 0xb2ce7d78    r6 = 0xb35c3860
     r7 = 0xb3468b3c    r8 = 0x0138f238    r9 = 0x00000012   r10 = 0xbec10114
     fp = 0xb6f3a2f4    sp = 0xb2ce7d60    pc = 0xb55cb661
    Found by: call frame info
17  libxul.so!nsThread::ThreadFunc(void*) [nsThread.cpp : 346 + 0x5]
     r0 = 0x00000001    r1 = 0x00000000    r2 = 0xb35c3860    r3 = 0x00000000
     r4 = 0xb3468b30    r5 = 0xb2ce7d78    r6 = 0xb35c3860    r7 = 0xb3468b3c
     r8 = 0x0138f238    r9 = 0x00000012   r10 = 0xbec10114    fp = 0xb6f3a2f4
     sp = 0xb2ce7d78    pc = 0xb54966f1
    Found by: call frame info
18  libnss3.so!_pt_root [ptthread.c : 212 + 0x5]
     r0 = 0x00000000    r1 = 0x00000000    r2 = 0x00000000    r4 = 0xb348c100
     r5 = 0xb5161440    r6 = 0x00000000    r7 = 0x000015ac    r8 = 0x0138f238
     r9 = 0x00000012   r10 = 0xbec10114    fp = 0xb6f3a2f4    sp = 0xb2ce7d98
     pc = 0xb50b0cbb
    Found by: call frame info
19  libc.so!__thread_entry [pthread_create.cpp : 105 + 0x6]
     r3 = 0x00000000    r4 = 0xb2ce7dd0    r5 = 0x0138f238    r6 = 0xb50b0c21
     r7 = 0xb348c100    r8 = 0xb50b0c21    r9 = 0xb2bea000   r10 = 0xbec10114
     fp = 0xb6f3a2f4    sp = 0xb2ce7db8    pc = 0xb6efb274
    Found by: call frame info
20  libc.so!pthread_create [pthread_create.cpp : 224 + 0x16]
     r3 = 0xb348c100    r4 = 0x0138f238    r5 = 0xb2ce7dd0    r6 = 0x0000000b
     r7 = 0x00000078    r8 = 0xb50b0c21    r9 = 0xb2bea000   r10 = 0xbec10114
     fp = 0xb6f3a2f4    sp = 0xb2ce7dd0    pc = 0xb6efb40c
    Found by: call frame info
21  0xb45024da
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0xadff61ec    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xb2ce7e00    pc = 0xb45024dc
    Found by: call frame info

A race, perhaps.  Not sure what to make of us being on thread 14 though.
blocking-b2g: --- → 2.0+
So given that we're on thread 14 I think this is coming from http://mxr.mozilla.org/mozilla-central/source/dom/camera/GonkCameraControl.cpp#1021.  That's the only use of CloseFileRunnable that I see that is obviously off the main thread.
Flags: needinfo?(mhabicher)
Flags: needinfo?(dhylands)
Oh, actually, CloseFileRunnable always goes to the stream transport service thread, so that doesn't mean anything.  We actually don't even dispatch it in this case which means this is the one case it *can't* be.
Flags: needinfo?(mhabicher)
Flags: needinfo?(dhylands)
Which phone is this on?

I see a reference to close.c, but I can't find a close.c in bionic. All of the ones I've found are just syscalls into the kernel's close.

The close in this call stack has a raise call.

And it references abort.cpp, but for my flame, Android has abort.c, not abort.cpp.
close.c is part of Sotaro's patch in bug 1057220.
Ahh - ok - So based on what's in close.c this looks like a double close (as opposed to a close(-1)).
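As an added illustration of the distinction drawn above (this is not code from the page or from Sotaro's close.c patch), here is a close() wrapper that separates a close(-1) from a double close. It assumes, as its own heuristic, that EBADF on a non-negative fd means the descriptor was already closed; the raw syscall returns EBADF for both cases, which is why the fd is checked before the call.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* How an instrumented close() wrapper could classify a call. */
enum close_result {
    CLOSE_OK,            /* descriptor was open and is now closed */
    CLOSE_NEGATIVE_FD,   /* caller passed -1 or another negative value */
    CLOSE_DOUBLE_CLOSE,  /* fd >= 0 but not open: EBADF from the kernel */
    CLOSE_OTHER_ERROR    /* anything else (EINTR, EIO, ...) */
};

/* checked_close: reject negative fds before the syscall, then map EBADF on a
 * non-negative fd to "double close". In a process that hands out its own
 * descriptors, EBADF on a plausible fd number is almost always a second close
 * of a descriptor that was already released (and possibly reused since). */
enum close_result checked_close(int fd)
{
    if (fd < 0)
        return CLOSE_NEGATIVE_FD;
    if (close(fd) == 0)
        return CLOSE_OK;
    return errno == EBADF ? CLOSE_DOUBLE_CLOSE : CLOSE_OTHER_ERROR;
}

/* demo_double_close: create a pipe (constructed sample descriptors), close the
 * read end twice, and return the classification of the second close. */
enum close_result demo_double_close(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return CLOSE_OTHER_ERROR;
    close(fds[1]);                                    /* write end: not needed */
    enum close_result first = checked_close(fds[0]);  /* CLOSE_OK */
    if (first != CLOSE_OK)
        return first;
    return checked_close(fds[0]);                     /* CLOSE_DOUBLE_CLOSE */
}

int main(void)
{
    printf("close(-1)    -> %d (expect %d)\n", checked_close(-1), CLOSE_NEGATIVE_FD);
    printf("double close -> %d (expect %d)\n", demo_double_close(), CLOSE_DOUBLE_CLOSE);
    return 0;
}
```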
This bug seems a dup of Bug 105492.
(In reply to Sotaro Ikeda [:sotaro] from comment #7)
> This bug seems a dup of Bug 105492.

Correction:  
 This bug seems a dup of Bug 1054929
Blocks: 1058780
I'll take this just so it has an owner but I agree with comment 8.
Assignee: nobody → khuey
Kyle, should we close that one as dupe of Bug 1054929?
Flags: needinfo?(khuey)
Yeah.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(khuey)
Resolution: --- → DUPLICATE