Closed Bug 835343 Opened 11 years ago Closed 11 years ago

crash in sctp / freeifaddrs

Categories

(Core :: WebRTC: Networking, defect)

ARM
Android
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla21

People

(Reporter: gcp, Assigned: gcp)

Details

(Keywords: crash, Whiteboard: [native-crash][qa-])

Attachments

(1 file)

This happened while debugging some other bugs. I don't have reliable STR, but after looking at the trace and inspecting the code I can see some ways this can get triggered on other errors, so filing & fixing.

#0  0x80b08e78 in jemalloc_crash () at /home/morbo/hg/mozilla-central/memory/mozjemalloc/jemalloc.c:1582
#1  0x80b18cb0 in arena_run_reg_dalloc (run=0x5c946000, bin=0x5c3dc0d0, ptr=0x5c946970, size=4)
    at /home/morbo/hg/mozilla-central/memory/mozjemalloc/jemalloc.c:3336
#2  0x80b1dc64 in arena_dalloc_small (arena=0x5c3dc040, chunk=0x5c900000, ptr=0x5c946970, mapelm=0x5c900358)
    at /home/morbo/hg/mozilla-central/memory/mozjemalloc/jemalloc.c:4540
#3  0x80b1e390 in arena_dalloc (ptr=0x5c946970, offset=289136)
    at /home/morbo/hg/mozilla-central/memory/mozjemalloc/jemalloc.c:4668
#4  0x80b22ed4 in __wrap_free (ptr=0x5c946970) at /home/morbo/hg/mozilla-central/memory/mozjemalloc/jemalloc.c:6589
#5  0x80b089f4 in __wrap__ZdaPvRKSt9nothrow_t (ptr=0x5c946970)
    at /home/morbo/hg/mozilla-central/memory/build/mozmemory_wrap.c:62
#6  0x65bf06bc in freeifaddrs (addresses=0x63b10720)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/src/ifaddrs_android.cpp:181
#7  0x65bc3134 in sctp_pcb_finish () at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_pcb.c:6843
#8  0x65bce318 in sctp_finish () at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_usrreq.c:237
#9  0x65b557cc in usrsctp_finish () at /home/morbo/hg/mozilla-central/netwerk/sctp/src/user_socket.c:2211
#10 0x65bf1b50 in mozilla::DataChannelShutdown::Observe (this=0x639cb790, aSubject=0x0, 
    aTopic=0x68fa1858 "profile-change-net-teardown", aData=0x68fa1b78)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:102
#11 0x679e37fc in nsObserverList::NotifyObservers (this=0x6390cbac, aSubject=0x0, 
    aTopic=0x68fa1858 "profile-change-net-teardown", someData=0x68fa1b78)
    at /home/morbo/hg/mozilla-central/xpcom/ds/nsObserverList.cpp:99
#12 0x679e5ab4 in nsObserverService::NotifyObservers (this=0x5c9deb80, aSubject=0x0, 
    aTopic=0x68fa1858 "profile-change-net-teardown", someData=0x68fa1b78)
    at /home/morbo/hg/mozilla-central/xpcom/ds/nsObserverService.cpp:161
#13 0x658f1efc in nsXREDirProvider::DoShutdown (this=0x5c5db9f4)
    at /home/morbo/hg/mozilla-central/toolkit/xre/nsXREDirProvider.cpp:847
#14 0x658df364 in ScopedXPCOMStartup::~ScopedXPCOMStartup (this=0x5c9460ac, __in_chrg=<optimized out>)
    at /home/morbo/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:1119
#15 0x658e95a4 in XREMain::XRE_main (this=0x5c5db9d8, argc=9, argv=0x5c971048, aAppData=0x80b78778)
    at /home/morbo/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:3915
#16 0x658e97dc in XRE_main (argc=9, argv=0x5c971048, aAppData=0x80b78778, aFlags=0)
    at /home/morbo/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:4093
#17 0x658fa65c in GeckoStart (data=0x1aa478, appData=0x80b78778)
    at /home/morbo/hg/mozilla-central/toolkit/xre/nsAndroidStartup.cpp:73
#18 0x80b39218 in Java_org_mozilla_gecko_GeckoAppShell_nativeRun (jenv=0x31d298, jc=0x407e6cf0, jargs=0x40a69d58)
    at /home/morbo/hg/mozilla-central/mozglue/android/APKOpen.cpp:669
#19 0xaca11d38 in dvmPlatformInvoke ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#20 0xaca41262 in dvmCallJNIMethod_general ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#21 0xaca46864 in dvmResolveNativeMethod ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#22 0xaca16f60 in dvmJitToInterpNoChain ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#23 0xaca16f60 in dvmJitToInterpNoChain ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Severity: normal → critical
Keywords: crash
This seems to confirm we bomb if we get an error after new'ing the structure, because we don't clear it before returning:

#1  0x80b18cb0 in arena_run_reg_dalloc (run=0x5c946000, bin=0x5c3880d0, ptr=0x5c946bcc, size=4)
    at /home/morbo/hg/mozilla-central/memory/mozjemalloc/jemalloc.c:3336
3336            RELEASE_ASSERT((run->regs_mask[elm] & (1U << bit)) == 0);
(gdb) up
#2  0x80b1dc64 in arena_dalloc_small (arena=0x5c388040, chunk=0x5c900000, ptr=0x5c946bcc, mapelm=0x5c900358)
    at /home/morbo/hg/mozilla-central/memory/mozjemalloc/jemalloc.c:4540
4540            arena_run_reg_dalloc(run, bin, ptr, size);
(gdb) up
#3  0x80b1e390 in arena_dalloc (ptr=0x5c946bcc, offset=289740)
    at /home/morbo/hg/mozilla-central/memory/mozjemalloc/jemalloc.c:4668
4668                    arena_dalloc_small(arena, chunk, ptr, mapelm);
(gdb) up
#4  0x80b22ed4 in __wrap_free (ptr=0x5c946bcc) at /home/morbo/hg/mozilla-central/memory/mozjemalloc/jemalloc.c:6589
6589                    arena_dalloc(ptr, offset);
(gdb) up
#5  0x80b089f4 in __wrap__ZdaPvRKSt9nothrow_t (ptr=0x5c946bcc)
    at /home/morbo/hg/mozilla-central/memory/build/mozmemory_wrap.c:62
62        free_impl(ptr);
(gdb) up
#6  0x6773a6c4 in freeifaddrs (addresses=0x64f5eea0)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/src/ifaddrs_android.cpp:181
181             delete[] next->ifa_name;
(gdb) print next
$11 = (ifaddrs *) 0x64f5ee80
(gdb) print *next
$12 = {ifa_next = 0x0, 
  ifa_name = 0x5c946bcc 'Z' <repeats 36 times>"\240, \340\tg", 'Z' <repeats 96 times>, "`\341\tg", 'Z' <repeats 60 times>..., ifa_flags = 73, ifa_addr = 0x63cc8b00, ifa_netmask = 0x63cc8b80}
(gdb) print next->ifa_addr
$13 = (sockaddr *) 0x63cc8b00
(gdb) print *(next->ifa_addr)
$14 = {sa_family = 23130, sa_data = 'Z' <repeats 14 times>}
Crash Signature: [@ jemalloc_crash | arena_run_reg_dalloc | arena_dalloc_small | arena_dalloc | __wrap_free | __wrap__ZdaPvRKSt9nothrow_t]
Whiteboard: [native-crash]
Make sure we're nicely 0-ed before erroring out, and fix a stupid bug in walking the linked list.
Attachment #707151 - Flags: review?(rjesup)
Attachment #707151 - Flags: review?(rjesup) → review+
https://hg.mozilla.org/mozilla-central/rev/9f088fcd8080
Assignee: nobody → gpascutto
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Whiteboard: [native-crash] → [native-crash][qa-]
Flags: in-testsuite-
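Added example, not part of the bug or the landed patch: a C++ sketch of the failure mode described in the comments above, where a node obtained with new reaches the free routine after an error, before its pointer members were set. IfNode, populate, free_list and build_and_free are hypothetical names; the node is zeroed before anything can fail, so cleanup only deletes pointers that were actually assigned, and the list walk reads the link before deleting the node.

```cpp
#include <cstddef>
#include <cstring>
// Hypothetical stand-in for the node type in the gdb output (not Mozilla's code).
struct IfNode {
    IfNode*        next;
    char*          name;
    unsigned char* addr;
};

static int g_freed = 0;  // buffers released by free_list, for the self-check

// Fill one node; fail_mid simulates an error between the two allocations.
static bool populate(IfNode* n, const char* name, bool fail_mid) {
    std::memset(n, 0, sizeof(*n));           // zero first: unset members are null
    std::size_t len = std::strlen(name) + 1;
    n->name = new char[len];
    std::memcpy(n->name, name, len);
    if (fail_mid) return false;              // addr is still nullptr, not garbage
    n->addr = new unsigned char[16]();
    return true;
}

// Release a list; safe on partially populated nodes because of the zeroing.
static void free_list(IfNode* head) {
    while (head) {
        IfNode* following = head->next;      // read the link before deleting the node
        if (head->name) { delete[] head->name; ++g_freed; }
        if (head->addr) { delete[] head->addr; ++g_freed; }
        delete head;
        head = following;
    }
}

// Build up to `count` nodes, failing at index `fail_at` (-1 = never), free all, return buffers freed.
static int build_and_free(int count, int fail_at) {
    g_freed = 0;
    IfNode* head = nullptr;
    for (int i = 0; i < count; ++i) {
        IfNode* n = new IfNode;              // plain new: members indeterminate
        bool ok = populate(n, "wlan0", i == fail_at);
        n->next = head;                      // link even on failure so cleanup owns it
        head = n;
        if (!ok) break;
    }
    free_list(head);
    return g_freed;
}

int main() { return build_and_free(3, 1) == 3 ? 0 : 1; }
```

Without the memset in populate, the failing node's addr would hold whatever the allocator left in that memory, and free_list would pass it to delete[].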