Open GoogleCodeExporter opened 9 years ago
Same crash occurs with Ubuntu 14.04.1 and mesa 10.1.3.
Original comment by magreenb...@gmail.com
on 25 Nov 2014 at 10:18
Updated call stack from Ubuntu 14.04.1 with jogamp 2.2.4:
memory allocation bug: object at 0x7fff9e0f03e0 has never been allocated
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fd9700 (LWP 2971)]
tcmalloc::Abort () at ../../third_party/tcmalloc/chromium/src/base/abort.cc:15
15 *(reinterpret_cast<volatile char*>(NULL) + 57) = 0x21;
(gdb) bt
#0 tcmalloc::Abort () at
../../third_party/tcmalloc/chromium/src/base/abort.cc:15
#1 0x00007fffa1bf5ec8 in LogPrintf (severity=<optimized out>, pat=<optimized
out>, ap=<optimized out>)
at ../../third_party/tcmalloc/chromium/src/base/logging.h:241
#2 0x00007fffa1c0202a in RAW_LOG (lvl=2,
pat=0x7ffff7fd5af0 "memory allocation bug: object at 0x7fff9e0f03e0 has never been allocated\n")
at ../../third_party/tcmalloc/chromium/src/base/logging.h:261
#3 0x00007fffa1c1c16a in MallocBlock::CheckLocked (this=<optimized out>,
type=<optimized out>)
at ../../third_party/tcmalloc/chromium/src/debugallocation.cc:416
#4 0x00007fffa1c1c3f7 in MallocBlock::CheckAndClear (this=<optimized out>,
type=<optimized out>)
at ../../third_party/tcmalloc/chromium/src/debugallocation.cc:398
#5 0x00007fffa1c1c2f1 in MallocBlock::Deallocate (this=<optimized out>,
type=<optimized out>)
at ../../third_party/tcmalloc/chromium/src/debugallocation.cc:541
#6 0x00007fffa1c17f60 in DebugDeallocate (ptr=<optimized out>, type=<optimized
out>)
at ../../third_party/tcmalloc/chromium/src/debugallocation.cc:1004
#7 0x00007fffa19b65ad in __gnu_cxx::new_allocator<char>::deallocate
(this=0x7ffff7fd63a0,
__p=0x7fff9e0f03e0 <std::string::_Rep::_S_empty_rep_storage> "")
at /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/ext/new_allocator.h:110
#8 0x00007fffa19b6581 in std::string::_Rep::_M_destroy (
this=0x7fff9e0f03e0 <std::string::_Rep::_S_empty_rep_storage>, __a=...)
at /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/basic_string.tcc:449
#9 0x00007fff9dea8699 in std::string::assign(std::string const&) () from
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x00007fff48ed00c2 in ?? () from /usr/lib/x86_64-linux-gnu/libLLVM-3.4.so.1
#11 0x00007ffff7dea13a in call_init (l=<optimized out>, argc=argc@entry=5,
argv=argv@entry=0x7fffffffde38,
env=env@entry=0x7ffff0073d20) at dl-init.c:78
#12 0x00007ffff7dea223 in call_init (env=<optimized out>, argv=<optimized out>,
argc=<optimized out>,
l=<optimized out>) at dl-init.c:36
#13 _dl_init (main_map=main_map@entry=0x7ffff0467250, argc=5,
argv=0x7fffffffde38, env=0x7ffff0073d20)
at dl-init.c:126
#14 0x00007ffff7deec70 in dl_open_worker (a=a@entry=0x7ffff7fd6748) at
dl-open.c:577
#15 0x00007ffff7de9ff4 in _dl_catch_error
(objname=objname@entry=0x7ffff7fd6738,
errstring=errstring@entry=0x7ffff7fd6740, mallocedp=mallocedp@entry=0x7ffff7fd6730,
operate=operate@entry=0x7ffff7dee9a0 <dl_open_worker>, args=args@entry=0x7ffff7fd6748) at dl-error.c:187
#16 0x00007ffff7dee3bb in _dl_open (file=0x7ffff0467010
"/usr/lib/x86_64-linux-gnu/egl/egl_gallium.so",
---Type <return> to continue, or q <return> to quit---
mode=-2147483647, caller_dlopen=<optimized out>, nsid=-2, argc=5, argv=0x7fffffffde38, env=0x7ffff0073d20)
at dl-open.c:661
#17 0x00007ffff77a202b in dlopen_doit (a=a@entry=0x7ffff7fd6960) at dlopen.c:66
#18 0x00007ffff7de9ff4 in _dl_catch_error (objname=0x7ffff0000950,
errstring=0x7ffff0000958,
mallocedp=0x7ffff0000948, operate=0x7ffff77a1fd0 <dlopen_doit>, args=0x7ffff7fd6960) at dl-error.c:187
#19 0x00007ffff77a262d in _dlerror_run (operate=operate@entry=0x7ffff77a1fd0
<dlopen_doit>,
args=args@entry=0x7ffff7fd6960) at dlerror.c:163
#20 0x00007ffff77a20c1 in __dlopen (file=<optimized out>, mode=<optimized out>)
at dlopen.c:87
#21 0x00007fff5c840da4 in ?? () from
/usr/lib/x86_64-linux-gnu/mesa-egl/libEGL.so.1
#22 0x00007fff5c841184 in ?? () from
/usr/lib/x86_64-linux-gnu/mesa-egl/libEGL.so.1
#23 0x00007fff5c8412ed in ?? () from
/usr/lib/x86_64-linux-gnu/mesa-egl/libEGL.so.1
#24 0x00007fff5c83df48 in eglGetProcAddress () from
/usr/lib/x86_64-linux-gnu/mesa-egl/libEGL.so.1
#25 0x00007fff4bdecb58 in
Java_jogamp_opengl_egl_EGL_dispatch_1eglGetProcAddress0__Ljava_lang_String_2J ()
from /tmp/jogamp_0000/file_cache/jln8523565824923867566/jln7256964632691980350/libjogl_mobile.so
Original comment by magreenb...@gmail.com
on 26 Nov 2014 at 8:11
This could be related to the use of tcmalloc in Chromium. See for example
https://code.google.com/p/chromium/issues/detail?id=38692#c1 and the comment at
the end of http://goog-perftools.sourceforge.net/doc/tcmalloc.html:
"Don't try to load tcmalloc into a running binary (e.g., using JNI in Java
programs). The binary will have allocated some objects using the system malloc,
and may try to pass them to TCMalloc for deallocation. TCMalloc will not be
able to handle such objects."
I'm not sure why this is suddenly a problem with 2171 branch. It's possible to
create a CEF build without tcmalloc by setting GYP_DEFINES='use_allocator=none'
before running cef_create_projects.sh.
Original comment by magreenb...@gmail.com
on 26 Nov 2014 at 10:30
@#3: This same crash occurs when using a CEF build with tcmalloc disabled. It
may be possible to create an AddressSanitizer build that works with Java for
further debugging the problem. Discussion at
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/FTt-My1gJcE/C475IUPl
cVEJ.
Original comment by magreenb...@gmail.com
on 27 Nov 2014 at 2:52
Running with an AddressSanitizer build (follow instructions from the link in
#4, copy libcef.so, libc++.so and libclang_rt.asan-x86_64.so to the JCEF
out/Debug directory, then modify the java command-line in tools/run.sh):
LD_PRELOAD=$LIB_PATH/libclang_rt.asan-x86_64.so java -cp "$CLS_PATH"
-Djava.library.path=$LIB_PATH tests.$RUN_TYPE.MainFrame "$@" 2>&1 |
/home/marshall/code/chromium_git/chromium/src/tools/valgrind/asan/asan_symbolize
.py
The output is as follows:
==5408==AddressSanitizer CHECK failed:
/home/marshall/code/chromium_git/chromium/src/third_party/llvm/compiler-rt/lib/a
san/asan_globals.cc:117 "((AddrIsAlignedByGranularity(g->beg))) != (0)" (0x0,
0x0)
#0 0x7fd63f4023de in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) _asan_rtl_:0
#1 0x7fd63f4079c3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/marshall/code/chromium_git/chromium/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:74:0
#2 0x7fd63f38ba40 in RegisterGlobal _asan_rtl_:0
#3 0x7fd63f38ba40 in __asan_register_globals _asan_rtl_:0
#4 0x7fd62a3bb186 in asan.module_ctor ??:0:0
#5 0x7fd6400cf139 in call_init /build/buildd/eglibc-2.19/elf/dl-init.c:78:0
#6 0x7fd6400cf222 in call_init /build/buildd/eglibc-2.19/elf/dl-init.c:36:0
#7 0x7fd6400cf222 in _dl_init /build/buildd/eglibc-2.19/elf/dl-init.c:126:0
#8 0x7fd6400c0309 in ?? ??:0
CefApp: INITIALIZED
==5423==AddressSanitizer CHECK failed:
/home/marshall/code/chromium_git/chromium/src/third_party/llvm/compiler-rt/lib/a
san/asan_globals.cc:117 "((AddrIsAlignedByGranularity(g->beg))) != (0)" (0x0,
0x0)
#0 0x7fc5ed8ac3de in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) _asan_rtl_:0
#1 0x7fc5ed8b19c3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/marshall/code/chromium_git/chromium/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:74:0
#2 0x7fc5ed835a40 in RegisterGlobal _asan_rtl_:0
#3 0x7fc5ed835a40 in __asan_register_globals _asan_rtl_:0
#4 0x7fc5d8865186 in asan.module_ctor ??:0:0
#5 0x7fc5ee579139 in call_init /build/buildd/eglibc-2.19/elf/dl-init.c:78:0
#6 0x7fc5ee579222 in call_init /build/buildd/eglibc-2.19/elf/dl-init.c:36:0
#7 0x7fc5ee579222 in _dl_init /build/buildd/eglibc-2.19/elf/dl-init.c:126:0
#8 0x7fc5ee56a309 in ?? ??:0
=================================================================
==5387==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000031072
at pc 0x7fe9f162b785 bp 0x7fe9f24dcfd0 sp 0x7fe9f24dc790
READ of size 1 at 0x602000031072 thread T1
#0 0x7fe9f162b784 in __interceptor_strcmp.part.24 /home/marshall/code/chromium_git/chromium/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:177:0
#1 0x7fe93549cdef in stub_find_dynamic ??:0:0
#2 0x7fe93549cc5d in _glapi_get_proc_address ??:0:0
#3 0x7fe933f34295 in _eglReleaseDisplayResources ??:?
#4 0x7fe933f30f47 in eglGetProcAddress ??:0:0
#5 0x7fe9334e6b57 in Java_jogamp_opengl_egl_EGL_dispatch_1eglGetProcAddress0__Ljava_lang_String_2J ??:0:0
#6 0x7fe9e9103d97 (<unknown module>)
0x602000031072 is located 2 bytes inside of 16-byte region
[0x602000031070,0x602000031080)
freed by thread T1 here:
#0 0x7fe9f1669a91 in free _asan_rtl_:0
#1 0x7fe9ed9a0b98 in os::free(void*, unsigned short) ??:0:0
#2 0x7fe9334e6b81 in Java_jogamp_opengl_egl_EGL_dispatch_1eglGetProcAddress0__Ljava_lang_String_2J ??:0:0
#3 0x7fe9e9103d97 (<unknown module>)
#4 0x7fe9e90f7174 (<unknown module>)
#5 0x7fe9e90f7174 (<unknown module>)
#6 0x7fe9e90f7822 (<unknown module>)
#7 0x7fe9e90f7174 (<unknown module>)
#8 0x7fe9e90f7822 (<unknown module>)
#9 0x7fe9e90f7822 (<unknown module>)
#10 0x7fe9e90f7057 (<unknown module>)
#11 0x7fe9e90f7057 (<unknown module>)
#12 0x7fe9e90f14e6 (<unknown module>)
#3 0x7fe9ed7890f4 in JavaCalls::call_helper(JavaValue*, methodHandle*, JavaCallArguments*, Thread*) ??:0:0
#4 0x7fe9ed787b57 in JavaCalls::call(JavaValue*, methodHandle, JavaCallArguments*, Thread*) ??:0:0
#5 0x7fe9ed80e7f3 in JVM_DoPrivileged ??:0:0
#16 0x7fe9e9103d97 (<unknown module>)
#17 0x7fe9e90f7232 (<unknown module>)
#18 0x7fe9e90f7057 (<unknown module>)
#19 0x7fe9e90f734f (<unknown module>)
#20 0x7fe9e90f734f (<unknown module>)
#21 0x7fe9e90f71d3 (<unknown module>)
#22 0x7fe9e90f71d3 (<unknown module>)
#23 0x7fe9e90f71d3 (<unknown module>)
#24 0x7fe9e90f734f (<unknown module>)
#25 0x7fe9e90f7232 (<unknown module>)
#26 0x7fe9e90f7232 (<unknown module>)
#27 0x7fe9e90f7232 (<unknown module>)
#28 0x7fe9e90f7232 (<unknown module>)
#29 0x7fe9e90f734f (<unknown module>)
previously allocated by thread T1 here:
#0 0x7fe9f1669d69 in malloc _asan_rtl_:0
#1 0x7fe9ed9a0ca8 in os::malloc(unsigned long, unsigned short, unsigned char*) ??:0:0
#2 0x7fe9ed43544b in AllocateHeap(unsigned long, unsigned short, unsigned char*, AllocFailStrategy::AllocFailEnum) ??:0:0
#3 0x7fe9ed7def51 in jni_GetStringUTFChars ??:0:0
#4 0x7fe9334e6af4 in Java_jogamp_opengl_egl_EGL_dispatch_1eglGetProcAddress0__Ljava_lang_String_2J ??:0:0
#5 0x7fe9e9103d97 (<unknown module>)
#6 0x7fe9e90f7174 (<unknown module>)
#7 0x7fe9e90f7174 (<unknown module>)
#8 0x7fe9e90f7822 (<unknown module>)
#9 0x7fe9e90f7174 (<unknown module>)
#10 0x7fe9e90f7822 (<unknown module>)
#11 0x7fe9e90f7822 (<unknown module>)
#12 0x7fe9e90f7057 (<unknown module>)
#13 0x7fe9e90f7057 (<unknown module>)
#14 0x7fe9e90f14e6 (<unknown module>)
#5 0x7fe9ed7890f4 in JavaCalls::call_helper(JavaValue*, methodHandle*, JavaCallArguments*, Thread*) ??:0:0
#6 0x7fe9ed787b57 in JavaCalls::call(JavaValue*, methodHandle, JavaCallArguments*, Thread*) ??:0:0
#7 0x7fe9ed80e7f3 in JVM_DoPrivileged ??:0:0
#18 0x7fe9e9103d97 (<unknown module>)
#19 0x7fe9e90f7232 (<unknown module>)
#20 0x7fe9e90f7057 (<unknown module>)
#21 0x7fe9e90f734f (<unknown module>)
#22 0x7fe9e90f734f (<unknown module>)
#23 0x7fe9e90f71d3 (<unknown module>)
#24 0x7fe9e90f71d3 (<unknown module>)
#25 0x7fe9e90f71d3 (<unknown module>)
#26 0x7fe9e90f734f (<unknown module>)
#27 0x7fe9e90f7232 (<unknown module>)
#28 0x7fe9e90f7232 (<unknown module>)
#29 0x7fe9e90f7232 (<unknown module>)
Thread T1 created by T0 here:
#0 0x7fe9f16089ee in __interceptor_pthread_create _asan_rtl_:0
#1 0x7fe9f11a44c8 in ContinueInNewThread0 ??:0:0
#2 0x7fe9f1199589 in ContinueInNewThread ??:0:0
#3 0x7fe9f119c0df in JLI_Launch ??:0:0
#4 0x400685 in main ??:0:0
#5 0x7fe9f0beeec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c047fffe1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffe1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffe1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffe1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffe1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffe200: fa fa fa fa fa fa 00 00 fa fa fd fd fa fa[fd]fd
0x0c047fffe210: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffe220: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fffe230: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffe240: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffe250: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
ASan internal: fe
==5387==ABORTING
Original comment by magreenb...@gmail.com
on 28 Nov 2014 at 3:45
Issue 147 has been merged into this issue.
Original comment by magreenb...@gmail.com
on 15 Jan 2015 at 3:16
Original comment by magreenb...@gmail.com
on 15 Jan 2015 at 3:18
Original issue reported on code.google.com by
magreenb...@gmail.com
on 25 Nov 2014 at 6:08