Updates:
        Cc: [email protected]

Comment #31 on issue 26754 by [email protected]: Chrome crash : AppCacheDispatcherHost::Initialize(IPC::Message::Sender*, int, int)
http://code.google.com/p/chromium/issues/detail?id=26754

I verified on Rohit's system that this is being caused by IPC channel reuse gone wrong.

I'm using an alternate reproduction case that results in what appears to be the same sort of IPC channel reuse that this bug's stack indicates is occurring. Stuart has been looking also, using the same case, because he's trying to work on another related bug that also shows the channel reuse.

The reproduction case is:

1. Visit http://www.dkmsoftware.com/Yubotu.htm
2. Click "Play Now"
3. Resize the pop-up window that opens a whole lot.

Eventually, a sad plug-in will appear. Note that the plugin process has not actually crashed. If the page is reloaded, the browser will crash due to IPC channel reuse. Reloading the page is not necessary to reach the failure point, however. The renderer logs this message when the sad plug-in appears:

[91983:12815:116937582875718:ERROR:/chrome/trunk/src/ipc/ipc_channel_posix.cc(819)] pipe error on 3: Bad file descriptor

and at that point, things are doomed.

At some point, the renderer is trying to send an fd that isn't actually open in that process. This causes the sendmsg at ipc_channel_posix.cc:801 to return -1 and set errno to EBADF. EBADF in this case refers to the file descriptor that's supposed to go over IPC, not a descriptor associated with the IPC channel itself.

When I have the renderer stopped at this point:

(gdb) print msg->file_descriptor_set_->ptr_->descriptors_.size()
$1 = 1
(gdb) print msg->file_descriptor_set_->ptr_->descriptors_[0]
$2 = (const class base::FileDescriptor &) @0x21a27fd0: {
   fd = 18,
   auto_close = false
}

lsof confirms that fd 18 is not open in this process.

If I add a Close() at line 819, I can avoid the problem, at the expense of the FileDescriptorSet getting upset and logging messages like this:

[91817:13575:115589827699162:WARNING:/chrome/trunk/src/ipc/file_descriptor_set_posix.cc(18)] FileDescriptorSet destroyed with unconsumed descriptors

but there are no other ill effects.

The Close() doesn't seem like the wrong approach here, but I'm going to continue to debug this to determine where the bad file descriptor is coming from.
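Added illustration of the EBADF point made in the comment above (not code from the bug or from Chromium): a small C program that passes a descriptor over a socketpair with SCM_RIGHTS, as the POSIX IPC channel does, and shows that a descriptor number with no open file behind it makes sendmsg fail with EBADF while the channel socket itself stays usable. The function names are my own, and the errno behaviour assumed is that of Linux/macOS.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send one descriptor over a Unix-domain socket with SCM_RIGHTS, the way a
 * POSIX IPC channel does. Returns 0 on success, otherwise the errno value. */
static int send_fd(int sock, int fd_to_send) {
    char byte = 'x';                      /* SCM_RIGHTS needs at least one data byte */
    struct iovec iov = { &byte, 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) < 0 ? errno : 0;
}

/* Hypothetical demo of the failure mode from the comment: a descriptor number
 * that is not open in this process makes sendmsg fail with EBADF, while the
 * channel socket itself is fine and a later send on it still succeeds.
 * Returns 1 when both observations hold, 0 otherwise, -1 on setup failure. */
int stale_fd_over_channel(void) {
    int sv[2], p[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0) return -1;
    int stale = p[0];
    close(p[0]);                          /* 'stale' now names no open file */
    int first = send_fd(sv[0], stale);    /* EBADF: refers to the payload fd */
    int second = send_fd(sv[0], p[1]);    /* same channel, real fd: succeeds */
    close(p[1]);
    close(sv[0]);
    close(sv[1]);
    return (first == EBADF && second == 0) ? 1 : 0;
}
```

This is the same distinction drawn above: the error names the descriptor being carried, not the channel, so checking the channel socket for health after such a failure will not explain the log line.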

-- 
Automated mail from issue updates at http://crbug.com/