chromium-os - issue #35391

modemmanager-next: Crash at data_available()


Posted on Oct 17, 2012 by Quick Bird

This crash occurred while running the server side network_3GSuspendResumeStress test on an Icera Y3300.

0 data_available (source=0x7ff7bd9eed60, condition=<value optimized out>, data=<value optimized out>) at mm-serial-port.c:767

1 0x00007ff7bbd1a753 in g_main_dispatch (context=0x7ff7bd971af0) at gmain.c:2539

2 g_main_context_dispatch (context=0x7ff7bd971af0) at gmain.c:3075

3 0x00007ff7bbd1aad0 in g_main_context_iterate (context=0x7ff7bd971af0, block=<value optimized out>, dispatch=1, self=<value optimized out>) at gmain.c:3146

4 g_main_context_iterate (context=0x7ff7bd971af0, block=<value optimized out>, dispatch=1, self=<value optimized out>) at gmain.c:3083

5 0x00007ff7bbd1af0a in g_main_loop_run (loop=0x7ff7bd977820) at gmain.c:3340

6 0x00007ff7bc390b55 in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:158

Comment #1

Posted on Oct 17, 2012 by Quick Kangaroo

(No comment was entered for this change.)

Comment #2

Posted on Oct 31, 2012 by Happy Wombat

(No comment was entered for this change.)

Comment #3

Posted on Nov 26, 2012 by Quick Kangaroo

(No comment was entered for this change.)

Comment #4

Posted on Nov 27, 2012 by Quick Kangaroo

https://crash/reportdetail?reportid=cd5acdc43d728d65

0x777594d8 [ModemManager] - mm-serial-port.c:767] data_available
0x7743b7cb [libglib-2.0.so.0.3200.4] - giounix.c:166] g_io_unix_dispatch
0x773f8e82 [libglib-2.0.so.0.3200.4] - gmain.c:2539] g_main_context_dispatch
0x773f9247 [libglib-2.0.so.0.3200.4] - gmain.c:3146] g_main_context_iterate
0x773f96ea [libglib-2.0.so.0.3200.4] - gmain.c:3340] g_main_loop_run
0x776ff7ac [ModemManager] - main.c:158] main
0x7722b446 [libc-2.15.so] - libc-start.c:234] __libc_start_main
0x776ff1d0 [ModemManager] + 0x000141d0]
0x776ff66f [ModemManager] + 0x0001466f]
0x776d9e6f [ld-2.15.so] + 0x0000ee6f]
0x776ca413 [linux-gate.so] + 0x00000413]
0x776c9fff

Comment #5

Posted on Nov 27, 2012 by Massive Ox

Just wondering; is it possible to have ModemManager running under valgrind during the test? That would give us a better hint.

Comment #6

Posted on Nov 27, 2012 by Quick Kangaroo

(No comment was entered for this change.)

Comment #7

Posted on Nov 27, 2012 by Quick Kangaroo

Aleksander, the problem can be either memory corruption (for which I will run ModemManager through valgrind) or ModemManager trying to open a serial port that has been disposed. I submitted a patch to address the latter: https://mail.gnome.org/archives/networkmanager-list/2012-November/msg00186.html

I also found Dan's patch on serial-port, which should address another issue in data_available: http://cgit.freedesktop.org/ModemManager/ModemManager/commit/?id=8772d63389b97a65bcace9fe0b54175a6adab9fe

Comment #8

Posted on Nov 30, 2012 by Quick Kangaroo

The crash happens to be a reuse of an already disposed MMSerialPort object:

/* Don't read any input if the current command isn't done being sent yet */
info = g_queue_peek_nth (priv->queue, 0);

49f60: 6940 ldr r0, [r0, #20] <- 0x151F60
49f62: f7c9 ebf6 blx 13750 <_init+0x1254>

==20047== Invalid read of size 4
==20047== at 0x151F60: ??? (in /usr/sbin/ModemManager)
==20047== Address 0x14 is not stack'd, malloc'd or (recently) free'd
==20047==
==20047==
==20047== Process terminating with default action of signal 11 (SIGSEGV)
==20047== Access not within mapped region at address 0x14
==20047== at 0x151F60: ??? (in /usr/sbin/ModemManager)
==20047== If you believe this happened as a result of a stack
==20047== overflow in your program's main thread (unlikely but
==20047== possible), you can try to increase the size of the
==20047== main thread stack using the --main-stacksize= flag.
==20047== The main thread stack size used in this run was 8388608.

(ModemManager:2858): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
(ModemManager:2858): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
(ModemManager:2858): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
(ModemManager:2858): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
(ModemManager:2858): GLib-GObject-WARNING **: gsignal.c:2576: instance `0x78624028' has no handler with id `148'
(ModemManager:2858): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `MMSerialPort'
(ModemManager:2858): GLib-GObject-CRITICAL **: g_type_instance_get_private: assertion `instance != NULL && instance->g_class != NULL' failed
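
The lifetime problem named in Comment #8, reduced to a self-contained model (an added example, not ModemManager or GLib code and not the patch referenced in this thread; `Port`, `Loop`, `watch_add`, `on_data` and the other names are hypothetical). A watch left registered after its port is disposed is still dispatched, while a dispose that removes the watch first is not.

```c
#include <stdio.h>
#define MAX_WATCHES 8

typedef struct Port { int disposed; int watch_id; } Port; /* watch_id 0 = none */
typedef int (*WatchFn)(Port *port);            /* plays the role of a GIOFunc */
typedef struct { WatchFn fn; Port *port; } Watch;
typedef struct { Watch slots[MAX_WATCHES]; } Loop;        /* toy main loop */

/* Register a callback; ids are slot index + 1 so that 0 means "no watch". */
static int watch_add(Loop *l, WatchFn fn, Port *p) {
    for (int i = 0; i < MAX_WATCHES; i++)
        if (!l->slots[i].fn) { l->slots[i] = (Watch){fn, p}; return i + 1; }
    return 0;
}

static void watch_remove(Loop *l, int id) {
    if (id > 0 && id <= MAX_WATCHES) l->slots[id - 1] = (Watch){NULL, NULL};
}

/* In the role of data_available(); a flag replaces free() so no real UB. */
static int on_data(Port *p) { return p->disposed ? 1 : 0; }

/* Dispatch every registered watch once; count callbacks on disposed ports. */
static int loop_iterate(Loop *l) {
    int stale = 0;
    for (int i = 0; i < MAX_WATCHES; i++)
        if (l->slots[i].fn) stale += l->slots[i].fn(l->slots[i].port);
    return stale;
}

/* Buggy dispose: the loop still holds a watch pointing at the dead object. */
static void port_dispose_buggy(Loop *l, Port *p) { (void)l; p->disposed = 1; }

/* Hardened dispose: remove the watch before tearing the object down. */
static void port_dispose_fixed(Loop *l, Port *p) {
    watch_remove(l, p->watch_id);
    p->watch_id = 0;
    p->disposed = 1;
}

/* One open/dispose/iterate cycle; returns the number of stale dispatches. */
static int run_cycle(int use_fix) {
    Loop l = {0};
    Port p = {0, 0};
    p.watch_id = watch_add(&l, on_data, &p);
    if (use_fix) port_dispose_fixed(&l, &p); else port_dispose_buggy(&l, &p);
    return loop_iterate(&l);
}

int main(void) { printf("buggy=%d fixed=%d\n", run_cycle(0), run_cycle(1)); return 0; }
```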

Comment #9

Posted on Dec 7, 2012 by Quick Kangaroo

Tested and pushed patch from Aleksander

http://git.chromium.org/gitweb/?p=chromiumos/third_party/modemmanager-next.git;a=commit;h=1c51e4626d39a72e959b02db359a15e2463e526e

Comment #10

Posted on Jan 29, 2013 by Grumpy Bear

NO more crashes in Data Available observed in R25 builds.

Comment #11

Posted on Mar 6, 2013 by Grumpy Hippo

(No comment was entered for this change.)

Comment #12

Posted on Mar 10, 2013 by Quick Rabbit

(No comment was entered for this change.)

Comment #13

Posted on Mar 18, 2013 by Quick Rabbit

Moved to: Issue chromium:217499

Status: Moved

Labels:
Type-Bug Pri-2 Sev-2 bulkmove MovedFrom-24 Iteration-70 OS-Chrome Cr-OS-Systems-Cellular M-25