crash in gcm code when using system protobuf


Paweł Hajdan, Jr.

Mar 6, 2014, 11:18:14 PM
to chromium-dev, Nicolas Zea
This is using an explicitly unsupported gyp switch -Duse_system_protobuf=1, but I'm getting the following crash on startup when using sync in my Chromium build:

#0  __cxxabiv1::__dynamic_cast (src_ptr=0x2ede52ec6e60, src_type=0x7ffff558eff0 <typeinfo for google::protobuf::MessageLite>, 
    dst_type=0x7ffff5590c20 <typeinfo for google::protobuf::Message>, src2dst=0)
    at /var/tmp/portage/sys-devel/gcc-4.7.3-r1/work/gcc-4.7.3/libstdc++-v3/libsupc++/dyncast.cc:61
#1  0x00007ffff533eadd in down_cast<google::protobuf::Message const*, google::protobuf::MessageLite const> (f=0x2ede52ec6e60) at ./google/protobuf/stubs/common.h:344
#2  google::protobuf::Message::CheckTypeAndMergeFrom (this=0x2ede52ec6dc0, other=...) at google/protobuf/message.cc:72
#3  0x00005555592b337c in gcm::MCSMessage::CloneProtobuf() const ()
#4  0x00005555592c83ae in gcm::MCSClient::SendMessage(gcm::MCSMessage const&) ()
#5  0x00005555592c8b97 in gcm::MCSClient::HandleMCSDataMesssage(scoped_ptr<google::protobuf::MessageLite, base::DefaultDeleter<google::protobuf::MessageLite> >) ()
#6  0x00005555592c9220 in gcm::MCSClient::HandlePacketFromWire(scoped_ptr<google::protobuf::MessageLite, base::DefaultDeleter<google::protobuf::MessageLite> >) ()
#7  0x00005555592c26fc in base::internal::Invoker<1, base::internal::BindState<base::internal::RunnableAdapter<void (gcm::MCSClient::*)(scoped_ptr<google::protobuf::MessageLite, base::DefaultDeleter<google::protobuf::MessageLite> >)>, void (gcm::MCSClient*, scoped_ptr<google::protobuf::MessageLite, base::DefaultDeleter<google::protobuf::MessageLite> >), void (base::WeakPtr<gcm::MCSClient>)>, void (gcm::MCSClient*, scoped_ptr<google::protobuf::MessageLite, base::DefaultDeleter<google::protobuf::MessageLite> >)>::Run(base::internal::BindStateBase*, scoped_ptr<google::protobuf::MessageLite, base::DefaultDeleter<google::protobuf::MessageLite> >) ()
#8  0x00005555592b7078 in gcm::ConnectionHandlerImpl::OnGotMessageBytes() ()
#9  0x00005555592b7ea0 in gcm::ConnectionHandlerImpl::WaitForData(gcm::ConnectionHandlerImpl::ProcessingState) ()
#10 0x00005555592d2d27 in gcm::SocketInputStream::RefreshCompletionCallback(base::Callback<void ()> const&, int) ()
#11 0x000055555659ab7f in base::internal::Invoker<1, base::internal::BindState<base::Callback<void (int)>, void (int), void (int)>, void (int)>::Run(base::internal::BindStateBase*) ()
#12 0x000055555682b27d in net::SSLClientSocketNSS::Core::PostOrRunCallback(tracked_objects::Location const&, base::Callback<void ()> const&) ()
#13 0x00005555566af2d2 in base::MessageLoop::RunTask(base::PendingTask const&) ()
#14 0x00005555566b0318 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ()
#15 0x00005555566b2440 in base::MessageLoop::DoWork() ()
#16 0x0000555556677c89 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ()
#17 0x00005555566b3670 in base::MessageLoop::RunHandler() ()
#18 0x00005555566ca708 in base::RunLoop::Run() ()
#19 0x00005555566ae344 in base::MessageLoop::Run() ()
#20 0x0000555558aff5e4 in content::BrowserThreadImpl::IOThreadRun(base::MessageLoop*) ()
#21 0x0000555558aff963 in content::BrowserThreadImpl::Run(base::MessageLoop*) ()
#22 0x00005555566e2ae1 in base::Thread::ThreadMain() ()
#23 0x00005555566dd919 in base::(anonymous namespace)::ThreadFunc(void*) ()
#24 0x00007ffff5074fda in start_thread (arg=0x7fffe38ca700) at pthread_create.c:308
#25 0x00007ffff140371d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

It's 100% reproducible, one needs to be signed in to Chrome, sync enabled, API keys present - and -Duse_system_protobuf=1 passed to build/gyp_chromium. I tested against system protobuf-2.5.0 using gcc-4.7.3.

Unfortunately, it looks like the protobuf available on my Ubuntu Precise workstation is 2.4.1, too old to compile with use_system_protobuf=1. If anyone wants to reproduce this you may need to compile protobuf-2.5.0 manually or e.g. use a Gentoo chroot. I can help with both.

My git bisect points to https://codereview.chromium.org/152633006/ as the first commit where crash appears.

Any help would be appreciated, I'm fully aware this build configuration is unsupported, but:

1) It may indicate a latent problem exposed by using protobuf-2.5.0. We still have time now to debug and fix it before, for whatever reason, we need to switch to a more recent protobuf.

2) The code would be arguably more robust if it didn't rely very specifically on a version of protobuf bundled with Chromium.

3) Even if you don't debug it fully, but can point me to some findings / other things I should check, that's still valuable. I'd like to learn more about this.

This was originally reported as https://bugs.gentoo.org/show_bug.cgi?id=503084

Please let me know if you'd like me to post some more info from my repro case, or perform some further tests.

Paweł
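Frames #0 to #3 of the trace above show what the clone path relies on: MCSMessage::CloneProtobuf merges the original protobuf into a freshly built empty one, and the merge lands in Message::CheckTypeAndMergeFrom, which down_casts its MessageLite argument to the full Message type. In protobuf 2.5.0 that down_cast (stubs/common.h) verifies the cast with dynamic_cast only in a build without NDEBUG and with RTTI; otherwise it is a bare static_cast with no check at all. The sketch below is an added illustration, not Chromium's gcm code and not protobuf's. It models that MessageLite/Message split with stand-in classes and a checked cast that reports the mismatch instead of asserting, so a clone of a lite-only object into a full-runtime target is refused rather than dereferenced. Class and function names (checked_down_cast, CloneInto, LiteDataMessage, FullDataMessage) are invented for the example; it does not explain why frame #0 faulted inside __dynamic_cast itself in this particular build, only the contract the frames below it assume.

```cpp
#include <cstddef>
#include <string>
#include <typeinfo>

// Added illustration, not Chromium's gcm code nor protobuf's. The classes
// below are stand-ins modelled on protobuf 2.5.0's MessageLite/Message split.

// Stand-in for google::protobuf::MessageLite: what LITE_RUNTIME-generated
// messages derive from. No reflection, no relationship to Message's extra API.
class MessageLite {
 public:
  virtual ~MessageLite() {}
  virtual std::string GetTypeName() const = 0;
  // Every concrete message implements this; Message (below) supplies a shared one.
  virtual bool CheckTypeAndMergeFrom(const MessageLite& other) = 0;
  std::string data;  // stands in for the serialized fields
};

// Protobuf's down_cast (stubs/common.h) is `assert(dynamic_cast<To>(f))` only
// when built without NDEBUG and with RTTI, and a bare static_cast otherwise.
// This version reports the mismatch through *ok instead of asserting, so a
// caller can refuse the operation rather than crash or, worse, proceed.
template <typename To, typename From>
To checked_down_cast(From* f, bool* ok) {
  To p = dynamic_cast<To>(f);
  *ok = (f == NULL || p != NULL);
  return p;
}

// Stand-in for google::protobuf::Message: the full runtime's base class, whose
// CheckTypeAndMergeFrom assumes `other` is also a full Message (message.cc:72
// in the trace above).
class Message : public MessageLite {
 public:
  bool CheckTypeAndMergeFrom(const MessageLite& other) {
    bool ok = false;
    const Message* full = checked_down_cast<const Message*>(&other, &ok);
    if (!ok || full->GetTypeName() != GetTypeName()) return false;
    data += full->data;
    return true;
  }
};

// A message generated with `option optimize_for = LITE_RUNTIME`: derives from
// MessageLite only, so it is never a Message.
class LiteDataMessage : public MessageLite {
 public:
  std::string GetTypeName() const { return "mcs.DataMessageStanza"; }
  bool CheckTypeAndMergeFrom(const MessageLite& other) {
    if (other.GetTypeName() != GetTypeName()) return false;
    data += other.data;
    return true;
  }
};

// The same message type generated for the full runtime.
class FullDataMessage : public Message {
 public:
  std::string GetTypeName() const { return "mcs.DataMessageStanza"; }
};

// Modelled on MCSMessage::CloneProtobuf (frame #3): build an empty message of
// the right type, then merge the original into it. Returns NULL instead of
// dereferencing a mismatched object when the two runtimes are mixed.
MessageLite* CloneInto(MessageLite* empty, const MessageLite& original) {
  if (!empty->CheckTypeAndMergeFrom(original)) {
    delete empty;
    return NULL;
  }
  return empty;
}

// Scenario 1: both objects come from one runtime (the supported build).
bool SameRuntimeCloneWorks() {
  FullDataMessage original;
  original.data = "hello";  // constructed sample payload
  MessageLite* clone = CloneInto(new FullDataMessage, original);
  bool ok = clone != NULL && clone->data == "hello";
  delete clone;
  return ok;
}

// Scenario 2: a full-runtime target receives a lite-only source.
// Refused by the checked cast rather than treated as a Message.
bool MixedRuntimeCloneIsRefused() {
  LiteDataMessage original;
  original.data = "hello";  // constructed sample payload
  MessageLite* clone = CloneInto(new FullDataMessage, original);
  bool refused = (clone == NULL);
  delete clone;
  return refused;
}
```

The point worth keeping in mind while debugging this: frames #6 through #12 show the object being cloned was just parsed from bytes read off the SSL socket, and the only thing standing between a runtime mismatch and a static_cast of the wrong object type is the RTTI assertion in down_cast, which protobuf compiles out under NDEBUG. A build that hits this path with the check disabled would not crash at frame #0; it would carry on with a misinterpreted object.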

Jian Li

Mar 6, 2014, 11:39:50 PM
to Paweł Hajdan, Jr., chromium-dev, Nicolas Zea, Filip Gorski
Could you please file a chromium bug and cc to zea, fgorski and me? Thanks.


--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

Paweł Hajdan, Jr.

Mar 10, 2014, 6:33:49 PM
to Jian Li, chromium-dev, Nicolas Zea, Filip Gorski
Done: https://code.google.com/p/chromium/issues/detail?id=351093

Thank you for taking a look at this.

Paweł