Logging for tracking purpose:

Find it: Analysis of failed component others is not supported by Findit.
Suspected Component: others

using code search seeing some changes to ImageBitmapFactories.cpp in 

https://chromium.googlesource.com/chromium/src/+/13834522ca6d7969f80743285dff0e09050b8227

xidachen @,Could you please check the above issue & help us in finding an owner it its not yours.

Looks like ImageDecode internally has pointers to stuff with non-atomic reference counts.  The best way to solve this would be to create and delete the decoder on the main thread. IMHO, you should create the decoder on the main thread in ImageBitmapFactories::ImageBitmapLoader::scheduleAsyncImageBitmapDecoding() and pass it to the encoder thread.

Also, you should safeguard the code against this kind of error in the future by adding an instance of ThreadChecker to ImageBitmap to make sure that the constructor ans destructor are called on the same thread, as well as any other methods that touch RefPtrs of non-ThreadSafeRefCounted types.

In the comment above I wrote "ImageBitmap" where I meant "ImageDecoder".

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/283d18607e366095c377ddf72d196a8c4e256429

commit 283d18607e366095c377ddf72d196a8c4e256429
Author: xidachen <xidachen@chromium.org>
Date: Fri Mar 11 12:26:07 2016

Fix data race problem in createImageBitmap(Blob)

In createImageBitmap(Blob), the method creates an ImageDecoder
in a background thread, does the image decoding in the same thread, and
pass the ImageDecoder back to the main thread for creating an ImageBitmap.
This is causing the data race problem because the ImageDecoder
does some non-atomic reference counts internally.

This CL should fix the data race problem. In particular, we let the
ImageDecoder does image decoding in the background thread, and creates
a SkImage from the ImageDecoder, and pass the SkImage across threads.
Because SkImage is thread-safe RefCnted, this solves the data race
problem. In order to let postTask taking a SkImage, this CL changes
the CrossThreadCopier so that it can take an object that is SkRefCnt.

Locally I was able to repro the test case reported in the bug by
using the tsan build. With this CL the data race goes away.
Also, an existing layout tests that have data race condition
is changed.

BUG= 593224 

Review URL: https://codereview.chromium.org/1781613002

Cr-Commit-Position: refs/heads/master@{#380609}

[modify] https://crrev.com/283d18607e366095c377ddf72d196a8c4e256429/third_party/WebKit/LayoutTests/virtual/threaded/fast/canvas-toBlob/canvas-createImageBitmap-blob-in-workers.html
[modify] https://crrev.com/283d18607e366095c377ddf72d196a8c4e256429/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp
[modify] https://crrev.com/283d18607e366095c377ddf72d196a8c4e256429/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h
[modify] https://crrev.com/283d18607e366095c377ddf72d196a8c4e256429/third_party/WebKit/Source/platform/CrossThreadCopier.h

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6707493708759040

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 8
Crash Address: 0x7d2000027f80
Crash State:
  blink::PurgeableVector::clear
  blink::SharedBuffer::~SharedBuffer
  blink::ImageBitmapFactories::ImageBitmapLoader::decodeImageOnDecoderThread
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=378207:378422

Minimized Testcase (7.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95txVXHYgR1SUwIPuLmcZhXdGnA3tKGv41K86QH7jCY5t7qBe3--PsrXkGsDQqkmcVHvBodUA4CE6WxyAo84ch0w0X3cLEb1WHhOxvxbJNCNOreLqpG37aNwdrPmsdsFnq-TrDpr5dRKt2BdR-3HDaxDrqedg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

I am assuming the layout is:
virtual/threaded/fast/canvas-toBlob/canvas-createImageBitmap-blob-in-workers.html

could you retry this?

Remove legacy label cr-blink

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot