Data race in blink::PageMemoryRegion::allocate
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5822916706435072

Fuzzer: ochang_domfuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 4
Crash Address: 0x7f4c22ea23e8
Crash State:
  blink::PageMemoryRegion::allocate
  blink::NormalPageHeap::allocatePage
  blink::NormalPageHeap::outOfLineAllocate

Minimized Testcase (3.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv960mMZi3LWG0AUGgLVZ8dOlMKOwVDYrk_3NLa--b2wX-JljNbR_CqYmD8uwcbnWpsWc3AQMO0lTWNXcDiBfyiWiJg8ovJM-kLJ1IK66V4ENesgqbR_IDPb1KaMOR-z2FHFe3lxbR50rtHviuIqXlfud4LVTBA

Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 17 2016
The |allocPageErrorCode| you added in https://codereview.chromium.org/1718123002/ is causing a threading race. tasak@: Would you mind taking a look?
Mar 18 2016
Mar 18 2016
Remove legacy label Cr-Blink-GarbageCollection.
Mar 24 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/513bc4519eaf958471a4d169fe3169addfe2f5b3

commit 513bc4519eaf958471a4d169fe3169addfe2f5b3
Author: tasak <tasak@google.com>
Date: Thu Mar 24 11:08:53 2016

Update allocPageErrorCode only when mmap fails.

cluster-fuzz: https://cluster-fuzz.appspot.com/testcase?key=5822916706435072

If mmap fails, blink will immediately crash. So updating allocPageErrorCode when mmap fails is enough to avoid data race.

BUG=595631

Review URL: https://codereview.chromium.org/1820413003

Cr-Commit-Position: refs/heads/master@{#383052}

[modify] https://crrev.com/513bc4519eaf958471a4d169fe3169addfe2f5b3/third_party/WebKit/Source/wtf/PageAllocator.cpp
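To make the reasoning in the commit concrete, here is an added example that is not the Blink code from the commit or from PageAllocator.cpp. The names allocPagesRacy, allocPagesFixed, rawMmap, countSharedWrites and the sharedWrites counter are assumptions introduced for illustration, and allocPageErrorCode is a reconstruction of the shared diagnostic the commit talks about. The racy version stores to the shared variable on every allocation, including the success path, which is the pattern ThreadSanitizer reports when two threads allocate pages at the same time. The fixed version stores only on the failure path, which in Blink is immediately followed by a crash, so that single store is never contended. Failure is injected by asking mmap for a zero-length mapping, which POSIX requires to fail with EINVAL.

```cpp
#include <atomic>
#include <cerrno>
#include <cstddef>
#include <cstdio>
#include <thread>
#include <vector>
#include <sys/mman.h>

// Shared diagnostic written from whichever thread allocates pages. Kept as a
// plain int on purpose: that is what makes an unconditional store a data race
// (assumed to mirror the Blink variable; its declaration is not on the page).
static int allocPageErrorCode = 0;

// Instrumentation only (not part of any allocator): counts stores to
// allocPageErrorCode so the effect of the fix can be checked without TSan.
static std::atomic<int> sharedWrites{0};

// Simplified backend: one anonymous, private, read/write mapping.
static void* rawMmap(size_t len) {
    return mmap(nullptr, len, PROT_READ | PROT_WRITE,
                MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
}

// Pattern TSan reported: the error code is stored on every call, including the
// success path, so two threads allocating at once race on the same int.
static void* allocPagesRacy(size_t len) {
    void* ret = rawMmap(len);
    allocPageErrorCode = (ret == MAP_FAILED) ? errno : 0;   // store on the hot path
    sharedWrites.fetch_add(1, std::memory_order_relaxed);
    return (ret == MAP_FAILED) ? nullptr : ret;
}

// Shape of the fix in the commit: store errno only when mmap failed. In Blink
// that path is followed by an immediate crash, so the single store is never
// contended; here the function just returns nullptr so the caller can inspect it.
static void* allocPagesFixed(size_t len) {
    void* ret = rawMmap(len);
    if (ret == MAP_FAILED) {
        allocPageErrorCode = errno;   // failure path only
        sharedWrites.fetch_add(1, std::memory_order_relaxed);
        return nullptr;
    }
    return ret;
}

// Runs `threads` workers that each perform `iters` successful page allocations
// through `alloc` and returns how many stores to allocPageErrorCode occurred.
static int countSharedWrites(void* (*alloc)(size_t), int threads, int iters) {
    sharedWrites.store(0);
    std::vector<std::thread> pool;
    for (int t = 0; t < threads; ++t) {
        pool.emplace_back([alloc, iters] {
            for (int i = 0; i < iters; ++i) {
                void* p = alloc(4096);
                if (p != nullptr)
                    munmap(p, 4096);
            }
        });
    }
    for (std::thread& th : pool)
        th.join();
    return sharedWrites.load();
}

int main() {
    // Under -fsanitize=thread the first run is reported as a data race on
    // allocPageErrorCode; the second run is silent because no store happens.
    std::printf("racy:  %d stores from 4 threads\n", countSharedWrites(allocPagesRacy, 4, 1000));
    std::printf("fixed: %d stores from 4 threads\n", countSharedWrites(allocPagesFixed, 4, 1000));

    // The failure path still records the reason: len 0 is rejected with EINVAL.
    void* p = allocPagesFixed(0);
    std::printf("mmap(len=0) -> %p, allocPageErrorCode=%d (EINVAL=%d)\n",
                p, allocPageErrorCode, EINVAL);
    return 0;
}
```

Build with `clang++ -std=c++17 -pthread -fsanitize=thread` to see the report for the racy variant; the fixed variant produces none because the only remaining store sits on a path that, in Blink, never returns to a second allocating thread.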
Mar 24 2016
ClusterFuzz has detected this issue as fixed in range 383042:383055.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5822916706435072

Fuzzer: ochang_domfuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 4
Crash Address: 0x7f4c22ea23e8
Crash State:
  blink::PageMemoryRegion::allocate
  blink::NormalPageHeap::allocatePage
  blink::NormalPageHeap::outOfLineAllocate

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=383042:383055

Minimized Testcase (3.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv960mMZi3LWG0AUGgLVZ8dOlMKOwVDYrk_3NLa--b2wX-JljNbR_CqYmD8uwcbnWpsWc3AQMO0lTWNXcDiBfyiWiJg8ovJM-kLJ1IK66V4ENesgqbR_IDPb1KaMOR-z2FHFe3lxbR50rtHviuIqXlfud4LVTBA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ajha@chromium.org, Mar 17 2016
Owner: haraken@chromium.org
Status: Assigned (was: Available)