Data race in blink::PageMemoryRegion::allocate
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5267320498290688
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race WRITE 4
Crash Address: 0x7ff017127fb8
Crash State:
blink::PageMemoryRegion::allocate
blink::PageMemory::allocate
blink::LargeObjectArena::allocateLargeObjectPage
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97yRrbKCQoU4l0Ckk0qzP05favCIyBFWjZCSM2o9sv1AcQyXmud6RBD0WVxBXB6Kg0V05H5DPPYHiNPgMotS7N6mIR15A55fGTsNq92FDRyIAc6-OaBgbtMRHQAuOl9ZrCWfiSCCDkJ-7WddXaz8lvaUENssA
Filer: manoranjanr
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 7 2016
This race is still happening. Sigbjorn: Would you mind taking a look?
Apr 7 2016
Stack trace:
WARNING: ThreadSanitizer: data race (pid=10106)
Write of size 4 at 0x7f1ce8c6dfb8 by thread T10 (mutexes: write M59680, write M394):
#0 0x7f1ce531088a in systemAllocPages third_party/WebKit/Source/wtf/PageAllocator.cpp:87:28
#1 0x7f1ce531088a in WTF::allocPages(void*, unsigned long, unsigned long, WTF::PageAccessibilityConfiguration) third_party/WebKit/Source/wtf/PageAllocator.cpp:149
#2 0x7f1cdff2cfb0 in Block third_party/WebKit/Source/platform/heap/CallbackStack.cpp:17:35
#3 0x7f1cdff2cfb0 in blink::CallbackStack::CallbackStack(unsigned long) third_party/WebKit/Source/platform/heap/CallbackStack.cpp:80
#4 0x7f1cdfee7449 in blink::ThreadState::ThreadState() third_party/WebKit/Source/platform/heap/ThreadState.cpp:137:42
#5 0x7f1cdfee8502 in blink::ThreadState::attach() third_party/WebKit/Source/platform/heap/ThreadState.cpp:265:30
#6 0x7f1ce536adfb in blink::WebThreadSupportingGC::initialize() third_party/WebKit/Source/platform/WebThreadSupportingGC.cpp:50:5
#7 0x7f1ce19d4e1b in blink::WorkerThread::initializeBackingThread() third_party/WebKit/Source/core/workers/WorkerThread.cpp:394:5
#8 0x7f1ce19d3b18 in blink::WorkerThread::initialize(WTF::PassOwnPtr<blink::WorkerThreadStartupData>) third_party/WebKit/Source/core/workers/WorkerThread.cpp:208:9
#9 0x7f1ce19d68de in operator()<WTF::PassOwnPtr<blink::WorkerThreadStartupData> &> third_party/WebKit/Source/wtf/Functional.h:133:16
#10 0x7f1ce19d68de in callInternal<0, 1> third_party/WebKit/Source/wtf/Functional.h:284
#11 0x7f1ce19d68de in WTF::PartBoundFunctionImpl<(WTF::FunctionThreadAffinity)0, std::__1::tuple<blink::WorkerThread*&&, WTF::PassOwnPtr<blink::WorkerThreadStartupData>&&>, WTF::FunctionWrapper<void (blink::WorkerThread::*)(WTF::PassOwnPtr<blink::WorkerThreadStartupData>)>>::operator()() third_party/WebKit/Source/wtf/Functional.h:275
#12 0x7f1cdff306d0 in blink::CrossThreadTask::run() third_party/WebKit/Source/platform/Task.h:77:9
#13 0x7f1ce2ebdc8e in scheduler::WebTaskRunnerImpl::runTask(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >) components/scheduler/child/web_task_runner_impl.cc:68:3
#14 0x7f1ce2ebe0e1 in Run<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:159:12
#15 0x7f1ce2ebe0e1 in MakeItSo<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:301
#16 0x7f1ce2ebe0e1 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)>, void (std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:352
#17 0x7f1cded87c1e in Run base/callback.h:397:12
#18 0x7f1cded87c1e in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
#19 0x7f1ce2ec10a1 in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*) components/scheduler/base/task_queue_manager.cc:288:3
#20 0x7f1ce2ebf6c0 in scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) components/scheduler/base/task_queue_manager.cc:200:13
#21 0x7f1ce2ec2209 in Run<const base::TimeTicks &, const bool &> base/bind_internal.h:181:12
#22 0x7f1ce2ec2209 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> base/bind_internal.h:314
#23 0x7f1ce2ec2209 in base::internal::Invoker<base::IndexSequence<0ul, 1ul, 2ul>, base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks, bool>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:352
#24 0x7f1cded87c1e in Run base/callback.h:397:12
#25 0x7f1cded87c1e in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
#26 0x7f1cded0f583 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:476:3
#27 0x7f1cded0fb1e in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:485:5
#28 0x7f1cded0ff06 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:597:13
#29 0x7f1cded13622 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:21
#30 0x7f1cded0ef7c in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:440:3
#31 0x7f1cded32587 in base::RunLoop::Run() base/run_loop.cc:35:3
#32 0x7f1cded0e786 in base::MessageLoop::Run() base/message_loop/message_loop.cc:293:3
#33 0x7f1cded5eeaa in base::Thread::Run(base::MessageLoop*) base/threading/thread.cc:202:3
#34 0x7f1cded5f07a in base::Thread::ThreadMain() base/threading/thread.cc:254:3
#35 0x7f1cded5967e in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:68:3
Previous write of size 4 at 0x7f1ce8c6dfb8 by thread T8:
#0 0x7f1ce531088a in systemAllocPages third_party/WebKit/Source/wtf/PageAllocator.cpp:87:28
#1 0x7f1ce531088a in WTF::allocPages(void*, unsigned long, unsigned long, WTF::PageAccessibilityConfiguration) third_party/WebKit/Source/wtf/PageAllocator.cpp:149
#2 0x7f1cdfee5392 in blink::PageMemoryRegion::allocate(unsigned long, unsigned int, blink::RegionTree*) third_party/WebKit/Source/platform/heap/PageMemory.cpp:69:41
#3 0x7f1cdfee56ef in allocateLargePage third_party/WebKit/Source/platform/heap/PageMemory.h:80:16
#4 0x7f1cdfee56ef in blink::PageMemory::allocate(unsigned long, blink::RegionTree*) third_party/WebKit/Source/platform/heap/PageMemory.cpp:183
#5 0x7f1cdfee2eee in doAllocateLargeObjectPage third_party/WebKit/Source/platform/heap/HeapPage.cpp:800:30
#6 0x7f1cdfee2eee in blink::LargeObjectArena::allocateLargeObjectPage(unsigned long, unsigned long) third_party/WebKit/Source/platform/heap/HeapPage.cpp:787
#7 0x7f1cdfee2b9f in blink::NormalPageArena::outOfLineAllocate(unsigned long, unsigned long) third_party/WebKit/Source/platform/heap/HeapPage.cpp:689:31
#8 0x7f1ce0edb3e2 in allocateObject third_party/WebKit/Source/platform/heap/HeapPage.h:890:12
#9 0x7f1ce0edb3e2 in allocateOnArenaIndex third_party/WebKit/Source/platform/heap/Heap.h:480
#10 0x7f1ce0edb3e2 in WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >** blink::HeapAllocator::allocateHashTableBacking<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*, WTF::HashTable<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*, WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*, WTF::IdentityExtractor, WTF::ListHashSetNodeHashFunctions<WTF::PtrHash<blink::Member<blink::IDBRequest> > >, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*>, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*>, blink::HeapAllocator> >(unsigned long) third_party/WebKit/Source/platform/heap/HeapAllocator.h:79
#11 0x7f1ce0edae28 in allocateZeroedHashTableBacking<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0> > *, WTF::HashTable<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0> > *, WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0> > *, WTF::IdentityExtractor, WTF::ListHashSetNodeHashFunctions<WTF::PtrHash<blink::Member<blink::IDBRequest> > >, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0> > *>, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0> > *>, blink::HeapAllocator> > third_party/WebKit/Source/platform/heap/HeapAllocator.h:84:16
#12 0x7f1ce0edae28 in allocateTable third_party/WebKit/Source/wtf/HashTable.h:1016
#13 0x7f1ce0edae28 in WTF::HashTable<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*, WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*, WTF::IdentityExtractor, WTF::ListHashSetNodeHashFunctions<WTF::PtrHash<blink::Member<blink::IDBRequest> > >, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*>, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*>, blink::HeapAllocator>::rehash(unsigned int, WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >**) third_party/WebKit/Source/wtf/HashTable.h:1180
#14 0x7f1ce0edad89 in expand third_party/WebKit/Source/wtf/HashTable.h:1063:12
#15 0x7f1ce0edad89 in WTF::HashTableAddResult<WTF::HashTable<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*, WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*, WTF::IdentityExtractor, WTF::ListHashSetNodeHashFunctions<WTF::PtrHash<blink::Member<blink::IDBRequest> > >, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*>, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*>, blink::HeapAllocator>, WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*> WTF::HashTable<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*, WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*, WTF::IdentityExtractor, WTF::ListHashSetNodeHashFunctions<WTF::PtrHash<blink::Member<blink::IDBRequest> > >, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*>, WTF::HashTraits<WTF::ListHashSetNode<blink::Member<blink::IDBRequest>, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul> >*>, blink::HeapAllocator>::add<WTF::ListHashSetTranslator<WTF::PtrHash<blink::Member<blink::IDBRequest> > >, blink::IDBRequest*&, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul>&>(blink::IDBRequest*&, blink::HeapListHashSetAllocator<blink::Member<blink::IDBRequest>, 0ul>&) third_party/WebKit/Source/wtf/HashTable.h:861
#16 0x7f1ce0ed4534 in add<blink::IDBRequest *&> third_party/WebKit/Source/wtf/ListHashSet.h:836:19
#17 0x7f1ce0ed4534 in blink::IDBTransaction::registerRequest(blink::IDBRequest*) third_party/WebKit/Source/modules/indexeddb/IDBTransaction.cpp:232
#18 0x7f1ce0ece2e4 in blink::IDBRequest::create(blink::ScriptState*, blink::IDBAny*, blink::IDBTransaction*) third_party/WebKit/Source/modules/indexeddb/IDBRequest.cpp:58:9
#19 0x7f1ce0ec4249 in blink::IDBObjectStore::put(blink::ScriptState*, blink::WebIDBPutMode, blink::IDBAny*, blink::ScriptValue const&, blink::IDBKey*, blink::ExceptionState&) third_party/WebKit/Source/modules/indexeddb/IDBObjectStore.cpp:336:27
#20 0x7f1ce0ec3297 in blink::IDBObjectStore::put(blink::ScriptState*, blink::WebIDBPutMode, blink::IDBAny*, blink::ScriptValue const&, blink::ScriptValue const&, blink::ExceptionState&) third_party/WebKit/Source/modules/indexeddb/IDBObjectStore.cpp:233:12
#21 0x7f1ce0ec340f in blink::IDBObjectStore::put(blink::ScriptState*, blink::ScriptValue const&, blink::ScriptValue const&, blink::ExceptionState&) third_party/WebKit/Source/modules/indexeddb/IDBObjectStore.cpp:225:12
#22 0x7f1ce0d063ac in putMethod out/Release/gen/blink/bindings/modules/v8/V8IDBObjectStore.cpp:138:33
#23 0x7f1ce0d063ac in blink::IDBObjectStoreV8Internal::putMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/modules/v8/V8IDBObjectStore.cpp:148
#24 0x7f1ce06aaf10 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:16:3
#25 0x7f1ce004f467 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>) v8/src/builtins.cc:3981:29
#26 0x7f1ce0085e8e in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) v8/src/builtins.cc:3999:3
#27 0x7f1ce005dac7 in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) v8/src/builtins.cc:3996:1
#28 0x7f1c38306187 (<unknown module>)
#29 0x7f1ce02cfaae in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:163:10
#30 0x7f1ce000a243 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:4478:7
#31 0x7f1ce1e990ef in blink::V8ScriptRunner::callFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:465:40
#32 0x7f1ce1ea0f4e in blink::V8WorkerGlobalScopeEventListener::callListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8WorkerGlobalScopeEventListener.cpp:80:45
#33 0x7f1ce1e7658a in blink::V8AbstractEventListener::invokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:138:23
#34 0x7f1ce1ea0e7b in blink::V8WorkerGlobalScopeEventListener::handleEvent(blink::ScriptState*, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8WorkerGlobalScopeEventListener.cpp:68:5
#35 0x7f1ce1e76238 in blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:84:5
#36 0x7f1ce1357799 in blink::EventTarget::fireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) third_party/WebKit/Source/core/events/EventTarget.cpp:448:9
#37 0x7f1ce1356dbb in blink::EventTarget::fireEventListeners(blink::Event*) third_party/WebKit/Source/core/events/EventTarget.cpp:372:9
#38 0x7f1ce10480ae in blink::IDBEventDispatcher::dispatch(blink::Event*, blink::HeapVector<blink::Member<blink::EventTarget>, 0ul>&) third_party/WebKit/Source/modules/indexeddb/IDBEventDispatcher.cpp:51:5
#39 0x7f1ce0ed1b6c in blink::IDBRequest::dispatchEventInternal(WTF::RawPtr<blink::Event>) third_party/WebKit/Source/modules/indexeddb/IDBRequest.cpp:460:42
#40 0x7f1ce0ecddcc in blink::IDBOpenDBRequest::dispatchEventInternal(WTF::RawPtr<blink::Event>) third_party/WebKit/Source/modules/indexeddb/IDBOpenDBRequest.cpp:176:12
#41 0x7f1ce1356b4d in blink::EventTarget::dispatchEvent(WTF::RawPtr<blink::Event>) third_party/WebKit/Source/core/events/EventTarget.cpp:277:12
#42 0x7f1ce1b24d73 in dispatchEvent third_party/WebKit/Source/core/workers/WorkerEventQueue.cpp:81:9
#43 0x7f1ce1b24d73 in blink::WorkerEventQueue::EventDispatcherTask::performTask(blink::ExecutionContext*) third_party/WebKit/Source/core/workers/WorkerEventQueue.cpp:89
#44 0x7f1ce19d2f0f in blink::WorkerThread::performTask(WTF::PassOwnPtr<blink::ExecutionContextTask>, bool) third_party/WebKit/Source/core/workers/WorkerThread.cpp:120:5
#45 0x7f1ce19d611f in operator()<WTF::PassOwnPtr<blink::ExecutionContextTask> &, bool &> third_party/WebKit/Source/wtf/Functional.h:133:16
#46 0x7f1ce19d611f in callInternal<0, 1, 2> third_party/WebKit/Source/wtf/Functional.h:284
#47 0x7f1ce19d611f in WTF::PartBoundFunctionImpl<(WTF::FunctionThreadAffinity)0, std::__1::tuple<blink::WorkerThread*&&, WTF::PassOwnPtr<blink::ExecutionContextTask>&&, bool&&>, WTF::FunctionWrapper<void (blink::WorkerThread::*)(WTF::PassOwnPtr<blink::ExecutionContextTask>, bool)>>::operator()() third_party/WebKit/Source/wtf/Functional.h:275
#48 0x7f1cdff306d0 in blink::CrossThreadTask::run() third_party/WebKit/Source/platform/Task.h:77:9
#49 0x7f1ce2ebdc8e in scheduler::WebTaskRunnerImpl::runTask(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >) components/scheduler/child/web_task_runner_impl.cc:68:3
#50 0x7f1ce2ebe0e1 in Run<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:159:12
#51 0x7f1ce2ebe0e1 in MakeItSo<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:301
#52 0x7f1ce2ebe0e1 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)>, void (std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:352
#53 0x7f1cded87c1e in Run base/callback.h:397:12
#54 0x7f1cded87c1e in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
#55 0x7f1ce2ec10a1 in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*) components/scheduler/base/task_queue_manager.cc:288:3
#56 0x7f1ce2ebf6c0 in scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) components/scheduler/base/task_queue_manager.cc:200:13
#57 0x7f1ce2ec2209 in Run<const base::TimeTicks &, const bool &> base/bind_internal.h:181:12
#58 0x7f1ce2ec2209 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> base/bind_internal.h:314
#59 0x7f1ce2ec2209 in base::internal::Invoker<base::IndexSequence<0ul, 1ul, 2ul>, base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks, bool>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:352
#60 0x7f1cded87c1e in Run base/callback.h:397:12
#61 0x7f1cded87c1e in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
#62 0x7f1cded0f583 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:476:3
#63 0x7f1cded0fb1e in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:485:5
#64 0x7f1cded0ff06 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:597:13
#65 0x7f1cded13622 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:21
#66 0x7f1cded0ef7c in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:440:3
#67 0x7f1cded32587 in base::RunLoop::Run() base/run_loop.cc:35:3
#68 0x7f1cded0e786 in base::MessageLoop::Run() base/message_loop/message_loop.cc:293:3
#69 0x7f1cded5eeaa in base::Thread::Run(base::MessageLoop*) base/threading/thread.cc:202:3
#70 0x7f1cded5f07a in base::Thread::ThreadMain() base/threading/thread.cc:254:3
#71 0x7f1cded5967e in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:68:3
Apr 8 2016
Race on updating allocPageErrorCode.
Apr 8 2016
tasak@: what is the wanted behavior for allocPageErrorCode across threads - last one to update "wins", or only of interest for the main thread?
Apr 11 2016
Last one to update "wins". I think, once VirtualAlloc fails, another VirtualAlloc will fail for the same reason.
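The pattern under discussion, as an added example that is not Chromium's code: a process-wide error code that every thread calling the page allocator writes on failure, first as the plain static TSan flagged, then as a std::atomic that makes concurrent writers well-defined with last-writer-wins semantics. The namespaces, function names and the simulated failure path are hypothetical stand-ins for PageAllocator's systemAllocPages and s_allocPageErrorCode.

```cpp
// Added example, not Chromium code. Models the race TSan reported: worker
// threads T8 and T10 both fail a page mapping and both write the OS error
// into one shared static. Under -fsanitize=thread the "racy" variant is
// reported as a data race; the "fixed" variant is clean.
#include <atomic>
#include <cstdint>
#include <thread>
#include <vector>

namespace racy {
// Plain static written by every failing call: two unsynchronized 4-byte
// writes from different threads are exactly the "Write of size 4" above.
static int32_t s_allocPageErrorCode = 0;

void* systemAllocPages(bool simulateFailure, int32_t osError) {
    if (simulateFailure) {
        s_allocPageErrorCode = osError;  // data race when threads overlap
        return nullptr;
    }
    return reinterpret_cast<void*>(0x1000);  // constructed non-null result
}
int32_t allocPageErrorCode() { return s_allocPageErrorCode; }
}  // namespace racy

namespace fixed {
// Same variable as an atomic. Relaxed ordering suffices: readers only want
// "the most recent error code", not ordering against other memory.
static std::atomic<int32_t> s_allocPageErrorCode{0};

void* systemAllocPages(bool simulateFailure, int32_t osError) {
    if (simulateFailure) {
        s_allocPageErrorCode.store(osError, std::memory_order_relaxed);
        return nullptr;
    }
    return reinterpret_cast<void*>(0x1000);
}
int32_t allocPageErrorCode() {
    return s_allocPageErrorCode.load(std::memory_order_relaxed);
}
}  // namespace fixed

// Spawns `threads` workers that each fail their allocation repeatedly with a
// distinct constructed error code (1..threads) and returns the value left
// behind once all have joined. With last-writer-wins semantics the result is
// one of the codes written, whichever writer happened to be last.
template <typename AllocFn>
int32_t raceErrorCode(AllocFn alloc, int32_t (*read)(), int threads) {
    std::vector<std::thread> workers;
    for (int32_t i = 1; i <= threads; ++i) {
        workers.emplace_back([alloc, i] {
            for (int k = 0; k < 1000; ++k)
                alloc(true, i);
        });
    }
    for (auto& w : workers) w.join();
    return read();
}

int32_t racyFinalCode(int threads) {
    return raceErrorCode(racy::systemAllocPages, racy::allocPageErrorCode, threads);
}
int32_t fixedFinalCode(int threads) {
    return raceErrorCode(fixed::systemAllocPages, fixed::allocPageErrorCode, threads);
}
```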
Apr 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8826db7f4c75f4ed04fa1c7e2c53a321a599c9b8

commit 8826db7f4c75f4ed04fa1c7e2c53a321a599c9b8
Author: sigbjornf <sigbjornf@opera.com>
Date: Wed Apr 20 14:23:02 2016

Avoid PageAllocator::s_allocPageErrorCode races.

R=
BUG= 601579

Review URL: https://codereview.chromium.org/1903763002

Cr-Commit-Position: refs/heads/master@{#388491}

[modify] https://crrev.com/8826db7f4c75f4ed04fa1c7e2c53a321a599c9b8/third_party/WebKit/Source/wtf/allocator/PageAllocator.cpp
Apr 22 2016
Thank you, sigbjornf.
Apr 24 2016
ClusterFuzz has detected this issue as fixed in range 383042:383055.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5267320498290688
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race WRITE 4
Crash Address: 0x7ff017127fb8
Crash State:
blink::PageMemoryRegion::allocate
blink::PageMemory::allocate
blink::LargeObjectArena::allocateLargeObjectPage
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=383042:383055
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97yRrbKCQoU4l0Ckk0qzP05favCIyBFWjZCSM2o9sv1AcQyXmud6RBD0WVxBXB6Kg0V05H5DPPYHiNPgMotS7N6mIR15A55fGTsNq92FDRyIAc6-OaBgbtMRHQAuOl9ZrCWfiSCCDkJ-7WddXaz8lvaUENssA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by manoranj...@chromium.org, Apr 7 2016
Owner: haraken@chromium.org
Status: Assigned (was: Available)