
Issue 605479 link


Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Data race in SkRWBuffer::append

Project Member Reported by ClusterFuzz, Apr 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6645208069963776

Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 8
Crash Address: 0x7d800007e008
Crash State:
  SkRWBuffer::append
  blink::DeferredImageDecoder::setData
  blink::ImageSource::setData
  

Minimized Testcase (0.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96HNiYgFuTSK10ljIiQyN0EjhxqS46FjzVQlhN7dvAeLtfcE394DNlNbs72ZP-8TmgY-QkqdVLWqjmsn_KVaZgrgGEhcwcRpo4n_I_ReXlTllfamap_WA6qe9eDvkzN71zco7ZvrvN3ndHajl_8zihSAIKWDA

Additional requirements: Requires Gestures

Filer: ssamanoori

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: ToolsTestsFindItNoResult M-50 Te-Logged
Owner: scroggo@chromium.org
Status: Assigned (was: Available)
Through code search of the file 'SegmentReader.cpp', suspecting the below:
https://chromium.googlesource.com/chromium/src/+/d2234904faee943bd987bd38d620096db808efca%5E%21/third_party/WebKit/Source/platform/image-decoders/SegmentReader.cpp

scroggo@ Could you please look into this issue if it's related to your change; else please reassign it to an appropriate dev person.
Status: Started (was: Assigned)
Yes, this was introduced by my change. I have a CL in progress at https://codereview.chromium.org/1871953002 to fix.
Cc: scroggo@chromium.org
Issue 605896 has been merged into this issue.
Project Member

Comment 4 by bugdroid1@chromium.org, Apr 22 2016

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/635164028594b4af0086ec85b5e4570dd11091da

commit 635164028594b4af0086ec85b5e4570dd11091da
Author: scroggo <scroggo@google.com>
Date: Fri Apr 22 13:59:01 2016

Fixes for SkRWBuffer

Do not call SkBufferHead::validate in SkROBuffer's destructor, which
may be called in a separate thread from SkRWBuffer::append. validate()
reads SkBufferBlock::fUsed, and append() writes to it, resulting in
a data race.

Update some comments to be more clear about how it is safe to use
these classes across threads.

Test the readers in separate threads.

In addition, make sure it is safe to create a reader even when no
data has been appended. Add tests for this case.

Mark a parameter to SkBufferHead::validate() as const, reflecting
its use.

BUG= chromium:601578 
BUG= chromium:605479 

GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=1871953002

Review URL: https://codereview.chromium.org/1871953002

[modify] https://crrev.com/635164028594b4af0086ec85b5e4570dd11091da/include/core/SkRWBuffer.h
[modify] https://crrev.com/635164028594b4af0086ec85b5e4570dd11091da/src/core/SkRWBuffer.cpp
[modify] https://crrev.com/635164028594b4af0086ec85b5e4570dd11091da/tests/DataRefTest.cpp
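As an added illustration of the reader/writer split the commit message describes (a hypothetical C++ model written for this page, not Skia's SkRWBuffer code): the writer alone mutates the block list and publishes the byte count with release semantics, and a reader takes its snapshot with acquire semantics, reads only up to that snapshot, and never touches writer-owned fields afterwards, so there is nothing for its destructor to validate. The names AppendBuffer, Reader, Block and concurrent_readers_see_prefixes are assumptions of this example.

```cpp
#include <algorithm>
#include <atomic>
#include <string>
#include <thread>
#include <vector>

// Hypothetical single-writer/multi-reader append buffer (not Skia's code) modelling the
// SkRWBuffer/SkROBuffer split: blocks are immutable once published, readers only snapshot.
struct Block {
    std::vector<char> bytes;                          // immutable after publication
    std::atomic<Block*> next{nullptr};
};
struct Reader {                                       // plain value: nothing to validate on destruction
    const Block* block; size_t remaining;             // taken once; writer-owned state is never touched
    // Copies only the bytes visible at snapshot time, so the in-progress tail is never read.
    std::string read() const {
        std::string out;
        for (const Block* b = block; b && out.size() < remaining; b = b->next.load())
            out.append(b->bytes.data(), std::min(b->bytes.size(), remaining - out.size()));
        return out;
    }
};
class AppendBuffer {
public:
    ~AppendBuffer() { for (Block* b = fHead.load(); b;) { Block* n = b->next.load(); delete b; b = n; } }
    // Writer thread only: link the block, then publish the total with release semantics.
    void append(const char* src, size_t len) {
        Block* b = new Block{std::vector<char>(src, src + len)};
        if (fTail) fTail->next.store(b); else fHead.store(b);
        fTail = b;
        fAvailable.fetch_add(len, std::memory_order_release);
    }
    // Any thread, at any time, including before the first append: acquire pairs with the release.
    Reader snapshot() const { return Reader{fHead.load(), fAvailable.load(std::memory_order_acquire)}; }
private:
    std::atomic<Block*> fHead{nullptr};
    Block* fTail = nullptr;                           // writer-owned, never read by readers
    std::atomic<size_t> fAvailable{0};
};
// Writer thread appends byte by byte while this thread snapshots; true if every snapshot is a prefix.
bool concurrent_readers_see_prefixes() {
    AppendBuffer buf;
    const std::string stream = "abcdefghijklmnopqrstuvwxyz0123456789";
    auto is_prefix = [&](const std::string& s) { return stream.compare(0, s.size(), s) == 0; };
    std::thread writer([&] { for (char c : stream) buf.append(&c, 1); });
    bool ok = true;
    for (int j = 0; j < 5000 && ok; ++j) ok = is_prefix(buf.snapshot().read());
    writer.join();
    return ok && buf.snapshot().read() == stream;
}
```

Built with ThreadSanitizer, the same shape of test is what catches a reader that inspects the writer's tail block, which is the race the commit removed from the destructor.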

Status: Fixed (was: Started)
Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
