Lock-order-inversion in pthread_mutex_lock
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5284082207948800
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  base::internal::LockImpl::Lock
  IPC::ChannelMojo::Send
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=392692:392770
Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9796-xurMSVGIShhn0_w1FEOLAYAFvqmOyzFzMfYoty4XVDS2g7Ch0AS8kleFphDTjGJmqSK__Pi9mau4fG2GKaVU32ZSPEETw5ruknmE5LH37PwYxZ-JNe0jyVVV4xTFBLBarJZ5Ux7T04al2UnR6rM1SUsQ
return result;
</script>
<script type="text/javascript">
var gContext = null;
gContext = new AudioContext();
gSecondConnection.setLocalDescription();
</script>
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
Filer: rnimmagadda
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 12 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5284082207948800
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  base::internal::LockImpl::Lock
  IPC::ChannelMojo::Send
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=392692:392770
Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9796-xurMSVGIShhn0_w1FEOLAYAFvqmOyzFzMfYoty4XVDS2g7Ch0AS8kleFphDTjGJmqSK__Pi9mau4fG2GKaVU32ZSPEETw5ruknmE5LH37PwYxZ-JNe0jyVVV4xTFBLBarJZ5Ux7T04al2UnR6rM1SUsQ
return result;
</script>
<script type="text/javascript">
var gContext = null;
gContext = new AudioContext();
gSecondConnection.setLocalDescription();
</script>
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 17 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5751885683752960
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  base::internal::LockImpl::Lock
  IPC::ChannelMojo::Send
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97MXhtYDqQITpxpxmuWzHkU0C-jscY54F6ShW_1dLFg1QJJoAx6cDzN5mWe7etnTKPI-TK-J7Txu2-2KgoXR8YgfkPNidz4NASBd3dXSPJnnqhkiJOfZ-FlmLxWwKp1SDd_yFe0C_mEOMFrxxCzhGG_mm2g_e7i-cT9Ko1m-OPGDdm9eJE
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
Filer: ranjitkan
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 18 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5751885683752960
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  base::internal::LockImpl::Lock
  IPC::ChannelMojo::Send
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97MXhtYDqQITpxpxmuWzHkU0C-jscY54F6ShW_1dLFg1QJJoAx6cDzN5mWe7etnTKPI-TK-J7Txu2-2KgoXR8YgfkPNidz4NASBd3dXSPJnnqhkiJOfZ-FlmLxWwKp1SDd_yFe0C_mEOMFrxxCzhGG_mm2g_e7i-cT9Ko1m-OPGDdm9eJE
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5978438514507776
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  base::internal::LockImpl::Lock
  IPC::ChannelMojo::Send
Minimized Testcase (0.83 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97xhMsu-XS0qK1zyldEmWC5gzRX0A49yJDadrOcRoWcJQu7hRJb2F0ic5wUy7yq7FI_mXbUkCAdMDKWD-Fe4ds2ImRM-krzZkiUAlrme_FWgV_pWPGKEe8-qwIG46StXlKHAac5-QpRLVuPldLzoHD6jqASrQ
<script>
if (navigator.mozGetUserMedia) {
  if (turnUrlParts.length === 1 || 'transport=udp' === 0) {
  }
} else if (navigator.webkitGetUserMedia) {
  RTCPeerConnection = function(pcConfig, pcConstraints) {
    return new webkitRTCPeerConnection(pcConfig);
  };
}
/** */
gContext = new AudioContext();
var inputSink = gContext.createMediaStreamDestination();
callUsingStream(inputSink.stream);
function callUsingStream(localStream) {
  gFirstConnection = new RTCPeerConnection();
  gFirstConnection.addStream(localStream);
  negotiate();
}
function negotiate() {
  gFirstConnection.createOffer(onOfferCreated, function() {});
}
function onOfferCreated(offer) {
  gFirstConnection.setLocalDescription(offer, function() { }, function() {});
}
</script>
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
Filer: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 19 2016
ClusterFuzz has detected this issue as fixed in range 394251:394729.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5978438514507776
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  base::internal::LockImpl::Lock
  IPC::ChannelMojo::Send
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=394251:394729
Minimized Testcase (0.83 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97xhMsu-XS0qK1zyldEmWC5gzRX0A49yJDadrOcRoWcJQu7hRJb2F0ic5wUy7yq7FI_mXbUkCAdMDKWD-Fe4ds2ImRM-krzZkiUAlrme_FWgV_pWPGKEe8-qwIG46StXlKHAac5-QpRLVuPldLzoHD6jqASrQ
<script>
if (navigator.mozGetUserMedia) {
  if (turnUrlParts.length === 1 || 'transport=udp' === 0) {
  }
} else if (navigator.webkitGetUserMedia) {
  RTCPeerConnection = function(pcConfig, pcConstraints) {
    return new webkitRTCPeerConnection(pcConfig);
  };
}
/** */
gContext = new AudioContext();
var inputSink = gContext.createMediaStreamDestination();
callUsingStream(inputSink.stream);
function callUsingStream(localStream) {
  gFirstConnection = new RTCPeerConnection();
  gFirstConnection.addStream(localStream);
  negotiate();
}
function negotiate() {
  gFirstConnection.createOffer(onOfferCreated, function() {});
}
function onOfferCreated(offer) {
  gFirstConnection.setLocalDescription(offer, function() { }, function() {});
}
</script>
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 23 2016
I think this is due to the ThreadSafeSender switch, introduced with ChannelMojo recently. rockot: Could you handle this?
,
May 24 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/06325bce94fafdd8df10ab1d41723a5a36587e0d

commit 06325bce94fafdd8df10ab1d41723a5a36587e0d
Author: rockot <rockot@chromium.org>
Date: Tue May 24 00:27:02 2016

ChannelMojo: Don't signal Channel errors with lock held

This eliminates a lock-order inversion between ChannelMojo and SyncMessageFilter.

BUG= 611338
R=sammc@chromium.org

Review-Url: https://codereview.chromium.org/2000213002
Cr-Commit-Position: refs/heads/master@{#395483}

[modify] https://crrev.com/06325bce94fafdd8df10ab1d41723a5a36587e0d/ipc/mojo/ipc_channel_mojo.cc
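The locking pattern named in the commit message above, as an added C++ example that is not part of this thread and is not Chromium's code: a small lock-order tracker counts inversions when a listener is notified with the channel lock held, and when the error is signaled after the lock is released. TrackedLock, Filter, Channel and CountInversions are hypothetical names, and the path where the filter sends while holding its own lock is an assumption made for the illustration.

```cpp
// Added illustration: hypothetical names, not Chromium code. Single-threaded model.
#include <mutex>
#include <set>
#include <utility>
#include <vector>
static std::set<std::pair<int, int>> g_edges;  // (held, acquired) orders seen so far
static std::vector<int> g_held;                // ids of locks held right now
static int g_inversions = 0;
struct TrackedLock {
  int id; std::mutex mu;
  void Lock() {
    for (int h : g_held) {
      if (g_edges.count(std::make_pair(id, h))) ++g_inversions;  // reverse order seen before
      g_edges.emplace(h, id);
    }
    mu.lock(); g_held.push_back(id);
  }
  void Unlock() { g_held.pop_back(); mu.unlock(); }
};
struct Filter {
  TrackedLock lock{1};
  void OnChannelError() { lock.Lock(); lock.Unlock(); }
};

struct Channel {
  TrackedLock lock{2};
  Filter* listener = nullptr; bool broken = false;
  void SendBuggy() {  // before: listener is called with the channel lock held
    lock.Lock();
    if (broken) listener->OnChannelError();
    lock.Unlock();
  }
  void SendFixed() {  // after: record the error, signal once the lock is released
    lock.Lock();
    bool signal_error = broken;
    lock.Unlock();
    if (signal_error) listener->OnChannelError();
  }
};

int CountInversions(bool fixed) {
  g_edges.clear(); g_held.clear(); g_inversions = 0;
  Filter filter; Channel channel; channel.listener = &filter;
  filter.lock.Lock();  // path 1 (assumed): filter sends while holding its own lock
  fixed ? channel.SendFixed() : channel.SendBuggy();
  filter.lock.Unlock();
  channel.broken = true;  // path 2: a later send hits a channel error
  fixed ? channel.SendFixed() : channel.SendBuggy();
  return g_inversions;
}
```

The tracker flags an inversion from the recorded acquisition orders alone, without the two paths ever running concurrently, which is why a report like this one can appear even when no deadlock occurred during the run.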
,
May 24 2016
,
May 24 2016
This is a stability fix affecting all platforms. It's out in current canaries and is safe to merge.
,
May 24 2016
Your change meets the bar and is auto-approved for M52 (branch: 2743)
,
May 24 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9aae2383da1ee43b1e5980252cfde40a9ee7d41f

commit 9aae2383da1ee43b1e5980252cfde40a9ee7d41f
Author: Ken Rockot <rockot@chromium.org>
Date: Tue May 24 23:32:41 2016

ChannelMojo: Don't signal Channel errors with lock held

This eliminates a lock-order inversion between ChannelMojo and SyncMessageFilter.

BUG= 611338
R=sammc@chromium.org

Review-Url: https://codereview.chromium.org/2000213002
Cr-Commit-Position: refs/heads/master@{#395483}
(cherry picked from commit 06325bce94fafdd8df10ab1d41723a5a36587e0d)

Review URL: https://codereview.chromium.org/2013673002 .

Cr-Commit-Position: refs/branch-heads/2743@{#43}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/9aae2383da1ee43b1e5980252cfde40a9ee7d41f/ipc/mojo/ipc_channel_mojo.cc
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rnimmagadda@chromium.org, May 12 2016
Owner: tzik@chromium.org
Status: Assigned (was: Available)