Data race in I422ToARGBRow_Any_SSSE3
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4567314536333312
Fuzzer: attekett_dom_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7f38c6d69ee8
Crash State:
  I422ToARGBRow_Any_SSSE3
  libyuv::I420ToARGBMatrix
  I420ToARGB
Minimized Testcase (173.89 Kb): https://cluster-fuzz.appspot.com/download/AMIfv944I3-Af_gupzmagU8up-Zds5G0DFA9UcNr4-DBV7YtTXXKyrSaLPfOoS9mD9-ocSapbnAEthVwHlTWxrFhrr_5eD-igtsyVuygTeY-G-OOg8efT2dcrmOF_JWveNm1Y77NOC4nPKXmLfDp3Kh-Ewl0ITCE7qXxBE1MCJaSfNQVFrExoKM
Additional requirements: Requires Gestures
Filer: ashejole
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 14 2016
ClusterFuzz has detected this issue as fixed in range 408378:408381.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4567314536333312
Fuzzer: attekett_dom_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7f38c6d69ee8
Crash State:
  I422ToARGBRow_Any_SSSE3
  libyuv::I420ToARGBMatrix
  I420ToARGB
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=397536:397672
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=408378:408381
Minimized Testcase (173.89 Kb): https://cluster-fuzz.appspot.com/download/AMIfv944I3-Af_gupzmagU8up-Zds5G0DFA9UcNr4-DBV7YtTXXKyrSaLPfOoS9mD9-ocSapbnAEthVwHlTWxrFhrr_5eD-igtsyVuygTeY-G-OOg8efT2dcrmOF_JWveNm1Y77NOC4nPKXmLfDp3Kh-Ewl0ITCE7qXxBE1MCJaSfNQVFrExoKM?testcase_id=4567314536333312
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4857420050595840
Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7f62815f0b04
Crash State:
  I422ToARGBRow_Any_SSSE3
  libyuv::I420ToARGBMatrix
  I420ToARGB
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=397536:397672
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv950CWuY6Qpb1NSClHZBywqzb8PKH3KUElcFvF11rctupcJ_gKmk4r7okgB8ltZWWP41tf903Ej8u5wsvSspGiQMpci574AM5c7ZSmhOiv0p6ffECF8AW2h5q1ioKJb1CXwcfsr1-avTh1ZFIPcAtUHLo2ZGWQBjzmq0B-lloNFyoXZ1rNI?testcase_id=4857420050595840
Additional requirements: Requires Gestures
Issue manually filed by: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 27 2016
ClusterFuzz has detected this issue as fixed in range 414438:414545.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4857420050595840
Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7f62815f0b04
Crash State:
  I422ToARGBRow_Any_SSSE3
  libyuv::I420ToARGBMatrix
  I420ToARGB
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=397536:397672
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=414438:414545
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv950CWuY6Qpb1NSClHZBywqzb8PKH3KUElcFvF11rctupcJ_gKmk4r7okgB8ltZWWP41tf903Ej8u5wsvSspGiQMpci574AM5c7ZSmhOiv0p6ffECF8AW2h5q1ioKJb1CXwcfsr1-avTh1ZFIPcAtUHLo2ZGWQBjzmq0B-lloNFyoXZ1rNI?testcase_id=4857420050595840
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 6 2016
Re-opening the issue as ClusterFuzz has detected the crash again; ClusterFuzz update in the next comment. Thank you.
Sep 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6383685731614720
Fuzzer: inferno_flicker
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7f74926e35a8
Crash State:
  I422ToARGBRow_Any_SSSE3
  libyuv::I420ToARGBMatrix
  I420ToARGB
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=397536:397672
Minimized Testcase (43.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv944-eaips2emgfwsSeSbaLJY1YJTtUULBt3vBL-DXS1sYWEe3G-nrFDu0Z8irLKzwWbgRTNZD0p6dQnqluDIi1RQRsvFaSrJhtfl-RDD-4UNKmgv6ew5XYaYkc69jOq0yztvl2lK8zvFm4yRoIJhArvN59zdEBUhtULjXlyq1ivIu2AlTA?testcase_id=6383685731614720
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 10 2017
Could someone please look into this issue if it is still valid? Thank you.
Feb 14 2017
https://codereview.chromium.org/2693003003/#ps20001
Feb 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/82dafff44d048b03c236469ed4f5d2c260a4e95c

commit 82dafff44d048b03c236469ed4f5d2c260a4e95c
Author: dalecurtis <dalecurtis@chromium.org>
Date: Tue Feb 14 05:31:16 2017

Initialize libyuv CPU features in a thread safe manner.

This will solve any raciness inside the renderer process. If libyuv is used in the browser process or elsewhere we should add a similar initializer there.

BUG=618640
TEST=none
TBR=fbarchard

Review-Url: https://codereview.chromium.org/2693003003
Cr-Commit-Position: refs/heads/master@{#450267}

[modify] https://crrev.com/82dafff44d048b03c236469ed4f5d2c260a4e95c/media/base/media.cc
Feb 14 2017
Hmm, my fix didn't help the issue in c#7; it looks like the problem is not in initialization but instead in some other code running every call: https://cs.chromium.org/chromium/src/third_party/libyuv/source/row_any.cc?sq=package:chromium&type=cs&l=122

#1 0x7f74cf03e5d3 in I422ToARGBRow_Any_SSSE3 third_party/libyuv/source/row_any.cc:122:1
#2 0x7f74cf0385dd in libyuv::I420ToARGBMatrix(unsigned char const*, int, unsigned char const*, int, unsigned char const*, int, unsigned char*, int, libyuv::YuvConstants const*, int, int) third_party/libyuv/source/convert_argb.cc:107:5
#3 0x7f74cf03844b in I420ToARGB third_party/libyuv/source/convert_argb.cc:125:10

Back to Frank for investigation.
Mar 22 2017
ClusterFuzz has detected this issue as fixed in range 458507:458565.
Detailed report: https://clusterfuzz.com/testcase?key=6383685731614720
Fuzzer: inferno_flicker
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7f74926e35a8
Crash State:
  I422ToARGBRow_Any_SSSE3
  libyuv::I420ToARGBMatrix
  I420ToARGB
Sanitizer: thread (TSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=397536:397672
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=458507:458565
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv944-eaips2emgfwsSeSbaLJY1YJTtUULBt3vBL-DXS1sYWEe3G-nrFDu0Z8irLKzwWbgRTNZD0p6dQnqluDIi1RQRsvFaSrJhtfl-RDD-4UNKmgv6ew5XYaYkc69jOq0yztvl2lK8zvFm4yRoIJhArvN59zdEBUhtULjXlyq1ivIu2AlTA?testcase_id=6383685731614720
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 5 2017
Is ClusterFuzz saying the race condition is fixed?
May 25 2017
Issue has been reproduced and a fix proposed.

gn gen out/Release "--args=is_debug=false is_tsan=true"
ninja -v -C out/Release
out/Release/libyuv_unittest --gtest_filter=LibYUVCpuThreadTest.TestCpuFlagMultipleThreads

3 fixes worked to various degrees:
atomics
thread local storage
attribute to disable the warning

The proposed fix is atomics. 2 ways were tried:
1. c++11
2. gnu atomics

The c++11 atomics are not supported in some versions of gcc. It's an optional component. The c11 atomics are not compatible with c++11 atomics, nor can c++97 or c89 use the c++11 atomics, so a mix of languages in calling apps is problematic. On clang 3.8, c++11 is not default, and the header produces build errors if included, so compilers need updating or build systems need to enable c++11 to use the c++11 atomics.

So gnu atomics are used, which work in gcc 3.1+ and clang, and clang-cl on windows.

__thread also worked well, but has a performance penalty. Worth considering for long term though, allowing each thread to change the cpu settings.

Code produced with gnu atomics is the same as using an int - confirmed by disassembly of the binary.
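The following is an added example, not libyuv's or Chromium's code, written to illustrate the three options the May 25 2017 comment says were tried (a plain int, which is the racy baseline TSAN complains about; GNU __atomic builtins, the fix that was landed; and __thread) together with the kind of multi-threaded accessor test that TestCpuFlagMultipleThreads names. The flag constants, the ProbeCpuFlags stub standing in for cpuid probing, the thread and iteration counts and the function names are assumptions for the example; libyuv's real cpu_info_ layout and probing are not modelled.

```c
#include <pthread.h>
#include <stdio.h>

/* Bit layout of the cached flags word (hypothetical, not libyuv's real
   constants). Any non-zero value also means "already probed". */
enum { kCpuInitialized = 1, kCpuHasSSSE3 = 2, kCpuHasAVX2 = 4 };

/* Stand-in for the cpuid probe; returns a fixed answer so the example runs
   on any machine. Idempotent: every caller computes the same word. */
static int ProbeCpuFlags(void) { return kCpuInitialized | kCpuHasSSSE3; }

/* 1. Racy form: a plain int lazily filled in on first use. Two threads that
   both see 0 race on the store, and every later reader races with that
   store. TSAN reports this as a data race even though the value stored is
   always identical, which is why no wrong output is ever observed. */
static int racy_cpu_info = 0;

int RacyTestCpuFlag(int flag) {
  if (racy_cpu_info == 0) {
    racy_cpu_info = ProbeCpuFlags();
  }
  return racy_cpu_info & flag;
}

/* 2. Fixed form: every access goes through the GNU __atomic builtins
   (gcc 4.7+, clang, clang-cl). Relaxed ordering is enough only because the
   cache is a single int and the probe is idempotent; nothing else is
   published through it. On x86 the load and store compile to plain movs,
   matching the "same as using an int" observation in the comment above. */
static int atomic_cpu_info = 0;

int AtomicTestCpuFlag(int flag) {
  int info = __atomic_load_n(&atomic_cpu_info, __ATOMIC_RELAXED);
  if (info == 0) {
    info = ProbeCpuFlags();
    __atomic_store_n(&atomic_cpu_info, info, __ATOMIC_RELAXED);
  }
  return info & flag;
}

/* 3. Thread-local form: each thread owns its copy, so there is no shared
   state to race on, at the cost of one probe per thread and a TLS lookup
   on every call. */
static __thread int tls_cpu_info = 0;

int TlsTestCpuFlag(int flag) {
  if (tls_cpu_info == 0) {
    tls_cpu_info = ProbeCpuFlags();
  }
  return tls_cpu_info & flag;
}

/* Hammer one accessor from several threads, the way a multi-thread unit
   test would. Returns the number of calls that saw the SSSE3 bit, or -1 if
   a thread could not be started; with a correct accessor it is every call. */
enum { kThreads = 8, kIters = 100000 };

struct WorkerArg {
  int (*test)(int);
  long hits;
};

static void* Worker(void* p) {
  struct WorkerArg* a = (struct WorkerArg*)p;
  for (int i = 0; i < kIters; ++i) {
    if (a->test(kCpuHasSSSE3)) a->hits++;
  }
  return NULL;
}

long RunThreaded(int (*test)(int)) {
  pthread_t tid[kThreads];
  struct WorkerArg args[kThreads];
  long total = 0;
  int created = 0;
  for (; created < kThreads; ++created) {
    args[created].test = test;
    args[created].hits = 0;
    if (pthread_create(&tid[created], NULL, Worker, &args[created]) != 0) break;
  }
  for (int i = 0; i < created; ++i) { /* join only what was started */
    pthread_join(tid[i], NULL);
    total += args[i].hits;
  }
  return created == kThreads ? total : -1;
}

int main(void) {
  /* Build with: cc -O1 -g -fsanitize=thread -pthread race.c -o race
     TSAN flags the racy accessor; the atomic and TLS ones stay quiet.
     All three print the same count, so the bug is invisible without a
     sanitizer. */
  printf("racy   : %ld\n", RunThreaded(RacyTestCpuFlag));
  printf("atomic : %ld\n", RunThreaded(AtomicTestCpuFlag));
  printf("tls    : %ld\n", RunThreaded(TlsTestCpuFlag));
  return 0;
}
```

The practical check is the sanitizer, not the output: run the binary under -fsanitize=thread and confirm only RacyTestCpuFlag is reported. Relaxed atomics are the right tool here only because a single idempotent word is cached; if the probe filled in a struct or table, the store would need release ordering and the load acquire ordering so readers see the whole result.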
May 25 2017
Fixed with this roll: https://codereview.chromium.org/2906563003
Uses clang's built-in atomics to access cpu_info_.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by ashej...@chromium.org, Jun 9 2016
Components: Tools>Test>FindIt>NoResult
Labels: -Pri-2 Te-Logged Pri-3