Data race in blink::MediaQueryEvaluator::eval
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5954650943782912
Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 8
Crash Address: 0x7f43e8c9a428
Crash State:
  blink::MediaQueryEvaluator::eval
  blink::MediaQueryEvaluator::eval
  blink::MediaQueryEvaluator::eval
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=403874:403894
Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96S6wuT0J7W5X8dE6UdKgjaWVRjorSTp_MbcEJg9hLK6KjBYy-3UNoYZdSTZF5D9-fiEosUlabHAdaoPNDtunBu7mmLimzx5LNTkqmjo1q7SpPJ68yLP2WyTH3CTiqH8sqLNhtfVDkHtLvIvozmFp6GRRGv7g?testcase_id=5954650943782912
Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 8 2016
Jul 8 2016
Can you attach the test case here (or send it to me by mail)? I don't have access permissions to ClusterFuzz.
Jul 8 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 8 2016
Please find the attached testcase. Thank you.
Jul 11 2016
@kouhei - maybe https://codereview.chromium.org/2041013004/ is weirdly responsible for this? (It's the only CL in the range that seems vaguely related)
Jul 11 2016
Jul 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ce6b9dfd435e967107e9677a902371864ef1bc59

commit ce6b9dfd435e967107e9677a902371864ef1bc59
Author: kouhei <kouhei@chromium.org>
Date: Mon Jul 11 21:43:45 2016

Initialize gFunctionMap from CoreInitializer

Before this CL, gFunctionMap init was racy, as it could be initialized from both BackgroundParserThread/CrRendererMain. This CL ties the init to blink::initialize() to avoid the issue.

BUG=626493
Review-Url: https://codereview.chromium.org/2135083003
Cr-Commit-Position: refs/heads/master@{#404738}

[modify] https://crrev.com/ce6b9dfd435e967107e9677a902371864ef1bc59/third_party/WebKit/Source/core/CoreInitializer.cpp
[modify] https://crrev.com/ce6b9dfd435e967107e9677a902371864ef1bc59/third_party/WebKit/Source/core/css/MediaQueryEvaluator.cpp
[modify] https://crrev.com/ce6b9dfd435e967107e9677a902371864ef1bc59/third_party/WebKit/Source/core/css/MediaQueryEvaluator.h
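The commit above describes the bug class in one sentence: a global lookup table was populated lazily by whichever thread evaluated a media query first, so the parser thread and the renderer main thread could both initialize it, and the fix moves the initialization into the single-threaded startup path. The example below is added here to illustrate that pattern and its fix; it is not Chromium's code. The names gFunctionMap and coreInitialize() are borrowed from the commit, while the feature evaluators (min-width, max-width, color), racyEval(), eval() and concurrentEvalCount() are constructed stand-ins.

```cpp
#include <atomic>
#include <cassert>
#include <cstdio>
#include <string>
#include <thread>
#include <unordered_map>
#include <vector>

// An evaluation function for one media feature: given the feature's value,
// answer whether the query matches. The three features are constructed samples.
using EvalFunction = bool (*)(int);
using FunctionMap = std::unordered_map<std::string, EvalFunction>;

static bool evalMinWidth(int v) { return v >= 320; }
static bool evalMaxWidth(int v) { return v <= 1920; }
static bool evalColor(int v) { return v > 0; }

static FunctionMap* makeFunctionMap() {
    return new FunctionMap{
        {"min-width", evalMinWidth},
        {"max-width", evalMaxWidth},
        {"color", evalColor},
    };
}

// ---- "Before": lazy, unsynchronized initialization ----------------------
// Whichever thread evaluates first populates the table. If two threads (say a
// parser thread and the main thread) pass the null check together, both may
// allocate, and one can read a pointer or map entries the other is still
// writing. That unsynchronized access is what ThreadSanitizer reports as a
// data race. It is kept here only for comparison and is never called from
// more than one thread in this example.
static FunctionMap* gRacyFunctionMap = nullptr;

bool racyEval(const std::string& feature, int value) {
    if (!gRacyFunctionMap)                      // unsynchronized read ...
        gRacyFunctionMap = makeFunctionMap();   // ... and unsynchronized write
    auto it = gRacyFunctionMap->find(feature);
    return it != gRacyFunctionMap->end() && it->second(value);
}

// ---- "After": eager initialization from a single-threaded startup hook -----
static FunctionMap* gFunctionMap = nullptr;
static std::atomic<bool> gFunctionMapInitialized{false};

// Stand-in for the startup path (blink::initialize() in the commit). It runs
// once, before any evaluator thread exists, so the only write to gFunctionMap
// happens-before every later read. Returns false if already initialized.
bool coreInitialize() {
    if (gFunctionMapInitialized.load(std::memory_order_acquire))
        return false;
    gFunctionMap = makeFunctionMap();
    gFunctionMapInitialized.store(true, std::memory_order_release);
    return true;
}

// Read-only lookup, safe from any number of threads after coreInitialize().
// Calling it earlier is a programming error, so it fails loudly rather than
// falling back to lazy initialization. Unknown features evaluate to false.
bool eval(const std::string& feature, int value) {
    assert(gFunctionMapInitialized.load(std::memory_order_acquire));
    auto it = gFunctionMap->find(feature);
    return it != gFunctionMap->end() && it->second(value);
}

// Evaluate "min-width" for values 0..perThread-1 on `threads` threads at once
// and return the total number of matches. After coreInitialize() only reads
// touch gFunctionMap, so there is nothing for TSan to report.
int concurrentEvalCount(int threads, int perThread) {
    std::atomic<int> matches{0};
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([&] {
            int local = 0;
            for (int v = 0; v < perThread; ++v)
                if (eval("min-width", v)) ++local;
            matches.fetch_add(local, std::memory_order_relaxed);
        });
    }
    for (auto& w : workers) w.join();
    return matches.load();
}

int main() {
    coreInitialize();  // the startup hook runs before any worker thread
    std::printf("min-width 800 -> %d, matches across 4 threads: %d\n",
                static_cast<int>(eval("min-width", 800)),
                concurrentEvalCount(4, 1000));
    return 0;
}
```

Building the example with `-fsanitize=thread` and calling racyEval() from several threads at once is how this class of bug surfaces in fuzzing jobs like linux_tsan_chrome_mp; with eager initialization the worker threads only ever read the table, so the same build runs clean.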
Jul 12 2016
Jul 12 2016
ClusterFuzz has detected this issue as fixed in range 404631:404810.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5954650943782912
Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 8
Crash Address: 0x7f43e8c9a428
Crash State:
  blink::MediaQueryEvaluator::eval
  blink::MediaQueryEvaluator::eval
  blink::MediaQueryEvaluator::eval
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=403874:403894
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=404631:404810
Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96S6wuT0J7W5X8dE6UdKgjaWVRjorSTp_MbcEJg9hLK6KjBYy-3UNoYZdSTZF5D9-fiEosUlabHAdaoPNDtunBu7mmLimzx5LNTkqmjo1q7SpPJ68yLP2WyTH3CTiqH8sqLNhtfVDkHtLvIvozmFp6GRRGv7g?testcase_id=5954650943782912

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Jul 7 2016
Components: Tools>Test>FindIt>NoResult Blink>CSS
Labels: Te-Logged M-53
Owner: dgozman@chromium.org
Status: Assigned (was: Available)