Data race in blink::SerializedScriptValue::~SerializedScriptValue

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6517539826040832
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race WRITE 8
Crash Address: 0x7d1000056928
Crash State:
  blink::SerializedScriptValue::~SerializedScriptValue
  blink::SerializedScriptValue::~SerializedScriptValue
  blink::MessagePortV8Internal::postMessageImpl
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=410296:410304
Minimized Testcase (0.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Yvk2sfjHDnuhNn1jUzgQesxB-4ErjPuFLyPIUBneWtXI2GjsRG7trPrBrkGTMMeS7KxyieD7ogI2jNRdKe63ESYzOsQuURJNk7e1WkPbk5H8gHN73bK_l5SD3NzDHDimFe34GmuWGLORz1sDxBWpkvKbCCg?testcase_id=6517539826040832
Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Aug 8 2016
jbroman@ Can you take this?

Aug 9 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/414c42a0b400f213b58314c1b26926f9b897ac8a

commit 414c42a0b400f213b58314c1b26926f9b897ac8a
Author: jbroman <jbroman@chromium.org>
Date: Tue Aug 09 19:37:08 2016

Fix a data race in WebMessagePortChannelImpl.

It's unsafe to pass a WebString (which is logically a RefPtr<StringImpl>) across threads because the underlying object is not thread-safe ref-counted. Instead, the base::string16 that the receiving method accepts should be constructed before posting the task.

BUG=635659
Review-Url: https://codereview.chromium.org/2224393002
Cr-Commit-Position: refs/heads/master@{#410761}

[modify] https://crrev.com/414c42a0b400f213b58314c1b26926f9b897ac8a/content/child/webmessageportchannel_impl.cc
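The commit message above states the rule without showing it. The following is an added illustration, not Chromium code and not part of this bug thread: a simplified C++ model in which `StringImpl`, `RefPtr`, and `PostTaskAndWait` are stand-ins for the real WTF/Blink types and task runner, and `std::u16string` stands in for `base::string16`. The ref count is a plain `int`, as in the real non-thread-safe `StringImpl`, and a diagnostic counter records every ref/deref made off the creating thread. `PostMessageUnsafe` is the pre-fix shape (the task carries the `RefPtr`), `PostMessageSafe` is the post-fix shape (the plain string is built on the sending thread before the task is posted).

```cpp
// Added illustration; simplified stand-ins for WTF::StringImpl / RefPtr /
// WebString, NOT the real Blink types. Shows why handing a non-thread-safe
// ref-counted string to another thread is a data race, and the fix shape
// from the commit: build the plain string value before posting the task.
#include <cstdio>
#include <functional>
#include <string>
#include <thread>

// Stand-in for StringImpl: the ref count is a plain int, like the real
// (non-thread-safe) one. It records which thread created it and counts every
// ref/deref made from any other thread, the kind of unsynchronised write that
// ThreadSanitizer reported as "Data race WRITE 8" in this bug.
struct StringImpl {
    explicit StringImpl(std::u16string s) : chars(std::move(s)) {}
    std::u16string chars;
    int ref_count = 0;                                  // deliberately not atomic
    std::thread::id owner = std::this_thread::get_id(); // thread that created it
    int off_thread_ops = 0;                             // diagnostic only

    void Ref()   { Note(); ++ref_count; }
    void Deref() { Note(); --ref_count; }               // real code would delete at 0

private:
    void Note() { if (std::this_thread::get_id() != owner) ++off_thread_ops; }
};

// Minimal RefPtr<StringImpl>: copying refs, destroying derefs. A WebString is
// logically one of these.
class RefPtr {
public:
    explicit RefPtr(StringImpl* p) : p_(p) { if (p_) p_->Ref(); }
    RefPtr(const RefPtr& o) : p_(o.p_) { if (p_) p_->Ref(); }
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { if (p_) p_->Deref(); }
    StringImpl* get() const { return p_; }
private:
    StringImpl* p_;
};

// Stand-in for posting to another thread's task runner: run the closure on a
// fresh thread and wait for it. The join serialises the two threads, so this
// demo cannot crash; the diagnostic counter is what exposes the hazard.
static void PostTaskAndWait(std::function<void()> task) {
    std::thread worker(std::move(task));
    worker.join();
}

// Pattern BEFORE the fix: the task carries the RefPtr itself, so the receiving
// thread copies and destroys it, touching the non-atomic ref count off the
// owning thread. With a concurrent sender or receiver that is a data race.
std::u16string PostMessageUnsafe(StringImpl* impl) {
    RefPtr message(impl);
    std::u16string received;
    PostTaskAndWait([message, &received] {
        RefPtr local = message;          // Ref() on the worker thread
        received = local.get()->chars;   // ... and Deref() there when local dies
    });
    return received;
}

// Pattern AFTER the fix: construct the plain value (base::string16 in the real
// code, std::u16string here) on the sending thread; the task carries only that
// value, so no ref count is touched on the other thread.
std::u16string PostMessageSafe(StringImpl* impl) {
    RefPtr message(impl);
    std::u16string plain = message.get()->chars;   // copy made on this thread
    std::u16string received;
    PostTaskAndWait([plain, &received] { received = plain; });
    return received;
}

int main() {
    StringImpl before(u"hello"), after(u"hello");
    PostMessageUnsafe(&before);
    PostMessageSafe(&after);
    std::printf("off-thread refcount ops: unsafe=%d safe=%d\n",
                before.off_thread_ops, after.off_thread_ops);
    return 0;
}
```

The `off_thread_ops` counter is the kind of check a debug-build thread-affinity assertion provides; in production the equivalent signal is a TSan report like the one in this bug, which is why the fix converts to a plain value before the cross-thread hop rather than adding locking around the string.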

Aug 10 2016
ClusterFuzz has detected this issue as fixed in range 410621:410634.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6517539826040832
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race WRITE 8
Crash Address: 0x7d1000056928
Crash State:
  blink::SerializedScriptValue::~SerializedScriptValue
  blink::SerializedScriptValue::~SerializedScriptValue
  blink::MessagePortV8Internal::postMessageImpl
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=410296:410304
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=410621:410634
Minimized Testcase (0.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Yvk2sfjHDnuhNn1jUzgQesxB-4ErjPuFLyPIUBneWtXI2GjsRG7trPrBrkGTMMeS7KxyieD7ogI2jNRdKe63ESYzOsQuURJNk7e1WkPbk5H8gHN73bK_l5SD3NzDHDimFe34GmuWGLORz1sDxBWpkvKbCCg?testcase_id=6517539826040832

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Aug 8 2016
Owner: haraken@chromium.org