Data race in blink::ImageFrame::setSizeAndColorSpace
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5290027937693696
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7fb8bb2429b0
Crash State:
  blink::ImageFrame::setSizeAndColorSpace
  blink::JPEGImageDecoder::outputScanlines
  blink::JPEGImageReader::decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=411233:411257
Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94wrpkE0lECVPyzNPWABiyZlweRKswDeL7R4kyGTwVmZQ5LUh2XkWQ-wIjBqQ4StSALuLGY1ESDHeAfI62rNWK2zj01CWPtsU0RG1pIBS2SDh0Mtzc7_2yR_Xq_ETzoWNT0thAsWdodC8qnutlVzbsRfUrLIg?testcase_id=5290027937693696
<meta http-equiv="refresh" content="0; url=http://madisonscottishcountrydancers.org/"</html>
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 21 2016
No possible suspects from Findit, and there is no regression range in the detailed report. Assigning to the concern owner using Code Search for the file "JPEGImageDecoder.cpp".
Suspected commit: 75bac58d037d14d78babf75e674654062a1c85eb
Suspected review URL: https://codereview.chromium.org/2482883002
@msarett -- could you please look into the issue? Kindly re-assign if this is not related to your change. Thank you.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 23 2016
Adding Chris because this appears to be related to the color correct rendering flag. I don't think this is a big deal, since color correct rendering is test only right now.
Nov 23 2016
Hmm, odd. I've seen some of these before, but they all spontaneously resolved.
Nov 28 2016
The ClusterFuzz trace suggests that a deferred image decode happening on the cc raster thread is trying to access the webkit thread (by reading the color correct rendering flag stored therein) ... and so a racy crash here if the webkit thread no longer exists, e.g. at tab shutdown. Blink deferred image decodes should not try to access webkit thread state, right?
Dec 1 2016
ClusterFuzz has detected this issue as fixed in range 435416:435480.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5290027937693696
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7fb8bb2429b0
Crash State:
  blink::ImageFrame::setSizeAndColorSpace
  blink::JPEGImageDecoder::outputScanlines
  blink::JPEGImageReader::decode
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=411233:411257
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=435416:435480
Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94wrpkE0lECVPyzNPWABiyZlweRKswDeL7R4kyGTwVmZQ5LUh2XkWQ-wIjBqQ4StSALuLGY1ESDHeAfI62rNWK2zj01CWPtsU0RG1pIBS2SDh0Mtzc7_2yR_Xq_ETzoWNT0thAsWdodC8qnutlVzbsRfUrLIg?testcase_id=5290027937693696
<meta http-equiv="refresh" content="0; url=http://madisonscottishcountrydancers.org/"</html>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 1 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 1 2016
This was probably fixed by crrev.com/435478 -- that patch made it so that we no longer query the color profile from a global variable during decode. Now we pass it in at ImageDecoder creation time.
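The two patterns discussed in this thread, a deferred decode on a worker thread reading a flag that belongs to the main thread versus sampling that flag once when the decoder is created and carrying it along, as an added illustration in plain C++. This is not Chromium's or Blink's code: g_colorCorrectRendering, Frame, RacyDecoder, SnapshotDecoder and decodeUnderChurn are hypothetical stand-ins chosen for the example, not identifiers from the Chromium tree.

```cpp
#include <cstddef>
#include <set>
#include <thread>
#include <vector>

// Hypothetical stand-in for a runtime flag owned by the main (webkit) thread.
// A plain bool with no synchronization: a write here racing with a read on
// another thread is exactly the kind of access TSan reports.
static bool g_colorCorrectRendering = false;

struct Frame {
  int width = 0;
  int height = 0;
  bool colorCorrected = false;
};

// Racy design: decode() reads the main-thread flag from whichever thread
// happens to run the (deferred) decode, e.g. a raster thread.
struct RacyDecoder {
  Frame decode(int w, int h) const {
    Frame f;
    f.width = w;
    f.height = h;
    f.colorCorrected = g_colorCorrectRendering;  // unsynchronized cross-thread read
    return f;
  }
};

// Fixed design: the setting is sampled once, on the thread that creates the
// decoder, and carried as an immutable member. decode() touches only `this`,
// so it depends neither on main-thread state nor on the main thread existing.
class SnapshotDecoder {
 public:
  explicit SnapshotDecoder(bool colorCorrect) : colorCorrect_(colorCorrect) {}
  Frame decode(int w, int h) const {
    Frame f;
    f.width = w;
    f.height = h;
    f.colorCorrected = colorCorrect_;
    return f;
  }
 private:
  const bool colorCorrect_;
};

// Runs `decoder` from `workers` threads while the calling thread keeps
// flipping the global flag, mimicking main-thread state changing underneath
// in-flight decodes. Returns the set of colorCorrected values the workers saw.
// Each worker writes only its own slot of `seen`, so the bookkeeping itself
// introduces no race.
template <typename Decoder>
std::set<bool> decodeUnderChurn(const Decoder& decoder, int workers, int decodesPerWorker) {
  std::vector<std::vector<int>> seen(workers);
  std::vector<std::thread> threads;
  for (int i = 0; i < workers; ++i) {
    threads.emplace_back([&decoder, &seen, i, decodesPerWorker] {
      for (int n = 0; n < decodesPerWorker; ++n)
        seen[i].push_back(decoder.decode(16, 16).colorCorrected ? 1 : 0);
    });
  }
  for (int n = 0; n < decodesPerWorker * 64; ++n)
    g_colorCorrectRendering = !g_colorCorrectRendering;  // "main-thread" writes
  for (std::thread& t : threads) t.join();

  std::set<bool> distinct;
  for (const std::vector<int>& v : seen)
    for (int b : v) distinct.insert(b != 0);
  return distinct;
}

// Every frame decoded by a SnapshotDecoder carries the value captured at
// construction, however the global changes afterwards.
bool snapshotDecoderIsStable(bool colorCorrect) {
  g_colorCorrectRendering = colorCorrect;            // set before any worker starts
  SnapshotDecoder decoder(g_colorCorrectRendering);  // sampled on the creating thread
  std::set<bool> seen = decodeUnderChurn(decoder, 4, 2000);
  return seen.size() == 1 && *seen.begin() == colorCorrect;
}

// The racy decoder may observe one value or both, depending on scheduling
// and optimization; under -fsanitize=thread the read in RacyDecoder::decode
// is reported as a data race either way.
std::size_t racyDecoderDistinctValues() {
  RacyDecoder decoder;
  return decodeUnderChurn(decoder, 4, 2000).size();
}
```

Build with `g++ -std=c++17 -pthread -fsanitize=thread` and call both functions: TSan flags the read inside RacyDecoder::decode against the writes in decodeUnderChurn, while the SnapshotDecoder path is clean because the worker threads never touch the global. Note that the fix is a design change, not a lock: a mutex around the flag would silence the race but would still leave the decode dependent on main-thread state being alive.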
Dec 5 2016
Yeap, agree.
Comment 1 by ajha@chromium.org, Nov 21 2016. Labels: M-55