Data race in blink::AudioBufferSourceHandler::handleStoppableSourceNode
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6721155726835712

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 1
Crash Address: 0x7b4400002cb1
Crash State:
  blink::AudioBufferSourceHandler::handleStoppableSourceNode
  blink::BaseAudioContext::handleStoppableSourceNodes
  blink::BaseAudioContext::handlePreRenderTasks

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=440655:440657

Minimized Testcase (0.19 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94snAxbTtVfQccRCD9uoE90_ntCVLIf1KVavJEc9JFNmoFqMuUFU1-Bz3S67W7XmRK3YALq06efpPzR1UoNeqKN0PpYiiyp0BpgJY1G8ceQXSS1k13oc2lPLohQPh40Xed6QjE5RxC_RMnb1VEUZ1nKTipwMw?testcase_id=6721155726835712

<script>
;
o2 = new window.AudioContext();
o3 = o2.createBufferSource();
o3.start()
try { o3.buffer = function anonymous() { }(); } catch(e) {; }
o3.loop = false;
setInterval()
</script>

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 3 2017
rtoy@ is probably a better owner.
Jan 3 2017
I can't reproduce this locally, but I'm guessing it's caused by accessing m_didSetLooping. The audio thread reads this (very often) and the main thread sets it.
Jan 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/310673a6eca24e30371c29593b4385fd3983ad1d

commit 310673a6eca24e30371c29593b4385fd3983ad1d
Author: rtoy <rtoy@chromium.org>
Date: Wed Jan 04 02:56:22 2017

Use atomics when accessing m_didSetLooping

Add setter and getter methods for accessing m_didSetLooping so that we can access it atomically. The audio thread was reading this while the main thread could be writing it.

Manually verified the test case from the bug that this fix works. (Need to reload the page a few times to trigger the original bug.)

BUG= 676874
TEST=

Review-Url: https://codereview.chromium.org/2615463002
Cr-Commit-Position: refs/heads/master@{#441304}

[modify] https://crrev.com/310673a6eca24e30371c29593b4385fd3983ad1d/third_party/WebKit/Source/modules/webaudio/AudioBufferSourceNode.cpp
[modify] https://crrev.com/310673a6eca24e30371c29593b4385fd3983ad1d/third_party/WebKit/Source/modules/webaudio/AudioBufferSourceNode.h
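The race described in comment 2 and the shape of the fix in the commit above, as an added illustration that is not Chromium's code: a flag written by the main thread (the `loop` attribute setter) and read by the audio thread once per render quantum, first as a plain `bool` (the pre-fix state TSAN flagged) and then behind an atomic setter/getter. The class and member names (`RacyHandler`, `AtomicHandler`, `m_didSetLooping`, `m_isLooping`, `setDidSetLooping`, `didSetLooping`, `setLoop`, `handleStoppableSourceNode`) are assumptions modelled on the commit message and crash state, and `std::atomic` stands in for whatever atomics Blink uses; the thread simulation mirrors the reproducer's `o3.loop = false` rather than any real WebAudio code.

```cpp
// Added illustration of the m_didSetLooping race and of the atomic
// setter/getter fix pattern. NOT Chromium's code: all names below are
// assumptions modelled on the commit message and the TSAN crash state.
#include <atomic>
#include <chrono>
#include <thread>

// Pre-fix shape, kept for contrast and only ever used single-threaded here:
// a plain bool written on the main thread (loop attribute setter) and read on
// the audio thread (handleStoppableSourceNode, once per render quantum) with
// no synchronisation. Concurrent access to it is a data race, i.e. undefined
// behaviour, which is what TSAN reported as "Data race READ 1".
struct RacyHandler {
  bool m_didSetLooping = false;
  bool m_isLooping = true;
  void setLoop(bool loop) {           // main thread: o3.loop = ...
    m_isLooping = loop;
    m_didSetLooping = true;
  }
  bool handleStoppableSourceNode() {  // audio thread: per render quantum
    return m_didSetLooping && !m_isLooping;
  }
};

// Post-fix shape: every access to the flag goes through an atomic setter and
// getter. Release on the store and acquire on the load additionally make the
// plain m_isLooping write that precedes the store visible to the audio thread
// once it has observed the flag (a single publish; repeated loop changes would
// need the same treatment for m_isLooping itself).
class AtomicHandler {
 public:
  void setLoop(bool loop) {           // main thread
    m_isLooping = loop;
    setDidSetLooping(true);
  }
  bool handleStoppableSourceNode() {  // audio thread
    // m_isLooping is read only after the acquire load has seen the flag.
    return didSetLooping() && !m_isLooping;
  }
  void setDidSetLooping(bool v) {
    m_didSetLooping.store(v, std::memory_order_release);
  }
  bool didSetLooping() const {
    return m_didSetLooping.load(std::memory_order_acquire);
  }

 private:
  std::atomic<bool> m_didSetLooping{false};
  bool m_isLooping = true;  // assumed default for a fresh node
};

// Simulates the reproducer: the "audio thread" polls handleStoppableSourceNode()
// every render quantum (a short sleep here) while the main thread, after
// mainThreadDelayQuanta quanta, runs the equivalent of `o3.loop = false`.
// Returns true iff the audio thread eventually observes the node as stoppable
// with loop == false, which the release/acquire pairing guarantees.
bool simulateLoopAttributeRace(int mainThreadDelayQuanta) {
  AtomicHandler handler;
  std::atomic<bool> stoppable{false};
  std::thread audioThread([&] {
    for (int quantum = 0; quantum < 100000; ++quantum) {
      if (handler.handleStoppableSourceNode()) {
        stoppable.store(true, std::memory_order_relaxed);
        return;
      }
      std::this_thread::sleep_for(std::chrono::microseconds(20));
    }
  });
  std::this_thread::sleep_for(
      std::chrono::microseconds(20 * mainThreadDelayQuanta));
  handler.setLoop(false);  // main thread: o3.loop = false
  audioThread.join();
  return stoppable.load(std::memory_order_relaxed);
}
```

Running the `RacyHandler` variant under the same two-thread simulation is exactly what TSAN would flag; it is left single-threaded here on purpose, since the racy read is undefined behaviour rather than a demonstrable wrong value.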
Jan 5 2017
ClusterFuzz has detected this issue as fixed in range 440945:440947.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6721155726835712

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 1
Crash Address: 0x7b4400002cb1
Crash State:
  blink::AudioBufferSourceHandler::handleStoppableSourceNode
  blink::BaseAudioContext::handleStoppableSourceNodes
  blink::BaseAudioContext::handlePreRenderTasks

Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=440655:440657
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=440945:440947

Minimized Testcase (0.19 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94snAxbTtVfQccRCD9uoE90_ntCVLIf1KVavJEc9JFNmoFqMuUFU1-Bz3S67W7XmRK3YALq06efpPzR1UoNeqKN0PpYiiyp0BpgJY1G8ceQXSS1k13oc2lPLohQPh40Xed6QjE5RxC_RMnb1VEUZ1nKTipwMw?testcase_id=6721155726835712

<script>
;
o2 = new window.AudioContext();
o3 = o2.createBufferSource();
o3.start()
try { o3.buffer = function anonymous() { }(); } catch(e) {; }
o3.loop = false;
setInterval()
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 5 2017
ClusterFuzz testcase 6721155726835712 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Dec 26 2016
Components: Blink>WebAudio
Labels: Test-Predator-Wrong-CLs
Owner: mlamouri@chromium.org
Status: Assigned (was: Untriaged)