Lock-order-inversion in pthread_mutex_lock
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5926686714757120

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  blink::MessagePort::messageAvailable
  blink::MessagePort::messageAvailable
Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=443594:443650

Minimized Testcase (0.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95q9qAOI5TwqA1Zp2o9qBBU5w1Dno-A_1nbH392TSQjerYGUcGn71cflRFTMZznvGi3VxK94ZVMtYCouAeHxOdiT13ZX5wD0nIw5LudEXotG7oeLUhX7cbHXNyDzXLOVgrcLHUle0qssm_mUmfj3Uj6vIAZFSI1CBzLdUlLhWinmvuUtKNkQPdJvfM3QShvHTciLyTVaSKPnsC8MtFBDjSP33qFyl71XtlP17bjqOjQVVaw_l2k9bzpWwwPBvpvU48hPC_Dhd4n-ZENnfGlsPe521Q2tnFToBL9TgBrnP91bKGy3PW8ADKnp32sfO7VXehoWj03RrIBFeriQDOn0kXymOUM84kGwPAXAseOeXd7i2t2e1k?testcase_id=5926686714757120

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 18 2017
This is a lock order inversion around WebMessagePortChannelImpl::lock_ and the persistent node lock in Oilpan. MessagePort makes a CrossThreadWeakPersistent in the lock, and touches the lock in the destructor while GC holds the persistent node lock.

keishi: As we chatted offline, I think the root cause is the sweep phase of GC while holding the persistent node lock. The sweep phase probably needs to run outside of the locked block; otherwise, a user destructor of an object may touch a problematic lock.
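As an added illustration (not code from the Chromium tree or from the commenter above), the following C++ models the two lock paths the comment describes and runs them through a small lock-order checker that works the way TSAN's deadlock detector does: it records the order in which locks are taken and flags a cycle, which is the "lock-order-inversion" in the report. The names channel_lock, persistent_lock, MessageAvailable, PortFinalizer, SweepHoldingLock and SweepOutsideLock are stand-ins of mine for WebMessagePortChannelImpl::lock_, the Oilpan persistent node lock and the code paths the comment names; nothing here is the actual Blink implementation, and the "fixed" sweep only models the comment's proposal of running the sweep outside the locked block.

```cpp
#include <cassert>
#include <functional>
#include <iterator>
#include <map>
#include <mutex>
#include <set>
#include <string>
#include <vector>

// Records every "held -> acquired" edge between named locks. A path from the
// lock being acquired back to a lock already held means the opposite order
// was seen earlier: that cycle is what TSAN reports as a lock-order-inversion,
// since the two paths can deadlock if they ever run concurrently.
class LockOrderTracker {
 public:
  void OnAcquire(const std::string& name) {
    for (const std::string& held : held_) {
      if (held == name) continue;
      edges_[held].insert(name);
      if (Reaches(name, held)) {
        inversions_.insert(held < name ? held + " <-> " + name
                                       : name + " <-> " + held);
      }
    }
    held_.push_back(name);
  }

  void OnRelease(const std::string& name) {
    for (auto it = held_.rbegin(); it != held_.rend(); ++it) {
      if (*it == name) {
        held_.erase(std::next(it).base());
        return;
      }
    }
  }

  const std::set<std::string>& inversions() const { return inversions_; }

 private:
  // Depth-first search over the recorded acquisition-order graph.
  bool Reaches(const std::string& from, const std::string& to) const {
    std::set<std::string> seen;
    std::vector<std::string> stack{from};
    while (!stack.empty()) {
      std::string cur = stack.back();
      stack.pop_back();
      if (cur == to) return true;
      if (!seen.insert(cur).second) continue;
      auto it = edges_.find(cur);
      if (it == edges_.end()) continue;
      for (const std::string& next : it->second) stack.push_back(next);
    }
    return false;
  }

  std::map<std::string, std::set<std::string>> edges_;
  std::vector<std::string> held_;  // locks held, in acquisition order
  std::set<std::string> inversions_;
};

// Hypothetical stand-ins for the two locks named in the comment.
struct Runtime {
  LockOrderTracker tracker;
  std::mutex channel_lock;     // models WebMessagePortChannelImpl::lock_
  std::mutex persistent_lock;  // models Oilpan's persistent node lock
};

// RAII guard that reports the acquisition to the tracker before blocking,
// as a real checker would, so an inversion is found even if it would deadlock.
class ScopedLock {
 public:
  ScopedLock(Runtime& rt, std::mutex& m, const char* name)
      : rt_(rt), m_(m), name_(name) {
    rt_.tracker.OnAcquire(name_);
    m_.lock();
  }
  ~ScopedLock() {
    m_.unlock();
    rt_.tracker.OnRelease(name_);
  }

 private:
  Runtime& rt_;
  std::mutex& m_;
  std::string name_;
};

// Path 1: messageAvailable() holds the channel lock and, inside it, creates a
// CrossThreadWeakPersistent, which takes the persistent node lock.
void MessageAvailable(Runtime& rt) {
  ScopedLock channel(rt, rt.channel_lock, "channel_lock");
  ScopedLock persistent(rt, rt.persistent_lock, "persistent_lock");
}

// The port's destructor touches the channel lock.
void PortFinalizer(Runtime& rt) {
  ScopedLock channel(rt, rt.channel_lock, "channel_lock");
}

// Path 2, buggy: GC sweep runs destructors while still holding the persistent
// node lock, giving the order persistent -> channel, the reverse of path 1.
void SweepHoldingLock(Runtime& rt) {
  ScopedLock persistent(rt, rt.persistent_lock, "persistent_lock");
  PortFinalizer(rt);
}

// Path 2, as the comment proposes: find the dead objects under the lock,
// release it, then run their destructors outside the locked block.
void SweepOutsideLock(Runtime& rt) {
  std::vector<std::function<void(Runtime&)>> finalizers;
  {
    ScopedLock persistent(rt, rt.persistent_lock, "persistent_lock");
    finalizers.push_back(PortFinalizer);
  }
  for (auto& f : finalizers) f(rt);
}

std::set<std::string> InversionsWithBuggySweep() {
  Runtime rt;
  MessageAvailable(rt);
  SweepHoldingLock(rt);
  return rt.tracker.inversions();
}

std::set<std::string> InversionsWithFixedSweep() {
  Runtime rt;
  MessageAvailable(rt);
  SweepOutsideLock(rt);
  return rt.tracker.inversions();
}

int main() {
  assert(InversionsWithBuggySweep().count("channel_lock <-> persistent_lock") == 1);
  assert(InversionsWithFixedSweep().empty());
  return 0;
}
```

The checker is single-threaded on purpose: like TSAN's report, it flags the inconsistent acquisition order itself rather than waiting for the two paths to actually collide, which is why the fuzzer could find this without ever hanging.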
Feb 14 2017
ClusterFuzz has detected this issue as fixed in range 450202:450256.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5926686714757120

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  blink::MessagePort::messageAvailable
  blink::MessagePort::messageAvailable
Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=443594:443650
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=450202:450256

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95q9qAOI5TwqA1Zp2o9qBBU5w1Dno-A_1nbH392TSQjerYGUcGn71cflRFTMZznvGi3VxK94ZVMtYCouAeHxOdiT13ZX5wD0nIw5LudEXotG7oeLUhX7cbHXNyDzXLOVgrcLHUle0qssm_mUmfj3Uj6vIAZFSI1CBzLdUlLhWinmvuUtKNkQPdJvfM3QShvHTciLyTVaSKPnsC8MtFBDjSP33qFyl71XtlP17bjqOjQVVaw_l2k9bzpWwwPBvpvU48hPC_Dhd4n-ZENnfGlsPe521Q2tnFToBL9TgBrnP91bKGy3PW8ADKnp32sfO7VXehoWj03RrIBFeriQDOn0kXymOUM84kGwPAXAseOeXd7i2t2e1k?testcase_id=5926686714757120

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 14 2017
ClusterFuzz testcase 5926686714757120 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Jan 18 2017
Labels: M-57 Test-Predator-Wrong
Owner: tzik@chromium.org
Status: Assigned (was: Untriaged)