
Issue 681349

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Data race in base::PersistentMemoryAllocator::Iterator::GetNext

Reported by ClusterFuzz (Project Member), Jan 14 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5041955596926976

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 4
Crash Address: 0x7f19b5809fc4
Crash State:
  base::PersistentMemoryAllocator::Iterator::GetNext
  base::PersistentMemoryAllocator::Iterator::GetNextOfType
  base::GlobalHistogramAllocator::ImportHistogramsToStatisticsRecorder
  
Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=443594:443650

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97WWDm7GNQuxpmqy01dNU6Q7huWO8TQaFDk1mXqtn72uWKE89iQQlMSb992yzY-3lOcO1-6DTKbtZH6dOiGUPzSMzDEyfxFswX__VM5QX8beOyKzUe0t3x06zueNnfSjPH_md5LXFFGmcbPVGIUd88n8D8O6T3kIo4tcV1ZNOS0Tv8D96ahyvrmCUuXCphVn57jt5lGe0vshiRRcWzIt5jHfxH4l2oTpxvCnr3cIkRKVTMSnLpLyivDpfAfETI8W-PxPFIZ329HQ5QPkaT2nUt0XmB1fkNTkgDWzwIYZTlIVey16EyUsDJm5m9v5die4LmdQ1ewcCedNeXhKl4kplLdokN1rWQhVRKpJOq4NUOA7WX5-tc?testcase_id=5041955596926976
<script>
	var db = openDatabase('test_db', '1.0', 'Test database', 1024);
	db.transaction(function(tx) {
		for (i = 0; i < 1000; i++) {
'SELECT "AAAAABBBBBCCCCCDDDDEEEEE" REGEXP "(.|b)(|b){0}\\Q\\E\\$(?#xxx){3}(?>\\D*)"';
		}
		location.reload();
	});
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>MemoryAllocator
Labels: Test-Predator-Wrong-CLs
Owner: bcwh...@chromium.org
Status: Assigned (was: Untriaged)
Findit and CL did not provide any possible suspects.
Using Code Search for the file "persistent_memory_allocator.cc", assigning to the concerned owner.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/3f999d3d054de11816d1a97c887753b26013c853

@bcwhite -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
The first link fails for me saying, "Failed to get component rev list." so I'm unsure how to trace the potential problem.

The test case is unrelated.  The failure is happening in histogram upload code which is triggered by time, not database access.

It's possible that recent changes introduced a data race but I can't check without the data from that first URL.  But if that is the case, this will occur again.
Oh, I meant that the *second* url fails for me.  Looking at the report now...
Comment 4 by bugdroid1@chromium.org (Project Member), Jan 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/43c154f97c004706a96ed0f185d6232b12824c76

commit 43c154f97c004706a96ed0f185d6232b12824c76
Author: bcwhite <bcwhite@chromium.org>
Date: Mon Jan 16 15:45:37 2017

Revert simplification of memory ordering that is causing TSAN errors.

Also added (unrelated) comment.

BUG=681349

Review-Url: https://codereview.chromium.org/2634093002
Cr-Commit-Position: refs/heads/master@{#443901}

[modify] https://crrev.com/43c154f97c004706a96ed0f185d6232b12824c76/base/metrics/persistent_memory_allocator.cc
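The revert above restores the memory ordering in persistent_memory_allocator.cc that the earlier "simplification" had relaxed, but the page itself does not show either version. The following is an added example, not Chromium's code and not the actual layout of base::PersistentMemoryAllocator: a constructed append-only arena whose single writer publishes each block with a release store, and whose lock-free iterator (named GetNext/GetNextOfType only to echo the crash state) consumes blocks with an acquire load. The names, the block layout, the single-writer assumption and the invariant checked by the stress function are all assumptions of this example.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <thread>

// Constructed example, not Chromium's code. The arena layout and names are
// assumptions chosen to resemble base::PersistentMemoryAllocator only in spirit.
namespace arena_example {

constexpr uint32_t kArenaSize = 64 * 1024;

struct BlockHeader {
  std::atomic<uint32_t> size;  // total bytes incl. header; 0 = not yet published
  uint32_t type_id;            // written before size is published
  uint32_t payload;            // written before size is published
};

class Arena {
 public:
  // Assumption: zero-filled storage is treated as a run of unpublished headers.
  Arena() { std::memset(buf_, 0, sizeof(buf_)); }

  // Single writer (assumption). Writes the block body, then publishes it by
  // storing size with memory_order_release. A reader that observes the non-zero
  // size with memory_order_acquire is guaranteed to see type_id and payload as
  // written. Storing size with memory_order_relaxed (or a plain store) drops
  // that guarantee; the reader's plain loads of type_id/payload would then race
  // with the writer's stores, which is what TSan reports as "Data race READ 4".
  bool Allocate(uint32_t type_id, uint32_t payload) {
    constexpr uint32_t kBlockSize = sizeof(BlockHeader);
    if (next_free_ + kBlockSize > kArenaSize) return false;
    BlockHeader* h = reinterpret_cast<BlockHeader*>(buf_ + next_free_);
    h->type_id = type_id;
    h->payload = payload;
    h->size.store(kBlockSize, std::memory_order_release);  // publish
    next_free_ += kBlockSize;
    return true;
  }

  // Lock-free iterator: walks published blocks in allocation order.
  class Iterator {
   public:
    explicit Iterator(const Arena* a) : arena_(a), offset_(0) {}

    // Returns the next published block, or nullptr if none is published yet.
    // The acquire load on size is the only synchronisation; it orders the
    // plain reads of type_id/payload after the writer's release store.
    const BlockHeader* GetNext() {
      if (offset_ + sizeof(BlockHeader) > kArenaSize) return nullptr;
      const BlockHeader* h =
          reinterpret_cast<const BlockHeader*>(arena_->buf_ + offset_);
      uint32_t size = h->size.load(std::memory_order_acquire);
      if (size == 0) return nullptr;  // not published yet; stay at this offset
      offset_ += size;
      return h;
    }

    // Skips blocks until one of the requested type is found.
    const BlockHeader* GetNextOfType(uint32_t type_id) {
      while (const BlockHeader* h = GetNext()) {
        if (h->type_id == type_id) return h;
      }
      return nullptr;
    }

   private:
    const Arena* arena_;
    uint32_t offset_;
  };

 private:
  alignas(8) char buf_[kArenaSize];
  uint32_t next_free_ = 0;
};

struct StressResult { uint32_t seen; uint32_t inconsistent; };

// Stress: one writer publishes blocks while a reader iterates concurrently.
// The writer maintains the (assumed) invariant payload == type_id * 2 + 1;
// any block the reader sees that breaks it was observed half-constructed.
StressResult RunStress(uint32_t count) {
  Arena arena;
  std::atomic<bool> done{false};
  StressResult r{0, 0};
  std::thread reader([&] {
    Arena::Iterator it(&arena);
    for (;;) {
      bool finished = done.load(std::memory_order_acquire);
      while (const BlockHeader* h = it.GetNext()) {
        if (h->payload != h->type_id * 2 + 1) ++r.inconsistent;
        ++r.seen;
      }
      if (finished) break;  // one last full pass after the writer finished
    }
  });
  for (uint32_t i = 1; i <= count; ++i) {
    if (!arena.Allocate(i, i * 2 + 1)) break;
  }
  done.store(true, std::memory_order_release);
  reader.join();
  return r;
}

// Fills an arena single-threaded and looks up one block by type via
// GetNextOfType. Returns its payload, or 0 if no block of that type exists.
uint32_t LookupPayload(uint32_t count, uint32_t type_id) {
  Arena arena;
  for (uint32_t i = 1; i <= count; ++i) arena.Allocate(i, i * 2 + 1);
  Arena::Iterator it(&arena);
  const BlockHeader* h = it.GetNextOfType(type_id);
  return h ? h->payload : 0;
}

}  // namespace arena_example

int main() {
  arena_example::StressResult r = arena_example::RunStress(2000);
  std::printf("seen=%u inconsistent=%u\n", r.seen, r.inconsistent);
  return r.inconsistent == 0 ? 0 : 1;
}
```

Building this with clang++ -fsanitize=thread and changing the release store in Allocate to memory_order_relaxed is the quickest way to see the class of report the issue describes: TSan flags the plain reads of type_id and payload in GetNext as racing with the writer, even though the code "works" on x86 most of the time.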

Status: Fixed (was: Assigned)
I believe that should do it.  That's the only change in months even remotely close to the area of effect.
Cc: bcwh...@chromium.org
Issue 681291 has been merged into this issue.
