Data race in media::VideoFrameCompositor::ProcessNewFrame

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6225523761217536

Fuzzer: inferno_flicker
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 8
Crash Address: 0x7b40000010b8
Crash State:
  media::VideoFrameCompositor::ProcessNewFrame
  media::VideoFrameCompositor::PaintSingleFrame
  base::internal::Invoker<base::internal::BindState<void

Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=444758:445138

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94HbYarL7l2ZQKwuZvdVvx_ow_dH_k9ky0ZxTDbWXU9-bWFhEmsKkGea2N0dnF27vRcyoJOWm5JPsnAVQh3R69kNTUBneaWAjj01_jirZ0r6kP3tI8nFUKudME1bpXQfXbz5j3i1arCXu4c01LzDylvLwOelfmG4Z5104yxLIrjpypzkqlat1lLhKfoO1Qeb1yUnIQBdd05hnTzj78qZMj5xEriEB6uMhh4bjALxE9EjaettSU9Lz5gll1KoDsGHQlRkeFwKPoq-DxZi7ASYumV5DkfLo20KgvqaSmP8y7vl4bEuBffygwJFkSUvan-YW1KE_PPSli0raa0OZL1dSo_-6DQa3sFdBBZFk9DMhubdcVdtGA?testcase_id=6225523761217536

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 26 2017

Jan 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b5c8d0d1bed4056880ad70ed949714f9edc0f81b

commit b5c8d0d1bed4056880ad70ed949714f9edc0f81b
Author: avayvod <avayvod@chromium.org>
Date: Fri Jan 27 01:11:35 2017

[Video] Reset new processed frame callback on the compositor thread.

The callback is set and used on the compositor thread but is reset on the media thread, causing a data race.

Moved resetting the callback to the OnRenderingStateChange when the state is set to false.

BUG= 684458
TEST=manual

Review-Url: https://codereview.chromium.org/2651323002
Cr-Commit-Position: refs/heads/master@{#446515}

[modify] https://crrev.com/b5c8d0d1bed4056880ad70ed949714f9edc0f81b/media/blink/video_frame_compositor.cc
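The commit message above describes a thread-affinity bug: a member that is owned by the compositor thread (set and invoked there) was being reset from the media thread, and the fix moves the reset into a handler that already runs on the compositor thread. The following C++ is an added illustration of that pattern and is not code from the Chromium commit or from media/blink; ThreadChecker, TaskRunner and Compositor are deliberately simplified stand-ins (in the spirit of Chromium's base::ThreadChecker and single-thread task runners), and the method names on Compositor mirror the ones in the commit message only to make the mapping obvious. The calling thread plays the media thread; a one-thread TaskRunner plays the compositor thread. Instead of failing a DCHECK, the checker counts every access made off the owning thread, so the "bug" scenario reports one violation and the "fix" scenario reports none while both leave the callback cleared.

```cpp
// Added example, not Chromium code: a thread-affinity checker guarding a toy
// compositor's frame callback, with a one-thread task runner as the compositor thread.
#include <atomic>
#include <condition_variable>
#include <functional>
#include <future>
#include <memory>
#include <mutex>
#include <queue>
#include <thread>

// Binds to the thread that constructs it; callers ask whether they are on that thread.
class ThreadChecker {
 public:
  bool CalledOnValidThread() const { return std::this_thread::get_id() == owner_; }
 private:
  std::thread::id owner_ = std::this_thread::get_id();  // bound at construction
};

// FIFO drained by one worker thread (hypothetical stand-in for a single-thread task runner).
class TaskRunner {
 public:
  TaskRunner() : worker_([this] { Run(); }) {}
  ~TaskRunner() {
    { std::lock_guard<std::mutex> lk(mu_); stop_ = true; }
    cv_.notify_all();
    worker_.join();
  }
  // Posts a task and blocks until it has run, which keeps the scenarios deterministic.
  void PostTaskAndWait(std::function<void()> task) {
    std::promise<void> done;
    {
      std::lock_guard<std::mutex> lk(mu_);
      queue_.push([&] { task(); done.set_value(); });
    }
    cv_.notify_all();
    done.get_future().wait();
  }
 private:
  void Run() {
    std::unique_lock<std::mutex> lk(mu_);
    for (;;) {
      cv_.wait(lk, [this] { return stop_ || !queue_.empty(); });
      if (queue_.empty()) return;  // stopped and drained
      auto task = std::move(queue_.front());
      queue_.pop();
      lk.unlock(); task(); lk.lock();  // run the task without holding the queue lock
    }
  }
  std::mutex mu_;
  std::condition_variable cv_;
  std::queue<std::function<void()>> queue_;
  bool stop_ = false;
  std::thread worker_;  // declared last: the members above must exist before it starts
};

// Hypothetical stand-in for media::VideoFrameCompositor. Every access made off the
// owning (compositor) thread is counted instead of crashing a DCHECK.
class Compositor {
 public:
  void SetNewProcessedFrameCB(std::function<void(int)> cb) { Check(); cb_ = std::move(cb); }
  void ProcessNewFrame(int frame_id) { Check(); if (cb_) cb_(frame_id); }
  void ResetNewProcessedFrameCB() { Check(); cb_ = nullptr; }  // the bug: called from the media thread
  void OnRenderingStateChange(bool rendering) { Check(); if (!rendering) cb_ = nullptr; }  // the fix's home
  bool HasCallback() const { return static_cast<bool>(cb_); }
  int violations() const { return violations_; }
 private:
  void Check() { if (!checker_.CalledOnValidThread()) ++violations_; }
  ThreadChecker checker_;
  std::function<void(int)> cb_;
  std::atomic<int> violations_{0};
};

struct Outcome { int violations; bool callback_cleared; };

// Runs the lifecycle with the reset done the given way; this thread plays the media
// thread and `compositor` plays the compositor thread.
Outcome RunScenario(bool reset_on_compositor_thread) {
  TaskRunner compositor;
  std::unique_ptr<Compositor> c;
  Outcome out{};
  compositor.PostTaskAndWait([&] {
    c = std::make_unique<Compositor>();  // checker binds to the compositor thread here
    c->SetNewProcessedFrameCB([](int) {});
    c->ProcessNewFrame(1);
  });
  if (reset_on_compositor_thread)
    compositor.PostTaskAndWait([&] { c->OnRenderingStateChange(false); });
  else
    c->ResetNewProcessedFrameCB();  // media thread touching compositor-thread state
  compositor.PostTaskAndWait([&] { out = Outcome{c->violations(), !c->HasCallback()}; c.reset(); });
  return out;
}

Outcome RacyReset() { return RunScenario(false); }  // violations == 1
Outcome FixedReset() { return RunScenario(true); }  // violations == 0

int main() { return (RacyReset().violations == 1 && FixedReset().violations == 0) ? 0 : 1; }
```

The point of the checker is that it flags the wrong-thread access every time the code path runs, whereas TSAN only reports a race when the media-thread reset actually overlaps a compositor-thread read, which is why a fuzzer had to hit the timing to surface this one. Binding the reset to the compositor thread, as the fix does, removes the cross-thread write entirely rather than adding a lock around it.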
Jan 27 2017

Jan 27 2017

Jan 28 2017
ClusterFuzz has detected this issue as fixed in range 446318:446606.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6225523761217536

Fuzzer: inferno_flicker
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 8
Crash Address: 0x7b40000010b8
Crash State:
  media::VideoFrameCompositor::ProcessNewFrame
  media::VideoFrameCompositor::PaintSingleFrame
  base::internal::Invoker<base::internal::BindState<void

Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=444758:445138
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=446318:446606

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94HbYarL7l2ZQKwuZvdVvx_ow_dH_k9ky0ZxTDbWXU9-bWFhEmsKkGea2N0dnF27vRcyoJOWm5JPsnAVQh3R69kNTUBneaWAjj01_jirZ0r6kP3tI8nFUKudME1bpXQfXbz5j3i1arCXu4c01LzDylvLwOelfmG4Z5104yxLIrjpypzkqlat1lLhKfoO1Qeb1yUnIQBdd05hnTzj78qZMj5xEriEB6uMhh4bjALxE9EjaettSU9Lz5gll1KoDsGHQlRkeFwKPoq-DxZi7ASYumV5DkfLo20KgvqaSmP8y7vl4bEuBffygwJFkSUvan-YW1KE_PPSli0raa0OZL1dSo_-6DQa3sFdBBZFk9DMhubdcVdtGA?testcase_id=6225523761217536

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 28 2017
ClusterFuzz testcase 6225523761217536 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 30 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.

Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jan 30 2017
Please merge your change to M57 branch 2987 ASAP. If merge happens today before 5:00 PM PT, then we can take it for tomorrow's last M57 Dev release. Thank you.
Jan 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8249e65739295d3aa951eba40de6221e3b11aae6

commit 8249e65739295d3aa951eba40de6221e3b11aae6
Author: Anton Vayvod <avayvod@chromium.org>
Date: Mon Jan 30 20:14:27 2017

[Video] Reset new processed frame callback on the compositor thread.

The callback is set and used on the compositor thread but is reset on the media thread, causing a data race.

Moved resetting the callback to the OnRenderingStateChange when the state is set to false.

BUG= 684458
TEST=manual

Review-Url: https://codereview.chromium.org/2651323002
Cr-Commit-Position: refs/heads/master@{#446515}
(cherry picked from commit b5c8d0d1bed4056880ad70ed949714f9edc0f81b)

Review-Url: https://codereview.chromium.org/2660993002 .
Cr-Commit-Position: refs/branch-heads/2987@{#178}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/8249e65739295d3aa951eba40de6221e3b11aae6/media/blink/video_frame_compositor.cc
Comment 1 by msrchandra@chromium.org, Jan 24 2017
Components: Blink>Media>Video
Labels: Test-Predator-Correct-CLs
Owner: avayvod@chromium.org
Status: Assigned (was: Untriaged)