Lock-order-inversion in pthread_mutex_lock
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4856224299614208

Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  blink::AudioBufferSourceHandler::setBuffer
  blink::AudioBufferSourceNode::setBuffer

Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=371187:371266

Minimized Testcase (0.64 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94JoXNuTWOCGewrLqNbQelBBgVuUHW4eMFLqIeD78_YMkl-XULq2tktOjlbEOYOt4Kp767XcohWRKJXoPp6jXSvQwGQrFTfpD86QFU0qhARlS7HOoHnYBLx_zHMlKXbSsaW863oNYNQbqK1iLewQZxY-556KneCUc7Aok9lFsDggkT3mW-lET_SpUA7Ul5acvFUy4xssSFbcwkUU_djyBiZef24qxLrV82NaqmQttBusIyQ8vEFn3XvpmCa97bn95hZYMNTH4BEHXBbOZp-7uCu-3CkWP_gVTYEsxNAnapdZwds5PnNBy44_kMNLtp-jAmlbHlP1yOqqw8LF0E6AKzCrBYi1vlFbJ0wHA4d0BvW6IPkDvA?testcase_id=4856224299614208

<script>
var sampleRate = 44100.0;

(function() { })();

/* */

(function() {
  var zeroElementCurve = [];
  executeTest(zeroElementCurve, "Testing zero-element curve (unspecified result)");
})();

function executeTest(curveData, inputData) {
  var ac = new OfflineAudioContext(1, inputData.length, sampleRate);
  var waveShaper = ac.createWaveShaper();
  waveShaper.connect(ac.destination);
  var inputBuffer = ac.createBuffer(1, 2, sampleRate);
  var src = ac.createBufferSource();
  src.buffer = inputBuffer;
  src.connect(waveShaper);
  src.start();
  ac.startRendering();
}

setTimeout("tCFcrash()");

function tCFcrash() {
  gc()
}
</script>

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 25 2017
This looks like a webaudio problem. I'll take it. And for the record, I can reproduce, but only if I keep reloading the minimized test case.
Jan 25 2017
Could this be a GC/oilpan problem? Possibly related to issue 681527? Assigning to keishi again, since you're also looking at 681527.
Feb 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/52b19c8f68c222c08944af937a01f3ff7e46705c

commit 52b19c8f68c222c08944af937a01f3ff7e46705c
Author: keishi <keishi@chromium.org>
Date: Tue Feb 14 04:47:46 2017

Move postGC out of CrossThreadPersistentRegion::LockScope

Some finalizers/prefinalizers acquire locks, causing a deadlock when CrossThreadPersistent tries to acquire the CrossThreadPersistentRegion lock.

This CL moves the postGC step outside of the CrossThreadPersistentRegion::LockScope. This should be okay as the CrossThreadPersistentRegion::LockScope only exists to avoid add/deletion of CrossThreadPersistentNodes during marking.

BUG=684856, 685624, 685624

Review-Url: https://codereview.chromium.org/2686533003
Cr-Commit-Position: refs/heads/master@{#450251}

[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/Heap.cpp
[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/Heap.h
[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/HeapTest.cpp
[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/ThreadState.cpp
[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/ThreadState.h
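The deadlock the commit message describes is a lock-order inversion: one thread takes a lock on the handler side and then needs the CrossThreadPersistentRegion lock, while the GC thread holds the region lock inside LockScope and runs a finalizer that takes the handler-side lock. The C++ below is an added example, not Chromium or Blink code: it implements a small lock-order checker of the kind TSAN uses to produce the report above, and replays both the pre-fix flow (postGC inside LockScope) and the post-fix flow (postGC after LockScope) through it, so the inversion is reported without any thread actually deadlocking. The lock names HandlerLock and RegionLock, the MainThreadSetBuffer and Finalizer models, and the exact order in which the main thread takes its locks are assumptions standing in for the real Blink locks.

```cpp
// Added example, not Chromium code: a minimal lock-order checker in the spirit
// of TSAN's lock-order-inversion detection, driven by two models of the GC
// flow. Lock names and the thread models below are assumptions, not Blink
// identifiers.
#include <cstdio>
#include <iterator>
#include <map>
#include <set>
#include <string>
#include <vector>

using LockName = std::string;
using HeldStack = std::vector<LockName>;  // locks one thread currently holds, in order

// Records "A was held while B was acquired" edges and reports when a new edge
// closes a cycle, i.e. two threads take the same locks in opposite orders.
class LockOrderChecker {
 public:
  // Acquire `lock` on a thread whose currently held locks are `held`.
  // Returns true if this acquisition creates a lock-order inversion.
  bool Acquire(const LockName& lock, HeldStack& held) {
    bool inversion = false;
    for (const LockName& h : held) {
      // A recorded path lock -> ... -> h means some thread took h while
      // holding lock; taking lock while holding h is the reverse order.
      if (Reaches(lock, h)) inversion = true;
      after_[h].insert(lock);
    }
    held.push_back(lock);
    return inversion;
  }

  // Release the most recent acquisition of `lock` on this thread.
  void Release(const LockName& lock, HeldStack& held) {
    for (auto it = held.rbegin(); it != held.rend(); ++it) {
      if (*it == lock) {
        held.erase(std::next(it).base());
        return;
      }
    }
  }

 private:
  // Depth-first search over recorded edges: is `to` reachable from `from`?
  bool Reaches(const LockName& from, const LockName& to) const {
    std::set<LockName> seen;
    std::vector<LockName> stack{from};
    while (!stack.empty()) {
      LockName cur = stack.back();
      stack.pop_back();
      if (cur == to) return true;
      if (!seen.insert(cur).second) continue;
      auto it = after_.find(cur);
      if (it == after_.end()) continue;
      for (const LockName& next : it->second) stack.push_back(next);
    }
    return false;
  }

  std::map<LockName, std::set<LockName>> after_;  // lock -> locks taken while it was held
};

// Assumed model of main-thread work such as setBuffer: a handler-side lock is
// held while a CrossThreadPersistent is created, which takes the region lock.
bool MainThreadSetBuffer(LockOrderChecker& c, HeldStack& held) {
  bool inv = c.Acquire("HandlerLock", held);
  inv = c.Acquire("RegionLock", held) || inv;  // CrossThreadPersistent construction
  c.Release("RegionLock", held);
  c.Release("HandlerLock", held);
  return inv;
}

// Assumed model of a finalizer that needs the handler-side lock, run from postGC.
bool Finalizer(LockOrderChecker& c, HeldStack& held) {
  bool inv = c.Acquire("HandlerLock", held);
  c.Release("HandlerLock", held);
  return inv;
}

// Before the CL: postGC (and its finalizers) run while LockScope holds RegionLock.
bool GcWithPostGcInsideLockScope(LockOrderChecker& c, HeldStack& held) {
  bool inv = c.Acquire("RegionLock", held);  // LockScope begins
  inv = Finalizer(c, held) || inv;           // postGC inside the scope
  c.Release("RegionLock", held);             // LockScope ends
  return inv;
}

// After the CL: LockScope covers marking only and is released before postGC.
bool GcWithPostGcOutsideLockScope(LockOrderChecker& c, HeldStack& held) {
  bool inv = c.Acquire("RegionLock", held);
  c.Release("RegionLock", held);
  inv = Finalizer(c, held) || inv;           // postGC outside the scope
  return inv;
}

// Replays the main-thread order and one of the two GC orders through a single
// checker; returns true if a lock-order inversion was detected.
bool InversionDetected(bool post_gc_outside_scope) {
  LockOrderChecker checker;
  HeldStack main_thread, gc_thread;
  bool inv = MainThreadSetBuffer(checker, main_thread);
  bool gc_inv = post_gc_outside_scope ? GcWithPostGcOutsideLockScope(checker, gc_thread)
                                      : GcWithPostGcInsideLockScope(checker, gc_thread);
  return inv || gc_inv;
}

int main() {
  std::printf("postGC inside LockScope:  inversion=%d\n", InversionDetected(false));
  std::printf("postGC outside LockScope: inversion=%d\n", InversionDetected(true));
  return 0;
}
```

The checker flags the pre-fix order because the main thread recorded HandlerLock -> RegionLock and the GC thread then takes HandlerLock while holding RegionLock; in the post-fix order the region lock is already released when the finalizer runs, so no reverse edge exists. This is also why the fix is safe per the commit message: LockScope only needs to cover marking, not the callbacks run afterwards.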
Feb 14 2017
ClusterFuzz has detected this issue as fixed in range 450202:450256.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4856224299614208

Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  blink::AudioBufferSourceHandler::setBuffer
  blink::AudioBufferSourceNode::setBuffer

Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=371187:371266
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=450202:450256

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94JoXNuTWOCGewrLqNbQelBBgVuUHW4eMFLqIeD78_YMkl-XULq2tktOjlbEOYOt4Kp767XcohWRKJXoPp6jXSvQwGQrFTfpD86QFU0qhARlS7HOoHnYBLx_zHMlKXbSsaW863oNYNQbqK1iLewQZxY-556KneCUc7Aok9lFsDggkT3mW-lET_SpUA7Ul5acvFUy4xssSFbcwkUU_djyBiZef24qxLrV82NaqmQttBusIyQ8vEFn3XvpmCa97bn95hZYMNTH4BEHXBbOZp-7uCu-3CkWP_gVTYEsxNAnapdZwds5PnNBy44_kMNLtp-jAmlbHlP1yOqqw8LF0E6AKzCrBYi1vlFbJ0wHA4d0BvW6IPkDvA?testcase_id=4856224299614208

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 14 2017
ClusterFuzz testcase 4856224299614208 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8

commit 590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8
Author: Keishi Hattori <keishi@chromium.org>
Date: Thu Feb 16 08:00:38 2017

Move postGC out of CrossThreadPersistentRegion::LockScope

Some finalizers/prefinalizers acquire locks, causing a deadlock when CrossThreadPersistent tries to acquire the CrossThreadPersistentRegion lock.

This CL moves the postGC step outside of the CrossThreadPersistentRegion::LockScope. This should be okay as the CrossThreadPersistentRegion::LockScope only exists to avoid add/deletion of CrossThreadPersistentNodes during marking.

BUG=681527, 684856, 685624, 685624

Review-Url: https://codereview.chromium.org/2686533003
Cr-Commit-Position: refs/heads/master@{#450251}
(cherry picked from commit 52b19c8f68c222c08944af937a01f3ff7e46705c)

Review-Url: https://codereview.chromium.org/2695063005 .
Cr-Commit-Position: refs/branch-heads/2987@{#539}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/Heap.cpp
[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/Heap.h
[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/HeapTest.cpp
[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/ThreadState.cpp
[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/ThreadState.h
Feb 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27

commit 3d80b9d4de29bc69458e1c27eb8bce181d7dcb27
Author: keishi <keishi@chromium.org>
Date: Thu Feb 16 09:50:46 2017

Revert of Move postGC out of CrossThreadPersistentRegion::LockScope (patchset #2 id:20001 of https://codereview.chromium.org/2695063005/ )

Reason for revert:
Broke build. crbug.com/692982

Original issue's description:
> Move postGC out of CrossThreadPersistentRegion::LockScope
>
> Some finalizers/prefinalizers acquire locks, causing a deadlock when CrossThreadPersistent tries to acquire the CrossThreadPersistentRegion lock.
>
> This CL moves the postGC step outside of the CrossThreadPersistentRegion::LockScope. This should be okay as the CrossThreadPersistentRegion::LockScope only exists to avoid add/deletion of CrossThreadPersistentNodes during marking.
>
> BUG=681527, 684856, 685624, 685624
>
> Review-Url: https://codereview.chromium.org/2686533003
> Cr-Commit-Position: refs/heads/master@{#450251}
> (cherry picked from commit 52b19c8f68c222c08944af937a01f3ff7e46705c)
>
> Review-Url: https://codereview.chromium.org/2695063005 .
> Cr-Commit-Position: refs/branch-heads/2987@{#539}
> Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}
> Committed: https://chromium.googlesource.com/chromium/src/+/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8

TBR=
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=681527, 684856, 685624, 685624

Review-Url: https://codereview.chromium.org/2701513003
Cr-Commit-Position: refs/branch-heads/2987@{#541}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/Heap.cpp
[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/Heap.h
[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/HeapTest.cpp
[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/ThreadState.cpp
[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/ThreadState.h
Feb 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/04062423c93acc7bcd6d313c480d3f29bbf382e2

commit 04062423c93acc7bcd6d313c480d3f29bbf382e2
Author: Keishi Hattori <keishi@chromium.org>
Date: Thu Feb 16 11:09:42 2017

Move postGC out of CrossThreadPersistentRegion::LockScope

Some finalizers/prefinalizers acquire locks, causing a deadlock when CrossThreadPersistent tries to acquire the CrossThreadPersistentRegion lock.

This CL moves the postGC step outside of the CrossThreadPersistentRegion::LockScope. This should be okay as the CrossThreadPersistentRegion::LockScope only exists to avoid add/deletion of CrossThreadPersistentNodes during marking.

BUG=684856, 685624, 685624

Review-Url: https://codereview.chromium.org/2686533003
Cr-Commit-Position: refs/heads/master@{#450251}
(cherry picked from commit 52b19c8f68c222c08944af937a01f3ff7e46705c)

Review-Url: https://codereview.chromium.org/2690943009 .
Cr-Commit-Position: refs/branch-heads/2987@{#543}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/Heap.cpp
[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/Heap.h
[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/HeapTest.cpp
[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/ThreadState.cpp
[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/ThreadState.h
Comment 1 by mummare...@chromium.org, Jan 25 2017
Components: Blink>WebAudio
Labels: Test-Predator-Wrong M-56
Owner: keishi@chromium.org
Status: Assigned (was: Untriaged)