Lock-order-inversion in pthread_mutex_lock

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5006982080888832

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  blink::BaseAudioContext::resolvePromisesForResume
  blink::BaseAudioContext::handlePreRenderTasks

Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=315519:315522

Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv979PGziAze4fw8xzXXcdgcz8lFV2y7nBQVdWHqzn5XxzbHK5Cda0YsNMcOAqw62E3-o9hnd2gDG8POE4HHQdn4H9uurfeRH0CjLveHmdH4ec0i_y4aH3SAc-yiAfUQptR4yFjvAsNjVYXo6NItOQ_PA1CRqpKORGYzJwCftZjrWPWHGIPMbtkGizLwLBA-rMXCygEI23ySxUvIe70-kYgpoDko31LyfRZAC5iqbZDgmQ7mXqaJivR0PkXlh3x8Lx5aED6ipxEpnTO_9hSwlbuA0WsZZed3nM05oTL0KBh4GkPy1K2Q87gsXXpt8_ZIcntX_aQj7jnxTdrDvRGbgvvxWg8eMAmU5kvSh4kYxgd68gqP1l8Q?testcase_id=5006982080888832

  id=tCF0><script> var ac = new AudioContext(); ac.resume(); ; if(document.documentElement) document.documentElement.offsetTop; ; ; setTimeout("window.location.reload();"); </script>

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 14 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/52b19c8f68c222c08944af937a01f3ff7e46705c

commit 52b19c8f68c222c08944af937a01f3ff7e46705c
Author: keishi <keishi@chromium.org>
Date: Tue Feb 14 04:47:46 2017

Move postGC out of CrossThreadPersistentRegion::LockScope

Some finalizers/prefinalizers acquire locks, causing a deadlock when CrossThreadPersistent tries to acquire the CrossThreadPersistentRegion lock.

This CL moves the postGC step outside of the CrossThreadPersistentRegion::LockScope. This should be okay as the CrossThreadPersistentRegion::LockScope only exists to avoid add/deletion of CrossThreadPersistentNodes during marking.

BUG= 684856 , 685624 , 685624

Review-Url: https://codereview.chromium.org/2686533003
Cr-Commit-Position: refs/heads/master@{#450251}

[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/Heap.cpp
[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/Heap.h
[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/HeapTest.cpp
[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/ThreadState.cpp
[modify] https://crrev.com/52b19c8f68c222c08944af937a01f3ff7e46705c/third_party/WebKit/Source/platform/heap/ThreadState.h
Feb 14 2017

ClusterFuzz has detected this issue as fixed in range 450202:450256.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5006982080888832

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Lock-order-inversion
Crash Address:
Crash State:
  pthread_mutex_lock
  blink::BaseAudioContext::resolvePromisesForResume
  blink::BaseAudioContext::handlePreRenderTasks

Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=315519:315522
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=450202:450256

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv979PGziAze4fw8xzXXcdgcz8lFV2y7nBQVdWHqzn5XxzbHK5Cda0YsNMcOAqw62E3-o9hnd2gDG8POE4HHQdn4H9uurfeRH0CjLveHmdH4ec0i_y4aH3SAc-yiAfUQptR4yFjvAsNjVYXo6NItOQ_PA1CRqpKORGYzJwCftZjrWPWHGIPMbtkGizLwLBA-rMXCygEI23ySxUvIe70-kYgpoDko31LyfRZAC5iqbZDgmQ7mXqaJivR0PkXlh3x8Lx5aED6ipxEpnTO_9hSwlbuA0WsZZed3nM05oTL0KBh4GkPy1K2Q87gsXXpt8_ZIcntX_aQj7jnxTdrDvRGbgvvxWg8eMAmU5kvSh4kYxgd68gqP1l8Q?testcase_id=5006982080888832

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 14 2017

ClusterFuzz testcase 5006982080888832 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 16 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8

commit 590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8
Author: Keishi Hattori <keishi@chromium.org>
Date: Thu Feb 16 08:00:38 2017

Move postGC out of CrossThreadPersistentRegion::LockScope

Some finalizers/prefinalizers acquire locks, causing a deadlock when CrossThreadPersistent tries to acquire the CrossThreadPersistentRegion lock.

This CL moves the postGC step outside of the CrossThreadPersistentRegion::LockScope. This should be okay as the CrossThreadPersistentRegion::LockScope only exists to avoid add/deletion of CrossThreadPersistentNodes during marking.

BUG=681527, 684856 , 685624 , 685624

Review-Url: https://codereview.chromium.org/2686533003
Cr-Commit-Position: refs/heads/master@{#450251}
(cherry picked from commit 52b19c8f68c222c08944af937a01f3ff7e46705c)

Review-Url: https://codereview.chromium.org/2695063005 .
Cr-Commit-Position: refs/branch-heads/2987@{#539}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/Heap.cpp
[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/Heap.h
[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/HeapTest.cpp
[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/ThreadState.cpp
[modify] https://crrev.com/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8/third_party/WebKit/Source/platform/heap/ThreadState.h
Feb 16 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27

commit 3d80b9d4de29bc69458e1c27eb8bce181d7dcb27
Author: keishi <keishi@chromium.org>
Date: Thu Feb 16 09:50:46 2017

Revert of Move postGC out of CrossThreadPersistentRegion::LockScope (patchset #2 id:20001 of https://codereview.chromium.org/2695063005/ )

Reason for revert:
Broke build. crbug.com/692982

Original issue's description:
> Move postGC out of CrossThreadPersistentRegion::LockScope
>
> Some finalizers/prefinalizers acquire locks, causing a deadlock when CrossThreadPersistent tries to acquire the CrossThreadPersistentRegion lock.
>
> This CL moves the postGC step outside of the CrossThreadPersistentRegion::LockScope. This should be okay as the CrossThreadPersistentRegion::LockScope only exists to avoid add/deletion of CrossThreadPersistentNodes during marking.
>
> BUG=681527, 684856 , 685624 , 685624
>
> Review-Url: https://codereview.chromium.org/2686533003
> Cr-Commit-Position: refs/heads/master@{#450251}
> (cherry picked from commit 52b19c8f68c222c08944af937a01f3ff7e46705c)
>
> Review-Url: https://codereview.chromium.org/2695063005 .
> Cr-Commit-Position: refs/branch-heads/2987@{#539}
> Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}
> Committed: https://chromium.googlesource.com/chromium/src/+/590a7c6ceb9bea92bbce8e7636406ed6ea39bfe8

TBR=
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=681527, 684856 , 685624 , 685624

Review-Url: https://codereview.chromium.org/2701513003
Cr-Commit-Position: refs/branch-heads/2987@{#541}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/Heap.cpp
[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/Heap.h
[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/HeapTest.cpp
[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/ThreadState.cpp
[modify] https://crrev.com/3d80b9d4de29bc69458e1c27eb8bce181d7dcb27/third_party/WebKit/Source/platform/heap/ThreadState.h
Feb 16 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/04062423c93acc7bcd6d313c480d3f29bbf382e2

commit 04062423c93acc7bcd6d313c480d3f29bbf382e2
Author: Keishi Hattori <keishi@chromium.org>
Date: Thu Feb 16 11:09:42 2017

Move postGC out of CrossThreadPersistentRegion::LockScope

Some finalizers/prefinalizers acquire locks, causing a deadlock when CrossThreadPersistent tries to acquire the CrossThreadPersistentRegion lock.

This CL moves the postGC step outside of the CrossThreadPersistentRegion::LockScope. This should be okay as the CrossThreadPersistentRegion::LockScope only exists to avoid add/deletion of CrossThreadPersistentNodes during marking.

BUG= 684856 , 685624 , 685624

Review-Url: https://codereview.chromium.org/2686533003
Cr-Commit-Position: refs/heads/master@{#450251}
(cherry picked from commit 52b19c8f68c222c08944af937a01f3ff7e46705c)

Review-Url: https://codereview.chromium.org/2690943009 .
Cr-Commit-Position: refs/branch-heads/2987@{#543}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/Heap.cpp
[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/Heap.h
[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/HeapTest.cpp
[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/ThreadState.cpp
[modify] https://crrev.com/04062423c93acc7bcd6d313c480d3f29bbf382e2/third_party/WebKit/Source/platform/heap/ThreadState.h
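The commit message above describes the pattern TSan flagged: the GC thread held the CrossThreadPersistentRegion lock while running finalizers that take a second lock, and another thread (here BaseAudioContext resolving promises) took that second lock first and then touched a CrossThreadPersistent, which needs the region lock. The following is an added illustration, not Chromium or TSan code: a minimal lock-order tracker that records "held lock -> acquired lock" edges and reports an inversion when the reverse edge already exists, run over a before/after model of the fix. The lock ids and the scenario functions are hypothetical stand-ins for the locks in the report; the thread ids are passed explicitly so the program is deterministic and never actually deadlocks, which is also why a sanitizer can report a lock-order inversion without a hang ever occurring.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <utility>
#include <vector>

// Added example: records the order in which locks are taken and flags an
// acquisition that inverts an order seen earlier (a simplified form of the
// TSan "lock-order-inversion" check; not TSan's implementation).
class LockOrderTracker {
 public:
  // Returns true when thread `tid` acquiring `lock` inverts a recorded order.
  bool Acquire(int tid, int lock) {
    std::vector<int>& held = held_[tid];
    bool inversion = false;
    for (int h : held) {
      // Edge (lock -> h) already recorded means some path took `lock` first
      // and `h` second; we are now taking `h` first and `lock` second.
      if (edges_.count({lock, h}) != 0) inversion = true;
      edges_.insert({h, lock});
    }
    held.push_back(lock);
    if (inversion) ++inversions_;
    return inversion;
  }

  void Release(int tid, int lock) {
    std::vector<int>& held = held_[tid];
    for (auto it = held.begin(); it != held.end(); ++it) {
      if (*it == lock) { held.erase(it); break; }
    }
  }

  int inversions() const { return inversions_; }

 private:
  std::map<int, std::vector<int>> held_;          // per-thread held locks
  std::set<std::pair<int, int>> edges_;            // held -> acquired
  int inversions_ = 0;
};

// Hypothetical lock ids standing in for the two locks in the report.
enum { kRegionLock = 1, kContextLock = 2 };
enum { kGcThread = 10, kAudioThread = 20 };

// Non-GC path from the crash state (hypothetical model): takes its own lock,
// then touches a CrossThreadPersistent, which needs the region lock.
void ResolvePromisesUnderContextLock(LockOrderTracker& t) {
  t.Acquire(kAudioThread, kContextLock);
  t.Acquire(kAudioThread, kRegionLock);   // CrossThreadPersistent access
  t.Release(kAudioThread, kRegionLock);
  t.Release(kAudioThread, kContextLock);
}

// Before the fix: postGC (finalizers) runs inside the region LockScope.
void GcWithPostGcInsideLockScope(LockOrderTracker& t) {
  t.Acquire(kGcThread, kRegionLock);      // CrossThreadPersistentRegion::LockScope
  // ... marking ...
  t.Acquire(kGcThread, kContextLock);     // finalizer takes the context lock
  t.Release(kGcThread, kContextLock);
  t.Release(kGcThread, kRegionLock);      // LockScope ends
}

// After the fix: the LockScope covers marking only; postGC runs afterwards.
void GcWithPostGcOutsideLockScope(LockOrderTracker& t) {
  t.Acquire(kGcThread, kRegionLock);
  // ... marking ...
  t.Release(kGcThread, kRegionLock);      // LockScope ends before postGC
  t.Acquire(kGcThread, kContextLock);     // finalizer, region lock not held
  t.Release(kGcThread, kContextLock);
}

// Runs the GC path (before or after the fix) followed by the audio-thread
// path and returns how many lock-order inversions the tracker reported.
int CountInversions(bool postGcInsideLockScope) {
  LockOrderTracker tracker;
  if (postGcInsideLockScope) GcWithPostGcInsideLockScope(tracker);
  else GcWithPostGcOutsideLockScope(tracker);
  ResolvePromisesUnderContextLock(tracker);
  return tracker.inversions();
}

int main() {
  std::printf("postGC inside LockScope:  %d inversion(s)\n", CountInversions(true));
  std::printf("postGC outside LockScope: %d inversion(s)\n", CountInversions(false));
  return 0;
}
```

With postGC inside the LockScope the GC path records the edge region -> context and the audio path then records context -> region, so the tracker reports one inversion, exactly the potential deadlock in the issue. Moving postGC outside the LockScope removes the region -> context edge, and the same two paths record no inversion.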
Comment 1 by mummare...@chromium.org, Jan 27 2017

Labels: Test-Predator-Wrong M-58
Owner: keishi@chromium.org
Status: Assigned (was: Untriaged)