Data race in blink::SerializedScriptValue::unregisterMemoryAllocatedByCurrentScriptContext |
Issue description, Mar 10 2017

Detailed report: https://clusterfuzz.com/testcase?key=5829576547893248
Fuzzer: ochang_domfuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 4
Crash Address: 0x7b1400018d80
Crash State:
  blink::SerializedScriptValue::unregisterMemoryAllocatedByCurrentScriptContext
  blink::V8DedicatedWorkerGlobalScope::postMessageMethodCallback
  v8::internal::FunctionCallbackArguments::Call
Sanitizer: thread (TSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=455700:456019
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95soi7ZDxlFvlpmwpj5bTn_vozU7YsSTQKx8SzbYJEidBiXZEmq4ATzUCZi7AafEnrlGPOT3j8QPimZNsz5DM0UkPrJ07QkiULkNRlJUQCL__xLrwmSV98YZtkVzj_RkpRdusk_5WAPlJL3FeSANRNNkcV3Btqj9QaDK9bHKgUrMUa3ISVuY7H4CUTiFWIjAXj6cSH823P_xt_U8kI-kUeA6Hd8QmwSz8dKx5UGK8CCNPJikfVzUIpqiS8Jhjoq5PH6OEO6Fg8Jy-e9gp169DzfZWkRNLh3xf_Kh5g1wRpDsRhtJyIriprzeKNrWE6kx62jAKbgPTFkLJJe0Dxy4kM3xULCPs8xBm8OhcSgPuF_jJAQcLI?testcase_id=5829576547893248

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, Mar 14 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e75f1381dccdeef00b30479ad55432f60ee8db7d

commit e75f1381dccdeef00b30479ad55432f60ee8db7d
Author: sigbjornf <sigbjornf@opera.com>
Date: Tue Mar 14 20:04:39 2017

Accurate transfer of SerializedScriptValue allocation costs.

r456009 added transferring of allocation costs for a SerializedScriptValue and any array buffers that it refers to, transferring that cost from one v8 context to another as part of a postMessage(). The handoff 'protocol' provided there fell short in that it could fail to subtract transferable (array buffer contents) costs in the source context, or end up doing it twice if the postMessage() failed. Bookkeeping confusion resulted.

Rework the mechanism by instead having ArrayBufferContents keep track of its external allocation cost registration status, so as to prevent double discounting. Along with that, it is both safe and accurate to unregister all allocation costs prior to transfer. Should the value successfully be posted to its target context, cost will be registered there. And if not, the value will be destructed (..but without discounting allocation cost yet again.)

R=jbroman,haraken
BUG=700353

Review-Url: https://codereview.chromium.org/2741793003
Cr-Commit-Position: refs/heads/master@{#456800}

[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/core/v8/SerializedScriptValue.cpp
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/core/v8/SerializedScriptValue.h
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/tests/results/core/V8TestObject.cpp
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/wtf/typed_arrays/ArrayBufferContents.cpp
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/wtf/typed_arrays/ArrayBufferContents.h
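The bookkeeping the commit describes, as an added C++ model that is not Blink's code: IsolateModel stands in for a v8 context's external-memory counter, and ArrayBufferContents carries the registration-status flag the fix introduces, so that unregistering before a transfer and destructing a failed value can never discount the same cost twice. The class and function names, the two buffer sizes and the transfer helper are all constructed for this illustration.

```cpp
#include <cstdint>
#include <utility>
#include <vector>

struct IsolateModel { int64_t externalBytes = 0; };  // a v8 context's external-memory counter (model)

// Model of ArrayBufferContents after the fix: it remembers whether its cost is
// currently registered, so registering and unregistering are idempotent.
class ArrayBufferContents {
public:
    explicit ArrayBufferContents(int64_t size) : m_size(size) {}
    void registerCost(IsolateModel& isolate) {
        if (m_registered) return;           // already counted: never count twice
        isolate.externalBytes += m_size;
        m_registered = true;
    }
    void unregisterCost(IsolateModel& isolate) {
        if (!m_registered) return;          // not counted: never discount twice
        isolate.externalBytes -= m_size;
        m_registered = false;
    }
private:
    int64_t m_size;
    bool m_registered = false;
};

// Model of the postMessage() handoff: discount all costs in the source before
// the transfer, and register them in the target only if the post succeeds.
bool transfer(std::vector<ArrayBufferContents>& buffers, IsolateModel& source,
              IsolateModel& target, bool postSucceeds) {
    for (auto& b : buffers) b.unregisterCost(source);
    if (!postSucceeds) return false;        // the value is destructed in the source instead
    for (auto& b : buffers) b.registerCost(target);
    return true;
}

// Two constructed buffers (1024 and 4096 bytes) registered in the source, then
// one transfer attempt. Returns {source bytes, target bytes} afterwards.
std::pair<int64_t, int64_t> runScenario(bool postSucceeds) {
    IsolateModel source, target;
    std::vector<ArrayBufferContents> buffers;
    buffers.emplace_back(1024);
    buffers.emplace_back(4096);
    for (auto& b : buffers) b.registerCost(source);   // source now counts 5120
    if (!transfer(buffers, source, target, postSucceeds)) {
        // Destruction of the failed value: a no-op here, where the old protocol
        // could subtract the already-discounted cost a second time.
        for (auto& b : buffers) b.unregisterCost(source);
    }
    return {source.externalBytes, target.externalBytes};
}
```

In both outcomes the source counter ends at zero and never goes negative; only a successful post moves the 5120 bytes onto the target's counter.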
Comment, Mar 21 2017

ClusterFuzz has detected this issue as fixed in range 458081:458090.

Detailed report: https://clusterfuzz.com/testcase?key=5829576547893248
Fuzzer: ochang_domfuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 4
Crash Address: 0x7b1400018d80
Crash State:
  blink::SerializedScriptValue::unregisterMemoryAllocatedByCurrentScriptContext
  blink::V8DedicatedWorkerGlobalScope::postMessageMethodCallback
  v8::internal::FunctionCallbackArguments::Call
Sanitizer: thread (TSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=455700:456019
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=458081:458090
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95soi7ZDxlFvlpmwpj5bTn_vozU7YsSTQKx8SzbYJEidBiXZEmq4ATzUCZi7AafEnrlGPOT3j8QPimZNsz5DM0UkPrJ07QkiULkNRlJUQCL__xLrwmSV98YZtkVzj_RkpRdusk_5WAPlJL3FeSANRNNkcV3Btqj9QaDK9bHKgUrMUa3ISVuY7H4CUTiFWIjAXj6cSH823P_xt_U8kI-kUeA6Hd8QmwSz8dKx5UGK8CCNPJikfVzUIpqiS8Jhjoq5PH6OEO6Fg8Jy-e9gp169DzfZWkRNLh3xf_Kh5g1wRpDsRhtJyIriprzeKNrWE6kx62jAKbgPTFkLJJe0Dxy4kM3xULCPs8xBm8OhcSgPuF_jJAQcLI?testcase_id=5829576547893248

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by sigbjo...@opera.com, Mar 10 2017