
Issue 700713

Starred by 5 users

Issue metadata

Status: Fixed
Owner: esprehn@chromium.org
Closed: Mar 2017
Components: Blink>Bindings
OS: Linux
Pri: 2
Type: Bug




Data race in blink::ScriptForbiddenScope

Reported by ClusterFuzz (Project Member), Mar 12 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5762329708068864

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 4
Crash Address: 0x7f1e14b96178
Crash State:
  blink::Document::updateStyleAndLayoutTree
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=456256:456287

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv975047IW33NglNqprUDz5GNOSHSD-mqWov1cdQsmciAAHqmJcD3VsSewmco5rN3TdW7mB8vRZ6SPBFIfi5jWwLvV-8xT2NZt0MHDDkmgTW-oSaueEXmen67xF8KVoRzQaPCyTIgDQ9-W0SyCiYHzKkCWGd7lIdXKSHOgysq_aRz2eVLM8VuEFjXScmD06lTdWAMUgBG4Y4g8ZIZbVKlqqpHwlVkWpAcP1cGQlYpiZbaIdodXbvddwgzKJSbFSGASy6Mpv9mZBRP0dxP2AXmNxrRLQARaaJMMa6btjnHBdBHju8Qkj_k1AhVZ3gEtJw2zkxTrH2N2FMBFSnLSqUvS-W2v5buNMSI3OTKI0dA7SiZWYQD-sc?testcase_id=5762329708068864


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by tkent@chromium.org, Mar 13 2017

Components: Blink>Bindings
Summary: Data race in blink::ScriptForbiddenScope (was: Data race in blink::Document::updateStyleAndLayoutTree)

Comment 2 by tkent@chromium.org, Mar 13 2017

 Issue 700716  has been merged into this issue.

Comment 3 by tkent@chromium.org, Mar 13 2017

 Issue 700720  has been merged into this issue.

Comment 4 by tkent@chromium.org, Mar 13 2017

 Issue 700729  has been merged into this issue.

Comment 5 by tkent@chromium.org, Mar 13 2017

 Issue 700749  has been merged into this issue.

Comment 6 by tkent@chromium.org, Mar 13 2017

 Issue 700754  has been merged into this issue.

Comment 7 by tkent@chromium.org, Mar 13 2017

 Issue 700768  has been merged into this issue.

Comment 8 by tkent@chromium.org, Mar 13 2017

 Issue 700775  has been merged into this issue.

Comment 9 by tkent@chromium.org, Mar 13 2017

 Issue 700793  has been merged into this issue.

Comment 10 by tkent@chromium.org, Mar 13 2017

 Issue 700718  has been merged into this issue.

Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong-CLs M-58
Owner: esprehn@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible CL.
Using Code Search for the file, "ScriptForbiddenScope.h" assigning to the concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/3b4b07ced6315a25960ca5a51dd1b7ba88de53db

@esprehn -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Cc: infe...@chromium.org
How do I annotate this as a benign race? It's safe and done for a performance optimization.
Possible fix: https://codereview.chromium.org/2753203002

Waiting on someone to reply to #12 to tell me what the correct thing to do is.

I've replied to the CL, but want to reiterate here: there's no such thing as a benign race, and one should not introduce data races to optimize for performance.

Hope swapping isMainThread() and s_scriptForbiddenCount shall help.

I disagree about the race here, but I'm too tired to argue about it. I reverted it.
Status: Fixed (was: Assigned)
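The following C++ is an added illustration of the shape of the race the comments above argue about; it is not code from the Chromium tree, and the class, function and counter names are assumptions modelled on the identifiers mentioned in this thread. It keeps a plain (non-atomic) counter that only the main thread writes, inside a scope guard, and exposes the predicate in two operand orders: counter first (the "cheap check first" optimisation, which makes every worker thread read a variable the main thread is writing) and isMainThread() first (the order the revert restores, where off-main-thread callers short-circuit and never touch the counter). The instrumentation counter exists only so the difference is observable without ThreadSanitizer; under `clang++ -fsanitize=thread -g`, the counter-first predicate is what produces a report like the one in this issue.

```cpp
// Added model of a main-thread-only counter behind ScriptForbiddenScope.
// Names are assumptions for the illustration, not Blink's actual code.
#include <atomic>
#include <cstddef>
#include <thread>
#include <vector>

namespace demo {

// The thread that ran static initialisation plays the role of the main thread.
static const std::thread::id kMainThreadId = std::this_thread::get_id();

bool IsMainThread() { return std::this_thread::get_id() == kMainThreadId; }

// Plain unsigned, like s_scriptForbiddenCount: written only by the main thread
// inside ScriptForbiddenScope. The main thread's ++/-- is the 4-byte WRITE that
// TSAN reports; the racing partner is any read of it from another thread.
static unsigned s_scriptForbiddenCount = 0;

// Instrumentation only: how many times a non-main thread touched the counter.
// Every one of these accesses is an unsynchronised read of a variable another
// thread writes, i.e. a data race by the C++ memory model.
static std::atomic<size_t> g_off_main_thread_counter_reads{0};

unsigned ReadCounter() {
  if (!IsMainThread())
    g_off_main_thread_counter_reads.fetch_add(1, std::memory_order_relaxed);
  return s_scriptForbiddenCount;
}

class ScriptForbiddenScope {
 public:
  ScriptForbiddenScope() { ++s_scriptForbiddenCount; }  // main thread only
  ~ScriptForbiddenScope() { --s_scriptForbiddenCount; }
};

// Counter-first order: avoids the thread-local lookup in IsMainThread() when
// the counter is zero, but reads the counter from whatever thread asks.
bool IsScriptForbiddenRacy() { return ReadCounter() && IsMainThread(); }

// Thread-check-first order: off the main thread the && short-circuits, so the
// counter is only ever accessed by its single writer. Nothing for TSAN to flag.
bool IsScriptForbiddenSafe() { return IsMainThread() && ReadCounter(); }

// Spin up `workers` threads that poll `predicate` while the main thread keeps
// entering and leaving ScriptForbiddenScope. Must be called from the main
// thread. Returns the number of counter accesses made from non-main threads.
size_t CountOffMainThreadReads(bool (*predicate)(), int workers, int iterations) {
  g_off_main_thread_counter_reads.store(0);
  std::vector<std::thread> pool;
  for (int w = 0; w < workers; ++w) {
    pool.emplace_back([predicate, iterations] {
      for (int i = 0; i < iterations; ++i) predicate();
    });
  }
  for (int i = 0; i < iterations; ++i) {
    ScriptForbiddenScope scope;  // main-thread write, then write on destruction
  }
  for (auto& t : pool) t.join();
  return g_off_main_thread_counter_reads.load();
}

}  // namespace demo

int main() {
  // 4 workers x 1000 polls: every poll of the racy predicate reads the counter
  // off the main thread; the safe predicate never does.
  size_t racy = demo::CountOffMainThreadReads(demo::IsScriptForbiddenRacy, 4, 1000);
  size_t safe = demo::CountOffMainThreadReads(demo::IsScriptForbiddenSafe, 4, 1000);
  return (racy == 4000 && safe == 0) ? 0 : 1;
}
```

Whether the counter-first read is "safe" in practice is beside the point the thread settles on: the C++ memory model makes an unsynchronised read concurrent with a write undefined, so TSAN is right to report it and an annotation would only silence the tool, not the race. If the cheap-check-first ordering is really needed for performance, the counter would have to become an atomic with relaxed loads, which is a different change from the one discussed here.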
Comment 17 by ClusterFuzz (Project Member), Mar 21 2017

ClusterFuzz has detected this issue as fixed in range 458081:458090.

Detailed report: https://clusterfuzz.com/testcase?key=5762329708068864

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 4
Crash Address: 0x7f1e14b96178
Crash State:
  blink::Document::updateStyleAndLayoutTree
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=456256:456287
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=458081:458090

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv975047IW33NglNqprUDz5GNOSHSD-mqWov1cdQsmciAAHqmJcD3VsSewmco5rN3TdW7mB8vRZ6SPBFIfi5jWwLvV-8xT2NZt0MHDDkmgTW-oSaueEXmen67xF8KVoRzQaPCyTIgDQ9-W0SyCiYHzKkCWGd7lIdXKSHOgysq_aRz2eVLM8VuEFjXScmD06lTdWAMUgBG4Y4g8ZIZbVKlqqpHwlVkWpAcP1cGQlYpiZbaIdodXbvddwgzKJSbFSGASy6Mpv9mZBRP0dxP2AXmNxrRLQARaaJMMa6btjnHBdBHju8Qkj_k1AhVZ3gEtJw2zkxTrH2N2FMBFSnLSqUvS-W2v5buNMSI3OTKI0dA7SiZWYQD-sc?testcase_id=5762329708068864


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
