Starred by 3 users
Status: Fixed
Owner:
Closed: Mar 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Mac
Pri: 1
Type: Bug-Security

race on a linked list in third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp
Project Member Reported by kcc@chromium.org, Jan 24 2011
I've got the following race report while running chromium on cross_fuzz under ThreadSanitizer. 

WARNING: Possible data race during write of size 8 at 0x352219A8: {{{                                                                                                                               
   T14 (L{L799}):                                                                                                                                                                                   
    #0  0x21EE98D: releaseLockInfo(ChromiumLockInfo*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:157                                                 
    #1  0x21EF2AB: chromiumClose(sqlite3_file*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:653                                                       
    #2  0x128AA96: sqlite3OsClose third_party/sqlite/src/src/os.c:58                                                                                                                                
    #3  0x1290053: sqlite3PagerClose third_party/sqlite/src/src/pager.c:2655                                                                                                                        
    #4  0x12D8594: sqlite3BtreeClose third_party/sqlite/src/src/btree.c:1982                                                                                                                        
    #5  0x1288760: sqlite3_close third_party/sqlite/src/src/main.c:634                                                                                                                              
    #6  0x21ED6C1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                           
    #7  0x1D8AC64: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                                    
    #8  0x1D942DE: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                            
    #9  0x1D99EEB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                                       
    #10 0x21AD312: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65                                                                                       
    #11 0x406C126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                                 
  Concurrent write(s) happened at (OR AFTER) these points:                                                                                                                                          
   T15 (L{L862}):                                                                                                                                                                                   
    #0  0x21EE989: releaseLockInfo(ChromiumLockInfo*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:157                                                 
    #1  0x21EF2AB: chromiumClose(sqlite3_file*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:653                                                       
    #2  0x128AA96: sqlite3OsClose third_party/sqlite/src/src/os.c:58                                                                                                                                
    #3  0x1290053: sqlite3PagerClose third_party/sqlite/src/src/pager.c:2655                                                                                                                        
    #4  0x12D8594: sqlite3BtreeClose third_party/sqlite/src/src/btree.c:1982                                                                                                                        
    #5  0x1288760: sqlite3_close third_party/sqlite/src/src/main.c:634                                                                                                                              
    #6  0x21ED6C1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                           
    #7  0x1D8AC64: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                                    
    #8  0x1D942DE: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                            
    #9  0x1D99EEB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                                       
    #10 0x21AD312: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65                                                                                       
    #11 0x406C126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                                 
  Location 0x352219A8 is 40 bytes inside a block starting at 0x35221980 of size 56 allocated by T14 from heap:                                                                                      
    #0  0x4073981: malloc /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:410                                                                                                                     
    #1  0x128A705: sqlite3MemMalloc third_party/sqlite/src/src/mem1.c:43                                                                                                                            
    #2  0x1289918: mallocWithAlarm third_party/sqlite/src/src/malloc.c:251                                                                                                                          
    #3  0x1289DD2: sqlite3Malloc third_party/sqlite/src/src/malloc.c:279                                                                                                                            
    #4  0x21EF722: findLockInfo(ChromiumFile*, ChromiumLockInfo**, ChromiumOpenInfo**) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:247                
    #5  0x21EF8AF: fillInChromiumFile(sqlite3_vfs*, int, int, sqlite3_file*, char const*, int) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:911        
    #6  0x21EFA0F: chromiumOpen(sqlite3_vfs*, char const*, sqlite3_file*, int, int*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:1020                 
    #7  0x129078D: sqlite3PagerOpen third_party/sqlite/src/src/pager.c:3236                                                                                                                         
    #8  0x12D86D8: sqlite3BtreeOpen third_party/sqlite/src/src/btree.c:1769                                                                                                                         
    #9  0x1288089: sqlite3BtreeFactory third_party/sqlite/src/src/main.c:1246                                                                                                                       
    #10 0x12894AF: openDatabase third_party/sqlite/src/src/main.c:1643                                                                                                                              
    #11 0x21EE4CB: WebCore::SQLiteFileSystem::openDatabase(WTF::String const&, sqlite3**, bool) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromium.cpp:54             
    #12 0x21ED70C: WebCore::SQLiteDatabase::open(WTF::String const&, bool) third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:69                                                     
    #13 0x1D8ADA8: WebCore::AbstractDatabase::performOpenAndVerify(bool, int&) third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:245                                                   
    #14 0x1D93FC0: WebCore::Database::performOpenAndVerify(bool, int&) third_party/WebKit/Source/WebCore/storage/Database.cpp:247                
  Locks involved in this report (reporting last lock sites): {L799, L862}                                                                                                                           
   L799 (0x35221B88)                                                                                                                                                                                
    #0  0x406ABF6: pthread_mutex_lock /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:891                                                                                                         
    #1  0x128A97C: pthreadMutexEnter third_party/sqlite/src/src/mutex_unix.c:222                                                                                                                    
    #2  0x12886A4: sqlite3_close third_party/sqlite/src/src/main.c:596                                                                                                                              
    #3  0x21ED6C1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                           
    #4  0x1D8AC64: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                                    
    #5  0x1D942DE: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                            
    #6  0x1D99EEB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                                       
    #7  0x21AD312: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65                                                                                       
    #8  0x406C126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                                 
   L862 (0x35220888)                                                                                                                                                                                
    #0  0x406ABF6: pthread_mutex_lock /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:891                                                                                                         
    #1  0x128A97C: pthreadMutexEnter third_party/sqlite/src/src/mutex_unix.c:222                                                                                                                    
    #2  0x12886A4: sqlite3_close third_party/sqlite/src/src/main.c:596                                                                                                                              
    #3  0x21ED6C1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                           
    #4  0x1D8AC64: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                                    
    #5  0x1D942DE: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                            
    #6  0x1D99EEB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                                       
    #7  0x21AD312: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65                                                                                       
    #8  0x406C126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                                 
   Race verifier data: 0x21EE98D,0x21EE989                                                                                                                                                          
}}}                                                                    


Looks like a potential crasher. 

We have at least four crash reports where this stack is present in a non-crashing thread:
http://crash/reportdetail?reportid=221d46cde49c3d47
http://crash/reportdetail?reportid=8bdfad1fc933ee1c
http://crash/reportdetail?reportid=a3da7bf7bdb189dd
http://crash/reportdetail?reportid=0360fdc7f622a86b


I'll be investigating further. 
 
Comment 1 by kcc@chromium.org, Jan 24 2011
Labels: -Pri-2 Pri-1
This is chromium r71787

I've added an innocent-looking sleep inside releaseLockInfo:
--- third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp   (revision 76088)
+++ third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp   (working copy)
@@ -159,6 +159,7 @@
         ASSERT(lockList == pLock);
         lockList = pLock->pNext;
     }
+    usleep(500000);
     if (pLock->pNext) {
         ASSERT(pLock->pNext->pPrev == pLock);
         pLock->pNext->pPrev = pLock->pPrev;
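Review bot: the usleep(500000) is a diagnostic to widen the race window and must not land as-is: it sits after `lockList = pLock->pNext;` has already unlinked the head entry but before `pLock->pNext->pPrev = pLock->pPrev;` repairs the neighbour, so for half a second any concurrent findLockInfo() traversal walks a half-updated list, which is what the memcmp crash inside findLockInfo below demonstrates. It also needs <unistd.h>. The real fix is to bracket the whole list manipulation in releaseLockInfo() and findLockInfo() with the unixEnterMutex()/unixLeaveMutex() equivalent that SQLite's os_unix.c uses around the same code.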



 and run Chrome like this: 
./out/Release/chrome --disable-popup-blocking --no-first-run --user-data-dir=zzz --allow-file-access-from-files file:///home/kcc/chromium/lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20110105_seed.html#485623357

As a result, chrome crashed in a few minutes inside findLockInfo, which proves that the race is harmful. 
findLockInfo can be found in crashes many times (though not in the crashing thread). 

Program terminated with signal 11, Segmentation fault.
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:787
787     ../sysdeps/x86_64/multiarch/memcmp-sse4.S: No such file or directory.
        in ../sysdeps/x86_64/multiarch/memcmp-sse4.S
(gdb) bt
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:787
#1  0x00000000021ef8c0 in findLockInfo (pFile=0x5b3a7f8, ppLock=<value optimized out>, ppOpen=0x5b3a800)
    at third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:257
#2  0x00000000021efa64 in fillInChromiumFile (pVfs=<value optimized out>, h=21, dirfd=-1, pId=<value optimized out>, zFilename=0x5b3a888 "file__0/[object NamedNodeMap]#", noLock=0)
    at third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:926
#3  0x00000000021efbc4 in chromiumOpen (vfs=<value optimized out>, fileName=0x5b3a888 "file__0/[object NamedNodeMap]#", id=0x5b3a7f8, desiredFlags=262, usedFlags=<value optimized out>)
    at third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:1035
#4  0x0000000001290792 in sqlite3PagerOpen (pVfs=0x3f8fec0, ppPager=<value optimized out>, zFilename=0x54c6da0 "file__0/[object NamedNodeMap]#", nExtra=<value optimized out>, 
    flags=<value optimized out>, vfsFlags=<value optimized out>, xReinit=0x12d3a40 <pageReinit>) at third_party/sqlite/src/src/pager.c:3236
#5  0x00000000012d86dd in sqlite3BtreeOpen (zFilename=0x54c6da0 "file__0/[object NamedNodeMap]#", db=0x5b4a008, ppBtree=0x5b4a2c8, flags=<value optimized out>, vfsFlags=<value optimized out>)
    at third_party/sqlite/src/src/btree.c:1769
#6  0x000000000128808e in sqlite3BtreeFactory (db=0x5b4a008, zFilename=0x54c6da0 "file__0/[object NamedNodeMap]#", omitJournal=<value optimized out>, nCache=2000, vfsFlags=95660168, 
    ppBtree=0x5b4a2c8) at third_party/sqlite/src/src/main.c:1246
#7  0x00000000012894b4 in openDatabase (zFilename=0x54c6da0 "file__0/[object NamedNodeMap]#", ppDb=0x63a51b0, flags=6, zVfs=<value optimized out>) at third_party/sqlite/src/src/main.c:1643
#8  0x00000000021ee500 in WebCore::SQLiteFileSystem::openDatabase (fileName=<value optimized out>, database=0x63a51b0, forWebSQLDatabase=<value optimized out>)
    at third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromium.cpp:54
#9  0x00000000021ed741 in WebCore::SQLiteDatabase::open (this=0x63a51b0, filename=..., forWebSQLDatabase=16) at third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:69
#10 0x0000000001d8addd in WebCore::AbstractDatabase::performOpenAndVerify (this=0x63a5160, shouldSetVersionInNewDatabase=true, ec=@0x7ffffa0b010c)
    at third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:245
#11 0x0000000001d93ff5 in WebCore::Database::performOpenAndVerify (this=0x7fb6b276d7d0, setVersionInNewDatabase=111, e=@0x10) at third_party/WebKit/Source/WebCore/storage/Database.cpp:247
#12 0x0000000001d97320 in WebCore::Database::DatabaseOpenTask::doPerformTask (this=0x5d62510) at third_party/WebKit/Source/WebCore/storage/DatabaseTask.cpp:108
#13 0x0000000001d976ae in WebCore::DatabaseTask::performTask (this=0x5d62510) at third_party/WebKit/Source/WebCore/storage/DatabaseTask.cpp:84
#14 0x0000000001d99e58 in WebCore::DatabaseThread::databaseThread (this=0x5b3cd00) at third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:107
#15 0x00000000021ad345 in WTF::threadEntryPoint (contextData=0x638a400) at third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65
#16 0x00007fb6e227a9ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
#17 0x00007fb6df92770d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112


Raising to Pri-1 and passing to eroman@

Comment 2 by kcc@chromium.org, Jan 24 2011
Comment 3 by jorlow@chromium.org, Jan 24 2011
I've actually never worked with this code.

Michael is probably the better person.  But if he doesn't know this code, then it's likely no one (still working on Chromium) does.
There was a code change to this last fall such that we're no longer using SQLite's implementation as directly as we were before. The bulk of this code seems to have been copied from sqlite3's os_unix.c file, but with some modifications. What's most conspicuous is that the unixEnterMutex() and unixLeaveMutex() calls in the os_unix.c are missing from our copy of this code?

@pawel (cc'd), can you comment on the history of these changes? What happened to that mutex?
Thank you for detecting this issue. Yes, I made a change that moved some sqlite code to our webkit port, see issue 22208 and http://trac.webkit.org/changeset/68310

I removed some "unrelated" parts of original os_unix.c file to simplify the patch. I was told that the code inside WebKit will always run single-threaded, so the mutexes were among the things I left out.

This bug probably indicates that was wrong. Fixing it may be non-trivial, so feel free to revert the webkit change, and any of the chromium changes from issue 22208 that would otherwise break compilation (and re-open that issue so I can fix it later in a better way).
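The os_unix.c pattern under discussion, as an added example that is not WebKit, Chromium or SQLite code: a global doubly linked list of per-inode lock entries, shared by every open file on the same (dev, ino), with the lookup and release paths bracketed by the enter/leave mutex pair that the WebKit copy dropped. The names lockList, findLockInfo, releaseLockInfo, lockListLength, stressLockList and g_use_mutex are hypothetical stand-ins for the functions in the report, and the (dev, ino) keys and the thread workload are constructed for the example. Setting g_use_mutex to 0 leaves the list unguarded, which is the state the TSan report describes.

```c
/* Added example (not Chromium/WebKit/SQLite code): an inode-keyed lock-info
 * list in the shape of SQLite's os_unix.c, with the mutex guard the WebKit
 * copy left out. All names are hypothetical stand-ins. */
#include <assert.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* One entry per open (dev, ino); every sqlite3_file on that inode shares it. */
typedef struct LockInfo {
    unsigned long dev, ino;          /* lookup key (the report's memcmp compares this) */
    int nRef;                        /* open files currently sharing this entry */
    struct LockInfo *pNext, *pPrev;  /* the doubly linked list the race corrupted */
} LockInfo;

static LockInfo *lockList = NULL;    /* global list head, as in the report */
static pthread_mutex_t listMutex = PTHREAD_MUTEX_INITIALIZER;
static int g_use_mutex = 1;          /* 0 reproduces the unguarded copy (data race) */

/* Stand-ins for os_unix.c's unixEnterMutex()/unixLeaveMutex(). */
static void enterMutex(void) { if (g_use_mutex) pthread_mutex_lock(&listMutex); }
static void leaveMutex(void) { if (g_use_mutex) pthread_mutex_unlock(&listMutex); }

/* Like findLockInfo(): find the entry for (dev, ino) or create it; take a reference. */
LockInfo *findLockInfo(unsigned long dev, unsigned long ino) {
    enterMutex();
    LockInfo *p = lockList;
    while (p && (p->dev != dev || p->ino != ino)) p = p->pNext;   /* the traversal that crashed */
    if (!p) {
        p = calloc(1, sizeof *p);
        if (!p) { leaveMutex(); return NULL; }
        p->dev = dev;
        p->ino = ino;
        p->pNext = lockList;                 /* push at head */
        if (lockList) lockList->pPrev = p;
        lockList = p;
    }
    p->nRef++;
    leaveMutex();
    return p;
}

/* Like releaseLockInfo(): drop a reference; unlink and free on the last one. */
void releaseLockInfo(LockInfo *p) {
    enterMutex();
    if (--p->nRef == 0) {
        if (p->pPrev) { assert(p->pPrev->pNext == p); p->pPrev->pNext = p->pNext; }
        else          { assert(lockList == p);        lockList = p->pNext; }
        if (p->pNext) { assert(p->pNext->pPrev == p); p->pNext->pPrev = p->pPrev; }
        free(p);
    }
    leaveMutex();
}

/* Number of entries linked; 0 means every find was matched by a release. */
int lockListLength(void) {
    int n = 0;
    enterMutex();
    for (LockInfo *p = lockList; p; p = p->pNext) n++;
    leaveMutex();
    return n;
}

/* Two opens of the same inode share one entry; the second close frees it. */
int sameInodeShares(void) {
    LockInfo *a = findLockInfo(7, 42);
    LockInfo *b = findLockInfo(7, 42);
    int ok = (a != NULL && a == b && a->nRef == 2 && lockListLength() == 1);
    releaseLockInfo(a);
    ok = ok && lockListLength() == 1;    /* still referenced through b */
    releaseLockInfo(b);
    ok = ok && lockListLength() == 0;    /* last close unlinked and freed it */
    return ok;
}

/* Worker: open and close a few inodes repeatedly, like several DatabaseThreads
 * closing databases at once. */
static void *worker(void *arg) {
    int iters = *(int *)arg;
    for (int i = 0; i < iters; i++) {
        LockInfo *p = findLockInfo(1, (unsigned long)(i % 4));
        if (p) releaseLockInfo(p);
    }
    return NULL;
}

/* Run nthreads workers concurrently; returns 1 if the list is empty afterwards. */
int stressLockList(int nthreads, int iters) {
    pthread_t th[64];
    if (nthreads > 64) nthreads = 64;
    for (int i = 0; i < nthreads; i++) pthread_create(&th[i], NULL, worker, &iters);
    for (int i = 0; i < nthreads; i++) pthread_join(th[i], NULL);
    return lockListLength() == 0;
}

int main(void) {
    printf("same inode shares one entry: %d\n", sameInodeShares());
    printf("8 threads, list empty afterwards: %d\n", stressLockList(8, 20000));
    return 0;
}
```

Build with -pthread. With the mutex in place, stressLockList() leaves the list empty whatever the thread count; with g_use_mutex set to 0 the same workload is a data race on pNext/pPrev and on lockList itself, and the assert() calls in releaseLockInfo are the same consistency checks the ASSERTs in the comment 1 diff perform.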
Comment 7 by michaeln@google.com, Jan 25 2011
> I was told that the code inside WebKit will always run single-threaded

Whoa... that's definitely not the case?

> This bug probably indicates that was wrong. Fixing it may be non-trivial,
> so feel free to revert the webkit change, and any of the chromium changes
> from issue 22208 that would otherwise break compilation (and re-open that
> issue so I can fix it later in a better way)

Reverting two-sided patches can be non-trivial in and of itself, especially since there have been months worth of changes since these changes landed.

@pawel, can i assign this to you to take care of, to either fix it or back it out?
Comment 8 by jorlow@chromium.org, Jan 25 2011
@pawel: Ironically most of the non-single-threaded code in WebKit is for interacting with SQLite.  :-)
My plan is to back out the brokenness, and fix it properly later.
Project Member Comment 11 by bugdroid1@chromium.org, Jan 26 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=72673

------------------------------------------------------------------------
r72673 | phajdan.jr@chromium.org | Wed Jan 26 11:58:51 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/sqlite/src/src/os_unix.c?r1=72673&r2=72672&pathrev=72673
 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/sqlite/README.chromium?r1=72673&r2=72672&pathrev=72673

Prepare to revert WebKit patch http://trac.webkit.org/changeset/68310 because of stability issues (race conditions detected by tsan, possibly leading to crashes).

Revert "Update sqlite's README.chromium with a note to keep webkit side" (http://crrev.com/62151).

Revert "Remove our local modifications to sqlite's os_unix.c now that" (http://crrev.com/60761).

BUG=70589, 22208
TEST=none

Review URL: http://codereview.chromium.org/6330011
------------------------------------------------------------------------
Comment 12 by karen@chromium.org, Jan 26 2011
Labels: Mstone-X
Comment 13 by kcc@chromium.org, Jan 27 2011
I've just got the following report. It might be caused by the same reason. If not, we will have to track it separately. 

==27030== WARNING: Possible data race during read of size 8 at 0x109127F0: {{{                                                                                                                      
==27030==    T10 (L{L656}):                                                                                                                                                                         
==27030==     #0  0x21D1EF0: releaseOpenInfo(ChromiumOpenInfo*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:181                                       
==27030==     #1  0x21D27C4: chromiumClose(sqlite3_file*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:655                                             
==27030==     #2  0x12C4196: sqlite3OsClose third_party/sqlite/src/src/os.c:58                                                                                                                      
==27030==     #3  0x12C9753: sqlite3PagerClose third_party/sqlite/src/src/pager.c:2655                                                                                                              
==27030==     #4  0x1311C94: sqlite3BtreeClose third_party/sqlite/src/src/btree.c:1982                                                                                                              
==27030==     #5  0x12C1E60: sqlite3_close third_party/sqlite/src/src/main.c:634                                                                                                                    
==27030==     #6  0x21D0BF1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                 
==27030==     #7  0x1D88604: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                          
==27030==     #8  0x1D9156E: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                  
==27030==     #9  0x1D968BB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                             
==27030==     #10 0x2191332: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:67                                                                             
==27030==     #11 0x406D126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                       
==27030==   Concurrent write(s) happened at (OR AFTER) these points:                                                                                                                                
==27030==    T11 (L{L681}):                                                                                                                                                                         
==27030==     #0  0x21D1F0A: releaseOpenInfo(ChromiumOpenInfo*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:190                                       
==27030==     #1  0x21D27C4: chromiumClose(sqlite3_file*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:655                                             
==27030==     #2  0x12C4196: sqlite3OsClose third_party/sqlite/src/src/os.c:58                                                                                                                      
==27030==     #3  0x12C9753: sqlite3PagerClose third_party/sqlite/src/src/pager.c:2655                                                                                                              
==27030==     #4  0x1311C94: sqlite3BtreeClose third_party/sqlite/src/src/btree.c:1982                                                                                                              
==27030==     #5  0x12C1E60: sqlite3_close third_party/sqlite/src/src/main.c:634                                                                                                                    
==27030==     #6  0x21D0BF1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                 
==27030==     #7  0x1D88604: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                          
==27030==     #8  0x1D9156E: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                  
==27030==     #9  0x1D968BB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                             
==27030==     #10 0x2191332: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:67                                                                             
==27030==     #11 0x406D126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                       
==27030==   Location 0x109127F0 is 48 bytes inside a block starting at 0x109127C0 of size 56 allocated by T10 from heap:                                                                            
==27030==     #0  0x4074981: malloc /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:410                                                                                                           
==27030==     #1  0x12C3E05: sqlite3MemMalloc third_party/sqlite/src/src/mem1.c:43                                                                                                                  
==27030==     #2  0x12C3018: mallocWithAlarm third_party/sqlite/src/src/malloc.c:251                                                                                                                
==27030==     #3  0x12C34D2: sqlite3Malloc third_party/sqlite/src/src/malloc.c:279                                                                                                                  
==27030==     #4  0x21D2CE3: findLockInfo(ChromiumFile*, ChromiumLockInfo**, ChromiumOpenInfo**) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:271      
==27030==     #5  0x21D2DBF: fillInChromiumFile(sqlite3_vfs*, int, int, sqlite3_file*, char const*, int) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:»
==27030==     #6  0x21D2EEC: chromiumOpen(sqlite3_vfs*, char const*, sqlite3_file*, int, int*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:1021       
==27030==     #7  0x12C9E8D: sqlite3PagerOpen third_party/sqlite/src/src/pager.c:3236                                                                                                               
==27030==     #8  0x1311DD8: sqlite3BtreeOpen third_party/sqlite/src/src/btree.c:1769                                                                                                               
==27030==     #9  0x12C1789: sqlite3BtreeFactory third_party/sqlite/src/src/main.c:1246                                                                                                             
==27030==     #10 0x12C2BAF: openDatabase third_party/sqlite/src/src/main.c:1643                                                                                                                    
==27030==     #11 0x21D1A33: WebCore::SQLiteFileSystem::openDatabase(WTF::String const&, sqlite3**, bool) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromium.cpp:54   
==27030==     #12 0x21D0C3C: WebCore::SQLiteDatabase::open(WTF::String const&, bool) third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:69                                           
==27030==     #13 0x1D88748: WebCore::AbstractDatabase::performOpenAndVerify(bool, int&) third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:245                                         
==27030==     #14 0x1D91250: WebCore::Database::performOpenAndVerify(bool, int&) third_party/WebKit/Source/WebCore/storage/Database.cpp:247                          



Status: Started
Tony Chang reverted my WebKit patch in http://trac.webkit.org/changeset/76713 . I think we rolled webkit in chromium past 76713. Could you check with the latest trunk?
Comment 15 by kcc@chromium.org, Jan 27 2011
yes, with chromium r72792 / WebKit r76718 this code is gone, so there is no race on it any more. 

Status: Fixed
Labels: SecSeverity-Critical Security Restrict-View-SecurityTeam
Status: WillMerge
This is a critical security issue; the fixes need to be merged to m9 and m10. Just to clarify, this affects only Linux?
I think it affects both Linux and Mac.
Labels: OS-Mac OS-Linux
On the bright side, that means a lot fewer users were exposed than if it had been in Windows.
Labels: -Mstone-X -SecSeverity-Critical Mstone-9 SecSeverity-High
@jschuh -- are you sure this is critical? I think this might be part of HTML5 WebDatabase, which actually runs the SQLite code in the renderer (thank goodness!)
Moving to High, but feel free to put it back to Critical with a justification if I've missed some earlier conversation.
@phajdan.jr - can you please confirm that the patch to be merged to m9 and m10 is just WebKit revision r76713? Also, how risky is this merge, since it is a rollout?
Had a chat with @phajdan.jr; this needs both Chromium r72673 and WebKit r76713. I think a better timeframe for this is the next m9 patch (m9p3). Will merge it at that time.
Labels: -Mstone-9 Mstone-10
Labels: -Mstone-10 -Restrict-View-SecurityTeam Mstone-11 Restrict-View-SecurityNotify
Status: FixUnreleased
Labels: -ThreadSanitizer bulkmove Type-Regression
Looks like a potential crasher. 

We have at least four crash reports where this stack is present in a non-crashing thread:
http://crash/reportdetail?reportid=221d46cde49c3d47
http://crash/reportdetail?reportid=8bdfad1fc933ee1c
http://crash/reportdetail?reportid=a3da7bf7bdb189dd
http://crash/reportdetail?reportid=0360fdc7f622a86b


I'll be investigating further.
Labels: -Crash Stability-Crash
Labels: Type-Security
Labels: -SecSeverity-High SecSeverity-Medium CVE-2011-1305
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member Comment 33 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 34 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -Mstone-11 -SecSeverity-Medium -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-Medium Type-Bug-Security M-11
Project Member Comment 35 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 36 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 37 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 38 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 39 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 40 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic