Issue metadata

Status: Fixed
Closed: Mar 2011
OS: Linux, Mac
Pri: 1
Type: Bug-Security


race on a linked list in third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp

Reported by kcc@chromium.org, Jan 24 2011

Issue description

I've got the following race report while running chromium on cross_fuzz under ThreadSanitizer. 

WARNING: Possible data race during write of size 8 at 0x352219A8: {{{                                                                                                                               
   T14 (L{L799}):                                                                                                                                                                                   
    #0  0x21EE98D: releaseLockInfo(ChromiumLockInfo*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:157                                                 
    #1  0x21EF2AB: chromiumClose(sqlite3_file*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:653                                                       
    #2  0x128AA96: sqlite3OsClose third_party/sqlite/src/src/os.c:58                                                                                                                                
    #3  0x1290053: sqlite3PagerClose third_party/sqlite/src/src/pager.c:2655                                                                                                                        
    #4  0x12D8594: sqlite3BtreeClose third_party/sqlite/src/src/btree.c:1982                                                                                                                        
    #5  0x1288760: sqlite3_close third_party/sqlite/src/src/main.c:634                                                                                                                              
    #6  0x21ED6C1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                           
    #7  0x1D8AC64: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                                    
    #8  0x1D942DE: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                            
    #9  0x1D99EEB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                                       
    #10 0x21AD312: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65                                                                                       
    #11 0x406C126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                                 
  Concurrent write(s) happened at (OR AFTER) these points:                                                                                                                                          
   T15 (L{L862}):                                                                                                                                                                                   
    #0  0x21EE989: releaseLockInfo(ChromiumLockInfo*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:157                                                 
    #1  0x21EF2AB: chromiumClose(sqlite3_file*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:653                                                       
    #2  0x128AA96: sqlite3OsClose third_party/sqlite/src/src/os.c:58                                                                                                                                
    #3  0x1290053: sqlite3PagerClose third_party/sqlite/src/src/pager.c:2655                                                                                                                        
    #4  0x12D8594: sqlite3BtreeClose third_party/sqlite/src/src/btree.c:1982                                                                                                                        
    #5  0x1288760: sqlite3_close third_party/sqlite/src/src/main.c:634                                                                                                                              
    #6  0x21ED6C1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                           
    #7  0x1D8AC64: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                                    
    #8  0x1D942DE: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                            
    #9  0x1D99EEB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                                       
    #10 0x21AD312: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65                                                                                       
    #11 0x406C126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                                 
  Location 0x352219A8 is 40 bytes inside a block starting at 0x35221980 of size 56 allocated by T14 from heap:                                                                                      
    #0  0x4073981: malloc /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:410                                                                                                                     
    #1  0x128A705: sqlite3MemMalloc third_party/sqlite/src/src/mem1.c:43                                                                                                                            
    #2  0x1289918: mallocWithAlarm third_party/sqlite/src/src/malloc.c:251                                                                                                                          
    #3  0x1289DD2: sqlite3Malloc third_party/sqlite/src/src/malloc.c:279                                                                                                                            
    #4  0x21EF722: findLockInfo(ChromiumFile*, ChromiumLockInfo**, ChromiumOpenInfo**) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:247                
    #5  0x21EF8AF: fillInChromiumFile(sqlite3_vfs*, int, int, sqlite3_file*, char const*, int) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:911        
    #6  0x21EFA0F: chromiumOpen(sqlite3_vfs*, char const*, sqlite3_file*, int, int*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:1020                 
    #7  0x129078D: sqlite3PagerOpen third_party/sqlite/src/src/pager.c:3236                                                                                                                         
    #8  0x12D86D8: sqlite3BtreeOpen third_party/sqlite/src/src/btree.c:1769                                                                                                                         
    #9  0x1288089: sqlite3BtreeFactory third_party/sqlite/src/src/main.c:1246                                                                                                                       
    #10 0x12894AF: openDatabase third_party/sqlite/src/src/main.c:1643                                                                                                                              
    #11 0x21EE4CB: WebCore::SQLiteFileSystem::openDatabase(WTF::String const&, sqlite3**, bool) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromium.cpp:54             
    #12 0x21ED70C: WebCore::SQLiteDatabase::open(WTF::String const&, bool) third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:69                                                     
    #13 0x1D8ADA8: WebCore::AbstractDatabase::performOpenAndVerify(bool, int&) third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:245                                                   
    #14 0x1D93FC0: WebCore::Database::performOpenAndVerify(bool, int&) third_party/WebKit/Source/WebCore/storage/Database.cpp:247                
  Locks involved in this report (reporting last lock sites): {L799, L862}                                                                                                                           
   L799 (0x35221B88)                                                                                                                                                                                
    #0  0x406ABF6: pthread_mutex_lock /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:891                                                                                                         
    #1  0x128A97C: pthreadMutexEnter third_party/sqlite/src/src/mutex_unix.c:222                                                                                                                    
    #2  0x12886A4: sqlite3_close third_party/sqlite/src/src/main.c:596                                                                                                                              
    #3  0x21ED6C1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                           
    #4  0x1D8AC64: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                                    
    #5  0x1D942DE: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                            
    #6  0x1D99EEB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                                       
    #7  0x21AD312: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65                                                                                       
    #8  0x406C126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                                 
   L862 (0x35220888)                                                                                                                                                                                
    #0  0x406ABF6: pthread_mutex_lock /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:891                                                                                                         
    #1  0x128A97C: pthreadMutexEnter third_party/sqlite/src/src/mutex_unix.c:222                                                                                                                    
    #2  0x12886A4: sqlite3_close third_party/sqlite/src/src/main.c:596                                                                                                                              
    #3  0x21ED6C1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                           
    #4  0x1D8AC64: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                                    
    #5  0x1D942DE: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                            
    #6  0x1D99EEB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                                       
    #7  0x21AD312: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65                                                                                       
    #8  0x406C126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                                 
   Race verifier data: 0x21EE98D,0x21EE989                                                                                                                                                          
}}}                                                                    


Looks like a potential crasher. 

We have at least four crash reports where this stack is present in a non-crashing thread:
http://crash/reportdetail?reportid=221d46cde49c3d47
http://crash/reportdetail?reportid=8bdfad1fc933ee1c
http://crash/reportdetail?reportid=a3da7bf7bdb189dd
http://crash/reportdetail?reportid=0360fdc7f622a86b


I'll be investigating further. 
 

Comment 1 by kcc@chromium.org, Jan 24 2011

Labels: -Pri-2 Pri-1
This is chromium r71787

I've added an innocent-looking sleep inside releaseLockInfo:
--- third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp   (revision 76088)
+++ third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp   (working copy)
@@ -159,6 +159,7 @@
         ASSERT(lockList == pLock);
         lockList = pLock->pNext;
     }
+    usleep(500000);
     if (pLock->pNext) {
         ASSERT(pLock->pNext->pPrev == pLock);
         pLock->pNext->pPrev = pLock->pPrev;
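Review bot: the added usleep(500000) sits between the two halves of the unlink, the head/predecessor update (`lockList = pLock->pNext;` in the context above it) and the successor fix-up (`pLock->pNext->pPrev = pLock->pPrev;` below it), and nothing in the hunk takes a lock around either half, so for that half second any other thread entering releaseLockInfo or walking lockList in findLockInfo sees a list whose head and neighbour pointers disagree. That makes it a good race amplifier for a reproduction, but it is diagnostic code and must not land, and it proves only that the window is unprotected, not which concurrent caller corrupts the list. The durable change is the one the thread points at: hold the list mutex across the whole nRef decrement and unlink, as os_unix.c does with unixEnterMutex()/unixLeaveMutex(), at which point the two ASSERTs in this hunk become real invariants instead of racy reads.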



 and run Chrome like this: 
./out/Release/chrome --disable-popup-blocking --no-first-run --user-data-dir=zzz --allow-file-access-from-files file:///home/kcc/chromium/lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20110105_seed.html#485623357

As a result, chrome crashed in a few minutes inside findLockInfo, which proves that the race is harmful. 
 findLockInfo could be found in crashes many times (though not in the crashing thread). 

Program terminated with signal 11, Segmentation fault.
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:787
787     ../sysdeps/x86_64/multiarch/memcmp-sse4.S: No such file or directory.
        in ../sysdeps/x86_64/multiarch/memcmp-sse4.S
(gdb) bt
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:787
#1  0x00000000021ef8c0 in findLockInfo (pFile=0x5b3a7f8, ppLock=<value optimized out>, ppOpen=0x5b3a800)
    at third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:257
#2  0x00000000021efa64 in fillInChromiumFile (pVfs=<value optimized out>, h=21, dirfd=-1, pId=<value optimized out>, zFilename=0x5b3a888 "file__0/[object NamedNodeMap]#", noLock=0)
    at third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:926
#3  0x00000000021efbc4 in chromiumOpen (vfs=<value optimized out>, fileName=0x5b3a888 "file__0/[object NamedNodeMap]#", id=0x5b3a7f8, desiredFlags=262, usedFlags=<value optimized out>)
    at third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:1035
#4  0x0000000001290792 in sqlite3PagerOpen (pVfs=0x3f8fec0, ppPager=<value optimized out>, zFilename=0x54c6da0 "file__0/[object NamedNodeMap]#", nExtra=<value optimized out>, 
    flags=<value optimized out>, vfsFlags=<value optimized out>, xReinit=0x12d3a40 <pageReinit>) at third_party/sqlite/src/src/pager.c:3236
#5  0x00000000012d86dd in sqlite3BtreeOpen (zFilename=0x54c6da0 "file__0/[object NamedNodeMap]#", db=0x5b4a008, ppBtree=0x5b4a2c8, flags=<value optimized out>, vfsFlags=<value optimized out>)
    at third_party/sqlite/src/src/btree.c:1769
#6  0x000000000128808e in sqlite3BtreeFactory (db=0x5b4a008, zFilename=0x54c6da0 "file__0/[object NamedNodeMap]#", omitJournal=<value optimized out>, nCache=2000, vfsFlags=95660168, 
    ppBtree=0x5b4a2c8) at third_party/sqlite/src/src/main.c:1246
#7  0x00000000012894b4 in openDatabase (zFilename=0x54c6da0 "file__0/[object NamedNodeMap]#", ppDb=0x63a51b0, flags=6, zVfs=<value optimized out>) at third_party/sqlite/src/src/main.c:1643
#8  0x00000000021ee500 in WebCore::SQLiteFileSystem::openDatabase (fileName=<value optimized out>, database=0x63a51b0, forWebSQLDatabase=<value optimized out>)
    at third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromium.cpp:54
#9  0x00000000021ed741 in WebCore::SQLiteDatabase::open (this=0x63a51b0, filename=..., forWebSQLDatabase=16) at third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:69
#10 0x0000000001d8addd in WebCore::AbstractDatabase::performOpenAndVerify (this=0x63a5160, shouldSetVersionInNewDatabase=true, ec=@0x7ffffa0b010c)
    at third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:245
#11 0x0000000001d93ff5 in WebCore::Database::performOpenAndVerify (this=0x7fb6b276d7d0, setVersionInNewDatabase=111, e=@0x10) at third_party/WebKit/Source/WebCore/storage/Database.cpp:247
#12 0x0000000001d97320 in WebCore::Database::DatabaseOpenTask::doPerformTask (this=0x5d62510) at third_party/WebKit/Source/WebCore/storage/DatabaseTask.cpp:108
#13 0x0000000001d976ae in WebCore::DatabaseTask::performTask (this=0x5d62510) at third_party/WebKit/Source/WebCore/storage/DatabaseTask.cpp:84
#14 0x0000000001d99e58 in WebCore::DatabaseThread::databaseThread (this=0x5b3cd00) at third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:107
#15 0x00000000021ad345 in WTF::threadEntryPoint (contextData=0x638a400) at third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:65
#16 0x00007fb6e227a9ca in start_thread (arg=<value optimized out>) at pthread_create.c:300
#17 0x00007fb6df92770d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112


Raising to Pri-1 and passing to eroman@

Comment 2 by kcc@chromium.org, Jan 24 2011

Comment 3 by jorlow@chromium.org, Jan 24 2011

I've actually never worked with this code.

Michael is probably the better person.  But if he doesn't know this code, then it's likely no one (still working on Chromium) does.
There was a code change to this last fall such that we're no longer using SQLite's implementation as directly as we were before. The bulk of this code seems to have been copied from sqlite3's os_unix.c file, but with some modifications. What's most conspicuous is that the unixEnterMutex() and unixLeaveMutex() calls in the os_unix.c are missing from our copy of this code?

@pawel (cc'd), can you comment on the history of these changes? What happened to that mutex?

Thank you for detecting this issue. Yes, I made a change that moved some sqlite code to our webkit port, see  issue 22208  and http://trac.webkit.org/changeset/68310

I removed some "unrelated" parts of original os_unix.c file to simplify the patch. I was told that the code inside WebKit will always run single-threaded, so the mutexes were among the things I left out.

This bug probably indicates that was wrong. Fixing it may be non-trivial, so feel free to revert the webkit change, and any of the chromium changes from  issue 22208  that would otherwise break compilation (and re-open that issue so I can fix it later in a better way).
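The following is an added example, not code from Chromium, WebKit or SQLite. It models the lockList unlink in releaseLockInfo() that Comment 1 widened with usleep(), replays the two-thread interleaving deterministically on one thread so the dangling head pointer can be observed without a crash, and places the same release under a mutex in the way the unixEnterMutex()/unixLeaveMutex() calls discussed above would, then stresses that version from several threads. All names (LockInfo, lockList, release_unguarded, release_guarded, find_lock_info_guarded) and the integer lock key standing in for (dev, ino) are hypothetical.

```c
/* Added example (not Chromium/WebKit/SQLite code): a model of the lockList unlink in
 * releaseLockInfo(), the race the usleep() exposed, and the mutex-guarded fix.
 * All names here are hypothetical. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct LockInfo {
    int key;                  /* stands in for the (dev, ino) lock key */
    int nRef;                 /* open files sharing this node */
    int freed;                /* set by the unguarded path instead of free(), keeps the replay defined */
    struct LockInfo *pPrev;
    struct LockInfo *pNext;
} LockInfo;

static LockInfo *lockList;    /* global list head, as in os_unix.c */
static pthread_mutex_t listMutex = PTHREAD_MUTEX_INITIALIZER;

/* First half of the unlink: detach from the predecessor, or move the head. */
static void unlink_head_side(LockInfo *p) {
    if (p->pPrev) p->pPrev->pNext = p->pNext;
    else          lockList = p->pNext;
}

/* Second half of the unlink: fix up the successor's back pointer. */
static void unlink_tail_side(LockInfo *p) {
    if (p->pNext) p->pNext->pPrev = p->pPrev;
}

/* The racy shape: refcount and both unlink halves run with no lock held. */
static void release_unguarded(LockInfo *p) {
    if (--p->nRef == 0) {
        unlink_head_side(p);
        unlink_tail_side(p);
        p->freed = 1;         /* model of sqlite3_free(p) */
    }
}

/* The fix: the whole decrement-and-unlink is one critical section. */
static void release_guarded(LockInfo *p) {
    pthread_mutex_lock(&listMutex);
    if (--p->nRef == 0) {
        unlink_head_side(p);
        unlink_tail_side(p);
        free(p);
    }
    pthread_mutex_unlock(&listMutex);
}

/* Find-or-insert under the same mutex; the list walk is where findLockInfo() crashed. */
static LockInfo *find_lock_info_guarded(int key) {
    pthread_mutex_lock(&listMutex);
    LockInfo *p;
    for (p = lockList; p && p->key != key; p = p->pNext) {}
    if (!p) {
        p = calloc(1, sizeof *p);
        p->key = key;
        p->pNext = lockList;
        if (lockList) lockList->pPrev = p;
        lockList = p;
    }
    p->nRef++;
    pthread_mutex_unlock(&listMutex);
    return p;
}

/* Replays, on one thread, two unguarded releases of neighbours A and B: thread A is
 * preempted between the two unlink halves (the usleep() point in Comment 1), thread B
 * finishes its release, then A resumes. Returns 1 if lockList now points at a freed node. */
static int replay_unguarded_race(void) {
    LockInfo a = { .key = 1, .nRef = 1 }, b = { .key = 2, .nRef = 1 }, c = { .key = 3, .nRef = 1 };
    a.pNext = &b; b.pPrev = &a; b.pNext = &c; c.pPrev = &b;
    lockList = &a;
    a.nRef--; unlink_head_side(&a);    /* thread A: lockList = &b, then preempted */
    release_unguarded(&b);             /* thread B: unlinks b and "frees" it */
    unlink_tail_side(&a); a.freed = 1; /* thread A resumes and "frees" a */
    int dangling = (lockList != NULL && lockList->freed);
    lockList = NULL;
    return dangling;                   /* 1: the next findLockInfo() walk would read freed memory */
}

/* Stress the guarded version: threads repeatedly open and close files sharing four
 * lock keys. Returns 1 if every node was released and the list ends empty. */
#define NTHREADS 8
#define ITERS 5000
static void *worker(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERS; i++) release_guarded(find_lock_info_guarded(i % 4));
    return NULL;
}
static int stress_guarded(void) {
    pthread_t th[NTHREADS];
    for (int i = 0; i < NTHREADS; i++) pthread_create(&th[i], NULL, worker, NULL);
    for (int i = 0; i < NTHREADS; i++) pthread_join(th[i], NULL);
    return lockList == NULL;
}

int main(void) {
    printf("unguarded replay leaves dangling head: %d\n", replay_unguarded_race());
    printf("guarded stress ends with empty list:   %d\n", stress_guarded());
    return 0;
}
```

The replay is the interleaving that matters for this report: A has already published `lockList = &b` when B completes its own unlink and free, so the head ends up pointing at freed memory and the next list walk in the find path reads it, which is the memcmp crash in findLockInfo shown in Comment 1. The guarded version keeps the refcount decrement and both pointer updates inside one critical section, so no other thread can observe the half-unlinked state.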

Comment 7 by michaeln@google.com, Jan 25 2011

> I was told that the code inside WebKit will always run single-threaded

Whoa... that's definitely not the case?

> This bug probably indicates that was wrong. Fixing it may be non-trivial,
> so feel free to revert the webkit change, and any of the chromium changes
> from   issue 22208   that would otherwise break compilation (and re-open that
> issue so I can fix it later in a better way)

Reverting two-sided patches can be non-trivial in and of itself, especially since there have been months worth of changes since these changes landed.

@pawel, can i assign this to you to take care of, to either fix it or back it out?

Comment 8 by jorlow@chromium.org, Jan 25 2011

@pawel: Ironically most of the non-single-threaded code in WebKit is for interacting with SQLite.  :-)
My plan is to back out the brokenness, and fix it properly later.

Comment 11 by bugdroid1@chromium.org, Jan 26 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=72673

------------------------------------------------------------------------
r72673 | phajdan.jr@chromium.org | Wed Jan 26 11:58:51 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/sqlite/src/src/os_unix.c?r1=72673&r2=72672&pathrev=72673
 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/sqlite/README.chromium?r1=72673&r2=72672&pathrev=72673

Prepare to revert WebKit patch http://trac.webkit.org/changeset/68310 because of stability issues (race conditions detected by tsan, possibly leading to crashes).

Revert "Update sqlite's README.chromium with a note to keep webkit side" (http://crrev.com/62151).

Revert "Remove our local modifications to sqlite's os_unix.c now that" (http://crrev.com/60761).

BUG= 70589 ,  22208 
TEST=none

Review URL: http://codereview.chromium.org/6330011
------------------------------------------------------------------------

Comment 12 by karen@chromium.org, Jan 26 2011

Labels: Mstone-X

Comment 13 by kcc@chromium.org, Jan 27 2011

I've just got the following report. It might be caused by the same reason. If not, we will have to track it separately. 

==27030== WARNING: Possible data race during read of size 8 at 0x109127F0: {{{                                                                                                                      
==27030==    T10 (L{L656}):                                                                                                                                                                         
==27030==     #0  0x21D1EF0: releaseOpenInfo(ChromiumOpenInfo*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:181                                       
==27030==     #1  0x21D27C4: chromiumClose(sqlite3_file*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:655                                             
==27030==     #2  0x12C4196: sqlite3OsClose third_party/sqlite/src/src/os.c:58                                                                                                                      
==27030==     #3  0x12C9753: sqlite3PagerClose third_party/sqlite/src/src/pager.c:2655                                                                                                              
==27030==     #4  0x1311C94: sqlite3BtreeClose third_party/sqlite/src/src/btree.c:1982                                                                                                              
==27030==     #5  0x12C1E60: sqlite3_close third_party/sqlite/src/src/main.c:634                                                                                                                    
==27030==     #6  0x21D0BF1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                 
==27030==     #7  0x1D88604: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                          
==27030==     #8  0x1D9156E: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                  
==27030==     #9  0x1D968BB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                             
==27030==     #10 0x2191332: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:67                                                                             
==27030==     #11 0x406D126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                       
==27030==   Concurrent write(s) happened at (OR AFTER) these points:                                                                                                                                
==27030==    T11 (L{L681}):                                                                                                                                                                         
==27030==     #0  0x21D1F0A: releaseOpenInfo(ChromiumOpenInfo*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:190                                       
==27030==     #1  0x21D27C4: chromiumClose(sqlite3_file*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:655                                             
==27030==     #2  0x12C4196: sqlite3OsClose third_party/sqlite/src/src/os.c:58                                                                                                                      
==27030==     #3  0x12C9753: sqlite3PagerClose third_party/sqlite/src/src/pager.c:2655                                                                                                              
==27030==     #4  0x1311C94: sqlite3BtreeClose third_party/sqlite/src/src/btree.c:1982                                                                                                              
==27030==     #5  0x12C1E60: sqlite3_close third_party/sqlite/src/src/main.c:634                                                                                                                    
==27030==     #6  0x21D0BF1: WebCore::SQLiteDatabase::close() third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:102                                                                 
==27030==     #7  0x1D88604: WebCore::AbstractDatabase::closeDatabase() third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:219                                                          
==27030==     #8  0x1D9156E: WebCore::Database::close() third_party/WebKit/Source/WebCore/storage/Database.cpp:224                                                                                  
==27030==     #9  0x1D968BB: WebCore::DatabaseThread::databaseThread() third_party/WebKit/Source/WebCore/storage/DatabaseThread.cpp:124                                                             
==27030==     #10 0x2191332: WTF::threadEntryPoint(void*) third_party/WebKit/Source/JavaScriptCore/wtf/Threading.cpp:67                                                                             
==27030==     #11 0x406D126: ThreadSanitizerStartThread /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:650                                                                                       
==27030==   Location 0x109127F0 is 48 bytes inside a block starting at 0x109127C0 of size 56 allocated by T10 from heap:                                                                            
==27030==     #0  0x4074981: malloc /home/kcc/drt/trunk/tsan/ts_valgrind_intercepts.c:410                                                                                                           
==27030==     #1  0x12C3E05: sqlite3MemMalloc third_party/sqlite/src/src/mem1.c:43                                                                                                                  
==27030==     #2  0x12C3018: mallocWithAlarm third_party/sqlite/src/src/malloc.c:251                                                                                                                
==27030==     #3  0x12C34D2: sqlite3Malloc third_party/sqlite/src/src/malloc.c:279                                                                                                                  
==27030==     #4  0x21D2CE3: findLockInfo(ChromiumFile*, ChromiumLockInfo**, ChromiumOpenInfo**) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:271      
==27030==     #5  0x21D2DBF: fillInChromiumFile(sqlite3_vfs*, int, int, sqlite3_file*, char const*, int) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:
==27030==     #6  0x21D2EEC: chromiumOpen(sqlite3_vfs*, char const*, sqlite3_file*, int, int*) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromiumPosix.cpp:1021       
==27030==     #7  0x12C9E8D: sqlite3PagerOpen third_party/sqlite/src/src/pager.c:3236                                                                                                               
==27030==     #8  0x1311DD8: sqlite3BtreeOpen third_party/sqlite/src/src/btree.c:1769                                                                                                               
==27030==     #9  0x12C1789: sqlite3BtreeFactory third_party/sqlite/src/src/main.c:1246                                                                                                             
==27030==     #10 0x12C2BAF: openDatabase third_party/sqlite/src/src/main.c:1643                                                                                                                    
==27030==     #11 0x21D1A33: WebCore::SQLiteFileSystem::openDatabase(WTF::String const&, sqlite3**, bool) third_party/WebKit/Source/WebCore/platform/sql/chromium/SQLiteFileSystemChromium.cpp:54   
==27030==     #12 0x21D0C3C: WebCore::SQLiteDatabase::open(WTF::String const&, bool) third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp:69                                           
==27030==     #13 0x1D88748: WebCore::AbstractDatabase::performOpenAndVerify(bool, int&) third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp:245                                         
==27030==     #14 0x1D91250: WebCore::Database::performOpenAndVerify(bool, int&) third_party/WebKit/Source/WebCore/storage/Database.cpp:247                          



Status: Started
Tony Chang reverted my WebKit patch in http://trac.webkit.org/changeset/76713 . I think we rolled webkit in chromium past 76713. Could you check with the latest trunk?

Comment 15 by kcc@chromium.org, Jan 27 2011

yes, with chromium r72792 / WebKit r76718 this code is gone, so there is no race on it any more. 

Status: Fixed
Labels: SecSeverity-Critical Security Restrict-View-SecurityTeam
Status: WillMerge
This is a critical security issue; the fixes need to be merged to m9 and m10. Just to clarify, this affects only Linux?
I think it affects both Linux and Mac.
Labels: OS-Mac OS-Linux
On the bright side, that means a lot fewer users were exposed than if it had been in Windows.
Labels: -Mstone-X -SecSeverity-Critical Mstone-9 SecSeverity-High
@jschuh -- are you sure this is critical? I think this might be part of HTML5 WebDatabase, which actually runs the SQLite code in the renderer (thank goodness!)
Moving to High, but feel free to put it back to Critical with a justification if I've missed some earlier conversation.
@phajdan.jr - can you please confirm if the patch to be merged to m9, m10 is just WebKit revision r76713? Also, how risky is this merge since it is a rollout?
Had a chat with @phajdan.jr; this needs both Chromium r72673 and WebKit r76713. I think a better timeframe for this is the next m9 patch (m9p3). Will merge it at that time.
Labels: -Mstone-9 Mstone-10
Labels: -Mstone-10 -Restrict-View-SecurityTeam Mstone-11 Restrict-View-SecurityNotify
Status: FixUnreleased
Labels: -ThreadSanitizer bulkmove Type-Regression


Looks like a potential crasher. 

We have at least four crash reports where this stack is present in a non-crashing thread:
http://crash/reportdetail?reportid=221d46cde49c3d47
http://crash/reportdetail?reportid=8bdfad1fc933ee1c
http://crash/reportdetail?reportid=a3da7bf7bdb189dd
http://crash/reportdetail?reportid=0360fdc7f622a86b


I'll be investigating further.
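The report above shows both threads inside releaseLockInfo() while each holds a different sqlite3 connection mutex (L799 and L862), so neither lock orders their writes to the list they share. As an added illustration, not code from Chromium, WebKit or SQLite, the following C program reconstructs that shape (names such as LockInfo, open_handle, close_handle and run_contention are constructed) beside the fix of giving the shared list its own mutex:

```c
/* Constructed illustration (not Chromium's or SQLite's code) of the locking
 * shape behind the report: a process-wide list of lock records shared by every
 * open handle, while each caller holds only its own connection mutex. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct LockInfo {
    int inode;              /* stands in for the (dev, inode) key of one file */
    int refs;               /* open handles currently pointing at this record */
    struct LockInfo *next;
} LockInfo;

static LockInfo *g_list = NULL;                     /* shared by all handles */
static pthread_mutex_t g_list_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Analogue of findLockInfo(): reuse the record for this file or add one.
 * Does no locking itself; the caller decides what is held. */
static LockInfo *lookup_unlocked(int inode) {
    for (LockInfo *p = g_list; p; p = p->next)
        if (p->inode == inode) { p->refs++; return p; }
    LockInfo *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->inode = inode; n->refs = 1; n->next = g_list; g_list = n;
    return n;
}

/* Analogue of releaseLockInfo(): drop one reference, unlink and free at zero. */
static void release_unlocked(LockInfo *li) {
    if (--li->refs > 0) return;
    for (LockInfo **pp = &g_list; *pp; pp = &(*pp)->next)
        if (*pp == li) { *pp = li->next; free(li); return; }
}

typedef struct Connection {
    pthread_mutex_t mutex;  /* per-connection mutex, like L799 / L862 above */
    LockInfo *info;
} Connection;

/* list_locked == 0 is the report's shape: only the caller's own connection
 * mutex is held, which serialises nothing against another connection walking
 * the same list. list_locked == 1 is the fix: the shared list has its own
 * mutex around every lookup and unlink, always taken after the connection
 * mutex, so the fix cannot deadlock. */
static void open_handle(Connection *c, int inode, int list_locked) {
    pthread_mutex_lock(&c->mutex);
    if (list_locked) pthread_mutex_lock(&g_list_mutex);
    c->info = lookup_unlocked(inode);
    if (list_locked) pthread_mutex_unlock(&g_list_mutex);
    pthread_mutex_unlock(&c->mutex);
}
static void close_handle(Connection *c, int list_locked) {
    pthread_mutex_lock(&c->mutex);
    if (list_locked) pthread_mutex_lock(&g_list_mutex);
    release_unlocked(c->info);      /* the concurrent write TSan flagged */
    c->info = NULL;
    if (list_locked) pthread_mutex_unlock(&g_list_mutex);
    pthread_mutex_unlock(&c->mutex);
}

/* One connection per thread, both cycling through the same four files. */
#define ROUNDS 20000
static int g_list_locked = 1;
static void *worker(void *arg) {
    Connection *c = arg;
    for (int i = 0; i < ROUNDS; i++) {
        open_handle(c, i % 4, g_list_locked);
        close_handle(c, g_list_locked);
    }
    return NULL;
}

int list_length(void) {
    int n = 0;
    for (LockInfo *p = g_list; p; p = p->next) n++;
    return n;
}

/* Runs two connections concurrently; returns records left on the list,
 * which is 0 when every reference was released under the right lock. */
int run_contention(int list_locked) {
    Connection a = { PTHREAD_MUTEX_INITIALIZER, NULL }, b = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pthread_t ta, tb;
    g_list_locked = list_locked;
    pthread_create(&ta, NULL, worker, &a);
    pthread_create(&tb, NULL, worker, &b);
    pthread_join(ta, NULL); pthread_join(tb, NULL);
    return list_length();
}

/* Single-threaded check: two handles to one file share one record (refs 2). */
int shared_record_refs(void) {
    Connection a = { PTHREAD_MUTEX_INITIALIZER, NULL }, b = { PTHREAD_MUTEX_INITIALIZER, NULL };
    open_handle(&a, 7, 1);
    open_handle(&b, 7, 1);
    int refs = (a.info == b.info) ? a.info->refs : -1;
    close_handle(&a, 1);
    close_handle(&b, 1);
    return refs;
}

int main(int argc, char **argv) {
    int locked = argc < 2;  /* any argument: racy variant; build with -fsanitize=thread */
    printf("%s: %d records left\n", locked ? "locked" : "racy", run_contention(locked));
    return 0;
}
```

Run with any argument under a ThreadSanitizer build and the unlocked variant produces a report of the same shape as the one above, two threads writing in the release path under different connection mutexes.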
Labels: -Crash Stability-Crash
Labels: Type-Security
Labels: -SecSeverity-High SecSeverity-Medium CVE-2011-1305
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member

Comment 33 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 34 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -Mstone-11 -SecSeverity-Medium -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-Medium Type-Bug-Security M-11
Project Member

Comment 35 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member

Comment 36 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 37 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member

Comment 38 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 39 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 40 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Comment 42 by awhalley@chromium.org, Today (27 minutes ago)

Labels: CVE_description-submitted