Issue 710789 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 710753
Owner:	capn@chromium.org
Closed:	Apr 2017
Cc:	sugoi@chromium.org capn@chromium.org █ msrchandra@chromium.org
Components:	Internals>GPU>SwiftShader
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	3
Type:	Bug
Reproducible Stability-ThreadSanitizer Clusterfuzz M-59 Test-Predator-Correct-CLs

Data race in sw::Surface::Buffer::lockRect

Project Member Reported by ClusterFuzz, Apr 12 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5361075651608576

Fuzzer: ochang_domfuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 4
Crash Address: 0x7b4000002374
Crash State:
  sw::Surface::Buffer::lockRect
  sw::Surface::lockInternal
  sw::Blitter::blitReactor
  
Sanitizer: thread (TSAN)

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95_CLtmpKPd8Cz5WH3a7aBfjsIZ5iwRoZpYbJWZhQQdyC_AuXhvoUpTaNPCapey1PpB-9mi-Xugt7ilukHZAaWqwc3yHjSLpEd2l7hKmMJtCkLYsDc03HCwPLbRXvpg0W7VdSjihJUXcUyMUPaKpEsso0QgTRcqZdNLmA4uK4C7lJgV-8KNouO1SySUeeT6ncZYqgC6nrXb29DPtO4zk0dg-yD44UNOxRyCTuP1pO-RKLv-XGK1k9e4fN6MXrQ-IQtgXFKS0KyiHlKBuw-8R8EIAIUlhIERjlZh40QSXGqHRarhGAwix4e7eR4Y94Ijj-3axfYoMkBblN_zZR0vboj6g0NGMKOjGbHHpcfuk5SusXYaHsw?testcase_id=5361075651608576


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Apr 12 2017

Cc: msrchandra@chromium.org capn@chromium.org
Components: Internals>GPU>SwiftShader
Labels: Test-Predator-Correct-CLs M-59
Owner: sugoi@chromium.org
Status: Assigned (was: Untriaged)

Assigning to the concern owner from Predator results --
Regression information is not available. The result is the blame information. 

Author: John Bauman
Project: chromium-swiftshader
Changelist: https://swiftshader.googlesource.com/SwiftShader.git/+/894018228b0e0bdbd7aa7e8f47d4a9458789ca82
Time: Tue May 06 15:04:28 2014 -0400
The CL last changed line 1072 of file Surface.cpp, which is stack frame 0. 

Author: John Bauman
Project: chromium-swiftshader
Changelist: https://swiftshader.googlesource.com/SwiftShader.git/+/19bac1e08be200c31efd26f0f5fd144c9b3eefd3
Time: Tue May 06 15:23:49 2014 -0400
The CL last changed line 1420 of file Surface.cpp, which is stack frame 1. 

Author: Nicolas Capens
Project: chromium-swiftshader
Changelist: https://swiftshader.googlesource.com/SwiftShader.git/+/0bac285a78df6a6d7a6b68784748b92805420ffb
Time: Sat May 07 06:09:58 2016 -0400
The CL last changed line 485 of file Surface.hpp, which is stack frame 2. 

Author: Alexis Hetu
Project: chromium-swiftshader
Changelist: https://swiftshader.googlesource.com/SwiftShader.git/+/75b650f0e501750ae0ba66a435741731905dffc1
Time: Thu Nov 19 17:40:15 2015 -0500
The CL last changed line 152 of file Blitter.cpp, which is stack frame 3. 

Author: Alexis Hetu
Project: chromium-swiftshader
Changelist: https://swiftshader.googlesource.com/SwiftShader.git/+/75b650f0e501750ae0ba66a435741731905dffc1
Time: Thu Nov 19 17:40:15 2015 -0500
The CL last changed line 142 of file Blitter.cpp, which is stack frame 4. 

Author: Alexis Hetu
Project: chromium-swiftshader
Changelist: https://swiftshader.googlesource.com/SwiftShader.git/+/b9dda64e0e31dc5ac3eb7a19948062385a097cdb
Time: Thu Oct 06 11:25:32 2016 -0400
The CL last changed line 212 of file Renderer.cpp, which is stack frame 5. 

Author: Nicolas Capens
Project: chromium-swiftshader
Changelist: https://swiftshader.googlesource.com/SwiftShader.git/+/0bac285a78df6a6d7a6b68784748b92805420ffb
Time: Sat May 07 06:09:58 2016 -0400
The CL last changed line 3241 of file Context.cpp, which is stack frame 6.

Suspecting Commit#
https://swiftshader.googlesource.com/SwiftShader.git/+/75b650f0e501750ae0ba66a435741731905dffc1

@sugoi -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by capn@chromium.org, Apr 12 2017

Cc: sugoi@chromium.org
Labels: -Pri-2 Pri-3
Owner: capn@chromium.org

This appears to be another manifestation of  Issue 710753  and  Issue 710822 .

Comment 3 by capn@chromium.org, Apr 13 2017

Mergedinto: 710753
Status: Duplicate (was: Assigned)

Race happens in BackoffLock::isLocked(), same as  Issue 710753  but called from a different location / different lock object.

Project Member

Comment 4 by ClusterFuzz, Apr 15 2017

ClusterFuzz has detected this issue as fixed in range 464734:464738.

Detailed report: https://clusterfuzz.com/testcase?key=5361075651608576

Fuzzer: ochang_domfuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 4
Crash Address: 0x7b4000002374
Crash State:
  sw::Surface::Buffer::lockRect
  sw::Surface::lockInternal
  sw::Blitter::blitReactor
  
Sanitizer: thread (TSAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=464734:464738

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95_CLtmpKPd8Cz5WH3a7aBfjsIZ5iwRoZpYbJWZhQQdyC_AuXhvoUpTaNPCapey1PpB-9mi-Xugt7ilukHZAaWqwc3yHjSLpEd2l7hKmMJtCkLYsDc03HCwPLbRXvpg0W7VdSjihJUXcUyMUPaKpEsso0QgTRcqZdNLmA4uK4C7lJgV-8KNouO1SySUeeT6ncZYqgC6nrXb29DPtO4zk0dg-yD44UNOxRyCTuP1pO-RKLv-XGK1k9e4fN6MXrQ-IQtgXFKS0KyiHlKBuw-8R8EIAIUlhIERjlZh40QSXGqHRarhGAwix4e7eR4Y94Ijj-3axfYoMkBblN_zZR0vboj6g0NGMKOjGbHHpcfuk5SusXYaHsw?testcase_id=5361075651608576


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

►

Issue 710789 link

Issue metadata

Data race in sw::Surface::Buffer::lockRect

Issue description

Comment 1 by msrchandra@chromium.org, Apr 12 2017

Comment 1 Deleted

Comment 2 by capn@chromium.org, Apr 12 2017

Comment 2 Deleted

Comment 3 by capn@chromium.org, Apr 13 2017

Comment 3 Deleted

Comment 4 by ClusterFuzz, Apr 15 2017

Comment 4 Deleted

Sign in to add a comment