Issue metadata
Sign in to add a comment
|
Crash in blink::InProcessWorkerObjectProxy::ProcessMessageFromWorkerObject |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5306069904785408 Fuzzer: inferno_layout_test_unmodified Job Type: mac_asan_chrome Platform Id: mac Crash Type: UNKNOWN READ Crash Address: 0x000000000040 Crash State: blink::InProcessWorkerObjectProxy::ProcessMessageFromWorkerObject void base::internal::FunctorTraits<void base::internal::Invoker<base::internal::BindState<void Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=465819:465843 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97umnQ7zftKtD_kCwnwXRdgYCtEJnH4zX_yuLxn6QtJ4jAt5LtXFwAI3p0RKIfIaDXcNZeH-w24n8-A_fODj4N2UQWajetzObNtO1ruUtWWTB13DWU1HC7NSRW231L-zIZ4yYaJGhN41sXrDXP3Sw4BmrgkNU51O2aIUVjechjW-nKiz3fgyDZSU5fni7kCa6u6sVmajBq-leVBtuuin3Zc4gTKCIS-It41rGxz48vRziWXl2kVS9g3MhrEvwf9AIHmI_BTBxTR1jKU-SUnKxzcDoz5Wo6mtLmSi79EAS4SQ09DkBIfdmboq9ZUDL_3uqa97-YwHqalrod1NTEWp_AemEWU-cQ3aDRg8ZM7t-Bx2tLTbak?testcase_id=5306069904785408 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 27 2017
,
Apr 27 2017
Issue 714634 has been merged into this issue.
,
Apr 27 2017
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
Apr 27 2017
Adding CHECKs for further debugging: https://codereview.chromium.org/2846773002/
,
Apr 28 2017
tzik@ found a possible cause in the underlying scheduler. He is now more deeply investigating how it happens. (Thank you, tzik-san!)
,
Apr 28 2017
Looked into it. The WorkerGlobalScopeScheduler instance was Dispose()d in this call path: TaskQueueManager::ProcessTaskFromWorkQueue WorkerThread::WillProcessTask() WorkerThread::PrepareForShutdownOnWorkerThread() WorkerGlobalScopeScheduler::Dispose() And the crashing task ran immediately after that in the same ProcessTaskFromWorkQueue. Though the scheduler disposal cancels all following task, that seems not to cancel the about-to-run task.
,
Apr 28 2017
Ah... interesting. Before GlobalScopeScheduler was landed, this path was working fine because PrepareForShutdownOnWorkerThread() didn't clear the task to be run but just annotated it with "DO NOT RUN". After that, this path actually clears the task and it results in the crash. I think we could move PrepareForShutdownOnWorkerThread() call from WillProcessTask() to DidProcessTask(). I'll make a patch and test it.
,
Apr 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/611639da9364de0f00eb0136523482a9b7b394b7 commit 611639da9364de0f00eb0136523482a9b7b394b7 Author: nhiroki <nhiroki@chromium.org> Date: Fri Apr 28 15:19:59 2017 Worker: Stop disposing of the global scope scheduler in WorkerThread::WillProcessTask() When forcible termination is requested, WorkerThread::WillProcessTask() calls PrepareForShutdownOnWorkerThread() that disposes of the global scope scheduler, which in turn disposes of the task to be run. This results in crashes. This CL moves PrepareForShutdownOnWorkerThread() call from WillProcessTask() to DidProcessTask() to fix the crashes. This could still cause a crash if the termination request is issued between DidProcessTask() and WillProcessTask() because in the case a task runs and may access an empty handle returned by V8 API. However, such a case would be rare because generally forcible termination is scheduled as a delayed task(*) and DidProcessTask() can have a chance to check IsForciblyTerminated() before it's fired. (*) Forcible termination could synchronously be called in some path, but it'll be removed (see issue 641846 ). BUG= 713914 Review-Url: https://codereview.chromium.org/2849583004 Cr-Commit-Position: refs/heads/master@{#468001} [modify] https://crrev.com/611639da9364de0f00eb0136523482a9b7b394b7/third_party/WebKit/Source/core/workers/WorkerThread.cpp
,
Apr 29 2017
To check if the patch is working, I started a "Fixed" task on the fuzzer dashboard.
,
Apr 29 2017
ClusterFuzz has detected this issue as fixed in range 467999:468017. Detailed report: https://clusterfuzz.com/testcase?key=5306069904785408 Fuzzer: inferno_layout_test_unmodified Job Type: mac_asan_chrome Platform Id: mac Crash Type: UNKNOWN READ Crash Address: 0x000000000040 Crash State: blink::InProcessWorkerObjectProxy::ProcessMessageFromWorkerObject void base::internal::FunctorTraits<void base::internal::Invoker<base::internal::BindState<void Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=465819:465843 Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=467999:468017 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5306069904785408 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 29 2017
ClusterFuzz testcase 5306069904785408 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mummare...@chromium.org
, Apr 20 2017Labels: M-60 Test-Predator-Correct-CLs
Owner: nhiroki@chromium.org
Status: Assigned (was: Untriaged)