
Issue 714217


Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Data race in read_frame_internal

Reported by ClusterFuzz (Project Member), Apr 21 2017

Issue description

Cc: tguilbert@chromium.org
Components: Internals>Media>FFmpeg
Labels: M-60 Test-Predator-Wrong
tguilbert@, could you please take a look?
Thank you.
Comment 2 by ClusterFuzz (Project Member), Apr 22 2017

ClusterFuzz has detected this issue as fixed in range 466472:466488.

Detailed report: https://clusterfuzz.com/testcase?key=5427164494430208

Fuzzer: ochang_domfuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 4
Crash Address: 0x7b5c0002fed4
Crash State:
  read_frame_internal
  av_read_frame
  base::internal::Invoker<base::internal::BindState<int
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=466318:466320
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=466472:466488

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5427164494430208


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 3 by ClusterFuzz (Project Member), Apr 22 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase 5427164494430208 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Owner: servolk@chromium.org
Status: Assigned (was: Verified)
I don't think this is actually fixed => servolk@, it seems like we're calling SetEnabled on the wrong thread, it must be trampolined to the blocking thread.
Status: Started (was: Assigned)
IIRC the problem is that we are setting AVStream.discard property on media thread (see https://cs.chromium.org/chromium/src/media/filters/ffmpeg_demuxer.cc?rcl=7ddccb994a410a624be528ca2143c869afb67683&l=743). It probably doesn't make sense to call all of SetEnabled on the FFmpeg thread, we'd just get the opposite problem of accessing FFmpegDemuxerStream properties from non-media thread. Instead we can probably just post the setting of AVStream.discard to the blocking_task_runner_. The discard property is purely an optimization thing, so it should be ok if it's updated slightly after the SetEnabled has been toggled. I'll make a CL.
Labels: -ClusterFuzz-Verified ClusterFuzz-Wrong
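The fix servolk@ describes above (keep FFmpegDemuxerStream state on the media thread, but post the AVStream.discard write to blocking_task_runner_ so it happens on the same thread that runs av_read_frame), as an added example that is not Chromium's or FFmpeg's code. TaskRunner, AVStreamStub, DemuxerStream, ScenarioResult and RunScenario are assumed names standing in for base::SequencedTaskRunner, AVStream and FFmpegDemuxerStream; the assert() calls on thread affinity play the role of Chromium's thread checkers, and the kDiscard* values mirror FFmpeg's AVDISCARD_DEFAULT and AVDISCARD_ALL.

```cpp
// Added example, not Chromium or FFmpeg code. Models the fix from the comment
// above: AVStream.discard is only ever written on the blocking (FFmpeg) thread.
#include <cassert>
#include <condition_variable>
#include <deque>
#include <functional>
#include <mutex>
#include <thread>

// Minimal stand-in for base::SequencedTaskRunner: one worker thread that runs
// posted tasks in FIFO order. Assumed helper, not Chromium's class.
class TaskRunner {
 public:
  TaskRunner() : worker_([this] { Loop(); }) {}
  ~TaskRunner() { { std::lock_guard<std::mutex> l(m_); stop_ = true; } cv_.notify_all(); worker_.join(); }
  void PostTask(std::function<void()> task) {
    { std::lock_guard<std::mutex> l(m_); queue_.push_back(std::move(task)); }
    cv_.notify_one();
  }
  bool BelongsToCurrentThread() const { return std::this_thread::get_id() == worker_.get_id(); }
  // Blocks the caller until every task posted so far has run (never call from the worker itself).
  void Flush() {
    std::mutex fm; std::condition_variable fcv; bool done = false;
    PostTask([&] { { std::lock_guard<std::mutex> l(fm); done = true; } fcv.notify_one(); });
    std::unique_lock<std::mutex> l(fm);
    fcv.wait(l, [&] { return done; });
  }
 private:
  void Loop() {
    for (;;) {
      std::unique_lock<std::mutex> l(m_);
      cv_.wait(l, [&] { return stop_ || !queue_.empty(); });
      if (queue_.empty()) return;  // only reached once stop_ is set and the queue is drained
      std::function<void()> task = std::move(queue_.front());
      queue_.pop_front();
      l.unlock();
      task();
    }
  }
  std::mutex m_;
  std::condition_variable cv_;
  std::deque<std::function<void()>> queue_;
  bool stop_ = false;
  std::thread worker_;  // declared last so the other members exist when Loop() starts
};

// Values mirror FFmpeg's AVDISCARD_DEFAULT / AVDISCARD_ALL.
enum { kDiscardDefault = 0, kDiscardAll = 48 };
struct AVStreamStub { int discard = kDiscardDefault; };  // stand-in for AVStream

// Stand-in for FFmpegDemuxerStream. |enabled_| is media-thread state;
// |av_stream_.discard| is consulted by av_read_frame on the blocking thread.
class DemuxerStream {
 public:
  DemuxerStream(TaskRunner* media, TaskRunner* blocking) : media_(media), blocking_(blocking) {}

  // Media thread only. Before the fix this wrote av_stream_.discard directly,
  // racing with ReadFrame(); now the write is posted to the blocking runner and
  // lands between two av_read_frame calls (the flag is an optimization, so a
  // slightly delayed update is acceptable).
  void SetEnabled(bool enabled) {
    assert(media_->BelongsToCurrentThread());
    enabled_ = enabled;
    blocking_->PostTask([this, enabled] {
      assert(blocking_->BelongsToCurrentThread());
      av_stream_.discard = enabled ? kDiscardDefault : kDiscardAll;
    });
  }
  bool enabled() const { assert(media_->BelongsToCurrentThread()); return enabled_; }

  // Blocking thread only: models av_read_frame honouring |discard|.
  // Returns true if a frame would be delivered, false if it is skipped.
  bool ReadFrame() {
    assert(blocking_->BelongsToCurrentThread());
    return av_stream_.discard != kDiscardAll;
  }

 private:
  TaskRunner* media_;
  TaskRunner* blocking_;
  bool enabled_ = true;
  AVStreamStub av_stream_;
};

struct ScenarioResult { bool before, after_disable, after_reenable; };

// Drives the stream from the correct threads: SetEnabled on the media runner,
// ReadFrame on the blocking runner, flushing so each step is observable.
ScenarioResult RunScenario() {
  TaskRunner media, blocking;
  DemuxerStream stream(&media, &blocking);
  ScenarioResult r{};
  auto read = [&](bool* out) {
    blocking.PostTask([&, out] { *out = stream.ReadFrame(); });
    blocking.Flush();
  };
  auto set_enabled = [&](bool on) {
    media.PostTask([&, on] { stream.SetEnabled(on); });
    media.Flush();     // SetEnabled has run and posted the discard write
    blocking.Flush();  // the discard write has landed on the blocking thread
  };
  read(&r.before);          // true: stream starts enabled
  set_enabled(false);
  read(&r.after_disable);   // false: frames skipped once discard == kDiscardAll
  set_enabled(true);
  read(&r.after_reenable);  // true again
  return r;
}
```

The two Flush() calls in set_enabled are what make the ordering deterministic for the test; in the real demuxer nothing waits, which is exactly why the discard flag can lag the enabled state for one read, as the comment above accepts. Built under TSAN, the pre-fix variant (assigning av_stream_.discard inside SetEnabled on the media thread) would be flagged as the same "Data race READ 4" pattern reported by ClusterFuzz, because ReadFrame() reads the field on the worker thread without any synchronization.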
Comment 7 by bugdroid1@chromium.org (Project Member), Apr 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/12b000b53d9f17fe443e7ff10a57f00f9ff17045

commit 12b000b53d9f17fe443e7ff10a57f00f9ff17045
Author: servolk <servolk@chromium.org>
Date: Mon Apr 24 23:00:46 2017

Set FFmpeg AVStream discard on FFmpeg task runner thread

BUG= 714217 

Review-Url: https://codereview.chromium.org/2836173002
Cr-Commit-Position: refs/heads/master@{#466809}

[modify] https://crrev.com/12b000b53d9f17fe443e7ff10a57f00f9ff17045/media/filters/ffmpeg_demuxer.cc
[modify] https://crrev.com/12b000b53d9f17fe443e7ff10a57f00f9ff17045/media/filters/ffmpeg_demuxer.h

Status: Fixed (was: Started)
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
