
Issue 727050 link


Issue metadata

Status: Verified
Closed: Jun 2017
OS: Linux
Pri: 2
Type: Bug




Data race in I422ToARGBRow_Any_SSSE3

Project Member Reported by ClusterFuzz, May 27 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5847094358441984

Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 1
Crash Address: 0x7fd095415208
Crash State:
  I422ToARGBRow_Any_SSSE3
  libyuv::I420ToARGBMatrix
  I420ToARGB
  
Sanitizer: thread (TSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5847094358441984


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Infra>Git
Labels: M-60 Test-Predator-Correct-CLs
Owner: fbarchard@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
Regression information is not available. The result is the blame information. 

Author: Frank Barchard
Project: chromium-libyuv
Changelist: https://chromium.googlesource.com/libyuv/libyuv.git/+/f96890a0bea37d8d68e7534fd9a714f62e7d65e0
Time: Tue Sep 22 17:26:03 2015
The CL last changed line 138 of file row_any.cc, which is stack frame 1. 

Author: Frank Barchard
Project: chromium-libyuv
Changelist: https://chromium.googlesource.com/libyuv/libyuv.git/+/5d97b9336922eaee34c342a00c8e370933938703
Time: Fri Oct 30 18:56:57 2015
The CL last changed line 119 of file convert_argb.cc, which is stack frame 2. 

Author: Frank Barchard
Project: chromium-libyuv
Changelist: https://chromium.googlesource.com/libyuv/libyuv.git/+/e62309f2591d8b87acae5f4560ab9eeed8f91471
Time: Tue Nov 08 01:37:23 2016
The CL last changed line 142 of file convert_argb.cc, which is stack frame 3. 

Author: ynovikov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/6c406fd0ca401c34de9a9335bad24fc9435a2037
Time: Sat Dec 03 22:24:41 2016
The CL last changed line 713 of file skcanvas_video_renderer.cc, which is stack frame 4. 

Author: ynovikov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/6c406fd0ca401c34de9a9335bad24fc9435a2037
Time: Sat Dec 03 22:24:41 2016
The CL last changed line 249 of file skcanvas_video_renderer.cc, which is stack frame 5. 

Author: Matt Sarett
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/d531ca038fac8acb3320a78c393c002ca59768fe
Time: Fri Mar 24 16:31:19 2017 -0400
The CL last changed line 33 of file SkImageGenerator.cpp, which is stack frame 6. 

Author: Brian Osman
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/df7e075c74110fcfebdc49ca503684162e118af5
Time: Wed Apr 26 16:20:28 2017 -0400
The CL last changed line 460 of file SkImage_Lazy.cpp, which is stack frame 7.

Suspecting Commit#
https://chromium.googlesource.com/libyuv/libyuv.git/+/f96890a0bea37d8d68e7534fd9a714f62e7d65e0

@fbarchard -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Cc: wtc@chromium.org
A tsan race for cpu_id.cc was fixed, which would affect this function.  Is there an ongoing issue?
It's not clear what the issue could be in libyuv?
The change referred to changed from hard coded constants to a constant matrix passed by pointer.  I should have declared it as const * so I could try that.

Ran tsan on libyuv_unittest and no errors were encountered.
gn gen out/Release "--args=is_debug=false is_tsan=true"
ninja -v -C out/Release

[----------] Global test environment tear-down
[==========] 989 tests from 7 test cases ran. (22016 ms total)
[  PASSED  ] 989 tests.

Any is used for odd widths, which aren't normally tested.  The unittest can be passed parameters:

out/Release/libyuv_unittest --gtest_filter=* --libyuv_width=129 --libyuv_height=73

An unrelated odd width error is detected on I420Blend, but no other errors detected:
[  PASSED  ] 986 tests.
[  FAILED  ] 3 tests, listed below:
[  FAILED  ] LibYUVPlanarTest.I420Blend_Opt
[  FAILED  ] LibYUVPlanarTest.I420Blend_Unaligned
[  FAILED  ] LibYUVPlanarTest.I420Blend_Invert


Project Member

Comment 4 by ClusterFuzz, Jun 7 2017

ClusterFuzz has detected this issue as fixed in range 477329:477356.

Detailed report: https://clusterfuzz.com/testcase?key=5847094358441984

Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 1
Crash Address: 0x7fd095415208
Crash State:
  I422ToARGBRow_Any_SSSE3
  libyuv::I420ToARGBMatrix
  I420ToARGB
  
Sanitizer: thread (TSAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=477329:477356

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5847094358441984


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Jun 7 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5847094358441984 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
