Issue 735992 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Jul 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Data race in blink::Document::BaseURLForOverride

Project Member Reported by ClusterFuzz, Jun 22 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6019796377534464

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 4
Crash Address: 0x7b08000110c8
Crash State:
  blink::Document::BaseURLForOverride
  blink::Document::VirtualCompleteURL
  blink::ExecutionContext::DispatchErrorEventInternal
  
Sanitizer: thread (TSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6019796377534464


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by tkent@chromium.org, Jun 22 2017

Components: Blink>Workers

Comment 2 by falken@chromium.org, Jun 23 2017

WARNING: ThreadSanitizer: data race (pid=31555)
Read of size 4 at 0x7b08000110c8 by main thread:
#0 0x7f974b3e183b in WTF::Equal(WTF::StringImpl const*, WTF::StringImpl const*) third_party/WebKit/Source/platform/wtf/text/StringImpl.h:215:34
#1 0x7f974f17fa00 in blink::Document::BaseURLForOverride(blink::KURL const&) const third_party/WebKit/Source/platform/wtf/text/WTFString.h:474:10
#2 0x7f974f173ca4 in non-virtual thunk to blink::Document::VirtualCompleteURL(WTF::String const&) const third_party/WebKit/Source/core/dom/Document.cpp:5292:26
#3 0x7f974f1c6161 in blink::ExecutionContext::DispatchErrorEventInternal(blink::ErrorEvent*, blink::AccessControlStatus) third_party/WebKit/Source/core/dom/ExecutionContext.cpp:175:10
#4 0x7f974f1c5f9f in blink::ExecutionContext::DispatchErrorEvent(blink::ErrorEvent*, blink::AccessControlStatus) third_party/WebKit/Source/core/dom/ExecutionContext.cpp:121:8
#5 0x7f974eb8ba50 in blink::V8Initializer::MessageHandlerInMainThread(v8::Local<v8::Message>, v8::Local<v8::Value>) third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp:175:12
#6 0x7f9748d4f540 in v8::internal::MessageHandler::ReportMessageNoExceptions(v8::internal::Isolate*, v8::internal::MessageLocation const*, v8::internal::Handle<v8::internal::Object>, v8::Local<v8::Value>) v8/src/messages.cc:161:9
#7 0x7f9748d4f22a in v8::internal::MessageHandler::ReportMessage(v8::internal::Isolate*, v8::internal::MessageLocation const*, v8::internal::Handle<v8::internal::JSMessageObject>) v8/src/messages.cc:124:5
#8 0x7f9748d02098 in v8::internal::Isolate::ReportPendingMessages() v8/src/isolate.cc:1786:5
#9 0x7f9748b55fbd in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling) v8/src/execution.cc:160:16
#10 0x7f9748b55a08 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:181:10

Something about WTF::String not being thread safe and we're passing one, via ErrorEvent::filename(), between the worker thread and the main thread on an error event?


Comment 3 by falken@chromium.org, Jun 23 2017

I could not reproduce this locally using the tool linked in the clusterfuzz report:
"You can reproduce this crash on Linux painlessly with our reproduce tool. For Googlers, install the required libraries and run prodaccess && /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 6019796377534464"

Instead the tool found another crash and stopped there, in base::Histogram.

I suspect somewhere we need to call SourceLocation.clone() and we're not. But it looks like, e.g., WorkerOrWorkletScriptController.cpp is calling it:
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/bindings/core/v8/WorkerOrWorkletScriptController.cpp?q=/Source/bindings/core/v8/WorkerOrWorkletScriptController.cpp&sq=package:chromium&dr&l=319

OK, I just discovered you can see more of the stack trace in clusterfuzz.

Read of size 4 at 0x7b08000110c8 by main thread:
#0 0x7f974b3e183b in WTF::Equal(WTF::StringImpl const*, WTF::StringImpl const*) third_party/WebKit/Source/platform/wtf/text/StringImpl.h:215:34
#1 0x7f974f17fa00 in blink::Document::BaseURLForOverride(blink::KURL const&) const third_party/WebKit/Source/platform/wtf/text/WTFString.h:474:10
#2 0x7f974f173ca4 in non-virtual thunk to blink::Document::VirtualCompleteURL(WTF::String const&) const third_party/WebKit/Source/core/dom/Document.cpp:5292:26
#3 0x7f974f1c6161 in blink::ExecutionContext::DispatchErrorEventInternal(blink::ErrorEvent*, blink::AccessControlStatus) third_party/WebKit/Source/core/dom/ExecutionContext.cpp:175:10
#4 0x7f974f1c5f9f in blink::ExecutionContext::DispatchErrorEvent(blink::ErrorEvent*, blink::AccessControlStatus) third_party/WebKit/Source/core/dom/ExecutionContext.cpp:121:8
#5 0x7f974eb8ba50 in blink::V8Initializer::MessageHandlerInMainThread(v8::Local<v8::Message>, v8::Local<v8::Value>) third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp:175:12
#6 0x7f9748d4f540 in v8::internal::MessageHandler::ReportMessageNoExceptions(v8::internal::Isolate*, v8::internal::MessageLocation const*, v8::internal::Handle<v8::internal::Object>, v8::Local<v8::Value>) v8/src/messages.cc:161:9
#7 0x7f9748d4f22a in v8::internal::MessageHandler::ReportMessage(v8::internal::Isolate*, v8::internal::MessageLocation const*, v8::internal::Handle<v8::internal::JSMessageObject>) v8/src/messages.cc:124:5
#8 0x7f9748d02098 in v8::internal::Isolate::ReportPendingMessages() v8/src/isolate.cc:1786:5
#9 0x7f9748b55fbd in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling) v8/src/execution.cc:160:16
#10 0x7f9748b55a08 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:181:10
#11 0x7f974865a06c in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:5273:7
#12 0x7f974eb93381 in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:679:17
#13 0x7f974ebcdadc in blink::V8EventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8EventListener.cpp:115:8
#14 0x7f974ebcc0ad in blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:146:20
#15 0x7f974ebcbec0 in blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:104:3
#16 0x7f974ebcbd53 in blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:92:3
#17 0x7f974cedaa58 in blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) third_party/WebKit/Source/core/events/EventTarget.cpp:765:15
#18 0x7f974ced9e08 in blink::EventTarget::FireEventListeners(blink::Event*) third_party/WebKit/Source/core/events/EventTarget.cpp:623:29
#19 0x7f974ced9c4e in blink::EventTarget::DispatchEventInternal(blink::Event*) third_party/WebKit/Source/core/events/EventTarget.cpp:528:41
#20 0x7f974ced9be8 in blink::EventTarget::DispatchEvent(blink::Event*) third_party/WebKit/Source/core/events/EventTarget.cpp:521:10
#21 0x7f974f6f260f in blink::InProcessWorkerMessagingProxy::PostMessageToWorkerObject(WTF::PassRefPtr<blink::SerializedScriptValue>, WTF::Vector<std::__1::unique_ptr<blink::WebMessagePortChannel, std::__1::default_delete<blink::WebMessagePortChannel> >, 1ul, WTF::PartitionAllocator>) third_party/WebKit/Source/core/workers/InProcessWorkerMessagingProxy.cpp:129:19

Previous write of size 4 at 0x7b08000110c8 by thread T9:
#0 0x7f974b3d5066 in WTF::StringImpl::UpdateContainsOnlyASCII() const third_party/WebKit/Source/platform/wtf/text/StringImpl.cpp:86:22
#1 0x7f97477b0612 in WTF::StringUTF8Adaptor::StringUTF8Adaptor(WTF::String const&, WTF::UTF8ConversionMode) third_party/WebKit/Source/platform/wtf/text/StringImpl.h:510:5
#2 0x7f974ce2d49c in blink::KURL::Init(blink::KURL const&, WTF::String const&, WTF::TextEncoding const*) third_party/WebKit/Source/platform/weborigin/KURL.cpp:743:21
#3 0x7f974ce2dd36 in blink::KURL::KURL(blink::KURL const&, WTF::String const&) third_party/WebKit/Source/platform/weborigin/KURL.cpp:229:3
#4 0x7f974f156248 in blink::DOMURL::DOMURL(WTF::String const&, blink::KURL const&, blink::ExceptionState&) third_party/WebKit/Source/core/dom/DOMURL.cpp:48:10
#5 0x7f974ee9c16f in blink::V8URL::constructorCallback(v8::FunctionCallbackInfo<v8::Value> const&) third_party/WebKit/Source/core/dom/DOMURL.h:51:16
#6 0x7f974862a035 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:25:3
#7 0x7f97487108cf in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<true>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:112:36
#8 0x7f974870fe8b in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:138:5
#9 0x7f974870fa5f in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:130:1
#10 0x7f96ebd0463d  (<unknown module>)
#11 0x7f9748b55a08 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:181:10
#12 0x7f974865a06c in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:5273:7
#13 0x7f974eb93381 in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:679:17
#14 0x7f975006726a in blink::V8WorkerGlobalScopeEventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8WorkerGlobalScopeEventListener.cpp:83:44


The string read by the main thread came from the worker thread when it created a KURL.
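As an added illustration (not code from the Chromium tree or from this thread), the model below reproduces the shape of the race in the two stacks above: WTF::StringImpl caches a "contains only ASCII" bit lazily in a plain flags word, so the worker thread's KURL construction writes that word while the main thread's WTF::Equal reads it. The names `StringImpl`, `IsolatedCopy` and `PostToMainThread` here are hypothetical stand-ins for the WTF idiom of deep-copying a string before it crosses threads.

```cpp
// Hypothetical model of the race (added example, not Blink code).
#include <atomic>
#include <memory>
#include <string>
#include <thread>

// Stand-in for WTF::StringImpl: immutable characters plus a lazily
// cached flag word. The word is deliberately non-atomic; this is the
// 4-byte location TSan reports as written by T9 and read by main.
struct StringImpl {
  std::string chars;
  unsigned flags = 0;  // bit 0: cache valid, bit 1: only-ASCII

  bool ContainsOnlyASCII() {
    if (!(flags & 1u)) {  // lazy fill = the "previous write" in the report
      bool ascii = true;
      for (unsigned char c : chars) ascii = ascii && (c < 0x80);
      flags = 1u | (ascii ? 2u : 0u);
    }
    return (flags & 2u) != 0;  // the "read" in WTF::Equal
  }
};

// Stand-in for String::IsolatedCopy(): a fresh impl with its own cache word.
std::shared_ptr<StringImpl> IsolatedCopy(const StringImpl& s) {
  return std::make_shared<StringImpl>(StringImpl{s.chars, 0});
}

// Models handing ErrorEvent::filename() to the main thread. With
// isolate=false both threads share one impl (the bug); with isolate=true
// the main thread gets its own copy (what SourceLocation.clone() is for).
std::shared_ptr<StringImpl> PostToMainThread(
    const std::shared_ptr<StringImpl>& worker_string, bool isolate) {
  return isolate ? IsolatedCopy(*worker_string) : worker_string;
}

// Runs the two accesses concurrently on separate impls and reports whether
// both threads agree the text is ASCII-only. Only the isolated variant is
// exercised here, since the shared variant is a genuine data race.
bool CrossThreadAsciiCheck(const std::string& text) {
  auto worker_string = std::make_shared<StringImpl>(StringImpl{text, 0});
  auto main_string = PostToMainThread(worker_string, /*isolate=*/true);
  std::atomic<bool> worker_ascii{false}, main_ascii{false};
  std::thread worker([&] { worker_ascii = worker_string->ContainsOnlyASCII(); });
  std::thread main_thread([&] { main_ascii = main_string->ContainsOnlyASCII(); });
  worker.join();
  main_thread.join();
  return worker_ascii && main_ascii;
}
```

Running the non-isolated variant under ThreadSanitizer shows the same "write of size 4 / read of size 4" pair on the flags word; the ownership check worth adding at the posting boundary is that the impl handed to the other thread is not the one the worker still holds.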




Comment 4 by falken@chromium.org, Jun 23 2017

Owner: nhiroki@chromium.org
Status: Assigned (was: Untriaged)
nhiroki: Would you be able to continue the investigation?
Sure :)
Comment 6 by ClusterFuzz (Project Member), Jul 23 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 6019796377534464 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
