Heap-use-after-free in blink::DeferredTaskHandler::FinishTailProcessing
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6037762021785600
Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7b0400010408
Crash State:
  blink::DeferredTaskHandler::FinishTailProcessing
  blink::OfflineAudioContext::FireCompletionEvent
  blink::OfflineAudioDestinationHandler::NotifyComplete
Sanitizer: thread (TSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=546013:546014
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6037762021785600

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Mar 27 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/4b21f5cb58a5dc36b63a4d396cd1c4e0abbf8c7d (Make LocalCaretRectTest verify more linebreak related cases). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Mar 27 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 27 2018
My CL can't be the culprit. It changes a unit test file only.
Mar 27 2018
Joshua, could your CL be a root cause here? I mean https://chromium-review.googlesource.com/c/chromium/src/+/969798
Mar 27 2018
I don't think it could be mine; likely rtoy@'s "Implement tail processing for AudioNodes" CL tickled something? https://chromium-review.googlesource.com/661165
Mar 28 2018
Yes, I was wondering how long it would take clusterfuzz to find problems with that since it changes the lifetime of many objects. :-)
Mar 30 2018
Ok, I think what's happening is that FinishTailProcessing is running down the vector tail_processing_handlers_ and for each element, calls DisableOutputs(). However, DisableOutputs() can cause new handlers to be appended to tail_processing_handlers_. But if this vector has no more room, it gets reallocated, and FinishTailProcessing doesn't know that it's been reallocated and hence accesses memory that has been freed.
Mar 30 2018
CL https://chromium-review.googlesource.com/c/chromium/src/+/988298 fixes this issue by copying the vector out before processing it in case it gets updated and reallocated. This fixes the use-after-free issue and I believe this is the correct fix from WebAudio's viewpoint.

However, with this CL, the same test case now gives a data race in v8/src/objects/map-inl.h:276:7 in instance_type. +haraken Any ideas on what's happening here?

Backtrace:

SUMMARY: ThreadSanitizer: data race v8/src/objects/map-inl.h:276:7 in instance_type
==================
==================
WARNING: ThreadSanitizer: data race (pid=139465)
Read of size 2 at 0x7ea1f4a23043 by thread T24:
#0 instance_type v8/src/objects/map-inl.h:276:7 (libv8.so+0xb9c178)
#1 v8::internal::Heap::AllowedToBeMigrated(v8::internal::HeapObject*, v8::internal::AllocationSpace) v8/src/heap/heap.cc:6861 (libv8.so+0xb9c178)
#2 v8::internal::Scavenger::SemiSpaceCopyObject(v8::internal::Map*, v8::internal::HeapObjectReference**, v8::internal::HeapObject*, int) v8/src/heap/scavenger-inl.h:74:3 (libv8.so+0xc11cb3)
#3 EvacuateObjectDefault v8/src/heap/scavenger-inl.h:134:9 (libv8.so+0xc114dd)
#4 v8::internal::Scavenger::EvacuateObject(v8::internal::HeapObjectReference**, v8::internal::Map*, v8::internal::HeapObject*) v8/src/heap/scavenger-inl.h:224 (libv8.so+0xc114dd)
#5 v8::internal::Scavenger::ScavengeObject(v8::internal::HeapObjectReference**, v8::internal::HeapObject*) v8/src/heap/scavenger-inl.h:253:3 (libv8.so+0xc1092d)
#6 VisitPointers v8/src/heap/scavenger-inl.h:293:17 (libv8.so+0xc1568b)
#7 IteratePointers<v8::internal::ScavengeVisitor> v8/src/objects-body-descriptors-inl.h:65 (libv8.so+0xc1568b)
#8 IterateBody<v8::internal::ScavengeVisitor> v8/src/objects-body-descriptors.h:103 (libv8.so+0xc1568b)
#9 VisitFixedArray v8/src/heap/objects-visiting-inl.h:91 (libv8.so+0xc1568b)
#10 v8::internal::HeapVisitor<int, v8::internal::ScavengeVisitor>::Visit(v8::internal::Map*, v8::internal::HeapObject*) v8/src/heap/objects-visiting-inl.h:39 (libv8.so+0xc1568b)
#11 Visit v8/src/heap/objects-visiting-inl.h:27:10 (libv8.so+0xc1007b)
#12 v8::internal::Scavenger::Process(v8::internal::OneshotBarrier*) v8/src/heap/scavenger.cc:153 (libv8.so+0xc1007b)
#13 v8::internal::ScavengingTask::RunInParallel() v8/src/heap/heap.cc:1980:21 (libv8.so+0xba41fb)
#14 v8::internal::ItemParallelJob::Task::RunInternal() v8/src/heap/item-parallel-job.cc:44:3 (libv8.so+0xbc68a2)
#15 Run v8/src/cancelable-task.h:148:7 (libv8.so+0x57da53)
#16 non-virtual thunk to v8::internal::CancelableTask::Run() v8/src/cancelable-task.h (libv8.so+0x57da53)
#17 Invoke<std::__1::unique_ptr<v8::Task, std::__1::default_delete<v8::Task> >> base/bind_internal.h:447:12 (libgin.so+0x1f6a9)
#18 MakeItSo<void (v8::Task::*)(), std::__1::unique_ptr<v8::Task, std::__1::default_delete<v8::Task> > > base/bind_internal.h:530 (libgin.so+0x1f6a9)
#19 RunImpl<void (v8::Task::*)(), std::__1::tuple<std::__1::unique_ptr<v8::Task, std::__1::default_delete<v8::Task> > >, 0> base/bind_internal.h:604 (libgin.so+0x1f6a9)
#20 base::internal::Invoker<base::internal::BindState<void (v8::Task::*)(), std::__1::unique_ptr<v8::Task, std::__1::default_delete<v8::Task> > >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:572 (libgin.so+0x1f6a9)
#21 Run base/callback.h:95:12 (libbase.so+0x1098f4)
#22 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:61 (libbase.so+0x1098f4)
#23 base::internal::TaskTracker::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) base/task_scheduler/task_tracker.cc:460:23 (libbase.so+0x211d58)
#24 base::internal::TaskTrackerPosix::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) base/task_scheduler/task_tracker_posix.cc:25:16 (libbase.so+0x213dc7)
#25 base::internal::TaskTracker::RunAndPopNextTask(scoped_refptr<base::internal::Sequence>, base::internal::CanScheduleSequenceObserver*) base/task_scheduler/task_tracker.cc:353:3 (libbase.so+0x210aa1)
#26 base::internal::SchedulerWorker::Thread::ThreadMain() base/task_scheduler/scheduler_worker.cc:85:41 (libbase.so+0x2026c9)
#27 base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13 (libbase.so+0x222e58)

Previous write of size 8 at 0x7ea1f4a23040 by main thread (mutexes: write M2104):
#0 CopyWords<v8::internal::Object *> v8/src/utils.h:1136:14 (libv8.so+0xc12640)
#1 CopyBlock v8/src/heap/heap-inl.h:554 (libv8.so+0xc12640)
#2 v8::internal::Scavenger::MigrateObject(v8::internal::Map*, v8::internal::HeapObject*, v8::internal::HeapObject*, int) v8/src/heap/scavenger-inl.h:50 (libv8.so+0xc12640)
#3 v8::internal::Scavenger::SemiSpaceCopyObject(v8::internal::Map*, v8::internal::HeapObjectReference**, v8::internal::HeapObject*, int) v8/src/heap/scavenger-inl.h:83:31 (libv8.so+0xc11e6e)
#4 EvacuateObjectDefault v8/src/heap/scavenger-inl.h:134:9 (libv8.so+0xc114dd)
#5 v8::internal::Scavenger::EvacuateObject(v8::internal::HeapObjectReference**, v8::internal::Map*, v8::internal::HeapObject*) v8/src/heap/scavenger-inl.h:224 (libv8.so+0xc114dd)
#6 v8::internal::Scavenger::ScavengeObject(v8::internal::HeapObjectReference**, v8::internal::HeapObject*) v8/src/heap/scavenger-inl.h:253:3 (libv8.so+0xc1092d)
#7 VisitPointers v8/src/heap/scavenger-inl.h:293:17 (libv8.so+0xc1557b)
#8 IteratePointers<v8::internal::ScavengeVisitor> v8/src/objects-body-descriptors-inl.h:65 (libv8.so+0xc1557b)
#9 IterateBody<v8::internal::ScavengeVisitor> v8/src/objects-body-descriptors.h:103 (libv8.so+0xc1557b)
#10 VisitPropertyArray v8/src/heap/objects-visiting-inl.h:91 (libv8.so+0xc1557b)
#11 v8::internal::HeapVisitor<int, v8::internal::ScavengeVisitor>::Visit(v8::internal::Map*, v8::internal::HeapObject*) v8/src/heap/objects-visiting-inl.h:39 (libv8.so+0xc1557b)
#12 Visit v8/src/heap/objects-visiting-inl.h:27:10 (libv8.so+0xc1007b)
#13 v8::internal::Scavenger::Process(v8::internal::OneshotBarrier*) v8/src/heap/scavenger.cc:153 (libv8.so+0xc1007b)
#14 v8::internal::ScavengingTask::RunInParallel() v8/src/heap/heap.cc:1980:21 (libv8.so+0xba41fb)
#15 v8::internal::ItemParallelJob::Task::RunInternal() v8/src/heap/item-parallel-job.cc:44:3 (libv8.so+0xbc68a2)
#16 Run v8/src/cancelable-task.h:148:7 (libv8.so+0xbc7315)
#17 v8::internal::ItemParallelJob::Run(std::__1::shared_ptr<v8::internal::Counters>) v8/src/heap/item-parallel-job.cc:117 (libv8.so+0xbc7315)
#18 v8::internal::Heap::Scavenge() v8/src/heap/heap.cc:2096:11 (libv8.so+0xb7e156)
#19 v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) v8/src/heap/heap.cc:1681:11 (libv8.so+0xb782d3)
#20 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) v8/src/heap/heap.cc:1329:11 (libv8.so+0xb76108)
#21 v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace) v8/src/factory.cc:93:3 (libv8.so+0xae50f9)
#22 v8::internal::__RT_impl_Runtime_AllocateInNewSpace(v8::internal::Arguments, v8::internal::Isolate*) v8/src/runtime/runtime-internal.cc:286:31 (libv8.so+0x103630b)
#23 v8::internal::Runtime_AllocateInNewSpace(int, v8::internal::Object**, v8::internal::Isolate*) v8/src/runtime/runtime-internal.cc:279:1 (libv8.so+0x1035ec7)
#24 <null> <null> (0x7eeeb1004212)
#25 v8::internal::(anonymous namespace)::CallInternal(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) v8/src/execution.cc:191:10 (libv8.so+0xacc742)
#26 v8::internal::Execution::TryCall(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Execution::MessageHandling, v8::internal::MaybeHandle<v8::internal::Object>*, v8::internal::Execution::Target) v8/src/execution.cc:241:20 (libv8.so+0xacda42)
#27 v8::internal::Execution::RunMicrotasks(v8::internal::Isolate*, v8::internal::Execution::MessageHandling, v8::internal::MaybeHandle<v8::internal::Object>*) v8/src/execution.cc:272:10 (libv8.so+0xacdd49)
#28 v8::internal::Isolate::RunMicrotasks() v8/src/isolate.cc:3904:40 (libv8.so+0xd17b01)
#29 v8::MicrotasksScope::PerformCheckpoint(v8::Isolate*) v8/src/api.cc:9036:14 (libv8.so+0x409d92)
#30 blink::Microtask::PerformCheckpoint(v8::Isolate*) third_party/WebKit/Source/platform/bindings/Microtask.cpp:44:3 (libblink_platform.so+0x45483e)
#31 blink::(anonymous namespace)::EndOfTaskRunner::DidProcessTask() third_party/WebKit/Source/controller/BlinkInitializer.cpp:63:5 (libblink_controller.so+0xcd99)
#32 blink::scheduler::WebThreadBase::TaskObserverAdapter::DidProcessTask(base::PendingTask const&) third_party/WebKit/Source/platform/scheduler/child/webthread_base.cc:36:16 (libblink_platform.so+0x8da0ff)
#33 blink::scheduler::TaskQueueManagerImpl::NotifyDidProcessTask(blink::scheduler::TaskQueueManagerImpl::ExecutingTask const&, blink::scheduler::LazyNow*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager_impl.cc:455:16 (libblink_platform.so+0x8bba2f)
#34 blink::scheduler::TaskQueueManagerImpl::DidRunTask() third_party/WebKit/Source/platform/scheduler/base/task_queue_manager_impl.cc:320:3 (libblink_platform.so+0x8bb364)
#35 non-virtual thunk to blink::scheduler::TaskQueueManagerImpl::DidRunTask() third_party/WebKit/Source/platform/scheduler/base/task_queue_manager_impl.cc (libblink_platform.so+0x8bc67d)
#36 blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::SequencedTaskSource::WorkType) third_party/WebKit/Source/platform/scheduler/base/thread_controller_impl.cc:167:16 (libblink_platform.so+0x8c3600)
#37 Invoke<const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &, const blink::scheduler::internal::SequencedTaskSource::WorkType &> base/bind_internal.h:447:12 (libblink_platform.so+0x8c5db2)
#38 MakeItSo<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::SequencedTaskSource::WorkType), const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &, const blink::scheduler::internal::SequencedTaskSource::WorkType &> base/bind_internal.h:550 (libblink_platform.so+0x8c5db2)
#39 RunImpl<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::SequencedTaskSource::WorkType), const std::__1::tuple<base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::SequencedTaskSource::WorkType> &, 0, 1> base/bind_internal.h:604 (libblink_platform.so+0x8c5db2)
#40 base::internal::Invoker<base::internal::BindState<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::SequencedTaskSource::WorkType), base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::SequencedTaskSource::WorkType>, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:586 (libblink_platform.so+0x8c5db2)
#41 Run base/callback.h:95:12 (libbase.so+0x1098f4)
#42 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:61 (libbase.so+0x1098f4)
#43 base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:124:19 (libbase.so+0x15aade)
#44 base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:391:25 (libbase.so+0x1613b3)
#45 base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:403:5 (libbase.so+0x161cdc)
#46 base::MessageLoop::DoWork() base/message_loop/message_loop.cc:447:16 (libbase.so+0x162075)
#47 base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31 (libbase.so+0x165086)
#48 base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:342:12 (libbase.so+0x160929)
#49 non-virtual thunk to base::MessageLoop::Run(bool) base/message_loop/message_loop.cc (libbase.so+0x160a74)
#50 base::RunLoop::Run() base/run_loop.cc:130:14 (libbase.so+0x1bd00f)
#51 content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:247:23 (libcontent.so+0x2292fdb)
#52 content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner.cc:356:14 (libcontent.so+0x2545f5a)
#53 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:435:12 (libcontent.so+0x254697d)
#54 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:706:12 (libcontent.so+0x2547f0b)
#55 content::ContentServiceManagerMainDelegate::RunEmbedderProcess() content/app/content_service_manager_main_delegate.cc:51:32 (libcontent.so+0x254474f)
#56 service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:453:29 (libembedder.so+0x24937)
#57 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10 (libcontent.so+0x2545b5e)
#58 ChromeMain chrome/app/chrome_main.cc:101:12 (chrome+0x11a7e54)
#59 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x11a7dae)

Mutex M2104 (0x7bb4000194d0) created at:
#0 pthread_mutex_init /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:1184:3 (chrome+0x113e603)
#1 InitializeNativeHandle v8/src/base/platform/mutex.cc:23:12 (libv8_libbase.so+0x1aa91)
#2 v8::base::Mutex::Mutex() v8/src/base/platform/mutex.cc:81 (libv8_libbase.so+0x1aa91)
#3 v8::internal::Heap::Heap() v8/src/heap/heap.cc:140:7 (libv8.so+0xb6b09f)
#4 v8::internal::Isolate::Isolate(bool) v8/src/isolate.cc:2474:10 (libv8.so+0xd0b328)
#5 v8::Isolate::New(v8::Isolate::CreateParams const&) v8/src/api.cc:8331:29 (libv8.so+0x406ec9)
#6 gin::IsolateHolder::IsolateHolder(scoped_refptr<base::SingleThreadTaskRunner>, gin::IsolateHolder::AccessMode, gin::IsolateHolder::AllowAtomicsWaitMode, gin::IsolateHolder::IsolateCreationMode) gin/isolate_holder.cc:75:16 (libgin.so+0x19183)
#7 blink::V8PerIsolateData::V8PerIsolateData(scoped_refptr<base::SingleThreadTaskRunner>, blink::V8PerIsolateData::V8ContextSnapshotMode) third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:63:7 (libblink_platform.so+0x46bc01)
#8 blink::V8PerIsolateData::Initialize(scoped_refptr<base::SingleThreadTaskRunner>, blink::V8PerIsolateData::V8ContextSnapshotMode) third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:119:16 (libblink_platform.so+0x46caf1)
#9 blink::V8Initializer::InitializeMainThread(long const*) third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp:613:26 (libblink_core.so+0xcf5b64)
#10 blink::Initialize(blink::Platform*, service_manager::BinderRegistryWithArgs<>*) third_party/WebKit/Source/controller/BlinkInitializer.cpp:105:3 (libblink_controller.so+0xc1b7)
#11 content::RenderThreadImpl::InitializeWebKit(scoped_refptr<base::SingleThreadTaskRunner> const&, service_manager::BinderRegistryWithArgs<>*) content/renderer/render_thread_impl.cc:1347:3 (libcontent.so+0x22366cd)
#12 content::RenderThreadImpl::Init(scoped_refptr<base::SingleThreadTaskRunner> const&) content/renderer/render_thread_impl.cc:831:3 (libcontent.so+0x22329af)
#13 content::RenderThreadImpl::RenderThreadImpl(std::__1::unique_ptr<base::MessageLoop, std::__1::default_delete<base::MessageLoop> >, std::__1::unique_ptr<blink::scheduler::RendererScheduler, std::__1::default_delete<blink::scheduler::RendererScheduler> >) content/renderer/render_thread_impl.cc:777:3 (libcontent.so+0x223120e)
#14 content::RenderThreadImpl::Create(std::__1::unique_ptr<base::MessageLoop, std::__1::default_delete<base::MessageLoop> >, std::__1::unique_ptr<blink::scheduler::RendererScheduler, std::__1::default_delete<blink::scheduler::RendererScheduler> >) content/renderer/render_thread_impl.cc:687:14 (libcontent.so+0x2230945)
#15 content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:235:5 (libcontent.so+0x2292f2e)
#16 content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner.cc:356:14 (libcontent.so+0x2545f5a)
#17 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:435:12 (libcontent.so+0x254697d)
#18 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:706:12 (libcontent.so+0x2547f0b)
#19 content::ContentServiceManagerMainDelegate::RunEmbedderProcess() content/app/content_service_manager_main_delegate.cc:51:32 (libcontent.so+0x254474f)
#20 service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:453:29 (libembedder.so+0x24937)
#21 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10 (libcontent.so+0x2545b5e)
#22 ChromeMain chrome/app/chrome_main.cc:101:12 (chrome+0x11a7e54)
#23 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x11a7dae)

Thread T24 'TaskSchedulerFo' (tid=182085, running) created by main thread at:
#0 pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:965:3 (chrome+0x113d4f5)
#1 base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:115:13 (libbase.so+0x222796)
#2 base::PlatformThread::CreateWithPriority(unsigned long, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:200:10 (libbase.so+0x222655)
#3 Initialize base/task_scheduler/scheduler_worker.cc:130:5 (libbase.so+0x201a20)
#4 base::internal::SchedulerWorker::Thread::Create(scoped_refptr<base::internal::SchedulerWorker>) base/task_scheduler/scheduler_worker.cc:32 (libbase.so+0x201a20)
#5 base::internal::SchedulerWorker::Start() base/task_scheduler/scheduler_worker.cc:218:13 (libbase.so+0x201801)
#6 base::internal::SchedulerWorkerPoolImpl::CreateRegisterAndStartSchedulerWorkerLockRequired() base/task_scheduler/scheduler_worker_pool_impl.cc:870:16 (libbase.so+0x2056df)
#7 base::internal::SchedulerWorkerPoolImpl::MaintainAtLeastOneIdleWorkerLockRequired() base/task_scheduler/scheduler_worker_pool_impl.cc:827:9 (libbase.so+0x2098c5)
#8 base::internal::SchedulerWorkerPoolImpl::WakeUpOneWorkerLockRequired() base/task_scheduler/scheduler_worker_pool_impl.cc:803:3 (libbase.so+0x209a2a)
#9 WakeUpOneWorker base/task_scheduler/scheduler_worker_pool_impl.cc:812:23 (libbase.so+0x205fdc)
#10 base::internal::SchedulerWorkerPoolImpl::OnCanScheduleSequence(scoped_refptr<base::internal::Sequence>) base/task_scheduler/scheduler_worker_pool_impl.cc:273 (libbase.so+0x205fdc)
#11 base::internal::SchedulerWorkerPool::PostTaskWithSequenceNow(base::internal::Task, scoped_refptr<base::internal::Sequence>) base/task_scheduler/scheduler_worker_pool.cc:213:7 (libbase.so+0x2036b1)
#12 base::internal::SchedulerWorkerPool::PostTaskWithSequence(base::internal::Task, scoped_refptr<base::internal::Sequence>) base/task_scheduler/scheduler_worker_pool.cc:152:5 (libbase.so+0x203395)
#13 base::internal::TaskSchedulerImpl::PostDelayedTaskWithTraits(base::Location const&, base::TaskTraits const&, base::OnceCallback<void ()>, base::TimeDelta) base/task_scheduler/task_scheduler_impl.cc:130:9 (libbase.so+0x20e900)
#14 base::PostDelayedTaskWithTraits(base::Location const&, base::TaskTraits const&, base::OnceCallback<void ()>, base::TimeDelta) base/task_scheduler/post_task.cc:76:33 (libbase.so+0x1fb9ec)
#15 base::PostTaskWithTraits(base::Location const&, base::TaskTraits const&, base::OnceCallback<void ()>) base/task_scheduler/post_task.cc:65:3 (libbase.so+0x1fbc0f)
#16 gin::V8BackgroundTaskRunner::PostTask(std::__1::unique_ptr<v8::Task, std::__1::default_delete<v8::Task> >) gin/v8_background_task_runner.cc:25:3 (libgin.so+0x1f3c1)
#17 gin::V8Platform::CallOnBackgroundThread(v8::Task*, v8::Platform::ExpectedRuntime) gin/v8_platform.cc:342:37 (libgin.so+0x2334c)
#18 v8::Platform::CallOnWorkerThread(std::__1::unique_ptr<v8::Task, std::__1::default_delete<v8::Task> >) v8/include/v8-platform.h:384:5 (libgin.so+0x23b90)
#19 v8::Platform::CallBlockingTaskOnWorkerThread(std::__1::unique_ptr<v8::Task, std::__1::default_delete<v8::Task> >) v8/include/v8-platform.h:394:5 (libgin.so+0x23bfb)
#20 v8::internal::ItemParallelJob::Run(std::__1::shared_ptr<v8::internal::Counters>) v8/src/heap/item-parallel-job.cc:109:33 (libv8.so+0xbc71fe)
#21 void v8::internal::MarkCompactCollectorBase::CreateAndExecuteEvacuationTasks<v8::internal::FullEvacuator, v8::internal::MarkCompactCollector>(v8::internal::MarkCompactCollector*, v8::internal::ItemParallelJob*, v8::internal::RecordMigratedSlotVisitor*, v8::internal::MigrationObserver*, long) v8/src/heap/mark-compact.cc:3400:8 (libv8.so+0xbe0135)
#22 v8::internal::MarkCompactCollector::EvacuatePagesInParallel() v8/src/heap/mark-compact.cc:3459:3 (libv8.so+0xbdfa49)
#23 v8::internal::MarkCompactCollector::Evacuate() v8/src/heap/mark-compact.cc:3608:5 (libv8.so+0xbce0c1)
#24 v8::internal::MarkCompactCollector::CollectGarbage() v8/src/heap/mark-compact.cc:610:3 (libv8.so+0xbca811)
#25 v8::internal::Heap::MarkCompact() v8/src/heap/heap.cc:1797:29 (libv8.so+0xb7b7c3)
#26 v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) v8/src/heap/heap.cc:1659:9 (libv8.so+0xb77f3e)
#27 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) v8/src/heap/heap.cc:1329:11 (libv8.so+0xb76108)
#28 CollectAllGarbage v8/src/heap/heap.cc:1099:3 (libv8.so+0xb7434e)
#29 v8::internal::Heap::HandleGCRequest() v8/src/heap/heap.cc:1023 (libv8.so+0xb7434e)
#30 v8::internal::StackGuard::HandleInterrupts() v8/src/execution.cc:494:23 (libv8.so+0xacee8a)
#31 v8::internal::__RT_impl_Runtime_StackGuard(v8::internal::Arguments, v8::internal::Isolate*) v8/src/runtime/runtime-internal.cc:270:34 (libv8.so+0x10355c2)
#32 v8::internal::Runtime_StackGuard(int, v8::internal::Object**, v8::internal::Isolate*) v8/src/runtime/runtime-internal.cc:260:1 (libv8.so+0x1035167)
#33 <null> <null> (0x7eeeb1004212)
#34 v8::internal::(anonymous namespace)::CallInternal(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) v8/src/execution.cc:191:10 (libv8.so+0xacc742)
#35 v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:202:10 (libv8.so+0xacc583)
#36 v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:2153:7 (libv8.so+0x3a9895)
#37 blink::V8ScriptRunner::RunCompiledScript(v8::Isolate*, v8::Local<v8::Script>, blink::ExecutionContext*) third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:473:22 (libblink_core.so+0xd01e5b)
#38 blink::ScriptController::ExecuteScriptAndReturnValue(v8::Local<v8::Context>, blink::ScriptSourceCode const&, blink::KURL const&, blink::ScriptFetchOptions const&, blink::AccessControlStatus) third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:150:22 (libblink_core.so+0xcbe640)
#39 blink::ScheduledAction::Execute(blink::LocalFrame*) third_party/WebKit/Source/bindings/core/v8/ScheduledAction.cpp:161:34 (libblink_core.so+0xcbc4ad)
#40 blink::ScheduledAction::Execute(blink::ExecutionContext*) third_party/WebKit/Source/bindings/core/v8/ScheduledAction.cpp:107:5 (libblink_core.so+0xcbbccc)
#41 blink::DOMTimer::Fired() third_party/WebKit/Source/core/frame/DOMTimer.cpp:175:11 (libblink_core.so+0x1761781)
#42 blink::TimerBase::RunInternal() third_party/WebKit/Source/platform/Timer.cpp:161:3 (libblink_platform.so+0x3ef05f)
#43 Invoke<base::WeakPtr<blink::TimerBase>> base/bind_internal.h:447:12 (libblink_platform.so+0x3ef4f2)
#44 MakeItSo<void (blink::TimerBase::*)(), base::WeakPtr<blink::TimerBase>> base/bind_internal.h:550 (libblink_platform.so+0x3ef4f2)
#45 RunImpl<void (blink::TimerBase::*)(), std::__1::tuple<base::WeakPtr<blink::TimerBase> >, 0> base/bind_internal.h:604 (libblink_platform.so+0x3ef4f2)
#46 base::internal::Invoker<base::internal::BindState<void (blink::TimerBase::*)(), base::WeakPtr<blink::TimerBase> >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:572 (libblink_platform.so+0x3ef4f2)
#47 Run base/callback.h:95:12 (libblink_platform.so+0x3ef3a7)
#48 RunInternal third_party/WebKit/Source/platform/wtf/Functional.h:258 (libblink_platform.so+0x3ef3a7)
#49 WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()>::Run() third_party/WebKit/Source/platform/wtf/Functional.h:245 (libblink_platform.so+0x3ef3a7)
#50 Invoke<std::__1::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()>, std::__1::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()> > >> base/bind_internal.h:447:12 (libblink_platform.so+0x3ef619)
#51 MakeItSo<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()>::*)(), std::__1::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()>, std::__1::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()> > > > base/bind_internal.h:530 (libblink_platform.so+0x3ef619)
#52 RunImpl<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()>::*)(), std::__1::tuple<std::__1::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()>, std::__1::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()> > > >, 0> base/bind_internal.h:604 (libblink_platform.so+0x3ef619)
#53 base::internal::Invoker<base::internal::BindState<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()>::*)(), std::__1::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()>, std::__1::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>, void ()> > > >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:572 (libblink_platform.so+0x3ef619)
#54 Run base/callback.h:95:12 (libbase.so+0x1098f4)
#55 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:61 (libbase.so+0x1098f4)
#56 blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::SequencedTaskSource::WorkType) third_party/WebKit/Source/platform/scheduler/base/thread_controller_impl.cc:162:21 (libblink_platform.so+0x8c35b5)
#57 Invoke<const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &, const blink::scheduler::internal::SequencedTaskSource::WorkType &> base/bind_internal.h:447:12 (libblink_platform.so+0x8c5db2)
#58 MakeItSo<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::SequencedTaskSource::WorkType), const base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> &, const blink::scheduler::internal::SequencedTaskSource::WorkType &> base/bind_internal.h:550 (libblink_platform.so+0x8c5db2)
#59 RunImpl<void (blink::scheduler::internal::ThreadControllerImpl::*const &)(blink::scheduler::internal::SequencedTaskSource::WorkType), const std::__1::tuple<base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::SequencedTaskSource::WorkType> &, 0, 1> base/bind_internal.h:604 (libblink_platform.so+0x8c5db2)
#60 base::internal::Invoker<base::internal::BindState<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::SequencedTaskSource::WorkType), base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::SequencedTaskSource::WorkType>, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:586 (libblink_platform.so+0x8c5db2)
#61 Run base/callback.h:95:12 (libbase.so+0x1098f4)
#62 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:61 (libbase.so+0x1098f4)
#63 base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:124:19 (libbase.so+0x15aade)
#64 base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:391:25 (libbase.so+0x1613b3)
#65 base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:403:5 (libbase.so+0x161cdc)
#66 base::MessageLoop::DoWork() base/message_loop/message_loop.cc:447:16 (libbase.so+0x162075)
#67 base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31 (libbase.so+0x165086)
#68 base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:342:12 (libbase.so+0x160929)
#69 non-virtual thunk to base::MessageLoop::Run(bool) base/message_loop/message_loop.cc (libbase.so+0x160a74)
#70 base::RunLoop::Run() base/run_loop.cc:130:14 (libbase.so+0x1bd00f)
#71 content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:247:23 (libcontent.so+0x2292fdb)
#72 content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner.cc:356:14 (libcontent.so+0x2545f5a)
#73 content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:435:12 (libcontent.so+0x254697d)
#74 content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:706:12 (libcontent.so+0x2547f0b)
#75 content::ContentServiceManagerMainDelegate::RunEmbedderProcess() content/app/content_service_manager_main_delegate.cc:51:32 (libcontent.so+0x254474f)
#76 service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:453:29 (libembedder.so+0x24937)
#77 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10 (libcontent.so+0x2545b5e)
#78 ChromeMain chrome/app/chrome_main.cc:101:12 (chrome+0x11a7e54)
#79 main chrome/app/chrome_exe_main_aura.cc:17:10 (chrome+0x11a7dae)

SUMMARY: ThreadSanitizer: data race v8/src/objects/map-inl.h:276:7 in instance_type
==================
Mar 31 2018
Is this crash really related to the WebAudio fix (https://chromium-review.googlesource.com/c/chromium/src/+/988298)? The crash is happening inside a minor GC, indicating that V8's heap is corrupted. The WebAudio fix wouldn't be touching anything about V8...
,
Apr 2 2018
That CL fixes the original issue about FinishTailProcessing; it doesn't touch anything with V8, but applying the fix and re-running the test case causes the crash in c#11.
,
Apr 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f20e46b4753ec0548b2dada0c00bff6d77b894a8

commit f20e46b4753ec0548b2dada0c00bff6d77b894a8
Author: Raymond Toy <rtoy@chromium.org>
Date: Mon Apr 02 17:59:23 2018

Carefully finish tail processing

When FinishTailProcessing runs, swap out tail_processing_handlers_ before processing the list because DisableOutputs() can add new items to it, and reallocate the vector.

Bug: 826232
Change-Id: I61e0c7b7ead40c7abe9807795c28699931402b59
Reviewed-on: https://chromium-review.googlesource.com/988298
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#547467}

[modify] https://crrev.com/f20e46b4753ec0548b2dada0c00bff6d77b894a8/third_party/WebKit/Source/modules/webaudio/DeferredTaskHandler.cpp
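The re-entrancy the commit message describes, as an added C++ example (constructed here; not Blink's code): a stand-in DeferredTaskHandler whose FinishTailProcessing() swaps tail_processing_handlers_ into a local vector before walking it, so a handler that registers another entry mid-walk (as DisableOutputs() did) appends to a fresh vector instead of reallocating the one under the loop. Class and member names are modelled on the trace but are assumptions.

```cpp
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Constructed model of the bug and fix; names only echo Blink's.
class DeferredTaskHandler;

struct AudioHandler {
  DeferredTaskHandler* owner;
  int id;
  bool tail_finished;
  bool spawns_new_handler;  // stands in for DisableOutputs() queuing another
  void FinishTailProcessing();
};

class DeferredTaskHandler {
 public:
  AudioHandler* AddTailProcessingHandler(bool spawns) {
    owned_.emplace_back(new AudioHandler{this, next_id_++, false, spawns});
    tail_processing_handlers_.push_back(owned_.back().get());
    return owned_.back().get();
  }

  // Pre-fix shape, kept as a comment only: once a callback's push_back
  // reallocates the vector, the range iterator dangles (the reported UAF).
  //   for (AudioHandler* h : tail_processing_handlers_) h->FinishTailProcessing();

  // Fixed shape: move the list out first. Entries registered during the walk
  // land in the (now empty) member and are handled on the next pass.
  int FinishTailProcessing() {
    std::vector<AudioHandler*> handlers;
    handlers.swap(tail_processing_handlers_);
    for (AudioHandler* h : handlers) h->FinishTailProcessing();
    return static_cast<int>(handlers.size());
  }

  std::size_t PendingCount() const { return tail_processing_handlers_.size(); }

 private:
  std::vector<std::unique_ptr<AudioHandler>> owned_;
  std::vector<AudioHandler*> tail_processing_handlers_;
  int next_id_ = 0;
};

void AudioHandler::FinishTailProcessing() {
  tail_finished = true;
  // Re-entrant registration, the step that mutated the list in the crash.
  if (spawns_new_handler) owner->AddTailProcessingHandler(false);
}
```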
,
Apr 2 2018
ClusterFuzz has detected this issue as fixed in range 547466:547468.

Detailed report: https://clusterfuzz.com/testcase?key=6037762021785600
Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7b0400010408
Crash State: blink::DeferredTaskHandler::FinishTailProcessing blink::OfflineAudioContext::FireCompletionEvent blink::OfflineAudioDestinationHandler::NotifyComplete
Sanitizer: thread (TSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=546013:546014
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=547466:547468
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6037762021785600

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 2 2018
ClusterFuzz testcase 6037762021785600 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Apr 3 2018
,
Apr 30 2018
,
Jul 10
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
Comment 1 by ClusterFuzz, Mar 27 2018. Labels: Test-Predator-Auto-Components