Data race in blink::SQLTransactionBackend::Trace |
|||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4836719845965824 Fuzzer: inferno_twister Job Type: linux_tsan_chrome_mp Platform Id: linux Crash Type: Data race READ 8 Crash Address: 0x7ed8cf1f6238 Crash State: blink::SQLTransactionBackend::Trace blink::TraceTrait<blink::SQLTransactionBackend>::Trace blink::ThreadHeap::AdvanceMarkingStackProcessing Sanitizer: thread (TSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=561061:561062 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4836719845965824 Additional requirements: Requires HTTP Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
May 24 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/78de89c79ee15aa6e714895eb509d4f816d93d3a (Fix NTP animation issues). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
May 24 2018
My change is iOS only so it should affect linux.
,
May 25 2018
Unable to find actual suspect through code search and also observing no related CL's under regression range, hence adding appropriate label and requesting someone from blink team to look in to this issue. Thanks!
,
May 28 2018
Kentaro: Can you have a look and maybe triage? We have a GC on the foreground thread that accesses [1] database_ for tracing and there's a SQLTransactionBackend::DoCleanup [2] that also clears the database_ using some mutex (not anything that's GC relevant). [1] https://cs.chromium.org/chromium/src/third_party/blink/renderer/modules/webdatabase/sql_transaction_backend.cc?q=blink::SQLTransactionBackend::Trace&g=0&l=401 [2] https://cs.chromium.org/chromium/src/third_party/blink/renderer/modules/webdatabase/sql_transaction_backend.cc?q=SQLTransactionBackend::DoCleanup&g=0&l=405
,
May 28 2018
Another try: Kentaro, can you help triaging?
,
May 28 2018
If database_ is accessed by the database thread, database_ needs to be CrossThreadPersistent. keishi: Would you take a look? Ideally this should hit the dcheck in Member::CheckPointer() because Member::raw_ is accessed from a thread different from the thread that created the heap object. I noticed that we're missing calling CheckPointer() in Member::operator->(). I'm not sure if this is intentional or not. Maybe it's not acceptable to add CheckPointer to Member::operator->() for performance reasons.
,
May 31 2018
ClusterFuzz testcase 4836719845965824 appears to be flaky, updating reproducibility label.
,
Jun 4 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ab681fc101a84707a4892ac017ba8e3d5ee8bb53 commit ab681fc101a84707a4892ac017ba8e3d5ee8bb53 Author: Keishi Hattori <keishi@chromium.org> Date: Mon Jun 04 11:39:23 2018 Use CrossThreadPersistent for SQLTransactionBackend::database_ SQLTransactionBackend::database_, that points to a main thread owned Database object, was being read from SQLTransactionBackend::DoCleanup on the database thread. Bug: 846144 Change-Id: I6433e0289460da02e04878ec25748876787d6e76 Reviewed-on: https://chromium-review.googlesource.com/1080586 Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Keishi Hattori <keishi@chromium.org> Cr-Commit-Position: refs/heads/master@{#564059} [modify] https://crrev.com/ab681fc101a84707a4892ac017ba8e3d5ee8bb53/third_party/blink/renderer/modules/webdatabase/sql_transaction_backend.cc [modify] https://crrev.com/ab681fc101a84707a4892ac017ba8e3d5ee8bb53/third_party/blink/renderer/modules/webdatabase/sql_transaction_backend.h
,
Jun 11 2018
ClusterFuzz testcase 4836719845965824 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by ClusterFuzz
, May 24 2018Labels: Test-Predator-Auto-Components