Issue 856294
Issue metadata

Status: Verified
Owner:
Closed: Jul 19
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocked on:
issue 863724




Data race in pcache1FetchStage2

Reported by ClusterFuzz (Project Member), Jun 25 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6050276226891776

Fuzzer: tokenfuzz_pdf_curated
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 4
Crash Address: 0x562d34a05b10
Crash State:
  pcache1FetchStage2
  pcache1Fetch
  getPageNormal
  
Sanitizer: thread (TSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6050276226891776

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: kkaluri@chromium.org
Components: Internals>Storage
Labels: M-68 Test-Predator-Wrong
Owner: pwnall@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file "sqlite3.c", I was unable to find the culprit CL, hence assigning it to pwnall@ for his work on the file "sqlite3.c".

pwnall@ -- could you please look into this issue?

Thanks!
Comment 2 by ClusterFuzz (Project Member), Jun 26 2018

Labels: -M-68 Fuzz-Blocker ReleaseBlock-Beta M-69
This crash occurs very frequently on the linux platform and is likely preventing the fuzzer tokenfuzz_pdf_curated from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.

The M69 branch is coming VERY soon, on July 19th. Your bug is marked as ReleaseBlock-Beta for M69. Please try to land the fix ASAP to trunk in order to prevent many merges going after the M69 branch. This will also help us to branch M69 from a high quality trunk. Thank you.

Full stack traces:

Write of size 4 at 0x55943160d3e0 by thread T24 (mutexes: write M1100139500455898960):
#0 pcache1FetchStage2 third_party/sqlite/amalgamation/sqlite3.c:48173:25
#1 pcache1Fetch third_party/sqlite/amalgamation/sqlite3.c:48733:12
#2 getPageNormal third_party/sqlite/amalgamation/sqlite3.c:47236:10
#3 allocateBtreePage third_party/sqlite/amalgamation/sqlite3.c:55277:10
#4 sqlite3BtreeCreateTable third_party/sqlite/amalgamation/sqlite3.c:71029:10
#5 sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:87656:8
#6 chrome_sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:80449:10
#7 sql::Connection::ExecuteAndReturnErrorCode(char const*) sql/connection.cc:1340:18
#8 sql::Connection::Execute(char const*) sql/connection.cc:1377:15
#9 autofill::AutofillTable::CreateTablesIfNecessary() components/autofill/core/browser/webdata/autofill_table.cc:2554:15
#10 WebDatabase::Init(base::FilePath const&) components/webdata/common/web_database.cc:136:22
#11 WebDatabaseBackend::LoadDatabaseIfNecessary() components/webdata/common/web_database_backend.cc:110:23
#12 WebDatabaseBackend::InitDatabase() components/webdata/common/web_database_backend.cc:38:3
#13 base::internal::Invoker<base::internal::BindState<void (WebDatabaseBackend::*)(), scoped_refptr<WebDatabaseBackend> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:507:12
#14 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/callback.h:99:12
#15 base::internal::TaskTracker::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) base/task_scheduler/task_tracker.cc:529:23
#16 base::internal::TaskTrackerPosix::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool) base/task_scheduler/task_tracker_posix.cc:23:16
#17 base::internal::TaskTracker::RunAndPopNextTask(scoped_refptr<base::internal::Sequence>, base::internal::CanScheduleSequenceObserver*) base/task_scheduler/task_tracker.cc:404:3
#18 base::internal::SchedulerWorker::RunWorker() base/task_scheduler/scheduler_worker.cc:330:24
#19 base::internal::SchedulerWorker::RunSharedWorker() base/task_scheduler/scheduler_worker.cc:236:3
#20 base::internal::SchedulerWorker::ThreadMain() base/task_scheduler/scheduler_worker.cc:206:7
#21 base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13

Previous write of size 4 at 0x55943160d3e0 by thread T23 (mutexes: write M981075585307285808):
#0 pcache1FetchStage2 third_party/sqlite/amalgamation/sqlite3.c:48173:25
#1 pcache1Fetch third_party/sqlite/amalgamation/sqlite3.c:48733:12
#2 getPageNormal third_party/sqlite/amalgamation/sqlite3.c:47236:10
#3 allocateBtreePage third_party/sqlite/amalgamation/sqlite3.c:55277:10
#4 sqlite3BtreeCreateTable third_party/sqlite/amalgamation/sqlite3.c:70951:10
#5 sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:87656:8
#6 chrome_sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:80449:10
#7 sql::Connection::ExecuteAndReturnErrorCode(char const*) sql/connection.cc:1340:18
#8 sql::Connection::Execute(char const*) sql/connection.cc:1377:15
#9 history::URLDatabase::CreateKeywordSearchTermsIndices() components/history/core/browser/url_database.cc:426:16
#10 history::InMemoryDatabase::InitFromDisk(base::FilePath const&) components/history/core/browser/in_memory_database.cc:155:3
#11 history::InMemoryHistoryBackend::Init(base::FilePath const&) components/history/core/browser/in_memory_history_backend.cc:28:15
#12 history::HistoryBackend::InitImpl(history::HistoryDatabaseParams const&) components/history/core/browser/history_backend.cc:739:22
#13 history::HistoryBackend::Init(bool, history::HistoryDatabaseParams const&) components/history/core/browser/history_backend.cc:242:5
#14 base::internal::Invoker<base::internal::BindState<void (history::HistoryBackend::*)(bool, history::HistoryDatabaseParams const&), scoped_refptr<history::HistoryBackend>, bool, history::HistoryDatabaseParams>, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:507:12
#15 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/callback.h:99:12
#16 base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:453:46
#17 base::MessageLoop::DoWork() base/message_loop/message_loop.cc:464:5
#18 base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
#19 non-virtual thunk to base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:405:12
#20 base::RunLoop::Run() base/run_loop.cc:102:14
#21 base::Thread::Run(base::RunLoop*) base/threading/thread.cc:255:13
#22 base::Thread::ThreadMain() base/threading/thread.cc:337:3
#23 base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13
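The two traces above show the pattern TSAN is reporting: each thread is holding a mutex (a different one on each thread, as the two mutex ids show), yet both write the same 4-byte location inside the shared page-cache code reached through two different sql::Connection objects (the autofill WebDatabase on a task-scheduler worker, the history InMemoryDatabase on the history thread). A lock held per connection does not serialise writes to state that every connection shares. The C program below is an added illustration of that pattern and its fix; it is not code from Chromium or SQLite, and `cache_group`, `connection_cache`, `fetch_page` and `n_pages` are hypothetical stand-ins chosen to mirror the shape of the report, not SQLite's real structures. Building it with `-fsanitize=thread` and running it makes TSAN flag the unprotected variant with a report of the same form ("Write of size 4 ... by thread T1 (mutexes: write M1) ... Previous write ... by thread T2 (mutexes: write M2)").

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Chromium or SQLite code. Two "connections", each
 * serialising its own work under its own mutex, both bump a 4-byte counter
 * in a group shared by every connection in the process. */

enum { N_CONNECTIONS = 2, N_FETCHES = 200000 };

/* Hypothetical stand-in for process-wide page-cache state. */
struct cache_group {
    pthread_mutex_t mutex;    /* only taken by the fixed variant */
    int32_t         n_pages;  /* the shared 4-byte field that races */
};

/* Hypothetical stand-in for one connection's view of the cache. */
struct connection_cache {
    pthread_mutex_t     db_mutex;       /* per-connection lock */
    struct cache_group *group;          /* shared by all connections */
    int                 use_group_lock; /* 0 = racy, 1 = fixed */
};

static void fetch_page(struct connection_cache *c)
{
    /* db_mutex is the only lock held on each thread in the racy variant,
     * matching the "mutexes: write M..." lines in the TSAN report: a
     * different mutex on each thread, so it protects nothing shared. */
    pthread_mutex_lock(&c->db_mutex);
    if (c->use_group_lock) pthread_mutex_lock(&c->group->mutex);
    c->group->n_pages++;   /* unprotected when use_group_lock == 0 */
    if (c->use_group_lock) pthread_mutex_unlock(&c->group->mutex);
    pthread_mutex_unlock(&c->db_mutex);
}

static void *worker(void *arg)
{
    struct connection_cache *c = arg;
    for (int i = 0; i < N_FETCHES; i++) fetch_page(c);
    return NULL;
}

/* Runs N_CONNECTIONS threads against one shared group and returns the
 * final page count. With use_group_lock == 0 the result may fall short of
 * N_CONNECTIONS * N_FETCHES and TSAN reports a data race; with 1 the count
 * is exact and TSAN is silent. */
int32_t run_connections(int use_group_lock)
{
    struct cache_group group = { PTHREAD_MUTEX_INITIALIZER, 0 };
    struct connection_cache caches[N_CONNECTIONS];
    pthread_t threads[N_CONNECTIONS];

    for (int i = 0; i < N_CONNECTIONS; i++) {
        pthread_mutex_init(&caches[i].db_mutex, NULL);
        caches[i].group = &group;
        caches[i].use_group_lock = use_group_lock;
        pthread_create(&threads[i], NULL, worker, &caches[i]);
    }
    for (int i = 0; i < N_CONNECTIONS; i++) {
        pthread_join(threads[i], NULL);
        pthread_mutex_destroy(&caches[i].db_mutex);
    }
    pthread_mutex_destroy(&group.mutex);
    return group.n_pages;
}

int main(void)
{
    int32_t expected = N_CONNECTIONS * N_FETCHES;
    printf("racy:   %d (expected %d)\n", run_connections(0), expected);
    printf("locked: %d (expected %d)\n", run_connections(1), expected);
    return 0;
}
```

Compile with `cc -g -O1 -fsanitize=thread -pthread race.c` to see the TSAN report for the racy run; the same binary reports nothing for the locked run, which is the check to repeat after any fix of this class. The fix shown is a lock on the shared state; the alternative TSAN is equally happy with is to stop sharing, which is what giving each sql::Connection its own private state, or confining each connection to a single sequence as pwnall's thread-safety checkers enforce, amounts to.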
Blockedon: 863724
I don't think I can fix this in time for 69, sorry.

I tried adding thread safety checkers to sql::Statement [1] and sql::Connection [2], and they have uncovered quite a few threading errors. It'll take a while to go through everything.

[1] https://crrev.com/c/1137851
[2] https://crrev.com/c/1137920
The M69 branch is coming VERY soon, this Thursday, July 19th. Your bug is marked as ReleaseBlock-Beta for M69. Please try to land the fix ASAP to trunk in order to prevent many merges going after the M69 branch. This will also help us to branch M69 from a high quality trunk. Thank you.
Labels: -ReleaseBlock-Beta -M-69 Target-70 FoundIn-69
Labels: M-70
Comment 10 by ClusterFuzz (Project Member), Jul 19

ClusterFuzz has detected this issue as fixed in range 576397:576398.

Detailed report: https://clusterfuzz.com/testcase?key=6050276226891776

Fuzzer: tokenfuzz_pdf_curated
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 4
Crash Address: 0x562d34a05b10
Crash State:
  pcache1FetchStage2
  pcache1Fetch
  getPageNormal
  
Sanitizer: thread (TSAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=576397:576398

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6050276226891776

Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 11 by ClusterFuzz (Project Member), Jul 19

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6050276226891776 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
