TSan: data race libstagefright/stubs/include/cutils/atomic.h:23 stagefright::android_atomic_inc(int volatile*)

RESOLVED FIXED in Firefox 40

Status

Core
Audio/Video
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: froydnj, Assigned: jya)

Tracking

(Blocks: 1 bug)

unspecified
mozilla40
x86_64
Linux
Points:
---

Firefox Tracking Flags

(firefox40 fixed)

Details

(Whiteboard: [tsan])

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
Created attachment 8595480 [details]
libstagefright-atomic-race.txt

The attached logfile shows a thread/data race detected by TSan (ThreadSanitizer).

* Specific information about this bug

The implementation of the stagefright::android_atomic_* functions is completely bogus, substituting operations on |volatile T*| for real atomic operations.  At least the source code owns up to this:

http://mxr.mozilla.org/mozilla-central/source/media/libstagefright/stubs/include/cutils/atomic.h#9

It looks like we import this from upstream?  Is there a good way to convince them to fix this?

* General information about TSan, data races, etc.

Typically, races reported by TSan are not false positives, but it is possible that the race is benign. Even in this case though, we should try to come up with a fix unless this would cause unacceptable performance issues. Also note that seemingly benign races can possibly be harmful (also depending on the compiler and the architecture) [1][2].

If the bug cannot be fixed, then this bug should be used to either make a compile-time annotation for blacklisting or add an entry to the runtime blacklist.

[1] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[2] _How to miscompile programs with "benign" data races_: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf
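The failure mode described above, as an added example that is not part of the bug report or the libstagefright source: `stub_atomic_inc` is a hypothetical model of an "atomic" increment built on a plain `volatile` read-modify-write, set beside a C11 `<stdatomic.h>` replacement. All function names, the thread count and the iteration count are assumptions.

```c
/* Added example; stub_atomic_inc is a hypothetical model, not the real header. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define THREADS 2
#define ITERATIONS 1000000

/* Stub style: volatile forces the load and the store to be emitted, but the
   pair is not indivisible, so two concurrent callers can read the same old
   value and one increment is lost. This is the access TSan reports. */
static int32_t stub_atomic_inc(volatile int32_t *addr) {
    int32_t old = *addr;
    *addr = old + 1;
    return old;
}

/* Real atomic: a single indivisible fetch-and-add, sequentially consistent. */
static int32_t real_atomic_inc(_Atomic int32_t *addr) {
    return atomic_fetch_add(addr, 1);
}

static volatile int32_t stub_counter;
static _Atomic int32_t real_counter;

static void *stub_worker(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++) stub_atomic_inc(&stub_counter);
    return NULL;
}
static void *real_worker(void *arg) {
    (void)arg;
    for (int i = 0; i < ITERATIONS; i++) real_atomic_inc(&real_counter);
    return NULL;
}

/* Start THREADS copies of fn and join every thread that actually started. */
static void run_workers(void *(*fn)(void *)) {
    pthread_t t[THREADS];
    int started = 0;
    while (started < THREADS && pthread_create(&t[started], NULL, fn, NULL) == 0) started++;
    while (started > 0) pthread_join(t[--started], NULL);
}

int32_t count_with_stub(void) { stub_counter = 0; run_workers(stub_worker); return stub_counter; }
int32_t count_with_real(void) { atomic_store(&real_counter, 0); run_workers(real_worker); return atomic_load(&real_counter); }

int main(void) {
    printf("expected %d, stub %d, real %d\n", THREADS * ITERATIONS, (int)count_with_stub(), (int)count_with_real());
    return 0;
}
```

Built with `-pthread -fsanitize=thread`, TSan flags the stub path and stays quiet on the C11 path; without the sanitizer the stub total typically comes up short of the expected count.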
(Assignee)

Comment 1

3 years ago
I can't think of a case where libstagefright would be used from two concurrent threads at once. 

We only use stagefright to read the metadata and this is always done on the media task queue.

Comment 2

ThreadSanitizer is a dynamic analysis, so this is in fact happening in some test case.  It looks like the writes are happening in threads named "Media P~back #4" and "Media P~back #3".
(Assignee)

Comment 3

3 years ago
Created attachment 8596989 [details] [diff] [review]
Disable use of stagefright::String8::clear

Could have just removed all that code altogether as we don't care about the creation date anyway.
Attachment #8596989 - Flags: review?(ajones)
(Assignee)

Updated

3 years ago
Assignee: nobody → jyavenard
Status: NEW → ASSIGNED
Attachment #8596989 - Flags: review?(ajones) → review+
https://hg.mozilla.org/mozilla-central/rev/d83ea2eed9d8
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox40: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40