Closed
Bug 1219403
Opened 9 years ago
Closed 9 years ago
TSan: data race dom/media/MediaStreamGraph.cpp:376 UpdateStreamOrder (race on MediaStreamGraphImpl::mStreamOrderDirty)
Categories
(Core :: Web Audio, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla45
| Tracking | Status | |
|---|---|---|
| firefox41 | --- | unaffected |
| firefox42 | --- | disabled |
| firefox43 | --- | disabled |
| firefox44 | --- | disabled |
| firefox45 | --- | fixed |
| firefox-esr38 | --- | unaffected |
People
(Reporter: froydnj, Assigned: padenot)
References
(Blocks 2 open bugs)
Details
(Keywords: regression, sec-moderate, Whiteboard: [tsan][b2g-adv-main2.5-][post-critsmash-triage])
Attachments
(2 files, 1 obsolete file)
|
17.38 KB,
text/plain
|
Details | |
|
1.53 KB,
patch
|
karlt
:
review+
|
Details | Diff | Splinter Review |
The attached logfile shows a thread/data race detected by TSan (ThreadSanitizer).
* Specific information about this bug
MediaStreamGraphImpl::SetStreamOrderDirty updates mStreamOrderDirty without any locks held on the main thread. MediaStreamGraphimpl::UpdateStreamOrder then reads the value held therein on a helper thread (started by ALSA?), also without any locks.
* General information about TSan, data races, etc.
Typically, races reported by TSan are not false positives, but it is possible that the race is benign. Even in this case though, we should try to come up with a fix unless this would cause unacceptable performance issues. Also note that seemingly benign races can possibly be harmful (also depending on the compiler and the architecture) [1][2].
If the bug cannot be fixed, then this bug should be used to either make a compile-time annotation for blacklisting or add an entry to the runtime blacklist.
[1] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[2] _How to miscompile programs with "benign" data races_: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf
|
||
Comment 1•9 years ago
|
||
MediaInputPort::Disconnect() is a graph thread method, and I expect there are memory safety risks from RemoveInput/RemoveConsumer on the wrong thread.
I expect these are hard to exploit, but not sure.
Destroy() should be sufficient.
https://hg.mozilla.org/mozilla-central/rev/946e320a1776#l3.62
Introduced in 42. Assuming these version also affected. (I don't know whether this might have been disabled somehow in some versions.)
Blocks: 1156472
Group: core-security
Has Regression Range: --- → yes
status-firefox41:
--- → unaffected
status-firefox42:
--- → affected
status-firefox43:
--- → affected
status-firefox44:
--- → affected
Flags: needinfo?(padenot)
Keywords: regression,
sec-moderate
Version: unspecified → 42 Branch
|
|
||
Updated•9 years ago
|
Component: Audio/Video: MSG/cubeb/GMP → Web Audio
|
||
Comment 2•9 years ago
|
||
Paul -- Do you have the bandwidth to take this bug? I'd like to get a fix for this soon.
Rank: 15
Priority: -- → P1
|
||
Updated•9 years ago
|
Group: core-security → media-core-security
|
Assignee | |
Comment 3•9 years ago
|
||
This is related to audio capture, and audio capture is behind a disabled pref for now. This report comes probably from a mochitest run, and the mochitest flips the pref so that the feature can be tested. The faulty code is therefore unreachable in the wild.
That said, Karl is right in comment 1, ::Destroy is sufficient here, patch coming up.
Flags: needinfo?(padenot)
|
|
Assignee | |
Comment 4•9 years ago
|
||
I'll be doing some work in bug 1221021 to prevent this in the future.
Assignee: nobody → padenot
Attachment #8682388 -
Flags: review?(karlt)
|
|
Assignee | |
Comment 5•9 years ago
|
||
Hrm, forgot I was not in a MediaStreamGraphImpl method.
Attachment #8682402 -
Flags: review?(karlt)
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8682388 -
Attachment is obsolete: true
Attachment #8682388 -
Flags: review?(karlt)
|
|
||
Updated•9 years ago
|
Attachment #8682402 -
Flags: review?(karlt) → review+
|
|
Assignee | |
Comment 6•9 years ago
|
||
Daniel, considering comment 3, can we just land this without sec-approval?
Flags: needinfo?(dveditz)
|
|
||
Comment 7•9 years ago
|
||
Turning on audio capture is bug 1187333. Is there a target release version yet? Until we have one I guess we can keep flipping the status to "disabled".
(In reply to Paul Adenot (:padenot) from comment #6)
> Daniel, considering comment 3, can we just land this without sec-approval?
Yup, please do. No worries about who we're putting at risk should the patch be reverse engineered. (For a racy bug that's difficult/unlikely anyway even if it weren't disabled.)
Blocks: 1187333
status-firefox45:
--- → affected
status-firefox-esr38:
--- → unaffected
Flags: needinfo?(dveditz)
|
|
Assignee | |
Comment 8•9 years ago
|
||
|
|
||
Comment 9•9 years ago
|
||
Paul -- Will the fix for this bug also fix Bug 1221884?
Flags: needinfo?(padenot)
|
|
Assignee | |
Comment 10•9 years ago
|
||
As Karl said, it's not clear, but it could be. We'll see, this just got landed.
Flags: needinfo?(padenot)
https://hg.mozilla.org/mozilla-central/rev/0cdf0710beb8
https://hg.mozilla.org/mozilla-central/rev/b7d8668ab1e1
https://hg.mozilla.org/mozilla-central/rev/a082d90d2732
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
|
|
||
Updated•9 years ago
|
Group: media-core-security → core-security-release
|
||
Updated•9 years ago
|
Whiteboard: [tsan] → [tsan][b2g-adv-main2.5-]
|
||
Updated•9 years ago
|
Whiteboard: [tsan][b2g-adv-main2.5-] → [tsan][b2g-adv-main2.5-][post-critsmash-triage]
|
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•