Closed
Bug 1282283
Opened 8 years ago
Closed 8 years ago
TSan: data race on APZCTreeManager::mRootNode
Categories
(Core :: Panning and Zooming, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla50
People
(Reporter: jseward, Assigned: kats)
References
Details
(Whiteboard: [gfx-noted])
Attachments
(2 files)
27.88 KB,
text/plain
|
Details | |
58 bytes,
text/x-review-board-request
|
jseward
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
|
Details |
This is not easy to reproduce -- was observed when surfing with a
profile with around 100 tabs using a TSan-enabled build. Sorry I
don't have better STR right now.
It appears that APZCTreeManager::UpdateHitTestingTree sets mRootNode to null
at APZCTreeManager.cpp:174, on the compositor thread
174 mRootNode = nullptr;
whilst APZCTreeManager::ReceiveInputEvent dereferences it, on the
controller thread
698 if (!apzc && mRootNode) {
699 apzc = mRootNode->GetApzc();
700 }
APZCTreeManager::UpdateHitTestingTree does indeed hold
APZCTreeManager::mTreeLock but APZCTreeManager::ReceiveInputEvent does
not.
This strikes me as distinctly ungood ;-)
According to APZCTreeManager.h, comment starting at line 542,
mTreeLock must be held whenever accessing the tree rooted at
mRootNode. So it seems as if ::ReceiveInputEvent is in error, and
could conceivably be fixed just by putting "MutexAutoLock
lock(mTreeLock);" at the top of APZCTreeManager::ReceiveInputEvent.
Does that sound plausible?
Reporter | ||
Comment 1•8 years ago
|
||
Assignee | ||
Comment 2•8 years ago
|
||
Yeah, that looks like a bug in ReceiveInputEvent. We should add a treelock, but I would prefer to scope it just around that hunk of code that reads mRootNode. ReceiveInputEvent does a lot of other stuff and I don't want to hold the lock for the whole function.
Component: Graphics: Layers → Panning and Zooming
Assignee | ||
Updated•8 years ago
|
Blocks: 1211612
status-firefox47:
--- → wontfix
status-firefox48:
--- → fix-optional
status-firefox49:
--- → affected
Version: Trunk → 45 Branch
Assignee | ||
Comment 3•8 years ago
|
||
I can write the patch, it's pretty straightforward.
Assignee: nobody → bugmail.mozilla
Assignee | ||
Comment 4•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/60748/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/60748/
Assignee | ||
Updated•8 years ago
|
Attachment #8765284 -
Flags: review?(jseward)
Reporter | ||
Comment 5•8 years ago
|
||
(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #2)
> Yeah, that looks like a bug in ReceiveInputEvent. We should add a treelock,
> but I would prefer to scope it just around that hunk of code that reads
> mRootNode. ReceiveInputEvent does a lot of other stuff and I don't want to
> hold the lock for the whole function.
Ok, so I see that in the patch you restrict the scope of the lock just to
that hunk. I just want to check the following: with the patch, we now hold
the lock when testing |mRootNode| and then calling |mRootNode->GetApzc()|,
and then drop the lock. Is it possible that the other thread could then
get the lock, set |mRootNode| to null, and thereby cause the |azpc|
value we just pulled out to become invalid?
In other words -- is the locked region you've added, big enough to guarantee
that the |azpc| value obtained from |mRootNode| remains valid for the rest
of its uses in APZCTreeManager::ReceiveInputEvent case MOUSE_INPUT ?
Assignee | ||
Comment 6•8 years ago
|
||
The apzc is held by a RefPtr so it won't become garbage. It has some internal pointers that may get nulled out if mRootNode is destroyed but even if that happens the code in ReceiveInputEvent should work fine. Access to member variables inside apzc has other locks to avoid races.
Reporter | ||
Comment 7•8 years ago
|
||
Comment on attachment 8765284 [details]
Bug 1282283 - Fix data race found by TSan.
With that patch, I can no longer reproduce the race. Thanks!
Attachment #8765284 -
Flags: review?(jseward) → review+
Pushed by kgupta@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fb7b5a8e6124
Fix data race found by TSan. r=sewardj
Assignee | ||
Updated•8 years ago
|
Priority: -- → P3
Assignee | ||
Updated•8 years ago
|
Whiteboard: [gfx-noted]
Comment 9•8 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Assignee | ||
Comment 10•8 years ago
|
||
Comment on attachment 8765284 [details]
Bug 1282283 - Fix data race found by TSan.
Approval Request Comment
[Feature/regressing bug #]: bug 1211612
[User impact if declined]: Possible race condition that results in a crash while dragging. We haven't seen any reports of this in the wild, but it's a theoretical possibility
[Describe test coverage new/current, TreeHerder]: not easily testable
[Risks and why]: very low risk patch, just adds a bit of locking to avoid the race condition
[String/UUID change made/needed]: none
Attachment #8765284 -
Flags: approval-mozilla-beta?
Attachment #8765284 -
Flags: approval-mozilla-aurora?
Comment 11•8 years ago
|
||
Comment on attachment 8765284 [details]
Bug 1282283 - Fix data race found by TSan.
Fix a race, taking it.
Should be in 48 beta 5
Attachment #8765284 -
Flags: approval-mozilla-beta?
Attachment #8765284 -
Flags: approval-mozilla-beta+
Attachment #8765284 -
Flags: approval-mozilla-aurora?
Attachment #8765284 -
Flags: approval-mozilla-aurora+
Comment 12•8 years ago
|
||
bugherder uplift |
Comment 13•8 years ago
|
||
bugherder uplift |
You need to log in
before you can comment on or make changes to this bug.
Description
•