Closed Bug 1676257 Opened 3 years ago Closed 3 years ago

ThreadSanitizer: data race [@ GiveSurface] vs. [@ mozilla::gfx::SourceSurfaceSkia::GetImage]

Categories

(Core :: Graphics, defect, P3)

defect

Tracking

()

RESOLVED FIXED
84 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox82 --- wontfix
firefox83 --- wontfix
firefox84 --- fixed

People

(Reporter: decoder, Assigned: lsalzman)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, sec-other, Whiteboard: [post-critsmash-triage][adv-main84-])

Attachments

(2 files)

The attached crash information was detected while running CI tests with ThreadSanitizer on try based on m-c revision ffeebb5c7d51e7d63b60c225057717e46231d59c.

For detailed crash information, see attachment.

Marking s-s because there are some RefPtr signatures in one of the stacks. I quickly looked over this and I believe the race is on mSnapshot, but that's not the RefPtr going away here. In any case, it would be good if a developer looked over this before opening.

General information about TSan reports

Why fix races?

Data races are undefined behavior and can cause crashes as well as correctness issues. Compiler optimizations can cause racy code to have unpredictable and hard-to-reproduce behavior.

Rating

If you think this race can cause crashes or correctness issues, it would be great to rate the bug appropriately as P1/P2 and/or indicating this in the bug. This makes it a lot easier for us to assess the actual impact that these reports make and if they are helpful to you.

False Positives / Benign Races

Typically, races reported by TSan are not false positives [1], but it is possible that the race is benign. Even in this case it would be nice to come up with a fix if it is easily doable and does not regress performance. Every race that we cannot fix will have to remain on the suppression list and slows down the overall TSan performance. Also note that seemingly benign races can possibly be harmful (also depending on the compiler, optimizations and the architecture) [2][3].

[1] One major exception is the involvement of uninstrumented code from third-party libraries.
[2] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[3] How to miscompile programs with "benign" data races: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf

Suppressing unfixable races

If the bug cannot be fixed, then a runtime suppression needs to be added in mozglue/build/TsanOptions.cpp. The suppressions match on the full stack, so it should be picked such that it is unique to this particular race. The bug number of this bug should also be included so we have some documentation on why this suppression was added.

Group: core-security → gfx-core-security

jimm: who should look into this? Potentially dangerous race but we need someone with expertise to double-check that.

Flags: needinfo?(jmathies)
Keywords: csectype-race
Severity: -- → S3
Priority: -- → P3
OS: Linux → All
Hardware: x86_64 → All

This race is benign, as the DrawTargetSkia that is using the SourceSurfaceSkia is actually going away. It's essentially harmless whether or not it ends up using the value that is in contention here and possibly unlocking a mutex based on that value that is designed to protect against multiple users inside the SourceSkia. I will put up a patch to make this value an Atomic<DrawTargetSkia*> which should at least get rid of the warning and ensure the value is accessed in an atomic/deterministic fashion.

I think it would be fine to just leave this a sec-moderate since I don't expect this has any exploits.

Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Flags: needinfo?(jmathies) → needinfo?(dveditz)

From your description it sounds non-exploitable, but I'll leave it hidden for now.

Flags: needinfo?(dveditz)
Keywords: sec-other
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main84-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: