Closed Bug 1685837 Opened 3 years ago Closed 3 years ago

ThreadSanitizer: data race [@ mozilla::layers::AsyncPanZoomController::SetState] vs. [@ IsAsyncZooming]

Categories

(Core :: Panning and Zooming, defect)

Product:
Core
Component:
Panning and Zooming
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox86 --- fixed

People

(Reporter: tsmith, Assigned: botond)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race)

Attachments

(2 files)

Detailed Crash Information
22.68 KB, text/plain
Details
Bug 1685837 - Protect the read of mState in AsyncPanZoomController::IsAsyncZooming() with the APZC lock. r=tnikkel
48 bytes, text/x-phabricator-request
Details | Review

The attached crash information was detected by ThreadSanitizer while automatically transitioning between videos on youtube.com. Using build mozilla-central 20210108-e7ad4ad7c65b.

General information about TSan reports

Why fix races?

Data races are undefined behavior and can cause crashes as well as correctness issues. Compiler optimizations can cause racy code to have unpredictable and hard-to-reproduce behavior.

Rating

If you think this race can cause crashes or correctness issues, it would be great to rate the bug appropriately as P1/P2 and/or indicating this in the bug. This makes it a lot easier for us to assess the actual impact that these reports make and if they are helpful to you.

False Positives / Benign Races

Typically, races reported by TSan are not false positives [1], but it is possible that the race is benign. Even in this case it would be nice to come up with a fix if it is easily doable and does not regress performance. Every race that we cannot fix will have to remain on the suppression list and slows down the overall TSan performance. Also note that seemingly benign races can possibly be harmful (also depending on the compiler, optimizations and the architecture) [2][3].

[1] One major exception is the involvement of uninstrumented code from third-party libraries.
[2] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[3] How to miscompile programs with "benign" data races: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf

Suppressing unfixable races

If the bug cannot be fixed, then a runtime suppression needs to be added in mozglue/build/TsanOptions.cpp. The suppressions match on the full stack, so it should be picked such that it is unique to this particular race. The bug number of this bug should also be included so we have some documentation on why this suppression was added.

Hmm, just looking at what kind of locking we have in place for accessing the state of an apzc I found this

https://searchfox.org/mozilla-central/rev/c59d9181cbcd8356ce9271723e31be11641e7010/gfx/layers/apz/src/AsyncPanZoomController.h#1277

"This is in theory protected by |mRecursiveMutex|; that is, it should be held whenever this is updated. In practice though... see bug 897017."

And there is also bug 1153979. So I'm not sure if there is just one place we need to hold the mutex but don't or there are already systematic problems in many other places we are aware of but haven't tackled yet.

It may not fix all of the locking issues around mState, but fixing this particular race is easy enough.

Assignee: nobody → botond
Pushed by bballo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fb6a56a9f1a6
Protect the read of mState in AsyncPanZoomController::IsAsyncZooming() with the APZC lock. r=tnikkel

https://hg.mozilla.org/mozilla-central/rev/fb6a56a9f1a6

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox86: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: