ThreadSanitizer: data race [@ StartHandlingUserInput] vs. [@ mozilla::dom::UserActivation::IsHandlingUserInput]
Categories
(Core :: DOM: Forms, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox90 | --- | affected |
People
(Reporter: tsmith, Assigned: edgar)
References
(Blocks 2 open bugs)
Details
(Keywords: csectype-race, testcase)
Attachments
(2 files)
The attached crash information was detected by ThreadSanitizer while using build mozilla-central 20210422-33143ef17c70.
General information about TSan reports
Why fix races?
Data races are undefined behavior and can cause crashes as well as correctness issues. Compiler optimizations can cause racy code to have unpredictable and hard-to-reproduce behavior.
Rating
If you think this race can cause crashes or correctness issues, it would be great to rate the bug appropriately as P1/P2 and/or indicating this in the bug. This makes it a lot easier for us to assess the actual impact that these reports make and if they are helpful to you.
False Positives / Benign Races
Typically, races reported by TSan are not false positives [1], but it is possible that the race is benign. Even in this case it would be nice to come up with a fix if it is easily doable and does not regress performance. Every race that we cannot fix will have to remain on the suppression list and slows down the overall TSan performance. Also note that seemingly benign races can possibly be harmful (also depending on the compiler, optimizations and the architecture) [2][3].
[1] One major exception is the involvement of uninstrumented code from third-party libraries.
[2] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[3] How to miscompile programs with "benign" data races: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf
Suppressing unfixable races
If the bug cannot be fixed, then a runtime suppression needs to be added in mozglue/build/TsanOptions.cpp. The suppressions match on the full stack, so it should be picked such that it is unique to this particular race. The bug number of this bug should also be included so we have some documentation on why this suppression was added.
|
Reporter | |
Comment 1•3 years ago
|
||
To reproduce with the attached test case use the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 3799c70b5773 -t --fuzzing -n mc-tsan
$ python -m grizzly.replay ./mc-tsan/firefox ./testcase.zip --repeat 10 --relaunch 1
|
||
Comment 2•3 years ago
|
||
There's a global variable, sUserInputEventDepth, that is being accessed on both the main thread and the worker thread. It is a little surprising to me that we're creating form data stuff off the main thread. Via self-hosted code, somehow? Anyways, this seems bad, though I'm not sure how much of a security issue it is.
|
|
||
Comment 3•3 years ago
|
||
From the test case, it looks like this is created by new FormData(), which is just an interface that is available on workers and has been for at least a few years.
This is the line that calls into it: mInitiatedFromUserInput(UserActivation::IsHandlingUserInput()) {
Maybe this needs to be set to false if it is being created on a worker or something?
|
|
||
Comment 4•3 years ago
|
||
It looks like this might be a regression from bug 1551264 (which landed in 2019) because that moved the UserActivation check from FormElement to FormData.
|
Assignee | |
Updated•3 years ago
|
|
|
||
Comment 5•3 years ago
|
||
It looks like this field is only read from IsInitiatedFromUserInput(), which is only called from HTMLFormElement::SubmitSubmission(), which will only be called from the main thread, so I think this is not going to be an issue in practice. It would still be good to fix.
|
||
Updated•3 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 6•3 years ago
|
||
Description
•