Closed Bug 1724107 Opened 3 years ago Closed 3 years ago

ThreadSanitizer: data race [@ Free] vs. [@ free] with nsTimerEvent during shutdown

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
92 Branch
Tracking Flags:
Tracking Status
firefox-esr78 92+ fixed
firefox-esr91 92+ fixed
firefox90 --- wontfix
firefox91 --- wontfix
firefox92 + fixed

People

(Reporter: tsmith, Assigned: smaug)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-race, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main92+r][adv-esr78.14+r][adv-esr91.1+r])

Attachments

(2 files)

Detailed Crash Information
9.51 KB, text/plain
Details
Bug 1724107, be more precise when counting the number of allocator users, r=KrisWright
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr78+
RyanVM
: approval-mozilla-esr91+
Details | Review

The attached crash information was detected by ThreadSanitizer while fuzzing build mozilla-central 20210627-540a7a99af3e. No test case is available at this time.

General information about TSan reports

Why fix races?

Data races are undefined behavior and can cause crashes as well as correctness issues. Compiler optimizations can cause racy code to have unpredictable and hard-to-reproduce behavior.

Rating

If you think this race can cause crashes or correctness issues, it would be great to rate the bug appropriately as P1/P2 and/or indicating this in the bug. This makes it a lot easier for us to assess the actual impact that these reports make and if they are helpful to you.

False Positives / Benign Races

Typically, races reported by TSan are not false positives [1], but it is possible that the race is benign. Even in this case it would be nice to come up with a fix if it is easily doable and does not regress performance. Every race that we cannot fix will have to remain on the suppression list and slows down the overall TSan performance. Also note that seemingly benign races can possibly be harmful (also depending on the compiler, optimizations and the architecture) [2][3].

[1] One major exception is the involvement of uninstrumented code from third-party libraries.
[2] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[3] How to miscompile programs with "benign" data races: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf

Suppressing unfixable races

If the bug cannot be fixed, then a runtime suppression needs to be added in mozglue/build/TsanOptions.cpp. The suppressions match on the full stack, so it should be picked such that it is unique to this particular race. The bug number of this bug should also be included so we have some documentation on why this suppression was added.

This looks like a potential double-free on shutdown (this could cause a shutdown crash).

Summary: ThreadSanitizer: data race [@ Free] vs. [@ free] → ThreadSanitizer: data race [@ Free] vs. [@ free] with nsTimerEvent during shutdown

Ah, so the allocator can be deleted when there are no nsTimerEvent objects left. And the counter is decreased in dtor of nsTimerEvent, so the object is still alive at that point. Another thread then deletes the allocator.
I guess the counter should be decreased later, maybe after https://searchfox.org/mozilla-central/rev/00977c4e37865a92f1c15572ae4aea90e934b25b/xpcom/threads/TimerThread.cpp#151

The patch is based on code inspection.

One could move sAllocatorUsers also to Free(), but shouldn't matter in practise.

Assignee: nobody → bugs
Status: NEW → ASSIGNED

I'll mark this sec-moderate under the assumption that it is a shutdown race.

Keywords: sec-moderate

be more precise when counting the number of allocator users, r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/3f4660476057d126d6d849dd24f7d30a6a1cf1b0
https://hg.mozilla.org/mozilla-central/rev/3f4660476057

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox92: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

Please nominate this for ESR78 & ESR91 approval when you get a chance.

Flags: needinfo?(bugs)

Comment on attachment 9234886 [details]
Bug 1724107, be more precise when counting the number of allocator users, r=KrisWright

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This could fix some shutdown crashes
  • User impact if declined: crashes
  • Fix Landed on Version: 92
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch just moved sAllocatorUsers-- to be just outside the destructor call.
  • String or UUID changes made by this patch: NA
Flags: needinfo?(bugs)
Attachment #9234886 - Flags: approval-mozilla-esr91?
Attachment #9234886 - Flags: approval-mozilla-esr78?

Comment on attachment 9234886 [details]
Bug 1724107, be more precise when counting the number of allocator users, r=KrisWright

Approved for 91.1esr and 78.14esr.

Attachment #9234886 - Flags: approval-mozilla-esr91?
Attachment #9234886 - Flags: approval-mozilla-esr91+
Attachment #9234886 - Flags: approval-mozilla-esr78?
Attachment #9234886 - Flags: approval-mozilla-esr78+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main92+r]
Whiteboard: [post-critsmash-triage][adv-main92+r] → [post-critsmash-triage][adv-main92+r][adv-esr78.14+r][adv-esr91.0.1+r]
Whiteboard: [post-critsmash-triage][adv-main92+r][adv-esr78.14+r][adv-esr91.0.1+r] → [post-critsmash-triage][adv-main92+r][adv-esr78.14+r][adv-esr91.1+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: