Closed Bug 1758223 Opened 3 years ago Closed 3 years ago

ThreadSanitizer: data race [@ UnsetFlags] vs. [@ style::gecko::wrapper::GeckoNode::flags]

Categories

(Core :: CSS Parsing and Computation, defect)

defect

Tracking

()

VERIFIED FIXED
100 Branch
Tracking Status
firefox-esr91 - wontfix
firefox98 --- wontfix
firefox99 --- wontfix
firefox100 + verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-race, sec-moderate, testcase, Whiteboard: [bugmon:bisected,confirmed][adv-main100+r])

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20220304-b01b8627f45f (--enable-thread-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -t --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --repeat 10 --no-harness

The test case is not 100% relaible but I can usually get it to repro within 6 attempts.

WARNING: ThreadSanitizer: data race (pid=30010)
  Write of size 4 at 0x7b6c0000b618 by thread T17:
    #0 UnsetFlags /builds/worker/workspace/obj-build/dist/include/nsWrapperCache.h:285:12 (libxul.so+0x5027044)
    #1 UnsetFlags /builds/worker/checkouts/gecko/dom/base/nsINode.h:1318:21 (libxul.so+0x5027044)
    #2 Gecko_UnsetNodeFlags /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:270:32 (libxul.so+0x5027044)
    #3 style::gecko::wrapper::GeckoElement::unset_flags::hd2bae9c72374eb89 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:667:9 (libxul.so+0x7f9f17f)
    #4 _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::clear_descendant_bits::h5c3cdbd8d552d2f2 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:1428:9 (libxul.so+0x7f9f17f)
    #5 style::traversal::clear_descendant_data::hfd438933a014a9cd /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:851:5 (libxul.so+0x7f9f17f)
    #6 style::traversal::recalc_style_at::h825868bd8f2fc4a8 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:440:17 (libxul.so+0x7fa9b3b)
    #7 _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h51801bb01cb7fb03 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13 (libxul.so+0x7fa9b3b)
    #8 style::traversal::recalc_style_at::h825868bd8f2fc4a8 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:440:17 (libxul.so+0x7fa9b3b)
    #9 _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h51801bb01cb7fb03 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13 (libxul.so+0x7fa9b3b)
    #10 style::parallel::top_down_dom::h3d12f5fd6fdb9f63 /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:197:13 (libxul.so+0x7fa9561)
    #11 style::parallel::traverse_nodes::_$u7b$$u7b$closure$u7d$$u7d$::h25ccac476fbf0260 /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:282:17 (libxul.so+0x7fa9561)
    #12 rayon_core::scope::ScopeFifo::spawn_fifo::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h724c9324c074379c /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:585:47 (libxul.so+0x7fa9561)
    #13 _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb92fb87058eeb32f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9 (libxul.so+0x7fa9561)
    #14 std::panicking::try::do_call::hd79f2cd18775379f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40 (libxul.so+0x7fa9561)
    #15 std::panicking::try::h835bb2e86967a2c3 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19 (libxul.so+0x7fa9561)
    #16 std::panic::catch_unwind::h43a1743956601189 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:133:14 (libxul.so+0x7fa9561)
    #17 rayon_core::unwind::halt_unwinding::h5129718133a90d9f /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5 (libxul.so+0x7fa9561)
    #18 rayon_core::scope::ScopeBase::execute_job_closure::hbb790bb983272014 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:650:15 (libxul.so+0x7fa9561)
    #19 rayon_core::scope::ScopeBase::execute_job::hcc0a316691188b80 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:640:29 (libxul.so+0x7fa9561)
    #20 rayon_core::scope::ScopeFifo::spawn_fifo::_$u7b$$u7b$closure$u7d$$u7d$::he6a9965468186353 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:585:17 (libxul.so+0x7fa9561)
    #21 _$LT$rayon_core..job..HeapJob$LT$BODY$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h0b56642f7c0a45d9 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:167:9 (libxul.so+0x7fa9561)
    #22 rayon_core::job::JobRef::execute::ha00d7b41915f03ba /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:59:9 (libxul.so+0x8490ee2)
    #23 _$LT$rayon_core..job..JobFifo$u20$as$u20$rayon_core..job..Job$GT$::execute::hf53ee5392bdd888d /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:211:50 (libxul.so+0x8490ee2)
    #24 rayon_core::job::JobRef::execute::ha00d7b41915f03ba /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:59:9 (libxul.so+0xaadf85)
    #25 rayon_core::registry::WorkerThread::execute::h8c4331d7525412a4 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:749:9 (libxul.so+0xaadf85)
    #26 rayon_core::registry::WorkerThread::wait_until_cold::h8ae159f27c00d846 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:726:17 (libxul.so+0xaadf85)
    #27 rayon_core::registry::WorkerThread::wait_until::h4f2932e4eec36717 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:700:13 (libxul.so+0x8493f92)
    #28 rayon_core::registry::main_loop::h0e37a2d4fe2032df /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:833:5 (libxul.so+0x8493f92)
    #29 rayon_core::registry::ThreadBuilder::run::h6e628b264653257a /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:55:18 (libxul.so+0x8493f92)
    #30 _$LT$rayon_core..registry..DefaultSpawn$u20$as$u20$rayon_core..registry..ThreadSpawn$GT$::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h513e75fe6b3391c0 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:100:20 (libxul.so+0x8493f92)
    #31 std::sys_common::backtrace::__rust_begin_short_backtrace::h5b42f8bbb8fe5c10 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:123:18 (libxul.so+0x8493f92)
    #32 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hd3efae066518b3c0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:477:17 (libxul.so+0x849329a)
    #33 _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::ha9734dfcf115a1c3 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9 (libxul.so+0x849329a)
    #34 std::panicking::try::do_call::h088f763b944c364d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40 (libxul.so+0x849329a)
    #35 std::panicking::try::h3ce8a139501ab2b5 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19 (libxul.so+0x849329a)
    #36 std::panic::catch_unwind::h4ea047cc4ce4e994 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:133:14 (libxul.so+0x849329a)
    #37 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::hc2727fcc81bb73c9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:476:30 (libxul.so+0x849329a)
    #38 core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h22e0b9858f3cb25e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5 (libxul.so+0x849329a)
    #39 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hd3efae066518b3c0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:477:17 (libxul.so+0x849329a)
    #40 _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::ha9734dfcf115a1c3 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9 (libxul.so+0x849329a)
    #41 std::panicking::try::do_call::h088f763b944c364d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40 (libxul.so+0x849329a)
    #42 std::panicking::try::h3ce8a139501ab2b5 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19 (libxul.so+0x849329a)
    #43 std::panic::catch_unwind::h4ea047cc4ce4e994 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:133:14 (libxul.so+0x849329a)
    #44 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::hc2727fcc81bb73c9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:476:30 (libxul.so+0x849329a)
    #45 core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h22e0b9858f3cb25e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5 (libxul.so+0x849329a)
    #46 _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h6101b21655d0709f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1854:9 (libxul.so+0x859cd66)
    #47 _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h314b9b19f4338a45 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1854:9 (libxul.so+0x859cd66)
    #48 std::sys::unix::thread::Thread::new::thread_start::h31f5f540df5473d8 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys/unix/thread.rs:108:17 (libxul.so+0x859cd66)

  Previous read of size 4 at 0x7b6c0000b618 by thread T15:
    #0 style::gecko::wrapper::GeckoNode::flags::h4ccef17399009190 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:275:9 (libxul.so+0x7fd4232)
    #1 style::gecko::wrapper::GeckoElement::flags::hdef176f51d25aeb9 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:653:9 (libxul.so+0x7fd4232)
    #2 style::gecko::wrapper::GeckoElement::is_root_of_native_anonymous_subtree::hd1b943b383b5f0b7 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:805:16 (libxul.so+0x7fd4232)
    #3 _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$selectors..tree..Element$GT$::ignores_nth_child_selectors::ha80627117a236f22 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:2283:9 (libxul.so+0x7fd4232)
    #4 selectors::matching::matches_generic_nth_child::h3d3f3e13670ddd13 /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:887:8 (libxul.so+0x7fd4232)
    #5 selectors::matching::matches_simple_selector::h31078e5982a516b9 /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:839:13 (libxul.so+0x7fd4232)
    #6 selectors::matching::matches_compound_selector::_$u7b$$u7b$closure$u7d$$u7d$::hac3607d579d3293e /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:644:23 (libxul.so+0x7fd3356)
    #7 core::iter::traits::iterator::Iterator::all::check::_$u7b$$u7b$closure$u7d$$u7d$::h444da473ecf06355 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:2346:20 (libxul.so+0x7fd3356)
    #8 core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnMut$LT$A$GT$$u20$for$u20$$RF$mut$u20$F$GT$::call_mut::h055a8fc2c9e689c2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:269:13 (libxul.so+0x7fd3356)
    #9 core::iter::traits::iterator::Iterator::try_fold::h25172faa366da34f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:1995:21 (libxul.so+0x7fd3356)
    #10 _$LT$core..iter..adapters..chain..Chain$LT$A$C$B$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h300b41a723a07a03 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/chain.rs:104:19 (libxul.so+0x7fd3356)
    #11 core::iter::traits::iterator::Iterator::all::h45977cadf7490dd9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:2349:9 (libxul.so+0x7fd3356)
    #12 selectors::matching::matches_compound_selector::h19f6008c9c5db0c3 /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:642:5 (libxul.so+0x7fd3356)
    #13 selectors::matching::matches_complex_selector_internal::h615aa9e1162c23d1 /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:475:37 (libxul.so+0x7fd3356)
    #14 selectors::matching::matches_complex_selector_internal::_$u7b$$u7b$closure$u7d$$u7d$::h28c915dd066428ee /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:529:13 (libxul.so+0x7fd3834)
    #15 selectors::context::MatchingContext$LT$Impl$GT$::with_visited_handling_mode::he72c7db8fbf4113d /builds/worker/checkouts/gecko/servo/components/selectors/context.rs:265:22 (libxul.so+0x7fd3834)
    #16 selectors::matching::matches_complex_selector_internal::h615aa9e1162c23d1 /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:528:22 (libxul.so+0x7fd3834)
    #17 selectors::matching::matches_complex_selector::h26059c8afb4ad5af /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:335:9 (libxul.so+0x7fb1a34)
    #18 selectors::matching::matches_selector::h8f3f3ae8b23cd063 /builds/worker/checkouts/gecko/servo/components/selectors/matching.rs:206:5 (libxul.so+0x7fb1a34)
    #19 style::stylist::Stylist::match_revalidation_selectors::_$u7b$$u7b$closure$u7d$$u7d$::hee6ce8c7cb697285 /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:1455:34 (libxul.so+0x7fb1a34)
    #20 style::selector_map::SelectorMap$LT$T$GT$::lookup::hcf3f26e61c6b921a /builds/worker/checkouts/gecko/servo/components/style/selector_map.rs:518:17 (libxul.so+0x7f9b240)
    #21 style::stylist::Stylist::match_revalidation_selectors::h539bde2c89086903 /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:1451:13 (libxul.so+0x7f9b240)
    #22 style::sharing::ValidationData::revalidation_match_results::_$u7b$$u7b$closure$u7d$$u7d$::h5bc79428af4caa8c /builds/worker/checkouts/gecko/servo/components/style/sharing/mod.rs:256:13 (libxul.so+0x7f9b240)
    #23 core::option::Option$LT$T$GT$::get_or_insert_with::hf6885bfa72aacf6d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:1487:49 (libxul.so+0x7f9b240)
    #24 style::sharing::ValidationData::revalidation_match_results::h9e34c33deada29ca /builds/worker/checkouts/gecko/servo/components/style/sharing/mod.rs:239:9 (libxul.so+0x7f9b240)
    #25 style::sharing::StyleSharingTarget$LT$E$GT$::revalidation_match_results::hd120e5beb23a49a0 /builds/worker/checkouts/gecko/servo/components/style/sharing/mod.rs:409:9 (libxul.so+0x7f9b240)
    #26 style::sharing::checks::revalidate::h8267b23373f7677e /builds/worker/checkouts/gecko/servo/components/style/sharing/checks.rs:131:9 (libxul.so+0x7f9b240)
    #27 style::sharing::StyleSharingCache$LT$E$GT$::test_candidate::hf5bac974a766a60d /builds/worker/checkouts/gecko/servo/components/style/sharing/mod.rs:814:13 (libxul.so+0x7f9b240)
    #28 style::sharing::StyleSharingCache$LT$E$GT$::share_style_if_possible::_$u7b$$u7b$closure$u7d$$u7d$::h2e4183c92abcd136 /builds/worker/checkouts/gecko/servo/components/style/sharing/mod.rs:697:13 (libxul.so+0x7f9b240)
    #29 uluru::LRUCache$LT$A$GT$::lookup::h3d4edaa650df9d51 /builds/worker/checkouts/gecko/third_party/rust/uluru/lib.rs:141:30 (libxul.so+0x7f9b240)
    #30 style::sharing::StyleSharingCache$LT$E$GT$::share_style_if_possible::h0f54f496fd45dc80 /builds/worker/checkouts/gecko/servo/components/style/sharing/mod.rs:696:9 (libxul.so+0x7f9b240)
    #31 style::sharing::StyleSharingTarget$LT$E$GT$::share_style_if_possible::hff1f013533f155c6 /builds/worker/checkouts/gecko/servo/components/style/sharing/mod.rs:444:9 (libxul.so+0x7f9b240)
    #32 style::traversal::compute_style::hc6cbd20c1fc6955b /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:586:19 (libxul.so+0x7f9b240)
    #33 style::traversal::recalc_style_at::h825868bd8f2fc4a8 /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:420:37 (libxul.so+0x7fa9ab7)
    #34 _$LT$style..gecko..traversal..RecalcStyleOnly$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$GT$$GT$::process_preorder::h51801bb01cb7fb03 /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37:13 (libxul.so+0x7fa9ab7)
    #35 style::parallel::top_down_dom::h3d12f5fd6fdb9f63 /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:197:13 (libxul.so+0x7fa9561)
    #36 style::parallel::traverse_nodes::_$u7b$$u7b$closure$u7d$$u7d$::h25ccac476fbf0260 /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:282:17 (libxul.so+0x7fa9561)
    #37 rayon_core::scope::ScopeFifo::spawn_fifo::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h724c9324c074379c /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:585:47 (libxul.so+0x7fa9561)
    #38 _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb92fb87058eeb32f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9 (libxul.so+0x7fa9561)
    #39 std::panicking::try::do_call::hd79f2cd18775379f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40 (libxul.so+0x7fa9561)
    #40 std::panicking::try::h835bb2e86967a2c3 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19 (libxul.so+0x7fa9561)
    #41 std::panic::catch_unwind::h43a1743956601189 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:133:14 (libxul.so+0x7fa9561)
    #42 rayon_core::unwind::halt_unwinding::h5129718133a90d9f /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5 (libxul.so+0x7fa9561)
    #43 rayon_core::scope::ScopeBase::execute_job_closure::hbb790bb983272014 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:650:15 (libxul.so+0x7fa9561)
    #44 rayon_core::scope::ScopeBase::execute_job::hcc0a316691188b80 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:640:29 (libxul.so+0x7fa9561)
    #45 rayon_core::scope::ScopeFifo::spawn_fifo::_$u7b$$u7b$closure$u7d$$u7d$::he6a9965468186353 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:585:17 (libxul.so+0x7fa9561)
    #46 _$LT$rayon_core..job..HeapJob$LT$BODY$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h0b56642f7c0a45d9 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:167:9 (libxul.so+0x7fa9561)
    #47 rayon_core::job::JobRef::execute::ha00d7b41915f03ba /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:59:9 (libxul.so+0x8490ee2)
    #48 _$LT$rayon_core..job..JobFifo$u20$as$u20$rayon_core..job..Job$GT$::execute::hf53ee5392bdd888d /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:211:50 (libxul.so+0x8490ee2)
    #49 rayon_core::job::JobRef::execute::ha00d7b41915f03ba /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:59:9 (libxul.so+0xaadf85)
    #50 rayon_core::registry::WorkerThread::execute::h8c4331d7525412a4 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:749:9 (libxul.so+0xaadf85)
    #51 rayon_core::registry::WorkerThread::wait_until_cold::h8ae159f27c00d846 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:726:17 (libxul.so+0xaadf85)
    #52 rayon_core::registry::WorkerThread::wait_until::h4f2932e4eec36717 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:700:13 (libxul.so+0x7fa0ba0)
    #53 rayon_core::scope::ScopeLatch::wait::h1daae6e910e061a0 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:730:17 (libxul.so+0x7fa0ba0)
    #54 rayon_core::scope::ScopeBase::complete::h9a360ce75c28b812 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:629:9 (libxul.so+0x7fa0ba0)
    #55 rayon_core::scope::scope_fifo::_$u7b$$u7b$closure$u7d$$u7d$::h6a03f3ba8ae46c47 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:401:9 (libxul.so+0x7fa0ba0)
    #56 rayon_core::registry::in_worker::h529c335fa954e422 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:875:13 (libxul.so+0x7fad99d)
    #57 rayon_core::scope::scope_fifo::h3abb89f7fef75831 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:399:5 (libxul.so+0x7fad99d)
    #58 rayon_core::thread_pool::ThreadPool::scope_fifo::_$u7b$$u7b$closure$u7d$$u7d$::h999bd4e616499d92 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/thread_pool/mod.rs:222:25 (libxul.so+0x7fad99d)
    #59 rayon_core::thread_pool::ThreadPool::install::_$u7b$$u7b$closure$u7d$$u7d$::hdbd54c2460dc3a15 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/thread_pool/mod.rs:111:40 (libxul.so+0x7fad99d)
    #60 rayon_core::registry::Registry::in_worker_cold::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h3154a361c5cfdb78 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:465:21 (libxul.so+0x7fad99d)
    #61 _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::call::_$u7b$$u7b$closure$u7d$$u7d$::hbb723f6923e1eabb /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:113:21 (libxul.so+0x7fad99d)
    #62 _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::ha42a1e929788e3e4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9 (libxul.so+0x7fad99d)
    #63 std::panicking::try::do_call::h1c0052579ba59a32 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40 (libxul.so+0x7fad99d)
    #64 std::panicking::try::hf49e8cf21ceb465c /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19 (libxul.so+0x7fad99d)
    #65 std::panic::catch_unwind::h2911207866cc97ed /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:133:14 (libxul.so+0x7fad99d)
    #66 rayon_core::unwind::halt_unwinding::h6e1302345f44a65d /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5 (libxul.so+0x7fad99d)
    #67 _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::hc9dec13237015d84 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:119:38 (libxul.so+0x7fad99d)
    #68 rayon_core::registry::in_worker::h529c335fa954e422 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:875:13 (libxul.so+0x7fad99d)
    #69 rayon_core::scope::scope_fifo::h3abb89f7fef75831 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:399:5 (libxul.so+0x7fad99d)
    #70 rayon_core::thread_pool::ThreadPool::scope_fifo::_$u7b$$u7b$closure$u7d$$u7d$::h999bd4e616499d92 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/thread_pool/mod.rs:222:25 (libxul.so+0x7fad99d)
    #71 rayon_core::thread_pool::ThreadPool::install::_$u7b$$u7b$closure$u7d$$u7d$::hdbd54c2460dc3a15 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/thread_pool/mod.rs:111:40 (libxul.so+0x7fad99d)
    #72 rayon_core::registry::Registry::in_worker_cold::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h3154a361c5cfdb78 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:465:21 (libxul.so+0x7fad99d)
    #73 _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::call::_$u7b$$u7b$closure$u7d$$u7d$::hbb723f6923e1eabb /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:113:21 (libxul.so+0x7fad99d)
    #74 _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::ha42a1e929788e3e4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9 (libxul.so+0x7fad99d)
    #75 std::panicking::try::do_call::h1c0052579ba59a32 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40 (libxul.so+0x7fad99d)
    #76 std::panicking::try::hf49e8cf21ceb465c /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19 (libxul.so+0x7fad99d)
    #77 std::panic::catch_unwind::h2911207866cc97ed /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:133:14 (libxul.so+0x7fad99d)
    #78 rayon_core::unwind::halt_unwinding::h6e1302345f44a65d /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17:5 (libxul.so+0x7fad99d)
    #79 _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::hc9dec13237015d84 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:119:38 (libxul.so+0x7fad99d)
    #80 rayon_core::job::JobRef::execute::ha00d7b41915f03ba /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:59:9 (libxul.so+0xaadf85)
    #81 rayon_core::registry::WorkerThread::execute::h8c4331d7525412a4 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:749:9 (libxul.so+0xaadf85)
    #82 rayon_core::registry::WorkerThread::wait_until_cold::h8ae159f27c00d846 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:726:17 (libxul.so+0xaadf85)
    #83 rayon_core::registry::WorkerThread::wait_until::h4f2932e4eec36717 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:700:13 (libxul.so+0x8493f92)
    #84 rayon_core::registry::main_loop::h0e37a2d4fe2032df /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:833:5 (libxul.so+0x8493f92)
    #85 rayon_core::registry::ThreadBuilder::run::h6e628b264653257a /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:55:18 (libxul.so+0x8493f92)
    #86 _$LT$rayon_core..registry..DefaultSpawn$u20$as$u20$rayon_core..registry..ThreadSpawn$GT$::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h513e75fe6b3391c0 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:100:20 (libxul.so+0x8493f92)
    #87 std::sys_common::backtrace::__rust_begin_short_backtrace::h5b42f8bbb8fe5c10 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:123:18 (libxul.so+0x8493f92)
    #88 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hd3efae066518b3c0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:477:17 (libxul.so+0x849329a)
    #89 _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::ha9734dfcf115a1c3 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9 (libxul.so+0x849329a)
    #90 std::panicking::try::do_call::h088f763b944c364d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40 (libxul.so+0x849329a)
    #91 std::panicking::try::h3ce8a139501ab2b5 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19 (libxul.so+0x849329a)
    #92 std::panic::catch_unwind::h4ea047cc4ce4e994 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:133:14 (libxul.so+0x849329a)
    #93 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::hc2727fcc81bb73c9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:476:30 (libxul.so+0x849329a)
    #94 core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h22e0b9858f3cb25e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5 (libxul.so+0x849329a)
    #95 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hd3efae066518b3c0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:477:17 (libxul.so+0x849329a)
    #96 _$LT$core..panic..unwind_safe..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::ha9734dfcf115a1c3 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/panic/unwind_safe.rs:271:9 (libxul.so+0x849329a)
    #97 std::panicking::try::do_call::h088f763b944c364d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40 (libxul.so+0x849329a)
    #98 std::panicking::try::h3ce8a139501ab2b5 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19 (libxul.so+0x849329a)
    #99 std::panic::catch_unwind::h4ea047cc4ce4e994 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:133:14 (libxul.so+0x849329a)
    #100 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::hc2727fcc81bb73c9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:476:30 (libxul.so+0x849329a)
    #101 core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h22e0b9858f3cb25e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5 (libxul.so+0x849329a)
    #102 _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h6101b21655d0709f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1854:9 (libxul.so+0x859cd66)
    #103 _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h314b9b19f4338a45 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1854:9 (libxul.so+0x859cd66)
    #104 std::sys::unix::thread::Thread::new::thread_start::h31f5f540df5473d8 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys/unix/thread.rs:108:17 (libxul.so+0x859cd66)
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220304214025-967ae1edad41.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: de11c0fbd90155ddd1fc8450b45ed99a55c3c2cf (20210306093316)
End: b01b8627f45f723d46ecf570983dba9ae30f2894 (20220304094153)
BuildFlags: BuildFlags(asan=False, tsan=True, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:bisected,confirmed]

Calling it sec-high to start because getting the WrapperCache flags wrong could lead to UAFs, but maybe further analysis will let us downgrade this to sec-moderate or so.

Flags: needinfo?(emilio)
Keywords: sec-high

Yeah, I don't think this is security sensitive. The bits we're reading (NODE_IS_NATIVE_ANONYMOUS_ROOT) are never written by the style system, while the bits we're writing (ELEMENT_HAS_DIRTY_DESCENDANTS_FOR_SERVO) are being cleared.

So depending on how the compiler actually implements it it might be a harmless race. But still we should fix...

Yeah, but you could end up with some kind of weird mangled value for the node flags because the code isn't actually just writing a single bit. My concern was mostly around the wrapper cache part of the node flags getting messed up, as those are involved in determining the lifetime of objects.

Severity: -- → S2

The flags stylo cares about reading and writing potentially at the same
time are disjoint, so there's no need for any strong memory ordering.

Assignee: nobody → emilio
Status: NEW → ASSIGNED

Pretty sure this is not an S2. We shouldn't end up with those flags unset in any case. But taking anyways.

Severity: S2 → S3
Flags: needinfo?(emilio)

I'll make this a sec-moderate because Emilio thinks it isn't a severe issue.

Keywords: sec-highsec-moderate
Attachment #9269030 - Attachment description: Bug 1758223 - Use atomic ops to read / write node flags from stylo. r=mccr8! → Bug 1758223 - Use atomic ops to read / write node flags from stylo. r=nika!
Blocks: 1680285

Landed:
https://hg.mozilla.org/integration/autoland/rev/8a3be63619deb612fc315f75d786cb02b57c1445

Backed out for causing bustages:
https://hg.mozilla.org/integration/autoland/rev/8eb82743e2e4e81e7225bc2f3522f7fcbe5a12eb

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry&revision=8a3be63619deb612fc315f75d786cb02b57c1445
Build log: https://treeherder.mozilla.org/logviewer?job_id=372144732&repo=autoland

[task 2022-03-24T04:34:18.062Z] 04:34:18    ERROR -  error[E0432]: unresolved imports `crate::gecko_bindings::bindings::Gecko_SetNodeFlags`, `crate::gecko_bindings::bindings::Gecko_UnsetNodeFlags`
[task 2022-03-24T04:34:18.063Z] 04:34:18     INFO -    --> servo/components/style/gecko/wrapper.rs:44:39
[task 2022-03-24T04:34:18.063Z] 04:34:18     INFO -     |
[task 2022-03-24T04:34:18.063Z] 04:34:18     INFO -  44 | use crate::gecko_bindings::bindings::{Gecko_SetNodeFlags, Gecko_UnsetNodeFlags};
[task 2022-03-24T04:34:18.063Z] 04:34:18     INFO -     |                                       ^^^^^^^^^^^^^^^^^^  ^^^^^^^^^^^^^^^^^^^^ no `Gecko_UnsetNodeFlags` in `gecko_bindings::structs`
[task 2022-03-24T04:34:18.063Z] 04:34:18     INFO -     |                                       |
[task 2022-03-24T04:34:18.063Z] 04:34:18     INFO -     |                                       no `Gecko_SetNodeFlags` in `gecko_bindings::structs`
Flags: needinfo?(emilio)

Err, I split the patch wrong and removing that line was in bug 1680285.

Flags: needinfo?(emilio)

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220324215420-5b0962239a45.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Per discussion with Emilio, we're going to let this ride.

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][adv-main100+r]

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)
Group: core-security-release

HasFlag tends to show up in the profiles.
Could stylo be changed so that it doesn't modify the flags off the main thread?
Or could there be a variant of HasFlags for stylo which does atomic stuff, but DOM wouldn't need to use that?
(I've been wondering for awhile why HasFlag would ever show up in any profile, and finally ended up checking what it does these days. It was surprising to see it being something else than a simple &)

Or perhaps foo->HasFlag() is slow because of accessing foo at all?

Flags: needinfo?(emilio)

Can you check the generated code? A relaxed atomic load in x86 should generate exactly the same code as a non-atomic load, I suspect the hit is in the cache miss from accessing the memory to begin with.

Flags: needinfo?(emilio)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: