Closed Bug 1821838 Opened 1 year ago Closed 1 year ago

Intermittent SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/gfx/layers/apz/src/AsyncPanZoomController.cpp:6138:10 in mozilla::layers::AsyncPanZoomController::SetStateNoContentControllerDispatch(mozilla::layers::AsyncPanZoomController::

Categories

(Core :: Panning and Zooming, defect)

Tracking

()

RESOLVED FIXED
113 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox111 --- wontfix
firefox112 + fixed
firefox113 + fixed

People

(Reporter: intermittent-bug-filer, Assigned: botond)

Details

(Keywords: csectype-race, intermittent-failure, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main112+r])

Attachments

(1 file)

Filed by: nfay [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=408614081&repo=mozilla-central
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Gc6UjWxgSeWNrqf34rjZaw/runs/0/artifacts/public/logs/live_backing.log


[task 2023-03-11T10:54:33.760Z] 10:54:33     INFO - TEST-START | widget/tests/browser/browser_test_swipe_gesture.js
[task 2023-03-11T10:54:35.079Z] 10:54:35     INFO - GECKO(8425) | Waiting for browser to start load of about:about
[task 2023-03-11T10:54:35.080Z] 10:54:35     INFO - GECKO(8425) | Waiting for browser state change of about:about
[task 2023-03-11T10:54:35.081Z] 10:54:35     INFO - GECKO(8425) | Waiting for browser load of about:about
[task 2023-03-11T10:54:35.081Z] 10:54:35     INFO - GECKO(8425) | Waiting for browser state change of about:about
[task 2023-03-11T10:54:35.191Z] 10:54:35     INFO - GECKO(8425) | Saw state f0001 and status 0
<...>
[task 2023-03-11T10:55:03.400Z] 10:55:03     INFO - GECKO(8425) |   Thread T61 'WRScene~ilder#1' (tid=8526, running) created by thread T28 at:
[task 2023-03-11T10:55:03.401Z] 10:55:03     INFO - GECKO(8425) |     #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1022:3 (firefox-bin+0xb3dcd) (BuildId: 2bb2c284138be54ef232131f60e184372c65836d)
[task 2023-03-11T10:55:03.401Z] 10:55:03     INFO - GECKO(8425) |     #1 std::sys::unix::thread::Thread::new::ha0fa5359583a8b4a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys/unix/thread.rs:87:19 (libxul.so+0xdcd020a) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.402Z] 10:55:03     INFO - GECKO(8425) |     #2 std::thread::Builder::spawn_unchecked_::hbd0cc7afbb87765c /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:584:17 (libxul.so+0xe289812) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.402Z] 10:55:03     INFO - GECKO(8425) |     #3 std::thread::Builder::spawn_unchecked::hb088c8c3e4cfb77d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:478:32 (libxul.so+0xe289812)
[task 2023-03-11T10:55:03.403Z] 10:55:03     INFO - GECKO(8425) |     #4 std::thread::Builder::spawn::hd5a7b842074e6d24 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:410:18 (libxul.so+0xe289812)
[task 2023-03-11T10:55:03.403Z] 10:55:03     INFO - GECKO(8425) |     #5 webrender::renderer::init::create_webrender_instance::h658f4b7b760a2ae8 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/init.rs:587:5 (libxul.so+0xe289812)
[task 2023-03-11T10:55:03.404Z] 10:55:03     INFO - GECKO(8425) |     #6 wr_window_new /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1697:36 (libxul.so+0xe5a927d) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.404Z] 10:55:03     INFO - GECKO(8425) |     #7 mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:133:10 (libxul.so+0x5afee97) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.405Z] 10:55:03     INFO - GECKO(8425) |     #8 mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent>>) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:525:11 (libxul.so+0x5ae49f0) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.405Z] 10:55:03     INFO - GECKO(8425) |     #9 applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:12 (libxul.so+0x5af00d1) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.406Z] 10:55:03     INFO - GECKO(8425) |     #10 apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1169:12 (libxul.so+0x5af00d1)
[task 2023-03-11T10:55:03.407Z] 10:55:03     INFO - GECKO(8425) |     #11 mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent>>), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent>>&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1216:13 (libxul.so+0x5af00d1)
[task 2023-03-11T10:55:03.407Z] 10:55:03     INFO - GECKO(8425) |     #12 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16 (libxul.so+0x42be878) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.408Z] 10:55:03     INFO - GECKO(8425) |     #13 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10 (libxul.so+0x42c5126) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.408Z] 10:55:03     INFO - GECKO(8425) |     #14 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5 (libxul.so+0x4ff55e8) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.408Z] 10:55:03     INFO - GECKO(8425) |     #15 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4f0abe7) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.409Z] 10:55:03     INFO - GECKO(8425) |     #16 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4f0abe7)
[task 2023-03-11T10:55:03.409Z] 10:55:03     INFO - GECKO(8425) |     #17 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4f0abe7)
[task 2023-03-11T10:55:03.411Z] 10:55:03     INFO - GECKO(8425) |     #18 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10 (libxul.so+0x42b9a22) (BuildId: 14354c016647f0a892cc5095caa5665d03a967d6)
[task 2023-03-11T10:55:03.412Z] 10:55:03     INFO - GECKO(8425) |     #19 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x523e3) (BuildId: 5c537dd2ac5de7e632d18db4e8d6d8b0fd80e34e)
[task 2023-03-11T10:55:03.412Z] 10:55:03     INFO - GECKO(8425) | SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/gfx/layers/apz/src/AsyncPanZoomController.cpp:6138:10 in mozilla::layers::AsyncPanZoomController::SetStateNoContentControllerDispatch(mozilla::layers::AsyncPanZoomController::PanZoomState)
[task 2023-03-11T10:55:03.412Z] 10:55:03     INFO - GECKO(8425) | ==================
[task 2023-03-11T10:55:03.412Z] 10:55:03     INFO - GECKO(8425) | Exiting due to channel error.
[task 2023-03-11T10:55:03.412Z] 10:55:03     INFO - GECKO(8425) | Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: CompositorBridgeChild receives IPC close with reason=AbnormalShutdown (t=42.7293) Exiting due to channel error.
[task 2023-03-11T10:55:03.412Z] 10:55:03     INFO - GECKO(8425) | Exiting due to channel error.
[task 2023-03-11T10:55:03.412Z] 10:55:03     INFO - GECKO(8425) | Exiting due to channel error.
[task 2023-03-11T10:55:03.412Z] 10:55:03     INFO - GECKO(8425) | Exiting due to channel error.
[task 2023-03-11T10:55:03.412Z] 10:55:03     INFO - GECKO(8425) | Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: CompositorBridgeChild receives IPC close with reason=AbnormalShutdown (t=44.8896) Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: CompositorBridgeChild receives IPC close with reason=AbnormalShutdown (t=5.94467) Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: CompositorBridgeChild receives IPC close with reason=AbnormalShutdown (t=5.45544) Exiting due to channel error.
[task 2023-03-11T10:55:03.413Z] 10:55:03     INFO - GECKO(8425) | Exiting due to channel error.
[task 2023-03-11T10:55:03.413Z] 10:55:03     INFO - GECKO(8425) | Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: CompositorBridgeChild receives IPC close with reason=AbnormalShutdown (t=51.6948) Exiting due to channel error.
[task 2023-03-11T10:55:04.325Z] 10:55:04     INFO - GECKO(8425) | Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: CompositorBridgeChild receives IPC close with reason=AbnormalShutdown (t=7.74918) Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: CompositorBridgeChild receives IPC close with reason=AbnormalShutdown (t=52.4929)
[task 2023-03-11T10:55:04.326Z] 10:55:04     INFO - TEST-INFO | Main app process: killed by SIGIOT
[task 2023-03-11T10:55:04.326Z] 10:55:04     INFO - Buffered messages logged at 10:54:33
[task 2023-03-11T10:55:04.332Z] 10:55:04     INFO - Entering test bound 
[task 2023-03-11T10:55:04.332Z] 10:55:04     INFO - Buffered messages logged at 10:54:34
[task 2023-03-11T10:55:04.332Z] 10:55:04     INFO - TEST-PASS | widget/tests/browser/browser_test_swipe_gesture.js | undefined assertion name - 
Group: core-security → gfx-core-security
Keywords: csectype-race

The snippet quoted in comment 0 is not very informative, but the complete ThreadSanitizer diagnostic in the logs (which seems to be too long for me to paste into a Bugzilla comment) contains additional info.

The diagnostic is saying that the write of AsyncPanZoomController::mState in SetStateNoContentControllerDispatch(), which is mutex-protected, is racing with the read in OnPanEnd(), which is not mutex-protected.

Assignee: nobody → botond
Status: NEW → ASSIGNED
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch
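
Added example, not part of the bug report or the Gecko patch: a minimal C++ model of the locking contract described in the comment above, where every access to the state goes through one accessor that checks whether the mutex is held, so a reader that skips the lock is flagged deterministically instead of only when a sanitizer run happens to hit the interleaving. The class, method and enum names are hypothetical; only mState and the use of a recursive mutex come from the report.

```cpp
// Added illustration: a simplified model, not Gecko code.
#include <atomic>
#include <mutex>
#include <thread>

// Recursive mutex that remembers its owner, so accessors can check the lock.
class OwnedRecursiveMutex {
 public:
  void lock() { mMutex.lock(); mOwner = std::this_thread::get_id(); ++mDepth; }
  void unlock() {
    if (--mDepth == 0) mOwner = std::thread::id();  // outermost unlock
    mMutex.unlock();
  }
  bool HeldByCurrentThread() const {
    return mOwner.load() == std::this_thread::get_id();
  }
 private:
  std::recursive_mutex mMutex;
  std::atomic<std::thread::id> mOwner{std::thread::id()};
  int mDepth = 0;  // only touched while mMutex is held
};

// Placeholder state values for the model (assumption, not Gecko's enum).
enum class PanZoomState { NOTHING, PANNING, OVERSCROLLED };

class Controller {
 public:
  // Writer: takes the mutex, like the write described in the report.
  void SetState(PanZoomState aState) {
    std::lock_guard<OwnedRecursiveMutex> lock(mMutex);
    State() = aState;
  }
  // Pre-fix shape of the reader: touches mState without the mutex.
  bool OnPanEndUnlocked() { return State() == PanZoomState::PANNING; }
  // Post-fix shape: the same read, under the mutex the writer uses.
  bool OnPanEndLocked() {
    std::lock_guard<OwnedRecursiveMutex> lock(mMutex);
    return State() == PanZoomState::PANNING;
  }
  int Violations() const { return mViolations.load(); }
 private:
  // Single access point for mState; counts accesses made without the lock.
  PanZoomState& State() {
    if (!mMutex.HeldByCurrentThread()) ++mViolations;
    return mState;
  }
  OwnedRecursiveMutex mMutex;
  std::atomic<int> mViolations{0};
  PanZoomState mState = PanZoomState::NOTHING;
};
```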

The patch landed in nightly and beta is affected.
:botond, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(botond)

Comment on attachment 9322818 [details]
Bug 1821838 - Protect access to mState in AsyncPanZoomController::OnPanEnd() with mRecursiveMutex. r=hiro

Beta/Release Uplift Approval Request

  • User impact if declined: A data race could lead to an incorrect value of mState being read in OnPanEnd, potentially leading to minor misbehaviour like getting stuck in an overscrolled state.
  • Is this code covered by automated tests?: Unknown
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low-risk fix for a data race caught by TSan by adding a new usage of an existing mutex
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(botond)
Attachment #9322818 - Flags: approval-mozilla-beta?

Comment on attachment 9322818 [details]
Bug 1821838 - Protect access to mState in AsyncPanZoomController::OnPanEnd() with mRecursiveMutex. r=hiro

Approved for 112.0b3

Attachment #9322818 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main112+r]
Group: core-security-release