Hit MOZ_CRASH(CanvasChild not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43
Categories
(Core :: Graphics: Canvas2D, defect, P3)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox121 | --- | unaffected
firefox122 | --- | fixed
firefox123 | --- | fixed
People
(Reporter: tsmith, Assigned: aosmond)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords)
Attachments
(3 files)
Found while fuzzing m-c 20231213-f823ab1d9a00 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Hit MOZ_CRASH(CanvasChild not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43
#0 0x7fd8a5f7391a in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7fd8a5f7391a in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43:5
#2 0x7fd8a750e1e6 in AssertOwnership<28> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:59:5
#3 0x7fd8a750e1e6 in mozilla::layers::CanvasChild::Release() /builds/worker/workspace/obj-build/dist/include/mozilla/layers/CanvasChild.h:27:3
#4 0x7fd8a754ab86 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#5 0x7fd8a754ab86 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
#6 0x7fd8a754ab86 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:80:7
#7 0x7fd8a754ab86 in ~DataShmemHolder /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasChild.cpp:424:10
#8 0x7fd8a754ab86 in operator() /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasChild.cpp:440:13
#9 0x7fd8a754ab86 in mozilla::layers::CanvasChild::GetDataSurface(long, mozilla::gfx::SourceSurface const*, bool)::$_0::__invoke(void*) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasChild.cpp:436:11
#10 0x7fd8a726eb61 in ~SourceSurfaceRawData /builds/worker/checkouts/gecko/gfx/2d/SourceSurfaceRawData.h:63:7
#11 0x7fd8a726eb61 in mozilla::gfx::SourceSurfaceRawData::~SourceSurfaceRawData() /builds/worker/checkouts/gecko/gfx/2d/SourceSurfaceRawData.h:61:35
#12 0x7fd8a71d6c48 in mozilla::SupportsThreadSafeWeakPtr<mozilla::gfx::SourceSurface>::Release() const /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadSafeWeakPtr.h:179:7
#13 0x7fd8a7e4d3a3 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#14 0x7fd8a7e4d3a3 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
#15 0x7fd8a7e4d3a3 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:80:7
#16 0x7fd8a7e4d3a3 in ~ImageBitmapCloneData /builds/worker/workspace/obj-build/dist/include/mozilla/dom/ImageBitmap.h:63:8
#17 0x7fd8a7e4d3a3 in mozilla::dom::StructuredCloneHolder::CustomFreeTransferHandler(unsigned int, JS::TransferableOwnership, void*, unsigned long) /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:1631:5
#18 0x7fd8ad64ee14 in JSStructuredCloneData::discardTransferables() /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:1121:7
#19 0x7fd8ad66698f in JSAutoStructuredCloneBuffer::clear() /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:3979:9
#20 0x7fd8a7e62ae7 in ~JSAutoStructuredCloneBuffer /builds/worker/workspace/obj-build/dist/include/js/StructuredClone.h:679:36
#21 0x7fd8a7e62ae7 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
#22 0x7fd8a7e62ae7 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7
#23 0x7fd8a7e62ae7 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:271:5
#24 0x7fd8a7e62ae7 in Clear /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:261:11
#25 0x7fd8a7e62ae7 in mozilla::dom::StructuredCloneHolder::~StructuredCloneHolder() /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:353:3
#26 0x7fd8aafdccc1 in ~MessageEventRunnable /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.h:20:7
#27 0x7fd8aafdccc1 in mozilla::dom::MessageEventRunnable::~MessageEventRunnable() /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.h:20:7
#28 0x7fd8ab00d04b in mozilla::dom::WorkerRunnable::Release() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:192:1
#29 0x7fd8a606729a in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#30 0x7fd8a606729a in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:322:7
#31 0x7fd8a606729a in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:597:5
#32 0x7fd8a606729a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1210:13
#33 0x7fd8a606e1bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#34 0x7fd8aaffa46e in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3341:7
#35 0x7fd8aafddb41 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2106:42
#36 0x7fd8a60671e1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#37 0x7fd8a606e1bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#38 0x7fd8a6d43235 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#39 0x7fd8a6c5b6b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#40 0x7fd8a6c5b6b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#41 0x7fd8a60624b3 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#42 0x7fd8bac7ed0f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#43 0x7fd8ba694ac2 in start_thread nptl/pthread_create.c:442:8
#44 0x7fd8ba72665f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Comment 1•9 months ago
Unable to reproduce bug 1873790 using build mozilla-central 20231213004326-f823ab1d9a00. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 2•9 months ago
I don't quite understand the consequences of attempting to release a CanvasChild in a different thread than where it was initialized, but it doesn't sound good! Escalating to triage, since I'm not sure I can judge the severity yet.
Comment 3•9 months ago (Reporter)
A Pernosco session is available here: https://pernos.co/debug/NuV3iAMlZa0rDdVH1-lFFg/index.html
Added manually since bugmon failed to repro.
Comment 4•9 months ago (Assignee)
CanvasChild is not thread-safe and can only be interacted with on its
owning thread.
Comment 5•9 months ago (Assignee)
CanvasChild is not thread-safe and can only be interacted with on its
owning thread.
Original Revision: https://phabricator.services.mozilla.com/D198347
Comment 6•9 months ago
Uplift Approval Request
- Explanation of risk level: Trivial patch which moves the release to the main thread
- Is Android affected?: yes
- String changes made/needed: N/A
- Fix verified in Nightly: no
- Needs manual QE test: no
- Risk associated with taking this patch: Low
- User impact if declined: Easy to trigger threading crash
- Steps to reproduce for manual QE testing: N/A
- Code covered by automated testing: yes
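A standalone C++ model of the failure in the stack trace and of the fix described in the uplift request above (the release is moved to the owning thread). This is an added example, not Gecko code or the landed patch: OwnerQueue, OwnedObject, Holder and RunScenario are hypothetical names, and the model counts off-thread releases instead of crashing.

```cpp
// Added illustration, not Gecko code; every name here is hypothetical.
#include <atomic>
#include <functional>
#include <mutex>
#include <queue>
#include <thread>

// Stand-in for the owning thread's event queue.
struct OwnerQueue {
  std::mutex lock;
  std::queue<std::function<void()>> events;
  void Dispatch(std::function<void()> f) {
    std::lock_guard<std::mutex> g(lock);
    events.push(std::move(f));
  }
  void Drain() {  // runs on the owning thread
    std::queue<std::function<void()>> pending;
    { std::lock_guard<std::mutex> g(lock); pending.swap(events); }
    for (; !pending.empty(); pending.pop()) pending.front()();
  }
};
// Non-atomic refcount, only valid on the thread that created the object.
struct OwnedObject {
  std::thread::id owner = std::this_thread::get_id();
  int refs = 1;
  std::atomic<int>* offThread;  // releases a debug build would crash on
  explicit OwnedObject(std::atomic<int>* c) : offThread(c) {}
  void Release() {
    if (std::this_thread::get_id() != owner) ++*offThread;
    if (--refs == 0) delete this;
  }
};
// Holds the last reference and may be destroyed on any thread.
struct Holder {
  OwnedObject* obj; OwnerQueue* queue; bool proxy;
  ~Holder() {
    if (proxy) queue->Dispatch([o = obj] { o->Release(); });  // owning thread
    else obj->Release();                                      // current thread
  }
};
// Returns how many releases ran off the owning thread.
int RunScenario(bool proxy) {
  std::atomic<int> offThread{0};
  OwnerQueue queue;
  auto* holder = new Holder{new OwnedObject(&offThread), &queue, proxy};
  std::thread([holder] { delete holder; }).join();  // worker drops the holder
  queue.Drain();  // owning thread runs any proxied release
  return offThread.load();
}
```

RunScenario(false) reproduces the shape of the reported crash path (a holder destructor releasing the object on a worker thread); RunScenario(true) dispatches the release to the owner's queue instead.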
Comment 8•9 months ago
bugherder
Comment 9•9 months ago
:aosmond the beta patch failed to land due to conflicts.
Could you please create a revision rebased on top of beta?
Comment 11•9 months ago
Uplift Approval Request
- Fix verified in Nightly: no
- String changes made/needed: N/A
- Needs manual QE test: no
- Risk associated with taking this patch: Low
- Explanation of risk level: Trivial patch which moves the release to the main thread
- Steps to reproduce for manual QE testing: N/A
- Code covered by automated testing: yes
- User impact if declined: Easy to trigger threading crash
- Is Android affected?: yes
Comment 12•9 months ago
uplift
Comment 13•9 months ago
(In reply to Andrew Osmond [:aosmond] (he/him) from comment #10)
> I updated the phab revision.

Thanks for the quick turnaround!
Comment 14•9 months ago (Assignee)
(In reply to Donal Meehan [:dmeehan] from comment #13)
> Thanks for the quick turnaround!

No problem, I really don't want to miss the train on these fixes :).