Closed Bug 1873790 Opened 9 months ago Closed 9 months ago

Hit MOZ_CRASH(CanvasChild not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43

Categories

(Core :: Graphics: Canvas2D, defect, P3)

Tracking

RESOLVED FIXED
123 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox121 --- unaffected
firefox122 --- fixed
firefox123 --- fixed

People

(Reporter: tsmith, Assigned: aosmond)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords)

Attachments

(3 files)

Attached file testcase.html

Found while fuzzing m-c 20231213-f823ab1d9a00 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Hit MOZ_CRASH(CanvasChild not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43

#0 0x7fd8a5f7391a in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3
#1 0x7fd8a5f7391a in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43:5
#2 0x7fd8a750e1e6 in AssertOwnership<28> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:59:5
#3 0x7fd8a750e1e6 in mozilla::layers::CanvasChild::Release() /builds/worker/workspace/obj-build/dist/include/mozilla/layers/CanvasChild.h:27:3
#4 0x7fd8a754ab86 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#5 0x7fd8a754ab86 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
#6 0x7fd8a754ab86 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:80:7
#7 0x7fd8a754ab86 in ~DataShmemHolder /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasChild.cpp:424:10
#8 0x7fd8a754ab86 in operator() /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasChild.cpp:440:13
#9 0x7fd8a754ab86 in mozilla::layers::CanvasChild::GetDataSurface(long, mozilla::gfx::SourceSurface const*, bool)::$_0::__invoke(void*) /builds/worker/checkouts/gecko/gfx/layers/ipc/CanvasChild.cpp:436:11
#10 0x7fd8a726eb61 in ~SourceSurfaceRawData /builds/worker/checkouts/gecko/gfx/2d/SourceSurfaceRawData.h:63:7
#11 0x7fd8a726eb61 in mozilla::gfx::SourceSurfaceRawData::~SourceSurfaceRawData() /builds/worker/checkouts/gecko/gfx/2d/SourceSurfaceRawData.h:61:35
#12 0x7fd8a71d6c48 in mozilla::SupportsThreadSafeWeakPtr<mozilla::gfx::SourceSurface>::Release() const /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadSafeWeakPtr.h:179:7
#13 0x7fd8a7e4d3a3 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#14 0x7fd8a7e4d3a3 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
#15 0x7fd8a7e4d3a3 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:80:7
#16 0x7fd8a7e4d3a3 in ~ImageBitmapCloneData /builds/worker/workspace/obj-build/dist/include/mozilla/dom/ImageBitmap.h:63:8
#17 0x7fd8a7e4d3a3 in mozilla::dom::StructuredCloneHolder::CustomFreeTransferHandler(unsigned int, JS::TransferableOwnership, void*, unsigned long) /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:1631:5
#18 0x7fd8ad64ee14 in JSStructuredCloneData::discardTransferables() /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:1121:7
#19 0x7fd8ad66698f in JSAutoStructuredCloneBuffer::clear() /builds/worker/checkouts/gecko/js/src/vm/StructuredClone.cpp:3979:9
#20 0x7fd8a7e62ae7 in ~JSAutoStructuredCloneBuffer /builds/worker/workspace/obj-build/dist/include/js/StructuredClone.h:679:36
#21 0x7fd8a7e62ae7 in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
#22 0x7fd8a7e62ae7 in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7
#23 0x7fd8a7e62ae7 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:271:5
#24 0x7fd8a7e62ae7 in Clear /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:261:11
#25 0x7fd8a7e62ae7 in mozilla::dom::StructuredCloneHolder::~StructuredCloneHolder() /builds/worker/checkouts/gecko/dom/base/StructuredCloneHolder.cpp:353:3
#26 0x7fd8aafdccc1 in ~MessageEventRunnable /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.h:20:7
#27 0x7fd8aafdccc1 in mozilla::dom::MessageEventRunnable::~MessageEventRunnable() /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.h:20:7
#28 0x7fd8ab00d04b in mozilla::dom::WorkerRunnable::Release() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:192:1
#29 0x7fd8a606729a in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#30 0x7fd8a606729a in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:322:7
#31 0x7fd8a606729a in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:597:5
#32 0x7fd8a606729a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1210:13
#33 0x7fd8a606e1bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#34 0x7fd8aaffa46e in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3341:7
#35 0x7fd8aafddb41 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2106:42
#36 0x7fd8a60671e1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#37 0x7fd8a606e1bd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#38 0x7fd8a6d43235 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#39 0x7fd8a6c5b6b1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#40 0x7fd8a6c5b6b1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#41 0x7fd8a60624b3 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
#42 0x7fd8bac7ed0f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#43 0x7fd8ba694ac2 in start_thread nptl/pthread_create.c:442:8
#44 0x7fd8ba72665f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Unable to reproduce bug 1873790 using build mozilla-central 20231213004326-f823ab1d9a00. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

I don't quite understand the consequences of attempting to release a CanvasChild in a different thread than where it was initialized, but it doesn't sound good! Escalating to triage, since I'm not sure I can judge the severity yet.

Blocks: gfx-triage

A Pernosco session is available here: https://pernos.co/debug/NuV3iAMlZa0rDdVH1-lFFg/index.html

Added manually since bugmon failed to repro.

Keywords: pernosco
Flags: needinfo?(aosmond)
Assignee: nobody → aosmond
Status: NEW → ASSIGNED
Flags: needinfo?(aosmond)
Priority: -- → P4

CanvasChild is not thread-safe and can only be interacted with on its
owning thread.

Severity: -- → S3
Priority: P4 → P3
No longer blocks: gfx-triage

CanvasChild is not thread-safe and can only be interacted with on its
owning thread.

Original Revision: https://phabricator.services.mozilla.com/D198347

Attachment #9372468 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • Explanation of risk level: Trivial patch which moves the release to the main thread
  • Is Android affected?: yes
  • String changes made/needed: N/A
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Risk associated with taking this patch: Low
  • User impact if declined: Easy to trigger threading crash
  • Steps to reproduce for manual QE testing: N/A
  • Code covered by automated testing: yes
Pushed by aosmond@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7a07cd281802 Ensure that we release CanvasChild::DataShmemHolder on main thread. r=gfx-reviewers,lsalzman
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch
Attachment #9372468 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
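To illustrate the invariant behind this fix, here is an added example (not code from the bug, the patch or Gecko) that models it with std::thread: a refcounted object that may only be released on its owning thread, a holder whose destructor drops the last reference on a worker thread (the crash path), and the corrected holder that dispatches the release back to the owner's queue. NotThreadSafe, Holder and OwnerQueue are stand-ins for CanvasChild, DataShmemHolder and the main-thread event loop; Release() counts the wrong-thread case instead of crashing so both paths can be compared.

```cpp
#include <functional>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

struct OwnerQueue {  // stand-in for the owning (main) thread's event loop
  std::mutex mLock;
  std::vector<std::function<void()>> mTasks;
  void Dispatch(std::function<void()> aTask) {
    std::lock_guard<std::mutex> g(mLock); mTasks.push_back(std::move(aTask));
  }
  void Drain() {  // run on the owning thread once the worker has exited
    std::vector<std::function<void()>> tasks;
    { std::lock_guard<std::mutex> g(mLock); tasks.swap(mTasks); }
    for (auto& t : tasks) t();
  }
};
struct Result { int wrongThreadReleases = 0; bool destroyed = false; };
// Stand-in for CanvasChild: refcounted, not thread-safe. The real Release()
// MOZ_CRASHes off the owning thread; here the violation is counted instead.
struct NotThreadSafe {
  std::thread::id mOwner = std::this_thread::get_id();
  int mRefCnt = 1; Result* mResult;
  explicit NotThreadSafe(Result* aResult) : mResult(aResult) {}
  void Release() {
    if (std::this_thread::get_id() != mOwner) ++mResult->wrongThreadReleases;
    if (--mRefCnt == 0) { mResult->destroyed = true; delete this; }
  }
};
// Stand-in for DataShmemHolder: its destructor drops the last reference and
// runs on whichever thread frees the surface data (here: a worker thread).
struct Holder {
  NotThreadSafe* mObj; OwnerQueue* mQueue; bool mReleaseOnOwner;
  ~Holder() {
    NotThreadSafe* obj = mObj;
    if (mReleaseOnOwner && std::this_thread::get_id() != obj->mOwner)
      mQueue->Dispatch([obj] { obj->Release(); });  // fixed: defer to the owner
    else
      obj->Release();  // buggy: releases on whatever thread destroys the holder
  }
};

static Result Run(bool aReleaseOnOwner) {  // the calling thread is the owner
  Result r; OwnerQueue owner;
  auto* obj = new NotThreadSafe(&r);
  std::thread([&] { Holder h{obj, &owner, aReleaseOnOwner}; }).join();
  owner.Drain();  // a deferred Release, if any, runs here on the owning thread
  return r;
}
```

Run(false) reproduces the report (the last reference dies on the worker); Run(true) is the shape of the fix, where the object is still destroyed but only once the owning thread processes the dispatched release.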

:aosmond the beta patch failed to land due to conflicts.
Could you please create a revision rebased on top of beta?

Flags: needinfo?(aosmond)

I updated the phab revision.

Flags: needinfo?(aosmond)

Uplift Approval Request

  • Fix verified in Nightly: no
  • String changes made/needed: N/A
  • Needs manual QE test: no
  • Risk associated with taking this patch: Low
  • Explanation of risk level: Trivial patch which moves the release to the main thread
  • Steps to reproduce for manual QE testing: N/A
  • Code covered by automated testing: yes
  • User impact if declined: Easy to trigger threading crash
  • Is Android affected?: yes

(In reply to Andrew Osmond [:aosmond] (he/him) from comment #10)
> I updated the phab revision.

Thanks for the quick turnaround!

(In reply to Donal Meehan [:dmeehan] from comment #13)
> Thanks for the quick turnaround!

No problem, I really don't want to miss the train on these fixes :).
