Closed
Bug 1893388
Opened 1 year ago
Closed 1 year ago
ThreadSanitizer: data race [@ mozilla::BitWriter::WriteBits] vs. [@ mozilla::VideoInfo::operator==]
Categories
(Core :: Audio/Video: Playback, defect)
Core
Audio/Video: Playback
Tracking
()
People
(Reporter: tsmith, Assigned: alwu)
References
(Blocks 1 open bug, )
Details
(Keywords: csectype-race, sec-high, Whiteboard: [adv-main127+r][adv-esr115.12+r])
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr115+
tjr
:
sec-approval+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
tjr
:
sec-approval+
|
Details | Review |
Found with m-c 20240424-3de3f9428f13 (--enable-thread-sanitizer --enable-fuzzing)
This was found by visiting a live website with a TSan build.
STR:
- Launch browser and visit site
This issue was triggered by visiting http://www.eenadu.net/.
WARNING: ThreadSanitizer: data race (pid=25665)
Write of size 8 at 0x7b0400093940 by thread T40:
#0 nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::EnsureCapacityImpl<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h (libxul.so+0x311615d) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#1 EnsureCapacity<nsTArrayInfallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:442:12 (libxul.so+0x66d89a2) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#2 AppendElementInternal<nsTArrayInfallibleAllocator, int> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2700:47 (libxul.so+0x66d89a2)
#3 AppendElement<int> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2844:24 (libxul.so+0x66d89a2)
#4 mozilla::BitWriter::WriteBits(unsigned long, unsigned long) /src/dom/media/BitWriter.cpp:40:16 (libxul.so+0x66d89a2)
#5 WriteU8 /builds/worker/workspace/obj-build/dist/include/BitWriter.h:20:34 (libxul.so+0x6c1f2d7) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#6 mozilla::VPXDecoder::GetVPCCBox(mozilla::MediaByteBuffer*, mozilla::VPXDecoder::VPXStreamInfo const&) /src/dom/media/platforms/agnostic/VPXDecoder.cpp:595:10 (libxul.so+0x6c1f2d7)
#7 mozilla::VPXChangeMonitor::CheckForChange(mozilla::MediaRawData*) /src/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:422:7 (libxul.so+0x6c4e106) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#8 mozilla::MediaChangeMonitor::CreateDecoderAndInit(mozilla::MediaRawData*) /src/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:869:36 (libxul.so+0x6c48253) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#9 mozilla::MediaChangeMonitor::CheckForChange(mozilla::MediaRawData*) /src/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:986:12 (libxul.so+0x6c4739e) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#10 mozilla::MediaChangeMonitor::Decode(mozilla::MediaRawData*) /src/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:682:20 (libxul.so+0x6c46e22) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#11 operator() /src/dom/media/platforms/wrappers/MediaDataDecoderProxy.cpp:31:33 (libxul.so+0x6c5e2e6) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#12 mozilla::detail::ProxyFunctionRunnable<mozilla::MediaDataDecoderProxy::Decode(mozilla::MediaRawData*)::$_0, mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData>>, mozilla::MediaResult, true>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1811:29 (libxul.so+0x6c5e2e6)
#13 mozilla::TaskQueue::Runner::Run() /src/xpcom/threads/TaskQueue.cpp:257:20 (libxul.so+0x3234693) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#14 nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp:341:14 (libxul.so+0x325f10f) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#15 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1193:16 (libxul.so+0x325630e) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#16 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x325c8a4) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#17 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3db99fe) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#18 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d2bc98) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#19 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d2bc98)
#20 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d2bc98)
#21 nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x3251b83) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#22 _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4ba79) (BuildId: f8654d6dfe057c280bfbd732bc8627cefdb2a15d)
Previous read of size 8 at 0x7b0400093940 by thread T42:
#0 Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:409:37 (libxul.so+0x679cb7f) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#1 operator==<nsTArrayInfallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1123:21 (libxul.so+0x679cb7f)
#2 mozilla::VideoInfo::operator==(mozilla::VideoInfo const&) const /src/dom/media/MediaInfo.cpp:70:23 (libxul.so+0x679cb7f)
#3 mozilla::TrackBuffersManager::IsRepeatInitData(mozilla::MediaInfo const&) const /src/dom/media/mediasource/TrackBuffersManager.cpp:1222:51 (libxul.so+0x6b75eb1) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#4 mozilla::TrackBuffersManager::OnDemuxerInitDone(mozilla::MediaResult const&) /src/dom/media/mediasource/TrackBuffersManager.cpp:1319:27 (libxul.so+0x6b7435e) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#5 InvokeMethod<mozilla::TrackBuffersManager, void (mozilla::TrackBuffersManager::*)(const mozilla::MediaResult &), const mozilla::MediaResult &> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:651:12 (libxul.so+0x6ba106c) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#6 InvokeCallbackMethod<false, mozilla::TrackBuffersManager, void (mozilla::TrackBuffersManager::*)(const mozilla::MediaResult &), const mozilla::MediaResult &, RefPtr<mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:682:5 (libxul.so+0x6ba106c)
#7 mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ThenValue<mozilla::TrackBuffersManager*, void (mozilla::TrackBuffersManager::*)(mozilla::MediaResult const&), void (mozilla::TrackBuffersManager::*)(mozilla::MediaResult const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h (libxul.so+0x6ba106c)
#8 mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ThenValueBase::DoResolveOrReject(mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:620:7 (libxul.so+0x66c18d1) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#9 mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487:21 (libxul.so+0x66c10d5) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#10 mozilla::TaskQueue::Runner::Run() /src/xpcom/threads/TaskQueue.cpp:257:20 (libxul.so+0x3234693) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#11 nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp:341:14 (libxul.so+0x325f10f) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#12 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1193:16 (libxul.so+0x325630e) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#13 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x325c8a4) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#14 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3db99fe) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#15 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d2bc98) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#16 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d2bc98)
#17 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d2bc98)
#18 nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x3251b83) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#19 _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4ba79) (BuildId: f8654d6dfe057c280bfbd732bc8627cefdb2a15d)
Location is heap block of size 16 at 0x7b0400093940 allocated by thread T42:
#0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:663:5 (firefox-bin+0xd17dc) (BuildId: 694674247df7d54f35209c569a49d42e8a1b11a9)
#1 moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15 (firefox-bin+0x15e3f8) (BuildId: 694674247df7d54f35209c569a49d42e8a1b11a9)
#2 operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10 (libxul.so+0x65fa70d) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#3 mozilla::VideoInfo::VideoInfo(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) /src/dom/media/MediaInfo.h:349:20 (libxul.so+0x65fa70d)
#4 VideoInfo /builds/worker/workspace/obj-build/dist/include/MediaInfo.h:341:9 (libxul.so+0x6f08c29) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#5 VideoInfo /builds/worker/workspace/obj-build/dist/include/MediaInfo.h:338:17 (libxul.so+0x6f08c29)
#6 MediaInfo /builds/worker/workspace/obj-build/dist/include/MediaInfo.h:650:7 (libxul.so+0x6f08c29)
#7 mozilla::WebMDemuxer::WebMDemuxer(mozilla::MediaResource*, bool) /src/dom/media/webm/WebMDemuxer.cpp:153:14 (libxul.so+0x6f08c29)
#8 mozilla::TrackBuffersManager::CreateDemuxerforMIMEType() /src/dom/media/mediasource/TrackBuffersManager.cpp:1042:13 (libxul.so+0x6b6c1ce) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#9 mozilla::TrackBuffersManager::InitializationSegmentReceived() /src/dom/media/mediasource/TrackBuffersManager.cpp:1164:3 (libxul.so+0x6b71e87) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#10 mozilla::TrackBuffersManager::SegmentParserLoop() /src/dom/media/mediasource/TrackBuffersManager.cpp:902:7 (libxul.so+0x6b70e74) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#11 operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18 (libxul.so+0x6b9dda9) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#12 __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14 (libxul.so+0x6b9dda9)
#13 __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14 (libxul.so+0x6b9dda9)
#14 __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14 (libxul.so+0x6b9dda9)
#15 apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14 (libxul.so+0x6b9dda9)
#16 apply<mozilla::TrackBuffersManager, void (mozilla::TrackBuffersManager::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12 (libxul.so+0x6b9dda9)
#17 mozilla::detail::RunnableMethodImpl<mozilla::TrackBuffersManager*, void (mozilla::TrackBuffersManager::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13 (libxul.so+0x6b9dda9)
#18 mozilla::TaskQueue::Runner::Run() /src/xpcom/threads/TaskQueue.cpp:257:20 (libxul.so+0x3234693) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#19 nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp:341:14 (libxul.so+0x325f10f) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#20 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1193:16 (libxul.so+0x325630e) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#21 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x325c8a4) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#22 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3db99fe) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#23 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d2bc98) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#24 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d2bc98)
#25 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d2bc98)
#26 nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x3251b83) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#27 _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4ba79) (BuildId: f8654d6dfe057c280bfbd732bc8627cefdb2a15d)
Thread T40 'MediaPD~oder #3' (tid=25833, running) created by thread T34 at:
#0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (firefox-bin+0xd33bb) (BuildId: 694674247df7d54f35209c569a49d42e8a1b11a9)
#1 _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x42cee) (BuildId: f8654d6dfe057c280bfbd732bc8627cefdb2a15d)
#2 PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x37f84) (BuildId: f8654d6dfe057c280bfbd732bc8627cefdb2a15d)
#3 nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:620:20 (libxul.so+0x3253327) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#4 nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:602:22 (libxul.so+0x325b3dd) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#5 NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /src/xpcom/threads/nsThreadUtils.cpp:176:57 (libxul.so+0x3264093) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#6 NS_NewNamedThread /src/xpcom/threads/nsThreadUtils.cpp:168:10 (libxul.so+0x325e3ab) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#7 nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp:126:17 (libxul.so+0x325e3ab)
#8 Dispatch /src/xpcom/threads/nsThreadPool.cpp:379:3 (libxul.so+0x325fdf3) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#9 non-virtual thunk to nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp (libxul.so+0x325fdf3)
#10 mozilla::SharedThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/SharedThreadPool.h:75:28 (libxul.so+0x3237e6e) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#11 mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /src/xpcom/threads/TaskQueue.cpp:121:26 (libxul.so+0x32332a6) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#12 mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:73:14 (libxul.so+0x322cb07) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#13 mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::ThenValueBase::Dispatch(mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:589:38 (libxul.so+0x68401d5) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#14 mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::DispatchAll() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1271:18 (libxul.so+0x6c2a264) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#15 void mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::Private::Resolve<RefPtr<mozilla::AllocPolicy::Token>>(RefPtr<mozilla::AllocPolicy::Token>&&, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1356:5 (libxul.so+0x6c2a7e0) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#16 mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::ForwardTo(mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::Private*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1284:15 (libxul.so+0x6c2a57d) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#17 mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::DispatchAll() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1276:7 (libxul.so+0x6c2a3f4) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#18 void mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::Private::Resolve<RefPtr<mozilla::AllocPolicy::Token>&>(RefPtr<mozilla::AllocPolicy::Token>&, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1356:5 (libxul.so+0x6c2d6d0) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#19 Resolve<RefPtr<mozilla::AllocPolicy::Token> &> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1509:15 (libxul.so+0x6c2ce29) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#20 operator() /src/dom/media/platforms/AllocationPolicy.cpp:137:41 (libxul.so+0x6c2ce29)
#21 InvokeMethod<(lambda at /src/dom/media/platforms/AllocationPolicy.cpp:132:17), void ((lambda at /src/dom/media/platforms/AllocationPolicy.cpp:132:17)::*)(RefPtr<mozilla::AllocPolicy::Token>), RefPtr<mozilla::AllocPolicy::Token> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:651:12 (libxul.so+0x6c2ce29)
#22 InvokeCallbackMethod<false, (lambda at /src/dom/media/platforms/AllocationPolicy.cpp:132:17), void ((lambda at /src/dom/media/platforms/AllocationPolicy.cpp:132:17)::*)(RefPtr<mozilla::AllocPolicy::Token>), RefPtr<mozilla::AllocPolicy::Token>, RefPtr<mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:682:5 (libxul.so+0x6c2ce29)
#23 mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::ThenValue<mozilla::SingleAllocPolicy::Alloc()::$_0::operator()(RefPtr<mozilla::AllocPolicy::Token>) const::'lambda'(RefPtr<mozilla::AllocPolicy::Token>), mozilla::SingleAllocPolicy::Alloc()::$_0::operator()(RefPtr<mozilla::AllocPolicy::Token>) const::'lambda'()>::DoResolveOrRejectInternal(mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:856:9 (libxul.so+0x6c2ce29)
#24 mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::ThenValueBase::DoResolveOrReject(mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:620:7 (libxul.so+0x6840ce1) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#25 mozilla::MozPromise<RefPtr<mozilla::AllocPolicy::Token>, bool, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487:21 (libxul.so+0x68404e5) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#26 mozilla::TaskQueue::Runner::Run() /src/xpcom/threads/TaskQueue.cpp:257:20 (libxul.so+0x3234693) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#27 nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp:341:14 (libxul.so+0x325f10f) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#28 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1193:16 (libxul.so+0x325630e) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#29 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x325c8a4) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#30 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3db99fe) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#31 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d2bc98) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#32 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d2bc98)
#33 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d2bc98)
#34 nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x3251b83) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#35 _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4ba79) (BuildId: f8654d6dfe057c280bfbd732bc8627cefdb2a15d)
Thread T42 'MediaSu~isor #3' (tid=25845, running) created by thread T39 at:
#0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (firefox-bin+0xd33bb) (BuildId: 694674247df7d54f35209c569a49d42e8a1b11a9)
#1 _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x42cee) (BuildId: f8654d6dfe057c280bfbd732bc8627cefdb2a15d)
#2 PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x37f84) (BuildId: f8654d6dfe057c280bfbd732bc8627cefdb2a15d)
#3 nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:620:20 (libxul.so+0x3253327) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#4 nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:602:22 (libxul.so+0x325b3dd) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#5 NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /src/xpcom/threads/nsThreadUtils.cpp:176:57 (libxul.so+0x3264093) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#6 NS_NewNamedThread /src/xpcom/threads/nsThreadUtils.cpp:168:10 (libxul.so+0x325e3ab) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#7 nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp:126:17 (libxul.so+0x325e3ab)
#8 Dispatch /src/xpcom/threads/nsThreadPool.cpp:379:3 (libxul.so+0x325fdf3) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#9 non-virtual thunk to nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp (libxul.so+0x325fdf3)
#10 mozilla::SharedThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/SharedThreadPool.h:75:28 (libxul.so+0x3237e6e) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#11 mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /src/xpcom/threads/TaskQueue.cpp:121:26 (libxul.so+0x32332a6) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#12 mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:73:14 (libxul.so+0x322cb07) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#13 mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::ThenValueBase::Dispatch(mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:589:38 (libxul.so+0x66c9a55) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#14 mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::DispatchAll() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1271:18 (libxul.so+0x66c91e4) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#15 void mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::Private::Reject<mozilla::MediaTrackDemuxer::SkipFailureHolder>(mozilla::MediaTrackDemuxer::SkipFailureHolder&&, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1374:5 (libxul.so+0x66c881f) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#16 ForwardTo /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1286:15 (libxul.so+0x6850675) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#17 mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::ChainTo(already_AddRefed<mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::Private>, char const*) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1217:7 (libxul.so+0x6850675)
#18 mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::ThenValue<mozilla::MediaFormatReader::DemuxerProxy::Wrapper::SkipToNextRandomAccessPoint(mozilla::media::TimeUnit const&)::'lambda'(unsigned int), mozilla::MediaFormatReader::DemuxerProxy::Wrapper::SkipToNextRandomAccessPoint(mozilla::media::TimeUnit const&)::'lambda'(mozilla::MediaTrackDemuxer::SkipFailureHolder const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h (libxul.so+0x6851254) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#19 mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::ThenValueBase::DoResolveOrReject(mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:620:7 (libxul.so+0x66ca601) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#20 mozilla::MozPromise<unsigned int, mozilla::MediaTrackDemuxer::SkipFailureHolder, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487:21 (libxul.so+0x66c9e05) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#21 mozilla::TaskQueue::Runner::Run() /src/xpcom/threads/TaskQueue.cpp:257:20 (libxul.so+0x3234693) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#22 nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp:341:14 (libxul.so+0x325f10f) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#23 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1193:16 (libxul.so+0x325630e) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#24 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x325c8a4) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#25 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3db99fe) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#26 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d2bc98) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#27 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d2bc98)
#28 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d2bc98)
#29 nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x3251b83) (BuildId: 60348f84b08c7e90342a240f3bc6c1c83f975e81)
#30 _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4ba79) (BuildId: f8654d6dfe057c280bfbd732bc8627cefdb2a15d)
Changing the length of an array while another thread is reading the array seems like it could result in a buffer overflow, so I'll mark this high.
Keywords: sec-high
|
||
Updated•1 year ago
|
Blocks: media-triage
|
|
||
Updated•1 year ago
|
Severity: -- → S2
Flags: needinfo?(alwu)
|
Assignee | |
Comment 2•1 year ago
|
||
The problem is that when doing Clone() on a VideoInfo, we didn't clone everything properly.
In VideoInfo::Clone() would trigger this copy ctor. But for these two RefPtrs, we didn't assign a new MediaByteBuffer. So the new VideoInfo would still use the MediaByteBuffer from the old VideoInfo, which causes a data-race.
Assignee: nobody → alwu
Flags: needinfo?(alwu)
|
|
Assignee | |
Comment 3•1 year ago
|
||
|
|
Assignee | |
Comment 4•1 year ago
|
||
Depends on D209439
|
|
Assignee | |
Comment 5•1 year ago
•
|
||
Comment on attachment 9400074 [details]
Bug 1893388 - add gtest.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: This patch is the test, but even that it's still hard to find the actual place for data race.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Current patch should be able to backport to all branches.
- How likely is this patch to cause regressions; how much testing does it need?: Zero chance, this is just a test, which should be landed after the fix has been properly landed on all affected versions.
- Is the patch ready to land after security approval is given?: No
- Is Android affected?: Unknown
Attachment #9400074 -
Flags: sec-approval?
|
|
Assignee | |
Comment 6•1 year ago
|
||
Comment on attachment 9400073 [details]
Bug 1893388 - clone video info properly.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Hard, the patch doesn't indicate the place where the data race would happen, and it's hard to find the actual place for data race as well.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Current patch should be able to backport to all branches.
- How likely is this patch to cause regressions; how much testing does it need?: Less likely, it's just properly clone the array which we forget to clone before.
- Is the patch ready to land after security approval is given?: No
- Is Android affected?: Unknown
Attachment #9400073 -
Flags: sec-approval?
|
||
Updated•1 year ago
|
status-firefox125:
--- → wontfix
status-firefox126:
--- → wontfix
status-firefox-esr115:
--- → affected
tracking-firefox127:
--- → +
tracking-firefox-esr115:
--- → 127+
|
|
||
Updated•1 year ago
|
No longer blocks: media-triage
|
|
Assignee | |
Comment 7•1 year ago
|
||
I found that my patch breaks some tests, and I'm working on it now. Will update my patch again.
|
||
Updated•1 year ago
|
Attachment #9400073 -
Attachment description: Bug 1893388 - clone media byte buffers. → Bug 1893388 - clone video info properly.
|
||
Comment 8•1 year ago
|
||
Comment on attachment 9400073 [details]
Bug 1893388 - clone video info properly.
Approved to land and uplift
Attachment #9400073 -
Flags: sec-approval? → sec-approval+
|
|
||
Comment 9•1 year ago
|
||
Comment on attachment 9400074 [details]
Bug 1893388 - add gtest.
The test is also approved to land (and uplift if relman wants to)
Attachment #9400074 -
Flags: sec-approval? → sec-approval+
|
||
Comment 10•1 year ago
|
||
Pushed by alwu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0e28492391fd
clone video info properly. r=media-playback-reviewers,chunmin
|
|
Assignee | |
Comment 11•1 year ago
|
||
Comment on attachment 9400073 [details]
Bug 1893388 - clone video info properly.
Beta/Release Uplift Approval Request
- User impact if declined: Potential data race which might cause a security problem
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It doesn't add any new behavior or structural change, it's just about properly cloning a c++ structure.
- String changes made/needed: No
- Is Android affected?: Unknown
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Potential data race which might cause a security problem
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It doesn't add any new behavior or structural change, it's just about properly cloning a c++ structure.
Attachment #9400073 -
Flags: approval-mozilla-esr115?
Attachment #9400073 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 12•1 year ago
|
||
Set NI to myself to land the test after deploying the fix.
Flags: needinfo?(alwu)
|
|
||
Comment 13•1 year ago
|
||
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox128:
--- → fixed
tracking-firefox128:
--- → +
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
|
||
Comment 14•1 year ago
|
||
Comment on attachment 9400073 [details]
Bug 1893388 - clone video info properly.
Approved for 127 beta 4, thanks.
Attachment #9400073 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 15•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
|
|
Assignee | |
Updated•1 year ago
|
Flags: needinfo?(alwu)
|
|
||
Comment 16•1 year ago
|
||
Pushed by alwu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e2bb867be376
add gtest. r=media-playback-reviewers,chunmin
|
|
||
Comment 17•1 year ago
|
||
Flags: in-testsuite+
|
|
||
Comment 18•1 year ago
|
||
Comment on attachment 9400073 [details]
Bug 1893388 - clone video info properly.
Approved for 115.12esr. BTW, this test shouldn't have landed until a couple cycles after the fix made it to release...
Attachment #9400073 -
Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
|
|
||
Comment 19•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
|
||
Comment 20•1 year ago
|
||
Backout by ryanvm@gmail.com:
https://hg.mozilla.org/releases/mozilla-esr115/rev/7e7fd5b6d8e2
Backed out changeset c29e50b0d33c
|
|
Assignee | |
Comment 21•1 year ago
|
||
What version should I land the test? In our approval process guidance, it doesn't have a clear guideline when the test can be landed.
Flags: needinfo?(ryanvm)
|
|
||
Updated•1 year ago
|
Flags: needinfo?(ryanvm) → needinfo?(tom)
|
|
||
Comment 22•1 year ago
|
||
Sorry, my comment in #9 wasn't clear :) I will add a [reminder-test 2024-XX-YY] flag that indicates when the test is okay to land; but in this instance, I meant to convey that you can land the test concurrently with the actual patch, no need to delay.
Flags: needinfo?(tom)
|
|
Assignee | |
Comment 23•1 year ago
|
||
Thanks! Then I will reland the test later again.
|
|
||
Updated•1 year ago
|
Whiteboard: [adv-main127+r]
|
|
||
Updated•1 year ago
|
Whiteboard: [adv-main127+r] → [adv-main127+r][adv-esr115.12+r]
|
||
Updated•5 months ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•