Closed Bug 1952105 Opened 8 months ago Closed 7 months ago

Assertion failure: IsIdle(oldState) || IsRead(oldState), at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:130

Categories

(Core :: Graphics: Canvas2D, defect)

Tracking

RESOLVED FIXED
139 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 138+ fixed
firefox138 --- fixed
firefox139 --- fixed

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug, )

Details

(Keywords: assertion, csectype-race, sec-moderate, Whiteboard: [adv-main138+r][adv-esr128.10+r])

Attachments

(4 files)

Found with m-c 20250222-7a7d2fb4b923 (--enable-debug)

This was found by visiting a live website with a debug build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting https://news.sportbox.ru/. So far I've only seen this reported by Windows machines.

This has been triggered by visiting a few different sites so far:

Assertion failure: IsIdle(oldState) || IsRead(oldState), at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:130

#0 0x7ff9e81ed382 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:55
#1 0x7ff9e81ed382 in Checker::StartReadOp /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:130
#2 0x7ff9e81ed382 in AutoReadOp::AutoReadOp /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:32
#3 0x7ff9e81ed382 in PLDHashTable::Search(void const *) const /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:492
#4 0x7ff9e857bc6a in nsTHashtable<nsBaseHashtableET<nsAtomHashKey,nsStaticAtom *> >::GetEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:289
#5 0x7ff9e857bc6a in nsBaseHashtable<nsAtomHashKey,nsStaticAtom *,nsStaticAtom *,nsDefaultConverter<nsStaticAtom *,nsStaticAtom *> >::Get /builds/worker/workspace/obj-build/dist/include/nsBaseHashtable.h:362
#6 0x7ff9e857bc6a in nsLanguageAtomService::GetLanguageGroup(class nsAtom *, bool *) /builds/worker/checkouts/gecko/intl/locale/nsLanguageAtomService.cpp:144
#7 0x7ff9f3403793 in mozilla::StaticPresData::GetLangGroup /builds/worker/checkouts/gecko/layout/base/StaticPresData.cpp:204
#8 0x7ff9f3403793 in mozilla::StaticPresData::GetFontPrefsForLang(class nsAtom *, bool *) /builds/worker/checkouts/gecko/layout/base/StaticPresData.cpp:222
#9 0x7ff9f31e381f in Gecko_nsStyleFont_ComputeMinSize::<lambda_12>::operator() /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:1234
#10 0x7ff9f31e381f in Gecko_nsStyleFont_ComputeMinSize /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:1241
#11 0x7ff9f6b08bb6 in style::properties::cascade::Cascade::constrain_font_size_if_needed /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:1225
#12 0x7ff9f6b08bb6 in style::properties::cascade::Cascade::apply_prioritary_properties /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:806
#13 0x7ff9f619b417 in style::properties::cascade::apply_declarations /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:334
#14 0x7ff9f619b417 in style::properties::cascade::cascade_rules<style::gecko::wrapper::GeckoElement> /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:198
#15 0x7ff9f619a92d in style::properties::cascade::cascade /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:82
#16 0x7ff9f619a92d in style::stylist::Stylist::cascade_style_and_visited /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:1271
#17 0x7ff9f619a92d in style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::cascade_style_and_visited<style::gecko::wrapper::GeckoElement> /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:382
#18 0x7ff9f61a1d2a in style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::cascade_primary_style<style::gecko::wrapper::GeckoElement> /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:277
#19 0x7ff9f61a1684 in style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::resolve_primary_style<style::gecko::wrapper::GeckoElement> /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:231
#20 0x7ff9f6199431 in style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::resolve_style<style::gecko::wrapper::GeckoElement> /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:295
#21 0x7ff9f61948a2 in style::style_resolver::impl$4::resolve_style_with_default_parents::closure$0 /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:330
#22 0x7ff9f61948a2 in style::style_resolver::with_default_parent_styles /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:139
#23 0x7ff9f61948a2 in style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::resolve_style_with_default_parents /builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs:329
#24 0x7ff9f61948a2 in style::traversal::compute_style /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:619
#25 0x7ff9f61948a2 in style::traversal::recalc_style_at /builds/worker/checkouts/gecko/servo/components/style/traversal.rs:432
#26 0x7ff9f61948a2 in style::gecko::traversal::impl$1::process_preorder /builds/worker/checkouts/gecko/servo/components/style/gecko/traversal.rs:37
#27 0x7ff9f61948a2 in style::parallel::style_trees<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly> /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:158
#28 0x7ff9f619a4e1 in style::parallel::distribute_one_chunk::closure$0 /builds/worker/checkouts/gecko/servo/components/style/parallel.rs:90
#29 0x7ff9f619a4e1 in rayon_core::scope::impl$1::spawn_fifo::closure$0::closure$0 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:586
#30 0x7ff9f619a4e1 in core::panic::unwind_safe::impl$25::call_once /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\core\src\panic\unwind_safe.rs:272
#31 0x7ff9f619a4e1 in std::panicking::try::do_call /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\std\src\panicking.rs:584
#32 0x7ff9f619a4e1 in std::panicking::try /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\std\src\panicking.rs:547
#33 0x7ff9f619a4e1 in std::panic::catch_unwind /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\std\src\panic.rs:358
#34 0x7ff9f619a4e1 in rayon_core::unwind::halt_unwinding /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/unwind.rs:17
#35 0x7ff9f619a4e1 in rayon_core::scope::ScopeBase::execute_job_closure /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:689
#36 0x7ff9f619a4e1 in rayon_core::scope::ScopeBase::execute_job /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:679
#37 0x7ff9f619a4e1 in rayon_core::scope::impl$1::spawn_fifo::closure$0 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/scope/mod.rs:586
#38 0x7ff9f619a4e1 in rayon_core::job::impl$6::execute<rayon_core::scope::impl$1::spawn_fifo::closure_env$0<style::parallel::distribute_one_chunk::closure_env$0<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly> > > /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:169
#39 0x7ff9f8cc544c in rayon_core::job::JobRef::execute /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/job.rs:64
#40 0x7ff9f8cc544c in rayon_core::registry::WorkerThread::execute /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:860
#41 0x7ff9f8cc544c in rayon_core::registry::WorkerThread::wait_until_cold /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/lib.rs:1
#42 0x7ff9f6709276 in rayon_core::registry::WorkerThread::wait_until /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:769
#43 0x7ff9f6709276 in rayon_core::registry::WorkerThread::wait_until_out_of_work /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:818
#44 0x7ff9f6709276 in rayon_core::registry::main_loop /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:923
#45 0x7ff9f6709276 in rayon_core::registry::ThreadBuilder::run /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:53
#46 0x7ff9f6708efe in rayon_core::registry::impl$2::spawn::closure$0 /builds/worker/checkouts/gecko/third_party/rust/rayon-core/src/registry.rs:98
#47 0x7ff9f6708efe in std::sys::backtrace::__rust_begin_short_backtrace<rayon_core::registry::impl$2::spawn::closure_env$0,tuple$<> > /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\std\src\sys\backtrace.rs:152
#48 0x7ff9f6999437 in std::thread::impl$0::spawn_unchecked_::closure$1::closure$0 /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\std\src\thread\mod.rs:564
#49 0x7ff9f6999437 in core::panic::unwind_safe::impl$25::call_once /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\core\src\panic\unwind_safe.rs:272
#50 0x7ff9f6999437 in std::panicking::try::do_call /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\std\src\panicking.rs:584
#51 0x7ff9f6999437 in std::panicking::try /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\std\src\panicking.rs:547
#52 0x7ff9f6999437 in std::panic::catch_unwind /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\std\src\panic.rs:358
#53 0x7ff9f6999437 in std::thread::impl$0::spawn_unchecked_::closure$1 /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\std\src\thread\mod.rs:562
#54 0x7ff9f6999437 in core::ops::function::FnOnce::call_once<std::thread::impl$0::spawn_unchecked_::closure_env$1<style::global_style_data::thread_spawn::closure_env$0,tuple$<> >,tuple$<> > /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688\library\core\src\ops\function.rs:250
#55 0x7ff9f684f363 in alloc::boxed::impl$28::call_once /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688/library\alloc\src\boxed.rs:1993
#56 0x7ff9f684f363 in alloc::boxed::impl$28::call_once /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688/library\alloc\src\boxed.rs:1993
#57 0x7ff9f684f363 in std::sys::pal::windows::thread::impl$0::new::thread_start /rustc/4d91de4e48198da2e33413efdcd9cd2cc0c46688/library\std\src\sys\pal\windows\thread.rs:56
#58 0x7ffa0a76a31d in asan_thread_start /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:147
#59 0x124610dc002e  (<unknown module>)
#60 0x000a2c45f81f  (<unknown module>)
#61 0x7ffa0a76a2ce in CreateThread (C:\Users\task_174098273331499\build\clang_rt.asan_dynamic-x86_64.dll+0x18005a2ce)
#62 0x00000000002f  (<unknown module>)
#63 0x000a2c45f797  (<unknown module>)
#64 0x000a2c45f81f  (<unknown module>)
#65 0x7ffa2f2471ac in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
#66 0x7ffa2f2471ac in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:562
#67 0x7ffa363fedca  (C:\Windows\SYSTEM32\ntdll.dll+0x18007edca)

Looks like Stylo is reading some internationalization data while the hash table is being modified.

Tyson, could you get a minidump for this crash (or maybe use a debugger)? That will show what other threads are doing which might show what is mutating the hash table. The Stylo part of this doesn't look like it has changed recently. Thanks.

Flags: needinfo?(twsmith)
Attached file minidump.zip
Flags: needinfo?(twsmith)

The severity field is not set for this bug.
:m_kato, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(m_kato)

It seems to be a race condition between the Gecko main thread and Servo's threads... But when trying STR, I cannot reproduce this...

Assignee: nobody → m_kato
Severity: -- → S2
Flags: needinfo?(m_kato)

Main thread

0:036> ~0K
 # Child-SP          RetAddr               Call Site
00 00000003`af5f43f8 00007fff`edbd9f09     ntdll!NtWaitForAlertByThreadId+0x14
01 00000003`af5f4400 00007fff`edbd74c2     ntdll!RtlpEnterCriticalSectionContended+0x339
02 00000003`af5f4520 00007fff`af8160c7     ntdll!RtlEnterCriticalSection+0x42
03 (Inline Function) --------`--------     xul!google_breakpad::AutoExceptionHandler::AutoExceptionHandler+0xd [/builds/worker/checkouts/gecko/toolkit/crashreporter/breakpad-client/windows/handler/exception_handler.cc @ 473] 
04 00000003`af5f4550 00007fff`af80f52f     xul!google_breakpad::ExceptionHandler::HandleException+0x17 [/builds/worker/checkouts/gecko/toolkit/crashreporter/breakpad-client/windows/handler/exception_handler.cc @ 507] 
05 00000003`af5f4590 00007fff`edc648ef     xul!CrashReporter::JitExceptionHandler+0x2f [/builds/worker/checkouts/gecko/toolkit/crashreporter/nsExceptionHandler.cpp @ 364] 
06 00000003`af5f45d0 00007fff`edbf192e     ntdll!RtlpExecuteHandlerForException+0xf
07 00000003`af5f4600 00007fff`edc638ee     ntdll!RtlDispatchException+0x26e
08 00000003`af5f4d40 00007fff`a842a771     ntdll!KiUserExceptionDispatch+0x2e
09 (Inline Function) --------`--------     xul!AnnotateMozCrashReason+0x11 [/builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h @ 55] 
0a (Inline Function) --------`--------     xul!Checker::EndReadOp+0xbb [/builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h @ 136] 
0b (Inline Function) --------`--------     xul!AutoReadOp::~AutoReadOp+0xbb [/builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp @ 33] 
0c 00000003`af5f5a90 00007fff`a86bd9d9     xul!PLDHashTable::Search+0x251 [/builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp @ 503] 
0d (Inline Function) --------`--------     xul!nsTHashtable<nsBaseHashtableET<nsAtomHashKey,nsStaticAtom *> >::GetEntry+0x8 [/builds/worker/workspace/obj-build/dist/include/nsTHashtable.h @ 289] 
0e (Inline Function) --------`--------     xul!nsBaseHashtable<nsAtomHashKey,nsStaticAtom *,nsStaticAtom *,nsDefaultConverter<nsStaticAtom *,nsStaticAtom *> >::Get+0x8 [/builds/worker/workspace/obj-build/dist/include/nsBaseHashtable.h @ 362] 
0f 00000003`af5f5b00 00007fff`aea65029     xul!nsLanguageAtomService::GetLanguageGroup+0x29 [/builds/worker/checkouts/gecko/intl/locale/nsLanguageAtomService.cpp @ 144] 
10 (Inline Function) --------`--------     xul!mozilla::StaticPresData::GetLangGroup+0x8 [/builds/worker/checkouts/gecko/layout/base/StaticPresData.cpp @ 204] 
11 00000003`af5f5bc0 00007fff`ae9401c3     xul!mozilla::StaticPresData::GetFontPrefsForLang+0x29 [/builds/worker/checkouts/gecko/layout/base/StaticPresData.cpp @ 222] 
12 (Inline Function) --------`--------     xul!Gecko_nsStyleFont_ComputeMinSize::<lambda_0>::operator()+0x8 [/builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp @ 1234] 
13 00000003`af5f5c10 00007fff`b08139a2     xul!Gecko_nsStyleFont_ComputeMinSize+0x73 [/builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp @ 1241] 
14 00000003`af5f5c80 00007fff`b05372b9     xul!style::properties::cascade::Cascade::apply_prioritary_properties+0xe32 [/builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs @ 806] 
15 (Inline Function) --------`--------     xul!style::properties::cascade::apply_declarations+0x447 [/builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs @ 334] 
16 00000003`af5f5df0 00007fff`b05655c7     xul!style::properties::cascade::cascade_rules<style::gecko::wrapper::GeckoElement>+0x579 [/builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs @ 198] 
17 (Inline Function) --------`--------     xul!style::properties::cascade::cascade+0x3b [/builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs @ 82] 
18 (Inline Function) --------`--------     xul!style::stylist::Stylist::cascade_style_and_visited+0x85 [/builds/worker/checkouts/gecko/servo/components/style/stylist.rs @ 1271] 
19 00000003`af5f6a00 00007fff`b0564f95     xul!style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::cascade_style_and_visited<style::gecko::wrapper::GeckoElement>+0x127 [/builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs @ 382] 
1a 00000003`af5f6af0 00007fff`b05652a5     xul!style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::cascade_primary_style<style::gecko::wrapper::GeckoElement>+0x3e5 [/builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs @ 276] 
1b 00000003`af5f6c30 00007fff`b0564912     xul!style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::resolve_primary_style<style::gecko::wrapper::GeckoElement>+0xc5 [/builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs @ 242] 
1c 00000003`af5f6cd0 00007fff`b0587f4b     xul!style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::resolve_style<style::gecko::wrapper::GeckoElement>+0x32 [/builds/worker/checkouts/gecko/servo/components/style/style_resolver.rs @ 297] 
1d 00000003`af5f6db0 00007fff`b0585ef7     xul!style::traversal::compute_style<style::gecko::wrapper::GeckoElement>+0xadb [/builds/worker/checkouts/gecko/servo/components/style/traversal.rs @ 614] 
1e (Inline Function) --------`--------     xul!style::traversal::recalc_style_at+0x1aa [/builds/worker/checkouts/gecko/servo/components/style/traversal.rs @ 428] 

DOM Worker thread

0:036> ~36k
 # Child-SP          RetAddr               Call Site
00 00000003`b2c79728 00007fff`eb72497c     ntdll!NtWaitForMultipleObjects+0x14
01 00000003`b2c79730 00007fff`eb72487e     KERNELBASE!WaitForMultipleObjectsEx+0xec
02 00000003`b2c79a20 00007fff`af811a9f     KERNELBASE!WaitForMultipleObjects+0xe
03 00000003`b2c79a60 00007fff`af816ca3     xul!google_breakpad::CrashGenerationClient::SignalCrashEventAndWait+0xdf [/builds/worker/checkouts/gecko/toolkit/crashreporter/breakpad-client/windows/crash_generation/crash_generation_client.cc @ 420] 
04 00000003`b2c79ab0 00007fff`af816188     xul!google_breakpad::ExceptionHandler::WriteMinidumpWithException+0x73 [/builds/worker/checkouts/gecko/toolkit/crashreporter/breakpad-client/windows/handler/exception_handler.cc @ 946] 
05 00000003`b2c79b10 00007fff`af80f52f     xul!google_breakpad::ExceptionHandler::HandleException+0xd8 [/builds/worker/checkouts/gecko/toolkit/crashreporter/breakpad-client/windows/handler/exception_handler.cc @ 538] 
06 00000003`b2c79b50 00007fff`edc648ef     xul!CrashReporter::JitExceptionHandler+0x2f [/builds/worker/checkouts/gecko/toolkit/crashreporter/nsExceptionHandler.cpp @ 364] 
07 00000003`b2c79b90 00007fff`edbf192e     ntdll!RtlpExecuteHandlerForException+0xf
08 00000003`b2c79bc0 00007fff`edc638ee     ntdll!RtlDispatchException+0x26e
09 00000003`b2c7a300 00007fff`a842acf7     ntdll!KiUserExceptionDispatch+0x2e
0a (Inline Function) --------`--------     xul!AnnotateMozCrashReason+0x11 [/builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h @ 55] 
0b (Inline Function) --------`--------     xul!Checker::StartWriteOp+0x352 [/builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h @ 142] 
0c 00000003`b2c7b040 00007fff`a842b076     xul!PLDHashTable::MakeEntryHandle+0x377 [/builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp @ 620] 
0d 00000003`b2c7b0f0 00007fff`a86bda22     xul!PLDHashTable::MakeEntryHandle+0x46 [/builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp @ 675] 
0e (Inline Function) --------`--------     xul!PLDHashTable::WithEntryHandle+0x13 [/builds/worker/workspace/obj-build/dist/include/PLDHashTable.h @ 605] 
0f (Inline Function) --------`--------     xul!nsTHashtable<nsBaseHashtableET<nsAtomHashKey,nsStaticAtom *> >::WithEntryHandle+0x13 [/builds/worker/workspace/obj-build/dist/include/nsTHashtable.h @ 435] 
10 (Inline Function) --------`--------     xul!nsBaseHashtable<nsAtomHashKey,nsStaticAtom *,nsStaticAtom *,nsDefaultConverter<nsStaticAtom *,nsStaticAtom *> >::WithEntryHandle+0x13 [/builds/worker/workspace/obj-build/dist/include/nsBaseHashtable.h @ 841] 
11 (Inline Function) --------`--------     xul!nsBaseHashtable<nsAtomHashKey,nsStaticAtom *,nsStaticAtom *,nsDefaultConverter<nsStaticAtom *,nsStaticAtom *> >::LookupOrInsertWith+0x13 [/builds/worker/workspace/obj-build/dist/include/nsBaseHashtable.h @ 429] 
12 00000003`b2c7b160 00007fff`a9d3db00     xul!nsLanguageAtomService::GetLanguageGroup+0x72 [/builds/worker/checkouts/gecko/intl/locale/nsLanguageAtomService.cpp @ 151] 
13 (Inline Function) --------`--------     xul!gfxPlatformFontList::GetLangGroup+0x17 [/builds/worker/checkouts/gecko/gfx/thebes/gfxPlatformFontList.cpp @ 2644] 
14 00000003`b2c7b220 00007fff`a9d58bdf     xul!gfxPlatformFontList::AddGenericFonts+0x50 [/builds/worker/checkouts/gecko/gfx/thebes/gfxPlatformFontList.cpp @ 2207] 
15 00000003`b2c7b2b0 00007fff`a9d5b1e4     xul!gfxFontGroup::EnsureFontList+0x2cf [/builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp @ 1962] 
16 00000003`b2c7b440 00007fff`abc8f0c0     xul!gfxFontGroup::GetFirstValidFont+0x34 [/builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp @ 2285] 
17 00000003`b2c7b500 00007fff`abc8fbc3     xul!mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText+0xbe0 [/builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp @ 4991] 
18 00000003`b2c7b830 00007fff`aacb9a67     xul!mozilla::dom::CanvasRenderingContext2D::MeasureText+0x43 [/builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp @ 4480] 
19 00000003`b2c7b8a0 00007fff`abba461e     xul!mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::measureText+0x137 [/builds/worker/workspace/obj-build/dom/bindings/./OffscreenCanvasRenderingContext2DBinding.cpp @ 4128] 
1a 00000003`b2c7ba00 00000348`8f06341b     xul!mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions>+0x1be [/builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp @ 3304] 
Keywords: pernosco-wanted

This has only been reported by Windows instances and rr/Pernosco is not supported on Windows.
I have not been able to reproduce this issue on Linux so I won't be able to get a Pernosco session, sorry.

Keywords: pernosco-wanted

Thanks, so this is not so much about stylo, but about OffscreenCanvas accessing lang groups etc off main thread.

Flags: needinfo?(jfkthame)
Flags: needinfo?(aosmond)
Group: layout-core-security → gfx-core-security
Component: Internationalization → Graphics: Canvas2D

Jonathan, this looks like a possible dup of bug 1951561?

It's not going through LookAndFeel, but the symptomology seems the same, that an offscreen canvas worker thread is racing on font lookups.

Severity: S2 → S3
See Also: → 1951561
See Also: → 1955591

This is about calling nsLanguageAtomService::GetLanguageGroup, which font-resolution code uses, and which isn't safe to call from a worker thread because it uses a hashtable to cache the language code mappings it looks up.

I guess there are a couple of fairly easy options to address this. (a) We could make the font code (gfxPlatformFontList::GetLangGroup) check if it's running on a worker thread, and call GetUncachedLanguageGroup in that case; but that does add some small overhead to all generic-font resolution on workers, which is regrettable. So I think I favor (b): add a RWLock to nsLanguageAtomService, to protect the hashtable. Most of the time we'll only need to take a read lock (because the overwhelming majority of lookups will find an existing cached mapping and return it, without modifying anything), so there should be very little contention.

Flags: needinfo?(jfkthame)

Note that I don't have a testcase/STR to verify this. But AFAICS by inspection, the patch above should prevent the race here.

Assignee: m_kato → jfkthame
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f749f463eed1 Add a lock to guard the cache in nsLanguageAtomService. r=m_kato,emilio
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
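
Option (b) from the discussion above, a reader-writer lock around the language-group cache, sketched as an added example; this is not the patch that landed and not Gecko code. `std::shared_mutex` stands in for the RWLock, plain strings stand in for atoms, and `LangGroupCache`, `uncached_group` and `count_mismatches` are hypothetical names.

```cpp
// Added illustration of a read-mostly cache guarded by a reader-writer lock.
// All names are hypothetical; the language-to-group mapping is constructed.
#include <atomic>
#include <cstddef>
#include <mutex>
#include <shared_mutex>
#include <string>
#include <thread>
#include <unordered_map>
#include <vector>

// Counts calls to the slow path so a caller can see when the cache was hit.
static std::atomic<int> g_uncached_calls{0};

// Stand-in for the uncached lookup: a pure function of its input, so it is
// safe to call from any thread without holding a lock.
std::string uncached_group(const std::string& lang) {
  g_uncached_calls.fetch_add(1, std::memory_order_relaxed);
  std::string primary = lang.substr(0, lang.find('-'));
  if (primary == "ja") return "ja";
  if (primary == "ru" || primary == "uk") return "x-cyrillic";
  return "x-western";
}

class LangGroupCache {
 public:
  std::string get(const std::string& lang) {
    {
      // Fast path: shared lock, so concurrent readers do not block each other.
      std::shared_lock<std::shared_mutex> read(lock_);
      auto it = cache_.find(lang);
      if (it != cache_.end()) return it->second;
    }
    // Miss: compute outside any lock, then publish under the exclusive lock.
    std::string group = uncached_group(lang);
    std::unique_lock<std::shared_mutex> write(lock_);
    // emplace never overwrites: if another thread inserted this key between
    // our read unlock and write lock, its entry is kept and returned.
    return cache_.emplace(lang, std::move(group)).first->second;
  }

  std::size_t size() const {
    std::shared_lock<std::shared_mutex> read(lock_);
    return cache_.size();
  }

 private:
  mutable std::shared_mutex lock_;
  std::unordered_map<std::string, std::string> cache_;
};

// Hammers one cache from several threads (as a main thread plus workers
// would) and counts answers that differ from the uncached result.
int count_mismatches(LangGroupCache& cache, int threads, int iterations) {
  static const char* kLangs[] = {"en-US", "ru", "ja-JP", "uk-UA", "fr", "de-AT"};
  std::atomic<int> mismatches{0};
  std::vector<std::thread> pool;
  for (int t = 0; t < threads; ++t) {
    pool.emplace_back([&, t] {
      for (int i = 0; i < iterations; ++i) {
        std::string lang = kLangs[(i + t) % 6];
        if (cache.get(lang) != uncached_group(lang)) ++mismatches;
      }
    });
  }
  for (auto& th : pool) th.join();
  return mismatches.load();
}

int main() {
  LangGroupCache cache;
  bool ok = count_mismatches(cache, 8, 20000) == 0 && cache.size() == 6;
  return ok ? 0 : 1;
}
```

Without the two lock acquisitions in `get`, the same workload has one thread searching the map while another inserts into it, which is the read/write overlap the two stacks above show.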

The patch landed in nightly and beta is affected.
:jfkthame, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox138 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jfkthame)
Attachment #9478929 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Possible race condition accessing language-group hash table
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: (no reliable STR)
  • Risk associated with taking this patch: low
  • Explanation of risk level: adds locking to guard hashtable access; no behavior change
  • String changes made/needed: none
  • Is Android affected?: yes
Flags: needinfo?(jfkthame)
Flags: needinfo?(aosmond)
Attachment #9478929 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

It looks like this is patching some pretty old code that is also on our ESRs. Should we land this patch in time for 128.10?

Flags: needinfo?(jfkthame)

Yeah, my gut feeling is that reliably exploiting the race would be hard to arrange in practice, but probably it's worth taking the fix to eliminate any such risk.

Flags: needinfo?(jfkthame)
Attachment #9479225 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: Possible race condition accessing language-group hash table
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: (no reliable STR)
  • Risk associated with taking this patch: low
  • Explanation of risk level: adds locking to guard hashtable access; no behavior change
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9479225 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main138+r]
Whiteboard: [adv-main138+r] → [adv-main138+r][adv-esr128.23+r]
Whiteboard: [adv-main138+r][adv-esr128.23+r] → [adv-main138+r][adv-esr128.10+r]
Group: core-security-release