Closed Bug 845741 Opened 11 years ago Closed 11 years ago

TSan: Thread data race in mozilla::MediaStreamGraphImpl::ExtractPendingInput() vs. mozilla::SourceMediaStream::FinishWithLockHeld()

Categories

(Core :: WebRTC, defect, P2)

Product:
Core
Component:
WebRTC
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox19 --- disabled
firefox20 --- wontfix
firefox21 --- wontfix
firefox22 --- fixed
firefox23 --- fixed

People

(Reporter: posidron, Assigned: jesup)

References

Details

(Keywords: sec-want, Whiteboard: [tsan][tsan-test-blocker][webrtc][blocking-webrtc+][qa-])

Attachments

(2 files)

trace
12.71 KB, text/plain
Details
Set mUpdateFinished under lock
1.27 KB, patch
roc
: review+
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file trace 
During initial fuzz tests with ThreadSanitizer (LLVM version), we get a data race reported as described in the attached log. Trace was created on mozilla-central with changeset 122820:c233837cce08.

According to the TSan devs, most of the reported traces should be real data races, even though they can be "benign". We need to determine if the race can/should be fixed, or put on the ignore list. Even for benign races, TSan devs suggest to fix them (second priority), as they can also cause problems [1].

[1] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
This happened during fuzzing the JSEP in two separate windows.
This is almost certainly a data race on mUpdateFinished.  It's set on the caller side (Mainthread) and read in MSG without any locking.  This could be resolved by having Finish operate on the MSG thread by inserting a message instead of just setting a flag.  (I'm not sure if that would cause any other issues, however)

I haven't checked all the versions, but I think this affects all the way back to FF19, probably before.

I suspect the downside might be MSG thread taking longer to notice that Finish() or EndAllTracksAndFinish() was called.  I don't know if that would cause any real problems so long as they eventually synchronize; I haven't thought it through. (Tim?)
Assignee: nobody → roc
status-firefox19: --- → affected
status-firefox20: --- → affected
status-firefox21: --- → affected
status-firefox22: --- → affected
Priority: -- → P2
Whiteboard: [tsan][tsan-test-blocker] → [tsan][tsan-test-blocker][webrtc][blocking-webrtc+]
Looked at this several times before seeing my mistake: when I switched to FinishWithLockHeld(), I didn't remove the level of braces around the AutoLock
Attachment #734235 - Flags: review?(roc)
Depends on: 803976
Whiteboard: [tsan][tsan-test-blocker][webrtc][blocking-webrtc+] → [tsan][tsan-test-blocker][webrtc][blocking-webrtc+][webrtc-uplift]
Comment on attachment 734235 [details] [diff] [review]
Set mUpdateFinished under lock

Review of attachment 734235 [details] [diff] [review]:
-----------------------------------------------------------------

thanks for taking this!!
Attachment #734235 - Flags: review?(roc) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/59e93bff76d4

We'll want this for Aurora/22, and it's a small-enough/safe-enough bug to consider for Beta/21
Assignee: roc → rjesup
Target Milestone: --- → mozilla22
https://hg.mozilla.org/mozilla-central/rev/59e93bff76d4
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: mozilla22 → mozilla23
Whiteboard: [tsan][tsan-test-blocker][webrtc][blocking-webrtc+][webrtc-uplift] → [tsan][tsan-test-blocker][webrtc][blocking-webrtc+][webrtc-uplift][qa-]
Comment on attachment 734235 [details] [diff] [review]
Set mUpdateFinished under lock

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 803976

User impact if declined: TSAN bugs are inherently risky and compiler/optimizer and runtime timing dependent.  Nuclear missiles could be launched (to borrow a phrase from the "there are no such things as benign data races" article.

Testing completed (on m-c, etc.): on m-c

Risk to taking this patch (and alternatives if risky): No appreciable risk

String or IDL/UUID changes made by this patch: none
Attachment #734235 - Flags: approval-mozilla-aurora?
Attachment #734235 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/76f7efd3e9c1
status-firefox22: affectedfixed
Whiteboard: [tsan][tsan-test-blocker][webrtc][blocking-webrtc+][webrtc-uplift][qa-] → [tsan][tsan-test-blocker][webrtc][blocking-webrtc+][qa-][webrtc-uplift]
Target Milestone: mozilla23 → mozilla22
Roc - should we nominate this for beta?
Flags: needinfo?(roc)
I think it's probably not worth it.
Flags: needinfo?(roc)
Thanks!
status-firefox19: affecteddisabled
status-firefox20: affectedwontfix
status-firefox21: affectedwontfix
status-firefox23: --- → fixed
Whiteboard: [tsan][tsan-test-blocker][webrtc][blocking-webrtc+][qa-][webrtc-uplift] → [tsan][tsan-test-blocker][webrtc][blocking-webrtc+][qa-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: