Closed Bug 1743221 Opened 3 years ago Closed 3 years ago

ThreadSanitizer: data race [@ AddCompositableRef] vs. [@ ReleaseCompositableRef]

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
97 Branch
Tracking Flags:
Tracking Status
firefox-esr91 96+ fixed
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 + fixed
firefox97 + fixed

People

(Reporter: tsmith, Assigned: sotaro)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: csectype-race, regression, sec-moderate, Whiteboard: [adv-main96+r][adv-ESR91.5+r])

Attachments

(1 file)

Bug 1743221 - Clear CompositableParentManager::mCompositables in WebRenderBridgeParent::Destroy()
(deleted), text/x-phabricator-request
tjr
: approval-mozilla-beta+
tjr
: approval-mozilla-esr91+
tjr
: sec-approval+
Details

Found while fuzzing m-c 20211005-0c84f40112a5 (--enable-thread-sanitizer --enable-fuzzing)

WARNING: ThreadSanitizer: data race (pid=17738)
  Write of size 4 at 0x7b1c000642cc by thread T70:
    #0 AddCompositableRef /builds/worker/workspace/obj-build/dist/include/mozilla/layers/TextureHost.h:626:5 (libxul.so+0x1faa408)
    #1 operator= /builds/worker/workspace/obj-build/dist/include/mozilla/layers/TextureHost.h:258:15 (libxul.so+0x1faa408)
    #2 operator= src/gfx/layers/wr/AsyncImagePipelineManager.h:151:10 (libxul.so+0x1faa408)
    #3 __copy_m<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost *, mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost *> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:343:18 (libxul.so+0x1faa408)
    #4 __copy_move_a<true, mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost *, mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost *> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:385:14 (libxul.so+0x1faa408)
    #5 __copy_move_a2<true, __gnu_cxx::__normal_iterator<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost *, std::vector<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost> >, __gnu_cxx::__normal_iterator<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost *, std::vector<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost> > > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:422:18 (libxul.so+0x1faa408)
    #6 move<__gnu_cxx::__normal_iterator<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost *, std::vector<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost> >, __gnu_cxx::__normal_iterator<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost *, std::vector<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost> > > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:487:14 (libxul.so+0x1faa408)
    #7 std::vector<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost, std::allocator<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost> >::_M_erase(__gnu_cxx::__normal_iterator<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost*, std::vector<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost, std::allocator<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost> > >, __gnu_cxx::__normal_iterator<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost*, std::vector<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost, std::allocator<mozilla::layers::AsyncImagePipelineManager::ForwardingTextureHost> > >) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/vector.tcc:171:6 (libxul.so+0x1faa408)
    #8 erase /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:1210:9 (libxul.so+0x1f97de6)
    #9 mozilla::layers::AsyncImagePipelineManager::ProcessPipelineRendered(mozilla::wr::PipelineId const&, mozilla::wr::Epoch const&, mozilla::layers::BaseTransactionId<mozilla::wr::RenderedFrameIdType>) src/gfx/layers/wr/AsyncImagePipelineManager.cpp:665:47 (libxul.so+0x1f97de6)
    #10 mozilla::layers::AsyncImagePipelineManager::ProcessPipelineUpdates() src/gfx/layers/wr/AsyncImagePipelineManager.cpp:631:7 (libxul.so+0x1f97a6a)
    #11 applyImpl<FdWatcher, void (FdWatcher::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12 (libxul.so+0xb705a6)
    #12 apply<FdWatcher, void (FdWatcher::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12 (libxul.so+0xb705a6)
    #13 mozilla::detail::RunnableMethodImpl<mozilla::TaskQueue*, void (mozilla::TaskQueue::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13 (libxul.so+0xb705a6)
    #14 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1142:16 (libxul.so+0xc827b2)
    #15 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10 (libxul.so+0xc894a2)
    #16 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x15763ee)
    #17 RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10 (libxul.so+0x14f8c2c)
    #18 RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3 (libxul.so+0x14f8c2c)
    #19 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3 (libxul.so+0x14f8c2c)
    #20 nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:390:10 (libxul.so+0xc7efc8)
    #21 _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x43d86)

  Previous write of size 4 at 0x7b1c000642cc by thread T94:
    #0 ReleaseCompositableRef /builds/worker/workspace/obj-build/dist/include/mozilla/layers/TextureHost.h:633:5 (libxul.so+0x1f212d5)
    #1 ~CompositableTextureRef /builds/worker/workspace/obj-build/dist/include/mozilla/layers/TextureHost.h:252:13 (libxul.so+0x1f212d5)
    #2 ~TimedImage src/gfx/layers/composite/ImageComposite.h:61:10 (libxul.so+0x1f212d5)
    #3 Destruct /builds/worker/workspace/obj-build/dist/include/nsTArray.h:642:45 (libxul.so+0x1f212d5)
    #4 DestructRange /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2403:7 (libxul.so+0x1f212d5)
    #5 ClearAndRetainStorage /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1479:5 (libxul.so+0x1f212d5)
    #6 nsTArray_Impl<mozilla::layers::ImageComposite::TimedImage, nsTArrayInfallibleAllocator>::~nsTArray_Impl() /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1034:7 (libxul.so+0x1f212d5)
    #7 mozilla::layers::ImageComposite::~ImageComposite() src/gfx/layers/composite/ImageComposite.cpp:25:33 (libxul.so+0x1f21234)
    #8 ~WebRenderImageHost src/gfx/layers/wr/WebRenderImageHost.cpp:36:77 (libxul.so+0x1fd4caa)
    #9 mozilla::layers::WebRenderImageHost::~WebRenderImageHost() src/gfx/layers/wr/WebRenderImageHost.cpp:36:43 (libxul.so+0x1fd4caa)
    #10 Release /builds/worker/workspace/obj-build/dist/include/CompositableHost.h:87:3 (libxul.so+0x1f6c954)
    #11 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40 (libxul.so+0x1f6c954)
    #12 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36 (libxul.so+0x1f6c954)
    #13 ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7 (libxul.so+0x1f6c954)
    #14 ~pair /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_pair.h:208:12 (libxul.so+0x1f6c954)
    #15 destroy<std::pair<const unsigned long, RefPtr<mozilla::layers::CompositableHost> > > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:140:28 (libxul.so+0x1f6c954)
    #16 destroy<std::pair<const unsigned long, RefPtr<mozilla::layers::CompositableHost> > > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:487:8 (libxul.so+0x1f6c954)
    #17 _M_destroy_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:650:2 (libxul.so+0x1f6c954)
    #18 _M_drop_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:658:2 (libxul.so+0x1f6c954)
    #19 std::_Rb_tree<unsigned long, std::pair<unsigned long const, RefPtr<mozilla::layers::CompositableHost> >, std::_Select1st<std::pair<unsigned long const, RefPtr<mozilla::layers::CompositableHost> > >, std::less<unsigned long>, std::allocator<std::pair<unsigned long const, RefPtr<mozilla::layers::CompositableHost> > > >::_M_erase(std::_Rb_tree_node<std::pair<unsigned long const, RefPtr<mozilla::layers::CompositableHost> > >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1858:4 (libxul.so+0x1f6c954)
    #20 ~_Rb_tree /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:949:9 (libxul.so+0x1fb42c8)
    #21 ~map /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_map.h:294:22 (libxul.so+0x1fb42c8)
    #22 ~CompositableParentManager /builds/worker/workspace/obj-build/dist/include/mozilla/layers/CompositableTransactionParent.h:25:7 (libxul.so+0x1fb42c8)
    #23 mozilla::layers::WebRenderBridgeParent::~WebRenderBridgeParent() src/gfx/layers/wr/WebRenderBridgeParent.cpp:390:1 (libxul.so+0x1fb42c8)
    #24 ~WebRenderBridgeParent src/gfx/layers/wr/WebRenderBridgeParent.cpp:387:49 (libxul.so+0x1fb45b9)
    #25 non-virtual thunk to mozilla::layers::WebRenderBridgeParent::~WebRenderBridgeParent() src/gfx/layers/wr/WebRenderBridgeParent.cpp (libxul.so+0x1fb45b9)
    #26 Release /builds/worker/workspace/obj-build/dist/include/mozilla/layers/ISurfaceAllocator.h:69:3 (libxul.so+0x1febcc9)
    #27 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40 (libxul.so+0x1febcc9)
    #28 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36 (libxul.so+0x1febcc9)
    #29 ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7 (libxul.so+0x1febcc9)
    #30 ~SceneBuiltNotification src/gfx/layers/wr/WebRenderBridgeParent.cpp:241:7 (libxul.so+0x1febcc9)
    #31 mozilla::layers::SceneBuiltNotification::~SceneBuiltNotification() src/gfx/layers/wr/WebRenderBridgeParent.cpp:241:7 (libxul.so+0x1febcc9)
    #32 wr_transaction_notification_notified src/gfx/webrender_bindings/WebRenderAPI.cpp:1673:3 (libxul.so+0x21637cc)
    #33 _$LT$webrender_bindings..bindings..wr_transaction_notify..GeckoNotification$u20$as$u20$webrender_api..NotificationHandler$GT$::notify::h2fbf4f7d02085e71 src/gfx/webrender_bindings/src/bindings.rs:1820:17 (libxul.so+0x85e1bc4)
    #34 webrender_api::NotificationRequest::notify::he7340c7edd43e9e1 src/gfx/wr/webrender_api/src/lib.rs:271:13 (libxul.so+0x85b138b)
    #35 webrender::scene_builder_thread::SceneBuilderThread::process_transaction::_$u7b$$u7b$closure$u7d$$u7d$::h92fb2d3087ad057b src/gfx/wr/webrender/src/scene_builder_thread.rs:638:19 (libxul.so+0x84a640b)
    #36 webrender::util::drain_filter::hc270327dc725706d src/gfx/wr/webrender/src/util.rs:1305:13 (libxul.so+0x84a640b)
    #37 webrender::scene_builder_thread::SceneBuilderThread::process_transaction::h33b5b48bd42b581b src/gfx/wr/webrender/src/scene_builder_thread.rs:635:9 (libxul.so+0x84a640b)
    #38 webrender::scene_builder_thread::SceneBuilderThread::run::_$u7b$$u7b$closure$u7d$$u7d$::h2b369db1505979cf src/gfx/wr/webrender/src/scene_builder_thread.rs:312:36 (libxul.so+0x84a640b)
    #39 core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::hff8028be9c145db0 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/map.rs:89:28 (libxul.so+0x84a640b)
    #40 core::iter::traits::iterator::Iterator::try_fold::h05f837406bde0a01 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:1998:21 (libxul.so+0x84a640b)
    #41 _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h4692ece791659e18 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/adapters/map.rs:115:9 (libxul.so+0x84a640b)
    #42 _$LT$I$u20$as$u20$alloc..vec..source_iter_marker..SpecInPlaceCollect$LT$T$C$I$GT$$GT$::collect_in_place::hcf38e634199b6e3a /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/source_iter_marker.rs:119:13 (libxul.so+0x84a640b)
    #43 alloc::vec::source_iter_marker::_$LT$impl$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$u20$for$u20$alloc..vec..Vec$LT$T$GT$$GT$::from_iter::hd7ef44d6c3480f41 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/source_iter_marker.rs:55:19 (libxul.so+0x84a640b)
    #44 _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..collect..FromIterator$LT$T$GT$$GT$::from_iter::h9dcc4f5cb9aab191 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:2453:9 (libxul.so+0x84a640b)
    #45 core::iter::traits::iterator::Iterator::collect::hc07811a9f314f3e2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:1749:9 (libxul.so+0x84a640b)
    #46 webrender::scene_builder_thread::SceneBuilderThread::run::h4c67226683018353 src/gfx/wr/webrender/src/scene_builder_thread.rs:311:67 (libxul.so+0x84a640b)
    #47 webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h245d497a32401fe7 src/gfx/wr/webrender/src/renderer/mod.rs:1237:13 (libxul.so+0x84a5413)
    #48 std::sys_common::backtrace::__rust_begin_short_backtrace::h497e01cb9d2ebd30 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18 (libxul.so+0x84a5413)
    #49 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h1e36afdd70c0e6bc /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:476:17 (libxul.so+0x84a508f)
    #50 _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hb0d6f7f5d4a67019 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:347:9 (libxul.so+0x84a508f)
    #51 std::panicking::try::do_call::h5eb03c6ca79036ea /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:401:40 (libxul.so+0x84a508f)
    #52 std::panicking::try::hc43c0974b78702a4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:365:19 (libxul.so+0x84a508f)
    #53 std::panic::catch_unwind::h0216148c188639fc /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:434:14 (libxul.so+0x84a508f)
    #54 std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h880c7a449ed40142 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:475:30 (libxul.so+0x84a508f)
    #55 core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h7595f5d73110834f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5 (libxul.so+0x84a508f)
    #56 _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h692a33f7e2a54a24 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1572:9 (libxul.so+0x7dac8f6)
    #57 _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h8327fd8880ab52d1 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1572:9 (libxul.so+0x7dac8f6)
    #58 std::sys::unix::thread::Thread::new::thread_start::he817b28a2ced59f6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys/unix/thread.rs:91:17 (libxul.so+0x7dac8f6)

  Location is heap block of size 104 at 0x7b1c00064290 allocated by thread T70:
    #0 malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:651:5 (firefox+0x5b20b)
    #1 moz_xmalloc src/memory/mozalloc/mozalloc.cpp:52:15 (firefox+0xcb8ab)
    #2 operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10 (libxul.so+0x1e4d99d)
    #3 mozilla::layers::TextureHost::Create(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::ISurfaceAllocator*, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, mozilla::Maybe<mozilla::wr::ExternalImageId>&) src/gfx/layers/composite/TextureHost.cpp:243:9 (libxul.so+0x1e4d99d)
    #4 Init src/gfx/layers/composite/TextureHost.cpp:1230:18 (libxul.so+0x1e4d495)
    #5 mozilla::layers::TextureHost::CreateIPDLActor(mozilla::layers::HostIPCAllocator*, mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, unsigned long, mozilla::Maybe<mozilla::wr::ExternalImageId> const&) src/gfx/layers/composite/TextureHost.cpp:123:15 (libxul.so+0x1e4d495)
    #6 mozilla::layers::ContentCompositorBridgeParent::AllocPTextureParent(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::LayersBackend const&, mozilla::layers::TextureFlags const&, mozilla::layers::LayersId const&, unsigned long const&, mozilla::Maybe<mozilla::wr::ExternalImageId> const&) src/gfx/layers/ipc/ContentCompositorBridgeParent.cpp:414:10 (libxul.so+0x1f4861e)
    #7 mozilla::layers::PCompositorBridgeParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorBridgeParent.cpp:1179:87 (libxul.so+0x163b414)
    #8 mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerParent.cpp:200:32 (libxul.so+0x1642fdc)
    #9 mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2043:25 (libxul.so+0x1571bce)
    #10 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:1968:9 (libxul.so+0x1570265)
    #11 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1827:3 (libxul.so+0x1570e5a)
    #12 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1855:14 (libxul.so+0x15712d5)
    #13 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1142:16 (libxul.so+0xc827b2)
    #14 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10 (libxul.so+0xc894a2)
    #15 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:330:5 (libxul.so+0x1576458)
    #16 RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10 (libxul.so+0x14f8c2c)
    #17 RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3 (libxul.so+0x14f8c2c)
    #18 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3 (libxul.so+0x14f8c2c)
    #19 nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:390:10 (libxul.so+0xc7efc8)
    #20 _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x43d86)

  Thread T70 'Compositor' (tid=18114, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:965:3 (firefox+0x5ca3b)
    #1 _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x3af13)
    #2 PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x2fa65)
    #3 nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:602:18 (libxul.so+0xc80332)
    #4 nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:576:12 (libxul.so+0xc8847a)
    #5 NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:163:57 (libxul.so+0xc8f214)
    #6 NS_NewNamedThread<11> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10 (libxul.so+0x1f44bce)
    #7 mozilla::layers::CompositorThreadHolder::CreateCompositorThread() src/gfx/layers/ipc/CompositorThread.cpp:62:17 (libxul.so+0x1f44bce)
    #8 CompositorThreadHolder src/gfx/layers/ipc/CompositorThread.cpp:39:25 (libxul.so+0x1f44cba)
    #9 mozilla::layers::CompositorThreadHolder::Start() src/gfx/layers/ipc/CompositorThread.cpp:103:33 (libxul.so+0x1f44cba)
    #10 InitLayersIPC src/gfx/thebes/gfxPlatform.cpp:1273:5 (libxul.so+0x2015240)
    #11 gfxPlatform::Init() src/gfx/thebes/gfxPlatform.cpp:938:3 (libxul.so+0x2015240)
    #12 GetPlatform src/gfx/thebes/gfxPlatform.cpp:462:5 (libxul.so+0x2016747)
    #13 gfxPlatform::InitializeCMS() src/gfx/thebes/gfxPlatform.cpp:2084:9 (libxul.so+0x2016747)
    #14 EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:955:7 (libxul.so+0x48d00d5)
    #15 GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:520:5 (libxul.so+0x48d00d5)
    #16 nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::LookAndFeel::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) src/widget/nsXPLookAndFeel.cpp:793:9 (libxul.so+0x48d00d5)
    #17 mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::LookAndFeel::ColorScheme, mozilla::LookAndFeel::UseStandins) src/widget/nsXPLookAndFeel.cpp:1106:47 (libxul.so+0x48d1716)
    #18 Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:466:12 (libxul.so+0x48a615d)
    #19 ThemedAccentColor src/widget/nsNativeBasicTheme.cpp:146:37 (libxul.so+0x48a615d)
    #20 nsNativeBasicTheme::RecomputeAccentColors() src/widget/nsNativeBasicTheme.cpp:287:20 (libxul.so+0x48a615d)
    #21 LookAndFeelChanged src/widget/nsNativeBasicTheme.cpp:274:3 (libxul.so+0x48a6041)
    #22 nsNativeBasicTheme::Init() src/widget/nsNativeBasicTheme.cpp:264:3 (libxul.so+0x48a6041)
    #23 nsXPLookAndFeel::GetInstance() src/widget/nsXPLookAndFeel.cpp:364:3 (libxul.so+0x48cf62c)
    #24 mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) src/widget/nsXPLookAndFeel.cpp:1226:3 (libxul.so+0x48d1ba8)
    #25 nsSystemInfo::Init() src/xpcom/base/nsSystemInfo.cpp:1003:5 (libxul.so+0xbc70cd)
    #26 mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10483:7 (libxul.so+0xc4cde8)
    #27 mozilla::xpcom::StaticModule::CreateInstance(nsISupports*, nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12087:10 (libxul.so+0xc43e13)
    #28 CreateInstance src/xpcom/components/nsComponentManager.cpp:177:46 (libxul.so+0xc5aa59)
    #29 nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1276:17 (libxul.so+0xc5aa59)
    #30 nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1366:10 (libxul.so+0xc5b037)
    #31 mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12206:50 (libxul.so+0xc4dafa)
    #32 nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) src/xpcom/base/nsCOMPtr.cpp:109:7 (libxul.so+0xba319f)
    #33 nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:999:5 (libxul.so+0x1ae938a)
    #34 GetServiceImpl src/js/xpconnect/src/JSServices.cpp:84:32 (libxul.so+0x1ae938a)
    #35 GetService src/js/xpconnect/src/JSServices.cpp:131:8 (libxul.so+0x1ae938a)
    #36 xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) src/js/xpconnect/src/JSServices.cpp:154:25 (libxul.so+0x1ae938a)
    #37 CallResolveOp src/js/src/vm/NativeObject-inl.h:634:8 (libxul.so+0x6a0a3c3)
    #38 NativeLookupOwnPropertyInline<js::CanGC, js::LookupResolveMode::CheckResolve> src/js/src/vm/NativeObject-inl.h:751:14 (libxul.so+0x6a0a3c3)
    #39 NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2150:10 (libxul.so+0x6a0a3c3)
    #40 js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2198:10 (libxul.so+0x6a0a3c3)
    #41 GetProperty src/js/src/vm/ObjectOperations-inl.h:115:10 (libxul.so+0x677e026)
    #42 GetProperty src/js/src/vm/ObjectOperations-inl.h:122:10 (libxul.so+0x677e026)
    #43 js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4547:10 (libxul.so+0x677e026)
    #44 GetPropertyOperation src/js/src/vm/Interpreter.cpp:203:10 (libxul.so+0x676bcf9)
    #45 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2903:12 (libxul.so+0x676bcf9)
    #46 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:354:13 (libxul.so+0x6762cf6)
    #47 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:504:13 (libxul.so+0x6779641)
    #48 InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:532:10 (libxul.so+0x677a3ee)
    #49 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:549:8 (libxul.so+0x677a4da)
    #50 JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:53:10 (libxul.so+0x68ab46e)
    #51 nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:973:17 (libxul.so+0x1b046a7)
    #52 PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37 (libxul.so+0xcae411)
    #53 SharedStub <null> (libxul.so+0xcad772)
    #54 nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:976:11 (libxul.so+0x664bc3e)
    #55 XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:5027:18 (libxul.so+0x663a60f)
    #56 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5477:8 (libxul.so+0x663b9a6)
    #57 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5536:21 (libxul.so+0x663bf74)
    #58 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12 (libxul.so+0x6646442)
    #59 do_main src/browser/app/nsBrowserApp.cpp:225:22 (firefox+0xc9b58)
    #60 main src/browser/app/nsBrowserApp.cpp:392:16 (firefox+0xc9b58)

  Thread T94 'WRScene~ilder#1' (tid=18235, running) created by thread T53 at:
    #0 pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:965:3 (firefox+0x5ca3b)
    #1 std::sys::unix::thread::Thread::new::h970c6f22e604a088 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys/unix/thread.rs:70:19 (libxul.so+0x7dac64b)
    #2 std::thread::Builder::spawn_unchecked::hda85defda51af1e9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:500:22 (libxul.so+0x8320056)
    #3 std::thread::Builder::spawn::h341e00ba65b1e6e6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:383:18 (libxul.so+0x8320056)
    #4 webrender::renderer::Renderer::new::h33e0e23bc433974a src/gfx/wr/webrender/src/renderer/mod.rs:1226:9 (libxul.so+0x8320056)
    #5 wr_window_new src/gfx/webrender_bindings/src/bindings.rs:1657:36 (libxul.so+0x85c50f3)
    #6 mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) src/gfx/webrender_bindings/WebRenderAPI.cpp:157:10 (libxul.so+0x216693b)
    #7 mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) src/gfx/webrender_bindings/RenderThread.cpp:428:11 (libxul.so+0x214fcca)
    #8 applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent>), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent> > , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12 (libxul.so+0x2159f13)
    #9 apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent>)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12 (libxul.so+0x2159f13)
    #10 mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13 (libxul.so+0x2159f13)
    #11 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1142:16 (libxul.so+0xc827b2)
    #12 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10 (libxul.so+0xc894a2)
    #13 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:330:5 (libxul.so+0x1576458)
    #14 RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10 (libxul.so+0x14f8c2c)
    #15 RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3 (libxul.so+0x14f8c2c)
    #16 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3 (libxul.so+0x14f8c2c)
    #17 nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:390:10 (libxul.so+0xc7efc8)
    #18 _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x43d86)
Keywords: sec-moderate
Regressed by: 1589718

In the worst case (this happens regularly in the wild, controllable from content) this could lead to exploitable use-after-frees. But this looks controlled by us so calling it sec-moderate for now. Can raise if we see related signatures in the wild

Set release status flags based on info from the regressing bug 1589718

status-firefox94: --- → affected
status-firefox95: --- → affected
status-firefox96: --- → affected
status-firefox-esr91: --- → affected
Assignee: nobody → sotaro.ikeda.g
Flags: needinfo?(sotaro.ikeda.g)

A cause of problem seems not related to bug 1589718. One problem is that CompositableParentManager::mCompositables is not released by WebRenderBridgeParent::Destroy().

No longer regressed by: 1589718

Race condition seemed to be introduced by Bug 1505858.

Regressed by: 1505858
Has Regression Range: --- → yes
Keywords: regression

Comment on attachment 9253560 [details]
Bug 1743221 - Clear CompositableParentManager::mCompositables in WebRenderBridgeParent::Destroy()

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It is very hard to do it.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 65
  • If not all supported branches, which bug introduced the flaw?: Bug 1505858
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: It is very easy to create the patch and low risk.
  • How likely is this patch to cause regressions; how much testing does it need?: It is not likely to cause the regression. Normal auto testings seem enough.
Attachment #9253560 - Flags: sec-approval?

Comment on attachment 9253560 [details]
Bug 1743221 - Clear CompositableParentManager::mCompositables in WebRenderBridgeParent::Destroy()

Approved to land and uplift.

Attachment #9253560 - Flags: sec-approval?
Attachment #9253560 - Flags: sec-approval+
Attachment #9253560 - Flags: approval-mozilla-esr91+
Attachment #9253560 - Flags: approval-mozilla-beta+

Clear CompositableParentManager::mCompositables in WebRenderBridgeParent::Destroy() r=nical
https://hg.mozilla.org/integration/autoland/rev/6d8adc06d5d12376e9989f21e24c561cada866de
https://hg.mozilla.org/mozilla-central/rev/6d8adc06d5d1

Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox97: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main96+r][adv-ESR91.5+r]
Alias: CVE-2022-22741
Alias: CVE-2022-22741
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: