Closed Bug 1683439 Opened 4 years ago Closed 4 years ago

ThreadSanitizer: data race [@ AudioCallbackDriver::MixerCallback] vs. [@ AudioCallbackDriver::Init]

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
87 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox85 --- wontfix
firefox86 --- wontfix
firefox87 --- fixed

People

(Reporter: Gankra, Assigned: kinetik)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-race, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main87+r][adv-esr78.9+r])

Attachments

(3 files)

tsan-backtrace-dec-2020.txt
33.97 KB, text/plain
Details
Bug 1683439 - supress issue found while enabling full tsan shutdown. r?decoder
48 bytes, text/x-phabricator-request
Details | Review
Bug 1683439 - Remove suppression for fixed issue. r?kriswright
48 bytes, text/x-phabricator-request
Details | Review

I noticed that Bug 1638212 "coming back" was actually a different bug altogether. Marked as security because potential dereference of uninit pointer. Filing this new bug to not draw attention to the intermittent.

Racing on writing to mScratchBuffer vs allocating+assigning it.

AudioCallbackDriver::MixerCallback

vs

AudioCallbackDriver::Init

General information about TSan reports

Why fix races?

Data races are undefined behavior and can cause crashes as well as correctness issues. Compiler optimizations can cause racy code to have unpredictable and hard-to-reproduce behavior.

Rating

If you think this race can cause crashes or correctness issues, it would be great to rate the bug appropriately as P1/P2 and/or indicating this in the bug. This makes it a lot easier for us to assess the actual impact that these reports make and if they are helpful to you.

False Positives / Benign Races

Typically, races reported by TSan are not false positives [1], but it is possible that the race is benign. Even in this case it would be nice to come up with a fix if it is easily doable and does not regress performance. Every race that we cannot fix will have to remain on the suppression list and slows down the overall TSan performance. Also note that seemingly benign races can possibly be harmful (also depending on the compiler, optimizations and the architecture) [2][3].

[1] One major exception is the involvement of uninstrumented code from third-party libraries.
[2] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[3] How to miscompile programs with "benign" data races: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf
Suppressing unfixable races

If the bug cannot be fixed, then a runtime suppression needs to be added in mozglue/build/TsanOptions.cpp. The suppressions match on the full stack, so it should be picked such that it is unique to this particular race. The bug number of this bug should also be included so we have some documentation on why this suppression was added.

Group: core-security → media-core-security
Keywords: csectype-race
Assignee: nobody → a.beingessner
Status: NEW → ASSIGNED

This seems to occur only together with bug 1674039.
I've seen between 1 and 3 occurrences detected in a single run.
It looks like this often happens with toolkit/content/tests/browser/browser_media_wakelock_webaudio.js, but can also happen in other tests such as after browser_delay_autoplay_webAudio.js.

Hypothetically this might happen if AudioCallbackDriver::Init() could be called again somehow while the DataCallback() is running, but I don't see a way that could happen.

FallbackWrapper::OneIteration() is called only with a null mixer.

Blocks: 1674039

Alexis, Can we be confident that TSAN analysis across Rust and C++ is now sound?

Part of the synchronization of threads involved here happens out of process. TSAN should be able to see that through write and read system calls to the other process from Rust code. Would the TSAN analysis treat these system calls as synchronization points?

If not, I wonder whether changes for bug 1671691 may have removed suppressions for this situation.

One thing that may be helpful here might be if we could raise SIGABRT to get stack traces from all threads.

Flags: needinfo?(a.beingessner)
Blocks: 1638212

(In reply to Karl Tomlinson (:karlt) from comment #3)

Part of the synchronization of threads involved here happens out of process. TSAN should be able to see that through write and read system calls to the other process from Rust code. Would the TSAN analysis treat these system calls as synchronization points?

So you are doing reads and writes and in-between those, there is (out-of-process) synchronization? In this case, TSan considers this synchronized if the read and write happens on the same fd:

io_sync 	(Default: 1) 	Controls level of synchronization implied by IO operations. 0 - no synchronization; 1 - reasonable level of synchronization (write->read on the same fd); 2 - global synchronization of all IO operations.

If you have two syscalls to different file descriptors but there is synchronization between those in another process, then that can currently cause a false positive. We haven't seen this happen yet in Firefox, so far all operations that had external synchronization were on the same fd.

(In reply to Christian Holler (:decoder) from comment #4)

So you are doing reads and writes and in-between those, there is (out-of-process) synchronization?

Thanks, Christian. Yes, my expectation is that, but I'm not familiar with the details.

Matthew, do you know whether audioipc reads and writes on the same fd?
(I would have guessed different pipes for each direction.)

Flags: needinfo?(kinetik)
Flags: needinfo?(a.beingessner)
Keywords: leave-open
Assignee: a.beingessner → nobody
Status: ASSIGNED → NEW

(In reply to Karl Tomlinson (back Feb 2 :karlt) from comment #5)

Matthew, do you know whether audioipc reads and writes on the same fd?
(I would have guessed different pipes for each direction.)

There's one SOCK_STREAM Unix domain socket per cubeb stream which is used to synchronize access to the inter-process shared memory used by AudioIPC's data_callback shim. On waking due to readability of the UDS, the shim will pass the in/out shm to the supplied data_callback for processing. Once data_callback returns, the shim signals the shm access is complete by sending a message via the UDS. Note that the actual read/write syscall and the shm access happen on different threads with some other synchronization via the futures task executor.

There's a second UDS (one per cubeb context) used for cubeb_stream_init processing, but none of that code path accesses the shm regions.

(In reply to Karl Tomlinson (back Feb 2 :karlt) from comment #2)

Hypothetically this might happen if AudioCallbackDriver::Init() could be called again somehow while the DataCallback() is running, but I don't see a way that could happen.

There's may be an ordering issue in AudioIPC where a DataCallback for a previous stream is running after stream destroy, I'll investigate.

Flags: needinfo?(kinetik)
Assignee: nobody → kinetik

(In reply to Matthew Gregan [:kinetik] from comment #7)

There's a second UDS (one per cubeb context) used for cubeb_stream_init processing, but none of that code path accesses the shm regions.

Thanks. That may be something to bear in mind when looking at other TSAN races, but cubeb_stream_init has not yet been called again here.

There's may be an ordering issue in AudioIPC where a DataCallback for a previous stream is running after stream destroy, I'll investigate.

If there is such an ordering issue, then that would lead to this race, yes.

Severity: -- → S2

Should be fixed by bug 1690718.

Status: NEW → ASSIGNED
Depends on: 1690718

Not sure how/when to land the supression removal, but it's all ready to go for whenever we're ready

Thanks! Bug 1690718 is on m-c, so I've queued this for landing too.

Yes, thank you. Marking resolved.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(kinetik)
Resolution: --- → FIXED
Group: media-core-security → core-security-release
status-firefox87: --- → fixed
Keywords: leave-open
Target Milestone: --- → 87 Branch

Is there a plan to uplift this to release? Bug 1638212 is still catching that.

The patch landed in nightly and beta is affected.
:kinetik, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(kinetik)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #16)

The patch landed in nightly and beta is affected.
:kinetik, is this bug important enough to require an uplift?

I've requested beta uplift in bug 1690718.

I'm not sure this fix meets the criteria for a release uplift.

Flags: needinfo?(kinetik)

beta uplift was denied as it's RC week.

status-firefox86: affectedwontfix
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main87+r][adv-esr78.9+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: