Closed Bug 1892287 Opened 1 year ago Closed 1 year ago

ThreadSanitizer: data race [@ js::gc::GCRuntime::freeFromBackgroundThread] vs. [@ ArrayJoinDenseKernel]

Categories

(Core :: JavaScript: GC, defect, P1)


Tracking


RESOLVED DUPLICATE of bug 1890909
Tracking Status
firefox127 --- affected

People

(Reporter: tsmith, Assigned: sfink)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-race, sec-high)

Found with m-c 20240418-e725b213623e (--enable-thread-sanitizer --enable-fuzzing)

This was found by visiting a live website with a TSan build.

STR:

WARNING: ThreadSanitizer: data race (pid=13848)
  Write of size 8 at 0x7b6000233800 by thread T27:
    #0 free /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:722:3 (firefox-bin+0xd1f35) (BuildId: 0e1defd7300885c5455b0f4f7998c6bce10bfd61)
    #1 js_free /builds/worker/workspace/obj-build/dist/include/js/Utility.h:418:3 (libxul.so+0xa701c8f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #2 freeUntracked /builds/worker/checkouts/gecko/js/src/gc/GCContext.h:117:33 (libxul.so+0xa701c8f)
    #3 js::gc::GCRuntime::freeFromBackgroundThread(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:479:12 (libxul.so+0xa701c8f)
    #4 js::gc::BackgroundFreeTask::run(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:459:7 (libxul.so+0xa701a98) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #5 js::GCParallelTask::runTask(JS::GCContext*, js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:201:3 (libxul.so+0xa6bd9f7) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #6 js::GCParallelTask::runHelperThreadTask(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:183:3 (libxul.so+0xa6bdcb1) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #7 runTaskLocked /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1728:9 (libxul.so+0xa0dfb7b) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #8 js::GlobalHelperThreadState::runOneTask(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1697:5 (libxul.so+0xa0dfb7b)
    #9 JS::RunHelperThreadTask() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1684:23 (libxul.so+0xa0df994) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #10 HelperThreadTaskHandler::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1113:5 (libxul.so+0x3f239af) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #11 mozilla::TaskController::RunPoolThread() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:370:33 (libxul.so+0x3220b7e) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #12 mozilla::ThreadFuncPoolThread(void*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:222:26 (libxul.so+0x32202be) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #13 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4ba79) (BuildId: e38e45ce06f49cf2783acf0b8b3ae9897adc5815)

  Previous read of size 8 at 0x7b6000233800 by main thread:
    #0 new_<const char16_t &> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:251:12 (libxul.so+0x9f7baf4) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #1 copyConstruct<char16_t> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:284:7 (libxul.so+0x9f7baf4)
    #2 internalAppend<char16_t> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1443:3 (libxul.so+0x9f7baf4)
    #3 append<char16_t> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1433:3 (libxul.so+0x9f7baf4)
    #4 append<char16_t> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1516:10 (libxul.so+0x9f7baf4)
    #5 js::StringBuffer::append(JSLinearString*) /builds/worker/checkouts/gecko/js/src/util/StringBuffer.h:430:31 (libxul.so+0x9f7baf4)
    #6 append /builds/worker/checkouts/gecko/js/src/util/StringBuffer.h:484:10 (libxul.so+0x9f5651f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #7 ArrayJoinDenseKernel<(lambda at /builds/worker/checkouts/gecko/js/src/builtin/Array.cpp:1350:20)> /builds/worker/checkouts/gecko/js/src/builtin/Array.cpp:1168:15 (libxul.so+0x9f5651f)
    #8 bool ArrayJoinKernel<js::array_join(JSContext*, unsigned int, JS::Value*)::$_1>(JSContext*, js::array_join(JSContext*, unsigned int, JS::Value*)::$_1, JS::Handle<JSObject*>, unsigned long, js::StringBuffer&) /builds/worker/checkouts/gecko/js/src/builtin/Array.cpp:1215:10 (libxul.so+0x9f5651f)
    #9 js::array_join(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Array.cpp:1351:12 (libxul.so+0x9f55b55) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #10 js::jit::ArrayJoin(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:677:8 (libxul.so+0xa8c16c1) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #11 <null> <null> (0x7f897ef1811c)
    #12 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:441:32 (libxul.so+0x9f99786) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #13 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13 (libxul.so+0x9f9a486) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #14 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10 (libxul.so+0x9f9b037) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #15 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8 (libxul.so+0x9f9b037)
    #16 Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.h:116:10 (libxul.so+0xa1d4f59) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #17 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2242:10 (libxul.so+0xa1d4f59)
    #18 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13 (libxul.so+0x9f9a3b9) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #19 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12 (libxul.so+0x9f9a3b9)
    #20 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10 (libxul.so+0x9f9b037) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #21 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8 (libxul.so+0x9f9b037)
    #22 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10 (libxul.so+0xa06f323) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #23 mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8 (libxul.so+0x516b963) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #24 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x313e987) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #25 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x313e987)
    #26 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:210:18 (libxul.so+0x313e987)
    #27 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:712:17 (libxul.so+0x312ae56) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #28 LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:241:7 (libxul.so+0x5d0d89d) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #29 mozilla::dom::CallbackObject::CallSetup::~CallSetup() /builds/worker/checkouts/gecko/dom/bindings/CallbackObject.cpp:394:11 (libxul.so+0x5d0d89d)
    #30 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:387:3 (libxul.so+0x4ba4651) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #31 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:399:12 (libxul.so+0x4ba4651)
    #32 mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) /builds/worker/checkouts/gecko/dom/base/IdleRequest.cpp:57:13 (libxul.so+0x4ba4651)
    #33 nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:730:12 (libxul.so+0x49b8782) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #34 nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:758:3 (libxul.so+0x49b7bb7) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #35 IdleRequestExecutor::Run() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:599:13 (libxul.so+0x49b78e7) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #36 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16 (libxul.so+0x322f662) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #37 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26 (libxul.so+0x3223c2e) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #38 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:772:15 (libxul.so+0x3222616) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #39 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36 (libxul.so+0x322278f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #40 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37 (libxul.so+0x3232904) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #41 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x3232904)
    #42 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x32478a8) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #43 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x324e054) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #44 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x3db3eee) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #45 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3db49bb) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #46 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d26e18) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #47 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d26e18)
    #48 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d26e18)
    #49 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7e7d763) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #50 nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33 (libxul.so+0x7f7237c) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #51 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20 (libxul.so+0x9dff36f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #52 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3db496a) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #53 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d26e18) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #54 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d26e18)
    #55 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d26e18)
    #56 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34 (libxul.so+0x9dfefc0) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #57 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9e0b4b2) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #58 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15c272) (BuildId: 0e1defd7300885c5455b0f4f7998c6bce10bfd61)
    #59 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15c272)

  Thread T27 'TaskCon~ller #7' (tid=13887, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (firefox-bin+0xd33bb) (BuildId: 0e1defd7300885c5455b0f4f7998c6bce10bfd61)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x42cee) (BuildId: e38e45ce06f49cf2783acf0b8b3ae9897adc5815)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x37f84) (BuildId: e38e45ce06f49cf2783acf0b8b3ae9897adc5815)
    #3 mozilla::TaskController::InitializeThreadPool() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:271:10 (libxul.so+0x32215c9) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #4 mozilla::TaskController::AddTask(already_AddRefed<mozilla::Task>&&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:436:7 (libxul.so+0x3221fe5) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #5 mozilla::dom::ScriptLoader::AttemptOffThreadScriptCompile(JS::loader::ScriptLoadRequest*, bool*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1750:26 (libxul.so+0x7c204ce) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #6 mozilla::dom::ScriptLoader::PrepareLoadedRequest(JS::loader::ScriptLoadRequest*, nsIIncrementalStreamLoader*, nsresult) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:3845:19 (libxul.so+0x7c282da) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #7 mozilla::dom::ScriptLoader::OnStreamComplete(nsIIncrementalStreamLoader*, JS::loader::ScriptLoadRequest*, nsresult, nsresult, mozilla::dom::SRICheckDataVerifier*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:3301:12 (libxul.so+0x7c165f8) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #8 mozilla::dom::ScriptLoadHandler::OnStreamComplete(nsIIncrementalStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /builds/worker/checkouts/gecko/dom/script/ScriptLoadHandler.cpp:459:23 (libxul.so+0x7c15efb) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #9 nsIncrementalStreamLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsIncrementalStreamLoader.cpp:82:20 (libxul.so+0x3437021) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #10 mozilla::net::InterceptFailedOnStop::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpBaseChannel.cpp:1427:19 (libxul.so+0x39a4571) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #11 mozilla::net::nsHTTPCompressConv::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:283:20 (libxul.so+0x37a5f48) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #12 mozilla::net::HttpChannelChild::DoOnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:1299:15 (libxul.so+0x3967444) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #13 mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:1095:5 (libxul.so+0x3966c99) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #14 operator() /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:922:15 (libxul.so+0x39b58de) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #15 std::_Function_handler<void (), mozilla::net::HttpChannelChild::ProcessOnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&, nsTArray<mozilla::net::ConsoleReportCollected>&&, bool, mozilla::TimeStamp const&)::$_2>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2 (libxul.so+0x39b58de)
    #16 operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14 (libxul.so+0x388b393) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #17 mozilla::net::ChannelFunctionEvent::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:55:25 (libxul.so+0x388b393)
    #18 mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:94:12 (libxul.so+0x3b6459d) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #19 MaybeFlushQueue /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.h:354:5 (libxul.so+0x3b88c0c) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #20 mozilla::net::ChannelEventQueue::CompleteResume() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.h:333:5 (libxul.so+0x3b88c0c)
    #21 mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:152:17 (libxul.so+0x3b889ff) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #22 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16 (libxul.so+0x322f662) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #23 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26 (libxul.so+0x3223c2e) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #24 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15 (libxul.so+0x3222456) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #25 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36 (libxul.so+0x322278f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #26 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37 (libxul.so+0x3232904) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #27 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x3232904)
    #28 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x32478a8) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #29 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x324e054) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #30 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x3db3eee) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #31 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3db49bb) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #32 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d26e18) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #33 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d26e18)
    #34 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d26e18)
    #35 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7e7d763) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #36 nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33 (libxul.so+0x7f7237c) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #37 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20 (libxul.so+0x9dff36f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #38 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3db496a) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #39 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d26e18) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #40 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d26e18)
    #41 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d26e18)
    #42 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34 (libxul.so+0x9dfefc0) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #43 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9e0b4b2) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #44 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15c272) (BuildId: 0e1defd7300885c5455b0f4f7998c6bce10bfd61)
    #45 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15c272)

This might be another dupe of bug 1890909 but the allocation is from a different enough place that I'd like to keep it separate for now.

Blocks: sm-security
Severity: -- → S2
Priority: -- → P1
Assignee: nobody → sphink

Now that I've seen enough of these, this does indeed look like a symptom of bug 1890909.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1890909
Resolution: --- → DUPLICATE
Group: javascript-core-security