Closed
Bug 1163079
Opened 11 years ago
Closed 6 years ago
GeckoChildProcessHost.cpp calls nsDirectoryService::Get off main-thread (unsafe race)
Categories
(Core :: IPC, defect, P5)
Core
IPC
Tracking
()
RESOLVED
FIXED
mozilla71
| Tracking | Status | |
|---|---|---|
| firefox71 | --- | fixed |
People
(Reporter: jib, Assigned: Gijs)
References
Details
Attachments
(1 file)
STR: Start firefox with patch in Bug 1163021 comment 8.
In Gecko_IOThread (5) here http://mxr.mozilla.org/mozilla-central/source/ipc/glue/GeckoChildProcessHost.cpp?rev=c4d062966fee#519
This is unsafe as pointed out in Bug 1163021 comment 2.
|
Reporter | |
Comment 1•11 years ago
|
||
> Gecko_IOThread (5)
> #0 0x00000001016c2014 in nsDirectoryService::Get(char const*, nsID const&, void**) at /Users/Jan/moz/mozilla-central/xpcom/io/nsDirectoryService.cpp:364
> #1 0x00000001016c29da in non-virtual thunk to nsDirectoryService::Get(char const*, nsID const&, void**) at /Users/Jan/moz/mozilla-central/xpcom/io/nsDirectoryService.cpp:407
> #2 0x0000000101db4ec5 in AddAppDirToCommandLine(std::vector<std::string, std::allocator<std::string> >&) at /Users/Jan/moz/mozilla-central/ipc/glue/GeckoChildProcessHost.cpp:519
> #3 0x0000000101db4614 in mozilla::ipc::GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string, std::allocator<std::string> >&, base::ProcessArchitecture) at /Users/Jan/moz/mozilla-central/ipc/glue/GeckoChildProcessHost.cpp:699
> #4 0x0000000101db3e03 in mozilla::ipc::GeckoChildProcessHost::PerformAsyncLaunch(std::vector<std::string, std::allocator<std::string> >, base::ProcessArchitecture) at /Users/Jan/moz/mozilla-central/ipc/glue/GeckoChildProcessHost.cpp:487
> #5 0x0000000101db37bd in mozilla::ipc::GeckoChildProcessHost::RunPerformAsyncLaunch(std::vector<std::string, std::allocator<std::string> >, base::ProcessArchitecture) at /Users/Jan/moz/mozilla-central/ipc/glue/GeckoChildProcessHost.cpp:500
> #6 0x0000000101dbac9d in void DispatchToMethod<mozilla::ipc::GeckoChildProcessHost, bool (mozilla::ipc::GeckoChildProcessHost::*)(std::vector<std::string, std::allocator<std::string> >, base::ProcessArchitecture), std::vector<std::string, std::allocator<std::string> >, base::ProcessArchitecture>(mozilla::ipc::GeckoChildProcessHost*, bool (mozilla::ipc::GeckoChildProcessHost::*)(std::vector<std::string, std::allocator<std::string> >, base::ProcessArchitecture), Tuple2<std::vector<std::string, std::allocator<std::string> >, base::ProcessArchitecture> const&) at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/tuple.h:400
> #7 0x0000000101dbab5e in RunnableMethod<mozilla::ipc::GeckoChildProcessHost, bool (mozilla::ipc::GeckoChildProcessHost::*)(std::vector<std::string, std::allocator<std::string> >, base::ProcessArchitecture), Tuple2<std::vector<std::string, std::allocator<std::string> >, base::ProcessArchitecture> >::Run() at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/task.h:310
> #8 0x0000000101d3cc50 in MessageLoop::RunTask(Task*) at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/message_loop.cc:361
> #9 0x0000000101d3d1cf in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/message_loop.cc:369
> #10 0x0000000101d3d3f4 in MessageLoop::DoWork() at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/message_loop.cc:456
> #11 0x0000000101d3ef7b in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/message_pump_libevent.cc:328
> #12 0x0000000101d3cb35 in MessageLoop::RunInternal() at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/message_loop.cc:233
> #13 0x0000000101d3ca45 in MessageLoop::RunHandler() at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/message_loop.cc:226
> #14 0x0000000101d3c9ed in MessageLoop::Run() at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/message_loop.cc:200
> #15 0x0000000101d620f9 in base::Thread::ThreadMain() at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/thread.cc:170
> #16 0x0000000101d6333c in ThreadFunc(void*) at /Users/Jan/moz/mozilla-central/ipc/chromium/src/base/platform_thread_posix.cc:39
> #17 0x00007fff89375899 in _pthread_body ()
> #18 0x00007fff8937572a in _pthread_start ()
> #19 0x00007fff89379fc9 in thread_start ()
|
|
Reporter | |
Comment 2•11 years ago
|
||
FYI also seen post startup when flash starts (I went to cnn.com).
Last line in log before breakpoint:
> For application/x-shockwave-flash found plugin Flash Player.plugin
Since this bug is a potential data-race on the hash table, might it be contributing to intermittent crashes around flash?
|
||
Updated•11 years ago
|
Component: DOM → DOM: Content Processes
|
||
Comment 3•7 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046
Move all DOM bugs that haven't been updated in more than 3 years and has no one currently assigned to P5.
If you have questions, please contact :mdaly.
Priority: -- → P5
|
Assignee | |
Comment 4•6 years ago
|
||
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
|
||
Updated•6 years ago
|
Component: DOM: Content Processes → IPC
|
||
Updated•6 years ago
|
Attachment #9087039 -
Attachment description: Bug 1163079 - ensure we fetch app/profile dir information on the main thread in GeckoChildProcessHost, r?bholley → Bug 1163079 - ensure we fetch app/profile dir information on the main thread in GeckoChildProcessHost
Pushed by gijskruitbosch@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/b4df7e108b5d
ensure we fetch app/profile dir information on the main thread in GeckoChildProcessHost r=jld,bryce,haik
|
|
||
Comment 6•6 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox71:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
You need to log in
before you can comment on or make changes to this bug.
Description
•