UntypedArray::SetLength tries to write to sEmptyTArrayHeader

RESOLVED FIXED in Firefox 67

Status: RESOLVED FIXED (defect)
Reported: 4 months ago
Modified: 4 months ago
Reporter: ytausky
Assigned: erahm
Blocks: 1 bug
Version: unspecified
Target Milestone: mozilla67
Firefox Tracking Flags: firefox67 fixed
Attachments: 1

I got the following TSan report:

WARNING: ThreadSanitizer: data race (pid=65550)
  Write of size 4 at 0x00011078cb28 by main thread:
    #0 std::__1::__function::__func<XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*)::$_1, std::__1::allocator<XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*)::$_1>, void* (unsigned int*)>::operator()(unsigned int*&&) xptinfo.h:562 (XUL:x86_64+0x13b4108)
    #1 XPCConvert::JSArray2Native(JS::Handle<JS::Value>, nsXPTType const&, nsID const*, nsresult*, std::__1::function<void* (unsigned int*)> const&) functional:1913 (XUL:x86_64+0x1383f43)
    #2 XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*) XPCConvert.cpp:894 (XUL:x86_64+0x13817a0)
    #3 CallMethodHelper::ConvertIndependentParam(unsigned char) XPCWrappedNative.cpp:1552 (XUL:x86_64+0x13fd8c4)
    #4 CallMethodHelper::Call() XPCWrappedNative.cpp:1471 (XUL:x86_64+0x13dc547)
    #5 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) XPCWrappedNative.cpp:1144 (XUL:x86_64+0x13dc2f4)
    #6 XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) XPCWrappedNativeJSOps.cpp:941 (XUL:x86_64+0x13de9a2)
    #7 <null> <null> (0x00011e6a074b)
    #8 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:405 (XUL:x86_64+0x7b1e202)
    #9 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #10 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #11 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3c9e4)
    #12 bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) NativeObject.cpp:2240 (XUL:x86_64+0x7f41a8a)
    #13 bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) NativeObject.cpp:2541 (XUL:x86_64+0x7f42d3b)
    #14 js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) NativeObject.cpp:2578 (XUL:x86_64+0x7f425dc)
    #15 js::jit::IonGetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonGetPropertyIC*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ObjectOperations-inl.h:117 (XUL:x86_64+0x8ac8f7d)
    #16 <null> <null> (0x00011e686b43)
    #17 Interpret(JSContext*, js::RunState&) Interpreter.cpp:3103 (XUL:x86_64+0x7b2b2f0)
    #18 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
    #19 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #20 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #21 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #22 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) SelfHosting.cpp:1908 (XUL:x86_64+0x7fde79a)
    #23 js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) VMFunctions.cpp:961 (XUL:x86_64+0x87a6821)
    #24 <null> <null> (0x00011e685d0f)
    #25 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:405 (XUL:x86_64+0x7b1e202)
    #26 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #27 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #28 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #29 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) SelfHosting.cpp:1908 (XUL:x86_64+0x7fde79a)
    #30 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) AsyncFunction.cpp:109 (XUL:x86_64+0x7c79a42)
    #31 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) AsyncFunction.cpp:144 (XUL:x86_64+0x7c7961b)
    #32 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) Promise.cpp:1491 (XUL:x86_64+0x7c36df6)
    #33 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
    #34 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
    #35 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #36 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #37 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) jsapi.cpp:2623 (XUL:x86_64+0x8324a55)
    #38 mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) PromiseBinding.cpp:26 (XUL:x86_64+0x2a80d02)
    #39 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) PromiseBinding.h:91 (XUL:x86_64+0x93b2a)
    #40 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) CycleCollectedJSContext.cpp:595 (XUL:x86_64+0x78060)
    #41 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) CycleCollectedJSContext.h:201 (XUL:x86_64+0x40596cc)
    #42 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) EventListenerManager.cpp:1237 (XUL:x86_64+0x405a49a)
    #43 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) EventListenerManager.h:350 (XUL:x86_64+0x404b4f0)
    #44 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) EventDispatcher.cpp:553 (XUL:x86_64+0x404a552)
    #45 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) EventDispatcher.cpp:1048 (XUL:x86_64+0x404e497)
    #46 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) EventDispatcher.cpp (XUL:x86_64+0x4051afd)
    #47 mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) DOMEventTargetHelper.cpp:166 (XUL:x86_64+0x4024c88)
    #48 mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) EventTarget.cpp:178 (XUL:x86_64+0x40621b8)
    #49 mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) MessageEventRunnable.cpp:94 (XUL:x86_64+0x4f5adf8)
    #50 mozilla::dom::MessageEventRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) MessageEventRunnable.cpp (XUL:x86_64+0x4f5b58e)
    #51 mozilla::dom::WorkerRunnable::Run() WorkerRunnable.cpp:363 (XUL:x86_64+0x4fbc04c)
    #52 mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() ThrottledEventQueue.cpp:243 (XUL:x86_64+0x1f9c7b)
    #53 mozilla::ThrottledEventQueue::Inner::Executor::Run() ThrottledEventQueue.cpp:80 (XUL:x86_64+0x1f3ef8)
    #54 nsThread::ProcessNextEvent(bool, bool*) nsThread.cpp:1179 (XUL:x86_64+0x1e1c38)
    #55 nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) nsThreadUtils.cpp:482 (XUL:x86_64+0x1e7222)
    #56 nsThreadManager::SpinEventLoopUntil(nsINestedEventLoopCondition*) nsThreadManager.cpp:468 (XUL:x86_64+0x1e6e9b)
    #57 NS_InvokeByIndex xptcinvoke_asm_x86_64_unix.S:106 (XUL:x86_64+0x211a4d)
    #58 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) XPCWrappedNative.cpp:1144 (XUL:x86_64+0x13dc2f4)
    #59 XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) XPCWrappedNativeJSOps.cpp:941 (XUL:x86_64+0x13de9a2)
    #60 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
    #61 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
    #62 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #63 Interpret(JSContext*, js::RunState&) Interpreter.cpp:591 (XUL:x86_64+0x7b2ad78)
    #64 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
    #65 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #66 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #67 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #68 js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) VMFunctions.cpp:232 (XUL:x86_64+0x87a0a3b)
    #69 js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) VMFunctions.cpp:261 (XUL:x86_64+0x87a1422)
    #70 <null> <null> (0x00011e68135f)
    #71 Interpret(JSContext*, js::RunState&) Interpreter.cpp:1980 (XUL:x86_64+0x7b1fcee)
    #72 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
    #73 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #74 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #75 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #76 js::fun_apply(JSContext*, unsigned int, JS::Value*) JSFunction.cpp:1211 (XUL:x86_64+0x7e96542)
    #77 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
    #78 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
    #79 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #80 Interpret(JSContext*, js::RunState&) Interpreter.cpp:591 (XUL:x86_64+0x7b2ad78)
    #81 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
    #82 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #83 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #84 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #85 JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) jsapi.cpp:2560 (XUL:x86_64+0x83232ed)
    #86 nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) XPCWrappedJSClass.cpp:993 (XUL:x86_64+0x13ccaba)
    #87 nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) XPCWrappedJS.cpp:611 (XUL:x86_64+0x13cb6e3)
    #88 PrepareAndDispatch xptcstubs_x86_64_darwin.cpp:129 (XUL:x86_64+0x2132b9)
    #89 SharedStub <null> (XUL:x86_64+0x211dba)
    #90 XREMain::XRE_mainRun() nsAppRunner.cpp:4364 (XUL:x86_64+0x7990d65)
    #91 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:4682 (XUL:x86_64+0x799326d)
    #92 XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:4766 (XUL:x86_64+0x7993c62)
    #93 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) Bootstrap.cpp:39 (XUL:x86_64+0x79a7bb7)
    #94 main nsBrowserApp.cpp:214 (firefox:x86_64+0x100001b63)

  Previous read of size 4 at 0x00011078cb28 by thread T22 (mutexes: write M523397341894601424, write M562241043299646768):
    #0 mozilla::ThreadEventQueue<mozilla::EventQueue>::HasPendingEvent() nsTArray.h:344 (XUL:x86_64+0x1cb9fc)
    #1 nsThread::HasPendingEvents(bool*) nsThread.cpp:894 (XUL:x86_64+0x1e0552)
    #2 NS_HasPendingEvents(nsIThread*) nsThreadUtils.cpp:444 (XUL:x86_64+0x1e7789)
    #3 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) WorkerPrivate.cpp:2632 (XUL:x86_64+0x4fa6a55)
    #4 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() RuntimeService.cpp:2291 (XUL:x86_64+0x4f7951b)
    #5 nsThread::ProcessNextEvent(bool, bool*) nsThread.cpp:1179 (XUL:x86_64+0x1e1c38)
    #6 NS_ProcessNextEvent(nsIThread*, bool) nsThreadUtils.cpp:482 (XUL:x86_64+0x1e7842)
    #7 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) MessagePump.cpp:333 (XUL:x86_64+0xbe88ac)
    #8 MessageLoop::RunInternal() message_loop.cc:315 (XUL:x86_64+0xb54d5d)
    #9 MessageLoop::Run() message_loop.cc:308 (XUL:x86_64+0xb54c08)
    #10 nsThread::ThreadFunc(void*) nsThread.cpp:454 (XUL:x86_64+0x1dccff)
    #11 _pt_root ptthread.c:201 (libnss3.dylib:x86_64+0x22280c)

  Location is global 'sEmptyTArrayHeader' at 0x00011078cb28 (XUL+0x00000cc1db28)

  Mutex M523397341894601424 is already destroyed.

  Mutex M562241043299646768 is already destroyed.

  Thread T22 (tid=1551120, running) created by main thread at:
    #0 pthread_create tsan_interceptors.cc:965 (libclang_rt.tsan_osx_dynamic.dylib:x86_64h+0x931d)
    #1 _PR_CreateThread ptthread.c:433 (libnss3.dylib:x86_64+0x21befe)
    #2 PR_CreateThread ptthread.c:518 (libnss3.dylib:x86_64+0x20e237)
    #3 nsThread::Init(nsTSubstring<char> const&) nsThread.cpp:660 (XUL:x86_64+0x1de6b5)
    #4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) WorkerThread.cpp:93 (XUL:x86_64+0x4fc96e5)
    #5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) RuntimeService.cpp:1428 (XUL:x86_64+0x4f5fabd)
    #6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) RuntimeService.cpp:1293 (XUL:x86_64+0x4f5e819)
    #7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&) WorkerPrivate.cpp:2244 (XUL:x86_64+0x4fa284e)
    #8 mozilla::dom::ChromeWorker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) ChromeWorker.cpp:22 (XUL:x86_64+0x4f59845)
    #9 mozilla::dom::ChromeWorker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) WorkerBinding.cpp:275 (XUL:x86_64+0x34bf4a4)
    #10 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
    #11 CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:456 (XUL:x86_64+0x7b5112b)
    #12 InternalConstruct(JSContext*, js::AnyConstructArgs const&) Interpreter.cpp:649 (XUL:x86_64+0x7b3bc27)
    #13 js::ConstructFromStack(JSContext*, JS::CallArgs const&) Interpreter.cpp:676 (XUL:x86_64+0x7b3b5b0)
    #14 Interpret(JSContext*, js::RunState&) Interpreter.cpp:3047 (XUL:x86_64+0x7b2af62)
    #15 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
    #16 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #17 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #18 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3c9e4)
    #19 bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) NativeObject.cpp:2240 (XUL:x86_64+0x7f41a8a)
    #20 bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) NativeObject.cpp:2541 (XUL:x86_64+0x7f42d3b)
    #21 js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) NativeObject.cpp:2578 (XUL:x86_64+0x7f425dc)
    #22 js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ObjectOperations-inl.h:117 (XUL:x86_64+0x7e5852b)
    #23 js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) Interpreter.cpp:4467 (XUL:x86_64+0x7b410cd)
    #24 Interpret(JSContext*, js::RunState&) Interpreter.cpp:215 (XUL:x86_64+0x7b27f1a)
    #25 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
    #26 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #27 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #28 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #29 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) SelfHosting.cpp:1908 (XUL:x86_64+0x7fde79a)
    #30 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) AsyncFunction.cpp:109 (XUL:x86_64+0x7c79a42)
    #31 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) AsyncFunction.cpp:144 (XUL:x86_64+0x7c7961b)
    #32 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) Promise.cpp:1491 (XUL:x86_64+0x7c36df6)
    #33 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
    #34 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
    #35 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #36 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #37 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) jsapi.cpp:2623 (XUL:x86_64+0x8324a55)
    #38 mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) PromiseBinding.cpp:26 (XUL:x86_64+0x2a80d02)
    #39 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) PromiseBinding.h:91 (XUL:x86_64+0x93b2a)
    #40 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) CycleCollectedJSContext.cpp:595 (XUL:x86_64+0x78060)
    #41 mozilla::CycleCollectedJSContext::BeforeProcessTask(bool) CycleCollectedJSContext.cpp:421 (XUL:x86_64+0x78ea9)
    #42 XPCJSContext::BeforeProcessTask(bool) XPCJSContext.cpp:1250 (XUL:x86_64+0x138a3d7)
    #43 nsThread::ProcessNextEvent(bool, bool*) nsThread.cpp:1086 (XUL:x86_64+0x1e0eee)
    #44 nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) nsThreadUtils.cpp:482 (XUL:x86_64+0x1e7222)
    #45 nsThreadManager::SpinEventLoopUntil(nsINestedEventLoopCondition*) nsThreadManager.cpp:468 (XUL:x86_64+0x1e6e9b)
    #46 NS_InvokeByIndex xptcinvoke_asm_x86_64_unix.S:106 (XUL:x86_64+0x211a4d)
    #47 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) XPCWrappedNative.cpp:1144 (XUL:x86_64+0x13dc2f4)
    #48 XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) XPCWrappedNativeJSOps.cpp:941 (XUL:x86_64+0x13de9a2)
    #49 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
    #50 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
    #51 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #52 Interpret(JSContext*, js::RunState&) Interpreter.cpp:591 (XUL:x86_64+0x7b2ad78)
    #53 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
    #54 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #55 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #56 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #57 js::fun_apply(JSContext*, unsigned int, JS::Value*) JSFunction.cpp:1211 (XUL:x86_64+0x7e96542)
    #58 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
    #59 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
    #60 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #61 Interpret(JSContext*, js::RunState&) Interpreter.cpp:591 (XUL:x86_64+0x7b2ad78)
    #62 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
    #63 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
    #64 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
    #65 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
    #66 JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) jsapi.cpp:2560 (XUL:x86_64+0x83232ed)
    #67 nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) XPCWrappedJSClass.cpp:993 (XUL:x86_64+0x13ccaba)
    #68 nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) XPCWrappedJS.cpp:611 (XUL:x86_64+0x13cb6e3)
    #69 PrepareAndDispatch xptcstubs_x86_64_darwin.cpp:129 (XUL:x86_64+0x2132b9)
    #70 SharedStub <null> (XUL:x86_64+0x211dba)
    #71 XREMain::XRE_mainRun() nsAppRunner.cpp:4364 (XUL:x86_64+0x7990d65)
    #72 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:4682 (XUL:x86_64+0x799326d)
    #73 XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:4766 (XUL:x86_64+0x7993c62)
    #74 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) Bootstrap.cpp:39 (XUL:x86_64+0x79a7bb7)
    #75 main nsBrowserApp.cpp:214 (firefox:x86_64+0x100001b63)

SUMMARY: ThreadSanitizer: data race xptinfo.h:562 in std::__1::__function::__func<XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*)::$_1, std::__1::allocator<XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*)::$_1>, void* (unsigned int*)>::operator()(unsigned int*&&)

On closer inspection, it turns out that aTo's value was 0. It caused EnsureCapacity to return true, thus continuing to write to sEmptyTArrayHeader. Since that header is used in many threads, writing to it without synchronization is undefined behavior.

Looks like adding if (mHdr != EmptyHdr()) to SetLength would fix things.

Add a check that this array isn't using the static empty header before updating the size field.
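To make the mechanism described in the comments above concrete, here is an added example (constructed for this page, not Mozilla's nsTArray source): a miniature of the shared-empty-header layout, with SetLength before and after the check the fix adds. The Header struct, StoreLength and the gSharedHeaderStores counter are assumptions standing in for nsTArrayHeader and for the store that ThreadSanitizer observes.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdlib>

// Constructed model of the nsTArray header layout (not Mozilla's code): a
// length/capacity header precedes the elements, and every empty array points
// at one shared static header so that being empty costs no allocation.
struct Header {
  uint32_t mLength;
  uint32_t mCapacity;
};

static Header sEmptyHeader = {0, 0};  // stands in for sEmptyTArrayHeader

// Constructed instrumentation standing in for ThreadSanitizer: counts stores
// that land in the shared header regardless of the value stored (writing 0
// over 0 is still an unsynchronized write racing with readers on other threads).
static int gSharedHeaderStores = 0;

static void StoreLength(Header* aHdr, uint32_t aLength) {
  if (aHdr == &sEmptyHeader) ++gSharedHeaderStores;
  aHdr->mLength = aLength;
}

class UntypedArray {
 public:
  UntypedArray() : mHdr(EmptyHdr()) {}
  ~UntypedArray() { if (mHdr != EmptyHdr()) free(mHdr); }

  static Header* EmptyHdr() { return &sEmptyHeader; }
  uint32_t Length() const { return mHdr->mLength; }
  bool UsesSharedHeader() const { return mHdr == EmptyHdr(); }

  // Succeeds without allocating when the current capacity already suffices;
  // on the shared header (capacity 0) that is exactly the aCapacity == 0 case.
  bool EnsureCapacity(uint32_t aCapacity, size_t aElemSize) {
    if (aCapacity <= mHdr->mCapacity) return true;
    Header* h = static_cast<Header*>(malloc(sizeof(Header) + aCapacity * aElemSize));
    if (!h) return false;
    h->mLength = mHdr->mLength;
    h->mCapacity = aCapacity;
    if (mHdr != EmptyHdr()) free(mHdr);
    mHdr = h;
    return true;
  }

  // Before the fix: the length store is unconditional, so SetLength(0) on an
  // empty array writes into the shared static header.
  bool SetLengthBuggy(uint32_t aLength, size_t aElemSize) {
    if (!EnsureCapacity(aLength, aElemSize)) return false;
    StoreLength(mHdr, aLength);
    return true;
  }

  // After the fix: never store while still on the shared header. Such an
  // array is already length 0, the only length EnsureCapacity accepts
  // without allocating, so skipping the store loses nothing.
  bool SetLengthFixed(uint32_t aLength, size_t aElemSize) {
    if (!EnsureCapacity(aLength, aElemSize)) return false;
    if (mHdr != EmptyHdr()) StoreLength(mHdr, aLength);
    return true;
  }

 private:
  Header* mHdr;
};

// Calls SetLength(aLength) on a fresh empty array and returns how many stores
// hit the shared header: 1 for the buggy variant at length 0, otherwise 0.
static int SharedHeaderStoresFor(bool aFixed, uint32_t aLength) {
  gSharedHeaderStores = 0;
  UntypedArray a;
  bool ok = aFixed ? a.SetLengthFixed(aLength, sizeof(uint32_t))
                   : a.SetLengthBuggy(aLength, sizeof(uint32_t));
  assert(ok && a.Length() == aLength);               // both variants get the length right
  assert(a.UsesSharedHeader() == (aLength == 0));    // only length 0 stays on the shared header
  return gSharedHeaderStores;
}
```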

Pushed by erahm@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7f1c8a3ebd95
Avoid modifying the static empty header size field. r=mccr8
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67