Bug 1533521 - UntypedArray::SetLength tries to write to sEmptyTArrayHeader
Status: Closed, RESOLVED FIXED (opened 3 years ago, closed 3 years ago)
Categories: Core :: XPCOM, defect
Target Milestone: mozilla67
Tracking:

Version | Tracking | Status
---|---|---
firefox67 | --- | fixed

People: Reporter: ytausky, Assigned: erahm
References: Blocks 1 open bug
Attachments: 1 file
I got the following TSan report:
WARNING: ThreadSanitizer: data race (pid=65550)
Write of size 4 at 0x00011078cb28 by main thread:
#0 std::__1::__function::__func<XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*)::$_1, std::__1::allocator<XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*)::$_1>, void* (unsigned int*)>::operator()(unsigned int*&&) xptinfo.h:562 (XUL:x86_64+0x13b4108)
#1 XPCConvert::JSArray2Native(JS::Handle<JS::Value>, nsXPTType const&, nsID const*, nsresult*, std::__1::function<void* (unsigned int*)> const&) functional:1913 (XUL:x86_64+0x1383f43)
#2 XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*) XPCConvert.cpp:894 (XUL:x86_64+0x13817a0)
#3 CallMethodHelper::ConvertIndependentParam(unsigned char) XPCWrappedNative.cpp:1552 (XUL:x86_64+0x13fd8c4)
#4 CallMethodHelper::Call() XPCWrappedNative.cpp:1471 (XUL:x86_64+0x13dc547)
#5 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) XPCWrappedNative.cpp:1144 (XUL:x86_64+0x13dc2f4)
#6 XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) XPCWrappedNativeJSOps.cpp:941 (XUL:x86_64+0x13de9a2)
#7 <null> <null> (0x00011e6a074b)
#8 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:405 (XUL:x86_64+0x7b1e202)
#9 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#10 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#11 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3c9e4)
#12 bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) NativeObject.cpp:2240 (XUL:x86_64+0x7f41a8a)
#13 bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) NativeObject.cpp:2541 (XUL:x86_64+0x7f42d3b)
#14 js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) NativeObject.cpp:2578 (XUL:x86_64+0x7f425dc)
#15 js::jit::IonGetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonGetPropertyIC*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ObjectOperations-inl.h:117 (XUL:x86_64+0x8ac8f7d)
#16 <null> <null> (0x00011e686b43)
#17 Interpret(JSContext*, js::RunState&) Interpreter.cpp:3103 (XUL:x86_64+0x7b2b2f0)
#18 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
#19 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#20 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#21 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#22 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) SelfHosting.cpp:1908 (XUL:x86_64+0x7fde79a)
#23 js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) VMFunctions.cpp:961 (XUL:x86_64+0x87a6821)
#24 <null> <null> (0x00011e685d0f)
#25 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:405 (XUL:x86_64+0x7b1e202)
#26 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#27 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#28 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#29 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) SelfHosting.cpp:1908 (XUL:x86_64+0x7fde79a)
#30 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) AsyncFunction.cpp:109 (XUL:x86_64+0x7c79a42)
#31 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) AsyncFunction.cpp:144 (XUL:x86_64+0x7c7961b)
#32 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) Promise.cpp:1491 (XUL:x86_64+0x7c36df6)
#33 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
#34 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
#35 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#36 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#37 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) jsapi.cpp:2623 (XUL:x86_64+0x8324a55)
#38 mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) PromiseBinding.cpp:26 (XUL:x86_64+0x2a80d02)
#39 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) PromiseBinding.h:91 (XUL:x86_64+0x93b2a)
#40 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) CycleCollectedJSContext.cpp:595 (XUL:x86_64+0x78060)
#41 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) CycleCollectedJSContext.h:201 (XUL:x86_64+0x40596cc)
#42 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) EventListenerManager.cpp:1237 (XUL:x86_64+0x405a49a)
#43 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) EventListenerManager.h:350 (XUL:x86_64+0x404b4f0)
#44 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) EventDispatcher.cpp:553 (XUL:x86_64+0x404a552)
#45 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) EventDispatcher.cpp:1048 (XUL:x86_64+0x404e497)
#46 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) EventDispatcher.cpp (XUL:x86_64+0x4051afd)
#47 mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) DOMEventTargetHelper.cpp:166 (XUL:x86_64+0x4024c88)
#48 mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) EventTarget.cpp:178 (XUL:x86_64+0x40621b8)
#49 mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) MessageEventRunnable.cpp:94 (XUL:x86_64+0x4f5adf8)
#50 mozilla::dom::MessageEventRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) MessageEventRunnable.cpp (XUL:x86_64+0x4f5b58e)
#51 mozilla::dom::WorkerRunnable::Run() WorkerRunnable.cpp:363 (XUL:x86_64+0x4fbc04c)
#52 mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() ThrottledEventQueue.cpp:243 (XUL:x86_64+0x1f9c7b)
#53 mozilla::ThrottledEventQueue::Inner::Executor::Run() ThrottledEventQueue.cpp:80 (XUL:x86_64+0x1f3ef8)
#54 nsThread::ProcessNextEvent(bool, bool*) nsThread.cpp:1179 (XUL:x86_64+0x1e1c38)
#55 nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) nsThreadUtils.cpp:482 (XUL:x86_64+0x1e7222)
#56 nsThreadManager::SpinEventLoopUntil(nsINestedEventLoopCondition*) nsThreadManager.cpp:468 (XUL:x86_64+0x1e6e9b)
#57 NS_InvokeByIndex xptcinvoke_asm_x86_64_unix.S:106 (XUL:x86_64+0x211a4d)
#58 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) XPCWrappedNative.cpp:1144 (XUL:x86_64+0x13dc2f4)
#59 XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) XPCWrappedNativeJSOps.cpp:941 (XUL:x86_64+0x13de9a2)
#60 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
#61 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
#62 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#63 Interpret(JSContext*, js::RunState&) Interpreter.cpp:591 (XUL:x86_64+0x7b2ad78)
#64 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
#65 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#66 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#67 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#68 js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) VMFunctions.cpp:232 (XUL:x86_64+0x87a0a3b)
#69 js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) VMFunctions.cpp:261 (XUL:x86_64+0x87a1422)
#70 <null> <null> (0x00011e68135f)
#71 Interpret(JSContext*, js::RunState&) Interpreter.cpp:1980 (XUL:x86_64+0x7b1fcee)
#72 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
#73 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#74 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#75 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#76 js::fun_apply(JSContext*, unsigned int, JS::Value*) JSFunction.cpp:1211 (XUL:x86_64+0x7e96542)
#77 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
#78 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
#79 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#80 Interpret(JSContext*, js::RunState&) Interpreter.cpp:591 (XUL:x86_64+0x7b2ad78)
#81 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
#82 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#83 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#84 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#85 JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) jsapi.cpp:2560 (XUL:x86_64+0x83232ed)
#86 nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) XPCWrappedJSClass.cpp:993 (XUL:x86_64+0x13ccaba)
#87 nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) XPCWrappedJS.cpp:611 (XUL:x86_64+0x13cb6e3)
#88 PrepareAndDispatch xptcstubs_x86_64_darwin.cpp:129 (XUL:x86_64+0x2132b9)
#89 SharedStub <null> (XUL:x86_64+0x211dba)
#90 XREMain::XRE_mainRun() nsAppRunner.cpp:4364 (XUL:x86_64+0x7990d65)
#91 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:4682 (XUL:x86_64+0x799326d)
#92 XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:4766 (XUL:x86_64+0x7993c62)
#93 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) Bootstrap.cpp:39 (XUL:x86_64+0x79a7bb7)
#94 main nsBrowserApp.cpp:214 (firefox:x86_64+0x100001b63)
Previous read of size 4 at 0x00011078cb28 by thread T22 (mutexes: write M523397341894601424, write M562241043299646768):
#0 mozilla::ThreadEventQueue<mozilla::EventQueue>::HasPendingEvent() nsTArray.h:344 (XUL:x86_64+0x1cb9fc)
#1 nsThread::HasPendingEvents(bool*) nsThread.cpp:894 (XUL:x86_64+0x1e0552)
#2 NS_HasPendingEvents(nsIThread*) nsThreadUtils.cpp:444 (XUL:x86_64+0x1e7789)
#3 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) WorkerPrivate.cpp:2632 (XUL:x86_64+0x4fa6a55)
#4 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() RuntimeService.cpp:2291 (XUL:x86_64+0x4f7951b)
#5 nsThread::ProcessNextEvent(bool, bool*) nsThread.cpp:1179 (XUL:x86_64+0x1e1c38)
#6 NS_ProcessNextEvent(nsIThread*, bool) nsThreadUtils.cpp:482 (XUL:x86_64+0x1e7842)
#7 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) MessagePump.cpp:333 (XUL:x86_64+0xbe88ac)
#8 MessageLoop::RunInternal() message_loop.cc:315 (XUL:x86_64+0xb54d5d)
#9 MessageLoop::Run() message_loop.cc:308 (XUL:x86_64+0xb54c08)
#10 nsThread::ThreadFunc(void*) nsThread.cpp:454 (XUL:x86_64+0x1dccff)
#11 _pt_root ptthread.c:201 (libnss3.dylib:x86_64+0x22280c)
Location is global 'sEmptyTArrayHeader' at 0x00011078cb28 (XUL+0x00000cc1db28)
Mutex M523397341894601424 is already destroyed.
Mutex M562241043299646768 is already destroyed.
Thread T22 (tid=1551120, running) created by main thread at:
#0 pthread_create tsan_interceptors.cc:965 (libclang_rt.tsan_osx_dynamic.dylib:x86_64h+0x931d)
#1 _PR_CreateThread ptthread.c:433 (libnss3.dylib:x86_64+0x21befe)
#2 PR_CreateThread ptthread.c:518 (libnss3.dylib:x86_64+0x20e237)
#3 nsThread::Init(nsTSubstring<char> const&) nsThread.cpp:660 (XUL:x86_64+0x1de6b5)
#4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) WorkerThread.cpp:93 (XUL:x86_64+0x4fc96e5)
#5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) RuntimeService.cpp:1428 (XUL:x86_64+0x4f5fabd)
#6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) RuntimeService.cpp:1293 (XUL:x86_64+0x4f5e819)
#7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&) WorkerPrivate.cpp:2244 (XUL:x86_64+0x4fa284e)
#8 mozilla::dom::ChromeWorker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) ChromeWorker.cpp:22 (XUL:x86_64+0x4f59845)
#9 mozilla::dom::ChromeWorker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) WorkerBinding.cpp:275 (XUL:x86_64+0x34bf4a4)
#10 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
#11 CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:456 (XUL:x86_64+0x7b5112b)
#12 InternalConstruct(JSContext*, js::AnyConstructArgs const&) Interpreter.cpp:649 (XUL:x86_64+0x7b3bc27)
#13 js::ConstructFromStack(JSContext*, JS::CallArgs const&) Interpreter.cpp:676 (XUL:x86_64+0x7b3b5b0)
#14 Interpret(JSContext*, js::RunState&) Interpreter.cpp:3047 (XUL:x86_64+0x7b2af62)
#15 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
#16 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#17 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#18 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3c9e4)
#19 bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) NativeObject.cpp:2240 (XUL:x86_64+0x7f41a8a)
#20 bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) NativeObject.cpp:2541 (XUL:x86_64+0x7f42d3b)
#21 js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) NativeObject.cpp:2578 (XUL:x86_64+0x7f425dc)
#22 js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ObjectOperations-inl.h:117 (XUL:x86_64+0x7e5852b)
#23 js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) Interpreter.cpp:4467 (XUL:x86_64+0x7b410cd)
#24 Interpret(JSContext*, js::RunState&) Interpreter.cpp:215 (XUL:x86_64+0x7b27f1a)
#25 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
#26 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#27 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#28 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#29 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) SelfHosting.cpp:1908 (XUL:x86_64+0x7fde79a)
#30 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) AsyncFunction.cpp:109 (XUL:x86_64+0x7c79a42)
#31 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) AsyncFunction.cpp:144 (XUL:x86_64+0x7c7961b)
#32 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) Promise.cpp:1491 (XUL:x86_64+0x7c36df6)
#33 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
#34 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
#35 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#36 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#37 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) jsapi.cpp:2623 (XUL:x86_64+0x8324a55)
#38 mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) PromiseBinding.cpp:26 (XUL:x86_64+0x2a80d02)
#39 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) PromiseBinding.h:91 (XUL:x86_64+0x93b2a)
#40 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) CycleCollectedJSContext.cpp:595 (XUL:x86_64+0x78060)
#41 mozilla::CycleCollectedJSContext::BeforeProcessTask(bool) CycleCollectedJSContext.cpp:421 (XUL:x86_64+0x78ea9)
#42 XPCJSContext::BeforeProcessTask(bool) XPCJSContext.cpp:1250 (XUL:x86_64+0x138a3d7)
#43 nsThread::ProcessNextEvent(bool, bool*) nsThread.cpp:1086 (XUL:x86_64+0x1e0eee)
#44 nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) nsThreadUtils.cpp:482 (XUL:x86_64+0x1e7222)
#45 nsThreadManager::SpinEventLoopUntil(nsINestedEventLoopCondition*) nsThreadManager.cpp:468 (XUL:x86_64+0x1e6e9b)
#46 NS_InvokeByIndex xptcinvoke_asm_x86_64_unix.S:106 (XUL:x86_64+0x211a4d)
#47 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) XPCWrappedNative.cpp:1144 (XUL:x86_64+0x13dc2f4)
#48 XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) XPCWrappedNativeJSOps.cpp:941 (XUL:x86_64+0x13de9a2)
#49 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
#50 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
#51 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#52 Interpret(JSContext*, js::RunState&) Interpreter.cpp:591 (XUL:x86_64+0x7b2ad78)
#53 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
#54 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#55 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#56 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#57 js::fun_apply(JSContext*, unsigned int, JS::Value*) JSFunction.cpp:1211 (XUL:x86_64+0x7e96542)
#58 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) Interpreter.cpp:440 (XUL:x86_64+0x7b3a834)
#59 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:532 (XUL:x86_64+0x7b39d9c)
#60 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#61 Interpret(JSContext*, js::RunState&) Interpreter.cpp:591 (XUL:x86_64+0x7b2ad78)
#62 js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:420 (XUL:x86_64+0x7b1e259)
#63 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) Interpreter.cpp:560 (XUL:x86_64+0x7b39d66)
#64 InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:587 (XUL:x86_64+0x7b3b147)
#65 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:603 (XUL:x86_64+0x7b3b494)
#66 JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) jsapi.cpp:2560 (XUL:x86_64+0x83232ed)
#67 nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) XPCWrappedJSClass.cpp:993 (XUL:x86_64+0x13ccaba)
#68 nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) XPCWrappedJS.cpp:611 (XUL:x86_64+0x13cb6e3)
#69 PrepareAndDispatch xptcstubs_x86_64_darwin.cpp:129 (XUL:x86_64+0x2132b9)
#70 SharedStub <null> (XUL:x86_64+0x211dba)
#71 XREMain::XRE_mainRun() nsAppRunner.cpp:4364 (XUL:x86_64+0x7990d65)
#72 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:4682 (XUL:x86_64+0x799326d)
#73 XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:4766 (XUL:x86_64+0x7993c62)
#74 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) Bootstrap.cpp:39 (XUL:x86_64+0x79a7bb7)
#75 main nsBrowserApp.cpp:214 (firefox:x86_64+0x100001b63)
SUMMARY: ThreadSanitizer: data race xptinfo.h:562 in std::__1::__function::__func<XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*)::$_1, std::__1::allocator<XPCConvert::JSData2Native(JSContext*, void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, unsigned int, nsresult*)::$_1>, void* (unsigned int*)>::operator()(unsigned int*&&)
On closer inspection, it turns out that aTo's value was 0. It caused EnsureCapacity to return true, thus continuing to write to sEmptyTArrayHeader. Since that header is used in many threads, writing to it without synchronization is undefined behavior.
Comment 1 • 3 years ago (Assignee)
Looks like adding if (mHdr != EmptyHdr()) to SetLength would fix things.
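A minimal C++ model of the bug and of the check proposed in comment 1, added here as an illustration and not Mozilla's code: Header, UntypedArray, SharedEmptyHeader and the two SetLength variants are simplified stand-ins for the real nsTArray.h / xptinfo.h types. The buggy path stores the length through the shared sentinel when aTo is 0; the fixed path never touches it. Built with -fsanitize=thread and with a second thread reading any empty array's length, the buggy store is the one the report above flags.

```cpp
// Minimal model of the nsTArray "shared empty header" pattern, written for this
// bug report; it is not Mozilla's code. Header, EnsureCapacity and the two
// SetLength variants are simplified stand-ins for nsTArray.h / xptinfo.h.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

struct Header {
  uint32_t mLength;
  uint32_t mCapacity;
};

// One process-wide sentinel that every empty array, on every thread, points at.
// nsTArray calls this sEmptyTArrayHeader; any store to it is a cross-thread data
// race, even a store of the value it already holds (here, 0 over 0).
static Header sEmptyHeader = {0, 0};

Header* SharedEmptyHeader() { return &sEmptyHeader; }

class UntypedArray {
 public:
  UntypedArray() : mHdr(&sEmptyHeader) {}
  ~UntypedArray() { if (mHdr != &sEmptyHeader) free(mHdr); }

  bool UsesEmptyHeader() const { return mHdr == &sEmptyHeader; }
  uint32_t Length() const { return mHdr->mLength; }

  // Returns true once the array can hold aCapacity elements of aElemSize bytes.
  // aCapacity == 0 succeeds without allocating: this is the path the TSan
  // report hit, leaving mHdr pointing at the shared sentinel.
  bool EnsureCapacity(uint32_t aCapacity, size_t aElemSize) {
    if (aCapacity == 0) return true;
    if (mHdr != &sEmptyHeader && mHdr->mCapacity >= aCapacity) return true;
    // Refuse requests whose byte size would overflow size_t.
    if (aElemSize != 0 && aCapacity > (SIZE_MAX - sizeof(Header)) / aElemSize) return false;
    Header* fresh = static_cast<Header*>(malloc(sizeof(Header) + aCapacity * aElemSize));
    if (!fresh) return false;
    uint32_t oldLen = mHdr->mLength;  // 0 when mHdr is the sentinel
    if (oldLen) memcpy(fresh + 1, mHdr + 1, oldLen * aElemSize);
    fresh->mLength = oldLen;
    fresh->mCapacity = aCapacity;
    if (mHdr != &sEmptyHeader) free(mHdr);
    mHdr = fresh;
    return true;
  }

  // Pre-fix behaviour from the report: once EnsureCapacity succeeds the length
  // is stored through mHdr unconditionally, so SetLengthBuggy(0) on an empty
  // array writes into sEmptyHeader. Returns the header that was written (or
  // nullptr on allocation failure) so a caller can see where the store went.
  Header* SetLengthBuggy(uint32_t aTo, size_t aElemSize) {
    if (!EnsureCapacity(aTo, aElemSize)) return nullptr;
    mHdr->mLength = aTo;
    return mHdr;
  }

  // With the check from comment 1 (mHdr != EmptyHdr()): the sentinel is never
  // written. If mHdr is still the sentinel here, aTo must be 0 and the length
  // already is 0, so skipping the store loses nothing. Returns the header
  // written, or nullptr when no store happened.
  Header* SetLengthFixed(uint32_t aTo, size_t aElemSize) {
    if (!EnsureCapacity(aTo, aElemSize)) return nullptr;
    if (mHdr == &sEmptyHeader) return nullptr;
    mHdr->mLength = aTo;
    return mHdr;
  }

 private:
  Header* mHdr;
};

int main() {
  UntypedArray a;
  Header* hit = a.SetLengthBuggy(0, sizeof(uint32_t));   // lands on the sentinel
  UntypedArray b;
  Header* miss = b.SetLengthFixed(0, sizeof(uint32_t));  // no store at all
  return (hit == SharedEmptyHeader() && miss == nullptr) ? 0 : 1;
}
```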
Comment 2 • 3 years ago (Assignee)
Add a check that this array isn't using the static empty header before updating the size field.
Pushed by erahm@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7f1c8a3ebd95 Avoid modifying the static empty header size field. r=mccr8
Comment 4 • 3 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox67:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Updated • 3 years ago
Assignee: nobody → erahm