Closed Bug 1647702 Opened 1 year ago Closed 1 year ago

ThreadSanitizer: data race [@ isForwarded] vs. [@ unsafeSetPtr]


(Core :: JavaScript: GC, defect)

Not set



Tracking Status
firefox79 --- fixed


(Reporter: jkratzer, Assigned: jonco)


(Blocks 2 open bugs)


(Keywords: csectype-race, Whiteboard: [fuzzblocker])


(2 files)

The attached crash information was detected while running CI tests with ThreadSanitizer on mozilla-central revision 20200619-24787602a9f6.

For detailed crash information, see attachment.
General information about TSan reports
Why fix races?

Data races are undefined behavior and can cause crashes as well as correctness issues. Compiler optimizations can cause racy code to have unpredictable and hard-to-reproduce behavior.

If you think this race can cause crashes or correctness issues, it would be great to rate the bug appropriately as P1/P2 and/or indicating this in the bug. This makes it a lot easier for us to assess the actual impact that these reports make and if they are helpful to you.
False Positives / Benign Races

Typically, races reported by TSan are not false positives [1], but it is possible that the race is benign. Even in this case it would be nice to come up with a fix if it is easily doable and does not regress performance. Every race that we cannot fix will have to remain on the suppression list and slows down the overall TSan performance. Also note that seemingly benign races can possibly be harmful (also depending on the compiler, optimizations and the architecture) [2][3].

[1] One major exception is the involvement of uninstrumented code from third-party libraries.
[3] How to miscompile programs with "benign" data races:
Suppressing unfixable races

If the bug cannot be fixed, then a runtime suppression needs to be added in mozglue/build/TsanOptions.cpp. The suppressions match on the full stack, so it should be picked such that it is unique to this particular race. The bug number of this bug should also be included so we have some documentation on why this suppression was added.

Group: core-security

I'll look into this

Assignee: nobody → allstars.chh
Group: core-security → javascript-core-security

sec-high might be overstating a race, but having it the JS engine itself is worrying.

Also, Tyson said this is a fuzzblocker because it is happening so much, so presumably it is not very difficult to discover and not very difficult to trigger.

This is another instance of bug 1506798 where IsForwarded called on a shape is racing with updating that Shape's BaseShape pointer.

(The stacks are hard to understand because optimisation has combined equivalent functions with different types. Thus the types are wrong in several places).

Assignee: allstars.chh → jcoppeard

Oh, this is actually the problem reported in bug 1600895 but the suppression isn't working because the types are wrong in the generated stacks.

This is a data race, but I don't think it is causing problems at the momment. It will go away when we get rid of ObjectGroups and is not trivial to fix, hence the decision to suppress it.

The stacks generated have incorrect types due to optimisation so the existing suppression wasn't catching it (note appearance of BigInt in the logs -- onScopeEdge(js::Scope**) calls updateEdge<JS::BigInt> which is clearly bogus). This change broadens the suppression to one that looks like it will match this based on these logs.

Group: javascript-core-security
Keywords: sec-high
Pushed by
Broaden the race supression for compacting race between updating ObjectGroups and Shapes r=sfink
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Regressions: 1645710
You need to log in before you can comment on or make changes to this bug.