Closed Bug 1681297 Opened 3 years ago Closed 3 years ago

Intermittent SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1185:14 in mark<js::jit::JitCode>

Categories: Core :: JavaScript: GC, defect, P1

Tracking: RESOLVED FIXED, 86 Branch
Tracking Status: firefox86 --- fixed

People: Reporter: aryx, Assigned: jonco

References: Blocks 1 open bug

Details: Keywords: csectype-race, intermittent-failure, sec-moderate; Whiteboard: [post-critsmash-triage][adv-main86+r]

Attachments: 2 files

Log: https://treeherder.mozilla.org/logviewer?job_id=323889230&repo=try&lineNumber=3394

TEST-START | browser/components/protections/test/browser/browser_protections_monitor.js
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | 1607427921708	FirefoxAccounts	ERROR	FxA rejecting with error NO_ACCOUNT, details: undefined
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
GECKO(2626) | 1607427922699	FirefoxAccounts	ERROR	FxA rejecting with error NO_ACCOUNT, details: undefined
GECKO(2626) | ==================
GECKO(2626) | WARNING: ThreadSanitizer: data race (pid=2783)
GECKO(2626) |   Write of size 8 at 0x7ba400000e30 by main thread:
GECKO(2626) |     #0 mark<js::jit::JitCode> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1185:14 (libxul.so+0x6cabedb)
GECKO(2626) |     #1 markAndPush<js::jit::JitCode> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1058:8 (libxul.so+0x6cabedb)
GECKO(2626) |     #2 traverse<js::jit::JitCode *> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1074:3 (libxul.so+0x6cabedb)
GECKO(2626) |     #3 DoMarking<js::jit::JitCode> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:950:13 (libxul.so+0x6cabedb)
GECKO(2626) |     #4 bool js::gc::TraceEdgeInternal<js::jit::JitCode*>(JSTracer*, js::jit::JitCode**, char const*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:676:5 (libxul.so+0x6cabedb)
GECKO(2626) |     #5 TraceManuallyBarrieredEdge<js::jit::JitCode *> /builds/worker/checkouts/gecko/js/src/gc/Tracer.h:202:3 (libxul.so+0x6c8f7db)
GECKO(2626) |     #6 operator()<js::jit::JitCode *> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:637:35 (libxul.so+0x6c8f7db)
GECKO(2626) |     #7 MapGCThingTyped<(lambda at /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:636:33)> /builds/worker/workspace/obj-build/dist/include/js/TraceKind.h:257:5 (libxul.so+0x6c8f7db)
GECKO(2626) |     #8 js::TraceManuallyBarrieredGenericPointerEdge(JSTracer*, js::gc::Cell**, char const*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:635:17 (libxul.so+0x6c8f7db)
GECKO(2626) |     #9 ReadBarrierImpl /builds/worker/checkouts/gecko/js/src/gc/Cell.h:483:5 (libxul.so+0x72d5178)
GECKO(2626) |     #10 ReadBarrier<js::jit::JitCode> /builds/worker/checkouts/gecko/js/src/gc/Cell.h:463:5 (libxul.so+0x72d5178)
GECKO(2626) |     #11 readBarrier /builds/worker/checkouts/gecko/js/src/gc/Barrier.h:342:35 (libxul.so+0x72d5178)
GECKO(2626) |     #12 read /builds/worker/checkouts/gecko/js/src/gc/Barrier.h:750:23 (libxul.so+0x72d5178)
GECKO(2626) |     #13 get /builds/worker/checkouts/gecko/js/src/gc/Barrier.h:801:13 (libxul.so+0x72d5178)
GECKO(2626) |     #14 operator js::jit::JitCode *const & /builds/worker/checkouts/gecko/js/src/gc/Barrier.h:810:38 (libxul.so+0x72d5178)
GECKO(2626) |     #15 js::jit::JitZone::getBaselineCacheIRStubCode(js::jit::CacheIRStubKey::Lookup const&, js::jit::CacheIRStubInfo**) /builds/worker/checkouts/gecko/js/src/jit/JitZone.h:128:14 (libxul.so+0x72d5178)
GECKO(2626) |     #16 js::jit::AttachBaselineCacheIRStub(JSContext*, js::jit::CacheIRWriter const&, js::jit::CacheKind, js::jit::BaselineCacheIRStubKind, JSScript*, js::jit::ICScript*, js::jit::ICFallbackStub*, bool*) /builds/worker/checkouts/gecko/js/src/jit/BaselineCacheIRCompiler.cpp:2376:28 (libxul.so+0x72d47fd)
GECKO(2626) |     #17 js::jit::TryAttachGetPropStub(char const*, JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, js::jit::CacheKind, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:874:13 (libxul.so+0x6d53d73)
GECKO(2626) |     #18 js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetProp_Fallback*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1538:3 (libxul.so+0x6d5ae7d)
GECKO(2626) |     #19 <null> <null> (0x7f524c41c7a4)
GECKO(2626) |     #20 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3327:40 (libxul.so+0x65777b0)
GECKO(2626) |     #21 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:473:13 (libxul.so+0x6569be1)
GECKO(2626) |     #22 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:13 (libxul.so+0x65825da)
GECKO(2626) |     #23 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0x6582fa6)
GECKO(2626) |     #24 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:8 (libxul.so+0x6582fa6)
GECKO(2626) |     #25 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2838:10 (libxul.so+0x6a3177d)
GECKO(2626) |     #26 mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8 (libxul.so+0x30f2146)
GECKO(2626) |     #27 HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:80:12 (libxul.so+0x44494f3)
GECKO(2626) |     #28 HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:93:12 (libxul.so+0x44494f3)
GECKO(2626) |     #29 mozilla::dom::JSWindowActorProtocol::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSWindowActorProtocol.cpp:203:18 (libxul.so+0x44494f3)
GECKO(2626) |     #30 non-virtual thunk to mozilla::dom::JSWindowActorProtocol::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSWindowActorProtocol.cpp (libxul.so+0x44495e2)
GECKO(2626) |     #31 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1080:22 (libxul.so+0x373c2e8)
GECKO(2626) |     #32 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1271:17 (libxul.so+0x373cd46)
GECKO(2626) |     #33 HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:354:5 (libxul.so+0x37336f6)
GECKO(2626) |     #34 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:352:17 (libxul.so+0x37336f6)
GECKO(2626) |     #35 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:590:14 (libxul.so+0x3732c3c)
GECKO(2626) |     #36 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1089:11 (libxul.so+0x3735506)
GECKO(2626) |     #37 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp (libxul.so+0x3737750)
GECKO(2626) |     #38 mozilla::dom::Document::DispatchPageTransition(mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, bool, bool, bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11128:3 (libxul.so+0x239a000)
GECKO(2626) |     #39 mozilla::dom::Document::OnPageHide(bool, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11266:7 (libxul.so+0x239a98c)
GECKO(2626) |     #40 nsDocumentViewer::PageHide(bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1394:14 (libxul.so+0x4ba029b)
GECKO(2626) |     #41 nsDocShell::FirePageHideNotificationInternal(bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:1118:20 (libxul.so+0x5f0ffa4)
GECKO(2626) |     #42 FirePageHideNotification /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:1102:3 (libxul.so+0x5f07aef)
GECKO(2626) |     #43 nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:7775:3 (libxul.so+0x5f07aef)
GECKO(2626) |     #44 nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/checkouts/gecko/docshell/base/nsDSURIContentListener.cpp:178:20 (libxul.so+0x5f071e1)
GECKO(2626) |     #45 nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:597:18 (libxul.so+0x1a2b0e1)
GECKO(2626) |     #46 nsDocumentOpenInfo::TryDefaultContentListener(nsIChannel*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:626:12 (libxul.so+0x1a2bd00)
GECKO(2626) |     #47 nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:276:9 (libxul.so+0x1a29c00)
GECKO(2626) |     #48 nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:154:8 (libxul.so+0x1a2931c)
GECKO(2626) |     #49 nsJARChannel::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/modules/libjar/nsJARChannel.cpp:1002:28 (libxul.so+0x197e699)
GECKO(2626) |     #50 non-virtual thunk to nsJARChannel::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/modules/libjar/nsJARChannel.cpp (libxul.so+0x1980952)
GECKO(2626) |     #51 nsInputStreamPump::OnStateStart() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:481:21 (libxul.so+0xc7ba73)
GECKO(2626) |     #52 nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:390:21 (libxul.so+0xc7b5d5)
GECKO(2626) |     #53 non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp (libxul.so+0xc7c759)
GECKO(2626) |     #54 nsInputStreamReadyEvent::Run() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:94:20 (libxul.so+0xae6c7c)
GECKO(2626) |     #55 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:452:16 (libxul.so+0xb14bc7)
GECKO(2626) |     #56 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:732:26 (libxul.so+0xb12c60)
GECKO(2626) |     #57 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:591:15 (libxul.so+0xb118c6)
GECKO(2626) |     #58 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:375:36 (libxul.so+0xb11b64)
GECKO(2626) |     #59 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:122:37 (libxul.so+0xb17a34)
GECKO(2626) |     #60 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5 (libxul.so+0xb17a34)
GECKO(2626) |     #61 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14 (libxul.so+0xb27bcb)
GECKO(2626) |     #62 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10 (libxul.so+0xb2d682)
GECKO(2626) |     #63 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21 (libxul.so+0x13f4ead)
GECKO(2626) |     #64 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:270:30 (libxul.so+0x13f588b)
GECKO(2626) |     #65 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10 (libxul.so+0x138660c)
GECKO(2626) |     #66 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3 (libxul.so+0x138660c)
GECKO(2626) |     #67 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3 (libxul.so+0x138660c)
GECKO(2626) |     #68 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27 (libxul.so+0x4849233)
GECKO(2626) |     #69 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20 (libxul.so+0x64522d9)
GECKO(2626) |     #70 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9 (libxul.so+0x13f583a)
GECKO(2626) |     #71 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10 (libxul.so+0x138660c)
GECKO(2626) |     #72 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3 (libxul.so+0x138660c)
GECKO(2626) |     #73 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3 (libxul.so+0x138660c)
GECKO(2626) |     #74 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34 (libxul.so+0x6452052)
GECKO(2626) |     #75 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x6459902)
GECKO(2626) |     #76 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xc78f2)
GECKO(2626) |     #77 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18 (firefox+0xc78f2)
GECKO(2626) |   Previous write of size 8 at 0x7ba400000e30 by thread T10:
GECKO(2626) |     #0 mark<JSString> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1185:14 (libxul.so+0x6c91850)
GECKO(2626) |     #1 markAndScan<JSString> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1032:7 (libxul.so+0x6c91850)
GECKO(2626) |     #2 void js::GCMarker::traverse<JSString*>(JSString*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1039:3 (libxul.so+0x6c91850)
GECKO(2626) |     #3 DoMarking<JSString> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:950:13 (libxul.so+0x6cac6a9)
GECKO(2626) |     #4 bool js::gc::TraceEdgeInternal<JSString*>(JSTracer*, JSString**, char const*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:676:5 (libxul.so+0x6cac6a9)
GECKO(2626) |     #5 TraceManuallyBarrieredEdge<JSString *> /builds/worker/checkouts/gecko/js/src/gc/Tracer.h:202:3 (libxul.so+0x6c8f809)
GECKO(2626) |     #6 operator()<JSString *> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:637:35 (libxul.so+0x6c8f809)
GECKO(2626) |     #7 MapGCThingTyped<(lambda at /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:636:33)> /builds/worker/workspace/obj-build/dist/include/js/TraceKind.h:257:5 (libxul.so+0x6c8f809)
GECKO(2626) |     #8 js::TraceManuallyBarrieredGenericPointerEdge(JSTracer*, js::gc::Cell**, char const*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:635:17 (libxul.so+0x6c8f809)
GECKO(2626) |     #9 PreWriteBarrierImpl /builds/worker/checkouts/gecko/js/src/gc/Cell.h:536:5 (libxul.so+0x6c4c2a9)
GECKO(2626) |     #10 js::gc::IdPreWriteBarrier(JS::PropertyKey) /builds/worker/checkouts/gecko/js/src/gc/Barrier.cpp:172:5 (libxul.so+0x6c4c2a9)
GECKO(2626) |     #11 preBarrier /builds/worker/checkouts/gecko/js/src/gc/Barrier.h:404:7 (libxul.so+0x660be98)
GECKO(2626) |     #12 pre /builds/worker/checkouts/gecko/js/src/gc/Barrier.h:477:16 (libxul.so+0x660be98)
GECKO(2626) |     #13 ~PreBarriered /builds/worker/checkouts/gecko/js/src/gc/Barrier.h:514:27 (libxul.so+0x660be98)
GECKO(2626) |     #14 mozilla::HashMapEntry<js::PreBarriered<JS::PropertyKey>, js::IndirectBindingMap::Binding>::~HashMapEntry() /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:101:7 (libxul.so+0x660be98)
GECKO(2626) |     #15 destroyStoredT /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1047:11 (libxul.so+0x661d2a2)
GECKO(2626) |     #16 operator() /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1658:25 (libxul.so+0x661d2a2)
GECKO(2626) |     #17 forEachSlot<(lambda at /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1656:39)> /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1192:7 (libxul.so+0x661d2a2)
GECKO(2626) |     #18 destroyTable /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1656:5 (libxul.so+0x661d2a2)
GECKO(2626) |     #19 ~HashTable /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:1691:7 (libxul.so+0x661d2a2)
GECKO(2626) |     #20 ~HashMap /builds/worker/workspace/obj-build/dist/include/mozilla/HashTable.h:142:7 (libxul.so+0x661d2a2)
GECKO(2626) |     #21 ~MaybeStorage /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:283:24 (libxul.so+0x661d2a2)
GECKO(2626) |     #22 ~IndirectBindingMap /builds/worker/checkouts/gecko/js/src/builtin/ModuleObject.h:127:7 (libxul.so+0x661d2a2)
GECKO(2626) |     #23 void JSFreeOp::delete_<js::IndirectBindingMap>(js::gc::Cell*, js::IndirectBindingMap*, unsigned long, js::MemoryUse) /builds/worker/checkouts/gecko/js/src/gc/FreeOp.h:118:11 (libxul.so+0x661d2a2)
GECKO(2626) |     #24 delete_<js::IndirectBindingMap> /builds/worker/checkouts/gecko/js/src/gc/FreeOp.h:106:5 (libxul.so+0x65ee62d)
GECKO(2626) |     #25 js::ModuleObject::finalize(JSFreeOp*, JSObject*) /builds/worker/checkouts/gecko/js/src/builtin/ModuleObject.cpp:775:10 (libxul.so+0x65ee62d)
GECKO(2626) |     #26 doFinalize /builds/worker/workspace/obj-build/dist/include/js/Class.h:802:5 (libxul.so+0x6c80b89)
GECKO(2626) |     #27 finalize /builds/worker/checkouts/gecko/js/src/vm/JSObject-inl.h:101:12 (libxul.so+0x6c80b89)
GECKO(2626) |     #28 unsigned long js::gc::Arena::finalize<JSObject>(JSFreeOp*, js::gc::AllocKind, unsigned long) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:484:10 (libxul.so+0x6c80b89)
GECKO(2626) |     #29 FinalizeTypedArenas<JSObject> /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:539:29 (libxul.so+0x6c5c2ae)
GECKO(2626) |     #30 FinalizeArenas(JSFreeOp*, js::gc::Arena**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:567:5 (libxul.so+0x6c5c2ae)
GECKO(2626) |     #31 js::gc::ArenaLists::backgroundFinalize(JSFreeOp*, js::gc::Arena*, js::gc::Arena**) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:2821:3 (libxul.so+0x6c5a90d)
GECKO(2626) |     #32 js::gc::GCRuntime::sweepBackgroundThings(js::gc::ZoneList&) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3358:11 (libxul.so+0x6c601ff)
GECKO(2626) |     #33 js::gc::GCRuntime::sweepFromBackgroundThread(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3430:5 (libxul.so+0x6c606b0)
GECKO(2626) |     #34 js::gc::BackgroundSweepTask::run(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3421:7 (libxul.so+0x6c60628)
GECKO(2626) |     #35 runTask /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:145:3 (libxul.so+0x6c7cda1)
GECKO(2626) |     #36 js::GCParallelTask::runHelperThreadTask(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:132:3 (libxul.so+0x6c7cda1)
GECKO(2626) |     #37 runTaskLocked /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2676:9 (libxul.so+0x67712a6)
GECKO(2626) |     #38 js::HelperThread::threadLoop() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2648:25 (libxul.so+0x67712a6)
GECKO(2626) |     #39 js::HelperThread::ThreadMain(void*) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2349:11 (libxul.so+0x677110d)
GECKO(2626) |     #40 callMain<0> /builds/worker/checkouts/gecko/js/src/threading/Thread.h:217:5 (libxul.so+0x67b4100)
GECKO(2626) |     #41 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) /builds/worker/checkouts/gecko/js/src/threading/Thread.h:206:11 (libxul.so+0x67b4100)
GECKO(2626) |   Location is heap block of size 19024 at 0x7ba400000000 allocated by main thread:
GECKO(2626) |     #0 malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:652:5 (firefox+0x54e5c)
GECKO(2626) |     #1 malloc /builds/worker/checkouts/gecko/memory/build/malloc_decls.h:51:1 (firefox+0xc98e5)
GECKO(2626) |     #2 moz_arena_malloc /builds/worker/checkouts/gecko/memory/build/malloc_decls.h:51:1 (firefox+0xc98e5)
GECKO(2626) |     #3 moz_arena_malloc /builds/worker/checkouts/gecko/memory/build/malloc_decls.h:133:1 (firefox+0xc98e5)
GECKO(2626) |     #4 js_arena_malloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:385:10 (libxul.so+0x67b9e72)
GECKO(2626) |     #5 js_malloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:389:10 (libxul.so+0x67b9e72)
GECKO(2626) |     #6 js_new<JSRuntime, JSRuntime *&> /builds/worker/workspace/obj-build/dist/include/js/Utility.h:538:1 (libxul.so+0x67b9e72)
GECKO(2626) |     #7 js::NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/vm/JSContext.cpp:166:24 (libxul.so+0x67b9e72)
GECKO(2626) |     #8 JS_NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:401:10 (libxul.so+0x6a269a4)
GECKO(2626) |     #9 mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:127:16 (libxul.so+0xa2977b)
GECKO(2626) |     #10 XPCJSContext::Initialize() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1202:32 (libxul.so+0x1929d6a)
GECKO(2626) |     #11 XPCJSContext::NewXPCJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1404:23 (libxul.so+0x192a937)
GECKO(2626) |     #12 InitJSContext /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:83:25 (libxul.so+0x19666c3)
GECKO(2626) |     #13 xpc::InitializeJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:98:35 (libxul.so+0x19666c3)
GECKO(2626) |     #14 NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:488:5 (libxul.so+0xb5da72)
GECKO(2626) |     #15 XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:186:8 (libxul.so+0x64517f4)
GECKO(2626) |     #16 mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp (libxul.so+0x13faa04)
GECKO(2626) |     #17 mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:183:13 (libxul.so+0x43fa2de)
GECKO(2626) |     #18 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:699:21 (libxul.so+0x6452028)
GECKO(2626) |     #19 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x6459902)
GECKO(2626) |     #20 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xc78f2)
GECKO(2626) |     #21 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18 (firefox+0xc78f2)
GECKO(2626) |   Thread T10 'JS Helper' (tid=2796, running) created by main thread at:
GECKO(2626) |     #0 pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:966:3 (firefox+0x5668b)
GECKO(2626) |     #1 js::Thread::create(void* (*)(void*), void*) /builds/worker/checkouts/gecko/js/src/threading/posix/PosixThread.cpp:54:7 (libxul.so+0x6669e21)
GECKO(2626) |     #2 bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&)(void*), js::HelperThread*&&) /builds/worker/checkouts/gecko/js/src/threading/Thread.h:90:12 (libxul.so+0x6771022)
GECKO(2626) |     #3 init /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2303:17 (libxul.so+0x676c8dc)
GECKO(2626) |     #4 js::GlobalHelperThreadState::ensureThreadCount(unsigned long) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1306:29 (libxul.so+0x676c8dc)
GECKO(2626) |     #5 ensureInitialized /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1273:10 (libxul.so+0x67665b2)
GECKO(2626) |     #6 js::EnsureHelperThreadsInitialized() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:103:30 (libxul.so+0x67665b2)
GECKO(2626) |     #7 JSRuntime::init(JSContext*, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:200:32 (libxul.so+0x685d952)
GECKO(2626) |     #8 js::NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/vm/JSContext.cpp:183:17 (libxul.so+0x67b9f7b)
GECKO(2626) |     #9 JS_NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:401:10 (libxul.so+0x6a269a4)
GECKO(2626) |     #10 mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:127:16 (libxul.so+0xa2977b)
GECKO(2626) |     #11 XPCJSContext::Initialize() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1202:32 (libxul.so+0x1929d6a)
GECKO(2626) |     #12 XPCJSContext::NewXPCJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1404:23 (libxul.so+0x192a937)
GECKO(2626) |     #13 InitJSContext /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:83:25 (libxul.so+0x19666c3)
GECKO(2626) |     #14 xpc::InitializeJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:98:35 (libxul.so+0x19666c3)
GECKO(2626) |     #15 NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:488:5 (libxul.so+0xb5da72)
GECKO(2626) |     #16 XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:186:8 (libxul.so+0x64517f4)
GECKO(2626) |     #17 mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp (libxul.so+0x13faa04)
GECKO(2626) |     #18 mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:183:13 (libxul.so+0x43fa2de)
GECKO(2626) |     #19 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:699:21 (libxul.so+0x6452028)
GECKO(2626) |     #20 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x6459902)
GECKO(2626) |     #21 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xc78f2)
GECKO(2626) |     #22 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18 (firefox+0xc78f2)
GECKO(2626) | SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1185:14 in mark<js::jit::JitCode>
GECKO(2626) | ==================
TEST-INFO | started process screentopng
TEST-INFO | screentopng: exit 0
Buffered messages logged at 11:45:20
Entering test bound 
Buffered messages logged at 11:45:21
Console message: [JavaScript Error: "Error: Can't find profile directory." {file: "resource://gre/modules/XULStore.jsm" line: 66}]
load@resource://gre/modules/XULStore.jsm:66:15
XULStore@resource://gre/modules/XULStore.jsm:24:10

...

Buffered messages finished
TEST-UNEXPECTED-FAIL | browser/components/protections/test/browser/browser_protections_monitor.js | Test timed out - 
GECKO(2626) | MEMORY STAT | vsize 130551090MB | residentFast 2084MB
TEST-OK | browser/components/protections/test/browser/browser_protections_monitor.js | took 120123ms
Not taking screenshot here: see the one that was previously logged
TEST-UNEXPECTED-FAIL | browser/components/protections/test/browser/browser_protections_monitor.js | Found a tab after previous test timed out: about:protections -

To summarize, the main thread is doing a write via a read barrier on JIT code in js::jit::JitZone::getBaselineCacheIRStubCode().

That write is racing with a previous write, that is a write barrier on a JS string because we're destroying some hash table of PropertyKeys via js::ModuleObject::finalize(), on a JS helper thread.

If these function names are right, it seems bad that we're treating a single location as two different types.

Flags: needinfo?(jcoppeard)
Keywords: csectype-race
Blocks: tsan

Fortunately we're not treating a location as two different types. It's racing on updating a count of marked cells.

What's happening is that we're triggering a pre barrier on an atom pointer during background finalization. We check a flag on the zone to see if the barrier is needed (barriers aren't needed during finalization) but this doesn't work for cross-zone pointers into the atoms zone (barriers are still enabled on the atoms zone at this point). So we're doing an unnecessary barrier and it's causing this race.

It would be great if we could skip performing this barrier. I'm not sure how to do that without doing a TLS lookup to check the current thread, and I'd like to avoid doing that as part of the barrier if possible.

Assignee: nobody → jcoppeard
Severity: -- → S4
Flags: needinfo?(jcoppeard)
Priority: -- → P1

The problem here is that we can trigger this barrier when background
finalization destroys HeapPtrs to things in the atoms zone, since the atoms
zone may still be marking at this point. (Usually cross-zone edges are stored in
the private pointer of a cross-compartment wrapper.)

To avoid the possibility of races the patch checks the current thread when the
target thing is in the atoms zone. To make this work without pulling the whole
of Zone.h into Cell.h I had to move some of the zone's flags into shadow::Zone.
I'll tidy that a little in the next patch.

Following on from the previous patch which moved the individual flags for the
zone kind into shadow::Zone, we can replace these by a single kind enum which
is set once when the zone is created.

Depends on D99782
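
A simplified model of the barrier check described in the two patch descriptions above, added here as an illustration; it is not SpiderMonkey code and is not taken from the patches. All type and function names are hypothetical, the runtime's owning thread is assumed to be the main thread, and `offThreadUpdates` is instrumentation added so the effect can be observed.

```cpp
// Model of a pre-write barrier that fires during background finalization.
// Hypothetical names throughout; not the project's own code.
#include <cstddef>
#include <cstdio>
#include <thread>

// Zone kind as a single value fixed at creation, as in the second patch description.
enum class ZoneKind { Normal, Atoms };

struct Runtime {
    std::thread::id mainThread = std::this_thread::get_id();
    size_t markedCells = 0;       // plain, non-atomic count: only safe on the main thread
    size_t offThreadUpdates = 0;  // instrumentation: count updates made by other threads
};

struct Zone {
    const ZoneKind kind;
    bool needsIncrementalBarrier;  // false once the zone is being swept
};

struct Cell {
    Zone* zone;
    bool marked = false;
};

// Marking bumps the shared count. Done from two threads at once, this is the
// kind of unsynchronized write the sanitizer reported.
static void mark(Runtime& rt, Cell& cell) {
    if (cell.marked) return;
    cell.marked = true;
    if (std::this_thread::get_id() != rt.mainThread) rt.offThreadUpdates++;
    rt.markedCells++;
}

// Before: only the target zone's flag is consulted. A pointer into the atoms
// zone still triggers marking, even from a finalizer on a helper thread.
static void preWriteBarrierFlagOnly(Runtime& rt, Cell* target) {
    if (target && target->zone->needsIncrementalBarrier) mark(rt, *target);
}

// After: when the target is in the atoms zone, also check the current thread
// and skip the barrier off the main thread.
static void preWriteBarrierThreadChecked(Runtime& rt, Cell* target) {
    if (!target || !target->zone->needsIncrementalBarrier) return;
    if (target->zone->kind == ZoneKind::Atoms &&
        std::this_thread::get_id() != rt.mainThread) {
        return;
    }
    mark(rt, *target);
}

using Barrier = void (*)(Runtime&, Cell*);

struct Result {
    size_t marked;
    size_t offThread;
};

// A helper thread finalizes an object in a swept zone. The object holds one
// pointer to an atom (atoms zone still marking) and one same-zone pointer.
static Result finalizeOnHelper(Barrier barrier) {
    Runtime rt;
    Zone atoms{ZoneKind::Atoms, true};
    Zone swept{ZoneKind::Normal, false};
    Cell atom{&atoms};
    Cell local{&swept};
    Cell* edges[] = {&atom, &local};
    std::thread helper([&] {
        for (Cell*& edge : edges) {
            barrier(rt, edge);  // destroying the pointer runs the pre-barrier
            edge = nullptr;
        }
    });
    helper.join();  // joined before reading, so the model itself has no race
    return {rt.markedCells, rt.offThreadUpdates};
}

// The same atom pointer overwritten on the main thread must still be marked.
static Result overwriteOnMainThread(Barrier barrier) {
    Runtime rt;
    Zone atoms{ZoneKind::Atoms, true};
    Cell atom{&atoms};
    barrier(rt, &atom);
    return {rt.markedCells, rt.offThreadUpdates};
}

int main() {
    Result before = finalizeOnHelper(preWriteBarrierFlagOnly);
    Result after = finalizeOnHelper(preWriteBarrierThreadChecked);
    Result mainThread = overwriteOnMainThread(preWriteBarrierThreadChecked);
    std::printf("flag-only check:      off-thread count updates = %zu\n", before.offThread);
    std::printf("thread-checked:       off-thread count updates = %zu\n", after.offThread);
    std::printf("main-thread barrier:  cells marked = %zu\n", mainThread.marked);
    return 0;
}
```
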

Attachment #9193246 - Attachment description: Bug 1681297 - Refactor JS::shadow::Zone flats into a single enum and make it const r?jandem → Bug 1681297 - Refactor JS::shadow::Zone flags into a single enum and make it const r?jandem
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

How far back does this go? Should we consider backporting?

Group: javascript-core-security → core-security-release
Flags: needinfo?(jcoppeard)
Flags: in-testsuite+
Target Milestone: --- → 86 Branch

This has been around for a while but I don't think it is actually causing a problem so let's let this ride the trains.

Flags: needinfo?(jcoppeard)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main86+r]
Group: core-security-release
Blocks: 1664535