Closed Bug 1789503 (CVE-2022-42930) Opened 2 years ago Closed 2 years ago

ThreadSanitizer: data race in XPCOMService_GetThirdPartyUtil

Categories

(Core :: Networking, defect, P2)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox105 --- wontfix
firefox106 --- fixed

People

(Reporter: arminius, Assigned: nika)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, sec-moderate, Whiteboard: [fixed by bug 1789902][necko-triaged][post-critsmash-triage][adv-main106+])

Attachments

(1 file)

advisory.txt
197 bytes, text/plain
Details

This data race occurred when two Worker() threads were concurrently initializing their CacheStorage.

Since the CacheStorage is created lazily, that would happen when accessing the caches global the first time, e.g.:

new Worker(URL.createObjectURL(new Blob(["self.caches"])))

TSAN report from m-c-20220901215206-tsan-opt:

WARNING: ThreadSanitizer: data race (pid=2832989)
  Read of size 8 at 0x7f2d10df5c28 by thread T26:
    #0 XPCOMService_GetThirdPartyUtil /builds/worker/workspace/obj-build/xpcom/build/Services.cpp:465:8 (libxul.so+0x1219e25) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #1 xpcom::services::get_ThirdPartyUtil::hc14c5b99fc9b0511 /builds/worker/workspace/obj-build/xpcom/build/services.rs:173:43 (libxul.so+0x9d14f58) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #2 mozurl::get_base_domain::h344f0f5988d19466 /builds/worker/checkouts/gecko/netwerk/base/mozurl/src/lib.rs:319:36 (libxul.so+0x9d14f58)
    #3 mozurl_base_domain /builds/worker/checkouts/gecko/netwerk/base/mozurl/src/lib.rs:358:15 (libxul.so+0x9d14f58)
    #4 BaseDomain /builds/worker/workspace/obj-build/dist/include/mozilla/net/MozURL.h:76:12 (libxul.so+0x5000d56) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #5 mozilla::dom::quota::QuotaManager::IsPrincipalInfoValid(mozilla::ipc::PrincipalInfo const&) /builds/worker/checkouts/gecko/dom/quota/ActorsParent.cpp:6834:21 (libxul.so+0x5000d56)
    #6 BaseDomain /builds/worker/workspace/obj-build/dist/include/mozilla/net/MozURL.h:76:12 (libxul.so+0x5000d56) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #7 mozilla::dom::quota::QuotaManager::IsPrincipalInfoValid(mozilla::ipc::PrincipalInfo const&) /builds/worker/checkouts/gecko/dom/quota/ActorsParent.cpp:6834:21 (libxul.so+0x5000d56)
    #8 mozilla::dom::cache::CacheStorage::CreateOnWorker(mozilla::dom::cache::Namespace, nsIGlobalObject*, mozilla::dom::WorkerPrivate*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/cache/CacheStorage.cpp:195:3 (libxul.so+0x3d96b4b) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #9 mozilla::dom::WorkerGlobalScope::GetCaches(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/WorkerScope.cpp:439:21 (libxul.so+0x5675d9c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #10 mozilla::dom::WorkerGlobalScope_Binding::get_caches(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/WorkerGlobalScopeBinding.cpp:2024:86 (libxul.so+0x38dae89) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #11 bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3169:13 (libxul.so+0x3d636dd) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #12 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13 (libxul.so+0x96f531f) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #13 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:546:12 (libxul.so+0x96f531f)
    #14 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:613:10 (libxul.so+0x96f611c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #15 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:8 (libxul.so+0x96f611c)
    #16 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:774:10 (libxul.so+0x96f6ed5) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #17 CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:1974:12 (libxul.so+0x8972275) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #18 GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2002:12 (libxul.so+0x8972275)
    #19 NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2150:14 (libxul.so+0x8972275)
    #20 js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2181:10 (libxul.so+0x8972275)
    #21 GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:118:10 (libxul.so+0x96f96a9) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #22 GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:125:10 (libxul.so+0x96f96a9)
    #23 js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4719:10 (libxul.so+0x96f96a9)
    #24 GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:244:10 (libxul.so+0x96e7694) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #25 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3029:12 (libxul.so+0x96e7694)
    #26 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:430:13 (libxul.so+0x96de514) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #27 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:824:13 (libxul.so+0x96f7272) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #28 js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:856:10 (libxul.so+0x96f7439) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #29 EvaluateSourceBuffer<mozilla::Utf8Unit> /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:584:10 (libxul.so+0x886a41c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #30 JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:592:10 (libxul.so+0x886a41c)
    #31 EvaluateSourceBuffer<mozilla::Utf8Unit> /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:419:10 (libxul.so+0x563c12e) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #32 mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:956:13 (libxul.so+0x563c12e)
    #33 mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:628:10 (libxul.so+0x563bd44) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #34 mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1076:24 (libxul.so+0x563e853) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #35 mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12 (libxul.so+0x56723f2) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #36 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x11db178) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #37 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11e1645) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #38 mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4200:7 (libxul.so+0x56680c6) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #39 mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1504:27 (libxul.so+0x43b25c7) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #40 mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder> >, nsTArray<nsTString<char16_t> > const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:262:14 (libxul.so+0x563f219) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #41 mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder> >, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1215:3 (libxul.so+0x563eeac) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #42 mozilla::dom::(anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:380:5 (libxul.so+0x567f8a7) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #43 mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12 (libxul.so+0x56723f2) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #44 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x11db178) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #45 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11e1645) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #46 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3204:7 (libxul.so+0x5662d29) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #47 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2042:42 (libxul.so+0x564d043) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #48 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x11db178) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #49 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11e1645) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #50 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x1e471de) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #51 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d64d9c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #52 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d64d9c)
    #53 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d64d9c)
    #54 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10 (libxul.so+0x11d6536) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #55 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4615d) (BuildId: 1c90f7fc05ccccdc86ccc4366be2a66c20feacf7)

  Previous write of size 8 at 0x7f2d10df5c28 by thread T24:
    #0 swap /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:822:10 (libxul.so+0x1219e71) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #1 XPCOMService_GetThirdPartyUtil /builds/worker/workspace/obj-build/xpcom/build/Services.cpp:467:8 (libxul.so+0x1219e71)
    #2 xpcom::services::get_ThirdPartyUtil::hc14c5b99fc9b0511 /builds/worker/workspace/obj-build/xpcom/build/services.rs:173:43 (libxul.so+0x9d14f58) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #3 mozurl::get_base_domain::h344f0f5988d19466 /builds/worker/checkouts/gecko/netwerk/base/mozurl/src/lib.rs:319:36 (libxul.so+0x9d14f58)
    #4 mozurl_base_domain /builds/worker/checkouts/gecko/netwerk/base/mozurl/src/lib.rs:358:15 (libxul.so+0x9d14f58)
    #5 BaseDomain /builds/worker/workspace/obj-build/dist/include/mozilla/net/MozURL.h:76:12 (libxul.so+0x5000d56) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #6 mozilla::dom::quota::QuotaManager::IsPrincipalInfoValid(mozilla::ipc::PrincipalInfo const&) /builds/worker/checkouts/gecko/dom/quota/ActorsParent.cpp:6834:21 (libxul.so+0x5000d56)
    #7 BaseDomain /builds/worker/workspace/obj-build/dist/include/mozilla/net/MozURL.h:76:12 (libxul.so+0x5000d56) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #8 mozilla::dom::quota::QuotaManager::IsPrincipalInfoValid(mozilla::ipc::PrincipalInfo const&) /builds/worker/checkouts/gecko/dom/quota/ActorsParent.cpp:6834:21 (libxul.so+0x5000d56)
    #9 mozilla::dom::cache::CacheStorage::CreateOnWorker(mozilla::dom::cache::Namespace, nsIGlobalObject*, mozilla::dom::WorkerPrivate*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/cache/CacheStorage.cpp:195:3 (libxul.so+0x3d96b4b) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #10 mozilla::dom::WorkerGlobalScope::GetCaches(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/WorkerScope.cpp:439:21 (libxul.so+0x5675d9c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #11 mozilla::dom::WorkerGlobalScope_Binding::get_caches(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/WorkerGlobalScopeBinding.cpp:2024:86 (libxul.so+0x38dae89) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #12 bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3169:13 (libxul.so+0x3d636dd) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #13 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13 (libxul.so+0x96f531f) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #14 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:546:12 (libxul.so+0x96f531f)
    #15 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:613:10 (libxul.so+0x96f611c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #16 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:8 (libxul.so+0x96f611c)
    #17 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:774:10 (libxul.so+0x96f6ed5) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #18 CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:1974:12 (libxul.so+0x8972275) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #19 GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2002:12 (libxul.so+0x8972275)
    #20 NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2150:14 (libxul.so+0x8972275)
    #21 js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2181:10 (libxul.so+0x8972275)
    #22 GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:118:10 (libxul.so+0x96f96a9) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #23 GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:125:10 (libxul.so+0x96f96a9)
    #24 js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4719:10 (libxul.so+0x96f96a9)
    #25 GetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:244:10 (libxul.so+0x96e7694) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #26 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3029:12 (libxul.so+0x96e7694)
    #27 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:430:13 (libxul.so+0x96de514) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #28 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:824:13 (libxul.so+0x96f7272) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #29 js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:856:10 (libxul.so+0x96f7439) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #30 EvaluateSourceBuffer<mozilla::Utf8Unit> /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:584:10 (libxul.so+0x886a41c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #31 JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:592:10 (libxul.so+0x886a41c)
    #32 EvaluateSourceBuffer<mozilla::Utf8Unit> /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:419:10 (libxul.so+0x563c12e) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #33 mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:956:13 (libxul.so+0x563c12e)
    #34 mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:628:10 (libxul.so+0x563bd44) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #35 mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1076:24 (libxul.so+0x563e853) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #36 mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12 (libxul.so+0x56723f2) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #37 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x11db178) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #38 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11e1645) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #39 mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4200:7 (libxul.so+0x56680c6) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #40 mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1504:27 (libxul.so+0x43b25c7) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #41 mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder> >, nsTArray<nsTString<char16_t> > const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:262:14 (libxul.so+0x563f219) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #42 mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder> >, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1215:3 (libxul.so+0x563eeac) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #43 mozilla::dom::(anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:380:5 (libxul.so+0x567f8a7) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #44 mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12 (libxul.so+0x56723f2) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #45 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x11db178) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #46 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11e1645) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #47 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3204:7 (libxul.so+0x5662d29) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #48 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2042:42 (libxul.so+0x564d043) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #49 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x11db178) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #50 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11e1645) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #51 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x1e471de) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #52 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d64d9c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #53 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d64d9c)
    #54 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d64d9c)
    #55 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10 (libxul.so+0x11d6536) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #56 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4615d) (BuildId: 1c90f7fc05ccccdc86ccc4366be2a66c20feacf7)

  Location is global 'gThirdPartyUtil' of size 8 at 0x7f2d10df5c28 (libxul.so+0xe1f5c28)

  Thread T26 'DOM Worker' (tid=2834988, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1022:3 (firefox+0x5dfdd) (BuildId: 1cc3162b5b2142f42fb41fc71067f0763f9ef4a6)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x3d1b5) (BuildId: 1c90f7fc05ccccdc86ccc4366be2a66c20feacf7)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x322a5) (BuildId: 1c90f7fc05ccccdc86ccc4366be2a66c20feacf7)
    #3 nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:618:18 (libxul.so+0x11d80b5) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7 (libxul.so+0x567c9b1) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1323:37 (libxul.so+0x5636872) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1205:19 (libxul.so+0x5635d5d) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2587:24 (libxul.so+0x565feb5) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #8 mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43:41 (libxul.so+0x563f4fe) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #9 mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1115:52 (libxul.so+0x38c94ed) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #10 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13 (libxul.so+0x96f6a21) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #11 CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:8 (libxul.so+0x96f6a21)
    #12 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:693:10 (libxul.so+0x96f6a21)
    #13 ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:721:10 (libxul.so+0x96eb1fe) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #14 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3359:16 (libxul.so+0x96eb1fe)
    #15 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:430:13 (libxul.so+0x96de514) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #16 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:824:13 (libxul.so+0x96f7272) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #17 js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:856:10 (libxul.so+0x96f7439) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #18 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:520:10 (libxul.so+0x8869d48) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #19 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:544:10 (libxul.so+0x8869f00) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #20 mozilla::dom::JSExecutionContext::ExecScript() /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:296:8 (libxul.so+0x2c12c8b) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #21 ExecuteCompiledScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2139:16 (libxul.so+0x5915425) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #22 mozilla::dom::ScriptLoader::EvaluateScript(nsIGlobalObject*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2402:12 (libxul.so+0x5915425)
    #23 mozilla::dom::ScriptLoader::EvaluateScriptElement(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2208:10 (libxul.so+0x5914a00) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #24 mozilla::dom::ScriptLoader::ProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1858:10 (libxul.so+0x5911546) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #25 mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, JS::loader::ScriptKind) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1269:10 (libxul.so+0x590f83c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #26 mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:910:10 (libxul.so+0x59051d2) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #27 mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:118:18 (libxul.so+0x5904cc5) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #28 AttemptToExecute /builds/worker/workspace/obj-build/dist/include/nsIScriptElement.h:221:18 (libxul.so+0x2281a42) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #29 nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:942:22 (libxul.so+0x2281a42)
    #30 nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:733:7 (libxul.so+0x227f7c9) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #31 nsHtml5ExecutorFlusher::Run() /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174:18 (libxul.so+0x2284b9d) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #32 mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20 (libxul.so+0x11bbebf) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #33 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16 (libxul.so+0x11f0b77) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #34 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26 (libxul.so+0x11c68a7) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #35 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15 (libxul.so+0x11c4d16) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #36 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36 (libxul.so+0x11c4ff4) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #37 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37 (libxul.so+0x11f4957) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #38 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x11f4957)
    #39 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16 (libxul.so+0x11daf52) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #40 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11e1645) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #41 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x1e465bb) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #42 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x1e470eb) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #43 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d64d9c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #44 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d64d9c)
    #45 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d64d9c)
    #46 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27 (libxul.so+0x5b90dc6) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #47 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20 (libxul.so+0x85ad6c9) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #48 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x1e4709d) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #49 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d64d9c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #50 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d64d9c)
    #51 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d64d9c)
    #52 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34 (libxul.so+0x85ace6c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #53 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x85b6462) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #54 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xdefa7) (BuildId: 1cc3162b5b2142f42fb41fc71067f0763f9ef4a6)
    #55 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362:18 (firefox+0xdefa7)

  Thread T24 'DOM Worker' (tid=2834986, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1022:3 (firefox+0x5dfdd) (BuildId: 1cc3162b5b2142f42fb41fc71067f0763f9ef4a6)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x3d1b5) (BuildId: 1c90f7fc05ccccdc86ccc4366be2a66c20feacf7)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x322a5) (BuildId: 1c90f7fc05ccccdc86ccc4366be2a66c20feacf7)
    #3 nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:618:18 (libxul.so+0x11d80b5) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7 (libxul.so+0x567c9b1) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1323:37 (libxul.so+0x5636872) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1205:19 (libxul.so+0x5635d5d) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2587:24 (libxul.so+0x565feb5) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #8 mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43:41 (libxul.so+0x563f4fe) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #9 mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1115:52 (libxul.so+0x38c94ed) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #10 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13 (libxul.so+0x96f6a21) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #11 CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:474:8 (libxul.so+0x96f6a21)
    #12 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:693:10 (libxul.so+0x96f6a21)
    #13 ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:721:10 (libxul.so+0x96eb1fe) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #14 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3359:16 (libxul.so+0x96eb1fe)
    #15 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:430:13 (libxul.so+0x96de514) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #16 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:824:13 (libxul.so+0x96f7272) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #17 js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:856:10 (libxul.so+0x96f7439) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #18 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:520:10 (libxul.so+0x8869d48) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #19 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:544:10 (libxul.so+0x8869f00) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #20 mozilla::dom::JSExecutionContext::ExecScript() /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:296:8 (libxul.so+0x2c12c8b) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #21 ExecuteCompiledScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2139:16 (libxul.so+0x5915425) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #22 mozilla::dom::ScriptLoader::EvaluateScript(nsIGlobalObject*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2402:12 (libxul.so+0x5915425)
    #23 mozilla::dom::ScriptLoader::EvaluateScriptElement(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2208:10 (libxul.so+0x5914a00) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #24 mozilla::dom::ScriptLoader::ProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1858:10 (libxul.so+0x5911546) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #25 mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, JS::loader::ScriptKind) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1269:10 (libxul.so+0x590f83c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #26 mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:910:10 (libxul.so+0x59051d2) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #27 mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:118:18 (libxul.so+0x5904cc5) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #28 AttemptToExecute /builds/worker/workspace/obj-build/dist/include/nsIScriptElement.h:221:18 (libxul.so+0x2281a42) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #29 nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:942:22 (libxul.so+0x2281a42)
    #30 nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:733:7 (libxul.so+0x227f7c9) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #31 nsHtml5ExecutorFlusher::Run() /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174:18 (libxul.so+0x2284b9d) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #32 mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20 (libxul.so+0x11bbebf) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #33 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16 (libxul.so+0x11f0b77) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #34 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26 (libxul.so+0x11c68a7) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #35 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15 (libxul.so+0x11c4d16) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #36 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36 (libxul.so+0x11c4ff4) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #37 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37 (libxul.so+0x11f4957) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #38 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x11f4957)
    #39 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16 (libxul.so+0x11daf52) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #40 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11e1645) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #41 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x1e465bb) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #42 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x1e470eb) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #43 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d64d9c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #44 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d64d9c)
    #45 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d64d9c)
    #46 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27 (libxul.so+0x5b90dc6) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #47 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20 (libxul.so+0x85ad6c9) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #48 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x1e4709d) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #49 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d64d9c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #50 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d64d9c)
    #51 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d64d9c)
    #52 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34 (libxul.so+0x85ace6c) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #53 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x85b6462) (BuildId: 258975982a4c462af763ad71fac49e6c2ab4c945)
    #54 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xdefa7) (BuildId: 1cc3162b5b2142f42fb41fc71067f0763f9ef4a6)
    #55 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362:18 (firefox+0xdefa7)

SUMMARY: ThreadSanitizer: data race /builds/worker/workspace/obj-build/xpcom/build/Services.cpp:465:8 in XPCOMService_GetThirdPartyUtil

AFAIU, the underlying issue is that BaseDomain() on a MozURL isn't thread-safe due to how the Rust implementation makes use of the ThirdPartyUtil XPCOM service in /netwerk/base/mozurl/src/lib.rs:

fn get_base_domain(url: &MozURL) -> Result<Option<String>, nsresult> {
    match url.scheme() {
        "ftp" | "http" | "https" | "moz-extension" | "resource" => {
            let third_party_util = xpcom::services::get_ThirdPartyUtil().unwrap();
...
            unsafe {
                let mut string = nsCString::new();
                third_party_util
                    .GetBaseDomainFromSchemeHost(&*scheme, &*host, &mut *string)
                    .to_result()?;

(I've flagged the bug as security-sensitive to be safe, but I'm not sure about the impact here. Also not quite sure if it's filed in the right component...)

Flags: sec-bounty?
See Also: → 1640066

Valentin, do you think this is an issue with mozurl or how quota manager is using it? Thanks.

Flags: needinfo?(valentin.gosu)
Keywords: csectype-race

Though it looks like the actual race is happening on gThirdPartyUtil, so this is more of an issue with how the XPCOM service is being used.

Flags: needinfo?(valentin.gosu)
Flags: needinfo?(jvarga)

Well, maybe Valentin has some thoughts, too, as to where the issue is, so I'll leave their needinfo up.

Flags: needinfo?(valentin.gosu)
Group: core-security → network-core-security

We used have intermittent TSAN crashes that could be this (in the see also bug Armin found), but those stopped. Do we no longer use this in an unsafe way, or did the test timing simply change?

Tyson notes the fuzzing team does see this crash in the fuzzing manager about once a week (several a day in July/August this year); but haven't been able to get a reproducible testcase. We'll rate this sec-moderate because it's real, but likely not exploitable in practice.

Keywords: sec-moderate

Nika, are these XPCOM service getters supposed to be threadsafe? Because it looks like the initialization currently is not. Thanks.

Flags: needinfo?(nika)

IIRC the ThirdPartyUtil service is not thread-safe right now, (I remember stumbling across this when poking at making nsIPrincipal threadsafe a while back), though it appears there was an attempt to make it threadsafe in bug 1517089.

We should probably fix this and make it properly threadsafe, as it looks like we're trying to use it from across threads right now.

(Hmm I didn't read your comment closely enough - the XPCOM service getters probably weren't designed to be threadsafe - might be worth fixing that)

Flags: needinfo?(nika)

I think the easiest fix here might actually be to switch rust code over to using the static component manager finally, and remove the Services getters, which are inherently non-threadsafe and are deprecated in C++ already. I've filed bug 1789902 for doing that.

Depends on: 1789902
Blocks: tsan
Severity: -- → S3
Flags: needinfo?(valentin.gosu)
Priority: -- → P2
Whiteboard: [necko-triaged]
Flags: needinfo?(jvarga)

This should've been fixed by bug 1789902

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Assignee: nobody → nika
Group: network-core-security → core-security-release
status-firefox105: --- → wontfix
status-firefox106: --- → fixed
status-firefox-esr102: --- → wontfix
Target Milestone: --- → 106 Branch

The award amount is a little higher than it would be for this one instance because it prompted Nika's fix that probably knocked out one or two other races.

Flags: sec-bounty? → sec-bounty+

Appreciate it! And thanks to Nika :-)

Flags: qe-verify-
Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]
Whiteboard: [necko-triaged][post-critsmash-triage] → [necko-triaged][post-critsmash-triage][adv-main106+]
Attached file advisory.txt

Advisory doesn't describe the impact of the data race, if anyone wants to include it, happy to.

Alias: CVE-2022-42930
Whiteboard: [necko-triaged][post-critsmash-triage][adv-main106+] → [fixed by bug 1789902][necko-triaged][post-critsmash-triage][adv-main106+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: