Closed Bug 1792619 Opened 3 years ago Closed 2 years ago

ThreadSanitizer: data race /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:105:3 in Destroy

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1726898

People

(Reporter: arminius, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, reporter-external)

Armin Ebert [:arminius]

Reporter

Description

•

3 years ago

This data race occurred during GC after calling performance.mark("foo") from a worker.

WARNING: ThreadSanitizer: data race (pid=2545845)
  Write of size 8 at 0x7b4804ea8188 by main thread (mutexes: write M0):
    #0 free /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:726:3 (firefox+0x5de14) (BuildId: 42e5e0d5b2b23ccd51e3c43fbc24c386d6226984)
    #1 Destroy /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:105:3 (libxul.so+0x113452b) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #2 nsAtomSubTable::GCLocked(GCKind) /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:419:7 (libxul.so+0x113452b)
    #3 GC /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:360:11 (libxul.so+0x11348f5) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #4 nsDynamicAtom::GCAtomTable() /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:452:17 (libxul.so+0x11348f5)
    #5 Release /builds/worker/workspace/obj-build/dist/include/nsAtom.h:180:9 (libxul.so+0x213bb49) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #6 Release /builds/worker/workspace/obj-build/dist/include/nsAtom.h:237:40 (libxul.so+0x213bb49)
    #7 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40 (libxul.so+0x213bb49)
    #8 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36 (libxul.so+0x213bb49)
    #9 ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7 (libxul.so+0x213bb49)
    #10 mozilla::BasePrincipal::~BasePrincipal() /builds/worker/checkouts/gecko/caps/BasePrincipal.cpp:67:31 (libxul.so+0x213bb49)
    #11 ~NullPrincipal /builds/worker/workspace/obj-build/dist/include/mozilla/NullPrincipal.h:106:36 (libxul.so+0x215544e) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #12 mozilla::NullPrincipal::~NullPrincipal() /builds/worker/workspace/obj-build/dist/include/mozilla/NullPrincipal.h:106:36 (libxul.so+0x215544e)
    #13 nsJSPrincipals::Release() /builds/worker/checkouts/gecko/caps/nsJSPrincipals.cpp:44:5 (libxul.so+0x214cd79) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #14 ~nsCOMPtr_base /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:328:7 (libxul.so+0x1fc54ed) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #15 SandboxPrivate::~SandboxPrivate() /builds/worker/checkouts/gecko/js/xpconnect/src/SandboxPrivate.h:99:37 (libxul.so+0x1fc54ed)
    #16 SandboxPrivate::~SandboxPrivate() /builds/worker/checkouts/gecko/js/xpconnect/src/SandboxPrivate.h:99:37 (libxul.so+0x1fc5615) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #17 SandboxPrivate::DeleteCycleCollectable() /builds/worker/checkouts/gecko/js/xpconnect/src/Sandbox.cpp:124:1 (libxul.so+0x1f8f061) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #18 SandboxPrivate::cycleCollection::DeleteCycleCollectable(void*) /builds/worker/checkouts/gecko/js/xpconnect/src/SandboxPrivate.h:33:3 (libxul.so+0x1fc51d1) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #19 MaybeKillObject /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2419:29 (libxul.so+0x11033f4) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #20 SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2444:9 (libxul.so+0x11033f4)
    #21 void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:939:23 (libxul.so+0x10f0431) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #22 nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2612:14 (libxul.so+0x10f0f46) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #23 nsCycleCollector_doDeferredDeletionWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3901:28 (libxul.so+0x10f76d8) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #24 AsyncFreeSnowWhite::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp:155:9 (libxul.so+0x1fce6d3) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #25 IdleRunnableWrapper::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:309:22 (libxul.so+0x11fa024) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #26 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16 (libxul.so+0x11fdba7) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #27 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26 (libxul.so+0x11d38d7) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #28 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:725:15 (libxul.so+0x11d1ee8) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #29 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36 (libxul.so+0x11d2024) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #30 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37 (libxul.so+0x1201987) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #31 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x1201987)
    #32 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16 (libxul.so+0x11e7f82) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #33 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11ee675) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #34 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x1e58dbb) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #35 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x1e598eb) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #36 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d7746c) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #37 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d7746c)
    #38 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d7746c)
    #39 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27 (libxul.so+0x5c31f36) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #40 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20 (libxul.so+0x8682fc9) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #41 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x1e5989d) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #42 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d7746c) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #43 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d7746c)
    #44 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d7746c)
    #45 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34 (libxul.so+0x868276c) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #46 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x868bd62) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #47 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xdffa7) (BuildId: 42e5e0d5b2b23ccd51e3c43fbc24c386d6226984)
    #48 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18 (firefox+0xdffa7)

  Previous atomic read of size 8 at 0x7b4804ea8188 by thread T338:
    #0 load /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:396:9 (libxul.so+0x592f27e) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #1 operator-- /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:371:14 (libxul.so+0x592f27e)
    #2 Release /builds/worker/workspace/obj-build/dist/include/nsAtom.h:177:22 (libxul.so+0x592f27e)
    #3 Release /builds/worker/workspace/obj-build/dist/include/nsAtom.h:237:40 (libxul.so+0x592f27e)
    #4 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40 (libxul.so+0x592f27e)
    #5 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36 (libxul.so+0x592f27e)
    #6 ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7 (libxul.so+0x592f27e)
    #7 ~PerformanceEntry /builds/worker/checkouts/gecko/dom/performance/PerformanceEntry.cpp:28:37 (libxul.so+0x592f27e)
    #8 mozilla::dom::PerformanceMark::~PerformanceMark() /builds/worker/checkouts/gecko/dom/performance/PerformanceMark.cpp:77:69 (libxul.so+0x592f27e)
    #9 mozilla::dom::PerformanceMark::~PerformanceMark() /builds/worker/checkouts/gecko/dom/performance/PerformanceMark.cpp:77:37 (libxul.so+0x592f315) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #10 mozilla::dom::PerformanceEntry::DeleteCycleCollectable() /builds/worker/checkouts/gecko/dom/performance/PerformanceEntry.cpp:15:1 (libxul.so+0x5927afe) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #11 mozilla::dom::PerformanceEntry::cycleCollection::DeleteCycleCollectable(void*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PerformanceEntry.h:31:3 (libxul.so+0x59395ce) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #12 MaybeKillObject /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2419:29 (libxul.so+0x10f0af1) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #13 SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2406:7 (libxul.so+0x10f0af1)
    #14 nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2596:3 (libxul.so+0x10f0192) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #15 nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3585:3 (libxul.so+0x10f58e8) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #16 nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3412:9 (libxul.so+0x10f5206) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #17 nsCycleCollector::ShutdownCollect() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3351:20 (libxul.so+0x10f4dfa) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #18 Shutdown /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3647:5 (libxul.so+0x10f812c) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #19 nsCycleCollector_shutdown(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3971:18 (libxul.so+0x10f812c)
    #20 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2089:7 (libxul.so+0x56e9749) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #21 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x11e81a8) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #22 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11ee675) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #23 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x1e599de) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #24 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d7746c) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #25 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d7746c)
    #26 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d7746c)
    #27 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10 (libxul.so+0x11e3566) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #28 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4615d) (BuildId: ba017d6bb7040701e4d330ef3897619538d6a72a)

  Mutex M0 (0x7b9400002800) created at:
    #0 pthread_mutex_init /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1316:3 (firefox+0x607df) (BuildId: 42e5e0d5b2b23ccd51e3c43fbc24c386d6226984)
    #1 mozilla::detail::MutexImpl::MutexImpl() /builds/worker/checkouts/gecko/mozglue/misc/Mutex_posix.cpp:78:3 (firefox+0x148db2) (BuildId: 42e5e0d5b2b23ccd51e3c43fbc24c386d6226984)
    #2 OffTheBooksMutex /builds/worker/workspace/obj-build/dist/include/mozilla/Mutex.h:46:12 (libxul.so+0x1134977) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #3 Mutex /builds/worker/workspace/obj-build/dist/include/mozilla/Mutex.h:125:39 (libxul.so+0x1134977)
    #4 nsAtomSubTable /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:400:7 (libxul.so+0x1134977)
    #5 nsAtomTable /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:209:7 (libxul.so+0x1134977)
    #6 NS_InitAtomTable() /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:467:20 (libxul.so+0x1134977)
    #7 NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:253:3 (libxul.so+0x122b2d9) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #8 XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:198:8 (libxul.so+0x8681f17) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #9 mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp (libxul.so+0x1e6fcd4) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #10 mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:156:13 (libxul.so+0x54d1ba6) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #11 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:705:21 (libxul.so+0x8682742) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #12 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x868bd62) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #13 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xdffa7) (BuildId: 42e5e0d5b2b23ccd51e3c43fbc24c386d6226984)
    #14 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18 (firefox+0xdffa7)

  Thread T338 'DOM Worker' (tid=2549367, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1022:3 (firefox+0x5efdd) (BuildId: 42e5e0d5b2b23ccd51e3c43fbc24c386d6226984)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x3d1b5) (BuildId: ba017d6bb7040701e4d330ef3897619538d6a72a)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x322a5) (BuildId: ba017d6bb7040701e4d330ef3897619538d6a72a)
    #3 nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:618:18 (libxul.so+0x11e50e5) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7 (libxul.so+0x57197b1) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1323:37 (libxul.so+0x56d2b42) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1205:19 (libxul.so+0x56d202d) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2588:24 (libxul.so+0x56fcca2) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #8 mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43:41 (libxul.so+0x56dbb9e) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #9 mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1107:52 (libxul.so+0x39060bd) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #10 <null> <null> (0x7fe8035602b2)
    #11 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:420:32 (libxul.so+0x97f462e) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #12 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:578:13 (libxul.so+0x980b5f5) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #13 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:613:10 (libxul.so+0x980c32c) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #14 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:8 (libxul.so+0x980c32c)
    #15 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0x8924b91) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #16 mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8 (libxul.so+0x3bbe7ba) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #17 void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12 (libxul.so+0x2cac373) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #18 mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167:29 (libxul.so+0x2cac159) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #19 nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:6471:38 (libxul.so+0x2a8915e) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #20 mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/checkouts/gecko/dom/base/TimeoutManager.cpp:903:44 (libxul.so+0x2ca971e) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #21 mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:179:11 (libxul.so+0x2ca8ae5) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #22 mozilla::dom::TimeoutExecutor::Run() /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:234:5 (libxul.so+0x2caa823) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #23 mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22 (libxul.so+0x1200808) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #24 mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15 (libxul.so+0x11f944f) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #25 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16 (libxul.so+0x11fdba7) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #26 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26 (libxul.so+0x11d38d7) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #27 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15 (libxul.so+0x11d1d46) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #28 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36 (libxul.so+0x11d2024) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #29 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37 (libxul.so+0x1201987) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #30 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x1201987)
    #31 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16 (libxul.so+0x11e7f82) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #32 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x11ee675) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #33 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x1e58dbb) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #34 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x1e598eb) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #35 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d7746c) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #36 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d7746c)
    #37 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d7746c)
    #38 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27 (libxul.so+0x5c31f36) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #39 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20 (libxul.so+0x8682fc9) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #40 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x1e5989d) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #41 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d7746c) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #42 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d7746c)
    #43 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d7746c)
    #44 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34 (libxul.so+0x868276c) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #45 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x868bd62) (BuildId: fc5f0e8bfbb06ec0eba308a8306ab473d29372f2)
    #46 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xdffa7) (BuildId: 42e5e0d5b2b23ccd51e3c43fbc24c386d6226984)
    #47 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18 (firefox+0xdffa7)

SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:105:3 in Destroy
==================

However it seems this one possibly has the same root cause as bug 1726898. Over there it's suggested that this may be a TSAN false positive due to /xpcom/base/nsISupportsImpl.h#367-371:

#ifdef MOZ_TSAN
      // TSan doesn't understand std::atomic_thread_fence, so in order
      // to avoid a false positive for every time a refcounted object
      // is deleted, we replace the fence with an atomic operation.
      mValue.load(std::memory_order_acquire);
#else
      std::atomic_thread_fence(std::memory_order_acquire);
#endif

But since I'm not entirely sure, I'm still filing this as a separate bug. Maybe this additional instance also helps with the analysis.

Flags: sec-bounty?

Andrew McCreight [:mccr8]

Updated

•

3 years ago

Group: core-security → dom-core-security

Component: DOM: Performance → XPCOM

Keywords: csectype-race

Andrew McCreight [:mccr8]

Comment 1

•

3 years ago

Kris, do you know if this is a TSan false positive with atoms or a real issue? Thanks.

Flags: needinfo?(kwright)

Daniel Veditz [:dveditz]

Updated

•

3 years ago

Keywords: sec-moderate

Andrew McCreight [:mccr8]

Updated

•

2 years ago

Flags: needinfo?(kwright)

Nika Layzell [:nika] (ni? for response)

Comment 2

•

2 years ago

I've looked over the code. As suggested in comment 0, this is a dupe of bug 1726898, and the known race in the TSAN-only code. I think we can probably unhide this similar to that bug.

Status: NEW → RESOLVED

Closed: 2 years ago

Duplicate of bug: 1726898

Resolution: --- → DUPLICATE

Andrew McCreight [:mccr8]

Updated

•

2 years ago

Group: dom-core-security

Keywords: sec-moderate

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Flags: sec-bounty? → sec-bounty-

David Lawrence [:dkl]

Updated

•

1 year ago

Keywords: reporter-external

You need to log in before you can comment on or make changes to this bug.

Bugzilla

ThreadSanitizer: data race /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:105:3 in Destroy

Categories

(Core :: XPCOM, defect)

Tracking

()

People

(Reporter: arminius, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, reporter-external)

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Updated

Updated

Comment 2

Updated

Updated

Updated