1798591 - ThreadSanitizer: data race [@ Weight] vs. [@ operator=]

Tyson Smith [:tsmith]

Reporter

Description

•

3 years ago

Attached file testcase.html — Details

Found while fuzzing m-c 20221101-d0fd41bff926 (--enable-thread-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -t --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

WARNING: ThreadSanitizer: data race (pid=544)
  Write of size 2 at 0x7b54000611b8 by thread T21:
    #0 operator= /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_pair.h:383:8 (libxul.so+0x568d452) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #1 operator= /builds/worker/workspace/obj-build/dist/include/mozilla/FontPropertyTypes.h:61:73 (libxul.so+0x568d452)
    #2 operator= /builds/worker/workspace/obj-build/dist/include/mozilla/FontPropertyTypes.h:110:7 (libxul.so+0x568d452)
    #3 gfxUserFontEntry::UpdateAttributes(mozilla::WeightRange, mozilla::StretchRange, mozilla::SlantStyleRange, nsTArray<gfxFontFeature> const&, nsTArray<mozilla::gfx::FontVariation> const&, unsigned int, gfxCharacterMap*, mozilla::StyleFontDisplay, gfxFontEntry::RangeFlags, float, float, float, float) /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:87:16 (libxul.so+0x568d452)
    #4 mozilla::dom::FontFaceSetImpl::FindOrCreateUserFontEntryFromFontFace(nsTSubstring<char> const&, mozilla::dom::FontFaceImpl*, mozilla::StyleOrigin) /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:460:20 (libxul.so+0x8eca25e) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #5 FindOrCreateUserFontEntryFromFontFace /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:341:10 (libxul.so+0x8ebef72) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #6 mozilla::dom::FontFaceImpl::DescriptorUpdated() /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:293:7 (libxul.so+0x8ebef72)
    #7 SetStretch /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:180:5 (libxul.so+0x8ebc9ec) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #8 mozilla::dom::FontFace::SetStretch(nsTSubstring<char> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/style/FontFace.cpp:168:10 (libxul.so+0x8ebc9ec)
    #9 mozilla::dom::FontFace_Binding::set_stretch(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:1154:24 (libxul.so+0x6b13205) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #10 bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3235:8 (libxul.so+0x6cd4e55) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #11 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0xb88762f) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #12 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12 (libxul.so+0xb88762f)
    #13 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xb88842c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #14 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0xb88842c)
    #15 js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:790:10 (libxul.so+0xb88937c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #16 SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2549:8 (libxul.so+0xba4b7ba) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #17 bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2583:14 (libxul.so+0xba4a1ec) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #18 SetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:306:10 (libxul.so+0xb87a5a7) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #19 SetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1861:10 (libxul.so+0xb87a5a7)
    #20 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3121:12 (libxul.so+0xb87a5a7)
    #21 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13 (libxul.so+0xb8707b4) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #22 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13 (libxul.so+0xb8876f5) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #23 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xb88842c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #24 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0xb88842c)
    #25 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0xb91f021) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #26 mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37 (libxul.so+0x6a51120) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #27 Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12 (libxul.so+0x731d3a6) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #28 mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12 (libxul.so+0x731d3a6)
    #29 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22 (libxul.so+0x72f6a72) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #30 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17 (libxul.so+0x72f7799) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #31 HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5 (libxul.so+0x72ec9ae) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #32 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17 (libxul.so+0x72ec9ae)
    #33 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16 (libxul.so+0x72ebd49) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #34 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11 (libxul.so+0x72ee9dd) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #35 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp (libxul.so+0x72f19b0) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #36 mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/events/DOMEventTargetHelper.cpp:176:17 (libxul.so+0x72c5236) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #37 mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:180:13 (libxul.so+0x72fec36) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #38 mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.cpp:104:12 (libxul.so+0x8674cff) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #39 mozilla::dom::MessageEventRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.cpp (libxul.so+0x8675296) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #40 mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12 (libxul.so+0x86b4fb2) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #41 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x4094ec2) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #42 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x409b635) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #43 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3205:7 (libxul.so+0x86a5899) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #44 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2042:42 (libxul.so+0x868f213) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #45 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x4094ec2) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #46 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x409b635) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #47 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x4d1df2e) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #48 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4c3e69c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #49 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4c3e69c)
    #50 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4c3e69c)
    #51 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10 (libxul.so+0x40902b6) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #52 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x52c7d) (BuildId: b709cd0a39ed8196452724471a52beecca03386f)

  Previous read of size 4 at 0x7b54000611b8 by main thread:
    #0 Weight /builds/worker/workspace/obj-build/dist/include/gfxFontEntry.h:172:39 (libxul.so+0x8eccb87) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #1 mozilla::dom::FontFaceSetImpl::LogMessage(gfxUserFontEntry*, unsigned int, char const*, unsigned int, nsresult) /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:645:19 (libxul.so+0x8eccb87)
    #2 non-virtual thunk to mozilla::dom::FontFaceSetImpl::LogMessage(gfxUserFontEntry*, unsigned int, char const*, unsigned int, nsresult) /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp (libxul.so+0x8ecd2b4) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #3 gfxUserFontEntry::LoadPlatformFont(unsigned int, unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<gfxUserFontEntry::OTSMessage>&&) /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:669:15 (libxul.so+0x5690f17) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #4 gfxUserFontEntry::LoadPlatformFontSync(unsigned int, unsigned char const*, unsigned int) /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:627:10 (libxul.so+0x5690bd7) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #5 gfxUserFontEntry::DoLoadNextSrc(bool) /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:572:11 (libxul.so+0x568f501) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #6 LoadNextSrc /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:380:3 (libxul.so+0x5684c6e) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #7 gfxUserFontEntry::Load() /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:791:5 (libxul.so+0x5684c6e)
    #8 operator() /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:349:53 (libxul.so+0x8ed00ff) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #9 mozilla::detail::RunnableFunction<mozilla::dom::FontFaceImpl::DoLoad()::$_9>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x8ed00ff)
    #10 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16 (libxul.so+0x407c512) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #11 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26 (libxul.so+0x407612f) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #12 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15 (libxul.so+0x40747e6) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #13 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36 (libxul.so+0x4074bb4) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #14 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37 (libxul.so+0x407eff7) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #15 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x407eff7)
    #16 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16 (libxul.so+0x4094ca7) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #17 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x409b635) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #18 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x4d1d30b) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #19 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x4d1de3b) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #20 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4c3e69c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #21 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4c3e69c)
    #22 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4c3e69c)
    #23 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27 (libxul.so+0x8bca136) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #24 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20 (libxul.so+0xb628d89) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #25 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x4d1dded) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #26 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4c3e69c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #27 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4c3e69c)
    #28 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4c3e69c)
    #29 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34 (libxul.so+0xb62847d) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #30 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0xb631cb2) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #31 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0x142c47) (BuildId: 022d728af4c771e513e0ffeaa12aa2a02e0052a3)
    #32 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:357:18 (firefox+0x142c47)

  Location is heap block of size 584 at 0x7b5400061080 allocated by thread T21:
    #0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:667:5 (firefox+0xc04c1) (BuildId: 022d728af4c771e513e0ffeaa12aa2a02e0052a3)
    #1 moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15 (firefox+0x144b1b) (BuildId: 022d728af4c771e513e0ffeaa12aa2a02e0052a3)
    #2 operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10 (libxul.so+0x8ecde12) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #3 CreateUserFontEntry /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:978:36 (libxul.so+0x8ecde12)
    #4 non-virtual thunk to mozilla::dom::FontFaceSetImpl::CreateUserFontEntry(nsTArray<gfxFontFaceSrc> const&, mozilla::WeightRange, mozilla::StretchRange, mozilla::SlantStyleRange, nsTArray<gfxFontFeature> const&, nsTArray<mozilla::gfx::FontVariation> const&, unsigned int, gfxCharacterMap*, mozilla::StyleFontDisplay, gfxFontEntry::RangeFlags, float, float, float, float) /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp (libxul.so+0x8ecde12)
    #5 gfxUserFontSet::FindOrCreateUserFontEntry(nsTSubstring<char> const&, nsTArray<gfxFontFaceSrc> const&, mozilla::WeightRange, mozilla::StretchRange, mozilla::SlantStyleRange, nsTArray<gfxFontFeature> const&, nsTArray<mozilla::gfx::FontVariation> const&, unsigned int, gfxCharacterMap*, mozilla::StyleFontDisplay, gfxFontEntry::RangeFlags, float, float, float, float) /builds/worker/checkouts/gecko/gfx/thebes/gfxUserFontSet.cpp:978:13 (libxul.so+0x5693134) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #6 mozilla::dom::FontFaceSetImpl::FindOrCreateUserFontEntryFromFontFace(nsTSubstring<char> const&, mozilla::dom::FontFaceImpl*, mozilla::StyleOrigin) /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:629:41 (libxul.so+0x8ecab94) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #7 FindOrCreateUserFontEntryFromFontFace /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:341:10 (libxul.so+0x8ebf256) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #8 mozilla::dom::FontFaceImpl::CreateUserFontEntry() /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:332:9 (libxul.so+0x8ebf256)
    #9 mozilla::dom::FontFaceImpl::DoLoad() /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:342:8 (libxul.so+0x8ebecdd) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #10 mozilla::dom::FontFaceImpl::InitializeSourceBuffer(unsigned char*, unsigned int) /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:138:3 (libxul.so+0x8ebc255) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #11 mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char> const&, mozilla::dom::UTF8StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/style/FontFace.cpp:141:17 (libxul.so+0x8ebba8c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #12 mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:2268:54 (libxul.so+0x6b11ab9) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #13 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0xb888d31) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #14 CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:475:8 (libxul.so+0xb888d31)
    #15 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:694:10 (libxul.so+0xb888d31)
    #16 ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:722:10 (libxul.so+0xb87d4f6) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #17 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3360:16 (libxul.so+0xb87d4f6)
    #18 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13 (libxul.so+0xb8707b4) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #19 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13 (libxul.so+0xb8876f5) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #20 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xb88842c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #21 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0xb88842c)
    #22 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0xb91f021) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #23 mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37 (libxul.so+0x6a51120) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #24 Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12 (libxul.so+0x731d3a6) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #25 mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12 (libxul.so+0x731d3a6)
    #26 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22 (libxul.so+0x72f6a72) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #27 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17 (libxul.so+0x72f7799) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #28 HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5 (libxul.so+0x72ec9ae) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #29 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17 (libxul.so+0x72ec9ae)
    #30 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16 (libxul.so+0x72ebd49) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #31 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11 (libxul.so+0x72ee9dd) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #32 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp (libxul.so+0x72f19b0) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #33 mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/events/DOMEventTargetHelper.cpp:176:17 (libxul.so+0x72c5236) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #34 mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:180:13 (libxul.so+0x72fec36) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #35 mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.cpp:104:12 (libxul.so+0x8674cff) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #36 mozilla::dom::MessageEventRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.cpp (libxul.so+0x8675296) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #37 mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12 (libxul.so+0x86b4fb2) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #38 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x4094ec2) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #39 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x409b635) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #40 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3205:7 (libxul.so+0x86a5899) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #41 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2042:42 (libxul.so+0x868f213) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #42 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x4094ec2) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #43 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x409b635) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #44 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x4d1df2e) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #45 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4c3e69c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #46 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4c3e69c)
    #47 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4c3e69c)
    #48 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10 (libxul.so+0x40902b6) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #49 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x52c7d) (BuildId: b709cd0a39ed8196452724471a52beecca03386f)

  Thread T21 'DOM Worker' (tid=584, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1022:3 (firefox+0xc1c7d) (BuildId: 022d728af4c771e513e0ffeaa12aa2a02e0052a3)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x49cd5) (BuildId: b709cd0a39ed8196452724471a52beecca03386f)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x3edc5) (BuildId: b709cd0a39ed8196452724471a52beecca03386f)
    #3 nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:617:18 (libxul.so+0x4091e15) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7 (libxul.so+0x86bf421) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1323:37 (libxul.so+0x8677b32) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1205:19 (libxul.so+0x8676f2e) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2588:24 (libxul.so+0x86a2a12) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #8 mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43:41 (libxul.so+0x868134e) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #9 mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1107:52 (libxul.so+0x681c83d) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #10 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0xb888d31) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #11 CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:475:8 (libxul.so+0xb888d31)
    #12 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:694:10 (libxul.so+0xb888d31)
    #13 ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:722:10 (libxul.so+0xb87d4f6) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #14 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3360:16 (libxul.so+0xb87d4f6)
    #15 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13 (libxul.so+0xb8707b4) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #16 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13 (libxul.so+0xb8876f5) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #17 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xb88842c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #18 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0xb88842c)
    #19 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0xb91f021) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #20 mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8 (libxul.so+0x6a53ba1) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #21 HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12 (libxul.so+0x72f6a5c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #22 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1310:43 (libxul.so+0x72f6a5c)
    #23 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17 (libxul.so+0x72f776a) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #24 HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5 (libxul.so+0x72ec9ae) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #25 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17 (libxul.so+0x72ec9ae)
    #26 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16 (libxul.so+0x72ebd49) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #27 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11 (libxul.so+0x72ee9dd) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #28 nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1079:7 (libxul.so+0x9031023) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #29 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6434:20 (libxul.so+0xadda1e2) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #30 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5827:7 (libxul.so+0xadd9ac6) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #31 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp (libxul.so+0xaddaa2b) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #32 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3 (libxul.so+0x4fc4c8e) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #33 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14 (libxul.so+0x4fc439a) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #34 nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9 (libxul.so+0x4fc2501) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #35 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5 (libxul.so+0x4fc3859) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #36 nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13841:23 (libxul.so+0xadf697c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #37 non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp (libxul.so+0xadf6b78) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #38 mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22 (libxul.so+0x4270acc) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #39 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10 (libxul.so+0x4272032) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #40 DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11488:18 (libxul.so+0x5a71b93) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #41 mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11426:9 (libxul.so+0x5a71b93)
    #42 mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7953:3 (libxul.so+0x5a83e06) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #43 applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12 (libxul.so+0x5afb716) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #44 apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12 (libxul.so+0x5afb716)
    #45 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13 (libxul.so+0x5afb716)
    #46 mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20 (libxul.so+0x40705cf) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #47 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16 (libxul.so+0x407c512) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #48 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26 (libxul.so+0x407612f) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #49 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15 (libxul.so+0x40747e6) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #50 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36 (libxul.so+0x4074bb4) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #51 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37 (libxul.so+0x407eff7) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #52 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x407eff7)
    #53 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16 (libxul.so+0x4094ca7) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #54 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x409b635) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #55 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x4d1d30b) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #56 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x4d1de3b) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #57 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4c3e69c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #58 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4c3e69c)
    #59 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4c3e69c)
    #60 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27 (libxul.so+0x8bca136) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #61 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20 (libxul.so+0xb628d89) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #62 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x4d1dded) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #63 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4c3e69c) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #64 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4c3e69c)
    #65 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4c3e69c)
    #66 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34 (libxul.so+0xb62847d) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #67 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0xb631cb2) (BuildId: 1a0ebe26b873df2d009207c1a1b5ea4f2b35537c)
    #68 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0x142c47) (BuildId: 022d728af4c771e513e0ffeaa12aa2a02e0052a3)
    #69 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:357:18 (firefox+0x142c47)

Flags: in-testsuite?

Bugmon [:jkratzer for issues]

Comment 1

•

3 years ago

Verified bug as reproducible on mozilla-central 20221101213659-f8dff2edfe1b.
The bug appears to have been introduced in the following build range:

Start: 14bbdad41ca8f9cbe874b8e1adf10a701ff81517 (20220711154729)
End: 0fa881dedc30efcf53f1419737a9f3d7d2fc5521 (20220711143742)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=14bbdad41ca8f9cbe874b8e1adf10a701ff81517&tochange=0fa881dedc30efcf53f1419737a9f3d7d2fc5521

Keywords: regression

Whiteboard: [bugmon:bisected,confirmed]

Andrew McCreight [:mccr8]

Comment 2

•

3 years ago

Based on the range and the stack, I'm guessing that this could be a regression from bug 1746110.

Flags: needinfo?(aosmond)

Regressed by: 1746110

Andrew McCreight [:mccr8]

Comment 3

•

3 years ago

I'm not sure whether these font races should be sec-high or sec-moderate.

Keywords: sec-high

BugBot [:suhaib / :marco/ :calixte]

Comment 4

•

3 years ago

Set release status flags based on info from the regressing bug 1746110

status-firefox106: --- → affected

status-firefox107: --- → affected

status-firefox-esr102: --- → unaffected

Donal Meehan [:dmeehan]

Updated

•

3 years ago

status-firefox106: affected → disabled

status-firefox107: affected → disabled

Jonathan Kew [:jfkthame]

Comment 5

•

3 years ago

I don't think it's correct to mark this as disabled for 106/107, as bug 1779009 allowed OffscreenCanvas to ship to release.

status-firefox106: disabled → affected

status-firefox107: disabled → affected

Donal Meehan [:dmeehan]

Comment 6

•

3 years ago

(In reply to Jonathan Kew [:jfkthame] from comment #5)

I don't think it's correct to mark this as disabled for 106/107, as bug 1779009 allowed OffscreenCanvas to ship to release.

Correct, sorry for the error

Brad Werth [:bradwerth]

Updated

•

3 years ago

Severity: -- → S2

Priority: -- → P2

Maire Reavy [:mreavy]

Updated

•

3 years ago

Blocks: gfx-triage

Jim Mathies [:jimm]

Comment 7

•

3 years ago

Will chat with Andrew about this.

No longer blocks: gfx-triage

Ryan VanderMeulen [:RyanVM]

Updated

•

3 years ago

status-firefox106: affected → wontfix

status-firefox107: affected → wontfix

BugBot [:suhaib / :marco/ :calixte]

Comment 8

•

3 years ago

Set release status flags based on info from the regressing bug 1746110

status-firefox109: --- → affected

Jim Mathies [:jimm]

Updated

•

3 years ago

Assignee: nobody → aosmond

Andrew Osmond [:aosmond] (he/him)

Comment 9

•

3 years ago

I have a WIP for this I will post tomorrow.

Andrew Osmond [:aosmond] (he/him)

Comment 10

•

3 years ago

I intended to post the WIP, but testing revealed a cyclical mutex problem. It isn't yet clear to me the best way to fix this.

Andrew Osmond [:aosmond] (he/him)

Comment 11

•

3 years ago

Attached file Bug 1798591. — Details

Andrew Osmond [:aosmond] (he/him)

Comment 12

•

3 years ago

There are two major issues that are interrelated in the patch:

Modification to the gfxUserFontEntry attributes should only happen on the main thread. We achieve this by blocking the worker thread, waiting for the call to finish on the main thread. This avoids the worker state being "ahead" of the main thread cache, and allowing the font to be used immediately in canvas. Posting to the main thread avoids cyclical lock issues encountered by protecting the individual fields.
I believe gfxUserFontEntry::mFontFamilies also needs to be protected. Each entry has a lock that we use, but there needs to be a lock for the hashtable. We also now return a strong pointer instead of a weak from accesses.

Flags: needinfo?(aosmond)

Andrew Osmond [:aosmond] (he/him)

Comment 13

•

3 years ago

Comment on attachment 9305726 [details]
Bug 1798591.

Security Approval Request

How easily could an exploit be constructed based on the patch?: The patch is fairly large and changes many things. I don't think it is immediately obvious on how to exploit, but it should be clear that we protect an additional member with a mutex, and do a sync post from the worker thread to the main thread wrt to user fonts.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
Which older supported branches are affected by this flaw?: All
If not all supported branches, which bug introduced the flaw?: None
Do you have backports for the affected branches?: No
If not, how different, hard to create, and risky will they be?: They should not be hard/risky to create.
How likely is this patch to cause regressions; how much testing does it need?: It would be good for this to soak in nightly for a few days before uplifting to beta/release since it is so large. Test coverage is very good however.
Is Android affected?: Yes

Attachment #9305726 - Flags: sec-approval?

Tom Ritter [:tjr]

Comment 14

•

3 years ago

It's too late in the cycle to land this and have it soak, so it will wait for next cycle.

Dianna Smith [:diannaS]

Updated

•

3 years ago

status-firefox108: affected → wontfix

Tom Ritter [:tjr]

Comment 15

•

3 years ago

Comment on attachment 9305726 [details]
Bug 1798591.

Approved to land and request uplift when ready

Attachment #9305726 - Flags: sec-approval? → sec-approval+

Andrew Osmond [:aosmond] (he/him)

Comment 16

•

3 years ago

I updated the patch to fix some tsan issues discovered in try. They are incremental changes, so I don't think it is necessary to re-request sec-approval for it, although I did request a second pass on the review in light of them.

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 17

•

3 years ago

Landed: https://hg.mozilla.org/integration/autoland/rev/d647be139836259fa689ac7b47cdb32ee353c4ab

Backed out for causing build bustages in FontFaceSetImpl.cpp: https://hg.mozilla.org/integration/autoland/rev/1980847b62eb149cbf18d0901e71ebefe24e633c
Push with failures
Failure log

layout/style/FontFaceSetImpl.cpp:105:29: error: incomplete type 'gfxPlatformFontList' named in nested name specifier

Flags: needinfo?(aosmond)

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 18

•

3 years ago

r=jfkthame
https://hg.mozilla.org/integration/autoland/rev/051844e2dd8031ddd0a6b6da8e63085dfbbe8bd3
https://hg.mozilla.org/mozilla-central/rev/051844e2dd80

Status: NEW → RESOLVED

Closed: 3 years ago

status-firefox110: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 110 Branch

Andrew Osmond [:aosmond] (he/him)

Updated

•

3 years ago

Flags: needinfo?(aosmond)

Ryan VanderMeulen [:RyanVM]

Comment 19

•

3 years ago

Please nominate this for Beta approval when you get a chance.

Group: gfx-core-security → core-security-release

tracking-firefox109: --- → +

tracking-firefox110: --- → +

Flags: needinfo?(aosmond)

Bugmon [:jkratzer for issues]

Comment 20

•

3 years ago

Verified bug as fixed on rev mozilla-central 20221219162526-91a9bbbe6bea.

Status: RESOLVED → VERIFIED

Andrew Osmond [:aosmond] (he/him)

Comment 21

•

3 years ago

Comment on attachment 9305726 [details]
Bug 1798591.

Beta/Release Uplift Approval Request

User impact if declined: Resolves a number of sec issues
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Medium
Why is the change risky/not risky? (and alternatives if risky): The change in of itself should be low risk, in that we are just fine tuning our mutxes, but it does cover a lot of code to achieve this. We've let it soak in nightly for a week without any new issues reported.
String changes made/needed:
Is Android affected?: Yes

Flags: needinfo?(aosmond)

Attachment #9305726 - Flags: approval-mozilla-beta?

Ryan VanderMeulen [:RyanVM]

Comment 22

•

3 years ago

Comment on attachment 9305726 [details]
Bug 1798591.

Approved for 109.0b5.

Attachment #9305726 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Ryan VanderMeulen [:RyanVM]

Comment 23

•

3 years ago

uplift

https://hg.mozilla.org/releases/mozilla-beta/rev/6e9159a2620f

status-firefox109: affected → fixed

June Wilde (she/her) [:jewilde]

Updated

•

3 years ago

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][adv-main109+r]

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Group: core-security-release

David Lawrence [:dkl]

Updated

•

2 years ago

Assignee: aosmond → nobody

Keywords: bugmon

testcase.html 3 years ago Tyson Smith [:tsmith] 440 bytes, text/html		Details
Bug 1798591. 3 years ago Andrew Osmond [:aosmond] (he/him) 48 bytes, text/x-phabricator-request	RyanVM : approval-mozilla-beta+ tjr : sec-approval+	Details \| Review