Closed Bug 1810805 Opened 2 years ago Closed 11 months ago

ThreadSanitizer: data race [@ mozilla::dom::FetchDriver::FetchDriverAbortActions] vs. [@ mozilla::dom::FetchDriver::OnDataAvailable]

Categories

(Core :: DOM: Networking, defect, P2)

Tracking

RESOLVED FIXED
122 Branch
Tracking Status
firefox-esr115 121+ fixed
firefox110 --- wontfix
firefox111 --- wontfix
firefox120 --- wontfix
firefox121 + fixed
firefox122 + fixed

People

(Reporter: tsmith, Assigned: smayya)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [necko-triaged][necko-priority-queue][adv-main121+r][adv-esr115.6+r])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20221220-dd4482632694 (--enable-thread-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -t --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --headless
WARNING: ThreadSanitizer: data race (pid=22695)
  Write of size 8 at 0x7b44000f11e8 by main thread:
    #0 assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:67:13 (libxul.so+0x7725cea) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #1 operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:168:5 (libxul.so+0x7725cea)
    #2 mozilla::dom::FetchDriver::FetchDriverAbortActions(mozilla::dom::AbortSignalImpl*) /builds/worker/checkouts/gecko/dom/fetch/FetchDriver.cpp:1639:15 (libxul.so+0x7725cea)
    #3 RunAbortAlgorithm /builds/worker/checkouts/gecko/dom/fetch/FetchDriver.cpp:1625:41 (libxul.so+0x7729de0) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #4 non-virtual thunk to mozilla::dom::FetchDriver::RunAbortAlgorithm() /builds/worker/checkouts/gecko/dom/fetch/FetchDriver.cpp (libxul.so+0x7729de0)
    #5 SignalAbort /builds/worker/checkouts/gecko/dom/abort/AbortSignal.cpp:62:15 (libxul.so+0x5af2b9d) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #6 mozilla::dom::AbortSignal::SignalAbort(JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/dom/abort/AbortSignal.cpp:273:20 (libxul.so+0x5af2b9d)
    #7 RunAbortAlgorithm /builds/worker/checkouts/gecko/dom/abort/AbortSignal.cpp:288:3 (libxul.so+0x5af2f93) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #8 non-virtual thunk to mozilla::dom::AbortSignal::RunAbortAlgorithm() /builds/worker/checkouts/gecko/dom/abort/AbortSignal.cpp (libxul.so+0x5af2f93)
    #9 SignalAbort /builds/worker/checkouts/gecko/dom/abort/AbortSignal.cpp:62:15 (libxul.so+0x5af2b9d) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #10 mozilla::dom::AbortSignal::SignalAbort(JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/dom/abort/AbortSignal.cpp:273:20 (libxul.so+0x5af2b9d)
    #11 mozilla::dom::AbortController::Abort(JSContext*, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/dom/abort/AbortController.cpp:72:14 (libxul.so+0x5af0678) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #12 mozilla::dom::AbortController_Binding::abort(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/AbortControllerBinding.cpp:86:24 (libxul.so+0x5f44afa) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #13 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13 (libxul.so+0x7074174) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #14 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0xbe5b62b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #15 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12 (libxul.so+0xbe5b62b)
    #16 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xbe5173c) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #17 CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10 (libxul.so+0xbe5173c)
    #18 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16 (libxul.so+0xbe5173c)
    #19 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13 (libxul.so+0xbe44a1f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #20 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13 (libxul.so+0xbe5b700) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #21 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xbe5c3b3) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #22 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0xbe5c3b3)
    #23 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1488:10 (libxul.so+0xc0e7560) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #24 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:149:8 (libxul.so+0xbed0252) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #25 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:190:10 (libxul.so+0xbecff87) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #26 AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2111:12 (libxul.so+0xc070a2d) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #27 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2174:12 (libxul.so+0xc070a2d)
    #28 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0xbe5b62b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #29 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12 (libxul.so+0xbe5b62b)
    #30 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xbe5c3b3) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #31 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0xbe5c3b3)
    #32 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0xbef046b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #33 mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8 (libxul.so+0x6495673) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #34 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x410d5ad) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #35 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x410d5ad)
    #36 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18 (libxul.so+0x410d5ad)
    #37 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17 (libxul.so+0x40f9e96) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #38 mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3 (libxul.so+0x40fab47) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #39 XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1479:28 (libxul.so+0x50916fb) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #40 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:24 (libxul.so+0x422cd55) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #41 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10 (libxul.so+0x42331d6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #42 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5 (libxul.so+0x4f1849c) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #43 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x4f18f4b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #44 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4e32197) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #45 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4e32197)
    #46 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4e32197)
    #47 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x90f56e6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #48 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20 (libxul.so+0xbbee7dc) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #49 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x4f18efd) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #50 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4e32197) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #51 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4e32197)
    #52 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4e32197)
    #53 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34 (libxul.so+0xbbee429) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #54 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0xbbf8692) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #55 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x142d43) (BuildId: 340dcf8ba0bcd325da86754af51ac7332ecde9cc)
    #56 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18 (firefox-bin+0x142d43)

  Previous read of size 8 at 0x7b44000f11e8 by thread T21:
    #0 operator bool /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:310:45 (libxul.so+0x7723af2) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #1 mozilla::dom::FetchDriver::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/checkouts/gecko/dom/fetch/FetchDriver.cpp:1302:9 (libxul.so+0x7723af2)
    #2 nsCORSListenerProxy::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/checkouts/gecko/netwerk/protocol/http/nsCORSListenerProxy.cpp:701:20 (libxul.so+0x4aebabd) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #3 mozilla::net::HttpChannelChild::DoOnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:783:29 (libxul.so+0x4a69e4e) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #4 mozilla::net::HttpChannelChild::OnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTSubstring<char> const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:685:3 (libxul.so+0x4a68fe6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #5 operator() /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:615:15 (libxul.so+0x4ab9f2f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #6 std::_Function_handler<void (), mozilla::net::HttpChannelChild::ProcessOnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTSubstring<char> const&)::$_19>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2 (libxul.so+0x4ab9f2f)
    #7 operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14 (libxul.so+0x4993106) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #8 mozilla::net::ChannelFunctionEvent::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:55:25 (libxul.so+0x4993106)
    #9 mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:94:12 (libxul.so+0x4c5a330) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #10 MaybeFlushQueue /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:337:5 (libxul.so+0x4c7ebaf) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #11 mozilla::net::ChannelEventQueue::CompleteResume() /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:316:5 (libxul.so+0x4c7ebaf)
    #12 mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:152:17 (libxul.so+0x4c7e99f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #13 nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:313:14 (libxul.so+0x42358e4) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #14 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1191:16 (libxul.so+0x422ca04) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #15 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10 (libxul.so+0x42331d6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #16 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5 (libxul.so+0x4f190a8) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #17 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4e32197) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #18 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4e32197)
    #19 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4e32197)
    #20 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10 (libxul.so+0x4227c82) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #21 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x523e3) (BuildId: 52931621dd94ed517e41d68bcd1513e37b97d712)

  Location is heap block of size 296 at 0x7b44000f1180 allocated by main thread:
    #0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:667:5 (firefox-bin+0xc0901) (BuildId: 340dcf8ba0bcd325da86754af51ac7332ecde9cc)
    #1 moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15 (firefox-bin+0x144cab) (BuildId: 340dcf8ba0bcd325da86754af51ac7332ecde9cc)
    #2 operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10 (libxul.so+0x771bb6e) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #3 mozilla::dom::FetchRequest(nsIGlobalObject*, mozilla::dom::RequestOrUSVString const&, mozilla::dom::RequestInit const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/fetch/Fetch.cpp:584:9 (libxul.so+0x771bb6e)
    #4 nsGlobalWindowInner::Fetch(mozilla::dom::RequestOrUSVString const&, mozilla::dom::RequestInit const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:3899:10 (libxul.so+0x5bc83eb) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #5 fetch /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:20512:60 (libxul.so+0x6b115a9) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #6 mozilla::dom::Window_Binding::fetch_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:20528:13 (libxul.so+0x6b115a9)
    #7 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13 (libxul.so+0x7076248) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #8 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0xbe5b62b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #9 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12 (libxul.so+0xbe5b62b)
    #10 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xbe5173c) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #11 CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10 (libxul.so+0xbe5173c)
    #12 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16 (libxul.so+0xbe5173c)
    #13 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13 (libxul.so+0xbe44a1f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #14 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13 (libxul.so+0xbe5b700) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #15 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0xbe5c3b3) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #16 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0xbe5c3b3)
    #17 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0xbef046b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #18 mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8 (libxul.so+0x6da5337) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #19 HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12 (libxul.so+0x76bd708) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #20 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1308:43 (libxul.so+0x76bd708)
    #21 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17 (libxul.so+0x76be502) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #22 HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5 (libxul.so+0x76b3062) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #23 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17 (libxul.so+0x76b3062)
    #24 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16 (libxul.so+0x76b2434) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #25 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11 (libxul.so+0x76b5155) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #26 nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1079:7 (libxul.so+0x959b701) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #27 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6447:20 (libxul.so+0xb335b1a) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #28 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5840:7 (libxul.so+0xb335399) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #29 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp (libxul.so+0xb33636b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #30 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3 (libxul.so+0x51de0fe) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #31 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14 (libxul.so+0x51dd7ef) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #32 nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9 (libxul.so+0x51db776) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #33 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5 (libxul.so+0x51dcbb9) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #34 nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13864:23 (libxul.so+0xb3544be) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #35 non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp (libxul.so+0xb3546e8) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #36 mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22 (libxul.so+0x441b860) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #37 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10 (libxul.so+0x441cf12) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #38 DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11551:18 (libxul.so+0x5ce0b60) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #39 mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11489:9 (libxul.so+0x5ce0b60)
    #40 mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8016:3 (libxul.so+0x5cf3f2d) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #41 applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12 (libxul.so+0x5d6da29) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #42 apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12 (libxul.so+0x5d6da29)
    #43 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13 (libxul.so+0x5d6da29)
    #44 mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20 (libxul.so+0x4206d1f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #45 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16 (libxul.so+0x421354f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #46 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26 (libxul.so+0x420cb4d) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #47 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15 (libxul.so+0x420b0c6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #48 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36 (libxul.so+0x420b4a0) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #49 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37 (libxul.so+0x4215f07) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #50 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5 (libxul.so+0x4215f07)
    #51 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16 (libxul.so+0x422c7a0) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #52 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10 (libxul.so+0x42331d6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #53 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x4f1841b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #54 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x4f18f4b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #55 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4e32197) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #56 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4e32197)
    #57 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4e32197)
    #58 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x90f56e6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #59 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20 (libxul.so+0xbbee7dc) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #60 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x4f18efd) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #61 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4e32197) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #62 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4e32197)
    #63 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4e32197)
    #64 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34 (libxul.so+0xbbee429) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #65 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0xbbf8692) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #66 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x142d43) (BuildId: 340dcf8ba0bcd325da86754af51ac7332ecde9cc)
    #67 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18 (firefox-bin+0x142d43)

  Thread T21 'StreamTrans #1' (tid=22736, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1022:3 (firefox-bin+0xc206d) (BuildId: 340dcf8ba0bcd325da86754af51ac7332ecde9cc)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x4948f) (BuildId: 52931621dd94ed517e41d68bcd1513e37b97d712)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x3e2a5) (BuildId: 52931621dd94ed517e41d68bcd1513e37b97d712)
    #3 nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:618:18 (libxul.so+0x4229847) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #4 nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:542:12 (libxul.so+0x423211f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #5 NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57 (libxul.so+0x423ac65) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #6 NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:165:10 (libxul.so+0x4234e24) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #7 nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:125:17 (libxul.so+0x4234e24)
    #8 nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:365:5 (libxul.so+0x42363ba) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #9 non-virtual thunk to nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp (libxul.so+0x4236b48) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #10 mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsStreamTransportService.cpp:293:16 (libxul.so+0x4492ea9) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #11 non-virtual thunk to mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsStreamTransportService.cpp (libxul.so+0x4492f78) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #12 mozilla::net::ChannelEventQueue::ResumeInternal() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:174:15 (libxul.so+0x4c5a7ad) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #13 Resume /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:121:3 (libxul.so+0x4c5a44f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #14 mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:103:5 (libxul.so+0x4c5a44f)
    #15 MaybeFlushQueue /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:337:5 (libxul.so+0x4c7ebaf) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #16 mozilla::net::ChannelEventQueue::CompleteResume() /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:316:5 (libxul.so+0x4c7ebaf)
    #17 mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:152:17 (libxul.so+0x4c7e99f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #18 mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20 (libxul.so+0x4206d1f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #19 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16 (libxul.so+0x421354f) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #20 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26 (libxul.so+0x420cb4d) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #21 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15 (libxul.so+0x420b0c6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #22 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36 (libxul.so+0x420b4a0) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #23 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:191:37 (libxul.so+0x4215f6a) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #24 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5 (libxul.so+0x4215f6a)
    #25 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16 (libxul.so+0x422c7a0) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #26 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10 (libxul.so+0x42331d6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #27 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5 (libxul.so+0x4f1849c) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #28 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x4f18f4b) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #29 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4e32197) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #30 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4e32197)
    #31 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4e32197)
    #32 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x90f56e6) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #33 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20 (libxul.so+0xbbee7dc) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #34 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x4f18efd) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #35 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x4e32197) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #36 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x4e32197)
    #37 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x4e32197)
    #38 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34 (libxul.so+0xbbee429) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #39 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0xbbf8692) (BuildId: e41df21683ec4acd27ce46828983c6e402482a21)
    #40 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x142d43) (BuildId: 340dcf8ba0bcd325da86754af51ac7332ecde9cc)
    #41 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18 (firefox-bin+0x142d43)
Flags: in-testsuite?

This looks like a race on FetchDriver::mObserver.

This could well be sec-high. Not sure how much control an attacker has over this race condition because it depends on data coming over the network.

Group: dom-core-security → network-core-security
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged] [necko-priority-review]
Whiteboard: [necko-triaged] [necko-priority-review] → [necko-triaged][necko-priority-review][necko-next]
Whiteboard: [necko-triaged][necko-priority-review][necko-next] → [necko-triaged][necko-priority-next]
Whiteboard: [necko-triaged][necko-priority-next] → [necko-triaged][necko-priority-queue]
Assignee: nobody → smayya

The problem here is that we can have data races (FetchDriver::mObserver) when OnDataAvailable is running OMT in parallel with code executing on the main thread.
A straightforward solution would be guarding all the data members with a mutex.
However, this will make the code messy (as we need a guard in every member function) and have a significant impact on the performance.
I think there should be a simpler way to solve this.

OnDataAvailable accesses the following data members OMT; these are the potential candidates for data races:
mPipeOutputStream
mNeedToObserveOnDataAvailable
mObserver
mMainThreadEventTarget
mResponse
mRequest

In case of this Bug, we have a data race on mObserver.
I have made a detailed analysis of the access patterns of the above members to check the possibility of a race. Please find the list of member functions accessing the members above and an explanation of why a mutex guard might or might not be needed.

In general, we know that OnStartAvailable/OnDataAvailable/OnStopRequest are serialised by ChannelEventQueue and hence no race can exist for these calls. Hence, functions originating from these members need not be guarded.

FetchDriver::Fetch() - Before start of a request, hence cannot race with OnDataAvailable

HttpFetch - Before start of a request, hence cannot race with OnDataAvailable

BeginAndGetFilteredResponse - Called during OnStartRequest, hence cannot race with OnDataAvailable

FailWithNetworkError - Reported by the bug. Called from Main thread. Can race with ODA.

OnStartRequest - Cannot race with OnDataAvailable.

OnDataAvailable

OnStopRequest - Cannot race with OnDataAvailable.

FinishOnStopRequest - Called in OnStopRequest, hence cannot race with OnDataAvailable

FetchDriverAbortActions - Can be called on the main thread and race with OnDataAvailable

FetchDriver::FindPreload - Called before start of a request, hence cannot race with OnDataAvailable

AsyncOnChannelRedirect - Called between OnStartRequest and OnDataAvailable. Hence, no possibility of a race

UpdateReferrerInfoFromNewChannel - Called from AsyncOnChannelRedirect, no possibility of a race.

From the above analysis, I have concluded that we need to add a guard only in OnDataAvailable, FetchDriverAbortActions, and FailWithNetworkError.
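
The guard option weighed in the comment above, as an added example that is not Gecko code and not the patch that landed (the uplift request further down describes that fix as delaying the assignment of a member variable). `DriverModel`, `Observer`, `TakeObserver` and `RunModel` are hypothetical names, and `std::shared_ptr` stands in for `RefPtr`.

```cpp
#include <atomic>
#include <memory>
#include <mutex>
#include <thread>
#include <utility>

// Hypothetical stand-in for the object held in mObserver.
struct Observer {
  std::atomic<int> chunks{0}, aborts{0};
};
// Simplified model, not Gecko code: only the three racing entry points lock.
class DriverModel {
 public:
  explicit DriverModel(std::shared_ptr<Observer> aObserver)
      : mObserver(std::move(aObserver)) {}
  // Off-main-thread path: copy under the lock, then use the local strong
  // reference so a concurrent clear cannot free the object mid-call.
  bool OnDataAvailable() {
    std::unique_lock<std::mutex> lock(mMutex);
    std::shared_ptr<Observer> observer = mObserver;
    lock.unlock();
    if (!observer) return false;  // already aborted or failed
    ++observer->chunks;
    return true;
  }
  // Main-thread paths: both clear mObserver under the same lock.
  void FetchDriverAbortActions() {
    if (auto observer = TakeObserver()) ++observer->aborts;
  }
  void FailWithNetworkError() { TakeObserver(); }

 private:
  std::shared_ptr<Observer> TakeObserver() {
    std::lock_guard<std::mutex> lock(mMutex);
    return std::exchange(mObserver, nullptr);
  }
  std::mutex mMutex;
  std::shared_ptr<Observer> mObserver;
};
// Aborts while a worker delivers data; true when the abort was seen once
// and every accepted chunk was counted.
bool RunModel() {
  auto observer = std::make_shared<Observer>();
  DriverModel driver(observer);
  int delivered = 0;
  std::thread worker([&] {
    for (int i = 0; i < 100000; ++i) delivered += driver.OnDataAvailable();
  });
  driver.FetchDriverAbortActions();
  driver.FailWithNetworkError();
  worker.join();
  return observer->aborts == 1 && observer->chunks == delivered;
}
```

Building this with `-fsanitize=thread` and calling `RunModel()` should produce no report; removing the locks reintroduces an unsynchronized write/read pair on `mObserver` of the kind ThreadSanitizer flagged in this bug.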

Attachment #9364713 - Attachment description: Bug 1810805 - add recursive mutex guard in FetchDriver. r=#necko → Bug 1810805 - update mObserver modifications in FetchDriver. r=#necko
Pushed by smayya@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dcfa4149aaf3 update mObserver modifications in FetchDriver. r=necko-reviewers,edenchuang

Comment on attachment 9364713 [details]
Bug 1810805 - update mObserver modifications in FetchDriver. r=#necko

Landed without sec approval as it is a sec-moderate.
As per this guideline we don't need sec approval for sec-moderates.

Attachment #9364713 - Flags: sec-approval?
Attachment #9364713 - Flags: sec-approval?
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch

The patch landed in nightly and beta is affected.
:smayya, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox121 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(smayya)

Comment on attachment 9364713 [details]
Bug 1810805 - update mObserver modifications in FetchDriver. r=#necko

Beta/Release Uplift Approval Request

  • User impact if declined: This could lead to a potential browser crash.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): We are delaying the assignment of a member variable as a fix. This patch does not change any existing functional behavior.
  • String changes made/needed: no
  • Is Android affected?: Yes
Flags: needinfo?(smayya)
Attachment #9364713 - Flags: approval-mozilla-beta?

Comment on attachment 9364713 [details]
Bug 1810805 - update mObserver modifications in FetchDriver. r=#necko

Approved for 121.0b8 and 115.6esr.

Attachment #9364713 - Flags: approval-mozilla-esr115+
Attachment #9364713 - Flags: approval-mozilla-beta?
Attachment #9364713 - Flags: approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [necko-triaged][necko-priority-queue] → [necko-triaged][necko-priority-queue][adv-main121+r]
Whiteboard: [necko-triaged][necko-priority-queue][adv-main121+r] → [necko-triaged][necko-priority-queue][adv-main121+r][adv-esr115.6+r]

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release