Closed Bug 1828024 Opened 2 years ago Closed 2 years ago

ThreadSanitizer: data race [@ js::gc::GCRuntime::updateHelperThreadCount] vs. [@ js::gc::GCRuntime::updateMarkersVector]

Categories

(Core :: JavaScript: GC, defect, P2)

Tracking

RESOLVED FIXED
116 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 117+ fixed
firefox114 --- wontfix
firefox115 --- wontfix
firefox116 --- fixed

People

(Reporter: tsmith, Assigned: jonco)

References

(Blocks 3 open bugs)

Details

(Keywords: csectype-race, sec-moderate, testcase-wanted, Whiteboard: [adv-main116+r][adv-esr115.2+r])

Attachments

(1 file)

Found while fuzzing m-c 20230413-5c9aa60ea6f4 (--enable-thread-sanitizer --enable-fuzzing)

Unfortunately no test case is available.

WARNING: ThreadSanitizer: data race (pid=136199)
  Write of size 8 at 0x7b5800018850 by thread T84 (mutexes: write M0):
    #0 setGCParallelThreadCount src/js/src/vm/HelperThreadState.h:341:27 (libxul.so+0xc7453d2) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #1 js::gc::GCRuntime::updateHelperThreadCount() src/js/src/gc/GC.cpp:1363:23 (libxul.so+0xc7453d2)
    #2 js::gc::GCRuntime::init(unsigned int) src/js/src/gc/GC.cpp:826:3 (libxul.so+0xc744e3d) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #3 JSRuntime::init(JSContext*, unsigned int) src/js/src/vm/Runtime.cpp:195:11 (libxul.so+0xc2a52fe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #4 js::NewContext(unsigned int, JSRuntime*) src/js/src/vm/JSContext.cpp:185:17 (libxul.so+0xc1826cd) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #5 JS_NewContext(unsigned int, JSRuntime*) src/js/src/jsapi.cpp:402:10 (libxul.so+0xc456213) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #6 mozilla::net::JSContextWrapper::Create(unsigned int) src/netwerk/base/ProxyAutoConfig.cpp:392:21 (libxul.so+0x43d7503) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #7 mozilla::net::ProxyAutoConfig::SetupJS() src/netwerk/base/ProxyAutoConfig.cpp:541:16 (libxul.so+0x43d6b7e) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #8 mozilla::net::ProxyAutoConfig::ConfigurePAC(nsTSubstring<char> const&, nsTSubstring<char> const&, bool, unsigned int, nsIEventTarget*) src/netwerk/base/ProxyAutoConfig.cpp:517:29 (libxul.so+0x43d6994) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #9 mozilla::net::ExecutePACThreadAction::Run() src/netwerk/base/nsPACMan.cpp:275:22 (libxul.so+0x4497410) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #10 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1233:16 (libxul.so+0x423222a) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #11 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:479:10 (libxul.so+0x4238b76) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #12 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x4f55bfe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #13 RunInternal src/ipc/chromium/src/base/message_loop.cc:369:10 (libxul.so+0x4e6d9c8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #14 RunHandler src/ipc/chromium/src/base/message_loop.cc:362:3 (libxul.so+0x4e6d9c8)
    #15 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:344:3 (libxul.so+0x4e6d9c8)
    #16 nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:391:10 (libxul.so+0x422d349) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #17 _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4fc29) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)

  Previous read of size 8 at 0x7b5800018850 by thread T83:
    #0 getGCParallelThreadCount src/js/src/vm/HelperThreadState.h:336:52 (libxul.so+0xc7454a9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #1 js::gc::GCRuntime::updateMarkersVector() src/js/src/gc/GC.cpp:1397:53 (libxul.so+0xc7454a9)
    #2 js::gc::GCRuntime::init(unsigned int) src/js/src/gc/GC.cpp:835:8 (libxul.so+0xc744e45) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #3 JSRuntime::init(JSContext*, unsigned int) src/js/src/vm/Runtime.cpp:195:11 (libxul.so+0xc2a52fe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #4 js::NewContext(unsigned int, JSRuntime*) src/js/src/vm/JSContext.cpp:185:17 (libxul.so+0xc1826cd) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #5 JS_NewContext(unsigned int, JSRuntime*) src/js/src/jsapi.cpp:402:10 (libxul.so+0xc456213) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #6 mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int) src/xpcom/base/CycleCollectedJSContext.cpp:129:16 (libxul.so+0x40fe53b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #7 mozilla::dom::WorkerJSContext::Initialize(JSRuntime*) src/dom/workers/RuntimeService.cpp:875:44 (libxul.so+0x8d7be63) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #8 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() src/dom/workers/RuntimeService.cpp:2128:30 (libxul.so+0x8d7b33b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #9 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1233:16 (libxul.so+0x423222a) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #10 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:479:10 (libxul.so+0x4238b76) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #11 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x4f55bfe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #12 RunInternal src/ipc/chromium/src/base/message_loop.cc:369:10 (libxul.so+0x4e6d9c8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #13 RunHandler src/ipc/chromium/src/base/message_loop.cc:362:3 (libxul.so+0x4e6d9c8)
    #14 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:344:3 (libxul.so+0x4e6d9c8)
    #15 nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:391:10 (libxul.so+0x422d349) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #16 _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4fc29) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)

  Location is heap block of size 720 at 0x7b5800018600 allocated by main thread:
    #0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:692:5 (firefox-bin+0xb774c) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #1 malloc src/memory/build/malloc_decls.h:51:1 (firefox-bin+0x143cc5) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #2 moz_arena_malloc src/memory/build/malloc_decls.h:51:1 (firefox-bin+0x143cc5)
    #3 moz_arena_malloc src/memory/build/malloc_decls.h:142:1 (firefox-bin+0x143cc5)
    #4 js_arena_malloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:366:10 (libxul.so+0xc143288) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #5 js_malloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:370:10 (libxul.so+0xc143288)
    #6 js_new<js::GlobalHelperThreadState> /builds/worker/workspace/obj-build/dist/include/js/Utility.h:520:1 (libxul.so+0xc143288)
    #7 js::CreateHelperThreadsState() src/js/src/vm/HelperThreads.cpp:63:24 (libxul.so+0xc143288)
    #8 JS::detail::InitWithFailureDiagnostic(bool) src/js/src/vm/Initialization.cpp:188:3 (libxul.so+0xc15391b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #9 JS_InitWithFailureDiagnostic /builds/worker/workspace/obj-build/dist/include/js/Initialization.h:82:10 (libxul.so+0x4274d8e) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #10 InitializeJS src/xpcom/build/XPCOMInit.cpp:224:37 (libxul.so+0x4274d8e)
    #11 NS_InitXPCOM src/xpcom/build/XPCOMInit.cpp:418:3 (libxul.so+0x4274d8e)
    #12 ScopedXPCOMStartup::Initialize(bool) src/toolkit/xre/nsAppRunner.cpp:1986:8 (libxul.so+0xbdd9d73) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #13 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5879:22 (libxul.so+0xbde602e) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #14 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5939:21 (libxul.so+0xbde6701) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #15 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12 (libxul.so+0xbdf5a92) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #16 do_main src/browser/app/nsBrowserApp.cpp:227:22 (firefox-bin+0x141e85) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #17 main src/browser/app/nsBrowserApp.cpp:445:16 (firefox-bin+0x141e85)

  Mutex M0 (0x7f50b2b5cb60) created at:
    #0 pthread_mutex_init /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1341:3 (firefox-bin+0xbadf0) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #1 mozilla::detail::MutexImpl::MutexImpl() src/mozglue/misc/Mutex_posix.cpp:78:3 (firefox-bin+0x1ad83e) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #2 MutexImpl src/js/src/threading/Mutex.h:39:17 (libxul.so+0xc15e229) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #3 Mutex src/js/src/threading/Mutex.h:74:12 (libxul.so+0xc15e229)
    #4 __cxx_global_var_init src/js/src/vm/HelperThreads.cpp:56:7 (libxul.so+0xc15e229)
    #5 _GLOBAL__sub_I_Unified_cpp_js_src15.cpp /builds/worker/workspace/obj-build/js/src/Unified_cpp_js_src15.cpp (libxul.so+0xc15e229)
    #6 call_init /build/glibc-SzIz7B/glibc-2.31/elf/dl-init.c:72:3 (ld-linux-x86-64.so.2+0x11b99) (BuildId: 4587364908de169dec62ffa538170118c1c3a078)
    #7 GetLibHandle src/xpcom/glue/standalone/nsXPCOMGlue.cpp:89:29 (firefox-bin+0x143931) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #8 ReadDependentCB src/xpcom/glue/standalone/nsXPCOMGlue.cpp:144:3 (firefox-bin+0x143931)
    #9 XPCOMGlueLoad src/xpcom/glue/standalone/nsXPCOMGlue.cpp:323:9 (firefox-bin+0x143931)
    #10 mozilla::GetBootstrap(char const*, mozilla::LibLoadingStrategy) src/xpcom/glue/standalone/nsXPCOMGlue.cpp:405:3 (firefox-bin+0x143931)
    #11 InitXPCOMGlue(mozilla::LibLoadingStrategy) src/browser/app/nsBrowserApp.cpp:242:7 (firefox-bin+0x14205c) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #12 main src/browser/app/nsBrowserApp.cpp:434:17 (firefox-bin+0x1419fe) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)

  Thread T84 'ProxyResolution' (tid=136415, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1048:3 (firefox-bin+0xb947b) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #1 _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x46cbe) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
    #2 PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x3bd44) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
    #3 nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:633:18 (libxul.so+0x422efa5) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #4 nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:548:12 (libxul.so+0x423799f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #5 NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) src/xpcom/threads/nsThreadUtils.cpp:175:57 (libxul.so+0x42404a6) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #6 NS_NewNamedThread<16UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:87:10 (libxul.so+0x4448166) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #7 mozilla::net::nsPACMan::DispatchToPAC(already_AddRefed<nsIRunnable>, bool) src/netwerk/base/nsPACMan.cpp:449:5 (libxul.so+0x4448166)
    #8 mozilla::net::nsPACMan::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) src/netwerk/base/nsPACMan.cpp:928:5 (libxul.so+0x444b570) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #9 mozilla::net::nsStreamLoader::OnStopRequest(nsIRequest*, nsresult) src/netwerk/base/nsStreamLoader.cpp:86:20 (libxul.so+0x449ea19) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #10 nsBaseChannel::OnStopRequest(nsIRequest*, nsresult) src/netwerk/base/nsBaseChannel.cpp:852:16 (libxul.so+0x43f5f26) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #11 non-virtual thunk to nsBaseChannel::OnStopRequest(nsIRequest*, nsresult) src/netwerk/base/nsBaseChannel.cpp (libxul.so+0x43f6093) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #12 nsInputStreamPump::OnStateStop() src/netwerk/base/nsInputStreamPump.cpp:695:15 (libxul.so+0x4424e13) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #13 nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp:415:21 (libxul.so+0x4423dbc) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #14 non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp (libxul.so+0x4425119) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #15 RunAsyncWaitCallback src/xpcom/io/NonBlockingAsyncInputStream.cpp:388:13 (libxul.so+0x41a93b1) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #16 mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() src/xpcom/io/NonBlockingAsyncInputStream.cpp:33:14 (libxul.so+0x41a93b1)
    #17 mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:553:16 (libxul.so+0x4218670) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #18 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:869:26 (libxul.so+0x42116b9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #19 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:700:15 (libxul.so+0x420fc26) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #20 mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:464:36 (libxul.so+0x421001f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #21 operator() src/xpcom/threads/TaskController.cpp:191:37 (libxul.so+0x421aea4) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #22 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x421aea4)
    #23 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1239:16 (libxul.so+0x4231f2b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #24 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:479:10 (libxul.so+0x4238b76) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #25 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x4f54ffe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #26 RunInternal src/ipc/chromium/src/base/message_loop.cc:369:10 (libxul.so+0x4e6d9c8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #27 RunHandler src/ipc/chromium/src/base/message_loop.cc:362:3 (libxul.so+0x4e6d9c8)
    #28 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:344:3 (libxul.so+0x4e6d9c8)
    #29 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x9360193) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #30 nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:295:30 (libxul.so+0xbc7f5d2) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #31 XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:5683:22 (libxul.so+0xbde5502) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #32 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5883:8 (libxul.so+0xbde6043) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #33 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5939:21 (libxul.so+0xbde6701) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #34 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12 (libxul.so+0xbdf5a92) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #35 do_main src/browser/app/nsBrowserApp.cpp:227:22 (firefox-bin+0x141e85) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #36 main src/browser/app/nsBrowserApp.cpp:445:16 (firefox-bin+0x141e85)

  Thread T83 'DOM Worker' (tid=136402, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1048:3 (firefox-bin+0xb947b) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #1 _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x46cbe) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
    #2 PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x3bd44) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
    #3 nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:633:18 (libxul.so+0x422efa5) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) src/dom/workers/WorkerThread.cpp:102:7 (libxul.so+0x8dae58b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) src/dom/workers/RuntimeService.cpp:1331:37 (libxul.so+0x8d5e183) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) src/dom/workers/RuntimeService.cpp:1213:19 (libxul.so+0x8d5d571) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) src/dom/workers/WorkerPrivate.cpp:2653:24 (libxul.so+0x8d8ff3f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #8 mozilla::dom::ChromeWorker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/workers/ChromeWorker.cpp:33:41 (libxul.so+0x8d58acf) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #9 mozilla::dom::ChromeWorker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:322:58 (libxul.so+0x6c0c279) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #10 CallJSNative src/js/src/vm/Interpreter.cpp:486:13 (libxul.so+0xc02fc0a) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #11 CallJSNativeConstructor src/js/src/vm/Interpreter.cpp:502:8 (libxul.so+0xc02fc0a)
    #12 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:727:10 (libxul.so+0xc02fc0a)
    #13 ConstructFromStack src/js/src/vm/Interpreter.cpp:755:10 (libxul.so+0xc03ee3a) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #14 js::Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3380:16 (libxul.so+0xc03ee3a)
    #15 MaybeEnterInterpreterTrampoline src/js/src/vm/Interpreter.cpp:400:10 (libxul.so+0xc02dd3c) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #16 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:458:13 (libxul.so+0xc02dd3c)
    #17 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:612:13 (libxul.so+0xc02e7c9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #18 InternalCall src/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xc02f3b7) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #19 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:679:8 (libxul.so+0xc02f3b7)
    #20 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:801:10 (libxul.so+0xc0300cf) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #21 CallGetter src/js/src/vm/NativeObject.cpp:2020:12 (libxul.so+0xc200081) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #22 GetExistingProperty<(js::AllowGC)1> src/js/src/vm/NativeObject.cpp:2048:12 (libxul.so+0xc200081)
    #23 NativeGetPropertyInline<(js::AllowGC)1> src/js/src/vm/NativeObject.cpp:2196:14 (libxul.so+0xc200081)
    #24 js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2227:10 (libxul.so+0xc200081)
    #25 GetProperty src/js/src/vm/ObjectOperations-inl.h:118:10 (libxul.so+0xc04e497) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #26 GetProperty src/js/src/vm/ObjectOperations-inl.h:125:10 (libxul.so+0xc04e497)
    #27 js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4787:10 (libxul.so+0xc04e497)
    #28 GetPropertyOperation src/js/src/vm/Interpreter.cpp:245:10 (libxul.so+0xc03b53d) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #29 js::Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3050:12 (libxul.so+0xc03b53d)
    #30 MaybeEnterInterpreterTrampoline src/js/src/vm/Interpreter.cpp:400:10 (libxul.so+0xc02dd3c) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #31 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:458:13 (libxul.so+0xc02dd3c)
    #32 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:612:13 (libxul.so+0xc02e7c9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #33 InternalCall src/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xc02f3b7) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #34 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:679:8 (libxul.so+0xc02f3b7)
    #35 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/SelfHosting.cpp:1473:10 (libxul.so+0xc2cf52f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #36 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) src/js/src/vm/AsyncFunction.cpp:149:8 (libxul.so+0xc0b8af6) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #37 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) src/js/src/vm/AsyncFunction.cpp:190:10 (libxul.so+0xc0b8817) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #38 AsyncFunctionPromiseReactionJob src/js/src/builtin/Promise.cpp:2111:12 (libxul.so+0xc250ccd) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #39 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) src/js/src/builtin/Promise.cpp:2174:12 (libxul.so+0xc250ccd)
    #40 CallJSNative src/js/src/vm/Interpreter.cpp:486:13 (libxul.so+0xc02e6f9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #41 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:580:12 (libxul.so+0xc02e6f9)
    #42 InternalCall src/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xc02f3b7) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #43 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:679:8 (libxul.so+0xc02f3b7)
    #44 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0xc0dbe99) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #45 mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8 (libxul.so+0x6534493) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #46 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x4114593) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #47 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x4114593)
    #48 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) src/xpcom/base/CycleCollectedJSContext.cpp:213:18 (libxul.so+0x4114593)
    #49 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) src/xpcom/base/CycleCollectedJSContext.cpp:676:17 (libxul.so+0x40ff986) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #50 LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:246:7 (libxul.so+0x77b753c) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #51 ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:394:13 (libxul.so+0x77b753c)
    #52 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1335:3 (libxul.so+0x77b753c)
    #53 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1502:17 (libxul.so+0x77b7fa8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #54 HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:395:5 (libxul.so+0x77acbe1) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #55 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:347:17 (libxul.so+0x77acbe1)
    #56 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:549:16 (libxul.so+0x77abed4) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #57 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1122:11 (libxul.so+0x77aed22) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #58 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp (libxul.so+0x77b2019) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #59 nsPresContext::FireDOMPaintEvent(nsTArray<nsRect>*, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType>, mozilla::TimeStamp) src/layout/base/nsPresContext.cpp:2230:3 (libxul.so+0x9874307) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #60 DelayedFireDOMPaintEvent::Run() src/layout/base/nsPresContext.cpp:2358:21 (libxul.so+0x9882be3) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #61 mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:553:16 (libxul.so+0x4218670) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #62 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:869:26 (libxul.so+0x42116b9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #63 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:700:15 (libxul.so+0x420fc26) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #64 mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:464:36 (libxul.so+0x421001f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #65 operator() src/xpcom/threads/TaskController.cpp:191:37 (libxul.so+0x421aea4) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #66 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x421aea4)
    #67 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1239:16 (libxul.so+0x4231f2b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #68 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:479:10 (libxul.so+0x4238b76) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #69 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x4f54ffe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #70 RunInternal src/ipc/chromium/src/base/message_loop.cc:369:10 (libxul.so+0x4e6d9c8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #71 RunHandler src/ipc/chromium/src/base/message_loop.cc:362:3 (libxul.so+0x4e6d9c8)
    #72 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:344:3 (libxul.so+0x4e6d9c8)
    #73 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x9360193) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #74 nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:295:30 (libxul.so+0xbc7f5d2) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #75 XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:5683:22 (libxul.so+0xbde5502) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #76 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5883:8 (libxul.so+0xbde6043) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #77 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5939:21 (libxul.so+0xbde6701) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #78 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12 (libxul.so+0xbdf5a92) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
    #79 do_main src/browser/app/nsBrowserApp.cpp:227:22 (firefox-bin+0x141e85) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
    #80 main src/browser/app/nsBrowserApp.cpp:445:16 (firefox-bin+0x141e85)

This specific race doesn't seem that bad, but it does look rather dodgy that ProxyAutoConfig and a DOM worker are racing on JSRuntime::init.

First things first, why do we have 2 JSRuntime::init calls running concurrently, without first initializing a main-thread JSRuntime?
Sounds like setGCParallelThreadCount should only be called in the parent JSRuntime.

Steve, sounds like this could be a simple fix?

Severity: -- → S4
Flags: needinfo?(sphink)
Priority: -- → P2

This one slipped through the cracks. Jon, you've done the work in this area and would know if there are any issues with the change.

Flags: needinfo?(sphink) → needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)

(In reply to Andrew McCreight [:mccr8] from comment #1)
It's OK for there to be different runtimes being created at the same time on different threads. The helper thread system is shared however (it's per-process) so we need to be careful there.

I am a bit surprised though because I assumed that there was always one main thread parent runtime per-process and multiple DOM workers child runtimes. I forgot that ProxyAutoConfig could create its own runtime which I guess is a separate parent runtime that's different than the main thread one.

This makes us take a lock to read this state (we already lock when writing it).

Also it adds a release assert in case something goes wrong with the thread count calculations, as a crash is preferable to the potential deadlock.

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
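The race and the fix described in the comment above, modelled as an added example (not SpiderMonkey's code and not the attached patch): a lock token type makes the getter uncallable without the helper thread lock, and a release assert trips on a count that could otherwise deadlock parallel marking. Names such as AutoLockHelperThreadState, GlobalHelperThreadState, GCRuntime and initTwoRuntimes are assumed stand-ins for the types in the trace.

```cpp
// Added example, not SpiderMonkey's code or the attached patch. It models the
// race in the TSan report above (a per-process helper thread state whose GC
// parallel thread count is written under the lock but was read without it) and
// the fix described above (the getter now requires the lock, and a release
// assert crashes rather than risk a deadlock). All names are hypothetical stand-ins.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <mutex>
#include <vector>

// Release assert: checked in all builds, aborts on a violated invariant.
inline void releaseAssert(bool ok, const char* what) {
  if (!ok) {
    std::fprintf(stderr, "release assert failed: %s\n", what);
    std::abort();
  }
}

// Lock token: it can only be built by taking the mutex, so a function whose
// signature demands a `const AutoLockHelperThreadState&` cannot be called
// from code that does not hold the lock. The compiler enforces the rule.
class AutoLockHelperThreadState {
 public:
  explicit AutoLockHelperThreadState(std::mutex& m) : guard_(m) {}
 private:
  std::lock_guard<std::mutex> guard_;
};

// Per-process state shared by every JSRuntime (main thread, DOM workers,
// ProxyAutoConfig's runtime), like js::GlobalHelperThreadState in the trace.
struct GlobalHelperThreadState {
  std::mutex lock;
  std::size_t threadCount = 0;            // helper threads in the pool
  std::size_t gcParallelThreadCount = 0;  // how many of them GC marking may use

  // Before the fix: no lock required, so another runtime's write in
  // setGCParallelThreadCount could overlap this read (TSan's "previous read").
  std::size_t getGCParallelThreadCountUnlocked() const {
    return gcParallelThreadCount;
  }

  // The writer was already lock-protected (TSan: "mutexes: write M0").
  void setGCParallelThreadCount(std::size_t n, const AutoLockHelperThreadState&) {
    gcParallelThreadCount = n;
  }

  // Zero, or more threads than the pool has, would make parallel marking wait
  // for helper threads that never arrive: the potential deadlock.
  bool gcParallelThreadCountIsSane() const {
    return gcParallelThreadCount >= 1 && gcParallelThreadCount <= threadCount;
  }

  // After the fix: the lock token is mandatory, and a bad count aborts here
  // instead of being handed to the marker code.
  std::size_t getGCParallelThreadCount(const AutoLockHelperThreadState&) const {
    releaseAssert(gcParallelThreadCountIsSane(), "gcParallelThreadCountIsSane()");
    return gcParallelThreadCount;
  }
};

// Per-runtime GC state; JSRuntime::init runs both methods on whichever thread
// is creating that runtime.
struct GCRuntime {
  std::vector<int> markers;  // one entry per parallel marking thread
  // Like updateHelperThreadCount(): derive the count, clamped to
  // [1, threadCount], and publish it under the lock.
  void updateHelperThreadCount(GlobalHelperThreadState& state, std::size_t wanted) {
    AutoLockHelperThreadState lock(state.lock);
    std::size_t n = std::max<std::size_t>(1, std::min(wanted, state.threadCount));
    state.setGCParallelThreadCount(n, lock);
  }

  // Like updateMarkersVector(): size the markers from the shared count, now
  // read under the same lock the writer takes.
  std::size_t updateMarkersVector(GlobalHelperThreadState& state) {
    std::size_t n;
    {
      AutoLockHelperThreadState lock(state.lock);
      n = state.getGCParallelThreadCount(lock);
    }
    markers.resize(n);
    return n;
  }
};

// Two runtimes (say ProxyAutoConfig's and a DOM worker's) initialising against
// one shared state; returns the marker count each ends up with. Both see the
// last published value, because the state is per-process, not per-runtime.
inline std::vector<std::size_t> initTwoRuntimes(std::size_t poolSize,
                                                std::size_t wantedA, std::size_t wantedB) {
  GlobalHelperThreadState state;
  state.threadCount = poolSize;
  GCRuntime a, b;
  a.updateHelperThreadCount(state, wantedA);
  b.updateHelperThreadCount(state, wantedB);
  return {a.updateMarkersVector(state), b.updateMarkersVector(state)};
}
```

A call to getGCParallelThreadCount without a lock token is a compile error, which is the whole point of the token parameter; the release assert covers the remaining case of a count that is syntactically locked but semantically wrong.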

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.

The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox115 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jcoppeard)

I don't think this is worth uplifting.

Flags: needinfo?(jcoppeard)
QA Whiteboard: [post-critsmash-triage]
Whiteboard: [adv-main116+r]

Please nominate this for ESR115 approval.

Flags: needinfo?(jcoppeard)

Comment on attachment 9339565 [details]
Bug 1828024 - Require the helper thread lock in the GC helper thread count getter r?sfink

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Requested for uplift.
  • User impact if declined: Possible race condition. This is unlikely to have user impact.
  • Fix Landed on Version: 116
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a very simple change to add some locking around getting the value of some shared state.

Flags: needinfo?(jcoppeard)
Attachment #9339565 - Flags: approval-mozilla-esr115?

Comment on attachment 9339565 [details]
Bug 1828024 - Require the helper thread lock in the GC helper thread count getter r?sfink

Approved for 115.2esr.

Attachment #9339565 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Whiteboard: [adv-main116+r] → [adv-main116+r][adv-esr115.2+r]
Group: core-security-release