ThreadSanitizer: data race [@ js::gc::GCRuntime::updateHelperThreadCount] vs. [@ js::gc::GCRuntime::updateMarkersVector]
Categories: Core :: JavaScript: GC, defect, P2
People: Reporter: tsmith, Assigned: jonco
References: Blocks 3 open bugs
Details: Keywords: csectype-race, sec-moderate, testcase-wanted; Whiteboard: [adv-main116+r][adv-esr115.2+r]
Attachments: 1 file (48 bytes, text/x-phabricator-request); dmeehan: approval-mozilla-esr115+
Found while fuzzing m-c 20230413-5c9aa60ea6f4 (--enable-thread-sanitizer --enable-fuzzing)
Unfortunately no test case is available.
WARNING: ThreadSanitizer: data race (pid=136199)
Write of size 8 at 0x7b5800018850 by thread T84 (mutexes: write M0):
#0 setGCParallelThreadCount src/js/src/vm/HelperThreadState.h:341:27 (libxul.so+0xc7453d2) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#1 js::gc::GCRuntime::updateHelperThreadCount() src/js/src/gc/GC.cpp:1363:23 (libxul.so+0xc7453d2)
#2 js::gc::GCRuntime::init(unsigned int) src/js/src/gc/GC.cpp:826:3 (libxul.so+0xc744e3d) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#3 JSRuntime::init(JSContext*, unsigned int) src/js/src/vm/Runtime.cpp:195:11 (libxul.so+0xc2a52fe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#4 js::NewContext(unsigned int, JSRuntime*) src/js/src/vm/JSContext.cpp:185:17 (libxul.so+0xc1826cd) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#5 JS_NewContext(unsigned int, JSRuntime*) src/js/src/jsapi.cpp:402:10 (libxul.so+0xc456213) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#6 mozilla::net::JSContextWrapper::Create(unsigned int) src/netwerk/base/ProxyAutoConfig.cpp:392:21 (libxul.so+0x43d7503) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#7 mozilla::net::ProxyAutoConfig::SetupJS() src/netwerk/base/ProxyAutoConfig.cpp:541:16 (libxul.so+0x43d6b7e) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#8 mozilla::net::ProxyAutoConfig::ConfigurePAC(nsTSubstring<char> const&, nsTSubstring<char> const&, bool, unsigned int, nsIEventTarget*) src/netwerk/base/ProxyAutoConfig.cpp:517:29 (libxul.so+0x43d6994) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#9 mozilla::net::ExecutePACThreadAction::Run() src/netwerk/base/nsPACMan.cpp:275:22 (libxul.so+0x4497410) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#10 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1233:16 (libxul.so+0x423222a) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#11 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:479:10 (libxul.so+0x4238b76) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#12 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x4f55bfe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#13 RunInternal src/ipc/chromium/src/base/message_loop.cc:369:10 (libxul.so+0x4e6d9c8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#14 RunHandler src/ipc/chromium/src/base/message_loop.cc:362:3 (libxul.so+0x4e6d9c8)
#15 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:344:3 (libxul.so+0x4e6d9c8)
#16 nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:391:10 (libxul.so+0x422d349) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#17 _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4fc29) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
Previous read of size 8 at 0x7b5800018850 by thread T83:
#0 getGCParallelThreadCount src/js/src/vm/HelperThreadState.h:336:52 (libxul.so+0xc7454a9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#1 js::gc::GCRuntime::updateMarkersVector() src/js/src/gc/GC.cpp:1397:53 (libxul.so+0xc7454a9)
#2 js::gc::GCRuntime::init(unsigned int) src/js/src/gc/GC.cpp:835:8 (libxul.so+0xc744e45) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#3 JSRuntime::init(JSContext*, unsigned int) src/js/src/vm/Runtime.cpp:195:11 (libxul.so+0xc2a52fe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#4 js::NewContext(unsigned int, JSRuntime*) src/js/src/vm/JSContext.cpp:185:17 (libxul.so+0xc1826cd) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#5 JS_NewContext(unsigned int, JSRuntime*) src/js/src/jsapi.cpp:402:10 (libxul.so+0xc456213) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#6 mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int) src/xpcom/base/CycleCollectedJSContext.cpp:129:16 (libxul.so+0x40fe53b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#7 mozilla::dom::WorkerJSContext::Initialize(JSRuntime*) src/dom/workers/RuntimeService.cpp:875:44 (libxul.so+0x8d7be63) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#8 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() src/dom/workers/RuntimeService.cpp:2128:30 (libxul.so+0x8d7b33b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#9 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1233:16 (libxul.so+0x423222a) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#10 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:479:10 (libxul.so+0x4238b76) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#11 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x4f55bfe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#12 RunInternal src/ipc/chromium/src/base/message_loop.cc:369:10 (libxul.so+0x4e6d9c8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#13 RunHandler src/ipc/chromium/src/base/message_loop.cc:362:3 (libxul.so+0x4e6d9c8)
#14 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:344:3 (libxul.so+0x4e6d9c8)
#15 nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:391:10 (libxul.so+0x422d349) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#16 _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4fc29) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
Location is heap block of size 720 at 0x7b5800018600 allocated by main thread:
#0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:692:5 (firefox-bin+0xb774c) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#1 malloc src/memory/build/malloc_decls.h:51:1 (firefox-bin+0x143cc5) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#2 moz_arena_malloc src/memory/build/malloc_decls.h:51:1 (firefox-bin+0x143cc5)
#3 moz_arena_malloc src/memory/build/malloc_decls.h:142:1 (firefox-bin+0x143cc5)
#4 js_arena_malloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:366:10 (libxul.so+0xc143288) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#5 js_malloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:370:10 (libxul.so+0xc143288)
#6 js_new<js::GlobalHelperThreadState> /builds/worker/workspace/obj-build/dist/include/js/Utility.h:520:1 (libxul.so+0xc143288)
#7 js::CreateHelperThreadsState() src/js/src/vm/HelperThreads.cpp:63:24 (libxul.so+0xc143288)
#8 JS::detail::InitWithFailureDiagnostic(bool) src/js/src/vm/Initialization.cpp:188:3 (libxul.so+0xc15391b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#9 JS_InitWithFailureDiagnostic /builds/worker/workspace/obj-build/dist/include/js/Initialization.h:82:10 (libxul.so+0x4274d8e) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#10 InitializeJS src/xpcom/build/XPCOMInit.cpp:224:37 (libxul.so+0x4274d8e)
#11 NS_InitXPCOM src/xpcom/build/XPCOMInit.cpp:418:3 (libxul.so+0x4274d8e)
#12 ScopedXPCOMStartup::Initialize(bool) src/toolkit/xre/nsAppRunner.cpp:1986:8 (libxul.so+0xbdd9d73) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#13 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5879:22 (libxul.so+0xbde602e) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#14 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5939:21 (libxul.so+0xbde6701) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#15 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12 (libxul.so+0xbdf5a92) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#16 do_main src/browser/app/nsBrowserApp.cpp:227:22 (firefox-bin+0x141e85) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#17 main src/browser/app/nsBrowserApp.cpp:445:16 (firefox-bin+0x141e85)
Mutex M0 (0x7f50b2b5cb60) created at:
#0 pthread_mutex_init /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1341:3 (firefox-bin+0xbadf0) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#1 mozilla::detail::MutexImpl::MutexImpl() src/mozglue/misc/Mutex_posix.cpp:78:3 (firefox-bin+0x1ad83e) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#2 MutexImpl src/js/src/threading/Mutex.h:39:17 (libxul.so+0xc15e229) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#3 Mutex src/js/src/threading/Mutex.h:74:12 (libxul.so+0xc15e229)
#4 __cxx_global_var_init src/js/src/vm/HelperThreads.cpp:56:7 (libxul.so+0xc15e229)
#5 _GLOBAL__sub_I_Unified_cpp_js_src15.cpp /builds/worker/workspace/obj-build/js/src/Unified_cpp_js_src15.cpp (libxul.so+0xc15e229)
#6 call_init /build/glibc-SzIz7B/glibc-2.31/elf/dl-init.c:72:3 (ld-linux-x86-64.so.2+0x11b99) (BuildId: 4587364908de169dec62ffa538170118c1c3a078)
#7 GetLibHandle src/xpcom/glue/standalone/nsXPCOMGlue.cpp:89:29 (firefox-bin+0x143931) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#8 ReadDependentCB src/xpcom/glue/standalone/nsXPCOMGlue.cpp:144:3 (firefox-bin+0x143931)
#9 XPCOMGlueLoad src/xpcom/glue/standalone/nsXPCOMGlue.cpp:323:9 (firefox-bin+0x143931)
#10 mozilla::GetBootstrap(char const*, mozilla::LibLoadingStrategy) src/xpcom/glue/standalone/nsXPCOMGlue.cpp:405:3 (firefox-bin+0x143931)
#11 InitXPCOMGlue(mozilla::LibLoadingStrategy) src/browser/app/nsBrowserApp.cpp:242:7 (firefox-bin+0x14205c) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#12 main src/browser/app/nsBrowserApp.cpp:434:17 (firefox-bin+0x1419fe) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
Thread T84 'ProxyResolution' (tid=136415, running) created by main thread at:
#0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1048:3 (firefox-bin+0xb947b) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#1 _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x46cbe) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
#2 PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x3bd44) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
#3 nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:633:18 (libxul.so+0x422efa5) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#4 nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:548:12 (libxul.so+0x423799f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#5 NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) src/xpcom/threads/nsThreadUtils.cpp:175:57 (libxul.so+0x42404a6) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#6 NS_NewNamedThread<16UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:87:10 (libxul.so+0x4448166) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#7 mozilla::net::nsPACMan::DispatchToPAC(already_AddRefed<nsIRunnable>, bool) src/netwerk/base/nsPACMan.cpp:449:5 (libxul.so+0x4448166)
#8 mozilla::net::nsPACMan::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) src/netwerk/base/nsPACMan.cpp:928:5 (libxul.so+0x444b570) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#9 mozilla::net::nsStreamLoader::OnStopRequest(nsIRequest*, nsresult) src/netwerk/base/nsStreamLoader.cpp:86:20 (libxul.so+0x449ea19) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#10 nsBaseChannel::OnStopRequest(nsIRequest*, nsresult) src/netwerk/base/nsBaseChannel.cpp:852:16 (libxul.so+0x43f5f26) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#11 non-virtual thunk to nsBaseChannel::OnStopRequest(nsIRequest*, nsresult) src/netwerk/base/nsBaseChannel.cpp (libxul.so+0x43f6093) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#12 nsInputStreamPump::OnStateStop() src/netwerk/base/nsInputStreamPump.cpp:695:15 (libxul.so+0x4424e13) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#13 nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp:415:21 (libxul.so+0x4423dbc) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#14 non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp (libxul.so+0x4425119) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#15 RunAsyncWaitCallback src/xpcom/io/NonBlockingAsyncInputStream.cpp:388:13 (libxul.so+0x41a93b1) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#16 mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() src/xpcom/io/NonBlockingAsyncInputStream.cpp:33:14 (libxul.so+0x41a93b1)
#17 mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:553:16 (libxul.so+0x4218670) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#18 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:869:26 (libxul.so+0x42116b9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#19 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:700:15 (libxul.so+0x420fc26) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#20 mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:464:36 (libxul.so+0x421001f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#21 operator() src/xpcom/threads/TaskController.cpp:191:37 (libxul.so+0x421aea4) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#22 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x421aea4)
#23 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1239:16 (libxul.so+0x4231f2b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#24 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:479:10 (libxul.so+0x4238b76) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#25 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x4f54ffe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#26 RunInternal src/ipc/chromium/src/base/message_loop.cc:369:10 (libxul.so+0x4e6d9c8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#27 RunHandler src/ipc/chromium/src/base/message_loop.cc:362:3 (libxul.so+0x4e6d9c8)
#28 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:344:3 (libxul.so+0x4e6d9c8)
#29 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x9360193) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#30 nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:295:30 (libxul.so+0xbc7f5d2) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#31 XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:5683:22 (libxul.so+0xbde5502) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#32 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5883:8 (libxul.so+0xbde6043) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#33 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5939:21 (libxul.so+0xbde6701) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#34 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12 (libxul.so+0xbdf5a92) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#35 do_main src/browser/app/nsBrowserApp.cpp:227:22 (firefox-bin+0x141e85) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#36 main src/browser/app/nsBrowserApp.cpp:445:16 (firefox-bin+0x141e85)
Thread T83 'DOM Worker' (tid=136402, running) created by main thread at:
#0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1048:3 (firefox-bin+0xb947b) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#1 _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x46cbe) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
#2 PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x3bd44) (BuildId: 945a52327a31724678a4ab6ec7b6b4ae5c2148aa)
#3 nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:633:18 (libxul.so+0x422efa5) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) src/dom/workers/WorkerThread.cpp:102:7 (libxul.so+0x8dae58b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) src/dom/workers/RuntimeService.cpp:1331:37 (libxul.so+0x8d5e183) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) src/dom/workers/RuntimeService.cpp:1213:19 (libxul.so+0x8d5d571) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) src/dom/workers/WorkerPrivate.cpp:2653:24 (libxul.so+0x8d8ff3f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#8 mozilla::dom::ChromeWorker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/workers/ChromeWorker.cpp:33:41 (libxul.so+0x8d58acf) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#9 mozilla::dom::ChromeWorker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:322:58 (libxul.so+0x6c0c279) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#10 CallJSNative src/js/src/vm/Interpreter.cpp:486:13 (libxul.so+0xc02fc0a) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#11 CallJSNativeConstructor src/js/src/vm/Interpreter.cpp:502:8 (libxul.so+0xc02fc0a)
#12 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:727:10 (libxul.so+0xc02fc0a)
#13 ConstructFromStack src/js/src/vm/Interpreter.cpp:755:10 (libxul.so+0xc03ee3a) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#14 js::Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3380:16 (libxul.so+0xc03ee3a)
#15 MaybeEnterInterpreterTrampoline src/js/src/vm/Interpreter.cpp:400:10 (libxul.so+0xc02dd3c) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#16 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:458:13 (libxul.so+0xc02dd3c)
#17 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:612:13 (libxul.so+0xc02e7c9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#18 InternalCall src/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xc02f3b7) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#19 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:679:8 (libxul.so+0xc02f3b7)
#20 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:801:10 (libxul.so+0xc0300cf) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#21 CallGetter src/js/src/vm/NativeObject.cpp:2020:12 (libxul.so+0xc200081) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#22 GetExistingProperty<(js::AllowGC)1> src/js/src/vm/NativeObject.cpp:2048:12 (libxul.so+0xc200081)
#23 NativeGetPropertyInline<(js::AllowGC)1> src/js/src/vm/NativeObject.cpp:2196:14 (libxul.so+0xc200081)
#24 js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2227:10 (libxul.so+0xc200081)
#25 GetProperty src/js/src/vm/ObjectOperations-inl.h:118:10 (libxul.so+0xc04e497) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#26 GetProperty src/js/src/vm/ObjectOperations-inl.h:125:10 (libxul.so+0xc04e497)
#27 js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4787:10 (libxul.so+0xc04e497)
#28 GetPropertyOperation src/js/src/vm/Interpreter.cpp:245:10 (libxul.so+0xc03b53d) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#29 js::Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3050:12 (libxul.so+0xc03b53d)
#30 MaybeEnterInterpreterTrampoline src/js/src/vm/Interpreter.cpp:400:10 (libxul.so+0xc02dd3c) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#31 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:458:13 (libxul.so+0xc02dd3c)
#32 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:612:13 (libxul.so+0xc02e7c9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#33 InternalCall src/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xc02f3b7) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#34 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:679:8 (libxul.so+0xc02f3b7)
#35 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/SelfHosting.cpp:1473:10 (libxul.so+0xc2cf52f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#36 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) src/js/src/vm/AsyncFunction.cpp:149:8 (libxul.so+0xc0b8af6) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#37 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) src/js/src/vm/AsyncFunction.cpp:190:10 (libxul.so+0xc0b8817) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#38 AsyncFunctionPromiseReactionJob src/js/src/builtin/Promise.cpp:2111:12 (libxul.so+0xc250ccd) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#39 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) src/js/src/builtin/Promise.cpp:2174:12 (libxul.so+0xc250ccd)
#40 CallJSNative src/js/src/vm/Interpreter.cpp:486:13 (libxul.so+0xc02e6f9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#41 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:580:12 (libxul.so+0xc02e6f9)
#42 InternalCall src/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xc02f3b7) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#43 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:679:8 (libxul.so+0xc02f3b7)
#44 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0xc0dbe99) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#45 mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8 (libxul.so+0x6534493) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#46 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x4114593) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#47 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x4114593)
#48 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) src/xpcom/base/CycleCollectedJSContext.cpp:213:18 (libxul.so+0x4114593)
#49 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) src/xpcom/base/CycleCollectedJSContext.cpp:676:17 (libxul.so+0x40ff986) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#50 LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:246:7 (libxul.so+0x77b753c) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#51 ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:394:13 (libxul.so+0x77b753c)
#52 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1335:3 (libxul.so+0x77b753c)
#53 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1502:17 (libxul.so+0x77b7fa8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#54 HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:395:5 (libxul.so+0x77acbe1) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#55 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:347:17 (libxul.so+0x77acbe1)
#56 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:549:16 (libxul.so+0x77abed4) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#57 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1122:11 (libxul.so+0x77aed22) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#58 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp (libxul.so+0x77b2019) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#59 nsPresContext::FireDOMPaintEvent(nsTArray<nsRect>*, mozilla::layers::BaseTransactionId<mozilla::layers::TransactionIdType>, mozilla::TimeStamp) src/layout/base/nsPresContext.cpp:2230:3 (libxul.so+0x9874307) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#60 DelayedFireDOMPaintEvent::Run() src/layout/base/nsPresContext.cpp:2358:21 (libxul.so+0x9882be3) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#61 mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:553:16 (libxul.so+0x4218670) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#62 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:869:26 (libxul.so+0x42116b9) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#63 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:700:15 (libxul.so+0x420fc26) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#64 mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:464:36 (libxul.so+0x421001f) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#65 operator() src/xpcom/threads/TaskController.cpp:191:37 (libxul.so+0x421aea4) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#66 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() src/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x421aea4)
#67 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1239:16 (libxul.so+0x4231f2b) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#68 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:479:10 (libxul.so+0x4238b76) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#69 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x4f54ffe) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#70 RunInternal src/ipc/chromium/src/base/message_loop.cc:369:10 (libxul.so+0x4e6d9c8) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#71 RunHandler src/ipc/chromium/src/base/message_loop.cc:362:3 (libxul.so+0x4e6d9c8)
#72 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:344:3 (libxul.so+0x4e6d9c8)
#73 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x9360193) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#74 nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:295:30 (libxul.so+0xbc7f5d2) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#75 XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:5683:22 (libxul.so+0xbde5502) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#76 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5883:8 (libxul.so+0xbde6043) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#77 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5939:21 (libxul.so+0xbde6701) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#78 mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/Bootstrap.cpp:45:12 (libxul.so+0xbdf5a92) (BuildId: 865c8d28ca918a1ff5e2c18984d5a7cb3a46ea01)
#79 do_main src/browser/app/nsBrowserApp.cpp:227:22 (firefox-bin+0x141e85) (BuildId: 72ac42421c60ad490201a8b1c61eec489ac1f5f2)
#80 main src/browser/app/nsBrowserApp.cpp:445:16 (firefox-bin+0x141e85)
Comment 1•2 years ago
This specific race doesn't seem that bad, but it does look rather dodgy that ProxyAutoConfig and a DOM worker are racing on JSRuntime::init.
Comment 2•2 years ago
First thing first, why do we have 2 JSRuntime::init called concurrently, without first initializing a main-thread JSRuntime?
Sounds like the setGCParallelThreadCount should only be called in the parent JSRuntime only.
Steve, sounds like this could be a simple fix?
Comment 3•2 years ago
This one slipped through the cracks. Jon, you've done the work in this area and would know if there are any issues with the change.
Comment 4•2 years ago (Assignee)
(In reply to Andrew McCreight [:mccr8] from comment #1)
It's OK for there to be different runtimes being created at the same time on different threads. The helper thread system is shared however (it's per-process) so we need to be careful there.
I am a bit surprised though because I assumed that there was always one main thread parent runtime per-process and multiple DOM workers child runtimes. I forgot that ProxyAutoConfig could create its own runtime which I guess is a separate parent runtime that's different than the main thread one.
Comment 5•2 years ago (Assignee)
This makes us take a lock to read this state (we already lock when writing it).
Also it adds a release assert in case something goes wrong with the thread
count calculations, as a crash is preferable to the potential deadlock.
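The locking change described in comment 5, as an added C++ example that is not part of the original comment or of Mozilla's patch: the getter takes a lock token, so an unlocked read does not compile, and the setter checks its input with a release assert. Apart from setGCParallelThreadCount and getGCParallelThreadCount, which appear in the stack traces above, every name, the bound kMaxParallelThreads and the assert condition are assumptions made for the example.

```cpp
// Added illustration: hypothetical stand-ins, not SpiderMonkey code.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <mutex>
#include <thread>
#include <vector>

// Checked in every build type, unlike assert(), which NDEBUG compiles out.
#define RELEASE_ASSERT(cond)                                      \
  do {                                                            \
    if (!(cond)) {                                                \
      std::fprintf(stderr, "release assert failed: %s\n", #cond); \
      std::abort();                                               \
    }                                                             \
  } while (0)

constexpr size_t kMaxParallelThreads = 8;  // assumed bound for this example

std::mutex gHelperLock;  // one lock guarding the per-process helper state

// Lock token: constructing one acquires gHelperLock, so any function that
// takes `const AutoLockHelperState&` can only be reached with the lock held.
class AutoLockHelperState {
 public:
  AutoLockHelperState() : guard_(gHelperLock) {}

 private:
  std::lock_guard<std::mutex> guard_;
};

// Per-process state shared by every runtime in the process.
class HelperState {
 public:
  void setGCParallelThreadCount(size_t n, const AutoLockHelperState&) {
    // Crash on a bad count instead of carrying it forward (condition assumed).
    RELEASE_ASSERT(n >= 1 && n <= kMaxParallelThreads);
    gcParallelThreadCount_ = n;
  }

  // The reported race was an unlocked read of this field. Requiring the
  // token turns "forgot to lock" into a compile error at the call site.
  size_t getGCParallelThreadCount(const AutoLockHelperState&) const {
    return gcParallelThreadCount_;
  }

 private:
  size_t gcParallelThreadCount_ = 1;
};

HelperState gHelperState;

// Stand-in for a runtime whose init() writes and then reads the shared count.
struct Runtime {
  std::vector<int> markers;

  void init(size_t wantedThreads) {
    {
      AutoLockHelperState lock;
      gHelperState.setGCParallelThreadCount(wantedThreads, lock);
    }
    size_t n;
    {
      // Synchronized read. Another runtime may have changed the count since
      // the write above, but the value read is never torn or stale.
      AutoLockHelperState lock;
      n = gHelperState.getGCParallelThreadCount(lock);
    }
    markers.resize(n);
  }
};

struct InitResult {
  size_t first;
  size_t second;
};

// Initialise two runtimes concurrently, as the PAC thread and the DOM worker
// do in the report, and return the marker vector sizes each one ended with.
InitResult initTwoRuntimes(size_t a, size_t b) {
  Runtime r1, r2;
  std::thread t1([&] { r1.init(a); });
  std::thread t2([&] { r2.init(b); });
  t1.join();
  t2.join();
  return {r1.markers.size(), r2.markers.size()};
}

size_t currentCount() {
  AutoLockHelperState lock;
  return gHelperState.getGCParallelThreadCount(lock);
}

int main() {
  InitResult r = initTwoRuntimes(2, 6);
  std::printf("markers: %zu and %zu, shared count now %zu\n", r.first,
              r.second, currentCount());
  return 0;
}
```

Built with `-fsanitize=thread`, this version reports no race; dropping the lock from the read in `Runtime::init` is rejected by the compiler because the getter cannot be called without a token.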
Comment 6•2 years ago
Require the helper thread lock in the GC helper thread count getter r=sfink
https://hg.mozilla.org/integration/autoland/rev/22c38e18f9e88ca912a22de5fe1b578e9f77959a
https://hg.mozilla.org/mozilla-central/rev/22c38e18f9e8
Comment 7•2 years ago
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
Comment 8•2 years ago
The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox115 to wontfix.
For more information, please visit BugBot documentation.
Comment 11•1 year ago (Assignee)
Comment on attachment 9339565 [details]
Bug 1828024 - Require the helper thread lock in the GC helper thread count getter r?sfink
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Requested for uplift.
- User impact if declined: Possible race condition. This is unlikely to have user impact.
- Fix Landed on Version: 116
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a very simple change to add some locking around getting the value of some shared state.
Comment 12•1 year ago
Comment on attachment 9339565 [details]
Bug 1828024 - Require the helper thread lock in the GC helper thread count getter r?sfink
Approved for 115.2esr.
Comment 13•1 year ago
uplift