Closed Bug 1856072 Opened 1 year ago Closed 1 year ago

ThreadSanitizer: data race [@ mozilla::dom::quota::RemoteQuotaObject::ClearActor] vs. [@ mozilla::dom::quota::RemoteQuotaObject::Close]

Categories

(Core :: DOM: File, defect, P2)

Product:
Core
Component:
DOM: File
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
120 Branch
Tracking Flags:
Tracking Status
firefox-esr115 120+ fixed
firefox118 --- wontfix
firefox119 --- wontfix
firefox120 + fixed

People

(Reporter: tsmith, Assigned: janv)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: csectype-race, regression, sec-high, Whiteboard: [fuzzblocker][adv-main120+r][adv-esr115.5+r])

Attachments

(9 files)

Bug 1856072 - Add proper handling for failed build worker refs; r=#dom-storage
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review
Bug 1856072 - Add a new test; r=#dom-storage
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review
Bug 1856072 - Add proper handling for failed worker refs; r=#dom-storage
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review
Bug 1856072 - Move WriteImpl to FileSystemWritableFileStream; r=#dom-storage
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review
Bug 1856072 - Make sure FileSystemWritableFileStream can't go away during Seek, Truncate and Close; r=#dom-storage
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review
Bug 1856072 - Deserialize stream for FileSystemWritableFileStream lazily; r=#dom-storage
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review
Bug 1856072 - Change FileSystemWritableFileStream::Create to return constructed streams synchronously; r=#dom-storage
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review
Bug 1856072 - Remove redundant build worker ref; r=#dom-storage
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review
Bug 1856072 - Remove custom ResolveCallback for FileSystemGetWritableFileStreamResponse; r=#dom-storage
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-esr115+
Details | Review

Found while fuzzing m-c 20230922-efa8aa7a4f54 (--enable-thread-sanitizer --enable-fuzzing)

The nature of this issue makes it difficult reproduce reliably and therefore reduce. I will attach a Pernosco session shortly.

This issue is frequently reported by fuzzer, marking as fuzzblocker.

WARNING: ThreadSanitizer: data race (pid=90209)
  Read of size 8 at 0x7b0c00047240 by thread T24:
    #0 operator! /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:350:36 (libxul.so+0x71c9316) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #1 mozilla::dom::quota::RemoteQuotaObject::Close() /builds/worker/checkouts/gecko/dom/quota/RemoteQuotaObject.cpp:34:7 (libxul.so+0x71c9316)
    #2 Close /builds/worker/checkouts/gecko/dom/quota/FileStreams.cpp:51:26 (libxul.so+0x7184953) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #3 mozilla::dom::quota::FileRandomAccessStream::~FileRandomAccessStream() /builds/worker/checkouts/gecko/dom/quota/FileStreams.h:152:39 (libxul.so+0x7184953)
    #4 mozilla::dom::quota::FileRandomAccessStream::~FileRandomAccessStream() /builds/worker/checkouts/gecko/dom/quota/FileStreams.h:152:37 (libxul.so+0x71849e5) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #5 Release /builds/worker/checkouts/gecko/netwerk/base/nsFileStreams.cpp:55:1 (libxul.so+0x35ad3a3) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #6 nsFileRandomAccessStream::Release() /builds/worker/checkouts/gecko/netwerk/base/nsFileStreams.cpp:923:1 (libxul.so+0x35ad3a3)
    #7 Release /builds/worker/checkouts/gecko/dom/quota/FileStreams.h:127:3 (libxul.so+0x7184f39) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #8 non-virtual thunk to mozilla::dom::quota::FileRandomAccessStream::Release() /builds/worker/checkouts/gecko/dom/quota/FileStreams.h (libxul.so+0x7184f39)
    #9 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40 (libxul.so+0x6492058) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #10 ~nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:344:7 (libxul.so+0x6492058)
    #11 ~FileSystemThreadSafeStreamOwner /builds/worker/checkouts/gecko/dom/fs/include/fs/FileSystemThreadSafeStreamOwner.h:38:54 (libxul.so+0x6492058)
    #12 mozilla::dom::fs::FileSystemThreadSafeStreamOwner::~FileSystemThreadSafeStreamOwner() /builds/worker/checkouts/gecko/dom/fs/include/fs/FileSystemThreadSafeStreamOwner.h:38:54 (libxul.so+0x6492058)
    #13 Release /builds/worker/checkouts/gecko/dom/fs/include/fs/FileSystemThreadSafeStreamOwner.h:27:3 (libxul.so+0x645faf7) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #14 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40 (libxul.so+0x645faf7)
    #15 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:420:36 (libxul.so+0x645faf7)
    #16 ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:85:7 (libxul.so+0x645faf7)
    #17 mozilla::dom::FileSystemWritableFileStream::~FileSystemWritableFileStream() /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:294:1 (libxul.so+0x645faf7)
    #18 mozilla::dom::FileSystemWritableFileStream::~FileSystemWritableFileStream() /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:289:63 (libxul.so+0x645fb95) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #19 mozilla::dom::WritableStream::DeleteCycleCollectable() /builds/worker/checkouts/gecko/dom/streams/WritableStream.cpp:47:1 (libxul.so+0x78dc2ce) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #20 mozilla::dom::WritableStream::cycleCollection::DeleteCycleCollectable(void*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WritableStream.h:34:3 (libxul.so+0x6465cae) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #21 MaybeKillObject /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2486:29 (libxul.so+0x32f0f80) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #22 SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2473:7 (libxul.so+0x32f0f80)
    #23 nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2663:3 (libxul.so+0x32f0515) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #24 nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3660:3 (libxul.so+0x32f557e) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #25 nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3484:9 (libxul.so+0x32f4f83) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #26 nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3995:28 (libxul.so+0x32f6f86) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #27 mozilla::dom::workerinternals::(anonymous namespace)::WorkerJSRuntime::CustomGCCallback(JSGCStatus) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:820:11 (libxul.so+0x77d484c) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #28 mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus, JS::GCReason) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1888:3 (libxul.so+0x32ce72a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #29 mozilla::CycleCollectedJSRuntime::GCCallback(JSContext*, JSGCStatus, JS::GCReason, void*) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1040:9 (libxul.so+0x32cabbb) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #30 callGCCallback /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:1433:3 (libxul.so+0xa815036) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #31 js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4106:3 (libxul.so+0xa815036)
    #32 ~AutoCallGCCallbacks /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4079:32 (libxul.so+0xa815981) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #33 js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4196:1 (libxul.so+0xa815981)
    #34 js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4381:9 (libxul.so+0xa8163ff) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #35 js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4458:3 (libxul.so+0xa7f8ced) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #36 JS::NonIncrementalGC(JSContext*, JS::GCOptions, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GCAPI.cpp:298:21 (libxul.so+0xa82477a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #37 mozilla::dom::WorkerPrivate::GarbageCollectInternal(JSContext*, bool, bool) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5503:7 (libxul.so+0x77eda3c) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #38 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3250:9 (libxul.so+0x77ec5cc) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #39 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2114:42 (libxul.so+0x77d3a4e) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #40 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1192:16 (libxul.so+0x33df43a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #41 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e5a04) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #42 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3ee37de) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #43 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5d338) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #44 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5d338)
    #45 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5d338)
    #46 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x33dad93) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #47 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4b1b9) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)

  Previous write of size 8 at 0x7b0c00047240 by thread T17:
    #0 assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:71:13 (libxul.so+0x71c93bd) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #1 operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:188:5 (libxul.so+0x71c93bd)
    #2 mozilla::dom::quota::RemoteQuotaObject::ClearActor() /builds/worker/checkouts/gecko/dom/quota/RemoteQuotaObject.cpp:30:10 (libxul.so+0x71c93bd)
    #3 mozilla::dom::quota::RemoteQuotaObjectChild::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason) /builds/worker/checkouts/gecko/dom/quota/RemoteQuotaObjectChild.cpp:28:25 (libxul.so+0x71dc339) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #4 mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:626:3 (libxul.so+0x3ef0a0d) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #5 mozilla::dom::quota::PRemoteQuotaObjectChild::OnChannelClose() /builds/worker/workspace/obj-build/ipc/ipdl/PRemoteQuotaObjectChild.cpp:182:5 (libxul.so+0x71fb09d) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #6 mozilla::ipc::MessageChannel::NotifyChannelClosed(mozilla::ReleasableMonitorAutoLock&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2197:14 (libxul.so+0x3edfb15) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #7 mozilla::ipc::MessageChannel::NotifyMaybeChannelError(mozilla::ReleasableMonitorAutoLock&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2026:5 (libxul.so+0x3edf9a6) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #8 mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2072:3 (libxul.so+0x3edfc54) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #9 operator()<> /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:1164:18 (libxul.so+0x3ef7c79) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #10 __invoke_impl<void, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14 (libxul.so+0x3ef7c79)
    #11 __invoke<(lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14 (libxul.so+0x3ef7c79)
    #12 __apply_impl<(lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14 (libxul.so+0x3ef7c79)
    #13 apply<(lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14 (libxul.so+0x3ef7c79)
    #14 apply<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:1162:12 (libxul.so+0x3ef7c79)
    #15 mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel*, void (mozilla::ipc::MessageChannel::*)(), false, (mozilla::RunnableKind)1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:1213:13 (libxul.so+0x3ef7c79)
    #16 mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:257:20 (libxul.so+0x33bf5c8) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #17 nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14 (libxul.so+0x33e8210) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #18 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1192:16 (libxul.so+0x33df43a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #19 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e5a04) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #20 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3ee37de) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #21 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5d338) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #22 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5d338)
    #23 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5d338)
    #24 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x33dad93) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #25 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4b1b9) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)

  Location is heap block of size 40 at 0x7b0c00047220 allocated by thread T17:
    #0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:663:5 (firefox-bin+0xd13ac) (BuildId: 0161cb4ba2f38f4ad8fa8c1eb00c88691e772bc0)
    #1 moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15 (firefox-bin+0x15dfc8) (BuildId: 0161cb4ba2f38f4ad8fa8c1eb00c88691e772bc0)
    #2 operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10 (libxul.so+0x71c115d) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #3 MakeRefPtr<mozilla::dom::quota::RemoteQuotaObject, RefPtr<mozilla::dom::quota::RemoteQuotaObjectChild> &> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:642:15 (libxul.so+0x71c115d)
    #4 mozilla::dom::quota::QuotaObject::Deserialize(mozilla::dom::quota::IPCQuotaObject&) /builds/worker/checkouts/gecko/dom/quota/QuotaObject.cpp:70:10 (libxul.so+0x71c115d)
    #5 mozilla::dom::quota::FileRandomAccessStream::Deserialize(mozilla::ipc::RandomAccessStreamParams&) /builds/worker/checkouts/gecko/dom/quota/FileStreams.cpp:152:18 (libxul.so+0x7182eee) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #6 non-virtual thunk to mozilla::dom::quota::FileRandomAccessStream::Deserialize(mozilla::ipc::RandomAccessStreamParams&) /builds/worker/checkouts/gecko/dom/quota/FileStreams.cpp (libxul.so+0x7183082) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #7 mozilla::ipc::DeserializeRandomAccessStream(mozilla::ipc::RandomAccessStreamParams&) /builds/worker/checkouts/gecko/ipc/glue/RandomAccessStreamUtils.cpp:64:16 (libxul.so+0x3ef9eae) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #8 operator() /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:409:24 (libxul.so+0x6478a96) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #9 mozilla::detail::ProxyFunctionRunnable<mozilla::dom::FileSystemWritableFileStream::Create(nsCOMPtr<nsIGlobalObject> const&, RefPtr<mozilla::dom::FileSystemManager>&, RefPtr<mozilla::dom::FileSystemWritableFileStreamChild>, mozilla::ipc::RandomAccessStreamParams&&, mozilla::dom::fs::FileSystemEntryMetadata&&, RefPtr<mozilla::dom::StrongWorkerRef>)::$_2, mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream>>, nsresult, true>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1690:29 (libxul.so+0x6478a96)
    #10 mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:257:20 (libxul.so+0x33bf5c8) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #11 nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14 (libxul.so+0x33e8210) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #12 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1192:16 (libxul.so+0x33df43a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #13 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e5a04) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #14 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3ee37de) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #15 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5d338) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #16 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5d338)
    #17 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5d338)
    #18 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x33dad93) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #19 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4b1b9) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)

  Thread T24 'DOM Worker' (tid=90252, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (firefox-bin+0xd2f8b) (BuildId: 0161cb4ba2f38f4ad8fa8c1eb00c88691e772bc0)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x4242e) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x376c4) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)
    #3 nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:20 (libxul.so+0x33dc4b7) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:101:7 (libxul.so+0x78072bb) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1313:37 (libxul.so+0x77bc573) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1195:19 (libxul.so+0x77bb967) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2692:24 (libxul.so+0x77e9102) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #8 mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:50:41 (libxul.so+0x77c9a52) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #9 mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./WorkerBinding.cpp:1158:52 (libxul.so+0x587dc03) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #10 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13 (libxul.so+0xa171b7a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #11 CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:502:8 (libxul.so+0xa171b7a)
    #12 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:727:10 (libxul.so+0xa171b7a)
    #13 ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:755:10 (libxul.so+0xa180f5a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #14 js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3381:16 (libxul.so+0xa180f5a)
    #15 MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:400:10 (libxul.so+0xa16fd4c) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #16 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13 (libxul.so+0xa16fd4c)
    #17 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13 (libxul.so+0xa1707a6) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #18 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xa171357) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #19 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8 (libxul.so+0xa171357)
    #20 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10 (libxul.so+0xa214559) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #21 mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8 (libxul.so+0x5a76c53) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #22 HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12 (libxul.so+0x63375ba) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #23 mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1342:43 (libxul.so+0x63375ba)
    #24 mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1663:12 (libxul.so+0x6338a0b) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #25 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1560:35 (libxul.so+0x6337d50) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #26 HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5 (libxul.so+0x632ae21) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #27 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:363:17 (libxul.so+0x632ae21)
    #28 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:610:18 (libxul.so+0x6329b9e) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #29 mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1222:11 (libxul.so+0x632ddc8) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #30 nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1084:7 (libxul.so+0x8188f7d) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #31 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6406:20 (libxul.so+0x98ec444) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #32 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5800:7 (libxul.so+0x98ebc9b) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #33 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp (libxul.so+0x98ecd19) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #34 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3 (libxul.so+0x41623c9) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #35 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14 (libxul.so+0x4161a9f) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #36 nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:795:9 (libxul.so+0x415fd64) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #37 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:678:5 (libxul.so+0x4160fa2) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #38 nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13900:23 (libxul.so+0x990a11f) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #39 non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp (libxul.so+0x990a347) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #40 mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:631:22 (libxul.so+0x35c5f0e) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #41 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:535:10 (libxul.so+0x35c741c) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #42 DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11701:18 (libxul.so+0x4ba2a89) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #43 mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11639:9 (libxul.so+0x4ba2a89)
    #44 mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8151:3 (libxul.so+0x4bb5f3a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #45 operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18 (libxul.so+0x4c26069) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #46 __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14 (libxul.so+0x4c26069)
    #47 __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14 (libxul.so+0x4c26069)
    #48 __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14 (libxul.so+0x4c26069)
    #49 apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14 (libxul.so+0x4c26069)
    #50 apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12 (libxul.so+0x4c26069)
    #51 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13 (libxul.so+0x4c26069)
    #52 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16 (libxul.so+0x33c68f2) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #53 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26 (libxul.so+0x33bd3f0) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #54 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15 (libxul.so+0x33bbaf6) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #55 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36 (libxul.so+0x33bbeef) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #56 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37 (libxul.so+0x33c97a4) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #57 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x33c97a4)
    #58 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x33df26a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #59 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e5a04) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #60 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x3ee2c4e) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #61 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3ee371b) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #62 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5d338) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #63 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5d338)
    #64 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5d338)
    #65 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7d13f13) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #66 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20 (libxul.so+0x9fd867f) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #67 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3ee36ca) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #68 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5d338) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #69 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5d338)
    #70 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5d338)
    #71 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34 (libxul.so+0x9fd82e0) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #72 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9fe4652) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #73 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15be42) (BuildId: 0161cb4ba2f38f4ad8fa8c1eb00c88691e772bc0)
    #74 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15be42)

  Thread T17 'StreamTrans #1' (tid=90241, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (firefox-bin+0xd2f8b) (BuildId: 0161cb4ba2f38f4ad8fa8c1eb00c88691e772bc0)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x4242e) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x376c4) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)
    #3 nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:20 (libxul.so+0x33dc4b7) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #4 nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:597:22 (libxul.so+0x33e4536) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #5 NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:176:57 (libxul.so+0x33ed0ef) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #6 NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:168:10 (libxul.so+0x33e74ff) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #7 nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:126:17 (libxul.so+0x33e74ff)
    #8 Dispatch /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:380:3 (libxul.so+0x33e8e64) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #9 non-virtual thunk to nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp (libxul.so+0x33e8e64)
    #10 Dispatch /builds/worker/checkouts/gecko/netwerk/base/nsStreamTransportService.cpp:296:16 (libxul.so+0x363c029) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #11 non-virtual thunk to mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsStreamTransportService.cpp (libxul.so+0x363c029)
    #12 nsJARChannel::OpenLocalFile() /builds/worker/checkouts/gecko/modules/libjar/nsJARChannel.cpp:434:19 (libxul.so+0x408c760) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #13 nsJARChannel::AsyncOpen(nsIStreamListener*) /builds/worker/checkouts/gecko/modules/libjar/nsJARChannel.cpp:1136:8 (libxul.so+0x408eaea) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #14 mozilla::dom::workerinternals::loader::WorkerScriptLoader::LoadScript(mozilla::dom::ThreadSafeRequestHandle*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1056:19 (libxul.so+0x77c4fe7) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #15 mozilla::dom::workerinternals::loader::ScriptLoaderRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1414:36 (libxul.so+0x77c7065) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #16 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16 (libxul.so+0x33c68f2) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #17 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26 (libxul.so+0x33bd3f0) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #18 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15 (libxul.so+0x33bbaf6) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #19 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36 (libxul.so+0x33bbeef) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #20 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37 (libxul.so+0x33c97f7) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #21 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x33c97f7)
    #22 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x33df26a) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #23 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e5a04) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #24 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5 (libxul.so+0x3ee2cc6) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #25 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3ee371b) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #26 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5d338) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #27 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5d338)
    #28 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5d338)
    #29 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7d13f13) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #30 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20 (libxul.so+0x9fd867f) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #31 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3ee36ca) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #32 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5d338) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #33 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5d338)
    #34 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5d338)
    #35 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34 (libxul.so+0x9fd82e0) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #36 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9fe4652) (BuildId: a25ec5831b07ce7985c376cdb38929d748996b93)
    #37 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15be42) (BuildId: 0161cb4ba2f38f4ad8fa8c1eb00c88691e772bc0)
    #38 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15be42)

This also appears as:

Assertion failure: mWorkerThread && mWorkerThread->IsOnCurrentThread() (not on worker thread!), at /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/MessageChannel.h:504

Hit MOZ_CRASH(RemoteQuotaObject not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:64

Assertion failure: mActor->GetActorEventTarget()->IsOnCurrentThread(), at /builds/worker/checkouts/gecko/dom/quota/RemoteQuotaObject.cpp:38

A Pernosco session is available here: https://pernos.co/debug/Tpr47Worucm7JAyLq6DYwA/index.html

This looks like the same race as bug 1856091, except there's more information, so I'll mark it as blocking.

Blocks: 1856091

I marked bug 1856091 as sec-moderate because it was a single report, but I'm going to mark this one sec-high because it is frequent enough to be a fuzz blocker, and in debug builds it is hitting thread safety assertions.

Keywords: sec-high

Jan, any ideas what could have regressed this? I'm guessing this is a regression based on that it is a fuzz blocker and it just showed up on TreeHerder. Bug 1841702 landed a week or so ago and changed FileSystemWritableFileStream.cpp, but none of the other files in the stack have changed recently as far as I could see. Thanks.

Flags: needinfo?(jvarga)

Comment 0 says this is reproducible in 20230922-efa8aa7a4f54, and bug 1841702 got merged to central late on 2023-09-21, so that seems consistent at least.

Keywords: regression

[Tracking Requested - why for this release]: apparent sec-high regression

tracking-firefox120: --- → ?

The bug is marked as tracked for firefox120 (nightly). However, the bug still isn't assigned.

:jstutte, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(jstutte)

From the pernosco trace, the call to Close() (https://searchfox.org/mozilla-central/rev/d895cf273d8cdceb4256f561c1ad1bf91135202a/dom/quota/FileStreams.h#152) is happening on a worker thread. This ends up calling RemoteQuotaObject::Close (https://searchfox.org/mozilla-central/rev/d895cf273d8cdceb4256f561c1ad1bf91135202a/dom/quota/FileStreams.cpp#51). The RemoteQuotaObject type should only ever be closed on the thread belonging to its actor (https://searchfox.org/mozilla-central/rev/d895cf273d8cdceb4256f561c1ad1bf91135202a/dom/quota/RemoteQuotaObject.cpp#38), which in this case is actually a TaskQueue (WritableStreamQueue), backed by the stream transport service.

The nsFileStreamBase appears to have been held alive by a FileSystemThreadSafeStreamOwner (https://searchfox.org/mozilla-central/rev/d895cf273d8cdceb4256f561c1ad1bf91135202a/dom/fs/include/fs/FileSystemThreadSafeStreamOwner.h#44), which seems like a bit of a misnomer, given that the type which it is managing appears to be definitely not-threadsafe. It seems on first glance like the intention of the type was to effectively be a nsMainThreadPtrHolder<T> except without implementing destruction correctly, and for a different event target.

It appears that the dom::fs component does have a TargetPtrHolder type which they are using for cases like this until bug 1805830 adds a generic version of nsMainThreadPtrHolder (though I am unsure if the implementation is correct).

I believe we could also get a crash like this if we enter this error return case, as aValue.ResolveValue() will still be owned by the current stack frame (https://searchfox.org/mozilla-central/rev/d895cf273d8cdceb4256f561c1ad1bf91135202a/dom/fs/api/FileSystemWritableFileStream.cpp#343).

Yeah, FileSystemWritableFileStream::Create deserializes the stream on a background thread, so the stream must be then closed on the same background thread. The creation of FileSystemWritableFileStream is quite complex, actually more complex than FileSystemSyncAccessHandle::Create because FileSystemSyncAccessHandle deserializes the stream lazily. We could try to simplify FileSystemWritableFileStream::Create a bit while we are here.

Flags: needinfo?(jvarga)
Assignee: nobody → jvarga
Component: Storage: Quota Manager → DOM: File
Flags: needinfo?(jstutte)

I filed bug 1857155. I think we should try to simplify the construction first.

Depends on: 1857155
Severity: -- → S2
Priority: -- → P2

This was last report by fuzzers targeting mc-20231009-6404412771ea.

(In reply to Tyson Smith [:tsmith] from comment #12)

This was last report by fuzzers targeting mc-20231009-6404412771ea.

Bug 1857155 was fixed on 2023-10-10, can you re-run the tests to see if there's still the data race ?

Flags: needinfo?(twsmith)

(In reply to Jan Varga [:janv] from comment #13)

Bug 1857155 was fixed on 2023-10-10, can you re-run the tests to see if there's still the data race ?

Sorry, yes that what I mean. I wanted to double check bug 1857155 was intended to fix this issue.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED

Jan, do you think we can uplift the patches from bug 1857155 to ESR (maybe here on this bug) ?

Flags: needinfo?(jvarga)

(In reply to Jens Stutte [:jstutte] from comment #15)

Jan, do you think we can uplift the patches from bug 1857155 to ESR (maybe here on this bug) ?

Yeah, we can do that.

Flags: needinfo?(jvarga)

It'll need rebasing, FWIW. Let's target next cycle.

Group: dom-core-security → core-security-release
status-firefox118: --- → wontfix
status-firefox119: --- → wontfix
status-firefox120: affectedfixed
status-firefox-esr115: --- → affected
tracking-firefox-esr115: --- → 120+
Target Milestone: --- → 120 Branch

Depends on D191960

QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-

(In reply to Ryan VanderMeulen [:RyanVM] from comment #17)

It'll need rebasing, FWIW. Let's target next cycle.

I rebased patches for bug 1841702 and bug 1857155 and attached them to this bug. They should now apply cleanly to ESR 115.

Thanks, go ahead and request approval.

Flags: needinfo?(jvarga)

Comment on attachment 9360392 [details]
Bug 1856072 - Add proper handling for failed build worker refs; r=#dom-storage

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is a sec-high bug.
  • User impact if declined: Users would still experience sporadic crashes.
  • Fix Landed on Version: 119 and 120
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Despite there are many patches with relatively larger changes, it's mostly about reducing complexity of object construction the patches landed a month ago on Nightly without causing regressions.
Flags: needinfo?(jvarga)
Attachment #9360392 - Flags: approval-mozilla-esr115?
Attachment #9360393 - Flags: approval-mozilla-esr115?
Attachment #9360394 - Flags: approval-mozilla-esr115?
Attachment #9360395 - Flags: approval-mozilla-esr115?
Attachment #9360396 - Flags: approval-mozilla-esr115?
Attachment #9360397 - Flags: approval-mozilla-esr115?
Attachment #9360398 - Flags: approval-mozilla-esr115?
Attachment #9360399 - Flags: approval-mozilla-esr115?
Attachment #9360401 - Flags: approval-mozilla-esr115?

(In reply to Jens Stutte [:jstutte] from comment #15)

Jan, do you think we can uplift the patches from bug 1857155 to ESR (maybe here on this bug) ?

Do we NEED this fix on ESR 115? back in comment 5 this was claimed to be a regression and blamed on bug 1841702. If true that was way after the ESR 115 branch and it shouldn't be affected. Now we have a patch proposing to put that bug on the ESR branch (and it's fix).

Flags: needinfo?(jvarga)
Flags: needinfo?(jstutte)

I leave it to Jan to answer, if we think this was a 100% regression from bug 1841702 or if there is potential to happen also otherwise on the current ESR. But I must admit I might have caused confusion here asking for it in comment 15... sorry, if that was the case.

Flags: needinfo?(jstutte)

(In reply to Daniel Veditz [:dveditz] from comment #31)

(In reply to Jens Stutte [:jstutte] from comment #15)

Jan, do you think we can uplift the patches from bug 1857155 to ESR (maybe here on this bug) ?

Do we NEED this fix on ESR 115? back in comment 5 this was claimed to be a regression and blamed on bug 1841702. If true that was way after the ESR 115 branch and it shouldn't be affected. Now we have a patch proposing to put that bug on the ESR branch (and it's fix).

I suspect the issue was introduced by bug 1815837 which changed FileSystemWritableFileStream construction to be async. The construction is now synchronous again after bug 1841702 and bug 1857155.

Flags: needinfo?(jvarga)

(In reply to Jan Varga [:janv] from comment #33)

I suspect the issue was introduced by bug 1815837 which changed FileSystemWritableFileStream construction to be async.

That was introduced in 111, so ESR would be affected. Should we update the regressing bug then?

Flags: needinfo?(jvarga)

Comment on attachment 9360392 [details]
Bug 1856072 - Add proper handling for failed build worker refs; r=#dom-storage

Approved for 115.5esr

Attachment #9360392 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9360393 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9360394 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9360395 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9360396 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9360397 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9360398 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9360399 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9360401 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Flags: needinfo?(jvarga)
Regressed by: 1815837
Whiteboard: [fuzzblocker] → [fuzzblocker][adv-main120+r][adv-esr115.5+r]

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: