ThreadSanitizer: data race [@ mozilla::dom::ServiceWorkerDescriptor::SetState] vs. [@ mozilla::dom::ServiceWorkerDescriptor::State]
Categories: Core :: DOM: Service Workers, defect, P2
People: Reporter: tsmith, Assigned: asuth
References: Blocks 1 open bug
Details: Keywords: csectype-race, sec-moderate; Whiteboard: [adv-main121+r][adv-esr115.6+r]
Attachments (2 files): two text/x-phabricator-request attachments; the second carries the flag RyanVM: approval-mozilla-esr115+
Found while fuzzing m-c 20230730-ce5b2b0d4bc0 (--enable-thread-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -t --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --headless
WARNING: ThreadSanitizer: data race (pid=518910)
Read of size 1 at 0x7b3800002818 by main thread:
#0 mozilla::dom::ServiceWorkerDescriptor::State() const /builds/worker/checkouts/gecko/dom/serviceworkers/ServiceWorkerDescriptor.cpp:110:17 (libxul.so+0x7b43b34) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#1 mozilla::dom::workerinternals::loader::CacheLoadHandler::CacheLoadHandler(mozilla::dom::ThreadSafeWorkerRef*, mozilla::dom::ThreadSafeRequestHandle*, bool, mozilla::dom::workerinternals::loader::WorkerScriptLoader*) /builds/worker/checkouts/gecko/dom/workers/loader/CacheLoadHandler.cpp:246:66 (libxul.so+0x7857198) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#2 MakeNotNull<RefPtr<mozilla::dom::workerinternals::loader::CacheLoadHandler>, RefPtr<mozilla::dom::ThreadSafeWorkerRef> &, mozilla::dom::ThreadSafeRequestHandle *&, bool, RefPtr<mozilla::dom::workerinternals::loader::WorkerScriptLoader> &> /builds/worker/workspace/obj-build/dist/include/mozilla/NotNull.h:402:25 (libxul.so+0x77c8ab1) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#3 mozilla::dom::workerinternals::loader::ScriptLoaderRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1431:30 (libxul.so+0x77c8ab1)
#4 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16 (libxul.so+0x33c8452) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#5 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26 (libxul.so+0x33bef50) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#6 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15 (libxul.so+0x33bd656) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#7 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36 (libxul.so+0x33bda4f) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#8 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37 (libxul.so+0x33cb357) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#9 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x33cb357)
#10 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x33e0dca) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#11 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e7564) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#12 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5 (libxul.so+0x3ee4dd6) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#13 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3ee582b) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#14 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5f448) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#15 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5f448)
#16 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5f448)
#17 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7d156a3) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#18 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20 (libxul.so+0x9fd9e4f) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#19 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3ee57da) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#20 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5f448) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#21 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5f448)
#22 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5f448)
#23 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34 (libxul.so+0x9fd9ab0) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#24 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9fe5e22) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#25 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15be42) (BuildId: 422cdb6af12ae05212b27dfbebd3fb77454d8639)
#26 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15be42)
Previous write of size 1 at 0x7b3800002818 by thread T19:
#0 mozilla::dom::ServiceWorkerDescriptor::SetState(mozilla::dom::ServiceWorkerState) /builds/worker/checkouts/gecko/dom/serviceworkers/ServiceWorkerDescriptor.cpp:114:18 (libxul.so+0x7b43bc9) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#1 UpdateServiceWorkerState /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:802:53 (libxul.so+0x7bb45d9) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#2 mozilla::dom::UpdateServiceWorkerStateOp::Exec(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/serviceworkers/ServiceWorkerOp.cpp:579:21 (libxul.so+0x7bb45d9)
#3 mozilla::dom::UpdateServiceWorkerStateOp::UpdateStateOpRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/serviceworkers/ServiceWorkerOp.cpp:541:27 (libxul.so+0x7bacfbc) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#4 mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:372:12 (libxul.so+0x77fddc6) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#5 mozilla::dom::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4030:9 (libxul.so+0x77ef6a2) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#6 mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4468:25 (libxul.so+0x77f42fa) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#7 mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1613:27 (libxul.so+0x63fb326) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#8 mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:262:14 (libxul.so+0x77caeab) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#9 mozilla::dom::workerinternals::Load(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1883:3 (libxul.so+0x77cb005) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#10 mozilla::dom::WorkerGlobalScope::ImportScripts(JSContext*, mozilla::dom::Sequence<nsTString<char16_t>> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/WorkerScope.cpp:569:5 (libxul.so+0x7802456) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#11 mozilla::dom::WorkerGlobalScope_Binding::importScripts(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./WorkerGlobalScopeBinding.cpp:229:24 (libxul.so+0x5886126) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#12 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3327:13 (libxul.so+0x5d28d8f) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#13 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13 (libxul.so+0xa171eb9) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#14 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12 (libxul.so+0xa171eb9)
#15 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xa1729a5) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#16 js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10 (libxul.so+0xa1729a5)
#17 js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1649:10 (libxul.so+0xa973726) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#18 <null> <null> (0x7f51ee71814c)
#19 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:448:32 (libxul.so+0xa1712b6) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#20 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:13 (libxul.so+0xa171f86) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#21 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xa172b37) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#22 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8 (libxul.so+0xa172b37)
#23 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1519:10 (libxul.so+0xa3f11df) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#24 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:149:8 (libxul.so+0xa1f5151) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#25 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:190:10 (libxul.so+0xa1f4e77) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#26 AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2115:12 (libxul.so+0xa376ba0) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#27 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2178:12 (libxul.so+0xa376ba0)
#28 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13 (libxul.so+0xa171eb9) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#29 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12 (libxul.so+0xa171eb9)
#30 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10 (libxul.so+0xa172b37) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#31 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:8 (libxul.so+0xa172b37)
#32 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10 (libxul.so+0xa2163b9) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#33 mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8 (libxul.so+0x51f45e3) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#34 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x32da177) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#35 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x32da177)
#36 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18 (libxul.so+0x32da177)
#37 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17 (libxul.so+0x32c6786) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#38 mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3 (libxul.so+0x32c74c7) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#39 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1236:24 (libxul.so+0x33e134d) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#40 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e7564) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#41 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3413:7 (libxul.so+0x77ee483) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#42 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2114:42 (libxul.so+0x77d522e) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#43 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1192:16 (libxul.so+0x33e0f9a) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#44 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e7564) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#45 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3ee58ee) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#46 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5f448) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#47 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5f448)
#48 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5f448)
#49 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x33dc8f3) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#50 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4b1b9) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)
Location is heap block of size 216 at 0x7b3800002760 allocated by main thread:
#0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:663:5 (firefox-bin+0xd13ac) (BuildId: 422cdb6af12ae05212b27dfbebd3fb77454d8639)
#1 moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15 (firefox-bin+0x15dfc8) (BuildId: 422cdb6af12ae05212b27dfbebd3fb77454d8639)
#2 operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10 (libxul.so+0x7b4c6b4) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#3 MakeUnique<mozilla::dom::IPCServiceWorkerDescriptor, const mozilla::dom::IPCServiceWorkerDescriptor &> /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605:23 (libxul.so+0x7b4c6b4)
#4 mozilla::dom::ServiceWorkerDescriptor::ServiceWorkerDescriptor(mozilla::dom::IPCServiceWorkerDescriptor const&) /builds/worker/checkouts/gecko/dom/serviceworkers/ServiceWorkerDescriptor.cpp:45:13 (libxul.so+0x7b4c6b4)
#5 emplace<mozilla::dom::IPCServiceWorkerDescriptor &> /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:845:39 (libxul.so+0x7811dbe) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#6 mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:322:35 (libxul.so+0x7811dbe)
#7 operator() /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:198:29 (libxul.so+0x782e536) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#8 mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5 (libxul.so+0x782e536)
#9 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16 (libxul.so+0x33c8452) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#10 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26 (libxul.so+0x33bef50) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#11 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15 (libxul.so+0x33bd656) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#12 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36 (libxul.so+0x33bda4f) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#13 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37 (libxul.so+0x33cb357) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#14 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x33cb357)
#15 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x33e0dca) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#16 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e7564) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#17 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5 (libxul.so+0x3ee4dd6) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#18 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3ee582b) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#19 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5f448) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#20 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5f448)
#21 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5f448)
#22 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7d156a3) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#23 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20 (libxul.so+0x9fd9e4f) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#24 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3ee57da) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#25 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5f448) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#26 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5f448)
#27 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5f448)
#28 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34 (libxul.so+0x9fd9ab0) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#29 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9fe5e22) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#30 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15be42) (BuildId: 422cdb6af12ae05212b27dfbebd3fb77454d8639)
#31 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15be42)
Thread T19 'DOM Worker' (tid=519364, running) created by main thread at:
#0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (firefox-bin+0xd2f8b) (BuildId: 422cdb6af12ae05212b27dfbebd3fb77454d8639)
#1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x4242e) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)
#2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x376c4) (BuildId: b6f58db5ff0819afc822840d196a0175d36eee04)
#3 nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:20 (libxul.so+0x33de017) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:101:7 (libxul.so+0x7808a9b) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1313:37 (libxul.so+0x77bdd53) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1195:19 (libxul.so+0x77bd147) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2692:24 (libxul.so+0x77ea8e2) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#8 mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:346:41 (libxul.so+0x78120fe) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#9 operator() /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:198:29 (libxul.so+0x782e536) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#10 mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5 (libxul.so+0x782e536)
#11 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:559:16 (libxul.so+0x33c8452) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#12 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:886:26 (libxul.so+0x33bef50) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#13 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:709:15 (libxul.so+0x33bd656) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#14 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:495:36 (libxul.so+0x33bda4f) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#15 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:221:37 (libxul.so+0x33cb357) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#16 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x33cb357)
#17 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x33e0dca) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#18 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x33e7564) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#19 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5 (libxul.so+0x3ee4dd6) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#20 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3ee582b) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#21 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5f448) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#22 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5f448)
#23 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5f448)
#24 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7d156a3) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#25 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20 (libxul.so+0x9fd9e4f) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#26 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3ee57da) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#27 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3e5f448) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#28 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3e5f448)
#29 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3e5f448)
#30 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34 (libxul.so+0x9fd9ab0) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#31 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9fe5e22) (BuildId: 1ee24ca62179d0f57f107b509f126a7029f32719)
#32 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15be42) (BuildId: 422cdb6af12ae05212b27dfbebd3fb77454d8639)
#33 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15be42)
Comment 1•1 year ago
This looks related to worker script handling.
Comment 2•1 year ago
Thanks for taking it, Andrew. This is an enum so I'll mark it sec-moderate.
Comment 3•1 year ago (Assignee)
I mischaracterized the scenario somewhat in triage, but the pragmatic solution that Nika proposed is the same.
What's happening:
- With the state update performing the write:
  - The ServiceWorker is being told by its owner (ServiceWorkerManager) to change its state.
  - This is done via a control runnable for unclear reasons I can only speculate about but where there's some risk to changing the behavior[1] and so shouldn't happen in a sec-bug. This means we update the state even if we're in a syncloop.
  - Because the classic scriptloader is synchronous and uses a syncloop, it can be a bit cavalier about what it's accessing on WorkerPrivate unless control runnables are involved.
- With the read:
  - The script loader cares about the SW state because we have policies that forbid loading scripts that aren't cached after installation. It is latching the value, but on the main thread, which is too late because of the control runnable above. This would be "fine" if not for the control runnable in this case.
The fix:
- Latch the value on the worker thread. The spot where we create the WorkerLoadContext in WorkerModuleLoader::CreateDynamicImport and are already snapshotting the ClientInfo would be the most consistent and reasonable spot. We could even snapshot the whole descriptor.
Does this raise other security-ish bugs?:
- Auditing searchfox's experimental diagram of all control runnable subclasses, this is the only control runnable that is messing with state that could impact the scriptloader. That said, there are some that manipulate JS engine parameters, but all the script loader JS script evaluation explicitly happens on the worker thread, so that's fine.
- Auditing a text query on all uses of "path:dom/workers/loader Private()->" doesn't make me super happy but there's nothing else like the problem we're addressing.
1: A bunch of our APIs snapshot the descriptor from the WorkerLoadInfo that's being updated by the control runnable. The major side effect from being a control runnable besides getting to run when there are syncloops on the stack is that control runnables get to run before normal runnables, so that descriptor gets updated very quickly. This means that calls will staple an up-to-date descriptor much sooner than they would if this was a normal runnable. That's not particularly helpful though, as the content code couldn't have known about this change, and having the state out of sync is not useful there. And APIs like the Clients API can't depend on this "early update" side effect in any way because the control runnable doesn't eliminate async lag, just reduces the impact of contention for the worker.
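A single-process model of the ordering problem described in comment 3, added here as an illustration and not Gecko's own ServiceWorkerDescriptor/WorkerPrivate code (WorkerModel, LoadRequest, ScriptLoadAllowed and the other names are invented). The worker asks for an uncached script from its sync loop, a control runnable then advances the state before the main thread services the request, and the policy decision differs depending on whether the main thread reads the live field or the value latched on the worker thread when the request was made.

```cpp
#include <atomic>
#include <deque>
#include <functional>
#include <string>
#include <utility>

// Invented names throughout; this models the ordering described in comment 3,
// it is not Gecko's ServiceWorkerDescriptor / WorkerPrivate code.
enum class SWState { Parsed, Installing, Installed, Activating, Activated, Redundant };

// Policy mentioned in comment 3: once the worker has been installed, scripts
// that are not already in the Cache may not be loaded.
bool ScriptLoadAllowed(SWState state, bool inCache) {
  return inCache || state == SWState::Parsed || state == SWState::Installing;
}

struct LoadRequest {
  std::string url;
  bool inCache;
  SWState stateAtRequest;  // the fix: captured on the worker thread when the request is made
};

struct WorkerModel {
  // std::atomic only so that the main-thread read below is well defined in this
  // model; the real field is a plain enum, which is what TSan reported.
  std::atomic<SWState> state{SWState::Installing};
  std::deque<std::function<void()>> controlRunnables;

  // Control runnables run ahead of normal runnables and even while a sync loop
  // (like the classic script loader's) is on the stack.
  void PumpControlRunnables() {
    while (!controlRunnables.empty()) {
      auto r = std::move(controlRunnables.front());
      controlRunnables.pop_front();
      r();
    }
  }

  // Worker-thread side: the request carries a snapshot of the state.
  LoadRequest MakeRequest(const std::string& url, bool inCache) const {
    return LoadRequest{url, inCache, state.load()};
  }
};

// Main-thread side of the script loader before the fix: read the descriptor
// when the CacheLoadHandler is built, i.e. after the worker may have moved on.
bool LatchOnMainThread(const WorkerModel& w, const LoadRequest& req) {
  return ScriptLoadAllowed(w.state.load(), req.inCache);
}

// After the fix: use the value latched on the worker thread.
bool LatchOnWorkerThread(const LoadRequest& req) {
  return ScriptLoadAllowed(req.stateAtRequest, req.inCache);
}

struct Outcome {
  bool mainThreadLatch;
  bool workerThreadLatch;
};

// The interleaving from the TSan report: importScripts() from the worker's sync
// loop, then ServiceWorkerManager pushes a state update as a control runnable
// before the main thread gets to the request.
Outcome RunScenario() {
  WorkerModel worker;
  LoadRequest req = worker.MakeRequest("helper.js", /*inCache=*/false);
  worker.controlRunnables.push_back([&worker] { worker.state.store(SWState::Installed); });
  worker.PumpControlRunnables();  // serviced even though the sync loop is still waiting
  return Outcome{LatchOnMainThread(worker, req), LatchOnWorkerThread(req)};
}
```

With the main-thread read the uncached load made during installation is judged against a state the worker had not yet reached when it issued the request; the worker-thread latch keeps the decision consistent with what the worker actually observed.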
Comment 4•1 year ago
(In reply to Andrew Sutherland [:asuth] (he/him) from comment #3)
1: A bunch of our APIs snapshot the descriptor from the WorkerLoadInfo that's being updated by the control runnable. The major side effect from being a control runnable besides getting to run when there are syncloops on the stack is that control runnables get to run before normal runnables, so that descriptor gets updated very quickly. This means that calls will staple an up-to-date descriptor much sooner than they would if this was a normal runnable. That's not particularly helpful though, as the content code couldn't have known about this change, and having the state out of sync is not useful there. And APIs like the Clients API can't depend on this "early update" side effect in any way because the control runnable doesn't eliminate async lag, just reduces the impact of contention for the worker.
Can we hope to get rid of those control runnables and in case do we have a bug on file for this?
Comment 5•1 year ago (Assignee)
Pushed by bugmail@asutherland.org: https://hg.mozilla.org/integration/autoland/rev/43cc2c666d8f Improve ServiceWorker state propagation. r=smaug
Comment 7•11 months ago
Comment 8•11 months ago
The patch landed in nightly and beta is affected.
:asuth, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox120 to wontfix.
For more information, please visit BugBot documentation.
Comment 9•11 months ago (Assignee)
Although it's important to make TSAN happy, I don't think there's an actual concern about what happens if the race occurs, so uplift is not necessary.
Comment 10•10 months ago (Assignee)
Original Revision: https://phabricator.services.mozilla.com/D190245
Comment 11•10 months ago
Uplift Approval Request
- Explanation of risk level: Reasonably straightforward plumbing changes that have baked on trunk for a while.
- Is Android affected?: yes
- String changes made/needed: no
- Needs manual QE test: no
- User impact if declined: Users who run with TSAN active would experience warnings.
- Steps to reproduce for manual QE testing: n/a
- Risk associated with taking this patch: Very low.
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
Comment 12•10 months ago
Comment on attachment 9365769 [details]
Bug 1856090 - Improve ServiceWorker state propagation. r=smaug!
Approved for 115.6esr.
Comment 13•10 months ago
uplift
https://hg.mozilla.org/releases/mozilla-esr115/rev/751d8526f060
Comment 14•5 months ago
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter