Closed Bug 1891545 Opened 6 months ago Closed 6 months ago

ThreadSanitizer: data race [@ NotifyCallbacks] vs. [@ pref_Lookup]

Categories

(Core :: Graphics: Text, defect)

Tracking

VERIFIED FIXED
127 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox125 --- wontfix
firefox126 + fixed
firefox127 + verified

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed] [adv-main126+r])

Attachments

(3 files)

Attached file testcase.zip

Found while fuzzing m-c 20240405-68ef8d3216be (--enable-thread-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -t --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --no-harness --repeat 20

This test case is not 100% reliable but it is reduced.

WARNING: ThreadSanitizer: data race (pid=55558)
  Write of size 8 at 0x7f0006447e00 by main thread:
    #0 NotifyCallbacks(nsTString<char> const&, PrefWrapper const*) /src/modules/libpref/Preferences.cpp:1952:17 (libxul.so+0x32ac87c) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #1 mozilla::Preferences::SetPreference(mozilla::dom::Pref const&) /src/modules/libpref/Preferences.cpp (libxul.so+0x328d7d9) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #2 mozilla::dom::ContentChild::RecvPreferenceUpdate(mozilla::dom::Pref const&) /src/dom/ipc/ContentChild.cpp:2234:3 (libxul.so+0x7663a95) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #3 mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:9895:80 (libxul.so+0x77df4bb) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #4 mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&) /src/dom/ipc/ContentChild.cpp:3710:25 (libxul.so+0x766ae60) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #5 mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:1818:25 (libxul.so+0x3da847f) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #6 mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /src/ipc/glue/MessageChannel.cpp:1737:9 (libxul.so+0x3da6b68) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #7 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1530:3 (libxul.so+0x3da7173) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #8 mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1628:14 (libxul.so+0x3da7ab7) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #9 mozilla::RunnableTask::Run() /src/xpcom/threads/TaskController.cpp:578:16 (libxul.so+0x3228652) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #10 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /src/xpcom/threads/TaskController.cpp:905:26 (libxul.so+0x321cc1e) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #11 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /src/xpcom/threads/TaskController.cpp:728:15 (libxul.so+0x321b446) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #12 mozilla::TaskController::ProcessPendingMTTask(bool) /src/xpcom/threads/TaskController.cpp:514:36 (libxul.so+0x321b77f) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #13 operator() /src/xpcom/threads/TaskController.cpp:235:37 (libxul.so+0x322b947) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #14 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /src/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x322b947)
    #15 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x3240898) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #16 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x3247044) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #17 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:107:5 (libxul.so+0x3dac526) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #18 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3dacf7b) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #19 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d1f3d8) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #20 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d1f3d8)
    #21 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d1f3d8)
    #22 nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7e6b0f3) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #23 nsAppShell::Run() /src/widget/gtk/nsAppShell.cpp:470:33 (libxul.so+0x7f5eb0c) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #24 XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:712:20 (libxul.so+0x9de82bf) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #25 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3dacf2a) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #26 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d1f3d8) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #27 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d1f3d8)
    #28 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d1f3d8)
    #29 XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:647:34 (libxul.so+0x9de7f10) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #30 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9df4402) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #31 content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15c272) (BuildId: 82445d6743d2308787a564cfc502c59dcc46b13a)
    #32 main /src/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15c272)

  Previous read of size 8 at 0x7f0006447e00 by thread T23:
    #0 pref_Lookup(char const*, bool) /src/modules/libpref/Preferences.cpp:1803:7 (libxul.so+0x3282be5) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #1 nsresult mozilla::Internals::GetPrefValue<bool*>(char const*, bool*&&, mozilla::PrefValueKind) /src/modules/libpref/Preferences.cpp:4767:35 (libxul.so+0x3321f52) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #2 GetPref<bool> /src/modules/libpref/Preferences.cpp:4806:5 (libxul.so+0x3309adb) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #3 mozilla::Preferences::GetBool(char const*, bool, mozilla::PrefValueKind) /src/modules/libpref/Preferences.cpp:5195:10 (libxul.so+0x3309adb)
    #4 gfxUserFontSet::UserFontCache::CacheFont(gfxFontEntry*) /src/gfx/thebes/gfxUserFontSet.cpp:1238:7 (libxul.so+0x46ecd6e) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #5 gfxUserFontEntry::LoadPlatformFont(unsigned int, unsigned char const*, unsigned int, gfxUserFontType, unsigned char const*, unsigned int, nsTArray<gfxUserFontEntry::OTSMessage>&&) /src/gfx/thebes/gfxUserFontSet.cpp:823:5 (libxul.so+0x46ec27f) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #6 gfxUserFontEntry::LoadPlatformFontSync(unsigned int, unsigned char const*, unsigned int) /src/gfx/thebes/gfxUserFontSet.cpp:676:10 (libxul.so+0x46eb99d) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #7 gfxUserFontEntry::DoLoadNextSrc(bool) /src/gfx/thebes/gfxUserFontSet.cpp:622:11 (libxul.so+0x46e9dbd) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #8 LoadNextSrc /src/gfx/thebes/gfxUserFontSet.cpp:392:3 (libxul.so+0x46de69e) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #9 gfxUserFontEntry::Load() /src/gfx/thebes/gfxUserFontSet.cpp:843:3 (libxul.so+0x46de69e)
    #10 DoLoad /src/layout/style/FontFaceImpl.cpp:354:19 (libxul.so+0x8194273) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #11 mozilla::dom::FontFaceImpl::InitializeSourceBuffer(unsigned char*, unsigned int) /src/layout/style/FontFaceImpl.cpp:138:3 (libxul.so+0x8194273)
    #12 mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char> const&, mozilla::dom::UTF8StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /src/layout/style/FontFace.cpp:141:17 (libxul.so+0x8193a90) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #13 mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./FontFaceBinding.cpp:2199:54 (libxul.so+0x5b3d126) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #14 mozilla::dom::InterfaceObjectJSNative(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:763:10 (libxul.so+0x5cef305) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #15 CallJSNative /src/js/src/vm/Interpreter.cpp:479:13 (libxul.so+0x9f8441a) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #16 CallJSNativeConstructor /src/js/src/vm/Interpreter.cpp:495:8 (libxul.so+0x9f8441a)
    #17 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /src/js/src/vm/Interpreter.cpp:701:14 (libxul.so+0x9f8441a)
    #18 ConstructFromStack /src/js/src/vm/Interpreter.cpp:748:10 (libxul.so+0x9f93d36) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #19 js::Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3045:16 (libxul.so+0x9f93d36)
    #20 MaybeEnterInterpreterTrampoline /src/js/src/vm/Interpreter.cpp:393:10 (libxul.so+0x9f82881) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #21 js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:451:13 (libxul.so+0x9f82881)
    #22 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:605:13 (libxul.so+0x9f83306) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #23 InternalCall /src/js/src/vm/Interpreter.cpp:640:10 (libxul.so+0x9f83eb7) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #24 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /src/js/src/vm/Interpreter.cpp:672:8 (libxul.so+0x9f83eb7)
    #25 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/SelfHosting.cpp:1586:10 (libxul.so+0xa23ad6f) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #26 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /src/js/src/vm/AsyncFunction.cpp:151:8 (libxul.so+0xa02e3d1) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #27 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) /src/js/src/vm/AsyncFunction.cpp:192:10 (libxul.so+0xa02e0f7) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #28 AsyncFunctionPromiseReactionJob /src/js/src/builtin/Promise.cpp:2113:12 (libxul.so+0xa1bd73e) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #29 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /src/js/src/builtin/Promise.cpp:2176:12 (libxul.so+0xa1bd73e)
    #30 CallJSNative /src/js/src/vm/Interpreter.cpp:479:13 (libxul.so+0x9f83239) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #31 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:573:12 (libxul.so+0x9f83239)
    #32 InternalCall /src/js/src/vm/Interpreter.cpp:640:10 (libxul.so+0x9f83eb7) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #33 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /src/js/src/vm/Interpreter.cpp:672:8 (libxul.so+0x9f83eb7)
    #34 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/CallAndConstruct.cpp:119:10 (libxul.so+0xa0580d3) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #35 mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8 (libxul.so+0x515dca3) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #36 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x3137977) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #37 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x3137977)
    #38 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /src/xpcom/base/CycleCollectedJSContext.cpp:210:18 (libxul.so+0x3137977)
    #39 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /src/xpcom/base/CycleCollectedJSContext.cpp:712:17 (libxul.so+0x3123e46) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #40 mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /src/xpcom/base/CycleCollectedJSContext.cpp:499:3 (libxul.so+0x3124b87) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #41 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1237:24 (libxul.so+0x3240e4d) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #42 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x3247044) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #43 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /src/dom/workers/WorkerPrivate.cpp:3413:7 (libxul.so+0x791675d) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #44 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /src/dom/workers/RuntimeService.cpp:2129:42 (libxul.so+0x78fbc31) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #45 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1193:16 (libxul.so+0x3240aae) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #46 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x3247044) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #47 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x3dad03e) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #48 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d1f3d8) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #49 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d1f3d8)
    #50 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d1f3d8)
    #51 nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:370:10 (libxul.so+0x323c323) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #52 _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4ba79) (BuildId: e38e45ce06f49cf2783acf0b8b3ae9897adc5815)

  Location is global 'gCallbackPref' of size 8 at 0x7f0006447e00 (libxul.so+0xd047e00)

  Thread T23 'DOM Worker' (tid=55615, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (firefox-bin+0xd33bb) (BuildId: 82445d6743d2308787a564cfc502c59dcc46b13a)
    #1 _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x42cee) (BuildId: e38e45ce06f49cf2783acf0b8b3ae9897adc5815)
    #2 PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x37f84) (BuildId: e38e45ce06f49cf2783acf0b8b3ae9897adc5815)
    #3 nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:620:20 (libxul.so+0x323dac7) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /src/dom/workers/WorkerThread.cpp:109:7 (libxul.so+0x7931e1b) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /src/dom/workers/RuntimeService.cpp:1328:37 (libxul.so+0x78e41d3) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /src/dom/workers/RuntimeService.cpp:1210:19 (libxul.so+0x78e35c7) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) /src/dom/workers/WorkerPrivate.cpp:2655:24 (libxul.so+0x791270c) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #8 mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /src/dom/workers/Worker.cpp:48:41 (libxul.so+0x78f18d2) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #9 mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./WorkerBinding.cpp:1140:52 (libxul.so+0x580625a) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #10 mozilla::dom::InterfaceObjectJSNative(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:763:10 (libxul.so+0x5cef305) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #11 CallJSNative /src/js/src/vm/Interpreter.cpp:479:13 (libxul.so+0x9f8441a) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #12 CallJSNativeConstructor /src/js/src/vm/Interpreter.cpp:495:8 (libxul.so+0x9f8441a)
    #13 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /src/js/src/vm/Interpreter.cpp:701:14 (libxul.so+0x9f8441a)
    #14 ConstructFromStack /src/js/src/vm/Interpreter.cpp:748:10 (libxul.so+0x9f93d36) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #15 js::Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3045:16 (libxul.so+0x9f93d36)
    #16 MaybeEnterInterpreterTrampoline /src/js/src/vm/Interpreter.cpp:393:10 (libxul.so+0x9f82881) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #17 js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:451:13 (libxul.so+0x9f82881)
    #18 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:605:13 (libxul.so+0x9f83306) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #19 InternalCall /src/js/src/vm/Interpreter.cpp:640:10 (libxul.so+0x9f83eb7) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #20 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /src/js/src/vm/Interpreter.cpp:672:8 (libxul.so+0x9f83eb7)
    #21 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/CallAndConstruct.cpp:119:10 (libxul.so+0xa0580d3) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #22 mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8 (libxul.so+0x59f7d83) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #23 HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12 (libxul.so+0x6325b80) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #24 mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /src/dom/events/EventListenerManager.cpp:1307:43 (libxul.so+0x6325b80)
    #25 mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /src/dom/events/EventListenerManager.cpp:1630:12 (libxul.so+0x6326f2b) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #26 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1527:35 (libxul.so+0x6326270) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #27 HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5 (libxul.so+0x6319291) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #28 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:365:17 (libxul.so+0x6319291)
    #29 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:606:16 (libxul.so+0x63180a8) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #30 mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:1221:11 (libxul.so+0x631c326) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #31 nsDocumentViewer::LoadComplete(nsresult) /src/layout/base/nsDocumentViewer.cpp:1030:7 (libxul.so+0x83015a2) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #32 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /src/docshell/base/nsDocShell.cpp:6267:13 (libxul.so+0x9692f89) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #33 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp:5659:7 (libxul.so+0x969279a) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #34 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /src/docshell/base/nsDocShell.cpp (libxul.so+0x9693849) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #35 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /src/uriloader/base/nsDocLoader.cpp:1356:3 (libxul.so+0x40411a9) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #36 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp:962:14 (libxul.so+0x404086f) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #37 nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /src/uriloader/base/nsDocLoader.cpp:784:9 (libxul.so+0x403eb54) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #38 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /src/uriloader/base/nsDocLoader.cpp:667:5 (libxul.so+0x403fd72) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #39 nsDocShell::OnStopRequest(nsIRequest*, nsresult) /src/docshell/base/nsDocShell.cpp:13723:23 (libxul.so+0x96b109f) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #40 non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /src/docshell/base/nsDocShell.cpp (libxul.so+0x96b12c7) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #41 mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:632:22 (libxul.so+0x343667e) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #42 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /src/netwerk/base/nsLoadGroup.cpp:536:10 (libxul.so+0x3437b8c) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #43 DoUnblockOnload /src/dom/base/Document.cpp:11736:18 (libxul.so+0x4ae95c9) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #44 mozilla::dom::Document::UnblockOnload(bool) /src/dom/base/Document.cpp:11674:9 (libxul.so+0x4ae95c9)
    #45 mozilla::dom::Document::DispatchContentLoadedEvents() /src/dom/base/Document.cpp:8160:3 (libxul.so+0x4afd147) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #46 operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18 (libxul.so+0x4b74c09) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #47 __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14 (libxul.so+0x4b74c09)
    #48 __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14 (libxul.so+0x4b74c09)
    #49 __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14 (libxul.so+0x4b74c09)
    #50 apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14 (libxul.so+0x4b74c09)
    #51 apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12 (libxul.so+0x4b74c09)
    #52 mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13 (libxul.so+0x4b74c09)
    #53 mozilla::RunnableTask::Run() /src/xpcom/threads/TaskController.cpp:578:16 (libxul.so+0x3228652) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #54 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /src/xpcom/threads/TaskController.cpp:905:26 (libxul.so+0x321cc1e) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #55 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /src/xpcom/threads/TaskController.cpp:728:15 (libxul.so+0x321b446) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #56 mozilla::TaskController::ProcessPendingMTTask(bool) /src/xpcom/threads/TaskController.cpp:514:36 (libxul.so+0x321b77f) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #57 operator() /src/xpcom/threads/TaskController.cpp:232:37 (libxul.so+0x322b8f4) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #58 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /src/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x322b8f4)
    #59 nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x3240898) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #60 NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x3247044) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #61 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x3dac4ae) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #62 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3dacf7b) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #63 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d1f3d8) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #64 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d1f3d8)
    #65 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d1f3d8)
    #66 nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7e6b0f3) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #67 nsAppShell::Run() /src/widget/gtk/nsAppShell.cpp:470:33 (libxul.so+0x7f5eb0c) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #68 XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:712:20 (libxul.so+0x9de82bf) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #69 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3dacf2a) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #70 RunInternal /src/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d1f3d8) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #71 RunHandler /src/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d1f3d8)
    #72 MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d1f3d8)
    #73 XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:647:34 (libxul.so+0x9de7f10) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #74 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9df4402) (BuildId: a6f9f92804e974f5d47a36bdde28b479824ff4a3)
    #75 content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15c272) (BuildId: 82445d6743d2308787a564cfc502c59dcc46b13a)
    #76 main /src/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15c272)

It looks like the main process changed the value of the gfx.downloadable_fonts.disable_cache pref, and that's racing with a worker thread checking the value of that pref. It seems like a good idea to change this pref to a real pref using the config file, and make it threadsafe, but it seems difficult to exploit. Although, the test case does not seem to actually set the pref, so maybe this is some kind of startup race, where the content process is racing with the loading of all.js? I wouldn't have thought that the content process could observe all.js loading. Honestly that seems like a more worrying possibility than the specific race here.

Keywords: sec-low

Verified bug as reproducible on mozilla-central 20240415203932-61472b53afe5.
The bug appears to have been introduced in the following build range:

Start: 343e945a502ea35f40687ffca3eab7543522fe79 (20240311161830)
End: 856a612ce3d555ad6ec378bc99e74accba55c54a (20240311123227)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=343e945a502ea35f40687ffca3eab7543522fe79&tochange=856a612ce3d555ad6ec378bc99e74accba55c54a

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1884464

Presumably if this were running in a debug build, it would've fired the assertion here because we shouldn't be calling pref_Lookup() from a worker thread.

More generally, gfxUserFontSet::UserFontCache::CacheFont never expected to be called from non-main threads; note that it potentially calls the observer service, and uses a global sUserFonts hashtable with no locking.

Its caller gfxUserFontEntry::LoadPlatformFont starts out by asserting that we're on the main thread. So in a debug build, we'd have triggered that assertion in the worker thread before ever reaching the code that looks at the pref.

And it turns out that's exactly the assertion that's firing in bug 1891482, so I think that's essentially an --enable-debug equivalent of this issue.

See Also: → 1891482

It looks like converting the pref to StaticPrefList should actually be enough to avoid the immediate issue here, because gfxUserFontSet::UserFontCache::CacheFont will then detect that the source was a buffer, and bail out before reaching the rest of its non-threadsafe code.

Making the rest of CacheFont usable off-main-thread might also be desirable, but I think that can be a separate followup.

(The prior assertion in bug 1891482 will still need to be considered, too, now that LoadPlatformFont is sometimes being called by a worker.)
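As an added example that is not part of this bug or of Firefox, the following C++ model contrasts the two pref-access paths discussed in the comments above: the all.js/callback-style lookup (gCallbackPref, pref_Lookup) that is only valid on the main thread, and a StaticPrefList-style atomic mirror that a DOM worker can read without a data race. NS_IsMainThread(), pref_Lookup(), NotifyCallbacks() and the StaticPrefs accessor are hypothetical stand-ins written for this example.

```cpp
// Added example, not Firefox code: a model of the two pref-access paths this
// bug contrasts. Path 1 is the callback style (gCallbackPref, pref_Lookup):
// main-thread-only and unsynchronized, so the model guards it with a thread
// check, the way a debug build's main-thread assertion would. Path 2 is the
// StaticPrefList style: the bool lives in a std::atomic mirror, which a DOM
// worker may read without a data race. All names are hypothetical.
#include <atomic>
#include <string>
#include <thread>
#include <unordered_map>

struct Pref {
  std::string name;
  bool value;
};

// Main-thread identity, recorded once during static initialization
// (models NS_IsMainThread()).
static const std::thread::id kMainThread = std::this_thread::get_id();
static bool IsMainThread() { return std::this_thread::get_id() == kMainThread; }

enum class LookupStatus { kFound, kMissing, kRejectedOffMainThread };

// ---- Path 1: callback-driven pref, main thread only ----------------------
static std::unordered_map<std::string, Pref> gPrefs;  // no locking
static const Pref* gCallbackPref = nullptr;           // the racy global

// Models NotifyCallbacks(): publishes the pref being changed through the
// global while callbacks run. Plain stores, no synchronization: a reader on
// another thread is exactly the data race ThreadSanitizer reported.
static void NotifyCallbacks(const Pref& aPref) {
  gCallbackPref = &aPref;
  // ... registered callbacks would run here ...
  gCallbackPref = nullptr;
}

// Models pref_Lookup(). Instead of asserting on the wrong thread, the model
// returns a status so off-main-thread misuse is observable in a test.
static LookupStatus pref_Lookup(const std::string& aName, bool* aOut) {
  if (!IsMainThread()) return LookupStatus::kRejectedOffMainThread;
  if (gCallbackPref && gCallbackPref->name == aName) {
    *aOut = gCallbackPref->value;
    return LookupStatus::kFound;
  }
  auto it = gPrefs.find(aName);
  if (it == gPrefs.end()) return LookupStatus::kMissing;
  *aOut = it->second.value;
  return LookupStatus::kFound;
}

static void SetBoolPref(const std::string& aName, bool aValue) {
  Pref& p = gPrefs[aName];
  p.name = aName;
  p.value = aValue;
  NotifyCallbacks(p);
}

// ---- Path 2: StaticPrefList-style atomic mirror, readable on any thread --
namespace StaticPrefs {
// Relaxed ordering suffices: a reader only needs a coherent bool, not a
// happens-before relationship with the writer.
static std::atomic<bool> sDisableCache{false};
static bool gfx_downloadable_fonts_disable_cache() {
  return sDisableCache.load(std::memory_order_relaxed);
}
static void SetDisableCache(bool aValue) {
  sDisableCache.store(aValue, std::memory_order_relaxed);
}
}  // namespace StaticPrefs

static const char* const kPrefName = "gfx.downloadable_fonts.disable_cache";

struct ReadResult {
  LookupStatus callbackPath;  // outcome of the main-thread-only lookup
  bool staticPrefValue;       // what the atomic mirror returned
};

// Sets the pref on the main thread, then performs both reads on a fresh
// std::thread, as a DOM worker would. join() orders the worker's writes to
// `r` before the return, so the result itself is read race-free.
static ReadResult ReadPrefFromWorker(bool aValue) {
  SetBoolPref(kPrefName, aValue);
  StaticPrefs::SetDisableCache(aValue);
  ReadResult r{LookupStatus::kMissing, false};
  std::thread worker([&r] {
    bool v = false;
    r.callbackPath = pref_Lookup(kPrefName, &v);
    r.staticPrefValue = StaticPrefs::gfx_downloadable_fonts_disable_cache();
  });
  worker.join();
  return r;
}

// The same reads from the main thread, where both paths are legal.
static ReadResult ReadPrefFromMainThread(bool aValue) {
  SetBoolPref(kPrefName, aValue);
  StaticPrefs::SetDisableCache(aValue);
  ReadResult r{LookupStatus::kMissing, false};
  bool v = false;
  r.callbackPath = pref_Lookup(kPrefName, &v);
  r.staticPrefValue = StaticPrefs::gfx_downloadable_fonts_disable_cache();
  return r;
}
```

Built with -fsanitize=thread, path 2 stays silent while removing the IsMainThread() guard from path 1 reproduces the kind of report quoted in comment 0.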

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/816b0704084e Migrate gfx.downloadable_fonts.disable_cache to StaticPrefList. r=emilio
Group: gfx-core-security → core-security-release
Target Milestone: --- → 127 Branch
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED

Verified bug as fixed on rev mozilla-central 20240416214037-23ea0b523dc6.
Removing the bugmon keyword as no further action is possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:jfkthame, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox126 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jfkthame)

Although IMO this seems unlikely to be exploitable in any meaningful way, the patch here is trivial/safe and the issue is a recent regression, so I'd be inclined to go ahead and uplift the fix.

Flags: needinfo?(jfkthame)
Attachment #9397138 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Possible data race accessing a pref
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: minimal
  • Explanation of risk level: just moving a bool pref from all.js to StaticPrefsList
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9397138 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed] [adv-main126+r]
Group: core-security-release
