Closed Bug 1892286 Opened 1 year ago Closed 1 year ago

heap-use-after-free in [@ JSRope::flattenInternal]

Categories: Core :: JavaScript Engine, defect, P1
Tracking: RESOLVED DUPLICATE of bug 1890909
Tracking Status: firefox127 --- affected
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: csectype-uaf, sec-high

Found with m-c 20240418-e725b213623e (--enable-thread-sanitizer --enable-fuzzing)

This was found by visiting a live website with a TSan build.

STR:

WARNING: ThreadSanitizer: heap-use-after-free (pid=33793)
  Read of size 1 at 0x7b20001dbf80 by main thread:
    #0 memcpy /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/x86_64-linux-gnu/bits/string3.h:51:10 (libxul.so+0xa288257) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #1 PodAssign<unsigned char> /builds/worker/workspace/obj-build/dist/include/mozilla/PodOperations.h:88:3 (libxul.so+0xa288257)
    #2 PodCopy<unsigned char> /builds/worker/workspace/obj-build/dist/include/mozilla/PodOperations.h:106:7 (libxul.so+0xa288257)
    #3 void js::CopyChars<unsigned char>(unsigned char*, JSLinearString const&) /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:779:5 (libxul.so+0xa288257)
    #4 JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)1, unsigned char>(JSRope*) /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:1006:5 (libxul.so+0xa299cae) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #5 flattenInternal<(JSRope::UsingBarrier)1> /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:869:10 (libxul.so+0xa288546) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #6 flattenInternal /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:857:12 (libxul.so+0xa288546)
    #7 JSRope::flatten(JSContext*) /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:847:25 (libxul.so+0xa288546)
    #8 ensureLinear /builds/worker/checkouts/gecko/js/src/vm/StringType.h:2030:46 (libxul.so+0xa3359b4) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #9 js::StringEndsWith(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>, bool*) /builds/worker/checkouts/gecko/js/src/builtin/String.cpp:2831:33 (libxul.so+0xa3359b4)
    #10 <null> <null> (0x7ff6101166e7)
    #11 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:441:32 (libxul.so+0x9f99786) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #12 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13 (libxul.so+0x9f9a486) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #13 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:704:10 (libxul.so+0x9f9b3c4) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #14 Construct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:761:8 (libxul.so+0x9fb8b4a) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #15 js::SpreadCallOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4889:10 (libxul.so+0x9fb8b4a)
    #16 js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:2988:12 (libxul.so+0x9faabb0) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #17 MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:393:10 (libxul.so+0x9f99a01) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #18 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13 (libxul.so+0x9f99a01)
    #19 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13 (libxul.so+0x9f9a486) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #20 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:704:10 (libxul.so+0x9f9b3c4) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #21 Construct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:761:8 (libxul.so+0x9fb8b4a) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #22 js::SpreadCallOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:4889:10 (libxul.so+0x9fb8b4a)
    #23 js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:2988:12 (libxul.so+0x9faabb0) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #24 MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:393:10 (libxul.so+0x9f99a01) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #25 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13 (libxul.so+0x9f99a01)
    #26 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13 (libxul.so+0x9f9a486) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #27 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:704:10 (libxul.so+0x9f9b3c4) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #28 js::ConstructFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:748:10 (libxul.so+0x9f9b10e) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #29 js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1638:10 (libxul.so+0xa8140c0) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #30 <null> <null> (0x7ff610113834)
    #31 js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1906:17 (libxul.so+0x9f9ebf2) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #32 MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:393:10 (libxul.so+0x9f99a01) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #33 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:451:13 (libxul.so+0x9f99a01)
    #34 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:605:13 (libxul.so+0x9f9a486) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #35 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10 (libxul.so+0x9f9b037) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #36 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8 (libxul.so+0x9f9b037)
    #37 Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.h:116:10 (libxul.so+0xa1d4f59) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #38 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2242:10 (libxul.so+0xa1d4f59)
    #39 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:479:13 (libxul.so+0x9f9a3b9) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #40 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:573:12 (libxul.so+0x9f9a3b9)
    #41 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:640:10 (libxul.so+0x9f9b037) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #42 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:672:8 (libxul.so+0x9f9b037)
    #43 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10 (libxul.so+0xa06f323) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #44 mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./PromiseBinding.cpp:83:8 (libxul.so+0x516b963) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #45 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x313e987) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #46 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x313e987)
    #47 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:210:18 (libxul.so+0x313e987)
    #48 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:712:17 (libxul.so+0x312ae56) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #49 LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:241:7 (libxul.so+0x63350ed) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #50 ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:390:13 (libxul.so+0x63350ed)
    #51 mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1315:3 (libxul.so+0x63350ed)
    #52 mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1630:12 (libxul.so+0x63363bb) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #53 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1527:35 (libxul.so+0x6335700) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #54 HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5 (libxul.so+0x6328721) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #55 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17 (libxul.so+0x6328721)
    #56 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16 (libxul.so+0x6327538) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #57 mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11 (libxul.so+0x632b7b6) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #58 mozilla::dom::ScriptElement::ScriptEvaluated(nsresult, nsIScriptElement*, bool) /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:80:5 (libxul.so+0x7c10e41) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #59 mozilla::dom::ScriptLoader::FireScriptEvaluated(nsresult, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2268:18 (libxul.so+0x7c237b9) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #60 mozilla::dom::ScriptLoader::ProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2206:3 (libxul.so+0x7c1f040) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #61 mozilla::dom::ScriptLoader::ProcessOffThreadRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2105:12 (libxul.so+0x7c22af9) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #62 mozilla::dom::(anonymous namespace)::OffThreadCompilationCompleteTask::Run() /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1650:20 (libxul.so+0x7c2cc1d) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #63 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26 (libxul.so+0x3223c2e) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #64 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15 (libxul.so+0x3222456) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #65 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36 (libxul.so+0x322278f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #66 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37 (libxul.so+0x3232904) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #67 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x3232904)
    #68 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x32478a8) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #69 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x324e054) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #70 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x3db3eee) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #71 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3db49bb) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #72 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d26e18) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #73 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d26e18)
    #74 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d26e18)
    #75 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7e7d763) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #76 nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33 (libxul.so+0x7f7237c) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #77 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20 (libxul.so+0x9dff36f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #78 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3db496a) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #79 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d26e18) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #80 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d26e18)
    #81 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d26e18)
    #82 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34 (libxul.so+0x9dfefc0) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #83 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9e0b4b2) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #84 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15c272) (BuildId: 0e1defd7300885c5455b0f4f7998c6bce10bfd61)
    #85 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15c272)

  Previous write of size 8 at 0x7b20001dbf80 by thread T24:
    #0 free /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:722:3 (firefox-bin+0xd1f35) (BuildId: 0e1defd7300885c5455b0f4f7998c6bce10bfd61)
    #1 js_free /builds/worker/workspace/obj-build/dist/include/js/Utility.h:418:3 (libxul.so+0xa701c8f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #2 freeUntracked /builds/worker/checkouts/gecko/js/src/gc/GCContext.h:117:33 (libxul.so+0xa701c8f)
    #3 js::gc::GCRuntime::freeFromBackgroundThread(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:479:12 (libxul.so+0xa701c8f)
    #4 js::gc::BackgroundFreeTask::run(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:459:7 (libxul.so+0xa701a98) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #5 js::GCParallelTask::runTask(JS::GCContext*, js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:201:3 (libxul.so+0xa6bd9f7) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #6 js::GCParallelTask::runHelperThreadTask(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:183:3 (libxul.so+0xa6bdcb1) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #7 runTaskLocked /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1728:9 (libxul.so+0xa0dfb7b) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #8 js::GlobalHelperThreadState::runOneTask(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1697:5 (libxul.so+0xa0dfb7b)
    #9 JS::RunHelperThreadTask() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1684:23 (libxul.so+0xa0df994) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #10 HelperThreadTaskHandler::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1113:5 (libxul.so+0x3f239af) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #11 mozilla::TaskController::RunPoolThread() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:370:33 (libxul.so+0x3220b7e) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #12 mozilla::ThreadFuncPoolThread(void*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:222:26 (libxul.so+0x32202be) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #13 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4ba79) (BuildId: e38e45ce06f49cf2783acf0b8b3ae9897adc5815)

  Thread T24 'TaskCon~ller #2' (tid=33838, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (firefox-bin+0xd33bb) (BuildId: 0e1defd7300885c5455b0f4f7998c6bce10bfd61)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x42cee) (BuildId: e38e45ce06f49cf2783acf0b8b3ae9897adc5815)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x37f84) (BuildId: e38e45ce06f49cf2783acf0b8b3ae9897adc5815)
    #3 mozilla::TaskController::InitializeThreadPool() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:271:10 (libxul.so+0x32215c9) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #4 mozilla::TaskController::AddTask(already_AddRefed<mozilla::Task>&&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:436:7 (libxul.so+0x3221fe5) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #5 mozilla::dom::ScriptLoader::AttemptOffThreadScriptCompile(JS::loader::ScriptLoadRequest*, bool*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1750:26 (libxul.so+0x7c204ce) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #6 mozilla::dom::ScriptLoader::PrepareLoadedRequest(JS::loader::ScriptLoadRequest*, nsIIncrementalStreamLoader*, nsresult) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:3845:19 (libxul.so+0x7c282da) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #7 mozilla::dom::ScriptLoader::OnStreamComplete(nsIIncrementalStreamLoader*, JS::loader::ScriptLoadRequest*, nsresult, nsresult, mozilla::dom::SRICheckDataVerifier*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:3301:12 (libxul.so+0x7c165f8) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #8 mozilla::dom::ScriptLoadHandler::OnStreamComplete(nsIIncrementalStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /builds/worker/checkouts/gecko/dom/script/ScriptLoadHandler.cpp:459:23 (libxul.so+0x7c15efb) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #9 nsIncrementalStreamLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsIncrementalStreamLoader.cpp:82:20 (libxul.so+0x3437021) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #10 mozilla::net::InterceptFailedOnStop::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpBaseChannel.cpp:1427:19 (libxul.so+0x39a4571) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #11 mozilla::net::nsHTTPCompressConv::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:283:20 (libxul.so+0x37a5f48) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #12 mozilla::net::HttpChannelChild::DoOnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:1299:15 (libxul.so+0x3967444) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #13 mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:1095:5 (libxul.so+0x3966c99) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #14 operator() /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:922:15 (libxul.so+0x39b58de) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #15 std::_Function_handler<void (), mozilla::net::HttpChannelChild::ProcessOnStopRequest(nsresult const&, mozilla::net::ResourceTimingStructArgs const&, mozilla::net::nsHttpHeaderArray const&, nsTArray<mozilla::net::ConsoleReportCollected>&&, bool, mozilla::TimeStamp const&)::$_2>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2 (libxul.so+0x39b58de)
    #16 operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14 (libxul.so+0x388b393) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #17 mozilla::net::ChannelFunctionEvent::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:55:25 (libxul.so+0x388b393)
    #18 mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:94:12 (libxul.so+0x3b6459d) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #19 MaybeFlushQueue /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.h:354:5 (libxul.so+0x3b88c0c) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #20 mozilla::net::ChannelEventQueue::CompleteResume() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.h:333:5 (libxul.so+0x3b88c0c)
    #21 mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:152:17 (libxul.so+0x3b889ff) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #22 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16 (libxul.so+0x322f662) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #23 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26 (libxul.so+0x3223c2e) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #24 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15 (libxul.so+0x3222456) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #25 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36 (libxul.so+0x322278f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #26 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37 (libxul.so+0x3232904) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #27 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x3232904)
    #28 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x32478a8) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #29 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x324e054) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #30 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x3db3eee) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #31 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3db49bb) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #32 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d26e18) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #33 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d26e18)
    #34 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d26e18)
    #35 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7e7d763) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #36 nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33 (libxul.so+0x7f7237c) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #37 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20 (libxul.so+0x9dff36f) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #38 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3db496a) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #39 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3d26e18) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #40 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3d26e18)
    #41 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3d26e18)
    #42 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34 (libxul.so+0x9dfefc0) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #43 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9e0b4b2) (BuildId: bcc552827d5f4ad6ac179f10332f40e235db3f78)
    #44 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x15c272) (BuildId: 0e1defd7300885c5455b0f4f7998c6bce10bfd61)
    #45 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x15c272)

The stacks look very similar to bug 1890909.

See Also: → 1890909

Steve, given how related this one looks, going ni? you here as well...

Flags: needinfo?(sphink)
Severity: -- → S2
Priority: -- → P2
Priority: P2 → P1

It's not definite, but I'm going to assume that this recent cluster of bugs is from the same cause and dupe them. The stacks are different but very probably have the same cause.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1890909
Flags: needinfo?(sphink)
Resolution: --- → DUPLICATE
See Also: 1890909
Group: javascript-core-security