Closed
Bug 1898108
Opened 10 months ago
Closed 10 months ago
Intermittent SUMMARY: ThreadSanitizer: data race /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2694:23 in AppendElementInternal<nsTArrayInfallibleAllocator, mozilla::dom::WorkerRunnable *const &>
Categories
(Core :: DOM: Workers, defect)
Core
DOM: Workers
Tracking
()
RESOLVED
FIXED
128 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox126 | --- | unaffected |
| firefox127 | --- | unaffected |
| firefox128 | --- | fixed |
People
(Reporter: intermittent-bug-filer, Assigned: edenchuang)
References
Details
(Keywords: csectype-race, intermittent-failure, sec-moderate)
Attachments
(2 files)
Filed by: nfay [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=459081084&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/WrQxWxyLS-m8zf5GZDUfrg/runs/0/artifacts/public/logs/live_backing.log
TEST-START | devtools/client/webconsole/test/browser/browser_console_webconsole_private_browsing.js
...
GECKO(18176) | WARNING: ThreadSanitizer: data race (pid=18176)
GECKO(18176) | Write of size 4 at 0x726c0024a860 by main thread (mutexes: write M0):
GECKO(18176) | #0 AppendElementInternal<nsTArrayInfallibleAllocator, mozilla::dom::WorkerRunnable *const &> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2694:23 (libxul.so+0x7737c3c) (BuildId: d66feaf756a054140232f420cf187b11369c938e)
GECKO(18176) | #1 AppendElement<mozilla::dom::WorkerRunnable *const &> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2832:24 (libxul.so+0x7737c3c)
GECKO(18176) | #2 Push /builds/worker/workspace/obj-build/dist/include/mozilla/dom/workerinternals/Queue.h:37:14 (libxul.so+0x7737c3c)
GECKO(18176) | #3 Push /builds/worker/workspace/obj-build/dist/include/mozilla/dom/workerinternals/Queue.h:116:5 (libxul.so+0x7737c3c)
GECKO(18176) | #4 mozilla::dom::WorkerPrivate::DispatchDebuggerRunnable(already_AddRefed<mozilla::dom::WorkerRunnable>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:1770:18 (libxul.so+0x7737c3c)
...
GECKO(18176) | Previous read of size 4 at 0x726c0024a860 by thread T398:
GECKO(18176) | #0 Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:397:43 (libxul.so+0x774645d) (BuildId: d66feaf756a054140232f420cf187b11369c938e)
GECKO(18176) | #1 IsEmpty /builds/worker/workspace/obj-build/dist/include/nsTArray.h:400:33 (libxul.so+0x774645d)
GECKO(18176) | #2 IsEmpty /builds/worker/workspace/obj-build/dist/include/mozilla/dom/workerinternals/Queue.h:33:23 (libxul.so+0x774645d)
GECKO(18176) | #3 IsEmpty /builds/worker/workspace/obj-build/dist/include/mozilla/dom/workerinternals/Queue.h:111:47 (libxul.so+0x774645d)
GECKO(18176) | #4 mozilla::dom::WorkerPrivate::InterruptCallback(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3976:34 (libxul.so+0x774645d)
GECKO(18176) | #5 mozilla::dom::workerinternals::(anonymous namespace)::InterruptCallback(JSContext*) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:473:33 (libxul.so+0x772879c) (BuildId: d66feaf756a054140232f420cf187b11369c938e)
|
||
Comment 1•10 months ago
|
||
Here's the full TSan log. It looks like this is a race on WorkerPrivate::mDebuggerQueue.
|
|
||
Updated•10 months ago
|
Group: core-security → dom-core-security
Component: Layout → DOM: Workers
|
|
||
Updated•10 months ago
|
Keywords: csectype-race,
sec-moderate
|
|
||
Comment 2•10 months ago
|
||
This looks at least in the ballpark of bug 1821250, which landed recently.
Flags: needinfo?(poirot.alex)
|
||
Comment 3•10 months ago
|
||
This is about:
mDebuggerQueue.IsEmpty()done fromWorkerPrivate::InterruptCallback
which isn't guarded by any mutex
https://searchfox.org/mozilla-central/rev/55944eaee1e358b5443eaedc8adcd37e3fd23fd3/dom/workers/WorkerPrivate.cpp#3976
versus
mDebuggerQueue.Push(runnable.forget().take());done fromWorkerPrivate::DispatchDebuggerRunnable
which is quarded bymMutex
https://searchfox.org/mozilla-central/rev/55944eaee1e358b5443eaedc8adcd37e3fd23fd3/dom/workers/WorkerPrivate.cpp#1770
Should we simply guard the isEmpty call behind mMutex?
Flags: needinfo?(poirot.alex)
|
||
Updated•10 months ago
|
Flags: needinfo?(echuang)
|
Assignee | |
Comment 4•10 months ago
|
||
|
|
Assignee | |
Updated•10 months ago
|
Flags: needinfo?(echuang)
|
||
Updated•10 months ago
|
Assignee: nobody → echuang
Attachment #9403222 -
Attachment description: WIP: Bug 1898108 - Making WorkerPrivate::mDebuggerQueue accesses protected by WorkerPrivate::mMutex. r=#dom-worker-reviewers → Bug 1898108 - Making WorkerPrivate::mDebuggerQueue accesses protected by WorkerPrivate::mMutex. r=#dom-worker-reviewers
Status: NEW → ASSIGNED
Pushed by echuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/06aacf2f4ea6
Making WorkerPrivate::mDebuggerQueue accesses protected by WorkerPrivate::mMutex. r=dom-worker-reviewers,asuth
|
||
Comment 6•10 months ago
|
||
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
status-firefox126:
--- → unaffected
status-firefox127:
--- → unaffected
status-firefox128:
--- → fixed
status-firefox-esr115:
--- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
|
||
Updated•9 months ago
|
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
|
||
Updated•9 days ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•