Closed Bug 1920123 Opened 1 year ago Closed 1 year ago

ThreadSanitizer: data race [@ Test] vs. [@ operator=]

Categories

(Core :: JavaScript: GC, defect, P2)

Tracking

RESOLVED FIXED
133 Branch
Tracking Status
firefox132 --- wontfix
firefox133 --- fixed

People

(Reporter: tsmith, Assigned: jonco)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: csectype-race)

Attachments

(1 file)

Found while fuzzing m-c 20240915-a51b9d3e7251 (--enable-thread-sanitizer --enable-fuzzing)

This issue is triggered usually at startup and does not seem to be related to test case execution.

This issue is likely triggered by a combination of the prefs:
javascript.options.baselinejit.threshold = 10
javascript.options.ion.offthread_compilation = false
javascript.options.ion.threshold = 1000
javascript.options.mem.gc_zeal.mode = 13

WARNING: ThreadSanitizer: data race (pid=101954)
  Read of size 4 at 0x01cc89103f40 by main thread:
    #0 Test /builds/worker/workspace/obj-build/dist/include/mozilla/BitSet.h:82:12 (libxul.so+0x9f5e72b) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #1 operator bool /builds/worker/workspace/obj-build/dist/include/mozilla/BitSet.h:58:57 (libxul.so+0x9f5e72b)
    #2 js::gc::Arena::allocated() const /builds/worker/checkouts/gecko/js/src/gc/Heap.cpp:99:18 (libxul.so+0x9f5e72b)
    #3 IsGCThingValidAfterMovingGC<js::gc::Cell> /builds/worker/checkouts/gecko/js/src/gc/Marking-inl.h:225:25 (libxul.so+0x9fbc9a7) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #4 CheckHeapTracer::checkCell(js::gc::Cell*, char const*) /builds/worker/checkouts/gecko/js/src/gc/Verifier.cpp:941:39 (libxul.so+0x9fbc9a7)
    #5 HeapCheckTracerBase::onChild(JS::GCCellPtr, char const*) /builds/worker/checkouts/gecko/js/src/gc/Verifier.cpp:846:3 (libxul.so+0x9fbc2f7) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #6 onEdge<JSString> /builds/worker/workspace/obj-build/dist/include/js/TracingAPI.h:245:5 (libxul.so+0x34e77bd) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #7 js::GenericTracerImpl<JS::CallbackTracer>::onStringEdge(JSString**, char const*) /builds/worker/workspace/obj-build/dist/include/js/TracingAPI.h:219:3 (libxul.so+0x34e77bd)
    #8 TraceEdgeInternal /builds/worker/checkouts/gecko/js/src/gc/Tracer.h:109:1 (libxul.so+0x9a0bd8e) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #9 TraceRoot<JSAtom *> /builds/worker/checkouts/gecko/js/src/gc/Tracer.h:221:3 (libxul.so+0x9a0bd8e)
    #10 tracePinnedAtoms /builds/worker/checkouts/gecko/js/src/vm/JSAtomUtils.cpp:288:5 (libxul.so+0x9a0bd8e)
    #11 js::TraceAtoms(JSTracer*) /builds/worker/checkouts/gecko/js/src/vm/JSAtomUtils.cpp:295:17 (libxul.so+0x9a0bd8e)
    #12 traceRuntimeAtoms /builds/worker/checkouts/gecko/js/src/gc/RootMarking.cpp:291:3 (libxul.so+0x9f8e98d) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #13 js::gc::GCRuntime::traceRuntime(JSTracer*, js::gc::AutoTraceSession&) /builds/worker/checkouts/gecko/js/src/gc/RootMarking.cpp:285:3 (libxul.so+0x9f8e98d)
    #14 traceHeap /builds/worker/checkouts/gecko/js/src/gc/Verifier.cpp:872:12 (libxul.so+0x9fbca95) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #15 CheckHeapTracer::check(js::gc::AutoTraceSession&) /builds/worker/checkouts/gecko/js/src/gc/Verifier.cpp:950:8 (libxul.so+0x9fbca95)
    #16 js::gc::CheckHeapAfterGC(JSRuntime*) /builds/worker/checkouts/gecko/js/src/gc/Verifier.cpp:973:10 (libxul.so+0x9fbcd44) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #17 js::gc::GCRuntime::minorGC(JS::GCReason, js::gcstats::PhaseKind) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4827:5 (libxul.so+0x9f2a8b8) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #18 void* js::gc::CellAllocator::RetryNurseryAlloc<(js::AllowGC)1>(JSContext*, JS::TraceKind, js::gc::AllocKind, unsigned long, js::gc::AllocSite*) /builds/worker/checkouts/gecko/js/src/gc/Allocator.cpp:103:23 (libxul.so+0x9f2a59c) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #19 void* js::gc::CellAllocator::AllocNurseryOrTenuredCell<(JS::TraceKind)0, (js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::Heap, js::gc::AllocSite*) /builds/worker/checkouts/gecko/js/src/gc/Allocator-inl.h:199:12 (libxul.so+0x98abf5e) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #20 NewObject<js::ArrayObject, (js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/gc/Allocator-inl.h:94:16 (libxul.so+0x988a027) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #21 NewCell<js::ArrayObject, (js::AllowGC)1, js::gc::AllocKind &, js::gc::Heap &, const JSClass *&, js::gc::AllocSite *&> /builds/worker/checkouts/gecko/js/src/gc/Allocator-inl.h:35:12 (libxul.so+0x988a027)
    #22 newCell<js::ArrayObject, (js::AllowGC)1, js::gc::AllocKind &, js::gc::Heap &, const JSClass *&, js::gc::AllocSite *&> /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:359:10 (libxul.so+0x988a027)
    #23 create /builds/worker/checkouts/gecko/js/src/vm/ArrayObject-inl.h:41:27 (libxul.so+0x988a027)
    #24 NewArrayWithShape<4294967295U> /builds/worker/checkouts/gecko/js/src/builtin/Array.cpp:5256:22 (libxul.so+0x988a027)
    #25 NewArray<4294967295U> /builds/worker/checkouts/gecko/js/src/builtin/Array.cpp:5326:10 (libxul.so+0x988a027)
    #26 js::NewDenseFullyAllocatedArray(JSContext*, unsigned int, js::NewObjectKind, js::gc::AllocSite*) /builds/worker/checkouts/gecko/js/src/builtin/Array.cpp:5434:10 (libxul.so+0x988a027)
    #27 js::NewArrayObjectOptimizedFallback(JSContext*, unsigned int, js::gc::AllocKind, js::NewObjectKind) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:5578:24 (libxul.so+0x98e1448) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #28 <null> <null> ([anon:js-executable-memory]+0x4a92)
    #29 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:480:32 (libxul.so+0x98bad88) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #30 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:644:13 (libxul.so+0x98bbb70) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #31 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:10 (libxul.so+0x98bc777) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #32 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:711:8 (libxul.so+0x98bc777)
    #33 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1575:10 (libxul.so+0x9b513af) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #34 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:156:8 (libxul.so+0x9960034) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #35 js::AsyncFunctionAwaitedRejected(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:211:10 (libxul.so+0x996027a) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #36 AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2121:10 (libxul.so+0x9ad93e3) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #37 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2179:12 (libxul.so+0x9ad93e3)
    #38 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:518:13 (libxul.so+0x98bba8b) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #39 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:612:12 (libxul.so+0x98bba8b)
    #40 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:679:10 (libxul.so+0x98bc777) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #41 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:711:8 (libxul.so+0x98bc777)
    #42 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10 (libxul.so+0x9986f93) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #43 mozilla::dom::VoidFunction::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./JSActorBinding.cpp:35:8 (libxul.so+0x57b1ac3) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #44 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x34ead07) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #45 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x34ead07)
    #46 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:209:18 (libxul.so+0x34ead07)
    #47 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:714:17 (libxul.so+0x34d7076) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #48 mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:501:3 (libxul.so+0x34d7ce7) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #49 XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1476:28 (libxul.so+0x41e2718) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #50 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:24 (libxul.so+0x35f2852) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #51 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x35f87a4) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #52 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x40c894e) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #53 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:267:30 (libxul.so+0x40c916b) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #54 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x4047268) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #55 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x4047268)
    #56 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x4047268)
    #57 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x8778163) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #58 nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33 (libxul.so+0x885fc5c) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #59 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:20 (libxul.so+0x973408f) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #60 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x40c911a) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #61 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x4047268) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #62 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x4047268)
    #63 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x4047268)
    #64 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:645:34 (libxul.so+0x9733ce6) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #65 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:63:12 (libxul.so+0x973fa22) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #66 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22 (firefox-bin+0x14d5ad) (BuildId: fe7df774836fb87d3c2b0476c703868afbde787c)

  Previous write of size 4 at 0x01cc89103f40 by thread T20 (mutexes: write M0):
    #0 operator= /builds/worker/workspace/obj-build/dist/include/mozilla/BitSet.h:54:12 (libxul.so+0x9f60af1) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #1 js::gc::ArenaChunk::releaseArena(js::gc::GCRuntime*, js::gc::Arena*, js::AutoLockGC const&) /builds/worker/checkouts/gecko/js/src/gc/Heap.cpp:360:42 (libxul.so+0x9f60af1)
    #2 js::gc::GCRuntime::releaseArena(js::gc::Arena*, js::AutoLockGC const&) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:400:19 (libxul.so+0x9f3938e) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #3 js::gc::GCRuntime::sweepBackgroundThings(js::gc::ZoneList&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:371:9 (libxul.so+0x9fa2971) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #4 js::gc::GCRuntime::sweepFromBackgroundThread(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:427:5 (libxul.so+0x9fa2c96) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #5 js::gc::BackgroundSweepTask::run(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/Sweeping.cpp:418:7 (libxul.so+0x9fa2c08) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #6 js::GCParallelTask::runTask(JS::GCContext*, js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:218:3 (libxul.so+0x9f5e2a7) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #7 js::GCParallelTask::runHelperThreadTask(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:200:3 (libxul.so+0x9f5e561) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #8 runTaskLocked /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:650:11 (libxul.so+0x99ecae5) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #9 runOneTask /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:606:3 (libxul.so+0x99ecae5)
    #10 JS::RunHelperThreadTask(JS::HelperThreadTask*) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:595:23 (libxul.so+0x99ecae5)
    #11 HelperThreadTaskHandler::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1133:5 (libxul.so+0x41f987f) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #12 mozilla::TaskController::RunPoolThread(mozilla::PoolThread*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:350:29 (libxul.so+0x35cd325) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #13 mozilla::ThreadFuncPoolThread(void*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:257:26 (libxul.so+0x35ccde8) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #14 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x4aef8) (BuildId: 4d19424047847c24517bd43b12f47ea44bdff1dc)

  Location is global '??' at 0x000000000000 ([anon:js-gc-heap]+0x1cc89103f40)

  Mutex M0 (0x72b400001ab0) created at:
    #0 pthread_mutex_init /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1316:3 (firefox-bin+0xd086f) (BuildId: fe7df774836fb87d3c2b0476c703868afbde787c)
    #1 mozilla::detail::MutexImpl::MutexImpl() /builds/worker/checkouts/gecko/mozglue/misc/Mutex_posix.cpp:76:3 (firefox-bin+0x1ba2b2) (BuildId: fe7df774836fb87d3c2b0476c703868afbde787c)
    #2 MutexImpl /builds/worker/checkouts/gecko/js/src/threading/Mutex.h:39:3 (libxul.so+0x9f39dd3) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #3 Mutex /builds/worker/checkouts/gecko/js/src/threading/Mutex.h:75:12 (libxul.so+0x9f39dd3)
    #4 js::gc::GCRuntime::GCRuntime(JSRuntime*) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:488:7 (libxul.so+0x9f39dd3)
    #5 JSRuntime::JSRuntime(JSRuntime*) /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:124:7 (libxul.so+0x9b1b2c9) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #6 js_new<JSRuntime, JSRuntime *&> /builds/worker/workspace/obj-build/dist/include/js/Utility.h:545:1 (libxul.so+0x9a23013) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #7 js::NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/vm/JSContext.cpp:169:24 (libxul.so+0x9a23013)
    #8 JS_NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:407:10 (libxul.so+0x9cb66b3) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #9 mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:125:16 (libxul.so+0x34d5cab) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #10 XPCJSContext::Initialize() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1196:32 (libxul.so+0x41e0c2c) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #11 XPCJSContext::NewXPCJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1409:23 (libxul.so+0x41e1e47) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #12 nsXPConnect::InitJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:93:25 (libxul.so+0x4225d63) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #13 xpc::InitializeJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:108:35 (libxul.so+0x4225e2f) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #14 NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:519:5 (libxul.so+0x362aef5) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #15 mozilla::dom::ContentProcess::InfallibleInit(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:166:8 (libxul.so+0x8088448) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #16 mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:70:3 (libxul.so+0x8087852) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #17 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:612:21 (libxul.so+0x9733cc1) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #18 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:63:12 (libxul.so+0x973fa22) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #19 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22 (firefox-bin+0x14d5ad) (BuildId: fe7df774836fb87d3c2b0476c703868afbde787c)

  Thread T20 'TaskCon~ller #0' (tid=102266, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1023:3 (firefox-bin+0xcf07b) (BuildId: fe7df774836fb87d3c2b0476c703868afbde787c)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x4219e) (BuildId: 4d19424047847c24517bd43b12f47ea44bdff1dc)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x374a4) (BuildId: 4d19424047847c24517bd43b12f47ea44bdff1dc)
    #3 mozilla::TaskController::InitializeThreadPool() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:282:23 (libxul.so+0x35cdef7) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #4 mozilla::TaskController::AddTask(already_AddRefed<mozilla::Task>&&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:406:7 (libxul.so+0x35cea35) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #5 DispatchOffThreadTask(JS::HelperThreadTask*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1150:26 (libxul.so+0x41e19fc) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #6 js::AutoHelperTaskQueue::dispatchQueuedTasks() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:677:5 (libxul.so+0x99ecdbf) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #7 ~AutoHelperTaskQueue /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.h:77:28 (libxul.so+0x9f5da3c) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #8 ~AutoLockHelperThreadState /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.h:91:16 (libxul.so+0x9f5da3c)
    #9 js::GCParallelTask::start() /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:67:1 (libxul.so+0x9f5da3c)
    #10 js::gc::GCRuntime::beginPreparePhase(JS::GCReason, js::gc::AutoGCSession&) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:2786:16 (libxul.so+0x9f44b89) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #11 js::gc::GCRuntime::incrementalSlice(JS::SliceBudget&, JS::GCReason, bool) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3808:12 (libxul.so+0x9f4a023) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #12 js::gc::GCRuntime::gcCycle(bool, JS::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4420:3 (libxul.so+0x9f4c519) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #13 js::gc::GCRuntime::collect(bool, JS::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4609:9 (libxul.so+0x9f4d36c) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #14 js::gc::GCRuntime::startGC(JS::GCOptions, JS::GCReason, JS::SliceBudget const&) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp (libxul.so+0x9f4d98e) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #15 JS::StartIncrementalGC(JSContext*, JS::GCOptions, JS::GCReason, JS::SliceBudget const&) /builds/worker/checkouts/gecko/js/src/gc/GCAPI.cpp:310:21 (libxul.so+0x9f5af15) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #16 GarbageCollectImpl(JS::GCReason, nsJSContext::IsShrinking, JS::SliceBudget const&) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1013:5 (libxul.so+0x558ac8b) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #17 nsJSContext::RunIncrementalGCSlice(JS::GCReason, nsJSContext::IsShrinking, JS::SliceBudget&) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1030:3 (libxul.so+0x558ae43) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #18 mozilla::CCGCScheduler::GCRunnerFiredDoGC(mozilla::TimeStamp, mozilla::GCRunnerStep const&) /builds/worker/checkouts/gecko/dom/base/CCGCScheduler.cpp:353:3 (libxul.so+0x530a58d) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #19 mozilla::CCGCScheduler::GCRunnerFired(mozilla::TimeStamp) /builds/worker/checkouts/gecko/dom/base/CCGCScheduler.cpp:312:10 (libxul.so+0x5309d5e) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #20 operator() /builds/worker/checkouts/gecko/dom/base/CCGCScheduler.cpp:554:44 (libxul.so+0x5315be1) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #21 std::_Function_handler<bool (mozilla::TimeStamp), mozilla::CCGCScheduler::EnsureGCRunner(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>)::$_0>::_M_invoke(std::_Any_data const&, mozilla::TimeStamp&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:282:9 (libxul.so+0x5315be1)
    #22 operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14 (libxul.so+0x35c5d83) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #23 mozilla::IdleTaskRunner::Run() /builds/worker/checkouts/gecko/xpcom/threads/IdleTaskRunner.cpp:124:14 (libxul.so+0x35c5d83)
    #24 mozilla::IdleTaskRunnerTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/IdleTaskRunner.cpp:45:15 (libxul.so+0x35c6876) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #25 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:945:26 (libxul.so+0x35d0a93) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #26 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:810:15 (libxul.so+0x35cf496) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #27 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:554:36 (libxul.so+0x35cf60f) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #28 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:268:37 (libxul.so+0x35dede4) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #29 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x35dede4)
    #30 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1155:16 (libxul.so+0x35f227d) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #31 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x35f87a4) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #32 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x40c894e) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #33 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:267:30 (libxul.so+0x40c916b) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #34 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x4047268) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #35 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x4047268)
    #36 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x4047268)
    #37 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x8778163) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #38 nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33 (libxul.so+0x885fc5c) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #39 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:20 (libxul.so+0x973408f) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #40 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x40c911a) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #41 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x4047268) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #42 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x4047268)
    #43 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x4047268)
    #44 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:645:34 (libxul.so+0x9733ce6) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #45 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:63:12 (libxul.so+0x973fa22) (BuildId: 9bc0c18af9b8110cff5110d26de42bee93fce7aa)
    #46 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:403:22 (firefox-bin+0x14d5ad) (BuildId: fe7df774836fb87d3c2b0476c703868afbde787c)

Jon, could you take a look at this tsan bug. After some quick initial investigation during triage today, we think it is a real issue, just not sure about the priority.

Severity: -- → S3
Depends on: sm-security
Flags: needinfo?(jcoppeard)

This looks similar to bug 1918224 and it's not something that affects real builds. It's a race between background sweeping and heap check zeal mode.

(I'm not sure why the stack shows CheckHeapAfterGC being called as that is run in zeal mode 15, but the description shows mode 13 is enabled.)

Tyson, can you confirm the zeal mode required for this? I can't reproduce locally with either zeal mode 13 or 15, but 15 would make more sense given the stack.

Flags: needinfo?(jcoppeard) → needinfo?(twsmith)

I only see zeal mode 13 and 15 in the prefs files reported. 13 is much more common (~5:1).

Flags: needinfo?(twsmith)
Priority: -- → P3
Priority: P3 → P2
Group: javascript-core-security

I haven't been able to reproduce this but I'm pretty sure I can see what's going wrong. Feel free to reopen the bug if the patch doesn't fix things.

Assignee: nobody → jcoppeard

Arena::allocated() can race with background sweeping so ensure this has
finished before doing any heap checking or hash table checking.

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/01ac14fe2c9a Wait for background sweeping to finish when checking GC things after minor GC r=sfink
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
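The race the patch description above talks about is easy to lose in the 60-frame stacks, so here is a reduced model of it as an added example. This is constructed code, not SpiderMonkey's; the names (ArenaChunk, GCRuntime, releaseArena, arenaAllocated, waitBackgroundSweepEnd, checkHeap) only loosely mirror the frames in the report and the numbers (64 arenas per chunk, 20 released) are made up. A background sweeper clears bits in a plain bitset while holding the GC lock, exactly as the "Previous write ... (mutexes: write M0)" line shows, and the main-thread heap check reads the same bits with no lock and no happens-before edge, which is the "Read of size 4 ... by main thread" side. `checkHeap(false)` is the racy shape; `checkHeap(true)` waits for the sweeper first, which is what the fix does:

```cpp
#include <bitset>
#include <condition_variable>
#include <cstddef>
#include <cstdio>
#include <mutex>
#include <thread>
#include <vector>

// Constructed, reduced model of the structures named in the TSan report.
// This is illustration only, NOT the real js::gc code.
constexpr std::size_t kArenasPerChunk = 64;

struct ArenaChunk {
  // Plain bitset standing in for mozilla::BitSet: no atomics, so every
  // reader must be ordered against writers by a lock or a join/wait.
  std::bitset<kArenasPerChunk> allocated;
};

class GCRuntime {
 public:
  GCRuntime() { chunk_.allocated.set(); }  // every arena starts allocated
  ~GCRuntime() { joinSweeper(); }

  // Models ArenaChunk::releaseArena(): the writer holds the GC lock (M0).
  void releaseArena(std::size_t index) {
    std::lock_guard<std::mutex> guard(gcLock_);
    chunk_.allocated.reset(index);
  }

  // Models Arena::allocated(): a plain read, no lock taken.
  bool arenaAllocated(std::size_t index) const {
    return chunk_.allocated.test(index);
  }

  // Models BackgroundSweepTask: releases the given arenas on a helper thread.
  void startBackgroundSweep(std::vector<std::size_t> toRelease) {
    {
      std::lock_guard<std::mutex> guard(helperLock_);
      sweepRunning_ = true;
    }
    sweeper_ = std::thread([this, toRelease = std::move(toRelease)] {
      for (std::size_t index : toRelease) {
        releaseArena(index);
      }
      std::lock_guard<std::mutex> guard(helperLock_);
      sweepRunning_ = false;
      helperCv_.notify_all();
    });
  }

  // Models waiting for background sweeping to end: the condition-variable
  // handoff orders the checker after every releaseArena() write.
  void waitBackgroundSweepEnd() {
    std::unique_lock<std::mutex> guard(helperLock_);
    helperCv_.wait(guard, [this] { return !sweepRunning_; });
  }

  // Models CheckHeapTracer: counts arenas that still look allocated.
  // waitFirst=false is the racy pattern from the report; true is the fix.
  std::size_t checkHeap(bool waitFirst) {
    if (waitFirst) waitBackgroundSweepEnd();
    std::size_t live = 0;
    for (std::size_t i = 0; i < kArenasPerChunk; ++i) {
      if (arenaAllocated(i)) ++live;
    }
    return live;
  }

  void joinSweeper() {
    if (sweeper_.joinable()) sweeper_.join();
  }

 private:
  std::mutex gcLock_;
  ArenaChunk chunk_;
  std::mutex helperLock_;
  std::condition_variable helperCv_;
  bool sweepRunning_ = false;
  std::thread sweeper_;
};

// One scenario: sweep 20 of the 64 arenas in the background, then check.
std::size_t runScenario(bool waitForSweep) {
  GCRuntime rt;
  std::vector<std::size_t> toRelease;
  for (std::size_t i = 0; i < 20; ++i) toRelease.push_back(i * 3);  // 0, 3, ..., 57
  rt.startBackgroundSweep(toRelease);
  std::size_t live = rt.checkHeap(waitForSweep);
  rt.joinSweeper();
  return live;
}

int main() {
  // Built with -fsanitize=thread, the first call reports a data race between
  // arenaAllocated() on the main thread and releaseArena() on the sweeper,
  // with the writer holding gcLock_ and the reader holding nothing.
  std::printf("racy check saw %zu live arenas\n", runScenario(false));
  // Waiting first always observes the post-sweep state: 64 - 20 = 44.
  std::printf("checked after sweep: %zu live arenas\n", runScenario(true));
  return 0;
}
```

Build it with `clang++ -std=c++17 -g -fsanitize=thread -pthread race_model.cpp` to see the same "mutexes: write M0" on the writer side and nothing on the reader side that the report shows. The point worth taking from the fix is that taking the GC lock in the checker would not be the right repair either: the checker wants a consistent snapshot of the whole heap, so the correct synchronization is the one the patch uses, waiting for background sweeping to finish before the check starts, rather than locking around each individual read.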

The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox132 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jcoppeard)

This doesn't affect release builds so we can let this ride the trains.

Flags: needinfo?(jcoppeard)