Closed Bug 1796706 Opened 2 years ago Closed 2 years ago

ThreadSanitizer: data race [@ mozilla::dom::FontFaceImpl::GetUnicodeRangeAsCharacterMap] vs. [@ mozilla::dom::FontFaceImpl::SetDescriptor]

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1793127

Tracking Flags:

Tracking

Status

firefox107

---

fixed

firefox108

---

fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords)

Attachments

(2 files)

testcase.html 2 years ago Tyson Smith [:tsmith] (deleted), text/html		Details
tsan_01.txt 2 years ago Tyson Smith [:tsmith] (deleted), text/plain		Details

Tyson Smith [:tsmith]

Reporter

Description

•

2 years ago

Attached file testcase.html (deleted) — Details

Found while fuzzing m-c 20221020-ca2873779214 (--enable-thread-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -t --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

This is likely related or a duplicate of one of these issue Bug 1793127, Bug 1793314 or Bug 1794528. I am logging this because I can reproduce this with the attached test case fairly reliably. If it as a dup feel free to close it and use the test case else where.

WARNING: ThreadSanitizer: data race (pid=5300)
  Write of size 1 at 0x7b18000237b0 by main thread:
    #0 mozilla::dom::FontFaceImpl::GetUnicodeRangeAsCharacterMap() /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:702:22 (libxul.so+0x5a3125c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #1 mozilla::dom::FontFaceSetImpl::FindOrCreateUserFontEntryFromFontFace(nsTSubstring<char> const&, mozilla::dom::FontFaceImpl*, mozilla::StyleOrigin) /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:458:47 (libxul.so+0x5a3a959) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #2 FindOrCreateUserFontEntryFromFontFace /builds/worker/checkouts/gecko/layout/style/FontFaceSetImpl.cpp:345:10 (libxul.so+0x5a30026) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #3 mozilla::dom::FontFaceImpl::CreateUserFontEntry() /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:326:9 (libxul.so+0x5a30026)
    #4 mozilla::dom::FontFaceImpl::DoLoad() /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:342:8 (libxul.so+0x5a2fac6) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #5 operator() /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:338:65 (libxul.so+0x5a403af) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #6 mozilla::detail::RunnableFunction<mozilla::dom::FontFaceImpl::DoLoad()::$_9>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x5a403af)
    #7 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16 (libxul.so+0x1166722) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #8 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26 (libxul.so+0x116065f) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #9 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15 (libxul.so+0x115ed16) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #10 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36 (libxul.so+0x115f0e4) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #11 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:190:37 (libxul.so+0x116907a) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #12 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x116907a)
    #13 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16 (libxul.so+0x117e2b7) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #14 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x1184b15) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #15 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5 (libxul.so+0x1d68e3d) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #16 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x1d6963b) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #17 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1c92d9c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #18 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1c92d9c)
    #19 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1c92d9c)
    #20 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27 (libxul.so+0x5760636) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #21 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20 (libxul.so+0x7fcc3f9) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #22 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x1d695ed) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #23 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1c92d9c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #24 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1c92d9c)
    #25 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1c92d9c)
    #26 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34 (libxul.so+0x7fcbb5d) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #27 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x7fd50e2) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #28 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xe3e57) (BuildId: 41a656254ac132ad4967fb620fc4d64505857ce4)
    #29 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:357:18 (firefox+0xe3e57)

  Previous write of size 1 at 0x7b18000237b0 by thread T21:
    #0 mozilla::dom::FontFaceImpl::SetDescriptor(nsCSSFontDesc, nsTSubstring<char> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:426:24 (libxul.so+0x5a2f8dd) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #1 SetUnicodeRange /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:184:7 (libxul.so+0x5a2dac0) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #2 mozilla::dom::FontFace::SetUnicodeRange(nsTSubstring<char> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/style/FontFace.cpp:176:10 (libxul.so+0x5a2dac0)
    #3 mozilla::dom::FontFace_Binding::set_unicodeRange(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:1234:24 (libxul.so+0x3997f05) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #4 bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3235:8 (libxul.so+0x3b3ac35) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #5 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0x9077fcf) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #6 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12 (libxul.so+0x9077fcf)
    #7 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0x9078dcc) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #8 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0x9078dcc)
    #9 js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:790:10 (libxul.so+0x9079d1c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #10 SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2549:8 (libxul.so+0x8397cea) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #11 bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2583:14 (libxul.so+0x839671c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #12 SetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:306:10 (libxul.so+0x906afc2) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #13 SetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1861:10 (libxul.so+0x906afc2)
    #14 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3121:12 (libxul.so+0x906afc2)
    #15 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13 (libxul.so+0x9061174) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #16 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13 (libxul.so+0x9078095) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #17 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0x9078dcc) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #18 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0x9078dcc)
    #19 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1488:10 (libxul.so+0x8454337) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #20 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:154:8 (libxul.so+0x825b7b8) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #21 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:195:10 (libxul.so+0x825b537) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #22 AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2111:12 (libxul.so+0x83e34af) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #23 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2174:12 (libxul.so+0x83e34af)
    #24 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0x9077fcf) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #25 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12 (libxul.so+0x9077fcf)
    #26 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0x9078dcc) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #27 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0x9078dcc)
    #28 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0x827f0e1) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #29 mozilla::dom::VoidFunction::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/JSActorBinding.cpp:35:8 (libxul.so+0x2e023de) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #30 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x107475e) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #31 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x107475e)
    #32 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18 (libxul.so+0x107475e)
    #33 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17 (libxul.so+0x1061e33) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #34 mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3 (libxul.so+0x1062ad7) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #35 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1241:24 (libxul.so+0x117e7c6) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #36 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x1184b15) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #37 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3205:7 (libxul.so+0x529a6d9) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #38 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2042:42 (libxul.so+0x5285c33) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #39 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x117e4d2) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #40 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x1184b15) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #41 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x1d6972e) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #42 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1c92d9c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #43 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1c92d9c)
    #44 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1c92d9c)
    #45 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10 (libxul.so+0x11798d6) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #46 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x44f1d) (BuildId: 0878e5a9e40e234a7d46a1206bfb40bc90fa0916)

  Location is heap block of size 88 at 0x7b1800023760 allocated by thread T21:
    #0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:667:5 (firefox+0x61dd1) (BuildId: 41a656254ac132ad4967fb620fc4d64505857ce4)
    #1 moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15 (firefox+0xe5ccb) (BuildId: 41a656254ac132ad4967fb620fc4d64505857ce4)
    #2 operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10 (libxul.so+0x5a2c5c8) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #3 mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char> const&, mozilla::dom::UTF8StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/style/FontFace.cpp:122:16 (libxul.so+0x5a2c5c8)
    #4 mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:2268:54 (libxul.so+0x3996349) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #5 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0x90796d1) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #6 CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:475:8 (libxul.so+0x90796d1)
    #7 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:694:10 (libxul.so+0x90796d1)
    #8 ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:722:10 (libxul.so+0x906de5e) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #9 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3360:16 (libxul.so+0x906de5e)
    #10 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13 (libxul.so+0x9061174) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #11 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13 (libxul.so+0x9078095) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #12 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0x9078dcc) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #13 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0x9078dcc)
    #14 js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1488:10 (libxul.so+0x8454337) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #15 AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:154:8 (libxul.so+0x825b7b8) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #16 js::AsyncFunctionAwaitedFulfilled(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/AsyncFunction.cpp:195:10 (libxul.so+0x825b537) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #17 AsyncFunctionPromiseReactionJob /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2111:12 (libxul.so+0x83e34af) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #18 PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2174:12 (libxul.so+0x83e34af)
    #19 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0x9077fcf) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #20 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12 (libxul.so+0x9077fcf)
    #21 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0x9078dcc) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #22 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0x9078dcc)
    #23 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0x827f0e1) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #24 mozilla::dom::VoidFunction::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/JSActorBinding.cpp:35:8 (libxul.so+0x2e023de) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #25 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12 (libxul.so+0x107475e) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #26 Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12 (libxul.so+0x107475e)
    #27 mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18 (libxul.so+0x107475e)
    #28 mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17 (libxul.so+0x1061e33) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #29 mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3 (libxul.so+0x1062ad7) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #30 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1241:24 (libxul.so+0x117e7c6) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #31 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x1184b15) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #32 mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3205:7 (libxul.so+0x529a6d9) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #33 mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2042:42 (libxul.so+0x5285c33) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #34 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198:16 (libxul.so+0x117e4d2) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #35 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x1184b15) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #36 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20 (libxul.so+0x1d6972e) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #37 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1c92d9c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #38 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1c92d9c)
    #39 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1c92d9c)
    #40 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10 (libxul.so+0x11798d6) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #41 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x44f1d) (BuildId: 0878e5a9e40e234a7d46a1206bfb40bc90fa0916)

  Thread T21 'DOM Worker' (tid=5334, running) created by main thread at:
    #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1022:3 (firefox+0x6358d) (BuildId: 41a656254ac132ad4967fb620fc4d64505857ce4)
    #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x3bfb5) (BuildId: 0878e5a9e40e234a7d46a1206bfb40bc90fa0916)
    #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x31115) (BuildId: 0878e5a9e40e234a7d46a1206bfb40bc90fa0916)
    #3 nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:617:18 (libxul.so+0x117b435) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #4 mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7 (libxul.so+0x52b33d1) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #5 mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1323:37 (libxul.so+0x526e8e2) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #6 mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1205:19 (libxul.so+0x526dcde) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #7 mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2588:24 (libxul.so+0x5297852) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #8 mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43:41 (libxul.so+0x527807e) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #9 mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1107:52 (libxul.so+0x36beb5d) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #10 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13 (libxul.so+0x90796d1) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #11 CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:475:8 (libxul.so+0x90796d1)
    #12 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:694:10 (libxul.so+0x90796d1)
    #13 ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:722:10 (libxul.so+0x906de5e) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #14 Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3360:16 (libxul.so+0x906de5e)
    #15 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13 (libxul.so+0x9061174) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #16 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13 (libxul.so+0x9078095) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #17 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10 (libxul.so+0x9078dcc) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #18 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8 (libxul.so+0x9078dcc)
    #19 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10 (libxul.so+0x827f0e1) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #20 mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8 (libxul.so+0x38e13b1) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #21 HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12 (libxul.so+0x40ea00c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #22 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1310:43 (libxul.so+0x40ea00c)
    #23 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17 (libxul.so+0x40ead1a) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #24 HandleEvent /builds/worker/checkouts/gecko/dom/events/EventListenerManager.h:395:5 (libxul.so+0x40e00ce) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #25 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17 (libxul.so+0x40e00ce)
    #26 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16 (libxul.so+0x40df469) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #27 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11 (libxul.so+0x40e20fd) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #28 nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1079:7 (libxul.so+0x5b95533) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #29 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6434:20 (libxul.so+0x783efb2) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #30 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5827:7 (libxul.so+0x783e896) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #31 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp (libxul.so+0x783f7fb) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #32 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1380:3 (libxul.so+0x1fbe5fe) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #33 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:978:14 (libxul.so+0x1fbdd0a) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #34 nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:797:9 (libxul.so+0x1fbbe71) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #35 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5 (libxul.so+0x1fbd1c9) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #36 nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13841:23 (libxul.so+0x785b26c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #37 non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp (libxul.so+0x785b468) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #38 mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22 (libxul.so+0x1344fbc) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #39 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10 (libxul.so+0x13463c2) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #40 DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11476:18 (libxul.so+0x29c5b43) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #41 mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11414:9 (libxul.so+0x29c5b43)
    #42 mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7950:3 (libxul.so+0x29d7a36) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #43 applyImpl<FdWatcher, void (FdWatcher::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12 (libxul.so+0x1052196) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #44 apply<FdWatcher, void (FdWatcher::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12 (libxul.so+0x1052196)
    #45 mozilla::detail::RunnableMethodImpl<nsUpdateProcessor*, void (nsUpdateProcessor::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13 (libxul.so+0x1052196)
    #46 mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20 (libxul.so+0x115ae6f) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #47 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16 (libxul.so+0x1166722) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #48 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26 (libxul.so+0x116065f) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #49 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15 (libxul.so+0x115ed16) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #50 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36 (libxul.so+0x115f0e4) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #51 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37 (libxul.so+0x1169037) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #52 mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5 (libxul.so+0x1169037)
    #53 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16 (libxul.so+0x117e2b7) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #54 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10 (libxul.so+0x1184b15) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #55 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21 (libxul.so+0x1d68dbb) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #56 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x1d6963b) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #57 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1c92d9c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #58 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1c92d9c)
    #59 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1c92d9c)
    #60 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27 (libxul.so+0x5760636) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #61 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20 (libxul.so+0x7fcc3f9) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #62 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x1d695ed) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #63 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1c92d9c) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #64 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1c92d9c)
    #65 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1c92d9c)
    #66 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34 (libxul.so+0x7fcbb5d) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #67 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x7fd50e2) (BuildId: 28934208f3a2232934c24e7dcba101d6270e316e)
    #68 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xe3e57) (BuildId: 41a656254ac132ad4967fb620fc4d64505857ce4)
    #69 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:357:18 (firefox+0xe3e57)

Flags: in-testsuite?

Tyson Smith [:tsmith]

Reporter

Comment 1

•

2 years ago

Attached file tsan_01.txt (deleted) — Details

A similar stack with the same test case.

Andrew McCreight [:mccr8]

Updated

•

2 years ago

Keywords: reproducible, sec-high

Tyson Smith [:tsmith]

Reporter

Comment 2

•

2 years ago

Is this related to bug 1793127?

Flags: needinfo?(aosmond)

Andrew Osmond [:aosmond] (he/him)

Comment 3

•

2 years ago

I can confirm this is a duplicate of bug 1793127. It is a bit different from the others, not a UAF (which should be impossible as we hold a RefPtr<FontFaceImpl> in the runnable keeping it alive), just a thread data race but solved as part of my patch. We should now only access these flags/pointers on the owning thread (main or DOM worker).

Status: NEW → RESOLVED

Closed: 2 years ago

Flags: needinfo?(aosmond)

Resolution: --- → DUPLICATE

Dianna Smith [:diannaS]

Updated

•

2 years ago

status-firefox107: affected → fixed

status-firefox108: affected → fixed

Bugmon [:jkratzer for issues]

Comment 4

•

2 years ago

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Daniel Veditz [:dveditz]

Updated

•

1 year ago

Group: gfx-core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

ThreadSanitizer: data race [@ mozilla::dom::FontFaceImpl::GetUnicodeRangeAsCharacterMap] vs. [@ mozilla::dom::FontFaceImpl::SetDescriptor]

Categories

(Core :: Graphics: Text, defect)

Tracking

()

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Updated

Comment 2

Comment 3

Updated

Comment 4

Updated

Attachment

General

Description

File Name

Content Type