(In reply to Christian Holler (:decoder) from comment #9) > (In reply to Luca Greco [:rpl] [:luca] [:lgreco] from comment #6) > > > I have the feeling that this may not be something that would happen outside of the fuzzing harness, I would expect NS_ShutdownXPCOM to be called before exiting the process in a regular browser instance not running under the fuzzing harness. > > Yes, this is very much possible and we had similar problems with the ContentParentIPC and other IPC fuzzing targets before. > > We do register an at-exit handler because of that `exit` call in libFuzzer here: > > https://searchfox.org/mozilla-central/rev/819be4899a92213abf121b449779ced662f2ce13/tools/fuzzing/interface/harness/FuzzerRunner.cpp#46 > > Do you think that `DeinitXPCOM` method needs a call to `NS_ShutdownXPCOM` ? Unfortunately I'm not really that much experienced on how xpcom shutdown sequence, and so I should definitely like to double-check it with something that has more direct knowledge about those pieces, but in the meantime I took a look to get an initial picture and if I'm not reading it wrong I think that `DeinitXPCOM` should be already calling `NS_ShutdownXPCOM`. Would you mind to double-check if any of the following details are not right? - the ScopedXPCOM class used by InitLibFuzzer is the one defined in FuzzerTestHarness.h here: https://searchfox.org/mozilla-central/rev/61728de8273c04fe2417c475fc0637e8b79210d7/tools/fuzzing/interface/harness/FuzzerTestHarness.h#59 - at-exit FuzzerRunner.cpp calls DeinitXPCOM, which does call InitLibFuzzer.DeinitXPCOM() - InitLibFuzzer.DeinitXPCOM() does then destroy the ScopedXPCOM instance, which will invoke its destructor - The FuzzerTestHarness.h's ScopedXPCOM destructor should already be calling NS_ShutdownXPCOM here: https://searchfox.org/mozilla-central/rev/61728de8273c04fe2417c475fc0637e8b79210d7/tools/fuzzing/interface/harness/FuzzerTestHarness.h#106 - and NS_ShutdownXPCOM should be executing all the ClearOnShutdown's pointers added to the `sShutdownObservers` list of shutdown observers here: https://searchfox.org/mozilla-central/rev/61728de8273c04fe2417c475fc0637e8b79210d7/xpcom/build/XPCOMInit.cpp#656-660 I did want to also double-check if the pernosco trace linked in comment 10 does confirm that the sequence described above is actually consistent with what is really happening during the fuzzy test shutdown, but I couldn't load successfully the Pernosco trace (I already asked in the Pernosco support channel about the issue I'm having on loading this trace, but I'll try to take another look if I can get access to the trace again).
Bug 1669466 Comment 10 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Christian Holler (:decoder) from comment #9) > (In reply to Luca Greco [:rpl] [:luca] [:lgreco] from comment #6) > > > I have the feeling that this may not be something that would happen outside of the fuzzing harness, I would expect NS_ShutdownXPCOM to be called before exiting the process in a regular browser instance not running under the fuzzing harness. > > Yes, this is very much possible and we had similar problems with the ContentParentIPC and other IPC fuzzing targets before. > > We do register an at-exit handler because of that `exit` call in libFuzzer here: > > https://searchfox.org/mozilla-central/rev/819be4899a92213abf121b449779ced662f2ce13/tools/fuzzing/interface/harness/FuzzerRunner.cpp#46 > > Do you think that `DeinitXPCOM` method needs a call to `NS_ShutdownXPCOM` ? Unfortunately I'm not really that much experienced on how xpcom shutdown sequence, and so I should definitely like to double-check it with something that has more direct knowledge about those pieces, but in the meantime I took a look to get an initial picture and if I'm not reading it wrong I think that `DeinitXPCOM` should be already calling `NS_ShutdownXPCOM`. Would you mind to double-check if any of the following details are not right? - the ScopedXPCOM class used by InitLibFuzzer is the one defined in FuzzerTestHarness.h here: https://searchfox.org/mozilla-central/rev/61728de8273c04fe2417c475fc0637e8b79210d7/tools/fuzzing/interface/harness/FuzzerTestHarness.h#59 - at-exit FuzzerRunner.cpp calls DeinitXPCOM, which does call InitLibFuzzer.DeinitXPCOM() - InitLibFuzzer.DeinitXPCOM() does then destroy the ScopedXPCOM instance, which will invoke its destructor - The FuzzerTestHarness.h's ScopedXPCOM destructor should already be calling NS_ShutdownXPCOM here: https://searchfox.org/mozilla-central/rev/61728de8273c04fe2417c475fc0637e8b79210d7/tools/fuzzing/interface/harness/FuzzerTestHarness.h#106 - and NS_ShutdownXPCOM should be executing all the ClearOnShutdown's pointers added to the `sShutdownObservers` list of shutdown observers here: https://searchfox.org/mozilla-central/rev/61728de8273c04fe2417c475fc0637e8b79210d7/xpcom/build/XPCOMInit.cpp#656-660 I did want to also double-check if the pernosco trace linked in comment 5 does confirm that the sequence described above is actually consistent with what is really happening during the fuzzy test shutdown, but I couldn't load successfully the Pernosco trace (I already asked in the Pernosco support channel about the issue I'm having on loading this trace, but I'll try to take another look if I can get access to the trace again).