Closed Bug 1667493 Opened 4 years ago Closed 3 years ago

crash near null in [@ mozilla::intl::LocaleService::GetAppLocaleAsBCP47]

Categories

(Core :: Internationalization, defect, P2)


Tracking


RESOLVED FIXED
84 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox82 --- wontfix
firefox83 --- wontfix
firefox84 --- fixed

People

(Reporter: tsmith, Assigned: m_kato)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file testcase.html

Found with m-c 20200923-efc5aeff23bd

==34271==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7fdfec4be2fe bp 0x7ffe07253d30 sp 0x7ffe07253d20 T0)
==34271==The signal is caused by a READ memory access.
==34271==Hint: address points to the zero page.
    #0 0x7fdfec4be2fe in Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:413:37
    #1 0x7fdfec4be2fe in IsEmpty /builds/worker/workspace/obj-build/dist/include/nsTArray.h:416:33
    #2 0x7fdfec4be2fe in mozilla::intl::LocaleService::GetAppLocaleAsBCP47(nsTSubstring<char>&) src/intl/locale/LocaleService.cpp:435:19
    #3 0x7fdfec4e0e2b in ICUUtils::LanguageTagIterForContent::GetNext(nsTSubstring<char>&) src/intl/unicharutil/util/ICUUtils.cpp:63:35
    #4 0x7fdfec4e21c2 in ICUUtils::ParseNumber(nsTSubstring<char16_t>&, ICUUtils::LanguageTagIterForContent&) src/intl/unicharutil/util/ICUUtils.cpp:127:13
    #5 0x7fdff232c3d1 in mozilla::dom::NumericInputTypeBase::ConvertStringToNumber(nsTSubstring<char16_t>&, blink::Decimal&) const src/dom/html/input/NumericInputTypes.cpp:100:27
    #6 0x7fdff2199380 in mozilla::dom::HTMLInputElement::SanitizeValue(nsTSubstring<char16_t>&, mozilla::dom::HTMLInputElement::ForValueGetter) src/dom/html/HTMLInputElement.cpp:4496:29
    #7 0x7fdff22a5dd3 in mozilla::TextControlState::GetValue(nsTSubstring<char16_t>&, bool) const src/dom/html/TextControlState.cpp:2532:25
    #8 0x7fdff22dd953 in mozilla::TextControlState::HasNonEmptyValue() src/dom/html/TextControlState.cpp:2989:3
    #9 0x7fdff219a274 in mozilla::dom::HTMLInputElement::IsValueEmpty() const src/dom/html/HTMLInputElement.cpp:1497:32
    #10 0x7fdff219775f in IsValueMissing src/dom/html/HTMLInputElement.cpp:6410:22
    #11 0x7fdff219775f in mozilla::dom::HTMLInputElement::UpdateValueMissingValidityState() src/dom/html/HTMLInputElement.cpp:6499:50
    #12 0x7fdff21b21b6 in mozilla::dom::HTMLInputElement::UnbindFromTree(bool) src/dom/html/HTMLInputElement.cpp:4246:3
    #13 0x7fdfefa841c4 in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:1872:12
    #14 0x7fdff22fa3d1 in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:492:20
    #15 0x7fdfefa841c4 in mozilla::dom::Element::UnbindFromTree(bool) src/dom/base/Element.cpp:1872:12
    #16 0x7fdff22fa3d1 in nsGenericHTMLElement::UnbindFromTree(bool) src/dom/html/nsGenericHTMLElement.cpp:492:20
    #17 0x7fdff2284d90 in mozilla::dom::HTMLSharedElement::UnbindFromTree(bool) src/dom/html/HTMLSharedElement.cpp:250:25
    #18 0x7fdfef9d6d4f in mozilla::dom::Document::cycleCollection::Unlink(void*) src/dom/base/Document.cpp:2251:12
    #19 0x7fdfec18e2b5 in nsCycleCollector::CollectWhite() src/xpcom/base/nsCycleCollector.cpp:3083:26
    #20 0x7fdfec190e6d in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3432:24
    #21 0x7fdfec1909f5 in nsCycleCollector::ShutdownCollect() src/xpcom/base/nsCycleCollector.cpp:3352:20
    #22 0x7fdfec1928d6 in nsCycleCollector::Shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3641:5
    #23 0x7fdfec194513 in nsCycleCollector_shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3956:18
    #24 0x7fdfec3c6fcd in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:719:3
    #25 0x7fdff7f7d120 in ScopedXPCOMStartup::~ScopedXPCOMStartup() src/toolkit/xre/nsAppRunner.cpp:1299:5
    #26 0x7fdff7f977fe in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:460:5
    #27 0x7fdff7f977fe in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
    #28 0x7fdff7f977fe in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:275:5
    #29 0x7fdff7f977fe in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4998:16
    #30 0x7fdff7f98073 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5038:21
    #31 0x557163ef2ab5 in do_main src/browser/app/nsBrowserApp.cpp:218:22
    #32 0x557163ef2ab5 in main src/browser/app/nsBrowserApp.cpp:336:16
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/_N1ES6m2etWEBZ1D4Hwgxw/index.html

Severity: -- → S2
Priority: -- → P2
Assignee: nobody → m_kato

Although ICUUtils uses the locale service, the locale service will be shut down before
the shutdown observer. So this shouldn't use the locale service after shutdown
has started.

Also, when getting the locale service by GetInstance(), it will unfortunately create
its own instance even if shutting down, and then it hits an assertion by
ClearOnShutdown. So we should not create our own instance after shutdown
has started.
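The comment above describes a singleton lifecycle hazard: a caller reaching the service after it has already been cleared on shutdown, and a GetInstance() that lazily creates a fresh instance too late in the process. The C++ below is an added illustration, not Firefox code and not the patch that landed (which instead keeps the service alive through the normal shutdown phase). It models a shutdown-aware GetInstance() that returns nullptr once shutdown has begun, an unchecked caller in the shape of the crashing frame that would read through that null pointer, and a hardened caller that falls back to a default locale. The class and function names, the shutdown flag and the sample locale list are all constructed for this example.

```cpp
// Added example (not Firefox code): a minimal model of a lazily created
// singleton service and a caller that tolerates its absence during shutdown.
// Names mirror the real classes for readability only; the logic is simplified
// and constructed for this illustration.
#include <iostream>
#include <memory>
#include <string>
#include <vector>

namespace demo {

class LocaleService {
 public:
  // Shared instance, created on first use. Once shutdown has begun, refuse to
  // create a fresh instance and hand back nullptr so callers can bail out
  // instead of touching a torn-down or late-constructed object.
  static LocaleService* GetInstance() {
    if (sShutdownStarted) {
      return nullptr;
    }
    if (!sInstance) {
      sInstance.reset(new LocaleService());
    }
    return sInstance.get();
  }

  // Marks the shutdown phase and destroys the instance (a hypothetical
  // stand-in for the service being cleared on shutdown).
  static void Shutdown() {
    sShutdownStarted = true;
    sInstance.reset();
  }

  static bool ShutdownStarted() { return sShutdownStarted; }

  // Copies the first app locale into aLocale; returns false (and a default)
  // if no locale is configured.
  bool GetAppLocaleAsBCP47(std::string& aLocale) const {
    if (mAppLocales.empty()) {
      aLocale = "en-US";
      return false;
    }
    aLocale = mAppLocales.front();
    return true;
  }

 private:
  LocaleService() : mAppLocales{"de-DE"} {}  // constructed sample locale list
  std::vector<std::string> mAppLocales;
  static std::unique_ptr<LocaleService> sInstance;
  static bool sShutdownStarted;
};

std::unique_ptr<LocaleService> LocaleService::sInstance;
bool LocaleService::sShutdownStarted = false;

// Caller in the shape of the crashing frame: it never checks whether the
// service still exists, so after Shutdown() it reads through a null pointer
// (the same class of fault as the ASan report above). Only safe before shutdown.
std::string NextLanguageTagUnchecked() {
  std::string tag;
  LocaleService::GetInstance()->GetAppLocaleAsBCP47(tag);
  return tag;
}

// Hardened caller: treats a missing service as a normal condition during
// shutdown and falls back to a constructed default instead of crashing.
std::string NextLanguageTag() {
  std::string tag;
  if (LocaleService* service = LocaleService::GetInstance()) {
    service->GetAppLocaleAsBCP47(tag);
  } else {
    tag = "en-US";  // fallback once the service is gone
  }
  return tag;
}

}  // namespace demo

int main() {
  std::cout << demo::NextLanguageTag() << '\n';  // de-DE
  demo::LocaleService::Shutdown();
  std::cout << (demo::LocaleService::GetInstance() == nullptr) << '\n';  // 1
  std::cout << demo::NextLanguageTag() << '\n';  // en-US
  return 0;
}
```

The design point is that the null return is the contract, not an error: once the shutdown flag is set, GetInstance() neither dereferences nor recreates the singleton, and every late caller must be written to expect nullptr. Wiring that flag to the real shutdown phase (rather than to the instance pointer being empty) is what prevents the late re-creation the comment describes.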

Attachment #9184187 - Attachment description: Bug 1667493 - Locale service will return nullptr during shutting down. → Bug 1667493 - Locale service shouldn't shutdown during normal shutting down phase. r=jfkthame
Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/a7ba6638fa20
Locale service shouldn't shutdown during normal shutting down phase. r=jfkthame
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Flags: in-testsuite? → in-testsuite+