Open Bug 1681681 Opened 5 years ago Updated 4 years ago

JS shell and fuzz-tests crash when libFuzzer calls `exit`

Categories

(Core :: Fuzzing, defect)

All
Linux
defect

Tracking

REOPENED
85 Branch
Tracking Status
firefox85 --- wontfix
firefox86 --- wontfix
firefox87 --- fix-optional

People

(Reporter: decoder, Assigned: decoder)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Since the refactoring in bug 1664810, both the JS shell (when used in jsrtfuzzing mode) and the fuzz-tests binary crash when libFuzzer calls exit, because an in-use mutex is being destroyed. This affects mostly merge jobs and coverage runs because in these situations, libFuzzer will exit eventually (in regular fuzzing, libFuzzer just keeps going forever until it crashes).

Right now, the easiest solution seems to be another atexit handler, just like we have in Firefox already for deinitializing XPCOM.

Pushed by choller@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2a964c5fd1a9 Call JS_ShutDown when libFuzzer exits in JS. r=jandem
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch

Reopening this, because we need a follow-up to silence a warning I am seeing now in some targets. The problem is that we should also free any active runtimes before calling shutdown. This isn't a blocker like the previous issue, but it would still be much cleaner to properly shut down all runtimes instead of leaking them.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Severity: -- → S4
Has Regression Range: --- → yes
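The teardown ordering the two comments above describe, as an added C example that is not Mozilla's code: a stand-in engine (the hypothetical names engine_init, engine_new_runtime, engine_destroy_runtime and engine_shutdown stand in for the SpiderMonkey API, and the mutex is reduced to a live-runtime count) plus an atexit handler registered from the fuzzer's initialization, which destroys live runtimes before global shutdown and is safe to run twice.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_RUNTIMES 8

/* Stand-in engine state (hypothetical, not SpiderMonkey). The real engine keeps a
   global mutex here that must not be destroyed while a runtime still uses it. */
static int g_engine_up = 0, g_live_count = 0, g_teardown_done = 0;
static int g_runtime_live[MAX_RUNTIMES];
static char g_trace[64];  /* one character per lifecycle step, in order */
static void trace(char step) {
    size_t n = strlen(g_trace);
    if (n + 1 < sizeof g_trace) { g_trace[n] = step; g_trace[n + 1] = '\0'; }
}
const char *engine_trace(void) { return g_trace; }
int engine_live_runtimes(void) { return g_live_count; }
int engine_init(void) { g_engine_up = 1; trace('I'); return 0; }

/* Creates a runtime; returns its slot id, or -1 if the engine is down or full. */
int engine_new_runtime(void) {
    if (!g_engine_up) return -1;
    for (int i = 0; i < MAX_RUNTIMES; i++)
        if (!g_runtime_live[i]) { g_runtime_live[i] = 1; g_live_count++; trace('N'); return i; }
    return -1;
}
int engine_destroy_runtime(int id) {
    if (id < 0 || id >= MAX_RUNTIMES || !g_runtime_live[id]) return -1;
    g_runtime_live[id] = 0; g_live_count--; trace('D'); return 0;
}
/* Global shutdown with live runtimes is refused: this is the warning the follow-up
   comment describes, where the runtimes would otherwise leak. */
int engine_shutdown(void) {
    if (g_live_count != 0) { trace('W'); return -1; }
    g_engine_up = 0; trace('S'); return 0;
}

/* atexit handler: destroy every live runtime, then shut the engine down. It is
   idempotent, so a direct call plus the exit-time call cannot tear down twice. */
void fuzzer_teardown(void) {
    if (g_teardown_done) return;
    g_teardown_done = 1;
    for (int i = 0; i < MAX_RUNTIMES; i++) engine_destroy_runtime(i);
    engine_shutdown();
}

/* What a libFuzzer target does in LLVMFuzzerInitialize: bring the engine up and register the teardown so that libFuzzer's own exit() runs it. */
int fuzzer_initialize(void) {
    if (engine_init() != 0) return -1;
    return atexit(fuzzer_teardown);
}
```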