Assertion failure: gAtomTable, at /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:450
Categories
(Core :: Internationalization, defect, P3)
Tracking
()
People
(Reporter: tsmith, Assigned: m_kato)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, pernosco, regression, Whiteboard: [fuzzblocker])
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
|
Details | Review |
Found while fuzzing m-c 20230801-195161a06a7a (--enable-debug --enable-fuzzing)
This issue is frequently reported by fuzzer, marking as fuzzblocker.
A reduced test case is unavailable but a Pernosco session is available here: https://pernos.co/debug/ayB1RykLMCfymgx1brMTTg/index.html
Assertion failure: gAtomTable, at /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:450
#0 0x7f7add76eb0f in nsDynamicAtom::GCAtomTable() /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:450:3
#1 0x7f7add762100 in operator() /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:295:9
#2 0x7f7add762100 in ForEachSlot<(lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:293:53)> /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:359:9
#3 0x7f7add762100 in ForEachSlot<(lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:293:53)> /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:349:7
#4 0x7f7add762100 in PLDHashTable::~PLDHashTable() /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:293:17
#5 0x7f7add9518dd in ~nsTHashtable /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:246:27
#6 0x7f7add9518dd in ~nsLanguageAtomService /builds/worker/checkouts/gecko/intl/locale/nsLanguageAtomService.h:23:7
#7 0x7f7add9518dd in mozilla::DefaultDelete<nsLanguageAtomService>::operator()(nsLanguageAtomService*) const /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
#8 0x7f7af183f494 in __run_exit_handlers stdlib/exit.c:113:8
#9 0x7f7af183f60f in exit stdlib/exit.c:143:3
#10 0x7f7af1823d96 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#11 0x7f7af1823e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#12 0x563c52dec848 in _start (/home/worker/builds/m-c-20230801034557-fuzzing-debug/firefox-bin+0x58848) (BuildId: 52148a511e512f9d4a669f12c6ca730cd43cd3ec)
|
||
Comment 1•1 year ago
|
||
The severity field is not set for this bug.
:m_kato, could you have a look please?
For more information, please visit BugBot documentation.
|
Assignee | |
Comment 2•1 year ago
|
||
I guess that this occurs on shutdown process. and I cannot find same signature in crash reporter. P3.
nsLanguageAtomService::GetService should return nullptr after staring shutdown phase.
|
|
||
Comment 3•1 year ago
|
||
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:m_kato, could you consider increasing the severity?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 4•1 year ago
|
||
As long as looking pernosco session, since nsLayoutStatics isn't shutdown due to leaking object, gLangAtomService isn't clear.
This is a regression by bug 1729642. Even if leaking document etc during shutdown, should we clear gLangAtomService?
|
|
Assignee | |
Comment 5•1 year ago
|
||
When looking pernos debug session, since nsLayoutStatics isn't destroyed,
nsLanguageAtomService isn't destroyed. It seems to be some objects are
leaked according to stdout and stderr on debug build.
So we should destroy this service to avoid other debug assertion even if
nsLayoutStatics isn't destroyed.
|
||
Comment 7•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 8•1 year ago
|
||
The patch landed in nightly and beta is affected.
:m_kato, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox120towontfix.
For more information, please visit BugBot documentation.
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 9•1 year ago
|
||
Comment on attachment 9361678 [details]
Bug 1856084 - Destroy nsLanguageAtomService even if nsLayoutStatics isn't destroyed. r=#platform-i18n-reviewers
Beta/Release Uplift Approval Request
- User impact if declined: When window or document object is leaked during quitting Firefox, it causes possible crash.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): I move releasing ATOM object for I18N from layout code to XPCOM code.
- String changes made/needed: N/A
- Is Android affected?: Yes
|
||
Comment 10•1 year ago
|
||
Comment on attachment 9361678 [details]
Bug 1856084 - Destroy nsLanguageAtomService even if nsLayoutStatics isn't destroyed. r=#platform-i18n-reviewers
Approved for 120.0b9
|
||
Comment 11•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
Description
•