Closed Bug 1856084 Opened 9 months ago Closed 8 months ago

Assertion failure: gAtomTable, at /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:450

Categories

(Core :: Internationalization, defect, P3)

Product:
Core
Component:
Internationalization
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
121 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox119 --- wontfix
firefox120 --- fixed
firefox121 --- fixed

People

(Reporter: tsmith, Assigned: m_kato)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, pernosco, regression, Whiteboard: [fuzzblocker])

Attachments

(1 file)

Bug 1856084 - Destroy nsLanguageAtomService even if nsLayoutStatics isn't destroyed. r=#platform-i18n-reviewers
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
Details | Review

Found while fuzzing m-c 20230801-195161a06a7a (--enable-debug --enable-fuzzing)

This issue is frequently reported by fuzzer, marking as fuzzblocker.

A reduced test case is unavailable but a Pernosco session is available here: https://pernos.co/debug/ayB1RykLMCfymgx1brMTTg/index.html

Assertion failure: gAtomTable, at /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:450

#0 0x7f7add76eb0f in nsDynamicAtom::GCAtomTable() /builds/worker/checkouts/gecko/xpcom/ds/nsAtomTable.cpp:450:3
#1 0x7f7add762100 in operator() /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:295:9
#2 0x7f7add762100 in ForEachSlot<(lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:293:53)> /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:359:9
#3 0x7f7add762100 in ForEachSlot<(lambda at /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:293:53)> /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:349:7
#4 0x7f7add762100 in PLDHashTable::~PLDHashTable() /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:293:17
#5 0x7f7add9518dd in ~nsTHashtable /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:246:27
#6 0x7f7add9518dd in ~nsLanguageAtomService /builds/worker/checkouts/gecko/intl/locale/nsLanguageAtomService.h:23:7
#7 0x7f7add9518dd in mozilla::DefaultDelete<nsLanguageAtomService>::operator()(nsLanguageAtomService*) const /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:459:5
#8 0x7f7af183f494 in __run_exit_handlers stdlib/exit.c:113:8
#9 0x7f7af183f60f in exit stdlib/exit.c:143:3
#10 0x7f7af1823d96 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:74:3
#11 0x7f7af1823e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#12 0x563c52dec848 in _start (/home/worker/builds/m-c-20230801034557-fuzzing-debug/firefox-bin+0x58848) (BuildId: 52148a511e512f9d4a669f12c6ca730cd43cd3ec)

The severity field is not set for this bug.
:m_kato, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(m_kato)

I guess that this occurs on shutdown process. and I cannot find same signature in crash reporter. P3.

nsLanguageAtomService::GetService should return nullptr after staring shutdown phase.

Severity: -- → S3
Flags: needinfo?(m_kato)
Priority: -- → P3

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:m_kato, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(m_kato)
Assignee: nobody → m_kato

As long as looking pernosco session, since nsLayoutStatics isn't shutdown due to leaking object, gLangAtomService isn't clear.

This is a regression by bug 1729642. Even if leaking document etc during shutdown, should we clear gLangAtomService?

Flags: needinfo?(m_kato)

When looking pernos debug session, since nsLayoutStatics isn't destroyed,
nsLanguageAtomService isn't destroyed. It seems to be some objects are
leaked according to stdout and stderr on debug build.

So we should destroy this service to avoid other debug assertion even if
nsLayoutStatics isn't destroyed.

Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/4184b410e6d5
Destroy nsLanguageAtomService even if nsLayoutStatics isn't destroyed. r=platform-i18n-reviewers,dminor

https://hg.mozilla.org/mozilla-central/rev/4184b410e6d5

Status: NEW → RESOLVED
Closed: 8 months ago
status-firefox121: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch

The patch landed in nightly and beta is affected.
:m_kato, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox120 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(m_kato)

Comment on attachment 9361678 [details]
Bug 1856084 - Destroy nsLanguageAtomService even if nsLayoutStatics isn't destroyed. r=#platform-i18n-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: When window or document object is leaked during quitting Firefox, it causes possible crash.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): I move releasing ATOM object for I18N from layout code to XPCOM code.
  • String changes made/needed: N/A
  • Is Android affected?: Yes
Flags: needinfo?(m_kato)
Attachment #9361678 - Flags: approval-mozilla-beta?

Comment on attachment 9361678 [details]
Bug 1856084 - Destroy nsLanguageAtomService even if nsLayoutStatics isn't destroyed. r=#platform-i18n-reviewers

Approved for 120.0b9

Attachment #9361678 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: