Open Bug 1874324 Opened 1 year ago Updated 11 months ago

LeakSanitizer: detected memory leaks [@ MakeGlyphAtlas]

Categories: Core :: Graphics: Text (defect)

Tracking Status
firefox-esr115 --- affected
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- fix-optional

People: Reporter tsmith, Unassigned

References: Blocks 1 open bug, Regression

Details: 4 keywords, Whiteboard: [bugmon:bisected,confirmed]

Attachments (1 file): testcase.zip, 4.30 KB, application/x-zip-compressed

Attached file testcase.zip

Found while fuzzing m-c 20231111-03298dc094d1 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ ASAN_OPTIONS=detect_leaks=1 python -m grizzly.replay.bugzilla ./firefox/firefox <bugid> --no-harness

==447879==ERROR: LeakSanitizer: detected memory leaks

The 1 top leak(s):
Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x561b60b5ef0e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x561b60ba4025 in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f97b0195ce2 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f97b0195ce2 in MakeGlyphAtlas /builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp:130:10
    #4 0x7f97b0195ce2 in GetGlyphAtlas /builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp:159:23
    #5 0x7f97b0195ce2 in gfxFontMissingGlyphs::DrawMissingGlyph(unsigned int, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawTarget&, mozilla::gfx::Pattern const&, mozilla::gfx::BaseMatrix<float> const*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp:446:13
    #6 0x7f97b0193a2c in gfxFont::DrawMissingGlyph(TextRunDrawParams const&, FontDrawParams const&, gfxShapedText::DetailedGlyph const*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2224:5
    #7 0x7f97b01a1d46 in bool gfxFont::DrawGlyphs<(gfxFont::FontComplexityT)0, (gfxFont::SpacingT)0>(gfxShapedText const*, unsigned int, unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, mozilla::gfx::BaseMatrix<float> const*, GlyphBufferAzure&) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2052:18
    #8 0x7f97b019ac13 in gfxFont::Draw(gfxTextRun const*, unsigned int, unsigned int, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, TextRunDrawParams&, mozilla::gfx::ShapedTextFlags) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2562:13
    #9 0x7f97b02d8aa0 in gfxTextRun::DrawGlyphs(gfxFont*, gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>*, gfxTextRun::PropertyProvider const*, gfxTextRun::Range, TextRunDrawParams&, mozilla::gfx::ShapedTextFlags) const /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:431:10
    #10 0x7f97b02db8df in gfxTextRun::Draw(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>, gfxTextRun::DrawParams const&) const /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:685:5
    #11 0x7f97b928d962 in DrawTextRun(gfxTextRun const*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, gfxTextRun::Range, nsTextFrame::DrawTextRunParams const&, nsTextFrame*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:6922:17
    #12 0x7f97b928cbcb in nsTextFrame::DrawTextRun(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, nsTextFrame::DrawTextRunParams const&) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:6933:3
    #13 0x7f97b927d47a in nsTextFrame::DrawText(gfxTextRun::Range, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, nsTextFrame::DrawTextParams const&) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:7176:5
    #14 0x7f97b9283201 in nsTextFrame::PaintTextWithSelectionColors(nsTextFrame::PaintTextSelectionParams const&, mozilla::UniquePtr<SelectionDetails, mozilla::DefaultDelete<SelectionDetails>> const&, unsigned short*, nsTextFrame::ClipEdges const&) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:6338:5
    #15 0x7f97b92879ed in nsTextFrame::PaintTextWithSelection(nsTextFrame::PaintTextSelectionParams const&, nsTextFrame::ClipEdges const&) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:6428:8
    #16 0x7f97b928b53a in nsTextFrame::PaintText(nsTextFrame::PaintTextParams const&, int, int, nsPoint const&, bool, float) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:6803:9
    #17 0x7f97b972219f in mozilla::nsDisplayText::RenderToContext(gfxContext*, mozilla::nsDisplayListBuilder*, nsRect const&, float, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7651:6
    #18 0x7f97b9721618 in mozilla::nsDisplayText::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7479:3
    #19 0x7f97aff6ee74 in mozilla::layers::PaintItemByDrawTarget(mozilla::nsDisplayItem*, mozilla::gfx::DrawTarget*, mozilla::gfx::PointTyped<mozilla::LayoutDevicePixel, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::BaseScaleFactors2D<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::DeviceColor>&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2351:38
    #20 0x7f97aff6b92e in mozilla::layers::WebRenderCommandBuilder::GenerateFallbackData(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*, mozilla::gfx::RectTyped<mozilla::LayoutDevicePixel, float>&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2609:7
    #21 0x7f97aff614fd in mozilla::layers::WebRenderCommandBuilder::PushItemAsImage(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2897:48
    #22 0x7f97aff5daf4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2130:7
    #23 0x7f97b97005ad in CreateWebRenderCommandsNewClipListOption /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4607:30
    #24 0x7f97b97005ad in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4944:12
    #25 0x7f97b97005ad in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5233:22
    #26 0x7f97aff61327 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1864:41
    #27 0x7f97aff5daf4 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2130:7
    #28 0x7f97aff5a177 in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1785:5
    #29 0x7f97aff87cc5 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:364:30
    #30 0x7f97b96cb42a in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2290:18
    #31 0x7f97b8dd53f6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3432:9
    #32 0x7f97b8c966ba in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6471:5
    #33 0x7f97b81cc8c3 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:408:18
    #34 0x7f97b81cbb9b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:343:22

Objects leaked above:
0x5030008c27e0 (24 bytes)

Verified bug as reproducible on mozilla-central 20240112045806-1d2ccbe0bb6d.
The bug appears to have been introduced in the following build range:

Start: a7b749260f1138fa49a360ebdcbc65e91403072e (20230325065130)
End: 8cc1378a958cabe32424bac91f97d63c3e6d1e91 (20230325115312)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a7b749260f1138fa49a360ebdcbc65e91403072e&tochange=8cc1378a958cabe32424bac91f97d63c3e6d1e91

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Given the range in comment 1, it's clearly bug 1823365 that must be involved here.

The glyph atlas is supposed to be purged during shutdown (via gfxFontMissingGlyphs::Shutdown, called from gfxPlatform::Shutdown), so the question is why that's not working (or not being called at all?) in this case.

As there's a single global glyph atlas involved, this is just a singleton that's not being freed as expected, not a cumulative leak. So there should be no impact on actual users.

Severity: -- → S3
Regressed by: CVE-2023-29537
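The comment above makes two claims that are worth checking in isolation: the missing-glyph atlas is one process-wide object released only by an explicit shutdown call, and because every draw shares that object the worst case is a bounded leak of a single allocation rather than one that grows per glyph. The following is added example code, not Gecko's gfxFontMissingGlyphs implementation; the GlyphAtlas type, the counters and the DrawMissingGlyph/ShutdownGlyphAtlas names are hypothetical stand-ins for the pattern described. It counts live atlas objects in-process so a test can assert that many draws create one atlas and that shutdown leaves zero.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for the process-global glyph atlas (added example,
// not Gecko's code). Construction/destruction counters give an in-process
// analogue of LSan's "N object(s)" figure.
struct GlyphAtlas {
  std::vector<uint8_t> pixels;
  explicit GlyphAtlas(size_t bytes) : pixels(bytes, 0) { ++sConstructed; }
  ~GlyphAtlas() { ++sDestroyed; }
  static size_t sConstructed;
  static size_t sDestroyed;
};
size_t GlyphAtlas::sConstructed = 0;
size_t GlyphAtlas::sDestroyed = 0;

// Number of atlas objects currently alive.
size_t LiveAtlasCount() {
  return GlyphAtlas::sConstructed - GlyphAtlas::sDestroyed;
}

// Single lazily created atlas, released only by an explicit shutdown call,
// mirroring the "purged during shutdown" pattern the comment describes.
static GlyphAtlas* gAtlas = nullptr;

static GlyphAtlas* GetGlyphAtlas() {
  if (!gAtlas) {
    gAtlas = new GlyphAtlas(16 * 16);  // constructed sample size
  }
  return gAtlas;
}

// Stand-in for the per-glyph draw path: every missing glyph goes through the
// shared atlas, so the live count must stay at one regardless of draw count.
void DrawMissingGlyph(size_t glyphIndex) {
  GlyphAtlas* atlas = GetGlyphAtlas();
  atlas->pixels[glyphIndex % atlas->pixels.size()] = 0xFF;
}

// The explicit release step; if this is never reached, exactly one object of
// sizeof(GlyphAtlas) bytes (plus its pixel buffer) stays allocated at exit.
void ShutdownGlyphAtlas() {
  delete gAtlas;
  gAtlas = nullptr;
}

// Draws `count` glyphs and reports how many atlas objects are alive afterwards.
// A correctly shared singleton yields 1; a value growing with `count` would
// indicate a cumulative leak, which is the case the comment rules out.
size_t LiveAtlasesAfterDrawing(size_t count) {
  for (size_t i = 0; i < count; ++i) {
    DrawMissingGlyph(i);
  }
  return LiveAtlasCount();
}

// Leak check a unit test can run: true when shutdown left nothing alive.
bool ShutdownReleasesAtlas() {
  LiveAtlasesAfterDrawing(8);
  ShutdownGlyphAtlas();
  return LiveAtlasCount() == 0;
}

int main() {
  // 1000 draws still create a single atlas; skipping ShutdownGlyphAtlas()
  // would leave that one object behind, a bounded rather than growing leak.
  size_t live = LiveAtlasesAfterDrawing(1000);
  ShutdownGlyphAtlas();
  return (live == 1 && LiveAtlasCount() == 0) ? 0 : 1;
}
```

Building this with `-fsanitize=address` and running with `ASAN_OPTIONS=detect_leaks=1` gives the same kind of report as the one in comment 0 if the shutdown call is removed, with one caveat: LeakSanitizer only reports an allocation when nothing it treats as a root (globals, stacks, registers, thread-local storage) still points at it when the check runs, so a global that still holds the pointer keeps the object live. A reported direct leak therefore means that at check time the reference had been dropped without the object being deleted, which is the "not working, or not being called at all" question the comment raises.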

Set release status flags based on info from the regressing bug 1823365
