Open Bug 1017639 Opened 11 years ago Updated 2 years ago

PContentParent can be cycle collected before all its open actors have been released

Categories

(Core :: IPC, defect)


People

(Reporter: bkelly, Unassigned)


While running a try build for bug 1013571 I encountered this assertion:

Assertion failure: isEmpty(), at dist\include\mozilla/LinkedList.h:305

With the stack trace:

12:29:53 INFO - 0 xul.dll!mozilla::LinkedList<mozilla::ipc::IToplevelProtocol>::~LinkedList<mozilla::ipc::IToplevelProtocol>() [LinkedList.h:67265addfa29 : 305 + 0x20]
12:29:53 INFO - eip = 0x6560b0fc esp = 0x0031cb88 ebp = 0x0031cbb8 ebx = 0x00000001
12:29:53 INFO - esi = 0x24e2e74c edi = 0x6711a1f8 eax = 0x00000000 ecx = 0x7f8ba88c
12:29:53 INFO - edx = 0x6814e4d8 efl = 0x00000216
12:29:53 INFO - Found by: given as instruction pointer in context
12:29:53 INFO - 1 xul.dll!mozilla::ipc::IToplevelProtocol::~IToplevelProtocol() [ProtocolUtils.cpp:67265addfa29 : 23 + 0x7]
12:29:53 INFO - eip = 0x6560c6bb esp = 0x0031cb90 ebp = 0x0031cbb8
12:29:53 INFO - Found by: call frame info
12:29:53 INFO - 2 xul.dll!mozilla::dom::PContentParent::~PContentParent() [PContentParent.cpp:67265addfa29 : 210 + 0x10c]
12:29:53 INFO - eip = 0x656b8cdc esp = 0x0031cb9c ebp = 0x0031cbb8
12:29:53 INFO - Found by: call frame info
12:29:53 INFO - 3 xul.dll!mozilla::dom::ContentParent::~ContentParent() [ContentParent.cpp:67265addfa29 : 1672 + 0x5c]
12:29:53 INFO - eip = 0x65fdfe96 esp = 0x0031cba8 ebp = 0x0031cbb8
12:29:53 INFO - Found by: call frame info
12:29:53 INFO - 4 xul.dll!mozilla::dom::ContentParent::`scalar deleting destructor'(unsigned int) + 0xa
12:29:53 INFO - eip = 0x65fe2aaf esp = 0x0031cbc0 ebp = 0x0031cbc4
12:29:53 INFO - Found by: call frame info
12:29:53 INFO - 5 xul.dll!mozilla::dom::ContentParent::DeleteCycleCollectable() [ContentParent.cpp:67265addfa29 : 2156 + 0xf]
12:29:53 INFO - eip = 0x65fd2715 esp = 0x0031cbcc ebp = 0x0031cbd0
12:29:53 INFO - Found by: call frame info

This suggests that the root PContentParent can get cycle collected prior to its open actors getting cleaned up. Is this legal? If so, then we should probably clear mOpenActors somehow.
Alternatively, should we forcibly close all open actors if the top level actor is deleted? I was only able to produce this once out of ~20 runs. As far as I can tell, it's unrelated to the changes in bug 1013571.
Not sure how long these live on the try server, but here is the link to the full stack trace: https://tbpl.mozilla.org/php/getParsedLog.php?id=40567673&tree=Try&full=1#error2
This is ContentParent() getting freed under nsCycleCollector_doDeferredDeletion(), so there's no cycle collection per se involved. Instead, the ref count just dropped to 0, and we're calling the destructor.
Severity: normal → S3
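
The condition behind the isEmpty() assertion, as an added example that is not Gecko code and not from any commenter on this bug: a simplified intrusive list whose destructor expects to be empty, and a top-level owner destroyed with and without closing its open actors first. Node, List, Actor, TopLevel, CloseAll and violations_on_destroy are hypothetical names; the model counts the violation instead of asserting so both paths can run.

```cpp
#include <cstdio>

// Simplified intrusive list node (hypothetical, not mozilla::LinkedListElement).
struct Node {
    Node* prev = this;
    Node* next = this;
    bool linked() const { return next != this; }
    void unlink() { prev->next = next; next->prev = prev; prev = next = this; }
    ~Node() { if (linked()) unlink(); }
};

static int g_violations = 0;  // "list destroyed while non-empty" events

struct List {
    Node sentinel;
    bool empty() const { return !sentinel.linked(); }
    void push(Node& n) {
        n.prev = sentinel.prev; n.next = &sentinel;
        sentinel.prev->next = &n; sentinel.prev = &n;
    }
    Node* first() { return empty() ? nullptr : sentinel.next; }
    // A debug build would assert emptiness here; the model counts instead,
    // then unlinks survivors so they do not point at a dead sentinel.
    ~List() {
        if (!empty()) ++g_violations;
        while (Node* n = first()) n->unlink();
    }
};

struct Actor : Node { bool open = true; };

struct TopLevel {
    List openActors;      // stands in for mOpenActors
    bool closeOnDestroy;  // assumption: owner may force-close on teardown
    explicit TopLevel(bool c) : closeOnDestroy(c) {}
    void Open(Actor& a) { openActors.push(a); }
    void CloseAll() {
        while (Node* n = openActors.first()) {
            static_cast<Actor*>(n)->open = false;
            n->unlink();
        }
    }
    ~TopLevel() { if (closeOnDestroy) CloseAll(); }  // body runs before ~List
};

// Destroys an owner holding two open actors; returns the violation count.
int violations_on_destroy(bool closeOnDestroy) {
    g_violations = 0;
    Actor a, b;
    { TopLevel top(closeOnDestroy); top.Open(a); top.Open(b); }  // refcount hits 0
    return g_violations;
}

int main() { std::printf("%d %d\n", violations_on_destroy(false), violations_on_destroy(true)); }
```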