Closed Bug 180182 Opened 22 years ago Closed 22 years ago

crash[@ 0x10101010 - js_GetSlotThreadSafe - JS_GetPrivate]

Product/Component: Core :: XPConnect (defect)
Platform: x86, Windows 2000
Severity: critical
Status: VERIFIED FIXED
Reporter: timeless; Assigned: dbradley
Keywords: crash, topcrash
Attachments: 1 file

doron pulled this version of the crash from talkback:

0x10101010
js_GetSlotThreadSafe [d:/builds/seamonkey/mozilla/js/src/jslock.c, line 563]
JS_GetPrivate [d:/builds/seamonkey/mozilla/js/src/jsapi.c, line 1928]
js_CloneFunctionObject [d:/builds/seamonkey/mozilla/js/src/jsfun.c, line 1954]
JS_CloneFunctionObject [d:/builds/seamonkey/mozilla/js/src/jsapi.c, line 2771]
DefinePropertyIfFound [d:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 439]
XPC_WN_ModsAllowed_Proto_Resolve [d:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1416]
js_LookupProperty [d:/builds/seamonkey/mozilla/

A user comment on one of the talkbacks: "Trying to get this ***** javascript debugger to tell me the **** errors of my javascript page, but it told me jack **** in the way of information, and decided to crash."

References:
- bug 90378 (critical, sspitzer@netscape.com, VERIFIED FIXED, MailNews / Address, nbaca@netscape.com): Address Book, "select all" and "delete" leads to crash - M096 [@ 0x10101010 - js_GetSlotThreadSafe]
- bug 105332 (normal, khanson@netscape.com, VERIFIED DUPLICATE, Browser / JavaScri, pschwartau@netscape.com): stack trace should have a bug on file [@0x10101010]
- bug 127047 (critical, joki@netscape.com, VERIFIED DUPLICATE, Browser / DOM Even, vladimire@netscape.com): M1RC1 Trunk crashes [@ 0x01101010 | 0x10101010 - js_GetSlotThreadSafe | JS_GetPrivate]

Here's my version:

10101010()
js_GetSlotThreadSafe(JSContext * 0x004f7e70, JSObject * 0x0153cc40, unsigned long 2) line 553 + 37 bytes
JS_GetPrivate(JSContext * 0x004f7e70, JSObject * 0x0153cc40) line 1926 + 231 bytes
js_CloneFunctionObject(JSContext * 0x004f7e70, JSObject * 0x0153cc40, JSObject * 0x03309090) line 1953 + 13 bytes
JS_CloneFunctionObject(JSContext * 0x004f7e70, JSObject * 0x0153cc40, JSObject * 0x03309090) line 2770 + 17 bytes
DefinePropertyIfFound(XPCCallContext & {...}, JSObject * 0x03309090, long 16927268, XPCNativeSet * 0x02e6dbb0, XPCNativeInterface * 0x005359d0, XPCNativeMember * 0x00535a0c, XPCWrappedNativeScope * 0x040559c0, int 1, XPCWrappedNative * 0x04060330, XPCWrappedNative * 0x04060330, XPCNativeScriptableInfo * 0x00000000, unsigned int 7, int * 0x00000000) line 438 + 26 bytes
XPC_WN_NoHelper_Resolve(JSContext * 0x004f7e70, JSObject * 0x03309090, long 16927268) line 720 + 50 bytes
_js_LookupProperty(JSContext * 0x004f7e70, JSObject * 0x03309090, long 5463568, JSObject * * 0x0012d2e0, JSProperty * * 0x0012d2d4, const char * 0x100cf114, unsigned int 2478) line 2317 + 42 bytes
js_GetProperty(JSContext * 0x004f7e70, JSObject * 0x03309090, long 5463568, long * 0x0012da1c) line 2478 + 35 bytes
js_Interpret(JSContext * 0x004f7e70, long * 0x0012db9c) line 2634 + 1785 bytes
js_Invoke(JSContext * 0x004f7e70, unsigned int 1, unsigned int 2) line 856 + 13 bytes
js_InternalInvoke(JSContext * 0x004f7e70, JSObject * 0x03309060, long 53514128, unsigned int 0, unsigned int 1, long * 0x0012dc98, long * 0x0012dcb0) line 931 + 20 bytes
JS_CallFunctionValue(JSContext * 0x004f7e70, JSObject * 0x03309060, long 53514128, unsigned int 1, long * 0x0012dc98, long * 0x0012dcb0) line 3431 + 31 bytes
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject(XPCCallContext & {...}, JSObject * 0x03309060, const nsID & {...}) line 262 + 28 bytes
nsXPCWrappedJSClass::DelegatedQueryInterface(nsXPCWrappedJSClass * const 0x03b1c700, nsXPCWrappedJS * 0x04060390, const nsID & {...}, void * * 0x0012dddc) line 588 + 25 bytes
nsXPCWrappedJS::QueryInterface(nsXPCWrappedJS * const 0x04060390, const nsID & {...}, void * * 0x0012dddc) line 93
nsQueryInterface::operator()(const nsID & {...}, void * * 0x0012dddc) line 47 + 25 bytes
nsCOMPtr<nsIClassInfo>::assign_from_helper(const nsCOMPtr_helper & {...}, const nsID & {...}) line 922 + 18 bytes
nsCOMPtr<nsIClassInfo>::nsCOMPtr<nsIClassInfo>(const nsQueryInterface & {...}) line 566
XPCWrappedNative::GetNewOrUsed(XPCCallContext & {...}, nsISupports * 0x04060390, XPCWrappedNativeScope * 0x005032a0, XPCNativeInterface * 0x004e1060, XPCWrappedNative * * 0x0012df60) line 274
XPCConvert::NativeInterface2JSObject(XPCCallContext & {...}, nsIXPConnectJSObjectHolder * * 0x0012e0ac, nsISupports * 0x04060390, const nsID * 0x0012e0d0, JSObject * 0x03308d48, unsigned int * 0x0012e020) line 1059 + 30 bytes
nsXPConnect::WrapNative(nsXPConnect * const 0x004dffc0, JSContext * 0x004f7e70, JSObject * 0x03308d48, nsISupports * 0x04060390, const nsID & {...}, nsIXPConnectJSObjectHolder * * 0x0012e0ac) line 566 + 29 bytes
nsJSCID::GetService(nsJSCID * const 0x04055e50, nsISupports * * 0x0012e288) line 886 + 57 bytes
XPTC_InvokeByIndex(nsISupports * 0x04055e50, unsigned int 11, unsigned int 1, nsXPTCVariant * 0x0012e288) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2016 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x004f7e70, JSObject * 0x03308d48, unsigned int 0, long * 0x01077ef8, long * 0x0012e52c) line 1281 + 14 bytes
js_Invoke(JSContext * 0x004f7e70, unsigned int 0, unsigned int 0) line 839 + 23 bytes
js_Interpret(JSContext * 0x004f7e70, long * 0x0012fe50) line 2803 + 15 bytes
js_Execute(JSContext * 0x004f7e70, JSObject * 0x010240c0, JSScript * 0x0050aa10, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fe50) line 1020 + 13 bytes
JS_ExecuteScript(JSContext * 0x004f7e70, JSObject * 0x010240c0, JSScript * 0x0050aa10, long * 0x0012fe50) line 3277 + 25 bytes
Process(JSContext * 0x004f7e70, JSObject * 0x010240c0, char * 0x00000000, _iobuf * 0x10256808) line 517 + 22 bytes
ProcessArgs(JSContext * 0x004f7e70, JSObject * 0x010240c0, char * * 0x004a4434, int 2) line 655 + 33 bytes
main(int 2, char * * 0x004a4434) line 912 + 21 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87903()

Registers:

EAX = 0153CC48 EBX = 7FFDF000 ECX = 0153C6A1 EDX = 0153CC40
ESI = 00000000 EDI = 00000000 EIP = 10101010 ESP = 0012CF44 EBP = 0012CF68
EFL = 00000202 CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 0038 GS = 0000
OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=0 CY=0
ST0 = +0.00000000000000000e+0000

Here's the code:

js_GetSlotThreadSafe(JSContext * 0x004f7e70, JSObject * 0x0153cc40, unsigned long 2) line 553 + 37 bytes

552:      if (!OBJ_IS_NATIVE(obj))
1005C826  mov         eax,dword ptr [obj]
1005C829  mov         ecx,dword ptr [eax]
1005C82B  cmp         dword ptr [ecx+4],offset _js_ObjectOps (100ccba8)
1005C832  je          js_GetSlotThreadSafe+6Dh (1005c88d)
1005C834  mov         edx,dword ptr [obj]
1005C837  mov         eax,dword ptr [edx]
1005C839  cmp         dword ptr [eax+4],0
1005C83D  je          js_GetSlotThreadSafe+31h (1005c851)
1005C83F  mov         ecx,dword ptr [obj]
1005C842  mov         edx,dword ptr [ecx]
1005C844  mov         eax,dword ptr [edx+4]
1005C847  mov         ecx,dword ptr [eax]
1005C849  cmp         ecx,dword ptr [_js_ObjectOps (100ccba8)]
1005C84F  je          js_GetSlotThreadSafe+6Dh (1005c88d)
553:          return OBJ_GET_REQUIRED_SLOT(cx, obj, slot);
1005C851  mov         edx,dword ptr [obj]
1005C854  mov         eax,dword ptr [edx]
1005C856  mov         ecx,dword ptr [eax+4]
1005C859  cmp         dword ptr [ecx+58h],0
1005C85D  je          js_GetSlotThreadSafe+5Eh (1005c87e)
1005C85F  mov         edx,dword ptr [slot]
1005C862  push        edx
1005C863  mov         eax,dword ptr [obj]
1005C866  push        eax
1005C867  mov         ecx,dword ptr [cx]
1005C86A  push        ecx
1005C86B  mov         edx,dword ptr [obj]
1005C86E  mov         eax,dword ptr [edx]
1005C870  mov         ecx,dword ptr [eax+4]
1005C873  call        dword ptr [ecx+58h]          <-- crash here
1005C876  add         esp,0Ch
1005C879  mov         dword ptr [ebp-14h],eax
1005C87C  jmp         js_GetSlotThreadSafe+65h (1005c885)
1005C87E  mov         dword ptr [ebp-14h],80000001h
1005C885  mov         eax,dword ptr [ebp-14h]
1005C888  jmp         js_GetSlotThreadSafe+267h (1005ca87)
554:
555:      /*
556:       * Native object locking is inlined here to optimize the single-threaded
557:       * and contention-free multi-threaded cases.
558:       */
559:      scope = OBJ_SCOPE(obj);

The way I tickled this (yes, the code is very invalid, but it's good for tickling problems):

js> const C=Components.classes, I=Components.interfaces;
js> var o; for (a in C) if (!/dom|box/i.test(a)) try {o=C[a].getService(); for (i in I) o instanceof I[i];} catch (e) {}
###!!! ASSERTION: null ptr: 'aURI != nsnull', file i:/build/mozilla/rdf/base/src/nsRDFService.cpp, line 1501
Break: at file i:/build/mozilla/rdf/base/src/nsRDFService.cpp, line 1501
************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "Component returned failure code: 0x80004003 (NS_ERROR_INVALID_POINTER) [nsIRDFService.GetDataSource]"  nsresult: "0x80004003 (NS_ERROR_INVALID_POINTER)"  location: "JS frame :: file:///I:/build/mozilla/dist/bin/components/nsSidebar.js :: nsSidebar :: line 65"  data: no]
************************************************************
nsComm4xMailImport Module Created
WARNING: NS_ENSURE_TRUE(gNameSpaceManager) failed, file i:/build/mozilla/dom/src/build/nsDOMFactory.cpp, line 184
WARNING: NS_ENSURE_TRUE(gNameSpaceManager) failed, file i:/build/mozilla/dom/src/build/nsDOMFactory.cpp, line 184

I'm running with a few unregistered patches for crashes in various other modules (mostly dom inspector). I'm looking for help figuring out how the EIP became 0x10101010. I'm going to leave this stack alive in my debugger for a while, so if people want more information from any frame please contact me.
Looks like the function object of the member on the XPCNativeInterface was collected. I'll have to look at the marking code to see if there are any holes.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, topcrash
Running this code in xpcshell, I'm crashing out at:

nsGenericFactory::GetHelperForLanguage(nsGenericFactory * const 0x03036904, unsigned int 0x00000002, nsISupports * * 0x0012ddc4) line 110 + 6 bytes
XPCWrappedNative::GatherProtoScriptableCreateInfo(nsIClassInfo * 0x03036904, XPCNativeScriptableCreateInfo * 0x0012df40) line 565 + 38 bytes
XPCWrappedNative::GatherScriptableCreateInfo(nsISupports * 0x03036900, nsIClassInfo * 0x03036904, XPCNativeScriptableCreateInfo * 0x0012df40, XPCNativeScriptableCreateInfo * 0x0012df34) line 597 + 13 bytes
XPCWrappedNative::GetNewOrUsed(XPCCallContext & {...}, nsISupports * 0x03036900, XPCWrappedNativeScope * 0x010056e0, XPCNativeInterface * 0x00fe1928, XPCWrappedNative * * 0x0012df78) line 281 + 61 bytes
XPCConvert::NativeInterface2JSObject(XPCCallContext & {...}, nsIXPConnectJSObjectHolder * * 0x0012e0c8, nsISupports * 0x03036900, const nsID * 0x0012e0ec, JSObject * 0x030a2640, unsigned int * 0x0012e03c) line 1059 + 30 bytes
nsXPConnect::WrapNative(nsXPConnect * const 0x00fdc5e8, JSContext * 0x00ff27e0, JSObject * 0x030a2640, nsISupports * 0x03036900, const nsID & {...}, nsIXPConnectJSObjectHolder * * 0x0012e0c8) line 566 + 29 bytes
nsJSCID::GetService(nsJSCID * const 0x0301f778, nsISupports * * 0x0012e278) line 886 + 57 bytes
XPTC_InvokeByIndex(nsISupports * 0x0301f778, unsigned int 0x0000000b, unsigned int 0x00000001, nsXPTCVariant * 0x0012e278) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2012 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x00ff27e0, JSObject * 0x030a2640, unsigned int 0x00000000, long * 0x01011048, long * 0x0012e528) line 1281 + 14 bytes
js_Invoke(JSContext * 0x00ff27e0, unsigned int 0x00000000, unsigned int 0x00000000) line 839 + 23 bytes
js_Interpret(JSContext * 0x00ff27e0, long * 0x0012fe50) line 2803 + 15 bytes
js_Execute(JSContext * 0x00ff27e0, JSObject * 0x00f7e8c0, JSScript * 0x01008b58, JSStackFrame * 0x00000000, unsigned int 0x00000000, long * 0x0012fe50) line 1020 + 13 bytes
JS_ExecuteScript(JSContext * 0x00ff27e0, JSObject * 0x00f7e8c0, JSScript * 0x01008b58, long * 0x0012fe50) line 3277 + 25 bytes
Process(JSContext * 0x00ff27e0, JSObject * 0x00f7e8c0, char * 0x00000000, _iobuf * 0x10261828 __iob) line 517 + 22 bytes
ProcessArgs(JSContext * 0x00ff27e0, JSObject * 0x00f7e8c0, char * * 0x004e6e7c, int 0x00000000) line 655 + 33 bytes
main(int 0x00000000, char * * 0x004e6e7c) line 912 + 21 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e9ca90()

when doing mInfo->mGetLanguageHelperProc in nsGenericFactory::GetHelperForLanguage, because mInfo is null.
nsGenericFactory is another bug with a patch assigned to me. I haven't had a working tree for months, so I couldn't get it tested and committed. I'll work on that before I disappear for Thanksgiving. Oh hrm, I wonder if my tree has that code. Nope, it's not in my tree, it's sitting in "nsGenericFactory.cpp.0".
Attached patch possible fix (deleted) — Splinter Review
dbradley: This is the automarking scheme I mentioned to you (I hope you didn't already implement something like this yourself). You can use it as is if it turns out to help, or change it as you will. Note that I added support for handing it a pointer to a jsval, but didn't actually use that support. I figured that there would be times when you have a jsval whose actual value will change during the life of this auto pointer, so a pointer to it is appropriate. At some point you could extend it to work with JSObject**, JSString**, and JSDouble**. As it is now it can be used with jsval* and jsval (and thus JSObject* etc). FWIW, this will also help in proving if gc is really the culprit here. All you have to do is set a breakpoint in XPCMarkableJSVal::MarkBeforeJSFinalize and you'll catch the case where gc runs while this object is in scope. Hope this helps.
No hadn't started on it yet. I'll give it a try, thanks a lot, I'm sure it will save me a good bit of time, which is much appreciated right now.
Blocks: 181518
Blocks: 181519
No longer blocks: 181518
Comment on attachment 107101 [details] [diff] [review] possible fix

I think that GC is occurring in JS_CloneFunctionObject and causing the jsval passed in to be collected. This just might be the source of some of the other sporadic GC bugs we've seen. If in a less stressful case the memory wasn't reused, we would probably crash further down. But there may be other similar cases elsewhere. I think it's important to get this in ASAP so that we can see what effect it has on other sporadic GC related crashes.

A couple of minor nits: I don't think we really need the private construct. The presence of other constructors will prevent default construction. And there probably isn't a need for the empty destructor.

Below is an example stack.

XPCMarkableJSVal::MarkBeforeJSFinalize(JSContext * 0x00bf4028) line 3121
AutoMarkingJSVal::MarkBeforeJSFinalize(JSContext * 0x00bf4028) line 3206 + 31 bytes
XPCPerThreadData::MarkAutoRootsBeforeJSFinalize(JSContext * 0x00bf4028) line 445
XPCJSRuntime::GCCallback(JSContext * 0x00bf4028, JSGCStatus JSGC_MARK_END) line 262
js_GC(JSContext * 0x00bf4028, unsigned int 0x00000005) line 1281 + 12 bytes
js_AllocGCThing(JSContext * 0x00bf4028, unsigned int 0x00000000) line 523 + 11 bytes
js_NewObject(JSContext * 0x00bf4028, JSClass * 0x100c0bd8 _js_FunctionClass, JSObject * 0x014192b0, JSObject * 0x03838338) line 1645 + 11 bytes
js_CloneFunctionObject(JSContext * 0x00bf4028, JSObject * 0x014192b0, JSObject * 0x03838338) line 1950 + 22 bytes
JS_CloneFunctionObject(JSContext * 0x00bf4028, JSObject * 0x014192b0, JSObject * 0x03838338) line 2770 + 17 bytes
DefinePropertyIfFound(XPCCallContext & {...}, JSObject * 0x03838338, long 0x00bcfe3c, XPCNativeSet * 0x0142f1d8, XPCNativeInterface * 0x00c3cb78, XPCNativeMember * 0x00c3cbb4, XPCWrappedNativeScope * 0x036f4d60, int 0x00000001, XPCWrappedNative * 0x03842c90, XPCWrappedNative * 0x03842c90, XPCNativeScriptableInfo * 0x00000000, unsigned int 0x00000007, int * 0x00000000) line 445 + 29
Attachment #107101 - Flags: superreview?(jst)
Attachment #107101 - Flags: review+
Good to have confirmation that this was the real problem. Feel free to take out those lines if you like - neither of them actually cause any code to be generated. It is probably worth digging around in xpconnect for other cases where a gcthing is created and not protected before making other potentially gc invoking calls into JS. For those who have not looked closer: this automarking code is very cheap - just a little linked list manipulation as the stack based object goes in and out of scope - no locking, allocation, or jsapi calls involved (except if gc actually runs).
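The two comments above describe the root cause (a freshly cloned function object held only in a C++ local while js_NewObject triggers GC, so it is swept and its memory reused) and the fix (a stack-based marker that hangs itself on a per-thread linked list which the GC callback walks at JSGC_MARK_END). The following is an added, self-contained C++ model of that pattern written for this page; it is not code from the attached patch or from XPConnect. All names in it (GCThing, ToyRuntime, AutoMarkingThing, allocMayGC) are invented for the illustration; the comments say which real XPConnect pieces they stand in for. A "collected" flag replaces actual memory reuse so the buggy shape can be observed without a real use-after-free.

```cpp
// Added example, not from the patch or from XPConnect: a toy model of the
// stack-based auto-marking roots described in the comments above.
#include <cstdio>
#include <vector>

// A toy GC thing: a mark bit plus a flag recording that the collector
// reclaimed it. In the real engine the memory is reused (hence EIP ending
// up as 0x10101010); here we only record the fact so it can be checked.
struct GCThing {
    bool marked = false;
    bool collected = false;
};

// Toy runtime: a heap and the roots the collector knows about. A C++ local
// holding a GCThing* is NOT a root; that is exactly the hazard in this bug.
struct ToyRuntime {
    std::vector<GCThing*> heap;
    std::vector<GCThing*> roots;   // stands in for JS-visible roots

    GCThing* alloc() {
        GCThing* t = new GCThing();
        heap.push_back(t);
        return t;
    }
    void gc();   // defined below, after AutoMarkingThing
    ~ToyRuntime() { for (GCThing* t : heap) delete t; }
};

// Stack-based marker (stands in for AutoMarkingJSVal). Construction pushes
// onto a per-thread intrusive list, destruction pops it: pointer writes only,
// no allocation, locking or JSAPI calls, which is why the scheme is cheap.
class AutoMarkingThing {
public:
    explicit AutoMarkingThing(GCThing* thing) : mThing(thing), mNext(sHead) {
        sHead = this;
    }
    ~AutoMarkingThing() { sHead = mNext; }   // scopes nest, so LIFO pop is safe
    AutoMarkingThing(const AutoMarkingThing&) = delete;
    AutoMarkingThing& operator=(const AutoMarkingThing&) = delete;

    // Stands in for XPCPerThreadData::MarkAutoRootsBeforeJSFinalize, which
    // the GC callback invokes at JSGC_MARK_END before anything is finalized.
    static void markAutoRootsBeforeFinalize() {
        for (AutoMarkingThing* p = sHead; p; p = p->mNext)
            if (p->mThing) p->mThing->marked = true;
    }

private:
    GCThing* mThing;
    AutoMarkingThing* mNext;
    static thread_local AutoMarkingThing* sHead;
};
thread_local AutoMarkingThing* AutoMarkingThing::sHead = nullptr;

void ToyRuntime::gc() {
    for (GCThing* r : roots) r->marked = true;        // mark phase
    AutoMarkingThing::markAutoRootsBeforeFinalize();  // GC callback hook
    for (GCThing* t : heap) {                         // sweep phase
        if (!t->marked) t->collected = true;
        t->marked = false;
    }
}

// Stands in for js_NewObject / js_AllocGCThing: allocation may run a full GC.
GCThing* allocMayGC(ToyRuntime& rt) {
    rt.gc();
    return rt.alloc();
}

// The shape of the bug: the clone lives only in a C++ local when a
// GC-triggering allocation runs, so the collector sweeps it.
bool unprotectedCloneGetsCollected() {
    ToyRuntime rt;
    GCThing* clone = rt.alloc();
    GCThing* later = allocMayGC(rt);   // GC runs in here
    (void)later;
    return clone->collected;           // true: we still hold it, it is gone
}

// The fix: an auto-marker on the stack keeps the clone alive across the call.
bool protectedCloneSurvives() {
    ToyRuntime rt;
    GCThing* clone = rt.alloc();
    AutoMarkingThing guard(clone);     // pushed on the per-thread root list
    GCThing* later = allocMayGC(rt);
    (void)later;
    return !clone->collected;          // true: marked via the auto-root list
}

int main() {
    std::printf("unprotected clone collected: %d\n", unprotectedCloneGetsCollected());
    std::printf("protected clone survives:    %d\n", protectedCloneSurvives());
    return 0;
}
```

The same two-step audit jband suggests applies here: any place that creates a gcthing and then makes a call that can allocate (and therefore collect) needs the guard in scope before that call, and a breakpoint in the marker's mark routine shows exactly which scopes GC interrupts.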
Comment on attachment 107101 [details] [diff] [review] possible fix sr=jst
Attachment #107101 - Flags: superreview?(jst) → superreview+
patch checked in to trunk.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Checkin verified on trunk -
Status: RESOLVED → VERIFIED
*** Bug 130183 has been marked as a duplicate of this bug. ***
Crash Signature: [@ 0x10101010 - js_GetSlotThreadSafe - JS_GetPrivate]