When I tried to execute a script that calls alert from a close hook (support for which was added recently), I got the assert: JS_Assert (s=0x52fd80 "rt->requestCount > 0", file=0x52fe34 "/home/igor/w/mozilla/js/src/jsapi.c", ln=862) at /home/igor/w/mozilla/js/src/jsutil.c:62 with the following stack trace: #3 0x00ee5c88 in JS_Assert (s=0xef8e20 "rt->requestCount > 0", file=0xef8ed4 "/home/igor/w/mozilla/js/src/jsapi.c", ln=862) at /home/igor/w/mozilla/js/src/jsutil.c:58 #4 0x00e66cf0 in JS_EndRequest (cx=0xa69c6c8) at /home/igor/w/mozilla/js/src/jsapi.c:862 #5 0x00e66d69 in JS_SuspendRequest (cx=0xa69c6c8) at /home/igor/w/mozilla/js/src/jsapi.c:907 #6 0x008c7cdc in AutoJSSuspendRequest::SuspendRequest (this=0xbf8401fc) at /home/igor/w/mozilla/js/src/xpconnect/src/xpcprivate.h:3198 #7 0x008c7d24 in AutoJSSuspendRequest (this=0xbf8401fc, aCCX=@0xbf840298) at /home/igor/w/mozilla/js/src/xpconnect/src/xpcprivate.h:3186 #8 0x008c2c08 in XPCWrappedNative::CallMethod (ccx=@0xbf840298, mode=XPCWrappedNative::CALL_METHOD) at /home/igor/w/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2147 #9 0x008cf0e1 in XPC_WN_CallMethod (cx=0xa69c6c8, obj=0xa82e0a0, argc=1, argv=0xa89a7c8, vp=0xbf8403c0) at /home/igor/w/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1446 #10 0x00ea88e3 in js_Invoke (cx=0xa69c6c8, argc=1, flags=0) at /home/igor/w/mozilla/js/src/jsinterp.c:1328 #11 0x00e9ed66 in js_Interpret (cx=0xa69c6c8, pc=0xa89a200 ":", result=0xbf8406dc) at /home/igor/w/mozilla/js/src/jsinterp.c:4017 #12 0x00ea895a in js_Invoke (cx=0xa69c6c8, argc=0, flags=2) at /home/igor/w/mozilla/js/src/jsinterp.c:1347 #13 0x00ea8ff3 in js_InternalInvoke (cx=0xa69c6c8, obj=0xa891d28, fval=176757704, flags=0, argc=0, argv=0x0, rval=0xbf840804) at /home/igor/w/mozilla/js/src/jsinterp.c:1422 #14 0x00ea93c7 in generator_closehook (cx=0xa69c6c8, obj=0xa891d28) at /home/igor/w/mozilla/js/src/jsiter.c:632 #15 0x00e8f5e2 in ExecuteCloseHooks (cx=0xa69c6c8, toClose=0xbf840908) at /home/igor/w/mozilla/js/src/jsgc.c:859 #16 0x00e907db in js_GC (cx=0xa69c6c8, gcflags=0) at /home/igor/w/mozilla/js/src/jsgc.c:2619 #17 0x00e90938 in js_ForceGC (cx=0xa69c6c8, gcflags=0) at /home/igor/w/mozilla/js/src/jsgc.c:2100 #18 0x00e649a7 in JS_GC (cx=0xa69c6c8) at /home/igor/w/mozilla/js/src/jsapi.c:1907 #19 0x00e64a0f in JS_MaybeGC (cx=0xa69c6c8) at /home/igor/w/mozilla/js/src/jsapi.c:1972 #20 0x01e9a550 in nsJSContext::DOMBranchCallback (cx=0xa69c6c8, script=0xa89a238) at /home/igor/w/mozilla/dom/src/base/nsJSEnvironment.cpp:603 #21 0x00e9489a in js_Interpret (cx=0xa69c6c8, pc=0xa89a2a7 "\006&#65533;&#65533;&#65533;\n&#65533;\026&#65533;&#65533;\a&#65533;\n&#65533;", result=0xbf840e5c) at /home/igor/w/mozilla/js/src/jsinterp.c:2396 #22 0x00ea7cd5 in js_Execute (cx=0xa69c6c8, chain=0xa82e0a0, script=0xa89a238, down=0x0, flags=0, result=0xbf840f44) ---Type <return> to continue, or q <return> to quit--- at /home/igor/w/mozilla/js/src/jsinterp.c:1573 #23 0x00e60b8f in JS_EvaluateUCScriptForPrincipals (cx=0xa69c6c8, obj=0xa82e0a0, principals=0xa8707f4, chars=0xa8965c0, length=285, filename=0xa82f0e8 "file:///home/igor/s/test.html", lineno=7, rval=0xbf840f44) at /home/igor/w/mozilla/js/src/jsapi.c:4293 #24 0x01e98fc8 in nsJSContext::EvaluateString (this=0xa69c618, aScript=@0xbf8410a4, aScopeObject=0xa82e0a0, aPrincipal=0xa8707f0, aURL=0xa82f0e8 "file:///home/igor/s/test.html", aLineNo=7, aVersion=0, aRetValue=0x0, aIsUndefined=0xbf841058) at /home/igor/w/mozilla/dom/src/base/nsJSEnvironment.cpp:1185 #25 0x01ceee76 in nsScriptLoader::EvaluateScript (this=0xa870ac0, aRequest=0xa899ff8, aScript=@0xbf8410a4) at /home/igor/w/mozilla/content/base/src/nsScriptLoader.cpp:800 #26 0x01cef0d2 in nsScriptLoader::ProcessRequest (this=0xa870ac0, aRequest=0xa899ff8) at /home/igor/w/mozilla/content/base/src/nsScriptLoader.cpp:704 #27 0x01cf0c14 in nsScriptLoader::DoProcessScriptElement (this=0xa870ac0, aElement=0xa8988bc, aObserver=0xa8988b8, aFireErrorNotification=0xbf8416d8) at /home/igor/w/mozilla/content/base/src/nsScriptLoader.cpp:637 #28 0x01cf0e08 in nsScriptLoader::ProcessScriptElement (this=0xa870ac0, aElement=0xa8988bc, aObserver=0xa8988b8) at /home/igor/w/mozilla/content/base/src/nsScriptLoader.cpp:344 #29 0x01d8b510 in nsHTMLScriptElement::MaybeProcessScript (this=0xa898898) at /home/igor/w/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:717 #30 0x01d8b69f in nsHTMLScriptElement::DoneAddingChildren (this=0xa898898, aHaveNotified=0) at /home/igor/w/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:572 #31 0x01dacddb in HTMLContentSink::ProcessSCRIPTEndTag (this=0xa870b18, content=0xa898898, aHaveNotified=0, aMalformed=0) at /home/igor/w/mozilla/content/html/document/src/nsHTMLContentSink.cpp:3803 #32 0x01db03fd in SinkContext::CloseContainer (this=0xa832f78, aTag=eHTMLTag_script, aMalformed=0) at /home/igor/w/mozilla/content/html/document/src/nsHTMLContentSink.cpp:1278 #33 0x01db098c in HTMLContentSink::CloseContainer (this=0xa870b18, aTag=eHTMLTag_script) at /home/igor/w/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2856 #34 0x01120583 in CNavDTD::CloseContainer (this=0xa87e498, aTag=eHTMLTag_script, aMalformed=0) at /home/igor/w/mozilla/parser/htmlparser/src/CNavDTD.cpp:2682 #35 0x01122a19 in CNavDTD::HandleEndToken (this=0xa87e498, aToken=0xa831e88) at /home/igor/w/mozilla/parser/htmlparser/src/CNavDTD.cpp:1587 #36 0x01124022 in CNavDTD::HandleToken (this=0xa87e498, aToken=0xa831e88, aParser=0xa870308) at /home/igor/w/mozilla/parser/htmlparser/src/CNavDTD.cpp:698 ---Type <return> to continue, or q <return> to quit--- #37 0x011245e6 in CNavDTD::BuildModel (this=0xa87e498, aParser=0xa870308, aTokenizer=0xa87ec20, anObserver=0x0, aSink=0xa870b64) at /home/igor/w/mozilla/parser/htmlparser/src/CNavDTD.cpp:331 #38 0x0112d3a0 in nsParser::BuildModel (this=0xa870308) at /home/igor/w/mozilla/parser/htmlparser/src/nsParser.cpp:1731 #39 0x0113090b in nsParser::ResumeParse (this=0xa870308, allowIteration=1, aIsFinalChunk=0, aCanInterrupt=1) at /home/igor/w/mozilla/parser/htmlparser/src/nsParser.cpp:1608 #40 0x0112d848 in nsParser::OnDataAvailable (this=0xa870308, request=0xa82f298, aContext=0x0, pIStream=0xa82f6b4, sourceOffset=0, aLength=405) at /home/igor/w/mozilla/parser/htmlparser/src/nsParser.cpp:2245 #41 0x0684896d in nsDocumentOpenInfo::OnDataAvailable (this=0xa82f518, request=0xa82f298, aCtxt=0x0, inStr=0xa82f6b4, sourceOffset=0, count=405) at /home/igor/w/mozilla/uriloader/base/nsURILoader.cpp:361 #42 0x06ed620a in nsBaseChannel::OnDataAvailable (this=0xa82f268, request=0xa82f550, ctxt=0x0, stream=0xa82f6b4, offset=0, count=405) at /home/igor/w/mozilla/netwerk/base/src/nsBaseChannel.cpp:648 #43 0x06ee91e7 in nsInputStreamPump::OnStateTransfer (this=0xa82f550) at /home/igor/w/mozilla/netwerk/base/src/nsInputStreamPump.cpp:498 #44 0x06ee94fb in nsInputStreamPump::OnInputStreamReady (this=0xa82f550, stream=0xa82f6b4) at /home/igor/w/mozilla/netwerk/base/src/nsInputStreamPump.cpp:388 #45 0x00181259 in nsInputStreamReadyEvent::Run (this=0xa82f1a0) at /home/igor/w/mozilla/xpcom/io/nsStreamUtils.cpp:111 #46 0x001aba37 in nsThread::ProcessNextEvent (this=0xa027210, mayWait=1, result=0xbf841c50) at /home/igor/w/mozilla/xpcom/threads/nsThread.cpp:482 #47 0x001431a1 in NS_ProcessNextEvent_P (thread=0xa027210, mayWait=1) at nsThreadUtils.cpp:225 #48 0x06530b55 in nsBaseAppShell::Run (this=0xa0aada8) at /home/igor/w/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:153 #49 0x00b782b1 in nsAppStartup::Run (this=0xa0ec530) at /home/igor/w/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:171 #50 0x00b23d79 in XRE_main (argc=2, argv=0xbf842034, aAppData=0x8049760) at /home/igor/w/mozilla/toolkit/xre/nsAppRunner.cpp:2349 #51 0x08048603 in main (argc=75, argv=0x1612b220) at /home/igor/w/mozilla/browser/app/nsBrowserApp.cpp:61 It looks like there is a missed JS_BeginRequest somewhere.

The GC implicitly suspends any requests on the context on which GC is activated by decreasing rt->requestCount appropriately, but it does not zero cx->requestDepth and restore it later, so this is not surprising. We could make the GC keep cx->requestDepth consistent with rt->requestCount. That is a minimal fix. But bug 341821 would fix this bug too. Is it more expedient to fix this bug first? In any case, Igor, could you take this one too? Thanks, /be

To say a bit more: the GC's implicit auto-suspension was "just so", and minimal in the sense that leaving cx->requestDepth non-zero saved cycles and code size. It was not important to make all the state consistent, since only mark and finalize functions (and GC callbacks) could run with such state, and none of those hooks should begin, end, suspend, or resume requests. But with close hooks, which may be scripted, of course it could (and does) matter. /be

(In reply to comment #2) > We could make the GC keep cx->requestDepth consistent with rt->requestCount. > That is a minimal fix. But bug 341821 would fix this bug too. Is it more > expedient to fix this bug first? In any case, Igor, could you take this one > too? I missed the fact that it is OK to call JS_SuspendRequest when cx->requestDepth is 0. I filed this bug separately from bug 341821 since I did not see JS_BeginRequest call and fixing bug 341821 would not prevent calling JS_SuspendRequest with cx->requestDepth == 0. But since this is OK, the bug is essentailly a dup of bug 341821. *** This bug has been marked as a duplicate of 341821 ***

I reopen the bug and change title: the test case still crashes the browser, but now not via JS_EndRequest.

Can you attach a backtrace? Thanks, /be

(In reply to comment #6) > Can you attach a backtrace? Thanks, > > /be > It turned out the crashes I saw was caused by the broken patch from bug 341821. But even with the right patch the test case from comment 1 crashes the browser after 2-3-4 alerts. The crashes happens at different places but AFAICS they preceed with printouts like: ++DOMWINDOW == 10 ###!!! ASSERTION: This is not supposed to fail!: 'Error', file /home/igor/w/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 395 WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed: file /home/igor/w/mozilla/dom/src/base/nsJSEnvironment.cpp, line 2196 --DOMWINDOW == 9

One of the test cases show that close hooks should not be run from GC that is invoked from js_DestroyContext: #0 0xffffe410 in __kernel_vsyscall () #1 0xb74f7136 in nanosleep () from /lib/tls/i686/cmov/libc.so.6 #2 0xb74f6f3c in sleep () from /lib/tls/i686/cmov/libc.so.6 #3 0xb7f7d84a in ah_crap_handler (signum=-1218880804) at nsSigHandlers.cpp:133 #4 0xb7f918b2 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:210 #5 <signal handler called> #6 0x00000019 in ?? () #7 0xb7ead236 in js_GetSlotThreadSafe (cx=0x8e598d0, obj=0x91624ec, slot=2) at /home/igor/w/mozilla/js/src/jslock.c:585 #8 0xb7e8ffff in RunCloseHooks (cx=0x8e598d0) at /home/igor/w/mozilla/js/src/jsgc.c:1055 #9 0xb7e92704 in js_GC (cx=0x8e598d0, gckind=GC_NORMAL) at /home/igor/w/mozilla/js/src/jsgc.c:2924 #10 0xb7e916cd in js_ForceGC (cx=0x8e598d0, gckind=GC_NORMAL) at /home/igor/w/mozilla/js/src/jsgc.c:2310 #11 0xb7e6dc20 in js_DestroyContext (cx=0x8e598d0, mode=JSDCM_FORCE_GC) at /home/igor/w/mozilla/js/src/jscntxt.c:389 #12 0xb7e5e75c in JS_DestroyContext (cx=0x19) at /home/igor/w/mozilla/js/src/jsapi.c:952 #13 0xb6ff015e in nsXPConnect::ReleaseJSContext (this=0x80b1d18, aJSContext=0x8e598d0, noGC=0) at /home/igor/w/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:1308 #14 0xb6bf5dfc in ~nsJSContext (this=0x9c3f490) at /home/igor/w/mozilla/dom/src/base/nsJSEnvironment.cpp:998 #15 0xb6bf618d in nsJSContext::Release (this=0x9c3f490) at /home/igor/w/mozilla/dom/src/base/nsJSEnvironment.cpp:1027 #16 0xb7e05daf in nsTimerImpl::ReleaseCallback (this=0x961b8e0) at nsTimerImpl.h:114 #17 0xb7e05073 in ~nsTimerImpl (this=0x961b8e0) at /home/igor/w/mozilla/xpcom/threads/nsTimerImpl.cpp:161 #18 0xb7e05129 in nsTimerImpl::Release (this=0x961b8e0) at /home/igor/w/mozilla/xpcom/threads/nsTimerImpl.cpp:95 #19 0xb7e05f73 in ~nsRefPtr (this=0xbffe5c98) at nsAutoPtr.h:956 #20 0xb7e05a6f in nsTimerEvent::Run (this=0xb1475038) at /home/igor/w/mozilla/xpcom/threads/nsTimerImpl.cpp:458 #21 0xb7dffff4 in nsThread::ProcessNextEvent (this=0x8084248, mayWait=1, result=0x8e598d0) at /home/igor/w/mozilla/xpcom/threads/nsThread.cpp:482 #22 0xb7d9a0e1 in NS_ProcessNextEvent_P (thread=0x82bbe08, mayWait=25) at nsThreadUtils.cpp:225 #23 0xb5dc92bb in nsBaseAppShell::Run (this=0x809e370) at /home/igor/w/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:153 #24 0xb708927d in nsAppStartup::Run (this=0x842a3b8) at /home/igor/w/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:171 #25 0xb7f83e94 in XRE_main (argc=2, argv=0xbffe60c4, aAppData=0x80497c0) at /home/igor/w/mozilla/toolkit/xre/nsAppRunner.cpp:2387 #26 0x08048630 in main (argc=25, argv=0x19) at /home/igor/w/mozilla/browser/app/nsBrowserApp.cpp:61 (gdb) frame 7 #7 0xb7ead236 in js_GetSlotThreadSafe (cx=0x8e598d0, obj=0x91624ec, slot=2) at /home/igor/w/mozilla/js/src/jslock.c:585 585 return OBJ_GET_REQUIRED_SLOT(cx, obj, slot); Current language: auto; currently c (gdb) print *obj $1 = {map = 0x82bbe08, slots = 0x8ce7350}

Here is a typical stack tracewith the test case: #0 0xffffe410 in __kernel_vsyscall () #1 0xb74bf136 in nanosleep () from /lib/tls/i686/cmov/libc.so.6 #2 0xb74bef3c in sleep () from /lib/tls/i686/cmov/libc.so.6 #3 0xb7f4584a in ah_crap_handler (signum=-1219110180) at nsSigHandlers.cpp:133 #4 0xb7f598b2 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:210 #5 <signal handler called> #6 js_MarkAtom (cx=0x8c883e0, atom=0x632e7965) at /home/igor/w/mozilla/js/src/jsgc.c:1738 #7 0xb7eaa22f in js_MarkScript (cx=0x8c883e0, script=0x8f9b058) at /home/igor/w/mozilla/js/src/jsscript.c:1385 #8 0xb7e59649 in js_MarkStackFrame (cx=0x8c883e0, fp=0xbfbad0bc) at /home/igor/w/mozilla/js/src/jsgc.c:2325 #9 0xb7e59dba in js_GC (cx=0x8c883e0, gckind=GC_NORMAL) at /home/igor/w/mozilla/js/src/jsgc.c:2632 #10 0xb7e595c5 in js_ForceGC (cx=0x8c883e0, gckind=GC_NORMAL) at /home/igor/w/mozilla/js/src/jsgc.c:2298 #11 0xb7e27f63 in JS_GC (cx=0x8c883e0) at /home/igor/w/mozilla/js/src/jsapi.c:1917 #12 0xb7e27fc2 in JS_MaybeGC (cx=0x8c883e0) at /home/igor/w/mozilla/js/src/jsapi.c:1982 #13 0xb6bc2cfd in nsJSContext::DOMBranchCallback (cx=0x8c883e0, script=0x6d6f726c) at /home/igor/w/mozilla/dom/src/base/nsJSEnvironment.cpp:688 #14 0xb7e5f0fe in js_Interpret (cx=0x8c883e0, pc=<value optimized out>, result=0xbfbad0dc) at /home/igor/w/mozilla/js/src/jsinterp.c:2434 #15 0xb7e5d3a0 in js_Execute (cx=0x8c883e0, chain=0x8f58af8, script=0x8f9b058, down=0x0, flags=1836020332, result=0xbfbad1c4) at /home/igor/w/mozilla/js/src/jsinterp.c:1599 #16 0xb7e2dc12 in JS_EvaluateUCScriptForPrincipals (cx=0x8c883e0, obj=0x8f58af8, principals=0x6d6f726c, chars=0x6d6f726c, length=1836020332, filename=0x6d6f726c <Address 0x6d6f726c out of bounds>, lineno=1836020332, rval=0x6d6f726c) at /home/igor/w/mozilla/js/src/jsapi.c:4330 #17 0xb6bc0650 in nsJSContext::EvaluateString (this=0x8cb1658, aScript=@0xbfbad324, aScopeObject=0x8f58af8, aPrincipal=0x8e0d440, aURL=0x6b2e6975 <Address 0x6b2e6975 out of bounds>, aLineNo=1798203765, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfbad2d8) at /home/igor/w/mozilla/dom/src/base/nsJSEnvironment.cpp:1298 #18 0xb6a1ef0d in nsScriptLoader::EvaluateScript (this=0x8e9ab68, aRequest=0x8f95f78, aScript=@0x6d6f726c) at /home/igor/w/mozilla/content/base/src/nsScriptLoader.cpp:800 #19 0xb6a1f176 in nsScriptLoader::ProcessRequest (this=0x8e9ab68, aRequest=0x8f95f78) at /home/igor/w/mozilla/content/base/src/nsScriptLoader.cpp:704 #20 0xb6a2083e in nsScriptLoader::DoProcessScriptElement (this=0x8e9ab68, aElement=0x8f91484, aObserver=0x6d6f726c, aFireErrorNotification=0xbfbad8b8) at /home/igor/w/mozilla/content/base/src/nsScriptLoader.cpp:637 #21 0xb6a209be in nsScriptLoader::ProcessScriptElement (this=0x8e9ab68, aElement=0x8f91484, aObserver=0x8f91480) at /home/igor/w/mozilla/content/base/src/nsScriptLoader.cpp:344 #22 0xb6ab920b in nsHTMLScriptElement::MaybeProcessScript (this=0x8f91460) at /home/igor/w/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:716 #23 0xb6ab938d in nsHTMLScriptElement::DoneAddingChildren (this=0x6d6f726c, aHaveNotified=0) at /home/igor/w/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:571 #24 0xb6ae00b9 in HTMLContentSink::ProcessSCRIPTEndTag (this=0x8f51380, content=0x8f91460, aHaveNotified=1836020332, aMalformed=0) at /home/igor/w/mozilla/content/html/document/src/nsHTMLContentSink.cpp:3816 #25 0xb6ae0456 in SinkContext::CloseContainer (this=0x82c4790, aTag=eHTMLTag_script, aMalformed=1798203765) at /home/igor/w/mozilla/content/html/document/src/nsHTMLContentSink.cpp:1279 #26 0xb6ae07fc in HTMLContentSink::CloseContainer (this=0x8c883e0, aTag=1798203765) at /home/igor/w/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2868 #27 0xb5944360 in CNavDTD::CloseContainer (this=0x8d28e60, aTag=eHTMLTag_script, aMalformed=0) at /home/igor/w/mozilla/parser/htmlparser/src/CNavDTD.cpp:2700 #28 0xb5945c19 in CNavDTD::HandleEndToken (this=0x8d28e60, aToken=0x8f37820) at /home/igor/w/mozilla/parser/htmlparser/src/CNavDTD.cpp:1594 #29 0xb5947a07 in CNavDTD::HandleToken (this=0x8d28e60, aToken=0x8f37820, aParser=0x8aed568) at /home/igor/w/mozilla/parser/htmlparser/src/CNavDTD.cpp:702 #30 0xb594340f in CNavDTD::BuildModel (this=0x8d28e60, aParser=0x8aed568, aTokenizer=0x8f50fe8, anObserver=0x0, aSink=0x8f513cc) at /home/igor/w/mozilla/parser/htmlparser/src/CNavDTD.cpp:331 #31 0xb59514f9 in nsParser::BuildModel (this=0x8aed568) at /home/igor/w/mozilla/parser/htmlparser/src/nsParser.cpp:1731 #32 0xb5953e71 in nsParser::ResumeParse (this=0x8aed568, allowIteration=1, aIsFinalChunk=0, aCanInterrupt=1) at /home/igor/w/mozilla/parser/htmlparser/src/nsParser.cpp:1608 #33 0xb5951e94 in nsParser::OnDataAvailable (this=0x8aed568, request=0x8e9e158, aContext=0x0, pIStream=0x8e9d44c, sourceOffset=0, aLength=1836020332) at /home/igor/w/mozilla/parser/htmlparser/src/nsParser.cpp:2245 #34 0xb7190f73 in nsDocumentOpenInfo::OnDataAvailable (this=0x8e9e718, request=0x6b2e6975, aCtxt=0x6b2e6975, inStr=0x6b2e6975, sourceOffset=1798203765, count=1798203765) at /home/igor/w/mozilla/uriloader/base/nsURILoader.cpp:360 #35 0xb6ea872a in nsBaseChannel::OnDataAvailable (this=0x8e9e128, request=0x8e9e858, ctxt=0x0, stream=0x6b2e6975, offset=0, count=460) at /home/igor/w/mozilla/netwerk/base/src/nsBaseChannel.cpp:640 #36 0xb6eba629 in nsInputStreamPump::OnStateTransfer (this=0x8e9e858) at /home/igor/w/mozilla/netwerk/base/src/nsInputStreamPump.cpp:503 #37 0xb6ebaa5f in nsInputStreamPump::OnInputStreamReady (this=0x8e9e858, stream=0x8e9d44c) at /home/igor/w/mozilla/netwerk/base/src/nsInputStreamPump.cpp:393 #38 0xb7d9e653 in nsInputStreamReadyEvent::Run (this=0x8e9e750) at /home/igor/w/mozilla/xpcom/io/nsStreamUtils.cpp:111 #39 0xb7dc7ff4 in nsThread::ProcessNextEvent (this=0x8084788, mayWait=1, result=0x6b2e6975) at /home/igor/w/mozilla/xpcom/threads/nsThread.cpp:482 #40 0xb7d620e1 in NS_ProcessNextEvent_P (thread=0x8c883e0, mayWait=1836020332) at nsThreadUtils.cpp:225 #41 0xb5d912bb in nsBaseAppShell::Run (this=0x83fbf78) at /home/igor/w/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:153 #42 0xb705127d in nsAppStartup::Run (this=0x8434540) at /home/igor/w/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:171 #43 0xb7f4be94 in XRE_main (argc=1, argv=0xbfbae214, aAppData=0x80497c0) at /home/igor/w/mozilla/toolkit/xre/nsAppRunner.cpp:2387 #44 0x08048630 in main (argc=1836020332, argv=0x6d6f726c) at /home/igor/w/mozilla/browser/app/nsBrowserApp.cpp:61 This does not happen when browser runs in a safe mode.

I have found yet another problem with close hooks that could be related to this bug. Close hooks should not be allowed to run from GC called from js_DestroyContext. That GC is run when the context is unlinked from the list which is breaks numerous invariants. For example, since close hooks can trigger GC, a nested GC call would skip objects reachable through roots from the context under js_DestroyContext.

*** Bug 346484 has been marked as a duplicate of this bug. ***

With the fix for the bug 341821 committed, the test case no longer crashes.

Checking in regress-341815.js; /cvsroot/mozilla/js/tests/js1_7/iterable/regress-341815.js,v <-- regress-341815.js initial revision: 1.1 note that the alert will continue to fire even if you leave the test page. It will be blocked on non-blank pages but will successfully fire if you go to about:blank.

Checking in regress-341815.js; /cvsroot/mozilla/js/tests/js1_7/iterable/regress-341815.js,v <-- regress-341815.js new revision: 1.2; previous revision: 1.1 correct bug number.

crash in browser 1.9 windows debug 20060811 build in > ntdll.dll!_RtlEnterCriticalSection@4() + 0x90 bytes > ntdll.dll!_RtlEnterCriticalSection@4() + 0x90 bytes msvcr80d.dll!_lock_file(_iobuf * pf=0x00240000) Line 238 C msvcr80d.dll!fprintf(_iobuf * str=0x00240000, const char * format=0x00553bf0, ...) Line 63 + 0x9 bytes C js3250.dll!js_Interpret(JSContext * cx=0x039b8fd8, unsigned char * pc=0x03df30eb, long * result=0x0012dd8c) Line 6168 + 0x4f bytes C js3250.dll!generator_send(JSContext * cx=0x039b8fd8, JSObject * obj=0x0513b8b8, unsigned int argc=0, long * argv=0x03dd6b7c, long * rval=0x0012de78) Line 795 + 0x14 bytes C js3250.dll!generator_close(JSContext * cx=0x039b8fd8, JSObject * obj=0x0513b8b8, unsigned int argc=0, long * argv=0x03dd6b7c, long * rval=0x0012de78) Line 846 + 0x17 bytes C js3250.dll!js_Invoke(JSContext * cx=0x039b8fd8, unsigned int argc=0, unsigned int flags=2) Line 1350 + 0x20 bytes C js3250.dll!js_InternalInvoke(JSContext * cx=0x039b8fd8, JSObject * obj=0x0513b8b8, long fval=85178576, unsigned int flags=0, unsigned int argc=0, long * argv=0x00000000, long * rval=0x0012dfcc) Line 1448 + 0x14 bytes C js3250.dll!js_CloseGeneratorObject(JSContext * cx=0x039b8fd8, JSGenerator * gen=0x03be38e0) Line 623 + 0x1b bytes C js3250.dll!js_RunCloseHooks(JSContext * cx=0x039b8fd8) Line 1057 + 0xd bytes C js3250.dll!JS_GC(JSContext * cx=0x039b8fd8) Line 1943 + 0x9 bytes C ...

bc: are you sure you're correctly building js shell against threadsafe crt? (don't answer "i'm correctly using the makefiles", make sure the makefiles are correct)

(In reply to comment #16) > bc: are you sure you're correctly building js shell against threadsafe crt? > (don't answer "i'm correctly using the makefiles", make sure the makefiles are > correct) > timeless: are you sure you're reading the comment? crash in browser 1.9 windows debug 20060811 build And don't answer "I don't have time", get yourself some glasses.

oops, sorry. yes, this will happen if two threads decide to try to write dump complaints (e.g. xpconnect complaining about js on a second thread) at the same time.

filed Bug 348606 on the _RtlEnterCriticalSection debug browser crash

no crash 1.9 20060818 windows/mac(ppc|tel)/linux although my alert dismissal didn't prevent the test from timing out. Windows spider timed out loading the page, but no longer crashing. verified fixed 1.9

note to self: js1_7/iterable/regress-341815.js is crashing on mac in the test automation but it appears to be a result of spider's dialog closer closing the slow script warning dialog.

Checking in regress-341815.js; /cvsroot/mozilla/js/tests/js1_7/iterable/regress-341815.js,v <-- regress-341815.js new revision: 1.4; previous revision: 1.3