Closed Bug 389753 Opened 17 years ago Closed 17 years ago

Frequent crashes at Gmail [@ JS_GetParent]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: roc, Unassigned)

References

Details

(Keywords: crash, dogfood, regression)

Crash Data

I'm getting a lot of crashes, seem to be related to Javascript, seem to be related to GMail activity.

###!!! ASSERTION: What crazy object are we getting here?: 'JS_GET_CLASS(cx, outerObj) == &sXPC_XOW_JSClass.base', file /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp, line 414

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x80000000
0x01018cdd in JS_GetParent (cx=0x3f337f70, obj=0x3ef7d6c0) at /Users/roc/mozilla-checkin/mozilla/js/src/jsapi.c:2831
2831        return parent && parent->map ? parent : NULL;
(gdb) where
#0  0x01018cdd in JS_GetParent (cx=0x3f337f70, obj=0x3ef7d6c0) at /Users/roc/mozilla-checkin/mozilla/js/src/jsapi.c:2831
#1  0x12a24227 in XPCConvert::NativeData2JS (ccx=@0xbfffba00, d=0xbfffb854, s=0xbfffb7b0, type=@0xbfffb837, iid=0xbfffb874, scope=0x2728dc0, pErr=0xbfffb870) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcconvert.cpp:490
#2  0x12a444f2 in XPCWrappedNative::CallMethod (ccx=@0xbfffba00, mode=CALL_GETTER) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2365
#3  0x12a7e0d5 in XPCWrappedNative::GetAttribute (ccx=@0xbfffba00) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:2070
#4  0x12a4bd2f in XPC_WN_GetterSetter (cx=0x3f337f70, obj=0x2728dc0, argc=0, argv=0x3ec09c84, vp=0xbfffbb0c) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1499
#5  0x0105df9a in js_Invoke (cx=0x3f337f70, argc=0, flags=2) at /Users/roc/mozilla-checkin/mozilla/js/src/jsinterp.c:1312
#6  0x0105e3bb in js_InternalInvoke (cx=0x3f337f70, obj=0x2728dc0, fval=1051137184, flags=0, argc=0, argv=0x0, rval=0xbfffc0fc) at /Users/roc/mozilla-checkin/mozilla/js/src/jsinterp.c:1406
#7  0x0105e615 in js_InternalGetOrSet (cx=0x3f337f70, obj=0x2728dc0, id=1020779104, fval=1051137184, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffc0fc) at /Users/roc/mozilla-checkin/mozilla/js/src/jsinterp.c:1478
#8  0x0108cafa in js_NativeGet (cx=0x3f337f70, obj=0x2728dc0, pobj=0x3ea71dc0, sprop=0x3eb331d0, vp=0xbfffc0fc) at /Users/roc/mozilla-checkin/mozilla/js/src/jsobj.c:3457
#9  0x0108d66b in js_GetProperty (cx=0x3f337f70, obj=0x2728dc0, id=1020779104, vp=0xbfffc0fc) at /Users/roc/mozilla-checkin/mozilla/js/src/jsobj.c:3600
#10 0x0106dc4a in js_Interpret (cx=0x3f337f70, pc=0x3f37e690 "?", result=0xbfffc388) at /Users/roc/mozilla-checkin/mozilla/js/src/jsinterp.c:3791
#11 0x0105e025 in js_Invoke (cx=0x3f337f70, argc=1, flags=2) at /Users/roc/mozilla-checkin/mozilla/js/src/jsinterp.c:1331
#12 0x12a3ef93 in nsXPCWrappedJSClass::CallMethod (this=0x370d08e0, wrapper=0x41ee3130, methodIndex=3, info=0x2178958, nativeParams=0xbfffc834) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1457
#13 0x12a37731 in nsXPCWrappedJS::CallMethod (this=0x41ee3130, methodIndex=3, info=0x2178958, params=0xbfffc834) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:565
#14 0x0136f5ca in PrepareAndDispatch (self=0x41ee3170, methodIndex=3, args=0xbfffc954) at /Users/roc/mozilla-checkin/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
#15 0x0136f628 in nsXPTCStubBase::Stub3 (this=0x41ee3170) at ../../../../../../dist/include/xpcom/xptcstubsdef.inc:5
#16 0x19192108 in nsEventListenerManager::HandleEventSubType (this=0x402d81f0, aListenerStruct=0x41ee3180, aListener=0x41ee3170, aDOMEvent=0x3fc287d0, aCurrentTarget=0x3eb53000, aPhaseFlags=2) at /Users/roc/mozilla-checkin/mozilla/content/events/src/nsEventListenerManager.cpp:1096
(This is a trunk build from about one hour ago)
Seems to happen very often when I'm composing an email, I suspect it's trying to auto-save the draft. (I use the HTML composer, if that matters.)
Some of the crashes leave me in never never land --- we seem to be jumping to random addresses in those cases.
This is a critical regression since it makes Gmail almost unusable for me.
Keywords: regression
Another micro-stack:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadada00
0xdadada00 in ?? ()
(gdb) where
#0  0xdadada00 in ?? ()
#1  0x0107e619 in js_GetSlotThreadSafe (cx=0x1, obj=0x29070f0, slot=1069061328) at /Users/roc/mozilla-checkin/mozilla/js/src/jslock.c:599
Previous frame inner to this frame (corrupt stack?)
I can't reproduce this, but I have a couple of ideas how it can happen. I'll try some stuff out tomorrow.
Keywords: crash, dogfood
Summary: Frequent Javascript crashes → Frequent crashes at Gmail [@ JS_GetParent]
Easily reproducible on trunk linux while visiting yahoo mail. No action other than logging in required.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007073005 Minefield/3.0a7pre ID:2007073005

happens on Win32 when scrolling a gmail.
Unreproducable and infrequent crash.
Confirmed by multiple people on XP
Happens to me quite frequently when scrolling in Gmail, in OS X.
Uri, also with the 2007-07-31 build ?
(In reply to comment #10)
> Uri, also with the 2007-07-31 build ?
> 

Haven't tried it yet. I'll switch to it and report.
So far no crashes with 2007-07-31, despite intensive scrolling.
same here (on windows)
Looks like bug 390083 did us some good.
I'm going to optimistically close this. I suspect that bug 389985 might have also fixed this bug. Please reopen if I'm out of line (or it's not completely fixed).
Blocks: xow
Status: NEW → RESOLVED
Closed: 17 years ago
Depends on: 389985, 390083
Resolution: --- → FIXED
Flags: in-testsuite-
Crash Signature: [@ JS_GetParent]
You need to log in before you can comment on or make changes to this bug.