Closed Bug 390083 Opened 17 years ago Closed 17 years ago

Frequent crashes [@ XPCContext::GetRuntime] during GC after closing a tab

Categories

(Core :: XPConnect, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED
mozilla1.9alpha7

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: crash, dogfood, regression)

Attachments

(1 file, 1 obsolete file)

I got this crash twice in the last hour, both times after closing a tab to return to a bug list.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   libxpconnect.dylib       	0x02a6f187 XPCContext::GetRuntime() const + 9 (xpcprivate.h:757)
1   libxpconnect.dylib       	0x02a6f6cf XPCCallContext::GetRuntime() const + 39 (xpcprivate.h:85)
2   libxpconnect.dylib       	0x02a51e3c XPCWrappedNativeScope::FindInJSObjectScope(XPCCallContext&, JSObject*, int) + 128 (xpcwrappednativescope.cpp:676)
3   libxpconnect.dylib       	0x02a57be7 XPC_XOW_Finalize(JSContext*, JSObject*) + 139 (XPCCrossOriginWrapper.cpp:711)
4   libmozjs.dylib           	0x0108aea5 js_FinalizeObject + 136 (jsobj.c:2788)
5   libmozjs.dylib           	0x0105b51e js_GC + 2316 (jsgc.c:2448)
6   libmozjs.dylib           	0x010288fc js_DestroyContext + 600 (jscntxt.c:432)
7   libmozjs.dylib           	0x01015383 JS_DestroyContext + 25 (jsapi.c:986)
8   libxpconnect.dylib       	0x02a094e5 nsXPConnect::ReleaseJSContext(JSContext*, int) + 349 (nsXPConnect.cpp:1857)
9   libgklayout.dylib        	0x17d4df08 nsJSContext::~nsJSContext [in-charge deleting]() + 344 (nsJSEnvironment.cpp:1024)
10  libgklayout.dylib        	0x17d4e5c9 nsJSContext::Release() + 285 (nsJSEnvironment.cpp:1091)
11  libgklayout.dylib        	0x18068b7e nsCOMPtr<nsIScriptContext>::assign_assuming_AddRef(nsIScriptContext*) + 94 (nsContentUtils.cpp:568)
12  libgklayout.dylib        	0x18068bb0 nsCOMPtr<nsIScriptContext>::assign_with_AddRef(nsISupports*) + 48 (nsContentUtils.cpp:1236)
13  libgklayout.dylib        	0x18069d74 nsCOMPtr<nsIScriptContext>::operator=(nsIScriptContext*) + 24 (nsCOMPtr.h:714)
14  libgklayout.dylib        	0x17d0beee nsXBLDocGlobalObject::SetContext(nsIScriptContext*) + 40 (nsXBLDocumentInfo.cpp:256)
15  libgklayout.dylib        	0x17d0c036 nsXBLDocGlobalObject::SetScriptContext(unsigned, nsIScriptContext*) + 86 (nsXBLDocumentInfo.cpp:278)
16  libgklayout.dylib        	0x17d0bc29 nsXBLDocumentInfo::~nsXBLDocumentInfo [in-charge deleting]() + 123 (nsXBLDocumentInfo.cpp:501)
17  libgklayout.dylib        	0x17d0b76f nsXBLDocumentInfo::Release() + 283 (nsXBLDocumentInfo.cpp:472)
18  libgklayout.dylib        	0x180d9462 nsCOMPtr<nsIXBLDocumentInfo>::~nsCOMPtr [in-charge]() + 66 (nsCOMPtr.h:583)
19  libgklayout.dylib        	0x180dd890 nsBaseHashtableET<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo> >::~nsBaseHashtableET [in-charge]() + 20 (nsBaseHashtable.h:312)
20  libgklayout.dylib        	0x180dd8b1 nsTHashtable<nsBaseHashtableET<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo> > >::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) + 17 (nsTHashtable.h:391)
21  libxpcom_core.dylib      	0x012f7af5 PL_DHashTableFinish + 166 (pldhash.c:375)
22  libgklayout.dylib        	0x180dbffb nsTHashtable<nsBaseHashtableET<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo> > >::~nsTHashtable [not-in-charge]() + 27 (nsTHashtable.h:312)
23  libgklayout.dylib        	0x180dc025 nsBaseHashtable<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo>, nsIXBLDocumentInfo*>::~nsBaseHashtable [not-in-charge]() + 17 (nsBaseHashtable.h:84)
24  libgklayout.dylib        	0x180dc04d nsInterfaceHashtable<nsURIHashKey, nsIXBLDocumentInfo>::~nsInterfaceHashtable [in-charge]() + 17 (nsInterfaceHashtable.h:56)
25  libgklayout.dylib        	0x17d1f017 nsBindingManager::~nsBindingManager [in-charge]() + 207 (nsBindingManager.cpp:406)
26  libgklayout.dylib        	0x17d1f140 nsBindingManager::Release() + 276 (nsBindingManager.cpp:383)
27  libgklayout.dylib        	0x17ba3021 nsDocument::~nsDocument [not-in-charge]() + 1507 (nsDocument.cpp:875)
28  libgklayout.dylib        	0x17c8c8ca nsHTMLDocument::~nsHTMLDocument [in-charge deleting]() + 678 (nsHTMLDocument.cpp:343)
29  libgklayout.dylib        	0x17bd5d84 nsNodeUtils::LastRelease(nsINode*) + 710 (nsNodeUtils.cpp:229)
30  libgklayout.dylib        	0x17b9df41 nsDocument::Release() + 279 (nsDocument.cpp:927)
31  libgklayout.dylib        	0x17c8a435 nsHTMLDocument::Release() + 23 (nsHTMLDocument.cpp:382)
32  libxpcom_core.dylib      	0x012fa69d nsCOMPtr_base::~nsCOMPtr_base [not-in-charge]() + 69 (nsCOMPtr.cpp:82)
33  libgklayout.dylib        	0x17ff744a nsCOMPtr<nsISupports>::~nsCOMPtr [in-charge]() + 14 (nsCSSFrameConstructor.cpp:929)
34  libgklayout.dylib        	0x1800774c nsEvent::~nsEvent [in-charge]() + 48 (nsGUIEvent.h:375)
35  libgklayout.dylib        	0x17c1d77a nsDOMEvent::~nsDOMEvent [not-in-charge]() + 190 (nsDOMEvent.cpp:141)
36  libgklayout.dylib        	0x1808ca21 nsDOMPageTransitionEvent::~nsDOMPageTransitionEvent [in-charge deleting]() + 93 (nsDOMPageTransitionEvent.h:47)
37  libgklayout.dylib        	0x17c1ddcd nsDOMEvent::Release() + 283 (nsDOMEvent.cpp:156)
38  libgklayout.dylib        	0x17c26ece nsDOMPageTransitionEvent::Release() + 26 (nsDOMPageTransitionEvent.cpp:63)
39  libxpconnect.dylib       	0x02a2dc2f XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) + 2139 (xpcjsruntime.cpp:603)
40  libgklayout.dylib        	0x17d4f1c9 DOMGCCallback(JSContext*, JSGCStatus) + 47 (nsJSEnvironment.cpp:3337)
41  libxpconnect.dylib       	0x02a0a9bf XPCCycleGCCallback(JSContext*, JSGCStatus) + 47 (nsXPConnect.cpp:523)
42  libmozjs.dylib           	0x0105b92d js_GC + 3355 (jsgc.c:2589)
43  libmozjs.dylib           	0x01017b0f JS_GC + 85 (jsapi.c:2360)
44  libxpconnect.dylib       	0x02a0a179 nsXPConnect::BeginCycleCollection() + 409 (nsXPConnect.cpp:573)
45  libxpcom_core.dylib      	0x01368d67 nsCycleCollector::Collect(unsigned) + 215 (nsCycleCollector.cpp:2037)
46  libxpcom_core.dylib      	0x01368ec4 nsCycleCollector_collect() + 48 (nsCycleCollector.cpp:2555)
47  libgklayout.dylib        	0x17d510d9 nsJSContext::Notify(nsITimer*) + 165 (nsJSEnvironment.cpp:3239)
48  libxpcom_core.dylib      	0x0135c79f nsTimerImpl::Fire() + 925 (nsTimerImpl.cpp:387)
49  libxpcom_core.dylib      	0x0135c92b nsTimerEvent::Run() + 191 (nsTimerImpl.cpp:458)
50  libxpcom_core.dylib      	0x01358d97 nsThread::ProcessNextEvent(int, int*) + 627 (nsThread.cpp:491)
51  libxpcom_core.dylib      	0x01302256 NS_ProcessNextEvent_P(nsIThread*, int) + 76 (nsThreadUtils.cpp:227)
52  libwidget_mac.dylib      	0x05034ae2 nsBaseAppShell::Run() + 70 (nsBaseAppShell.cpp:153)
53  libwidget_mac.dylib      	0x05017054 nsAppShell::Run() + 190 (nsAppShell.mm:355)
54  libwidget_mac.dylib      	0x050173d0 -[AppShellDelegate runAppShell] + 36 (nsAppShell.mm:459)
55  com.apple.Foundation     	0x9280a03b __NSFireDelayedPerform + 403
56  com.apple.CoreFoundation 	0x9082d7e2 CFRunLoopRunSpecific + 3341
57  com.apple.CoreFoundation 	0x9082cace CFRunLoopRunInMode + 61
58  com.apple.HIToolbox      	0x92dec8d8 RunCurrentEventLoopInMode + 285
59  com.apple.HIToolbox      	0x92debfe2 ReceiveNextEventCommon + 385
60  com.apple.HIToolbox      	0x92debe39 BlockUntilNextEventMatchingListInMode + 81
61  com.apple.AppKit         	0x93292465 _DPSNextEvent + 572
62  com.apple.AppKit         	0x93292056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
63  com.apple.AppKit         	0x9328bddb -[NSApplication run] + 512
64  libwidget_mac.dylib      	0x05017028 nsAppShell::Run() + 146 (nsAppShell.mm:352)
65  libtoolkitcomps.dylib    	0x1669773f nsAppStartup::Run() + 147 (nsAppStartup.cpp:170)
66  XUL                      	0x0020fbbc XRE_main + 11592 (nsAppRunner.cpp:3057)
67  org.mozilla.firefox      	0x00002798 main + 708 (nsBrowserApp.cpp:153)
68  org.mozilla.firefox      	0x00001dca _start + 216
69  org.mozilla.firefox      	0x00001cf1 start + 41
(I'm using a debug build of Firefox trunk on Mac.)
Attached patch Proposed fix (obsolete) (deleted) — Splinter Review
This should fix this by:
a) Making sure we only use valid XPCCallContexts -- valid means that we, at the very least, have a context (which is what this bug is about).
b) Using the safe context in the finalizer so we don't run into the problem of a weird context causing us to leave XOWs in the map.
Assignee: general → mrbkap
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #274426 - Flags: superreview?(jst)
Attachment #274426 - Flags: review?(jst)
Assignee: mrbkap → nobody
Status: ASSIGNED → NEW
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Assignee: nobody → mrbkap
Comment on attachment 274426 [details] [diff] [review]
Proposed fix

 GetSecurityManager(JSContext *cx)
 {
   XPCCallContext ccx(JS_CALLER, cx);
+  NS_ENSURE_TRUE(ccx.IsValid(), nsnull);
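Review bot: callers are not shown handling the nsnull that the added NS_ENSURE_TRUE line returns when ccx is invalid. For a security-manager lookup each caller should fail closed, treating nsnull as an error that aborts the operation rather than as a reason to skip the check. Suggest updating the callers in the same patch and documenting the null return next to GetSecurityManager.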

Seems getting at a security manager would be rather important. Is there other code that guarantees that we do the right thing if we hit an invalid ccx here?
Flags: blocking1.9+
Target Milestone: --- → mozilla1.9 M7
Attached patch Updated (deleted) — Splinter Review
Good point. I went through the callers of GetSecurityManager, and made them return failure if we can't get a security manager for whatever reason.
Attachment #274426 - Attachment is obsolete: true
Attachment #274479 - Flags: superreview?(jst)
Attachment #274479 - Flags: review?(jst)
Attachment #274426 - Flags: superreview?(jst)
Attachment #274426 - Flags: review?(jst)
Attachment #274479 - Flags: superreview?(jst)
Attachment #274479 - Flags: superreview+
Attachment #274479 - Flags: review?(jst)
Attachment #274479 - Flags: review+
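A simplified C++ model of the two points in the patch description (validate the call context, use a safe context in the finalizer) and of the follow-up change that makes GetSecurityManager's callers return failure. It is an added illustration, not the patch or any Mozilla source; Runtime, Context, CallContext, CheckAccess and FinalizeWrapper are hypothetical stand-ins.

```cpp
// Added illustration: simplified model, NOT Mozilla source. All names are hypothetical.
#include <map>

struct Runtime { std::map<int, const char*> wrapperMap; };  // wrapper id -> wrapped object
struct Context { Runtime* rt; };

class CallContext {
public:
    explicit CallContext(Context* cx) : mCx(cx) {}
    // "Valid" here means, at the very least, that we have a context.
    bool IsValid() const { return mCx != nullptr; }
    // Dereferences mCx: calling this on an invalid call context is the null
    // dereference seen at the top of the crash stack.
    Runtime* GetRuntime() const { return mCx->rt; }
private:
    Context* mCx;
};

struct SecurityManager {
    bool SameOrigin(int a, int b) const { return a == b; }
};
static SecurityManager gManager;

// (a) Refuse to proceed on an invalid call context instead of dereferencing it.
SecurityManager* GetSecurityManager(Context* cx) {
    CallContext ccx(cx);
    if (!ccx.IsValid()) return nullptr;
    return &gManager;
}

enum class Access { Allowed, Denied, Failed };

// Caller fails closed: a missing manager is an error, never an implicit "allow".
Access CheckAccess(Context* cx, int subject, int target) {
    SecurityManager* sm = GetSecurityManager(cx);
    if (!sm) return Access::Failed;
    return sm->SameOrigin(subject, target) ? Access::Allowed : Access::Denied;
}

// (b) Finalizer: the context that triggered GC may be unusable, so reach the
// wrapper map through a known-good safe context and always erase the entry.
bool FinalizeWrapper(Context* gcCx, Context* safeCx, int wrapperId) {
    (void)gcCx;  // deliberately unused: not trustworthy during context destruction
    CallContext ccx(safeCx);
    if (!ccx.IsValid()) return false;
    return ccx.GetRuntime()->wrapperMap.erase(wrapperId) == 1;
}
```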
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Blocks: 389753
Crash Signature: [@ XPCContext::GetRuntime]