Closed
Bug 390083
Opened 17 years ago
Closed 17 years ago
Frequent crashes [@ XPCContext::GetRuntime] during GC after closing a tab
Categories
(Core :: XPConnect, defect)
RESOLVED
FIXED
mozilla1.9alpha7
People
(Reporter: jruderman, Assigned: mrbkap)
Details
(Keywords: crash, dogfood, regression)
Attachments
(1 file, 1 obsolete file)
patch (deleted): jst: review+, jst: superreview+
I got this crash twice in the last hour, both times after closing a tab to return to a bug list.
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
Thread 0 Crashed:
0 libxpconnect.dylib 0x02a6f187 XPCContext::GetRuntime() const + 9 (xpcprivate.h:757)
1 libxpconnect.dylib 0x02a6f6cf XPCCallContext::GetRuntime() const + 39 (xpcprivate.h:85)
2 libxpconnect.dylib 0x02a51e3c XPCWrappedNativeScope::FindInJSObjectScope(XPCCallContext&, JSObject*, int) + 128 (xpcwrappednativescope.cpp:676)
3 libxpconnect.dylib 0x02a57be7 XPC_XOW_Finalize(JSContext*, JSObject*) + 139 (XPCCrossOriginWrapper.cpp:711)
4 libmozjs.dylib 0x0108aea5 js_FinalizeObject + 136 (jsobj.c:2788)
5 libmozjs.dylib 0x0105b51e js_GC + 2316 (jsgc.c:2448)
6 libmozjs.dylib 0x010288fc js_DestroyContext + 600 (jscntxt.c:432)
7 libmozjs.dylib 0x01015383 JS_DestroyContext + 25 (jsapi.c:986)
8 libxpconnect.dylib 0x02a094e5 nsXPConnect::ReleaseJSContext(JSContext*, int) + 349 (nsXPConnect.cpp:1857)
9 libgklayout.dylib 0x17d4df08 nsJSContext::~nsJSContext [in-charge deleting]() + 344 (nsJSEnvironment.cpp:1024)
10 libgklayout.dylib 0x17d4e5c9 nsJSContext::Release() + 285 (nsJSEnvironment.cpp:1091)
11 libgklayout.dylib 0x18068b7e nsCOMPtr<nsIScriptContext>::assign_assuming_AddRef(nsIScriptContext*) + 94 (nsContentUtils.cpp:568)
12 libgklayout.dylib 0x18068bb0 nsCOMPtr<nsIScriptContext>::assign_with_AddRef(nsISupports*) + 48 (nsContentUtils.cpp:1236)
13 libgklayout.dylib 0x18069d74 nsCOMPtr<nsIScriptContext>::operator=(nsIScriptContext*) + 24 (nsCOMPtr.h:714)
14 libgklayout.dylib 0x17d0beee nsXBLDocGlobalObject::SetContext(nsIScriptContext*) + 40 (nsXBLDocumentInfo.cpp:256)
15 libgklayout.dylib 0x17d0c036 nsXBLDocGlobalObject::SetScriptContext(unsigned, nsIScriptContext*) + 86 (nsXBLDocumentInfo.cpp:278)
16 libgklayout.dylib 0x17d0bc29 nsXBLDocumentInfo::~nsXBLDocumentInfo [in-charge deleting]() + 123 (nsXBLDocumentInfo.cpp:501)
17 libgklayout.dylib 0x17d0b76f nsXBLDocumentInfo::Release() + 283 (nsXBLDocumentInfo.cpp:472)
18 libgklayout.dylib 0x180d9462 nsCOMPtr<nsIXBLDocumentInfo>::~nsCOMPtr [in-charge]() + 66 (nsCOMPtr.h:583)
19 libgklayout.dylib 0x180dd890 nsBaseHashtableET<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo> >::~nsBaseHashtableET [in-charge]() + 20 (nsBaseHashtable.h:312)
20 libgklayout.dylib 0x180dd8b1 nsTHashtable<nsBaseHashtableET<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo> > >::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) + 17 (nsTHashtable.h:391)
21 libxpcom_core.dylib 0x012f7af5 PL_DHashTableFinish + 166 (pldhash.c:375)
22 libgklayout.dylib 0x180dbffb nsTHashtable<nsBaseHashtableET<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo> > >::~nsTHashtable [not-in-charge]() + 27 (nsTHashtable.h:312)
23 libgklayout.dylib 0x180dc025 nsBaseHashtable<nsURIHashKey, nsCOMPtr<nsIXBLDocumentInfo>, nsIXBLDocumentInfo*>::~nsBaseHashtable [not-in-charge]() + 17 (nsBaseHashtable.h:84)
24 libgklayout.dylib 0x180dc04d nsInterfaceHashtable<nsURIHashKey, nsIXBLDocumentInfo>::~nsInterfaceHashtable [in-charge]() + 17 (nsInterfaceHashtable.h:56)
25 libgklayout.dylib 0x17d1f017 nsBindingManager::~nsBindingManager [in-charge]() + 207 (nsBindingManager.cpp:406)
26 libgklayout.dylib 0x17d1f140 nsBindingManager::Release() + 276 (nsBindingManager.cpp:383)
27 libgklayout.dylib 0x17ba3021 nsDocument::~nsDocument [not-in-charge]() + 1507 (nsDocument.cpp:875)
28 libgklayout.dylib 0x17c8c8ca nsHTMLDocument::~nsHTMLDocument [in-charge deleting]() + 678 (nsHTMLDocument.cpp:343)
29 libgklayout.dylib 0x17bd5d84 nsNodeUtils::LastRelease(nsINode*) + 710 (nsNodeUtils.cpp:229)
30 libgklayout.dylib 0x17b9df41 nsDocument::Release() + 279 (nsDocument.cpp:927)
31 libgklayout.dylib 0x17c8a435 nsHTMLDocument::Release() + 23 (nsHTMLDocument.cpp:382)
32 libxpcom_core.dylib 0x012fa69d nsCOMPtr_base::~nsCOMPtr_base [not-in-charge]() + 69 (nsCOMPtr.cpp:82)
33 libgklayout.dylib 0x17ff744a nsCOMPtr<nsISupports>::~nsCOMPtr [in-charge]() + 14 (nsCSSFrameConstructor.cpp:929)
34 libgklayout.dylib 0x1800774c nsEvent::~nsEvent [in-charge]() + 48 (nsGUIEvent.h:375)
35 libgklayout.dylib 0x17c1d77a nsDOMEvent::~nsDOMEvent [not-in-charge]() + 190 (nsDOMEvent.cpp:141)
36 libgklayout.dylib 0x1808ca21 nsDOMPageTransitionEvent::~nsDOMPageTransitionEvent [in-charge deleting]() + 93 (nsDOMPageTransitionEvent.h:47)
37 libgklayout.dylib 0x17c1ddcd nsDOMEvent::Release() + 283 (nsDOMEvent.cpp:156)
38 libgklayout.dylib 0x17c26ece nsDOMPageTransitionEvent::Release() + 26 (nsDOMPageTransitionEvent.cpp:63)
39 libxpconnect.dylib 0x02a2dc2f XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) + 2139 (xpcjsruntime.cpp:603)
40 libgklayout.dylib 0x17d4f1c9 DOMGCCallback(JSContext*, JSGCStatus) + 47 (nsJSEnvironment.cpp:3337)
41 libxpconnect.dylib 0x02a0a9bf XPCCycleGCCallback(JSContext*, JSGCStatus) + 47 (nsXPConnect.cpp:523)
42 libmozjs.dylib 0x0105b92d js_GC + 3355 (jsgc.c:2589)
43 libmozjs.dylib 0x01017b0f JS_GC + 85 (jsapi.c:2360)
44 libxpconnect.dylib 0x02a0a179 nsXPConnect::BeginCycleCollection() + 409 (nsXPConnect.cpp:573)
45 libxpcom_core.dylib 0x01368d67 nsCycleCollector::Collect(unsigned) + 215 (nsCycleCollector.cpp:2037)
46 libxpcom_core.dylib 0x01368ec4 nsCycleCollector_collect() + 48 (nsCycleCollector.cpp:2555)
47 libgklayout.dylib 0x17d510d9 nsJSContext::Notify(nsITimer*) + 165 (nsJSEnvironment.cpp:3239)
48 libxpcom_core.dylib 0x0135c79f nsTimerImpl::Fire() + 925 (nsTimerImpl.cpp:387)
49 libxpcom_core.dylib 0x0135c92b nsTimerEvent::Run() + 191 (nsTimerImpl.cpp:458)
50 libxpcom_core.dylib 0x01358d97 nsThread::ProcessNextEvent(int, int*) + 627 (nsThread.cpp:491)
51 libxpcom_core.dylib 0x01302256 NS_ProcessNextEvent_P(nsIThread*, int) + 76 (nsThreadUtils.cpp:227)
52 libwidget_mac.dylib 0x05034ae2 nsBaseAppShell::Run() + 70 (nsBaseAppShell.cpp:153)
53 libwidget_mac.dylib 0x05017054 nsAppShell::Run() + 190 (nsAppShell.mm:355)
54 libwidget_mac.dylib 0x050173d0 -[AppShellDelegate runAppShell] + 36 (nsAppShell.mm:459)
55 com.apple.Foundation 0x9280a03b __NSFireDelayedPerform + 403
56 com.apple.CoreFoundation 0x9082d7e2 CFRunLoopRunSpecific + 3341
57 com.apple.CoreFoundation 0x9082cace CFRunLoopRunInMode + 61
58 com.apple.HIToolbox 0x92dec8d8 RunCurrentEventLoopInMode + 285
59 com.apple.HIToolbox 0x92debfe2 ReceiveNextEventCommon + 385
60 com.apple.HIToolbox 0x92debe39 BlockUntilNextEventMatchingListInMode + 81
61 com.apple.AppKit 0x93292465 _DPSNextEvent + 572
62 com.apple.AppKit 0x93292056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
63 com.apple.AppKit 0x9328bddb -[NSApplication run] + 512
64 libwidget_mac.dylib 0x05017028 nsAppShell::Run() + 146 (nsAppShell.mm:352)
65 libtoolkitcomps.dylib 0x1669773f nsAppStartup::Run() + 147 (nsAppStartup.cpp:170)
66 XUL 0x0020fbbc XRE_main + 11592 (nsAppRunner.cpp:3057)
67 org.mozilla.firefox 0x00002798 main + 708 (nsBrowserApp.cpp:153)
68 org.mozilla.firefox 0x00001dca _start + 216
69 org.mozilla.firefox 0x00001cf1 start + 41
Comment 1 • 17 years ago (Reporter)
(I'm using a debug build of Firefox trunk on Mac.)
Comment 2 • 17 years ago (Assignee)
This should fix this by:
a) Making sure we only use valid XPCCallContexts -- valid means that we, at the very least, have a context (which is what this bug is about).
b) Using the safe context in the finalizer so we don't run into the problem of a weird context causing us to leave XOWs in the map.
Assignee: general → mrbkap
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #274426 - Flags: superreview?(jst)
Attachment #274426 - Flags: review?(jst)
Assignee: mrbkap → nobody
Status: ASSIGNED → NEW
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Comment 3 • 17 years ago
Comment on attachment 274426
Proposed fix
GetSecurityManager(JSContext *cx)
{
XPCCallContext ccx(JS_CALLER, cx);
+ NS_ENSURE_TRUE(ccx.IsValid(), nsnull);
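Review bot: in GetSecurityManager, the added NS_ENSURE_TRUE(ccx.IsValid(), nsnull) makes nsnull an ordinary return value whenever the call context is invalid, and nothing in the quoted lines tells callers that. Suggest documenting at the function that a null result means no manager is available and must be treated as failure, and checking that each call site fails the operation on null instead of skipping the security check.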
Seems getting at a security manager would be rather important. Is there other code that guarantees that we do the right thing if we hit an invalid ccx here?
Updated • 17 years ago
Flags: blocking1.9+
Target Milestone: --- → mozilla1.9 M7
Comment 4 • 17 years ago (Assignee)
Good point. I went through the callers of GetSecurityManager, and made them return failure if we can't get a security manager for whatever reason.
Attachment #274426 - Attachment is obsolete: true
Attachment #274479 - Flags: superreview?(jst)
Attachment #274479 - Flags: review?(jst)
Attachment #274426 - Flags: superreview?(jst)
Attachment #274426 - Flags: review?(jst)
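A minimal model of the two-part fix described in comments 2 and 4, added here as an illustration; it is not the attached patch or Mozilla code. Context, CallContext, wrapperMap and gSafeContext are simplified, hypothetical stand-ins for XPCContext, XPCCallContext, the XOW map and the safe context.

```cpp
// Simplified stand-ins for XPCContext, XPCCallContext and the XOW map.
// Added illustration only; not Mozilla code and not the attached patch.
#include <map>

struct Runtime { std::map<int, int> wrapperMap; };  // object id -> wrapper id
struct Context { Runtime* runtime; };               // null once torn down
struct SecurityManager { bool allow; };

class CallContext {
public:
    explicit CallContext(Context* cx) : mCx(cx) {}
    // "Valid" means that, at the very least, there is a context behind it.
    bool IsValid() const { return mCx != nullptr && mCx->runtime != nullptr; }
    Runtime* GetRuntime() const { return IsValid() ? mCx->runtime : nullptr; }
private:
    Context* mCx;
};

static Runtime gRuntime;
static Context gSafeContext = { &gRuntime };  // hypothetical always-live context
static SecurityManager gManager = { true };

// Part (a): refuse to hand out a manager through an invalid call context.
SecurityManager* GetSecurityManager(Context* cx) {
    CallContext ccx(cx);
    if (!ccx.IsValid()) return nullptr;
    return &gManager;
}

// Comment 4: callers fail the operation when no manager is available.
bool CanAccess(Context* cx) {
    SecurityManager* sm = GetSecurityManager(cx);
    return sm != nullptr && sm->allow;
}

// Part (b): the finalizer ignores the context the GC passes in (it may be
// mid-destruction) and uses the safe context, so the map entry always goes.
bool FinalizeWrapper(Context* /*dying*/, int objectId) {
    CallContext ccx(&gSafeContext);
    if (!ccx.IsValid()) return false;
    return ccx.GetRuntime()->wrapperMap.erase(objectId) == 1;
}

int main() {
    Context dying = { nullptr };  // constructed sample: context being destroyed
    gRuntime.wrapperMap[7] = 70;
    return (!CanAccess(&dying) && FinalizeWrapper(&dying, 7)) ? 0 : 1;
}
```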
Updated • 17 years ago
Attachment #274479 - Flags: superreview?(jst)
Attachment #274479 - Flags: superreview+
Attachment #274479 - Flags: review?(jst)
Attachment #274479 - Flags: review+
Comment 5 • 17 years ago (Assignee)
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Crash Signature: [@ XPCContext::GetRuntime]