238218 - M17beta topcrash [@ nsJSContext::DOMBranchCallback ]

Status: VERIFIED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[chris hofmann]

Not much helpful in the comments but looks like something at startup.

this is the number 2 top crash in very early 1.7beta data

    Crash date range: 19-MAR-04 to 21-MAR-04
     Min/Max Seconds since last crash: 1 - 144623
     Min/Max Runtime: 1 - 144623
 
     Count   Platform List 
     9   [Windows NT 5.1 build 2600]   
     6   [Windows NT 5.0 build 2195]   
     2   [Windows 98 4.10 build 67766446]   
     1   [Windows 98 4.90 build 73010104]   
 
     Count   Build Id List 
     18   2004031615
 
     No of Unique Users        15
 
 Stack trace(Frame) 

	 nsJSContext::DOMBranchCallback
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp
 line 417] 
	 js_Interpret
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 1671] 
	 js_Invoke
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 959] 
	 js_InternalInvoke
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 1036] 
	 js_InternalGetOrSet
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 1079] 
	 js_GetProperty
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c  line
2673] 
	 JS_GetProperty
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c  line
2472] 
	 nsXPCWrappedJSClass::CallMethod
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp
 line 1316] 
	 nsXPCWrappedJS::CallMethod
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp
 line 450] 
	 PrepareAndDispatch
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
 line 119] 
	 SharedStub
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
 line 147] 
	 MessageWindow::WindowProc
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsNativeAppSupportWin.cpp
 line 975] 
	 USER32.dll + 0x3eb0 (0x77e03eb0)  
	 USER32.dll + 0x591b (0x77e0591b)  
	 USER32.dll + 0x595d (0x77e0595d)  
	 ntdll.dll + 0x1fb83 (0x77f9fb83)  
	 USER32.dll + 0x69a7 (0x77e069a7)  
	 USER32.dll + 0x3eb0 (0x77e03eb0)  
	 USER32.dll + 0x591b (0x77e0591b)  
	 USER32.dll + 0x595d (0x77e0595d)  
	 ntdll.dll + 0x1fb83 (0x77f9fb83)  
	 USER32.dll + 0x4b2e (0x77e04b2e)  
	 PeekKeyAndIMEMessage
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp
 line 91] 
	 nsAppShell::Run
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp
 line 138] 
	 nsAppShellService::Run
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp
 line 524] 
	 main1
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp
 line 1308] 
	 main
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp
 line 1712] 
	 WinMain
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp
 line 1734] 
	 WinMainCRTStartup()  
	 KERNEL32.DLL + 0x7903 (0x77e77903)   
 
     (2845)	Comments: after OS loaded netscape has broken
     (2389)	Comments: I have just restartde my pc !
     (2344)	Comments: actualy I can't make it work. So  I use WinXP and it used
to work fine  however  after I have reinstalled the system it stoped.  When I
click on the Netscape icon on my desktop nothing hapen. I have tried to
reinstall the browser many times  but the
     (2344)	Comments:  result is the same. I wonder if you could help me  I
realy like Netscape much more then Microsoft IE. Thank you for your help.  it-s
     (2152)	Comments: cvbxcbcxvb

Comment 1

[Nicholas Allen]

This crash looks like it was exposed by removing the null check on ctx.  That
was done in bug 13350 because the consensus was that it's bogus to have a
context whose private data is not a valid context.

Comment 2

[Brendan Eich [:brendan]]

Argh.  The XPConnect "safe context" is not so safe, after all.  Why does it have
the DOMBranchCallback configured on it, but no nsJSContext as private data?  The
two should go together.

jst, I'm inferring that this is the safe context, because the stack shows JS
being called from C++ without any underlying JS-API-invoked JS active on the
main thread stack.  Can you diagnose and suggest a 1.7 fix?  Obviously we can
restore the nul check, but it would be better if we can fix the flagrant
inconsistency between the context's branch callback and its private data.

/be

Comment 3

[Johnny Stenback (:jst)]

Attachment: Clear the branch callback on nsJSContext destruction

Thanks to brendan for helping track this down. This is needed since XPConnect
sometimes defers destruction of JSContexts when its told to destroy a
JSContext, so it's possible for JS to run on a context whose nsJSContext has
been destroyed.

Comment 4

[Brendan Eich [:brendan]]

Comment on attachment 144622 [details] [diff] [review]
Clear the branch callback on nsJSContext destruction

Comment citing this bug, or at least talking about how XPConnect defers
destruction till the stack unwinds.

I forget exactly how we can be closing a window and still running JS on the
context for it, but I can believe it (chrome JS, presumably; modal dialog?
http://bugzilla.mozilla.org/show_bug.cgi?id=94752#c17 and below may say, but at
a glance they seem to find a different context active below the one whose
nsJSContext is being destroyed...).

/be

Comment 5

[Johnny Stenback (:jst)]

Comment on attachment 144622 [details] [diff] [review]
Clear the branch callback on nsJSContext destruction

Comment added locally, citing this bug.

Requesting approval to land this for 1.7.

Comment 6

[chris hofmann]

Comment on attachment 144622 [details] [diff] [review]
Clear the branch callback on nsJSContext destruction

a=chofmann for 1.7

Comment 7

[Johnny Stenback (:jst)]

Fix checked in.

Comment 8

[Brendan Eich [:brendan]]

*** Bug 241050 has been marked as a duplicate of this bug. ***

Comment 9

[Jay Patel [:jay]]

Reopening since I'm seeing quite a few of these crashes with Mozilla 1.7 RC1. 
Here is a recent Talkback incident:

Incident ID: 28665
Stack Signature	nsJSContext::DOMBranchCallback e1b894d7
Email Address	
Product ID	Mozilla17
Build ID	2004042109
Trigger Time	2004-04-23 11:21:11.0
Platform	Win32
Operating System	Windows NT 5.0 build 2195
Module	gklayout.dll + (0014ca14)
URL visited	
User Comments	
Since Last Crash	sec
Total Uptime	sec
Trigger Reason	Access violation
Source File Name
d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp
Trigger Line No.	417
Stack Trace 	
nsJSContext::DOMBranchCallback
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 417]
js_Interpret
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1671]
js_Invoke
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 959]
js_InternalInvoke
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1036]
js_InternalGetOrSet
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1079]
js_GetProperty
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2679]
JS_GetProperty
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 2490]
nsXPCWrappedJSClass::CallMethod
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 1316]
nsXPCWrappedJS::CallMethod
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 450]
PrepareAndDispatch
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 119]
SharedStub
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 147]
MessageWindow::WindowProc
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsNativeAppSupportWin.cpp,
line 975]
USER32.dll + 0x1ef0 (0x77e01ef0)
USER32.dll + 0x3869 (0x77e03869)
USER32.dll + 0x38ab (0x77e038ab)
ntdll.dll + 0x1ff57 (0x7847ff57)
USER32.dll + 0x343f (0x77e0343f)
USER32.dll + 0x1ef0 (0x77e01ef0)
USER32.dll + 0x3d1e (0x77e03d1e)
USER32.dll + 0x6e9b (0x77e06e9b)
nsWindow::WindowProc
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1361]
USER32.dll + 0x1ef0 (0x77e01ef0)
USER32.dll + 0x3869 (0x77e03869)
USER32.dll + 0x38ab (0x77e038ab)
ntdll.dll + 0x1ff57 (0x7847ff57)
USER32.dll + 0x18ec (0x77e018ec)
PeekKeyAndIMEMessage
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp,
line 91]
nsAppShell::Run
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp,
line 138]
nsAppShellService::Run
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 524]
main1
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1313]
main
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1783]
WinMain
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1809]
WinMainCRTStartup()
KERNEL32.DLL + 0x11af6 (0x77e81af6)

Updating summary with M17rc1 for tracking.

Comment 10

[Brendan Eich [:brendan]]

bz filed a new bug, can we use that?  I think we fixed this one, and the
repeated signature is due to another bug.  jst, you concur?

/be

Comment 11

[Jay Patel [:jay]]

Ok, return M17beta to summary and marking fixed.  We can track the more recent
crashes in bug 241050.

Comment 12

[Jay Patel [:jay]]

Verified fixed based on latest Talkback data for MozillaTrunk and Mozilla 1.7 rc1.