Closed
Bug 287861
Opened 19 years ago
Closed 19 years ago
event queue code ignores creation error, crashes on null mEventQueue
Categories
(Core :: XPCOM, defect)
Core
XPCOM
Tracking
()
RESOLVED
FIXED
People
(Reporter: brendan, Assigned: brendan)
References
Details
(Keywords: crash, Whiteboard: [greasemonkey])
Attachments
(2 files, 2 obsolete files)
11.16 KB,
patch
|
dougt
:
review+
darin.moz
:
superreview+
|
Details | Diff | Splinter Review |
4.46 KB,
patch
|
Details | Diff | Splinter Review |
I ran into this by installing greasemonkey and surfing around. Patch with narrative analysis: #0 0x0058b7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2 #1 0x007f1734 in raise () from /lib/tls/libpthread.so.0 #2 0x0805556a in nsProfileLock::FatalSignalHandler () #3 <signal handler called> Crashing on null |queue| here: #4 0xf6f4f9be in PL_IsQueueNative () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libxpcom.so Called from here with null |mEventQueue|: #5 0xf6f50c00 in nsEventQueueImpl::NotifyObservers () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libxpcom.so Called from here: #6 0xf6f50d79 in nsEventQueueImpl::InitFromPRThread () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libxpcom.so with aNative true, so PL_CreateNativeEventQueue must have failed. Looking at PL_CreateNativeEventQueue, the only way its _pl_CreateEventQueue can fail other than OOM is if _pl_SetupNativeNotifier fails. Looking there, I see a pipe(2) call, which can fail on file table overflow. Are we (in combination with greasemonkey, but it can't be solely to blame) leaking fds? In any event, nsEventQueueImpl::InitFromPRThread is clearly broken -- it fails to check for PL_Create*EventQueue failure and therefore pass let a null mEventQueue in |this| flow into NotifyObservers, etc. It should propagate the error to its caller with an early return. #7 0xf6f51c77 in nsEventQueueServiceImpl::MakeNewQueue () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libxpcom.so #8 0xf6f521a4 in nsEventQueueServiceImpl::PushThreadEventQueue () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libxpcom.so #9 0xf6657f78 in nsXMLDocument::Load () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/components/libgklayout.so #10 0xf6f685c9 in XPTC_InvokeByIndex () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libxpcom.so #11 0xf6c09e2e in XPCWrappedNative::CallMethod () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/components/libxpconnect.so #12 0xf6c0fb26 in XPC_WN_CallMethod () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/components/libxpconnect.so #13 0xf6fc97bc in js_Invoke () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libmozjs.so GreaseMonkey (chrome://greasemonkey/content/greasemonkey.js), trying to load a default-config.xml user script at the *'d line: this.load = function() { var doc = document.implementation.createDocument("", "", null); doc.async = false; try { doc.load(getScriptChrome("config.xml")); } catch (exc) { * doc.load(getScriptChrome("default-config.xml")); } . . . } #14 0xf6fc0c1a in js_Interpret () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libmozjs.so #15 0xf6fc9881 in js_Invoke () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libmozjs.so #16 0xf6c0630a in nsXPCWrappedJSClass::CallMethod () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/components/libxpconnect.so #17 0xf6c024e6 in nsXPCWrappedJS::CallMethod () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/components/libxpconnect.so #18 0xf6f690e1 in PrepareAndDispatch () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/libxpcom.so #19 0xf65784f7 in nsEventListenerManager::HandleEventSubType () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/components/libgklayout.so #20 0xf6578f69 in nsEventListenerManager::HandleEvent () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/components/libgklayout.so #21 0xf66ff6fc in nsXULElement::HandleDOMEvent () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/components/libgklayout.so #22 0xf66ff7dd in nsXULElement::HandleDOMEvent () from /home/brendan/src/firefox1.0.1/mozilla/dist/bin/components/libgklayout.so Patch next. /be
Assignee | ||
Comment 1•19 years ago
|
||
Note that if we are leaking fds (possibly due to greasemonkey attempting to load lots of XML docs), I should have reached a state where I couldn't load other types of docs. I didn't see that (but of course, I crashed right after pipe presumably failed, possibly due to too many open files per process being reached, so there *could* be a leak). So I've added a printf to plevent.c right after pipe fails. I'll report here if I see that printf. /be
Assignee | ||
Updated•19 years ago
|
Attachment #178694 -
Flags: superreview?(darin)
Attachment #178694 -
Flags: review?(danm.moz)
Assignee | ||
Comment 2•19 years ago
|
||
Comment on attachment 178694 [details] [diff] [review] proposed fix This is a 1.0.1 branch patch, but it applies to the trunk too. /be
Assignee | ||
Updated•19 years ago
|
Whiteboard: [greasemonkey]
this is a subset of the changes from bug 215085. which i was planning on resurrecting because i recently revisited eventqueue's (there's some live bug about onfocus=alert which results in us exhausting a system resource and the eventqueue code crashes because it makes a really bogus assertion about windows never failing to create windows...).
Comment 4•19 years ago
|
||
Comment on attachment 178694 [details] [diff] [review] proposed fix looks good to me. do callers of these functions handle these errors properly?
Attachment #178694 -
Flags: superreview?(darin) → superreview+
Assignee | ||
Comment 5•19 years ago
|
||
Comment on attachment 178694 [details] [diff] [review] proposed fix I forgot to patch this hunk, which comes just before the one hunk shown for nsEventQueue.cpp: @@ -145,16 +145,18 @@ nsEventQueueImpl::~nsEventQueueImpl() NS_IMETHODIMP nsEventQueueImpl::Init(PRBool aNative) { PRThread *thread = PR_GetCurrentThread(); if (aNative) mEventQueue = PL_CreateNativeEventQueue("Thread event queue...", thread); else mEventQueue = PL_CreateMonitoredEventQueue("Thread event queue...", thread); + if (!mEventQueue) + return NS_ERROR_FAILURE; NotifyObservers(gActivatedNotification); return NS_OK; } NS_IMETHODIMP nsEventQueueImpl::InitFromPRThread(PRThread* thread, PRBool aNative) { if (thread == NS_CURRENT_THREAD) darin: the callers can be chased from http://lxr.mozilla.org/mozilla/search?string=InitFromPRThread -- I looked until I got sleepy, all was well (if you include the stylized checking done after the fact at http://lxr.mozilla.org/mozilla/source/xpfe/appshell/src/nsXULWindow.cpp#1736). Asking dougt for r=, I don't think danm.moz is doing Mozilla stuff right now (or ever again -- wahhh). /be
Attachment #178694 -
Flags: review?(danm.moz) → review?(dougt)
Assignee | ||
Updated•19 years ago
|
Assignee: dougt → brendan
the failure is due to a lack of resources, we tend to use oom for that instead of generic failure.
Comment 7•19 years ago
|
||
Comment on attachment 178694 [details] [diff] [review] proposed fix Be sure to indent mEventQTable.Put in nsEventQueueService.cpp. I can't tell if you missed it. There is a bit of inconsistency in error checking after MakeNewQueue. Is it enough to just check to see if queue is non-null before putting it into the mEventQTable or do we also have to ensure that MakeNewQueue doesn't return failure? Either way, lets make both calls to MakeNewQueue do the same error check.
Assignee | ||
Comment 8•19 years ago
|
||
timeless: pipe(2) failure is not "out of memory" except in a strained sense. If we don't have an EMFILE (see errno(3)) analogue, I'd rather just "fail". dougt: that patch is a diff -w (I cleaned up whitespace elsewhere in the file), see the diff options at the top -- hence the appearance of unindented code. Everything's lined up right in vi (and no tabs). In the patch, all cases of MakeNewQueue callers propagate failing rv from that method. The differences are due to my attempt to minimize change, and to avoid duplicating PR_ExitMonitor call where possible (one of the two cases). If you think it's important to have the same early-return-or-not control flow in both cases, I'll have to use an else in the second ("or-not" -- can't early return there because of a later nsCOMPtr in the enclosing block scope). /be
Assignee | ||
Comment 9•19 years ago
|
||
and an else in the second case will overindent a whole bunch of existing code, but hey, it's a diff -w. Here you go. /be
Attachment #178893 -
Flags: superreview?(darin)
Attachment #178893 -
Flags: review?(dougt)
Comment 10•19 years ago
|
||
i think consistency is more important than the early return. Either check the out, return, or both.
Assignee | ||
Comment 11•19 years ago
|
||
dougt: then how about the second patch? /be
Assignee | ||
Comment 12•19 years ago
|
||
Comment on attachment 178893 [details] [diff] [review] alterna-patch Oh, dougt wanted rv tested in both call sites. New patch in a trice (doug, I didn't deCOMtaminate -- I wanted to avoid owning too much code here, and I wanted MakeNewQueue to be in charge of its own failure code). /be
Attachment #178893 -
Attachment is obsolete: true
Attachment #178893 -
Flags: superreview?(darin)
Attachment #178893 -
Flags: review?(dougt)
Assignee | ||
Comment 13•19 years ago
|
||
Remember, this is a diff -w. /be
Attachment #178969 -
Flags: superreview?(darin)
Attachment #178969 -
Flags: review?(dougt)
Assignee | ||
Comment 14•19 years ago
|
||
Sorry, changed patch filename conventions mid-stream. /be
Updated•19 years ago
|
Attachment #178694 -
Attachment is obsolete: true
Updated•19 years ago
|
Attachment #178969 -
Flags: review?(dougt) → review+
Updated•19 years ago
|
Attachment #178969 -
Flags: superreview?(darin) → superreview+
Assignee | ||
Comment 15•19 years ago
|
||
Fixed. /be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 16•19 years ago
|
||
Comment on attachment 178694 [details] [diff] [review] proposed fix (Clearing old review flag)
Attachment #178694 -
Flags: review?(dougt)
Comment 17•18 years ago
|
||
*** Bug 241146 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•