Closed Bug 292027 Opened 20 years ago Closed 20 years ago

code to release nsISupportsWeakReference wrapped JS objects crashes when GC repeats

Categories

(Core :: XPConnect, defect, P1)

Product:
Core
Component:
XPConnect
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta2

People

(Reporter: dbaron, Assigned: dbaron)

References

Details

(Whiteboard: [patch])

Attachments

(1 file)

patch
10.10 KB, patch
jst
: review+
brendan
: superreview+
brendan
: approval1.8b3+
Details | Diff | Splinter Review
The code to handling nsXPCWrappedJS objects that implement nsISupportsWeakReference can crash when js_GC does more than one pass of garbage collection. I'm running into this crash with my patch to bug 241518. The problem is the following: XPCJSRuntime::GCCallback deals with self->mWrappedJSToReleaseArray in two places, a JSGC_MARK_END callback and a JSGC_END callback. In the first, it calls JS_IsAboutToBeFinalized on the JS object for each wrapper that could be finalized. In the second, it releases those wrappers. This all works fine if js_GC doesn't "goto repeat". However, when it does, JSGC_MARK_END can be called multiple times before JSGC_END is called. When the second call happens, the objects for which JS_IsAboutToBeFinalized was true have *already* been finalized, but the nsXPCWrappedJS has a dangling mJSObj pointer, so we crash calling JS_IsAboutToBeFinalized on a JSObject that was already finalized: js_IsAboutToBeFinalized JS_IsAboutToBeFinalized (/builds/trunk/mozilla/js/src/jsapi.c:1796) WrappedJSDyingJSObjectFinder (/builds/trunk/mozilla/js/src/xpconnect/src/xpcjsruntime.cpp:92) JS_DHashTableEnumerate (/builds/trunk/mozilla/js/src/jsdhash.c:619) JSObject2WrappedJSMap::Enumerate(JSDHashOperator (*)(JSDHashTable*, JSDHashEntryHdr*, unsigned int, void*), void*) (/builds/trunk/mozilla/js/src/xpconnect/src/xpcmaps.h:156) XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) (/builds/trunk/mozilla/js/src/xpconnect/src/xpcjsruntime.cpp:290) DOMGCCallback (/builds/trunk/mozilla/dom/src/base/nsJSEnvironment.cpp:2107) js_GC (/builds/trunk/mozilla/js/src/jsgc.c:1780)
So, after looking back at bug 66950, JSGC_FINALIZE_END didn't exist back then, so the choice to use JSGC_END rather than JSGC_FINALIZE_END may not have been as intentional as it seemed from looking at the current code. It actually almost seems better to me to do the releases in the JSGC_FINALIZE_END callback -- the destruction of the wrapped JS and the call to ClearWeakReferences are probably better off happening sooner than later, and shouldn't be able to cause any cascading destructors, and the removal from the JSObject2WrappedJS map is what would fix this bug. The only issue seems to me to be potential cascading destructors from releasing mOuter (and maybe mClass). Perhaps they could use XPCJSRuntime::DeferredRelease while GC is running (via a boolean we note on the runtime using the GC callback)?
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.8beta2
Attachment #182006 - Flags: review?(dbradley) → review?(jst)
Comment on attachment 182006 [details] [diff] [review] patch r=jst
Attachment #182006 - Flags: review?(jst) → review+
Comment on attachment 182006 [details] [diff] [review] patch sr+a=me, thanks for the in-person explanation -- a trip down cvs-annotate memory lane! /be
Attachment #182006 - Flags: superreview?(brendan)
Attachment #182006 - Flags: superreview+
Attachment #182006 - Flags: approval1.8b3+
Fix checked in to trunk, 2005-06-14 17:21/23 -0700.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: