Closed Bug 402966 Opened 17 years ago Closed 17 years ago

JS_Assert "!rt->gcRunning"

Categories

(Core :: XPConnect, defect, P1)

Product:
Core
Component:
XPConnect
Platform:
x86
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9beta3

People

(Reporter: roc, Assigned: peterv)

References

Details

(Keywords: crash, dogfood)

Attachments

(3 files, 7 obsolete files)

v1.4
29.37 KB, patch
peterv
: review+
peterv
: superreview+
Details | Diff | Splinter Review
fix DEBUG_CC bustage
1.55 KB, patch
Details | Diff | Splinter Review
fix DEBUG_CC bustage on Windows
950 bytes, patch
peterv
: review+
peterv
: superreview+
Details | Diff | Splinter Review 
The stack kinda tells all. We're in cycle collection, we release an image element which cancels an image load, triggering notifications to fire which run along and do all sorts of things, eventually reentering JS-land. Sorry, I don't have steps to reproduce, it just happened in the middle of dogfooding. This is a trunk build containing the big beta1 cycle collector patch (in fact it's almost exactly beta1).

#0  JS_Assert (s=0x11027e4 "!rt->gcRunning", file=0x1101ec4 "/Users/roc/mozilla-checkin/mozilla/js/src/jsgc.c", ln=1352) at /Users/roc/mozilla-checkin/mozilla/js/src/jsutil.c:63
#1  0x0105c5bf in js_NewGCThing (cx=0x4b36fb40, flags=0, nbytes=32) at /Users/roc/mozilla-checkin/mozilla/js/src/jsgc.c:1352
#2  0x0108f81c in js_NewObject (cx=0x4b36fb40, clasp=0x30479064, proto=0x3bfc8060, parent=0x1ff8de0) at /Users/roc/mozilla-checkin/mozilla/js/src/jsobj.c:2546
#3  0x0101a536 in JS_NewObject (cx=0x4b36fb40, clasp=0x30479064, proto=0x3bfc8060, parent=0x1ff8de0) at /Users/roc/mozilla-checkin/mozilla/js/src/jsapi.c:2903
#4  0x12a47959 in XPCWrappedNative::Init (this=0x36cb2730, ccx=@0xbfffc180, parent=0x1ff8de0, isGlobal=0, sci=0xbfffbef4) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:879
#5  0x12a4855d in XPCWrappedNative::GetNewOrUsed (ccx=@0xbfffc180, Object=0x4918f790, Scope=0x29b2c40, Interface=0x30478b60, isGlobal=0, resultWrapper=0xbfffbfb4) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:482
#6  0x12a2011d in XPCConvert::NativeInterface2JSObject (ccx=@0xbfffc180, dest=0xbfffc09c, src=0x4918f790, iid=0xbfffc2b8, scope=0x28a9060, allowNativeWrapper=1, isGlobal=0, pErr=0x0) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcconvert.cpp:1105
#7  0x12a2478d in XPCConvert::NativeData2JS (ccx=@0xbfffc180, d=0xbfffc264, s=0xbfffc474, type=@0xbfffc2e9, iid=0xbfffc2b8, scope=0x28a9060, pErr=0x0) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcconvert.cpp:479
#8  0x12a3f702 in nsXPCWrappedJSClass::CallMethod (this=0x3cd1a370, wrapper=0x3eb87ea0, methodIndex=3, info=0x2142758, nativeParams=0xbfffc474) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1339
#9  0x12a382ef in nsXPCWrappedJS::CallMethod (this=0x3eb87ea0, methodIndex=3, info=0x2142758, params=0xbfffc474) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:567
#10 0x0137bf04 in PrepareAndDispatch (self=0x3eb87890, methodIndex=3, args=0xbfffc594) at /Users/roc/mozilla-checkin/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
#11 0x0137bf62 in nsXPTCStubBase::Stub3 (this=0x3eb87890) at ../../../../../../dist/include/xpcom/xptcstubsdef.inc:5
#12 0x191e1652 in nsEventListenerManager::HandleEventSubType (this=0x3c10bad0, aListenerStruct=0x36e7d840, aListener=0x3eb87890, aDOMEvent=0x4918f790, aCurrentTarget=0x359e44c0, aPhaseFlags=4) at /Users/roc/mozilla-checkin/mozilla/content/events/src/nsEventListenerManager.cpp:1097
#13 0x191e4e9a in nsEventListenerManager::HandleEvent (this=0x3c10bad0, aPresContext=0x491d4560, aEvent=0xbfffc8f8, aDOMEvent=0xbfffc864, aCurrentTarget=0x359e44c0, aFlags=4, aEventStatus=0xbfffc868) at /Users/roc/mozilla-checkin/mozilla/content/events/src/nsEventListenerManager.cpp:1211
#14 0x192070b1 in nsEventTargetChainItem::HandleEvent (this=0x4cef5660, aVisitor=@0xbfffc85c, aFlags=4) at /Users/roc/mozilla-checkin/mozilla/content/events/src/nsEventDispatcher.cpp:206
#15 0x19207195 in nsEventTargetChainItem::HandleEventTargetChain (this=0x4cef5740, aVisitor=@0xbfffc85c, aFlags=6, aCallback=0x0) at /Users/roc/mozilla-checkin/mozilla/content/events/src/nsEventDispatcher.cpp:237
#16 0x19207b34 in nsEventDispatcher::Dispatch (aTarget=0x35b717a0, aPresContext=0x491d4560, aEvent=0xbfffc8f8, aDOMEvent=0x0, aEventStatus=0xbfffc924, aCallback=0x0) at /Users/roc/mozilla-checkin/mozilla/content/events/src/nsEventDispatcher.cpp:479
#17 0x18f4403a in DocumentViewerImpl::LoadComplete (this=0x4d3789b0, aStatus=0) at /Users/roc/mozilla-checkin/mozilla/layout/base/nsDocumentViewer.cpp:959
#18 0x15cfee5f in nsDocShell::EndPageLoad (this=0x460fdc90, aProgress=0x460fdca4, aChannel=0x3bac2ea0, aStatus=0) at /Users/roc/mozilla-checkin/mozilla/docshell/base/nsDocShell.cpp:4970
#19 0x15d06d9a in nsWebShell::EndPageLoad (this=0x460fdc90, aProgress=0x460fdca4, channel=0x3bac2ea0, aStatus=0) at /Users/roc/mozilla-checkin/mozilla/docshell/base/nsWebShell.cpp:1014
#20 0x15cee54b in nsDocShell::OnStateChange (this=0x460fdc90, aProgress=0x460fdca4, aRequest=0x3bac2ea0, aStateFlags=131088, aStatus=0) at /Users/roc/mozilla-checkin/mozilla/docshell/base/nsDocShell.cpp:4870
#21 0x15d16099 in nsDocLoader::FireOnStateChange (this=0x460fdc90, aProgress=0x460fdca4, aRequest=0x3bac2ea0, aStateFlags=131088, aStatus=0) at /Users/roc/mozilla-checkin/mozilla/uriloader/base/nsDocLoader.cpp:1235
#22 0x15d163f0 in nsDocLoader::doStopDocumentLoad (this=0x460fdc90, request=0x3bac2ea0, aStatus=0) at /Users/roc/mozilla-checkin/mozilla/uriloader/base/nsDocLoader.cpp:858
#23 0x15d165e5 in nsDocLoader::DocLoaderIsEmpty (this=0x460fdc90) at /Users/roc/mozilla-checkin/mozilla/uriloader/base/nsDocLoader.cpp:763
#24 0x15d170f4 in nsDocLoader::OnStopRequest (this=0x460fdc90, aRequest=0x35bd3d10, aCtxt=0x0, aStatus=0) at /Users/roc/mozilla-checkin/mozilla/uriloader/base/nsDocLoader.cpp:679
#25 0x1397890f in nsLoadGroup::RemoveRequest (this=0x3fb51580, request=0x35bd3d10, ctxt=0x0, aStatus=0) at /Users/roc/mozilla-checkin/mozilla/netwerk/base/src/nsLoadGroup.cpp:688
#26 0x2ffbe134 in imgRequestProxy::RemoveFromLoadGroup (this=0x35bd3d10, releaseLoadGroup=1) at /Users/roc/mozilla-checkin/mozilla/modules/libpr0n/src/imgRequestProxy.cpp:157
#27 0x2ffbe29f in imgRequestProxy::OnStopRequest (this=0x35bd3d10, request=0x0, ctxt=0x0, statusCode=2152398850, lastPart=1) at /Users/roc/mozilla-checkin/mozilla/modules/libpr0n/src/imgRequestProxy.cpp:497
#28 0x2ffbb808 in imgRequest::RemoveProxy (this=0x4737ed00, proxy=0x35bd3d10, aStatus=2147500037, aNotify=0) at /Users/roc/mozilla-checkin/mozilla/modules/libpr0n/src/imgRequest.cpp:157
#29 0x2ffbd844 in imgRequestProxy::Cancel (this=0x35bd3d10, status=2147500037) at /Users/roc/mozilla-checkin/mozilla/modules/libpr0n/src/imgRequestProxy.cpp:211
#30 0x191a03c1 in nsImageLoadingContent::DestroyImageLoadingContent (this=0x4933f29c) at /Users/roc/mozilla-checkin/mozilla/content/base/src/nsImageLoadingContent.cpp:122
#31 0x1922dc8c in nsHTMLImageElement::~nsHTMLImageElement (this=0x4933f280) at /Users/roc/mozilla-checkin/mozilla/content/html/content/src/nsHTMLImageElement.cpp:185
#32 0x191a8458 in nsNodeUtils::LastRelease (aNode=0x4933f280) at /Users/roc/mozilla-checkin/mozilla/content/base/src/nsNodeUtils.cpp:237
#33 0x1918d47c in nsGenericElement::Release (this=0x4933f280) at /Users/roc/mozilla-checkin/mozilla/content/base/src/nsGenericElement.cpp:3420
#34 0x1922dd21 in nsHTMLImageElement::Release (this=0x4933f280) at /Users/roc/mozilla-checkin/mozilla/content/html/content/src/nsHTMLImageElement.cpp:190
#35 0x0130fb2c in nsXPCOMCycleCollectionParticipant::Unroot (this=0x19815d40, p=0x4933f280) at nsCycleCollectionParticipant.cpp:74
#36 0x0137a4d1 in nsCycleCollector::CollectWhite (this=0xa7000, graph=@0xbfffd4b0) at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:1526
#37 0x0137adc7 in nsCycleCollector::DoCollect (this=0xa7000) at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:2217
#38 0x0137ae60 in nsCycleCollector_doCollect () at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:2651
#39 0x12a0adb8 in XPCCycleCollectGCCallback (cx=0x3047a650, status=JSGC_MARK_END) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:424
#40 0x0105f82e in js_GC (cx=0x3047a650, gckind=GC_NORMAL) at /Users/roc/mozilla-checkin/mozilla/js/src/jsgc.c:2557
#41 0x01018cc7 in JS_GC (cx=0x3047a650) at /Users/roc/mozilla-checkin/mozilla/js/src/jsapi.c:2381
#42 0x12a074da in nsXPConnect::Collect (this=0x2929960) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:510
#43 0x0137af46 in nsCycleCollector::Collect (this=0xa7000, aTryCollections=1) at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:2094
#44 0x0137afe0 in nsCycleCollector_collect () at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:2645
#45 0x19349244 in nsJSContext::CC () at /Users/roc/mozilla-checkin/mozilla/dom/src/base/nsJSEnvironment.cpp:3261
#46 0x19349305 in nsJSContext::MaybeCC (aHigherProbability=0) at /Users/roc/mozilla-checkin/mozilla/dom/src/base/nsJSEnvironment.cpp:3283
#47 0x1934bccd in nsUserActivityObserver::Observe (this=0x30479a10, aSubject=0x0, aTopic=0x195e6328 "user-interaction-active", aData=0x0) at /Users/roc/mozilla-checkin/mozilla/dom/src/base/nsJSEnvironment.cpp:280
#48 0x013211af in nsObserverList::NotifyObservers (this=0x23b773c, aSubject=0x0, aTopic=0x195e6328 "user-interaction-active", someData=0x0) at /Users/roc/mozilla-checkin/mozilla/xpcom/ds/nsObserverList.cpp:128
#49 0x01321859 in nsObserverService::NotifyObservers (this=0x2922f80, aSubject=0x0, aTopic=0x195e6328 "user-interaction-active", someData=0x0) at /Users/roc/mozilla-checkin/mozilla/xpcom/ds/nsObserverService.cpp:181
#50 0x191e78e2 in nsUITimerCallback::Notify (this=0x304a3b70, aTimer=0x304a3140) at /Users/roc/mozilla-checkin/mozilla/content/events/src/nsEventStateManager.cpp:208
#51 0x0136dfa5 in nsTimerImpl::Fire (this=0x304a3140) at /Users/roc/mozilla-checkin/mozilla/xpcom/threads/nsTimerImpl.cpp:403
#52 0x0136e1a9 in nsTimerEvent::Run (this=0x3f983680) at /Users/roc/mozilla-checkin/mozilla/xpcom/threads/nsTimerImpl.cpp:487
#53 0x01369f91 in nsThread::ProcessNextEvent (this=0x2912860, mayWait=0, result=0xbfffdad4) at /Users/roc/mozilla-checkin/mozilla/xpcom/threads/nsThread.cpp:490
#54 0x0130f5a5 in NS_ProcessPendingEvents_P (thread=0x2912860, timeout=20) at nsThreadUtils.cpp:180
#55 0x1671014d in nsBaseAppShell::NativeEventCallback (this=0x293c760) at /Users/roc/mozilla-checkin/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:112
#56 0x166f0da1 in nsAppShell::ProcessGeckoEvents (aInfo=0x293c760) at /Users/roc/mozilla-checkin/mozilla/widget/src/cocoa/nsAppShell.mm:272
#57 0x9082cf92 in CFRunLoopRunSpecific ()
#58 0x9082cace in CFRunLoopRunInMode ()
#59 0x92ded8d8 in RunCurrentEventLoopInMode ()
#60 0x92decf19 in ReceiveNextEventCommon ()
#61 0x92dece39 in BlockUntilNextEventMatchingListInMode ()
#62 0x93293465 in _DPSNextEvent ()
#63 0x93293056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#64 0x9328cddb in -[NSApplication run] ()
#65 0x166f015c in nsAppShell::Run (this=0x293c760) at /Users/roc/mozilla-checkin/mozilla/widget/src/cocoa/nsAppShell.mm:546
#66 0x17ddec41 in nsAppStartup::Run (this=0x29144a0) at /Users/roc/mozilla-checkin/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:170
#67 0x00211312 in XRE_main (argc=3, argv=0xbfffeedc, aAppData=0x290b600) at /Users/roc/mozilla-checkin/mozilla/toolkit/xre/nsAppRunner.cpp:3142
#68 0x00002798 in main (argc=3, argv=0xbfffeedc) at /Users/roc/mozilla-checkin/mozilla/browser/app/nsBrowserApp.cpp:153
Assignee: nobody → pavlov
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Attached patch v1 (obsolete) — Splinter Review 
Any chance for steps to reproduce or a testcase? Delaying the release of objects in released cycles (like this patch does) should fix it, but it'd be nice to verify that it does.
Assignee: pavlov → peterv
Status: NEW → ASSIGNED
Should we also try to stop the event from firing synchronously from the dtor? Objects going away seems like it could happen when it's not safe to run scripts
The problem is that the image node is going away, so we have to tell the image request proxy about that.

Given that we have cycle collector now maybe a better approach is to have strong refs both ways (instead of the weak ref imagelib has now, which we introduced to fix leaks) and just have them all cycle collect each other...  That should work OK even with stuff like jpeg push, since necko has a ref to the imgRequest, not the proxy.

Then again, imgRequestProxy's destructor doesn't remove it from the loadgroup, so we could end up with a dead object in the loadgroup if we did things that way.  Or if _would_ remove itself, and we'd be back in the situation where we are now.  :(

Perhaps the loadgroup should fire onload async, but that's a pretty scary change.
Attached patch v1.1 (obsolete) — Splinter Review 
I think we should do this regardless of whether we do comment 3, we don't know what other destructor code ends up in JS.
The patch splits off the unrooting of white objects from the rest of cycle collection. XPConnect then does that unrooting (through FinishCollection) when getting a callback for JSGC_END (at which point it should be safe to call into JS). This is similar to how XPConnect does deferred releases. I also made us do only one cycle collection per call to nsXPConnect::Collect, even when the JS GC restarts. Restarting doesn't call JSGC_END, so we'd have to accumulate all the white objects from the multiple cycle collections. It seemed to make things a bit too complicated. From testing it doesn't seem to change much to do only one cycle collection (we'll still repeatedly call nsXPConnect::Collect on shutdown). I also made XPCWrappedNative's Root/Unroot calls noops, we don't want to AddRef the XPCWrappedNative between JSGC_MARK_END and JSGC_END, otherwise XPConnect will root the XPCWrappedNative's JS objects and the XPCWrappedNative would be uncollectable.
Attachment #288196 - Attachment is obsolete: true
Attachment #289491 - Flags: superreview?(jst)
Attachment #289491 - Flags: review?(dbaron)
Attached patch v1.2 (obsolete) — Splinter Review 
Need to keep the PtrInfo's alive until FinishCollection is called, so make the graph a member of nsCycleCollector.
Attachment #289491 - Attachment is obsolete: true
Attachment #289818 - Flags: superreview?(jst)
Attachment #289818 - Flags: review?(dbaron)
Attachment #289491 - Flags: superreview?(jst)
Attachment #289491 - Flags: review?(dbaron)
Attached patch v1.3 (obsolete) — Splinter Review 
Need to return something in NS_IMETHOD.
Attachment #289818 - Attachment is obsolete: true
Attachment #290589 - Flags: superreview?(jst)
Attachment #290589 - Flags: review?(dbaron)
Attachment #289818 - Flags: superreview?(jst)
Attachment #289818 - Flags: review?(dbaron)
I applied this patch but I'm still crashing with this assertion. I'll try to get a stack.
Here's a stack:

#0  JS_Assert (s=0x11026d0 "!rt->gcRunning", file=0x1101e0c "/Users/roc/mozilla-checkin/mozilla/js/src/jsgc.c", ln=1336) at /Users/roc/mozilla-checkin/mozilla/js/src/jsutil.c:63
#1  0x0105d639 in js_NewGCThing (cx=0x30b75840, flags=7, nbytes=8) at /Users/roc/mozilla-checkin/mozilla/js/src/jsgc.c:1336
#2  0x01018e36 in JS_NewExternalString (cx=0x30b75840, chars=0x3f797f80, length=35, type=0) at /Users/roc/mozilla-checkin/mozilla/js/src/jsapi.c:2513
#3  0x12a244f7 in XPCConvert::NativeData2JS (ccx=@0xbfffcce0, d=0xbfffcdc4, s=0xbfffcfd4, type=@0xbfffce49, iid=0xbfffce18, scope=0x34abb060, pErr=0x0) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcconvert.cpp:409
#4  0x12a3f68a in nsXPCWrappedJSClass::CallMethod (this=0x34b78510, wrapper=0x34b787f0, methodIndex=6, info=0x20e8838, nativeParams=0xbfffcfd4) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1341
#5  0x12a3828f in nsXPCWrappedJS::CallMethod (this=0x34b787f0, methodIndex=6, info=0x20e8838, params=0xbfffcfd4) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp:567
#6  0x01380c8c in PrepareAndDispatch (self=0x34b78830, methodIndex=6, args=0xbfffd0f4) at /Users/roc/mozilla-checkin/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
#7  0x01380de0 in nsXPTCStubBase::Stub6 (this=0x34b78830) at ../../../../../../dist/include/xpcom/xptcstubsdef.inc:8
#8  0x2b1b0a19 in nsIOService::NewURI (this=0x2926510, aSpec=@0xbfffd22c, aCharset=0x44942be8 "UTF-8", aBaseURI=0x34752f40, result=0xbfffd384) at /Users/roc/mozilla-checkin/mozilla/netwerk/base/src/nsIOService.cpp:500
#9  0x002536b8 in NS_NewURI (result=0xbfffd384, spec=@0xbfffd22c, charset=0x44942be8 "UTF-8", baseURI=0x34752f40, ioService=0x2926510) at ../../../dist/include/xpcom/nsCOMPtr.h:127
#10 0x13e29903 in NS_NewURI (result=0xbfffd384, spec=@0xbfffd2ec, charset=0x44942be8 "UTF-8", baseURI=0x34752f40, ioService=0x2926510) at ../../dist/include/xpcom/nsServiceManagerUtils.h:138
#11 0x13929dd1 in nsContentUtils::NewURIWithDocumentCharset (aResult=0xbfffd384, aSpec=@0xbfffd2ec, aDocument=0x42567800, aBaseURI=0x34752f40) at /Users/roc/mozilla-checkin/mozilla/content/base/src/nsContentUtils.cpp:1829
#12 0x139eccbb in nsGenericHTMLElement::GetHrefURIForAnchors (this=0x35372250, aURI=0xbfffd384) at /Users/roc/mozilla-checkin/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:1315
#13 0x139ecd56 in nsGenericHTMLElement::IsHTMLLink (this=0x35372250, aURI=0xbfffd384) at /Users/roc/mozilla-checkin/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:1292
#14 0x139f591e in nsHTMLAnchorElement::IsLink (this=0x35372250, aURI=0xbfffd384) at /Users/roc/mozilla-checkin/mozilla/content/html/content/src/nsHTMLAnchorElement.cpp:294
#15 0x1395000d in nsDocument::ForgetLink (this=0x42567800, aContent=0x35372250) at /Users/roc/mozilla-checkin/mozilla/content/base/src/nsDocument.cpp:5904
#16 0x139f6667 in nsHTMLAnchorElement::UnbindFromTree (this=0x35372250, aDeep=1, aNullParent=1) at /Users/roc/mozilla-checkin/mozilla/content/html/content/src/nsHTMLAnchorElement.cpp:204
#17 0x1396dc17 in nsGenericElement::cycleCollection::Unlink (this=0x13ffc140, p=0x353721b0) at /Users/roc/mozilla-checkin/mozilla/content/base/src/nsGenericElement.cpp:3361
#18 0x0137f116 in nsCycleCollector::CollectWhite (this=0xa7000) at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:1542
#19 0x0137fb93 in nsCycleCollector::BeginCollection (this=0xa7000) at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:2252
#20 0x0137fbd2 in nsCycleCollector_beginCollection () at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:2694
#21 0x12a0ad3e in XPCCycleCollectGCCallback (cx=0x30b75840, status=JSGC_MARK_END) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:428
#22 0x010607d0 in js_GC (cx=0x30b75840, gckind=GC_NORMAL) at /Users/roc/mozilla-checkin/mozilla/js/src/jsgc.c:2526
#23 0x01018c1f in JS_GC (cx=0x30b75840) at /Users/roc/mozilla-checkin/mozilla/js/src/jsapi.c:2383
#24 0x12a07476 in nsXPConnect::Collect (this=0x292d9f0) at /Users/roc/mozilla-checkin/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:518
#25 0x0137fcb1 in nsCycleCollector::Collect (this=0xa7000, aTryCollections=1) at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:2132
#26 0x0137fd54 in nsCycleCollector_collect () at /Users/roc/mozilla-checkin/mozilla/xpcom/base/nsCycleCollector.cpp:2688
#27 0x13b266c2 in nsJSContext::CC () at /Users/roc/mozilla-checkin/mozilla/dom/src/base/nsJSEnvironment.cpp:3313
#28 0x13b26783 in nsJSContext::MaybeCC (aHigherProbability=0) at /Users/roc/mozilla-checkin/mozilla/dom/src/base/nsJSEnvironment.cpp:3335
#29 0x13b293b1 in nsUserActivityObserver::Observe (this=0x30b75180, aSubject=0x0, aTopic=0x13dc8c1c "user-interaction-active", aData=0x0) at /Users/roc/mozilla-checkin/mozilla/dom/src/base/nsJSEnvironment.cpp:279
#30 0x01325e2f in nsObserverList::NotifyObservers (this=0x226893c, aSubject=0x0, aTopic=0x13dc8c1c "user-interaction-active", someData=0x0) at /Users/roc/mozilla-checkin/mozilla/xpcom/ds/nsObserverList.cpp:128
#31 0x013264d9 in nsObserverService::NotifyObservers (this=0x2921bd0, aSubject=0x0, aTopic=0x13dc8c1c "user-interaction-active", someData=0x0) at /Users/roc/mozilla-checkin/mozilla/xpcom/ds/nsObserverService.cpp:181
#32 0x139c3ec2 in nsUITimerCallback::Notify (this=0x30ba4f20, aTimer=0x30ba1650) at /Users/roc/mozilla-checkin/mozilla/content/events/src/nsEventStateManager.cpp:208
#33 0x01372c4b in nsTimerImpl::Fire (this=0x30ba1650) at /Users/roc/mozilla-checkin/mozilla/xpcom/threads/nsTimerImpl.cpp:403
#34 0x01372e4f in nsTimerEvent::Run (this=0x34918080) at /Users/roc/mozilla-checkin/mozilla/xpcom/threads/nsTimerImpl.cpp:487
#35 0x0136ec37 in nsThread::ProcessNextEvent (this=0x2912840, mayWait=0, result=0xbfffdad4) at /Users/roc/mozilla-checkin/mozilla/xpcom/threads/nsThread.cpp:490
I guess that's really a different bug, by the look of it.
For this one, maybe nsHTMLAnchorElement should cache the link URI for IsLink and nsDocument::ForgetLink should call a version of IsLink that only uses the cached value if there is one? After all there should be no need to forget the link if IsLink has never returned one to any callers.
Or just the PRUint32 hash should be cached, otherwise there'd be major memory bloat.
Given that we're unlinking the element, and the element IsInDoc(), that means that the document is being unlinked too, right?

It might make sense to skip the unbind/remove here and have the document handle teardown of the whole DOM in that case.  Then the document could set a flag indicating that it's in such teardown and nsHTMLAnchorElement could check it before doing the ForgetLink thing.

In fact, that might be a good idea in other cases where calling ForgetLink is pointless (places where the doc clears the hashtable anyway).
I just hit this stack again. The URL is "irc://irc.mozilla.org/%23airmozilla". Which suggests that it's Chatzilla triggering the problem (although the real problem is in our code of course).
Could we move that to a different bug? It sort of is a separate issue, and we can't really defer unlinking like my patch does for release.
(In reply to comment #5)
> I also made XPCWrappedNative's Root/Unroot calls noops,

How do you guarantee that this is safe?  What if it and other things get Unlink calls?  Particularly if it wasn't kept alive through JS anymore?


Also, was the change from PR_TRUE to PR_FALSE in NS_CycleCollectorForget intentional?  If so, why?
For comment 15, the new bug seems to be 407034.
Keywords: crash, dogfood, regression
Removing dogfood keyword, since this bug is older than the regression I'm hitting.  I guess I'm hitting bug 410323.
Keywords: dogfood, regression
I got easy steps to reproduce, at least on SeaMonkey:

 - Open Chatzilla
 - attach to a server
 - join a channel
 - leave the channel

For instance, load:
irc://freenode/#asdkadsj

and press control+w.

It always crash after 3 or 5 seconds.

Trunk CZ on Firefox should do the same.
Version: unspecified → Trunk
I'm still seeing the "gcrunning" assertion now that bug 410323 is fixed.  My stack looks like the one here: nsHTMLImageElement::~nsHTMLImageElement during GC leads to onload trying to fire during GC.

"WINNT 5.2 fxdbug-win32-tb Dep Debug + Leak Test" is still hitting it occasionally too, but I don't know what its stack trace looks like.
Keywords: dogfood
Jesse, I've crashed very few times with the stack and the "GetNewOrUsed" assertion from bug 410323, mainly on pages with intensive JS usage.

I crash much often with this stack here and I crashed with the same steps I used on comment 19 with a build with the fix from bug 410323 applied.

This CZ regression I posted is newer than this bug (I yet couldn't track the exact day), but the stack is almost the same.
OS: Mac OS X → All
Severity: normal → blocker
Upping to P1 since this is a dogfood blocker that is hurting both developers and tinderboxen.
Priority: P3 → P1
(In reply to comment #16)
> > I also made XPCWrappedNative's Root/Unroot calls noops,
> 
> How do you guarantee that this is safe?  What if it and other things get Unlink
> calls?  Particularly if it wasn't kept alive through JS anymore?

XPCWrappedNative's Unlink doesn't do anything, so this should be fine.

> Also, was the change from PR_TRUE to PR_FALSE in NS_CycleCollectorForget
> intentional?  If so, why?

I think it makes more sense to return PR_TRUE, if the cycle collector has been shut down we already forgot about all purple nodes anyway. IIRC the change isn't needed for this bug, so I could undo it if you prefer.
Comment on attachment 290589 [details] [diff] [review]
v1.3

Yeah, I suppose the NS_CycleCollectorForget change does make sense.

nsCycleCollector.cpp has two "Didn't call Empty()?" that should, I
think, refer to Clear() rather than Empty().

Given how rare users of NS_DECL_CYCLE_COLLECTION_CLASS_NO_UNLINK are
likely to be, it's probably not worth putting the empty Root and Unroot
methods in a common base class (inheriting
nsXPCOMCycleCollectionParticipant), but it might be worth leaving a
comment with the idea in case it's used more in the future.

Should ClearGraph also set mRootCount to 0?  Given that it frees the
nodes, I think that's probably a good idea.

Seems like you could eliminate sCurrGraph and use sCollector->mGraph
instead (and replace the null-checks of sCurrGraph with a check of
mRootCount, maybe, or some other non-emptiness check?).

Maybe rename CollectWhite to RootAndUnlinkWhite or just UnlinkWhite?

Maybe assert...
+        if(!gDidCollection)
+        {
+            gInCollection = nsCycleCollector_beginCollection();
...right here...
+            gDidCollection = PR_TRUE;
+        }
...that gDidCollection is still false, to ensure that there wasn't
recursion into the same point?

And maybe assert...
+        if(gInCollection)
+        {
... right here ...
+            gCollected = nsCycleCollector_finishCollection();
+            gInCollection = PR_FALSE;
+        }
that gCollected is false, for the same reason.


CollectWhite starts with an mBuf.Empty().  You need to make sure
BeginCollection does this mBuf.Empty() even if CollectWhite isn't
called (in the case where it returns true), since FinishCollection will
need to know that that buf was cleared.  Probably the best way to do
this is to move the clearing of mBuf into BeginCollection.

r+sr=dbaron with that (unless you really wanted both jst and me to
review)

Sorry for the really long delay here.
Attachment #290589 - Flags: superreview?(jst)
Attachment #290589 - Flags: superreview+
Attachment #290589 - Flags: review?(dbaron)
Attachment #290589 - Flags: review+
One other thing -- what prevents the finishCollection call from recurring into cycle collection?  It seems like that could be a problem since there's only a single |mBuf|.  (It might be better to make it be ok rather than preventing it from happening.)
(In reply to comment #24)
> CollectWhite starts with an mBuf.Empty().  You need to make sure
> BeginCollection does this mBuf.Empty() even if CollectWhite isn't
> called (in the case where it returns true), since FinishCollection will
> need to know that that buf was cleared.  Probably the best way to do
> this is to move the clearing of mBuf into BeginCollection.

I think this is fine as is, if BeginCollection doesn't call CollectWhite then mBuf.GetSize() == 0.

Took care of all the other comments, still need to look at finishCollection recursion.
I'm going to disable recursion through finishCollection, I don't think we should try to collect again while we haven't yet released all the white nodes from the previous collection.
Attached patch v1.4Splinter Review 
With dbaron's comments taken care of.
Attachment #290589 - Attachment is obsolete: true
Attachment #296316 - Flags: superreview+
Attachment #296316 - Flags: review+
Blocks: 411531
No longer blocks: 411531
Blocks: 407034
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M11
This trivial patch fixes DEBUG_CC compilation errors from the previous patch.  I'll check it in shortly.
Attached file Still crashing here (obsolete) — 

    
    

    
  

      
      
      
      

        Attached file
          
        crashing here (obsolete)
        — 
      

    


  
This is the stack that I got for the steps on comment #19.

    
    

    
  

      
      
      
      

        Attached file
          
        and here... (obsolete)
        — 
      

    


  
On self built trunk, with clean tree, updated 23:00h GMT.

    
    

    
  
(In reply to comment #31)
> Created an attachment (id=296657) [details]
> crashing here
> 
> This is the stack that I got for the steps on comment #19.

I got this one while closing a tab outside CZ too.

And sorry for the incomplete stack on the last attachment =/.





    
    

    
  
Nope, all of those stacks show bug 407034.

    
    

    
  
Oh, ok.

        Attachment #296655 -
        Attachment is obsolete: true

        Attachment #296657 -
        Attachment is obsolete: true

        Attachment #296659 -
        Attachment is obsolete: true

    
  

        Attachment #307617 -
        Flags: superreview?(peterv)

        Attachment #307617 -
        Flags: superreview+

        Attachment #307617 -
        Flags: review?(peterv)

        Attachment #307617 -
        Flags: review+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: