Closed Bug 54121 Opened 25 years ago Closed 25 years ago

[crash] root_points_to_gcArenaPool assertion with root name "nsGenericElement::mScriptObject"

Categories

(Core :: DOM: Core & HTML, defect, P3)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows 2000
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: sean, Assigned: jst)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [rtm++])

Attachments

(9 files)

proposed fix - patch to free script object's named reference
1.03 KB, patch
Details | Diff | Splinter Review
stack trace of gc_root_marker assert
7.62 KB, text/plain
Details
another (different) stack trace of the gc_root_marker assert for mScriptObject
3.26 KB, text/plain
Details
yet another stack trace for the same mScriptObject assert - using same rough testcase
3.38 KB, text/plain
Details
Proposed fix, unroot the jsobject after calling SetScriptObject(null)
4.78 KB, patch
Details | Diff | Splinter Review
MacsBug stdlog per kurtw's description
18.95 KB, text/plain
Details
Updated patch, only unroot script object if it was rooted.
895 bytes, patch
Details | Diff | Splinter Review
trace of assert using latest patch (with mDomSlots mod)
4.72 KB, text/plain
Details
updated patch
1009 bytes, patch
Details | Diff | Splinter Review
JS API usage error: the address passed to JS_AddNamedRoot currently holds an invalid jsval. This is usually caused by a missing call to JS_RemoveRoot. The root's name is "nsGenericElement::mScriptObject". Assertion failure: root_points_to_gcArenaPool, at h:\moz\mozilla\js\src\jsgc.c:8 45 Similar to bug 50705 except that this is a different root name and this occurs after simply navigating around http://www.beatnik.com. No eMixes involved. No popup windows involved. To reproduce, install the Beatnik plugin in 4x and then copy npBeatnk.dll from the 4x plugins directory to the mozilla plugins directory and navigate around beatnik.com for about 2 minutes (even though the 4x plugin won't work in mozilla, its presence enables certain functionality in the site that is necessary to repro the assert).
Johnny: nsGenericElement::SetScriptObject() at http://lxr.mozilla.org/seamonkey/source/layout/base/src/nsGenericElement.cpp#170 8 overwrites slots->mScriptObject. Should any named references associated with the old script object be cleared before overwriting it?
Keywords: beatnik, nsbeta3, rtm
adding crash keywords
Keywords: nsbeta34xp, crash
Summary: root_points_to_gcArenaPool assertion with root name "nsGenericElement::mScriptObject" → [crash] root_points_to_gcArenaPool assertion with root name "nsGenericElement::mScriptObject"
Sean, can you take a stab at this? Johnny is pretty overloaded.
This bug also caused a crash for me at http://www.live365.com updating keywords
Keywords: patch, review
Marking rtm need info. Johnny, how risky do you think this patch is? If you think it is low risk, please get it reviewed and super-reviewed and I'll mark it rtm+ to get it on the PDT radar.
Whiteboard: [rtm need info]
Sean: does that patch cure anything? You shouldn't have to remove a GC root when setting mScriptObject. You just need to keep the one that was added, if there is one. Or am I misunderstanding, and the remove is needed to get rid of the root in all cases? Is bug 54431 a dup of this one? /be
Brendan: On the day I submitted the patch I did a pull from the trunk and was still able to repro the assert. Could no longer repro after I applied the patch. I'll remove the patch tomorrow and attach a stack trace of the assertion. As far as the reasoning behind the patch - it was a shot in the dark made only on the assumption that there probably was a missing call to JS_RemoveRoot (per the text of the assertion). Saw that "nsGenericElement::mScriptObject" was set using AddNamedReference so I looked for RemoveReference rather than JS_RemoveRoot and looked for places where mDOMSlots->mScriptObject gets cleared without calling RemoveReference. Found that SetScriptObject often overwrites mScriptObject and the attached patch fixed it for me. Will post followup Fri.
Wow, so if this patch "fixes" the bug, then what must be happening is we're getting a call to nsGenericElement::SetScriptObject() with aScriptObject == null, but then we've never unrooted it? I thought that SetScriptObject() was only called from the finalizer...
http://lxr.mozilla.org/mozilla/search/search?string=SetScriptObject%28nsnull%29 discloses http://lxr.mozilla.org/mozilla/source/layout/html/content/src/nsHTMLEmbedElement.cpp#351 Argh! Should be easy to fix, and I do believe this is a topcrash, but can't prove it without details about whether a plugin was involved. /be
A plugin is definitely involved. The initial description details how to repro using the Beatnik 4x Netscape plugin. I also experienced the same assert at http://www.live365.com - they use Real Audio.
jst, that code has r1.27 and your fingerprints on it. I don't think that you can safely call SetScriptObject(nsnull) except from the JS finalizer. What exactly were you trying to do there?
jst's comments say he wants to give back the old script object, but then make sure a new one is created on the next request, because GetPluginInstance's failure means there is no frame for this element yet. Or something like that. Are we using the nullity of mScriptObject to decide not to remove the root? If so then we should do a RemoveReference when clearing mScriptObject outside of a finalizer. But: where, and how many nsIScriptObjectOwner impls need to do this? /be
I produced the asserts by first going to a couple of pages at Beatnik.com and then going to live365.com. If you've been to live365.com you'll need to remove your cookies that it sets in order to get their splash page. I previously wrote that they use Real Audio - while true, the plugin being used when the assert is generated is actually Flash. The Flash splash will not appear on subsequent visits unless you remove their cookies.
Per bug 50705, http://www.fortunecity.com should also be a good testcase for this one.
*** Bug 54431 has been marked as a duplicate of this bug. ***
Let's get a good patch, fast -- the rtm keyword still applies, but I'm removing patch and review. /be
Keywords: patch, review
I'm seeing a crash with the same root name at http://www.fortunecity.com . Go there, click on the "Music Scene" link (in the "Explore" section, toward the middle of the page). Click the "back" toolbar button. Click "forward." Repeat as necessary; it is a GC problem after all. I've never had to repeat more than once. And I've tried a couple of Music Scene's sibling links with the same results.
URL: http://www.beatnik.comhttp://www.beatnik.com, http://www.fo...
tested patch and am not able to repro the assertions anymore
Thanks Sean! Oh, I forgot to say what the patch does. The patch makes us unroot the script object slot (rooted in nsGenericElement::GetSciptObject()) if we end up setting the script object to null (which is done if the plugin frame is not yet available so that the next call to GetScriptObject() will create a new script object that hopefully wraps the plugin object), if we don't do this we'll end up rooting the same script object slot more than once, and that's causing the problem, me thinks. Brendan, Waterson, does this make sense?
Status: NEW → ASSIGNED
jst: not quite -- it's ok to call JS_AddRoot more than once on a given address of a root without an intervening JS_RemoveRoot (these are AddNamedReference and RemoveReference, in nsJSContext parlance). The problem here is that by setting mScriptObject to nsnull you tell the subsequent SetDocument code that it doesn't need to RemoveReference. So the nsGenericElement is deleted, and its memory (including the rooted pointer to a script object) recycled. Then the GC runs and tries to trace the root. I need to study your patch after I've caught up on sleep. Hope this helps in the mean time. /be
http://www.fortunecity.com/ did *not* cause crash under Mac OS 9.0.4 running Moz trunk build 2000101215. What it *did* do was take an inordinate amount of time to load nothing. Went to "Music Scene" link like danm suggested. Clicked back and forth. Moz status bar spun and spun, but Moz itself did not crash. The statusbar then reported "Document: Done" after about two minutes, and displayed a blank page. Attempted to repeat. No crash, so busted into MacsBug to get the stdlog that follows.
Brendan, ok, I get it, thanks. So, to my knowledge there's no way to know in SetDocument() if the script object had been rooted or not (if mScriptObject is null) so I think the best thing to do is to do what my patch does, then we know that the script object will be unrooted even in the case where we do SetScriptObject(null), the nsHTMLEmbedElement code is the only place where that's done (at least I couldn't find any other place). My patch isn't complete tho, the code needs to check if mInner.mDocument is non zero before the script object is unrooted, if there's no document it won't be rooted in GetScriptObject() so there's no need to unroot it. I'll attach a new patch.
Whoa -- jst, your next-to-last patch (http://bugzilla.mozilla.org/showattachment.cgi?attach_id=17084, Proposed fix, unroot the jsobject ...) is against 1.26. But your last patch (Updated patch, only unroot...) is against 1.31. No wonder I was confused and sleepy! The latest patch looks good to me. Waterson? /be
Whoa, I attached the wrong patch the first time, ironically the patch I attached was the patch that contained the code that caused this problem in the first place (I should start removing old diff files from my system!). I'm sorry about that. Sean, did you try to attach the second-to-last patch? Did you revert the changes that patch contained and the assertions went away? Could you please retest with the last patch?
Yikes - I applied jst's first patch as a reverse patch. Which meant that, yes, the assert stopped happening but also that plugins probably can't be scripted (was trying to do too many things at once...). Will fix it, apply the new patch and test on Monday.
Applied the patch and got a crash dereferencing mInner.mDOMSlots. Changed this: + if (mInner.mDocument) { to this: + if (mInner.mDocument && mInner.mDOMSlots) { But I still got the mScriptObject root assert. Will try again and get stack trace.
The crash dereferencing mDomSlots is related to why the patch doesn't work. The SetScriptObject call should happen after the RemoveReference call.
Attached patch updated patchSplinter Review
sean's last patch looks right to me
Looks good to me too, I should've realized that we need to unroot before we call SetScriptObject(null).
r=brendan@mozilla.org, and I think waterson just gave an a=. If this patch is not ok, remove the [rtm+] I am adding here. I still believe this bug may be a topcrash. /be
Whiteboard: [rtm need info] → [rtm+]
PDT says rtm++, okay to land on branch.
Whiteboard: [rtm+] → [rtm++]
Fix checked in on both branch and trunk. Thanks to all of you for the help here!
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Verified with 2000-10-16-09.
Status: RESOLVED → VERIFIED
Keywords: beatnik, rtmnsrtm
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: