Closed Bug 180182 Opened 22 years ago Closed 22 years ago

crash[@ 0x10101010 - js_GetSlotThreadSafe - JS_GetPrivate]

Categories

(Core :: XPConnect, defect)

x86
Windows 2000
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: timeless, Assigned: dbradley)

Details

(Keywords: crash, topcrash)

Attachments

(1 file)

doron pulled this version of the crash from talkback:
0x10101010
js_GetSlotThreadSafe [d:/builds/seamonkey/mozilla/js/src/jslock.c, line 563]
JS_GetPrivate [d:/builds/seamonkey/mozilla/js/src/jsapi.c, line 1928]
js_CloneFunctionObject [d:/builds/seamonkey/mozilla/js/src/jsfun.c, line 1954]
JS_CloneFunctionObject [d:/builds/seamonkey/mozilla/js/src/jsapi.c, line 2771]
DefinePropertyIfFound [d:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 439]
XPC_WN_ModsAllowed_Proto_Resolve [d:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1416]
js_LookupProperty [d:/builds/seamonkey/mozilla/

A user comment on one of the talkbacks: " Trying to get this ***** javascript
debugger to tell me the **** errors of my javascript page, but it told me jack
**** in the way of information, and decided to crash."

References:
bug 90378 cri sspitzer@netscape.com VERI FIXE MailNews Address
nbaca@netscape.com Address Book, "select all" and "delete" leads to crash - M096
[@ 0x10101010 - js_GetSlotThreadSafe]
bug 105332 nor khanson@netscape.com VERI DUPL Browser JavaScri
pschwartau@netscape.com stack trace should have a bug on file [@0x10101010]
bug 127047 cri joki@netscape.com VERI DUPL Browser DOM Even
vladimire@netscape.com M1RC1 Trunk crashes [@ 0x01101010 | 0x10101010 -
js_GetSlotThreadSafe | JS_GetPrivate]

Here's my version:
10101010()
js_GetSlotThreadSafe(JSContext * 0x004f7e70, JSObject * 0x0153cc40, unsigned
long 2) line 553 + 37 bytes
JS_GetPrivate(JSContext * 0x004f7e70, JSObject * 0x0153cc40) line 1926 + 231 bytes
js_CloneFunctionObject(JSContext * 0x004f7e70, JSObject * 0x0153cc40, JSObject *
0x03309090) line 1953 + 13 bytes
JS_CloneFunctionObject(JSContext * 0x004f7e70, JSObject * 0x0153cc40, JSObject *
0x03309090) line 2770 + 17 bytes
DefinePropertyIfFound(XPCCallContext & {...}, JSObject * 0x03309090, long
16927268, XPCNativeSet * 0x02e6dbb0, XPCNativeInterface * 0x005359d0,
XPCNativeMember * 0x00535a0c, XPCWrappedNativeScope * 0x040559c0, int 1,
XPCWrappedNative * 0x04060330, XPCWrappedNative * 0x04060330,
XPCNativeScriptableInfo * 0x00000000, unsigned int 7, int * 0x00000000) line 438
+ 26 bytes
XPC_WN_NoHelper_Resolve(JSContext * 0x004f7e70, JSObject * 0x03309090, long
16927268) line 720 + 50 bytes
_js_LookupProperty(JSContext * 0x004f7e70, JSObject * 0x03309090, long 5463568,
JSObject * * 0x0012d2e0, JSProperty * * 0x0012d2d4, const char * 0x100cf114,
unsigned int 2478) line 2317 + 42 bytes
js_GetProperty(JSContext * 0x004f7e70, JSObject * 0x03309090, long 5463568, long
* 0x0012da1c) line 2478 + 35 bytes
js_Interpret(JSContext * 0x004f7e70, long * 0x0012db9c) line 2634 + 1785 bytes
js_Invoke(JSContext * 0x004f7e70, unsigned int 1, unsigned int 2) line 856 + 13
bytes
js_InternalInvoke(JSContext * 0x004f7e70, JSObject * 0x03309060, long 53514128,
unsigned int 0, unsigned int 1, long * 0x0012dc98, long * 0x0012dcb0) line 931 +
20 bytes
JS_CallFunctionValue(JSContext * 0x004f7e70, JSObject * 0x03309060, long
53514128, unsigned int 1, long * 0x0012dc98, long * 0x0012dcb0) line 3431 + 31 bytes
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject(XPCCallContext & {...},
JSObject * 0x03309060, const nsID & {...}) line 262 + 28 bytes
nsXPCWrappedJSClass::DelegatedQueryInterface(nsXPCWrappedJSClass * const
0x03b1c700, nsXPCWrappedJS * 0x04060390, const nsID & {...}, void * *
0x0012dddc) line 588 + 25 bytes
nsXPCWrappedJS::QueryInterface(nsXPCWrappedJS * const 0x04060390, const nsID &
{...}, void * * 0x0012dddc) line 93
nsQueryInterface::operator()(const nsID & {...}, void * * 0x0012dddc) line 47 +
25 bytes
nsCOMPtr<nsIClassInfo>::assign_from_helper(const nsCOMPtr_helper & {...}, const
nsID & {...}) line 922 + 18 bytes
nsCOMPtr<nsIClassInfo>::nsCOMPtr<nsIClassInfo>(const nsQueryInterface & {...})
line 566
XPCWrappedNative::GetNewOrUsed(XPCCallContext & {...}, nsISupports * 0x04060390,
XPCWrappedNativeScope * 0x005032a0, XPCNativeInterface * 0x004e1060,
XPCWrappedNative * * 0x0012df60) line 274
XPCConvert::NativeInterface2JSObject(XPCCallContext & {...},
nsIXPConnectJSObjectHolder * * 0x0012e0ac, nsISupports * 0x04060390, const nsID
* 0x0012e0d0, JSObject * 0x03308d48, unsigned int * 0x0012e020) line 1059 + 30 bytes
nsXPConnect::WrapNative(nsXPConnect * const 0x004dffc0, JSContext * 0x004f7e70,
JSObject * 0x03308d48, nsISupports * 0x04060390, const nsID & {...},
nsIXPConnectJSObjectHolder * * 0x0012e0ac) line 566 + 29 bytes
nsJSCID::GetService(nsJSCID * const 0x04055e50, nsISupports * * 0x0012e288) line
886 + 57 bytes
XPTC_InvokeByIndex(nsISupports * 0x04055e50, unsigned int 11, unsigned int 1,
nsXPTCVariant * 0x0012e288) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2016 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x004f7e70, JSObject * 0x03308d48, unsigned int 0,
long * 0x01077ef8, long * 0x0012e52c) line 1281 + 14 bytes
js_Invoke(JSContext * 0x004f7e70, unsigned int 0, unsigned int 0) line 839 + 23
bytes
js_Interpret(JSContext * 0x004f7e70, long * 0x0012fe50) line 2803 + 15 bytes
js_Execute(JSContext * 0x004f7e70, JSObject * 0x010240c0, JSScript * 0x0050aa10,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fe50) line 1020 + 13 bytes
JS_ExecuteScript(JSContext * 0x004f7e70, JSObject * 0x010240c0, JSScript *
0x0050aa10, long * 0x0012fe50) line 3277 + 25 bytes
Process(JSContext * 0x004f7e70, JSObject * 0x010240c0, char * 0x00000000, _iobuf
* 0x10256808) line 517 + 22 bytes
ProcessArgs(JSContext * 0x004f7e70, JSObject * 0x010240c0, char * * 0x004a4434,
int 2) line 655 + 33 bytes
main(int 2, char * * 0x004a4434) line 912 + 21 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87903()

 EAX = 0153CC48 EBX = 7FFDF000 ECX = 0153C6A1 EDX = 0153CC40
 ESI = 00000000 EDI = 00000000 EIP = 10101010 ESP = 0012CF44
 EBP = 0012CF68 EFL = 00000202 CS = 001B DS = 0023 ES = 0023
 SS = 0023 FS = 0038 GS = 0000 OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0
 PE=0 CY=0 ST0 = +0.00000000000000000e+0000

here's the code:
js_GetSlotThreadSafe(JSContext * 0x004f7e70, JSObject * 0x0153cc40, unsigned
long 2) line 553 + 37 bytes
552:      if (!OBJ_IS_NATIVE(obj))
1005C826   mov         eax,dword ptr [obj]
1005C829   mov         ecx,dword ptr [eax]
1005C82B   cmp         dword ptr [ecx+4],offset _js_ObjectOps (100ccba8)
1005C832   je          js_GetSlotThreadSafe+6Dh (1005c88d)
1005C834   mov         edx,dword ptr [obj]
1005C837   mov         eax,dword ptr [edx]
1005C839   cmp         dword ptr [eax+4],0
1005C83D   je          js_GetSlotThreadSafe+31h (1005c851)
1005C83F   mov         ecx,dword ptr [obj]
1005C842   mov         edx,dword ptr [ecx]
1005C844   mov         eax,dword ptr [edx+4]
1005C847   mov         ecx,dword ptr [eax]
1005C849   cmp         ecx,dword ptr [_js_ObjectOps (100ccba8)]
1005C84F   je          js_GetSlotThreadSafe+6Dh (1005c88d)
553:          return OBJ_GET_REQUIRED_SLOT(cx, obj, slot);
1005C851   mov         edx,dword ptr [obj]
1005C854   mov         eax,dword ptr [edx]
1005C856   mov         ecx,dword ptr [eax+4]
1005C859   cmp         dword ptr [ecx+58h],0
1005C85D   je          js_GetSlotThreadSafe+5Eh (1005c87e)
1005C85F   mov         edx,dword ptr [slot]
1005C862   push        edx
1005C863   mov         eax,dword ptr [obj]
1005C866   push        eax
1005C867   mov         ecx,dword ptr [cx]
1005C86A   push        ecx
1005C86B   mov         edx,dword ptr [obj]
1005C86E   mov         eax,dword ptr [edx]
1005C870   mov         ecx,dword ptr [eax+4]
1005C873   call        dword ptr [ecx+58h] <-- crash here
1005C876   add         esp,0Ch
1005C879   mov         dword ptr [ebp-14h],eax
1005C87C   jmp         js_GetSlotThreadSafe+65h (1005c885)
1005C87E   mov         dword ptr [ebp-14h],80000001h
1005C885   mov         eax,dword ptr [ebp-14h]
1005C888   jmp         js_GetSlotThreadSafe+267h (1005ca87)
554:
555:      /*
556:       * Native object locking is inlined here to optimize the single-threaded
557:       * and contention-free multi-threaded cases.
558:       */
559:      scope = OBJ_SCOPE(obj);

the way i tickled this (yes, the code is very invalid, but it's good for
tickling problems)

js> const C=Components.classes, I=Components.interfaces;
js> var o; for (a in C) if (!/dom|box/i.test(a)) try {o=C[a].getService(); for
(i in I) o instanceof I[i];} catch (e) {}
###!!! ASSERTION: null ptr: 'aURI != nsnull', file
i:/build/mozilla/rdf/base/src/nsRDFService.cpp, line 1501
Break: at file i:/build/mozilla/rdf/base/src/nsRDFService.cpp, line 1501
************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "Component returned failure code: 0x80004003
(NS_ERROR_INVALID_POINTER) [nsIRDFService.GetDataSource]"  nsresult: "0x80004003
(NS_ERROR_INVALID_POINTER)"  location: "JS frame ::
file:///I:/build/mozilla/dist/bin/components/nsSidebar.js :: nsSidebar :: line
65"  data: no]
************************************************************
nsComm4xMailImport Module Created
WARNING: NS_ENSURE_TRUE(gNameSpaceManager) failed, file
i:/build/mozilla/dom/src/build/nsDOMFactory.cpp, line 184
WARNING: NS_ENSURE_TRUE(gNameSpaceManager) failed, file
i:/build/mozilla/dom/src/build/nsDOMFactory.cpp, line 184

I'm running with a few unregistered patches for crashes in various other modules
(mostly dom inspector)

I'm looking for help figuring out how the EIP became 0x10101010.  I'm going to
leave this stack alive in my debugger for a while so if people want more
information from any frame please contact me.
Looks like the function object of the member on the XPCNativeInterface was
collected. I'll have to look at the marking code to see if there are any holes.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, topcrash
Running this code in xpcshell, I'm crashing out at:

nsGenericFactory::GetHelperForLanguage(nsGenericFactory * const 0x03036904,
unsigned int 0x00000002, nsISupports * * 0x0012ddc4) line 110 + 6 bytes
XPCWrappedNative::GatherProtoScriptableCreateInfo(nsIClassInfo * 0x03036904,
XPCNativeScriptableCreateInfo * 0x0012df40) line 565 + 38 bytes
XPCWrappedNative::GatherScriptableCreateInfo(nsISupports * 0x03036900,
nsIClassInfo * 0x03036904, XPCNativeScriptableCreateInfo * 0x0012df40,
XPCNativeScriptableCreateInfo * 0x0012df34) line 597 + 13 bytes
XPCWrappedNative::GetNewOrUsed(XPCCallContext & {...}, nsISupports * 0x03036900,
XPCWrappedNativeScope * 0x010056e0, XPCNativeInterface * 0x00fe1928,
XPCWrappedNative * * 0x0012df78) line 281 + 61 bytes
XPCConvert::NativeInterface2JSObject(XPCCallContext & {...},
nsIXPConnectJSObjectHolder * * 0x0012e0c8, nsISupports * 0x03036900, const nsID
* 0x0012e0ec, JSObject * 0x030a2640, unsigned int * 0x0012e03c) line 1059 + 30 bytes
nsXPConnect::WrapNative(nsXPConnect * const 0x00fdc5e8, JSContext * 0x00ff27e0,
JSObject * 0x030a2640, nsISupports * 0x03036900, const nsID & {...},
nsIXPConnectJSObjectHolder * * 0x0012e0c8) line 566 + 29 bytes
nsJSCID::GetService(nsJSCID * const 0x0301f778, nsISupports * * 0x0012e278) line
886 + 57 bytes
XPTC_InvokeByIndex(nsISupports * 0x0301f778, unsigned int 0x0000000b, unsigned
int 0x00000001, nsXPTCVariant * 0x0012e278) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2012 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x00ff27e0, JSObject * 0x030a2640, unsigned int
0x00000000, long * 0x01011048, long * 0x0012e528) line 1281 + 14 bytes
js_Invoke(JSContext * 0x00ff27e0, unsigned int 0x00000000, unsigned int
0x00000000) line 839 + 23 bytes
js_Interpret(JSContext * 0x00ff27e0, long * 0x0012fe50) line 2803 + 15 bytes
js_Execute(JSContext * 0x00ff27e0, JSObject * 0x00f7e8c0, JSScript * 0x01008b58,
JSStackFrame * 0x00000000, unsigned int 0x00000000, long * 0x0012fe50) line 1020
+ 13 bytes
JS_ExecuteScript(JSContext * 0x00ff27e0, JSObject * 0x00f7e8c0, JSScript *
0x01008b58, long * 0x0012fe50) line 3277 + 25 bytes
Process(JSContext * 0x00ff27e0, JSObject * 0x00f7e8c0, char * 0x00000000, _iobuf
* 0x10261828 __iob) line 517 + 22 bytes
ProcessArgs(JSContext * 0x00ff27e0, JSObject * 0x00f7e8c0, char * * 0x004e6e7c,
int 0x00000000) line 655 + 33 bytes
main(int 0x00000000, char * * 0x004e6e7c) line 912 + 21 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e9ca90()

when doing mInfo->mGetLanguageHelperProc in
nsGenericFactory::GetHelperForLanguage because mInfo is null.
nsGenericFactory is another bug with a patch assigned to me. I haven't had a
working tree for months, so I couldn't get it tested and committed. I'll work on
that before I disappear for Thanksgiving.  Oh hrm, I wonder if my tree has that
code. Nope, it's not in my tree, it's sitting in "nsGenericFactory.cpp.0".
Attached patch: possible fix
dbradley: This is the automarking scheme I mentioned to you (I hope you didn't
already implement something like this yourself). You can use it as is if it
turns out to help or change it as you will. Note that I added support for
handing it a pointer to a jsval, but didn't actually use that support. I
figured that there would be times when you have a jsval whose actual value will
change during the life of this auto pointer - so a pointer to it is
appropriate. At some point you could extend it to work with JSObject**,
JSString**, and JSDouble**. As it is now it can be used with jsval* and jsval
(and thus JSObject* etc).

FWIW, this will also help in proving if gc is really the culprit here. All you
have to do is set a breakpoint in XPCMarkableJSVal::MarkBeforeJSFinalize and
you'll catch the case where gc runs while this object is in scope. Hope this
helps.
No hadn't started on it yet. I'll give it a try, thanks a lot, I'm sure it will
save me a good bit of time, which is much appreciated right now.
Blocks: 181518
Blocks: 181519
No longer blocks: 181518
Comment on attachment 107101 [details] [diff] [review]
possible fix

I think that GC is occurring in JS_CloneFunctionObject and causing the jsval passed in
to be collected. This just might be the source of some of the other sporadic
GC bugs we've seen. In a less stressful case, if the memory wasn't reused, we would
probably crash further down. But there may be other similar cases elsewhere. I
think it's important to get this in ASAP so that we can see what effect it has
on other sporadic GC related crashes.

A couple of minor nits, I don't think we really need the private construct. The
presence of other constructors will prevent default construction. And there
probably isn't a need for the empty destructor.

Below is an example stack.

XPCMarkableJSVal::MarkBeforeJSFinalize(JSContext * 0x00bf4028) line 3121
AutoMarkingJSVal::MarkBeforeJSFinalize(JSContext * 0x00bf4028) line 3206 + 31
bytes
XPCPerThreadData::MarkAutoRootsBeforeJSFinalize(JSContext * 0x00bf4028) line
445
XPCJSRuntime::GCCallback(JSContext * 0x00bf4028, JSGCStatus JSGC_MARK_END) line
262
js_GC(JSContext * 0x00bf4028, unsigned int 0x00000005) line 1281 + 12 bytes
js_AllocGCThing(JSContext * 0x00bf4028, unsigned int 0x00000000) line 523 + 11
bytes
js_NewObject(JSContext * 0x00bf4028, JSClass * 0x100c0bd8 _js_FunctionClass,
JSObject * 0x014192b0, JSObject * 0x03838338) line 1645 + 11 bytes
js_CloneFunctionObject(JSContext * 0x00bf4028, JSObject * 0x014192b0, JSObject
* 0x03838338) line 1950 + 22 bytes
JS_CloneFunctionObject(JSContext * 0x00bf4028, JSObject * 0x014192b0, JSObject
* 0x03838338) line 2770 + 17 bytes
DefinePropertyIfFound(XPCCallContext & {...}, JSObject * 0x03838338, long
0x00bcfe3c, XPCNativeSet * 0x0142f1d8, XPCNativeInterface * 0x00c3cb78,
XPCNativeMember * 0x00c3cbb4, XPCWrappedNativeScope * 0x036f4d60, int
0x00000001, XPCWrappedNative * 0x03842c90, XPCWrappedNative * 0x03842c90,
XPCNativeScriptableInfo * 0x00000000, unsigned int 0x00000007, int *
0x00000000) line 445 + 29
Attachment #107101 - Flags: superreview?(jst)
Attachment #107101 - Flags: review+
Good to have confirmation that this was the real problem. Feel free to take out
those lines if you like - neither of them actually causes any code to be
generated. It is probably worth digging around in xpconnect for other cases
where a gcthing is created and not protected before making other potentially gc
invoking calls into JS. For those who have not looked closer: this automarking
code is very cheap - just a little linked list manipulation as the stack based
object goes in and out of scope - no locking, allocation, or jsapi calls
involved (except if gc actually runs).
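To illustrate the rooting hole discussed in the comments above (a gcthing handed to JS_CloneFunctionObject is not protected, so the GC triggered by the clone's own allocation collects it) and the cheap stack-based automarking list that fixes it, here is an added example. It is a toy reimplementation of mine, not XPConnect's AutoMarkingJSVal or SpiderMonkey code; the heap, `Thing`, `js_GC`, `js_NewObject`, `CloneUnrooted` and `CloneAutoRooted` are all constructed for the demonstration.

```cpp
#include <cstddef>
#include <vector>

// Constructed toy GC heap: a jsval is an index into `things`; the alive/marked
// flags stand in for the real engine's GC-thing bookkeeping.
struct Thing { bool alive; bool marked; };
static std::vector<Thing> things;

// Stack-based auto root, modelled on the automarking idea in the patch
// discussion (hypothetical reimplementation, not XPConnect's class).
// Construction links the object into a singly linked list; destruction
// unlinks it. Roots must be destroyed in LIFO order, as stack objects are.
class AutoMarkingJSVal {
public:
    explicit AutoMarkingJSVal(std::size_t val) : mVal(val), mNext(sHead) { sHead = this; }
    ~AutoMarkingJSVal() { sHead = mNext; }
    // Analogue of MarkAutoRootsBeforeJSFinalize: walk the list and mark each value.
    static void MarkAllBeforeFinalize() {
        for (AutoMarkingJSVal* p = sHead; p; p = p->mNext) things[p->mVal].marked = true;
    }
private:
    std::size_t mVal;
    AutoMarkingJSVal* mNext;
    static AutoMarkingJSVal* sHead;
};
AutoMarkingJSVal* AutoMarkingJSVal::sHead = nullptr;

// Mark-and-sweep: in this toy the auto-root list is the only set of roots.
static void js_GC() {
    for (Thing& t : things) t.marked = false;
    AutoMarkingJSVal::MarkAllBeforeFinalize();   // GC callback at JSGC_MARK_END
    for (Thing& t : things) if (!t.marked) t.alive = false;
}

// Allocation may run a GC first, as js_AllocGCThing -> js_GC does in the stack above.
static std::size_t js_NewObject() {
    js_GC();
    things.push_back(Thing{true, false});
    return things.size() - 1;
}

// Unrooted pattern: create a function object, allocate its clone, then touch the
// original. Returns whether the original is still alive (false == use-after-free).
bool CloneUnrooted() {
    things.clear();
    std::size_t fun = js_NewObject();
    (void)js_NewObject();                 // GC runs here; `fun` is not a root
    return things[fun].alive;
}

// Same sequence with the stack-based root in scope across the allocation.
bool CloneAutoRooted() {
    things.clear();
    std::size_t fun = js_NewObject();
    AutoMarkingJSVal root(fun);           // linked into the root list
    (void)js_NewObject();                 // GC marks `fun` via the root list
    return things[fun].alive;
}
```

A breakpoint in `MarkAllBeforeFinalize` here plays the same diagnostic role as the one jband suggests in XPCMarkableJSVal::MarkBeforeJSFinalize: it fires exactly when a GC runs while a rooted value is in scope.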
Comment on attachment 107101 [details] [diff] [review]
possible fix

sr=jst
Attachment #107101 - Flags: superreview?(jst) → superreview+
patch checked in to trunk.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Checkin verified on trunk -
Status: RESOLVED → VERIFIED
*** Bug 130183 has been marked as a duplicate of this bug. ***
Crash Signature: [@ 0x10101010 - js_GetSlotThreadSafe - JS_GetPrivate]