Closed Bug 314989 Opened 19 years ago Closed 19 years ago

Crash: obj->slots [@ js_FinalizeObject] finalizing object that is being constructed

Categories

(Core :: XPConnect, defect)

1.8 Branch
x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED DUPLICATE of bug 307317

People

(Reporter: colin, Unassigned)

Details

00 js3250!js_FinalizeObject(struct JSContext * cx = 0x00add9d1, struct JSObject * obj = 0x01984dd0)+0x3a
01 js3250!js_GC(struct JSContext * cx = 0x01984dd0, unsigned int gcflags = 5)+0x62f
02 js3250!js_NewGCThing(struct JSContext * cx = 0x01984dd0, unsigned int flags = 4, unsigned int nbytes = 0x18)+0xf0
03 js3250!AllocSlots(struct JSContext * cx = 0x01984dd0, long * slots = 0x00a2dfc8, unsigned long nslots = 5)+0x42
04 js3250!js_NewObject(struct JSContext * cx = 0x01984dd0, struct JSClass * clasp = 0x00b20720, struct JSObject * proto = 0x04b827d8, struct JSObject * parent = 0x320465d8)+0x165
05 js3250!js_CloneFunctionObject(struct JSContext * cx = 0x00aa727f, struct JSObject * funobj = 0x0012f50c, struct JSObject * parent = 0x04b827d8)+0x19
06 js3250!JS_CloneFunctionObject(struct JSContext * cx = 0x00aa727f, struct JSObject * funobj = 0x0012f50c, struct JSObject * parent = 0x04b827d8)+0x57
07 xpc3250!xpc_CloneJSFunction(class XPCCallContext * ccx = 0x0012f50c, struct JSObject * funobj = 0x04b827d8, struct JSObject * parent = 0x320465d8)+0x19
08 xpc3250!DefinePropertyIfFound(class XPCCallContext * ccx = 0x0012f50c, struct JSObject * obj = 0x320465d8, long idval = 10674120, class XPCNativeSet * set = 0x00a016f4, class XPCNativeInterface * iface = 0x16aa6320, class XPCNativeMember * member = 0x16aa638c, class XPCWrappedNativeScope * scope = 0x0012f580, int reflectToStringAndToSource = 1, class XPCWrappedNative * wrapperToReflectInterfaceNames = 0x0c7c0b98, class XPCWrappedNative * wrapperToReflectDoubleWrap = 0x0c7c0b98, class XPCNativeScriptableInfo * scriptableInfo = 0x00000000, unsigned int propFlags = 6, int * resolved = 0x00000000)+0x41f
09 xpc3250!XPC_WN_NoHelper_Resolve(struct JSContext * cx = 0x01984dd0, struct JSObject * obj = 0x320465d8, long idval = 10089876)+0x7b
0a js3250!js_LookupPropertyWithFlags(struct JSContext * cx = 0x00000000, struct JSObject * obj = 0x320465d8, long id = 10100048, unsigned int flags = 0, struct JSObject ** objp = 0x0012f61c, struct JSProperty ** propp = 0x0012f618)+0x325
0b js3250!js_LookupProperty(struct JSContext * cx = 0x01984dd0, struct JSObject * obj = 0x320465d8, long id = 10100048, struct JSObject ** objp = 0x0012f61c, struct JSProperty ** propp = 0x0012f618)+0x19
0c js3250!js_GetProperty(struct JSContext * cx = 0x01984dd0, struct JSObject * obj = 0x320465d8, long id = 10100048, long * vp = 0x0012f790)+0x71
0d js3250!js_Interpret(struct JSContext * cx = 0x01984dd0, unsigned char * pc = 0x02750b3b "???", long * result = 0x0012f83c)+0x7c22
0e js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 1, unsigned int flags = 0)+0x57a
0f js3250!js_Interpret(struct JSContext * cx = 0x01984dd0, unsigned char * pc = 0x048fd876 ":", long * result = 0x0012fa54)+0x4ff9
10 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 0, unsigned int flags = 0)+0x57a
11 js3250!js_Interpret(struct JSContext * cx = 0x01984dd0, unsigned char * pc = 0x049462b4 ":", long * result = 0x0012fc6c)+0x4ff9
12 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 1, unsigned int flags = 2)+0x57a
13 js3250!js_InternalInvoke(struct JSContext * cx = 0x01984df8, struct JSObject * obj = 0x0190bd28, long fval = 323511872, unsigned int flags = 0, unsigned int argc = 1, long * argv = 0x30ca6070, long * rval = 0x0012fdcc)+0x86
14 js3250!JS_CallFunctionValue(struct JSContext * cx = 0x01984dd0, struct JSObject * obj = 0x0190bd28, long fval = 323511872, unsigned int argc = 1, long * argv = 0x30ca6070, long * rval = 0x0012fdcc)+0x1e
15 gklayout!nsJSContext::CallEventHandler(struct JSObject * aTarget = 0x0190bd28, struct JSObject * aHandler = 0x13486640, unsigned int argc = 1, long * argv = 0x30ca6070, long * rval = 0x00000000)+0xa6
16 gklayout!nsGlobalWindow::RunTimeout(struct nsTimeout * aTimeout = 0x00000000)+0x1b3
17 gklayout!nsGlobalWindow::TimerCallback(class nsITimer * aTimer = 0x0161d667, void * aClosure = 0x019b9980)+0x10
18 xpcom_core!nsTimerImpl::Fire(void)+0x69
19 xpcom_core!nsTimerManager::FireNextIdleTimer(void)+0x77
1a gkwidget!nsAppShell::Run(void)+0xb2
1b appcomps!nsAppStartup::Run(void)+0xd
1c seamonkey!main1(int argc = 3, char ** argv = 0x002a3e50, class nsISupports * nativeApp = 0x00a2dfc8)+0x355
1d seamonkey!main(int argc = 3, char ** argv = 0x002a3e50)+0xc5

Frame 4 in js_NewObject is where the fun starts. We allocate a new JSObject

obj = (JSObject *) js_NewGCThing(cx, GCX_OBJECT, sizeof(JSObject));

and then a few lines further down try to allocate some slots for it:

newslots = AllocSlots(cx, NULL, nslots);

The problem is that AllocSlots calls js_GC, and in js_FinalizeObject we die
because the object being constructed has no slots yet when we hit:

LOCKED_OBJ_GET_CLASS(obj)->finalize(cx, obj);

This is the same scenario as described at the start of bug 278725.
Here's how we get into JS_ClearNewbornRoots, which wipes out the pointer to the obj being created (so the GC sees it as unreachable and finalizes it):

0d ntdll!DbgBreakPoint
0e js3250!JS_ClearNewbornRoots(struct JSContext * cx = 0x00ade7c8)+0x1a
0f xpc3250!XPCCallContext::~XPCCallContext(void)+0x8a
10 xpc3250!XPC_WN_JSOp_Enumerate(struct JSContext * cx = 0x018c15c8, struct JSObject * obj = 0x0aff66f8, JSIterateOp enum_op = JSENUMERATE_DESTROY (2), long * statep = 0x0012f40c, long * idp = 0x00000000)+0x15b
11 js3250!prop_iterator_finalize(struct JSContext * cx = 0x018c15c8, struct JSObject * obj = 0x00000000)+0x38
12 js3250!js_FinalizeObject(struct JSContext * cx = 0x00a01cc8, struct JSObject * obj = 0x00000002)+0x45
13 js3250!js_GC(struct JSContext * cx = 0x00a01cc8, unsigned int gcflags = 2)+0xa2d
14 js3250!js_NewGCThing(struct JSContext * cx = <Memory access error>, unsigned int flags = <Memory access error>, unsigned int nbytes = <Memory access error>)+0x3e3
15 js3250!AllocSlots(struct JSContext * cx = 0x0012f9e4, long * slots = 0x90909000, unsigned long nslots = 0xff8b9090, int check = -2081649835)+0xb6
16 js3250!js_NewObject(struct JSContext * cx = 0x00000000, struct JSClass * clasp = 0x003c000a, struct JSObject * proto = 0x00620074, struct JSObject * parent = 0x0064006f)+0x2a2
17 js3250!js_StringToObject(struct JSContext * cx = 0x00aed0ac, struct JSString * str = 0x018c15c8)+0x15
18 js3250!js_ValueToObject(struct JSContext * cx = 0x018c15c8, long v = 382983644, struct JSObject ** objp = 0x0012f53c)+0x60
19 js3250!js_ValueToNonNullObject(struct JSContext * cx = 0x018c15c8, long v = 382983644)+0x13
1a js3250!js_Interpret(struct JSContext * cx = 0x018c15c8, unsigned char * pc = 0x02764a8d "5", long * result = 0x0012f750)+0x4342
1b js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 2, unsigned int flags = 0)+0x57a
1c js3250!js_Interpret(struct JSContext * cx = 0x018c15c8, unsigned char * pc = 0x0492590f ":", long * result = 0x0012f968)+0x4ff9
1d js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 4, unsigned int flags = 2)+0x57a
I bet that this doesn't crash on the trunk. Brendan has a WAY_TOO_MUCH_GC patch over in bug 307317 that probably should fix this (specifically the one to not make xpconnect clear newborn roots after each XPCCallContext dies, only after one dies and we've popped the last fp). I'm afraid that because of the other problems with the patches in that bug, that fix missed the branch (and it might be hard to sell to drivers at this late point in the game).
I think you're right, and the newborn patch over in 307317 will fix the problem I'm seeing. That saves me from having to worry about how to fix it. Thanks!


*** This bug has been marked as a duplicate of 307317 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Component: JavaScript Engine → XPConnect
Resolution: --- → DUPLICATE