Closed Bug 810560 Opened 12 years ago Closed 12 years ago

Intermittent Assertion failure: !thing->compartment()->scheduledForDestruction in test_bug518122.html [@ js::gc::MarkInternal]

Categories: Core :: JavaScript Engine, defect
Platform: x86_64, macOS
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla19
Tracking Status: firefox18 --- unaffected
People: Reporter: philor, Assigned: billm
Keywords: assertion, intermittent-failure
Attachments: 1 file

https://tbpl.mozilla.org/php/getParsedLog.php?id=16918272&tree=Mozilla-Inbound
Rev4 MacOSX Snow Leopard 10.6 mozilla-inbound debug test mochitest-1 on 2012-11-09 20:56:56 PST for push 98e22583895a
slave: talos-r4-snow-082

10916 INFO TEST-START | /tests/content/html/content/test/test_bug518122.html
++DOMWINDOW == 96 (0x14e026300) [serial = 2133] [outer = 0x12918d680]
Assertion failure: !thing->compartment()->scheduledForDestruction, at ../../../js/src/gc/Marking.cpp:92
[Child 357] WARNING: shutting down early because of crash!: file ../../../dom/ipc/ContentChild.cpp, line 813
[Child 357] WARNING: content process _exit()ing: file ../../../dom/ipc/ContentChild.cpp, line 858
TEST-UNEXPECTED-FAIL | /tests/content/html/content/test/test_bug518122.html | Exited with code 1 during test run
INFO | automation.py | Application ran for: 0:20:06.484813
INFO | automation.py | Reading PID log: /var/folders/Hs/HsDn6a9SG8idoIya6p9mtE+++TI/-Tmp-/tmp8wq0rdpidlog
Downloading symbols from: http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-inbound-macosx64-debug/1352521172/firefox-19.0a1.en-US.mac64.crashreporter-symbols.zip
PROCESS-CRASH | /tests/content/html/content/test/test_bug518122.html | application crashed (minidump found)
Crash dump filename: /var/folders/Hs/HsDn6a9SG8idoIya6p9mtE+++TI/-Tmp-/tmpxjqB02/minidumps/CBF78EE0-EAE0-49AE-AC6E-9CA0B95BA210.dmp
Operating system: Mac OS X
                  10.6.8 10K549
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0x0

Thread 0 (crashed)
 0  XUL!void js::gc::MarkInternal<JSObject>(JSTracer*, JSObject**) [Marking.cpp : 110 + 0x0]
 1  XUL!js::ObjectImpl::writeBarrierPre(js::ObjectImpl*) [ObjectImpl-inl.h : 438 + 0x16]
 2  XUL!js::IncrementalReferenceBarrier(void*) [jsfriendapi.cpp : 912 + 0x7]
 3  XUL!nsNodeSH::PreCreate(nsISupports*, JSContext*, JSObject*, JSObject**) [xpcpublic.h : 152 + 0x7]
 4  XUL!nsElementSH::PreCreate(nsISupports*, JSContext*, JSObject*, JSObject**) [nsDOMClassInfo.cpp : 8144 + 0x4]
 5  XUL!ConstructSlimWrapper(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, JS::Value*) [XPCWrappedNative.cpp : 3814 + 0xc]
 6  XUL!XPCConvert::NativeInterface2JSObject(XPCLazyCallContext&, JS::Value*, nsIXPConnectJSObjectHolder**, xpcObjectHelper&, nsID const*, XPCNativeInterface**, bool, tag_nsresult*) [XPCConvert.cpp : 875 + 0x15]
Mmm, PreCreate.
Attached patch: fix
I think this should take care of the problem.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #680784 - Flags: review?(luke)
Comment on attachment 680784
fix

Review of attachment 680784:
-----------------------------------------------------------------

::: js/src/jsapi.cpp
@@ +1556,5 @@
>      JS_ASSERT(origobj != target);
>      JS_ASSERT(!IsCrossCompartmentWrapper(origobj));
>      JS_ASSERT(!IsCrossCompartmentWrapper(target));
>  
> +    AutoDeadCompartmentGC agc(cx);
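
Review bot: The added `AutoDeadCompartmentGC agc(cx);` has no comment saying why this function needs the guard, while the XPCWrappedNative.cpp call site in the same patch gets one ("PreCreate may touch dead compartments"). A one-line comment here naming the operation that can touch dead compartments would keep the call sites consistent. Please also confirm that nothing in this function above the three JS_ASSERTs can invoke a barrier before `agc` is constructed.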

A "dead compartment GC" sounds like a different thing.  How about AutoMaybeTouchDeadCompartments?

::: js/src/jswrapper.h
@@ +299,5 @@
> + * This auto class should be used around any code, such as brain transplants,
> + * that may touch dead compartments. Brain transplants can cause problems
> + * because they operate on all compartments, whether live or dead. A brain
> + * transplant can cause a formerly dead object to be "reanimated" by causing a
> + * read or write barrier to be invoked on it during the transplant.
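
Review bot: The quoted comment lines say when to use the class and why brain transplants are a problem, but not what the class does about it. Nothing in these lines tells a caller what happens when the guard is constructed or destroyed, or what holding it costs, so the comment should gain a sentence describing the guard's effect.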

I would not be opposed to appending:
"In this way, a compartment becomes a zombie, kept alive by repeatedly consuming (transplanted) brains."

::: js/xpconnect/src/XPCWrappedNative.cpp
@@ +510,5 @@
>      mozilla::Maybe<JSAutoCompartment> ac;
>  
>      if (sciWrapper.GetFlags().WantPreCreate()) {
> +        // PreCreate may touch dead compartments.
> +        js::AutoDeadCompartmentGC agc(parent);
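
Review bot: The guard is constructed from `parent` on the last added line here, while the jsapi.cpp hunk constructs it from `cx`. Please confirm that both constructor forms exist and document in jswrapper.h what each argument is used for. The local name `agc` also says little at the point of use; a name that mentions dead compartments would read better next to the comment above it.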

It seems like you'd want to scope 'agc' here (and below x2) as narrowly as possible to avoid unintended full GCs.  There is a lot of code below PreCreate, so perhaps you could either block-scope it or, if that looks ugly, use Maybe<> and call 'destruct' after.
Attachment #680784 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/a10481c78d8e
https://hg.mozilla.org/mozilla-central/rev/866e9c7d656d
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Blocks: 811587
Whiteboard: [orange]