Closed Bug 98207 Opened 23 years ago Closed 23 years ago

about:config crashes the second time - Trunk [@ js_Interpret]

Categories: Core :: XUL, defect, P1

Tracking: VERIFIED FIXED, mozilla0.9.4

People: Reporter: bnesse, Assigned: brendan

Details: Keywords: crash, topcrash

Attachments: 2 files

From bug 37592...
------- Additional Comments From Matti (Matthias Versen) 2001-09-01 17:45 -------

This is crashing for me if I use about:config the second time.
1. Type about:config
2. Load another page
3. type about:config again -> crash

win2k build 20010901.. (CVS opt)
When I leave the about:config page the first time, I see a bunch of debug spew
in the console window... almost like it's trying to re-draw the about:config
page after deleting it or something...

************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "'[JavaScript Error: "arr is not defined" {file:
"chrome://global/content/config.js" line: 27}]' when calling method:
[nsIOutlinerView::getCellText]"  nsresult: "0x80570021
(NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "<unknown>"  data: yes]
************************************************************

When you try and return to about:config it crashes in JS. Stack coming.
Keywords: crash
Attached file Stack crawl of crash
Segmentation fault on linux - debugging problem
Status: NEW → ASSIGNED
bug 97444 is also a crash at JS_GetPrivate; may be a dup but I'm not quite ready
to pull the trigger yet.
Actually, this looks like another skidmark from the same bug that's causing bug
97293.  This bug may be more reproducible, so I'm not marking it dup.  dbaron,
is this the smoking gun?  I'll try to debug later today, but someone feel free
to beat me to it.

(The JS_GetPrivate crash is not the interesting part that links this bug's
backtrace to bug 97293 rather than to the also-in-JS_GetPrivate bug 97444 --
rather, the nsXULDocument::ExecuteScript that passes a bad, probably-GC'd script
object into JS_ExecuteScript, is the key.)

/be
I just gave this a whirl and got the same results as Brendan - the 
aScriptObject is garbage. FWIW, on NT my debug build goes off into the weeds 
without leaving me a usable stack. My release-with-symbols build yields the same 
stack as already posted to this bug.
Severity: major → critical
jband: I still haven't tried to debug this, but I will tonight.  Did you divine
whether a XUL precompiled script object reference was unrooted?

/be
brendan: I didn't dig that deep. The 'bad' JSObject is the one called 
'aScriptProto->mJSObject' in nsXULDocument::LoadScript. aScriptProto looks like 
a nice object. But the JSObject is smelly.
Adding topcrash as per Bug 97293. P1, 0.9.5, component JavaScript Engine
(belongs to khanson@netscape.com as well?)
Component: Preferences → Javascript Engine
Keywords: topcrash
Priority: -- → P1
Target Milestone: --- → mozilla0.9.5
jpatel: I'm betting this will end up a XUL bug, but you can assign it to me or
to jband.  The other bug, bug 97293, might better be forward-duped against this
one, because this bug has reproducible instructions.  But bug 97293 has some
nice dbaron disassembly analysis, so I've been hesitant to dup it.  Yeah, I'm
just shy.

/be
*** Bug 97293 has been marked as a duplicate of this bug. ***
jussi, sorry -- I saw a leading "j" in your name, saw "topcrash", and my brain
went off like a plastic trap.

/be
Adding Trunk [@ js_Interpret] for tracking, since bug 97293 was just marked a dup.  

Summary: about:config crashes the second time → about:config crashes the second time - Trunk [@ js_Interpret]
This is a XUL bug, and I caused it with my FastLoad hacking (sob).  The
about:config URL loads but does not enter its XUL prototype nodes, including
prototype scripts that contain rooted JSObject pointers, into the XUL prototype
cache -- because the URL scheme is not chrome.

But, code in nsXULDocument.cpp nsXULDocument::LoadScript, needed by FastLoad for
"exactly-once" script loading, does enter the
chrome:/navigator/content/config.js script into the XUL script cache -- because
the URL scheme *is* chrome.  That XUL script cache entry holds an unrooted
JSObject* -- it counts on there being a companion XUL prototype cache entry
holding a root.  Blammo.

Patch soon.

/be
Assignee: chipc → brendan
Status: ASSIGNED → NEW
Keywords: mozilla0.9.4
Target Milestone: mozilla0.9.5 → mozilla0.9.4
Comment on attachment 48374
proposed fix (one-line change, excluding comments)

r/sr=waterson
Attachment #48374 - Flags: review+
Comment on attachment 48374
proposed fix (one-line change, excluding comments)

sr=jband
Attachment #48374 - Flags: superreview+
Comment on attachment 48374
proposed fix (one-line change, excluding comments)

a=asa for checkin to 0.9.4 branch.
Attachment #48374 - Flags: approval+
QA Contact: sairuh → pschwartau
(Fixing component and QA contact...)

Fix checked into trunk and branch.

/be
Status: NEW → RESOLVED
Closed: 23 years ago
Component: Javascript Engine → XP Toolkit/Widgets: XUL
QA Contact: pschwartau → jrgm
Resolution: --- → FIXED
verified fixed -- does not crash on second use of about:config and config.js is 
not serialized into the fastload file (or placed in xul cache) -- 
mac/linux/win32 2001-09-06-08 builds. 

[Note: needed a slight workaround to test about:config on Linux -- bug 98667].
Status: RESOLVED → VERIFIED
*** Bug 98823 has been marked as a duplicate of this bug. ***
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets
Crash Signature: [@ js_Interpret]
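
The root cause given in the thread above (a script cache entry holding an unrooted pointer, with no companion prototype cache entry to root it) can be modelled in a few lines of C. This is an added example, not part of the bug thread and not Mozilla code; the slot heap, `load`, `second_visit_ok` and the gating used on the fixed path are assumptions, chosen to match the verification note that config.js is no longer placed in the XUL cache.

```c
#include <stdbool.h>
#include <string.h>

/* Toy model, not Mozilla code: a small GC heap, a root set, and a script
   cache that keeps a bare slot index (standing in for an unrooted JSObject*). */
enum { SLOTS = 4 };
static bool live[SLOTS], rooted[SLOTS];
static int script_cache = -1;                 /* cached script slot, or -1 */

static bool is_chrome(const char *url) { return strncmp(url, "chrome:", 7) == 0; }
static int alloc_obj(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = true; return i; }
    return -1;
}

static void gc(void) {                        /* sweep every unrooted slot */
    for (int i = 0; i < SLOTS; i++)
        if (!rooted[i]) live[i] = false;
}

/* True if the script object that would be executed is live, false if stale. */
static bool load(const char *doc_url, const char *script_url, bool fixed) {
    bool doc_cached = is_chrome(doc_url);     /* prototype cache policy */
    bool cache_script = fixed ? doc_cached    /* assumed fix: follow the doc */
                              : is_chrome(script_url); /* bug: script URL only */
    int obj = script_cache;
    if (obj < 0) {                            /* cache miss: "compile" it */
        if ((obj = alloc_obj()) < 0) return false;
        if (doc_cached) rooted[obj] = true;   /* prototype entry holds the root */
        if (cache_script) script_cache = obj;
    }
    return live[obj];
}

/* Visit, navigate away (GC runs), visit again; result of the second visit. */
static bool second_visit_ok(const char *doc, const char *script, bool fixed) {
    memset(live, 0, sizeof live);
    memset(rooted, 0, sizeof rooted);
    script_cache = -1;
    load(doc, script, fixed);
    gc();
    return load(doc, script, fixed);
}

int main(void) {  /* exits 0 when buggy path is stale and fixed path is live */
    const char *a = "about:config", *js = "chrome://global/content/config.js";
    return (!second_visit_ok(a, js, false) && second_visit_ok(a, js, true)) ? 0 : 1;
}
```

The model uses a slot index and a `live` flag so the stale reference can be detected safely; in the real crash the cache held a raw pointer, so the second visit executed a collected object instead.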