Open Bug 1017639 Opened 10 years ago Updated 2 months ago

PContentParent can be cycle collected before all its open actors have been released

Categories

(Core :: IPC, defect)

People

(Reporter: bkelly, Unassigned)

Attachments

(1 obsolete file)

While running a try build for bug 1013571 I encountered this assertion:

  Assertion failure: isEmpty(), at dist\include\mozilla/LinkedList.h:305

With the stack trace:

12:29:53     INFO -   0  xul.dll!mozilla::LinkedList<mozilla::ipc::IToplevelProtocol>::~LinkedList<mozilla::ipc::IToplevelProtocol>() [LinkedList.h:67265addfa29 : 305 + 0x20]
12:29:53     INFO -      eip = 0x6560b0fc   esp = 0x0031cb88   ebp = 0x0031cbb8   ebx = 0x00000001
12:29:53     INFO -      esi = 0x24e2e74c   edi = 0x6711a1f8   eax = 0x00000000   ecx = 0x7f8ba88c
12:29:53     INFO -      edx = 0x6814e4d8   efl = 0x00000216
12:29:53     INFO -      Found by: given as instruction pointer in context
12:29:53     INFO -   1  xul.dll!mozilla::ipc::IToplevelProtocol::~IToplevelProtocol() [ProtocolUtils.cpp:67265addfa29 : 23 + 0x7]
12:29:53     INFO -      eip = 0x6560c6bb   esp = 0x0031cb90   ebp = 0x0031cbb8
12:29:53     INFO -      Found by: call frame info
12:29:53     INFO -   2  xul.dll!mozilla::dom::PContentParent::~PContentParent() [PContentParent.cpp:67265addfa29 : 210 + 0x10c]
12:29:53     INFO -      eip = 0x656b8cdc   esp = 0x0031cb9c   ebp = 0x0031cbb8
12:29:53     INFO -      Found by: call frame info
12:29:53     INFO -   3  xul.dll!mozilla::dom::ContentParent::~ContentParent() [ContentParent.cpp:67265addfa29 : 1672 + 0x5c]
12:29:53     INFO -      eip = 0x65fdfe96   esp = 0x0031cba8   ebp = 0x0031cbb8
12:29:53     INFO -      Found by: call frame info
12:29:53     INFO -   4  xul.dll!mozilla::dom::ContentParent::`scalar deleting destructor'(unsigned int) + 0xa
12:29:53     INFO -      eip = 0x65fe2aaf   esp = 0x0031cbc0   ebp = 0x0031cbc4
12:29:53     INFO -      Found by: call frame info
12:29:53     INFO -   5  xul.dll!mozilla::dom::ContentParent::DeleteCycleCollectable() [ContentParent.cpp:67265addfa29 : 2156 + 0xf]
12:29:53     INFO -      eip = 0x65fd2715   esp = 0x0031cbcc   ebp = 0x0031cbd0
12:29:53     INFO -      Found by: call frame info

This suggests that the root PContentParent can get cycle collected prior to its open actors getting cleaned up.

Is this legal?  If so, then we should probably clear mOpenActors somehow.  Alternatively, should we forcibly close all open actors if the top level actor is deleted?

I was only able to produce this once out of ~20 runs.  As far as I can tell, it's unrelated to the changes in bug 1013571.
Not sure how long these live on the try server, but here is the link to the full stack trace:

https://tbpl.mozilla.org/php/getParsedLog.php?id=40567673&tree=Try&full=1#error2
This is ContentParent() getting freed under nsCycleCollector_doDeferredDeletion(), so there's no cycle collection per se involved.  Instead, the ref count just dropped to 0, and we're calling the destructor.
Severity: normal → S3
Attachment #9386427 - Attachment is obsolete: true
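
The following is an added model of the invariant behind the assertion, not Mozilla code and not part of the original bug thread. The names `Node`, `OpenList`, `TopLevel`, `closeOnDestroy` and `violations` are hypothetical; the sketch only shows why an intrusive list must be empty when its owner is destroyed, and how one option raised in the report (emptying the list in the owner's destructor) keeps the invariant.

```cpp
#include <cstdio>

// Intrusive list node: an unlinked node points at itself.
struct Node {
    Node* prev = this;
    Node* next = this;
    bool isLinked() const { return next != this; }
    void unlink() { prev->next = next; next->prev = prev; prev = next = this; }
};

// Intrusive list with a sentinel head; elements are owned elsewhere.
struct OpenList {
    Node head;
    bool isEmpty() const { return !head.isLinked(); }
    void insertBack(Node& n) {
        n.prev = head.prev; n.next = &head;
        head.prev->next = &n; head.prev = &n;
    }
    void clear() { while (!isEmpty()) head.next->unlink(); }
};

// Counts owners destroyed while elements were still linked. A list that
// asserts isEmpty() in its destructor would abort at this point instead.
static int gDestroyedNonEmpty = 0;

struct TopLevel {
    OpenList opened;       // hypothetical stand-in for the list of open actors
    bool closeOnDestroy;   // true: empty the list before the owner goes away
    explicit TopLevel(bool c) : closeOnDestroy(c) {}
    ~TopLevel() {
        if (closeOnDestroy) opened.clear();
        if (!opened.isEmpty()) {
            ++gDestroyedNonEmpty;
            // Still-linked elements would keep pointers into this dying
            // object; unlink them so the model itself stays memory-safe.
            opened.clear();
        }
    }
};

// Destroys an owner that still has two linked elements; returns how many
// times the "destroyed while non-empty" condition was hit.
int violations(bool closeOnDestroy) {
    int before = gDestroyedNonEmpty;
    Node a, b;  // constructed sample elements that outlive the owner
    { TopLevel top(closeOnDestroy); top.opened.insertBack(a); top.opened.insertBack(b); }
    return gDestroyedNonEmpty - before;
}

int main() {
    std::printf("no cleanup: %d, cleanup: %d\n", violations(false), violations(true));
}
```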