Closed Bug 1125005 Opened 9 years ago Closed 9 years ago

Assertion failure: false (Try to avoid re-entering ReleaseNow!)

Categories: Core :: Layout, defect
Platform: x86, macOS
Type: defect
Priority: Not set
Severity: normal

Tracking: RESOLVED FIXED, Target Milestone mozilla38
Tracking Status: firefox38 --- fixed

People: Reporter: jya, Assigned: mccr8

Details: Keywords: sec-other, Whiteboard: [adv-main38-]

Attachments: 2 files

I am running the patch from bug 1124603 (without it central is unusable on my machine).

(lldb) bt
* thread #1: tid = 0x590e31, 0x0000000103619b63 XUL`mozilla::IncrementalFinalizeRunnable::ReleaseNow(this=0x000000011e17b400, aLimited=false) + 83 at CycleCollectedJSRuntime.cpp:1137, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000103619b63 XUL`mozilla::IncrementalFinalizeRunnable::ReleaseNow(this=0x000000011e17b400, aLimited=false) + 83 at CycleCollectedJSRuntime.cpp:1137
    frame #1: 0x000000010361a0f3 XUL`mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(this=0x0000000100475000, aType=FinalizeNow) + 83 at CycleCollectedJSRuntime.cpp:1218
    frame #2: 0x000000010361849c XUL`mozilla::CycleCollectedJSRuntime::OnGC(this=0x0000000100475000, aStatus=JSGC_END) + 204 at CycleCollectedJSRuntime.cpp:1276
    frame #3: 0x00000001036171d1 XUL`mozilla::CycleCollectedJSRuntime::GCCallback(aRuntime=0x0000000117ec4000, aStatus=JSGC_END, aData=0x0000000100475000) + 145 at CycleCollectedJSRuntime.cpp:749
    frame #4: 0x00000001090e018f XUL`js::gc::GCRuntime::collect(this=0x0000000117ec4360, incremental=true, budget=(deadline = 9223372036854775807, counter = 9223372036854379390), reason=MAYBEGC) + 1151 at jsgc.cpp:6213
    frame #5: 0x00000001090d43d3 XUL`js::gc::GCRuntime::startGC(this=0x0000000117ec4360, gckind=GC_NORMAL, reason=MAYBEGC, millis=0) + 179 at jsgc.cpp:6277
    frame #6: 0x000000010908ede8 XUL`js::gc::GCRuntime::maybeGC(this=0x0000000117ec4360, zone=0x000000012a98f800) + 424 at jsgc.cpp:3246
    frame #7: 0x000000010908ec1f XUL`JS_MaybeGC(cx=0x000000012b04d4e0) + 63 at jsapi.cpp:1666
    frame #8: 0x0000000104dffd81 XUL`mozilla::dom::AutoEntryScript::~AutoEntryScript(this=0x00007fff5fbfae28) + 129 at ScriptSettings.cpp:560
    frame #9: 0x0000000104dffdd5 XUL`mozilla::dom::AutoEntryScript::~AutoEntryScript(this=0x00007fff5fbfae28) + 21 at ScriptSettings.cpp:548
    frame #10: 0x00000001044c2160 XUL`nsXPCWrappedJSClass::CallMethod(this=0x000000011e175ba0, wrapper=0x0000000121a49800, methodIndex=4, info_=0x0000000117e2b380, nativeParams=0x00007fff5fbfb040) + 11040 at XPCWrappedJSClass.cpp:1428
    frame #11: 0x00000001044bad7b XUL`nsXPCWrappedJS::CallMethod(this=0x0000000121a49800, methodIndex=4, info=0x0000000117e2b380, params=0x00007fff5fbfb040) + 203 at XPCWrappedJS.cpp:532
    frame #12: 0x000000010372adc6 XUL`PrepareAndDispatch(self=0x000000011e156720, methodIndex=4, args=0x00007fff5fbfb160, gpregs=0x00007fff5fbfb0e0, fpregs=0x00007fff5fbfb110) + 1654 at xptcstubs_x86_64_darwin.cpp:122
    frame #13: 0x00000001037297db XUL`SharedStub + 91
    frame #14: 0x00000001072f096e XUL`nsTreeBodyFrame::DestroyFrom(this=0x0000000131ca1948, aDestructRoot=0x0000000131bd1458) + 862 at nsTreeBodyFrame.cpp:311
    frame #15: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131ca15d8, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #16: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131ca1578, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #17: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131ca1578, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #18: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131ca1208, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #19: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131ca11a8, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #20: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131ca11a8, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #21: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131ca07b8, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #22: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131ca0758, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #23: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131ca0758, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #24: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131c9a530, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #25: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131c9a4d0, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #26: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131c9a4d0, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #27: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131c99d60, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #28: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131c99d00, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #29: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131c99d00, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #30: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000121a56260, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #31: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000121a56200, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #32: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000121a56200, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #33: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131c94a70, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #34: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131c94a10, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #35: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131c94a10, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #36: 0x000000010715cf4f XUL`nsLineBox::DeleteLineList(aPresContext=0x0000000131a63000, aLines=0x0000000131c943c8, aDestructRoot=0x0000000131bd1458, aFrames=0x0000000131c943b0) + 335 at nsLineBox.cpp:391
    frame #37: 0x000000010708fa84 XUL`nsBlockFrame::DestroyFrom(this=0x0000000131c94350, aDestructRoot=0x0000000131bd1458) + 164 at nsBlockFrame.cpp:323
    frame #38: 0x000000010715cf4f XUL`nsLineBox::DeleteLineList(aPresContext=0x0000000131a63000, aLines=0x0000000131c93b18, aDestructRoot=0x0000000131bd1458, aFrames=0x0000000131c93b00) + 335 at nsLineBox.cpp:391
    frame #39: 0x000000010708fa84 XUL`nsBlockFrame::DestroyFrom(this=0x0000000131c93aa0, aDestructRoot=0x0000000131bd1458) + 164 at nsBlockFrame.cpp:323
    frame #40: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131bd21d0, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #41: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131bd2170, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #42: 0x00000001070b7cd5 XUL`nsCanvasFrame::DestroyFrom(this=0x0000000131bd2170, aDestructRoot=0x0000000131bd1458) + 501 at nsCanvasFrame.cpp:203
    frame #43: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131bd24e8, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #44: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131bd2488, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #45: 0x0000000107110f69 XUL`nsHTMLScrollFrame::DestroyFrom(this=0x0000000131bd2488, aDestructRoot=0x0000000131bd1458) + 73 at nsGfxScrollFrame.cpp:135
    frame #46: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131bd14b8, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #47: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131bd1458, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #48: 0x000000010700da0e XUL`nsIFrame::Destroy(this=0x0000000131bd1458) + 30 at nsIFrame.h:442
    frame #49: 0x0000000106f8f5cf XUL`nsFrameManager::Destroy(this=0x000000013196a050) + 143 at nsFrameManager.cpp:136
    frame #50: 0x0000000106f8f468 XUL`nsCSSFrameConstructor::WillDestroyFrameTree(this=0x000000013196a050) + 120 at nsCSSFrameConstructor.cpp:8466
    frame #51: 0x000000010703793e XUL`PresShell::Destroy(this=0x0000000131b9e000) + 2526 at nsPresShell.cpp:1245
    frame #52: 0x0000000106fd9a4b XUL`nsDocumentViewer::DestroyPresShell(this=0x000000012f579d00) + 251 at nsDocumentViewer.cpp:4424
    frame #53: 0x0000000106fd1fb5 XUL`nsDocumentViewer::Destroy(this=0x000000012f579d00) + 1829 at nsDocumentViewer.cpp:1673
    frame #54: 0x00000001076c2e38 XUL`nsSHEntryShared::RemoveFromBFCacheSync(this=0x0000000131968100) + 200 at nsSHEntryShared.cpp:242
    frame #55: 0x00000001076c3867 XUL`nsSHEntryShared::~nsSHEntryShared(this=0x0000000131968100) + 231 at nsSHEntryShared.cpp:102
    frame #56: 0x00000001076c39a5 XUL`nsSHEntryShared::~nsSHEntryShared(this=0x0000000131968100) + 21 at nsSHEntryShared.cpp:84
    frame #57: 0x00000001076c3d15 XUL`nsSHEntryShared::Release(this=0x0000000131968100) + 501 at nsSHEntryShared.cpp:106
    frame #58: 0x00000001076d247d XUL`nsRefPtr<nsSHEntryShared>::~nsRefPtr(this=0x000000012fbe85d8) + 45 at nsRefPtr.h:60
    frame #59: 0x00000001076ced25 XUL`nsRefPtr<nsSHEntryShared>::~nsRefPtr(this=0x000000012fbe85d8) + 21 at nsRefPtr.h:58
    frame #60: 0x00000001076bfd70 XUL`nsSHEntry::~nsSHEntry(this=0x000000012fbe85b0) + 272 at nsSHEntry.cpp:76
    frame #61: 0x00000001076bfde5 XUL`nsSHEntry::~nsSHEntry(this=0x000000012fbe85b0) + 21 at nsSHEntry.cpp:73
    frame #62: 0x00000001076c0265 XUL`nsSHEntry::Release(this=0x000000012fbe85b0) + 501 at nsSHEntry.cpp:82
    frame #63: 0x0000000104e7709b XUL`nsCOMPtr<nsISHEntry>::~nsCOMPtr(this=0x0000000131adb670) + 91 at nsCOMPtr.h:391
    frame #64: 0x0000000104e68a25 XUL`nsCOMPtr<nsISHEntry>::~nsCOMPtr(this=0x0000000131adb670) + 21 at nsCOMPtr.h:388
    frame #65: 0x00000001076c4885 XUL`nsSHTransaction::~nsSHTransaction(this=0x0000000131adb640) + 53 at nsSHTransaction.cpp:22
    frame #66: 0x00000001076c48b5 XUL`nsSHTransaction::~nsSHTransaction(this=0x0000000131adb640) + 21 at nsSHTransaction.cpp:21
    frame #67: 0x00000001076c48d9 XUL`nsSHTransaction::~nsSHTransaction(this=0x0000000131adb640) + 25 at nsSHTransaction.cpp:21
    frame #68: 0x00000001076c4c29 XUL`nsSHTransaction::Release(this=0x0000000131adb640) + 505 at nsSHTransaction.cpp:29
    frame #69: 0x0000000103619806 XUL`ReleaseSliceNow(aSlice=11979, aData=0x000000011e17b420) + 246 at CycleCollectedJSRuntime.cpp:1091
    frame #70: 0x0000000103619db2 XUL`mozilla::IncrementalFinalizeRunnable::ReleaseNow(this=0x000000011e17b400, aLimited=false) + 674 at CycleCollectedJSRuntime.cpp:1171
    frame #71: 0x000000010361a2a6 XUL`mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(this=0x0000000100475000, aType=FinalizeNow) + 518 at CycleCollectedJSRuntime.cpp:1236
    frame #72: 0x000000010361849c XUL`mozilla::CycleCollectedJSRuntime::OnGC(this=0x0000000100475000, aStatus=JSGC_END) + 204 at CycleCollectedJSRuntime.cpp:1276
    frame #73: 0x00000001036171d1 XUL`mozilla::CycleCollectedJSRuntime::GCCallback(aRuntime=0x0000000117ec4000, aStatus=JSGC_END, aData=0x0000000100475000) + 145 at CycleCollectedJSRuntime.cpp:749
    frame #74: 0x00000001090e018f XUL`js::gc::GCRuntime::collect(this=0x0000000117ec4360, incremental=true, budget=(deadline = 9223372036854775807, counter = 9223372036854227982), reason=CC_FORCED) + 1151 at jsgc.cpp:6213
    frame #75: 0x00000001090e066f XUL`js::gc::GCRuntime::finishGC(this=0x0000000117ec4360, reason=CC_FORCED) + 143 at jsgc.cpp:6291
    frame #76: 0x00000001090e0f72 XUL`JS::FinishIncrementalGC(rt=0x0000000117ec4000, reason=CC_FORCED) + 34 at jsgc.cpp:7081
    frame #77: 0x0000000104f72d0e XUL`FinishAnyIncrementalGC() + 46 at nsJSEnvironment.cpp:1315
    frame #78: 0x0000000104f72ec1 XUL`FireForgetSkippable(aSuspected=11611, aRemoveChildless=false) + 33 at nsJSEnvironment.cpp:1323
    frame #79: 0x0000000104f74445 XUL`CCTimerFired(aTimer=0x000000011e1a9b60, aClosure=0x0000000000000000) + 405 at nsJSEnvironment.cpp:1864
    frame #80: 0x0000000103708d82 XUL`nsTimerImpl::Fire(this=0x000000011e1a9b60) + 994 at nsTimerImpl.cpp:631
    frame #81: 0x0000000103709191 XUL`nsTimerEvent::Run(this=0x000000011ed416b0) + 209 at nsTimerImpl.cpp:724
    frame #82: 0x0000000103703c28 XUL`nsThread::ProcessNextEvent(this=0x0000000100437310, aMayWait=false, aResult=0x00007fff5fbfd063) + 2088 at nsThread.cpp:855
    frame #83: 0x000000010375da6a XUL`NS_ProcessPendingEvents(aThread=0x0000000100437310, aTimeout=20) + 154 at nsThreadUtils.cpp:207
    frame #84: 0x0000000106b1d379 XUL`nsBaseAppShell::NativeEventCallback(this=0x000000011b57afc0) + 201 at nsBaseAppShell.cpp:98
    frame #85: 0x0000000106b96b2d XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x000000011b57afc0) + 445 at nsAppShell.mm:373
    frame #86: 0x00007fff98ee9661 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #87: 0x00007fff98edb7ed CoreFoundation`__CFRunLoopDoSources0 + 269
    frame #88: 0x00007fff98edae1f CoreFoundation`__CFRunLoopRun + 927
    frame #89: 0x00007fff98eda838 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #90: 0x00007fff9142543f HIToolbox`RunCurrentEventLoopInMode + 235
    frame #91: 0x00007fff914251ba HIToolbox`ReceiveNextEventCommon + 431
    frame #92: 0x00007fff91424ffb HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #93: 0x00007fff8b7086d1 AppKit`_DPSNextEvent + 964
    frame #94: 0x00007fff8b707e80 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
    frame #95: 0x0000000106b95677 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x0000000117c37430, _cmd=0x00007fff8c05bb88, mask=18446744073709551615, expiration=0x422d63c37f00000d, mode=0x00007fff7d64df60, flag='\x01') + 119 at nsAppShell.mm:118
    frame #96: 0x00007fff8b6fbe23 AppKit`-[NSApplication run] + 594
    frame #97: 0x0000000106b974e7 XUL`nsAppShell::Run(this=0x000000011b57afc0) + 167 at nsAppShell.mm:647
    frame #98: 0x0000000107a8d36c XUL`nsAppStartup::Run(this=0x000000011b3e1d80) + 156 at nsAppStartup.cpp:281
    frame #99: 0x0000000107b3cca0 XUL`XREMain::XRE_mainRun(this=0x00007fff5fbfefe8) + 6208 at nsAppRunner.cpp:4145
    frame #100: 0x0000000107b3d54e XUL`XREMain::XRE_main(this=0x00007fff5fbfefe8, argc=5, argv=0x00007fff5fbff918, aAppData=0x00007fff5fbff298) + 798 at nsAppRunner.cpp:4221
    frame #101: 0x0000000107b3da12 XUL`XRE_main(argc=5, argv=0x00007fff5fbff918, aAppData=0x00007fff5fbff298, aFlags=0) + 98 at nsAppRunner.cpp:4441
    frame #102: 0x0000000100002d0e firefox`do_main(argc=5, argv=0x00007fff5fbff918, xreDirectory=0x000000010040dd40) + 1950 at nsBrowserApp.cpp:294
    frame #103: 0x0000000100002073 firefox`main(argc=5, argv=0x00007fff5fbff918) + 323 at nsBrowserApp.cpp:667
    frame #104: 0x0000000100001ad4 firefox`start + 52
(lldb)
Attached file backtrace.txt
Full backtrace.

Note that I've only experienced it once so far.
Well, here's an example of re-entering IncrementalFinalizeRunnable::ReleaseNow()...
Happened another 3 times since I lodged this bug 1 hour ago.
And this shows a possible security issue. We really shouldn't call any JS stuff at that point.
Group: core-security
Component: JavaScript: GC → XUL
Component: XUL → Layout
I wonder if we'd be able to prevent bug 997918 by preventing calls to js::gc::GCRuntime::startGC (from js::gc::GCRuntime::maybeGC) while js::gc::GCRuntime::finishGC is on the stack?
(In reply to Steven Michaud from comment #5)
> I wonder if we'd be able to prevent bug 997918 by preventing calls to
> js::gc::GCRuntime::startGC (from js::gc::GCRuntime::maybeGC) while
> js::gc::GCRuntime::finishGC is on the stack?

I'm not sure how reentrance-proof the GC is, but stopping us from GCing may just make us crash.
I think we could work around this reentrance by ensuring we never call ReleaseNow() when this == mFinalizeRunnable.
(In reply to Andrew McCreight [:mccr8] from comment #7)
> I think we could work around this reentrance by ensuring we never call
> ReleaseNow() when this == mFinalizeRunnable.

Eh, never mind, then you lose the ability to finish off the runnable on CC.  So I guess the current code should be okay enough when we hit this.  Aside from whatever other badness is happening in this stack.
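The re-entrance the two comments above are talking about, reduced to a stand-alone model. This is an added example with hypothetical names (DeferredReleaseQueue, Deferred, RunScenario), not Gecko's IncrementalFinalizeRunnable or any code from this bug. It shows the shape of the backtrace (a drain routine running a destructor, the destructor running "script", the script forcing a GC whose callback re-enters the same drain routine) and why a drain that detaches each object from the queue before destroying it survives that re-entry: nothing is released twice and nothing is left behind, so the re-entry can be counted instead of asserted on.

```cpp
// Added example (hypothetical names, not Gecko's IncrementalFinalizeRunnable):
// a deferred-release queue whose drain routine, ReleaseNow(), may be re-entered
// from inside a destructor it is running, the shape seen in the backtrace
// (ReleaseNow -> ~nsSHEntryShared -> frame destruction -> script -> GC -> ReleaseNow).
#include <cassert>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// An object whose destructor runs an arbitrary callback, standing in for a C++
// destructor that ends up running script and thereby triggering a GC callback.
struct Deferred {
    int id;
    std::function<void()> onDestroy;
    Deferred(int aId, std::function<void()> aOnDestroy)
        : id(aId), onDestroy(std::move(aOnDestroy)) {}
    ~Deferred() { if (onDestroy) onDestroy(); }
};

class DeferredReleaseQueue {
public:
    void Enqueue(std::unique_ptr<Deferred> aObj) { mPending.push_back(std::move(aObj)); }

    // Drain the queue. Re-entrancy is tolerated rather than asserted on: each
    // object is detached from mPending BEFORE its destructor runs, so a nested
    // ReleaseNow() can never release the same object twice, and whichever call
    // is innermost simply drains whatever is pending at that moment.
    // Returns how many objects THIS invocation released (nested calls count
    // their own).
    int ReleaseNow() {
        if (mReleasing) {
            ++mReentries;   // the spot where an assertion would fire; here just counted
        }
        const bool wasReleasing = mReleasing;
        mReleasing = true;
        int released = 0;
        while (!mPending.empty()) {
            std::unique_ptr<Deferred> victim = std::move(mPending.back());
            mPending.pop_back();   // detach first...
            victim.reset();        // ...then destroy; this may re-enter ReleaseNow()
            ++released;
        }
        mReleasing = wasReleasing;
        return released;
    }

    int Reentries() const { return mReentries; }
    size_t Pending() const { return mPending.size(); }

private:
    std::vector<std::unique_ptr<Deferred>> mPending;
    bool mReleasing = false;
    int mReentries = 0;
};

struct ScenarioResult {
    int outerReleased;   // objects released by the outermost ReleaseNow()
    int destroyed;       // total destructors run
    int reentries;       // nested ReleaseNow() calls observed
    size_t leftover;     // objects still pending afterwards
};

// Constructed scenario: object 3's destructor behaves like the frame-destruction
// path in the bug. It runs "script" that enqueues more deferred work (object 4)
// and then re-enters ReleaseNow(), as a GC callback would.
ScenarioResult RunScenario() {
    DeferredReleaseQueue queue;
    int destroyed = 0;
    auto count = [&destroyed] { ++destroyed; };

    queue.Enqueue(std::make_unique<Deferred>(1, count));
    queue.Enqueue(std::make_unique<Deferred>(2, count));
    queue.Enqueue(std::make_unique<Deferred>(3, [&] {
        ++destroyed;
        queue.Enqueue(std::make_unique<Deferred>(4, count));
        queue.ReleaseNow();   // nested drain releases 4, 2 and 1
    }));

    int outer = queue.ReleaseNow();   // pops 3 first (back of the vector)
    return ScenarioResult{outer, destroyed, queue.Reentries(), queue.Pending()};
}

int main() {
    ScenarioResult r = RunScenario();
    std::printf("outer released %d, destroyed %d, re-entries %d, leftover %zu\n",
                r.outerReleased, r.destroyed, r.reentries, r.leftover);
    return (r.destroyed == 4 && r.leftover == 0) ? 0 : 1;
}
```

The outer call releases only object 3, because by the time its destructor returns the nested call has already drained everything else, including the object enqueued mid-destruction; four destructors run in total and the queue is empty. The same scenario against a drain loop that iterates the vector in place (instead of popping each entry first) would have the nested call invalidate the outer loop's iterator, which is the kind of corruption the original assertion was guarding against.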
(Following up comment #5)

> I wonder if we'd be able to prevent bug 997918 ...

The bug number is 997908.
Olli, what sort of security rating should this have do you think?
Flags: needinfo?(bugs)
It is xul layout stuff calling JS when it is not really safe to do so...
sec-moderate?
Flags: needinfo?(bugs)
Keywords: sec-moderate
It's not clear to me what's wrong with line 311 in nsTreeBodyFrame::DestroyFrom.
http://hg.mozilla.org/mozilla-central/annotate/5cbae82bdb4b/layout/xul/tree/nsTreeBodyFrame.cpp#l276
Is the problem that nsITreeView/nsITreeSelection is scriptable and therefore we're not allowed to touch it here?
Flags: needinfo?(bugs)
Yes. We really shouldn't touch scriptable stuff during frame tree destruction, as far as I know.
Scripts may after all re-construct the frames and what not.
Maybe we need a thin wrapper over some C++ object, and the JS side has a pointer to that wrapper, but releasing the wrapper from the layout side should be safe.
(After such a release, if the JS side did anything with the wrapper, it would just throw a JS exception.)
Flags: needinfo?(bugs)
The rules for privileged script might be different from the rules for Web script; we might have rules that say that certain nsITreeView methods, implemented in JS, are only allowed to do certain things.  In this case it looks like there's now a rule that frame destruction isn't allowed to run privileged script at all, which might not be a rule that's existed since the beginning of the codebase.
Well, the issue is that, as the stack trace shows, GC may be called, and that may cause random C++ destructors to run, and pretty much anything can happen then.

If we could prevent GC from running, then letting privileged script run would be fine, I think.
In this case we might be able to solve it by using nsIWeakReference, although that might be a substantive change to the tree API.
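The "thin wrapper" idea from the comments above, as an added example. This is not code from the bug, from nsTreeBodyFrame or from any Gecko interface; TreeBody, TreeBodyHandle and RunLifecycle are hypothetical names, and a shared_ptr stands in for whatever reference the script side would hold. The layout-side object owns the real state; the script side only ever holds the handle; destroying the layout object clears the handle's back-pointer and runs no script, so a script call that arrives after frame-tree destruction fails cleanly (the bool result stands in for "throw a JS exception") instead of touching freed memory.

```cpp
// Added example (hypothetical names, not Gecko's nsTreeBodyFrame/nsITreeView):
// a script-facing handle that layout can disconnect without running script.
#include <cstdio>
#include <memory>

struct RowCountResult {
    bool ok;     // false stands in for "throw a JS exception"
    int rows;    // valid only when ok
};

class TreeBody;

// Script-facing handle: never owns the layout object, only points at it while
// the object is alive.
class TreeBodyHandle {
public:
    RowCountResult RowCount() const;
    bool IsConnected() const { return mBody != nullptr; }
private:
    friend class TreeBody;
    TreeBody* mBody = nullptr;
};

// Layout-side object (stand-in for the frame's backing data). Destroying it
// runs no script; it only clears the handle's back-pointer.
class TreeBody {
public:
    explicit TreeBody(int aRows)
        : mRows(aRows), mHandle(std::make_shared<TreeBodyHandle>()) {
        mHandle->mBody = this;
    }
    ~TreeBody() { mHandle->mBody = nullptr; }   // disconnect, nothing else
    std::shared_ptr<TreeBodyHandle> Handle() const { return mHandle; }
    int Rows() const { return mRows; }
private:
    int mRows;
    std::shared_ptr<TreeBodyHandle> mHandle;
};

RowCountResult TreeBodyHandle::RowCount() const {
    if (!mBody) {
        return RowCountResult{false, 0};   // late call after layout went away
    }
    return RowCountResult{true, mBody->Rows()};
}

struct LifecycleResult {
    bool beforeOk;
    int beforeRows;
    bool afterOk;
    bool afterConnected;
};

// Constructed lifecycle: script grabs a handle, layout tears the object down
// (frame tree destruction), script calls again.
LifecycleResult RunLifecycle() {
    auto body = std::make_unique<TreeBody>(42);
    std::shared_ptr<TreeBodyHandle> scriptSide = body->Handle();

    RowCountResult before = scriptSide->RowCount();
    body.reset();                                 // layout-side destruction
    RowCountResult after = scriptSide->RowCount();

    return LifecycleResult{before.ok, before.rows, after.ok, scriptSide->IsConnected()};
}

int main() {
    LifecycleResult r = RunLifecycle();
    std::printf("before: ok=%d rows=%d; after: ok=%d connected=%d\n",
                r.beforeOk, r.beforeRows, r.afterOk, r.afterConnected);
    return (r.beforeOk && !r.afterOk) ? 0 : 1;
}
```

The point of the split is that the only thing layout does during teardown is write a null pointer; every decision about what a script call means after that point is made on the script side of the handle, where it is safe to fail. A weak-reference interface such as the nsIWeakReference mentioned above gives the same "is the target still alive?" check without the custom handle class.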
See Also: → 1129127
(In reply to Olli Pettay [:smaug] from comment #15)
> If we could prevent GC from running, then letting privileged script run would
> be fine, I think.

I'd prefer that too, rather than messing with regression prone XUL code.

So who will write an AutoSuppressGC thing we can use? ;-)
Olli and I discussed this, and we think it is probably okay, so we'll just remove the assertion...
Assignee: nobody → continuation
Keywords: sec-moderate → sec-other
smaug told me over IRC that I could ask for review despite his review ban. ;)
Attachment #8560564 - Flags: review?(bugs)
Attachment #8560564 - Flags: review?(bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/4f92dc4510bf
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
>> If we could prevent GC from running, then letting privileged script
>> run would be fine, I think.
>
> I'd prefer that too, rather than messing with regression prone XUL
> code.
>
> So who will write an AutoSuppressGC thing we can use? ;-)

So are we going to do anything about this?
If we can live without suppressing GC, the better. It would be a hack anyway.
The issue is that JS can always just run any code, and end up spinning the event loop and what not, so
GC must be able to run at some point while JS runs.
I'd still like to try the idea I expressed in comment #5, just as an experiment (for at least a week on trunk), to see if it makes bug 997908 go away.

Otherwise I think we've lost any chance that the insights gained here will help us with bug 997908.
Whiteboard: [adv-main38-]
Group: core-security → core-security-release
Group: core-security-release