Closed Bug 1146316 Opened 11 years ago Closed 7 years ago

Remove nsWrapperCache::SetIsNotDOMBinding and IsDOMBinding()

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox62 --- fixed

People

(Reporter: bzbarsky, Assigned: peterv)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

Attachments

(5 files, 1 obsolete file)

Preserve the wrapper of sandboxes, so that we never try to call WrapObject on them v1
4.48 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Remove nsWrapperCache::SetIsNotDOMBinding and IsDOMBinding() v2
18.61 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Leak fix, make sure we call PollJSSampling at least once after stopping profiler
1.78 KB, patch
mstange
: review+
Details | Diff | Splinter Review
Leak fix, set up CC in XPCShell too.
1.91 KB, patch
smaug
: review+
Details | Diff | Splinter Review
Leak fix, declare ServiceWorkerPrivate::mSandbox to the CC.
6.27 KB, patch
bkelly
: review+
Details | Diff | Splinter Review
We need to move all the current consumers to webidl: sandbox and the various message manager bits.
Blocks: 1146318
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Attached patch v1 (obsolete) — Splinter Review
Comment on attachment 8967074 [details] [diff] [review] Preserve the wrapper of sandboxes, so that we never try to call WrapObject on them v1 >+ JS_SetPrivate(global, sbp.forget().downcast<nsIScriptObjectPrincipal>().take()); Hmm. So this class does: NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_AMBIGUOUS(SandboxPrivate, nsIGlobalObject) and NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIScriptObjectPrincipal) Shouldn't those two match? In any case, whatever places need to match here (e.g. does the QI need to match the private value bit?) should really have comments pointing to each other. It's also a bit weird to call downcast() when you're really doing an upcast; might deserve a comment there too. r=me
Attachment #8967074 - Flags: review?(bzbarsky) → review+
Comment on attachment 8967076 [details] [diff] [review] Remove nsWrapperCache::SetIsNotDOMBinding and IsDOMBinding() v2 You should change WRAPPER_CACHE_FLAGS_BITS_USED to 1. That adds a free bit on nodes, yay! > +// Only set aAllowNativeWrapper to false if you really know you need it, if in s/,/;/ >+ Throw(aCx, NS_ERROR_UNEXPECTED); >+ return false; Could just be: return Throw(aCx, NS_ERROR_UNEXPECTED); > // Wrapping of our native parent, for cases when it's a WebIDL object (though > // possibly preffed off). There is no "preffed off" case now. r=me. Thank you for cleaning this up!
Attachment #8967076 - Flags: review?(bzbarsky) → review+
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #4) > Hmm. So this class does: > > NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_AMBIGUOUS(SandboxPrivate, > nsIGlobalObject) > > and > > NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIScriptObjectPrincipal) > > Shouldn't those two match? No, the CC uses an nsISupports that may be different from the canonical nsISupports (for various reasons). I don't think it's worth commenting about that here, it's just a general rule (nsCycleCollectionParticipant.h has a comment about it). > In any case, whatever places need to match here (e.g. does the QI need to > match the private value bit?) should really have comments pointing to each > other. I don't think anything relies on the private being the canonical nsISupports. I added comments to Create and GetPrivate that the type needs to match. > It's also a bit weird to call downcast() when you're really doing an upcast; > might deserve a comment there too. I switched to ToSupports instead.
https://hg.mozilla.org/integration/mozilla-inbound/rev/1316c78daeb6fd1883b3c1688c2591ee02c4d3e5 Bug 1146316 - Preserve the wrapper of sandboxes, so that we never try to call WrapObject on them. r=bz. https://hg.mozilla.org/integration/mozilla-inbound/rev/719f7596c208eab1f2c8a1a250f1a6d2a7304d65 Bug 1146316 - Remove nsWrapperCache::SetIsNotDOMBinding and IsDOMBinding(). r=bz.
Backed out 8 changesets (bug 1453011, bug 1452981, bug 1146316) For xpcshell and mochitest failures on multiple files. CLOSED TREE Log of the failure: https://treeherder.mozilla.org/logviewer.html#?job_id=174810370&repo=mozilla-inbound&lineNumber=1577 09:36:27 INFO - TEST-PASS | devtools/client/performance/test/unit/test_jit-graph-data.js | took 12963ms 09:36:27 INFO - TEST-START | devtools/client/performance/test/unit/test_tree-model-06.js 09:36:31 INFO - TEST-PASS | devtools/client/performance/test/unit/test_tree-model-02.js | took 11871ms 09:36:31 INFO - TEST-START | devtools/client/performance/test/unit/test_tree-model-07.js 09:36:31 INFO - mozcrash Saved minidump as /Users/cltbld/tasks/task_1524241879/build/blobber_upload_dir/F9603462-C1C9-4C82-BB9E-546B04DCD948.dmp 09:36:31 INFO - mozcrash Saved app info as /Users/cltbld/tasks/task_1524241879/build/blobber_upload_dir/F9603462-C1C9-4C82-BB9E-546B04DCD948.extra 09:36:31 WARNING - PROCESS-CRASH | xpcshell-remote.ini:browser/components/extensions/test/xpcshell/test_ext_geckoProfiler_control.js | application crashed [@ ProcessExecutableMemory::release()] 09:36:31 INFO - Crash dump filename: /var/folders/x8/56fhxqzs7rx3spfwdg5l65t800000w/T/xpc-other-Wm7KED/F9603462-C1C9-4C82-BB9E-546B04DCD948.dmp 09:36:31 INFO - Operating system: Mac OS X 09:36:31 INFO - 10.10.5 14F27 09:36:31 INFO - CPU: amd64 09:36:31 INFO - family 6 model 69 stepping 1 09:36:31 INFO - 4 CPUs 09:36:31 INFO - GPU: UNKNOWN 09:36:31 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS 09:36:31 INFO - Crash address: 0x0 09:36:31 INFO - Process uptime: 25 seconds 09:36:31 INFO - Thread 0 (crashed) 09:36:31 INFO - 0 XUL!ProcessExecutableMemory::release() [ProcessExecutableMemory.cpp:033299f2733900eb0da9b5b4d814aea39ce552d4 : 492 + 0x0] 09:36:31 INFO - rax = 0x0000000000000000 rdx = 0x00007fff75f5c1f8 09:36:31 INFO - rcx = 0x0000000000000000 rbx = 0x0000000117fb6690 09:36:31 INFO - rsi = 0x0003c3000003c300 rdi = 0x0003c2000003c303 09:36:31 INFO - rbp = 0x00007fff50502dd0 rsp = 0x00007fff50502dc0 09:36:31 INFO - r8 = 0x00007fff50502d70 r9 = 0x00007fff75f86300 09:36:31 INFO - r10 = 0x0000000000000000 r11 = 0x0000000000000246 09:36:31 INFO - r12 = 0x000000011860a9d0 r13 = 0x00007fff50502e30 09:36:31 INFO - r14 = 0x0000000117fcd690 r15 = 0x00007fff50502e08 09:36:31 INFO - rip = 0x0000000114af2026 09:36:31 INFO - Found by: given as instruction pointer in context Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/30ed797c2454b1f5f259f1c26f85bd7a62380ef5 Push of the failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=033299f2733900eb0da9b5b4d814aea39ce552d4
This triggers a leak in browser/components/extensions/test/xpcshell/test_ext_geckoProfiler_control.js. I have this in a rr recording, and have been poking at it for a while. This looks like an existing problem, that I just triggered because I made sandboxes preserve their binding. What I think is happening: - mozilla::ProfilerChild::RecvStop ends up calling into locked_profiler_stop - locked_profiler_stop calls StopJSSampling on one RegisteredThread - locked_profiler_stop does not call PollJSSampling on that RegisteredThread, because |registeredThread->Info()->ThreadId() == tid| is false here: https://searchfox.org/mozilla-central/rev/795575287259a370d00518098472eaa5b362bfa7/tools/profiler/core/platform.cpp#2997 - nothing else calls PollJSSampling - we end up marking things from the js::jit::JitcodeGlobalTable. I think this is because we're relying on PollJSSampling calling GeckoProfilerRuntime::enable, which would clear things from the js::jit::JitcodeGlobalTable. Markus, you fixed a similar problem in bug 1355566 by making mozilla::ShutdownXPCOM call profiler_clear_js_context. However, that doesn't do anything here because |ActivePS::Exists(lock)| is false here: https://searchfox.org/mozilla-central/rev/795575287259a370d00518098472eaa5b362bfa7/tools/profiler/core/platform.cpp#3467 Do you happen to know who should be calling PollJSSampling or GeckoProfilerRuntime::enable in this case?
Flags: needinfo?(mstange)
(In reply to Peter Van der Beken [:peterv] from comment #9) > Do you happen to know who should be calling PollJSSampling or > GeckoProfilerRuntime::enable in this case? The hope was that there would be an upcoming call to profiler_js_interrupt_callback() (which calls into PollJSSampling() via PollJSSamplingForCurrentThread()). However, if no more JS runs, I guess that means that there will be no more JS interrupt callbacks. I think this can be fixed by calling TriggerPollJSSamplingOnMainThread() from locked_profiler_stop, similarly to how it's called from locked_profiler_start. Thanks for debugging this! I think this also explains bug 1442877 (see bug 1442877 comment 2 and bug 1442877 comment 3).
Flags: needinfo?(mstange)
Comment on attachment 8980652 [details] [diff] [review] Leak fix, make sure we call PollJSSampling at least once after stopping profiler Review of attachment 8980652 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!
Attachment #8980652 - Flags: review?(mstange) → review+
Comment on attachment 8980665 [details] [diff] [review] Leak fix, declare ServiceWorkerPrivate::mSandbox to the CC. Review of attachment 8980665 [details] [diff] [review]: ----------------------------------------------------------------- Ok, but note I have patches to completely remove this sandbox in bug 1462466.
Attachment #8980665 - Flags: review?(bkelly) → review+
Attachment #8980663 - Flags: review?(bugs) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/f5ed451a71cfe08912a64913ab88b46c269124d5 Bug 1146316 - Preserve the wrapper of sandboxes, so that we never try to call WrapObject on them. r=bz. https://hg.mozilla.org/integration/mozilla-inbound/rev/a833d415b782d3f76366bd5098c1a187730ed020 Bug 1146316 - Remove nsWrapperCache::SetIsNotDOMBinding and IsDOMBinding(). r=bz. https://hg.mozilla.org/integration/mozilla-inbound/rev/d27ecca6fe612114bd91003d7ceafc364ca62eac Bug 1146316 - Leak fix, make sure we call PollJSSampling at least once after stopping profiler. r=mstange. https://hg.mozilla.org/integration/mozilla-inbound/rev/5c390ce65c956c29c028f02cb122529233d13680 Bug 1146316 - Leak fix, set up CC in XPCShell too. r=smaug. https://hg.mozilla.org/integration/mozilla-inbound/rev/50808ac6967ff99d90173c55023242133f3c1bb7 Bug 1146316 - Leak fix, declare ServiceWorkerPrivate::mSandbox to the CC. r=bkelly.
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: