1150906 - Tree Style Tab and/or Session Manager crashes Nightly [@ js::gc::StoreBuffer::isOkayToUseBuffer() ]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Fanolian]

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150403030204

Steps to reproduce:

1. Install Tree Style Tab 0.15.2015030601 in a new profile in Nightly 20150403 build. Restart the browser. (https://addons.mozilla.org/en-us/firefox/addon/tree-style-tab/versions/)


Actual results:

Nightly crashes at startup.

Nightly did not crash on 2015-04-02 build.

Crash report: https://crash-stats.mozilla.com/report/index/3c9aff8a-0d75-446f-9813-fbffd2150403

Comment 1

[Fanolian]

Filed a bug report at https://github.com/piroor/treestyletab/issues/866

Comment 2

[Alice0775 White]

[Tracking Requested - why for this release]:

Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=93166201fca0&tochange=b3ef9fce0df5

Triggered by: Bug 1138499

Comment 3

[Alice0775 White]

bp-53085550-34c2-4b93-8237-5b2192150403 on ubuntu14.04

Comment 5

[IU]

It's not a problem with just Tree Style Tab.  I don't have that extension and I crashed repeatedly trying to start the browser after a prior crash.  I had to revert to yesterday's nightly.  I do have other extensions, but I don't know if any of them could be a contributor.

bp-4eddb779-7c6f-4fc4-9259-79a582150403

Comment 6

[[:Aleksej]]

Also happens with Session Manager 0.8.1.6 https://addons.mozilla.org/en-US/firefox/addon/session-manager/

Comment 9

[Tom S [:evilpie]]

If you run this in debug mode you get the following stack snippet:
#0  0x00007ffff2ec5629 in JS::PropertyDescriptorOperations<JS::Handle<JSPropertyDescriptor> >::assertValid (this=<optimized out>) at /home/tom/projects/mozilla-inbound/js/src/jsapi.h:2600
#1  0x00007ffff2eb9287 in js::NativeDefineProperty (cx=cx@entry=0x7fffd31f75d0, obj=(js::NativeObject * const) 0x7fffd2b46100 [object Sandbox] delegate, id=$jsid("TreeStyleTabUtils"), desc_=
    {obj = (JSObject *) 0x7fffd2b46100 [object Sandbox] delegate, attrs = 81, getter = 0x7fffcd280980, setter = 0x7ffff0e9de39 <writeToProto_setProperty(JSContext*, JS::HandleObject, JS::HandleId, JS::MutableHandleValue, JS::ObjectOpResult&)>, value = JSVAL_VOID}, result=...) at /home/tom/projects/mozilla-inbound/js/src/vm/NativeObject.cpp:1287
#2  0x00007ffff2eba0ef in js::NativeDefineProperty (cx=cx@entry=0x7fffd31f75d0, obj=..., obj@entry=(js::NativeObject * const) 0x7fffd2b46100 [object Sandbox] delegate, id=..., id@entry=$jsid("TreeStyleTabUtils"), value=..., 
    value@entry=JSVAL_VOID, getter=getter@entry=0x7fffcd280980, setter=<optimized out>, attrs=attrs@entry=81, result=...) at /home/tom/projects/mozilla-inbound/js/src/vm/NativeObject.cpp:1483
#3  0x00007ffff3277f90 in DefinePropertyOnObject (cx=cx@entry=0x7fffd31f75d0, obj=(js::NativeObject * const) 0x7fffd2b46100 [object Sandbox] delegate, id=..., id@entry=$jsid("TreeStyleTabUtils"), desc=
  {obj = (JSObject *) 0x7fffd2b46100 [object Sandbox] delegate, attrs = 81, getter = 0x7fffcd280980, setter = 0x0, value = JSVAL_VOID}, result=...) at /home/tom/projects/mozilla-inbound/js/src/jsobj.cpp:557

So what happens is that Tree Style Tabs uses something like Object.defineProperty(this, "TreeStyleTabUtils", {get: function() {} }).
`this` here is a sandbox with that writeToProto_setProperty JSSetterOp. Because of our weird behavior around those we take that JSSetterOp and use it as a setter instead of null. Not sure yet if this is somehow messing up the marking as well, but at least it causes this assert.

Comment 10

[Keshav Kini [:kini]]

Here's a crash report for Session Manager as well, since only crash reports for Tree Style Tab have been posted above:

bp-3c8f05ef-b51b-4862-8832-263872150405

Comment 11

[Ioana Chiorean]

I am getting this without having the add-on installed. Even with a clean profile I got it once.
bp-1c7c0809-0fc1-460a-971a-8338d2150406
bp-91306112-22c0-47d4-a76c-04bcd2150406
bp-d5ad875b-ceaf-41df-8cd3-b8a182150406
bp-4ced9106-3cf9-4784-abfe-3da6d2150406
bp-48ec7815-b93b-46e8-a4a7-06db92150406
bp-4253a96b-bddc-412f-bada-bc9422150406

bp-dcb3d170-a076-4be0-b06c-058152150406

Comment 12

[Keshav Kini [:kini]]

All of the crash reports you just linked show that the Session Manager extension was enabled (extension ID 1280606b-2510-4fe0-97ef-9b5a22eafe30).

Comment 13

[Ioana Chiorean]

Indeed - Sorry - I was referring at Tree Style Tab Add-on ( I only saw after that session manager was another cause  - was early in the morning before coffee.. Sorry again :S)

Comment 14

[Keshav Kini [:kini]]

Oh, no problem.  The bug was originally reported against TST and the title was only changed to include Session Manager in comment #6, after all, so I don't blame you.  Just thought I'd point it out though.

Comment 15

[Tracy Walker [:tracy]]

The signatures listed: one for each Win, Mac and Linux account for the top 3 crashers on Nightly.  All three are startup crashers associated with add-ons.

Highest Add-on correlations:

On Windows:
50% Tree Style Tab
50% Session Manager
44% Adblock Plus

On Mac:
52% Session Manager
47% Tree Style Tab
48% NoScript
30% Greasemonkey
24% Web Developer
24% BetterPrivacy

On Linux:
78% Tree Style Tab
55% Session Manager
38% Greasemonkey

Comment 16

[Michael Kraft [:morac]]

I checked the Session Manager code and every object (two objects) that has a getter function also has a setter function as such I'm not sure what change in bug 1138499 is causing the problem.

Session Manager only triggers this crash if it is set to display a prompt window on startup.  I've noticed that a "sessionStartup.onceInitialized.then" call fires immediately on startup under Firefox 40.  Under Firefox 39, it waits until Session Manager's prompt is dismissed.  I'm not sure why that is or if it has anything to do with this crash.

I'm also seeing this is a Session Manager log trace when Session Manager tries to open a browser window shortly before the crash.  Again it could be a red herring.

EXCEPTION - {Window is not tracked} 
ssi_getClosedTabCount@resource:///modules/sessionstore/SessionStore.jsm:1669:1
ss_getClosedTabCount@resource:///modules/sessionstore/SessionStore.jsm:222:12
exports.loadBrowserWindow/SessionManagerWindow.updateUndoButton@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///C:/Users/u6016752/AppData/Roaming/Mozilla/Firefox/Profiles/n98m9xq6.test/extensions/%7B1280606b-2510-4fe0-97ef-9b5a22eafe30%7D.xpi!/bootstrap.js -> jar:file:///C:/Users/u6016752/AppData/Roaming/Mozilla/Firefox/Profiles/n98m9xq6.test/extensions/%7B1280606b-2510-4fe0-97ef-9b5a22eafe30%7D.xpi!/packages/browserWindowOverlay.js:1325:18
exports.loadBrowserWindow/SessionManagerWindow.onTabOpenClose@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///C:/Users/u6016752/AppData/Roaming/Mozilla/Firefox/Profiles/n98m9xq6.test/extensions/%7B1280606b-2510-4fe0-97ef-9b5a22eafe30%7D.xpi!/bootstrap.js -> jar:file:///C:/Users/u6016752/AppData/Roaming/Mozilla/Firefox/Profiles/n98m9xq6.test/extensions/%7B1280606b-2510-4fe0-97ef-9b5a22eafe30%7D.xpi!/packages/browserWindowOverlay.js:967:5
addTab@chrome://browser/content/tabbrowser.xml:1845:13
loadTabs@chrome://browser/content/tabbrowser.xml:1469:23
loadOneOrMoreURIs@chrome://browser/content/browser.js:12627:5
gBrowserInit._delayedStartup@chrome://browser/content/browser.js:12004:9

Comment 17

[Michael Kraft [:morac]]

It's actually not only prompting on start up.  It's any time the Session Manager session window is opened.  I'm still tracking down what specific code is triggering the crash.

Comment 18

[Michael Kraft [:morac]]

I think I found potentially what the problem is. My Session window loads three separate JavaScript files.  Each of these files uses the XPCOMUtils.defineLazyModuleGetter function to delay load a jsm module.  The problem appears to occur is the same jsm module is loaded in each of the three different files.

This got me to thinking so I tried to do the same exact XPCOMUtils.defineLazyModuleGetter function twice in a row.  That immediately causes a crash.

So for example if the following is in my a Javascript file loaded by my addon, Firefox crashes:

XPCOMUtils.defineLazyModuleGetter(this, "log", "chrome://sessionmanager/content/modules/logger.jsm");
XPCOMUtils.defineLazyModuleGetter(this, "log", "chrome://sessionmanager/content/modules/logger.jsm");

If I remove one of the lines or I change the second parameter to a different name, it won't crash.  Since XPCOMUtils.defineLazyModuleGetter simply calls XPCOMUtils.defineLazyGetter I tried the following, which also crashed:

Components.utils.import("resource://gre/modules/XPCOMUtils.jsm");

XPCOMUtils.defineLazyGetter(this, "test", function() { return ""; }); 
XPCOMUtils.defineLazyGetter(this, "test", function() { return ""; }); 


This only happened in dialog "pop-up" windows.  If I add the above code to scripts that load in browser windows it works fine.

The problem is when I tried to make a simplified test case, it didn't crash so there must be something else involved.

Comment 19

[Michael Kraft [:morac]]

I've uploaded a developers channel version of Session Manager which no longer crashes by removing "duplicate" defineLazyModuleGetter calls.

Comment 20

[Jason Orendorff [:jorendorff]]

This crash is caused by a change in rev 034027f41aaf. Fix coming.

Comment 21

[Jason Orendorff [:jorendorff]]

Attachment: Fix "Assertion failure: !has(SHADOWABLE)" and subsequent GC crashes introduced in rev 034027f41aaf

Comment 22

[Jason Orendorff [:jorendorff]]

Attachment: Fix "Assertion failure: !has(SHADOWABLE)" and subsequent GC crashes introduced in rev 034027f41aaf

Comment 23

[Jason Orendorff [:jorendorff]]

Attachment: Fix "Assertion failure: !has(SHADOWABLE)" and subsequent GC crashes introduced in rev 034027f41aaf

Comment 24

[Jason Orendorff [:jorendorff]]

With a little luck, the code being modified in this patch, and 150+ lines in both directions, will all be gone in a week. The axe falls in bug 1125624. I probably just jinxed it. Oh well.

Comment 25

[Jason Orendorff [:jorendorff]]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=a973c68e1484

Comment 26

[Jason Orendorff [:jorendorff]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/95357a580708

Comment 27

[CruNcher]

Tried your try Build looks good neither Session Manager nor Tree Style Tab nor Noscript Crash anymore :)

Comment 28

[Jason Orendorff [:jorendorff]]

As of now, the try server run is all green (a minor miracle), but with Windows results >1hr "overdue". I pushed it to inbound in order to get the fix into Nightly. I can't stop jinxing things somebody get help.

Comment 29

[Paul herring]

TST still crashing for me on Nightly (did a pull -vu and rebuild about an hour ago,) Linux.

bp-28d37a2d-e86c-4d58-80f5-a52762150408

Disabling Tree Style Tabs stops the crashing.

(Other reports generated from around the same time:
bp-099050cc-2cbc-4158-ae66-171ab2150408
bp-889ae207-6d2f-49cc-bc91-b56672150408
bp-445513a9-ff7a-4cef-8783-75c9d2150408)

Comment 30

[Tom S [:evilpie]]

The fix is not in Nightly yet, is your build based on https://hg.mozilla.org/integration/mozilla-inbound/?

Comment 32

[Paul herring]

(In reply to Tom Schuster [:evilpie] from comment #30)
> The fix is not in Nightly yet, is your build based on
> https://hg.mozilla.org/integration/mozilla-inbound/?

Ah - my apologies; no; I'm on https://hg.mozilla.org/mozilla-central/

Comment 33

[Lily Kim]

How high are the chances for this hitting today's nightly?

Comment 34

[Jan de Mooij [:jandem]]

(In reply to Daniel from comment #33)
> How high are the chances for this hitting today's nightly?

It won't make today's Nightly, builds are already in progress. Maybe there will be a respin but that's up to the sheriffs.

Comment 35

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/95357a580708

Comment 36

[Lily Kim]

Can confirm the latest nightly fixes the issue! 
Thanks for the fix!

Comment 37

[Tracy Walker [:tracy]]

Verified from crash stats as well. No crashes with builds since the fix landed.