If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

M17beta topcrash [@ nsJSContext::DOMBranchCallback ]

VERIFIED FIXED

Status

()

Core
DOM: Core & HTML
VERIFIED FIXED
14 years ago
6 years ago

People

(Reporter: chris hofmann, Assigned: jst)

Tracking

({crash, topcrash})

Trunk
x86
Windows XP
crash, topcrash
Points:
---
Bug Flags:
blocking1.7 +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

14 years ago
Not much helpful in the comments but looks like something at startup.

this is the number 2 top crash in very early 1.7beta data

    Crash date range: 19-MAR-04 to 21-MAR-04
     Min/Max Seconds since last crash: 1 - 144623
     Min/Max Runtime: 1 - 144623
 
     Count   Platform List 
     9   [Windows NT 5.1 build 2600]   
     6   [Windows NT 5.0 build 2195]   
     2   [Windows 98 4.10 build 67766446]   
     1   [Windows 98 4.90 build 73010104]   
 
     Count   Build Id List 
     18   2004031615
 
     No of Unique Users        15
 
 Stack trace(Frame) 

	 nsJSContext::DOMBranchCallback
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp
 line 417] 
	 js_Interpret
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 1671] 
	 js_Invoke
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 959] 
	 js_InternalInvoke
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 1036] 
	 js_InternalGetOrSet
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 1079] 
	 js_GetProperty
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c  line
2673] 
	 JS_GetProperty
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c  line
2472] 
	 nsXPCWrappedJSClass::CallMethod
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp
 line 1316] 
	 nsXPCWrappedJS::CallMethod
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp
 line 450] 
	 PrepareAndDispatch
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
 line 119] 
	 SharedStub
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
 line 147] 
	 MessageWindow::WindowProc
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsNativeAppSupportWin.cpp
 line 975] 
	 USER32.dll + 0x3eb0 (0x77e03eb0)  
	 USER32.dll + 0x591b (0x77e0591b)  
	 USER32.dll + 0x595d (0x77e0595d)  
	 ntdll.dll + 0x1fb83 (0x77f9fb83)  
	 USER32.dll + 0x69a7 (0x77e069a7)  
	 USER32.dll + 0x3eb0 (0x77e03eb0)  
	 USER32.dll + 0x591b (0x77e0591b)  
	 USER32.dll + 0x595d (0x77e0595d)  
	 ntdll.dll + 0x1fb83 (0x77f9fb83)  
	 USER32.dll + 0x4b2e (0x77e04b2e)  
	 PeekKeyAndIMEMessage
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp
 line 91] 
	 nsAppShell::Run
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp
 line 138] 
	 nsAppShellService::Run
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp
 line 524] 
	 main1
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp
 line 1308] 
	 main
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp
 line 1712] 
	 WinMain
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp
 line 1734] 
	 WinMainCRTStartup()  
	 KERNEL32.DLL + 0x7903 (0x77e77903)   
 
     (2845)	Comments: after OS loaded netscape has broken
     (2389)	Comments: I have just restartde my pc !
     (2344)	Comments: actualy I can't make it work. So  I use WinXP and it used
to work fine  however  after I have reinstalled the system it stoped.  When I
click on the Netscape icon on my desktop nothing hapen. I have tried to
reinstall the browser many times  but the
     (2344)	Comments:  result is the same. I wonder if you could help me  I
realy like Netscape much more then Microsoft IE. Thank you for your help.  it-s
     (2152)	Comments: cvbxcbcxvb

Comment 1

14 years ago
This crash looks like it was exposed by removing the null check on ctx.  That
was done in bug 13350 because the consensus was that it's bogus to have a
context whose private data is not a valid context.
Argh.  The XPConnect "safe context" is not so safe, after all.  Why does it have
the DOMBranchCallback configured on it, but no nsJSContext as private data?  The
two should go together.

jst, I'm inferring that this is the safe context, because the stack shows JS
being called from C++ without any underlying JS-API-invoked JS active on the
main thread stack.  Can you diagnose and suggest a 1.7 fix?  Obviously we can
restore the nul check, but it would be better if we can fix the flagrant
inconsistency between the context's branch callback and its private data.

/be
Assignee: general → jst
Flags: blocking1.7+
(Assignee)

Comment 3

14 years ago
Created attachment 144622 [details] [diff] [review]
Clear the branch callback on nsJSContext destruction

Thanks to brendan for helping track this down. This is needed since XPConnect
sometimes defers destruction of JSContexts when its told to destroy a
JSContext, so it's possible for JS to run on a context whose nsJSContext has
been destroyed.
(Assignee)

Updated

14 years ago
Attachment #144622 - Flags: superreview?(brendan)
Attachment #144622 - Flags: review?(brendan)
(Reporter)

Updated

14 years ago
Blocks: 238446
Comment on attachment 144622 [details] [diff] [review]
Clear the branch callback on nsJSContext destruction

Comment citing this bug, or at least talking about how XPConnect defers
destruction till the stack unwinds.

I forget exactly how we can be closing a window and still running JS on the
context for it, but I can believe it (chrome JS, presumably; modal dialog?
http://bugzilla.mozilla.org/show_bug.cgi?id=94752#c17 and below may say, but at
a glance they seem to find a different context active below the one whose
nsJSContext is being destroyed...).

/be
Attachment #144622 - Flags: superreview?(brendan)
Attachment #144622 - Flags: superreview+
Attachment #144622 - Flags: review?(brendan)
Attachment #144622 - Flags: review+
(Assignee)

Comment 5

14 years ago
Comment on attachment 144622 [details] [diff] [review]
Clear the branch callback on nsJSContext destruction

Comment added locally, citing this bug.

Requesting approval to land this for 1.7.
Attachment #144622 - Flags: approval1.7?
(Reporter)

Comment 6

14 years ago
Comment on attachment 144622 [details] [diff] [review]
Clear the branch callback on nsJSContext destruction

a=chofmann for 1.7
Attachment #144622 - Flags: approval1.7? → approval1.7+
(Assignee)

Comment 7

14 years ago
Fix checked in.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED

Updated

14 years ago
Keywords: crash
Summary: topcrash [@ nsJSContext::DOMBranchCallback ] → M17b opcrash [@ nsJSContext::DOMBranchCallback ]

Updated

14 years ago
Summary: M17b opcrash [@ nsJSContext::DOMBranchCallback ] → M17b topcrash [@ nsJSContext::DOMBranchCallback ]
*** Bug 241050 has been marked as a duplicate of this bug. ***

Comment 9

14 years ago
Reopening since I'm seeing quite a few of these crashes with Mozilla 1.7 RC1. 
Here is a recent Talkback incident:

Incident ID: 28665
Stack Signature	nsJSContext::DOMBranchCallback e1b894d7
Email Address	
Product ID	Mozilla17
Build ID	2004042109
Trigger Time	2004-04-23 11:21:11.0
Platform	Win32
Operating System	Windows NT 5.0 build 2195
Module	gklayout.dll + (0014ca14)
URL visited	
User Comments	
Since Last Crash	sec
Total Uptime	sec
Trigger Reason	Access violation
Source File Name
d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp
Trigger Line No.	417
Stack Trace 	
nsJSContext::DOMBranchCallback
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 417]
js_Interpret
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1671]
js_Invoke
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 959]
js_InternalInvoke
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1036]
js_InternalGetOrSet
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1079]
js_GetProperty
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2679]
JS_GetProperty
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 2490]
nsXPCWrappedJSClass::CallMethod
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 1316]
nsXPCWrappedJS::CallMethod
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 450]
PrepareAndDispatch
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 119]
SharedStub
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 147]
MessageWindow::WindowProc
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsNativeAppSupportWin.cpp,
line 975]
USER32.dll + 0x1ef0 (0x77e01ef0)
USER32.dll + 0x3869 (0x77e03869)
USER32.dll + 0x38ab (0x77e038ab)
ntdll.dll + 0x1ff57 (0x7847ff57)
USER32.dll + 0x343f (0x77e0343f)
USER32.dll + 0x1ef0 (0x77e01ef0)
USER32.dll + 0x3d1e (0x77e03d1e)
USER32.dll + 0x6e9b (0x77e06e9b)
nsWindow::WindowProc
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1361]
USER32.dll + 0x1ef0 (0x77e01ef0)
USER32.dll + 0x3869 (0x77e03869)
USER32.dll + 0x38ab (0x77e038ab)
ntdll.dll + 0x1ff57 (0x7847ff57)
USER32.dll + 0x18ec (0x77e018ec)
PeekKeyAndIMEMessage
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp,
line 91]
nsAppShell::Run
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp,
line 138]
nsAppShellService::Run
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 524]
main1
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1313]
main
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1783]
WinMain
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1809]
WinMainCRTStartup()
KERNEL32.DLL + 0x11af6 (0x77e81af6)

Updating summary with M17rc1 for tracking.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: M17b topcrash [@ nsJSContext::DOMBranchCallback ] → M17rc1 topcrash [@ nsJSContext::DOMBranchCallback ]
bz filed a new bug, can we use that?  I think we fixed this one, and the
repeated signature is due to another bug.  jst, you concur?

/be

Comment 11

14 years ago
Ok, return M17beta to summary and marking fixed.  We can track the more recent
crashes in bug 241050.
Status: REOPENED → RESOLVED
Last Resolved: 14 years ago14 years ago
Resolution: --- → FIXED
Summary: M17rc1 topcrash [@ nsJSContext::DOMBranchCallback ] → M17beta topcrash [@ nsJSContext::DOMBranchCallback ]

Comment 12

14 years ago
Verified fixed based on latest Talkback data for MozillaTrunk and Mozilla 1.7 rc1.
Status: RESOLVED → VERIFIED

Updated

9 years ago
Component: DOM: Core → DOM: Core & HTML
QA Contact: ian → general
Crash Signature: [@ nsJSContext::DOMBranchCallback ]
You need to log in before you can comment on or make changes to this bug.