238322 - Crash near jsds_GCCallbackProc and XPCJSRuntime::GCCallback

Status: RESOLVED INCOMPLETE

(Core :: XPConnect, defect, P5)

Description

[timeless]

build is still pre 1.7a (really will move shortly), there's a patch to DOM for 
popup windows (tickled in current execution) and a pair of patches to jsd core 
(bugs filed w/ patches). JS_MARK_DEBUG is set...

What I had done:
loaded a mozilla window
hooked an event listener to catch PopupWindow
loaded http://viper.haque.net/~timeless/blog/classic.example.com/firstpage/
(a new mozilla window opens)
the event listener hooked itself in the new window
I set a breakpoint in venkman for a click creature of sorts
I caused the breakpoint to be hit from the new window.
I closed both navigator windows (* this is probably very bad)
I went back to venkman and asked it to continue the stopped script - note: the 
script's host is very much gone.
mozilla crashed :)

I'm not quite sure about the logic venkman uses to prevent windows from going 
away while they're being debugged (it does have some to prevent some forms of 
interaction), but for whatever reason it didn't seem to affect my interaction 
this time. anyway, i can leave this crash alive for a bit in case there's some 
fun stuff we could poke.

+	cx	0x03a306e8	JSContext *
	gLastGCProc	0x00eab316 XPCJSRuntime::GCCallback(JSContext *, 
JSGCStatus)	int (JSContext *, JSGCStatus)*
	status	JSGC_END	JSGCStatus

So this could be an xpconnect crash, or a jsd crash. The stack trace only shows 
that jsd tried to call xpconnect's gccallback. 

 	01c3e218()	
>	jsd3250.dll!jsds_GCCallbackProc(JSContext * cx=0x03a306e8, JSGCStatus 
status=JSGC_END)  Line 518 + 0x7	C++
 	js3250.dll!js_GC(JSContext * cx=0x7472c301, unsigned int 
gcflags=2032680)  Line 1420	C
 	js3250.dll!js_ForceGC(JSContext * cx=0x03a306e8, unsigned int 
gcflags=0)  Line 1000 + 0x19	C
 	js3250.dll!JS_GC(JSContext * cx=0x03a306e8)  Line 1684 + 0x8	C
 	jsdom.dll!nsJSContext::Notify(nsITimer * timer=0x0333a300)  Line 1768
	C++
 	xpcom.dll!nsTimerImpl::Fire()  Line 395	C++
 	xpcom.dll!nsTimerManager::FireNextIdleTimer()  Line 616	C++
 	gkwidget.dll!nsAppShell::Run()  Line 142	C++
 	appshell.dll!nsAppShellService::Run()  Line 484	C++
 	mozilla.exe!main1(int argc=1953678081, char * * argv=0x001f0428, 
nsISupports * nativeApp=0x00000001)  Line 1291 + 0x9	C++
 	mozilla.exe!main(int argc=1, char * * argv=0x002a27c8)  Line 1678 + 0x16
	C++
 	mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ * 
__formal=0x00400000, char * args=0x00152303, HINSTANCE__ * 
__formal=0x00400000)  Line 1702 + 0x17	C++
 	mozilla.exe!WinMainCRTStartup()  Line 392 + 0xf	C
 	kernel32.dll!GetCurrentDirectoryW()  + 0x44

Comment 1

[timeless]

trunk, purify

[E] NPR: NULL pointer read in XPCJSRuntime::GCCallback(JSContext *,JSGCStatus)
{1 occurrence}
        Reading 4 bytes from 0x00000009 (4 bytes at 0x00000009 illegal)
        Address 0x00000009 points into invalid memory 
        Thread ID: 0x34c
        Error location
            XPCJSRuntime::GCCallback(JSContext *,JSGCStatus)+0xea2
[r:\mozilla\js\src\xpconnect\src\xpcjsruntime.cpp:556 ip=0x03ba28a4]
                                    {
                                        nsISupports* obj;
                                        {
                                            XPCAutoLock al(lock); // lock if
necessary
                                            PRInt32 count = array->Count();
                                            if(!count)
                                            {
                                                array->Compact();
                                                break;
                                            }
                                            obj = NS_REINTERPRET_CAST(nsISupports*,
                                                    array->ElementAt(count-1));
                                            array->RemoveElementAt(count-1);
                                        }
             =>                         NS_RELEASE(obj);
                                    }
                #ifdef XPC_TRACK_DEFERRED_RELEASES
                                    printf("XPC - End deferred Releases\n");
                #endif
                                }
                                break;
                            }
                            default:
                                break;
                        }
                    }
                
                    // always chain to old GCCallback if non-null.
                    return gOldJSGCCallback ? gOldJSGCCallback(cx, status) :
JS_TRUE;
            XPCJSRuntime::GCCallback(JSContext *,JSGCStatus)+0xe98
[r:\mozilla\js\src\xpconnect\src\xpcjsruntime.cpp:556 ip=0x03ba289a]
            jsds_GCCallbackProc+0xa8 [r:\mozilla\js\jsd\jsd_xpc.cpp:523
ip=0x045652de]
            js_GC+0x18b3         [r:\mozilla\js\src\jsgc.c:1422 ip=0x03c61f37]
            js_ForceGC+0x89      [r:\mozilla\js\src\jsgc.c:1000 ip=0x03c623a9]
            JS_GC+0xad           [r:\mozilla\js\src\jsapi.c:1699 ip=0x03c13330]
            nsJSContext::Notify(nsITimer *)+0x23
[r:\mozilla\dom\src\base\nsjsenvironment.cpp:1955 ip=0x049bfd98]
            nsTimerImpl::Fire(void)+0x20d
[r:\mozilla\xpcom\threads\nstimerimpl.cpp:386 ip=0x023ce7e6]
            nsTimerManager::FireNextIdleTimer(void)+0x1ac
[r:\mozilla\xpcom\threads\nstimerimpl.cpp:615 ip=0x023cecc4]
            nsAppShell::Run(void)+0x2b3
[r:\mozilla\widget\src\windows\nsappshell.cpp:141 ip=0x0535dc18]
            nsAppShellService::Run(void)+0x2f
[r:\mozilla\xpfe\appshell\src\nsappshellservice.cpp:487 ip=0x05308235]
            main1+0xb6a          [r:\mozilla\xpfe\bootstrap\nsapprunner.cpp:1321
ip=0x004070f7]

Comment 2

[David Bradley]

Looks like one of the deferred objects died, are you able to do ref count
logging? As that's where the problem should live, unless the object was trashed
instead of released early.

Comment 3

[Reinout van Schouwen]

Related to bug 254161?