Closed Bug 241050 Opened 21 years ago Closed 21 years ago

M17rc1 and Trunk topcrash [@ nsJSContext::DOMBranchCallback]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.7final

People

(Reporter: bzbarsky, Assigned: brendan)

Details

(4 keywords)

Crash Data

Attachments

(1 file)

proposed fix
3.34 KB, patch
shaver
: review+
brendan
: approval1.7+
Details | Diff | Splinter Review
See http://talkback-public.mozilla.org/reports/Trunk/smart-analysis.all and http://talkback-public.mozilla.org/reports/M17b/smart-analysis.all Stack: nsJSContext::DOMBranchCallback [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp line 413] js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2033] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1302] ...etc The line number for branch is 417; for trunk, 413. lxr has: 409 nsJSContext *ctx = NS_STATIC_CAST(nsJSContext *, ::JS_GetContextPrivate(cx)); 410 411 // Filter out most of the calls to this callback 412 if (++ctx->mBranchCallbackCount & MAYBE_GC_BRANCH_COUNT_MASK) 413 return JS_TRUE; 414 415 // Run the GC if we get this far. 416 JS_MaybeGC(cx); 417 418 // Filter out even more of the calls to this callback Could "ctx" be coming out null or bogus? This is the #2 topcrash in 1.7b.
Boris: you should read first bug 238446 and look for the dependencies :-)
you will find there bug 238218
What bernd said. /be *** This bug has been marked as a duplicate of 238218 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Note the "and trunk" part of the summary and the first URL I cite in comment 0. If talkback is lying, fine; otherwise this crash is still happening (in fact happened with builds from 2004-04-13-10 and 2004-04-10-09, which is way after bug 238218 got checked in and marked fixed). Today may be my day for filing dups, but we may still have a real bug here...
Sorry, didn't read the trunk part. nsJSContext::DOMBranchCallback [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp line 413] js_Interpret [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2033] js_Invoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1302] js_InternalInvoke [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1379] js_InternalGetOrSet [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1422] js_GetProperty [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c line 2720] JS_GetProperty [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c line 2473] nsXPCWrappedJSClass::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp line 1316] nsXPCWrappedJS::CallMethod [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp line 450] PrepareAndDispatch [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp line 119] SharedStub [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp line 147] MessageWindow::WindowProc [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsNativeAppSupportWin.cpp line 975] USER32.dll + 0x3a50 (0x77d43a50) USER32.dll + 0x3b1f (0x77d43b1f) USER32.dll + 0x44f5 (0x77d444f5) USER32.dll + 0x4525 (0x77d44525) ntdll.dll + 0x25da3 (0x77f75da3) USER32.dll + 0x58ce (0x77d458ce) nsWindow::DefaultWindowProc [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 1375] USER32.dll + 0x3a50 (0x77d43a50) USER32.dll + 0x3b1f (0x77d43b1f) USER32.dll + 0x5b2c (0x77d45b2c) USER32.dll + 0x5b4b (0x77d45b4b) nsWindow::WindowProc [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 1361] USER32.dll + 0x3a50 (0x77d43a50) USER32.dll + 0x3b1f (0x77d43b1f) USER32.dll + 0x44f5 (0x77d444f5) USER32.dll + 0x4525 (0x77d44525) ntdll.dll + 0x25da3 (0x77f75da3) USER32.dll + 0x3fd4 (0x77d43fd4) PeekKeyAndIMEMessage [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp line 91] nsAppShell::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp line 138] nsAppShellService::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 524] main1 [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1313] main [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1783] WinMain [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1809] WinMainCRTStartup() kernel32.dll + 0x214c7 (0x77e814c7) Looks like we're running on the safe context. Why would its JSContext have null private data? /be
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Keywords: crash
Bug 238218 is fixed, but I have been seeing similar crashes in the latest Talkback data for the Trunk and Mozilla 1.7rc1. So we should probably have a look at these more recent crashes. Here is a recent crash in the Mozilla 1.7 branch (from 1.7rc1): Incident ID: 28665 Stack Signature nsJSContext::DOMBranchCallback e1b894d7 Email Address Product ID Mozilla17 Build ID 2004042109 Trigger Time 2004-04-23 11:21:11.0 Platform Win32 Operating System Windows NT 5.0 build 2195 Module gklayout.dll + (0014ca14) URL visited User Comments Since Last Crash sec Total Uptime sec Trigger Reason Access violation Source File Name d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp Trigger Line No. 417 Stack Trace nsJSContext::DOMBranchCallback [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 417] js_Interpret [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1671] js_Invoke [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 959] js_InternalInvoke [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1036] js_InternalGetOrSet [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c, line 1079] js_GetProperty [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2679] JS_GetProperty [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 2490] nsXPCWrappedJSClass::CallMethod [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1316] nsXPCWrappedJS::CallMethod [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 450] PrepareAndDispatch [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 119] SharedStub [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147] MessageWindow::WindowProc [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsNativeAppSupportWin.cpp, line 975] USER32.dll + 0x1ef0 (0x77e01ef0) USER32.dll + 0x3869 (0x77e03869) USER32.dll + 0x38ab (0x77e038ab) ntdll.dll + 0x1ff57 (0x7847ff57) USER32.dll + 0x343f (0x77e0343f) USER32.dll + 0x1ef0 (0x77e01ef0) USER32.dll + 0x3d1e (0x77e03d1e) USER32.dll + 0x6e9b (0x77e06e9b) nsWindow::WindowProc [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1361] USER32.dll + 0x1ef0 (0x77e01ef0) USER32.dll + 0x3869 (0x77e03869) USER32.dll + 0x38ab (0x77e038ab) ntdll.dll + 0x1ff57 (0x7847ff57) USER32.dll + 0x18ec (0x77e018ec) PeekKeyAndIMEMessage [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 91] nsAppShell::Run [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp, line 138] nsAppShellService::Run [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 524] main1 [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1313] main [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1783] WinMain [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1809] WinMainCRTStartup() KERNEL32.DLL + 0x11af6 (0x77e81af6)
Keywords: topcrash
Summary: 1.7b and trunk topcrash [@ nsJSContext::DOMBranchCallback] → 1.7rc1 and Trunk topcrash [@ nsJSContext::DOMBranchCallback]
Summary: 1.7rc1 and Trunk topcrash [@ nsJSContext::DOMBranchCallback] → M17rc1 and Trunk topcrash [@ nsJSContext::DOMBranchCallback]
OS: Linux → All
So the callstack in comment 6 goes through the JS component that implements -killAll: http://lxr.mozilla.org/mozilla/source/xpfe/components/killAll/nsKillAll.js. This component has a chromeUrlForTask getter that implements the command-line option by looping over DOM windows using the window mediator service, closing each in turn. That must be closing the hidden window whose JSContext we're running on, because it is the "safe" JSContext that XPConnect uses when in doubt, when C++ is calling into JS: http://lxr.mozilla.org/mozilla/source/js/src/xpconnect/src/xpcwrappedjsclass.cpp#976, see also http://lxr.mozilla.org/mozilla/source/js/src/xpconnect/src/xpccallcontext.cpp#92 and the comment above it. This says that GlobalWindowImpl::Close (domWindow.close() from nsKillAll.js calls this) is not setting a termination function and returning early at http://lxr.mozilla.org/mozilla/source/dom/src/base/nsGlobalWindow.cpp#3641. Good thing, because XPConnect won't call the termination function (http://lxr.mozilla.org/mozilla/source/js/src/xpconnect/src/xpcwrappedjsclass.cpp#106, http://lxr.mozilla.org/mozilla/source/dom/src/base/nsJSEnvironment.cpp#1710, note the PR_FALSE aTerminated parameter). But how can that be? Is the hidden window's JSContext not hooked up to its nsJSContext? jst, any ideas? Certainly, if this is peculiar to nsKillAll.js, as it seems to be from the talkback, then there's probably a specific fix. Didn't we find last time that nsJSContext's dtor needed to JS_SetBranchCallback(cx, nsnull) exactly to handle a case we didn't quite grok, where XPConnect is using the JSContext and the stack must unwind from the point where that cx's private data (its nsJSContext) is being dtor'd? That once again raises the possibility in DOMBranchCallback that the cx may have null private data. Before we throw in the towel and restore the null check that we removed from DOMBranchCallback, I'd like to know why the termination function is not used. That, provided XPConnect were fixed to actually call it (indirectly via ScriptExecuted => ScriptEvaluated(PR_TRUE)), would fix the bug without adding a null check to DOMBranchCallback. /be
> Good thing, because XPConnect won't call the termination function > (http://lxr.mozilla.org/mozilla/source/js/src/xpconnect/src/xpcwrappedjsclass.cpp#106, > http://lxr.mozilla.org/mozilla/source/dom/src/base/nsJSEnvironment.cpp#1710, > note the PR_FALSE aTerminated parameter). Second link should be http://lxr.mozilla.org/mozilla/source/dom/src/base/nsJSEnvironment.cpp#1819 -- lxr is pretty busted. See http://lxr.mozilla.org/mozilla/source/js/src/xpconnect/src/nsXPConnect.cpp#1071. Oh, and I recall now that XPConnect does its own kind of termination function, based on XPCCallContext::mDestroyJSContextInDestructor. We have redundant mechanism in the DOM and XPConnect for modularity's sake, but it still seems to me we could simplify this twisted maze a bit. So what is really going on in this bug? If the DOM called JS_SetBranchCallback(cx, nsnull), and the JS engine reloaded cx->branchCallback, then there'd be no problem. Since the DOM calls JS_SetBranchCallback(cx, nsnull) right after JS_SetContextPrivate(cx, nsnull), it must be the case that js_Interpret has not reloaded cx->branchCallback, and is using its onbranch local to call the old callback. This suggests a fix: change js_Interpret to reload onbranch after any native call-out (getter/setter or native function). I'll attach a patch in a minute. /be
Assignee: general → brendan
Status: REOPENED → NEW
Component: DOM → JavaScript Engine
Keywords: js1.5
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.7final
Attached patch proposed fixSplinter Review
Correction: reload onbranch from cx->branchCallback only after native (possibly native, actually) function calls. Restoring after getters, setters, and other low-level hooks is hard, and not worth it. The API users must clear the branch callback, if it matters (as it does for the DOM, due to this deferred destroy of the context on which one is running), only from a native function such as domWindow.close(). /be
Attachment #147360 - Flags: review?(shaver)
Please help test this patch by running -killAll or whatever it is, with and without QuickStart if you're on Windows. /be
Status: NEW → ASSIGNED
Flags: blocking1.7+
Comment on attachment 147360 [details] [diff] [review] proposed fix r=shaver. Go for 1.7!
Attachment #147360 - Flags: review?(shaver) → review+
Comment on attachment 147360 [details] [diff] [review] proposed fix Safe fix for topcrash bug, easy a=. /be
Attachment #147360 - Flags: approval1.7?
Comment on attachment 147360 [details] [diff] [review] proposed fix a=chofmann for 1.7
Comment on attachment 147360 [details] [diff] [review] proposed fix Marking chofmann's approval1.7+. This patch already landed on the trunk, and I have just landed it on the 1.7 branch. Thanks, great to have talkback stack analysis with line numbers! /be
Attachment #147360 - Flags: approval1.7? → approval1.7+
Marking fixed based on comment 14
Status: ASSIGNED → RESOLVED
Closed: 21 years ago21 years ago
Resolution: --- → FIXED
Keywords: fixed1.7
Flags: testcase-
Crash Signature: [@ nsJSContext::DOMBranchCallback]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: