Closed Bug 264577 Opened 21 years ago Closed 16 years ago

XPConnect GC holes and hazards

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Future

People

(Reporter: brendan, Unassigned)

References

Details

(Keywords: crash, Whiteboard: not holding RC1 for this -- [have patch] need review shaver; xpcwrappednative.cpp changes landed)

Attachments

(4 files)

proposed fixes, plus some debugging grot not for check-in
9.80 KB, patch
dbradley
: review+
shaver
: superreview+
Details | Diff | Splinter Review
DOM fix, independent of XPConnect patch
1.52 KB, patch
jst
: review+
jst
: superreview+
brendan
: approval-aviary+
brendan
: approval1.7.5+
Details | Diff | Splinter Review
Add WAY_TOO_MUCH_GC ifdef to jsgc.c
1.48 KB, patch
Details | Diff | Splinter Review
cleaned up patch
3.00 KB, patch
Details | Diff | Splinter Review
Timeless is finding these in his day job, one unlikely last-ditch GC at a time. To help him, I advised turning on TOO_MUCH_GC in jsobj.c and jsgc.c -- that works all too well, and crashes Firefox (trunk) on startup (jst had a branch Firefox go off into some weeds, maybe looping or thread-death, not sure). Patches coming up, and I'd like to work fast and fix several problems in this bug, so fasten your seatbelts! These may explain some longstanding topcrash and talkback-reported crash bugs. /be
I'll post a cleaned-up version when ready for reviews. For now, you *want* this patch if you define TOO_MUCH_GC in jsgc.h. DOM patch next. /be
<brendan> TOO_MUCH_GC is not TOTALLY_TOO_MUCH_GC, which sets rt->gcPoke before calling js_GC from js_AllocGCThing <brendan> all the time <brendan> *that*, i just tried, and xpconnect frustrates it <shaver> does that make it worse? <shaver> ah <brendan> jband has his own data structure mark/sweep GC <shaver> yes <brendan> and he sweeps only the XPCNativeInterfaces that he puts in the XPCJSRuntime's mIID2NativeInterfaceMap <brendan> but with my fixes to close real GC holes, he marks other interfaces <brendan> and then assertions botch and the member count has a high (15th from 0) mark bit set in its member count, and stuff <brendan> but, with just TOO_MUCH_GC, i can now bring up firefox <brendan> this nests a last ditch if the gc has been poked <brendan> on every alloc after a poke <brendan> found jst being naughty too, with the recently added global scope polluter (window.id hack) object <brendan> it was flapping in the breeze <brendan> in SetNewDocument <shaver> nice finds <shaver> wow <brendan> patches coming <shaver> that'll help us a lot <shaver> I stand by to r!
Attachment #162259 - Flags: superreview?(jst)
Attachment #162259 - Flags: review?(jst)
Attachment #162258 - Flags: superreview?(shaver)
Attachment #162258 - Flags: review?(dbradley)
Calling for early reviews, don't worry about the debugging hacks and printf in xpcwrappednative.cpp. Questions: - Is there a way we can tell that the wrapper will be marked by its scope, if it's in a scope's map, and avoid the JS_MarkGCThing on mFlatJSObject (xpcprivate.h)? Not a big deal, but maybe worth avoiding that JS API call. - Any better way to protect the new parent returned by PreCreate in XPCWrappedNative::GetNewOrUsed? - Suggestions on how to turn on TOTALLY_TOO_MUCH_GC (which would poke the GC before every js_GC call from js_AllocGCThing)? As noted in comment 2, the IRC log part, this leads to XPConnect marking some XPCNativeInterfaces reachable from wrapped natives (I think), but not yet in the runtime's mIID2NativeInterfaceMap -- so not swept. That leaves the mark bit set, which botches assertions and makes the XPCNativeInterface's member count look huge. /be
WAY_, not TOTALLY_. Note that if you define WAY_TOO_MUCH_GC that defines TOO_MUCH_GC, so this pain is convenient pain. /be
Many thanks to jst for bug-buddying and using a better debugger (gdb is *even worse* in FC2! WTF?!) /be
Comment on attachment 162259 [details] [diff] [review] DOM fix, independent of XPConnect patch r+sr=jst
Attachment #162259 - Flags: superreview?(jst)
Attachment #162259 - Flags: superreview+
Attachment #162259 - Flags: review?(jst)
Attachment #162259 - Flags: review+
Comment on attachment 162258 [details] [diff] [review] proposed fixes, plus some debugging grot not for check-in +--xpc_nogcflag; return rv; this is asking for a macro or autoobject :)
Timeless: it's just a local hack, not worth the trouble because it may give false alarms (nested GCs may collect true temporary garbage, although I'm not sure yet that such garbage is not a bug). /be
Comment on attachment 162259 [details] [diff] [review] DOM fix, independent of XPConnect patch a=me for branches, this is a clean fix. /be
Attachment #162259 - Flags: approval1.7.x+
Attachment #162259 - Flags: approval-aviary+
Flags: blocking1.7.x+
Flags: blocking-aviary1.0+
Comment on attachment 162259 [details] [diff] [review] DOM fix, independent of XPConnect patch This patch has been checked into trunk and branches. /be
Severity: normal → critical
Whiteboard: [have patch] ready to land
There's more to patch here, and the attached patch (no comments from dbradley or shaver yet) is *not* ready to land. /be
Whiteboard: [have patch] ready to land
Whiteboard: [have patch] need review shaver dbradley
This looks like it may have hurt Tp on btek a bit.
We looked harder and saw NSPR's linux.h changing, which caused a big recompile, which may have reordered the build enough to hurt Tp. We're not sure, but I am not feeling guilty enough to back out. Someone might convince me, or perhaps we could back out locally on Btek? /be
Comment on attachment 162258 [details] [diff] [review] proposed fixes, plus some debugging grot not for check-in r=dbradley I went back to some of the objects graphs I did for GC and realized that the flattened JSObject was no where to be found. So this does seem like a good idea as does protecting that parent object.
Attachment #162258 - Flags: review?(dbradley) → review+
Attached patch cleaned up patchSplinter Review
I'm worried that jband requires mFlatObject to be ephemeral if there are no strong XPCOM refs on the wrapper, and that we'll have leaks with the xpcprivate.h patch included here. The xpcwrappednative.cpp patch is good, we need it to avoid death if a last-ditch GC should nest while a parent revised by PreCreate is flapping in the breeze. I'm going to check just xpcwrappednative.cpp into branches and trunk now, for Firefox 1.0 RC1. I need more testing, thinking, and advice on the xpcprivate.h patch. /be
Depends on: 265545
This bug seems to have an aviary branch checkin associated with it. If this has landed on the aviary branch (as much as it's going to for 1.0) can you please add the "fixed-aviary1.0" keyword? Thanks.
Whiteboard: [have patch] need review shaver dbradley → [have patch] need review shaver; xpcwrappednative.cpp changes landed
Whiteboard: [have patch] need review shaver; xpcwrappednative.cpp changes landed → not holding RC1 for this -- [have patch] need review shaver; xpcwrappednative.cpp changes landed
Not sure what to do, crave some advice from jband. /be
Flags: blocking1.7.x?
Flags: blocking1.7.x+
Flags: blocking-aviary1.0?
Flags: blocking-aviary1.0+
Hey Brendan, I just started seeing some talkback reports using builds from 10/23 and later involving JS garbage collection. could they be related to this change? See: http://hal.mozilla.org/reports/incidenttemplate.cfm?bbid=1576913 or it could just be coincidence...
Nothing more to do here without better ideas from dbradley and jband. /be
Assignee: brendan → dbradley
Flags: blocking1.7.x?
Flags: blocking1.7.x-
Flags: blocking-aviary1.0?
Flags: blocking-aviary1.0-
Target Milestone: --- → Future
Hey Brendan, did you see my comments in comment #18 before you minused and moved this off the 1.0 radar?
Attachment #162258 - Flags: superreview?(shaver) → superreview+
Assignee: dbradley → nobody
QA Contact: pschwartau → xpconnect
brendan, is this bug still in need of more work or has 3 years of development taken care of things?
This bug is done. Comment 19 should have invited new bugs for new ideas. /be
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: