Closed Bug 273953 Opened 20 years ago Closed 19 years ago

Crash during GC after leaving page in URL

Categories

(Core :: XPConnect, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: mrbkap, Assigned: dbradley)

Details

(Keywords: crash)

Attachments

(1 obsolete file)

It looks like |this| has already been deleted (all its members are 0xfeeefee).
Here's the stack:

> xpc3250.dll!XPCDispInterface::SetJSObject(JSObject * jsobj=0x00000000)  Line 309 + 0x6  C++
  xpc3250.dll!XPCWrappedNativeTearOff::SetJSObject(JSObject * JSObj=0x00000000)  Line 593  C++
  xpc3250.dll!XPCWrappedNativeTearOff::JSObjectFinalized()  Line 1687 + 0x11  C++
  xpc3250.dll!XPC_WN_TearOff_Finalize(JSContext * cx=0x037c87c0, JSObject * obj=0x03829c40)  Line 1583  C++
  js3250.dll!js_FinalizeObject(JSContext * cx=0x037c87c0, JSObject * obj=0x03829c40)  Line 1983 + 0x60  C
  js3250.dll!js_GC(JSContext * cx=0x037c87c0, unsigned int gcflags=0)  Line 1684 + 0xb  C
  js3250.dll!js_ForceGC(JSContext * cx=0x037c87c0, unsigned int gcflags=0)  Line 1363 + 0xd  C
  js3250.dll!JS_GC(JSContext * cx=0x037c87c0)  Line 1747 + 0xb  C
  gklayout.dll!nsJSContext::Notify(nsITimer * timer=0x03abc260)  Line 1955 + 0xd  C++
  xpcom_core.dll!nsTimerImpl::Fire()  Line 387  C++
  xpcom_core.dll!nsTimerManager::FireNextIdleTimer()  Line 617  C++
  gkwidget.dll!nsAppShell::Run()  Line 142  C++
  appcomps.dll!nsAppStartup::Run()  Line 216  C++
  mozilla.exe!main1(int argc=1, char * * argv=0x002a55e0, nsISupports * nativeApp=0x00ee3e08)  Line 1320 + 0x20  C++
  mozilla.exe!main(int argc=1, char * * argv=0x002a55e0)  Line 1798 + 0x25  C++
  mozilla.exe!mainCRTStartup()  Line 398 + 0x11  C
  kernel32.dll!7c816d4f()
  kernel32.dll!7c8399f3()

I've been able to reproduce. Unfortunately due to forgetting to turn off
optimizations my crash stack is pretty much useless. Will report back after
rebuilding.
Status: NEW → ASSIGNED
The IDispatch logic was calling FindTearoff which actually created the tearoff
if it didn't exist. My intent with the IDispatch logic was just to find one if
it existed and try and resolve the property, not create one if it didn't exist.


This patch fixes that issue. However I think there's an additional underlying
issue here as well. I'd like to go ahead and get this patch in, and then I'll
track down why we're double freeing/finalizing the tearoff. I suspect in a real
IDispatch situation this may still be an issue.
Attachment #171350 - Flags: superreview?(brendan)
Attachment #171350 - Flags: review?(jst)
Depends on: 243338
No longer depends on: 243338
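
The distinction drawn in the comment above, between a lookup that creates a tear-off on a miss and one that only finds an existing one, shown as an added example. This is not the attached patch or XPConnect code; Wrapper, TearOff, FindOrCreateTearOff, LocateTearOff and the two Resolve helpers are hypothetical names.

```cpp
// Added illustration: every name here is hypothetical, not XPConnect's API.
#include <cstddef>
#include <map>
#include <memory>
#include <string>

struct TearOff {
    std::string iface;  // interface this tear-off exposes
};

class Wrapper {
public:
    // Find-or-create: a miss allocates a tear-off as a side effect, so a
    // caller that only meant to look now leaves an extra object behind.
    TearOff* FindOrCreateTearOff(const std::string& iface) {
        std::unique_ptr<TearOff>& slot = tearoffs_[iface];
        if (!slot) {
            slot.reset(new TearOff());
            slot->iface = iface;
        }
        return slot.get();
    }

    // Pure lookup: a miss returns nullptr and the table is left untouched.
    TearOff* LocateTearOff(const std::string& iface) const {
        auto it = tearoffs_.find(iface);
        return it == tearoffs_.end() ? nullptr : it->second.get();
    }

    std::size_t TearOffCount() const { return tearoffs_.size(); }

private:
    std::map<std::string, std::unique_ptr<TearOff>> tearoffs_;
};

// "Before" shape: property resolution routed through find-or-create.
bool ResolveViaFindOrCreate(Wrapper& w, const std::string& iface) {
    return w.FindOrCreateTearOff(iface) != nullptr;
}

// "After" shape: resolution consults a tear-off only if one already exists.
bool ResolveViaExisting(const Wrapper& w, const std::string& iface) {
    return w.LocateTearOff(iface) != nullptr;
}

int main() {
    Wrapper w;
    ResolveViaExisting(w, "IDispatch");          // miss, nothing allocated
    return w.TearOffCount() == 0 ? 0 : 1;
}
```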
Comment on attachment 171350
Eliminates creating unneeded IDispatch tearoffs

r=jst
Attachment #171350 - Flags: review?(jst) → review+
Comment on attachment 171350
Eliminates creating unneeded IDispatch tearoffs

Odd for loop style with that newline after the for(, your call but it seems
like a change from the style of old....

/be
Attachment #171350 - Flags: superreview?(brendan) → superreview+
Attachment #171350 - Flags: approval1.8b?
Comment on attachment 171350
Eliminates creating unneeded IDispatch tearoffs

mozilla/js/src/xpconnect/src/XPCIDispatchExtension.cpp	1.15
mozilla/js/src/xpconnect/src/xpcprivate.h	1.148
mozilla/js/src/xpconnect/src/xpcwrappednative.cpp	1.87
Attachment #171350 - Attachment is obsolete: true
Comment on attachment 171350
Eliminates creating unneeded IDispatch tearoffs

too late for 1.8b; please land on trunk (which is now open)
Attachment #171350 - Flags: approval1.8b? → approval1.8b-
Timeless, say what you did more clearly.  It looks like you checked in.  If so,
shouldn't this bug be marked FIXED?

/be
Looks like the patch was checked in, and so this shouldn't be an issue anymore.
Feel free to reopen if this crash occurs again.

Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED