Closed Bug 282743 Opened 20 years ago Closed 20 years ago

ABBA deadlock componentmanager monitor/jsgc claimscope

Categories

(Core :: XPCOM, defect)

x86
Windows XP
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: timeless, Assigned: timeless)

Details

Attachments

(1 obsolete file)

main thread:
 	nspr4.dll!PR_Lock(PRLock * lock=0x002aee20)  Line 240	C
 	nspr4.dll!PR_EnterMonitor(PRMonitor * mon=0x002aee08)  Line 99 + 0x6
	C
 	xpcom_core.dll!nsAutoMonitor::nsAutoMonitor(PRMonitor * 
mon=0x002aee08)  Line 250 + 0x7	C++
>	xpcom_core.dll!nsComponentManagerImpl::GetServiceByContractID(const 
char * aContractID=0x012d65ac, const nsID & aIID={...}, void * * 
result=0x0012f764)  Line 2354	C++
 	xpcom_core.dll!nsGetServiceByContractID::operator()(const nsID & aIID=
{...}, void * * aInstancePtr=0x0012f764)  Line 183 + 0xf	C++
 	xpcom_core.dll!nsCOMPtr_base::assign_from_helper(const nsCOMPtr_helper 
& helper={...}, const nsID & iid={...})  Line 114 + 0x10	C++
 	gklayout.dll!nsCOMPtr<nsIObserverService>::nsCOMPtr<nsIObserverService>
(const nsCOMPtr_helper & helper={...})  Line 591	C++
 	gklayout.dll!nsEventStateManager::~nsEventStateManager()  Line 296
	C++
 	gklayout.dll!nsEventStateManager::`scalar deleting destructor'()  + 0x8
	C++
 	gklayout.dll!nsJSEventListener::Release()  Line 73 + 0x18	C++
 	gklayout.dll!nsPresContext::~nsPresContext()  Line 214 + 0x9	C++
 	gklayout.dll!nsPresContext::Release()  Line 253 + 0x1b	C++
 	xpcom_core.dll!nsCOMPtr_base::~nsCOMPtr_base()  Line 82	C++
 	gklayout.dll!nsDOMEvent::~nsDOMEvent()  Line 136 + 0x24	C++
 	gklayout.dll!nsDOMEvent::`scalar deleting destructor'()  + 0x8	C++
 	gklayout.dll!nsDOMEvent::Release()  Line 139 + 0x18	C++
 	xpc3250.dll!XPCJSRuntime::GCCallback(JSContext * cx=0x00a1e7e8, 
JSGCStatus status=JSGC_END)  Line 557	C++
 	jsd3250.dll!jsds_GCCallbackProc(JSContext * cx=0x00a1e7e8, JSGCStatus 
status=JSGC_END)  Line 522 + 0x7	C++
 	js3250.dll!js_GC(JSContext * cx=0x00a1e7e8, unsigned int gcflags=0)  
Line 1448	C
 	js3250.dll!js_ForceGC(JSContext * cx=0x00a1e7e8, unsigned int 
gcflags=0)  Line 1028 + 0x19	C
 	js3250.dll!JS_GC(JSContext * cx=0x00a1e7e8)  Line 1747 + 0x8	C
 	js3250.dll!JS_MaybeGC(JSContext * cx=0x00a1e7e8)  Line 1766 + 0x6
	C
 	gklayout.dll!nsJSContext::ScriptEvaluated(int aTerminated=0)  Line 1875 
+ 0xc	C++
 	gklayout.dll!nsJSContext::ScriptExecuted()  Line 1946	C++
 	xpc3250.dll!AutoScriptEvaluate::~AutoScriptEvaluate()  Line 107	C++
 	xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * 
wrapper=0x0012f764, unsigned short methodIndex=4217, const nsXPTMethodInfo * 
info=0x0012f798, nsXPTCMiniVariant * nativeParams=0x00000000)  Line 1588 + 0x11
	C++
 	xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=7, 
const nsXPTMethodInfo * info=0x01f3c5f0, nsXPTCMiniVariant * 
params=0x0012fa4c)  Line 450	C++
 	xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x019edec0, 
unsigned int methodIndex=7, unsigned int * args=0x0012fb08, unsigned int * 
stackBytesToPop=0x0012faf8)  Line 117 + 0x12	C++
 	xpcom_core.dll!SharedStub()  Line 147	C++
 	appcomps.dll!nsBrowserStatusFilter::OnSecurityChange(nsIWebProgress * 
aWebProgress=0x0292328c, nsIRequest * aRequest=0x0245ad60, unsigned int 
aState=4)  Line 263	C++
 	docshell.dll!nsDocLoaderImpl::OnSecurityChange(nsISupports * 
aContext=0x0245ad60, unsigned int aState=4)  Line 1500 + 0xd	C++
 	pipboot.dll!nsSecureBrowserUIImpl::UpdateSecurityState(nsIRequest * 
aRequest=0x0245ad60)  Line 1104	C++
 	pipboot.dll!nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress * 
aWebProgress=0x02789740, nsIRequest * aRequest=0x0245ad60, unsigned int 
aProgressStateFlags=0, unsigned int aStatus=0)  Line 839 + 0xb	C++
 	docshell.dll!nsDocLoaderImpl::FireOnStateChange(nsIWebProgress * 
aProgress=0x0292328c, nsIRequest * aRequest=0x0245ad60, int aStateFlags=65552, 
unsigned int aStatus=0)  Line 1234 + 0x12	C++
 	docshell.dll!nsDocLoaderImpl::doStopURLLoad(nsIRequest * 
request=0x0245ad60, unsigned int aStatus=0)  Line 805	C++
 	docshell.dll!nsDocLoaderImpl::OnStopRequest(nsIRequest * 
aRequest=0x0245ad60, nsISupports * aCtxt=0x00000000, unsigned int aStatus=0)  
Line 653	C++
 	necko.dll!nsLoadGroup::RemoveRequest(nsIRequest * request=0x0292327c, 
nsISupports * ctxt=0x00000000, unsigned int aStatus=0)  Line 701 + 0xd	C++
 	necko.dll!nsHttpChannel::OnStopRequest(nsIRequest * request=0x05e50588, 
nsISupports * ctxt=0x00000000, unsigned int status=0)  Line 3782	C++
 	necko.dll!nsInputStreamPump::OnStateStop()  Line 505	C++
 	necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * 
stream=0x05ecf3b0)  Line 342	C++
 	xpcom_core.dll!nsOutputStreamReadyEvent::EventHandler(PLEvent * 
plevent=0x05e17edc)  Line 119	C++
 	xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x05e17edc)  Line 693
	C
 	xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x009fe900)  
Line 627 + 0x6	C
 	xpcom_core.dll!_md_EventReceiverProc(HWND__ * hwnd=0x002f06a6, unsigned 
int uMsg=49514, unsigned int wParam=0, long lParam=10479872)  Line 1434	C
 	user32.dll!_InternalCallWinProc@20()  + 0x28	
 	user32.dll!_UserCallWinProcCheckWow@32()  + 0xb7	
 	user32.dll!_DispatchMessageWorker@8()  + 0xdc	
 	user32.dll!_DispatchMessageW@4()  + 0xf	
 	gkwidget.dll!nsAppShell::Run()  Line 159	C++
 	appcomps.dll!nsAppStartup::Run()  Line 216	C++
 	mozilla.exe!main1(int argc=2, char * * argv=0x002a4dc0, nsISupports * 
nativeApp=0x012e7388)  Line 1321 + 0x9	C++
 	mozilla.exe!main(int argc=2, char * * argv=0x002a4dc0)  Line 1813 + 0x13
	C++
 	mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ * 
__formal=0x00400000, char * args=0x0015235a, HINSTANCE__ * 
__formal=0x00400000)  Line 1841 + 0x17	C++
 	mozilla.exe!WinMainCRTStartup()  Line 390 + 0x1b	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23	

main thread is waiting for the monitor @ nsComponentManagerImpl::GetServiceByContractID
and is still inside js_GC, where there's /some/ sort of lock

other thread:
>	nspr4.dll!_PR_MD_WAIT_CV(_MDCVar * cv=0x009e4204, _MDLock * 
lock=0x009baf7c, unsigned int timeout=4294967295)  Line 282	C
 	nspr4.dll!_PR_WaitCondVar(PRThread * thread=0x009ff478, PRCondVar * 
cvar=0x009e4190, PRLock * lock=0x009baf60, unsigned int timeout=4294967295)  
Line 205	C
 	nspr4.dll!PR_WaitCondVar(PRCondVar * cvar=0x009e4190, unsigned int 
timeout=4294967295)  Line 551 + 0xd	C
 	js3250.dll!ClaimScope(JSScope * scope=0x00eef910, JSContext * 
cx=0x7ffda000)  Line 504	C
 	js3250.dll!js_LockScope(JSContext * cx=0x01a10cd0, JSScope * 
scope=0x02996cd0)  Line 1055 + 0xf	C
 	js3250.dll!js_LockObj(JSContext * cx=0x01a10cd0, JSObject * 
obj=0x02970070)  Line 1207	C
 	js3250.dll!js_FindProperty(JSContext * cx=0x01a10cd0, long id=33141104, 
JSObject * * objp=0x00eefb6c, JSObject * * pobjp=0x00eefb1c, JSProperty * * 
propp=0x00eefb24)  Line 2528 + 0xc	C
 	js3250.dll!js_Interpret(JSContext * cx=0x00000002, long * 
result=0x00eefa40)  Line 3686 + 0x18	C
 	js3250.dll!js_Invoke(JSContext * cx=0x009ff478, unsigned int argc=2, 
unsigned int flags=15661632)  Line 1313 + 0xa	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x01a10cfc, JSObject * 
obj=0x029701e0, long fval=43450488, unsigned int flags=0, unsigned int argc=1, 
long * argv=0x00eefd28, long * rval=0x00eefd0c)  Line 1390 + 0xe	C
 	js3250.dll!JS_CallFunctionValue(JSContext * cx=0x01a10cd0, JSObject * 
obj=0x029701e0, long fval=43450488, unsigned int argc=1, long * 
argv=0x00eefd28, long * rval=0x00eefd0c)  Line 3767 + 0x1a	C
 	xpc3250.dll!nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject
(XPCCallContext & ccx={...}, JSObject * jsobj=0x029701e0, const nsID & aIID=
{...})  Line 271 + 0x17	C++
 	xpc3250.dll!nsXPCWrappedJSClass::DelegatedQueryInterface(nsXPCWrappedJS 
* self=0x02999308, const nsID & aIID={...}, void * * aInstancePtr=0x00eefe40)  
Line 589	C++
 	xpc3250.dll!nsXPCWrappedJS::QueryInterface(const nsID & aIID={...}, 
void * * aInstancePtr=0x00eefe40)  Line 97 + 0xa	C++
 	xpcom_core.dll!nsComponentManagerImpl::GetServiceByContractID(const 
char * aContractID=0x00b92680, const nsID & aIID={...}, void * * 
result=0x00eefe40)  Line 2362 + 0xb	C++
 	xpcom_core.dll!nsGetServiceByContractID::operator()(const nsID & aIID=
{...}, void * * aInstancePtr=0x00eefe40)  Line 183 + 0xf	C++
 	xpcom_core.dll!nsCOMPtr_base::assign_from_helper(const nsCOMPtr_helper 
& helper={...}, const nsID & iid={...})  Line 114 + 0x10	C++
 	necko.dll!nsCOMPtr<nsIHttpChannelSink>::nsCOMPtr<nsIHttpChannelSink>
(const nsCOMPtr_helper & helper={...})  Line 591	C++
 	necko.dll!nsHttpTransaction::ReadRequestSegment(nsIInputStream * 
stream=0x05e7d738, void * closure=0x05f4c2a8, const char * buf=0x02ba0b98, 
unsigned int offset=0, unsigned int count=421, unsigned int * 
countRead=0x00eefef0)  Line 359	C++
 	xpcom_core.dll!nsStringInputStream::ReadSegments(unsigned int 
(nsIInputStream *, void *, const char *, unsigned int, unsigned int, unsigned 
int *)* writer=0x00b79da0, void * closure=0x05f4c2a8, unsigned int aCount=421, 
unsigned int * result=0x00eefef0)  Line 248	C++
 	necko.dll!nsHttpTransaction::ReadSegments(nsAHttpSegmentReader * 
reader=0x02b710a8, unsigned int count=4096, unsigned int * 
countRead=0x00eefef0)  Line 404	C++
 	necko.dll!nsHttpConnection::OnSocketWritable()  Line 549 + 0xf	C++
 	necko.dll!nsHttpConnection::OnOutputStreamReady(nsIAsyncOutputStream * 
out=0x05e9ee90)  Line 760	C++
 	necko.dll!nsSocketOutputStream::OnSocketReady(unsigned int 
condition=45551796)  Line 483	C++
 	necko.dll!nsSocketTransport::OnSocketReady(PRFileDesc * fd=0x02682278, 
short outFlags=2)  Line 1392	C++
 	necko.dll!nsSocketTransportService::Run()  Line 540 + 0x19	C++
 	xpcom_core.dll!nsThread::Main(void * arg=0x02a72c30)  Line 134	C++
 	nspr4.dll!_PR_NativeRunThread(void * arg=0x02b9be98)  Line 458	C
 	xpcom_core.dll!nsCOMPtr_base::assign_from_qi(nsQueryInterface qi={...}, 
const nsID & iid={...})  Line 98 + 0xa	C++
 	msvcr71.dll!__endthreadex()  + 0xa0	

condvar @ ClaimScope
monitor @ nsComponentManagerImpl::GetServiceByContractID

we're using some changes to nsHttpTransaction, but the general problem is 
possible without our changes (it just takes more luck and cycles, we're good at 
finding problems with fewer cycles).

i seem to recall discussing this problem w/ someone before, but i can't find a 
bug for it. this is really a blocker for our current product release cycle.
Attached patch release monitor before QI (obsolete) — Splinter Review
Assignee: dougt → timeless
Status: NEW → ASSIGNED
Attachment #174717 - Flags: superreview?(dbaron)
Attachment #174717 - Flags: review?(dbradley)
Comment on attachment 174717 [details] [diff] [review]
release monitor before QI

looks fine.
Attachment #174717 - Flags: review?(dbradley) → review+
Comment on attachment 174717 [details] [diff] [review]
release monitor before QI

sr=bzbarsky
Attachment #174717 - Flags: superreview?(dbaron) → superreview+
Comment on attachment 174717 [details] [diff] [review]
release monitor before QI

sr=dbaron, but could the same problem occur with AddRef on an XPCWrappedNative
in some sort of double- or multiple-wrapping situation?
Comment on attachment 174717 [details] [diff] [review]
release monitor before QI

>Index: nsComponentManager.cpp
>===================================================================
>RCS file: /cvsroot/mozilla/xpcom/components/nsComponentManager.cpp,v
>retrieving revision 1.259
>diff -up50 -r1.259 nsComponentManager.cpp

More than enough context, doncha think? ;-)

>         if (entry->mServiceObject) {
>-            return entry->mServiceObject->QueryInterface(aIID, result);
>+            nsCOMPtr<nsISupports> serviceObject = entry->mServiceObject;
>+            // We need to not be holding the service manager's monitor while calling
>+            // QueryInterface, because it invokes user code which could try to re-enter
>+            // the service manager, or try to grab some other lock/monitor/condvar
>+            // and deadlock, e.g. bug 282743.
>+            mon.Exit();
>+            return serviceObject->QueryInterface(aIID, result);
>         }
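Review bot: The added comment explains why the monitor is released but not why `serviceObject` is taken first. Once `mon.Exit()` runs, another thread can presumably clear or replace `entry->mServiceObject`, so the local `nsCOMPtr` is what keeps the object alive across the `QueryInterface` call, and `entry` must not be touched again. I would add a line such as `// Take a strong ref while still in the monitor; |entry| must not be used after mon.Exit().` next to the declaration. The rest of GetServiceByContractID lies outside the quoted hunk, so it is worth confirming that the service-creation path and any sibling lookup by CID do not call into component code under the same monitor. It is also worth confirming that the auto-monitor's destructor does not exit a second time after the explicit `mon.Exit()`.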

Wouldn't this read better if the comment were above the nsCOMPtr decl?	Or even
better in the order above, but with a blank line between the nsCOMPtr
initialized declaration and the comment?

/be
Comment on attachment 174717 [details] [diff] [review]
release monitor before QI

mozilla/xpcom/components/nsComponentManager.cpp 	1.260
mozilla/xpcom/components/nsComponentManager.cpp 	1.261
Attachment #174717 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED