Bug 298459: Crash @gc_root_marker (JS_ASSERT)
Status: RESOLVED FIXED (opened 19 years ago, closed 19 years ago)
Categories: Core :: DOM: Navigation, defect
People: Reporter: csthomas, Assigned: bryner
Keywords: crash
Attachments (1 file): patch, 1.06 KB (darin.moz: review+, brendan: superreview+, brendan: approval1.8b4+)
I'm hitting the JS_ASSERT at jsgc.c:1474

JS_ASSERT(root_points_to_gcArenaPool);

The console shows:

JS API usage error: the address passed to JS_AddNamedRoot currently holds an invalid jsval. This is usually caused by a missing call to JS_RemoveRoot. The root's name is "WindowStateHolder::mJSObj".

I first hit this with 20050616 or 0618, and did not notice it in 0613. browser.sessionhistory.max_viewers is 5. I don't know steps to reproduce.
Updated•19 years ago (Reporter)
Severity: normal → major
Comment 1•19 years ago
We talked about this on IRC, remember? It's an API user error, not a JS engine bug, when you see this assertion. Looking at nsGlobalWindow.cpp, though, I don't see how the WindowStateHolder dtor can not be called, yet the memory go free (or really, mJSObj become invalid). Cc'ing bryner. Since this is suite, is there any code not checked in that is in your build? We need to see all the sources. /be
Assignee: general → general
Updated•19 years ago
Component: JavaScript Engine → History: Session
Comment 2•19 years ago
Maybe an allocation and then a GC (or two GCs) are nesting in the ctor. I said to bryner on IRC that I should have noticed during review the lateness of the call to JS_AddNamedRoot (the last thing the ctor does). Moving that up to be first may just fix this bug, although it would be even better to understand how the mJSObj root comes to dangle. /be
Comment 3•19 years ago (Assignee)
Moved AddNamedRoot earlier in WindowStateHolder's ctor after talking this over with brendan.

Checking in nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v <-- nsGlobalWindow.cpp
new revision: 1.746; previous revision: 1.745
done

marking fixed.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 4•19 years ago
Just had this happen. I'm running an optimized trunk build. Is there a missing virtual dtor or something? /be
Status: RESOLVED → UNCONFIRMED
Flags: blocking-aviary1.1+
Resolution: FIXED → ---
Comment 5•19 years ago
This is real, it's still happening. Need to figure out why. Theories, speculation welcome. /be
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: general → general
Comment 6•19 years ago
*** Bug 302236 has been marked as a duplicate of this bug. ***
Comment 7•19 years ago
*** Bug 299159 has been marked as a duplicate of this bug. ***
Comment 8•19 years ago
*** Bug 303900 has been marked as a duplicate of this bug. ***
Comment 9•19 years ago (Assignee)
Something on this page is making us unhappy, and among other things we hit the case where we fail to copy a property. The cleanup deletes the state object as an nsISupports*, which fails to run the WindowStateHolder dtor. This fixes that by using Release() via an nsCOMPtr.
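The failure mode described in comment 9, as an added example that is not part of the original bug thread or the Mozilla patch: a holder registers the address of its member as a GC root and unregisters it only in its destructor, so a cleanup path that frees the object without running that destructor leaves a dangling root, while dropping the reference through Release() does not. SupportsLike, StateHolder and g_roots are hypothetical stand-ins for nsISupports, WindowStateHolder and the JS engine's root table, and the buggy path is modelled by freeing the storage directly.

```cpp
#include <cstddef>
#include <cstdio>
#include <new>
#include <set>

// Hypothetical stand-in for the GC root table: addresses the collector scans.
static std::set<const void*> g_roots;

// Hypothetical stand-in for nsISupports: refcounted, destructor not virtual.
// Making it protected turns `delete iface` into a compile error.
struct SupportsLike {
    virtual void AddRef() = 0;
    virtual void Release() = 0;
  protected:
    ~SupportsLike() {}
};

// Hypothetical stand-in for WindowStateHolder.
struct StateHolder final : SupportsLike {
    long mJSObj;   // slot whose address is registered as a root
    int mRefCnt;
    explicit StateHolder(long obj) : mJSObj(obj), mRefCnt(0) { g_roots.insert(&mJSObj); }
    ~StateHolder() { g_roots.erase(&mJSObj); }   // the only place the root is removed
    void AddRef() override { ++mRefCnt; }
    void Release() override { if (--mRefCnt == 0) delete this; }
};

// Buggy cleanup, modelled: the storage is freed but ~StateHolder never runs.
std::size_t roots_after_free_without_dtor() {
    g_roots.clear();
    void* mem = ::operator new(sizeof(StateHolder));
    new (mem) StateHolder(42);
    ::operator delete(mem);
    return g_roots.size();   // 1: the table still lists an address in freed memory
}

// Fixed cleanup: drop the reference; Release() deletes as the concrete type.
std::size_t roots_after_release() {
    g_roots.clear();
    StateHolder* h = new StateHolder(42);
    h->AddRef();
    SupportsLike* iface = h;
    iface->Release();        // refcount reaches 0, ~StateHolder removes the root
    return g_roots.size();   // 0
}

int main() {
    std::printf("free without dtor: %zu dangling root(s)\n", roots_after_free_without_dtor());
    std::printf("Release():         %zu dangling root(s)\n", roots_after_release());
}
```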
Comment 10•19 years ago
Comment on attachment 192038: fix
r=darin
Attachment #192038 -
Flags: review?(darin) → review+
Comment 11•19 years ago (Assignee)
Comment on attachment 192038: fix
requesting approval, this is a dead-simple fix
Attachment #192038 -
Flags: approval1.8b4?
Comment 12•19 years ago
Comment on attachment 192038: fix
I should have seen this, it was just what it should have been to cause the symptom. /be
Attachment #192038 -
Flags: superreview+
Attachment #192038 -
Flags: approval1.8b4?
Attachment #192038 -
Flags: approval1.8b4+
Updated•19 years ago
Flags: blocking1.8b4+
Comment 13•19 years ago (Assignee)
checked in
Status: ASSIGNED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
Comment 14•19 years ago
this might have caused bug 304003
*** Bug 300681 has been marked as a duplicate of this bug. ***
Component: History: Session → Document Navigation
QA Contact: general → docshell