Closed Bug 304249 Opened 19 years ago Closed 19 years ago

Assertion failure: scope->ownercx == cx, at .../jslock.c:1254

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta4

People

(Reporter: tuukka.tolvanen, Assigned: jst)

References

Details

(Keywords: crash, fixed1.8)

Attachments

(5 files)

output + bt
46.21 KB, text/plain
Details
output + bt + jsstack
52.55 KB, text/plain
Details
Another stack
48.99 KB, text/plain
Details
Testcase
433 bytes, text/html
Details
Make nsJSContext::BindCompiledEventHandler() push cx onto the context stack
2.01 KB, patch
mrbkap
: review+
brendan
: superreview+
brendan
: approval1.8b4+
Details | Diff | Splinter Review
crashes every few days on this. Assertion failure: scope->ownercx == cx, at /home/tt/src/mozilla/HEAD/mozilla/js/src/jslock.c:1254
Attached file output + bt
tweaking a textarea somewhere on http://www.okcupid.com/tests (not reproducible) build firefox-debug_2005-08-08-06Z
Attached file output + bt + jsstack
same build, navigating somewheres
In js_DefineNativeProperty, what is *clasp? These stacks show (a) clasp->addProperty not a stub; (b) clasp->addProperty failing; (c) after failure, scope is unlocked or single-thread-locked by another context -- suggesting strongly that the failing addProperty wrongly unlocked its obj param (which would unlock scope). This should be investigated and fixed pronto. /be
Flags: blocking1.8b4+
jst, why would defining "onselect" or "onload" run into an addProperty failure, or should I ask: which nsDOMClassInfo.cpp scriptable helper hook might be to blame? More confusion: even if something in an addProperty helper "unlocked" obj, if obj is single-threaded, scope->ownercx would remain unchanged. For it to change, obj would have to be multi-threaded, and contended for by more than one thread (at some point in its life). Reporter: please list all extensions installed. /be
Assignee: general → general
Component: JavaScript Engine → DOM: Level 0
> In js_DefineNativeProperty, what is *clasp? just killed the process, sorry :\ > Reporter: please list all extensions installed. domi, reporter, livehttpheaders
> > Reporter: please list all extensions installed. > domi, reporter, livehttpheaders ...and magpie(disabled), downthemall(disabled)
Oh, and what is *scope? All these for next time, unless you dumped *scope in an attachment and I missed it. /be
*** Bug 303809 has been marked as a duplicate of this bug. ***
Attached file Another stack
Attached file Testcase
Warning this testcase opens many windows in a rather uncontrolled manner. STEPS TO REPRODUCE 1. load the testcase, this should give you two windows, one with the testcase itself and one with Google in it. Note that it's the Google page that has the "onload" that focus its text input. 2. if you give focus back to the testcase window by clicking on the window bar there will be a new window spawned, do this a few times... 3. close some windows repeat 2 and 3 for a while - I can get it to crash in less than 30 seconds.
Brendan can you take a look?
Assignee: general → brendan
So what I found in my investigation for this is that we're executing JS code on a chrome context and we're dealing with a scope owned by the current page's context. This was triggerd by clicking a bookmarklet, so not the exact testcase in this bug. But the problem seems likely to be in nsEventReceiverSH::RegisterCompileHandler() since it makes a call to nsJSUtils::GetStaticScriptContext() to find the context to run event handlers in... That's about all I know so far...
jst's getting close, he updated me on IRC: <jst> brendan: this problem was introduced by the second hunk in https://bugzilla.mozilla.org/attachment.cgi?id=191095&action=diff#mozilla/content/events/src/nsEventListenerManager.cpp_sec7 <jst> brendan: we're executing code on the page that does textarea.select() <jst> that ends up firing DOM events... <jst> which are captured by our chrome code <jst> our chrome code ends up having to compile an event handler... <jst> and in compiling the event handler we do a JS_DefineProperty() <jst> when caps does the security check <jst> the code it finds is the code that called textarea.select() <jst> uses that as the subject principal <brendan> we should push the script_cx on the XPCThreadJSContextStack, eh? <jst> yeah, something like that... <jst> need to crash tho <brendan> ok <jst> I'll dig more tomorrow <brendan> want to take the bug? <jst> feel free to give it to me, if not I'll take it tomorrow /be
Assignee: brendan → jst
Here's what I believe is the right fix for this problem. We're compiling a chrome event handler in code that's being triggered from content code (textarea.select()), and as we do that, we need the compilation to occure w/o us thinking we're called directly from content code.
Attachment #193061 - Flags: superreview?(brendan)
Attachment #193061 - Flags: review?(mrbkap)
While this is not exactly *dependent* on the split window work, this was introduced by fixing a bug in the event listener manager code when the split window work landed. The change in question was to make us do the security check in nsEventListenerManager::RegisterScriptEventListener() all the time, not just the first time we get there :)
Status: NEW → ASSIGNED
Depends on: splitwindows
OS: Linux → All
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta4
Blocks: splitwindows
No longer depends on: splitwindows
Comment on attachment 193061 [details] [diff] [review] Make nsJSContext::BindCompiledEventHandler() push cx onto the context stack r=mrbkap
Attachment #193061 - Flags: review?(mrbkap) → review+
*** Bug 303809 has been marked as a duplicate of this bug. ***
Comment on attachment 193061 [details] [diff] [review] Make nsJSContext::BindCompiledEventHandler() push cx onto the context stack Thanks, this looks good to me -- there shouldn't be other calls into the JS engine (thence back into dom and caps code) outside of this section, that also need mContext pushed. /be
Attachment #193061 - Flags: superreview?(brendan)
Attachment #193061 - Flags: superreview+
Attachment #193061 - Flags: approval1.8b4+
Fixed on trunk and branch.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: