Closed Bug 304249 Opened 19 years ago Closed 19 years ago

Assertion failure: scope->ownercx == cx, at .../jslock.c:1254

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta4

People

(Reporter: tuukka.tolvanen, Assigned: jst)

References

Details

(Keywords: crash, fixed1.8)

Attachments

(5 files)

output + bt
46.21 KB, text/plain
Details
output + bt + jsstack
52.55 KB, text/plain
Details
Another stack
48.99 KB, text/plain
Details
Testcase
433 bytes, text/html
Details
Make nsJSContext::BindCompiledEventHandler() push cx onto the context stack
2.01 KB, patch
mrbkap
: review+
brendan
: superreview+
brendan
: approval1.8b4+
Details | Diff | Splinter Review 
crashes every few days on this.

Assertion failure: scope->ownercx == cx, at
/home/tt/src/mozilla/HEAD/mozilla/js/src/jslock.c:1254
Attached file output + bt 
tweaking a textarea somewhere on http://www.okcupid.com/tests (not
reproducible) build firefox-debug_2005-08-08-06Z
Attached file output + bt + jsstack 
same build, navigating somewheres
In js_DefineNativeProperty, what is *clasp?

These stacks show (a) clasp->addProperty not a stub; (b) clasp->addProperty
failing; (c) after failure, scope is unlocked or single-thread-locked by another
context -- suggesting strongly that the failing addProperty wrongly unlocked its
obj param (which would unlock scope).

This should be investigated and fixed pronto.

/be
Flags: blocking1.8b4+
jst, why would defining "onselect" or "onload" run into an addProperty failure,
or should I ask: which nsDOMClassInfo.cpp scriptable helper hook might be to blame?

More confusion: even if something in an addProperty helper "unlocked" obj, if
obj is single-threaded, scope->ownercx would remain unchanged.  For it to
change, obj would have to be multi-threaded, and contended for by more than one
thread (at some point in its life).

Reporter: please list all extensions installed.

/be
Assignee: general → general
Component: JavaScript Engine → DOM: Level 0
> In js_DefineNativeProperty, what is *clasp?

just killed the process, sorry :\

> Reporter: please list all extensions installed.

domi, reporter, livehttpheaders
> > Reporter: please list all extensions installed.
> domi, reporter, livehttpheaders
...and magpie(disabled), downthemall(disabled)
Oh, and what is *scope?  All these for next time, unless you dumped *scope in an
attachment and I missed it.

/be
*** Bug 303809 has been marked as a duplicate of this bug. ***
Attached file Another stack 

    
    

    
  

      
      
      
      

        Attached file
          
        Testcase
      

    


  
Warning this testcase opens many windows in a rather uncontrolled manner.

STEPS TO REPRODUCE
1. load the testcase, this should give you two windows, one with the testcase
   itself and one with Google in it. Note that it's the Google page that has
   the "onload" that focus its text input.
2. if you give focus back to the testcase window by clicking on the window bar
   there will be a new window spawned, do this a few times...
3. close some windows

repeat 2 and 3 for a while - I can get it to crash in less than 30 seconds.

    
    

    
  
Brendan can you take a look?
Assignee: general → brendan

    
    

    
  
So what I found in my investigation for this is that we're executing JS code on
a chrome context and we're dealing with a scope owned by the current page's
context. This was triggerd by clicking a bookmarklet, so not the exact testcase
in this bug. But the problem seems likely to be in
nsEventReceiverSH::RegisterCompileHandler() since it makes a call to
nsJSUtils::GetStaticScriptContext() to find the context to run event handlers
in... That's about all I know so far...

    
    

    
  
jst's getting close, he updated me on IRC:

<jst> brendan: this problem was introduced by the second hunk in
https://bugzilla.mozilla.org/attachment.cgi?id=191095&action=diff#mozilla/content/events/src/nsEventListenerManager.cpp_sec7
<jst> brendan: we're executing code on the page that does textarea.select()
<jst> that ends up firing DOM events...
<jst> which are captured by our chrome code
<jst> our chrome code ends up having to compile an event handler...
<jst> and in compiling the event handler we do a JS_DefineProperty()
<jst> when caps does the security check
<jst> the code it finds is the code that called textarea.select()
<jst> uses that as the subject principal
<brendan> we should push the script_cx on the XPCThreadJSContextStack, eh?
<jst> yeah, something like that...
<jst> need to crash tho
<brendan> ok
<jst> I'll dig more tomorrow
<brendan> want to take the bug?
<jst> feel free to give it to me, if not I'll take it tomorrow

/be
Assignee: brendan → jst

    
    

    
  


  
Here's what I believe is the right fix for this problem. We're compiling a
chrome event handler in code that's being triggered from content code
(textarea.select()), and as we do that, we need the compilation to occure w/o
us thinking we're called directly from content code.

        Attachment #193061 -
        Flags: superreview?(brendan)

        Attachment #193061 -
        Flags: review?(mrbkap)

    
    

    
  
While this is not exactly *dependent* on the split window work, this was
introduced by fixing a bug in the event listener manager code when the split
window work landed. The change in question was to make us do the security check
in nsEventListenerManager::RegisterScriptEventListener() all the time, not just
the first time we get there :)
Status: NEW → ASSIGNED
Depends on: splitwindows
OS: Linux → All
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta4

    
  
Blocks: splitwindows
No longer depends on: splitwindows

    
    

    
  
Comment on attachment 193061 [details] [diff] [review]
Make nsJSContext::BindCompiledEventHandler() push cx onto the context stack

r=mrbkap

        Attachment #193061 -
        Flags: review?(mrbkap) → review+

    
    

    
  
*** Bug 303809 has been marked as a duplicate of this bug. ***

    
    

    
  
Comment on attachment 193061 [details] [diff] [review]
Make nsJSContext::BindCompiledEventHandler() push cx onto the context stack

Thanks, this looks good to me -- there shouldn't be other calls into the JS
engine (thence back into dom and caps code) outside of this section, that also
need mContext pushed.

/be

        Attachment #193061 -
        Flags: superreview?(brendan)

        Attachment #193061 -
        Flags: superreview+

        Attachment #193061 -
        Flags: approval1.8b4+

    
    

    
  
Fixed on trunk and branch.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: