335013 - jsd_GetScopeChainForStackFrame triggers ABBA deadlock

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[timeless]

one thread is doing:
03 kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
04 nspr4!_PR_MD_WAIT_CV(struct _MDCVar * cv = 0x00d4eb6c, struct _MDLock * lock = 0x00d73d9c, unsigned int timeout = 0xffffffff)+0x7f (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\nsprpub\pr\src\md\windows\w95cv.c @ 280]
05 nspr4!_PR_WaitCondVar(struct PRThread * thread = 0x00a55958, struct PRCondVar * cvar = 0x00d4eaf8, struct PRLock * lock = 0x00d73d80, unsigned int timeout = 0xffffffff)+0xd1 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\nsprpub\pr\src\threads\combined\prucv.c @ 204]
06 nspr4!PR_WaitCondVar(struct PRCondVar * cvar = 0x00d4eaf8, unsigned int timeout = 0xffffffff)+0x7f (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\nsprpub\pr\src\threads\combined\prucv.c @ 551]
07 js3250!ClaimScope(struct JSScope * scope = 0x0362f5c8, struct JSContext * cx = 0x04f119f0)+0x211 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jslock.c @ 534]
08 js3250!js_GetSlotThreadSafe(struct JSContext * cx = 0x04f119f0, struct JSObject * obj = 0x034617d0, unsigned long slot = 2)+0x11d (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jslock.c @ 610]
09 js3250!js_GetClassPrototype(struct JSContext * cx = 0x04f119f0, struct JSObject * scope = 0x036536f0, struct JSAtom * classAtom = 0x00d52bc8, struct JSObject ** protop = 0x0012e6bc)+0x154 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsobj.c @ 3889]
0a js3250!js_NewObject(struct JSContext * cx = 0x04f119f0, struct JSClass * clasp = 0x00fcc148, struct JSObject * proto = 0x00000000, struct JSObject * parent = 0x036536f0)+0x58 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsobj.c @ 1970]
0b js3250!js_GetCallObject(struct JSContext * cx = 0x04f119f0, struct JSStackFrame * fp = 0x04f151e8, struct JSObject * parent = 0x036536f0)+0x1a9 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsfun.c @ 566]
0c js3250!JS_GetFrameCallObject(struct JSContext * cx = 0x04f119f0, struct JSStackFrame * fp = 0x04f151e8)+0x2f (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsdbgapi.c @ 810]
0d js3250!JS_GetFrameScopeChain(struct JSContext * cx = 0x04f119f0, struct JSStackFrame * fp = 0x04f151e8)+0x10 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsdbgapi.c @ 792]
0e jsd3250!jsd_GetScopeChainForStackFrame(struct JSDContext * jsdc = 0x00db2aa8, struct JSDThreadState * jsdthreadstate = 0x067dada8, struct JSDStackFrameInfo * jsdframe = 0x067dae08)+0x5b (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\jsd\jsd_stak.c @ 322]
0f jsd3250!JSD_GetScopeChainForStackFrame(struct JSDContext * jsdc = 0x00db2aa8, struct JSDThreadState * jsdthreadstate = 0x067dada8, struct JSDStackFrameInfo * jsdframe = 0x067dae08)+0x20 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\jsd\jsdebug.c @ 713]
10 jsd3250!jsdStackFrame::GetScope(class jsdIValue ** _rval = 0x0012e890)+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [r:\mozilla\js\jsd\jsd_xpc.cpp @ 1945]

frame 0e grabbed the jsd lock, it then called out of jsd into spidermonkey which tries to poke a lock at frame 07. unfortunately that loses to the other js thread:
04 nspr4!PR_Lock(struct PRLock * lock = 0x00db3040)+0xac (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\nsprpub\pr\src\threads\combined\prulock.c @ 255]
05 jsd3250!jsd_Lock(struct JSDStaticLock * lock = 0x00db2ff0)+0x65 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\jsd\jsd_lock.c @ 153]
06 jsd3250!jsd_NewThreadState(struct JSDContext * jsdc = 0x00db2aa8, struct JSContext * cx = 0x068ec948)+0x1ab (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\jsd\jsd_stak.c @ 164]
07 jsd3250!jsd_CallExecutionHook(struct JSDContext * jsdc = 0x00db2aa8, struct JSContext * cx = 0x068ec948, unsigned int type = 1, <function> * hook = 0x019a24c0, void * hookData = 0x00000001, long * rval = 0x0778fa34)+0x2c (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\jsd\jsd_hook.c @ 165]
08 jsd3250!jsd_TrapHandler(struct JSContext * cx = 0x068ec948, struct JSScript * script = 0x034f51a0, unsigned char * pc = 0x034f5204 "SW", long * rval = 0x0778fa34, void * closure = 0x0692d1b1)+0x1bf (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\jsd\jsd_scpt.c @ 745]
09 js3250!JS_HandleTrap(struct JSContext * cx = 0x068ec948, struct JSScript * script = 0x034f51a0, unsigned char * pc = 0x034f5204 "SW", long * rval = 0x0778fa34)+0x67 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsdbgapi.c @ 217]
0a js3250!js_Interpret(struct JSContext * cx = 0x068ec948, unsigned char * pc = 0x034f5204 "SW", long * result = 0x0778fb64)+0x10dbb (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsinterp.c @ 4489]
0b js3250!js_Invoke(struct JSContext * cx = 0x068ec948, unsigned int argc = 0, unsigned int flags = 2)+0xba5 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsinterp.c @ 1274]
0c xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x0663d800, unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 0x019f5ba0, struct nsXPTCMiniVariant * nativeParams = 0x0778fe84)+0xd39 (FPO: [Non-Fpo]) (CONV: stdcall) [r:\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1507]
0d xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 0x019f5ba0, struct nsXPTCMiniVariant * params = 0x0778fe84)+0x3f (FPO: [Non-Fpo]) (CONV: stdcall) [r:\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 519]

this thread owns the jsscope or something and triggers a trap a which tries to get the jsdlock  in frame 06, but it can't get it because thread 0 has the jsd lock. and thread 0 is waiting for this thread to let go of js.

Comment 1

[:Gijs (he/him)]

timeless, I think all of us know this bug is not going to get fixed soon unless you do it. :-(

Comment 2

[Luke Wagner [:luke]]

Title code was deleted.