Closed Bug 367006 Opened 18 years ago Closed 18 years ago

[@ nsJSContext::LoadEnd] with cycle collection

Product/Component: Core :: XPCOM
Type: defect
Hardware: x86
OS: All
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: philor
Assignee: jst
Keywords: topcrash
Attachments: 1 file

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a2pre) Gecko/20070114 Firefox/3.0a2pre ID:2007011416

Two crashes, over two days, with a Firefox self-build on Intel Mac. Both times, Google search results were loading in a background tab, once from a context menu search for selected text, once from a bookmark keyword typed in the addressbar, and then backgrounded. No idea whether the site, or the background/foreground is significant.

Crashed thread, from Apple crash report:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   org.mozilla.firefox            	0x00479f09 nsJSContext::LoadEnd() + 41
1   org.mozilla.firefox            	0x00178736 NS_NewDocumentViewer(nsIDocumentViewer**) + 752
2   org.mozilla.firefox            	0x0051cfea nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) + 82
3   org.mozilla.firefox            	0x0024ec58 nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) + 190
4   org.mozilla.firefox            	0x00523f7a nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*) + 1706
5   org.mozilla.firefox            	0x00250a69 nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, unsigned) + 287
6   org.mozilla.firefox            	0x00250dc1 nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned) + 49
7   org.mozilla.firefox            	0x00250ecd nsDocLoader::DocLoaderIsEmpty() + 229
8   org.mozilla.firefox            	0x002512e2 nsDocLoader::doStartDocumentLoad() + 678
9   org.mozilla.firefox            	0x0006a925 nsLoadGroup::~nsLoadGroup [in-charge]() + 719
10  org.mozilla.firefox            	0x0026bc08 imgRequestProxy::RemoveFromLoadGroup(int) + 66
11  org.mozilla.firefox            	0x0026bc7f imgRequestProxy::OnStopRequest(nsIRequest*, nsISupports*, unsigned, int) + 81
12  org.mozilla.firefox            	0x005329f9 imgRequest::RemoveProxy(imgRequestProxy*, unsigned, int) + 111
13  org.mozilla.firefox            	0x0026b846 imgRequestProxy::ChangeOwner(imgRequest*) + 218
14  org.mozilla.firefox            	0x004a2bdb nsImageLoadingContent::DestroyImageLoadingContent() + 39
15  org.mozilla.firefox            	0x00190010 nsHTMLImageElement::~nsHTMLImageElement [in-charge deleting]() + 56
16  org.mozilla.firefox            	0x004559fe nsNodeUtils::LastRelease(nsINode*, int) + 424
17  org.mozilla.firefox            	0x0044a8bc nsGenericElement::LeaveLink(nsPresContext*) + 286
18  org.mozilla.firefox            	0x0019005f nsHTMLImageElement::~nsHTMLImageElement [in-charge deleting]() + 135
19  org.mozilla.firefox            	0x0034ca4b XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) + 1399
20  libjsd.dylib                   	0x018dccb8 NSGetModule + 11216
21  org.mozilla.firefox            	0x00479f61 nsJSContext::LoadEnd() + 129
22  libmozjs.dylib                 	0x00d33ae5 js_GC + 2908
23  libmozjs.dylib                 	0x00d080a2 JS_GC + 66
24  org.mozilla.firefox            	0x000abf8f nsXPConnect::BeginCycleCollection() + 201
25  libxpcom_core.dylib            	0x00df253c nsCycleCollector::Collect() + 36
26  libxpcom_core.dylib            	0x00df2d71 nsCycleCollector_collect() + 35
27  org.mozilla.firefox            	0x0047a3f8 nsJSContext::FireGCTimer(int) + 224
28  libxpcom_core.dylib            	0x00de8a4b nsTimerImpl::Fire() + 145
29  libxpcom_core.dylib            	0x00de8c2a nsTimerImpl::InitCommon(unsigned, unsigned) + 296
30  libxpcom_core.dylib            	0x00de66e2 nsThread::nsChainedEventQueue::PutEvent(nsIRunnable*) + 1024
31  libxpcom_core.dylib            	0x00db1fd5 NS_ProcessNextEvent_P(nsIThread*, int) + 53
32  org.mozilla.firefox            	0x0053383d nsBaseAppShell::DoProcessNextNativeEvent(int) + 103
33  org.mozilla.firefox            	0x0026e91d nsAppShell::ProcessNextNativeEvent(int) + 525
34  org.mozilla.firefox            	0x0026eb47 nsAppShell::ProcessNextNativeEvent(int) + 1079
35  com.apple.Foundation           	0x9260b0c7 __NSFireDelayedPerform + 403
36  com.apple.CoreFoundation       	0x90829bc9 CFRunLoopRunSpecific + 3341
37  com.apple.CoreFoundation       	0x90828eb5 CFRunLoopRunInMode + 61
38  com.apple.HIToolbox            	0x92dcdb90 RunCurrentEventLoopInMode + 285
39  com.apple.HIToolbox            	0x92dcd297 ReceiveNextEventCommon + 385
40  com.apple.HIToolbox            	0x92dcd0ee BlockUntilNextEventMatchingListInMode + 81
41  com.apple.AppKit               	0x9326f465 _DPSNextEvent + 572
42  com.apple.AppKit               	0x9326f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
43  org.mozilla.firefox            	0x0026e7ab nsAppShell::ProcessNextNativeEvent(int) + 155
44  org.mozilla.firefox            	0x005337f8 nsBaseAppShell::DoProcessNextNativeEvent(int) + 34
45  org.mozilla.firefox            	0x005339f0 nsBaseAppShell::Init() + 234
46  org.mozilla.firefox            	0x0026e982 nsAppShell::ProcessNextNativeEvent(int) + 626
47  libxpcom_core.dylib            	0x00de6681 nsThread::nsChainedEventQueue::PutEvent(nsIRunnable*) + 927
48  libxpcom_core.dylib            	0x00db207a NS_ProcessPendingEvents_P(nsIThread*, unsigned) + 70
49  org.mozilla.firefox            	0x005337b3 nsBaseAppShell::NativeEventCallback() + 71
50  org.mozilla.firefox            	0x0026e5ce nsAppShell::ProcessGeckoEvents() + 176
51  org.mozilla.firefox            	0x0026eb23 nsAppShell::ProcessNextNativeEvent(int) + 1043
52  com.apple.Foundation           	0x92646a4c __NSFireMachPort + 307
53  com.apple.CoreFoundation       	0x90839773 __CFMachPortPerform + 136
54  com.apple.CoreFoundation       	0x90829a14 CFRunLoopRunSpecific + 2904
55  com.apple.CoreFoundation       	0x90828eb5 CFRunLoopRunInMode + 61
56  com.apple.HIToolbox            	0x92dcdb90 RunCurrentEventLoopInMode + 285
57  com.apple.HIToolbox            	0x92dcd1ce ReceiveNextEventCommon + 184
58  com.apple.HIToolbox            	0x92dcd0ee BlockUntilNextEventMatchingListInMode + 81
59  com.apple.AppKit               	0x9326f465 _DPSNextEvent + 572
60  com.apple.AppKit               	0x9326f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
61  com.apple.AppKit               	0x93268ddb -[NSApplication run] + 512
62  org.mozilla.firefox            	0x0026e8ff nsAppShell::ProcessNextNativeEvent(int) + 495
63  org.mozilla.firefox            	0x002dbb21 nsAppStartup::AttemptingQuit(int) + 245
64  org.mozilla.firefox            	0x00006a9c XRE_main + 10478
65  org.mozilla.firefox            	0x0000244c main + 32
66  org.mozilla.firefox            	0x000023d2 start + 270
67  org.mozilla.firefox            	0x000022ed start + 41

Apparently background isn't significant; same stack with Google loading in the foreground.

/me looks for a new search engine

[@ nsJSContext::LoadEnd] is currently #5 topcrasher. TB stack traces aren't too useful in this case.

Flags: blocking1.9?
OS: Mac OS X → All

(In reply to comment #0)
> Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
> 
> Thread 0 Crashed:
> 0   org.mozilla.firefox                 0x00479f09 nsJSContext::LoadEnd() + 41

Hmm, must be sGCTimer that's null when sLoadInProgressGCTimer is true with no pending loads. Odd...

> 26  libxpcom_core.dylib                 0x00df2d71 nsCycleCollector_collect() + 35
> 27  org.mozilla.firefox                 0x0047a3f8 nsJSContext::FireGCTimer(int) + 224

This however is even more odd. We're calling the cycle collector from nsJSContext::FireGCTimer(), but the only case when we do that is when we fail to create a timer! I can't imagine why that would fail, other than being out of memory which doesn't sound likely.

I don't understand why we'd fail to create a timer, but I do see how that could cause crashes if the stack here reflects what's really going on here. I've got a patch that should fix that...

This makes sLoadInProgressGCTimer reflect reality even in error cases etc.
Attachment #252707 - Flags: superreview?(jonas)
Attachment #252707 - Flags: review?(jonas)
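
Added example, not the patch from attachment 252707 and not Mozilla's code: a simplified C++ model of the invariant discussed above, where a flag (standing in for sLoadInProgressGCTimer) must never claim a timer exists while the pointer (standing in for sGCTimer) is null. The type and member names, the order of operations in FireGCTimer, and the resetFlagOnFailure switch are assumptions made for illustration.

```cpp
#include <memory>

// Simplified model of the state on this page; every name is hypothetical.
struct Timer { bool cancelled = false; void Cancel() { cancelled = true; } };

struct GCScheduler {
    std::unique_ptr<Timer> timer;      // stands in for sGCTimer
    bool loadInProgressTimer = false;  // stands in for sLoadInProgressGCTimer
    int pendingLoads = 0;
    int collections = 0;
    bool failTimerCreation = false;    // simulate "failed to create a timer"
    bool resetFlagOnFailure = true;    // false models the unsynchronized state
    void LoadStart() { ++pendingLoads; }

    std::unique_ptr<Timer> CreateTimer() {
        if (failTimerCreation) return nullptr;
        return std::make_unique<Timer>();
    }
    void FireGCTimer() {
        if (timer) return;                       // already armed
        loadInProgressTimer = pendingLoads > 0;  // assumed ordering
        timer = CreateTimer();
        if (!timer) {
            // Error path: no timer exists, so the flag must say so too.
            if (resetFlagOnFailure) loadInProgressTimer = false;
            ++collections;                       // collect immediately instead
        }
    }

    // Returns false at the point where a null timer would be dereferenced.
    bool LoadEnd() {
        if (pendingLoads > 0) --pendingLoads;
        if (pendingLoads == 0 && loadInProgressTimer) {
            if (!timer) return false;            // crash site in the report
            timer->Cancel();
            timer.reset();
            loadInProgressTimer = false;
            ++collections;
        }
        return true;
    }
};

int main() {
    GCScheduler s;
    s.failTimerCreation = true;
    s.LoadStart();
    s.FireGCTimer();
    return s.LoadEnd() ? 0 : 1;
}
```
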

Comment on attachment 252707
Better book keeping of timer related state.

Weird, but the patch is the right thing to do anyway.

r/sr=sicking

Attachment #252707 - Flags: superreview?(jonas)
Attachment #252707 - Flags: superreview+
Attachment #252707 - Flags: review?(jonas)
Attachment #252707 - Flags: review+

Fix checked in, let's see if this crasher truly does go away.

No new crashes since 2007012504

Assignee: nobody → jst
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.9?
Resolution: --- → FIXED

Crash Signature: [@ nsJSContext::LoadEnd]