Closed
Bug 369805
Opened 18 years ago
Closed 17 years ago
"Assertion failure: cx->lockedSealedScope != newscope" in jslock.c on startup
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: jruderman, Assigned: brendan
Keywords: (4 keywords)
Attachments (3 files)
- 20.62 KB, text/plain; charset=UTF-8 (Details)
- 1.36 KB, patch; brendan: review+ (Details | Diff | Splinter Review)
- 984 bytes, patch; dveditz: approval1.8.1.4+, dveditz: approval1.8.0.12+ (Details | Diff | Splinter Review)
This happened to me twice in a row during Firefox startup just now. The third launch succeeded.

Assertion failure: cx->lockedSealedScope != newscope, at /Users/jruderman/trunk/mozilla/js/src/jslock.c:1200

0 libmozjs.dylib 0x010d1195 JS_Assert + 70 (jsutil.c:60)
1 libmozjs.dylib 0x0107cad0 js_TransferScopeLock + 222 (jslock.c:1201)
2 libmozjs.dylib 0x010c171b js_GetMutableScope + 317 (jsscope.c:79)
3 libmozjs.dylib 0x01088dba js_DefineNativeProperty + 627 (jsobj.c:3044)
4 libmozjs.dylib 0x01088b45 js_DefineProperty + 82 (jsobj.c:2949)
5 libmozjs.dylib 0x0101827e DefineUCProperty + 309 (jsapi.c:2539)
6 libmozjs.dylib 0x010193c9 JS_DefineUCProperty + 82 (jsapi.c:2950)
7 libgklayout.dylib 0x1876ee48 nsXBLProtoImplMethod::InstallMember(nsIScriptContext*, nsIContent*, void*, void*, nsCString const&) + 636 (nsXBLProtoImplMethod.cpp:168)
8 libgklayout.dylib 0x18770246 nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding*, nsIContent*) + 488 (nsXBLProtoImpl.cpp:86)
9 libgklayout.dylib 0x18763638 nsXBLPrototypeBinding::InstallImplementation(nsIContent*) + 44 (nsXBLPrototypeBinding.cpp:436)
10 libgklayout.dylib 0x18761b48 nsXBLBinding::InstallImplementation() + 180 (nsXBLBinding.cpp:764)
11 libgklayout.dylib 0x18761acd nsXBLBinding::InstallImplementation() + 57 (nsXBLBinding.cpp:758)
12 libgklayout.dylib 0x1877acf2 nsXBLService::LoadBindings(nsIContent*, nsIURI*, int, nsXBLBinding**, int*) + 1432 (nsXBLService.cpp:663)
13 libgklayout.dylib 0x18803c14 nsElementSH::PostCreate(nsIXPConnectWrappedNative*, JSContext*, JSObject*) + 1012 (nsDOMClassInfo.cpp:6830)
14 libxpconnect.dylib 0x13048cb7 XPCWrappedNative::GetNewOrUsed(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, int, XPCWrappedNative**) + 3269 (xpcwrappednative.cpp:508)
15 libxpconnect.dylib 0x13022322 XPCConvert::NativeInterface2JSObject(XPCCallContext&, nsIXPConnectJSObjectHolder**, nsISupports*, nsID const*, JSObject*, int, int, unsigned*) + 424 (xpcconvert.cpp:1098)
16 libxpconnect.dylib 0x13026812 XPCConvert::NativeData2JS(XPCCallContext&, long*, void const*, nsXPTType const&, nsID const*, JSObject*, unsigned*) + 2572 (xpcconvert.cpp:472)
17 libxpconnect.dylib 0x130459af XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 6017 (xpcwrappednative.cpp:2303)
18 libxpconnect.dylib 0x1304cf5a XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*, long*) + 398 (xpcwrappednativejsops.cpp:1470)
19 libmozjs.dylib 0x0105c51d js_Invoke + 3284 (jsinterp.c:1348)
20 libmozjs.dylib 0x0106d769 js_Interpret + 63990 (jsinterp.c:4047)
21 libmozjs.dylib 0x0105cf0c js_Execute + 885 (jsinterp.c:1607)
22 libmozjs.dylib 0x0101c681 JS_EvaluateUCScriptForPrincipals + 158 (jsapi.c:4313)
23 libgklayout.dylib 0x187b1587 nsJSContext::EvaluateStringWithValue(nsAString_internal const&, void*, nsIPrincipal*, char const*, unsigned, unsigned, void*, int*) + 1011 (nsJSEnvironment.cpp:1129)
24 libgklayout.dylib 0x1876f845 nsXBLProtoImplField::InstallMember(nsIScriptContext*, nsIContent*, void*, void*, nsCString const&) + 455 (nsXBLProtoImplField.cpp:131)
25 libgklayout.dylib 0x18770246 nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding*, nsIContent*) + 488 (nsXBLProtoImpl.cpp:86)
26 libgklayout.dylib 0x18763638 nsXBLPrototypeBinding::InstallImplementation(nsIContent*) + 44 (nsXBLPrototypeBinding.cpp:436)
27 libgklayout.dylib 0x18761b48 nsXBLBinding::InstallImplementation() + 180 (nsXBLBinding.cpp:764)
28 libgklayout.dylib 0x18761acd nsXBLBinding::InstallImplementation() + 57 (nsXBLBinding.cpp:758)
29 libgklayout.dylib 0x1877acf2 nsXBLService::LoadBindings(nsIContent*, nsIURI*, int, nsXBLBinding**, int*) + 1432 (nsXBLService.cpp:663)
30 libgklayout.dylib 0x18803c14 nsElementSH::PostCreate(nsIXPConnectWrappedNative*, JSContext*, JSObject*) + 1012 (nsDOMClassInfo.cpp:6830)
31 libxpconnect.dylib 0x13048cb7 XPCWrappedNative::GetNewOrUsed(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, int, XPCWrappedNative**) + 3269 (xpcwrappednative.cpp:508)
32 libxpconnect.dylib 0x13022322 XPCConvert::NativeInterface2JSObject(XPCCallContext&, nsIXPConnectJSObjectHolder**, nsISupports*, nsID const*, JSObject*, int, int, unsigned*) + 424 (xpcconvert.cpp:1098)
33 libxpconnect.dylib 0x13026812 XPCConvert::NativeData2JS(XPCCallContext&, long*, void const*, nsXPTType const&, nsID const*, JSObject*, unsigned*) + 2572 (xpcconvert.cpp:472)
34 libxpconnect.dylib 0x130459af XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 6017 (xpcwrappednative.cpp:2303)
35 libxpconnect.dylib 0x1304cf5a XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*, long*) + 398 (xpcwrappednativejsops.cpp:1470)
36 libmozjs.dylib 0x0105c51d js_Invoke + 3284 (jsinterp.c:1348)
37 libmozjs.dylib 0x0106d769 js_Interpret + 63990 (jsinterp.c:4047)
38 libmozjs.dylib 0x0105cf0c js_Execute + 885 (jsinterp.c:1607)
39 libmozjs.dylib 0x0101c681 JS_EvaluateUCScriptForPrincipals + 158 (jsapi.c:4313)
40 libgklayout.dylib 0x187b1587 nsJSContext::EvaluateStringWithValue(nsAString_internal const&, void*, nsIPrincipal*, char const*, unsigned, unsigned, void*, int*) + 1011 (nsJSEnvironment.cpp:1129)
41 libgklayout.dylib 0x1876f845 nsXBLProtoImplField::InstallMember(nsIScriptContext*, nsIContent*, void*, void*, nsCString const&) + 455 (nsXBLProtoImplField.cpp:131)
42 libgklayout.dylib 0x18770246 nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding*, nsIContent*) + 488 (nsXBLProtoImpl.cpp:86)
43 libgklayout.dylib 0x18763638 nsXBLPrototypeBinding::InstallImplementation(nsIContent*) + 44 (nsXBLPrototypeBinding.cpp:436)
44 libgklayout.dylib 0x18761b48 nsXBLBinding::InstallImplementation() + 180 (nsXBLBinding.cpp:764)
45 libgklayout.dylib 0x1877acf2 nsXBLService::LoadBindings(nsIContent*, nsIURI*, int, nsXBLBinding**, int*) + 1432 (nsXBLService.cpp:663)
46 libgklayout.dylib 0x183b35cf nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) + 211 (nsCSSFrameConstructor.cpp:7480)
47 libgklayout.dylib 0x183b4002 nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) + 440 (nsCSSFrameConstructor.cpp:7436)
48 libgklayout.dylib 0x183b5e09 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsIFrame*, int, nsFrameItems&, int) + 381 (nsCSSFrameConstructor.cpp:11249)
49 libgklayout.dylib 0x183b33a1 nsCSSFrameConstructor::ConstructXULFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int, int, int*) + 4145 (nsCSSFrameConstructor.cpp:6160)
50 libgklayout.dylib 0x183b3a02 nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) + 1286 (nsCSSFrameConstructor.cpp:7569)
51 libgklayout.dylib 0x183b4002 nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) + 440 (nsCSSFrameConstructor.cpp:7436)
52 libgklayout.dylib 0x183b5e09 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsIFrame*, int, nsFrameItems&, int) + 381 (nsCSSFrameConstructor.cpp:11249)
53 libgklayout.dylib 0x183b33a1 nsCSSFrameConstructor::ConstructXULFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int, int, int*) + 4145 (nsCSSFrameConstructor.cpp:6160)
54 libgklayout.dylib 0x183b3a02 nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) + 1286 (nsCSSFrameConstructor.cpp:7569)
55 libgklayout.dylib 0x183b4002 nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) + 440 (nsCSSFrameConstructor.cpp:7436)
56 libgklayout.dylib 0x183b5e09 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsIFrame*, int, nsFrameItems&, int) + 381 (nsCSSFrameConstructor.cpp:11249)
57 libgklayout.dylib 0x183b33a1 nsCSSFrameConstructor::ConstructXULFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int, int, int*) + 4145 (nsCSSFrameConstructor.cpp:6160)
58 libgklayout.dylib 0x183b3a02 nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) + 1286 (nsCSSFrameConstructor.cpp:7569)
59 libgklayout.dylib 0x183b4002 nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) + 440 (nsCSSFrameConstructor.cpp:7436)
60 libgklayout.dylib 0x183b5e09 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsIFrame*, int, nsFrameItems&, int) + 381 (nsCSSFrameConstructor.cpp:11249)
61 libgklayout.dylib 0x183c0912 nsCSSFrameConstructor::ConstructDocElementFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIFrame**) + 1760 (nsCSSFrameConstructor.cpp:4339)
62 libgklayout.dylib 0x183c2019 nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, int, nsILayoutHistoryState*, int) + 567 (nsCSSFrameConstructor.cpp:8836)
63 libgklayout.dylib 0x18407130 PresShell::InitialReflow(int, int) + 634 (nsPresShell.cpp:2489)
64 libgklayout.dylib 0x1878f390 nsXULDocument::StartLayout() + 960 (nsXULDocument.cpp:1970)
65 libgklayout.dylib 0x18790861 nsXULDocument::DoneWalking() + 843 (nsXULDocument.cpp:3087)
66 libgklayout.dylib 0x18795e2d nsXULDocument::ResumeWalk() + 2735 (nsXULDocument.cpp:3029)
67 libgklayout.dylib 0x18796495 nsXULDocument::OnStreamComplete(nsIStreamLoader*, nsISupports*, unsigned, unsigned, unsigned char const*) + 1313 (nsXULDocument.cpp:3401)
68 libnecko.dylib 0x13b69ea4 nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned) + 166 (nsStreamLoader.cpp:110)
69 libjar50.dylib 0x157420ad nsJARChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned) + 187 (nsJARChannel.cpp:752)
70 libnecko.dylib 0x13b45791 nsInputStreamPump::OnStateStop() + 271 (nsInputStreamPump.cpp:572)
71 libnecko.dylib 0x13b458af nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 153 (nsInputStreamPump.cpp:396)
72 libxpcom_core.dylib 0x013a4a28 nsInputStreamReadyEvent::Run() + 100 (nsStreamUtils.cpp:112)
73 libxpcom_core.dylib 0x01347b64 nsThread::ProcessNextEvent(int, int*) + 556 (nsThread.cpp:483)
74 libxpcom_core.dylib 0x012f062e NS_ProcessNextEvent_P(nsIThread*, int) + 130 (nsThreadUtils.cpp:225)
75 libwidget_mac.dylib 0x15921348 nsBaseAppShell::Run() + 124 (nsBaseAppShell.cpp:152)
76 libwidget_mac.dylib 0x159056ac nsAppShell::Run() + 190 (nsAppShell.mm:330)
77 libwidget_mac.dylib 0x1590598e -[AppShellDelegate runAppShell] + 36 (nsAppShell.mm:429)
78 com.apple.Foundation 0x9260e0c7 __NSFireDelayedPerform + 403
79 com.apple.CoreFoundation 0x9082b822 CFRunLoopRunSpecific + 3341
80 com.apple.CoreFoundation 0x9082ab0e CFRunLoopRunInMode + 61
81 com.apple.HIToolbox 0x92ddabef RunCurrentEventLoopInMode + 285
82 com.apple.HIToolbox 0x92dda2fd ReceiveNextEventCommon + 385
83 com.apple.HIToolbox 0x92dda154 BlockUntilNextEventMatchingListInMode + 81
84 com.apple.AppKit 0x9327f465 _DPSNextEvent + 572
85 com.apple.AppKit 0x9327f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
86 libwidget_mac.dylib 0x159054a3 nsAppShell::ProcessNextNativeEvent(int) + 275 (nsAppShell.mm:284)
87 libwidget_mac.dylib 0x159212b9 nsBaseAppShell::DoProcessNextNativeEvent(int) + 51 (nsBaseAppShell.cpp:136)
88 libwidget_mac.dylib 0x1592166a nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, int, unsigned) + 94 (nsBaseAppShell.cpp:209)
89 libwidget_mac.dylib 0x1590576e nsAppShell::OnProcessNextEvent(nsIThreadInternal*, int, unsigned) + 180 (nsAppShell.mm:354)
90 libxpcom_core.dylib 0x01347a60 nsThread::ProcessNextEvent(int, int*) + 296 (nsThread.cpp:472)
91 libxpcom_core.dylib 0x012f078f NS_ProcessPendingEvents_P(nsIThread*, unsigned) + 145 (nsThreadUtils.cpp:179)
92 libwidget_mac.dylib 0x15921255 nsBaseAppShell::NativeEventCallback() + 83 (nsBaseAppShell.cpp:115)
93 libwidget_mac.dylib 0x15906011 nsAppShell::ProcessGeckoEvents() + 253 (nsAppShell.mm:209)
94 libwidget_mac.dylib 0x15906153 -[AppShellDelegate handlePortMessage:] + 107 (nsAppShell.mm:420)
95 com.apple.Foundation 0x92649a4c __NSFireMachPort + 307
96 com.apple.CoreFoundation 0x9083b3c5 __CFMachPortPerform + 136
97 com.apple.CoreFoundation 0x9082b66d CFRunLoopRunSpecific + 2904
98 com.apple.CoreFoundation 0x9082ab0e CFRunLoopRunInMode + 61
99 com.apple.HIToolbox 0x92ddabef RunCurrentEventLoopInMode + 285
100 com.apple.HIToolbox 0x92dda234 ReceiveNextEventCommon + 184
101 com.apple.HIToolbox 0x92dda154 BlockUntilNextEventMatchingListInMode + 81
102 com.apple.AppKit 0x9327f465 _DPSNextEvent + 572
103 com.apple.AppKit 0x9327f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
104 com.apple.AppKit 0x93278ddb -[NSApplication run] + 512
105 libwidget_mac.dylib 0x15905680 nsAppShell::Run() + 146 (nsAppShell.mm:327)
106 libtoolkitcomps.dylib 0x16f9ce79 nsAppStartup::Run() + 147 (nsAppStartup.cpp:171)
107 XUL 0x0020ef49 XRE_main + 9609 (nsAppRunner.cpp:2763)
108 org.mozilla.firefox 0x00002eec main + 40 (nsBrowserApp.cpp:62)
109 org.mozilla.firefox 0x00002852 _start + 216
110 org.mozilla.firefox 0x00002779 start + 41
Comment 1 (Assignee) • 18 years ago
When did you last update js/src or your entire trunk tree? This sure is not known to me, so I'd like to finger the recent change responsible (it may not be in js/src, though). /be
Comment 2 (Reporter) • 18 years ago
About two hours ago. I think js/src is up to date.
Comment 3 (Reporter) • 18 years ago
And before that, I had probably last updated about 24h earlier, so a guess at a regression range is:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-02-07+12&maxdate=2007-02-08+16&cvsroot=%2Fcvsroot

I just launched firefox 10 times in a row without hitting this, so it's going to be hard to be sure it's a regression and/or narrow the regression window.
Comment 4 (Assignee) • 18 years ago
This could be a latent bug (unmatched or missing js_UnlockScope) triggered by object sealing, which is done for XPCNativeWrapper.prototype and now for jst's XPCSafeJSObjectWrapper.prototype. /be
Me too. Updated about 2 hours ago. Have core file. Can debug.
This is from my core file.
Comment 7 • 17 years ago
I think I know why this occurs. I traced the js_[Un]lock[Scope,Obj] calls and what happens is that:
1. js_LockObj succeeds, using lockedSealedScope (line 1249)
2. js_UnLockObj calls js_UnlockScope which returns early (line 1126)
3. the scope is deleted
4. we reach js_GetMutableScope for this context which still has lockedSealedScope set: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/jsscope.c&rev=3.57&root=/cvsroot&mark=71,78#63

When the 'newscope' is allocated at the same address the assert eventually occurs in js_TransferScopeLock...

It seems the problem is that js_LockObj does not check if CX_THREAD_IS_RUNNING_GC(cx) in the "lockedSealedScope" case, whereas js_UnlockScope always checks it. Seems to me it should be symmetric.
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/jslock.c&rev=3.62&root=/cvsroot&mark=1126-1129#1121
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/src/jslock.c&rev=3.62&root=/cvsroot&mark=1240,1249#1239

Making an early return in js_LockObj if CX_THREAD_IS_RUNNING_GC(cx) seems to fix it...
OS: Mac OS X → All
Hardware: PC → All
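A reduced model of the mechanism Mats describes in comment 7, added here as an illustration and not SpiderMonkey's code: Context, Scope, lock_obj, unlock_scope and the single-slot allocator are simplified stand-ins for cx, JSScope, js_LockObj, js_UnlockScope and an allocator that hands the freed scope's address to the next scope.

```c
/* Added model of the lock/unlock asymmetry described in comment 7; not
 * SpiderMonkey code. Context, Scope, lock_obj, unlock_scope and the slot
 * allocator are simplified stand-ins for cx, JSScope, js_LockObj,
 * js_UnlockScope and the allocator that reuses the freed scope's address. */
#include <stdbool.h>
#include <string.h>

typedef struct Scope {
    bool sealed;     /* sealed objects take the lockedSealedScope fast path */
    int  lockCount;  /* ordinary lock depth for non-sealed scopes */
} Scope;

typedef struct Context {
    bool   runningGC;          /* stands in for CX_THREAD_IS_RUNNING_GC(cx) */
    Scope *lockedSealedScope;  /* the cached pointer the assertion inspects */
} Context;

/* Single allocation slot: the deleted scope and the later "newscope" get
 * the same address, which is the condition the reporter's assertion hit. */
static Scope slot;
static Scope *alloc_scope(bool sealed) {
    memset(&slot, 0, sizeof slot);
    slot.sealed = sealed;
    return &slot;
}

/* Lock path. With check_gc=false it behaves like the pre-patch js_LockObj
 * (no GC check before caching the sealed scope); with check_gc=true it has
 * the symmetric early return the patch adds. */
static void lock_obj(Context *cx, Scope *scope, bool check_gc) {
    if (check_gc && cx->runningGC) return;
    if (scope->sealed) { cx->lockedSealedScope = scope; return; }
    scope->lockCount++;
}

/* Unlock path: always returns early while GC is running, like the jslock.c
 * early return cited in comment 7, so the cached pointer is never cleared. */
static void unlock_scope(Context *cx, Scope *scope) {
    if (cx->runningGC) return;
    if (cx->lockedSealedScope == scope) { cx->lockedSealedScope = NULL; return; }
    scope->lockCount--;
}

/* Replays steps 1-4 of comment 7 while GC is running and reports whether
 * the "cx->lockedSealedScope != newscope" check would still hold. */
static bool transfer_check_holds(bool use_fix) {
    Context cx = { .runningGC = true, .lockedSealedScope = NULL };
    Scope *scope = alloc_scope(true);        /* 1: lock a sealed scope */
    lock_obj(&cx, scope, use_fix);
    unlock_scope(&cx, scope);                /* 2: early return under GC */
    memset(scope, 0, sizeof *scope);         /* 3: scope is deleted */
    Scope *newscope = alloc_scope(false);    /* 4: reallocated at same address */
    return cx.lockedSealedScope != newscope;
}
```

With the pre-patch lock path the stale pointer survives into step 4 and the check fails; with the symmetric GC check nothing is cached and it holds.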
Comment 8 (Assignee) • 17 years ago
Mats: brilliant! (to quote Basil Fawlty) -- do you have a patch? /be
Comment 9 • 17 years ago
Something like this perhaps...
Comment 10 • 17 years ago
... I'm assuming CX_THREAD_IS_RUNNING_GC(cx) will not become true during the loop in case it was false to begin with...
Comment 11 (Assignee) • 17 years ago
Comment on attachment 254832 [details] [diff] [review]
Patch rev. 1

r=me, thanks! I'll check this in ASAP and nominate for branches. It's an old bug, latent but easier to hit now due to XPCSafeJSObjectWrapper. /be

Attachment #254832 - Flags: review+
Attachment #254832 - Flags: approval1.8.1.3?
Attachment #254832 - Flags: approval1.8.0.11?
Updated (Assignee) • 17 years ago
Attachment #254832 - Flags: approval1.8.1.3?
Attachment #254832 - Flags: approval1.8.0.11?
Comment 12 (Assignee) • 17 years ago
Thanks again, mats. I transposed the assertion and new conditional-early-return code, and added a comment. js/src/jslock.c 3.62 /be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #254841 - Flags: approval1.8.1.3?
Attachment #254841 - Flags: approval1.8.0.11?
Updated (Assignee) • 17 years ago
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 17 years ago
Flags: in-testsuite-
Comment 13 • 17 years ago

Comment on attachment 254841 [details] [diff] [review]
what I just landed

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers

Attachment #254841 - Flags: approval1.8.1.4?
Attachment #254841 - Flags: approval1.8.1.4+
Attachment #254841 - Flags: approval1.8.0.12?
Attachment #254841 - Flags: approval1.8.0.12+
Comment 14 (Assignee) • 17 years ago

js/src/jslock.c 3.55.20.3
js/src/jslock.c 3.55.24.2
/be

Keywords: fixed1.8.0.12, fixed1.8.1.4