Closed Bug 380512 Opened 18 years ago Closed 17 years ago

"ASSERTION: JSContext still in threadjscontextstack" and crash removing a <frame> with an http auth prompt for a <script> load

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha8

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?] using freed JSContext)

Attachments

(3 files)

testcase
481 bytes, text/html
Details
Stack
10.10 KB, text/html
Details
Patch rev. 1
1.92 KB, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review
Attached file testcase
Tested in Mac trunk debug. 1. Load the testcase. 2. Wait 3 seconds for the blue to disappear. ###!!! ASSERTION: JSContext still in threadjscontextstack!: '!tls->GetJSContextStack() || !tls->GetJSContextStack()-> DEBUG_StackHasJSContext(aJSContext)', mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1852 3. Press *Enter* to *accept* the http auth dialog. (sometimes) Assertion failure: !cx->fp, at /Users/jruderman/trunk/mozilla/js/src/jsapi.c:4933 There is a related EXC_BAD_INSTRUCTION crash requiring no user interaction, but I don't know how to reproduce it.
Whiteboard: [sg:critical?]
Attached file Stack
Here's the stack for that assertion. I also had a breakpoint in nsWindowWatcher::OpenWindowJSInternal printing out the local variable 'cx' (blue). We delete that JSContext while it's still on the stack of the local event loop of the dialog. http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/xpfe/appshell/src/nsXULWindow.cpp&rev=1.171&root=/cvsroot&mark=383,398,401-402#383
Attached patch Patch rev. 1Splinter Review
FWIW, a kung-fu death grip on the script context fixes the crash...
Bug 307247 and bug 234013 looks like it could be the same problem.
OS: Mac OS X → All
Hardware: PC → All
Whiteboard: [sg:critical?] → [sg:critical?] using freed JSContext
I suppose that would work; we could also change the Push() callers to pass in the nsIScriptContext unless it would be more work... We should probably audit other places that push non-null JSContexts.
Flags: blocking1.9?
Blocking on getting the wip patch reviewed and checked in at least, even if there's more that could be done here.
Assignee: nobody → mats.palmgren
Flags: blocking1.9? → blocking1.9+
Attachment #264681 - Flags: superreview?(jst)
Attachment #264681 - Flags: review?(jst)
Comment on attachment 264681 [details] [diff] [review] Patch rev. 1 Clearing review request. I'd like to investigate this further...
Attachment #264681 - Flags: superreview?(jst)
Attachment #264681 - Flags: review?(jst)
Comment on attachment 264681 [details] [diff] [review] Patch rev. 1 Sorry for the delay. I investigated this last week and this path is the only problem I could find.
Attachment #264681 - Attachment description: wip → Patch rev. 1
Attachment #264681 - Flags: superreview?(jst)
Attachment #264681 - Flags: review?(jst)
Attachment #264681 - Flags: superreview?(jst)
Attachment #264681 - Flags: superreview+
Attachment #264681 - Flags: review?(jst)
Attachment #264681 - Flags: review+
mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp 1.131 -> FIXED
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9beta1
The patch would also apply to branches if we like it there too. The testcase does not crash branch builds, presumably because someone else is holding a strong ref, but the patch is low risk so maybe we should take it just in case...
Now, when I follow the steps in comment 0, I get: ###!!! ASSERTION: null request in stream complete handler: 'request', file /Users/jruderman/trunk/mozilla/content/base/src/nsScriptLoader.cpp, line 791 Is that bad?
Filed bug 388523 for the assertion.
Flags: in-testsuite?
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: