Closed Bug 383552 Opened 17 years ago Closed 17 years ago

Frequent crash [@ ToParticipant] after closing a tab

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: dbaron)

References

Details

(Keywords: crash, dogfood, regression)

Crash Data

This happened to me twice just now, both times shortly after I closed a tab (Mac trunk debug).  I suspect that this is a regression from bug 383234.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000040

Thread 0 Crashed:
0   <<00000000>> 	0x00000040 0 + 64
1   libxpcom_core.dylib      	0x0136776a ToParticipant(nsISupports*, nsXPCOMCycleCollectionParticipant**) + 30 (nsCycleCollector.cpp:929)
2   libxpcom_core.dylib      	0x01367f31 nsCycleCollector::MarkRoots(GCGraph&) + 109 (nsCycleCollector.cpp:1208)
3   libxpcom_core.dylib      	0x01368a98 nsCycleCollector::Collect(unsigned) + 346 (nsCycleCollector.cpp:2000)
4   libxpcom_core.dylib      	0x01368b80 nsCycleCollector_collect() + 48 (nsCycleCollector.cpp:2256)
5   libgklayout.dylib        	0x17f9947d nsJSContext::Notify(nsITimer*) + 165 (nsJSEnvironment.cpp:3193)
6   libxpcom_core.dylib      	0x0135c57d nsTimerImpl::Fire() + 925 (nsTimerImpl.cpp:387)
7   libxpcom_core.dylib      	0x0135c709 nsTimerEvent::Run() + 191 (nsTimerImpl.cpp:458)
8   libxpcom_core.dylib      	0x01358bb4 nsThread::ProcessNextEvent(int, int*) + 508 (nsThread.cpp:483)
9   libxpcom_core.dylib      	0x0130453e NS_ProcessNextEvent_P(nsIThread*, int) + 76 (nsThreadUtils.cpp:227)
10  libwidget_mac.dylib      	0x0550c274 nsBaseAppShell::Run() + 70 (nsBaseAppShell.cpp:153)
11  libwidget_mac.dylib      	0x054f0398 nsAppShell::Run() + 190 (nsAppShell.mm:348)
12  libwidget_mac.dylib      	0x054f067a -[AppShellDelegate runAppShell] + 36 (nsAppShell.mm:447)
13  com.apple.Foundation     	0x9280503b __NSFireDelayedPerform + 403
14  com.apple.CoreFoundation 	0x9082c7e2 CFRunLoopRunSpecific + 3341
15  com.apple.CoreFoundation 	0x9082bace CFRunLoopRunInMode + 61
16  com.apple.HIToolbox      	0x92de78d8 RunCurrentEventLoopInMode + 285
17  com.apple.HIToolbox      	0x92de6fe2 ReceiveNextEventCommon + 385
18  com.apple.HIToolbox      	0x92de6e39 BlockUntilNextEventMatchingListInMode + 81
19  com.apple.AppKit         	0x9328d465 _DPSNextEvent + 572
20  com.apple.AppKit         	0x9328d056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
21  libwidget_mac.dylib      	0x054f018f nsAppShell::ProcessNextNativeEvent(int) + 275 (nsAppShell.mm:302)
22  libwidget_mac.dylib      	0x0550c21b nsBaseAppShell::DoProcessNextNativeEvent(int) + 51 (nsBaseAppShell.cpp:137)
23  libwidget_mac.dylib      	0x0550c5e0 nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, int, unsigned) + 94 (nsBaseAppShell.cpp:225)
24  libwidget_mac.dylib      	0x054f045a nsAppShell::OnProcessNextEvent(nsIThreadInternal*, int, unsigned) + 180 (nsAppShell.mm:372)
25  libxpcom_core.dylib      	0x01358ab0 nsThread::ProcessNextEvent(int, int*) + 248 (nsThread.cpp:472)
26  libxpcom_core.dylib      	0x0130462b NS_ProcessPendingEvents_P(nsIThread*, unsigned) + 91 (nsThreadUtils.cpp:180)
27  libwidget_mac.dylib      	0x0550c1b7 nsBaseAppShell::NativeEventCallback() + 83 (nsBaseAppShell.cpp:116)
28  libwidget_mac.dylib      	0x054f0c17 nsAppShell::ProcessGeckoEvents() + 263 (nsAppShell.mm:213)
29  libwidget_mac.dylib      	0x054f0d61 -[AppShellDelegate handlePortMessage:] + 107 (nsAppShell.mm:438)
30  com.apple.Foundation     	0x928409c0 __NSFireMachPort + 307
31  com.apple.CoreFoundation 	0x9083c385 __CFMachPortPerform + 136
32  com.apple.CoreFoundation 	0x9082c62d CFRunLoopRunSpecific + 2904
33  com.apple.CoreFoundation 	0x9082bace CFRunLoopRunInMode + 61
34  com.apple.HIToolbox      	0x92de78d8 RunCurrentEventLoopInMode + 285
35  com.apple.HIToolbox      	0x92de6f19 ReceiveNextEventCommon + 184
36  com.apple.HIToolbox      	0x92de6e39 BlockUntilNextEventMatchingListInMode + 81
37  com.apple.AppKit         	0x9328d465 _DPSNextEvent + 572
38  com.apple.AppKit         	0x9328d056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
39  com.apple.AppKit         	0x93286ddb -[NSApplication run] + 512
40  libwidget_mac.dylib      	0x054f036c nsAppShell::Run() + 146 (nsAppShell.mm:345)
41  libtoolkitcomps.dylib    	0x16ab2edb nsAppStartup::Run() + 147 (nsAppStartup.cpp:171)
42  XUL                      	0x0020f3a1 XRE_main + 9817 (nsAppRunner.cpp:2814)
43  org.mozilla.firefox      	0x00002ec0 main + 40 (nsBrowserApp.cpp:70)
44  org.mozilla.firefox      	0x00002826 _start + 216
45  org.mozilla.firefox      	0x0000274d start + 41
Flags: blocking1.9?
Hrm.  This code looks like it assumes that all roots are XPCOM cycle collection participants, never other types.  That seems wrong, especially with the patch to suspect all native wrappers.  (But we should probably also make the nsRefPtr-based XBL objects put themselves in the purple buffer as well.)
(That said, that assumption wouldn't explain the crash.)
Actually, it's fine for native wrappers, but it's probably not the best assumption for future work.

Maybe regression from bug 368869?
(In reply to comment #1)
> Hrm.  This code looks like it assumes that all roots are XPCOM cycle collection
> participants, never other types.  That seems wrong, especially with the patch
> to suspect all native wrappers.

Currently only XPCOM objects suspect themselves. If we want to have non-XPCOM objects suspect themselves we'll probably need to store the participant along with the pointer in the purple buffer.
WFM now that bug 368869 has been backed out.
Blocks: 368869
No longer blocks: 383234
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
I'm seeing these crashes again.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
I only find one breakpad report with this signature:

http://crash-stats.mozilla.com/report/list?range_unit=months&range_value=1&signature=nsCycleCollectionXPCOMRuntime%3A%3AToParticipant(void+*)

So blocking- unless it shows up there.
Flags: blocking1.9? → blocking1.9-
Assignee: nobody → dbaron
Status: REOPENED → NEW
This was fixed by the newer version of bug 368869.
Status: NEW → RESOLVED
Closed: 17 years ago17 years ago
Resolution: --- → FIXED
Crash Signature: [@ ToParticipant]
You need to log in before you can comment on or make changes to this bug.