Closed Bug 386947 Opened 18 years ago Closed 18 years ago

"ASSERTION: Fault in cycle collector: zero refcount" and/or crash related to cycle collector with -moz-binding

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: dbaron)

References

Details

(4 keywords)

Attachments

(3 files, 2 obsolete files)

testcase (can crash Firefox)
295 bytes, application/vnd.mozilla.xul+xml
Details
make Fault more informative, #ifdef DEBUG_CC
4.27 KB, patch
graydon
: review+
Details | Diff | Splinter Review
patch
1.46 KB, patch
sicking
: review+
sicking
: superreview+
Details | Diff | Splinter Review
Reloading this testcase about 20 times triggers: ###!!! ASSERTION: Fault in cycle collector: zero refcount (ptr: 3bfa0a40) : 'Not Reached', file /Users/jruderman/trunk/mozilla/xpcom/base/nsCycleCollector.cpp, line 920 or ###!!! ASSERTION: nsCycleCollectionParticipant shouldn't change!: 'result->mParticipant == aParticipant', file /Users/jruderman/trunk/mozilla/xpcom/base/nsCycleCollector.cpp, line 1107 Sometimes the first assertion is repeated and/or accompanied by ###!!! ASSERTION: JS object but unknown to the JS GC?: 'refcount > 0', file /Users/jruderman/trunk/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 672 The testcase can also cause crashes, e.g. during shutdown, but not reliably. Tested with Mac trunk debug.
Flags: blocking1.9?
Attached file testcase (can crash Firefox) (obsolete) —
Changed to reference url('#t') instead of url('t') so it doesn't try to load an extra URL from Bugzilla each time.
Attachment #271017 - Attachment is obsolete: true
This is a 1.9 blocker, and it's great to have a small testcase. The bug needs an assignee. Any takers from the cc: list? /be
This helps debugging. On Jesse's testcase, it tells me: Fault in cycle collector: zero refcount while operating on pointer 0x1837ac0 nsXULPrototypeNode which has internal references from: 0x16d8bf0 nsXULPrototypeNode
Attachment #271129 - Flags: review?(graydon)
We have an nsXULPrototypeNode for a window element with 2 children. The first is an nsXULPrototypeNode for a script element. The second is a garbage pointer. We get this fault after traversing the garbage pointer (and finding that the memory location happens to have a 0 for the reference count).
Which probably happens because we've called ReleaseSubtree on the prototype tree.
Attachment #271129 - Flags: review?(graydon) → review+
Attached patch patch (obsolete) — Splinter Review
This fixes the bug, except my "ReleaseSubtree not called" assertion keeps firing...
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Attached patch patchSplinter Review
Er, oops.
Attachment #271132 - Attachment is obsolete: true
Attachment #271134 - Flags: superreview?(jonas)
Attachment #271134 - Flags: review?(jonas)
Attachment #271134 - Flags: superreview?(jonas)
Attachment #271134 - Flags: superreview+
Attachment #271134 - Flags: review?(jonas)
Attachment #271134 - Flags: review+
Both patches checked in to trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: