Closed Bug 389985 Opened 17 years ago Closed 17 years ago

crash [@ XPCWrappedNativeScope::FindInJSObjectScope]

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha7

People

(Reporter: ted, Assigned: mrbkap)

References

Details

Attachments

(1 file)

Possible fix
4.11 KB, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review 
I've crashed multiple times with today's build in XPCWrappedNativeScope::FindInJSObjectScope.  I don't have STR, unfortunately, but I do have a stack:

0012f7e4 603f801a xul!XPCWrappedNativeScope::FindInJSObjectScope+0x43 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednativescope.cpp @ 674]
0012f87c 6007d6d4 xul!XPC_XOW_Finalize+0x3f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpccrossoriginwrapper.cpp @ 711]
0012f89c 6006f483 js3250!js_FinalizeObject+0x43 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsobj.c @ 2788]
0012f93c 6005a022 js3250!js_GC+0x305 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsgc.c @ 2444]
0012f958 60051456 js3250!js_DestroyContext+0x13a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jscntxt.c @ 432]
0012f964 603dfabf js3250!JS_DestroyContext+0xb [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 985]
0012f96c 60624704 xul!nsXPConnect::ReleaseJSContext+0x4f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\nsxpconnect.cpp @ 1857]
0012f988 606253de xul!nsJSContext::~nsJSContext+0x8e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsjsenvironment.cpp @ 1024]
0012f990 60625419 xul!nsJSContext::`scalar deleting destructor'+0x8
0012f9a0 604514a0 xul!nsJSContext::Release+0x27 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\dom\src\base\nsjsenvironment.cpp @ 1091]
0012f9a8 6088d2ad xul!nsRefPtr<nsFtpChannel>::assign_assuming_AddRef+0x12 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\obj-fx-trunk\dist\include\xpcom\nsautoptr.h @ 945]
0012f9b8 6070a1ca xul!nsCOMPtr_base::assign_with_AddRef+0x18 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\obj-fx-trunk\xpcom\build\nscomptr.cpp @ 89]
0012f9c4 6070a1d8 xul!nsXBLDocGlobalObject::SetContext+0x37 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\content\xbl\src\nsxbldocumentinfo.cpp @ 270]
0012f9cc 6070a74f xul!nsXBLDocGlobalObject::SetScriptContext+0x9 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\content\xbl\src\nsxbldocumentinfo.cpp @ 278]
0012f9e4 6070a80a xul!nsXBLDocumentInfo::~nsXBLDocumentInfo+0x2d [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\content\xbl\src\nsxbldocumentinfo.cpp @ 501]
0012f9ec 6070a268 xul!nsXBLDocumentInfo::`scalar deleting destructor'+0x8
0012f9fc 607b2938 xul!nsXBLDocumentInfo::Release+0x24 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\content\xbl\src\nsxbldocumentinfo.cpp @ 473]
0012fa04 6047a374 xul!nsRefPtr<nsPluginTag>::~nsRefPtr<nsPluginTag>+0xc [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\obj-fx-trunk\dist\include\xpcom\nsautoptr.h @ 957]
0012fa0c 60894a97 xul!nsBaseHashtableET<PrincipalKey,nsCOMPtr<nsIPrincipal> >::~nsBaseHashtableET<PrincipalKey,nsCOMPtr<nsIPrincipal> >+0xb [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\obj-fx-trunk\dist\include\xpcom\nsbasehashtable.h @ 312]
0012fa28 604b1ae1 xul!PL_DHashTableFinish+0x36 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\obj-fx-trunk\xpcom\build\pldhash.c @ 373]
This has been crashing me very frequently. 8 so far today, 8 yesterday, and 2 on the 27th (~11pm)... Prior to this, I only have Breakpad crash reports once every few days.
Flags: blocking1.9?
Updating HW/OS to All, since I'm seeing this on OS X.
OS: Windows XP → All
Hardware: PC → All
At Peter6's advice, I reset all my prefs, and I don't seem to be experiencing this anymore.  I'm not sure what exactly the problem was, though.
Target Milestone: --- → mozilla1.9 M7
I bet this is exactly the same bug as bug 390083.
I take that back, I think I have a patch for this.
Assignee: nobody → mrbkap
Attached patch Possible fixSplinter Review 
Further inspection shows that this bug is, in fact, the same as bug 390083, but I think we need this patch anyway. The idea is that calling FindInJSObjectScope from our finalizer is not legal (our parent could have been finalized already), so we stash the wrapped native scope where we can find it, even in the finalizer.
Attachment #274512 - Flags: superreview?(jst)
Attachment #274512 - Flags: review?(jst)
Attachment #274512 - Flags: superreview?(jst)
Attachment #274512 - Flags: superreview+
Attachment #274512 - Flags: review?(jst)
Attachment #274512 - Flags: review+
Fix checked into trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Blocks: 389753
Flags: blocking1.9?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: