391209 - cycle collector crash with python objects

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Klaus Nowikow]

User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.5) KHTML/3.5.5 (like Gecko)
Build Identifier: xulrunner 1.9a8pre (CVS trunk)

I am getting a segmentation fault when I add the 'script-type="application/x-python"' attribute to a XUL window AND add an event handler to any child node of the window.

Reproducible: Always

Steps to Reproduce:
1. build xulrunner with python enabled (I'll attach my .mozconfig file)
2. cd $MOZ_OBJDIR/dist/xpi-stage/pyxultest
3. run 'LD_LIBRARY_PATH=../../bin ../../bin/xulrunner-bin application.ini'
4. Wait ~15 seconds after the program started
Actual Results:  
A segmentation fault. I'll attach the output of a gdb session.
It fails here: (js/src/jsgc.c:1436)
1422| JS_PUBLIC_API(void)
1423│ JS_TraceChildren(JSTracer *trc, void *thing, uint32 kind)
1424│ {
1425│     JSObject *obj;
1426│     size_t nslots, i;
1427│     jsval v;
1428│     JSString *str;
1429│
1430│     switch (kind) {
1431│       case JSTRACE_OBJECT:
1432│         /* If obj has no map, it must be a newborn. */
1433│         obj = (JSObject *) thing;
1434│         if (!obj->map)
1435│             break;
1436├>        if (obj->map->ops->trace) {
1437│             obj->map->ops->trace(trc, obj);
1438│         } else {
1439│             nslots = STOBJ_NSLOTS(obj);


Expected Results:  
no crash

I am using Python 2.5 and gcc 4.1.2 on Gentoo Linux with KDE 3.5.5

If I don't cd to dist/xpi-stage/pyxultest, but to dist/bin, and run
'LD_LIBRARY_PATH=. xulrunner-bin ../xpi-stage/pyxultest/application.ini'
instead, then the problem is not always reproducible.

Comment 1

[Klaus Nowikow]

Attachment: The mozconfig file that I used to build xulrunner

Comment 2

[Klaus Nowikow]

Attachment: A debugging session with gdb

Comment 3

[Todd Whiteman]

I get a similar crash everytime I open the pyDom pyxultest "chrome://pyxultest/content/pyxultest.xul" window.

It seems to crash exactly when the image timer is being removed.

This occurs using the latest trunk (Feb 18th 2008) builds of Firefox on both Windows and Linux platforms.

I'll attached the debug output from my session, include the gdb stacktrace.

Comment 4

[Todd Whiteman]

Attachment: Debug output from pydom crash

Comment 5

[Mark Hammond [:markh] [:mhammond]]

I see the same stacktrace as Todd.  The problem seems to be these 2 entries:

xul.dll!nsContentUtils::DropScriptObjects(unsigned int aLangID=3, void * aScriptObjectHolder=0x01dafc40, nsScriptObjectTracer * aTracer=0x01dafc40)  Line 1047
xul.dll!nsJSEventListener::cycleCollection::Unlink(void * p=0x03ee0760)  Line 109 + 0x2a bytes

DropScriptObjects has special support for JS, and it appears the implementation is incorrect for other languages.  Specifically, the 'void *aScriptObjectHolder' is being used as an ISupports, which it is not.  It is apparently a "class nsJSEventListener::cycleCollection".

I'm afraid I don't know anything about the cycle collector.  I'm adding peterv as a CC as he appears on the blame and on all other CC related bugs.

Comment 6

[Peter Van der Beken [:peterv]]

Attachment: v1

Grrr.

Comment 7

[Mark Hammond [:markh] [:mhammond]]

Works for me - thanks.  It does leave lots of assertions though, so I opened bug 419745 to track the implementation of a cycle collector for Python.

Comment 8

[Todd]

Thanks, I can verify that this patch solves the problem for me as well (Linux).

Comment 9

[Peter Van der Beken [:peterv]]

Comment on attachment 305712 [details] [diff] [review]
v1

This fixes a crash when using XUL with Python. Trivial fix.

Comment 10

[Mike Beltzner [:beltzner, not reading bugmail]]

Comment on attachment 305712 [details] [diff] [review]
v1

a1.9b4=beltzner