Closed Bug 391209 Opened 14 years ago Closed 14 years ago

cycle collector crash with python objects

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
critical

RESOLVED FIXED

People

(Reporter: knowikow, Assigned: peterv)

Attachments

(4 files)

User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.5) KHTML/3.5.5 (like Gecko)
Build Identifier: xulrunner 1.9a8pre (CVS trunk)

I am getting a segmentation fault when I add the 'script-type="application/x-python"' attribute to a XUL window AND add an event handler to any child node of the window.

Reproducible: Always

Steps to Reproduce:
1. build xulrunner with python enabled (I'll attach my .mozconfig file)
2. cd $MOZ_OBJDIR/dist/xpi-stage/pyxultest
3. run 'LD_LIBRARY_PATH=../../bin ../../bin/xulrunner-bin application.ini'
4. Wait ~15 seconds after the program started
Actual Results:  
A segmentation fault. I'll attach the output of a gdb session.
It fails here: (js/src/jsgc.c:1436)
1422| JS_PUBLIC_API(void)
1423│ JS_TraceChildren(JSTracer *trc, void *thing, uint32 kind)
1424│ {
1425│     JSObject *obj;
1426│     size_t nslots, i;
1427│     jsval v;
1428│     JSString *str;
1429│
1430│     switch (kind) {
1431│       case JSTRACE_OBJECT:
1432│         /* If obj has no map, it must be a newborn. */
1433│         obj = (JSObject *) thing;
1434│         if (!obj->map)
1435│             break;
1436├>        if (obj->map->ops->trace) {
1437│             obj->map->ops->trace(trc, obj);
1438│         } else {
1439│             nslots = STOBJ_NSLOTS(obj);


Expected Results:  
no crash

I am using Python 2.5 and gcc 4.1.2 on Gentoo Linux with KDE 3.5.5

If I don't cd to dist/xpi-stage/pyxultest, but to dist/bin, and run
'LD_LIBRARY_PATH=. xulrunner-bin ../xpi-stage/pyxultest/application.ini'
instead, then the problem is not always reproducible.
I get a similar crash every time I open the pyDom pyxultest "chrome://pyxultest/content/pyxultest.xul" window.

It seems to crash exactly when the image timer is being removed.

This occurs using the latest trunk (Feb 18th 2008) builds of Firefox on both Windows and Linux platforms.

I'll attach the debug output from my session, including the gdb stacktrace.

I see the same stacktrace as Todd.  The problem seems to be these 2 entries:

xul.dll!nsContentUtils::DropScriptObjects(unsigned int aLangID=3, void * aScriptObjectHolder=0x01dafc40, nsScriptObjectTracer * aTracer=0x01dafc40)  Line 1047
xul.dll!nsJSEventListener::cycleCollection::Unlink(void * p=0x03ee0760)  Line 109 + 0x2a bytes

DropScriptObjects has special support for JS, and it appears the implementation is incorrect for other languages.  Specifically, the 'void *aScriptObjectHolder' is being used as an ISupports, which it is not.  It is apparently a "class nsJSEventListener::cycleCollection".

I'm afraid I don't know anything about the cycle collector.  I'm adding peterv as a CC as he appears on the blame and on all other CC related bugs.


Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: PC → All
Version: unspecified → Trunk
Summary: PyDOM: Segmentation fault when running pyxultest → cycle collector crash with python objects
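
The hazard described in the comment above, as an added C++ example that is not Mozilla's code and not the attached patch: a type-erased `void*` holder accepts any pointer, including the tracer itself (in the stack trace both arguments are 0x01dafc40). All types and function names below are hypothetical stand-ins; the typed wrapper is one possible hardening, assumed for illustration.

```cpp
#include <vector>

// Hypothetical stand-ins; none of these are Mozilla's real declarations.
struct ScriptObject { int refs = 1; };

using TraceCallback = void (*)(ScriptObject* obj, void* closure);

// Type-erased interface, like the (holder, tracer) pair in the stack trace.
struct Tracer {
    virtual void Trace(void* holder, TraceCallback cb, void* closure) = 0;
    virtual ~Tracer() = default;
};

// Unsafe shape: any pointer is accepted as `holder`. Passing the tracer
// itself compiles cleanly, and the tracer then reinterprets the wrong
// object's memory as a holder.
inline void DropUntyped(void* holder, Tracer* tracer, int* released) {
    tracer->Trace(holder, [](ScriptObject* o, void* c) {
        --o->refs;                       // release one script object
        ++*static_cast<int*>(c);         // count it for the caller
    }, released);
}

// Hardened shape: the tracer is parameterised on the holder type and the
// public entry point takes Holder*, so the void* never leaves this class.
template <typename Holder>
struct TypedTracer : Tracer {
    void Trace(void* holder, TraceCallback cb, void* closure) override {
        for (ScriptObject* o : static_cast<Holder*>(holder)->scriptObjects)
            cb(o, closure);
    }
    int Drop(Holder* holder) {           // Drop(&tracer) does not compile
        int released = 0;
        DropUntyped(holder, this, &released);
        return released;
    }
};

struct EventListener {                   // hypothetical holder type
    std::vector<ScriptObject*> scriptObjects;
};

// Constructed sample: a listener holding two script objects.
int DemoDrop() {
    ScriptObject a, b;
    EventListener listener{{&a, &b}};
    TypedTracer<EventListener> tracer;
    int n = tracer.Drop(&listener);
    return (a.refs == 0 && b.refs == 0) ? n : -1;
}
```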
Attached patch v1
Grrr.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Attachment #305712 - Flags: superreview?(jst)
Attachment #305712 - Flags: review?(jst)
Attachment #305712 - Flags: superreview?(jst) → superreview+
Attachment #305712 - Flags: review?(jst) → review+
Works for me - thanks.  It does leave lots of assertions though, so I opened bug 419745 to track the implementation of a cycle collector for Python.
Thanks, I can verify that this patch solves the problem for me as well (Linux).
Comment on attachment 305712
v1

This fixes a crash when using XUL with Python. Trivial fix.
Attachment #305712 - Flags: approval1.9b4?
Comment on attachment 305712
v1

a1.9b4=beltzner
Attachment #305712 - Flags: approval1.9b4? → approval1.9b4+
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Component: DOM → DOM: Core & HTML