Closed
Bug 402404
Opened 17 years ago
Closed 17 years ago
Cycle collector crash on shutdown with setUserData
Categories
(Core :: DOM: Core & HTML, defect, P1)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla1.9beta1
People
(Reporter: jruderman, Assigned: peterv)
References
(Depends on 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?])
Attachments
(1 file)
|
1.31 KB,
patch
|
sicking
:
review+
sicking
:
superreview+
|
Details | Diff | Splinter Review |
Loading attachment 223709 [details] (the testcase for bug 324871) makes Firefox crash on shutdown.
I'm guessing this is a regression from bug 401687.
Flags: blocking1.9?
|
Reporter | |
Comment 1•17 years ago
|
||
Just before the crash, I see:
###!!! ASSERTION: Must be tracaeble: 'JSVAL_IS_TRACEABLE(mJSVal)', file /Users/jruderman/trunk/mozilla/js/src/xpconnect/src/xpcvariant.cpp, line 66
###!!! ASSERTION: Must be linked: 'mSelfp', file /Users/jruderman/trunk/mozilla/js/src/xpconnect/src/xpcjsruntime.cpp, line 1404
|
Assignee | |
Updated•17 years ago
|
Assignee: nobody → peterv
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9 M9
|
|
Assignee | |
Comment 2•17 years ago
|
||
After unlinking an XPCTraceableVariant we remove it from the set of XPConnect roots and set its mJSVal to JSVAL_NULL. We must not remove it twice from the set of XPConnect roots (that causes a crash), so in the destructor we need to check if its non-null before trying to remove it. JSVAL_IS_TRACEABLE is defined as |(JSVAL_IS_GCTHING(v) && !JSVAL_IS_NULL(v))|, so the assertion should use JSVAL_IS_GCTHING and we need to check for !JSVAL_IS_NULL before removing it from the root set. Again, whoever gets to this first please r/sr.
Attachment #287298 -
Flags: superreview?(jst)
Attachment #287298 -
Flags: review?(jonas)
|
|
Assignee | |
Updated•17 years ago
|
Status: NEW → ASSIGNED
Attachment #287298 -
Flags: superreview?(jst)
Attachment #287298 -
Flags: superreview+
Attachment #287298 -
Flags: review?(jonas)
Attachment #287298 -
Flags: review+
I'm gonna take the liberty to land this even though it isn't formally approved yet. Feel free to back me out if you disagree.
Flags: blocking1.9? → blocking1.9+
Checked in. Leaving for peter to mark as fixed.
I filed bug 402490 on my mistake (didn't know we had process for that, but apparently we do)
|
|
Assignee | |
Comment 7•17 years ago
|
||
Thanks for the reviews/checkin.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
||
Comment 8•17 years ago
|
||
I filed bug 403358 on getting Mochitests for the DOM userdata functionality, since apparently we have none at the moment (and thus existing tests didn't catch this).
Depends on: 403358
Flags: in-testsuite?
|
||
Comment 10•17 years ago
|
||
what does comment 9 mean? That this testcase now exposes a different bug (don't need to do anything more here) or that it's not fixed?
Depends on: 403145
Whiteboard: [sg:critical?]
|
||
Comment 11•17 years ago
|
||
That it now shows a double free on shutdown as in bug 403145 which is a different bug.
|
|
Reporter | |
Comment 12•17 years ago
|
||
The cycle collector was added after the 1.8 branch, so this bug doesn't affect the 1.8 branch.
Group: security
Flags: wanted1.8.1.x-
|
|
Reporter | |
Comment 13•17 years ago
|
||
I checked in the testcase for bug 324871 as content/base/crashtests/324871-1.html.
Flags: in-testsuite? → in-testsuite+
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•