411249 - Top crash [@ jsds_ScriptHookProc][@jsds_ScriptHookProc(JSDContext*, JSDScript*, int, void*)] on shutdown with Firebug 1.1.0b10 installed

Status: VERIFIED FIXED

(Other Applications Graveyard :: Venkman JS Debugger, defect, P1)

Description

[Samuel Sidler (old account; do not CC)]

There's a new topcrash that seems to have started around December 31.

See bp-c650086b-bdb2-11dc-a707-001a4bd43e5c and others based on the query in the URL field.

Crashing Thread
Frame 	Signature 	Source
0 	jsds_ScriptHookProc 	mozilla/js/jsd/jsd_xpc.cpp:707
1 	jsd_DestroyScriptHookProc 	mozilla/js/jsd/jsd_scpt.c:630
2 	js_CallDestroyScriptHook 	
3 	js_DestroyScript 	
4 	js_FinalizeFunction 	
5 	js_GC 	
6 	JS_GC 	
7 	nsXPConnect::Collect() 	mozilla/js/src/xpconnect/src/nsXPConnect.cpp:516
8 	nsCycleCollector::Collect(unsigned int) 	mozilla/xpcom/base/nsCycleCollector.cpp:2128
9 	nsCycleCollector::Shutdown() 	mozilla/xpcom/base/nsCycleCollector.cpp:2283
10 	nsCycleCollector_shutdown() 	mozilla/xpcom/base/nsCycleCollector.cpp:2701
11 	NS_ShutdownXPCOM_P 	mozilla/xpcom/build/nsXPComInit.cpp:785
12 	ScopedXPCOMStartup::~ScopedXPCOMStartup() 	mozilla/toolkit/xre/nsAppRunner.cpp:898
13 	XRE_main 	mozilla/toolkit/xre/nsAppRunner.cpp:3249
14 	NS_internal_main(int, char**) 	mozilla/browser/app/nsBrowserApp.cpp:158
15 	wmain 	mozilla/toolkit/xre/nsWindowsWMain.cpp:55
16 	__tmainCRTStartup 	crtexe.c:594
17 	BaseProcessStart

Comment 1

[Samuel Sidler (old account; do not CC)]

This seems to be crashing @ jsds_ScriptHookProc(JSDContext*, JSDScript*, int, void*) on Linux and Mac.

See bp-5380a87a-bdae-11dc-9a7e-001a4bd43ef6

http://crash-stats.mozilla.com/report/list?range_unit=weeks&version=Firefox%3A3.0b3pre&range_value=2&signature=jsds_ScriptHookProc%28JSDContext%2A%2C+JSDScript%2A%2C+int%2C+void%2A%29

Comment 2

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008010705 Minefield/3.0b3pre ID:2008010705

It happens for me on each shutdown of Minefield after I have installed Firebug 1.1.0b10. I'm sure that I was also seeing this with my OS X debug build. I could try to run a debug session today evening.

Comment 3

[Henrik Skupin [:whimboo][⌚️UTC+1]]

(gdb) frame 0
#0  0x2f132e03 in jsds_ScriptHookProc (jsdc=0x36873840, jsdscript=0x3aba7bb0, creating=0, callerdata=0x0) at /Users/henrik/Projects/mozilla/source/mozilla/js/jsd/jsd_xpc.cpp:707
707	    gJsds->GetScriptHook (getter_AddRefs(hook));
(gdb) p gJsds
$1 = (jsdService *) 0x0

Comment 5

[Tony Chung [:tchung]]

i confirm too, i see this with firebug 1.1.0b10 installed in my profile.  this has crashed multiple times for me with the same stack.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; es-ES; rv:1.9b3pre) Gecko/2008010904 Minefield/3.0b3pre

Stacktraces:
http://crash-stats.mozilla.com/report/index/2ee93478-beec-11dc-a68f-001a4bd43ef6?date=2008-01-09-19

http://crash-stats.mozilla.com/report/index/ed9bbbb5-bee4-11dc-b5e9-001a4bd43ef6?date=2008-01-09-18

Comment 6

[John J. Barton]

As I said on the duplicate:
Firebug could call jsd.off() in its ShutdownObserver. I also wonder if that would
help the FF2 crash on jsds_NotifyPendingDeadScripts,which also happens on exit.

Comment 7

[Henrik Skupin [:whimboo][⌚️UTC+1]]

So is this an extension issue only or a core one which is raised by Firebug? I don't know for what jsd.off() is used for.

But anyway, an extension shouldn't crash Firefox.

Comment 8

[John J. Barton]

(In reply to comment #7)
> So is this an extension issue only or a core one which is raised by Firebug? I
> don't know for what jsd.off() is used for.
> 
> But anyway, an extension shouldn't crash Firefox.
> 
Core, since as you say javascript should not crash Firefox. However, I *might* be able to make the only case that triggers it go away. In which case you might work on 391280 which blocks me from work on FF3. (If you can crash with firebug unpacked from .jar file, you can add jsd.off() just b4 jsd=null in the shutdown method of firebug-service.js).

Comment 9

[Henrik Skupin [:whimboo][⌚️UTC+1]]

(In reply to comment #8)
> unpacked from .jar file, you can add jsd.off() just b4 jsd=null in the shutdown
> method of firebug-service.js).

That's the solution. After adding jsd.off() no more crash happens on shutdown.  

Comment 10

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Does it mean that each registered debugger has to unregister itself on shutdown at the moment?

Comment 11

[John J. Barton]

(In reply to comment #10)
> Does it mean that each registered debugger has to unregister itself on shutdown
> at the moment?
> 

I'm not sure if you are asking about firebug-service registerDebugger or jsd? if jsd, then yes that list is short, venkman, firebug, any other?

Comment 12

[Henrik Skupin [:whimboo][⌚️UTC+1]]

I just asked because without this unregister process we run into this crash. From a js-novice point of view it looks like that the js debugger service doesn't wait that running debuggers (in that case Firebug) are stopped while running its own dtor. So if Firebug wants to access the service it will crash.

Comment 13

[timeless]

3152 NS_IMETHODIMP
3153 jsdService::SetScriptHook (jsdIScriptHook *aHook)
3154 {    

3163     if (aHook)
3164         JSD_SetScriptHook (mCx, jsds_ScriptHookProc, NULL);
3165     /* we can't unset it if !aHook, because we still need to see script
3166      * deletes in order to Release the jsdIScripts held in JSDScript
3167      * private data. */

 698 jsds_ScriptHookProc (JSDContext* jsdc, JSDScript* jsdscript, JSBool creating,
 699                      void* callerdata)
 700 {
 707     gJsds->GetScriptHook (getter_AddRefs(hook));

3265 jsdService::~jsdService()
3266 {
3268     Off();
3269     gJsds = nsnull;

http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/js/jsd/jsd_xpc.cpp&rev=1.16&mark=922,1165
Shows this comment stuff used to be valid.

http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/extensions/venkman/resources/content/venkman-debugger.js&rev=1.14&mark=414#393
venkman started using the hook in: 1.11 <rginda@netscape.com> 2001-05-04 15:32

http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=/mozilla/js/jsd&command=DIFF_FRAMESET&file=jsd_xpc.cpp&rev2=1.29&rev1=1.28
1.29 <rginda@netscape.com> 2002-01-11 16:56
bug 115695, rs=brendan, venkman only
netive changes relating to pretty print support, includes...
* remove jsdIPC interface, replaced with ulong offsets from PC 0.
* add |pcmap| parameter to select between sourcetext/prettyprint linemaps (pcToLine, lineToPc, and isLineExecutable.)
* add |functionSource| property to jsdIScript.
* add |tag| to jsdIScript.
* fixed potential jsdIScript leaks.

Is what introduced this change on the jsd_xpc side.

from my perspective, jsd_xpc is buggy. And so, I'm going to take this bug. If someone wants to figure out how the cycle collector or JS_Debug apis changed, that's fine by me, but I'm going to try my side using this bug :)

Comment 14

[timeless]

Attachment: handle two unclearable callback cases

Comment 15

[Tony Chung [:tchung]]

Drivers: can we get this approved for beta 3?  it's a top crash.

Comment 16

[John J. Barton]

If anyone will work on 391280 I'll ask xucia to build Firebug with the workaround.

Comment 17

[:Gijs (he/him)]

Comment on attachment 298547 [details] [diff] [review]
handle two unclearable callback cases

rs=me

Timeless, could you ask for approval to get this in?

Comment 18

[timeless]

Comment on attachment 298547 [details] [diff] [review]
handle two unclearable callback cases

not quite sure how to do that :)

Comment 19

[Mike Beltzner [:beltzner, not reading bugmail]]

Comment on attachment 298547 [details] [diff] [review]
handle two unclearable callback cases

a=beltzner for 1.9 and beta 3 (timeless: that's how!)

Comment 20

[timeless]

Comment on attachment 298547 [details] [diff] [review]
handle two unclearable callback cases

mozilla/js/jsd/jsd_xpc.cpp 	1.85

Comment 21

[Henrik Skupin [:whimboo][⌚️UTC+1]]

No crash on shutdown with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b3pre) Gecko/2008020104 Minefield/3.0b3pre ID:2008020104 anymore => Verified. Thanks timeless.

Comment 22

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Got this crash again some minutes ago with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b4pre) Gecko/2008030111 Minefield/3.0b4pre ID:2008030111

Breakpad id: bp-5468657a-e7ed-11dc-b9eb-001a4bd43ed6

The strack trace looks a bit different now:

0  	jsds_ScriptHookProc(JSDContext*, JSDScript*, int, void*)  	 mozilla/js/jsd/jsd_xpc.cpp:716
1 	jsd_DestroyScriptHookProc 	mozilla/js/jsd/jsd_scpt.c:630
2 	js_DestroyScript 	mozilla/js/src/jsscript.c:1504
3 	js_FinalizeObject 	mozilla/js/src/jsobj.c:2817
4 	js_GC 	mozilla/js/src/jsgc.c:3224
5 	JS_GC 	mozilla/js/src/jsapi.c:2393
6 	nsXPConnect::Collect() 	mozilla/js/src/xpconnect/src/nsXPConnect.cpp:526
7 	nsCycleCollector::Collect(unsigned int) 	mozilla/xpcom/base/nsCycleCollector.cpp:2191

Comment 23

[John J. Barton]

Just to verify Henrik, you are running as-released firebug-1.1b10? The firebug-1.1b12 from http://getfirebug.com/releases has the jsd.off() call and I'm hope we don't get this crash.

Comment 24

[timeless]

that's a different crash, it should be fixed by attachment 305891 [details] [diff] [review], it's in the wrong bug, but....

Comment 25

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Indeed. After upgrading to Firefox 3 for my daily profile yesterday I didn't noticed that Firebug 1.05 was installed. So it's really a different issue. Resetting target milestone.