Closed Bug 464676 Opened 16 years ago Closed 15 years ago

Cycle collector sometimes unlinks live cycles

Categories

(Core :: XPConnect, defect, P2)

Product:
Core
Component:
XPConnect
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.1

People

(Reporter: peterv, Assigned: peterv)

Details

(Keywords: fixed1.9.1)

Attachments

(2 files, 3 obsolete files)

v3.1
4.55 KB, patch
bent.mozilla
: review+
jst
: superreview+
Details | Diff | Splinter Review
v3.2
4.91 KB, patch
bent.mozilla
: review+
jst
: superreview+
Details | Diff | Splinter Review 
We currently only add the JS objects of XPCWrappedNatives to the cycle collector if they are marked as main-thread-only. We really should be adding all the JS objects of XPCWrappedNatives, but not traverse to the XPCWrappedNatives themselves. With the current code we do not detect if a cycle is held by a JS object of a non-main-thread-only wrapper and so we try to unlink that cycle, even though it's still 'live'. Anything held by the XPCWrappedNative will be marked black if we don't traverse to it (because it'll have a missing refcount).
Flags: blocking1.9.1?
Sounds like this can cause random crashers in multi-threaded JS code then? Like the new places code?
I don't think it'll cause crashes, unless the unlinking makes us access nulled out members (but that could then happen without this bug too). We'll still mark all the live JS objects once cycle collection is done, because we never set the "unlink" bit on the non-main-thread-only XPCWrappedNatives and they're the ones holding everything else alive.
Sounds like this should be fixed for 1.9.1.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Attached patch v1 (obsolete) — Splinter Review 

    
  

        Attachment #355816 -
        Flags: superreview?(jst)

        Attachment #355816 -
        Flags: review?(bent.mozilla)

    
    

    
  
Comment on attachment 355816 [details] [diff] [review]
v1

Waiting on a new patch.

>+        if(IS_PROTO_CLASS(clazz))

We chatted on IRC and this should probably become:

  if(IS_WRAPPER_CLASS(clazz) || IS_TEAROFF_CLASS(clazz))

>+        else {

nit: separate line for that '{' (I <3 xpconnect).

        Attachment #355816 -
        Attachment is obsolete: true

        Attachment #355816 -
        Flags: superreview?(jst)

        Attachment #355816 -
        Flags: review?(bent.mozilla)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v2 (obsolete)
        — Splinter Review
      

    


  
This ended up slightly different, since we were already dealing with tearoffs separately in nsXPConnect::Traverse. Also decided to not call GetWrappedNativeOfJSObject since we don't need most of that function.

    
    

    
  
Comment on attachment 357075 [details] [diff] [review]
v2

Verified in the debugger that it works ok. No leaks on mochitest.

        Attachment #357075 -
        Flags: superreview?(jst)

        Attachment #357075 -
        Flags: review?(bent.mozilla)

        Attachment #357075 -
        Flags: review?(bent.mozilla) → review+

    
    

    
  
This is the right thing to do, but thinking this over I think it doesn't completely solve the problem. We need to add the JS objects of non-main thread only wrappers that have external references to the cycle collector as marked, since if we don't traverse to those wrappers the wrappers themselves can't mark the JS objects as black.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v3 (obsolete)
        — Splinter Review
      

    


  
Ben: sorry for the third review request in a row, I don't think I'll come up with more issues ;-).

        Attachment #357075 -
        Attachment is obsolete: true

        Attachment #357383 -
        Flags: superreview?(jst)

        Attachment #357383 -
        Flags: review?(bent.mozilla)

        Attachment #357075 -
        Flags: superreview?(jst)

    
  

        Attachment #357383 -
        Attachment is obsolete: true

        Attachment #357383 -
        Flags: superreview?(jst)

        Attachment #357383 -
        Flags: review?(bent.mozilla)

    
    

    
  
Comment on attachment 357383 [details] [diff] [review]
v3

Ugh, this isn't right either.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v3.1Splinter Review
      

    


  

        Attachment #357422 -
        Flags: superreview?(jst)

        Attachment #357422 -
        Flags: review?(bent.mozilla)

    
    

    
  
Comment on attachment 357422 [details] [diff] [review]
v3.1

Cool, that makes sense. r=me.

        Attachment #357422 -
        Flags: review?(bent.mozilla) → review+

        Attachment #357422 -
        Flags: superreview?(jst) → superreview+

    
  
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
    

    
  
Had to back out, chrome and browser tests are leaking, which is worrying since it means we might be relying on unlinking live cycles to mask leaks.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v3.2Splinter Review
      

    


  
We have a number of objects that participate in cycle collection but that don't have classinfo. These objects should only be used on the main thread, but we can't detect that from the wrapper. We can detect it by checking if they participate in cycle collection, so I added code to WrapperIsNotMainThreadOnly that does just that. It's a bit expensive (QI), but on the other hand it might make us traverse less XPCWrappedNatives than we do currently.

This seems to fix all the leaks, I'll double-check that before checking in.

        Attachment #358467 -
        Flags: superreview?(jst)

        Attachment #358467 -
        Flags: review?(bent.mozilla)

        Attachment #358467 -
        Flags: review?(bent.mozilla) → review+

    
    

    
  
Comment on attachment 358467 [details] [diff] [review]
v3.2

This looks good, though if we need to (want to?) optimize this I think we should do this QI up front when creating the wrappers and set a bit somewhere.

        Attachment #358467 -
        Flags: superreview?(jst) → superreview+

    
    

    
  
Checked in again and backed out again, no leaks on the unit boxes but the leak boxes turned red with:

*** Potential deadlock between XPCJSRuntime::mMapLockMonitor@22698b0 and nsComponentManagerImplMonitor@c3bb30

They did have one green cycle after my checkin and I can't reproduce locally (and the stacks in the logs are useless). I'm not sure this patch was to blame, so I might try landing again tomorrow.

    
    

    
  
I've seen that assertion lots of times before without this patch... Maybe this increases the frequency or something but the problem is elsewhere.

    
    

    
  
Relanded on trunk, seems to stick.
Status: REOPENED → RESOLVED
Closed: 16 years ago15 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: