Closed Bug 481302 Opened 12 years ago Closed 12 years ago

TM: Crash on webpage with [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]


(Core :: JavaScript Engine, defect, P2)






(Reporter: alice0775, Unassigned)




(Keywords: crash, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Crash Data


(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090303 Firefox/3.1b3pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090303 Minefield/3.2a1pre

Crash When rloading of the page is completed.

Reproducible: Always

Steps to Reproduce:
1.Start Minefield with New Profile.
2.set to true in about:config.
3.Go URL
Actual Results:  
Crash Minefield with the crash report.

Expected Results:  
No crash.

If not set to true, Minefield did not crash.
Confirmed with latest 3.1b3pre on Linux.

Odd that it's the chrome JIT that is needed, and not the content JIT.
OS: Windows XP → All
Hardware: x86 → All
Summary: Crash [@ XPCWrappedNative::HasProto() ] → Crash with [@ XPCWrappedNative::HasProto() ]
Ever confirmed: true
I get the same stack as you on Windows XP, but get completely different stacks for Shiretoko and Minefield on Linux.

3.1b3pre and 3.2a1pre on Windows:
0  	xul.dll  	XPCWrappedNative::HasProto  	 js/src/xpconnect/src/xpcprivate.h:2181
1 	xul.dll 	XPCWrappedNative::GetProto 	js/src/xpconnect/src/xpcprivate.h:2187
2 	xul.dll 	nsXPConnect::Traverse 	js/src/xpconnect/src/nsXPConnect.cpp:749
3 	xul.dll 	xul.dll@0xa0299f 

3.1b3pre on Linux:
0  	JS_CallTracer  	js/src/jsgc.cpp:1086
1 	js_TraceObject 	js/src/jsobj.cpp:5489
2 	JS_TraceChildren 	js/src/jsgc.cpp:2428
3 	JS_CallTracer 	js/src/jsgc.cpp:2704
4 	TraceScopeJSObjects 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:653
5 	js_TraceObject 	js/src/jsobj.cpp:5467
6 	JS_TraceChildren 	js/src/jsgc.cpp:2428
7 	JS_CallTracer 	js/src/jsgc.cpp:2704
8 	XPCWrappedNativeProto::TraceJS 	js/src/xpconnect/src/nsXPConnect.cpp:1985
9 	XPCWrappedNative::TraceJS 	js/src/xpconnect/src/xpcprivate.h:2339
10 	xpc_TraceForValidWrapper 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:694
11 	XPC_WN_Shared_Trace 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:706
12 	js_TraceObject 	js/src/jsobj.cpp:5467
13 	JS_TraceChildren 	js/src/jsgc.cpp:2428
14 	JS_CallTracer 	js/src/jsgc.cpp:2704
15 	js_TraceContext 	js/src/jsgc.cpp:3028
16 	js_TraceRuntime 	js/src/jsgc.cpp:3113
17 	js_GC 	js/src/jsgc.cpp:3521
18 	JS_GC 	js/src/jsapi.cpp:2499
19 	nsXPConnect::Collect 	js/src/xpconnect/src/nsXPConnect.cpp:478
20 	nsCycleCollector::Collect 	xpcom/base/nsCycleCollector.cpp:2256
21 	nsCycleCollector_collect 	xpcom/base/nsCycleCollector.cpp:2904

3.2a1pre on Linux:
0  	WrapperIsNotMainThreadOnly  	 js/src/xpconnect/src/xpcprivate.h:2187
1 	nsXPConnect::Traverse 	js/src/xpconnect/src/nsXPConnect.cpp:749
2 	GCGraphBuilder::Traverse 	xpcom/base/nsCycleCollector.cpp:1319
3 	nsCycleCollector::MarkRoots 	xpcom/base/nsCycleCollector.cpp:1519
4 	nsCycleCollector::BeginCollection 	xpcom/base/nsCycleCollector.cpp:2374
5 	nsCycleCollector_beginCollection 	xpcom/base/nsCycleCollector.cpp:2916
6 	XPCCycleCollectGCCallback 	js/src/xpconnect/src/nsXPConnect.cpp:391
7 	js_GC 	js/src/jsgc.cpp:3532
8 	JS_GC 	js/src/jsapi.cpp:2498
9 	nsXPConnect::Collect 	js/src/xpconnect/src/nsXPConnect.cpp:478
10 	nsCycleCollector::Collect 	xpcom/base/nsCycleCollector.cpp:2256
11 	nsCycleCollector_collect 	xpcom/base/nsCycleCollector.cpp:2904
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: Crash with [@ XPCWrappedNative::HasProto() ] → TM: Crash on webpage with [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Version: unspecified → 1.9.1 Branch
Version: 1.9.1 Branch → Trunk
Regression range:
No Crash:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090216 Minefield/3.2a1pre

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090217 Minefield/3.2a1pre

Changesets between the above regression range:
I can confirm the crash using the steps in comment 0.  with enabled, the URL will crash after trying to fully load.  with disabled, the site loads without crashing.
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Priority: -- → P2
bsmedberg suggested we block on this since it can likely happen from content as well
Flags: blocking1.9.1? → blocking1.9.1+
Attached file assertion
Nothing happens to me if I run this from a started browser, but if I start up with ./firefox going directly to the page, I get the assertion in this attachment.

chrome jit on.
Crashes 3.1b4pre build 20090314050040.

I do have chrome jit on as well.
This seems to be fixed in the latest Tracemonkey branch build.
(tested w/ WinXP & Linux)
Whiteboard: fixed-in-tracemonkey
Duplicate of this bug: 483485
Going to with 3.1b4pre build 20090315052502 still crashes.

Vista Ultimate SP2 32bit and = true.
Blocks: 453668
This should be fixed in m-c now too, but not yet in Shiretoko. Look for fixed1.9.1 to mark that.
Closed: 12 years ago
Resolution: --- → FIXED
Keywords: fixed1.9.1
Verified fixed on trunk and 1.9.1 with builds on Windows and OS X:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090526 Minefield/3.6a1pre ID:20090526031623

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre)
Gecko/20090526 Shiretoko/3.5pre ID:20090526031155
Target Milestone: --- → mozilla1.9.2a1
Crash Signature: [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Crash Signature: [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ] → [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Flags: wanted1.9.1?
You need to log in before you can comment on or make changes to this bug.