Closed Bug 486585 Opened 15 years ago Closed 15 years ago

"ASSERTION: bad!" in XPCCallContext::XPCCallContext with feed in frame, gc

Categories

(Core :: XPConnect, defect, P4)

Product:
Core
Component:
XPConnect
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: jruderman, Assigned: peterv)

References

Details

(Keywords: assertion, testcase, verified1.9.1)

Attachments

(3 files)

testcase (refers to feed on squarefree.com)
178 bytes, text/html
Details
stack
5.88 KB, text/plain
Details
v1
1.36 KB, patch
mrbkap
: review+
mrbkap
: superreview+
Details | Diff | Splinter Review 
Steps:
1. Load the testcase.
2. Wait a few seconds while it reloads itself a few times.
3. Cmd+Q.

Result: near the end of shutdown, several of
###!!! ASSERTION: bad!: 'Error', file  js/src/xpconnect/src/xpccallcontext.cpp, line 88

in XPCCallContext::XPCCallContext:

    if(!stack || NS_FAILED(stack->Peek(&topJSContext)))
    {
        NS_ERROR("bad!");
        mJSContext = nsnull;
        return;
    }
Attached file stack 

    
    

    
  
For what it's worth, the steps in comment 0 work for me.  No assertions.

That said, I see no reason the stack given here couldn't arise if the wrapped js lives long enough into shutdown (e.g. leaks).

    
    

    
  
I can only reproduce about 50% of the time.  I forgot to mention that in comment 0, sorry.

Is the assertion bogus or does it point to a real problem?  Or is it hard to tell without debugging?

    
    

    
  
I'm not sure.  It points to an inability to actually set up an XPCCallContext properly because we're too far into shutdown.  But I'm not sure what that means in practice.

    
    

    
  
We could avoid this particular case by checking if mIdentity is an nsXPCWrappedJS, but not sure we want to do that for every call to FlatJSObjectFinalized.

    
    

    
  
BTW, nothing bad happens after the assertion AFAICT, because we check if the XPCCallContext is valid.

    
    

    
  
Test disabled in TM tre until this is fixed.

http://hg.mozilla.org/tracemonkey/rev/1d2bb1304fe4

    
  
Flags: blocking1.9.1+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1Splinter Review
      

    


  
I added the assertion to SetCallInfo and SetIDispatchInfo because they set mState and we want to know if somebody clobbers INIT_FAILED/SYSTEM_SHUTDOWN.
Assignee: nobody → peterv
Status: NEW → ASSIGNED

        Attachment #371128 -
        Flags: superreview?(mrbkap)

        Attachment #371128 -
        Flags: review?(mrbkap)

    
  
Blocks: 484692

        Attachment #371128 -
        Flags: superreview?(mrbkap)

        Attachment #371128 -
        Flags: superreview+

        Attachment #371128 -
        Flags: review?(mrbkap)

        Attachment #371128 -
        Flags: review+

    
    

    
  
I also reenabled test_urlformatter.js on trunk.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: fixed1.9.1
Priority: -- → P4
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1

    
    

    
  
verified FIXED on debug builds using the attached testcase (no assertions):

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre)
Gecko/20090608 Shiretoko/3.5pre ID:20090608122057

and

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090608 Minefield/3.6a1pre ID:20090608122028
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: