Closed Bug 493366 Opened 16 years ago Closed 16 years ago

Assertion failure: (cx)->requestDepth || (cx)->thread == (cx)->runtime->gcThread, at mozilla/js/src/jsapi.cpp:5196

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: smaug, Assigned: smaug)

References

Details

(Keywords: assertion, verified1.9.0.12, verified1.9.1, Whiteboard: regression from 461861 [fixed on 1.9.0.12 by 461861])

Attachments

(2 files, 1 obsolete file)

Full stack trace
75.78 KB, text/plain
Details
patch
660 bytes, patch
mrbkap
: review+
mrbkap
: superreview+
Details | Diff | Splinter Review
I get the assertion when running mochitest on a x86_64 linux debug build. #7 0x00002aaaaadcd79c in JS_Assert (s=<value optimized out>, file=<value optimized out>, ln=<value optimized out>) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsutil.cpp:69 #8 0x00002aaaaad26be6 in JS_CallFunctionValue (cx=0x33af790, obj=0x4054740, fval=67461760, argc=0, argv=0x0, rval=0x7fff8f095780) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5196 #9 0x00002aaab0af0a61 in nsXBLProtoImplAnonymousMethod::Execute (this=0x17ee2b0, aBoundElement=0x2a4eb40) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp:332 #10 0x00002aaab0afe9d5 in nsBindingManager::ProcessAttachedQueue (this=0x328c380, aSkipSize=0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsBindingManager.cpp:1015 #11 0x00002aaab0afea6e in nsBindingManager::EndOutermostUpdate (this=0x328c380) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsBindingManager.cpp:1677 #12 0x00002aaab097abde in nsDocument::EndUpdate (this=0x3539960, aUpdateType=<value optimized out>) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsDocument.cpp:3709 #13 0x00002aaab0a7492f in nsHTMLDocument::EndUpdate (this=0x3ec9, aUpdateType=16073) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/html/document/src/nsHTMLDocument.cpp:3045
Can you attach the full stack trace?
Blocks: 372581
Assignee: general → igor
Hardware: x86 → x86_64
This bug is a regression from the bug 413774. Here is a relevant source of nsXBLProtoImplAnonymousMethod::Execute that triggers this bug, http://hg.mozilla.org/mozilla-central/file/998d6f6e95b7/content/xbl/src/nsXBLProtoImplMethod.cpp#l266 309 JSAutoRequest ar(cx); ... 320 // Use nsCxPusher to make sure we call ScriptEvaluated when we're done. 321 nsCxPusher pusher; 322 NS_ENSURE_STATE(pusher.Push(aBoundElement)); ... 331 ok = ::JS_CallFunctionValue(cx, thisObject, OBJECT_TO_JSVAL(method), 332 0 /* argc */, nsnull /* argv */, &retval); What happens here is that pusher.Push(aBoundElement) pushes a JSContext instance that is different from the one stored in the cx variable. Since the bug 413774 that lead to suspending the previous top of the stack, that is, the cx. Now, this bug may not be a true regression from the bug 413774 as the latter could just expose some latent problem. For example, shouldn't the code use the pushed context by pusher.Push(aBoundElement), not the cx locals, when doing JS_CallFunctionValue?
Blocks: 413774
Uh... how do cx and the context the pusher pushes end up different? Both look like they go through the owner document, then one uses the script global object, the other the script handling object. Is that the issue? After that they're identical again.
bug 413774 did land long time ago. This assertion is something recent. (In reply to comment #4) > Uh... how do cx and the context the pusher pushes end up different? Yeah, I can't see how that could happen.
(In reply to comment #5) > bug 413774 did land long time ago. This assertion is something recent. > > (In reply to comment #4) > > Uh... how do cx and the context the pusher pushes end up different? > Yeah, I can't see how that could happen. Right, the context instance is the same, I was too quick to assume that. So the issue is unrelated to the bug 413774. The real cause is the following code in XPCJSContextStack::Push, http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/src/xpcthreadcontext.cpp#134 : 141 XPCJSContextInfo & e = mStack[mStack.Length() - 2]; ... 149 nsIPrincipal* globalObjectPrincipal = 150 GetPrincipalFromCx(cx); ... 153 nsIPrincipal* subjectPrincipal = ssm->GetCxSubjectPrincipal(cx); 154 PRBool equals = PR_FALSE; 155 globalObjectPrincipal->Equals(subjectPrincipal, &equals); 156 if(equals) 157 { 158 return NS_OK; 159 } ... 162 } 163 164 e.frame = JS_SaveFrameChain(e.cx); 165 166 if(JS_GetContextThread(e.cx)) 167 e.requestDepth = JS_SuspendRequest(e.cx); Here the check globalObjectPrincipal->Equals returns false leading to fallthrough to the code suspending the e.cx and the current cx. That points directly to the bug 461861.
Blocks: 461861
No longer blocks: 413774
Ah, fun, I caused this.
Assignee: igor → Olli.Pettay
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Attached patch not tested (obsolete) — Splinter Review
This needs to block 1.9.1.
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Comment on attachment 378421 [details] [diff] [review] not tested >- if(JS_GetContextThread(e.cx)) >+ if(JS_GetContextThread(e.cx) && e.cx != cx) I suspect that JS_GetContextThread returning null here would be a bug as no code in the FF codebase calls JS_ClearContextThread. But even if it is possible it is better to avoid this function call that a compiler cannot optimize when e.cx == cx.
Attached patch patchSplinter Review
Attachment #378421 - Attachment is obsolete: true
Attachment #378565 - Flags: superreview?(mrbkap)
Attachment #378565 - Flags: review?(mrbkap)
Attachment #378565 - Flags: superreview?(mrbkap)
Attachment #378565 - Flags: superreview+
Attachment #378565 - Flags: review?(mrbkap)
Attachment #378565 - Flags: review+
Comment on attachment 378565 [details] [diff] [review] patch Sorry, should have spotted this when I reviewed the last patch.
http://hg.mozilla.org/mozilla-central/rev/0f4de606acd7 Thanks Igor!
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Needed if we take bug 461861
Flags: wanted1.9.0.x?
Flags: blocking1.9.0.12?
Whiteboard: regression from 461861
Olli, I think this works for trunk and 1.9.1 for you now?
Target Milestone: --- → mozilla1.9.2a1
Yes, I pushed the patch to trunk and 1.9.1
Based on comment 17 everything should be fine now. I can't test on my own due to the lack of a 64bit Linux system. Marking as verified.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.12?
Flags: blocking1.9.0.12+
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.next?
This was 1.9.0.12fixed in Bug 461861
Keywords: fixed1.9.0.12
Whiteboard: regression from 461861 → regression from 461861 [fixed on 1.9.0.12 by 461861]
Marking verified for 1.9.0.12 based on Bug 461861.
Keywords: fixed1.9.0.12verified1.9.0.12
Flags: blocking1.8.1.next? → blocking1.8.1.next-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: