Closed Bug 522839 Opened 15 years ago Closed 15 years ago

Remaining crash [@ WillDeadlock] after the fix for bug 514554

Categories

(Core :: XPConnect, defect, P2)

Product:
Core
Component:
XPConnect
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1
Tracking Flags:
Tracking Status
status1.9.2 --- beta3-fixed
blocking1.9.1 --- .6+
status1.9.1 --- .6-fixed

People

(Reporter: mrbkap, Assigned: mrbkap)

References

Details

(Whiteboard: [sg:investigate])

Attachments

(1 file)

Easiest fix
1.06 KB, patch
bent.mozilla
: review+
samuel.sidler+old
: approval1.9.1.6+
Details | Diff | Splinter Review 
See bug 514554, comment 29 and following. This is likely a race that's left over. I'll mark this security sensitive since the original bug is and because the testcase isn't yet public.
http://crash-stats.mozilla.com/report/index/1f4d1c31-bee6-41e1-a967-edc5d2091016
0  	js3250.dll  	WillDeadlock  	 js/src/jslock.cpp:385
1 	js3250.dll 	js3250.dll@0x6b06e 	
2 	js3250.dll 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:3802
3 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1950
4 	js3250.dll 	js_GetPropertyHelper 	js/src/jsobj.cpp:4258
Summary: Remaining crash after the fix for bug 514554 → Remaining crash [@ WillDeadlock] after the fix for bug 514554
blocking1.9.1: --- → ?
status1.9.1: --- → wanted
Flags: blocking1.9.2?
Whiteboard: [sg:investigate][3.6.x]
Group: core-security
blocking1.9.1: ? → .5+
Whiteboard: [sg:investigate][3.6.x] → [sg:investigate]
Ben, any thoughts on this bug?
Assignee: nobody → bent.mozilla
Ben says this one's all Blake's. Blake, do you think this should block the release?
Assignee: bent.mozilla → nobody
Component: DOM: Mozilla Extensions → XPConnect
OS: Mac OS X → All
QA Contact: general → xpconnect
Hardware: x86 → All
I'm confused, in bug 514554 Al said the crash he saw on this testcase was http://crash-stats.mozilla.com/report/index/62c11801-4dbe-403b-811f-3d2ad2091016?p=1 which is very different crash.
Assignee: nobody → mrbkap
It's looking like I'm not going to be able to get to this... I'll fix the crash in comment 5, but Al's answer to comment 5 should probably weigh in on blocking/FIXED markings.
Attached patch Easiest fixSplinter Review 
It would be a bit cleaner to be able to tell the thread pool manager that we shouldn't create the thread if creating the context fails, but it ignores the return value of OnThreadCreated, so we end up with this partially-constructed thread anyway. I went through the other places that look up contexts and I believe that they are all safe (either null check or in order to get to that point, we must have successfully run code on this thread and therefore have a context).
Attachment #410757 - Flags: review?(bent.mozilla)
Is there a question for me? I just reported what I got when I crashed. The explanations as to cause were from you. :-)
Al, did you crash in WillDeadlock or JS_SetContextPrivate or both?
Both, separately, when I tested.
Comment on attachment 410757 [details] [diff] [review]
Easiest fix

Sorry Blake, I meant the crash in comment 1 would be all you. We need to spin that out into a separate bug I guess. The null check you have here is ok for now.
Attachment #410757 - Flags: review?(bent.mozilla) → review+
Comment on attachment 410757 [details] [diff] [review]
Easiest fix

No reason not to take this null pointer check for 1.9.1 IMO.
Attachment #410757 - Flags: approval1.9.1.6?
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Target Milestone: --- → mozilla1.9.2
Comment on attachment 410757 [details] [diff] [review]
Easiest fix

Approved for 1.9.1.6. a=ss
Attachment #410757 - Flags: approval1.9.1.6? → approval1.9.1.6+
Keywords: checkin-needed
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e5261adb8014

Marking fixed for 1.9.1.6, but leaving bug open as there's likely more to do here (or in followup bugs that get filed once mrbkap is back).
status1.9.1: wanted.6-fixed
http://hg.mozilla.org/mozilla-central/rev/f5ab4934c855
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ea520cb019ce
Status: NEW → RESOLVED
Closed: 15 years ago
status1.9.2: --- → final-fixed
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: mozilla1.9.2 → mozilla1.9.3a1
I'm still crashing using the "index.html" file from the testcase in 1.9.1.6 pretty reliably when I click on the red 'x' to close Firefox.

I'm not getting the crashreporter in my debug build but my debug output shows:

WARNING: NS_ENSURE_TRUE(browserChrome) failed: file c:/projects/moz1.9.1/docshel
l/base/nsDocShell.cpp, line 9324
WARNING: Something wrong when creating the docshell for a frameloader!: file c:/
projects/moz1.9.1/content/base/src/nsFrameLoader.cpp, line 902
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file c:/projec
ts/moz1.9.1/content/base/src/nsFrameLoader.cpp, line 926
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file c:/projec
ts/moz1.9.1/content/base/src/nsFrameLoader.cpp, line 182
++WEBSHELL 02EDC940 == 5
++DOMWINDOW == 6 (02EDD3A0) [serial = 6] [outer = 00000000]
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
++DOMWINDOW == 7 (031B5020) [serial = 7] [outer = 023844C8]
++DOMWINDOW == 8 (030BD5A0) [serial = 8] [outer = 02EDD370]
pldhash: for the table at address 0325CA68, the given entrySize of 52 probably f
avors chaining over double hashing.
++DOMWINDOW == 9 (03339068) [serial = 9] [outer = 02EDD370]
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLa
youtPhase_FrameC] == 0', file c:\projects\moz1.9.1\layout\base\nsPresContext.h,
line 1026
--DOMWINDOW == 8 (030BD5A0) [serial = 8] [outer = 02EDD370] [url = about:blank]
++DOMWINDOW == 9 (05003FE0) [serial = 10] [outer = 02EDD370]
WARNING: getting z level of unregistered window: file c:/projects/moz1.9.1/xpfe/
appshell/src/nsWindowMediator.cpp, line 635
WARNING: getting z level of unregistered window: file c:/projects/moz1.9.1/xpfe/
appshell/src/nsWindowMediator.cpp, line 635
--WEBSHELL 0239E640 == 4
--DOMWINDOW == 8 (023844F8) [serial = 5] [outer = 00000000] [url = about:blank]
--DOMWINDOW == 7 (031B5020) [serial = 7] [outer = 00000000] [url = about:blank]
WARNING: NS_ENSURE_SUCCESS(rv, rv--WEBSHELL 0212ED10 == 3
--WEBSHELL 020A81C0 == 2
) failed with result 0x80040111: file c:/projects/moz1.9.1/dom/src/threads/nsDOM
Worker.cpp, line 1242
WARNING: Thread pool cap reached!: file c:/projects/moz1.9.1/dom/src/threads/nsD
OMThreadService.cpp, line 985
--DWARNIOMWINDOW == 6 (02139790) [serial = 3] [outer = 0212FB18] [url = about:bl
ank]
--DOMWINDOW == 5 (020BF158) [serial = 1] [outer = 00000000] [url = resource://gr
e/res/hiddenWindow.html]
NG: Thread pool cap reached!: file c:/projects/moz1.9.1/dom/src/threads/nsDOMThr
eadService.cpp, line 985
--DOMWINDOW == 4 (0212FB48) [serial = 2] [outer = 00000000] [url = chrome://brow
ser/content/browser.xul]
--DOMWINDOW == 3 (022386A0) [serial = 4] [outer = 00000000] [url = resource://gr
e/res/hiddenWindow.html]
--DOMWINDOW == 2 (03339068) [serial = 9] [outer = 02EDD370] [url = http://www.mo
zilla.org/projects/shiretoko/]
--WEBSHELL 02EDC940 == 1
WARNING: Thread pool cap reached!: file c:/projects/moz1.9.1/dom/src/threads/nsD
OMThreadService.cpp, line 985
WARNING: Thread pool cap reached!: file c:/projects/moz1.9.1/dom/src/threads/nsD
OMThreadService.cpp, line 985
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1388
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1365
WARNING: NS_ENSURE_TRUE(!mShutdown) failed: file c:/projects/moz1.9.1/xpcom/thre
ads/nsThreadPool.cpp, line 240
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1388
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1365
WARNING: NS_ENSURE_TRUE(gDbBackgroundThread) failed: file c:/projects/moz1.9.1/t
oolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp, line 4082
************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "Component returned failure code: 0xc1f30001 (NS_ERROR_NOT_INITIAL
IZED) [nsIUrlClassifierDBService.getTables]"  nsresult: "0xc1f30001 (NS_ERROR_NO
T_INITIALIZED)"  location: "JS frame :: file:///C:/projects/moz1.9.1/ffx-dbg/dis
t/firefox/components/nsUrlClassifierListManager.js :: anonymous :: line 359"  da
ta: no]
************************************************************
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x8000FFFF: file c:/projec
ts/moz1.9.1/dom/src/threads/nsDOMThreadService.cpp, line 999
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1388
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0xC1F30001: file c:/projec
ts/moz1.9.1/toolkit/components/places/src/nsAnnotationService.cpp, line 1365

(these last two lines repeat over and over many times)
Talked this over with Blake, and he's comfortable shipping with the above issue based on his reproduction attempts and analysis in a debug build.
Might or might not be related, but I have just witnessed
13:58:50     INFO -  11-19 13:57:20.328 E/GeckoConsole( 2226): [JavaScript Error: "[Exception... "Component returned failure code: 0xc1f30001 (NS_ERROR_NOT_INITIALIZED) [nsIUrlClassifierDBService.getTables]"  nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)"  location: "JS frame :: jar:jar:file:///data/app/org.mozilla.fennec-1.apk!/assets/omni.ja!/components/nsUrlClassifierListManager.js :: PROT_ListManager.prototype.checkForUpdates :: line 359"  data: no]" {file: "jar:jar:file:///data/app/org.mozilla.fennec-1.apk!/assets/omni.ja!/components/nsUrlClassifierListManager.js" line: 359}]

on Android.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: