Closed Bug 57070 Opened 24 years ago Closed 24 years ago

new crash [@ gc_find_flags] in branch

Categories

(Core :: Networking, defect, P3)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jay, Assigned: brendan)

References

Details

(Keywords: crash, topcrash, Whiteboard: [rtm++])

Crash Data

Attachments

(1 file)

proposed fix (please r= and a= soon)
635 bytes, patch
Details | Diff | Splinter Review 
A similar crash to the one resolved fixed in bug 53123 has returned, so logging 
a new bug on it here.  Below are the latest talkback entries and a stack trace:

gc_find_flags 16ab37bb
        http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsgc.c line 
215
        Build: 2000101309 CrashDate: 2000-10-13 UptimeMinutes: 184  Total: 184 
        OS: Windows NT  4.0 build 1381
        URL: 
        Comment: crash trying to send a message
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19039496
         StackTrace: 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=19039496

    gc_find_flags() b7c465b4
        jsgc.c line 213
        Build: 2000101308 CrashDate: 2000-10-13 UptimeMinutes: 11  Total: 11 
        OS: MacOS version 8.6
        URL: 
        Comment: 
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19041783
         StackTrace: 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=19041783

gc_find_flags 5edf0504
        http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsgc.c line 
215
        Build: 2000101213 CrashDate: 2000-10-16 UptimeMinutes: 2926  Total: 2926 
        OS: Windows NT  4.0 build 1381
        URL: 
        Comment: Instant Messenger and Browser crash
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19154390
         StackTrace: 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=19154390

gc_find_flags 5c2ba49b
        http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsgc.c line 
215
        Build: 2000101609 CrashDate: 2000-10-16 UptimeMinutes: 51  Total: 51 
        OS: Windows NT  4.0 build 1381
        URL: www.abcnews.go.com
        Comment: Just typing in the url and hitting enter crashed Seamonkey.
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19193042
         StackTrace: 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=19193042

gc_find_flags 80580bed
        http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsgc.c line 
215
        Build: 2000101609 CrashDate: 2000-10-16 UptimeMinutes: 6  Total: 19 
        OS: Windows 95  4.0 build 67109814
        URL: 
        Comment: 
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19193656
         StackTrace: 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=19193656

    gc_find_flags() feda89fc
         line 
        Build: 2000101609 CrashDate: 2000-10-16 UptimeMinutes: 1  Total: 1 
        OS: Linux 2.2.16
        URL: 
        Comment: trying to install java 2 plugin
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19197087
         StackTrace: 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=19197087

gc_find_flags 9a6cceb1
        http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/jsgc.c line 
215
        Build: 2000101609 CrashDate: 2000-10-16 UptimeMinutes: 1  Total: 1 
        OS: Windows 98  4.10 build 67766222
        URL: 
        Comment: 
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19211371
         StackTrace: 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=19211371

    gc_find_flags() 877f0bc6
         line 
        Build: 2000101609 CrashDate: 2000-10-17 UptimeMinutes: 112  Total: 389 
        OS: Linux 2.2.14-5.0
        URL: 
        Comment: closing window
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19218471
         StackTrace: 
http://climate/reports/stackcommentemail.cfm?dynamicBBID=19218471

Incident ID 19211371 
gc_find_flags [d:\builds\seamonkey\mozilla\js\src\jsgc.c, line 215] 
js_MarkGCThing [d:\builds\seamonkey\mozilla\js\src\jsgc.c, line 721] 
js_GC [d:\builds\seamonkey\mozilla\js\src\jsgc.c, line 1129] 
js_ForceGC [d:\builds\seamonkey\mozilla\js\src\jsgc.c, line 872] 
JS_GC [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 1543] 
nsJSContext::GC [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, 
line 1288] 
KERNEL32.DLL + 0xb9b6 (0xbff7b9b6) 
DocumentViewerImpl::Init 
[d:\builds\seamonkey\mozilla\layout\base\src\nsDocumentViewer.cpp, line 537] 
nsDocShell::SetupNewViewer 
[d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2902] 
nsWebShell::SetupNewViewer 
[d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 359] 
nsDocShell::Embed [d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, 
line 2488] 
nsWebShell::Embed [d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, 
line 383] 
nsDocShell::CreateContentViewer 
[d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 2668] 
nsDSURIContentListener::DoContent 
[d:\builds\seamonkey\mozilla\docshell\base\nsDSURIContentListener.cpp, line 104] 
nsDocumentOpenInfo::DispatchContent 
[d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 362] 
nsDocumentOpenInfo::OnStartRequest 
[d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp, line 234] 
nsHTTPFinalListener::OnStartRequest 
[d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHTTPResponseListener.cp
p, line 1118] 
InterceptStreamListener::OnStartRequest 
[d:\builds\seamonkey\mozilla\netwerk\cache\mgr\nsCachedNetData.cpp, line 1186] 
nsHTTPServerListener::FinishedResponseHeaders 
[d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHTTPResponseListener.cp
p,
line 1056] 
nsHTTPServerListener::OnDataAvailable 
[d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHTTPResponseListener.cp
p, line 428] 
nsOnDataAvailableEvent::HandleEvent 
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line 
406] 
nsStreamListenerEvent::HandlePLEvent 
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line 
106] 
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 581] 
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, 
line 517] 
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 
1051] 
KERNEL32.DLL + 0x242e7 (0xbff942e7) 
0x00688b52 

These stack traces are similar to the ones in bug 57066, so if this is a dup of 
that bug, please mark it so.  I just wanted to log both crashes separately at 
first to avoid any confusion.
adding topcrash keywords and [@ gc_find_flags] for tracking
Keywords: crash, topcrash
Jband and I were trying to reproduce bug 56845, and I noticed with horror a one
character typo-botch in jsgc.c that could be the cause of this bug, and of bug
57066.  Patch coming up.

/be
Status: NEW → ASSIGNED
Adding more r= buddies.  Looking to [rtm+] ASAP.

/be
r=mccabe.
a=jband for sure!
Fix in trunk.  This is a topcrash with a one-character fix -- pdt, how about a
rtm++?  Thanks.

/be
Whiteboard: [rtm+]
Phil, we went over talkback that showed JS GC crashes after 53123 was fixed two
times, and now I think we've found the topcrash causes.  This bug accounts for
the stacks, and bug 57096 for others.  Both bugs have patches attached now, this
one has reviews and is in the trunk.  57096 has a one-line fix that should be
reviewed quickly.  FYI.

/be
this would a great one for the NS 6.0 branch.

jband / brendan:  is this the cause of the problems you were seeing last night?
 (as opposed to a missing JS_PopArguments()?)

cc'ing valeski, in case he wants this on the embedding branch.
[rtm++]. One character for the #1 Talkback crasher? I love that! You've noticed
that JS GC is also #3 and #6 on the hit parade?
Whiteboard: [rtm+] → [rtm++]
sspitzer: yes, this is it.  The problem is that the JS_PopArguments is "missing"
in the sense that the "lower" (stack bottom) call to that function has yet to
occur, and the "upper" JS_PopArguments has run, followed by a JS_MaybeGC every
20th XPConnected call into JS, which might just run JS_GC -- which would nuke
the entire JS stack on which the lower args were still living, scannable by the
subsequent mark phase.

Those other bad calls to JS_PopArguments (the ones that were conditioned by a
successful rv from OpenDialog) still need to be fixed.

The right fix, I think (inspired by nsAutoLock.h) is to make a helper class that
hides the jsapi.h usage and has a destructor worry about the pop.  I'll work on
that in the trunk.

/be
Oops, comments in wrong bug.  Meant those for bug 57096, an evil older sibling
of this bug.

/be
phil: #6 is 57096.  I'm adding topcrash there.  #3 and #1 are both this bug,
which is dup'ed by 57066, I bet.  I'm going to mark 57066 a dup.

/be
*** Bug 57066 has been marked as a duplicate of this bug. ***
Fix in branch.

(I am the dream engineer of the pdt, two-for-two on one-line changes that fix
topcrash bugs! ;-)

/be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Hey, you planted those bugs!
I wish I planted those, but no such luck.  With all due modesty, I'm pretty
happy with the way the humongous patch to bug 49816 landed with few bugs, and no
major diffs yet required.  Knock on wood....

/be
> phil: #6 is 57096.  I'm adding topcrash there.  #3 and #1 are both this bug,
> which is dup'ed by 57066, I bet.  I'm going to mark 57066 a dup.

Whee! BTW, those rankings seem to be for the trunk, in case that's a surprise to
you (it was a surprise to me).
Keywords: vtrunk
verified
Status: RESOLVED → VERIFIED
Crash Signature: [@ gc_find_flags]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: