Closed
Bug 604087
Opened 14 years ago
Closed 14 years ago
Intermittent crash in crashtests after brain transplants landed [@ JSObject::getParent]
Categories
(Core :: XPConnect, defect)
RESOLVED
FIXED
People
(Reporter: jst, Assigned: mrbkap)
References
Details
(Keywords: intermittent-failure)
Attachments
(3 files)
2.33 KB, patch (mrbkap: review+)
3.33 KB, patch (jst: review+, gal: review+)
3.35 KB, patch (gal: review+)
We're seeing an intermittent crash in crashtests on tinderbox after the brain transplants work landed (bug 580128). The stack looks like this:

Thread 0 (crashed)
 0 libxul.so!JSObject::getParent [jsobj.h : 643 + 0x4]
    rbx = 0x05775290 r12 = 0x0212f440 r13 = 0x8ac20628 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8ac279be rsp = 0x327e0318 rbp = 0x327e0318
    Found by: given as instruction pointer in context
 1 libxul.so!JSObject::getGlobal [jsobj.cpp:db5b6e24f421 : 6341 + 0x8]
    rbx = 0x05775290 r12 = 0x0212f440 r13 = 0x8ac20628 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8bb82d45 rsp = 0x327e0328 rbp = 0x327e0340
    Found by: call frame info
 2 libxul.so!js::AutoCompartment::enter [jswrapper.cpp:db5b6e24f421 : 346 + 0xc]
    rbx = 0x05775290 r12 = 0x0212f440 r13 = 0x8ac20628 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8bc2a6a4 rsp = 0x327e0350 rbp = 0x327e0380
    Found by: call frame info
 3 libxul.so!JS_EnterCrossCompartmentCall [jsapi.cpp:db5b6e24f421 : 1170 + 0x8]
    rbx = 0x05775290 r12 = 0x0212f440 r13 = 0x8ac20628 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8bad50da rsp = 0x327e0390 rbp = 0x327e03d0
    Found by: call frame info
 4 libxul.so!JSAutoEnterCompartment::enter [jsapi.cpp:db5b6e24f421 : 1194 + 0xc]
    rbx = 0x056d97f0 r12 = 0x0212f440 r13 = 0x8ac20628 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8bad519a rsp = 0x327e03e0 rbp = 0x327e0410
    Found by: call frame info
 5 libxul.so!JS_TransplantWrapper [jsapi.cpp:db5b6e24f421 : 1292 + 0x16]
    rbx = 0x027ba370 r12 = 0x0212f440 r13 = 0x8ac20628 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8bad540b rsp = 0x327e0420 rbp = 0x327e0550
    Found by: call frame info
 6 libxul.so!nsGlobalWindow::SetNewDocument [nsGlobalWindow.cpp:db5b6e24f421 : 1935 + 0x1d]
    rbx = 0x027ba370 r12 = 0x0212f440 r13 = 0x8ac20628 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8ac62faf rsp = 0x327e0560 rbp = 0x327e0920
    Found by: call frame info
 7 libxul.so!DocumentViewerImpl::InitInternal [nsDocumentViewer.cpp:db5b6e24f421 : 957 + 0x3f]
    rbx = 0x027ba1b0 r12 = 0x8ac61cca r13 = 0x05783c60 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8a60f940 rsp = 0x327e0930 rbp = 0x327e0a60
    Found by: call frame info
 8 libxul.so!DocumentViewerImpl::Init [nsDocumentViewer.cpp:db5b6e24f421 : 694 + 0x21]
    rbx = 0x05775b40 r12 = 0x8a60fda6 r13 = 0x05783c60 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8a60fddc rsp = 0x327e0a70 rbp = 0x327e0a90
    Found by: call frame info
 9 libxul.so!nsDocShell::SetupNewViewer [nsDocShell.cpp:db5b6e24f421 : 7582 + 0x3b]
    rbx = 0x05775b40 r12 = 0x8a60fda6 r13 = 0x05783c60 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b27756d rsp = 0x327e0aa0 rbp = 0x327e0ee0
    Found by: call frame info
10 libxul.so!nsDocShell::Embed [nsDocShell.cpp:db5b6e24f421 : 5685 + 0x19]
    rbx = 0x8b28c220 r12 = 0x8a374f8a r13 = 0x05783c60 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b28c268 rsp = 0x327e0ef0 rbp = 0x327e0f30
    Found by: call frame info
11 libxul.so!nsDocShell::CreateContentViewer [nsDocShell.cpp:db5b6e24f421 : 7369 + 0x36]
    rbx = 0x8b28c220 r12 = 0x8a374f8a r13 = 0x05783c60 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b284f68 rsp = 0x327e0f40 rbp = 0x327e10d0
    Found by: call frame info
12 libxul.so!nsDSURIContentListener::DoContent [nsDSURIContentListener.cpp:db5b6e24f421 : 138 + 0x2a]
    rbx = 0x8b29bab6 r12 = 0x05783fb0 r13 = 0x05783c60 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b29bc63 rsp = 0x327e10e0 rbp = 0x327e1180
    Found by: call frame info
13 libxul.so!nsDocumentOpenInfo::TryContentListener [nsURILoader.cpp:db5b6e24f421 : 757 + 0x66]
    rbx = 0x8b29bab6 r12 = 0x05783fb0 r13 = 0x05783c60 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b2a22ee rsp = 0x327e1190 rbp = 0x327e1280
    Found by: call frame info
14 libxul.so!nsDocumentOpenInfo::DispatchContent [nsURILoader.cpp:db5b6e24f421 : 455 + 0x45]
    rbx = 0x05783c60 r12 = 0x8b2a35dc r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b2a2b12 rsp = 0x327e1290 rbp = 0x327e1650
    Found by: call frame info
15 libxul.so!nsDocumentOpenInfo::OnStartRequest [nsURILoader.cpp:db5b6e24f421 : 295 + 0x10]
    rbx = 0x05783f90 r12 = 0x8b2a35dc r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b2a37cf rsp = 0x327e1660 rbp = 0x327e16f0
    Found by: call frame info
16 libxul.so!nsBaseChannel::OnStartRequest [nsBaseChannel.cpp:db5b6e24f421 : 712 + 0x3d]
    rbx = 0x05783f90 r12 = 0x8b2a35dc r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8a375cef rsp = 0x327e1700 rbp = 0x327e1740
    Found by: call frame info
17 libxul.so!nsInputStreamPump::OnStateStart [nsInputStreamPump.cpp:db5b6e24f421 : 441 + 0x33]
    rbx = 0x05783c80 r12 = 0x8a375ba8 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8a3880b2 rsp = 0x327e1750 rbp = 0x327e1780
    Found by: call frame info
18 libxul.so!nsInputStreamPump::OnInputStreamReady [nsInputStreamPump.cpp:db5b6e24f421 : 397 + 0x8]
    rbx = 0x057840c8 r12 = 0x8a388c6a r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8a388cec rsp = 0x327e1790 rbp = 0x327e17c0
    Found by: call frame info
19 libxul.so!nsInputStreamReadyEvent::Run [nsStreamUtils.cpp:db5b6e24f421 : 112 + 0x2f]
    rbx = 0x057840c8 r12 = 0x8a388c6a r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b90aac5 rsp = 0x327e17d0 rbp = 0x327e17f0
    Found by: call frame info
20 libxul.so!nsThread::ProcessNextEvent [nsThread.cpp:db5b6e24f421 : 547 + 0x17]
    rbx = 0x00000001 r12 = 0x8b6bfd56 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b9341a2 rsp = 0x327e1800 rbp = 0x327e1890
    Found by: call frame info
21 libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp : 250 + 0x1a]
    rbx = 0x00000001 r12 = 0x8b6bfd56 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b8c136a rsp = 0x327e18a0 rbp = 0x327e18d0
    Found by: call frame info
22 libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp:db5b6e24f421 : 110 + 0x11]
    rbx = 0x00000001 r12 = 0x8b6bfd56 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b750018 rsp = 0x327e18e0 rbp = 0x327e1950
    Found by: call frame info
23 libxul.so!MessageLoop::RunInternal [message_loop.cc:db5b6e24f421 : 219 + 0x22]
    rbx = 0x02269190 r12 = 0x8b6bfd56 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b99cb0f rsp = 0x327e1960 rbp = 0x327e1990
    Found by: call frame info
24 libxul.so!MessageLoop::RunHandler [message_loop.cc:db5b6e24f421 : 202 + 0x8]
    rbx = 0x02269190 r12 = 0x8b6bfd56 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b99cb27 rsp = 0x327e19a0 rbp = 0x327e19b0
    Found by: call frame info
25 libxul.so!MessageLoop::Run [message_loop.cc:db5b6e24f421 : 176 + 0x8]
    rbx = 0x02269190 r12 = 0x8b6bfd56 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b99cb88 rsp = 0x327e19c0 rbp = 0x327e19f0
    Found by: call frame info
26 libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp:db5b6e24f421 : 180 + 0xc]
    rbx = 0x02269190 r12 = 0x8b6bfd56 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b5f1aa7 rsp = 0x327e1a00 rbp = 0x327e1a20
    Found by: call frame info
27 libxul.so!nsAppStartup::Run [nsAppStartup.cpp:db5b6e24f421 : 191 + 0x1b]
    rbx = 0x02269190 r12 = 0x8b6bfd56 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8b3540b4 rsp = 0x327e1a30 rbp = 0x327e1a50
    Found by: call frame info
28 libxul.so!XRE_main [nsAppRunner.cpp:db5b6e24f421 : 3670 + 0x1a]
    rbx = 0x02269190 r12 = 0x8b6bfd56 r13 = 0x019e2160 r14 = 0x019e1d90
    r15 = 0x00000000 rip = 0x8a33c544 rsp = 0x327e1a60 rbp = 0x327e2400
    Found by: call frame info
29 firefox-bin!main [nsBrowserApp.cpp:db5b6e24f421 : 158 + 0x18]
    rbx = 0x019e0bf0 r12 = 0x8b91fa42 r13 = 0x327e25a0 r14 = 0x00000000
    r15 = 0x00000000 rip = 0x00401212 rsp = 0x327e2410 rbp = 0x327e24c0
    Found by: call frame info
30 libc-2.11.so + 0x1eb1c
    rbx = 0x00000000 r12 = 0x00400cf0 r13 = 0x327e25a0 r14 = 0x00000000
    r15 = 0x00000000 rip = 0xd2e1eb1d rsp = 0x327e24d0 rbp = 0x00000000
    Found by: call frame info
31 firefox-bin!Output [nsBrowserApp.cpp:db5b6e24f421 : 77 + 0x1]
    rip = 0x00400f22 rsp = 0x327e24f0
    Found by: stack scanning
Updated•14 years ago
Blocks: 438871
Summary: Intermittent crash in crashtests after brain transplants landed. → Intermittent crash in crashtests after brain transplants landed [@ JSObject::getParent]
Whiteboard: [orange]
Comment 1•14 years ago
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286998487.1286998568.29665.gz#err0 Rev3 Fedora 12x64 tracemonkey debug test crashtest on 2010/10/13 12:34:47
Comment 2•14 years ago
I don't understand this stack. JS_EnterCrossCompartmentCall says:

>     AutoCompartment *call = new AutoCompartment(cx, target);
>     if (!call)
>         return NULL;
>     if (!call->enter()) {

which calls these in order:

> AutoCompartment::AutoCompartment(JSContext *cx, JSObject *target)
>     : context(cx),
>       origin(cx->compartment),
>       target(target),
>       destination(target->getCompartment()),
>       input(cx),
>       entered(false)
> {
> }
>
> bool
> AutoCompartment::enter()
> {
>     JS_ASSERT(!entered);
>     if (origin != destination) {
>         LeaveTrace(context);
>
> #ifdef DEBUG
>         JSCompartment *oldCompartment = context->compartment;
>         context->resetCompartment();
>         wasSane = (context->compartment == oldCompartment);
> #endif
>
>         context->compartment = destination;
>         JSObject *scopeChain = target->getGlobal();

We crash on that last line because target is null. But we should have crashed in the constructor, at target->getCompartment(), which would have read from NULL rather earlier.

> JSCompartment *
> Cell::compartment() const
> {
>     return arena()->header()->compartment;
> }

Anyway it doesn't make sense for us to be using JSAutoEnterCompartment here--and probably we shouldn't have it at all.
Comment 3•14 years ago
This changes two minor things.
Updated•14 years ago (Assignee)
Attachment #482997 -
Flags: review+
Comment 4•14 years ago
(Note the above patch won't fix the problem. Just tidying up while we're here. Blake wants to land it on top of the actual fix, which sounds right to me.)
Comment 5•14 years ago (Assignee)
So, the problem here is that we end up doing a GC in the middle of JS_TransplantWrapper. JS_TransplantWrapper has a loop over all compartments, where it does a lookup in each compartment for the object to be rewrapped and then operates on the resulting object, if it exists. If we GC, and the GC happens to collect a compartment, we'll start trying to use deleted compartments. Surprisingly, this mostly works; and in fact, you can successfully look for things in a deleted compartment's crossCompartmentMap. This means that if we collected a compartment that had just had a cross compartment wrapper to the object being transplanted, we can actually find the old wrapper in the map! We've already lost at that point, but it's definitely possible that the returned object would be null or otherwise invalid.

There were a couple of ways to fix this:

* Try to deal with the compartment map changing out from under us in JS_TransplantWrapper.
* Grab a strong reference to all wrappers to transplant before potentially GCing; keeping all of the compartments alive.

I went with the second option, as it's the clearest and easiest to get right. It might keep a compartment alive a little bit longer than strictly necessary, but IMO that's fine.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #483022 -
Flags: review?(jst)
Attachment #483022 -
Flags: review?(jorendorff)
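The following is an added illustration, not code from this bug, from the patches attached to it, or from SpiderMonkey: a small C++ model of the hazard described in comment 5 (and visible as a null target in comment 2). It contrasts the one-pass "look up, then rewrap" loop, where an allocation inside the loop can trigger a GC that collects a compartment the loop has not reached yet, with the fix mrbkap chose: root every wrapper in a pass that cannot GC, so all of their compartments stay alive while the allocating work runs. Every name here (Runtime, Compartment, Wrapper, RootedWrapper, transplantUnsafe, transplantSafe, buildScenario) is hypothetical, and the GC only flags a collected compartment instead of freeing it, so the stale access is counted rather than crashing.

```cpp
// Added example, not code from this bug or from SpiderMonkey: a toy model of the GC
// hazard described in comments 2 and 5. Every name here (Runtime, Compartment, Wrapper,
// RootedWrapper, transplantUnsafe, transplantSafe) is hypothetical. A real GC frees a
// collected compartment; this model only flags it, so the bug shows up as a counted
// stale access instead of undefined behaviour.
#include <cassert>
#include <initializer_list>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

struct Compartment;

struct Wrapper {
    std::string target;   // object this cross-compartment wrapper points at
    Compartment* home;    // compartment whose crossCompartmentMap owns the wrapper
};

struct Compartment {
    bool reachable = false;   // still referenced by script; GC keeps it
    int strongRefs = 0;       // C++ roots on its wrappers; GC must keep it too
    bool collected = false;   // set by the toy GC in place of freeing the memory
    std::unordered_map<std::string, std::unique_ptr<Wrapper>> crossCompartmentMap;
};

struct Runtime {
    std::vector<std::unique_ptr<Compartment>> compartments;
    int allocsUntilGC = 1;          // a GC fires when an allocation drives this to zero
    int staleCompartmentUses = 0;   // instrumentation: lookups made in collected compartments

    void gc() {
        for (auto& c : compartments)
            if (!c->reachable && c->strongRefs == 0)
                c->collected = true;   // the real GC would free c and its map here
    }
    // Every allocation is a potential GC point, as in the engine.
    std::unique_ptr<Wrapper> allocateWrapper(const std::string& target, Compartment* home) {
        if (--allocsUntilGC <= 0) { gc(); allocsUntilGC = 1000; }
        return std::unique_ptr<Wrapper>(new Wrapper{target, home});
    }
    // On a collected compartment this "mostly works" (comment 5), which is what
    // makes the crash intermittent rather than immediate.
    Wrapper* lookup(Compartment* c, const std::string& obj) {
        if (c->collected) ++staleCompartmentUses;
        auto it = c->crossCompartmentMap.find(obj);
        return it == c->crossCompartmentMap.end() ? nullptr : it->second.get();
    }
    // Replace old with a wrapper for newObj in the same compartment; allocates, so may GC.
    void rewrap(Wrapper* old, const std::string& newObj) {
        Compartment* home = old->home;
        std::string oldKey = old->target;
        std::unique_ptr<Wrapper> fresh = allocateWrapper(newObj, home);
        home->crossCompartmentMap.erase(oldKey);   // destroys old
        home->crossCompartmentMap[newObj] = std::move(fresh);
    }
};

// Buggy shape: look up and rewrap in one pass. The first rewrap can GC and
// collect a compartment the loop has not reached yet.
int transplantUnsafe(Runtime& rt, const std::string& obj, const std::string& newObj) {
    int rewrapped = 0;
    for (auto& c : rt.compartments)
        if (Wrapper* w = rt.lookup(c.get(), obj)) { rt.rewrap(w, newObj); ++rewrapped; }
    return rewrapped;
}

// A strong reference to a wrapper that pins its compartment while it lives.
struct RootedWrapper {
    Wrapper* wrapper;
    Compartment* home;
    explicit RootedWrapper(Wrapper* w) : wrapper(w), home(w->home) { ++home->strongRefs; }
    ~RootedWrapper() { --home->strongRefs; }
};

// Fixed shape (the second option in comment 5): root every wrapper first, in a pass
// that cannot GC, then do the allocating work on the rooted set.
int transplantSafe(Runtime& rt, const std::string& obj, const std::string& newObj) {
    std::vector<std::unique_ptr<RootedWrapper>> roots;
    for (auto& c : rt.compartments)
        if (Wrapper* w = rt.lookup(c.get(), obj))
            roots.push_back(std::unique_ptr<RootedWrapper>(new RootedWrapper(w)));
    for (auto& r : roots)
        rt.rewrap(r->wrapper, newObj);   // GC may run, but every home compartment is pinned
    return static_cast<int>(roots.size());   // roots die here; compartments may now be collected
}

// Constructed scenario: two compartments wrap "obj"; the second is unreachable from
// script, so the first GC during the transplant collects it.
Runtime buildScenario() {
    Runtime rt;
    for (bool reachable : {true, false}) {
        std::unique_ptr<Compartment> c(new Compartment);
        c->reachable = reachable;
        c->crossCompartmentMap["obj"].reset(new Wrapper{"obj", c.get()});
        rt.compartments.push_back(std::move(c));
    }
    return rt;
}

int staleUsesUnsafe() { Runtime rt = buildScenario(); transplantUnsafe(rt, "obj", "obj2"); return rt.staleCompartmentUses; }
int staleUsesSafe()   { Runtime rt = buildScenario(); transplantSafe(rt, "obj", "obj2");   return rt.staleCompartmentUses; }

int main() {
    assert(staleUsesUnsafe() == 1);   // one-pass loop looked into the collected compartment
    assert(staleUsesSafe() == 0);     // rooting first kept it alive
    return 0;
}
```

The point to take from the model is the ordering, not the data structures: any loop that interleaves "find the next thing" with "do work that can allocate" is exposed to whatever the allocator's GC may tear down, so the cheap fix is to finish the non-allocating discovery pass and hold roots on its results before the first allocation.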
Comment 6•14 years ago (Assignee)
jorendorff, do you think this is valuable enough to check in?
Attachment #483023 -
Flags: review?(jorendorff)
Updated•14 years ago (Reporter)
Attachment #483022 -
Flags: review?(jst) → review+
Updated•14 years ago
Attachment #483022 -
Flags: review?(jorendorff) → review+
Updated•14 years ago
Attachment #483023 -
Flags: review?(jorendorff) → review+
Comment 7•14 years ago
Yes.
Comment 8•14 years ago
http://hg.mozilla.org/mozilla-central/rev/9cc97697dcef
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•12 years ago
Keywords: intermittent-failure
Updated•12 years ago
Whiteboard: [orange]