
Intermittent crash in crashtests after brain transplants landed [@ JSObject::getParent]

RESOLVED FIXED

Status


Core
XPConnect
RESOLVED FIXED
7 years ago
5 years ago

People

(Reporter: jst, Assigned: mrbkap)

Tracking

({intermittent-failure})

Trunk
x86_64
Linux
intermittent-failure

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

7 years ago
We're seeing an intermittent crash in crashtests on tinderbox after the brain transplants work landed (bug 580128). The stack looks like this:

Thread 0 (crashed)
 0  libxul.so!JSObject::getParent [jsobj.h : 643 + 0x4]
    rbx = 0x05775290   r12 = 0x0212f440   r13 = 0x8ac20628   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8ac279be   rsp = 0x327e0318   rbp = 0x327e0318
    Found by: given as instruction pointer in context
 1  libxul.so!JSObject::getGlobal [jsobj.cpp:db5b6e24f421 : 6341 + 0x8]
    rbx = 0x05775290   r12 = 0x0212f440   r13 = 0x8ac20628   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8bb82d45   rsp = 0x327e0328   rbp = 0x327e0340
    Found by: call frame info
 2  libxul.so!js::AutoCompartment::enter [jswrapper.cpp:db5b6e24f421 : 346 + 0xc]
    rbx = 0x05775290   r12 = 0x0212f440   r13 = 0x8ac20628   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8bc2a6a4   rsp = 0x327e0350   rbp = 0x327e0380
    Found by: call frame info
 3  libxul.so!JS_EnterCrossCompartmentCall [jsapi.cpp:db5b6e24f421 : 1170 + 0x8]
    rbx = 0x05775290   r12 = 0x0212f440   r13 = 0x8ac20628   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8bad50da   rsp = 0x327e0390   rbp = 0x327e03d0
    Found by: call frame info
 4  libxul.so!JSAutoEnterCompartment::enter [jsapi.cpp:db5b6e24f421 : 1194 + 0xc]
    rbx = 0x056d97f0   r12 = 0x0212f440   r13 = 0x8ac20628   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8bad519a   rsp = 0x327e03e0   rbp = 0x327e0410
    Found by: call frame info
 5  libxul.so!JS_TransplantWrapper [jsapi.cpp:db5b6e24f421 : 1292 + 0x16]
    rbx = 0x027ba370   r12 = 0x0212f440   r13 = 0x8ac20628   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8bad540b   rsp = 0x327e0420   rbp = 0x327e0550
    Found by: call frame info
 6  libxul.so!nsGlobalWindow::SetNewDocument [nsGlobalWindow.cpp:db5b6e24f421 : 1935 + 0x1d]
    rbx = 0x027ba370   r12 = 0x0212f440   r13 = 0x8ac20628   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8ac62faf   rsp = 0x327e0560   rbp = 0x327e0920
    Found by: call frame info
 7  libxul.so!DocumentViewerImpl::InitInternal [nsDocumentViewer.cpp:db5b6e24f421 : 957 + 0x3f]
    rbx = 0x027ba1b0   r12 = 0x8ac61cca   r13 = 0x05783c60   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8a60f940   rsp = 0x327e0930   rbp = 0x327e0a60
    Found by: call frame info
 8  libxul.so!DocumentViewerImpl::Init [nsDocumentViewer.cpp:db5b6e24f421 : 694 + 0x21]
    rbx = 0x05775b40   r12 = 0x8a60fda6   r13 = 0x05783c60   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8a60fddc   rsp = 0x327e0a70   rbp = 0x327e0a90
    Found by: call frame info
 9  libxul.so!nsDocShell::SetupNewViewer [nsDocShell.cpp:db5b6e24f421 : 7582 + 0x3b]
    rbx = 0x05775b40   r12 = 0x8a60fda6   r13 = 0x05783c60   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b27756d   rsp = 0x327e0aa0   rbp = 0x327e0ee0
    Found by: call frame info
10  libxul.so!nsDocShell::Embed [nsDocShell.cpp:db5b6e24f421 : 5685 + 0x19]
    rbx = 0x8b28c220   r12 = 0x8a374f8a   r13 = 0x05783c60   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b28c268   rsp = 0x327e0ef0   rbp = 0x327e0f30
    Found by: call frame info
11  libxul.so!nsDocShell::CreateContentViewer [nsDocShell.cpp:db5b6e24f421 : 7369 + 0x36]
    rbx = 0x8b28c220   r12 = 0x8a374f8a   r13 = 0x05783c60   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b284f68   rsp = 0x327e0f40   rbp = 0x327e10d0
    Found by: call frame info
12  libxul.so!nsDSURIContentListener::DoContent [nsDSURIContentListener.cpp:db5b6e24f421 : 138 + 0x2a]
    rbx = 0x8b29bab6   r12 = 0x05783fb0   r13 = 0x05783c60   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b29bc63   rsp = 0x327e10e0   rbp = 0x327e1180
    Found by: call frame info
13  libxul.so!nsDocumentOpenInfo::TryContentListener [nsURILoader.cpp:db5b6e24f421 : 757 + 0x66]
    rbx = 0x8b29bab6   r12 = 0x05783fb0   r13 = 0x05783c60   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b2a22ee   rsp = 0x327e1190   rbp = 0x327e1280
    Found by: call frame info
14  libxul.so!nsDocumentOpenInfo::DispatchContent [nsURILoader.cpp:db5b6e24f421 : 455 + 0x45]
    rbx = 0x05783c60   r12 = 0x8b2a35dc   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b2a2b12   rsp = 0x327e1290   rbp = 0x327e1650
    Found by: call frame info
15  libxul.so!nsDocumentOpenInfo::OnStartRequest [nsURILoader.cpp:db5b6e24f421 : 295 + 0x10]
    rbx = 0x05783f90   r12 = 0x8b2a35dc   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b2a37cf   rsp = 0x327e1660   rbp = 0x327e16f0
    Found by: call frame info
16  libxul.so!nsBaseChannel::OnStartRequest [nsBaseChannel.cpp:db5b6e24f421 : 712 + 0x3d]
    rbx = 0x05783f90   r12 = 0x8b2a35dc   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8a375cef   rsp = 0x327e1700   rbp = 0x327e1740
    Found by: call frame info
17  libxul.so!nsInputStreamPump::OnStateStart [nsInputStreamPump.cpp:db5b6e24f421 : 441 + 0x33]
    rbx = 0x05783c80   r12 = 0x8a375ba8   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8a3880b2   rsp = 0x327e1750   rbp = 0x327e1780
    Found by: call frame info
18  libxul.so!nsInputStreamPump::OnInputStreamReady [nsInputStreamPump.cpp:db5b6e24f421 : 397 + 0x8]
    rbx = 0x057840c8   r12 = 0x8a388c6a   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8a388cec   rsp = 0x327e1790   rbp = 0x327e17c0
    Found by: call frame info
19  libxul.so!nsInputStreamReadyEvent::Run [nsStreamUtils.cpp:db5b6e24f421 : 112 + 0x2f]
    rbx = 0x057840c8   r12 = 0x8a388c6a   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b90aac5   rsp = 0x327e17d0   rbp = 0x327e17f0
    Found by: call frame info
20  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp:db5b6e24f421 : 547 + 0x17]
    rbx = 0x00000001   r12 = 0x8b6bfd56   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b9341a2   rsp = 0x327e1800   rbp = 0x327e1890
    Found by: call frame info
21  libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp : 250 + 0x1a]
    rbx = 0x00000001   r12 = 0x8b6bfd56   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b8c136a   rsp = 0x327e18a0   rbp = 0x327e18d0
    Found by: call frame info
22  libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp:db5b6e24f421 : 110 + 0x11]
    rbx = 0x00000001   r12 = 0x8b6bfd56   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b750018   rsp = 0x327e18e0   rbp = 0x327e1950
    Found by: call frame info
23  libxul.so!MessageLoop::RunInternal [message_loop.cc:db5b6e24f421 : 219 + 0x22]
    rbx = 0x02269190   r12 = 0x8b6bfd56   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b99cb0f   rsp = 0x327e1960   rbp = 0x327e1990
    Found by: call frame info
24  libxul.so!MessageLoop::RunHandler [message_loop.cc:db5b6e24f421 : 202 + 0x8]
    rbx = 0x02269190   r12 = 0x8b6bfd56   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b99cb27   rsp = 0x327e19a0   rbp = 0x327e19b0
    Found by: call frame info
25  libxul.so!MessageLoop::Run [message_loop.cc:db5b6e24f421 : 176 + 0x8]
    rbx = 0x02269190   r12 = 0x8b6bfd56   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b99cb88   rsp = 0x327e19c0   rbp = 0x327e19f0
    Found by: call frame info
26  libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp:db5b6e24f421 : 180 + 0xc]
    rbx = 0x02269190   r12 = 0x8b6bfd56   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b5f1aa7   rsp = 0x327e1a00   rbp = 0x327e1a20
    Found by: call frame info
27  libxul.so!nsAppStartup::Run [nsAppStartup.cpp:db5b6e24f421 : 191 + 0x1b]
    rbx = 0x02269190   r12 = 0x8b6bfd56   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8b3540b4   rsp = 0x327e1a30   rbp = 0x327e1a50
    Found by: call frame info
28  libxul.so!XRE_main [nsAppRunner.cpp:db5b6e24f421 : 3670 + 0x1a]
    rbx = 0x02269190   r12 = 0x8b6bfd56   r13 = 0x019e2160   r14 = 0x019e1d90
    r15 = 0x00000000   rip = 0x8a33c544   rsp = 0x327e1a60   rbp = 0x327e2400
    Found by: call frame info
29  firefox-bin!main [nsBrowserApp.cpp:db5b6e24f421 : 158 + 0x18]
    rbx = 0x019e0bf0   r12 = 0x8b91fa42   r13 = 0x327e25a0   r14 = 0x00000000
    r15 = 0x00000000   rip = 0x00401212   rsp = 0x327e2410   rbp = 0x327e24c0
    Found by: call frame info
30  libc-2.11.so + 0x1eb1c
    rbx = 0x00000000   r12 = 0x00400cf0   r13 = 0x327e25a0   r14 = 0x00000000
    r15 = 0x00000000   rip = 0xd2e1eb1d   rsp = 0x327e24d0   rbp = 0x00000000
    Found by: call frame info
31  firefox-bin!Output [nsBrowserApp.cpp:db5b6e24f421 : 77 + 0x1]
    rip = 0x00400f22   rsp = 0x327e24f0
    Found by: stack scanning

Updated

7 years ago
Blocks: 438871
Summary: Intermittent crash in crashtests after brain transplants landed. → Intermittent crash in crashtests after brain transplants landed [@ JSObject::getParent]
Whiteboard: [orange]
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1286998487.1286998568.29665.gz#err0
Rev3 Fedora 12x64 tracemonkey debug test crashtest on 2010/10/13 12:34:47
I don't understand this stack.

JS_EnterCrossCompartmentCall says:
>     AutoCompartment *call = new AutoCompartment(cx, target);
>     if (!call)
>         return NULL;
>     if (!call->enter()) {

which calls these in order:
> AutoCompartment::AutoCompartment(JSContext *cx, JSObject *target)
>     : context(cx),
>       origin(cx->compartment),
>       target(target),
>       destination(target->getCompartment()),
>       input(cx),
>       entered(false)
> {
> }

> bool
> AutoCompartment::enter()
> {
>     JS_ASSERT(!entered);
>     if (origin != destination) {
>         LeaveTrace(context);
> 
> #ifdef DEBUG
>         JSCompartment *oldCompartment = context->compartment;
>         context->resetCompartment();
>         wasSane = (context->compartment == oldCompartment);
> #endif
> 
>         context->compartment = destination;
>         JSObject *scopeChain = target->getGlobal();

We crash on that last line because target is null.

But we should have crashed in the constructor, at target->getCompartment(), which would have read from NULL rather earlier.

> JSCompartment *
> Cell::compartment() const
> {
>     return arena()->header()->compartment;
> }

Anyway it doesn't make sense for us to be using JSAutoEnterCompartment here--and probably we shouldn't have it at all.
Created attachment 482997 [details] [diff] [review]
tweak

This changes two minor things.
(Assignee)

Updated

7 years ago
Attachment #482997 - Flags: review+
(Note the above patch won't fix the problem. Just tidying up while we're here. Blake wants to land it on top of the actual fix, which sounds right to me.)
(Assignee)

Comment 5

7 years ago
Created attachment 483022 [details] [diff] [review]
Patch

So, the problem here is that we end up doing a GC in the middle of JS_TransplantWrapper. JS_TransplantWrapper has a loop over all compartments, where it does a lookup in each compartment for the object to be rewrapped and then operates on the resulting object, if it exists. If we GC, and the GC happens to collect a compartment, we'll start trying to use deleted compartments. Surprisingly, this mostly works; in fact, you can successfully look for things in a deleted compartment's crossCompartmentMap.

This means that if we collected a compartment that had just had a cross-compartment wrapper to the object being transplanted, we can actually find the old wrapper in the map! We've already lost at that point, but it's definitely possible that the returned object would be null or otherwise invalid.

There were a couple of ways to fix this:
  * Try to deal with the compartment map changing out from under us in JS_TransplantWrapper.
  * Grab a strong reference to all wrappers to transplant before potentially GCing, keeping all of the compartments alive.

I went with the second option, as it's the clearest and easiest to get right. It might keep a compartment alive a little bit longer than strictly necessary, but IMO that's fine.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #483022 - Flags: review?(jst)
Attachment #483022 - Flags: review?(jorendorff)
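A reduced model of the failure described in comment 5 and of the fix chosen there, added here as an illustration and not SpiderMonkey's code: `Runtime`, `Compartment`, `transplant` and `runScenario` are assumed names, and a `weak_ptr` snapshot stands in for the dangling JSCompartment pointer so that the stale use is detectable instead of undefined behaviour.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>
struct Object { std::string name; };
// A compartment owns a map from target objects to their cross-compartment wrappers.
struct Compartment { std::map<const Object*, std::string> crossCompartmentMap; };
struct TransplantResult { int rewrapped = 0; int stale = 0; };
// The runtime holds one strong reference per compartment; gc() sweeps every compartment nothing else references.
struct Runtime {
    std::vector<std::shared_ptr<Compartment>> compartments;
    void gc() {
        std::vector<std::shared_ptr<Compartment>> live;
        for (auto& c : compartments) if (c.use_count() > 1) live.push_back(c);
        compartments.swap(live);
    }
};
// Look `obj` up in every compartment and rewrap it, with a GC after each rewrap (the GC "in the
// middle of JS_TransplantWrapper"). holdStrongRefs=false is the pre-fix shape: the weak snapshot
// stands in for the stale compartment pointer. holdStrongRefs=true is the fix: take strong refs first.
TransplantResult transplant(Runtime& rt, const Object* obj, bool holdStrongRefs) {
    std::vector<std::weak_ptr<Compartment>> snapshot(rt.compartments.begin(), rt.compartments.end());
    std::vector<std::shared_ptr<Compartment>> keepAlive;
    if (holdStrongRefs) for (auto& c : rt.compartments)
        if (c->crossCompartmentMap.count(obj)) keepAlive.push_back(c);
    TransplantResult r;
    for (auto& w : snapshot) {
        auto c = w.lock();
        if (!c) { ++r.stale; continue; }  // swept compartment: the real code would read freed memory
        auto it = c->crossCompartmentMap.find(obj);
        if (it == c->crossCompartmentMap.end()) continue;
        it->second = "rewrapped:" + obj->name;
        ++r.rewrapped;
        rt.gc();  // rewrapping allocates, and allocation can trigger a GC
    }
    return r;
}
// Constructed scenario: three compartments wrap `obj`; only the first is otherwise alive.
TransplantResult runScenario(bool holdStrongRefs) {
    Object obj{"target"};
    Runtime rt;
    for (int i = 0; i < 3; ++i) {
        auto c = std::make_shared<Compartment>();
        c->crossCompartmentMap[&obj] = "wrapper";
        rt.compartments.push_back(c);
    }
    std::shared_ptr<Compartment> liveWindow = rt.compartments[0];  // keeps compartment 0 alive
    return transplant(rt, &obj, holdStrongRefs);
}
```

Without the keep-alive references the first rewrap's GC sweeps the two otherwise-dead compartments and the loop meets them as stale entries; with them every compartment survives until the loop is done.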
(Assignee)

Comment 6

7 years ago
Created attachment 483023 [details] [diff] [review]
test that shows the problem

jorendorff, do you think this is valuable enough to check in?
Attachment #483023 - Flags: review?(jorendorff)
(Reporter)

Updated

7 years ago
Attachment #483022 - Flags: review?(jst) → review+

Updated

7 years ago
Attachment #483022 - Flags: review?(jorendorff) → review+

Updated

7 years ago
Attachment #483023 - Flags: review?(jorendorff) → review+
Yes.

Comment 8

7 years ago
http://hg.mozilla.org/mozilla-central/rev/9cc97697dcef
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Keywords: intermittent-failure
Whiteboard: [orange]