Closed Bug 609793 Opened 14 years ago Closed 7 years ago

Crash in XPConnect code caused by a seemingly benign code change ([@ XPC_WN_CallMethod], [@ XPC_WN_GetterSetter])

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INACTIVE
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: ehsan.akhgari, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Attachments

(2 files)

gdb log
29.89 KB, text/plain
Details
Test changes
2.43 KB, patch
Details | Diff | Splinter Review
Attached file gdb log
This patches causes intermittent crashes in browser-chrome tests: http://hg.mozilla.org/mozilla-central/rev/119ed9cbd3c6 Here are the crash logs: http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1288907394.1288908638.9885.gz&fulltext=1 http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1288909347.1288910085.18324.gz&fulltext=1 http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1288908667.1288910403.19870.gz&fulltext=1 http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1288911180.1288912207.28675.gz&fulltext=1 http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1288905988.1288908421.8895.gz&fulltext=1 http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1288910208.1288911386.24890.gz&fulltext=1 http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1288906850.1288908627.9851.gz&fulltext=1 I've managed to reproduce this crash locally once, and DumpJSStack() pointed me to somewhere around here on the js stack: <http://hg.mozilla.org/mozilla-central/annotate/c0dbdafa583c/browser/base/content/browser.js#l7431> But I'm not certain about this at all, as I've only been able to reproduce this locally once; I'm attaching the gdb log from that one time here. Also, it seems like the "XPConnect is being called on a scope without a 'Components' property" assertion always precedes this crash. Can someone investigate this, please?
Attachment #488375 - Attachment mime type: application/octet-stream → text/plain
I looked at the preprocessed browser.js file, and the crash happens when we try to call setTimeout.
Attached patch Test changesSplinter Review
With this patch applied, if I run |TEST_PATH=toolkit/components/satchel/test/ make -C ff-dbg/ mochitest-plain| and press the Run Tests link while the tests are in flight, the console gets spammed with this error and Firefox sometimes crashes. Without the patch applied, I can't reproduce.
I posted attachment 490446 [details] [diff] [review] to remove the setTimeout call I mentioned in comment 1. This might need to block 2.0 (at least for investigation) because a crash which happens because of a setTimeout call is scary...
blocking2.0: --- → ?
Based on Ehsan's debugging session (attachment), this looks like the JS engine is handing a dead object to XPConnect. Luke agreed that there's no GC hazard in this code that could cause obj to be deleted in XPC_WN_CallMethod(), which suggests to me that obj is already dead when XPConnect gets it. Over to the JS engine.
Assignee: nobody → general
Component: XPConnect → JavaScript Engine
QA Contact: xpconnect → general
There are some crashes on crash-stats with XPC_WN_GetterSetter in their signature (which is where the crash happens now on mozilla-central.
Summary: Crash in XPConnect code caused by a seemingly benign code change ([@ XPC_WN_CallMethod]) → Crash in XPConnect code caused by a seemingly benign code change ([@ XPC_WN_CallMethod], [@ XPC_WN_GetterSetter])
And the crash stats link that I meant to paste is http://bit.ly/aFjfSn.
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Roughly 185 Windows crashes in the last week on the trunk in the @ XPC_WN_CallMethod signature (or variants thereof). For @ XPC_WN_GetterSetter there are roughly 200 crashes in the last week on the trunk with several variant signatures as well. I listed the variants below: XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned int, int*, int*) XPC_WN_GetterSetter(JSContext*, unsigned int, unsigned __int64*) XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned int, long*, long*) XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned int, unsigned __int64*, unsigned __int64*) @0x0 | XPC_WN_GetterSetter(JSContext*, unsigned int, unsigned __int64*) @0x0 | XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned int, int*, int*) XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, int*, int*) XPC_WN_CallMethod(JSContext*, unsigned int, unsigned __int64*) @0x0 | XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, int*, int*) XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) @0x0 | XPC_WN_CallMethod(JSContext*, unsigned int, unsigned __int64*)
We've fixed bugs in the past where we could end up with an outer window being collected too early, after we've cleared its scope (bug 606709). This sounds very related. Ehsan, do you think there's a faster way to move forward here than to attempt to re-land the patch that triggered this intermittent crash? Given the lack of reliable ways to reproduce this, I don't think we can block on this.
blocking2.0: ? → -
(In reply to comment #9) > We've fixed bugs in the past where we could end up with an outer window being > collected too early, after we've cleared its scope (bug 606709). This sounds > very related. Ehsan, do you think there's a faster way to move forward here > than to attempt to re-land the patch that triggered this intermittent crash? Actually, the patch which triggered this landed a while ago (bug 607482), so it might have been something which is either fixed, or is no longer triggered by that patch. I'd WFM this if I _knew_ that the former case is true, but I'm not sure. The only way that I can think of to investigate this is to update to a cset around the time when when bug 607482 landed for the first or second time, apply the patch, and run under the debugger. > Given the lack of reliable ways to reproduce this, I don't think we can block > on this. Totally agreed!
Crash Signature: [@ XPC_WN_CallMethod] [@ XPC_WN_GetterSetter]
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: