Closed
Bug 643083
Opened 13 years ago
Closed 6 years ago
Crash: [@ JSAutoRequest::~JSAutoRequest]
Categories
(Core :: DOM: Content Processes, defect, P5)
Core
DOM: Content Processes
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: stechz, Unassigned)
Details
(Keywords: crash)
Crash Data
Attachments
(2 files, 1 obsolete file)
5.35 KB,
patch
|
smaug
:
review+
cdleary
:
feedback+
|
Details | Diff | Splinter Review |
896 bytes,
patch
|
cjones
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
In TabParent.cpp:607, it is possible for a JS context to be destroyed during the ReceiveMessage callback (for instance, if a window is closed). This makes ctx a dangling pointer and causes a crash in ~JSAutoRequest. There could be other invariants being violated in this code. I don't know it well enough to say.
Reporter | ||
Comment 1•13 years ago
|
||
This hack fixes the crash for me, but I worry that we may want something more thorough. Need a testcase too.
Reporter | ||
Updated•13 years ago
|
Attachment #520388 -
Flags: feedback?(Olli.Pettay)
Comment 2•13 years ago
|
||
We probably shouldn't be holding the request across the call to ReceiveMessage... That is, scope the request to right around the JS_NewArrayObject call.
Reporter | ||
Comment 3•13 years ago
|
||
The hardest part of this patch was the test! It's not easy to get the window to close on the same event where you receive a message. bz's suggestion fixes the crash, and without the patch the crash occurs with this browser chrome test.
Attachment #520409 -
Flags: review?(Olli.Pettay)
Reporter | ||
Updated•13 years ago
|
Attachment #520388 -
Attachment is obsolete: true
Attachment #520388 -
Flags: feedback?(Olli.Pettay)
Comment 4•13 years ago
|
||
Comment on attachment 520409 [details] [diff] [review] Crash: JSAutoRequest::~JSAutoRequest ># HG changeset patch ># User Benjamin Stover <bstover@mozilla.com> ># Date 1300518693 25200 ># Node ID 1556234b9baf8302670765866dfefb4928faedd1 ># Parent 00a73b6f85e488a78587ffa6d48331cb3959746b >Bug 643083 Crash: JSAutoRequest::~JSAutoRequest > >diff --git a/dom/ipc/TabParent.cpp b/dom/ipc/TabParent.cpp >--- a/dom/ipc/TabParent.cpp >+++ b/dom/ipc/TabParent.cpp >@@ -584,24 +584,30 @@ bool > TabParent::ReceiveMessage(const nsString& aMessage, > PRBool aSync, > const nsString& aJSON, > InfallibleTArray<nsString>* aJSONRetVal) > { > nsRefPtr<nsFrameLoader> frameLoader = GetFrameLoader(); > if (frameLoader && frameLoader->GetFrameMessageManager()) { > nsFrameMessageManager* manager = frameLoader->GetFrameMessageManager(); >- JSContext* ctx = manager->GetJSContext(); >- JSAutoRequest ar(ctx); >- PRUint32 len = 0; //TODO: obtain a real value in bug 572685 >- // Because we want JS messages to have always the same properties, >- // create array even if len == 0. >- JSObject* objectsArray = JS_NewArrayObject(ctx, len, NULL); >- if (!objectsArray) { >- return false; >+ >+ // Context may be gone after calling ReceiveMessage, so scope the >+ // context pointer to prevent dangling. >+ JSObject* objectsArray; >+ { >+ JSContext* ctx = manager->GetJSContext(); >+ JSAutoRequest ar(ctx); >+ PRUint32 len = 0; //TODO: obtain a real value in bug 572685 >+ // Because we want JS messages to have always the same properties, >+ // create array even if len == 0. >+ objectsArray = JS_NewArrayObject(ctx, len, NULL); >+ if (!objectsArray) { >+ return false; >+ } > } I assume objectsArray is kept alive because of conservative GC. Could you ask someone from js team?
Attachment #520409 -
Flags: review?(Olli.Pettay) → review+
Reporter | ||
Comment 5•13 years ago
|
||
Comment on attachment 520409 [details] [diff] [review] Crash: JSAutoRequest::~JSAutoRequest cdleary, do you know? Or who would be a good person to ask?
Attachment #520409 -
Flags: feedback?(cdleary)
Comment 6•13 years ago
|
||
Comment on attachment 520409 [details] [diff] [review] Crash: JSAutoRequest::~JSAutoRequest All JSObject pointers that are present on the machine stack or in registers will be recognized as reachable objects by conservative stack scanning. Hazards usually come into play when you extract some stuff from an object's guts and pass that around without temporarily rooting the containing object (like extracting jschar * from a JSString). Without looking into the details of ReceiveMessage, this looks like it will be okay. + if (!objectsArray) { + return false; + } Should probably be NULL.
Attachment #520409 -
Flags: feedback?(cdleary) → feedback+
Reporter | ||
Comment 7•13 years ago
|
||
Pushed http://hg.mozilla.org/mozilla-central/rev/868be4c08700
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 8•13 years ago
|
||
Backed out due to test crash / leak failures. This probably has something to do with having a remote browser.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Reporter | ||
Comment 9•13 years ago
|
||
The leak can be found by running the dom browser-tests by themselves: python runtests.py --browser-chrome --test-path=dom/tests/browser I've modified my makefile so just the one test runs. The leaks I'm seeing in the child process: |<----------------Class--------------->|<-----Bytes------>|<----------------Objects---------------->|<--------------References-------------->| Per-Inst Leaked Total Rem Mean StdDev Total Rem Mean StdDev 0 TOTAL 22 776 31048 11 ( 669.64 +/- 855.10) 55933 5 ( 1477.21 +/- 2482.61) 53 PuppetWidget 216 432 2 2 ( 1.50 +/- 0.71) 29 1 ( 4.93 +/- 2.22) 90 gfxASurface 24 24 12 1 ( 4.52 +/- 1.97) 0 0 ( 0.00 +/- 0.00) 115 nsBaseWidget 124 124 1 1 ( 1.00 +/- 0.00) 29 1 ( 4.93 +/- 2.22) 237 nsGTKToolkit 32 32 1 1 ( 1.00 +/- 0.00) 1 1 ( 1.00 +/- 0.00) 326 nsRect 16 48 104 3 ( 24.00 +/- 15.17) 0 0 ( 0.00 +/- 0.00) 342 nsScreenManagerGtk 28 28 1 1 ( 1.00 +/- 0.00) 8 1 ( 2.40 +/- 0.99) 399 nsThebesDeviceContext 84 84 4 1 ( 1.43 +/- 0.53) 37 1 ( 4.12 +/- 2.21) 416 nsVoidArray 4 4 483 1 ( 98.05 +/- 48.00) 0 0 ( 0.00 +/- 0.00) TabChild appears to be cleaning up after itself fine (DestroyWindow is called). nsThebesDeviceContext is getting leaked, but not by an nsCOMPtr according to find-comptr-leakers.
Severity: normal → critical
Keywords: crash
Summary: Crash: JSAutoRequest::~JSAutoRequest → Crash: [@ JSAutoRequest::~JSAutoRequest]
Reporter | ||
Comment 10•13 years ago
|
||
Attachment #522491 -
Flags: review?(jones.chris.g)
Reporter | ||
Updated•13 years ago
|
Attachment #522491 -
Flags: superreview?(roc)
Reporter | ||
Comment 11•13 years ago
|
||
Chris and Roc, Quick catch-up. This followup patch fixes a leak for PuppetWidget that was occurring on mochitests for this bug. Olli suggested this change. I suppose that the test in this bug must be the first test that checks for leaks.
Attachment #522491 -
Flags: superreview?(roc) → superreview+
Comment on attachment 522491 [details] [diff] [review] Test fix: clean up puppet widget properly Seems like maybe BaseWidget::Destroy perhaps ought to be doing this, but if roc is happy I'm happy.
Attachment #522491 -
Flags: review?(jones.chris.g) → review+
Reporter | ||
Comment 13•13 years ago
|
||
Backed out again. Keeping the tabchild cleanup which was pushed here: http://hg.mozilla.org/mozilla-central/rev/4d7a0a6dd613 There's a permaish-orange for mochitest-other on OS X and Windows. :(
Reporter | ||
Comment 14•13 years ago
|
||
In retrospect and now that the builds have fully completed, looking at the tryserver suggests that maybe I just saw a few random oranges happen? I need a second opinion.
Comment 15•13 years ago
|
||
I can look, but which changeset is yours on try? How long ago was this?
Reporter | ||
Comment 16•13 years ago
|
||
bz: the patch got several runs with mochitests before I backed it out, so it was a series of runs last night. I believe it added a new random orange like this one: http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1301446512.1301451126.7332.gz&fulltext=1#err0 smaug and I have talked it over on IRC. This looks to be a problem with a frame script getting loaded late into the shutdown process. One problem was that the test was using |true| with loadFrameScript which is not what we ever want to do for a test run! Another problem is that we shouldn't be receiving messages from the child process so late. Filing a bug for the second one and trying |false| for this patch so we can get this landed!
Assignee | ||
Updated•13 years ago
|
Crash Signature: [@ JSAutoRequest::~JSAutoRequest]
Updated•10 years ago
|
Component: IPC → DOM: Content Processes
Comment 17•6 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046 Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5. If you have questions, please contact :mdaly.
Priority: -- → P5
Comment 18•6 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 6 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•