Closed
Bug 769059
Opened 13 years ago
Closed 13 years ago
ASSERTION: scope has non-empty map: '0 == mWrappedNativeMap->Count()' Followed by CRASH in js::gc::ArenaHeader::getThingSize
Categories
(Core :: XPConnect, defect)
RESOLVED DUPLICATE of bug 752340
People
(Reporter: johns, Unassigned)
Details
(Keywords: testcase, Whiteboard: [sg:dupe 752340])
Attachments
(1 file)
508 bytes, text/html
Triggering a GC after loading the affected test case results in a browser meltdown. Some poking around looks like we're calling xpc_IsGrayGCThing() on invalid memory.
This test case was originally created to trigger an unrelated assertion in nsObjectLoadingContent, but jst and I spent a while poking at it and it seems to be unrelated to any wrapper-touching done there.
Final Output
================
[New Thread 0x7fffa17fc700 (LWP 27185)]
-134482112[6343b0]: ###!!! ASSERTION: scope has non-empty map: '0 == mWrappedNativeMap->Count()', file /home/johns/moz/moz-git/js/xpconnect/src/XPCWrappedNativeScope.cpp, line 264
###!!! ASSERTION: scope has non-empty map: '0 == mWrappedNativeMap->Count()', file /home/johns/moz/moz-git/js/xpconnect/src/XPCWrappedNativeScope.cpp, line 264
--DOMWINDOW == 15 (0x2fe3d70) [serial = 14] [outer = 0x337a860] [url = about:blank]
--DOMWINDOW == 14 (0x2e145d0) [serial = 12] [outer = 0x2dcd3b0] [url = about:blank]
--DOMWINDOW == 13 (0x14a6d60) [serial = 7] [outer = 0x23e0ad0] [url = about:blank]
--DOMWINDOW == 12 (0x294dce0) [serial = 9] [outer = 0x23e0ad0] [url = about:blank]
Assertion failure: allocated(), at ../../../dist/include/gc/Heap.h:596
Program received signal SIGSEGV, Segmentation fault.
Crash and backtrace
===================
[Switching to Thread 0x7fffe3eea700 (LWP 27158)]
0x00007ffff1858c3a in js::gc::ArenaHeader::getThingSize (this=0x7fffe0457000) at ../../../dist/include/gc/Heap.h:596
596 JS_ASSERT(allocated());
(gdb) bt
#0 0x00007ffff1858c3a in js::gc::ArenaHeader::getThingSize (this=0x7fffe0457000) at ../../../dist/include/gc/Heap.h:596
#1 0x00007ffff38871cf in js::gc::AssertValidColor (thing=0x7fffe04571c0, color=1) at /home/johns/moz/moz-git/js/src/gc/Heap.h:911
#2 0x00007ffff388722c in js::gc::Cell::isMarked (this=0x7fffe04571c0, color=1) at /home/johns/moz/moz-git/js/src/gc/Heap.h:941
#3 0x00007ffff3888a47 in js::GCThingIsMarkedGray (thing=0x7fffe04571c0) at /home/johns/moz/moz-git/js/src/jsfriendapi.cpp:465
#4 0x00007ffff1d56850 in xpc_IsGrayGCThing (thing=0x7fffe04571c0) at ../../../dist/include/xpcpublic.h:139
#5 0x00007ffff1d56885 in nsWrapperCache::IsBlack (this=0x33b9848)
at /home/johns/moz/moz-git/content/base/src/../../../dom/base/nsWrapperCacheInlines.h:24
#6 0x00007ffff1e0aa4a in nsGenericElement::CanSkipInCC (aNode=0x13168e0) at /home/johns/moz/moz-git/content/base/src/nsGenericElement.cpp:3032
#7 0x00007ffff1db196e in nsDocument::cycleCollection::CanSkipInCCImpl (p=0x13168e0)
at /home/johns/moz/moz-git/content/base/src/nsDocument.cpp:1692
#8 0x00007ffff3089346 in nsCycleCollectionParticipant::CanSkipInCC (this=0x7ffff508fb00, p=0x13168e0)
at ../../dist/include/nsCycleCollectionParticipant.h:275
#9 0x00007ffff308c861 in AddPurpleRoot (builder=..., root=0x13168e0) at /home/johns/moz/moz-git/xpcom/base/nsCycleCollector.cpp:1974
#10 0x00007ffff308a58b in nsPurpleBuffer::SelectPointers (this=0x740ee0, aBuilder=...)
at /home/johns/moz/moz-git/xpcom/base/nsCycleCollector.cpp:974
Reporter
Comment 1 • 13 years ago
Note this segfaults in JS_ASSERT(allocated()); and doesn't appear to be a guaranteed crash in non-debug builds.
Comment 2 • 13 years ago
The assertion indicates that an object hasn't been properly unregistered from mWrappedNativeMap before the WrappedNativeScope dies. There's another bug around like that; maybe this is related.
Updated • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE