Closed Bug 810560 Opened 12 years ago Closed 12 years ago

Intermittent Assertion failure: !thing->compartment()->scheduledForDestruction in test_bug518122.html [@ js::gc::MarkInternal]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla19
Tracking Flags:
Tracking Status
firefox18 --- unaffected

People

(Reporter: philor, Assigned: billm)

References

Details

(Keywords: assertion, intermittent-failure)

Attachments

(1 file)

fix
12.77 KB, patch
luke
: review+
Details | Diff | Splinter Review
https://tbpl.mozilla.org/php/getParsedLog.php?id=16918272&tree=Mozilla-Inbound Rev4 MacOSX Snow Leopard 10.6 mozilla-inbound debug test mochitest-1 on 2012-11-09 20:56:56 PST for push 98e22583895a slave: talos-r4-snow-082 10916 INFO TEST-START | /tests/content/html/content/test/test_bug518122.html ++DOMWINDOW == 96 (0x14e026300) [serial = 2133] [outer = 0x12918d680] Assertion failure: !thing->compartment()->scheduledForDestruction, at ../../../js/src/gc/Marking.cpp:92 [Child 357] WARNING: shutting down early because of crash!: file ../../../dom/ipc/ContentChild.cpp, line 813 [Child 357] WARNING: content process _exit()ing: file ../../../dom/ipc/ContentChild.cpp, line 858 TEST-UNEXPECTED-FAIL | /tests/content/html/content/test/test_bug518122.html | Exited with code 1 during test run INFO | automation.py | Application ran for: 0:20:06.484813 INFO | automation.py | Reading PID log: /var/folders/Hs/HsDn6a9SG8idoIya6p9mtE+++TI/-Tmp-/tmp8wq0rdpidlog Downloading symbols from: http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-inbound-macosx64-debug/1352521172/firefox-19.0a1.en-US.mac64.crashreporter-symbols.zip PROCESS-CRASH | /tests/content/html/content/test/test_bug518122.html | application crashed (minidump found) Crash dump filename: /var/folders/Hs/HsDn6a9SG8idoIya6p9mtE+++TI/-Tmp-/tmpxjqB02/minidumps/CBF78EE0-EAE0-49AE-AC6E-9CA0B95BA210.dmp Operating system: Mac OS X 10.6.8 10K549 CPU: amd64 family 6 model 23 stepping 10 2 CPUs Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS Crash address: 0x0 Thread 0 (crashed) 0 XUL!void js::gc::MarkInternal<JSObject>(JSTracer*, JSObject**) [Marking.cpp : 110 + 0x0] rbx = 0x00007fff701a72f8 r12 = 0x000000010549a2a8 r13 = 0x000000010549a000 r14 = 0x0000000148fd5250 r15 = 0x0000000107b92701 rip = 0x000000010392fec0 rsp = 0x00007fff5fbfad00 rbp = 0x00007fff5fbfad30 Found by: given as instruction pointer in context 1 XUL!js::ObjectImpl::writeBarrierPre(js::ObjectImpl*) [ObjectImpl-inl.h : 438 + 0x16] rbx = 0x0000000148fd5250 r12 = 0x0000000000000000 r13 = 0x000000014c5dbc00 r14 = 0x0000000100c59a00 r15 = 0x0000000107b92701 rip = 0x00000001036c8ca4 rsp = 0x00007fff5fbfad40 rbp = 0x00007fff5fbfad50 Found by: call frame info 2 XUL!js::IncrementalReferenceBarrier(void*) [jsfriendapi.cpp : 912 + 0x7] rbx = 0x0000000148fd5250 r12 = 0x0000000000000000 r13 = 0x000000014c5dbc00 r14 = 0x0000000100c59a00 r15 = 0x0000000107b92701 rip = 0x0000000103717af1 rsp = 0x00007fff5fbfad60 rbp = 0x00007fff5fbfad80 Found by: call frame info 3 XUL!nsNodeSH::PreCreate(nsISupports*, JSContext*, JSObject*, JSObject**) [xpcpublic.h : 152 + 0x7] rbx = 0x00000001462bfc01 r12 = 0x0000000148fd5250 r13 = 0x000000014c5dbc00 r14 = 0x000000014c5dbc08 r15 = 0x0000000107b92740 rip = 0x00000001022e4890 rsp = 0x00007fff5fbfad90 rbp = 0x00007fff5fbfae30 Found by: call frame info 4 XUL!nsElementSH::PreCreate(nsISupports*, JSContext*, JSObject*, JSObject**) [nsDOMClassInfo.cpp : 8144 + 0x4] rbx = 0x00000001462bfca8 r12 = 0x00007fff5fbfb570 r13 = 0x00000001022e5a80 r14 = 0x0000000107b92740 r15 = 0x00007fff5fbfb050 rip = 0x00000001022e55f5 rsp = 0x00007fff5fbfae40 rbp = 0x00007fff5fbfae80 Found by: call frame info 5 XUL!ConstructSlimWrapper(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, JS::Value*) [XPCWrappedNative.cpp : 3814 + 0xc] rbx = 0x00000001462bfca8 r12 = 0x00007fff5fbfb570 r13 = 0x00000001022e5a80 r14 = 0x000000010aabb060 r15 = 0x00007fff5fbfb050 rip = 0x0000000102832854 rsp = 0x00007fff5fbfae90 rbp = 0x00007fff5fbfaf40 Found by: call frame info 6 XUL!XPCConvert::NativeInterface2JSObject(XPCLazyCallContext&, JS::Value*, nsIXPConnectJSObjectHolder**, xpcObjectHelper&, nsID const*, XPCNativeInterface**, bool, tag_nsresult*) [XPCConvert.cpp : 875 + 0x15] rbx = 0x0000000000000000 r12 = 0x00007fff5fbfb280 r13 = 0x0000000107b92748 r14 = 0x00007fff5fbfb270
Mmm, PreCreate.
Attached patch fixSplinter Review
I think this should take care of the problem.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #680784 - Flags: review?(luke)
Comment on attachment 680784 [details] [diff] [review] fix Review of attachment 680784 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsapi.cpp @@ +1556,5 @@ > JS_ASSERT(origobj != target); > JS_ASSERT(!IsCrossCompartmentWrapper(origobj)); > JS_ASSERT(!IsCrossCompartmentWrapper(target)); > > + AutoDeadCompartmentGC agc(cx); A "dead compartment GC" sounds like a different thing. How about AutoMaybeTouchDeadCompartments? ::: js/src/jswrapper.h @@ +299,5 @@ > + * This auto class should be used around any code, such as brain transplants, > + * that may touch dead compartments. Brain transplants can cause problems > + * because they operate on all compartments, whether live or dead. A brain > + * transplant can cause a formerly dead object to be "reanimated" by causing a > + * read or write barrier to be invoked on it during the transplant. I would not be opposed to appending: "In this way, a compartment becomes a zombie, kept alive by repeatedly consuming (transplanted) brains." ::: js/xpconnect/src/XPCWrappedNative.cpp @@ +510,5 @@ > mozilla::Maybe<JSAutoCompartment> ac; > > if (sciWrapper.GetFlags().WantPreCreate()) { > + // PreCreate may touch dead compartments. > + js::AutoDeadCompartmentGC agc(parent); It seems like you'd want to scope 'agc' here (and below x2) as narrowly as possible to avoid unintended full GCs. There is a lot of code below PreCreate, so perhaps you could either block-scope it or, if that looks ugly, use Maybe<> and call 'destruct' after.
Attachment #680784 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/a10481c78d8e https://hg.mozilla.org/mozilla-central/rev/866e9c7d656d
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Blocks: 811587
Whiteboard: [orange]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: