Crash in workers/interfaces.worker, causing intermittent /XMLHttpRequest/send-usp.worker and /WebCryptoAPI/import_export/rsa_importKey.worker #12654

Closed
Ms2ger opened this issue Jul 29, 2016 · 7 comments

Comments

@Ms2ger
Contributor

@Ms2ger Ms2ger commented Jul 29, 2016

(gdb) bt
#0  0x000055555820072a in js::ObjectGroup::compartment (this=0xfffe2b2b2b2b2b2b)
    at /js/src/vm/ObjectGroup.h:127
#1  0x0000555558201677 in JSObject::compartment (this=0x7fffef6faeb0)
    at /js/src/jsobj.h:170
#2  0x0000555558292a70 in JSObject::global (this=0x7fffef6faeb0)
    at /js/src/jsobjinlines.h:427
#3  0x0000555558623ae3 in JSCompartment::wrap (this=0x7fffe6490e00, cx=0x7fffe64dd8c0, obj=..., existingArg=...)
    at /js/src/jscompartment.cpp:408
#4  0x00005555585f735a in JSCompartment::wrap (this=0x7fffe6490e00, cx=0x7fffe64dd8c0, vp=..., existing=...)
    at /js/src/jscompartmentinlines.h:117
#5  0x00005555585beebe in JS_WrapValue (cx=0x7fffe64dd8c0, vp=...)
    at /js/src/jsapi.cpp:819
#6  0x0000555556fdc413 in {{inlined-root}}::to_jsval (self=0x7fffe73f5c68, cx=0x7fffe64dd8c0, rval=...)
    at /src/conversions.rs:169
#7  0x0000555557a20e78 in script::dom::bindings::codegen::Bindings::MessageEventBinding::get_data::{{closure}} ()
    at /Bindings/MessageEventBinding.rs:223
#8  0x0000555557a20e99 in extern$u20$$u22$rust.call$u22$$u20$fn$LP$$u5b$closure$SP$$u2f$...$MessageEventBinding.rs.214.55.$u20$224.22$u20$this.$RF$$BP$const$u20$dom..messageevent..MessageEvent$C$$u20$cx.$RF$$BP$mut$u20$js..jsapi..JSContext$C$$u20$args.$RF$js..jsapi..JSJitGetterCallArgs$u5d$$C$$u20$$LP$$RP$$RP$$u20$.$GT$$u20$bool::once_shim.80345::hc7b5e96d18539594 ()
    at /webrender_traits-aa8db8cbebbc2a47/master/src/lib.rs:429
#9  0x00005555570e62b3 in {{inlined-root}}::call_once<bool,closure> (self=..., _args=0)
    at /libstd/panic.rs:256
#10 0x00005555578c83e4 in std::panicking::try::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h90d724e32708f9ca ()
    at /webrender_traits-aa8db8cbebbc2a47/master/src/lib.rs:429
#11 0x0000555556a23ae5 in {{inlined-root}}::call<closure> (f=0x7fffe73f5f48)
    at /libstd/panicking.rs:272
#12 0x000055555a3c3d37 in __rust_maybe_catch_panic ()
#13 0x00005555578c834e in std::panicking::try::_$u7b$$u7b$closure$u7d$$u7d$::hab4bc5046beba327 ()
    at /webrender_traits-aa8db8cbebbc2a47/master/src/lib.rs:429
#14 0x0000555556abe750 in {{inlined-root}}::with<core::cell::Cell<usize>,closure,core::result::Result<(), Box<Any>>> (self=0x55555bf90cd0 <std::panicking::PANIC_COUNT::hb31a7bdb4c0bf563>, f=...)
    at /libstd/thread/local.rs:245
#15 0x0000555556a09c04 in {{inlined-root}}::try<bool,std::panic::AssertUnwindSafe<closure>> (f=...)
    at /libstd/panicking.rs:235
#16 0x00005555568f93da in {{inlined-root}}::catch_unwind<std::panic::AssertUnwindSafe<closure>,bool> (f=...)
    at /libstd/panic.rs:312
#17 0x00005555573f203c in script::dom::bindings::codegen::Bindings::MessageEventBinding::get_data (cx=0x7fffe64dd8c0, _obj=..., this=0x7fffdf48e680, args=...)
    at /Bindings/MessageEventBinding.rs:214
#18 0x00005555581dbc72 in CallJitGetterOp (info=0x55555bd37c30 <const96774>, cx=0x7fffe64dd8c0, thisObj=..., specializedThis=0x7fffdf48e680, argc=0, vp=0x7fffe73f68a0)
    at src/jsglue.cpp:454
#19 0x0000555557226d41 in script::dom::bindings::utils::generic_call (cx=0x7fffe64dd8c0, argc=0, vp=0x7fffe73f68a0, is_lenient=false, 
    call=0x5555581dbc0d <CallJitGetterOp(JSJitInfo const*, JSContext*, JS::HandleObject, void*, unsigned int, JS::Value*)>)
    at /components/script/dom/bindings/utils.rs:484
#20 0x0000555557226dfc in script::dom::bindings::utils::generic_getter (cx=0x7fffe64dd8c0, argc=0, vp=0x7fffe73f68a0)
    at /components/script/dom/bindings/utils.rs:500
#21 0x000055555850f03a in js::jit::DoCallNativeGetter (cx=0x7fffe64dd8c0, callee=..., obj=..., result=...)
    at /js/src/jit/SharedIC.cpp:3165
@asajeffrey asajeffrey changed the title Crash in workers/interfaces.worker Crash in workers/interfaces.worker, causing intermittent /XMLHttpRequest/send-usp.worker Jul 29, 2016
@asajeffrey
Member

@asajeffrey asajeffrey commented Jul 29, 2016

Causing an intermittent in /XMLHttpRequest/send-usp.worker:

  ▶ TIMEOUT [expected OK] /XMLHttpRequest/send-usp.worker
  │ 
  │ Stack trace for thread "ScriptThread PipelineId { namespace_id: PipelineNamespaceId(0), index: PipelineIndex(0) }"
  │ frame #0  - 0x000000010fcccc4e - backtrace::backtrace::trace::h1195d62c5d35d60a
  │ frame #1  - 0x000000010fcccf81 - backtrace::capture::Backtrace::new::h42f95930bb8c5ee8
  │ frame #2  - 0x000000010f8092a6 - servo::install_crash_handler::handler::h57fd71c5829cfe7c
  │ frame #3  - 0x00007fff99b3df19 - _sigtramp
  │ frame #4  - 0x0000000110be89bf - 13JSCompartment4wrapEP9JSContextN2JS13MutableHandleIP8JSObjectEENS2_6HandleIS5_E
  │ frame #5  - 0x0000000110bc635d - 13JSCompartment4wrapEP9JSContextN2JS13MutableHandleINS2_5ValueEEENS2_6HandleIP8JSObjectE
  │ frame #6  - 0x0000000110bad844 - _Z12JS_WrapValueP9JSContextN2JS13MutableHandleINS1_5ValueEEE
  │ frame #7  - 0x0000000110032128 - std::panicking::try::call::h13ebe0c801400317
  │ frame #8  - 0x00000001115f3b1a - __rust_maybe_catch_panic
  │ frame #9  - 0x000000011045d9a5 - script::dom::bindings::codegen::Bindings::MessageEventBinding::get_data::hc6d0d41ef0588a57
  │ 
  │ Stack trace for thread "ScriptThread PipelineId { namespace_id: PipelineNamespaceId(0), index: PipelineIndex(0) }"
  │ frame #0  - 0x000000010fcccc4e - backtrace::backtrace::trace::h1195d62c5d35d60a
  │ frame #1  - 0x000000010fcccf81 - backtrace::capture::Backtrace::new::h42f95930bb8c5ee8
  │ frame #2  - 0x000000010f8092a6 - servo::install_crash_handler::handler::h57fd71c5829cfe7c
  │ frame #3  - 0x00007fff99b3df19 - _sigtramp
  │ frame #4  - 0x000000010f809335 - servo::install_crash_handler::handler::h57fd71c5829cfe7c
  │ frame #5  - 0x00007fff99b3df19 - _sigtramp
  │ frame #6  - 0x0000000110be89bf - 13JSCompartment4wrapEP9JSContextN2JS13MutableHandleIP8JSObjectEENS2_6HandleIS5_E
  │ frame #7  - 0x0000000110bc635d - 13JSCompartment4wrapEP9JSContextN2JS13MutableHandleINS2_5ValueEEENS2_6HandleIP8JSObjectE
  │ frame #8  - 0x0000000110bad844 - _Z12JS_WrapValueP9JSContextN2JS13MutableHandleINS1_5ValueEEE
  │ frame #9  - 0x0000000110032128 - std::panicking::try::call::h13ebe0c801400317
  │ frame #10 - 0x00000001115f3b1a - __rust_maybe_catch_panic
  │ frame #11 - 0x000000011045d9a5 - script::dom::bindings::codegen::Bindings::MessageEventBinding::get_data::hc6d0d41ef0588a57

http://build.servo.org/builders/mac-rel-wpt/builds/2351

@jdm
Member

@jdm jdm commented Sep 7, 2016

@Ms2ger You mentioned on IRC once that you had talked to JSAPI people about this; could you add the results of those discussions here?

@Ms2ger
Contributor Author

@Ms2ger Ms2ger commented Sep 8, 2016

<jonco> Ms2ger: the '2b' pattern is swept nursery
<jonco> Ms2ger: usually this means a missing postbarrier causing a reachable nursery object to be swept

I don't think anybody looked any deeper than that.

@canova canova mentioned this issue Sep 15, 2016
4 of 5 tasks complete
@KiChjang KiChjang mentioned this issue Sep 22, 2016
4 of 5 tasks complete
@jdm jdm changed the title Crash in workers/interfaces.worker, causing intermittent /XMLHttpRequest/send-usp.worker Crash in workers/interfaces.worker, causing intermittent /XMLHttpRequest/send-usp.worker and /WebCryptoAPI/import_export/rsa_importKey.worker Sep 23, 2016
@jdm jdm mentioned this issue Sep 23, 2016
4 of 5 tasks complete
@jdm
Member

@jdm jdm commented Sep 23, 2016

  ▶ TIMEOUT [expected OK] /WebCryptoAPI/import_export/rsa_importKey.worker
  │ 
  │ Stack trace for thread "ScriptThread PipelineId { namespace_id: PipelineNamespaceId(0), index: PipelineIndex(0) }"
  │ stack backtrace:
  │    0:        0x1048e245e - backtrace::backtrace::trace::h0e60ef08c7c34e9f
  │    1:        0x1048e274c - backtrace::capture::Backtrace::new::h8bf319c36d8f5d1b
  │    2:        0x1034dc93c - servo::install_crash_handler::handler::h7801cf2e27f7ace0
  │    3:     0x7fff99b3df19 - _sigtramp
  │    4:        0x1042f40af - 13JSCompartment4wrapEP9JSContextN2JS13MutableHandleIP8JSObjectEENS2_6HandleIS5_E
  │    5:        0x1042d1a4d - 13JSCompartment4wrapEP9JSContextN2JS13MutableHandleINS2_5ValueEEENS2_6HandleIP8JSObjectE
  │    6:        0x1042b80a4 - _Z12JS_WrapValueP9JSContextN2JS13MutableHandleINS1_5ValueEEE
  │    7:        0x103987558 - std::panicking::try::do_call::h98edadb775d1f202
  │    8:        0x104dafc9a - __rust_maybe_catch_panic
  │    9:        0x103e2a957 - script::dom::bindings::codegen::Bindings::MessageEventBinding::MessageEventBinding::get_data::hda09a99032e4c842
  │   10:        0x103b54464 - script::dom::bindings::utils::generic_call::h7fc847546e37e590
  │   11:        0x1042230bd - 2js3jit18DoCallNativeGetterEP9JSContextN2JS6HandleIP10JSFunctionEENS4_IP8JSObjectEENS3_13MutableHandleINS3_5ValueEE
  │ Stack trace for thread "ScriptThread PipelineId { namespace_id: PipelineNamespaceId(0), index: PipelineIndex(0) }"
  │ stack backtrace:
  │    0:        0x1048e245e - backtrace::backtrace::trace::h0e60ef08c7c34e9f
  │    1:        0x1048e274c - backtrace::capture::Backtrace::new::h8bf319c36d8f5d1b
  │    2:        0x1034dc93c - servo::install_crash_handler::handler::h7801cf2e27f7ace0
  │    3:     0x7fff99b3df19 - _sigtramp
  │    4:        0x1034dc9c0 - servo::install_crash_handler::handler::h7801cf2e27f7ace0
  │    5:     0x7fff99b3df19 - _sigtramp
  │    6:        0x1042f40af - 13JSCompartment4wrapEP9JSContextN2JS13MutableHandleIP8JSObjectEENS2_6HandleIS5_E
  │    7:        0x1042d1a4d - 13JSCompartment4wrapEP9JSContextN2JS13MutableHandleINS2_5ValueEEENS2_6HandleIP8JSObjectE
  │    8:        0x1042b80a4 - _Z12JS_WrapValueP9JSContextN2JS13MutableHandleINS1_5ValueEEE
  │    9:        0x103987558 - std::panicking::try::do_call::h98edadb775d1f202
  │   10:        0x104dafc9a - __rust_maybe_catch_panic
  │   11:        0x103e2a957 - script::dom::bindings::codegen::Bindings::MessageEventBinding::MessageEventBinding::get_data::hda09a99032e4c842
  │   12:        0x103b54464 - script::dom::bindings::utils::generic_call::h7fc847546e37e590
  └   13:        0x1042230bd - 2js3jit18DoCallNativeGetterEP9JSContextN2JS6HandleIP10JSFunctionEENS4_IP8JSObjectEENS3_13MutableHandleINS3_5ValueEE
@Ms2ger
Contributor Author

@Ms2ger Ms2ger commented Nov 14, 2016

I looked into this for a bit. The value we get out of StructuredCloneData::read in Worker::handle_message is an ObjectValue pointing to a reclaimed object (dereferencing the *mut JSObject yields 0xfffe2b2b2b2b2b2b).
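
A triage helper for the pattern discussed in the comments above (the note that '2b' is the swept-nursery fill, and the 0xfffe2b2b2b2b2b2b value read here), added as an example that is not part of the issue thread or of Servo's code: it scans gdb backtrace text for words whose low 48 bits are one repeated byte. Ignoring the top 16 bits is an assumption based on the value seen in this issue, and the function names are hypothetical.

```rust
/// If the low 48 bits of `word` are one repeated byte, return that byte.
/// Zero and all-ones fills are skipped as too common. Assumption: the top 16
/// bits are ignored, because the value in this issue has 0xfffe there.
fn fill_byte(word: u64) -> Option<u8> {
    let b = word as u8;
    let same = (0..6).all(|i| (word >> (8 * i)) as u8 == b);
    if same && b != 0x00 && b != 0xff { Some(b) } else { None }
}

/// Extract every `0x...` literal of up to 16 hex digits from one line.
fn hex_words(line: &str) -> Vec<u64> {
    let mut out = Vec::new();
    let mut rest = line;
    while let Some(pos) = rest.find("0x") {
        let tail = &rest[pos + 2..];
        let len = tail.bytes().take_while(|c| c.is_ascii_hexdigit()).count();
        if (1..=16).contains(&len) {
            out.push(u64::from_str_radix(&tail[..len], 16).unwrap());
        }
        rest = &tail[len..];
    }
    out
}

/// (frame, word, fill byte) for each poison-looking word in gdb `bt` output.
/// 0x2b is the only fill this issue names (swept nursery); others are unlabelled.
fn scan_backtrace(bt: &str) -> Vec<(String, u64, u8)> {
    let mut frame = String::from("?");
    let mut hits = Vec::new();
    for line in bt.lines() {
        if let Some(tok) = line.split_whitespace().next().filter(|t| t.starts_with('#')) {
            frame = tok.to_string();
        }
        for w in hex_words(line) {
            if let Some(b) = fill_byte(w) {
                hits.push((frame.clone(), w, b));
            }
        }
    }
    hits
}

// Frames #0 and #1 of the gdb backtrace at the top of this issue.
const SAMPLE: &str = "#0  0x000055555820072a in js::ObjectGroup::compartment (this=0xfffe2b2b2b2b2b2b)
#1  0x0000555558201677 in JSObject::compartment (this=0x7fffef6faeb0)";

fn main() {
    for (frame, word, b) in scan_backtrace(SAMPLE) {
        println!("{}: {:#018x} repeats byte {:#04x}", frame, word, b);
    }
}
```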

@Ms2ger
Contributor Author

@Ms2ger Ms2ger commented Nov 14, 2016

@jdm
Member

@jdm jdm commented Nov 14, 2016

If you can reproduce this, it would be worth seeing whether it's also caused by #13096.

Ms2ger added a commit that referenced this issue Jan 17, 2017
I ran it 250 times, and it passed every time.

Fixes #12654.
bors-servo added a commit that referenced this issue Jan 18, 2017
Enable interfaces.worker.html.

I ran it 250 times, and it passed every time.

Fixes #12654.

bors-servo added a commit that referenced this issue Jan 25, 2017
Reenable some tests

These should have been enabled as part of #15081 since they're grouped with #12654.
