Skip to content

/ servo

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GC crash while reloading a page #22342

Closed
jdm opened this issue Dec 1, 2018 · 3 comments
Closed

GC crash while reloading a page #22342

jdm opened this issue Dec 1, 2018 · 3 comments
Assignees
@jdm
Labels
A-content/bindings I-crash

Comments

@jdm
Copy link
Member

@jdm jdm commented Dec 1, 2018
edited

I can easily trigger a crash in SpiderMonkey when reloading the following page:
./mach run -d data:,hi
@jdm
Copy link
Member Author

@jdm jdm commented Dec 1, 2018 

Stack trace for thread "ScriptThread PipelineId { namespace_id: PipelineNamespaceId(1), index: PipelineIndex(2) }"
stack backtrace:
   0:        0x10d1bdbd4 - __ZN9backtrace9backtrace5trace17hefbd7c3b17ad6e6eE
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/backtrace/mod.rs:42
   1:        0x10d1b6c7c - __ZN9backtrace7capture9Backtrace14new_unresolved17hfa7d39a5ef5fb84fE
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/capture.rs:88
   2:        0x10d1b6bde - __ZN9backtrace7capture9Backtrace3new17hb34b0ddcba79179eE
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/capture.rs:63
   3:        0x10724e35c - __ZN5servo21install_crash_handler7handler17hf778d50a611ede46E
                        at ports/servo/non_android_main.rs:53
   4:     0x7fffd4c74b39 - __sigtramp
   5:        0x10d67e0ab - __ZN2js7AtomizeEP9JSContextPKcmNS_15PinningBehaviorERKN7mozilla5MaybeIjEE
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/mozjs_sys-0.61.5/mozjs/js/src/vm/JSAtom.cpp:584
   6:        0x10d9bf527 - __Z20PropertySpecNameToIdP9JSContextPKcN2JS13MutableHandleI4jsidEEN2js15PinningBehaviorE
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/mozjs_sys-0.61.5/mozjs/js/src/jsapi.cpp:3322
   7:        0x10d9bf67c - __Z19JS_DefinePropertiesP9JSContextN2JS6HandleIP8JSObjectEEPK14JSPropertySpec
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/mozjs_sys-0.61.5/mozjs/js/src/jsapi.cpp:3347
   8:        0x10d5e3d76 - __ZN5mozjs4rust17define_properties17h9ad70722a9c94942E
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/mozjs-0.9.5/src/rust.rs:1003
   9:        0x10825e07d - __ZN6script3dom8bindings9interface25define_guarded_properties17h113c888ae0a60473E
                        at components/script/dom/bindings/interface.rs:341
  10:        0x10825dd0c - __ZN6script3dom8bindings9interface13create_object17h56f91ddf3612e559E
                        at components/script/dom/bindings/interface.rs:303
  11:        0x10825d0f6 - __ZN6script3dom8bindings9interface33create_interface_prototype_object17h96a4d2afef13db54E
                        at components/script/dom/bindings/interface.rs:194
  12:        0x109bd0459 - __ZN6script3dom8bindings7codegen8Bindings23PerformanceEntryBinding23PerformanceEntryBinding22CreateInterfaceObjects17hec621a42cf12570fE
                        at /Users/jdm/src/servo/target/debug/build/script-8d18edbcefa47987/out/Bindings/PerformanceEntryBinding.rs:882
  13:        0x109bcfd95 - __ZN6script3dom8bindings7codegen8Bindings23PerformanceEntryBinding23PerformanceEntryBinding14GetProtoObject17h3100547d108e6a76E
                        at /Users/jdm/src/servo/target/debug/build/script-8d18edbcefa47987/out/Bindings/PerformanceEntryBinding.rs:813
  14:        0x109bd1efb - __ZN6script3dom8bindings7codegen8Bindings32PerformanceResourceTimingBinding32PerformanceResourceTimingBinding22CreateInterfaceObjects17h72f63a5c1792c17dE
                        at /Users/jdm/src/servo/target/debug/build/script-8d18edbcefa47987/out/Bindings/PerformanceResourceTimingBinding.rs:880
  15:        0x109bd19a5 - __ZN6script3dom8bindings7codegen8Bindings32PerformanceResourceTimingBinding32PerformanceResourceTimingBinding14GetProtoObject17hebbf0b774479a731E
                        at /Users/jdm/src/servo/target/debug/build/script-8d18edbcefa47987/out/Bindings/PerformanceResourceTimingBinding.rs:815
  16:        0x109968b0b - __ZN6script3dom8bindings7codegen8Bindings34PerformanceNavigationTimingBinding34PerformanceNavigationTimingBinding22CreateInterfaceObjects17hb45da5fdfb181320E
                        at /Users/jdm/src/servo/target/debug/build/script-8d18edbcefa47987/out/Bindings/PerformanceNavigationTimingBinding.rs:1216
  17:        0x1099687d5 - __ZN6script3dom8bindings7codegen8Bindings34PerformanceNavigationTimingBinding34PerformanceNavigationTimingBinding14GetProtoObject17heefe85ab383cf21cE
                        at /Users/jdm/src/servo/target/debug/build/script-8d18edbcefa47987/out/Bindings/PerformanceNavigationTimingBinding.rs:1169
  18:        0x109968342 - __ZN6script3dom8bindings7codegen8Bindings34PerformanceNavigationTimingBinding34PerformanceNavigationTimingBinding4Wrap17h406b883367340d7cE
                        at /Users/jdm/src/servo/target/debug/build/script-8d18edbcefa47987/out/Bindings/PerformanceNavigationTimingBinding.rs:945
  19:        0x10887c832 - __ZN6script3dom8bindings9reflector18reflect_dom_object17h610cb6ed6b6b0a16E
                        at components/script/dom/bindings/reflector.rs:26
  20:        0x10829b1b5 - __ZN6script3dom27performancenavigationtiming27PerformanceNavigationTiming3new17ha4d10b172b9fc7b1E
                        at components/script/dom/performancenavigationtiming.rs:57
  21:        0x108c19138 - __ZN93_$LT$script..dom..servoparser..ParserContext$u20$as$u20$net_traits..FetchResponseListener$GT$22submit_resource_timing17hfc57cb077b6a7ea9E
                        at components/script/dom/servoparser/mod.rs:857
  22:        0x108c18ecc - __ZN93_$LT$script..dom..servoparser..ParserContext$u20$as$u20$net_traits..FetchResponseListener$GT$20process_response_eof17hb1699d4d5d7091b0E
                        at components/script/dom/servoparser/mod.rs:832
  23:        0x1098de82b - __ZN6script13script_thread12ScriptThread16handle_fetch_eof17h0f27ac29b76b15c9E
                        at components/script/script_thread.rs:3206
  24:        0x1098c6ee5 - __ZN6script13script_thread12ScriptThread29handle_msg_from_constellation17h6cec296911372c5eE
                        at components/script/script_thread.rs:1544
  25:        0x1098c0f13 - __ZN6script13script_thread12ScriptThread11handle_msgs28_$u7b$$u7b$closure$u7d$$u7d$17hdff22780dec7b7fbE
                        at components/script/script_thread.rs:1283
  26:        0x1098c2a50 - __ZN6script13script_thread12ScriptThread13profile_event17h78bfc8ed69360cb1E
                        at components/script/script_thread.rs:1513
  27:        0x1098bf07f - __ZN6script13script_thread12ScriptThread11handle_msgs17hd16990e1f167785dE
                        at components/script/script_thread.rs:1277
  28:        0x1098bc8f4 - __ZN6script13script_thread12ScriptThread5start17h0a677eae40aa531aE
                        at components/script/script_thread.rs:1124
  29:        0x1098b7d94 - __ZN90_$LT$script..script_thread..ScriptThread$u20$as$u20$script_traits..ScriptThreadFactory$GT$6create28_$u7b$$u7b$closure$u7d$$u7d$28_$u7b$$u7b$closure$u7d$$u7d$17h25b37ee605e13e0dE
                        at components/script/script_thread.rs:709
  30:        0x109bf201a - __ZN14profile_traits3mem12ProfilerChan25run_with_memory_reporting17h4133e85715a24447E
                        at /Users/jdm/src/servo/components/profile_traits/mem.rs:88
  31:        0x1098b8388 - __ZN90_$LT$script..script_thread..ScriptThread$u20$as$u20$script_traits..ScriptThreadFactory$GT$6create28_$u7b$$u7b$closure$u7d$$u7d$17h24c5cccf9e4a2192E
                        at components/script/script_thread.rs:707
  32:        0x10832ea94 - __ZN3std10sys_common9backtrace28__rust_begin_short_backtrace17ha006600269679a2eE
                        at libstd/sys_common/backtrace.rs:136
  33:        0x109d09134 - __ZN3std6thread7Builder5spawn28_$u7b$$u7b$closure$u7d$$u7d$28_$u7b$$u7b$closure$u7d$$u7d$17h8bf67215597386bbE
                        at libstd/thread/mod.rs:409
  34:        0x1096c9054 - __ZN101_$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$9call_once17h712446bdca43e382E
                        at libstd/panic.rs:313
  35:        0x107dfe9e4 - __ZN3std9panicking3try7do_call17hfd592731bd9f8976E
                        at libstd/panicking.rs:310
  36:        0x10e514e8e - ___rust_maybe_catch_panic
                        at libpanic_unwind/lib.rs:102
  37:        0x107cdef03 - __ZN3std9panicking3try17h878513f99f3f8326E
                        at libstd/panicking.rs:289
  38:        0x1097ec184 - __ZN3std5panic12catch_unwind17h62b48696e49facdcE
                        at libstd/panic.rs:392
  39:        0x109d08e1e - __ZN3std6thread7Builder5spawn28_$u7b$$u7b$closure$u7d$$u7d$17heed4ee0b592706a7E
                        at libstd/thread/mod.rs:408
  40:        0x109d0ea23 - __ZN50_$LT$F$u20$as$u20$alloc..boxed..FnBox$LT$A$GT$$GT$8call_box17h412d6a419625beb6E
                        at liballoc/boxed.rs:672
  41:        0x10e4ebe2b - __ZN3std3sys4unix6thread6Thread3new12thread_start17hba53abd905cebc29E
                        at libstd/sys_common/thread.rs:24
  42:     0x7fffd4c7e93a - __pthread_body
  43:     0x7fffd4c7e886 - __pthread_start
@jdm
Copy link
Member Author

@jdm jdm commented Dec 1, 2018

With a debug-mozjs build:

Assertion failure: childRuntimeCount == 0, at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/mozjs_sys-0.61.5/mozjs/js/src/vm/Runtime.cpp:276
Stack trace for thread "ScriptThread PipelineId { namespace_id: PipelineNamespaceId(1), index: PipelineIndex(1) }"
stack backtrace:
   0:        0x10922ce44 - __ZN9backtrace9backtrace5trace17hefbd7c3b17ad6e6eE
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/backtrace/mod.rs:42
   1:        0x109225eec - __ZN9backtrace7capture9Backtrace14new_unresolved17hfa7d39a5ef5fb84fE
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/capture.rs:88
   2:        0x109225e4e - __ZN9backtrace7capture9Backtrace3new17hb34b0ddcba79179eE
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.9/src/capture.rs:63
   3:        0x1032c34cc - __ZN5servo21install_crash_handler7handler17h3a4267d70177bc5fE
                        at ports/servo/non_android_main.rs:53
   4:     0x7fffd4c74b39 - __sigtramp
   5:        0x10a0aff47 - __ZN9JSRuntime14destroyRuntimeEv
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/mozjs_sys-0.61.5/mozjs/js/src/vm/Runtime.cpp:276
   6:        0x109f9f90f - __ZN2js14DestroyContextEP9JSContext
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/mozjs_sys-0.61.5/mozjs/js/src/vm/JSContext.cpp:252
   7:        0x109dde2c4 - __Z17JS_DestroyContextP9JSContext
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/mozjs_sys-0.61.5/mozjs/js/src/jsapi.cpp:506
   8:        0x109650af3 - __ZN62_$LT$mozjs..rust..Runtime$u20$as$u20$core..ops..drop..Drop$GT$4drop17h380ba2a7c0a1f0acE
                        at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/mozjs-0.9.5/src/rust.rs:263
   9:        0x104856994 - __ZN4core3ptr13drop_in_place17hd01cb7339120f644E
                        at libcore/ptr.rs:194
  10:        0x104811c8b - __ZN4core3ptr13drop_in_place17h687492b4e8d1ff02E
                        at libcore/ptr.rs:194
  11:        0x104810c48 - __ZN4core3ptr13drop_in_place17h66b5fc945ca06bbdE
                        at libcore/ptr.rs:194
  12:        0x1055878f1 - __ZN64_$LT$alloc..rc..Rc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$4drop17h74e35311f7487dcbE
                        at liballoc/rc.rs:841
  13:        0x1047f28c4 - __ZN4core3ptr13drop_in_place17h3b20fc7caad24d38E
                        at libcore/ptr.rs:194
  14:        0x104860fe9 - __ZN4core3ptr13drop_in_place17hdfb379058494ab61E
                        at libcore/ptr.rs:194
  15:        0x10592ad06 - __ZN90_$LT$script..script_thread..ScriptThread$u20$as$u20$script_traits..ScriptThreadFactory$GT$6create28_$u7b$$u7b$closure$u7d$$u7d$17h4280545a8f9099f4E
                        at components/script/script_thread.rs:719
  16:        0x10439e1d4 - __ZN3std10sys_common9backtrace28__rust_begin_short_backtrace17hb43477d1c13044a2E
                        at libstd/sys_common/backtrace.rs:136
  17:        0x105d7b0b4 - __ZN3std6thread7Builder5spawn28_$u7b$$u7b$closure$u7d$$u7d$28_$u7b$$u7b$closure$u7d$$u7d$17h29e3c34dc8840bdbE
                        at libstd/thread/mod.rs:409
  18:        0x105740594 - __ZN101_$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$9call_once17h7ea81546b998119cE
                        at libstd/panic.rs:313
  19:        0x103e318a4 - __ZN3std9panicking3try7do_call17h8aa4ef62b172a4d6E
                        at libstd/panicking.rs:310
  20:        0x10af55e9e - ___rust_maybe_catch_panic
                        at libpanic_unwind/lib.rs:102
  21:        0x103cf46e3 - __ZN3std9panicking3try17h32816a339b88060aE
                        at libstd/panicking.rs:289
  22:        0x1058533c4 - __ZN3std5panic12catch_unwind17h3b17bca39b43628dE
                        at libstd/panic.rs:392
  23:        0x105d7a02e - __ZN3std6thread7Builder5spawn28_$u7b$$u7b$closure$u7d$$u7d$17h8b2e8facfcc5a2a5E
                        at libstd/thread/mod.rs:408
  24:        0x105d80d43 - __ZN50_$LT$F$u20$as$u20$alloc..boxed..FnBox$LT$A$GT$$GT$8call_box17hf372e853973bdef4E
                        at liballoc/boxed.rs:672
  25:        0x10af2ce3b - __ZN3std3sys4unix6thread6Thread3new12thread_start17hba53abd905cebc29E
                        at libstd/sys_common/thread.rs:24
  26:     0x7fffd4c7e93a - __pthread_body
  27:     0x7fffd4c7e886 - __pthread_start
@jdm
Copy link
Member Author

@jdm jdm commented Dec 2, 2018

I suspect this triggers on this testcase in particular because it's a data URL which has a unique origin, so the old script thread is killed off when refreshing.
This was referenced Dec 2, 2018
Merged
Merged
bors-servo added a commit that referenced this issue Dec 2, 2018
@bors-servo
Auto merge of #22353 - jdm:runtime-parent, r=<try>
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
5fe9b42 
Runtime parent

These changes adjust our uses of the rust-mozjs APIs to accommodate the changes in servo/rust-mozjs#450.

---
- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [x] These changes fix #22342.
- [x] There are tests for these changes
@jdm jdm self-assigned this Dec 2, 2018
bors-servo added a commit to servo/rust-mozjs that referenced this issue Jan 14, 2019
@bors-servo
Auto merge of #450 - jdm:parent-refactor, r=asajeffrey
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
35193f1 
Make runtime creation safe

The fundamental problem exposed in servo/servo#22342 is that our concept of a parent runtime did not match reality. Using the first JSContext's runtime as the global parent for all subsequent contexts only makes sense if that JSContext outlives every other context. This is not guaranteed, leading to crashes when trying to use those contexts if the first context (and therefore its runtime) was destroyed.

The new design incorporates several changes for safer, more clear context and runtime management:
* in order to create a new context, either a handle to an initialized JS engine is required or a handle to an existing runtime
* all runtimes track outstanding handles that have been created, and assert if a runtime is destroyed before all of its child runtimes
* overall initialization and shutdown of the engine is controlled by the lifetime of a JSEngine value, so creating a Runtime value is now infallible

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/rust-mozjs/450)
<!-- Reviewable:end -->
bors-servo added a commit to servo/rust-mozjs that referenced this issue Jan 14, 2019
@bors-servo
Auto merge of #450 - jdm:parent-refactor, r=asajeffrey
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
7811094 
Make runtime creation safe

The fundamental problem exposed in servo/servo#22342 is that our concept of a parent runtime did not match reality. Using the first JSContext's runtime as the global parent for all subsequent contexts only makes sense if that JSContext outlives every other context. This is not guaranteed, leading to crashes when trying to use those contexts if the first context (and therefore its runtime) was destroyed.

The new design incorporates several changes for safer, more clear context and runtime management:
* in order to create a new context, either a handle to an initialized JS engine is required or a handle to an existing runtime
* all runtimes track outstanding handles that have been created, and assert if a runtime is destroyed before all of its child runtimes
* overall initialization and shutdown of the engine is controlled by the lifetime of a JSEngine value, so creating a Runtime value is now infallible

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/rust-mozjs/450)
<!-- Reviewable:end -->
bors-servo added a commit that referenced this issue Jan 17, 2019
@bors-servo
Auto merge of #22353 - jdm:runtime-parent, r=nox
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
fb95f9d 
Update rust-mozjs

These changes adjust our uses of the rust-mozjs APIs to accommodate the changes in servo/rust-mozjs#450.

---
- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [x] These changes fix #22342.
- [x] There are tests for these changes

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/22353)
<!-- Reviewable:end -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jdm jdm

Labels
A-content/bindings I-crash
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

Update rust-mozjs
1 participant
@jdm
You can’t perform that action at this time.