SpiderMonkey assertion failure (!IsCrossCompartmentWrapper(obj)) #24914

Open
jdm opened this issue Nov 28, 2019 · 3 comments

jdm (Member) commented Nov 28, 2019

With a build with --debug-mozjs, I get the following output:

godot:servo jdm$ ./mach run http://themaninblue.com/experiment/AnimationBenchmark/html/?particles=1000
Assertion failure: !IsCrossCompartmentWrapper(obj), at /Users/jdm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/5906588/mozjs/js/src/jsapi.cpp:1095
Stack trace for thread "ScriptThread PipelineId { namespace_id: PipelineNamespaceId(1), index: PipelineIndex(1) }"
stack backtrace:
   0: backtrace::backtrace::libunwind::trace
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/backtrace/libunwind.rs:88
      backtrace::backtrace::trace_unsynchronized
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/backtrace/mod.rs:66
   1: backtrace::backtrace::trace
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/backtrace/mod.rs:53
   2: backtrace::capture::Backtrace::create
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/capture.rs:164
   3: backtrace::capture::Backtrace::new
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/capture.rs:128
   4: servo::install_crash_handler::handler
             at ports/glutin/main2.rs:62
   5: <unknown>
   6: _ZN2JS21GetNonCCWObjectGlobalEP8JSObject
             at /Users/jdm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/5906588/mozjs/js/src/jsapi.cpp:1095
   7: script::dom::globalscope::GlobalScope::from_object
             at components/script/dom/globalscope.rs:794
   8: script::dom::bindings::callback::CallSetup::new
             at components/script/dom/bindings/callback.rs:244
   9: script::dom::bindings::codegen::Bindings::FunctionBinding::Function::Call_
             at target/debug/build/script-2ae75caeb37ba0fc/out/Bindings/FunctionBinding.rs:283
  10: script::timers::JsTimerTask::invoke
             at components/script/timers.rs:526
  11: script::timers::OneshotTimerCallback::invoke
             at components/script/timers.rs:82
  12: script::timers::OneshotTimers::fire_timer
             at components/script/timers.rs:214
  13: script::dom::globalscope::GlobalScope::fire_timer
             at components/script/dom/globalscope.rs:1213
  14: script::dom::window::Window::handle_fire_timer
             at components/script/dom/window.rs:1968
  15: script::script_thread::ScriptThread::handle_timer_event
             at components/script/script_thread.rs:2013
  16: script::script_thread::ScriptThread::handle_msgs::{{closure}}
             at components/script/script_thread.rs:1558
  17: script::script_thread::ScriptThread::profile_event
             at components/script/script_thread.rs:1800
  18: script::script_thread::ScriptThread::handle_msgs
             at components/script/script_thread.rs:1550
  19: script::script_thread::ScriptThread::start
             at components/script/script_thread.rs:1383
  20: <script::script_thread::ScriptThread as script_traits::ScriptThreadFactory>::create::{{closure}}::{{closure}}
             at components/script/script_thread.rs:806
  21: profile_traits::mem::ProfilerChan::run_with_memory_reporting
             at components/profile_traits/mem.rs:88
  22: <script::script_thread::ScriptThread as script_traits::ScriptThreadFactory>::create::{{closure}}
             at components/script/script_thread.rs:804
  23: std::sys_common::backtrace::__rust_begin_short_backtrace
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/sys_common/backtrace.rs:136
  24: std::thread::Builder::spawn_unchecked::{{closure}}::{{closure}}
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/thread/mod.rs:469
  25: <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/panic.rs:316
  26: std::panicking::try::do_call
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/panicking.rs:287
  27: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:81
  28: std::panicking::try
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/panicking.rs:265
  29: std::panic::catch_unwind
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/panic.rs:395
  30: std::thread::Builder::spawn_unchecked::{{closure}}
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/thread/mod.rs:468
  31: core::ops::function::FnOnce::call_once{{vtable.shim}}
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libcore/ops/function.rs:227
  32: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/liballoc/boxed.rs:942
  33: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/liballoc/boxed.rs:942
      std::sys_common::thread::start_thread
             at src/libstd/sys_common/thread.rs:13
      std::sys::unix::thread::Thread::new::thread_start
             at src/libstd/sys/unix/thread.rs:79
  34: <unknown>
  35: <unknown>
jdm (Member, Author) commented Nov 29, 2019

I can reproduce this crash with the following page served from a local HTTP server:

```html
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-2120330-1']);
  _gaq.push(['_trackPageview']);

  (function() {
      var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
      ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
      var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<ins class="adsbygoogle"
     style="display:block"
     data-ad-client="ca-pub-4265510776914414"
     data-ad-slot="9760224084"
     data-ad-format="auto"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
```
stack backtrace:
   0: backtrace::backtrace::libunwind::trace
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/backtrace/libunwind.rs:88
      backtrace::backtrace::trace_unsynchronized
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/backtrace/mod.rs:66
   1: backtrace::backtrace::trace
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/backtrace/mod.rs:53
   2: backtrace::capture::Backtrace::create
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/capture.rs:164
   3: backtrace::capture::Backtrace::new
             at /Users/jdm/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.38/src/capture.rs:128
   4: servo::install_crash_handler::handler
             at ports/glutin/main2.rs:62
   5: <unknown>
   6: _ZN2JS21GetNonCCWObjectGlobalEP8JSObject
             at /Users/jdm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/5906588/mozjs/js/src/jsapi.cpp:1095
   7: script::dom::globalscope::GlobalScope::from_object
             at components/script/dom/globalscope.rs:794
   8: script::dom::bindings::callback::CallSetup::new
             at components/script/dom/bindings/callback.rs:244
   9: script::dom::bindings::codegen::Bindings::EventListenerBinding::EventListener::HandleEvent_
             at target/debug/build/script-2ae75caeb37ba0fc/out/Bindings/EventListenerBinding.rs:284
  10: script::dom::eventtarget::CompiledEventListener::call_or_handle_event
             at components/script/dom/eventtarget.rs:163
  11: script::dom::event::inner_invoke
             at components/script/dom/event.rs:584
  12: script::dom::event::invoke
             at components/script/dom/event.rs:554
  13: script::dom::event::dispatch_to_listeners
             at components/script/dom/event.rs:509
  14: script::dom::event::Event::dispatch
             at components/script/dom/event.rs:177
  15: script::dom::eventtarget::EventTarget::dispatch_event
             at components/script/dom/eventtarget.rs:382
  16: script::dom::event::Event::fire
             at components/script/dom/event.rs:246
  17: script::dom::eventtarget::EventTarget::fire_event_with_params
             at components/script/dom/eventtarget.rs:659
  18: script::dom::eventtarget::EventTarget::fire_event
             at components/script/dom/eventtarget.rs:625
  19: script::dom::htmliframeelement::HTMLIFrameElement::iframe_load_event_steps
             at components/script/dom/htmliframeelement.rs:447
  20: script::script_thread::ScriptThread::handle_iframe_load_event
             at components/script/script_thread.rs:3039
  21: script::script_thread::ScriptThread::handle_msg_from_constellation
             at components/script/script_thread.rs:1927
  22: script::script_thread::ScriptThread::handle_msgs::{{closure}}
             at components/script/script_thread.rs:1556
  23: script::script_thread::ScriptThread::profile_event
             at components/script/script_thread.rs:1800
  24: script::script_thread::ScriptThread::handle_msgs
             at components/script/script_thread.rs:1550
  25: script::script_thread::ScriptThread::start
             at components/script/script_thread.rs:1383
  26: <script::script_thread::ScriptThread as script_traits::ScriptThreadFactory>::create::{{closure}}::{{closure}}
             at components/script/script_thread.rs:806
  27: profile_traits::mem::ProfilerChan::run_with_memory_reporting
             at components/profile_traits/mem.rs:88
  28: <script::script_thread::ScriptThread as script_traits::ScriptThreadFactory>::create::{{closure}}
             at components/script/script_thread.rs:804
  29: std::sys_common::backtrace::__rust_begin_short_backtrace
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/sys_common/backtrace.rs:136
  30: std::thread::Builder::spawn_unchecked::{{closure}}::{{closure}}
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/thread/mod.rs:469
  31: <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/panic.rs:316
  32: std::panicking::try::do_call
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/panicking.rs:287
  33: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:81
  34: std::panicking::try
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/panicking.rs:265
  35: std::panic::catch_unwind
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/panic.rs:395
  36: std::thread::Builder::spawn_unchecked::{{closure}}
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libstd/thread/mod.rs:468
  37: core::ops::function::FnOnce::call_once{{vtable.shim}}
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/libcore/ops/function.rs:227
  38: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/liballoc/boxed.rs:942
  39: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once
             at /rustc/1bd30ce2aac40c7698aa4a1b9520aa649ff2d1c5/src/liballoc/boxed.rs:942
      std::sys_common::thread::start_thread
             at src/libstd/sys_common/thread.rs:13
      std::sys::unix::thread::Thread::new::thread_start
             at src/libstd/sys/unix/thread.rs:79
  40: <unknown>
  41: <unknown>
jdm (Member, Author) commented Nov 29, 2019

Same crash:

```html
<iframe srcdoc='<script>frameElement.onload=()=>{console.log("hi")}</script>'></iframe>
```

When an iframe runs script that creates a callback object which will be invoked by the parent, we end up with a cross-compartment wrapper. The following is another way of triggering the same problem:

```html
<iframe></iframe>
<script>document.querySelector('iframe').contentWindow.setTimeout(()=>{}, 0)</script>
```
jdm (Member, Author) commented Nov 29, 2019

We should look into Gecko's CallSetup implementation, which is more complex than Servo's. There are subtleties in which JS object we use (unwrapped or not unwrapped) to obtain a GlobalScope as well as for entering a JS realm.
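The following is an added toy model of the lookup at the centre of this thread; it is not Servo or SpiderMonkey code and not part of the issue. `Realm` stands in for a GlobalScope, the `JsObject` enum for an object that may or may not be a cross-compartment wrapper, and the function names mirror `JS::GetNonCCWObjectGlobal`, `js::UncheckedUnwrap` and `CallSetup` only so the two code paths are recognisable; the wrapper direction in `wrapped_callback` follows the second reproduction above (a parent-realm callback handed to the iframe's `setTimeout`). The "reported" path asserts on a wrapped callback the way the debug build did; the alternative unwraps first and records the callback's own global as the realm to enter, which is the distinction the previous comment points at.

```rust
// Added example: toy model of CCW unwrapping before a global lookup.
// Not Servo/SpiderMonkey code; names are borrowed from the real APIs for readability.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
struct Realm(u32); // stands in for a GlobalScope / JS global

#[derive(Debug)]
enum JsObject {
    /// An ordinary object; `realm` is the global it was created in.
    Plain { realm: Realm },
    /// A cross-compartment wrapper (CCW): lives in `wrapper_realm`, forwards to `target`.
    Wrapper { wrapper_realm: Realm, target: Box<JsObject> },
}

impl JsObject {
    fn is_cross_compartment_wrapper(&self) -> bool {
        matches!(self, JsObject::Wrapper { .. })
    }

    /// Follows the wrapper chain to the underlying object, whatever realm it lives in.
    /// Models an unchecked unwrap: no security check, just the wrappee.
    fn unchecked_unwrap(&self) -> &JsObject {
        let mut obj = self;
        while let JsObject::Wrapper { target, .. } = obj {
            obj = &**target;
        }
        obj
    }
}

/// Models JS::GetNonCCWObjectGlobal: the caller promises it is not passing a CCW,
/// and a debug build enforces that promise with the assertion quoted in this issue.
fn get_non_ccw_object_global(obj: &JsObject) -> Realm {
    assert!(
        !obj.is_cross_compartment_wrapper(),
        "Assertion failure: !IsCrossCompartmentWrapper(obj)"
    );
    match obj {
        JsObject::Plain { realm } => *realm,
        JsObject::Wrapper { .. } => unreachable!(),
    }
}

/// The path in the backtraces: the callback object is handed straight to the
/// non-CCW accessor. Fine for a same-realm callback, fatal for a wrapped one.
fn global_scope_from_object_reported(callback: &JsObject) -> Realm {
    get_non_ccw_object_global(callback)
}

/// Result of preparing a callback invocation: which realm to enter, and which
/// realm the caller was in so it can be restored afterwards.
#[derive(Debug, PartialEq, Eq)]
struct CallSetup {
    callback_realm: Realm,  // global of the unwrapped callback
    incumbent_realm: Realm, // global the caller was running in
    crossed_compartment: bool,
}

/// Unwrap first, then ask for the global of the object that actually owns the
/// callback; that global, not the caller's, is the realm the call must run in.
fn call_setup(callback: &JsObject, incumbent_realm: Realm) -> CallSetup {
    let unwrapped = callback.unchecked_unwrap();
    CallSetup {
        callback_realm: get_non_ccw_object_global(unwrapped),
        incumbent_realm,
        crossed_compartment: callback.is_cross_compartment_wrapper(),
    }
}

/// The second reproduction: the parent creates the callback, the iframe's timer
/// code later sees it through a wrapper living in the iframe's realm.
fn wrapped_callback(parent: Realm, iframe: Realm) -> JsObject {
    JsObject::Wrapper {
        wrapper_realm: iframe,
        target: Box::new(JsObject::Plain { realm: parent }),
    }
}

fn main() {
    let parent = Realm(1);
    let iframe = Realm(2);

    let same_realm = JsObject::Plain { realm: iframe };
    println!("same realm:  {:?}", call_setup(&same_realm, iframe));

    let cb = wrapped_callback(parent, iframe);
    println!("cross realm: {:?}", call_setup(&cb, iframe));

    // The reported path trips the assertion on the wrapped callback.
    let tripped = std::panic::catch_unwind(|| global_scope_from_object_reported(&cb)).is_err();
    println!("reported path asserts on a CCW: {}", tripped);
}
```

The assertion is a precondition check, not the bug itself: without it the accessor would simply report the wrapper's own global, which is the calling realm's global rather than the callback's, so the callback would be set up against the wrong GlobalScope. The model also skips the access check that a real embedding performs when it unwraps across realms; Gecko's CallSetup, which the comment above suggests studying, does a checked unwrap and refuses to call into a realm the caller may not enter, and any Servo fix has to decide where that check lives as well.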
