Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Panic with Windowproxy traced while being transplanted #23959

Open
gterzian opened this issue Aug 13, 2019 · 16 comments · May be fixed by #24069
Open

Panic with Windowproxy traced while being transplanted #23959

gterzian opened this issue Aug 13, 2019 · 16 comments · May be fixed by #24069
Labels
A-content/script Related to the script thread I-panic Servo encounters a panic. L-javascript Javascript is required

Comments

@gterzian
Copy link
Member

cc @asajeffrey

$ ./mach run --release -z --webdriver=7002 --resolution=400x300                                                                                                                                                              [90/1785]



assertion failed: self.is_double() (thread ScriptThread PipelineId { namespace_id: PipelineNamespaceId(2), index: PipelineIndex(2) }, at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/src/jsval.rs:439)
stack backtrace:
   0: servo::main::{{closure}}::h60525228e0a9f42a (0x55c4763597cf)
   1: std::panicking::rust_panic_with_hook::h0529069ab88f357a (0x55c4795b0455)
             at src/libstd/panicking.rs:481
   2: std::panicking::begin_panic::h8a8ec1e1f80328f5 (0x55c477504ad4)
   3: script::dom::windowproxy::trace::h562b81e7ed033c33 (0x55c477081108)
   4: _ZNK2js5Class7doTraceEP8JSTracerP8JSObject (0x55c477b326c6)
             at /data/joelm/personal/UTA/dissertation/servo/servo-20190724.git/target/release/build/mozjs_sys-f383b7e9a63fc67f/out/dist/include/js/Class.h:872
      _ZL13CallTraceHookIZN2js14TenuringTracer11traceObjectEP8JSObjectE4$_11EPNS0_12NativeObjectEOT_P8JSTracerS3_15CheckGeneration
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:1545
      _ZN2js14TenuringTracer11traceObjectEP8JSObject
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:2907
   5: _ZL14TraceWholeCellRN2js14TenuringTracerEP8JSObject (0x55c477b324bb)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:2798
      _ZL18TraceBufferedCellsI8JSObjectEvRN2js14TenuringTracerEPNS1_2gc5ArenaEPNS4_12ArenaCellSetE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:2835
      _ZN2js2gc11StoreBuffer15WholeCellBuffer5traceERNS_14TenuringTracerE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:2852
   6: _ZN2js2gc11StoreBuffer15traceWholeCellsERNS_14TenuringTracerE (0x55c477b49575)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/StoreBuffer.h:479
      _ZN2js7Nursery12doCollectionEN2JS8GCReasonERNS_2gc16TenureCountCacheE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Nursery.cpp:946
   7: _ZN2js7Nursery7collectEN2JS8GCReasonE (0x55c477b48805)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Nursery.cpp:783
   8: _ZN2js2gc9GCRuntime7minorGCEN2JS8GCReasonENS_7gcstats9PhaseKindE (0x55c477b29de3)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/GC.cpp:7787
   9: _ZN2js2gc9GCRuntime13gcIfRequestedEv (0x55c477b0d3d4)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/GC.cpp:7846
  10: _ZN2js2gc9GCRuntime22gcIfNeededAtAllocationEP9JSContext (0x55c477b0999c)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Allocator.cpp:343
      _ZN2js2gc9GCRuntime19checkAllocatorStateILNS_7AllowGCE1EEEbP9JSContextNS0_9AllocKindE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Allocator.cpp:300
      _ZN2js14AllocateObjectILNS_7AllowGCE1EEEP8JSObjectP9JSContextNS_2gc9AllocKindEmNS6_11InitialHeapEPKNS_5ClassE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Allocator.cpp:55
  11: _ZN2js11ProxyObject6createEP9JSContextPKNS_5ClassEN2JS6HandleINS_11TaggedProtoEEENS_2gc9AllocKindENS_13NewObjectKindE (0x55c4778da99f)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/vm/ProxyObject.cpp:199
  12: _ZN2js11ProxyObject3NewEP9JSContextPKNS_16BaseProxyHandlerEN2JS6HandleINS6_5ValueEEENS_11TaggedProtoERKNS_12ProxyOptionsE (0x55c4778da444)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/vm/ProxyObject.cpp:100
  13: _ZN2js14NewProxyObjectEP9JSContextPKNS_16BaseProxyHandlerEN2JS6HandleINS5_5ValueEEEP8JSObjectRKNS_12ProxyOptionsE (0x55c477a4cb01)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/proxy/Proxy.cpp:779
      _ZN2js7Wrapper3NewEP9JSContextP8JSObjectPKS0_RKNS_14WrapperOptionsE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/proxy/Wrapper.cpp:282
  14: WrapperNew (0x55c47777a737)
  15: _ZN2JS11Compartment18getOrCreateWrapperEP9JSContextNS_6HandleIP8JSObjectEENS_13MutableHandleIS5_EE (0x55c47780a87c)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/vm/Compartment.cpp:268
  16: _ZN2JS11Compartment6rewrapEP9JSContextNS_13MutableHandleIP8JSObjectEENS_6HandleIS5_EE (0x55c47780ac61)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/vm/Compartment.cpp:357
  17: _ZN2js12RemapWrapperEP9JSContextP8JSObjectS3_ (0x55c477a3c26e)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/proxy/CrossCompartmentWrapper.cpp:582
  18: _ZN2js25RemapAllWrappersForObjectEP9JSContextP8JSObjectS3_ (0x55c477a3c7c2)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/proxy/CrossCompartmentWrapper.cpp:633
  19: _Z19JS_TransplantObjectP9JSContextN2JS6HandleIP8JSObjectEES5_ (0x55c477a0dffc)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/jsapi.cpp:731
  20: _ZN6script3dom11windowproxy11WindowProxy10set_window17h7e22b4eb25e69698E.llvm.14539727287563764700 (0x55c47707f3b3)
  21: script::dom::window::Window::resume::h463e05b98e601c21 (0x55c476a8311d)
  22: script::script_thread::ScriptThread::load::h840f42e218b48e42 (0x55c476f72344)
  23: script::script_thread::ScriptThread::handle_page_headers_available::hc7e938eff32254e6 (0x55c476f6dd42)
  24: std::thread::local::LocalKey<T>::with::h242cf5a3248d4b16 (0x55c476df4a9d)
  25: <script::dom::servoparser::ParserContext as net_traits::FetchResponseListener>::process_response::hfea17b04486e1186 (0x55c476f1bc2d)
  26: script::script_thread::ScriptThread::handle_msg_from_constellation::hb6598e64e0108a83 (0x55c476f5ce4f)
  27: _ZN6script13script_thread12ScriptThread11handle_msgs17h5e27f5d6a2fa27a7E.llvm.9809419130639410203 (0x55c476f5753c)
  28: profile_traits::mem::ProfilerChan::run_with_memory_reporting::hd3dc945019b6cd59 (0x55c4770d70e7)
  29: std::sys_common::backtrace::__rust_begin_short_backtrace::he8d3dd1d346dafa0 (0x55c4774163b0)
  30: _ZN3std9panicking3try7do_call17h8ff058ddb9dca993E.llvm.11103976371393050535 (0x55c4775336e3)
  31: __rust_maybe_catch_panic (0x55c4795ba109)
             at src/libpanic_unwind/lib.rs:82
  32: core::ops::function::FnOnce::call_once{{vtable.shim}}::hde4c9792015a3419 (0x55c476a34392)
  33: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h10faab75e4737451 (0x55c47959ec3e)
             at /rustc/273f42b5964c29dda2c5a349dd4655529767b07f/src/liballoc/boxed.rs:766
  34: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h1aad66e3be56d28c (0x55c4795b942f)
             at /rustc/273f42b5964c29dda2c5a349dd4655529767b07f/src/liballoc/boxed.rs:766
      std::sys_common::thread::start_thread::h9a8131af389e9a10
             at src/libstd/sys_common/thread.rs:13
      std::sys::unix::thread::Thread::new::thread_start::h5c5575a5d923977b
             at src/libstd/sys/unix/thread.rs:79
  35: start_thread (0x7f2c7eb0b6b9)
  36: clone (0x7f2c7d3a741c)
  37: <unknown> (0x0)
[2019-08-12T18:08:11Z ERROR servo] assertion failed: self.is_double()
Stack trace for thread "ScriptThread PipelineId { namespace_id: PipelineNamespaceId(2), index: PipelineIndex(2) }"
stack backtrace:
   0: servo::install_crash_handler::handler::h5aff865ed5432d52 (0x55c476358a3a)
   1: _ZL15WasmTrapHandleriP9siginfo_tPv (0x55c477e564ee)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/wasm/WasmSignalHandlers.cpp:967
   2: <unknown> (0x7f2c7eb1538f)
   3: script::dom::windowproxy::trace::h562b81e7ed033c33 (0x55c477081125)
   4: _ZNK2js5Class7doTraceEP8JSTracerP8JSObject (0x55c477b326c6)
             at /data/joelm/personal/UTA/dissertation/servo/servo-20190724.git/target/release/build/mozjs_sys-f383b7e9a63fc67f/out/dist/include/js/Class.h:872
      _ZL13CallTraceHookIZN2js14TenuringTracer11traceObjectEP8JSObjectE4$_11EPNS0_12NativeObjectEOT_P8JSTracerS3_15CheckGeneration
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:1545
      _ZN2js14TenuringTracer11traceObjectEP8JSObject
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:2907
   5: _ZL14TraceWholeCellRN2js14TenuringTracerEP8JSObject (0x55c477b324bb)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:2798
      _ZL18TraceBufferedCellsI8JSObjectEvRN2js14TenuringTracerEPNS1_2gc5ArenaEPNS4_12ArenaCellSetE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:2835
      _ZN2js2gc11StoreBuffer15WholeCellBuffer5traceERNS_14TenuringTracerE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Marking.cpp:2852
   6: _ZN2js2gc11StoreBuffer15traceWholeCellsERNS_14TenuringTracerE (0x55c477b49575)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/StoreBuffer.h:479
      _ZN2js7Nursery12doCollectionEN2JS8GCReasonERNS_2gc16TenureCountCacheE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Nursery.cpp:946
   7: _ZN2js7Nursery7collectEN2JS8GCReasonE (0x55c477b48805)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Nursery.cpp:783
   8: _ZN2js2gc9GCRuntime7minorGCEN2JS8GCReasonENS_7gcstats9PhaseKindE (0x55c477b29de3)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/GC.cpp:7787
   9: _ZN2js2gc9GCRuntime13gcIfRequestedEv (0x55c477b0d3d4)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/GC.cpp:7846
  10: _ZN2js2gc9GCRuntime22gcIfNeededAtAllocationEP9JSContext (0x55c477b0999c)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Allocator.cpp:343
      _ZN2js2gc9GCRuntime19checkAllocatorStateILNS_7AllowGCE1EEEbP9JSContextNS0_9AllocKindE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Allocator.cpp:300
      _ZN2js14AllocateObjectILNS_7AllowGCE1EEEP8JSObjectP9JSContextNS_2gc9AllocKindEmNS6_11InitialHeapEPKNS_5ClassE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/gc/Allocator.cpp:55
  11: _ZN2js11ProxyObject6createEP9JSContextPKNS_5ClassEN2JS6HandleINS_11TaggedProtoEEENS_2gc9AllocKindENS_13NewObjectKindE (0x55c4778da99f)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/vm/ProxyObject.cpp:199
  12: _ZN2js11ProxyObject3NewEP9JSContextPKNS_16BaseProxyHandlerEN2JS6HandleINS6_5ValueEEENS_11TaggedProtoERKNS_12ProxyOptionsE (0x55c4778da444)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/vm/ProxyObject.cpp:100
  13: _ZN2js14NewProxyObjectEP9JSContextPKNS_16BaseProxyHandlerEN2JS6HandleINS5_5ValueEEEP8JSObjectRKNS_12ProxyOptionsE (0x55c477a4cb01)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/proxy/Proxy.cpp:779
      _ZN2js7Wrapper3NewEP9JSContextP8JSObjectPKS0_RKNS_14WrapperOptionsE
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/proxy/Wrapper.cpp:282
  14: WrapperNew (0x55c47777a737)
  15: _ZN2JS11Compartment18getOrCreateWrapperEP9JSContextNS_6HandleIP8JSObjectEENS_13MutableHandleIS5_EE (0x55c47780a87c)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/vm/Compartment.cpp:268
  16: _ZN2JS11Compartment6rewrapEP9JSContextNS_13MutableHandleIP8JSObjectEENS_6HandleIS5_EE (0x55c47780ac61)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/vm/Compartment.cpp:357
  17: _ZN2js12RemapWrapperEP9JSContextP8JSObjectS3_ (0x55c477a3c26e)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/proxy/CrossCompartmentWrapper.cpp:582
  18: _ZN2js25RemapAllWrappersForObjectEP9JSContextP8JSObjectS3_ (0x55c477a3c7c2)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/proxy/CrossCompartmentWrapper.cpp:633
  19: _Z19JS_TransplantObjectP9JSContextN2JS6HandleIP8JSObjectEES5_ (0x55c477a0dffc)
             at /home/joelm/.cargo/git/checkouts/mozjs-fa11ffc7d4f1cc2d/6dff104/mozjs/js/src/jsapi.cpp:731
  20: _ZN6script3dom11windowproxy11WindowProxy10set_window17h7e22b4eb25e69698E.llvm.14539727287563764700 (0x55c47707f3b3)
  21: script::dom::window::Window::resume::h463e05b98e601c21 (0x55c476a8311d)
  22: script::script_thread::ScriptThread::load::h840f42e218b48e42 (0x55c476f72344)
  23: script::script_thread::ScriptThread::handle_page_headers_available::hc7e938eff32254e6 (0x55c476f6dd42)
  24: std::thread::local::LocalKey<T>::with::h242cf5a3248d4b16 (0x55c476df4a9d)
  25: <script::dom::servoparser::ParserContext as net_traits::FetchResponseListener>::process_response::hfea17b04486e1186 (0x55c476f1bc2d)
  26: script::script_thread::ScriptThread::handle_msg_from_constellation::hb6598e64e0108a83 (0x55c476f5ce4f)
  27: _ZN6script13script_thread12ScriptThread11handle_msgs17h5e27f5d6a2fa27a7E.llvm.9809419130639410203 (0x55c476f5753c)
  28: profile_traits::mem::ProfilerChan::run_with_memory_reporting::hd3dc945019b6cd59 (0x55c4770d70e7)
  29: std::sys_common::backtrace::__rust_begin_short_backtrace::he8d3dd1d346dafa0 (0x55c4774163b0)
  30: _ZN3std9panicking3try7do_call17h8ff058ddb9dca993E.llvm.11103976371393050535 (0x55c4775336e3)
  31: __rust_maybe_catch_panic (0x55c4795ba109)
             at src/libpanic_unwind/lib.rs:82
  32: core::ops::function::FnOnce::call_once{{vtable.shim}}::hde4c9792015a3419 (0x55c476a34392)
  33: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h10faab75e4737451 (0x55c47959ec3e)
             at /rustc/273f42b5964c29dda2c5a349dd4655529767b07f/src/liballoc/boxed.rs:766
  34: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h1aad66e3be56d28c (0x55c4795b942f)
             at /rustc/273f42b5964c29dda2c5a349dd4655529767b07f/src/liballoc/boxed.rs:766
      std::sys_common::thread::start_thread::h9a8131af389e9a10
             at src/libstd/sys_common/thread.rs:13
      std::sys::unix::thread::Thread::new::thread_start::h5c5575a5d923977b
             at src/libstd/sys/unix/thread.rs:79
  35: start_thread (0x7f2c7eb0b6b9)
  36: clone (0x7f2c7d3a741c)
  37: <unknown> (0x0)
Servo exited with return value 4

Originally posted by @kanaka in #23905 (comment)

@gterzian gterzian added A-content/script Related to the script thread I-panic Servo encounters a panic. L-javascript Javascript is required labels Aug 13, 2019
@gterzian gterzian changed the title Windowproxy traced while being transplanted and crashes Panic with Windowproxy traced while being transplanted Aug 13, 2019
@asajeffrey
Copy link
Member

My guess is we're not rooting enough in set_window.

@kanaka
Copy link
Contributor

kanaka commented Aug 13, 2019

This gist has the simple script and HTML/CSS files that I used to trigger this: https://gist.github.com/kanaka/119f5ed9841e23e35d07e8944cca6aa7

@kanaka
Copy link
Contributor

kanaka commented Aug 13, 2019

I updated to ffb9e33 and reran the test and got the same stack trace on the 819th load so it seems consistent even across a build with a code change.

@asajeffrey
Copy link
Member

That bit of code hasn't changed much in the last three years, so I don't think any recent changes will have affected it. It needs a very specific set of circumstances to trigger it, I'm a bit surprised we're able to reproduce it!

@kanaka
Copy link
Contributor

kanaka commented Aug 13, 2019

My interpretation of the stack trace is that it's GC related in mozjs. Is that correct? If so, an interesting data-point is that there is no user JS code in the test page. Just a bunch of imported CSS stylesheets (actually just 10 copies of two files), one inline style on the body tag, and a bit of HTML.

Another data-point (that I noted in the original issue #23905) is that the resident memory size of the servo process is increasing by about 57MB for every 100 loads of this test page.

Any changes you would like me to make to the test page or the build to help debug this?

@asajeffrey
Copy link
Member

Yes, it's caused by GC in spidermonkey being triggered in the middle of set_window. We're creating a bunch of JS objects for things like DOM nodes, so GC can get triggered even if there's no JS on the page.

My current guess is that the window proxy needs rooted during set_window. Can you try adding:

            let _rooted_self = DomRoot::from_ref(self);

to the beginning of set_window and see if that helps?

@kanaka
Copy link
Contributor

kanaka commented Aug 13, 2019

I applied this patch and rebuilt and still got the same crash at 819 page loads:

--- a/components/script/dom/windowproxy.rs
+++ b/components/script/dom/windowproxy.rs
@@ -552,6 +552,7 @@ impl WindowProxy {
     fn set_window(&self, window: &GlobalScope, traps: &ProxyTraps) {
         unsafe {
             debug!("Setting window of {:p}.", self);
+            let _rooted_self = DomRoot::from_ref(self);
             let handler = CreateWrapperProxyHandler(traps);
             assert!(!handler.is_null());
 

@asajeffrey
Copy link
Member

Oh rats. I'll see if I can come up with something else...

@gterzian
Copy link
Member Author

gterzian commented Aug 14, 2019

Ok what did caught my attention is that we seem to be doing some redundant transplanting, and with that fixed it appears the issue goes away(or at least I wasn't able to reproduce it, altough I didn't try yet without the fix).

@asajeffrey Perhaps you want to review it at #23967 ?

We probably should keep this one open if the above fix doesn't exclude the possibility of not enough rooting taking place, as a separate problem exposed by the other?

@kanaka maybe you want to try locally as well and see if it fixes it? You can use the branch at #23909 which contains the additional commit.

@kanaka
Copy link
Contributor

kanaka commented Aug 14, 2019

@gterzian building it now.

@asajeffrey
Copy link
Member

Hmm, this is just papering over the cracks though, the GC panic is still there waiting to be triggered.

@kanaka
Copy link
Contributor

kanaka commented Aug 14, 2019

Crash on load 1237 (compared to 819 previously). Still growing at consistent 56-57MB per page load. Different stack trace (unfortunately no labels again):

$ ./mach run --release -z --webdriver=7002 --resolution=400x300                             



index out of bounds: the len is 0 but the index is 0 (thread FontCacheThread, at /rustc/273f42b5964c29dda2c5a349dd4655529767b07f/src/libcore/slice/mod.rs:2687)
stack backtrace:
   0: <no info> (0x5627453c670f)
   1: <no info> (0x56274861d135)
   2: <no info> (0x56274861cbd1)
   3: <no info> (0x56274861cab5)
   4: <no info> (0x56274863f81c)
   5: <no info> (0x56274863f7d4)
   6: <no info> (0x5627475561b0)
   7: <no info> (0x5627475375a9)
   8: <no info> (0x562747595eaa)
   9: <no info> (0x56274757be89)
  10: <no info> (0x56274753f2d7)
  11: <no info> (0x5627475562cd)
  12: <no info> (0x56274753722d)
  13: <no info> (0x5627475746e4)
  14: <no info> (0x56274752f6a5)
  15: <no info> (0x56274753e974)
  16: <no info> (0x562748626de9)
  17: <no info> (0x56274753ea29)
  18: <no info> (0x56274860b91e)
  19: <no info> (0x56274862610f)
  20: <no info> (0x7fbab81826b9)
  21: <no info> (0x7fbab6a1e41c)
  22: <no info> (0x0)
[2019-08-14T14:56:16Z ERROR servo] index out of bounds: the len is 0 but the index is 0
called `Result::unwrap()` on an `Err` value: Io(Os { code: 104, kind: ConnectionReset, message: "Connection reset by peer" }) (thread <unnamed>, at src/libcore/result.rs:1051)
stack backtrace:
   0: <no info> (0x5627453c670f)
   1: <no info> (0x56274861d135)
   2: <no info> (0x56274861cbd1)
   3: <no info> (0x56274861cab5)
   4: <no info> (0x56274863f81c)
   5: <no info> (0x56274863f916)
   6: <no info> (0x562747578ab7)
   7: <no info> (0x562747bff7e5)
   8: <no info> (0x5627485e8ff3)
   9: <no info> (0x5627485ead16)
  10: <no info> (0x5627485ec77b)
  11: <no info> (0x562748626de9)
  12: <no info> (0x5627485eb2ae)
  13: <no info> (0x56274860b91e)
  14: <no info> (0x56274862610f)
  15: <no info> (0x7fbab81826b9)
  16: <no info> (0x7fbab6a1e41c)
  17: <no info> (0x0)
[2019-08-14T14:56:16Z ERROR servo] called `Result::unwrap()` on an `Err` value: Io(Os { code: 104, kind: ConnectionReset, message: "Connection reset by peer" })
Unexpected layout channel panic in constellation: RecvError (thread Constellation, at src/libcore/result.rs:1051)
stack backtrace:
   0: <no info> (0x5627453c670f)
   1: <no info> (0x56274861d135)
   2: <no info> (0x56274861cbd1)
   3: <no info> (0x56274861cab5)
   4: <no info> (0x56274863f81c)
   5: <no info> (0x56274863f916)
   6: <no info> (0x5627455845e5)
   7: <no info> (0x562745484465)
   8: <no info> (0x562745488d35)
   9: <no info> (0x562748626de9)
  10: <no info> (0x5627454890d5)
  11: <no info> (0x56274860b91e)
  12: <no info> (0x56274862610f)
  13: <no info> (0x7fbab81826b9)
  14: <no info> (0x7fbab6a1e41c)
  15: <no info> (0x0)
[2019-08-14T14:56:16Z ERROR servo] Unexpected layout channel panic in constellation: RecvError
^CServo exited with return value -2

@asajeffrey
Copy link
Member

That looks like you're back to running out of fds again (or something else is triggering weird low-level fd-adjacent errors in ipc).

@kanaka
Copy link
Contributor

kanaka commented Aug 14, 2019

I'm experimenting with making the test case larger to try and reduce the amount of time needed to run the test. My first experiment was adding a bunch of lorem ipsum text to the test case. This increased the memory resident growth rate (108MB per load). However, the test still crashed at exactly 1273 loads as before. However, this time I got a better stack trace:

$ ./mach run --release -z --webdriver=7002 --resolution=400x300



index out of bounds: the len is 0 but the index is 0 (thread FontCacheThread, at /rustc/273f42b5964c29dda2c5a349dd4655529767b07f/src/libcore/slice/mod.rs:2687)
stack backtrace:
   0: servo::main::{{closure}}::h60525228e0a9f42a (0x55e83ba9b70f)
   1: std::panicking::rust_panic_with_hook::h0529069ab88f357a (0x55e83ecf2135)
             at src/libstd/panicking.rs:481
   2: std::panicking::continue_panic_fmt::h6a820a3cd2914e74 (0x55e83ecf1bd1)
             at src/libstd/panicking.rs:384
   3: rust_begin_unwind (0x55e83ecf1ab5)
             at src/libstd/panicking.rs:311
   4: core::panicking::panic_fmt::he00cfaca5555542a (0x55e83ed1481c)
             at src/libcore/panicking.rs:85
   5: core::panicking::panic_bounds_check::h3334a903dc8fe229 (0x55e83ed147d4)
             at src/libcore/panicking.rs:61
   6: std::thread::local::LocalKey<T>::with::h7e68e1aef667dd8c (0x55e83dc2b1b0)
   7: _ZN11ipc_channel3ipc25deserialize_os_ipc_sender17hb93c845a1ccecf09E.llvm.15359812201817383968 (0x55e83dc0c5a9)
   8: <&mut bincode::de::Deserializer<R,O> as serde::de::VariantAccess>::tuple_variant::hb3ea552309d411b6 (0x55e83dc6aeaa)
   9: <gfx::font_cache_thread::_IMPL_DESERIALIZE_FOR_Command::<impl serde::de::Deserialize for gfx::font_cache_thread::Command>::deserialize::__Visitor as serde::de::Visitor>::visit_enum::h76b38db0cc975890 (0x55e83dc50e89)
  10: bincode::deserialize::he738282d38e18dcd (0x55e83dc142d7)
  11: std::thread::local::LocalKey<T>::with::hb36f88408bc774e8 (0x55e83dc2b2cd)
  12: ipc_channel::ipc::IpcReceiver<T>::recv::he4170025608adad8 (0x55e83dc0c22d)
  13: gfx::font_cache_thread::FontCache::run::h097efedd8dbdbe23 (0x55e83dc496e4)
  14: std::sys_common::backtrace::__rust_begin_short_backtrace::h0b5b51c7cd8fa7ba (0x55e83dc046a5)
  15: _ZN3std9panicking3try7do_call17h8f79c11b9595428eE.llvm.8811983947423459304 (0x55e83dc13974)
  16: __rust_maybe_catch_panic (0x55e83ecfbde9)
             at src/libpanic_unwind/lib.rs:82
  17: core::ops::function::FnOnce::call_once{{vtable.shim}}::hecf6ea68b5a7a379 (0x55e83dc13a29)
  18: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h10faab75e4737451 (0x55e83ece091e)
             at /rustc/273f42b5964c29dda2c5a349dd4655529767b07f/src/liballoc/boxed.rs:766
  19: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once::h1aad66e3be56d28c (0x55e83ecfb10f)
             at /rustc/273f42b5964c29dda2c5a349dd4655529767b07f/src/liballoc/boxed.rs:766
      std::sys_common::thread::start_thread::h9a8131af389e9a10
             at src/libstd/sys_common/thread.rs:13
      std::sys::unix::thread::Thread::new::thread_start::h5c5575a5d923977b
             at src/libstd/sys/unix/thread.rs:79
  20: start_thread (0x7efd0be0f6b9)
  21: clone (0x7efd0a6ab41c)
  22: <unknown> (0x0)
[2019-08-14T15:38:48Z ERROR servo] index out of bounds: the len is 0 but the index is 0
^CServo exited with return value -2

@kanaka
Copy link
Contributor

kanaka commented Aug 14, 2019

I increased the size one of the repeated CSS files that is included and got a trace (after 1236 loads) that is definitely more related to #23905 so I'll post the stack there.

@gterzian
Copy link
Member Author

Here is a branch that represents the state of the tree that seemed to reliably trigger the GC crash: https://github.com/gterzian/servo/tree/trigger_windowproxy_trace_crash

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-content/script Related to the script thread I-panic Servo encounters a panic. L-javascript Javascript is required
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants