This bug was filed from the Socorro interface and is report bp-ce5afb61-12c2-4e05-94a8-75e6f0180515. ============================================================= Top 10 frames of crashing thread: 0 libxul.so StructuredCloneCallbacksFreeTransfer dom/base/StructuredCloneHolder.cpp:123 1 libxul.so JSStructuredCloneData::discardTransferables [clone .cold.677] 2 libxul.so JSAutoStructuredCloneBuffer::clear 3 libxul.so mozilla::DefaultDelete<JSAutoStructuredCloneBuffer>::operator const [clone .isra.249] 4 libxul.so mozilla::dom::StructuredCloneHolder::~StructuredCloneHolder 5 libxul.so SendMessageEventRunnable::~SendMessageEventRunnable dom/serviceworkers/ServiceWorkerPrivate.cpp:523 6 libxul.so SendMessageEventRunnable::~SendMessageEventRunnable dom/serviceworkers/ServiceWorkerPrivate.cpp:523 7 libxul.so mozilla::dom::WorkerRunnable::Release dom/workers/WorkerRunnable.cpp:212 8 libxul.so nsThread::ProcessNextEvent 9 libxul.so NS_ProcessPendingEvents ============================================================= There are 26 crashes (from 6 installations) in nightly 62 starting with buildid 20180514220126. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1456986. [1] https://hg.mozilla.org/mozilla-central/rev?node=ee57d9bde7cb

Basically the same as bug 1459443. I guess my changes did not fix it.

I think maybe the StructuredCloneHolder's move constructor is buggy if there are transferrables. There is a bare closure pointer passed to the JS code that is not updated, AFAICT.

I'm going to change the code to not use the move constructor for now. If that fixes the crash I'll file a follow-up bug to fix StructuredCloneHolder.

Comment on attachment 8975823 [details] [diff] [review] P1 Don't use StructuredCloneHolder's move constructor in ServiceWorkerPrivate. r=baku Andrea, this reverts some of my previous changes and makes SendMessageEventRunnable extend StructuredCloneHolder again. The goal here is to avoid using the StructuredCloneHolder move constructor.

Comment on attachment 8975825 [details] [diff] [review] P2 Remove StructuredCloneHolder's move constructor. r=baku This removes the StructuredCloneHolder move constructor. AFAICT this constructor is not safe. When the holder base creates its mBuffer it passes `this` in as a callback closure. The move constructor does not update this closure raw pointer at all. Maybe this can be fixed, but for now lets just remove this footgun.

Comment on attachment 8975825 [details] [diff] [review] P2 Remove StructuredCloneHolder's move constructor. r=baku Review of attachment 8975825 [details] [diff] [review]: ----------------------------------------------------------------- Perfect!

Pushed by bkelly@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/385e459e6de9 P1 Don't use StructuredCloneHolder's move constructor in ServiceWorkerPrivate. r=baku https://hg.mozilla.org/integration/mozilla-inbound/rev/649abcecc3f5 P2 Remove StructuredCloneHolder's move constructor. r=baku

https://hg.mozilla.org/mozilla-central/rev/385e459e6de9 https://hg.mozilla.org/mozilla-central/rev/649abcecc3f5