254633 2023-03-28 17:12:12 -0700 REGRESSION(261993@main): JSC: Crash under JSC::MarkedBlock::aboutToMark 2023-03-31 05:27:11 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED DUPLICATE 254752 https://bugs.webkit.org/show_bug.cgi?id=254242 https://www.reddit.com/ P2 Normal --- 1 fujii webkit-unassigned cgarcia kdwkleung mark.lam mcatanzaro ysuzuki oldest_to_newest 1944806 0 fujii 2023-03-28 17:12:12 -0700 REGRESSION: JSC: Crash under JSC::MarkedBlock::aboutToMark WinCairo Release MiniBrowser is crashihng or freezing just by loading https://news.yahoo.co.jp/articles/c5dbf98ce2bd908c9d05b55f413a2bcd11892c64 today. 262131@main: Bad 261847@main: Good Exception thrown at 0x00007FFA6EF30757 (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00007F0041C80038. > [Inline Frame] JavaScriptCore.dll!std::_Atomic_storage<unsigned char,1>::compare_exchange_strong(unsigned char &) Line 756 C++ [Inline Frame] JavaScriptCore.dll!std::atomic<unsigned char>::compare_exchange_weak(unsigned char &) Line 2207 C++ [Inline Frame] JavaScriptCore.dll!WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char) Line 89 C++ [Inline Frame] JavaScriptCore.dll!WTF::LockAlgorithm<unsigned char,1,2,WTF::EmptyLockHooks<unsigned char>>::lockFastAssumingZero(WTF::Atomic<unsigned char> &) Line 53 C++ [Inline Frame] JavaScriptCore.dll!WTF::Lock::lock() Line 65 C++ [Inline Frame] JavaScriptCore.dll!WTF::Locker<WTF::Lock>::{ctor}(WTF::Lock &) Line 158 C++ JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 207 C++ [Inline Frame] JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 586 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell *) Line 57 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 70 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::append(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> &) Line 110 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> *) Line 139 C++ JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 384 C++ [Inline Frame] JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell *) Line 115 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell *) Line 394 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain::__l9::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack(const JSC::SlotVisitor::drain::__l9::<lambda_1> &) Line 184 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494 C++ JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 694 C++ JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400 C++ WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113 C++ WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 203 C++ WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 230 C++ [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 82 C++ WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250 C++ WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151 C++ ucrtbase.dll!00007ffaf1f61bb2() Unknown kernel32.dll!00007ffaf30e7614() Unknown ntdll.dll!00007ffaf45026a1() Unknown Exception thrown at 0x00007FFA6EF3074F (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation reading location 0x0000000000000018. > JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 204 C++ [Inline Frame] JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 586 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell *) Line 57 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 70 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::append(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> &) Line 110 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> *) Line 139 C++ JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 384 C++ [Inline Frame] JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell *) Line 115 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell *) Line 394 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain::__l9::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack(const JSC::SlotVisitor::drain::__l9::<lambda_1> &) Line 184 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494 C++ JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 694 C++ JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400 C++ WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113 C++ WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 203 C++ WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 230 C++ [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 82 C++ WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250 C++ WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151 C++ ucrtbase.dll!00007ffaf1f61bb2() Unknown kernel32.dll!00007ffaf30e7614() Unknown ntdll.dll!00007ffaf45026a1() Unknown 1944812 1 fujii 2023-03-28 17:37:46 -0700 Backtrace of WinCairo Debug MiniBrowser 262233@main: Exception thrown at 0x00007FFA42E6A001 (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF. JavaScriptCore.dll!std::_Atomic_storage<unsigned char,1>::compare_exchange_strong(unsigned char & _Expected, const unsigned char _Desired, const std::memory_order _Order) Line 756 C++ JavaScriptCore.dll!std::atomic<unsigned char>::compare_exchange_weak(unsigned char & _Expected, const unsigned char _Desired, const std::memory_order _Order) Line 2208 C++ JavaScriptCore.dll!WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char expected, unsigned char desired, std::memory_order order) Line 90 C++ JavaScriptCore.dll!WTF::LockAlgorithm<unsigned char,1,2,WTF::EmptyLockHooks<unsigned char>>::lockFastAssumingZero(WTF::Atomic<unsigned char> & lock) Line 54 C++ JavaScriptCore.dll!WTF::Lock::lock() Line 65 C++ JavaScriptCore.dll!WTF::Locker<WTF::Lock>::Locker<WTF::Lock>(WTF::Lock & lock) Line 159 C++ JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 207 C++ JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 587 C++ JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell * cell) Line 57 C++ JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 71 C++ JavaScriptCore.dll!JSC::SlotVisitor::append<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>>(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> & slot) Line 111 C++ JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> * barriers, unsigned __int64 count) Line 139 C++ JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 403 C++ JavaScriptCore.dll!JSC::JSBoundFunction::visitChildren(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 406 C++ JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 115 C++ JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell * cell) Line 398 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain::__l11::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504 C++ JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack<`JSC::SlotVisitor::drain'::`11'::<lambda_1>>(const JSC::SlotVisitor::drain::__l11::<lambda_1> & func) Line 184 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494 C++ JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 697 C++ JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400 C++ JavaScriptCore.dll!WTF::SharedTaskFunctor<void __cdecl(void),`JSC::Heap::runBeginPhase'::`2'::<lambda_2>>::run() Line 92 C++ WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113 C++ WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 202 C++ WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 229 C++ WTF.dll!WTF::Detail::CallableWrapper<`WTF::AutomaticThread::start'::`2'::<lambda_1>,void>::call() Line 53 C++ WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 83 C++ WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250 C++ WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151 C++ ucrtbase.dll!00007ffaf1f61bb2() Unknown kernel32.dll!00007ffaf30e7614() Unknown ntdll.dll!00007ffaf45026a1() Unknown 1944832 2 fujii 2023-03-28 19:01:33 -0700 Since 261993@main. 1944884 3 fujii 2023-03-29 00:13:09 -0700 Looks like similar crashes? bug#164989 bug#182396 bug#200863 1945029 4 mcatanzaro 2023-03-29 10:05:35 -0700 Hey Fujii, this is bug #254622 1945030 5 mcatanzaro 2023-03-29 10:06:43 -0700 (In reply to Michael Catanzaro from comment #4) > Hey Fujii, this is bug #254622 Er, sorry, it looks like I posted this comment by mistake even after noticing that I had the wrong bug link. I meant bug #254325 (crash on reddit.com), not bug #254622. Anyway, I'll mark bug #254325 as a duplicate of this one. 1945032 6 mcatanzaro 2023-03-29 10:06:53 -0700 *** Bug 254325 has been marked as a duplicate of this bug. *** 1945084 7 fujii 2023-03-29 12:59:53 -0700 Good to know. WinCairo Debug MiniBrowser (262233@main) also crashing just by loading https://www.reddit.com/ with the same backtrace (comment#1). 1945113 8 fujii 2023-03-29 14:29:05 -0700 WinCairo Debug MiniBrowser (262233@main) crashes https://ima.hatenablog.jp/entry/2023/03/27/210000 with the same backtrace. 1945126 9 fujii 2023-03-29 14:49:16 -0700 I checked 30 web pages from https://news.ycombinator.com/ . Tow more pages crash. https://www.prusa3d.com/product/original-prusa-mk4-2/ https://twitter.com/debarghya_das/status/1640892791923572737 1945324 10 mcatanzaro 2023-03-30 06:45:27 -0700 Hi Yusuke, do you want us to revert this, or do you want more time to investigate? Unfortunately WebKitGTK 2.41.1 just got released with this bug. :( 1945588 11 fujii 2023-03-30 21:20:15 -0700 I can't reproduce the same crash with WinCairo Debug MiniBrowser (262385@main). Maybe, I should close this as WORKSFORME. 1945590 12 fujii 2023-03-30 21:31:34 -0700 I confirmed WinCairo Debug MiniBrowser (262384@main) still reproduced the crash. 262385@main affected this. 1945600 13 mark.lam 2023-03-30 22:43:45 -0700 By "262385@main affected this", I think Fujii meant that it appears to be fixed. Duping. *** This bug has been marked as a duplicate of bug 254752 *** 1945653 14 mcatanzaro 2023-03-31 05:27:11 -0700 262385@main fixed the crashes on Linux too, despite the Windows-related commit message. Thanks Yusuke!