265435 2023-11-27 22:54:50 -0800 REGRESSION(271184@main): [Win] crash under JSC::PolymorphicCallNode::unlinkImpl 2023-11-28 18:48:15 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED DUPLICATE 265475 https://bugs.webkit.org/show_bug.cgi?id=265361 P2 Normal --- 1 fujii webkit-unassigned ysuzuki oldest_to_newest 1995192 0 fujii 2023-11-27 22:54:50 -0800 Windows Release becomes crashy. Buildbot: builder WinCairo-64-bit-Release-Tests build 2839 : 271179@main https://build.webkit.org/#/builders/728/builds/2839 Regressions: Unexpected crashes (5) http/tests/security/mixedContent/insecure-basic-auth-image.https.html [ Crash ] webgl/2.0.0/conformance2/glsl3/vector-dynamic-indexing.html [ Crash ] webgl/2.0.0/conformance2/textures/misc/tex-new-formats.html [ Crash ] webgl/2.0.y/conformance/ogles/GL/operators/operators_009_to_016.html [ Crash ] webgl/2.0.y/conformance2/textures/canvas/tex-2d-rgb565-rgb-unsigned_short_5_6_5.html [ Crash ] https://build.webkit.org/results/WinCairo-64-bit-Release-Tests/271184@main%20(2840)/CrashLog_1f14_2023-11-28_04-26-21-641.txt . 0 Id: 2de4.41ec Suspend: 1 Teb: 000000c8`251e1000 Unfrozen # Child-SP RetAddr Call Site 00 (Inline Function) --------`-------- JavaScriptCore!WTF::BasicRawSentinelNode<JSC::CallLinkInfoBase,WTF::PackedPtrTraits<JSC::CallLinkInfoBase> >::setNext [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\SentinelLinkedList.h @ 61] 01 (Inline Function) --------`-------- JavaScriptCore!WTF::SentinelLinkedList<JSC::CallLinkInfoBase,WTF::BasicRawSentinelNode<JSC::CallLinkInfoBase,WTF::PackedPtrTraits<JSC::CallLinkInfoBase> > >::remove+0x6 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\SentinelLinkedList.h @ 240] 02 (Inline Function) --------`-------- JavaScriptCore!WTF::BasicRawSentinelNode<JSC::CallLinkInfoBase,WTF::PackedPtrTraits<JSC::CallLinkInfoBase> >::remove+0x6 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\SentinelLinkedList.h @ 164] 03 000000c8`24ffdf50 00007ff8`e857af05 JavaScriptCore!JSC::PolymorphicCallNode::unlinkImpl(class JSC::VM * vm = <Value unavailable error>)+0x1c2 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\jit\PolymorphicCallStubRoutine.cpp @ 49] 04 (Inline Function) --------`-------- JavaScriptCore!JSC::CallLinkInfoBase::unlink+0x5 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\bytecode\CallLinkInfoBase.cpp @ 43] 05 (Inline Function) --------`-------- JavaScriptCore!JSC::CodeBlock::unlinkIncomingCalls+0x14 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\bytecode\CodeBlock.cpp @ 2106] 06 000000c8`24ffdfc0 00007ff8`e8a118d3 JavaScriptCore!JSC::CodeBlock::~CodeBlock(void)+0x115 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\bytecode\CodeBlock.cpp @ 866] 07 (Inline Function) --------`-------- JavaScriptCore!JSC::DefaultDestroyFunc::operator()+0x18 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\HeapCellType.cpp @ 46] 08 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedBlock::Handle::specializedSweep<1,1,0,1,0,1,1,JSC::DefaultDestroyFunc>::<lambda_1>::operator()+0x20 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 282] 09 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedBlock::Handle::specializedSweep<1,1,0,1,0,1,1,JSC::DefaultDestroyFunc>::<lambda_3>::operator()+0x24 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 352] 0a 000000c8`24ffe020 00007ff8`e8a0fd1e JavaScriptCore!JSC::MarkedBlock::Handle::specializedSweep<1,1,0,1,0,1,1,JSC::DefaultDestroyFunc>(class JSC::FreeList * freeList = <Value unavailable error>, JSC::MarkedBlock::Handle::EmptyMode emptyMode = <Value unavailable error>, JSC::MarkedBlock::Handle::SweepMode sweepMode = <Value unavailable error>, JSC::MarkedBlock::Handle::SweepDestructionMode destructionMode = <Value unavailable error>, JSC::MarkedBlock::Handle::ScribbleMode scribbleMode = <Value unavailable error>, JSC::MarkedBlock::Handle::NewlyAllocatedMode newlyAllocatedMode = <Value unavailable error>, JSC::MarkedBlock::Handle::MarksMode marksMode = <Value unavailable error>, struct JSC::DefaultDestroyFunc * destroyFunc = 0x000000c8`24ffe1b8)+0x133 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 401] 0b 000000c8`24ffe070 00007ff8`e8a085c9 JavaScriptCore!JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::DefaultDestroyFunc>::<lambda_1>::operator()(void)+0x11e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 476] 0c 000000c8`24ffe0c0 00007ff8`e8a08426 JavaScriptCore!JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::DefaultDestroyFunc>(class JSC::FreeList * freeList = <Value unavailable error>, struct JSC::DefaultDestroyFunc * destroyFunc = 0x000000c8`24ffe1b8)+0x189 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 498] 0d 000000c8`24ffe190 00007ff8`e8a1c8b5 JavaScriptCore!JSC::HeapCellType::finishSweep(class JSC::MarkedBlock::Handle * block = <Value unavailable error>, class JSC::FreeList * freeList = <Value unavailable error>)+0x26 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\HeapCellType.cpp @ 61] 0e 000000c8`24ffe1d0 00007ff8`e89d692a JavaScriptCore!JSC::MarkedBlock::Handle::sweep(class JSC::FreeList * freeList = <Value unavailable error>)+0x135 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlock.cpp @ 480] 0f (Inline Function) --------`-------- JavaScriptCore!JSC::BlockDirectory::sweep::<lambda_7>::operator()+0x16 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\BlockDirectory.cpp @ 299] 10 (Inline Function) --------`-------- JavaScriptCore!WTF::FastBitVectorImpl<JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView<6> >::forEachSetBit+0x68 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\FastBitVector.h @ 348] 11 000000c8`24ffe2c0 00007ff8`e8a1e968 JavaScriptCore!JSC::BlockDirectory::sweep(void)+0x7a [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\BlockDirectory.cpp @ 296] 12 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedSpace::sweepBlocks::<lambda_10>::operator()+0x8 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedSpace.cpp @ 223] 13 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedSpace::forEachDirectory+0x1c [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedSpace.h @ 245] 14 000000c8`24ffe320 00007ff8`e89e161b JavaScriptCore!JSC::MarkedSpace::sweepBlocks(void)+0x38 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedSpace.cpp @ 221] 15 000000c8`24ffe350 00007ff8`e89e1d89 JavaScriptCore!JSC::Heap::sweepSynchronously(void)+0xdb [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1185] 16 000000c8`24ffe3e0 00007ff8`d6249a32 JavaScriptCore!JSC::Heap::collectNow(JSC::Synchronousness synchronousness = <Value unavailable error>, struct JSC::GCRequest * request = 0x00000000`00000101)+0x1d9 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1235] 17 000000c8`24ffe450 00007ff8`d62f2b88 WebCore!WebCore::GCController::garbageCollectNow(void)+0x92 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\GCController.cpp @ 97] 18 (Inline Function) --------`-------- WebCore!WebCore::collectGarbageAfterWindowProxyDestruction+0x4e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\WindowProxy.cpp @ 52] 19 000000c8`24ffe4a0 00007ff8`d6b2f67f WebCore!WebCore::WindowProxy::detachFromFrame(void)+0x148 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\WindowProxy.cpp @ 87] 1a 000000c8`24ffe500 00007ff8`d6b49d15 WebCore!WebCore::Frame::~Frame(void)+0x1f [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\Frame.cpp @ 58] 1b 000000c8`24ffe540 00007ff8`d6b6b000 WebCore!WebCore::LocalFrame::~LocalFrame(void)+0x275 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalFrame.cpp @ 221] 1c 000000c8`24ffe5c0 00007ff8`d6b5117e WebCore!WebCore::LocalFrame::~LocalFrame(int should_call_delete = 0n1)+0x10 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalFrame.cpp @ 197] 1d (Inline Function) --------`-------- WebCore!WTF::ThreadSafeRefCounted<WebCore::Frame,1>::deref+0x3a [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\ThreadSafeRefCounted.h @ 121] 1e (Inline Function) --------`-------- WebCore!WTF::Ref<WebCore::LocalFrame,WTF::RawPtrTraits<WebCore::LocalFrame> >::~Ref+0x51 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h @ 61] 1f 000000c8`24ffe600 00007ff8`d6b6b030 WebCore!WebCore::LocalFrameView::~LocalFrameView(void)+0x72e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalFrameView.cpp @ 257] (..) 1995193 1 fujii 2023-11-27 23:02:30 -0800 (In reply to Fujii Hironori from comment #0) > Windows Release becomes crashy. > > Buildbot: builder WinCairo-64-bit-Release-Tests build 2839 : 271179@main > https://build.webkit.org/#/builders/728/builds/2839 Wrong url and regision. 271179@main is green. Buildbot: builder WinCairo-64-bit-Release-Tests build 2840 : 271184@main https://build.webkit.org/#/builders/728/builds/2840 1995205 2 fujii 2023-11-28 00:28:35 -0800 No reliable way to reproduce the crash. But, the following command is likely reproducing the crash. > python .\Tools\Scripts\run-webkit-tests --release --child=1 --no-retry --exit-after-n-crash=1 --iter=10 webgl/2.0.y/conformance2/textures/canvas 1995206 3 fujii 2023-11-28 00:31:12 -0800 Not only Windows Release build, but also Debug builds are crashy. Buildbot: builder WinCairo-64-bit-Debug-Tests build 21395 : 271184@main https://build.webkit.org/#/builders/727/builds/21395 Regressions: Unexpected crashes (4) webgl/2.0.0/conformance2/textures/image_bitmap_from_blob/tex-3d-rg16f-rg-half_float.html [ Crash ] webgl/2.0.0/conformance2/textures/image_bitmap_from_image_data/tex-3d-rgb565-rgb-unsigned_byte.html [ Crash ] webgl/2.0.y/conformance/ogles/GL/operators/operators_017_to_024.html [ Crash ] webgl/2.0.y/conformance2/textures/canvas/tex-3d-rg8-rg-unsigned_byte.html [ Crash ] 1995207 4 fujii 2023-11-28 00:33:25 -0800 As far as I tryed bisection, 271184@main seems to be the culprit. 1995243 5 ysuzuki 2023-11-28 03:01:35 -0800 I kind of doubt integrity of the builds on WinCairo buildbots. No other ports are reporting this crash. And from the code, I cannot find the path causing this condition. CallLinkInfoBase's destructor is always unregistering itself. So there is no way to have dangling CallLinkInfo in this linked-list. Ross, me, and Fujihiro are looking into it. This requires Windows port's debugging since there is no problems on the other ports. 1995502 6 fujii 2023-11-28 18:48:15 -0800 *** This bug has been marked as a duplicate of bug 265475 ***