Bug 150342

Summary: [Win] Access violation in Release build 64-bit JSC
Product: WebKit Reporter: Brent Fulgham <bfulgham>
Component: JavaScriptCore Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal CC: ap, bfulgham, ggaren, mark.lam, msaboff, peavo, pvollan, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build
Hardware: PC
OS: Windows 10

Description Brent Fulgham 2015-10-19 14:41:00 PDT
Running with a Release 64-bit JavaScriptCore build is frequently hitting the following crash when running the 'fast' WebKit test suite:

>	JavaScriptCore.dll!JSC::MarkedAllocator::reset() Line 215	C++
 	JavaScriptCore.dll!JSC::MarkedSpace::resetAllocators() Line 109	C++
 	JavaScriptCore.dll!JSC::Heap::collectImpl(JSC::HeapOperation collectionType, void * stackOrigin, void * stackTop, _SETJMP_FLOAT128[16] & calleeSavedRegisters) Line 1099	C++
 	JavaScriptCore.dll!JSC::Heap::collect(JSC::HeapOperation collectionType) Line 1026	C++
 	JavaScriptCore.dll!JSC::MarkedAllocator::allocateSlowCase(unsigned __int64 bytes) Line 159	C++
 	WebKit.dll!WebCore::JSDOMWindowShell::setWindow(WTF::PassRefPtr<WebCore::DOMWindow> domWindow) Line 86	C++
 	WebKit.dll!WebCore::JSDOMWindowShell::create(JSC::VM & vm, WTF::PassRefPtr<WebCore::DOMWindow> window, JSC::Structure * structure, WebCore::DOMWrapperWorld & world) Line 57	C++
 	WebKit.dll!WebCore::ScriptController::createWindowShell(WebCore::DOMWrapperWorld & world) Line 133	C++
 	WebKit.dll!WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld & world) Line 252	C++
 	WebKit.dll!WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld & world) Line 91	C++
 	WebKit.dll!WebFrame::globalContext() Line 532	C++
 	DumpRenderTreeLib.dll!resetWebViewToConsistentStateBeforeTesting() Line 917	C++
 	DumpRenderTreeLib.dll!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & inputLine) Line 1175	C++
 	DumpRenderTreeLib.dll!main(int argc, const char * * argv) Line 1494	C++
 	DumpRenderTree.exe!main(int argc, const char * * argv) Line 269	C++
 	[External Code]
Comment 1 Radar WebKit Bug Importer 2015-10-19 14:42:48 PDT
<rdar://problem/23172910>
Comment 2 Brent Fulgham 2015-10-19 14:43:59 PDT
This crash is hit hundreds of times when running the LayoutTests/fast suite on 64-bit Windows (Release).
Comment 3 Brent Fulgham 2015-10-19 14:44:39 PDT
Reproducibly crashing on 'LayoutTests/fast/backgrounds/background-opaque-clipped-gradients.html'
Comment 4 Geoffrey Garen 2015-10-19 14:58:12 PDT
Does this crash go away if you disable concurrent GC?
Comment 5 Mark Lam 2015-10-19 15:21:00 PDT
I just took a look at this with Brent.  Here are some details:

1. The crash does not go away when we disable the concurrent JIT.
2. The crash does not manifest on a debug build.
3. The crash does not manifest when the test page is loaded in MiniBrowser.
4. The test in question doesn't exercise any JS code at all.

At this point, I'm not convinced that this is a JSC issue yet.  Brent is going to play with the optimization flags on VS2015 and see if that gives us any additional clues.
Comment 6 peavo 2015-10-21 11:07:09 PDT
I have not been able to reproduce the crash, yet (WinCairo).
Comment 7 peavo 2015-10-22 00:33:31 PDT
(In reply to comment #4)
> Does this crash go away if you disable concurrent GC?

Have we tried to disable both concurrent GC and concurrent JIT?
Comment 8 Per Arne Vollan 2016-06-10 08:12:12 PDT
I am not able to reproduce this on WebKit revision 201919, when running the test fast/backgrounds/background-opaque-clipped-gradients.html.
Comment 9 Brent Fulgham 2016-06-10 08:25:24 PDT
(In reply to comment #8)
> I am not able to reproduce this on WebKit revision 201919, when running the
> test fast/backgrounds/background-opaque-clipped-gradients.html.

OK! Let's close it, then.