Bug 200266

Summary: [curl] JSC::SlotVisitor::drain → WTF::StringImpl::costDuringGC → divideRoundedUp → Integer divide-by-zero exception
Product: WebKit
Reporter: Fujii Hironori <Hironori.Fujii>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: takashi.komori
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=200378
Attachments (Description: Flags):
no-subprotocol-crash-log.txt: none
pong-crash-log.txt: none
no-subprotocol-crash-log.txt (debug build): none

Fujii Hironori
Reported 2019-07-29 19:40:27 PDT
[WinCairo] JSC::SlotVisitor::drain → WTF::StringImpl::costDuringGC → divideRoundedUp → Integer divide-by-zero exception

"WinCairo 64-bit WKL Release (Tests)" is infrequently crashing with an Integer divide-by-zero exception.

https://build.webkit.org/results/WinCairo%2064-bit%20WKL%20Release%20(Tests)/r247904%20(4650)/results.html
http/tests/websocket/tests/hybi/no-subprotocol.html

https://build.webkit.org/results/WinCairo%2064-bit%20WKL%20Release%20(Tests)/r247890%20(4639)/results.html
http/tests/websocket/tests/hybi/pong.html

Callstack:
> JavaScriptCore!divideRoundedUp+0x8 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\WebKitBuild\Release\WTF\Headers\wtf\MathExtras.h @ 307]
> JavaScriptCore!WTF::StringImpl::costDuringGC(void)+0x69 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\WebKitBuild\Release\WTF\Headers\wtf\text\StringImpl.h @ 1031]
> JavaScriptCore!JSC::JSString::visitChildren(class JSC::JSCell * cell = 0x000001d4`f2671600, class JSC::SlotVisitor * visitor = 0x000001d4`f26253b0)+0x1a2 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\runtime\JSString.cpp @ 148]
> JavaScriptCore!JSC::SlotVisitor::visitChildren+0x7a [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitor.cpp @ 374]
> JavaScriptCore!<lambda_3e016a9e0b54f91598bc5981a39993bb>::operator()(class JSC::MarkStackArray * stack = 0x000001d4`f26253b0)+0x109 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitor.cpp @ 498]
> JavaScriptCore!JSC::SlotVisitor::forEachMarkStack+0x20 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitorInlines.h @ 190]
> JavaScriptCore!JSC::SlotVisitor::drain(class WTF::MonotonicTime timeout = class WTF::MonotonicTime)+0xa4 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitor.cpp @ 488]
> JavaScriptCore!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode = SlaveDrain (0n0), class WTF::MonotonicTime timeout = class WTF::MonotonicTime)+0x559 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitor.cpp @ 691]
> JavaScriptCore!<lambda_7434909dfa36dd6f16db939b22739ad3>::operator()(void)+0xcc [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\Heap.cpp @ 1320]
> WTF!WTF::ParallelHelperClient::runTask(class WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::DumbPtrTraits<WTF::SharedTask<void __cdecl(void)> > > * task = 0x000001d4`f8996e80)+0x31 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\ParallelHelperPool.cpp @ 115]
> WTF!WTF::ParallelHelperPool::Thread::work(void)+0x1a [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\ParallelHelperPool.cpp @ 202]
> WTF!<lambda_04ae092c605b9fd3c9763a9cc8e9078a>::operator()(void)+0x140 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\AutomaticThread.cpp @ 224]
> WTF!WTF::Function<void __cdecl+0xe [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\Function.h @ 79]
> WTF!WTF::Thread::entryPoint(struct WTF::Thread::NewThreadContext * newThreadContext = 0x000001d4`f89a7b20)+0x127 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\Threading.cpp @ 148]
> WTF!WTF::wtfThreadEntryPoint(void * data = <Value unavailable error>)+0x9 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\win\ThreadingWin.cpp @ 153]
> ucrtbase!thread_start<unsigned int +0x42
> KERNEL32!BaseThreadInitThunk+0x14
> ntdll!RtlUserThreadStart+0x21
Attachments
no-subprotocol-crash-log.txt (78.46 KB, text/plain)
2019-07-29 19:40 PDT, Fujii Hironori
no flags
pong-crash-log.txt (80.81 KB, text/plain)
2019-07-29 19:40 PDT, Fujii Hironori
no flags
no-subprotocol-crash-log.txt (debug build) (90.25 KB, text/plain)
2019-08-01 18:49 PDT, Fujii Hironori
no flags
Fujii Hironori
Comment 1 2019-07-29 19:40:48 PDT
Created attachment 375140 [details] no-subprotocol-crash-log.txt
Fujii Hironori
Comment 2 2019-07-29 19:40:59 PDT
Created attachment 375141 [details] pong-crash-log.txt
Fujii Hironori
Comment 3 2019-07-30 01:52:57 PDT
Fujii Hironori
Comment 4 2019-07-30 18:38:56 PDT
Fujii Hironori
Comment 5 2019-08-01 18:49:32 PDT
Created attachment 375377 [details] no-subprotocol-crash-log.txt (debug build)
Debug builds also crashed.
https://build.webkit.org/results/WinCairo%2064-bit%20WKL%20Debug%20(Tests)/r248104%20(2106)/results.html
http/tests/websocket/tests/hybi/no-subprotocol.html
Fujii Hironori
Comment 6 2019-08-04 18:43:59 PDT
It seems that Buildbot hasn't crashed since r248182. Closed as a duplicate of Bug 200378.
*** This bug has been marked as a duplicate of bug 200378 ***