Bug 229594

Summary:

[ Win EWS] js/dfg-int16array.html is a flaky crash under WebCore::LayoutIntegration::LineLayout::constructContent

Product:

WebKit

Reporter:

Robert Jenner <jenner>

Component:

Layout and Rendering

Assignee:

Nobody <webkit-unassigned>

Status:

NEW

Severity:

Normal

CC:

ayumi_kojima, bfulgham, ehutchison, simon.fraser, webkit-bot-watchers-bugzilla, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=229626

Attachments:

Description	Flags
Full crashlog from windows EWS	none

Robert Jenner

Reported 2021-08-26 17:27:21 PDT

js/dfg-int16array.html is a flaky crash on Windows EWS, and it looks like it has crashed once on OpenSource. HISTORY: https://results.webkit.org/?suite=layout-tests&test=js%2Fdfg-int16array.html BUILD: https://build.webkit.org/#/builders/50/builds/2089 Unfortunately it doesn't look like any useful data about the OpenSource crash was collected. There is a crashlog from the flaky crashes occurring on EWS. EWS BUILD: https://ews-build.webkit.org/#/builders/10/builds/102590 CRASH URL: https://ews-build.s3-us-west-2.amazonaws.com/Windows-EWS/r436576-102590/js/dfg-int16array-crash-log.txt CRASH TEXT: 05 (Inline Function) --------`-------- WebKit!WTF::Vector<WebCore::LayoutIntegration::Run,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::shrinkCapacity+0x2b [C:\cygwin\home\buildbot\worker\Windows-EWS\build\WebKitBuild\Release\DerivedSources\ForwardingHeaders\wtf\Vector.h @ 1251] 06 (Inline Function) --------`-------- WebKit!WTF::Vector<WebCore::LayoutIntegration::Run,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::shrinkToFit+0x2f [C:\cygwin\home\buildbot\worker\Windows-EWS\build\WebKitBuild\Release\DerivedSources\ForwardingHeaders\wtf\Vector.h @ 769] Full crash log has been attached to this bug.

Attachments
Full crashlog from windows EWS (352.93 KB, text/plain) 2021-08-26 17:28 PDT, Robert Jenner	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Robert Jenner

Comment 1 2021-08-26 17:28:26 PDT

Created attachment 436592 [details] Full crashlog from windows EWS

Robert Jenner

Comment 2 2021-08-26 17:33:44 PDT

Set expectations to [ Pass Crash ] for Windows here: https://trac.webkit.org/changeset/281675/webkit

Radar WebKit Bug Importer

Comment 3 2021-08-26 17:34:55 PDT

<rdar://problem/82414987>

Ryan Haddad

Comment 4 2021-08-27 09:36:28 PDT

Frame[00] Triage Symbol: [WTF!abort+0x35] Frame[01] Triage Symbol: [WTF!WTF::fastMalloc+0x18] Frame[02] Triage Symbol: [WebKit!WebCore::LayoutIntegration::LineLayout::constructContent+0x1c0] Frame[03] Triage Symbol: [WebKit!WebCore::LayoutIntegration::LineLayout::layout+0x14f] Frame[04] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutModernLines+0x347] Frame[05] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlock+0x380] Frame[06] Triage Symbol: [WebKit!WebCore::RenderBlock::layout+0x80] Frame[07] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlockChild+0x292] Frame[08] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlockChildren+0x508] Frame[09] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlock+0x43f] Frame[0a] Triage Symbol: [WebKit!WebCore::RenderBlock::layout+0x80] Frame[0b] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlockChild+0x292] Frame[0c] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlockChildren+0x508] Frame[0d] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlock+0x43f] Frame[0e] Triage Symbol: [WebKit!WebCore::RenderBlock::layout+0x80] Frame[0f] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlockChild+0x292] Frame[10] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlockChildren+0x508] Frame[11] Triage Symbol: [WebKit!WebCore::RenderBlockFlow::layoutBlock+0x43f] Frame[12] Triage Symbol: [WebKit!WebCore::RenderBlock::layout+0x80] Frame[13] Triage Symbol: [WebKit!WebCore::RenderView::layout+0x2ed] Frame[14] Triage Symbol: [WebKit!WebCore::FrameViewLayoutContext::layout+0x5bf] Frame[15] Triage Symbol: [WebKit!WebCore::Document::implicitClose+0x35d] Frame[16] Triage Symbol: [WebKit!WebCore::FrameLoader::checkCompleted+0x13f] Frame[17] Triage Symbol: [WebKit!WebCore::CachedResourceLoader::loadDone+0x80] Frame[18] Triage Symbol: [WebKit!WebCore::SubresourceLoader::notifyDone+0x55] Frame[19] Triage Symbol: [WebKit!WebCore::SubresourceLoader::didFinishLoading+0x163] Frame[1a] Triage Symbol: [WebKit!<lambda_e7e2d454785dfeaf6199132ec807941c>::operator+0xec] Frame[1b] Triage Symbol: [WTF!WTF::RunLoop::performWork+0x23f]

Ryan Haddad

Comment 5 2021-08-27 14:06:09 PDT

Two other affected tests: https://trac.webkit.org/changeset/281719/webkit

Ryan Haddad

Comment 6 2021-08-27 14:06:14 PDT

*** Bug 229626 has been marked as a duplicate of this bug. ***

Eric Hutchison

Comment 7 2021-09-16 16:04:50 PDT

js/dfg-uint8array.html is also crashing on Win EWS and has not appeared on OpenSource. History: https://results.webkit.org/?platform=ios&platform=mac&suite=layout-tests&test=js%2Fdfg-uint8array.html Crash Log: https://ews-build.s3-us-west-2.amazonaws.com/Windows-EWS/r438375-105128/js/dfg-uint8array-crash-log.txt Marked expectations: https://trac.webkit.org/changeset/282614/webkit

Eric Hutchison

Comment 8 2021-09-17 14:26:35 PDT

js/dfg-int32array-overflow-values.html also affected: History: https://results.webkit.org/?suite=layout-tests&test=js/dfg-int32array-overflow-values.html Crash Log: https://ews-build.s3-us-west-2.amazonaws.com/Windows-EWS/r438420-105169/js/dfg-int32array-overflow-values-crash-log.txt Update test expectations: http://trac.webkit.org/changeset/282695/webkit

Eric Hutchison

Comment 9 2021-09-20 13:17:53 PDT

js/dfg-int8array.html https://results.webkit.org/?suite=layout-tests&test=js/dfg-int8array.html also affected: History: https://results.webkit.org/?suite=layout-tests&test=js/dfg-int8array.html Crash Log: https://ews-build.s3-us-west-2.amazonaws.com/Windows-EWS/r438688-105450/js/dfg-int8array-crash-log.txt Update test expectations: https://trac.webkit.org/changeset/282772/webkit

Eric Hutchison

Comment 10 2021-09-20 14:13:00 PDT

js/dfg-uint32array-overflow-values.html is affected. History: https://results.webkit.org/?suite=layout-tests&test=js/dfg-uint32array-overflow-values.html Results: https://ews-build.s3-us-west-2.amazonaws.com/Windows-EWS/r438649-105405/results.html Crash Log: https://ews-build.s3-us-west-2.amazonaws.com/Windows-EWS/r438649-105405/js/dfg-uint32array-overflow-values-crash-log.txt Update test expectations: https://trac.webkit.org/changeset/282781/webkit

Eric Hutchison

Comment 11 2021-09-22 16:41:32 PDT

js/dfg-uint8clampedarray.html is a flaky crash on Win EWS History: https://results.webkit.org/?suite=layout-tests&test=js/dfg-uint8clampedarray.html https://ews-build.webkit.org/#/builders/10/builds/105957 Updated test expectations at https://trac.webkit.org/changeset/282892/webkit

Eric Hutchison

Comment 12 2021-09-23 15:30:17 PDT

js/dfg-float64array.html History: https://results.webkit.org/?suite=layout-tests&test=js/dfg-float64array.html Results: https://ews-build.webkit.org/#/builders/10/builds/106064, https://build.webkit.org/results/Apple-Win-10-Release-Tests/r282870%20(2511)/results.html STDIO: 11:53:48.723 5595 worker/11 worker/11 js/dfg-float64array.html crashed, (no stderr) 11:53:48.725 5595 [26997/29873] js/dfg-float64array.html failed unexpectedly (DumpRenderTree crashed [pid=8348]) 11:53:48.726 5595 worker/11 killing driver 11:53:48.726 5595 worker/11 js/dfg-float64array.html failed: 11:53:48.726 5595 worker/11 DumpRenderTree crashed [pid=8348] Updated test expectations at https://trac.webkit.org/changeset/283015/webkit

Note You need to log in before you can comment on or make changes to this bug.