Bug 270882
| Summary: | [WinCairo] WebKitWebProcess crashes on flutter demo page | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Yury Semikhatsky <yurys> |
| Component: | WebCore JavaScript | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | fujii.hironori, ian.grunert, max |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Windows 10 | | |
Yury Semikhatsky
Steps to reproduce:
1. Download latest WebKit build (https://build.webkit.org/#/builders/731/builds/14972)
2. Run MiniBrowser and navigate to https://flutter.github.io/samples/web/material_3_demo/
Result:
Web Process crashes with the following stack:
```
ntdll.dll!00007ffecac5c1a9()
ntdll.dll!00007ffecac5c173()
ntdll.dll!00007ffecac6520a()
ntdll.dll!00007ffecac654ea()
ntdll.dll!00007ffecac714e5()
ntdll.dll!00007ffecab8bdfd()
ntdll.dll!00007ffecab8ab11()
ucrtbase.dll!00007ffec87137eb()
[Inline Frame] WebCore.dll!WTF::FastMalloc::free(void * p) Line 272
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\FastMalloc.h(272)
[Inline Frame] WebCore.dll!WTF::VectorBufferBase<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,WTF::FastMalloc>::deallocateBuffer(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> * bufferToDeallocate) Line 361
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(361)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::reserveCapacity(unsigned __int64 newCapacity) Line 1384
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1384)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::expandCapacity(unsigned __int64 newMinCapacity) Line 1220
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1220)
WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::expandCapacity<0>(unsigned __int64 newMinCapacity, std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> * ptr) Line 1245
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1245)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::appendSlowCase(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 1531
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1531)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 1506
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1506)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && u) Line 874
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(874)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 874
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(874)
WebCore.dll!WebCore::MicrotaskQueue::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && task) Line 48
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\Microtasks.cpp(48)
[Inline Frame] WebCore.dll!WebCore::EventLoop::queueMicrotask(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && microtask) Line 247
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\EventLoop.cpp(247)
WebCore.dll!WebCore::EventLoopTaskGroup::queueMicrotask(WTF::Function<void ()> && function) Line 484
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\EventLoop.cpp(484)
WebCore.dll!WebCore::WindowEventLoop::queueMutationObserverCompoundMicrotask() Line 226
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\WindowEventLoop.cpp(226)
WebCore.dll!WebCore::MutationObserver::enqueueMutationRecord(WTF::Ref<WebCore::MutationRecord,WTF::RawPtrTraits<WebCore::MutationRecord>,WTF::DefaultRefDerefTraits<WebCore::MutationRecord>> && mutation) Line 155
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\MutationObserver.cpp(155)
[Inline Frame] WebCore.dll!WTF::Ref<WebCore::MutationRecord,WTF::RawPtrTraits<WebCore::MutationRecord>,WTF::DefaultRefDerefTraits<WebCore::MutationRecord>>::Ref(WebCore::MutationRecord & object) Line 87
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h(87)
WebCore.dll!WebCore::MutationObserverInterestGroup::enqueueMutationRecord(WTF::Ref<WebCore::MutationRecord,WTF::RawPtrTraits<WebCore::MutationRecord>,WTF::DefaultRefDerefTraits<WebCore::MutationRecord>> && mutation) Line 81
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\MutationObserverInterestGroup.cpp(81)
WebCore.dll!WebCore::ChildListMutationAccumulator::enqueueMutationRecord() Line 128
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ChildListMutationScope.cpp(128)
WebCore.dll!WebCore::ChildListMutationAccumulator::~ChildListMutationAccumulator() Line 59
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ChildListMutationScope.cpp(59)
[Inline Frame] WebCore.dll!std::default_delete<WebCore::ChildListMutationAccumulator>::operator()(WebCore::ChildListMutationAccumulator * _Ptr) Line 3180
    at C:\MSVS\VC\Tools\MSVC\14.37.32822\include\memory(3180)
[Inline Frame] WebCore.dll!WTF::RefCounted<WebCore::ChildListMutationAccumulator,std::default_delete<WebCore::ChildListMutationAccumulator>>::deref() Line 220
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h(220)
[Inline Frame] WebCore.dll!WTF::DefaultRefDerefTraits<WebCore::ChildListMutationAccumulator>::derefIfNotNull(WebCore::ChildListMutationAccumulator * ptr) Line 62
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h(62)
[Inline Frame] WebCore.dll!WTF::RefPtr<WebCore::ChildListMutationAccumulator,WTF::RawPtrTraits<WebCore::ChildListMutationAccumulator>,WTF::DefaultRefDerefTraits<WebCore::ChildListMutationAccumulator>>::~RefPtr() Line 60
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h(60)
[Inline Frame] WebCore.dll!WebCore::ChildListMutationScope::~ChildListMutationScope() Line 77
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ChildListMutationScope.h(77)
[Inline Frame] WebCore.dll!WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node & childToRemove, WebCore::ContainerNode::ChildChange::Source source) Line 192
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ContainerNode.cpp(192)
WebCore.dll!WebCore::ContainerNode::removeChild(WebCore::Node & oldChild) Line 724
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ContainerNode.cpp(724)
WebCore.dll!WebCore::Node::removeChild(WebCore::Node & oldChild) Line 558
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\Node.cpp(558)
[Inline Frame] WebCore.dll!WebCore::jsNodePrototypeFunction_removeChildBody::<lambda_2>::operator()() Line 913
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WebCore\DerivedSources\JSNode.cpp(913)
[Inline Frame] WebCore.dll!WebCore::invokeFunctorPropagatingExceptionIfNecessary(JSC::JSGlobalObject & lexicalGlobalObject, JSC::ThrowScope & throwScope, WebCore::jsNodePrototypeFunction_removeChildBody::<lambda_2> && functor) Line 96
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\JSDOMExceptionHandling.h(96)
[Inline Frame] WebCore.dll!WebCore::jsNodePrototypeFunction_removeChildBody(JSC::JSGlobalObject * lexicalGlobalObject, JSC::CallFrame * callFrame, WebCore::JSNode * castedThis) Line 913
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WebCore\DerivedSources\JSNode.cpp(913)
[Inline Frame] WebCore.dll!WebCore::IDLOperation<WebCore::JSNode>::call(JSC::JSGlobalObject & lexicalGlobalObject, JSC::CallFrame & callFrame, const char * operationName) Line 63
    at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\JSDOMOperation.h(63)
WebCore.dll!WebCore::jsNodePrototypeFunction_removeChild(JSC::JSGlobalObject * lexicalGlobalObject, JSC::CallFrame * callFrame) Line 919
    at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WebCore\DerivedSources\JSNode.cpp(919)
[External Code]
```
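Most of the frames in a dump like the one above are noise for triage: the ntdll/ucrtbase frames carry only ASLR-dependent addresses, and the inlined WTF::Vector chain repeats the same function several times. What groups duplicate reports is the first few distinct frames outside the system DLLs, plus the first WebCore frame and the DOM entry point script called. The following parser for this MSVC-style dump format is an added example written for this page; it is not code from the report, from WebKit or from the build bots. The sample stack is an excerpt of the one in the report with long template argument lists shortened to `<...>`; the set of modules treated as "system" and the signature depth of five are assumptions.

```python
"""Parse an MSVC-style Windows stack dump like the one in this report and turn
it into a crash signature for grouping duplicate reports. Added triage example;
not code from the bug, from WebKit, or from the build bots."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: frames from these modules carry only ASLR-dependent addresses
# (no symbols) in such dumps, so they are skipped when building a signature.
SYSTEM_MODULES = {"ntdll.dll", "ucrtbase.dll", "kernel32.dll", "kernelbase.dll"}
FRAME_RE = re.compile(r"^(?:\[Inline Frame\]\s+)?(?P<module>[\w.]+\.dll)!"
                      r"(?P<symbol>.+?)(?:\s+Line\s+(?P<line>\d+))?\s*$")
SOURCE_RE = re.compile(r"^at\s+(?P<path>.+?)\((?P<line>\d+)\)\s*$")


def strip_args(symbol: str) -> str:
    """Drop template arguments and parameter lists (balanced <...> and (...)),
    keep 'operator()', and collapse the '::::' a stripped '<lambda_2>' leaves."""
    out, angle, paren, i = [], 0, 0, 0
    while i < len(symbol):
        ch = symbol[i]
        if ch == "<":
            angle += 1
        elif ch == ">" and angle:
            angle -= 1
        elif ch == "(":
            if (not angle and not paren and symbol.startswith("()", i)
                    and "".join(out).endswith("operator")):
                out.append("()")
                i += 2
                continue
            paren += 1
        elif ch == ")" and paren:
            paren -= 1
        elif not angle and not paren:
            out.append(ch)
        i += 1
    return re.sub(r"(::){2,}", "::", "".join(out))


@dataclass
class Frame:
    module: str
    symbol: str
    inline: bool
    line: Optional[int] = None
    source: Optional[str] = None

    @property
    def function(self) -> str:
        return strip_args(self.symbol)


def parse_stack(text: str) -> List[Frame]:
    """One Frame per '<module>!<symbol> [Line N]' line; an 'at <path>(N)' line is
    attached to the frame above it; '[External Code]' and blank lines are dropped."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := FRAME_RE.match(line):
            frames.append(Frame(m["module"], m["symbol"], line.startswith("[Inline"),
                                int(m["line"]) if m["line"] else None))
        elif (s := SOURCE_RE.match(line)) and frames:
            frames[-1].source = s["path"]
    return frames


def crash_signature(frames: List[Frame], depth: int = 5) -> List[str]:
    """First `depth` distinct non-system functions, top of stack first; adjacent
    repeats (the inlined append/expandCapacity chain) collapse to one entry."""
    sig: List[str] = []
    for f in frames:
        if f.module.lower() in SYSTEM_MODULES:
            continue
        if not sig or sig[-1] != f.function:
            sig.append(f.function)
        if len(sig) == depth:
            break
    return sig


def first_frame_with_prefix(frames: List[Frame], prefix: str) -> Optional[Frame]:
    return next((f for f in frames if f.function.startswith(prefix)), None)


# Excerpt of the stack from the report above; long template argument lists are
# shortened to <...> here so the sample stays readable.
SAMPLE_STACK = r"""
ntdll.dll!00007ffecac5c1a9()
ucrtbase.dll!00007ffec87137eb()
[Inline Frame] WebCore.dll!WTF::FastMalloc::free(void * p) Line 272
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\FastMalloc.h(272)
[Inline Frame] WebCore.dll!WTF::VectorBufferBase<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,WTF::FastMalloc>::deallocateBuffer(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> * bufferToDeallocate) Line 361
[Inline Frame] WebCore.dll!WTF::Vector<...>::reserveCapacity(unsigned __int64 newCapacity) Line 1384
[Inline Frame] WebCore.dll!WTF::Vector<...>::expandCapacity(unsigned __int64 newMinCapacity) Line 1220
WebCore.dll!WTF::Vector<...>::expandCapacity<0>(unsigned __int64 newMinCapacity, std::unique_ptr<...> * ptr) Line 1245
[Inline Frame] WebCore.dll!WTF::Vector<...>::appendSlowCase(std::unique_ptr<...> && value) Line 1531
WebCore.dll!WebCore::MicrotaskQueue::append(std::unique_ptr<...> && task) Line 48
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\Microtasks.cpp(48)
WebCore.dll!WebCore::MutationObserver::enqueueMutationRecord(WTF::Ref<WebCore::MutationRecord> && mutation) Line 155
WebCore.dll!WebCore::ContainerNode::removeChild(WebCore::Node & oldChild) Line 724
[Inline Frame] WebCore.dll!WebCore::jsNodePrototypeFunction_removeChildBody::<lambda_2>::operator()() Line 913
[External Code]
"""

if __name__ == "__main__":
    frames = parse_stack(SAMPLE_STACK)
    print("signature:", " > ".join(crash_signature(frames)))
    owner = first_frame_with_prefix(frames, "WebCore::")
    print("first WebCore frame:", owner.function, f"{owner.source}:{owner.line}")
    print("script entry point:", first_frame_with_prefix(frames, "WebCore::js").function)
```

A signature of this shape, an abort inside `free()` while a `WTF::Vector` grows on an ordinary DOM path, usually marks where heap damage was detected rather than where it was done, which is why a report like this one can turn out to be a duplicate of a bug in a different subsystem (as the next comment suggests). The signature is for grouping; the entry-point frame (`Node.removeChild` called from script) tells you which web API the page was exercising when the damage surfaced.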
Yury Semikhatsky
Original bug report in Playwright https://github.com/microsoft/playwright/issues/29693
Fujii Hironori
Seems like bug#267686.
Fujii Hironori
You can disable WebAssembly.
```powershell
$env:JSC_useWebAssembly = 0
```
However, Flutter doesn't work at all without WASM. I tested with Chrome disabling Wasm.
```powershell
& "C:\Program Files\Google\Chrome\Application\chrome.exe" --js-flags=--noexpose_wasm
```
Ian Grunert
The flutter demo page https://flutter.github.io/samples/web/material_3_demo/ loads on MiniBrowser after bug#278878 / pull request https://github.com/WebKit/WebKit/pull/32972.
I don't have the required permission to close this as Resolved Fixed.
Fujii Hironori
Thank you.