Bug 273467

Summary: REGRESSION(278148@main): random crashes under JSC::WatchpointSet::fireAllWatchpoints
Product: WebKit
Reporter: Fujii Hironori <fujii.hironori>
Component: JavaScriptCore
Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED
Severity: Normal
CC: mark.lam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=273454
Attachments: crashlog WinCairo-64-bit-Debug-Tests 278158@main (flags: none)

Fujii Hironori
Reported 2024-04-30 00:25:28 PDT
I'm observing random crashes with 278156@main Windows Debug builds.

> python .\Tools\Scripts\run-webkit-tests --wincairo --debug --no-retry --iter=100 js/dom/dfg-proto-stub-watchpoint-fire.html
> python .\Tools\Scripts\run-webkit-tests --wincairo --debug --no-retry --iter=100 js/dom/delete-syntax.html

ASSERTION FAILED: &*m_set.begin() != &watchpoint
C:\webkit\wb\Source\JavaScriptCore\bytecode/Watchpoint.cpp(172) : fireAllWatchpoints
1 00007FFDEA701CA9 WTFCrash
2 00007FFDE0AECCED WTFCrashWithInfo
3 00007FFDE0E7C733 JSC::WatchpointSet::fireAllWatchpoints
4 00007FFDE0E7C55D JSC::WatchpointSet::fireAllSlow
5 00007FFDE0E7E473 JSC::WatchpointSet::fireAll<JSC::StringFireDetail>
6 00007FFDE1B19057 JSC::PolymorphicAccessJITStubRoutine::invalidate
7 00007FFDE0E498D4 JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal
8 00007FFDE0E7D344 JSC::Watchpoint::fire::<lambda_1>::operator()<JSC::StructureTransitionStructureStubClearingWatchpoint>
9 00007FFDE0E7C293 JSC::Watchpoint::runWithDowncast<`lambda at C:\webkit\wb\Source\JavaScriptCore\bytecode\Watchpoint.cpp:88:21'>
10 00007FFDE0E7C173 JSC::Watchpoint::fire
11 00007FFDE0E7C7BF JSC::WatchpointSet::fireAllWatchpoints
12 00007FFDE0E7C55D JSC::WatchpointSet::fireAllSlow
13 00007FFDE24309A3 JSC::WatchpointSet::fireAll<JSC::StructureFireDetail>
14 00007FFDE24249B0 JSC::DeferredStructureTransitionWatchpointFire::fireAllSlow
15 00007FFDE0B88566 JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire
16 00007FFDE21E1DCE JSC::JSObject::deleteProperty
17 00007FFDE1BC0FE9 JSC::deleteById
18 00007FFDE1BC088F JSC::deleteByIdOptimize
19 00007FFDE1BC0704 operationDeleteByIdSloppyOptimize
20 000002DC8CCB661A (null)
Exception thrown at 0x00007FFDEA701CAE (WTF.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00000000BBADBEEF.

Another assertion failure:

ASSERTION FAILED: !!m_prev == !!m_next
C:\webkit\wb\WebKitBuild\Debug\WTF\Headers\wtf/SentinelLinkedList.h(68) : isOnList
1 00007FFDEA701CA9 WTFCrash
2 00007FFDE0AECCED WTFCrashWithInfo
3 00007FFDE0C63BEC WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> >::isOnList
4 00007FFDE0E7C653 JSC::WatchpointSet::fireAllWatchpoints
5 00007FFDE0E7C55D JSC::WatchpointSet::fireAllSlow
6 00007FFDE0E7E473 JSC::WatchpointSet::fireAll<JSC::StringFireDetail>
7 00007FFDE1B19057 JSC::PolymorphicAccessJITStubRoutine::invalidate
8 00007FFDE0E498D4 JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal
9 00007FFDE0E7D344 JSC::Watchpoint::fire::<lambda_1>::operator()<JSC::StructureTransitionStructureStubClearingWatchpoint>
10 00007FFDE0E7C293 JSC::Watchpoint::runWithDowncast<`lambda at C:\webkit\wb\Source\JavaScriptCore\bytecode\Watchpoint.cpp:88:21'>
11 00007FFDE0E7C173 JSC::Watchpoint::fire
12 00007FFDE0E7C7BF JSC::WatchpointSet::fireAllWatchpoints
13 00007FFDE0E7C55D JSC::WatchpointSet::fireAllSlow
14 00007FFDE24309A3 JSC::WatchpointSet::fireAll<JSC::StructureFireDetail>
15 00007FFDE24249B0 JSC::DeferredStructureTransitionWatchpointFire::fireAllSlow
16 00007FFDE0B88566 JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire
17 00007FFDE21E1DCE JSC::JSObject::deleteProperty
18 00007FFDE20E143E JSC::JSCell::deleteProperty
19 00007FFDE1C64CBA llint_slow_path_del_by_id
20 00007FFDE29DDF9B llint_entry
21 00007FFDE2B872D7 `string'
22 00007FFD00000483 (null)
Exception thrown at 0x00007FFDEA701CAE (WTF.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00000000BBADBEEF.

One more crash log:

> JavaScriptCore.dll!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint>>::setNext(WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint>> * next) Line 61 C++
> JavaScriptCore.dll!WTF::SentinelLinkedList<JSC::Watchpoint,WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint>>>::remove(JSC::Watchpoint * node) Line 241 C++
> JavaScriptCore.dll!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint>>::remove() Line 165 C++
> JavaScriptCore.dll!JSC::WatchpointSet::fireAllWatchpoints(JSC::VM & vm, const JSC::FireDetail & detail) Line 172 C++
> JavaScriptCore.dll!JSC::WatchpointSet::fireAllSlow(JSC::VM & vm, const JSC::FireDetail & detail) Line 127 C++
> JavaScriptCore.dll!JSC::WatchpointSet::fireAll<JSC::StringFireDetail>(JSC::VM & vm, JSC::StringFireDetail & fireDetails) Line 226 C++
> JavaScriptCore.dll!JSC::PolymorphicAccessJITStubRoutine::invalidate() Line 115 C++
> JavaScriptCore.dll!JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal(JSC::VM & vm, const JSC::FireDetail &) Line 59 C++
> JavaScriptCore.dll!JSC::Watchpoint::fire::<lambda_1>::operator()<JSC::StructureTransitionStructureStubClearingWatchpoint>(JSC::StructureTransitionStructureStubClearingWatchpoint * derived) Line 90 C++
> JavaScriptCore.dll!JSC::Watchpoint::runWithDowncast<`lambda at C:\webkit\wb\Source\JavaScriptCore\bytecode\Watchpoint.cpp:88:21'>(const JSC::Watchpoint::fire::<lambda_1> & func) Line 60 C++
> JavaScriptCore.dll!JSC::Watchpoint::fire(JSC::VM & vm, const JSC::FireDetail & detail) Line 88 C++
> JavaScriptCore.dll!JSC::WatchpointSet::fireAllWatchpoints(JSC::VM & vm, const JSC::FireDetail & detail) Line 158 C++
> JavaScriptCore.dll!JSC::WatchpointSet::fireAllSlow(JSC::VM & vm, const JSC::FireDetail & detail) Line 127 C++
> JavaScriptCore.dll!JSC::WatchpointSet::fireAll<JSC::StructureFireDetail>(JSC::VM & vm, JSC::StructureFireDetail & fireDetails) Line 226 C++
> JavaScriptCore.dll!JSC::DeferredStructureTransitionWatchpointFire::fireAllSlow() Line 1609 C++
> JavaScriptCore.dll!JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire() Line 91 C++
> JavaScriptCore.dll!JSC::JSObject::deleteProperty(JSC::JSCell * cell, JSC::JSGlobalObject * globalObject, JSC::PropertyName propertyName, JSC::DeletePropertySlot & slot) Line 2268 C++
> JavaScriptCore.dll!JSC::JSCell::deleteProperty(JSC::JSCell * cell, JSC::JSGlobalObject * globalObject, JSC::PropertyName identifier) Line 139 C++
> JavaScriptCore.dll!llint_slow_path_del_by_id(JSC::CallFrame * callFrame, const JSC::BaseInstruction<JSC::JSOpcodeTraits> * pc) Line 1129 C++
> [External Code]
Attachments
crashlog WinCairo-64-bit-Debug-Tests 278158@main (84.90 KB, text/plain), 2024-04-30 14:16 PDT, Fujii Hironori, no flags
Fujii Hironori
Comment 1 2024-04-30 14:16:34 PDT
Created attachment 471228 [details]
crashlog WinCairo-64-bit-Debug-Tests 278158@main

Buildbot: builder WinCairo-64-bit-Debug-Tests build 22553 : 278158@main
https://build.webkit.org/#/builders/727/builds/22553

Regressions: Unexpected crashes (2)
js/dom/dfg-patchable-get-by-id-after-watchpoint.html [ Crash ]
js/promises-tests/promises-tests-2-3-3.html [ Crash ]

https://build.webkit.org/results/WinCairo-64-bit-Debug-Tests/278158@main%20(22553)/CrashLog_209c_2024-04-30_09-29-29-190.txt
https://build.webkit.org/results/WinCairo-64-bit-Debug-Tests/278158@main%20(22553)/CrashLog_2e94_2024-04-30_09-24-56-460.txt

.  0  Id: 2f74.394 Suspend: 1 Teb: 00000087`88716000 Unfrozen
 # Child-SP          RetAddr               Call Site
00 00000087`888fd5b8 00007ff8`dbc3d7eb JavaScriptCore!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> >::setNext(class WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> > * next = 0xf0000000`00000000)+0x16 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\SentinelLinkedList.h @ 61]
01 00000087`888fd5d0 00007ff8`dbc23473 JavaScriptCore!WTF::SentinelLinkedList<JSC::Watchpoint,WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> > >::remove(class JSC::Watchpoint * node = 0x0000026f`d8f52801)+0x15b [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\SentinelLinkedList.h @ 241]
02 00000087`888fd610 00007ff8`dbe3c6b7 JavaScriptCore!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> >::remove(void)+0x13 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\SentinelLinkedList.h @ 165]
03 00000087`888fd640 00007ff8`dbe3c55d JavaScriptCore!JSC::WatchpointSet::fireAllWatchpoints(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x00000087`888fd780)+0x147 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 172]
04 00000087`888fd6b0 00007ff8`dbe3e473 JavaScriptCore!JSC::WatchpointSet::fireAllSlow(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x00000087`888fd780)+0x9d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 127]
05 00000087`888fd700 00007ff8`dcad9077 JavaScriptCore!JSC::WatchpointSet::fireAll<JSC::StringFireDetail>(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::StringFireDetail * fireDetails = 0x00000087`888fd780)+0x43 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 226]
06 00000087`888fd750 00007ff8`dbe098d4 JavaScriptCore!JSC::PolymorphicAccessJITStubRoutine::invalidate(void)+0x57 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\GCAwareJITStubRoutine.cpp @ 115]
07 00000087`888fd7a0 00007ff8`dbe3d254 JavaScriptCore!JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal(class JSC::VM * vm = 0x0000026f`d1c2acd0)+0x64 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\StructureStubClearingWatchpoint.cpp @ 59]
08 00000087`888fd7f0 00007ff8`dbe3c293 JavaScriptCore!JSC::Watchpoint::fire::<lambda_1>::operator()<JSC::StructureTransitionStructureStubClearingWatchpoint>(class JSC::StructureTransitionStructureStubClearingWatchpoint * derived = 0x0000026f`d8c02e40)+0x24 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 90]
09 00000087`888fd830 00007ff8`dbe3c173 JavaScriptCore!JSC::Watchpoint::runWithDowncast<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp:88:21'>(class JSC::Watchpoint::fire::<lambda_1> * func = 0x00000087`888fd8c0)+0x103 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 60]
0a 00000087`888fd880 00007ff8`dbe3c7bf JavaScriptCore!JSC::Watchpoint::fire(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0xb3 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 88]
0b 00000087`888fd8e0 00007ff8`dbe3c55d JavaScriptCore!JSC::WatchpointSet::fireAllWatchpoints(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x24f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 158]
0c 00000087`888fd950 00007ff8`dbce40b3 JavaScriptCore!JSC::WatchpointSet::fireAllSlow(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x9d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 127]
0d 00000087`888fd9a0 00007ff8`dbccd662 JavaScriptCore!JSC::WatchpointSet::fireAll<const JSC::FireDetail>(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * fireDetails = 0x0000026f`d8f71ce8)+0x43 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 226]
0e 00000087`888fd9f0 00007ff8`dbdf5cbb JavaScriptCore!JSC::WatchpointSet::invalidate(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x42 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 245]
0f 00000087`888fda40 00007ff8`dbdf5c54 JavaScriptCore!JSC::InlineWatchpointSet::invalidate(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x4b [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 366]
10 00000087`888fda90 00007ff8`dbdeaf6d JavaScriptCore!JSC::AccessGenerationResult::fireWatchpoints(class JSC::VM * vm = 0x0000026f`d1c2acd0)+0xd4 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\InlineCacheCompiler.h @ 105]
11 00000087`888fdaf0 00007ff8`dbddb9df JavaScriptCore!JSC::fireWatchpointsAndClearStubIfNeeded(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328, class JSC::CodeBlock * codeBlock = 0x0000026f`d7ed4c40, class JSC::AccessGenerationResult * result = 0x00000087`888fe058)+0x4d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Repatch.cpp @ 217]
12 00000087`888fdb60 00007ff8`dbdd9520 JavaScriptCore!JSC::tryCacheGetBy(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::CodeBlock * codeBlock = 0x0000026f`d7ed4c40, class JSC::JSValue baseValue = class JSC::JSValue, class JSC::CacheableIdentifier propertyName = class JSC::CacheableIdentifier, class JSC::PropertySlot * slot = 0x00000087`888fe430, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328, JSC::GetByKind kind = ById (0n0))+0x22ef [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Repatch.cpp @ 528]
13 00000087`888fe0d0 00007ff8`dcb8a1fb JavaScriptCore!JSC::repatchGetBy(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::CodeBlock * codeBlock = 0x0000026f`d7ed4c40, class JSC::JSValue baseValue = class JSC::JSValue, class JSC::CacheableIdentifier propertyName = class JSC::CacheableIdentifier, class JSC::PropertySlot * slot = 0x00000087`888fe430, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328, JSC::GetByKind kind = ById (0n0))+0xc0 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Repatch.cpp @ 537]
14 00000087`888fe190 00007ff8`dcb89fe8 JavaScriptCore!operationGetByIdOptimize::<lambda_0>::operator()(bool found = true, class JSC::PropertySlot * slot = 0x00000087`888fe430)+0x1db [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp @ 543]
15 00000087`888fe280 00007ff8`dcb67460 JavaScriptCore!JSC::JSValue::getPropertySlot<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp:536:75'>(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::PropertyName propertyName = class JSC::PropertyName, class JSC::PropertySlot * slot = 0x00000087`888fe430, class operationGetByIdOptimize::<lambda_0> * callback = 0x00000087`888fe3f0)+0x218 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\JSCJSValueInlines.h @ 1056]
16 00000087`888fe380 00007ff8`dcb67334 JavaScriptCore!JSC::JSValue::getPropertySlot<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp:536:75'>(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::PropertyName propertyName = class JSC::PropertyName, class operationGetByIdOptimize::<lambda_0> * callback = 0x00000087`888fe4f0)+0xd0 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\JSCJSValueInlines.h @ 1048]
17 00000087`888fe4a0 0000026f`8000395a JavaScriptCore!operationGetByIdOptimize(int64 base = 0n2679328938624, class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328)+0x164 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp @ 536]
18 00000087`888fe580 00005d64`00000004 0x0000026f`8000395a
19 00000087`888fe588 00000087`888fe600 0x00005d64`00000004
Fujii Hironori
Comment 2 2024-04-30 18:56:27 PDT
Setting an env var JSC_useJIT=0 works around the crash, but other env vars JSC_useDFGJIT=0, JSC_useRegExpJIT=0, JSC_useDOMJIT=0 have no effect.
Radar WebKit Bug Importer
Comment 3 2024-05-01 00:42:22 PDT
Yusuke Suzuki
Comment 4 2024-05-01 00:44:14 PDT
EWS
Comment 5 2024-05-01 13:00:16 PDT
Committed 278223@main (1d96c3185c84): <https://commits.webkit.org/278223@main> Reviewed commits have been landed. Closing PR #27972 and removing active labels.