Bug 273703
| Summary: | Crash on WebCore::FrameLoader::effectiveReferrerPolicy() after 274396@main on ARM64 with GCC -O3 | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Carlos Alberto Lopez Perez <clopez> |
| Component: | WPE WebKit | Assignee: | Carlos Alberto Lopez Perez <clopez> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | achristensen, bugs-noreply, pascoe |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=268704, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115135 | | |
Carlos Alberto Lopez Perez
The WPE performance test bots running on RPi4 boards (ARM 64-bits) started to crash all the tests after 274396@main.
The bots are here: https://build.webkit.org/#/builders/895
I manually bisected this and I confirm that everything was working before 274396@main, but after 274396@main and later the browser always crashes as soon as it starts; it is not even able to load a very basic page.
The backtrace looks like this:

```text
#0 0x0000007fb24e5c48 in WebCore::FrameLoader::effectiveReferrerPolicy() const () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#1 0x0000007fb1f15b1c in WebCore::Document::initSecurityContext() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#2 0x0000007fb1f1c994 in WebCore::Document::Document(WebCore::LocalFrame*, WebCore::Settings const&, WTF::URL const&, WTF::OptionSet<WebCore::Document::DocumentClass>, WTF::OptionSet<WebCore::Document::ConstructionFlag>, WebCore::ProcessQualified<WTF::UUID>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#3 0x0000007fb217adf0 in WebCore::HTMLDocument::HTMLDocument(WebCore::LocalFrame*, WebCore::Settings const&, WTF::URL const&, WebCore::ProcessQualified<WTF::UUID>, WTF::OptionSet<WebCore::Document::DocumentClass>, WTF::OptionSet<WebCore::Document::ConstructionFlag>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#4 0x0000007fb1ee16c4 in WebCore::DOMImplementation::createDocument(WTF::String const&, WebCore::LocalFrame*, WebCore::Settings const&, WTF::URL const&, WebCore::ProcessQualified<WTF::UUID>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#5 0x0000007fb24b7150 in WebCore::DocumentWriter::createDocument(WTF::URL const&, WebCore::ProcessQualified<WTF::UUID>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#6 0x0000007fb24cfcf4 in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*, WebCore::ProcessQualified<WTF::UUID>, WebCore::NavigationAction const*) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#7 0x0000007fb24d0d94 in WebCore::DocumentLoader::commitData(WebCore::SharedBuffer const&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#8 0x0000007fb24d17f4 in WebCore::DocumentLoader::finishedLoading() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#9 0x0000007fb24d1ef8 in WebCore::DocumentLoader::maybeLoadEmpty() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#10 0x0000007fb24d5838 in WebCore::DocumentLoader::startLoadingMainResource() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#11 0x0000007fb24ecd88 in WebCore::FrameLoader::init() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#12 0x0000007fb2611a48 in WebCore::LocalFrame::init() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#13 0x0000007faf5379e8 in WebKit::WebPage::WebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#14 0x0000007faf538908 in WebKit::WebPage::create(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#15 0x0000007faf42b76c in WebKit::WebProcess::createWebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#16 0x0000007faef4b6b4 in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#17 0x0000007faf1b1480 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#18 0x0000007faf1b282c in IPC::Connection::dispatchOneIncomingMessage() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#19 0x0000007fb0a7b59c in WTF::RunLoop::performWork() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#20 0x0000007fb0af5190 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#21 0x0000007fb0af609c in WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#22 0x0000007fae0b9c7c in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#23 0x0000007fae0ba070 in ?? () from /usr/lib/libglib-2.0.so.0
#24 0x0000007fae0ba3f8 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#25 0x0000007fb0af629c in WTF::RunLoop::run() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#26 0x0000007faf5683f8 in WebKit::WebProcessMain(int, char**) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#27 0x0000007fad8f6e38 in __libc_start_call_main (main=main@entry=0x55578c0840 <main>, argc=argc@entry=3, argv=argv@entry=0x7fd849a888) at /usr/src/debug/glibc/2.37-r1/sysdeps/nptl/libc_start_call_main.h:58
#28 0x0000007fad8f6f1c in __libc_start_main_impl (main=0x55578c0840 <main>, argc=3, argv=0x7fd849a888, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>) at /usr/src/debug/glibc/2.37-r1/csu/libc-start.c:360
#29 0x00000055578c08b0 in _start () at ../sysdeps/aarch64/start.S:98
```
And I'm not able to get a better backtrace because if I try to build a Debug build then the crash no longer happens.
The crash also doesn't happen if you build Release with -O2; it only happens with -O3, which is the default for developer release builds.
I compared all the compiler switches that are enabled at -O2 vs -O3 for GCC 12.3.0, and the one causing the crash is --param=early-inlining-insns.
-O3 enables early-inlining-insns=14 and -O2 enables early-inlining-insns=6.
The file causing the crash is Source/WebCore/page/Page.cpp:
* If it gets built with --param=early-inlining-insns=9 or lower it is fine
* If it gets built with --param=early-inlining-insns=10 or higher it crashes
However, that is for a release build. If I build Debug and I set --param=early-inlining-insns=16 on that file then it doesn't crash anymore... 🤷
So I'm not sure if this is a compiler bug, or whether it is because of some undefined behaviour, or whether there is a valid bug somewhere that only triggers due to very specific timings caused by a race condition or similar.
But the issue is 100% reproducible when it happens.
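The two manual steps in the report (diffing the parameters that -O2 and -O3 enable, then narrowing the early-inlining-insns threshold for one file) automated as a POSIX shell script. This is an added example, not code from the bug report or from WebKit; `gcc -Q --help=params` is real GCC syntax, while the `COMPILE_CMD` and `RUN_CMD` variables and the `check_webkit_build` function are placeholders for your own build and reproducer.

```shell
#!/bin/sh
# Added example; not code from the bug report or from WebKit. It automates the
# two manual steps described above: list the GCC --param values that change
# between -O2 and -O3, then binary-search the smallest early-inlining-insns
# value at which a rebuild of one file starts to fail. "gcc -Q --help=params"
# is real GCC syntax; COMPILE_CMD and RUN_CMD are placeholders for your build.

# Print "--param=name=value" for every parameter whose value differs between
# two option sets (e.g. gcc_param_diff -O2 -O3). Needs gcc on PATH; the
# "<number>" placeholders in gcc's output are stripped so the lines compare.
gcc_param_diff() {
    a=$(mktemp); b=$(mktemp)
    gcc "$1" -Q --help=params 2>/dev/null |
        awk '/^ *--param=/ { sub(/=<[^>]*>/, "", $1); print $1 "=" $2 }' | sort > "$a"
    gcc "$2" -Q --help=params 2>/dev/null |
        awk '/^ *--param=/ { sub(/=<[^>]*>/, "", $1); print $1 "=" $2 }' | sort > "$b"
    comm -13 "$a" "$b"     # lines only in the second set: values that changed
    rm -f "$a" "$b"
}

# Smallest value in [lo, hi] for which "check value" exits non-zero, found by
# binary search. Assumes the outcome is monotonic, as in the report (fine at
# 9 and below, crashing at 10 and above). Prints "none" and fails if no value
# in the range makes the check fail.
find_param_threshold() {
    lo=$1; hi=$2; check=$3
    if "$check" "$hi"; then echo none; return 1; fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$check" "$mid"; then lo=$((mid + 1)); else hi=$mid; fi
    done
    echo "$lo"
}

# Per-file check in the shape the report implies: recompile one translation
# unit with the candidate value appended to its usual compile command, then
# run the reproducer; a zero exit means "no crash". Both variables are
# placeholders (the shell aborts with the message if they are unset).
check_webkit_build() {
    sh -c "${COMPILE_CMD:?set to the compile command for Page.cpp} --param=early-inlining-insns=$1" &&
        sh -c "${RUN_CMD:?set to the browser reproducer command}"
}

if command -v gcc >/dev/null 2>&1; then
    echo "GCC --param values that differ between -O2 and -O3:"
    gcc_param_diff -O2 -O3
fi
# With the two placeholders set:  find_param_threshold 6 14 check_webkit_build
```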
Carlos Alberto Lopez Perez
Some info about the crash that I debugged with a few printfs...
- On the backtrace above, the crash inside the function "WebCore::FrameLoader::effectiveReferrerPolicy()" happens exactly when doing the downcast of m_frame->opener().
In this line exactly:

```cpp
RefPtr opener = dynamicDowncast<LocalFrame>(m_frame->opener()))
```

Note: "m_frame->opener()" is not null (I checked it).
If I comment out that code and simply return "ReferrerPolicy::Default" there, then the same crash happens later at WebCore::Document::initSecurityContext(),
exactly here:

```cpp
// If we do not obtain a meaningful origin from the URL, then we try to
// find one via the frame hierarchy.
RefPtr parentFrame = m_frame->tree().parent();
RefPtr openerFrame = dynamicDowncast<LocalFrame>(m_frame->opener()); // <--- here it crashes, again when trying to call "dynamicDowncast<LocalFrame>(m_frame->opener())", which is basically the same crash as before (note: I checked that "m_frame->opener()" is not null)
RefPtr ownerFrame = dynamicDowncast<LocalFrame>(parentFrame.get());
```
So I'm not sure what is going on and/or whether this is a valid bug or a crash caused by a bug in the compiler itself.
I have a workaround, which is ensuring this file does not build with a value of "early-inlining-insns" higher than what is enabled for -O2 ... so I will propose that patch for now.
Carlos Alberto Lopez Perez
Pull request: https://github.com/WebKit/WebKit/pull/28117
Carlos Alberto Lopez Perez
In the end I managed to create a simplified test case and reported a bug to GCC here: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115135
This looks to me like a bug in GCC and not an issue in the WebKit code.
It also happens with newer versions of GCC (13 and 14 tested and affected).
EWS
Committed 279066@main (bc889156b6fb): <https://commits.webkit.org/279066@main>
Reviewed commits have been landed. Closing PR #28117 and removing active labels.