Bug 150342 - [Win] Access violation in Release build 64-bit JSC
Summary: [Win] Access violation in Release build 64-bit JSC
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: PC Windows 10
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-10-19 14:41 PDT by Brent Fulgham
Modified: 2016-06-10 08:25 PDT (History)
8 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brent Fulgham 2015-10-19 14:41:00 PDT 
Running with a Release 64-bit JavaScriptCore build is frequently hitting the following crash when running the 'fast' WebKit test suite:

>	JavaScriptCore.dll!JSC::MarkedAllocator::reset() Line 215	C++
 	JavaScriptCore.dll!JSC::MarkedSpace::resetAllocators() Line 109	C++
 	JavaScriptCore.dll!JSC::Heap::collectImpl(JSC::HeapOperation collectionType, void * stackOrigin, void * stackTop, _SETJMP_FLOAT128[16] & calleeSavedRegisters) Line 1099	C++
 	JavaScriptCore.dll!JSC::Heap::collect(JSC::HeapOperation collectionType) Line 1026	C++
 	JavaScriptCore.dll!JSC::MarkedAllocator::allocateSlowCase(unsigned __int64 bytes) Line 159	C++
 	WebKit.dll!WebCore::JSDOMWindowShell::setWindow(WTF::PassRefPtr<WebCore::DOMWindow> domWindow) Line 86	C++
 	WebKit.dll!WebCore::JSDOMWindowShell::create(JSC::VM & vm, WTF::PassRefPtr<WebCore::DOMWindow> window, JSC::Structure * structure, WebCore::DOMWrapperWorld & world) Line 57	C++
 	WebKit.dll!WebCore::ScriptController::createWindowShell(WebCore::DOMWrapperWorld & world) Line 133	C++
 	WebKit.dll!WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld & world) Line 252	C++
 	WebKit.dll!WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld & world) Line 91	C++
 	WebKit.dll!WebFrame::globalContext() Line 532	C++
 	DumpRenderTreeLib.dll!resetWebViewToConsistentStateBeforeTesting() Line 917	C++
 	DumpRenderTreeLib.dll!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & inputLine) Line 1175	C++
 	DumpRenderTreeLib.dll!main(int argc, const char * * argv) Line 1494	C++
 	DumpRenderTree.exe!main(int argc, const char * * argv) Line 269	C++
 	[External Code]
Comment 1 Radar WebKit Bug Importer 2015-10-19 14:42:48 PDT 
<rdar://problem/23172910>
Comment 2 Brent Fulgham 2015-10-19 14:43:59 PDT 
This crash is hit hundreds of times when running the LayoutTests/fast suite on 64-bit Windows (Release).
Comment 3 Brent Fulgham 2015-10-19 14:44:39 PDT 
Reproducibly crashing on 'LayoutTests/fast/backgrounds/background-opaque-clipped-gradients.html'
Comment 4 Geoffrey Garen 2015-10-19 14:58:12 PDT 
Does this crash go away if you disable concurrent GC?
Comment 5 Mark Lam 2015-10-19 15:21:00 PDT 
I just took a look at this with Brent.  Here are some details:

1. The crash does not go away when we disable the concurrent JIT.
2. The crash does not manifest on a debug build.
3. The crash does not manifest when the test page is loaded in MiniBrowser.
4. The test in question doesn't exercise any JS code at all.

At this point, I'm not convinced that this is a JSC issue yet.  Brent is going to play with the optimization flags on VS2015 and see if that gives us any additional clues.
Comment 6 peavo 2015-10-21 11:07:09 PDT 
I have not been able to reproduce the crash, yet (WinCairo).
Comment 7 peavo 2015-10-22 00:33:31 PDT 
(In reply to comment #4)
> Does this crash go away if you disable concurrent GC?

Have we tried to disable both concurrent GC and concurrent JIT?
Comment 8 Per Arne Vollan 2016-06-10 08:12:12 PDT 
I am not able to reproduce this on WebKit revision 201919, when running the test fast/backgrounds/background-opaque-clipped-gradients.html.
Comment 9 Brent Fulgham 2016-06-10 08:25:24 PDT 
(In reply to comment #8)
> I am not able to reproduce this on WebKit revision 201919, when running the
> test fast/backgrounds/background-opaque-clipped-gradients.html.

OK! Let's close it, then.