Bug 200266 - [curl] JSC::SlotVisitor::drain → WTF::StringImpl::costDuringGC → divideRoundedUp → Integer divide-by-zero exception
Status: RESOLVED DUPLICATE of bug 200378
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-29 19:40 PDT by Fujii Hironori
Modified: 2019-08-04 18:43 PDT

See Also:


Attachments
no-subprotocol-crash-log.txt (78.46 KB, text/plain), 2019-07-29 19:40 PDT, Fujii Hironori
pong-crash-log.txt (80.81 KB, text/plain), 2019-07-29 19:40 PDT, Fujii Hironori
no-subprotocol-crash-log.txt (debug build) (90.25 KB, text/plain), 2019-08-01 18:49 PDT, Fujii Hironori

Description Fujii Hironori 2019-07-29 19:40:27 PDT
[WinCairo] JSC::SlotVisitor::drain → WTF::StringImpl::costDuringGC → divideRoundedUp → Integer divide-by-zero exception

"WinCairo 64-bit WKL Release (Tests)" is infrequently crashing with an Integer divide-by-zero exception

https://build.webkit.org/results/WinCairo%2064-bit%20WKL%20Release%20(Tests)/r247904%20(4650)/results.html
http/tests/websocket/tests/hybi/no-subprotocol.html

https://build.webkit.org/results/WinCairo%2064-bit%20WKL%20Release%20(Tests)/r247890%20(4639)/results.html
http/tests/websocket/tests/hybi/pong.html


Callstack:

> JavaScriptCore!divideRoundedUp+0x8 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\WebKitBuild\Release\WTF\Headers\wtf\MathExtras.h @ 307]
> JavaScriptCore!WTF::StringImpl::costDuringGC(void)+0x69 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\WebKitBuild\Release\WTF\Headers\wtf\text\StringImpl.h @ 1031]
> JavaScriptCore!JSC::JSString::visitChildren(class JSC::JSCell * cell = 0x000001d4`f2671600, class JSC::SlotVisitor * visitor = 0x000001d4`f26253b0)+0x1a2 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\runtime\JSString.cpp @ 148]
> JavaScriptCore!JSC::SlotVisitor::visitChildren+0x7a [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitor.cpp @ 374]
> JavaScriptCore!<lambda_3e016a9e0b54f91598bc5981a39993bb>::operator()(class JSC::MarkStackArray * stack = 0x000001d4`f26253b0)+0x109 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitor.cpp @ 498]
> JavaScriptCore!JSC::SlotVisitor::forEachMarkStack+0x20 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitorInlines.h @ 190]
> JavaScriptCore!JSC::SlotVisitor::drain(class WTF::MonotonicTime timeout = class WTF::MonotonicTime)+0xa4 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitor.cpp @ 488]
> JavaScriptCore!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode = SlaveDrain (0n0), class WTF::MonotonicTime timeout = class WTF::MonotonicTime)+0x559 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\SlotVisitor.cpp @ 691]
> JavaScriptCore!<lambda_7434909dfa36dd6f16db939b22739ad3>::operator()(void)+0xcc [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\JavaScriptCore\heap\Heap.cpp @ 1320]
> WTF!WTF::ParallelHelperClient::runTask(class WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::DumbPtrTraits<WTF::SharedTask<void __cdecl(void)> > > * task = 0x000001d4`f8996e80)+0x31 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\ParallelHelperPool.cpp @ 115]
> WTF!WTF::ParallelHelperPool::Thread::work(void)+0x1a [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\ParallelHelperPool.cpp @ 202]
> WTF!<lambda_04ae092c605b9fd3c9763a9cc8e9078a>::operator()(void)+0x140 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\AutomaticThread.cpp @ 224]
> WTF!WTF::Function<void __cdecl+0xe [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\Function.h @ 79]
> WTF!WTF::Thread::entryPoint(struct WTF::Thread::NewThreadContext * newThreadContext = 0x000001d4`f89a7b20)+0x127 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\Threading.cpp @ 148]
> WTF!WTF::wtfThreadEntryPoint(void * data = <Value unavailable error>)+0x9 [C:\WebKit-BuildWorker\wincairo-wkl-release\build\Source\WTF\wtf\win\ThreadingWin.cpp @ 153]
> ucrtbase!thread_start<unsigned int +0x42
> KERNEL32!BaseThreadInitThunk+0x14
> ntdll!RtlUserThreadStart+0x21
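The frames above show the trap happening inside divideRoundedUp, reached from StringImpl::costDuringGC while a parallel GC marking thread visits a JSString. The block below is an added illustration, not WebKit code and not something the report contains: it reproduces the shape of that arithmetic (ceil(a / b) in unsigned integer math, applied to a string's byte size divided by its reference count) and contrasts it with a checked variant that reports a zero divisor instead of raising the divide-by-zero exception. That the divisor in costDuringGC is the string's reference count is an assumption taken from the WTF source of that era; the report itself does not say what the divisor was.

```cpp
// Added illustration (not WebKit code). Models the arithmetic behind the
// crash: a ceil-division helper with the same shape as WTF's
// divideRoundedUp(a, b), and a per-reference cost computation modelled on
// StringImpl::costDuringGC (byte size of the characters divided by the
// reference count). The refCount-as-divisor mapping is an assumption from
// the WTF source of the time, not a statement the bug report makes.
#include <cstddef>
#include <optional>

// Same shape as WTF's helper: ceil(a / b) for unsigned integers.
// With b == 0 this is an integer division by zero: undefined behaviour in
// C++, and on Windows/x86 it surfaces as the "Integer divide-by-zero
// exception" (STATUS_INTEGER_DIVIDE_BY_ZERO) named in the report.
template<typename T>
constexpr T divideRoundedUp(T a, T b)
{
    return (a + b - 1) / b;
}

// Unguarded cost model: bytes occupied by the characters (1 byte per code
// unit for 8-bit strings, 2 for 16-bit), spread across the references.
// A refCount of 0 reaches the divide with b == 0 and traps.
inline size_t costDuringGCUnchecked(size_t length, bool is8Bit, unsigned refCount)
{
    size_t bytes = is8Bit ? length : length * 2;
    return divideRoundedUp(bytes, static_cast<size_t>(refCount));
}

// Checked variant: a live string must have refCount >= 1, so a zero divisor
// means the invariant was already broken (for example, the object is being
// destroyed while a collector thread still holds a pointer to it). Report
// that to the caller instead of letting the CPU raise the exception.
inline std::optional<size_t> costDuringGCChecked(size_t length, bool is8Bit, unsigned refCount)
{
    if (refCount == 0)
        return std::nullopt;   // invariant violated; surface it, do not divide
    size_t bytes = is8Bit ? length : length * 2;
    return divideRoundedUp(bytes, static_cast<size_t>(refCount));
}
```

The checked variant does not fix the underlying lifetime problem (a string that is visited with a zero reference count is still a bug), but it turns a hardware trap deep inside a marking thread into a value the caller can assert on in a debug build, which is what a practitioner would want when triaging an intermittent crash like this one.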
Comment 1 Fujii Hironori 2019-07-29 19:40:48 PDT
Created attachment 375140
no-subprotocol-crash-log.txt
Comment 2 Fujii Hironori 2019-07-29 19:40:59 PDT
Created attachment 375141
pong-crash-log.txt
Comment 3 Fujii Hironori 2019-07-30 01:52:57 PDT
https://build.webkit.org/results/WinCairo%2064-bit%20WKL%20Release%20(Tests)/r248004%20(4659)/results.html
http/tests/websocket/tests/hybi/null-character.html
Comment 4 Fujii Hironori 2019-07-30 18:38:56 PDT
https://build.webkit.org/results/WinCairo%2064-bit%20WKL%20Release%20(Tests)/r248014%20(4663)/results.html
http/tests/websocket/tests/hybi/reserved-bits.html
Comment 5 Fujii Hironori 2019-08-01 18:49:32 PDT
Created attachment 375377
no-subprotocol-crash-log.txt (debug build)

Debug builds also crashed.
https://build.webkit.org/results/WinCairo%2064-bit%20WKL%20Debug%20(Tests)/r248104%20(2106)/results.html
http/tests/websocket/tests/hybi/no-subprotocol.html
Comment 6 Fujii Hironori 2019-08-04 18:43:59 PDT
It seems that Buildbot hasn't crashed since r248182. Closed as a duplicate of Bug 200378.

*** This bug has been marked as a duplicate of bug 200378 ***