RESOLVED DUPLICATE of bug 254752 254633
REGRESSION(261993@main): JSC: Crash under JSC::MarkedBlock::aboutToMark 
https://bugs.webkit.org/show_bug.cgi?id=254633
Summary REGRESSION(261993@main): JSC: Crash under JSC::MarkedBlock::aboutToMark
Fujii Hironori
Reported 2023-03-28 17:12:12 PDT
REGRESSION: JSC: Crash under JSC::MarkedBlock::aboutToMark WinCairo Release MiniBrowser is crashihng or freezing just by loading https://news.yahoo.co.jp/articles/c5dbf98ce2bd908c9d05b55f413a2bcd11892c64 today. 262131@main: Bad 261847@main: Good Exception thrown at 0x00007FFA6EF30757 (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00007F0041C80038. > [Inline Frame] JavaScriptCore.dll!std::_Atomic_storage<unsigned char,1>::compare_exchange_strong(unsigned char &) Line 756 C++ [Inline Frame] JavaScriptCore.dll!std::atomic<unsigned char>::compare_exchange_weak(unsigned char &) Line 2207 C++ [Inline Frame] JavaScriptCore.dll!WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char) Line 89 C++ [Inline Frame] JavaScriptCore.dll!WTF::LockAlgorithm<unsigned char,1,2,WTF::EmptyLockHooks<unsigned char>>::lockFastAssumingZero(WTF::Atomic<unsigned char> &) Line 53 C++ [Inline Frame] JavaScriptCore.dll!WTF::Lock::lock() Line 65 C++ [Inline Frame] JavaScriptCore.dll!WTF::Locker<WTF::Lock>::{ctor}(WTF::Lock &) Line 158 C++ JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 207 C++ [Inline Frame] JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 586 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell *) Line 57 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 70 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::append(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> &) Line 110 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> *) Line 139 C++ JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 384 C++ [Inline Frame] JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell *) Line 115 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell *) Line 394 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain::__l9::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack(const JSC::SlotVisitor::drain::__l9::<lambda_1> &) Line 184 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494 C++ JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 694 C++ JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400 C++ WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113 C++ WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 203 C++ WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 230 C++ [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 82 C++ WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250 C++ WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151 C++ ucrtbase.dll!00007ffaf1f61bb2() Unknown kernel32.dll!00007ffaf30e7614() Unknown ntdll.dll!00007ffaf45026a1() Unknown Exception thrown at 0x00007FFA6EF3074F (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation reading location 0x0000000000000018. > JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 204 C++ [Inline Frame] JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 586 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell *) Line 57 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 70 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::append(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> &) Line 110 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> *) Line 139 C++ JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 384 C++ [Inline Frame] JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell *) Line 115 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell *) Line 394 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain::__l9::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504 C++ [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack(const JSC::SlotVisitor::drain::__l9::<lambda_1> &) Line 184 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494 C++ JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 694 C++ JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400 C++ WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113 C++ WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 203 C++ WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 230 C++ [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 82 C++ WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250 C++ WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151 C++ ucrtbase.dll!00007ffaf1f61bb2() Unknown kernel32.dll!00007ffaf30e7614() Unknown ntdll.dll!00007ffaf45026a1() Unknown
Attachments
Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 1 2023-03-28 17:37:46 PDT
Backtrace of WinCairo Debug MiniBrowser 262233@main: Exception thrown at 0x00007FFA42E6A001 (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF. JavaScriptCore.dll!std::_Atomic_storage<unsigned char,1>::compare_exchange_strong(unsigned char & _Expected, const unsigned char _Desired, const std::memory_order _Order) Line 756 C++ JavaScriptCore.dll!std::atomic<unsigned char>::compare_exchange_weak(unsigned char & _Expected, const unsigned char _Desired, const std::memory_order _Order) Line 2208 C++ JavaScriptCore.dll!WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char expected, unsigned char desired, std::memory_order order) Line 90 C++ JavaScriptCore.dll!WTF::LockAlgorithm<unsigned char,1,2,WTF::EmptyLockHooks<unsigned char>>::lockFastAssumingZero(WTF::Atomic<unsigned char> & lock) Line 54 C++ JavaScriptCore.dll!WTF::Lock::lock() Line 65 C++ JavaScriptCore.dll!WTF::Locker<WTF::Lock>::Locker<WTF::Lock>(WTF::Lock & lock) Line 159 C++ JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 207 C++ JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 587 C++ JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell * cell) Line 57 C++ JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 71 C++ JavaScriptCore.dll!JSC::SlotVisitor::append<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>>(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> & slot) Line 111 C++ JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> * barriers, unsigned __int64 count) Line 139 C++ JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 403 C++ JavaScriptCore.dll!JSC::JSBoundFunction::visitChildren(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 406 C++ JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 115 C++ JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell * cell) Line 398 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain::__l11::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504 C++ JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack<`JSC::SlotVisitor::drain'::`11'::<lambda_1>>(const JSC::SlotVisitor::drain::__l11::<lambda_1> & func) Line 184 C++ JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494 C++ JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 697 C++ JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400 C++ JavaScriptCore.dll!WTF::SharedTaskFunctor<void __cdecl(void),`JSC::Heap::runBeginPhase'::`2'::<lambda_2>>::run() Line 92 C++ WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113 C++ WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 202 C++ WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 229 C++ WTF.dll!WTF::Detail::CallableWrapper<`WTF::AutomaticThread::start'::`2'::<lambda_1>,void>::call() Line 53 C++ WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 83 C++ WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250 C++ WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151 C++ ucrtbase.dll!00007ffaf1f61bb2() Unknown kernel32.dll!00007ffaf30e7614() Unknown ntdll.dll!00007ffaf45026a1() Unknown
Fujii Hironori
Comment 2 2023-03-28 19:01:33 PDT
Since 261993@main.
Fujii Hironori
Comment 3 2023-03-29 00:13:09 PDT
Looks like similar crashes? bug#164989 bug#182396 bug#200863
Michael Catanzaro
Comment 4 2023-03-29 10:05:35 PDT Comment hidden (obsolete)
Michael Catanzaro
Comment 5 2023-03-29 10:06:43 PDT
(In reply to Michael Catanzaro from comment #4) > Hey Fujii, this is bug #254622 Er, sorry, it looks like I posted this comment by mistake even after noticing that I had the wrong bug link. I meant bug #254325 (crash on reddit.com), not bug #254622. Anyway, I'll mark bug #254325 as a duplicate of this one.
Michael Catanzaro
Comment 6 2023-03-29 10:06:53 PDT
*** Bug 254325 has been marked as a duplicate of this bug. ***
Fujii Hironori
Comment 7 2023-03-29 12:59:53 PDT
Good to know. WinCairo Debug MiniBrowser (262233@main) also crashing just by loading https://www.reddit.com/ with the same backtrace (comment#1).
Fujii Hironori
Comment 8 2023-03-29 14:29:05 PDT
WinCairo Debug MiniBrowser (262233@main) crashes https://ima.hatenablog.jp/entry/2023/03/27/210000 with the same backtrace.
Michael Catanzaro
Comment 10 2023-03-30 06:45:27 PDT
Hi Yusuke, do you want us to revert this, or do you want more time to investigate? Unfortunately WebKitGTK 2.41.1 just got released with this bug. :(
Fujii Hironori
Comment 11 2023-03-30 21:20:15 PDT
I can't reproduce the same crash with WinCairo Debug MiniBrowser (262385@main). Maybe, I should close this as WORKSFORME.
Fujii Hironori
Comment 12 2023-03-30 21:31:34 PDT
I confirmed WinCairo Debug MiniBrowser (262384@main) still reproduced the crash. 262385@main affected this.
Mark Lam
Comment 13 2023-03-30 22:43:45 PDT
By "262385@main affected this", I think Fujii meant that it appears to be fixed. Duping. *** This bug has been marked as a duplicate of bug 254752 ***
Michael Catanzaro
Comment 14 2023-03-31 05:27:11 PDT
262385@main fixed the crashes on Linux too, despite the Windows-related commit message. Thanks Yusuke!
Note You need to log in before you can comment on or make changes to this bug.