WebKit Bugzilla
Bug 265538: REGRESSION(271265@main): [Win][WebGL] heap corruption crash while destructing WebGLMultiDraw
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=265538
Fujii Hironori
Reported
2023-11-29 12:38:28 PST
271263@main good
271266@main bad

Buildbot: builder WinCairo-64-bit-Release-Tests build 2853: 271266@main
https://build.webkit.org/#/builders/728/builds/2853

Regressions: Unexpected crashes (5)
webgl/2.0.y/conformance/extensions/oes-texture-float-linear.html [ Crash ]
webgl/2.0.y/conformance2/extensions/webgl-multi-draw-instanced-base-vertex-base-instance.html [ Crash ]
webgl/webgl-draft-extensions-flag-off.html [ Crash ]
webgl/webgl-ext-norm16-texture-texsubimage-nocrash.html [ Crash ]
webgl/webgl-vertex-array-object-defined.html [ Crash ]
Fujii Hironori
Comment 1
2023-11-29 12:38:37 PST
https://build.webkit.org/results/WinCairo-64-bit-Debug-Tests/271268@main%20(21403)/CrashLog_3100_2023-11-29_15-58-50-997.txt
. 0 Id: 33a0.2130 Suspend: 1 Teb: 00000083`5f2c2000 Unfrozen # Child-SP RetAddr Call Site 00 00000083`5f1dd410 00007ff9`154a4913 ntdll!RtlIsZeroMemory+0x119 01 00000083`5f1dd460 00007ff9`154ad71a ntdll!RtlIsZeroMemory+0xe3 02 00000083`5f1dd550 00007ff9`154ad9fa ntdll!_misaligned_access+0x41a 03 00000083`5f1dd580 00007ff9`154b8079 ntdll!_misaligned_access+0x6fa 04 00000083`5f1dd5b0 00007ff9`153bb519 ntdll!_misaligned_access+0xad79 05 00000083`5f1dd5e0 00007ff9`153ba8c1 ntdll!RtlGetCurrentServiceSessionId+0xbb9 06 00000083`5f1dd6a0 00007ff8`ffba208b ntdll!RtlFreeHeap+0x51 07 00000083`5f1dd6e0 00007ff8`f5e21984 ucrtbase!free_base+0x1b 08 00000083`5f1dd710 00007ff8`e04b8d34 WTF!WTF::fastFree(void * p = 0x00000247`ce7b0968)+0x14 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\FastMalloc.cpp @ 268] 09 00000083`5f1dd740 00007ff8`e04b8cf6 WebCore!WTF::RefCounted<WebCore::WebGLExtensionBase,std::default_delete<WebCore::WebGLExtensionBase> >::operator delete(void * p = 0x00000247`ce7b0968)+0x14 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\RefCounted.h @ 185] 0a 00000083`5f1dd770 00007ff8`e04b8c73 WebCore!std::default_delete<WebCore::WebGLExtensionBase>::operator()(class WebCore::WebGLExtensionBase * _Ptr = 0x00000247`ce7b0968)+0x36 [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\memory @ 3181] 0b 00000083`5f1dd7b0 00007ff8`e1a1718f WebCore!WTF::RefCounted<WebCore::WebGLExtensionBase,std::default_delete<WebCore::WebGLExtensionBase> >::deref(void)+0x43 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\RefCounted.h @ 191] 0c 00000083`5f1dd800 00007ff8`e1a17137 WebCore!WTF::Ref<WebCore::WebGLMultiDraw,WTF::RawPtrTraits<WebCore::WebGLMultiDraw> >::~Ref(void)+0x4f [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Ref.h @ 62] 0d 00000083`5f1dd850 00007ff8`e1a13c83 WebCore!WebCore::JSDOMWrapper<WebCore::WebGLMultiDraw,WTF::RawPtrTraits<WebCore::WebGLMultiDraw> >::~JSDOMWrapper(void)+0x17 
[C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\bindings\js\JSDOMWrapper.h @ 74] 0e 00000083`5f1dd880 00007ff8`e1a03c8d WebCore!WebCore::JSWebGLMultiDraw::~JSWebGLMultiDraw(void)+0x13 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WebCore\DerivedSources\JSWebGLMultiDraw.h @ 31] 0f 00000083`5f1dd8b0 00007ff8`dd671988 WebCore!WebCore::JSWebGLMultiDraw::destroy(class JSC::JSCell * cell = 0x00000247`ce1f4178)+0x1d [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WebCore\DerivedSources\JSWebGLMultiDraw.cpp @ 141] 10 00000083`5f1dd8f0 00007ff8`dd66f776 JavaScriptCore!JSC::JSDestructibleObjectDestroyFunc::operator()(class JSC::JSCell * cell = 0x00000247`ce1f4178)+0x28 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\JSDestructibleObjectHeapCellType.cpp @ 39] 11 00000083`5f1dd930 00007ff8`dcf2a51c JavaScriptCore!JSC::JSDestructibleObjectHeapCellType::destroy(class JSC::VM * vm = 0x00000247`878bad80, class JSC::JSCell * cell = 0x00000247`ce1f4178)+0x36 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\JSDestructibleObjectHeapCellType.cpp @ 58] 12 00000083`5f1dd980 00007ff8`dcf1ec89 JavaScriptCore!JSC::Subspace::destroy(class JSC::VM * vm = 0x00000247`878bad80, class JSC::JSCell * cell = 0x00000247`ce1f4178)+0x2c [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Subspace.cpp @ 66] 13 00000083`5f1dd9c0 00007ff8`dcf02e03 JavaScriptCore!JSC::PreciseAllocation::sweep(void)+0x89 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\PreciseAllocation.cpp @ 237] 14 00000083`5f1dda10 00007ff8`dce4924f JavaScriptCore!JSC::MarkedSpace::sweepPreciseAllocations(void)+0x103 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\MarkedSpace.cpp @ 236] 15 00000083`5f1dda90 00007ff8`dce48e5a JavaScriptCore!JSC::Heap::sweepInFinalize(void)+0x1f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 2284] 16 00000083`5f1ddad0 00007ff8`dce4869b 
JavaScriptCore!JSC::Heap::finalize(void)+0xba [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 2218] 17 00000083`5f1ddbb0 00007ff8`dce479c5 JavaScriptCore!JSC::Heap::handleNeedFinalize(unsigned int oldState = 0xd)+0x12b [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 2155] 18 00000083`5f1ddbf0 00007ff8`dce44403 JavaScriptCore!JSC::Heap::handleNeedFinalize(void)+0x35 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 2166] 19 00000083`5f1ddc30 00007ff8`dce45bd9 JavaScriptCore!JSC::Heap::finishChangingPhase(JSC::GCConductor conn = Mutator (0n0))+0x133 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1763] 1a 00000083`5f1ddc80 00007ff8`dce45b5d JavaScriptCore!JSC::Heap::changePhase(JSC::GCConductor conn = Mutator (0n0), JSC::CollectorPhase nextPhase = NotRunning (0n0))+0x49 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1736] 1b 00000083`5f1ddcc0 00007ff8`dce43d8e JavaScriptCore!JSC::Heap::runEndPhase(JSC::GCConductor conn = Mutator (0n0))+0x69d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1726] 1c 00000083`5f1dddf0 00007ff8`dce5f9fe JavaScriptCore!JSC::Heap::runCurrentPhase(JSC::GCConductor conn = Mutator (0n0), struct JSC::CurrentThreadState * currentThreadState = 0x00000083`5f1ddf58)+0x16e [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1376] 1d 00000083`5f1dde50 00007ff8`dce5f9c1 JavaScriptCore!JSC::Heap::collectInMutatorThread::<lambda_0>::operator()(struct JSC::CurrentThreadState * state = 0x00000083`5f1ddf58)+0x2e [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1993] 1e 00000083`5f1ddea0 00007ff8`dcf0f921 JavaScriptCore!WTF::ScopedLambdaFunctor<void (void * argument = 0x00000083`5f1de0d0, struct JSC::CurrentThreadState * arguments = 0x00000083`5f1ddf58)+0x21 
[C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\ScopedLambda.h @ 106] 1f 00000083`5f1ddee0 00007ff8`dcefecb1 JavaScriptCore!WTF::ScopedLambda<void (struct JSC::CurrentThreadState * arguments = 0x00000083`5f1ddf58)+0x21 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\ScopedLambda.h @ 58] 20 00000083`5f1ddf20 00007ff8`dce48791 JavaScriptCore!JSC::callWithCurrentThreadState(class WTF::ScopedLambda<void (JSC::CurrentThreadState &)> * lambda = 0x00000083`5f1de0d0)+0x71 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\MachineStackMarker.cpp @ 225] 21 00000083`5f1de090 00007ff8`dce48552 JavaScriptCore!JSC::Heap::collectInMutatorThread(void)+0xc1 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 2005] 22 00000083`5f1de110 00007ff8`dce49331 JavaScriptCore!JSC::Heap::stopIfNecessarySlow(unsigned int oldState = 0x15)+0x122 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1976] 23 00000083`5f1de150 00007ff8`dce439eb JavaScriptCore!JSC::Heap::waitForCollector<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap/Heap.cpp:2277:9'>(class JSC::Heap::waitForCollection::<lambda_41> * func = 0x00000083`5f1de1e8)+0xa1 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 2031] 24 00000083`5f1de1c0 00007ff8`dce4345e JavaScriptCore!JSC::Heap::waitForCollection(unsigned int64 ticket = 0x58d)+0x3b [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 2276] 25 00000083`5f1de210 00007ff8`dce43568 JavaScriptCore!JSC::Heap::collectSync(struct JSC::GCRequest * request = 0x00000083`5f1de2d0)+0x9e [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1284] 26 00000083`5f1de270 00007ff8`e238155c JavaScriptCore!JSC::Heap::collectNow(JSC::Synchronousness synchronousness = Sync (0n1), struct JSC::GCRequest * request = 0x00000083`5f1de338)+0xd8 
[C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1225] 27 00000083`5f1de300 00007ff8`e23814d3 WebCore!WebCore::GCController::garbageCollectNow(void)+0x7c [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\bindings\js\GCController.cpp @ 97] 28 00000083`5f1de360 00007ff8`e24e192e WebCore!WebCore::GCController::garbageCollectSoon(void)+0x13 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\bindings\js\GCController.cpp @ 79] 29 00000083`5f1de390 00007ff8`e24e1811 WebCore!WebCore::collectGarbageAfterWindowProxyDestruction(void)+0x3e [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\bindings\js\WindowProxy.cpp @ 53] 2a 00000083`5f1de3c0 00007ff8`e3888b71 WebCore!WebCore::WindowProxy::detachFromFrame(void)+0x181 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\bindings\js\WindowProxy.cpp @ 87] 2b 00000083`5f1de440 00007ff8`e38aed19 WebCore!WebCore::Frame::~Frame(void)+0x31 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\page\Frame.cpp @ 57] 2c 00000083`5f1de480 00007ff8`e38ec979 WebCore!WebCore::LocalFrame::~LocalFrame(void)+0x239 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\page\LocalFrame.cpp @ 221] 2d 00000083`5f1de510 00007ff8`e1cf5153 WebCore!WebCore::LocalFrame::~LocalFrame(int should_call_delete = 0n1)+0x29 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\page\LocalFrame.cpp @ 197] 2e 00000083`5f1de560 00007ff8`e1cf50f7 WebCore!WTF::ThreadSafeRefCounted<WebCore::Frame,1>::deref::<lambda_1>::operator()(void)+0x33 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\ThreadSafeRefCounted.h @ 116] 2f 00000083`5f1de5a0 00007ff8`f5e07d84 WebCore!WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf/ThreadSafeRefCounted.h:114:27',void>::call(void)+0x17 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53] 30 00000083`5f1de5d0 00007ff8`f5e5df05 WTF!WTF::Function<void 
(void)+0x84 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\Function.h @ 82] 31 00000083`5f1de610 00007ff8`e1cf4e38 WTF!WTF::ensureOnMainThread(class WTF::Function<void ()> * function = 0x00000083`5f1de670)+0x25 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\MainThread.cpp @ 95] 32 00000083`5f1de640 00007ff8`e1cf4dd3 WebCore!WTF::ThreadSafeRefCounted<WebCore::Frame,1>::deref(void)+0x58 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\ThreadSafeRefCounted.h @ 121] 33 00000083`5f1de690 00007ff8`e1ce7748 WebCore!WTF::DefaultRefDerefTraits<WebCore::LocalFrame>::derefIfNotNull(class WebCore::LocalFrame * ptr = 0x00000247`cdc79b20)+0x23 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\RefPtr.h @ 44] 34 00000083`5f1de6c0 00007ff8`e3647353 WebCore!WTF::RefPtr<WebCore::LocalFrame,WTF::RawPtrTraits<WebCore::LocalFrame>,WTF::DefaultRefDerefTraits<WebCore::LocalFrame> >::~RefPtr(void)+0x38 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\RefPtr.h @ 75] 35 00000083`5f1de700 00007ff8`e3648c7c WebCore!WebCore::DocumentLoader::commitLoad(class WebCore::SharedBuffer * data = 0x00000247`cdd47890)+0x123 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 1232] 36 00000083`5f1de770 00007ff8`e36489cb WebCore!WebCore::DocumentLoader::dataReceived(class WebCore::SharedBuffer * buffer = 0x00000247`cdd47890)+0x29c [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 1396] 37 00000083`5f1de7e0 00007ff8`e37ac741 WebCore!WebCore::DocumentLoader::dataReceived(class WebCore::CachedResource * resource = 0x00000247`cc1a1d00, class WebCore::SharedBuffer * buffer = 0x00000247`cdd47890)+0x9b [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 1370] 38 00000083`5f1de830 00007ff8`e37ac52e WebCore!WebCore::CachedRawResource::notifyClientsDataWasReceived(class WebCore::SharedBuffer * buffer = 
0x00000247`cdd47890)+0x91 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\cache\CachedRawResource.cpp @ 143] 39 00000083`5f1de8a0 00007ff8`e3735dd5 WebCore!WebCore::CachedRawResource::updateBuffer(class WebCore::FragmentedSharedBuffer * data = 0x00000247`cdd47690)+0x18e [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\cache\CachedRawResource.cpp @ 80] 3a 00000083`5f1de9d0 00007ff8`e371c075 WebCore!WebCore::SubresourceLoader::didReceiveBuffer(class WebCore::FragmentedSharedBuffer * buffer = 0x00000247`cdd46f90, int64 encodedDataLength = 0n3256, WebCore::DataPayloadType dataPayloadType = DataPayloadBytes (0n1))+0x2c5 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\SubresourceLoader.cpp @ 571] 3b 00000083`5f1dea60 00007ff8`e962a3a4 WebCore!WebCore::ResourceLoader::didReceiveData(class WebCore::SharedBuffer * buffer = 0x00000247`cdd46f90, int64 encodedDataLength = 0n3256, WebCore::DataPayloadType dataPayloadType = DataPayloadBytes (0n1))+0x35 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\ResourceLoader.cpp @ 590] 3c 00000083`5f1deab0 00007ff8`e84312cd WebKit2!WebKit::WebResourceLoader::didReceiveData(class IPC::SharedBufferReference * data = 0x00000083`5f1ded90, unsigned int64 encodedDataLength = 0xcb8)+0x2d4 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\Network\WebResourceLoader.cpp @ 244] 3d 00000083`5f1deba0 00007ff8`e8431287 WebKit2!IPC::callMemberFunction<WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (class IPC::SharedBufferReference * args = 0x00000083`5f1ded90, unsigned int64 * args = 0x00000083`5f1ded88)+0x3d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\HandleMessage.h @ 137] 3e 00000083`5f1debe0 00007ff8`e843124e WebKit2!std::invoke<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\HandleMessage.h:135:9',IPC::SharedBufferReference,unsigned long long>(class 
IPC::callMemberFunction<WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (IPC::SharedBufferReference &&, unsigned long long),std::tuple<IPC::SharedBufferReference,unsigned long long> >::<lambda_1> * _Obj = 0x00000083`5f1decd8, class IPC::SharedBufferReference * _Arg1 = 0x00000083`5f1ded90, unsigned int64 * _Args2 = 0x00000083`5f1ded88)+0x27 [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\type_traits @ 1762] 3f 00000083`5f1dec20 00007ff8`e8431202 WebKit2!std::_Apply_impl<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\HandleMessage.h:135:9',std::tuple<IPC::SharedBufferReference,unsigned long long>,0,1>(class IPC::callMemberFunction<WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (IPC::SharedBufferReference &&, unsigned long long),std::tuple<IPC::SharedBufferReference,unsigned long long> >::<lambda_1> * _Obj = 0x00000083`5f1decd8, class std::tuple<IPC::SharedBufferReference,unsigned long long> * _Tpl = 0x00000083`5f1ded88)+0x3e [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\tuple @ 1079] 40 00000083`5f1dec70 00007ff8`e843107f WebKit2!std::apply<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\HandleMessage.h:135:9',std::tuple<IPC::SharedBufferReference,unsigned long long> >(class IPC::callMemberFunction<WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (IPC::SharedBufferReference &&, unsigned long long),std::tuple<IPC::SharedBufferReference,unsigned long long> >::<lambda_1> * _Obj = 0x00000083`5f1decd8, class std::tuple<IPC::SharedBufferReference,unsigned long long> * _Tpl = 0x00000083`5f1ded88)+0x22 [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\tuple @ 1090] 41 00000083`5f1decb0 00007ff8`e842c67f WebKit2!IPC::callMemberFunction<WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (class WebKit::WebResourceLoader * object = 0x00000247`cdb549e0, <function> * function = 0x00007ff8`e962a0d0, class std::tuple<IPC::SharedBufferReference,unsigned long long> * tuple = 0x00000083`5f1ded88)+0x4f 
[C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\HandleMessage.h @ 134] 42 00000083`5f1ded10 00007ff8`e842bcbb WebKit2!IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData,WebKit::WebResourceLoader,WebKit::WebResourceLoader,void (class IPC::Connection * connection = 0x00000247`878b3770, class IPC::Decoder * decoder = 0x00000247`cde64650, class WebKit::WebResourceLoader * object = 0x00000247`cdb549e0, <function> * function = 0x00007ff8`e962a0d0)+0xcf [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\HandleMessage.h @ 237] 43 00000083`5f1dedc0 00007ff8`e9621487 WebKit2!WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(class IPC::Connection * connection = 0x00000247`878b3770, class IPC::Decoder * decoder = 0x00000247`cde64650)+0x25b [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WebKit\DerivedSources\WebResourceLoaderMessageReceiver.cpp @ 76] 44 00000083`5f1def20 00007ff8`e8e203fa WebKit2!WebKit::NetworkProcessConnection::didReceiveMessage(class IPC::Connection * connection = 0x00000247`878b3770, class IPC::Decoder * decoder = 0x00000247`cde64650)+0xd7 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\Network\NetworkProcessConnection.cpp @ 103] 45 00000083`5f1df010 00007ff8`e8e20663 WebKit2!IPC::Connection::dispatchMessage(class IPC::Decoder * decoder = 0x00000247`cde64650)+0x16a [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1233] 46 00000083`5f1df080 00007ff8`e8e20954 WebKit2!IPC::Connection::dispatchMessage(class std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > * message = 0x00000083`5f1df148)+0x253 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1282] 47 00000083`5f1df110 00007ff8`e8e24aeb WebKit2!IPC::Connection::dispatchOneIncomingMessage(void)+0xd4 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1346] 48 00000083`5f1df180 00007ff8`e8e24a87 
WebKit2!IPC::Connection::enqueueIncomingMessage::<lambda_9>::operator()(void)+0x1b [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1195] 49 00000083`5f1df1b0 00007ff8`f5e07d84 WebKit2!WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform/IPC/Connection.cpp:1193:31',void>::call(void)+0x17 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53] 4a 00000083`5f1df1e0 00007ff8`f5e8ac3a WTF!WTF::Function<void (void)+0x84 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\Function.h @ 82] 4b 00000083`5f1df220 00007ff8`f5f5f370 WTF!WTF::RunLoop::performWork(void)+0x14a [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\RunLoop.cpp @ 148] 4c 00000083`5f1df2e0 00007ff8`f5f5f2a7 WTF!WTF::RunLoop::wndProc(struct HWND__ * hWnd = 0x00000000`618d006a, unsigned int message = 0x401, unsigned int64 wParam = 0x00000247`87880d30, int64 lParam = 0n0)+0x60 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 57] 4d 00000083`5f1df340 00007ff9`04240089 WTF!WTF::RunLoop::RunLoopWndProc(struct HWND__ * hWnd = 0x00000000`618d006a, unsigned int message = 0x401, unsigned int64 wParam = 0x00000247`87880d30, int64 lParam = 0n0)+0x57 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 39] 4e 00000083`5f1df3b0 00007ff9`0423fa02 USER32!CallWindowProcW+0x419 4f 00000083`5f1df540 00007ff8`f5f5f53d USER32!DispatchMessageW+0x1e2 50 00000083`5f1df5c0 00007ff8`e8025c93 WTF!WTF::RunLoop::run(void)+0x5d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 69] 51 00000083`5f1df630 00007ff8`e8025b47 WebKit2!WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess,1>::run(int argc = 0n8, char ** argv = 0x00000247`87874530)+0x83 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 72] 52 00000083`5f1df680 00007ff8`e8025a23 
WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWin>(int argc = 0n8, char ** argv = 0x00000247`87874530)+0x47 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 98] 53 00000083`5f1df720 00007ff7`33fe124c WebKit2!WebKit::WebProcessMain(int argc = 0n8, char ** argv = 0x00000247`87874530)+0x83 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\win\WebProcessMainWin.cpp @ 57] 54 00000083`5f1df760 00007ff7`33fe18bc WebKitWebProcess!main(int argc = 0n8, char ** argv = 0x00000247`87874530)+0x1c [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35] 55 (Inline Function) --------`-------- WebKitWebProcess!invoke_main+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78] 56 00000083`5f1df7a0 00007ff9`04ef4de0 WebKitWebProcess!__scrt_common_main_seh(void)+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 57 00000083`5f1df7e0 00007ff9`1541ec4b KERNEL32!BaseThreadInitThunk+0x10 58 00000083`5f1df810 00000000`00000000 ntdll!RtlUserThreadStart+0x2b
Fujii Hironori
Comment 2
2023-11-29 16:37:04 PST
This is reproducible on my PC.
> python .\Tools\Scripts\run-webkit-tests --debug --no-retry --iter=2 -v webgl/webgl-draft-extensions-flag-default.html
Fujii Hironori
Comment 3
2023-11-29 16:59:51 PST
~WebGLMultiDraw should be non-virtual.
Fujii Hironori
Comment 4
2023-11-29 17:05:52 PST
Pull request: https://github.com/WebKit/WebKit/pull/21086
EWS
Comment 5
2023-11-29 17:15:48 PST
Committed 271315@main (48c1a4c6572c): <https://commits.webkit.org/271315@main>

Reviewed commits have been landed. Closing PR #21086 and removing active labels.
Radar WebKit Bug Importer
Comment 6
2023-11-29 17:16:15 PST
<rdar://problem/118958640>