RESOLVED FIXED 267686
[Windows] WebCore::MicrotaskQueue::append Crash
https://bugs.webkit.org/show_bug.cgi?id=267686
Max Schmitt
Reported 2024-01-18 03:41:46 PST
Created attachment 469440 [details] test.html

When navigating to the HTML file attached (with the JS attached) WebKit is crashing. Make sure to serve the HTML file from an HTTP server (e.g. npx http-server .), otherwise the JS won't load.

Stack:
```
ntdll.dll!00007ffa605abe8d()
ntdll.dll!00007ffa605aab11()
ucrtbase.dll!00007ffa5d8c37eb()
[Inline Frame] WebCore.dll!WTF::FastMalloc::free(void * p) Line 272 at C:\Users\maxschmitt\webkit\WebKitBuild\Release\WTF\Headers\wtf\FastMalloc.h(272)
[Inline Frame] WebCore.dll!WTF::VectorBufferBase<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,WTF::FastMalloc>::deallocateBuffer(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> * bufferToDeallocate) Line 361 at C:\Users\maxschmitt\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(361)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::reserveCapacity(unsigned __int64 newCapacity) Line 1375 at C:\Users\maxschmitt\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1375)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::expandCapacity(unsigned __int64 newMinCapacity) Line 1211 at C:\Users\maxschmitt\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1211)
WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::expandCapacity<0>(unsigned __int64 newMinCapacity, std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> * ptr) Line 1236 at C:\Users\maxschmitt\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1236)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::appendSlowCase(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 1522 at C:\Users\maxschmitt\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1522)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 1497 at C:\Users\maxschmitt\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1497)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && u) Line 866 at C:\Users\maxschmitt\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(866)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 866 at C:\Users\maxschmitt\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(866)
WebCore.dll!WebCore::MicrotaskQueue::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && task) Line 48 at C:\Users\maxschmitt\webkit\Source\WebCore\dom\Microtasks.cpp(48)
[Inline Frame] WebCore.dll!WebCore::EventLoop::queueMicrotask(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && microtask) Line 247 at C:\Users\maxschmitt\webkit\Source\WebCore\dom\EventLoop.cpp(247)
WebCore.dll!WebCore::EventLoopTaskGroup::queueMicrotask(WTF::Function<void ()> && function) Line 484 at C:\Users\maxschmitt\webkit\Source\WebCore\dom\EventLoop.cpp(484)
WebCore.dll!WebCore::JSDOMWindowBase::queueMicrotaskToEventLoop(JSC::JSGlobalObject & object, WTF::Ref<JSC::Microtask,WTF::RawPtrTraits<JSC::Microtask>> && task) Line 249 at C:\Users\maxschmitt\webkit\Source\WebCore\bindings\js\JSDOMWindowBase.cpp(249)
[Inline Frame] JavaScriptCore.dll!JSC::JSGlobalObject::queueMicrotask(WTF::Ref<JSC::Microtask,WTF::RawPtrTraits<JSC::Microtask>> && task) Line 3100 at C:\Users\maxschmitt\webkit\Source\JavaScriptCore\runtime\JSGlobalObject.cpp(3100)
JavaScriptCore.dll!JSC::JSGlobalObject::queueMicrotask(JSC::JSValue job, JSC::JSValue argument0, JSC::JSValue argument1, JSC::JSValue argument2, JSC::JSValue argument3) Line 3109 at C:\Users\maxschmitt\webkit\Source\JavaScriptCore\runtime\JSGlobalObject.cpp(3109)
JavaScriptCore.dll!JSC::enqueueJob(JSC::JSGlobalObject * globalObject, JSC::CallFrame * callFrame) Line 676 at C:\Users\maxschmitt\webkit\Source\JavaScriptCore\runtime\JSGlobalObject.cpp(676)
[External Code]
JavaScriptCore.dll!JSC::NumericStrings::addJSString(JSC::VM & vm, int i) Line 505 at C:\Users\maxschmitt\webkit\Source\JavaScriptCore\runtime\NumberPrototype.cpp(505)
[External Code]
```

Downstream code: https://github.com/microsoft/playwright/issues/29025
Attachments
- test.html (985 bytes, text/html), 2024-01-18 03:41 PST, Max Schmitt
- hsw.js (for the test.html) (498.93 KB, text/javascript), 2024-01-18 03:42 PST, Max Schmitt
Max Schmitt
Comment 1 2024-01-18 03:42:12 PST
Created attachment 469441 [details] hsw.js (for the test.html)
Fujii Hironori
Comment 2 2024-01-22 00:24:11 PST
The backtrace looks like bug#263965. I confirmed the WIP patch attachment#469050 [details] works around the crash for this too.
Radar WebKit Bug Importer
Comment 3 2024-01-25 03:42:13 PST
Ian Grunert
Comment 4 2024-10-03 08:46:13 PDT
I believe this is fixed - I'm not observing the crash. WebAssembly on Windows changed substantially since this initial report, and bug#263965 was also resolved. I don't have the required permission to close this as Resolved Fixed.
Max Schmitt
Comment 5 2024-10-03 09:09:18 PDT
Looks fixed, appreciate the work Ian!