Bug 270882 - [WinCairo] WebKitWebProcess crashes on flutter demo page
Summary: [WinCairo] WebKitWebProcess crashes on flutter demo page
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: WebKit Nightly Build
Hardware: PC Windows 10
Importance: P2 Normal
Assignee: Nobody
Reported: 2024-03-12 17:07 PDT by Yury Semikhatsky
Modified: 2024-03-23 14:41 PDT
Description Yury Semikhatsky 2024-03-12 17:07:34 PDT
Steps to reproduce:
1. Download latest WebKit build (https://build.webkit.org/#/builders/731/builds/14972)
2. Run MiniBrowser and navigate to https://flutter.github.io/samples/web/material_3_demo/

Result:

Web Process crashes with the following stack:

ntdll.dll!00007ffecac5c1a9()
ntdll.dll!00007ffecac5c173()
ntdll.dll!00007ffecac6520a()
ntdll.dll!00007ffecac654ea()
ntdll.dll!00007ffecac714e5()
ntdll.dll!00007ffecab8bdfd()
ntdll.dll!00007ffecab8ab11()
ucrtbase.dll!00007ffec87137eb()
[Inline Frame] WebCore.dll!WTF::FastMalloc::free(void * p) Line 272
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\FastMalloc.h(272)
[Inline Frame] WebCore.dll!WTF::VectorBufferBase<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,WTF::FastMalloc>::deallocateBuffer(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> * bufferToDeallocate) Line 361
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(361)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::reserveCapacity(unsigned __int64 newCapacity) Line 1384
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1384)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::expandCapacity(unsigned __int64 newMinCapacity) Line 1220
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1220)
WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::expandCapacity<0>(unsigned __int64 newMinCapacity, std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> * ptr) Line 1245
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1245)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::appendSlowCase(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 1531
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1531)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 1506
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1506)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && u) Line 874
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(874)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 874
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(874)
WebCore.dll!WebCore::MicrotaskQueue::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && task) Line 48
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\Microtasks.cpp(48)
[Inline Frame] WebCore.dll!WebCore::EventLoop::queueMicrotask(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && microtask) Line 247
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\EventLoop.cpp(247)
WebCore.dll!WebCore::EventLoopTaskGroup::queueMicrotask(WTF::Function<void ()> && function) Line 484
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\EventLoop.cpp(484)
WebCore.dll!WebCore::WindowEventLoop::queueMutationObserverCompoundMicrotask() Line 226
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\WindowEventLoop.cpp(226)
WebCore.dll!WebCore::MutationObserver::enqueueMutationRecord(WTF::Ref<WebCore::MutationRecord,WTF::RawPtrTraits<WebCore::MutationRecord>,WTF::DefaultRefDerefTraits<WebCore::MutationRecord>> && mutation) Line 155
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\MutationObserver.cpp(155)
[Inline Frame] WebCore.dll!WTF::Ref<WebCore::MutationRecord,WTF::RawPtrTraits<WebCore::MutationRecord>,WTF::DefaultRefDerefTraits<WebCore::MutationRecord>>::Ref(WebCore::MutationRecord & object) Line 87
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h(87)
WebCore.dll!WebCore::MutationObserverInterestGroup::enqueueMutationRecord(WTF::Ref<WebCore::MutationRecord,WTF::RawPtrTraits<WebCore::MutationRecord>,WTF::DefaultRefDerefTraits<WebCore::MutationRecord>> && mutation) Line 81
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\MutationObserverInterestGroup.cpp(81)
WebCore.dll!WebCore::ChildListMutationAccumulator::enqueueMutationRecord() Line 128
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ChildListMutationScope.cpp(128)
WebCore.dll!WebCore::ChildListMutationAccumulator::~ChildListMutationAccumulator() Line 59
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ChildListMutationScope.cpp(59)
[Inline Frame] WebCore.dll!std::default_delete<WebCore::ChildListMutationAccumulator>::operator()(WebCore::ChildListMutationAccumulator * _Ptr) Line 3180
	at C:\MSVS\VC\Tools\MSVC\14.37.32822\include\memory(3180)
[Inline Frame] WebCore.dll!WTF::RefCounted<WebCore::ChildListMutationAccumulator,std::default_delete<WebCore::ChildListMutationAccumulator>>::deref() Line 220
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h(220)
[Inline Frame] WebCore.dll!WTF::DefaultRefDerefTraits<WebCore::ChildListMutationAccumulator>::derefIfNotNull(WebCore::ChildListMutationAccumulator * ptr) Line 62
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h(62)
[Inline Frame] WebCore.dll!WTF::RefPtr<WebCore::ChildListMutationAccumulator,WTF::RawPtrTraits<WebCore::ChildListMutationAccumulator>,WTF::DefaultRefDerefTraits<WebCore::ChildListMutationAccumulator>>::~RefPtr() Line 60
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h(60)
[Inline Frame] WebCore.dll!WebCore::ChildListMutationScope::~ChildListMutationScope() Line 77
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ChildListMutationScope.h(77)
[Inline Frame] WebCore.dll!WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node & childToRemove, WebCore::ContainerNode::ChildChange::Source source) Line 192
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ContainerNode.cpp(192)
WebCore.dll!WebCore::ContainerNode::removeChild(WebCore::Node & oldChild) Line 724
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ContainerNode.cpp(724)
WebCore.dll!WebCore::Node::removeChild(WebCore::Node & oldChild) Line 558
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\Node.cpp(558)
[Inline Frame] WebCore.dll!WebCore::jsNodePrototypeFunction_removeChildBody::<lambda_2>::operator()() Line 913
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WebCore\DerivedSources\JSNode.cpp(913)
[Inline Frame] WebCore.dll!WebCore::invokeFunctorPropagatingExceptionIfNecessary(JSC::JSGlobalObject & lexicalGlobalObject, JSC::ThrowScope & throwScope, WebCore::jsNodePrototypeFunction_removeChildBody::<lambda_2> && functor) Line 96
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\JSDOMExceptionHandling.h(96)
[Inline Frame] WebCore.dll!WebCore::jsNodePrototypeFunction_removeChildBody(JSC::JSGlobalObject * lexicalGlobalObject, JSC::CallFrame * callFrame, WebCore::JSNode * castedThis) Line 913
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WebCore\DerivedSources\JSNode.cpp(913)
[Inline Frame] WebCore.dll!WebCore::IDLOperation<WebCore::JSNode>::call(JSC::JSGlobalObject & lexicalGlobalObject, JSC::CallFrame & callFrame, const char * operationName) Line 63
	at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\JSDOMOperation.h(63)
WebCore.dll!WebCore::jsNodePrototypeFunction_removeChild(JSC::JSGlobalObject * lexicalGlobalObject, JSC::CallFrame * callFrame) Line 919
	at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WebCore\DerivedSources\JSNode.cpp(919)
[External Code]
Comment 1 Yury Semikhatsky 2024-03-12 17:07:58 PDT
Original bug report in Playwright https://github.com/microsoft/playwright/issues/29693
Comment 2 Fujii Hironori 2024-03-12 17:36:04 PDT
Seems like bug#267686.
Comment 3 Fujii Hironori 2024-03-13 15:05:33 PDT
You can disable Web Assembly.
$env:JSC_useWebAssembly = 0

However, Flutter doesn't work at all without WASM. I tested with Chrome disabling Wasm.
& "C:\Program Files\Google\Chrome\Application\chrome.exe" --js-flags=--noexpose_wasm