WebKit Bugzilla
Bug 273467 - REGRESSION(278148@main): random crashes under JSC::WatchpointSet::fireAllWatchpoints
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=273467
Fujii Hironori
Reported
2024-04-30 00:25:28 PDT
I'm observing random crashes with 278156@main Windows Debug builds.

> python .\Tools\Scripts\run-webkit-tests --wincairo --debug --no-retry --iter=100 js/dom/dfg-proto-stub-watchpoint-fire.html
> python .\Tools\Scripts\run-webkit-tests --wincairo --debug --no-retry --iter=100 js/dom/delete-syntax.html
ASSERTION FAILED: &*m_set.begin() != &watchpoint
C:\webkit\wb\Source\JavaScriptCore\bytecode/Watchpoint.cpp(172) : fireAllWatchpoints
1  00007FFDEA701CA9 WTFCrash
2  00007FFDE0AECCED WTFCrashWithInfo
3  00007FFDE0E7C733 JSC::WatchpointSet::fireAllWatchpoints
4  00007FFDE0E7C55D JSC::WatchpointSet::fireAllSlow
5  00007FFDE0E7E473 JSC::WatchpointSet::fireAll<JSC::StringFireDetail>
6  00007FFDE1B19057 JSC::PolymorphicAccessJITStubRoutine::invalidate
7  00007FFDE0E498D4 JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal
8  00007FFDE0E7D344 JSC::Watchpoint::fire::<lambda_1>::operator()<JSC::StructureTransitionStructureStubClearingWatchpoint>
9  00007FFDE0E7C293 JSC::Watchpoint::runWithDowncast<`lambda at C:\webkit\wb\Source\JavaScriptCore\bytecode\Watchpoint.cpp:88:21'>
10 00007FFDE0E7C173 JSC::Watchpoint::fire
11 00007FFDE0E7C7BF JSC::WatchpointSet::fireAllWatchpoints
12 00007FFDE0E7C55D JSC::WatchpointSet::fireAllSlow
13 00007FFDE24309A3 JSC::WatchpointSet::fireAll<JSC::StructureFireDetail>
14 00007FFDE24249B0 JSC::DeferredStructureTransitionWatchpointFire::fireAllSlow
15 00007FFDE0B88566 JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire
16 00007FFDE21E1DCE JSC::JSObject::deleteProperty
17 00007FFDE1BC0FE9 JSC::deleteById
18 00007FFDE1BC088F JSC::deleteByIdOptimize
19 00007FFDE1BC0704 operationDeleteByIdSloppyOptimize
20 000002DC8CCB661A (null)
Exception thrown at 0x00007FFDEA701CAE (WTF.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00000000BBADBEEF.

Another assertion failure:

ASSERTION FAILED: !!m_prev == !!m_next
C:\webkit\wb\WebKitBuild\Debug\WTF\Headers\wtf/SentinelLinkedList.h(68) : isOnList
1  00007FFDEA701CA9 WTFCrash
2  00007FFDE0AECCED WTFCrashWithInfo
3  00007FFDE0C63BEC WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> >::isOnList
4  00007FFDE0E7C653 JSC::WatchpointSet::fireAllWatchpoints
5  00007FFDE0E7C55D JSC::WatchpointSet::fireAllSlow
6  00007FFDE0E7E473 JSC::WatchpointSet::fireAll<JSC::StringFireDetail>
7  00007FFDE1B19057 JSC::PolymorphicAccessJITStubRoutine::invalidate
8  00007FFDE0E498D4 JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal
9  00007FFDE0E7D344 JSC::Watchpoint::fire::<lambda_1>::operator()<JSC::StructureTransitionStructureStubClearingWatchpoint>
10 00007FFDE0E7C293 JSC::Watchpoint::runWithDowncast<`lambda at C:\webkit\wb\Source\JavaScriptCore\bytecode\Watchpoint.cpp:88:21'>
11 00007FFDE0E7C173 JSC::Watchpoint::fire
12 00007FFDE0E7C7BF JSC::WatchpointSet::fireAllWatchpoints
13 00007FFDE0E7C55D JSC::WatchpointSet::fireAllSlow
14 00007FFDE24309A3 JSC::WatchpointSet::fireAll<JSC::StructureFireDetail>
15 00007FFDE24249B0 JSC::DeferredStructureTransitionWatchpointFire::fireAllSlow
16 00007FFDE0B88566 JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire
17 00007FFDE21E1DCE JSC::JSObject::deleteProperty
18 00007FFDE20E143E JSC::JSCell::deleteProperty
19 00007FFDE1C64CBA llint_slow_path_del_by_id
20 00007FFDE29DDF9B llint_entry
21 00007FFDE2B872D7 `string'
22 00007FFD00000483 (null)
Exception thrown at 0x00007FFDEA701CAE (WTF.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00000000BBADBEEF.

One more crash log:

JavaScriptCore.dll!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint>>::setNext(WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint>> * next) Line 61 C++
JavaScriptCore.dll!WTF::SentinelLinkedList<JSC::Watchpoint,WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint>>>::remove(JSC::Watchpoint * node) Line 241 C++
JavaScriptCore.dll!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint>>::remove() Line 165 C++
JavaScriptCore.dll!JSC::WatchpointSet::fireAllWatchpoints(JSC::VM & vm, const JSC::FireDetail & detail) Line 172 C++
JavaScriptCore.dll!JSC::WatchpointSet::fireAllSlow(JSC::VM & vm, const JSC::FireDetail & detail) Line 127 C++
JavaScriptCore.dll!JSC::WatchpointSet::fireAll<JSC::StringFireDetail>(JSC::VM & vm, JSC::StringFireDetail & fireDetails) Line 226 C++
JavaScriptCore.dll!JSC::PolymorphicAccessJITStubRoutine::invalidate() Line 115 C++
JavaScriptCore.dll!JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal(JSC::VM & vm, const JSC::FireDetail &) Line 59 C++
JavaScriptCore.dll!JSC::Watchpoint::fire::<lambda_1>::operator()<JSC::StructureTransitionStructureStubClearingWatchpoint>(JSC::StructureTransitionStructureStubClearingWatchpoint * derived) Line 90 C++
JavaScriptCore.dll!JSC::Watchpoint::runWithDowncast<`lambda at C:\webkit\wb\Source\JavaScriptCore\bytecode\Watchpoint.cpp:88:21'>(const JSC::Watchpoint::fire::<lambda_1> & func) Line 60 C++
JavaScriptCore.dll!JSC::Watchpoint::fire(JSC::VM & vm, const JSC::FireDetail & detail) Line 88 C++
JavaScriptCore.dll!JSC::WatchpointSet::fireAllWatchpoints(JSC::VM & vm, const JSC::FireDetail & detail) Line 158 C++
JavaScriptCore.dll!JSC::WatchpointSet::fireAllSlow(JSC::VM & vm, const JSC::FireDetail & detail) Line 127 C++
JavaScriptCore.dll!JSC::WatchpointSet::fireAll<JSC::StructureFireDetail>(JSC::VM & vm, JSC::StructureFireDetail & fireDetails) Line 226 C++
JavaScriptCore.dll!JSC::DeferredStructureTransitionWatchpointFire::fireAllSlow() Line 1609 C++
JavaScriptCore.dll!JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire() Line 91 C++
JavaScriptCore.dll!JSC::JSObject::deleteProperty(JSC::JSCell * cell, JSC::JSGlobalObject * globalObject, JSC::PropertyName propertyName, JSC::DeletePropertySlot & slot) Line 2268 C++
JavaScriptCore.dll!JSC::JSCell::deleteProperty(JSC::JSCell * cell, JSC::JSGlobalObject * globalObject, JSC::PropertyName identifier) Line 139 C++
JavaScriptCore.dll!llint_slow_path_del_by_id(JSC::CallFrame * callFrame, const JSC::BaseInstruction<JSC::JSOpcodeTraits> * pc) Line 1129 C++
[External Code]
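The three traces above all die inside the same loop: fireAllWatchpoints unlinks a watchpoint from an intrusive sentinel list and then fires it, and the firing re-enters a second fireAll through PolymorphicAccessJITStubRoutine::invalidate. The following is an added illustration written for this page, not WebKit's code and not a claim about this bug's root cause: a minimal sentinel list with a fireAll loop of the same shape (re-read begin() every iteration, unlink before firing), together with the two invariants the failing assertions check (the removed node is no longer at begin(), and prev/next are either both set or both null). Type and function names (Node, List, Watchpoint, WatchpointSet, the two scenario functions) are hypothetical.

```cpp
// Added illustration, not WebKit code; names are hypothetical.
#include <cassert>
#include <cstdio>
#include <functional>

struct Node {
    Node* prev = nullptr;
    Node* next = nullptr;

    // Same invariant as the "!!m_prev == !!m_next" assertion in the report:
    // a node is fully linked or fully unlinked; one pointer alone is corruption.
    bool isOnList() const {
        assert(!!prev == !!next);
        return prev != nullptr;
    }

    // Unlink and clear both pointers, so a stale pointer to this node fails
    // isOnList() instead of being unlinked a second time through dead neighbours.
    void remove() {
        if (!isOnList())
            return;
        prev->next = next;
        next->prev = prev;
        prev = next = nullptr;
    }
};

// Sentinel list: dummy head and tail, so begin() is always head.next and
// insert/remove never touch a null neighbour.
struct List {
    Node head, tail;
    List() { head.next = &tail; tail.prev = &head; }
    bool isEmpty() const { return head.next == &tail; }
    Node* begin() const { return head.next; }
    void append(Node* n) {
        assert(!n->isOnList());
        n->prev = tail.prev;
        n->next = &tail;
        tail.prev->next = n;
        tail.prev = n;
    }
};

struct Watchpoint : Node {
    std::function<void(Watchpoint&)> onFire;
};

struct WatchpointSet {
    List set;
    int fired = 0;

    void add(Watchpoint* w) { set.append(w); }

    // Loop shape of fireAllWatchpoints: begin() is re-read each iteration
    // because a callback may remove any other node, and the node is unlinked
    // before the call so the callback may delete its own watchpoint.
    void fireAll() {
        while (!set.isEmpty()) {
            Watchpoint& w = *static_cast<Watchpoint*>(set.begin());
            assert(w.isOnList());
            w.remove();
            assert(set.begin() != &w);   // the "&*m_set.begin() != &watchpoint" check
            assert(!w.isOnList());
            ++fired;
            auto fire = w.onFire;        // copy: the callback may destroy w
            fire(w);                     // w must not be touched after this
        }
    }
};

// Every watchpoint deletes itself when fired; legal only because it was
// unlinked first. Returns the number fired (3).
int fireAllWithSelfDeletion() {
    WatchpointSet ws;
    for (int i = 0; i < 3; ++i) {
        auto* w = new Watchpoint;
        w->onFire = [](Watchpoint& self) { delete &self; };
        ws.add(w);
    }
    ws.fireAll();
    return ws.fired;
}

// Firing the first watchpoint removes a sibling that is still queued, the
// shape of one watchpoint tearing down a stub that owns others. The sibling
// is skipped cleanly: 2 of 3 fire and all three end up unlinked.
int fireAllWithReentrantRemoval() {
    WatchpointSet ws;
    Watchpoint a, b, c;
    a.onFire = [&b](Watchpoint&) { b.remove(); };
    b.onFire = [](Watchpoint&) {};
    c.onFire = [](Watchpoint&) {};
    ws.add(&a);
    ws.add(&b);
    ws.add(&c);
    ws.fireAll();
    assert(!a.isOnList() && !b.isOnList() && !c.isOnList());
    return ws.fired;
}

int main() {
    std::printf("self-deletion fired %d, reentrant removal fired %d\n",
                fireAllWithSelfDeletion(), fireAllWithReentrantRemoval());
    return 0;
}
```

Both scenarios hold only while every node that leaves the list goes through remove(); a node freed while still linked leaves its neighbours pointing at dead memory, and the next remove() writes through them. That is the failure mode the invariant checks are there to catch early, and it is consistent with the setNext frame in the buildbot log below receiving a next pointer of 0xf0000000`00000000, which is not a plausible heap address.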
Attachments
crashlog WinCairo-64-bit-Debug-Tests 278158@main (84.90 KB, text/plain), 2024-04-30 14:16 PDT, Fujii Hironori
Fujii Hironori
Comment 1
2024-04-30 14:16:34 PDT
Created attachment 471228 [details]: crashlog WinCairo-64-bit-Debug-Tests 278158@main

Buildbot: builder WinCairo-64-bit-Debug-Tests build 22553 : 278158@main
https://build.webkit.org/#/builders/727/builds/22553

Regressions: Unexpected crashes (2)
  js/dom/dfg-patchable-get-by-id-after-watchpoint.html [ Crash ]
  js/promises-tests/promises-tests-2-3-3.html [ Crash ]

https://build.webkit.org/results/WinCairo-64-bit-Debug-Tests/278158@main%20(22553)/CrashLog_209c_2024-04-30_09-29-29-190.txt
https://build.webkit.org/results/WinCairo-64-bit-Debug-Tests/278158@main%20(22553)/CrashLog_2e94_2024-04-30_09-24-56-460.txt
.  0  Id: 2f74.394 Suspend: 1 Teb: 00000087`88716000 Unfrozen
 # Child-SP          RetAddr               Call Site
00 00000087`888fd5b8 00007ff8`dbc3d7eb JavaScriptCore!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> >::setNext(class WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> > * next = 0xf0000000`00000000)+0x16 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\SentinelLinkedList.h @ 61]
01 00000087`888fd5d0 00007ff8`dbc23473 JavaScriptCore!WTF::SentinelLinkedList<JSC::Watchpoint,WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> > >::remove(class JSC::Watchpoint * node = 0x0000026f`d8f52801)+0x15b [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\SentinelLinkedList.h @ 241]
02 00000087`888fd610 00007ff8`dbe3c6b7 JavaScriptCore!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> >::remove(void)+0x13 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\SentinelLinkedList.h @ 165]
03 00000087`888fd640 00007ff8`dbe3c55d JavaScriptCore!JSC::WatchpointSet::fireAllWatchpoints(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x00000087`888fd780)+0x147 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 172]
04 00000087`888fd6b0 00007ff8`dbe3e473 JavaScriptCore!JSC::WatchpointSet::fireAllSlow(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x00000087`888fd780)+0x9d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 127]
05 00000087`888fd700 00007ff8`dcad9077 JavaScriptCore!JSC::WatchpointSet::fireAll<JSC::StringFireDetail>(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::StringFireDetail * fireDetails = 0x00000087`888fd780)+0x43 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 226]
06 00000087`888fd750 00007ff8`dbe098d4 JavaScriptCore!JSC::PolymorphicAccessJITStubRoutine::invalidate(void)+0x57 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\GCAwareJITStubRoutine.cpp @ 115]
07 00000087`888fd7a0 00007ff8`dbe3d254 JavaScriptCore!JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal(class JSC::VM * vm = 0x0000026f`d1c2acd0)+0x64 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\StructureStubClearingWatchpoint.cpp @ 59]
08 00000087`888fd7f0 00007ff8`dbe3c293 JavaScriptCore!JSC::Watchpoint::fire::<lambda_1>::operator()<JSC::StructureTransitionStructureStubClearingWatchpoint>(class JSC::StructureTransitionStructureStubClearingWatchpoint * derived = 0x0000026f`d8c02e40)+0x24 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 90]
09 00000087`888fd830 00007ff8`dbe3c173 JavaScriptCore!JSC::Watchpoint::runWithDowncast<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp:88:21'>(class JSC::Watchpoint::fire::<lambda_1> * func = 0x00000087`888fd8c0)+0x103 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 60]
0a 00000087`888fd880 00007ff8`dbe3c7bf JavaScriptCore!JSC::Watchpoint::fire(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0xb3 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 88]
0b 00000087`888fd8e0 00007ff8`dbe3c55d JavaScriptCore!JSC::WatchpointSet::fireAllWatchpoints(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x24f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 158]
0c 00000087`888fd950 00007ff8`dbce40b3 JavaScriptCore!JSC::WatchpointSet::fireAllSlow(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x9d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 127]
0d 00000087`888fd9a0 00007ff8`dbccd662 JavaScriptCore!JSC::WatchpointSet::fireAll<const JSC::FireDetail>(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * fireDetails = 0x0000026f`d8f71ce8)+0x43 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 226]
0e 00000087`888fd9f0 00007ff8`dbdf5cbb JavaScriptCore!JSC::WatchpointSet::invalidate(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x42 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 245]
0f 00000087`888fda40 00007ff8`dbdf5c54 JavaScriptCore!JSC::InlineWatchpointSet::invalidate(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x4b [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 366]
10 00000087`888fda90 00007ff8`dbdeaf6d JavaScriptCore!JSC::AccessGenerationResult::fireWatchpoints(class JSC::VM * vm = 0x0000026f`d1c2acd0)+0xd4 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\InlineCacheCompiler.h @ 105]
11 00000087`888fdaf0 00007ff8`dbddb9df JavaScriptCore!JSC::fireWatchpointsAndClearStubIfNeeded(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328, class JSC::CodeBlock * codeBlock = 0x0000026f`d7ed4c40, class JSC::AccessGenerationResult * result = 0x00000087`888fe058)+0x4d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Repatch.cpp @ 217]
12 00000087`888fdb60 00007ff8`dbdd9520 JavaScriptCore!JSC::tryCacheGetBy(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::CodeBlock * codeBlock = 0x0000026f`d7ed4c40, class JSC::JSValue baseValue = class JSC::JSValue, class JSC::CacheableIdentifier propertyName = class JSC::CacheableIdentifier, class JSC::PropertySlot * slot = 0x00000087`888fe430, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328, JSC::GetByKind kind = ById (0n0))+0x22ef [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Repatch.cpp @ 528]
13 00000087`888fe0d0 00007ff8`dcb8a1fb JavaScriptCore!JSC::repatchGetBy(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::CodeBlock * codeBlock = 0x0000026f`d7ed4c40, class JSC::JSValue baseValue = class JSC::JSValue, class JSC::CacheableIdentifier propertyName = class JSC::CacheableIdentifier, class JSC::PropertySlot * slot = 0x00000087`888fe430, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328, JSC::GetByKind kind = ById (0n0))+0xc0 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Repatch.cpp @ 537]
14 00000087`888fe190 00007ff8`dcb89fe8 JavaScriptCore!operationGetByIdOptimize::<lambda_0>::operator()(bool found = true, class JSC::PropertySlot * slot = 0x00000087`888fe430)+0x1db [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp @ 543]
15 00000087`888fe280 00007ff8`dcb67460 JavaScriptCore!JSC::JSValue::getPropertySlot<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp:536:75'>(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::PropertyName propertyName = class JSC::PropertyName, class JSC::PropertySlot * slot = 0x00000087`888fe430, class operationGetByIdOptimize::<lambda_0> * callback = 0x00000087`888fe3f0)+0x218 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\JSCJSValueInlines.h @ 1056]
16 00000087`888fe380 00007ff8`dcb67334 JavaScriptCore!JSC::JSValue::getPropertySlot<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp:536:75'>(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::PropertyName propertyName = class JSC::PropertyName, class operationGetByIdOptimize::<lambda_0> * callback = 0x00000087`888fe4f0)+0xd0 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\JSCJSValueInlines.h @ 1048]
17 00000087`888fe4a0 0000026f`8000395a JavaScriptCore!operationGetByIdOptimize(int64 base = 0n2679328938624, class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328)+0x164 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp @ 536]
18 00000087`888fe580 00005d64`00000004 0x0000026f`8000395a
19 00000087`888fe588 00000087`888fe600 0x00005d64`00000004
Fujii Hironori
Comment 2
2024-04-30 18:56:27 PDT
Setting an env var JSC_useJIT=0 works around the crash, but other env vars JSC_useDFGJIT=0, JSC_useRegExpJIT=0, JSC_useDOMJIT=0 have no effect.
Radar WebKit Bug Importer
Comment 3
2024-05-01 00:42:22 PDT
<rdar://problem/127346958>
Yusuke Suzuki
Comment 4
2024-05-01 00:44:14 PDT
Pull request: https://github.com/WebKit/WebKit/pull/27972
EWS
Comment 5
2024-05-01 13:00:16 PDT
Committed 278223@main (1d96c3185c84): <https://commits.webkit.org/278223@main>

Reviewed commits have been landed. Closing PR #27972 and removing active labels.