RESOLVED FIXED 273703
Crash on WebCore::FrameLoader::effectiveReferrerPolicy() after 274396@main on ARM64 with GCC -O3
https://bugs.webkit.org/show_bug.cgi?id=273703
Carlos Alberto Lopez Perez
Reported 2024-05-03 12:05:26 PDT
The WPE performance test bots running on RPi4 boards (ARM 64-bit) started to crash on all the tests after 274396@main. The bots are here: https://build.webkit.org/#/builders/895

I manually bisected this and I confirm that everything was working before 274396@main, but after 274396@main and later the browser always crashes as soon as it starts; it is not even able to load a very basic page.

The backtrace looks like this:

#0  0x0000007fb24e5c48 in WebCore::FrameLoader::effectiveReferrerPolicy() const () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#1  0x0000007fb1f15b1c in WebCore::Document::initSecurityContext() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#2  0x0000007fb1f1c994 in WebCore::Document::Document(WebCore::LocalFrame*, WebCore::Settings const&, WTF::URL const&, WTF::OptionSet<WebCore::Document::DocumentClass>, WTF::OptionSet<WebCore::Document::ConstructionFlag>, WebCore::ProcessQualified<WTF::UUID>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#3  0x0000007fb217adf0 in WebCore::HTMLDocument::HTMLDocument(WebCore::LocalFrame*, WebCore::Settings const&, WTF::URL const&, WebCore::ProcessQualified<WTF::UUID>, WTF::OptionSet<WebCore::Document::DocumentClass>, WTF::OptionSet<WebCore::Document::ConstructionFlag>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#4  0x0000007fb1ee16c4 in WebCore::DOMImplementation::createDocument(WTF::String const&, WebCore::LocalFrame*, WebCore::Settings const&, WTF::URL const&, WebCore::ProcessQualified<WTF::UUID>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#5  0x0000007fb24b7150 in WebCore::DocumentWriter::createDocument(WTF::URL const&, WebCore::ProcessQualified<WTF::UUID>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#6  0x0000007fb24cfcf4 in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*, WebCore::ProcessQualified<WTF::UUID>, WebCore::NavigationAction const*) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#7  0x0000007fb24d0d94 in WebCore::DocumentLoader::commitData(WebCore::SharedBuffer const&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#8  0x0000007fb24d17f4 in WebCore::DocumentLoader::finishedLoading() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#9  0x0000007fb24d1ef8 in WebCore::DocumentLoader::maybeLoadEmpty() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#10 0x0000007fb24d5838 in WebCore::DocumentLoader::startLoadingMainResource() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#11 0x0000007fb24ecd88 in WebCore::FrameLoader::init() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#12 0x0000007fb2611a48 in WebCore::LocalFrame::init() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#13 0x0000007faf5379e8 in WebKit::WebPage::WebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#14 0x0000007faf538908 in WebKit::WebPage::create(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#15 0x0000007faf42b76c in WebKit::WebProcess::createWebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#16 0x0000007faef4b6b4 in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#17 0x0000007faf1b1480 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#18 0x0000007faf1b282c in IPC::Connection::dispatchOneIncomingMessage() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#19 0x0000007fb0a7b59c in WTF::RunLoop::performWork() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#20 0x0000007fb0af5190 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#21 0x0000007fb0af609c in WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#22 0x0000007fae0b9c7c in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#23 0x0000007fae0ba070 in ?? () from /usr/lib/libglib-2.0.so.0
#24 0x0000007fae0ba3f8 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#25 0x0000007fb0af629c in WTF::RunLoop::run() () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#26 0x0000007faf5683f8 in WebKit::WebProcessMain(int, char**) () from /home/root/webkit/WebKitBuild/WPE/Release/lib/libWPEWebKit-2.0.so.1
#27 0x0000007fad8f6e38 in __libc_start_call_main (main=main@entry=0x55578c0840 <main>, argc=argc@entry=3, argv=argv@entry=0x7fd849a888) at /usr/src/debug/glibc/2.37-r1/sysdeps/nptl/libc_start_call_main.h:58
#28 0x0000007fad8f6f1c in __libc_start_main_impl (main=0x55578c0840 <main>, argc=3, argv=0x7fd849a888, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=<optimized out>) at /usr/src/debug/glibc/2.37-r1/csu/libc-start.c:360
#29 0x00000055578c08b0 in _start () at ../sysdeps/aarch64/start.S:98

And I'm not able to get a better backtrace, because if I try to build a Debug build then the crash no longer happens.

The crash also doesn't happen if you build Release with -O2; it only happens with -O3, which is the default for developer release builds.

I compared all the compiler switches that are enabled at -O2 vs -O3 for GCC 12.3.0, and the one causing the crash is --param=early-inlining-insns: -O3 enables early-inlining-insns=14 and -O2 enables early-inlining-insns=6.

The file causing the crash is Source/WebCore/page/Page.cpp
* If it gets built with --param=early-inlining-insns=9 or lower it is fine
* If it gets built with --param=early-inlining-insns=10 or higher it crashes

However, that is for a release build. If I build Debug and I set --param=early-inlining-insns=16 on that file then it doesn't crash anymore.. 🤷

So I'm not sure if this is a compiler bug, or if it is because of some undefined behaviour, or if there is a valid bug somewhere that only triggers due to very specific timings caused by a race condition or similar. But the issue is 100% reproducible when it happens.
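The threshold search described above (a value of 9 passes, 10 crashes) is a monotone predicate, so it can be bisected instead of probed one value at a time. The script below is an added example, not part of the bug report or the WebKit tree: `find_threshold` binary-searches the smallest `--param=early-inlining-insns` value at which a caller-supplied probe fails, and `gcc_probe` is an assumed stand-in for "rebuild the affected translation unit and run it" (SRC, CXX and the build line are placeholders, not WebKit's build).

```shell
#!/bin/sh
# Added example: bisect the --param=early-inlining-insns value at which a
# build+run probe starts failing. Not code from the bug report.

# Hypothetical probe: compile one translation unit ($SRC) at -O3 with the
# candidate early-inlining-insns value and run the result. Exit status 0
# means "no crash". Adapt the build line to the real tree; this is only a
# placeholder for rebuilding Page.cpp on the bot.
gcc_probe() {
    insns=$1
    "${CXX:-g++}" -O3 "--param=early-inlining-insns=$insns" \
        -o "${PROBE_BIN:-/tmp/probe_bin}" "${SRC:?set SRC to the source file}" \
        && "${PROBE_BIN:-/tmp/probe_bin}"
}

# find_threshold LO HI PROBE
# Precondition: PROBE passes at LO and fails at HI (e.g. LO=6 from -O2,
# HI=14 from -O3). Prints the smallest value in (LO, HI] at which PROBE fails.
# Returns 1 (and prints nothing) when the precondition does not hold, so the
# caller does not mistake a bad setup for a real threshold.
find_threshold() {
    lo=$1; hi=$2; probe=$3
    if "$probe" "$hi"; then
        echo "probe passes at $hi; nothing to bisect" >&2
        return 1
    fi
    if ! "$probe" "$lo"; then
        echo "probe already fails at $lo; lower LO" >&2
        return 1
    fi
    # Invariant: probe(lo) passes, probe(hi) fails.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$hi"
}

# Usage on a real tree (not run here):
#   SRC=path/to/file.cpp find_threshold 6 14 gcc_probe
```

Each probe run is a full rebuild of the translation unit plus a launch, so with the -O2/-O3 bounds of 6 and 14 this takes at most three probes instead of eight.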
Carlos Alberto Lopez Perez
Comment 1 2024-05-03 12:14:09 PDT
Some info about the crash that I debugged with a few printfs ...

- On the backtrace above, the crash inside the function "WebCore::FrameLoader::effectiveReferrerPolicy()" happens exactly when doing the downcast of m_frame->opener(). In this line exactly:

    RefPtr opener = dynamicDowncast<LocalFrame>(m_frame->opener()))

Note: "m_frame->opener()" is not null (I checked it).

If I comment out that code and simply return "ReferrerPolicy::Default" there, then the same crash happens later at WebCore::Document::initSecurityContext(), exactly here:

    // If we do not obtain a meaningful origin from the URL, then we try to
    // find one via the frame hierarchy.
    RefPtr parentFrame = m_frame->tree().parent();
    RefPtr openerFrame = dynamicDowncast<LocalFrame>(m_frame->opener()); // <--- here crashes
    RefPtr ownerFrame = dynamicDowncast<LocalFrame>(parentFrame.get());

Again it crashes when trying to call "dynamicDowncast<LocalFrame>(m_frame->opener())", which is basically the same crash as previously (note: I checked that "m_frame->opener()" is not null).

So I'm not sure what is going on and/or if this is a valid bug or a crash caused by a bug in the compiler itself. I have a workaround, which is ensuring this file does not build with a value of "early-inlining-insns" higher than what is enabled for -O2 ... so I will propose that patch for now.
Carlos Alberto Lopez Perez
Comment 2 2024-05-03 12:28:40 PDT
Carlos Alberto Lopez Perez
Comment 3 2024-05-17 09:58:28 PDT
In the end I managed to create a simplified test case and reported a bug to GCC here: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115135

This looks to me like a bug in GCC and not an issue in the WebKit code. It happens also with newer versions of GCC (13 and 14 tested and affected).
EWS
Comment 4 2024-05-21 11:23:49 PDT
Committed 279066@main (bc889156b6fb): <https://commits.webkit.org/279066@main> Reviewed commits have been landed. Closing PR #28117 and removing active labels.