Created attachment 471436 [details] crash log of WinCairo-64-bit-Release-Tests 278960@main https://build.webkit.org/results/WinCairo-64-bit-Release-Tests/278960@main%20(4669)/CrashLog_25dc_2024-05-18_22-02-29-558.txt . 0 Id: 2978.96c Suspend: 1 Teb: 000000b1`a70c8000 Unfrozen # Child-SP RetAddr Call Site 00 (Inline Function) --------`-------- WebCore!WTF::RefCountedBase::refAllowingPartiallyDestroyed [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h @ 50] 01 (Inline Function) --------`-------- WebCore!WTF::RefCountedBase::ref [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h @ 58] 02 (Inline Function) --------`-------- WebCore!WTF::DefaultRefDerefTraits<WebCore::HistoryItem>::ref [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h @ 55] 03 (Inline Function) --------`-------- WebCore!WTF::Ref<WebCore::HistoryItem,WTF::RawPtrTraits<WebCore::HistoryItem>,WTF::DefaultRefDerefTraits<WebCore::HistoryItem> >::Ref [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h @ 87] 04 000000b1`a72fd540 00007ff8`da9a4067 WebCore!WebCore::CachedPage::restore(class WebCore::Page * page = 0x000002b0`09a25590)+0x28c [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\history\CachedPage.cpp @ 187] 05 000000b1`a72fd610 00007ff8`da9a996c WebCore!WebCore::FrameLoader::commitProvisionalLoad(void)+0x4a7 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 2281] 06 000000b1`a72fd920 00007ff8`da9a1e87 WebCore!WebCore::FrameLoader::loadProvisionalItemFromCachedPage(void)+0x7c [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 4123] 07 000000b1`a72fd970 00007ff8`da9b1609 WebCore!WebCore::FrameLoader::continueLoadAfterNavigationPolicy(class WebCore::ResourceRequest * request = <Value unavailable error>, class WebCore::FormState * formState = <Value unavailable error>, WebCore::NavigationPolicyDecision navigationPolicyDecision = <Value unavailable error>, WebCore::AllowNavigationToInvalidURL allowNavigationToInvalidURL = <Value unavailable error>)+0x5d7 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 3969] 08 (Inline Function) --------`-------- WebCore!WebCore::FrameLoader::loadWithDocumentLoader::<lambda_8>::operator()+0x3c [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 1818] 09 000000b1`a72fdd30 00007ff8`da9d8ca5 WebCore!WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\loader\FrameLoader.cpp:1817:152',void,WebCore::ResourceRequest &&,WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl,WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> > &&,WebCore::NavigationPolicyDecision>::call(class WebCore::ResourceRequest * in = <Value unavailable error>, class WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl,WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> > * in = <Value unavailable error>, WebCore::NavigationPolicyDecision in = <Value unavailable error>)+0x49 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Function.h @ 53] 0a (Inline Function) --------`-------- WebCore!WTF::Function<void +0x11 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Function.h @ 82] 0b (Inline Function) --------`-------- WebCore!WTF::CompletionHandler<void +0x1d [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\CompletionHandler.h @ 78] 0c (Inline Function) --------`-------- WebCore!WebCore::PolicyChecker::checkNavigationPolicy::<lambda_0>::operator()+0x3d0 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\loader\PolicyChecker.cpp @ 262] 0d 000000b1`a72fdd70 00007ff8`dcad6135 WebCore!WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\loader\PolicyChecker.cpp:219:43',void,WebCore::PolicyAction>::call(WebCore::PolicyAction in = <Value unavailable error>)+0x3f5 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Function.h @ 53] 0e (Inline Function) --------`-------- WebKit2!WTF::Function<void +0x9 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Function.h @ 82] 0f (Inline Function) --------`-------- WebKit2!WTF::CompletionHandler<void +0x9 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\CompletionHandler.h @ 78] 10 000000b1`a72fded0 00007ff8`dcab2dcd WebKit2!WebKit::WebFrame::didReceivePolicyDecision(unsigned int64 listenerID = <Value unavailable error>, struct WebKit::PolicyDecision * policyDecision = 0x000000b1`a72fdfb0)+0x2b5 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\WebProcess\WebPage\WebFrame.cpp @ 575] 11 (Inline Function) --------`-------- WebKit2!WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction::<lambda_15>::operator()+0x12 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\WebProcess\WebCoreSupport\WebFrameLoaderClient.cpp @ 200] 12 (Inline Function) --------`-------- WebKit2!std::invoke+0x12 [C:\MSVS\VC\Tools\MSVC\14.39.33519\include\type_traits @ 1739] 13 (Inline Function) --------`-------- WebKit2!std::_Apply_impl+0x12 [C:\MSVS\VC\Tools\MSVC\14.39.33519\include\tuple @ 1077] 14 (Inline Function) --------`-------- WebKit2!std::apply+0x12 [C:\MSVS\VC\Tools\MSVC\14.39.33519\include\tuple @ 1088] 15 (Inline Function) --------`-------- WebKit2!IPC::Connection::callReply+0x29 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\Platform\IPC\Connection.h @ 857] 16 (Inline Function) --------`-------- WebKit2!IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPageProxy::DecidePolicyForNavigationActionAsync,`lambda at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\WebProcess\WebCoreSupport\WebFrameLoaderClient.cpp:194:118'>::<lambda_1>::operator()+0x3f [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\Platform\IPC\Connection.h @ 785] 17 000000b1`a72fdf90 00007ff8`dc7e512d WebKit2!WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\Platform\IPC\Connection.h:783:9',void,IPC::Decoder *>::call(class IPC::Decoder * in = 0x000002b0`09bb0a80)+0x5d [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Function.h @ 53] 18 (Inline Function) --------`-------- WebKit2!WTF::Function<void +0xc [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Function.h @ 82] 19 (Inline Function) --------`-------- WebKit2!WTF::CompletionHandler<void +0x15 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\CompletionHandler.h @ 78] 1a 000000b1`a72fe0a0 00007ff8`dc7e52d5 WebKit2!IPC::Connection::dispatchMessage(class IPC::Decoder * decoder = 0x000002b0`09bb0a80)+0x8d [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1308] 1b 000000b1`a72fe100 00007ff8`dc7e545c WebKit2!IPC::Connection::dispatchMessage(class WTF::UniqueRef<IPC::Decoder> message = class WTF::UniqueRef<IPC::Decoder>)+0xf5 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1376] 1c 000000b1`a72fe150 00007ff8`e5e81a3e WebKit2!IPC::Connection::dispatchOneIncomingMessage(void)+0xec [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1440] 1d (Inline Function) --------`-------- WTF!WTF::Function<void +0x9 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WTF\wtf\Function.h @ 82] 1e 000000b1`a72fe1b0 00007ff8`e5eefa88 WTF!WTF::RunLoop::performWork(void)+0x19e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WTF\wtf\RunLoop.cpp @ 148] 1f (Inline Function) --------`-------- WTF!WTF::RunLoop::wndProc+0x18 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 56] 20 000000b1`a72fe200 00007ff8`f2d20089 WTF!WTF::RunLoop::RunLoopWndProc(struct HWND__ * hWnd = 0x00000000`2b020182, unsigned int message = 0x401, unsigned int64 wParam = 0x000002b0`03f42870, int64 lParam = 0n0)+0x38 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 39] 21 000000b1`a72fe250 00007ff8`f2d1fa02 USER32!CallWindowProcW+0x419 22 000000b1`a72fe3e0 00007ff8`e5eefbff USER32!DispatchMessageW+0x1e2 23 000000b1`a72fe460 00007ff8`dcaf73da WTF!WTF::RunLoop::run(void)+0x5f [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 73] 24 000000b1`a72fe4e0 00007ff8`dca96154 WebKit2!WebKit::WebPage::runModal(void)+0x9a [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\WebProcess\WebPage\WebPage.cpp @ 6642] 25 000000b1`a72fe540 00007ff8`daa51d83 WebKit2!WebKit::WebChromeClient::runModal(void)+0x24 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebKit\WebProcess\WebCoreSupport\WebChromeClient.cpp @ 394] 26 000000b1`a72fe570 00007ff8`daac6539 WebCore!WebCore::Chrome::runModal(void)+0x93 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\Chrome.cpp @ 244] 27 000000b1`a72fe660 00007ff8`da13d75e WebCore!WebCore::LocalDOMWindow::showModalDialog(class WTF::String * urlString = <Value unavailable error>, class WTF::String * dialogFeaturesString = <Value unavailable error>, class WebCore::LocalDOMWindow * activeWindow = 0x000002b0`068468c0, class WebCore::LocalDOMWindow * firstWindow = 0x000002b0`068468c0, class WTF::Function<void (WebCore::LocalDOMWindow &)> * prepareDialogFunction = 0x000000b1`a72fe7f0)+0x509 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalDOMWindow.cpp @ 2750] 28 000000b1`a72fe780 00007ff8`d8ab4d9b WebCore!WebCore::showModalDialog(class JSC::JSGlobalObject * lexicalGlobalObjectPtr = 0x000002b0`0685a718, class JSC::CallFrame * callFramePtr = <Value unavailable error>)+0x29e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\JSDOMWindowCustom.cpp @ 582] 29 000000b1`a72fe830 000000b1`a72fe8c0 JavaScriptCore!llint_entry+0x23b73 2a 000000b1`a72fe838 00007ff8`d8ab1f21 0x000000b1`a72fe8c0 2b 000000b1`a72fe840 00007ff8`d8ab4d63 JavaScriptCore!llint_entry+0x20cf9 2c 000000b1`a72fe848 00000000`00000000 JavaScriptCore!llint_entry+0x23b3b

278960@main changed CachedPage.cpp line#187. It seems to be a culprit.

This crash is highly reproducible on Windows port layout test EWS. But, not reproducible on my PC with Windows port Debug and Relase builds so far.

Win-Tests-EWS reported http/tests/security/no-javascript-location-percent-escaped.html crashed with the same callstack. Buildbot: builder Win-Tests-EWS build 1839 https://ews-build.webkit.org/#/builders/60/builds/1839 Regressions: Unexpected crashes (1) http/tests/security/no-javascript-location-percent-escaped.html [ Crash ]

<rdar://problem/128551183>

Neiter http/tests/security/no-indexeddb-from-sandbox.html nor http/tests/security/no-javascript-location-percent-escaped.html is a cause. http/tests/security/navigate-when-restoring-cached-page.html makes a subsequent test crash. 279101@main skips the test for WinCairo. However, still I don't know how to reproduce the crash on my PC.

I was able to reproduce the crash on macOS with the following: run-webkit-tests --child-processes 1 --iterations 10 --exit-after-n-crashes-or-timeouts 1 http/tests/security/navigate-when-restoring-cached-page.html http/tests/security/no-indexeddb-from-sandbox.html It crashed within the first few iterations.

Pull request: https://github.com/WebKit/WebKit/pull/28993

Committed 279218@main (0f1a31523d4a): <https://commits.webkit.org/279218@main> Reviewed commits have been landed. Closing PR #28993 and removing active labels.