Bug 254633

Summary:	REGRESSION(261993@main): JSC: Crash under JSC::MarkedBlock::aboutToMark
Product:	WebKit	Reporter:	Fujii Hironori <Hironori.Fujii>
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED DUPLICATE
Severity:	Normal	CC:	cgarcia, kdwkleung, mark.lam, mcatanzaro, ysuzuki
Priority:	P2
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified
URL:	https://www.reddit.com/
See Also:	https://bugs.webkit.org/show_bug.cgi?id=254242

Description Fujii Hironori 2023-03-28 17:12:12 PDT

REGRESSION: JSC: Crash under JSC::MarkedBlock::aboutToMark

WinCairo Release MiniBrowser is crashihng or freezing just by loading
https://news.yahoo.co.jp/articles/c5dbf98ce2bd908c9d05b55f413a2bcd11892c64 today.

262131@main: Bad
261847@main: Good

Exception thrown at 0x00007FFA6EF30757 (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00007F0041C80038.

>	[Inline Frame] JavaScriptCore.dll!std::_Atomic_storage<unsigned char,1>::compare_exchange_strong(unsigned char &) Line 756	C++
 	[Inline Frame] JavaScriptCore.dll!std::atomic<unsigned char>::compare_exchange_weak(unsigned char &) Line 2207	C++
 	[Inline Frame] JavaScriptCore.dll!WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char) Line 89	C++
 	[Inline Frame] JavaScriptCore.dll!WTF::LockAlgorithm<unsigned char,1,2,WTF::EmptyLockHooks<unsigned char>>::lockFastAssumingZero(WTF::Atomic<unsigned char> &) Line 53	C++
 	[Inline Frame] JavaScriptCore.dll!WTF::Lock::lock() Line 65	C++
 	[Inline Frame] JavaScriptCore.dll!WTF::Locker<WTF::Lock>::{ctor}(WTF::Lock &) Line 158	C++
 	JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 207	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 586	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell *) Line 57	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 70	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::append(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> &) Line 110	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> *) Line 139	C++
 	JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 384	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell *) Line 115	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell *) Line 394	C++
 	JavaScriptCore.dll!JSC::SlotVisitor::drain::__l9::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack(const JSC::SlotVisitor::drain::__l9::<lambda_1> &) Line 184	C++
 	JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494	C++
 	JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 694	C++
 	JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400	C++
 	WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113	C++
 	WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 203	C++
 	WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 230	C++
 	[Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 82	C++
 	WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250	C++
 	WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151	C++
 	ucrtbase.dll!00007ffaf1f61bb2()	Unknown
 	kernel32.dll!00007ffaf30e7614()	Unknown
 	ntdll.dll!00007ffaf45026a1()	Unknown

Exception thrown at 0x00007FFA6EF3074F (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation reading location 0x0000000000000018.

>	JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 204	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 586	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell *) Line 57	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 70	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::append(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> &) Line 110	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> *) Line 139	C++
 	JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 384	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell *) Line 115	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell *) Line 394	C++
 	JavaScriptCore.dll!JSC::SlotVisitor::drain::__l9::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504	C++
 	[Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack(const JSC::SlotVisitor::drain::__l9::<lambda_1> &) Line 184	C++
 	JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494	C++
 	JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 694	C++
 	JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400	C++
 	WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113	C++
 	WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 203	C++
 	WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 230	C++
 	[Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 82	C++
 	WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250	C++
 	WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151	C++
 	ucrtbase.dll!00007ffaf1f61bb2()	Unknown
 	kernel32.dll!00007ffaf30e7614()	Unknown
 	ntdll.dll!00007ffaf45026a1()	Unknown

Comment 1 Fujii Hironori 2023-03-28 17:37:46 PDT

Backtrace of WinCairo Debug MiniBrowser 262233@main:

Exception thrown at 0x00007FFA42E6A001 (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.

JavaScriptCore.dll!std::_Atomic_storage<unsigned char,1>::compare_exchange_strong(unsigned char & _Expected, const unsigned char _Desired, const std::memory_order _Order) Line 756	C++
JavaScriptCore.dll!std::atomic<unsigned char>::compare_exchange_weak(unsigned char & _Expected, const unsigned char _Desired, const std::memory_order _Order) Line 2208	C++
JavaScriptCore.dll!WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char expected, unsigned char desired, std::memory_order order) Line 90	C++
JavaScriptCore.dll!WTF::LockAlgorithm<unsigned char,1,2,WTF::EmptyLockHooks<unsigned char>>::lockFastAssumingZero(WTF::Atomic<unsigned char> & lock) Line 54	C++
JavaScriptCore.dll!WTF::Lock::lock() Line 65	C++
JavaScriptCore.dll!WTF::Locker<WTF::Lock>::Locker<WTF::Lock>(WTF::Lock & lock) Line 159	C++
JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 207	C++
JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 587	C++
JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell * cell) Line 57	C++
JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 71	C++
JavaScriptCore.dll!JSC::SlotVisitor::append<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>>(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> & slot) Line 111	C++
JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> * barriers, unsigned __int64 count) Line 139	C++
JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 403	C++
JavaScriptCore.dll!JSC::JSBoundFunction::visitChildren(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 406	C++
JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 115	C++
JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell * cell) Line 398	C++
JavaScriptCore.dll!JSC::SlotVisitor::drain::__l11::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504	C++
JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack<`JSC::SlotVisitor::drain'::`11'::<lambda_1>>(const JSC::SlotVisitor::drain::__l11::<lambda_1> & func) Line 184	C++
JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494	C++
JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 697	C++
JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400	C++
JavaScriptCore.dll!WTF::SharedTaskFunctor<void __cdecl(void),`JSC::Heap::runBeginPhase'::`2'::<lambda_2>>::run() Line 92	C++
WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113	C++
WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 202	C++
WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 229	C++
WTF.dll!WTF::Detail::CallableWrapper<`WTF::AutomaticThread::start'::`2'::<lambda_1>,void>::call() Line 53	C++
WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 83	C++
WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250	C++
WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151	C++
ucrtbase.dll!00007ffaf1f61bb2()	Unknown
kernel32.dll!00007ffaf30e7614()	Unknown
ntdll.dll!00007ffaf45026a1()	Unknown

Comment 2 Fujii Hironori 2023-03-28 19:01:33 PDT

Since 261993@main.

Comment 3 Fujii Hironori 2023-03-29 00:13:09 PDT

Looks like similar crashes? bug#164989 bug#182396 bug#200863

Comment 4 Michael Catanzaro 2023-03-29 10:05:35 PDT Comment hidden (obsolete)

Hey Fujii, this is bug #254622

Comment 5 Michael Catanzaro 2023-03-29 10:06:43 PDT

(In reply to Michael Catanzaro from comment #4)
> Hey Fujii, this is bug #254622

Er, sorry, it looks like I posted this comment by mistake even after noticing that I had the wrong bug link. I meant bug #254325 (crash on reddit.com), not bug #254622. Anyway, I'll mark bug #254325 as a duplicate of this one.

Comment 6 Michael Catanzaro 2023-03-29 10:06:53 PDT

*** Bug 254325 has been marked as a duplicate of this bug. ***

Comment 7 Fujii Hironori 2023-03-29 12:59:53 PDT

Good to know. WinCairo Debug MiniBrowser (262233@main) also crashing just by loading https://www.reddit.com/ with the same backtrace (comment#1).

Comment 8 Fujii Hironori 2023-03-29 14:29:05 PDT

WinCairo Debug MiniBrowser (262233@main) crashes https://ima.hatenablog.jp/entry/2023/03/27/210000 with the same backtrace.

Comment 9 Fujii Hironori 2023-03-29 14:49:16 PDT

I checked 30 web pages from https://news.ycombinator.com/ .
Tow more pages crash.
https://www.prusa3d.com/product/original-prusa-mk4-2/
https://twitter.com/debarghya_das/status/1640892791923572737

Comment 10 Michael Catanzaro 2023-03-30 06:45:27 PDT

Hi Yusuke, do you want us to revert this, or do you want more time to investigate?

Unfortunately WebKitGTK 2.41.1 just got released with this bug. :(

Comment 11 Fujii Hironori 2023-03-30 21:20:15 PDT

I can't reproduce the same crash with WinCairo Debug MiniBrowser (262385@main). Maybe, I should close this as WORKSFORME.

Comment 12 Fujii Hironori 2023-03-30 21:31:34 PDT

I confirmed WinCairo Debug MiniBrowser (262384@main) still reproduced the crash.
262385@main affected this.

Comment 13 Mark Lam 2023-03-30 22:43:45 PDT

By "262385@main affected this", I think Fujii meant that it appears to be fixed.  Duping.

*** This bug has been marked as a duplicate of bug 254752 ***

Comment 14 Michael Catanzaro 2023-03-31 05:27:11 PDT

262385@main fixed the crashes on Linux too, despite the Windows-related commit message. Thanks Yusuke!