Bug 265435

Summary: REGRESSION(271184@main): [Win] crash under JSC::PolymorphicCallNode::unlinkImpl
Product: WebKit Reporter: Fujii Hironori <Hironori.Fujii>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=265361

Description Fujii Hironori 2023-11-27 22:54:50 PST 
Windows Release becomes crashy.

Buildbot: builder WinCairo-64-bit-Release-Tests build 2839 : 271179@main
https://build.webkit.org/#/builders/728/builds/2839

Regressions: Unexpected crashes (5)
  http/tests/security/mixedContent/insecure-basic-auth-image.https.html [ Crash ]
  webgl/2.0.0/conformance2/glsl3/vector-dynamic-indexing.html [ Crash ]
  webgl/2.0.0/conformance2/textures/misc/tex-new-formats.html [ Crash ]
  webgl/2.0.y/conformance/ogles/GL/operators/operators_009_to_016.html [ Crash ]
  webgl/2.0.y/conformance2/textures/canvas/tex-2d-rgb565-rgb-unsigned_short_5_6_5.html [ Crash ]

https://build.webkit.org/results/WinCairo-64-bit-Release-Tests/271184@main%20(2840)/CrashLog_1f14_2023-11-28_04-26-21-641.txt

.  0  Id: 2de4.41ec Suspend: 1 Teb: 000000c8`251e1000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 (Inline Function) --------`-------- JavaScriptCore!WTF::BasicRawSentinelNode<JSC::CallLinkInfoBase,WTF::PackedPtrTraits<JSC::CallLinkInfoBase> >::setNext [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\SentinelLinkedList.h @ 61]
01 (Inline Function) --------`-------- JavaScriptCore!WTF::SentinelLinkedList<JSC::CallLinkInfoBase,WTF::BasicRawSentinelNode<JSC::CallLinkInfoBase,WTF::PackedPtrTraits<JSC::CallLinkInfoBase> > >::remove+0x6 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\SentinelLinkedList.h @ 240]
02 (Inline Function) --------`-------- JavaScriptCore!WTF::BasicRawSentinelNode<JSC::CallLinkInfoBase,WTF::PackedPtrTraits<JSC::CallLinkInfoBase> >::remove+0x6 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\SentinelLinkedList.h @ 164]
03 000000c8`24ffdf50 00007ff8`e857af05 JavaScriptCore!JSC::PolymorphicCallNode::unlinkImpl(class JSC::VM * vm = <Value unavailable error>)+0x1c2 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\jit\PolymorphicCallStubRoutine.cpp @ 49]
04 (Inline Function) --------`-------- JavaScriptCore!JSC::CallLinkInfoBase::unlink+0x5 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\bytecode\CallLinkInfoBase.cpp @ 43]
05 (Inline Function) --------`-------- JavaScriptCore!JSC::CodeBlock::unlinkIncomingCalls+0x14 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\bytecode\CodeBlock.cpp @ 2106]
06 000000c8`24ffdfc0 00007ff8`e8a118d3 JavaScriptCore!JSC::CodeBlock::~CodeBlock(void)+0x115 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\bytecode\CodeBlock.cpp @ 866]
07 (Inline Function) --------`-------- JavaScriptCore!JSC::DefaultDestroyFunc::operator()+0x18 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\HeapCellType.cpp @ 46]
08 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedBlock::Handle::specializedSweep<1,1,0,1,0,1,1,JSC::DefaultDestroyFunc>::<lambda_1>::operator()+0x20 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 282]
09 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedBlock::Handle::specializedSweep<1,1,0,1,0,1,1,JSC::DefaultDestroyFunc>::<lambda_3>::operator()+0x24 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 352]
0a 000000c8`24ffe020 00007ff8`e8a0fd1e JavaScriptCore!JSC::MarkedBlock::Handle::specializedSweep<1,1,0,1,0,1,1,JSC::DefaultDestroyFunc>(class JSC::FreeList * freeList = <Value unavailable error>, JSC::MarkedBlock::Handle::EmptyMode emptyMode = <Value unavailable error>, JSC::MarkedBlock::Handle::SweepMode sweepMode = <Value unavailable error>, JSC::MarkedBlock::Handle::SweepDestructionMode destructionMode = <Value unavailable error>, JSC::MarkedBlock::Handle::ScribbleMode scribbleMode = <Value unavailable error>, JSC::MarkedBlock::Handle::NewlyAllocatedMode newlyAllocatedMode = <Value unavailable error>, JSC::MarkedBlock::Handle::MarksMode marksMode = <Value unavailable error>, struct JSC::DefaultDestroyFunc * destroyFunc = 0x000000c8`24ffe1b8)+0x133 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 401]
0b 000000c8`24ffe070 00007ff8`e8a085c9 JavaScriptCore!JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::DefaultDestroyFunc>::<lambda_1>::operator()(void)+0x11e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 476]
0c 000000c8`24ffe0c0 00007ff8`e8a08426 JavaScriptCore!JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::DefaultDestroyFunc>(class JSC::FreeList * freeList = <Value unavailable error>, struct JSC::DefaultDestroyFunc * destroyFunc = 0x000000c8`24ffe1b8)+0x189 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 498]
0d 000000c8`24ffe190 00007ff8`e8a1c8b5 JavaScriptCore!JSC::HeapCellType::finishSweep(class JSC::MarkedBlock::Handle * block = <Value unavailable error>, class JSC::FreeList * freeList = <Value unavailable error>)+0x26 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\HeapCellType.cpp @ 61]
0e 000000c8`24ffe1d0 00007ff8`e89d692a JavaScriptCore!JSC::MarkedBlock::Handle::sweep(class JSC::FreeList * freeList = <Value unavailable error>)+0x135 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlock.cpp @ 480]
0f (Inline Function) --------`-------- JavaScriptCore!JSC::BlockDirectory::sweep::<lambda_7>::operator()+0x16 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\BlockDirectory.cpp @ 299]
10 (Inline Function) --------`-------- JavaScriptCore!WTF::FastBitVectorImpl<JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView<6> >::forEachSetBit+0x68 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\FastBitVector.h @ 348]
11 000000c8`24ffe2c0 00007ff8`e8a1e968 JavaScriptCore!JSC::BlockDirectory::sweep(void)+0x7a [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\BlockDirectory.cpp @ 296]
12 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedSpace::sweepBlocks::<lambda_10>::operator()+0x8 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedSpace.cpp @ 223]
13 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedSpace::forEachDirectory+0x1c [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedSpace.h @ 245]
14 000000c8`24ffe320 00007ff8`e89e161b JavaScriptCore!JSC::MarkedSpace::sweepBlocks(void)+0x38 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedSpace.cpp @ 221]
15 000000c8`24ffe350 00007ff8`e89e1d89 JavaScriptCore!JSC::Heap::sweepSynchronously(void)+0xdb [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1185]
16 000000c8`24ffe3e0 00007ff8`d6249a32 JavaScriptCore!JSC::Heap::collectNow(JSC::Synchronousness synchronousness = <Value unavailable error>, struct JSC::GCRequest * request = 0x00000000`00000101)+0x1d9 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1235]
17 000000c8`24ffe450 00007ff8`d62f2b88 WebCore!WebCore::GCController::garbageCollectNow(void)+0x92 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\GCController.cpp @ 97]
18 (Inline Function) --------`-------- WebCore!WebCore::collectGarbageAfterWindowProxyDestruction+0x4e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\WindowProxy.cpp @ 52]
19 000000c8`24ffe4a0 00007ff8`d6b2f67f WebCore!WebCore::WindowProxy::detachFromFrame(void)+0x148 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\WindowProxy.cpp @ 87]
1a 000000c8`24ffe500 00007ff8`d6b49d15 WebCore!WebCore::Frame::~Frame(void)+0x1f [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\Frame.cpp @ 58]
1b 000000c8`24ffe540 00007ff8`d6b6b000 WebCore!WebCore::LocalFrame::~LocalFrame(void)+0x275 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalFrame.cpp @ 221]
1c 000000c8`24ffe5c0 00007ff8`d6b5117e WebCore!WebCore::LocalFrame::~LocalFrame(int should_call_delete = 0n1)+0x10 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalFrame.cpp @ 197]
1d (Inline Function) --------`-------- WebCore!WTF::ThreadSafeRefCounted<WebCore::Frame,1>::deref+0x3a [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\ThreadSafeRefCounted.h @ 121]
1e (Inline Function) --------`-------- WebCore!WTF::Ref<WebCore::LocalFrame,WTF::RawPtrTraits<WebCore::LocalFrame> >::~Ref+0x51 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h @ 61]
1f 000000c8`24ffe600 00007ff8`d6b6b030 WebCore!WebCore::LocalFrameView::~LocalFrameView(void)+0x72e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalFrameView.cpp @ 257]
(..)
Comment 1 Fujii Hironori 2023-11-27 23:02:30 PST 
(In reply to Fujii Hironori from comment #0)
> Windows Release becomes crashy.
> 
> Buildbot: builder WinCairo-64-bit-Release-Tests build 2839 : 271179@main
> https://build.webkit.org/#/builders/728/builds/2839

Wrong url and regision. 271179@main is green.

Buildbot: builder WinCairo-64-bit-Release-Tests build 2840 : 271184@main
https://build.webkit.org/#/builders/728/builds/2840
Comment 2 Fujii Hironori 2023-11-28 00:28:35 PST 
No reliable way to reproduce the crash. But, the following command is likely reproducing the crash.

> python .\Tools\Scripts\run-webkit-tests --release --child=1 --no-retry --exit-after-n-crash=1 --iter=10 webgl/2.0.y/conformance2/textures/canvas
Comment 3 Fujii Hironori 2023-11-28 00:31:12 PST 
Not only Windows Release build, but also Debug builds are crashy.

Buildbot: builder WinCairo-64-bit-Debug-Tests build 21395 : 271184@main
https://build.webkit.org/#/builders/727/builds/21395

Regressions: Unexpected crashes (4)
  webgl/2.0.0/conformance2/textures/image_bitmap_from_blob/tex-3d-rg16f-rg-half_float.html [ Crash ]
  webgl/2.0.0/conformance2/textures/image_bitmap_from_image_data/tex-3d-rgb565-rgb-unsigned_byte.html [ Crash ]
  webgl/2.0.y/conformance/ogles/GL/operators/operators_017_to_024.html [ Crash ]
  webgl/2.0.y/conformance2/textures/canvas/tex-3d-rg8-rg-unsigned_byte.html [ Crash ]
Comment 4 Fujii Hironori 2023-11-28 00:33:25 PST 
As far as I tryed bisection, 271184@main seems to be the culprit.
Comment 5 Yusuke Suzuki 2023-11-28 03:01:35 PST 
I kind of doubt integrity of the builds on WinCairo buildbots. No other ports are reporting this crash. And from the code, I cannot find the path causing this condition. CallLinkInfoBase's destructor is always unregistering itself. So there is no way to have dangling CallLinkInfo in this linked-list.

Ross, me, and Fujihiro are looking into it. This requires Windows port's debugging since there is no problems on the other ports.
Comment 6 Fujii Hironori 2023-11-28 18:48:15 PST 

*** This bug has been marked as a duplicate of bug 265475 ***