[Webkit-unassigned] [Bug 209847] [WinCairo][WK2] random crashes by 0xC0000374 (STATUS_HEAP_CORRUPTION) in UI process

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 16 14:12:10 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=209847

--- Comment #23 from Fujii Hironori <Hironori.Fujii at sony.com> ---
Created attachment 396697

  --> https://bugs.webkit.org/attachment.cgi?id=396697&action=review

crash logs.zip

It's easy to get the crash by turning mimalloc's secure feature on (MI_SECURE=4).
The free list was broken. Buffer overrun or use-after-free?

> #  6  Id: 3c50.20a0 Suspend: 1 Teb: 000000b8`5e65c000 Unfrozen
>  # Child-SP          RetAddr           Call Site
> 00 000000b8`5eefede0 00007ffc`25776326 ucrtbase!abort+0x4e
> 01 (Inline Function) --------`-------- WTF!mi_error_default+0xb [C:\work\mimalloc\src\options.c @ 348]
> 02 000000b8`5eefee10 00007ffc`25778f9f WTF!_mi_error_message(int err = 0n14, char * fmt = 0x00007ffc`25784e78 "corrupted free list entry of size %zub at %p: value 0x%zx.")+0x186 [C:\work\mimalloc\src\options.c @ 369]
> 03 (Inline Function) --------`-------- WTF!mi_block_next+0xaf [C:\work\mimalloc\include\mimalloc-internal.h @ 613]
> 04 (Inline Function) --------`-------- WTF!_mi_page_thread_free_collect+0xef [C:\work\mimalloc\src\page.c @ 173]
> 05 000000b8`5eeff080 00007ffc`2577570a WTF!_mi_page_free_collect(struct mi_page_s * page = 0x00000646`d0000488, bool force = false)+0x11f [C:\work\mimalloc\src\page.c @ 196]
> 06 000000b8`5eeff0f0 00007ffc`25778bfd WTF!_mi_free_delayed_block(struct mi_block_s * block = 0x00000646`d00dd700)+0x4a [C:\work\mimalloc\src\alloc.c @ 466]
> 07 (Inline Function) --------`-------- WTF!_mi_heap_delayed_free+0x5a [C:\work\mimalloc\src\page.c @ 286]
> 08 000000b8`5eeff120 00007ffc`2577526e WTF!_mi_malloc_generic(struct mi_heap_s * heap = 0x000001c6`cabf0000, unsigned int64 size = 0x60)+0xed [C:\work\mimalloc\src\page.c @ 793]
> 09 (Inline Function) --------`-------- WTF!_mi_page_malloc+0xe [C:\work\mimalloc\src\alloc.c @ 28]
> 0a (Inline Function) --------`-------- WTF!mi_heap_malloc_small+0x1b [C:\work\mimalloc\src\alloc.c @ 66]
> 0b 000000b8`5eeff170 00007ffc`25709149 WTF!mi_heap_malloc(struct mi_heap_s * heap = <Value unavailable error>, unsigned int64 size = <Value unavailable error>)+0x2e [C:\work\mimalloc\src\alloc.c @ 84]
> 0c 000000b8`5eeff1a0 00007ffc`18ac531c WTF!WTF::fastMalloc(unsigned int64 n = <Value unavailable error>)+0x9 [S:\gb\Source\WTF\wtf\FastMalloc.cpp @ 202]
> 0d (Inline Function) --------`-------- WebKit2!IPC::Decoder::operator new+0x17 [S:\gb\Source\WebKit\Platform\IPC\Decoder.h @ 45]
> 0e (Inline Function) --------`-------- WebKit2!std::make_unique+0x17 [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\memory @ 2064]
> 0f (Inline Function) --------`-------- WebKit2!WTF::makeUnique+0x17 [S:\gb\WebKitBuild\Release\WTF\Headers\wtf\StdLibExtras.h @ 483]
> 10 000000b8`5eeff1d0 00007ffc`25773e1e WebKit2!IPC::Connection::readEventHandler(void)+0xcc [S:\gb\Source\WebKit\Platform\IPC\win\ConnectionWin.cpp @ 143]
> 11 (Inline Function) --------`-------- WTF!WTF::Function<void __cdecl+0x9 [S:\gb\Source\WTF\wtf\Function.h @ 84]
> 12 (Inline Function) --------`-------- WTF!WTF::WorkQueue::performWorkOnRegisteredWorkThread+0x7a [S:\gb\Source\WTF\wtf\win\WorkQueueWin.cpp @ 62]
> 13 000000b8`5eeff260 00007ffc`5c70f655 WTF!WTF::WorkQueue::workThreadCallback(void * context = 0x00000646`cec267b0)+0x9e [S:\gb\Source\WTF\wtf\win\WorkQueueWin.cpp @ 42]
> 14 000000b8`5eeff2c0 00007ffc`5c7145b4 ntdll!RtlpTpWorkCallback+0x165
> 15 000000b8`5eeff3a0 00007ffc`5b597bd4 ntdll!TppWorkerThread+0x8d4
> 16 000000b8`5eeff760 00007ffc`5c74ce51 KERNEL32!BaseThreadInitThunk+0x14
> 17 000000b8`5eeff790 00000000`00000000 ntdll!RtlUserThreadStart+0x21
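
The frames above show mimalloc's secure-mode check firing: `mi_block_next` decoded a free-list link that did not pass validation and `_mi_error_message` reported "corrupted free list entry". The following is an added example, not code from mimalloc or WebKit, that models why a heap overrun or use-after-free surfaces there rather than at the buggy write: free-list links are stored encoded with a per-page secret, and every decoded link must land inside the page on a block boundary before the allocator trusts it. The page layout, the single-key XOR/rotate encoding, and the names (`page_t`, `block_alloc`, `link_is_valid`) are this example's own simplifications; mimalloc's real encoding and page structure differ. mimalloc's CMake option `MI_SECURE=ON` builds with the `MI_SECURE=4` define the comment refers to.

```c
/*
 * Added example (not mimalloc's or WebKit's code): a simplified model of how a
 * hardened allocator in secure mode detects a corrupted free-list entry.
 * Block "next" links are stored encoded with a per-page secret; on pop, the
 * decoded link must fall inside the page and be block-aligned, otherwise the
 * allocator reports corruption instead of dereferencing it.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 32u
#define NUM_BLOCKS 8u

typedef struct {
    uint8_t   mem[BLOCK_SIZE * NUM_BLOCKS]; /* backing storage for the blocks */
    uintptr_t key;                          /* per-page secret used to encode links */
    uintptr_t free_head;                    /* encoded pointer to the first free block */
    int       corrupted;                    /* set when a decoded link fails validation */
} page_t;

static uintptr_t rotl(uintptr_t x, unsigned r) {
    r %= (unsigned)(sizeof(uintptr_t) * 8);
    return r ? (x << r) | (x >> (sizeof(uintptr_t) * 8 - r)) : x;
}
static uintptr_t rotr(uintptr_t x, unsigned r) {
    r %= (unsigned)(sizeof(uintptr_t) * 8);
    return r ? (x >> r) | (x << (sizeof(uintptr_t) * 8 - r)) : x;
}

/* Encode/decode a link: XOR with the secret, then rotate. A stray write that
 * lands on a stored link decodes to garbage rather than to a chosen address. */
static uintptr_t encode(const page_t *pg, void *p) { return rotl((uintptr_t)p ^ pg->key, 13); }
static void *decode(const page_t *pg, uintptr_t v) { return (void *)(rotr(v, 13) ^ pg->key); }

/* Validity check performed before trusting a decoded link: NULL (end of list)
 * is fine; anything else must lie inside this page and start at a block boundary. */
static int link_is_valid(const page_t *pg, const void *p) {
    if (p == NULL) return 1;
    uintptr_t start = (uintptr_t)pg->mem, end = start + sizeof pg->mem;
    uintptr_t a = (uintptr_t)p;
    return a >= start && a < end && ((a - start) % BLOCK_SIZE) == 0;
}

/* Thread all blocks onto the free list, last block first, so block 0 is handed out first. */
static void page_init(page_t *pg, uintptr_t key) {
    memset(pg->mem, 0, sizeof pg->mem);
    pg->key = key;
    pg->corrupted = 0;
    pg->free_head = encode(pg, NULL);
    for (int i = NUM_BLOCKS - 1; i >= 0; i--) {
        uintptr_t *link = (uintptr_t *)(pg->mem + i * BLOCK_SIZE);
        *link = pg->free_head;                 /* stored link = encoded next */
        pg->free_head = encode(pg, (void *)link);
    }
}

/* Pop a block. Returns NULL if the list is empty or if the head's stored link
 * fails validation, in which case the page is flagged as corrupted. */
static void *block_alloc(page_t *pg) {
    void *head = decode(pg, pg->free_head);
    if (head == NULL) return NULL;
    void *next = decode(pg, *(uintptr_t *)head);
    if (!link_is_valid(pg, next)) {
        pg->corrupted = 1;  /* this is where mimalloc aborts with "corrupted free list entry" */
        return NULL;
    }
    pg->free_head = encode(pg, next);
    return head;
}

/* Scenario: allocate one block, then overrun it by 8 bytes into the neighbouring
 * free block, whose first word is its stored link. The next allocation decodes
 * that clobbered link, fails the in-page check and reports corruption.
 * Returns 1 when the corruption is detected. (The overrun stays inside pg.mem.) */
static int demo_overrun_is_detected(void) {
    page_t pg;
    page_init(&pg, 0x5DEECE66DULL);           /* constructed secret for the example */
    uint8_t *a = block_alloc(&pg);
    if (!a) return -1;
    memset(a, 0x41, BLOCK_SIZE + 8);          /* the bug: writes past the block */
    void *b = block_alloc(&pg);               /* neighbour's link is now garbage */
    return (b == NULL && pg.corrupted) ? 1 : 0;
}

/* Control: same page without the overrun; every block is served (returns NUM_BLOCKS). */
static int demo_clean_allocs(void) {
    page_t pg;
    page_init(&pg, 0x5DEECE66DULL);
    int n = 0;
    while (block_alloc(&pg) != NULL) n++;
    return pg.corrupted ? -1 : n;
}

int main(void) {
    printf("overrun detected: %s\n", demo_overrun_is_detected() == 1 ? "yes" : "no");
    printf("clean allocations served: %d\n", demo_clean_allocs());
    return 0;
}
```

The point for triage is the one the stack trace illustrates: the abort happens in a later `malloc` that walks the free list, on a work-queue thread that may have nothing to do with the code that corrupted the neighbouring block. Secure mode turns a silent corruption into an early, deterministic abort, which is why enabling it makes the bug reproduce easily; pinpointing the offending write still needs a tool that checks at the write itself (page heap, Application Verifier, or an ASan build).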
