[Webkit-unassigned] [Bug 209847] [WinCairo][WK2] random crashes by heap corruption

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 31 22:11:33 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=209847

--- Comment #4 from Fujii Hironori <Hironori.Fujii at sony.com> ---
Backtraces from the log:

CrashLog_0a48_2020-03-31_15-40-57-287.txt

.  0  Id: 4f8.1a48 Suspend: 1 Teb: 00000093`a6d5c000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 00000093`a6efa370 00007ffc`fe479273 ntdll!RtlIsNonEmptyDirectoryReparsePointAllowed+0xe9
01 00000093`a6efa3c0 00007ffc`fe481662 ntdll!RtlIsNonEmptyDirectoryReparsePointAllowed+0xb3
02 00000093`a6efa4b0 00007ffc`fe48196a ntdll!RtlpNtMakeTemporaryKey+0x492
03 00000093`a6efa4e0 00007ffc`fe48a929 ntdll!RtlpNtMakeTemporaryKey+0x79a
04 00000093`a6efa510 00007ffc`fe3be511 ntdll!RtlpNtMakeTemporaryKey+0x9759
05 00000093`a6efa540 00007ffc`fe3bbabb ntdll!RtlAllocateHeap+0x2ca1
06 00000093`a6efa720 00007ffc`fe3dc02c ntdll!RtlAllocateHeap+0x24b
07 00000093`a6efa830 00007ffc`fe3dbd97 ntdll!RtlCreateProcessParametersWithTemplate+0x39c
08 00000093`a6efa8e0 00007ffc`fb66d078 ntdll!RtlCreateProcessParametersWithTemplate+0x107
09 00000093`a6efa960 00007ffc`fb66f1dd KERNELBASE!IsProcessInJob+0x258
0a 00000093`a6efae30 00007ffc`fb66bdc6 KERNELBASE!CreateProcessInternalW+0x1d2d
0b 00000093`a6efbf80 00007ffc`fdbdbe93 KERNELBASE!CreateProcessW+0x66
0c 00000093`a6efbff0 00007ffc`dadecc79 KERNEL32!CreateProcessW+0x53
0d 00000093`a6efc050 00007ffc`db096fcb WebKit2!WebKit::ProcessLauncher::launchProcess(void)+0x499 [C:\jenkins_slave\WinCairo-master\Source\WebKit\UIProcess\Launcher\win\ProcessLauncherWin.cpp @ 105]
0e 00000093`a6efc3d0 00007ffc`dafff52d WebKit2!WebKit::ProcessLauncher::ProcessLauncher(class WebKit::ProcessLauncher::Client * client = <Value unavailable error>, struct WebKit::ProcessLauncher::LaunchOptions * launchOptions = <Value unavailable error>)+0x6b [C:\jenkins_slave\WinCairo-master\Source\WebKit\UIProcess\Launcher\ProcessLauncher.cpp @ 41]
0f (Inline Function) --------`-------- WebKit2!WebKit::ProcessLauncher::create+0x1c [C:\jenkins_slave\WinCairo-master\Source\WebKit\UIProcess\Launcher\ProcessLauncher.h @ 92]
10 00000093`a6efc400 00007ffc`db09ae62 WebKit2!WebKit::AuxiliaryProcessProxy::connect(void)+0x5d [C:\jenkins_slave\WinCairo-master\Source\WebKit\UIProcess\AuxiliaryProcessProxy.cpp @ 97]
11 00000093`a6efc480 00007ffc`db04e45b WebKit2!WebKit::NetworkProcessProxy::NetworkProcessProxy(class WebKit::WebProcessPool * processPool = 0x00000282`4c739ab0)+0xb2 [C:\jenkins_slave\WinCairo-master\Source\WebKit\UIProcess\Network\NetworkProcessProxy.cpp @ 95]
12 (Inline Function) --------`-------- WebKit2!std::make_unique+0x19 [C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Tools\MSVC\14.24.28314\include\memory @ 2055]
13 (Inline Function) --------`-------- WebKit2!WTF::makeUnique+0x19 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\StdLibExtras.h @ 483]
14 00000093`a6efc500 00007ffc`db0b93db WebKit2!WebKit::WebProcessPool::ensureNetworkProcess(class WebKit::WebsiteDataStore * withWebsiteDataStore = 0x00000282`49f9fed0)+0x13b [C:\jenkins_slave\WinCairo-master\Source\WebKit\UIProcess\WebProcessPool.cpp @ 505]
15 00000093`a6efc960 00007ffc`db08c6bd WebKit2!WebKit::WebsiteDataStore::removeData(class WTF::OptionSet<WebKit::WebsiteDataType> dataTypes = <Value unavailable error>, class WTF::WallTime modifiedSince = class WTF::WallTime, class WTF::Function<void ()> * completionHandler = <Value unavailable error>)+0x28b [C:\jenkins_slave\WinCairo-master\Source\WebKit\UIProcess\WebsiteData\WebsiteDataStore.cpp @ 726]
16 00000093`a6efca30 00007ffc`e462681c WebKit2!WKWebsiteDataStoreRemoveAllServiceWorkerRegistrations(struct OpaqueWKWebsiteDataStore * dataStoreRef = <Value unavailable error>, void * context = 0x00000093`a6efcae8, <function> * callback = 0x00007ffc`e4631a30)+0x5d [C:\jenkins_slave\WinCairo-master\Source\WebKit\UIProcess\API\C\WKWebsiteDataStoreRef.cpp @ 662]
17 (Inline Function) --------`-------- WebKitTestRunnerLib!WTR::TestController::clearServiceWorkerRegistrations+0x29 [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\TestController.cpp @ 3172]
18 00000093`a6efca80 00007ffc`e46261c9 WebKitTestRunnerLib!WTR::TestController::resetStateToConsistentValues(struct WTR::TestOptions * options = 0x00000093`a6efcb88, WTR::TestController::ResetStage resetStage = BeforeTest (0n0))+0x2dc [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\TestController.cpp @ 1033]
19 00000093`a6efcb50 00007ffc`e462b421 WebKitTestRunnerLib!WTR::TestController::ensureViewSupportsOptionsForTest(class WTR::TestInvocation * test = <Value unavailable error>)+0x189 [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\TestController.cpp @ 822]
1a 00000093`a6efcc80 00007ffc`e4640ccd WebKitTestRunnerLib!WTR::TestController::configureViewForTest(class WTR::TestInvocation * test = 0x00000282`4c763510)+0x11 [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\TestController.cpp @ 1561]
1b 00000093`a6efccc0 00007ffc`e462c22f WebKitTestRunnerLib!WTR::TestInvocation::invoke(void)+0x2d [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\TestInvocation.cpp @ 161]
1c 00000093`a6efcd20 00007ffc`e462c72c WebKitTestRunnerLib!WTR::TestController::runTest(char * inputLine = <Value unavailable error>)+0xb6f [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\TestController.cpp @ 1781]
1d 00000093`a6efcff0 00007ffc`e46220ea WebKitTestRunnerLib!WTR::TestController::runTestingServerLoop(void)+0x9c [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\TestController.cpp @ 1815]
1e (Inline Function) --------`-------- WebKitTestRunnerLib!WTR::TestController::run+0xe [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\TestController.cpp @ 1834]
1f 00000093`a6efd840 00007ffc`e465b40c WebKitTestRunnerLib!WTR::TestController::TestController(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0x12a [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\TestController.cpp @ 167]
20 00000093`a6efd890 00007ff7`8cf31734 WebKitTestRunnerLib!dllLauncherEntryPoint(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0x2c [C:\jenkins_slave\WinCairo-master\Tools\WebKitTestRunner\win\main.cpp @ 34]
21 00000093`a6efda50 00007ff7`8cf3321c WebKitTestRunner!main(int argc = 0n2, char ** argv = 0x00000282`49f96ac0)+0x734 [C:\jenkins_slave\WinCairo-master\Tools\win\DLLLauncher\DLLLauncherMain.cpp @ 218]
22 (Inline Function) --------`-------- WebKitTestRunner!invoke_main+0x22 [d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
23 00000093`a6effdb0 00007ffc`fdbd7bd4 WebKitTestRunner!__scrt_common_main_seh(void)+0x10c [d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
24 00000093`a6effdf0 00007ffc`fe3eced1 KERNEL32!BaseThreadInitThunk+0x14
25 00000093`a6effe20 00000000`00000000 ntdll!RtlUserThreadStart+0x21

CrashLog_13dc_2020-03-31_16-32-33-206.txt

#  2  Id: 1810.102c Suspend: 1 Teb: 000000ce`9fba2000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 000000ce`a00ff220 00007ffc`fe479273 ntdll!RtlIsNonEmptyDirectoryReparsePointAllowed+0xe9
01 000000ce`a00ff270 00007ffc`fe481662 ntdll!RtlIsNonEmptyDirectoryReparsePointAllowed+0xb3
02 000000ce`a00ff360 00007ffc`fe48196a ntdll!RtlpNtMakeTemporaryKey+0x492
03 000000ce`a00ff390 00007ffc`fe48a929 ntdll!RtlpNtMakeTemporaryKey+0x79a
04 000000ce`a00ff3c0 00007ffc`fe3be511 ntdll!RtlpNtMakeTemporaryKey+0x9759
05 000000ce`a00ff3f0 00007ffc`fe3bbabb ntdll!RtlAllocateHeap+0x2ca1
06 000000ce`a00ff5d0 00007ffc`fb982596 ntdll!RtlAllocateHeap+0x24b
07 000000ce`a00ff6e0 00007ffc`e44d9b7a ucrtbase!malloc_base+0x36
08 000000ce`a00ff710 00007ffc`dafc4a5f WTF!WTF::fastMalloc(unsigned int64 n = <Value unavailable error>)+0xa [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\FastMalloc.cpp @ 202]
09 (Inline Function) --------`-------- WebKit2!IPC::copyBuffer+0x9 [C:\jenkins_slave\WinCairo-master\Source\WebKit\Platform\IPC\Decoder.cpp @ 41]
0a 000000ce`a00ff740 00007ffc`dade6941 WebKit2!IPC::Decoder::Decoder(unsigned char * buffer = 0x000001e2`cdf91f00 "", unsigned int64 bufferSize = 0x4e4, <function> * bufferDeallocator = 0x00000000`00000000, class WTF::Vector<IPC::Attachment,0,WTF::CrashOnOverflow,16,WTF::FastMalloc> * attachments = 0x000000ce`a00ff7e0)+0x2f [C:\jenkins_slave\WinCairo-master\Source\WebKit\Platform\IPC\Decoder.cpp @ 53]
0b (Inline Function) --------`-------- WebKit2!std::make_unique+0x24 [C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Tools\MSVC\14.24.28314\include\memory @ 2055]
0c (Inline Function) --------`-------- WebKit2!WTF::makeUnique+0x24 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\StdLibExtras.h @ 483]
0d 000000ce`a00ff7a0 00007ffc`e455242a WebKit2!IPC::Connection::readEventHandler(void)+0xe1 [C:\jenkins_slave\WinCairo-master\Source\WebKit\Platform\IPC\win\ConnectionWin.cpp @ 144]
0e (Inline Function) --------`-------- WTF!WTF::Function<void +0x1e [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\Function.h @ 84]
0f 000000ce`a00ff860 00007ffc`e455236e WTF!WTF::WorkQueue::performWorkOnRegisteredWorkThread(void)+0x8a [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\win\WorkQueueWin.cpp @ 61]
10 000000ce`a00ff8e0 00007ffc`fe3af6d5 WTF!WTF::WorkQueue::workThreadCallback(void * context = 0x000001e2`ce95d650)+0x1e [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\win\WorkQueueWin.cpp @ 44]
11 000000ce`a00ff910 00007ffc`fe3b4634 ntdll!LdrUnloadDll+0x325
12 000000ce`a00ff9f0 00007ffc`fdbd7bd4 ntdll!RtlInitializeResource+0xce4
13 000000ce`a00ffdb0 00007ffc`fe3eced1 KERNEL32!BaseThreadInitThunk+0x14
14 000000ce`a00ffde0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

CrashLog_1518_2020-03-31_16-30-30-093.txt

#  2  Id: 15fc.1b50 Suspend: 1 Teb: 0000006c`30e3b000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 0000006c`313ff0a0 00007ffc`fe479273 ntdll!RtlIsNonEmptyDirectoryReparsePointAllowed+0xe9
01 0000006c`313ff0f0 00007ffc`fe481662 ntdll!RtlIsNonEmptyDirectoryReparsePointAllowed+0xb3
02 0000006c`313ff1e0 00007ffc`fe48196a ntdll!RtlpNtMakeTemporaryKey+0x492
03 0000006c`313ff210 00007ffc`fe48a929 ntdll!RtlpNtMakeTemporaryKey+0x79a
04 0000006c`313ff240 00007ffc`fe3be511 ntdll!RtlpNtMakeTemporaryKey+0x9759
05 0000006c`313ff270 00007ffc`fe3bbabb ntdll!RtlAllocateHeap+0x2ca1
06 0000006c`313ff450 00007ffc`fb982596 ntdll!RtlAllocateHeap+0x24b
07 0000006c`313ff560 00007ffc`e44d9b7a ucrtbase!malloc_base+0x36
08 0000006c`313ff590 00007ffc`dade6be4 WTF!WTF::fastMalloc(unsigned int64 n = <Value unavailable error>)+0xa [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\FastMalloc.cpp @ 202]
09 (Inline Function) --------`-------- WebKit2!WTF::FastMalloc::malloc+0x6 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\FastMalloc.h @ 195]
0a (Inline Function) --------`-------- WebKit2!WTF::VectorBufferBase<unsigned char,WTF::FastMalloc>::allocateBuffer+0x20 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 292]
0b (Inline Function) --------`-------- WebKit2!WTF::Vector<unsigned char,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::reserveCapacity+0x25 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 1189]
0c (Inline Function) --------`-------- WebKit2!WTF::Vector<unsigned char,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::expandCapacity+0x174 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 1047]
0d (Inline Function) --------`-------- WebKit2!WTF::Vector<unsigned char,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::grow+0x18c [C:\jenkins_slave\WinCairo-master\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 1128]
0e 0000006c`313ff5c0 00007ffc`e455242a WebKit2!IPC::Connection::readEventHandler(void)+0x384 [C:\jenkins_slave\WinCairo-master\Source\WebKit\Platform\IPC\win\ConnectionWin.cpp @ 124]
0f (Inline Function) --------`-------- WTF!WTF::Function<void +0x1e [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\Function.h @ 84]
10 0000006c`313ff680 00007ffc`e455236e WTF!WTF::WorkQueue::performWorkOnRegisteredWorkThread(void)+0x8a [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\win\WorkQueueWin.cpp @ 61]
11 0000006c`313ff700 00007ffc`fe3af6d5 WTF!WTF::WorkQueue::workThreadCallback(void * context = 0x00000236`4ab6e390)+0x1e [C:\jenkins_slave\WinCairo-master\Source\WTF\wtf\win\WorkQueueWin.cpp @ 44]
12 0000006c`313ff730 00007ffc`fe3b4634 ntdll!LdrUnloadDll+0x325
13 0000006c`313ff810 00007ffc`fdbd7bd4 ntdll!RtlInitializeResource+0xce4
14 0000006c`313ffbd0 00007ffc`fe3eced1 KERNEL32!BaseThreadInitThunk+0x14
15 0000006c`313ffc00 00000000`00000000 ntdll!RtlUserThreadStart+0x21
