[Webkit-unassigned] [Bug 254633] New: REGRESSION: JSC: Crash under JSC::MarkedBlock::aboutToMark

bugzilla-daemon at webkit.org
Tue Mar 28 17:12:12 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=254633

            Bug ID: 254633
           Summary: REGRESSION: JSC: Crash under
                    JSC::MarkedBlock::aboutToMark
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Hironori.Fujii at sony.com

REGRESSION: JSC: Crash under JSC::MarkedBlock::aboutToMark

WinCairo Release MiniBrowser is crashing or freezing just by loading
https://news.yahoo.co.jp/articles/c5dbf98ce2bd908c9d05b55f413a2bcd11892c64 today.

262131 at main: Bad
261847 at main: Good

Exception thrown at 0x00007FFA6EF30757 (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation writing location 0x00007F0041C80038.

>	[Inline Frame] JavaScriptCore.dll!std::_Atomic_storage<unsigned char,1>::compare_exchange_strong(unsigned char &) Line 756	C++
        [Inline Frame] JavaScriptCore.dll!std::atomic<unsigned char>::compare_exchange_weak(unsigned char &) Line 2207  C++
        [Inline Frame] JavaScriptCore.dll!WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char) Line 89        C++
        [Inline Frame] JavaScriptCore.dll!WTF::LockAlgorithm<unsigned char,1,2,WTF::EmptyLockHooks<unsigned char>>::lockFastAssumingZero(WTF::Atomic<unsigned char> &) Line 53  C++
        [Inline Frame] JavaScriptCore.dll!WTF::Lock::lock() Line 65     C++
        [Inline Frame] JavaScriptCore.dll!WTF::Locker<WTF::Lock>::{ctor}(WTF::Lock &) Line 158  C++
        JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 207      C++
        [Inline Frame] JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 586   C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell *) Line 57    C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 70       C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::append(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> &) Line 110    C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> *) Line 139      C++
        JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 384   C++
        [Inline Frame] JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell *) Line 115       C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell *) Line 394 C++
        JavaScriptCore.dll!JSC::SlotVisitor::drain::__l9::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504  C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack(const JSC::SlotVisitor::drain::__l9::<lambda_1> &) Line 184        C++
        JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494 C++
        JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 694    C++
        JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400   C++
        WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113       C++
        WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 203        C++
        WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 230    C++
        [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 82  C++
        WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250      C++
        WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151  C++
        ucrtbase.dll!00007ffaf1f61bb2() Unknown
        kernel32.dll!00007ffaf30e7614() Unknown
        ntdll.dll!00007ffaf45026a1()    Unknown

Exception thrown at 0x00007FFA6EF3074F (JavaScriptCore.dll) in WebKitWebProcess.exe: 0xC0000005: Access violation reading location 0x0000000000000018.

>	JavaScriptCore.dll!JSC::MarkedBlock::aboutToMarkSlow(unsigned int markingVersion) Line 204	C++
        [Inline Frame] JavaScriptCore.dll!JSC::MarkedBlock::aboutToMark(unsigned int markingVersion) Line 586   C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSCell *) Line 57    C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendUnbarriered(JSC::JSValue value) Line 70       C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::append(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> &) Line 110    C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::appendValues(const JSC::WriteBarrierBase<enum JSC::Unknown,WTF::RawValueTraits<enum JSC::Unknown>> *) Line 139      C++
        JavaScriptCore.dll!JSC::JSBoundFunction::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell * cell, JSC::SlotVisitor & visitor) Line 384   C++
        [Inline Frame] JavaScriptCore.dll!JSC::MethodTable::visitChildren(JSC::JSCell *) Line 115       C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::visitChildren(const JSC::JSCell *) Line 394 C++
        JavaScriptCore.dll!JSC::SlotVisitor::drain::__l9::<lambda_1>::operator()(JSC::MarkStackArray & stack) Line 504  C++
        [Inline Frame] JavaScriptCore.dll!JSC::SlotVisitor::forEachMarkStack(const JSC::SlotVisitor::drain::__l9::<lambda_1> &) Line 184        C++
        JavaScriptCore.dll!JSC::SlotVisitor::drain(WTF::MonotonicTime timeout) Line 494 C++
        JavaScriptCore.dll!JSC::SlotVisitor::drainFromShared(JSC::SlotVisitor::SharedDrainMode sharedDrainMode, WTF::MonotonicTime timeout) Line 694    C++
        JavaScriptCore.dll!JSC::Heap::runBeginPhase::__l2::<lambda_2>::operator()() Line 1400   C++
        WTF.dll!WTF::ParallelHelperClient::runTask(const WTF::RefPtr<WTF::SharedTask<void __cdecl(void)>,WTF::RawPtrTraits<WTF::SharedTask<void __cdecl(void)>>,WTF::DefaultRefDerefTraits<WTF::SharedTask<void __cdecl(void)>>> & task) Line 113       C++
        WTF.dll!WTF::ParallelHelperPool::Thread::work() Line 203        C++
        WTF.dll!WTF::AutomaticThread::start::__l2::<lambda_1>::operator()() Line 230    C++
        [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 82  C++
        WTF.dll!WTF::Thread::entryPoint(WTF::Thread::NewThreadContext * newThreadContext) Line 250      C++
        WTF.dll!WTF::wtfThreadEntryPoint(void * data) Line 151  C++
        ucrtbase.dll!00007ffaf1f61bb2() Unknown
        kernel32.dll!00007ffaf30e7614() Unknown
        ntdll.dll!00007ffaf45026a1()    Unknown
