[Webkit-unassigned] [Bug 265435] New: REGRESSION: [Win] crash under JSC::PolymorphicCallNode::unlinkImpl
bugzilla-daemon at webkit.org
Mon Nov 27 22:54:50 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=265435
Bug ID: 265435
Summary: REGRESSION: [Win] crash under JSC::PolymorphicCallNode::unlinkImpl
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: Hironori.Fujii at sony.com
Windows Release becomes crashy.
Buildbot: builder WinCairo-64-bit-Release-Tests build 2839 : 271179 at main
https://build.webkit.org/#/builders/728/builds/2839
Regressions: Unexpected crashes (5)
http/tests/security/mixedContent/insecure-basic-auth-image.https.html [ Crash ]
webgl/2.0.0/conformance2/glsl3/vector-dynamic-indexing.html [ Crash ]
webgl/2.0.0/conformance2/textures/misc/tex-new-formats.html [ Crash ]
webgl/2.0.y/conformance/ogles/GL/operators/operators_009_to_016.html [ Crash ]
webgl/2.0.y/conformance2/textures/canvas/tex-2d-rgb565-rgb-unsigned_short_5_6_5.html [ Crash ]
https://build.webkit.org/results/WinCairo-64-bit-Release-Tests/271184@main%20(2840)/CrashLog_1f14_2023-11-28_04-26-21-641.txt
. 0 Id: 2de4.41ec Suspend: 1 Teb: 000000c8`251e1000 Unfrozen
# Child-SP RetAddr Call Site
00 (Inline Function) --------`-------- JavaScriptCore!WTF::BasicRawSentinelNode<JSC::CallLinkInfoBase,WTF::PackedPtrTraits<JSC::CallLinkInfoBase> >::setNext [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\SentinelLinkedList.h @ 61]
01 (Inline Function) --------`-------- JavaScriptCore!WTF::SentinelLinkedList<JSC::CallLinkInfoBase,WTF::BasicRawSentinelNode<JSC::CallLinkInfoBase,WTF::PackedPtrTraits<JSC::CallLinkInfoBase> > >::remove+0x6 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\SentinelLinkedList.h @ 240]
02 (Inline Function) --------`-------- JavaScriptCore!WTF::BasicRawSentinelNode<JSC::CallLinkInfoBase,WTF::PackedPtrTraits<JSC::CallLinkInfoBase> >::remove+0x6 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\SentinelLinkedList.h @ 164]
03 000000c8`24ffdf50 00007ff8`e857af05 JavaScriptCore!JSC::PolymorphicCallNode::unlinkImpl(class JSC::VM * vm = <Value unavailable error>)+0x1c2 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\jit\PolymorphicCallStubRoutine.cpp @ 49]
04 (Inline Function) --------`-------- JavaScriptCore!JSC::CallLinkInfoBase::unlink+0x5 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\bytecode\CallLinkInfoBase.cpp @ 43]
05 (Inline Function) --------`-------- JavaScriptCore!JSC::CodeBlock::unlinkIncomingCalls+0x14 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\bytecode\CodeBlock.cpp @ 2106]
06 000000c8`24ffdfc0 00007ff8`e8a118d3 JavaScriptCore!JSC::CodeBlock::~CodeBlock(void)+0x115 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\bytecode\CodeBlock.cpp @ 866]
07 (Inline Function) --------`-------- JavaScriptCore!JSC::DefaultDestroyFunc::operator()+0x18 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\HeapCellType.cpp @ 46]
08 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedBlock::Handle::specializedSweep<1,1,0,1,0,1,1,JSC::DefaultDestroyFunc>::<lambda_1>::operator()+0x20 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 282]
09 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedBlock::Handle::specializedSweep<1,1,0,1,0,1,1,JSC::DefaultDestroyFunc>::<lambda_3>::operator()+0x24 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 352]
0a 000000c8`24ffe020 00007ff8`e8a0fd1e JavaScriptCore!JSC::MarkedBlock::Handle::specializedSweep<1,1,0,1,0,1,1,JSC::DefaultDestroyFunc>(class JSC::FreeList * freeList = <Value unavailable error>, JSC::MarkedBlock::Handle::EmptyMode emptyMode = <Value unavailable error>, JSC::MarkedBlock::Handle::SweepMode sweepMode = <Value unavailable error>, JSC::MarkedBlock::Handle::SweepDestructionMode destructionMode = <Value unavailable error>, JSC::MarkedBlock::Handle::ScribbleMode scribbleMode = <Value unavailable error>, JSC::MarkedBlock::Handle::NewlyAllocatedMode newlyAllocatedMode = <Value unavailable error>, JSC::MarkedBlock::Handle::MarksMode marksMode = <Value unavailable error>, struct JSC::DefaultDestroyFunc * destroyFunc = 0x000000c8`24ffe1b8)+0x133 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 401]
0b 000000c8`24ffe070 00007ff8`e8a085c9 JavaScriptCore!JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::DefaultDestroyFunc>::<lambda_1>::operator()(void)+0x11e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 476]
0c 000000c8`24ffe0c0 00007ff8`e8a08426 JavaScriptCore!JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::DefaultDestroyFunc>(class JSC::FreeList * freeList = <Value unavailable error>, struct JSC::DefaultDestroyFunc * destroyFunc = 0x000000c8`24ffe1b8)+0x189 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlockInlines.h @ 498]
0d 000000c8`24ffe190 00007ff8`e8a1c8b5 JavaScriptCore!JSC::HeapCellType::finishSweep(class JSC::MarkedBlock::Handle * block = <Value unavailable error>, class JSC::FreeList * freeList = <Value unavailable error>)+0x26 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\HeapCellType.cpp @ 61]
0e 000000c8`24ffe1d0 00007ff8`e89d692a JavaScriptCore!JSC::MarkedBlock::Handle::sweep(class JSC::FreeList * freeList = <Value unavailable error>)+0x135 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedBlock.cpp @ 480]
0f (Inline Function) --------`-------- JavaScriptCore!JSC::BlockDirectory::sweep::<lambda_7>::operator()+0x16 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\BlockDirectory.cpp @ 299]
10 (Inline Function) --------`-------- JavaScriptCore!WTF::FastBitVectorImpl<JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView<6> >::forEachSetBit+0x68 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\FastBitVector.h @ 348]
11 000000c8`24ffe2c0 00007ff8`e8a1e968 JavaScriptCore!JSC::BlockDirectory::sweep(void)+0x7a [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\BlockDirectory.cpp @ 296]
12 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedSpace::sweepBlocks::<lambda_10>::operator()+0x8 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedSpace.cpp @ 223]
13 (Inline Function) --------`-------- JavaScriptCore!JSC::MarkedSpace::forEachDirectory+0x1c [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedSpace.h @ 245]
14 000000c8`24ffe320 00007ff8`e89e161b JavaScriptCore!JSC::MarkedSpace::sweepBlocks(void)+0x38 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\MarkedSpace.cpp @ 221]
15 000000c8`24ffe350 00007ff8`e89e1d89 JavaScriptCore!JSC::Heap::sweepSynchronously(void)+0xdb [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1185]
16 000000c8`24ffe3e0 00007ff8`d6249a32 JavaScriptCore!JSC::Heap::collectNow(JSC::Synchronousness synchronousness = <Value unavailable error>, struct JSC::GCRequest * request = 0x00000000`00000101)+0x1d9 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\JavaScriptCore\heap\Heap.cpp @ 1235]
17 000000c8`24ffe450 00007ff8`d62f2b88 WebCore!WebCore::GCController::garbageCollectNow(void)+0x92 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\GCController.cpp @ 97]
18 (Inline Function) --------`-------- WebCore!WebCore::collectGarbageAfterWindowProxyDestruction+0x4e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\WindowProxy.cpp @ 52]
19 000000c8`24ffe4a0 00007ff8`d6b2f67f WebCore!WebCore::WindowProxy::detachFromFrame(void)+0x148 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\WindowProxy.cpp @ 87]
1a 000000c8`24ffe500 00007ff8`d6b49d15 WebCore!WebCore::Frame::~Frame(void)+0x1f [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\Frame.cpp @ 58]
1b 000000c8`24ffe540 00007ff8`d6b6b000 WebCore!WebCore::LocalFrame::~LocalFrame(void)+0x275 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalFrame.cpp @ 221]
1c 000000c8`24ffe5c0 00007ff8`d6b5117e WebCore!WebCore::LocalFrame::~LocalFrame(int should_call_delete = 0n1)+0x10 [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalFrame.cpp @ 197]
1d (Inline Function) --------`-------- WebCore!WTF::ThreadSafeRefCounted<WebCore::Frame,1>::deref+0x3a [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\ThreadSafeRefCounted.h @ 121]
1e (Inline Function) --------`-------- WebCore!WTF::Ref<WebCore::LocalFrame,WTF::RawPtrTraits<WebCore::LocalFrame> >::~Ref+0x51 [C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h @ 61]
1f 000000c8`24ffe600 00007ff8`d6b6b030 WebCore!WebCore::LocalFrameView::~LocalFrameView(void)+0x72e [C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\page\LocalFrameView.cpp @ 257]
(..)