[Webkit-unassigned] [Bug 273467] random crashes under JSC::PolymorphicAccessJITStubRoutine::invalidate
bugzilla-daemon at webkit.org
Tue Apr 30 14:16:34 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=273467
--- Comment #1 from Fujii Hironori <Hironori.Fujii at sony.com> ---
Created attachment 471228
--> https://bugs.webkit.org/attachment.cgi?id=471228&action=review
crashlog WinCairo-64-bit-Debug-Tests 278158 at main
Buildbot: builder WinCairo-64-bit-Debug-Tests build 22553 : 278158 at main
https://build.webkit.org/#/builders/727/builds/22553
Regressions: Unexpected crashes (2)
js/dom/dfg-patchable-get-by-id-after-watchpoint.html [ Crash ]
js/promises-tests/promises-tests-2-3-3.html [ Crash ]
https://build.webkit.org/results/WinCairo-64-bit-Debug-Tests/278158@main%20(22553)/CrashLog_209c_2024-04-30_09-29-29-190.txt
https://build.webkit.org/results/WinCairo-64-bit-Debug-Tests/278158@main%20(22553)/CrashLog_2e94_2024-04-30_09-24-56-460.txt
. 0 Id: 2f74.394 Suspend: 1 Teb: 00000087`88716000 Unfrozen
# Child-SP RetAddr Call Site
00 00000087`888fd5b8 00007ff8`dbc3d7eb JavaScriptCore!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> >::setNext(class WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> > * next = 0xf0000000`00000000)+0x16 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\SentinelLinkedList.h @ 61]
01 00000087`888fd5d0 00007ff8`dbc23473 JavaScriptCore!WTF::SentinelLinkedList<JSC::Watchpoint,WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> > >::remove(class JSC::Watchpoint * node = 0x0000026f`d8f52801)+0x15b [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\SentinelLinkedList.h @ 241]
02 00000087`888fd610 00007ff8`dbe3c6b7 JavaScriptCore!WTF::BasicRawSentinelNode<JSC::Watchpoint,WTF::RawPtrTraits<JSC::Watchpoint> >::remove(void)+0x13 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\SentinelLinkedList.h @ 165]
03 00000087`888fd640 00007ff8`dbe3c55d JavaScriptCore!JSC::WatchpointSet::fireAllWatchpoints(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x00000087`888fd780)+0x147 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 172]
04 00000087`888fd6b0 00007ff8`dbe3e473 JavaScriptCore!JSC::WatchpointSet::fireAllSlow(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x00000087`888fd780)+0x9d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 127]
05 00000087`888fd700 00007ff8`dcad9077 JavaScriptCore!JSC::WatchpointSet::fireAll<JSC::StringFireDetail>(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::StringFireDetail * fireDetails = 0x00000087`888fd780)+0x43 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 226]
06 00000087`888fd750 00007ff8`dbe098d4 JavaScriptCore!JSC::PolymorphicAccessJITStubRoutine::invalidate(void)+0x57 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\GCAwareJITStubRoutine.cpp @ 115]
07 00000087`888fd7a0 00007ff8`dbe3d254 JavaScriptCore!JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal(class JSC::VM * vm = 0x0000026f`d1c2acd0)+0x64 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\StructureStubClearingWatchpoint.cpp @ 59]
08 00000087`888fd7f0 00007ff8`dbe3c293 JavaScriptCore!JSC::Watchpoint::fire::<lambda_1>::operator()<JSC::StructureTransitionStructureStubClearingWatchpoint>(class JSC::StructureTransitionStructureStubClearingWatchpoint * derived = 0x0000026f`d8c02e40)+0x24 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 90]
09 00000087`888fd830 00007ff8`dbe3c173 JavaScriptCore!JSC::Watchpoint::runWithDowncast<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp:88:21'>(class JSC::Watchpoint::fire::<lambda_1> * func = 0x00000087`888fd8c0)+0x103 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 60]
0a 00000087`888fd880 00007ff8`dbe3c7bf JavaScriptCore!JSC::Watchpoint::fire(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0xb3 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 88]
0b 00000087`888fd8e0 00007ff8`dbe3c55d JavaScriptCore!JSC::WatchpointSet::fireAllWatchpoints(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x24f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 158]
0c 00000087`888fd950 00007ff8`dbce40b3 JavaScriptCore!JSC::WatchpointSet::fireAllSlow(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x9d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.cpp @ 127]
0d 00000087`888fd9a0 00007ff8`dbccd662 JavaScriptCore!JSC::WatchpointSet::fireAll<const JSC::FireDetail>(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * fireDetails = 0x0000026f`d8f71ce8)+0x43 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 226]
0e 00000087`888fd9f0 00007ff8`dbdf5cbb JavaScriptCore!JSC::WatchpointSet::invalidate(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x42 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 245]
0f 00000087`888fda40 00007ff8`dbdf5c54 JavaScriptCore!JSC::InlineWatchpointSet::invalidate(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::FireDetail * detail = 0x0000026f`d8f71ce8)+0x4b [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Watchpoint.h @ 366]
10 00000087`888fda90 00007ff8`dbdeaf6d JavaScriptCore!JSC::AccessGenerationResult::fireWatchpoints(class JSC::VM * vm = 0x0000026f`d1c2acd0)+0xd4 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\InlineCacheCompiler.h @ 105]
11 00000087`888fdaf0 00007ff8`dbddb9df JavaScriptCore!JSC::fireWatchpointsAndClearStubIfNeeded(class JSC::VM * vm = 0x0000026f`d1c2acd0, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328, class JSC::CodeBlock * codeBlock = 0x0000026f`d7ed4c40, class JSC::AccessGenerationResult * result = 0x00000087`888fe058)+0x4d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Repatch.cpp @ 217]
12 00000087`888fdb60 00007ff8`dbdd9520 JavaScriptCore!JSC::tryCacheGetBy(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::CodeBlock * codeBlock = 0x0000026f`d7ed4c40, class JSC::JSValue baseValue = class JSC::JSValue, class JSC::CacheableIdentifier propertyName = class JSC::CacheableIdentifier, class JSC::PropertySlot * slot = 0x00000087`888fe430, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328, JSC::GetByKind kind = ById (0n0))+0x22ef [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Repatch.cpp @ 528]
13 00000087`888fe0d0 00007ff8`dcb8a1fb JavaScriptCore!JSC::repatchGetBy(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::CodeBlock * codeBlock = 0x0000026f`d7ed4c40, class JSC::JSValue baseValue = class JSC::JSValue, class JSC::CacheableIdentifier propertyName = class JSC::CacheableIdentifier, class JSC::PropertySlot * slot = 0x00000087`888fe430, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328, JSC::GetByKind kind = ById (0n0))+0xc0 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\bytecode\Repatch.cpp @ 537]
14 00000087`888fe190 00007ff8`dcb89fe8 JavaScriptCore!operationGetByIdOptimize::<lambda_0>::operator()(bool found = true, class JSC::PropertySlot * slot = 0x00000087`888fe430)+0x1db [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp @ 543]
15 00000087`888fe280 00007ff8`dcb67460 JavaScriptCore!JSC::JSValue::getPropertySlot<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp:536:75'>(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::PropertyName propertyName = class JSC::PropertyName, class JSC::PropertySlot * slot = 0x00000087`888fe430, class operationGetByIdOptimize::<lambda_0> * callback = 0x00000087`888fe3f0)+0x218 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\JSCJSValueInlines.h @ 1056]
16 00000087`888fe380 00007ff8`dcb67334 JavaScriptCore!JSC::JSValue::getPropertySlot<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp:536:75'>(class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::PropertyName propertyName = class JSC::PropertyName, class operationGetByIdOptimize::<lambda_0> * callback = 0x00000087`888fe4f0)+0xd0 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\runtime\JSCJSValueInlines.h @ 1048]
17 00000087`888fe4a0 0000026f`8000395a JavaScriptCore!operationGetByIdOptimize(int64 base = 0n2679328938624, class JSC::JSGlobalObject * globalObject = 0x0000026f`d46e0058, class JSC::StructureStubInfo * stubInfo = 0x0000026f`d8d84328)+0x164 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\JavaScriptCore\jit\JITOperations.cpp @ 536]
18 00000087`888fe580 00005d64`00000004 0x0000026f`8000395a
19 00000087`888fe588 00000087`888fe600 0x00005d64`00000004