[Webkit-unassigned] [Bug 270882] New: [WinCairo] WebKitWebProcess crashes on flutter demo page
bugzilla-daemon at webkit.org
Tue Mar 12 17:07:34 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=270882
Bug ID: 270882
Summary: [WinCairo] WebKitWebProcess crashes on flutter demo page
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Windows 10
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore JavaScript
Assignee: webkit-unassigned at lists.webkit.org
Reporter: yurys at chromium.org
Steps to reproduce:
1. Download latest WebKit build (https://build.webkit.org/#/builders/731/builds/14972)
2. Run MiniBrowser and navigate to https://flutter.github.io/samples/web/material_3_demo/
Result:
Web Process crashes with the following stack:
ntdll.dll!00007ffecac5c1a9()
ntdll.dll!00007ffecac5c173()
ntdll.dll!00007ffecac6520a()
ntdll.dll!00007ffecac654ea()
ntdll.dll!00007ffecac714e5()
ntdll.dll!00007ffecab8bdfd()
ntdll.dll!00007ffecab8ab11()
ucrtbase.dll!00007ffec87137eb()
[Inline Frame] WebCore.dll!WTF::FastMalloc::free(void * p) Line 272
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\FastMalloc.h(272)
[Inline Frame] WebCore.dll!WTF::VectorBufferBase<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,WTF::FastMalloc>::deallocateBuffer(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> * bufferToDeallocate) Line 361
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(361)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::reserveCapacity(unsigned __int64 newCapacity) Line 1384
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1384)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::expandCapacity(unsigned __int64 newMinCapacity) Line 1220
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1220)
WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::expandCapacity<0>(unsigned __int64 newMinCapacity, std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> * ptr) Line 1245
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1245)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::appendSlowCase(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 1531
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1531)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 1506
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(1506)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && u) Line 874
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(874)
[Inline Frame] WebCore.dll!WTF::Vector<std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && value) Line 874
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Vector.h(874)
WebCore.dll!WebCore::MicrotaskQueue::append(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && task) Line 48
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\Microtasks.cpp(48)
[Inline Frame] WebCore.dll!WebCore::EventLoop::queueMicrotask(std::unique_ptr<WebCore::EventLoopTask,std::default_delete<WebCore::EventLoopTask>> && microtask) Line 247
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\EventLoop.cpp(247)
WebCore.dll!WebCore::EventLoopTaskGroup::queueMicrotask(WTF::Function<void ()> && function) Line 484
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\EventLoop.cpp(484)
WebCore.dll!WebCore::WindowEventLoop::queueMutationObserverCompoundMicrotask() Line 226
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\WindowEventLoop.cpp(226)
WebCore.dll!WebCore::MutationObserver::enqueueMutationRecord(WTF::Ref<WebCore::MutationRecord,WTF::RawPtrTraits<WebCore::MutationRecord>,WTF::DefaultRefDerefTraits<WebCore::MutationRecord>> && mutation) Line 155
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\MutationObserver.cpp(155)
[Inline Frame] WebCore.dll!WTF::Ref<WebCore::MutationRecord,WTF::RawPtrTraits<WebCore::MutationRecord>,WTF::DefaultRefDerefTraits<WebCore::MutationRecord>>::Ref(WebCore::MutationRecord & object) Line 87
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h(87)
WebCore.dll!WebCore::MutationObserverInterestGroup::enqueueMutationRecord(WTF::Ref<WebCore::MutationRecord,WTF::RawPtrTraits<WebCore::MutationRecord>,WTF::DefaultRefDerefTraits<WebCore::MutationRecord>> && mutation) Line 81
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\MutationObserverInterestGroup.cpp(81)
WebCore.dll!WebCore::ChildListMutationAccumulator::enqueueMutationRecord() Line 128
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ChildListMutationScope.cpp(128)
WebCore.dll!WebCore::ChildListMutationAccumulator::~ChildListMutationAccumulator() Line 59
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ChildListMutationScope.cpp(59)
[Inline Frame] WebCore.dll!std::default_delete<WebCore::ChildListMutationAccumulator>::operator()(WebCore::ChildListMutationAccumulator * _Ptr) Line 3180
at C:\MSVS\VC\Tools\MSVC\14.37.32822\include\memory(3180)
[Inline Frame] WebCore.dll!WTF::RefCounted<WebCore::ChildListMutationAccumulator,std::default_delete<WebCore::ChildListMutationAccumulator>>::deref() Line 220
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h(220)
[Inline Frame] WebCore.dll!WTF::DefaultRefDerefTraits<WebCore::ChildListMutationAccumulator>::derefIfNotNull(WebCore::ChildListMutationAccumulator * ptr) Line 62
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\Ref.h(62)
[Inline Frame] WebCore.dll!WTF::RefPtr<WebCore::ChildListMutationAccumulator,WTF::RawPtrTraits<WebCore::ChildListMutationAccumulator>,WTF::DefaultRefDerefTraits<WebCore::ChildListMutationAccumulator>>::~RefPtr() Line 60
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h(60)
[Inline Frame] WebCore.dll!WebCore::ChildListMutationScope::~ChildListMutationScope() Line 77
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ChildListMutationScope.h(77)
[Inline Frame] WebCore.dll!WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node & childToRemove, WebCore::ContainerNode::ChildChange::Source source) Line 192
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ContainerNode.cpp(192)
WebCore.dll!WebCore::ContainerNode::removeChild(WebCore::Node & oldChild) Line 724
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\ContainerNode.cpp(724)
WebCore.dll!WebCore::Node::removeChild(WebCore::Node & oldChild) Line 558
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\dom\Node.cpp(558)
[Inline Frame] WebCore.dll!WebCore::jsNodePrototypeFunction_removeChildBody::<lambda_2>::operator()() Line 913
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WebCore\DerivedSources\JSNode.cpp(913)
[Inline Frame] WebCore.dll!WebCore::invokeFunctorPropagatingExceptionIfNecessary(JSC::JSGlobalObject & lexicalGlobalObject, JSC::ThrowScope & throwScope, WebCore::jsNodePrototypeFunction_removeChildBody::<lambda_2> && functor) Line 96
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\JSDOMExceptionHandling.h(96)
[Inline Frame] WebCore.dll!WebCore::jsNodePrototypeFunction_removeChildBody(JSC::JSGlobalObject * lexicalGlobalObject, JSC::CallFrame * callFrame, WebCore::JSNode * castedThis) Line 913
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WebCore\DerivedSources\JSNode.cpp(913)
[Inline Frame] WebCore.dll!WebCore::IDLOperation<WebCore::JSNode>::call(JSC::JSGlobalObject & lexicalGlobalObject, JSC::CallFrame & callFrame, const char * operationName) Line 63
at C:\BW\WinCairo-64-bit-Release-Build\build\Source\WebCore\bindings\js\JSDOMOperation.h(63)
WebCore.dll!WebCore::jsNodePrototypeFunction_removeChild(JSC::JSGlobalObject * lexicalGlobalObject, JSC::CallFrame * callFrame) Line 919
at C:\BW\WinCairo-64-bit-Release-Build\build\WebKitBuild\Release\WebCore\DerivedSources\JSNode.cpp(919)
[External Code]