Bug 211258

Summary: [WinCairo][WebKit2] Flaky crash in WebCore::Layout::ContainerBox::firstChild while running some of fast/layoutformattingcontext tests
Product: WebKit
Reporter: Fujii Hironori <fujii.hironori>
Component: Layout and Rendering
Assignee: alan <zalan>
Status: NEW
Severity: Normal
CC: bfulgham, koivisto, simon.fraser, zalan
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
crash log (flags: none)
a screenshot of the debugger (flags: none)

Fujii Hironori
Reported 2020-04-30 15:10:56 PDT
[WinCairo][WebKit2] Flaky crash in WebCore::Layout::ContainerBox::firstChild while running some of fast/layoutformattingcontext tests

fast/layoutformattingcontext/block-only/block-replaced-with-vertical-margins.html
fast/layoutformattingcontext/table-basic-row-baseline-align.html
fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html

> python ./Tools/Scripts/run-webkit-tests --debug --no-new-test-results --no-retry-failures --wincairo fast/layoutformattingcontext/table-basic-row-baseline-align.html --no-timeout --iterations=10

Callstack:

> . 0 Id: 13528.1812c Suspend: 1 Teb: 000000c6`14200000 Unfrozen
> # Child-SP RetAddr Call Site
> 00 000000c6`144fde20 00007ffb`f7b897ac WebKit2!WebCore::Layout::ContainerBox::firstChild(void)+0xb [S:\gc\Source\WebCore\layout\layouttree\LayoutContainerBox.h @ 44]
> 01 000000c6`144fde30 00007ffb`f7b4b76c WebKit2!WebCore::Display::Painter::paint(class WebCore::Layout::LayoutState * layoutState = 0x00000272`d2a84040, class WebCore::GraphicsContext * context = 0x00000272`d29758a0, class WebCore::IntRect * dirtyRect = 0x000000c6`144fe1a8)+0x5c [S:\gc\Source\WebCore\layout\displaytree\DisplayPainter.cpp @ 269]
> 02 000000c6`144fdf70 00007ffb`f7e5f41f WebKit2!WebCore::Layout::LayoutContext::paint(class WebCore::Layout::LayoutState * layoutState = 0x00000272`d2a84040, class WebCore::GraphicsContext * context = 0x00000272`d29758a0, class WebCore::IntRect * dirtyRect = 0x000000c6`144fe1a8)+0x3c [S:\gc\Source\WebCore\layout\LayoutContext.cpp @ 141]
> 03 000000c6`144fdfa0 00007ffb`f80843d5 WebKit2!WebCore::FrameView::paintContents(class WebCore::GraphicsContext * context = 0x00000272`d29758a0, class WebCore::IntRect * dirtyRect = 0x000000c6`144fe1a8, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy = AnyOrigin (0n0), class WebCore::EventRegionContext * eventRegionContext = 0x00000000`00000000)+0x29f [S:\gc\Source\WebCore\page\FrameView.cpp @ 4260]
> 04 000000c6`144fe170 00007ffb`f4e964e5 WebKit2!WebCore::ScrollView::paint(class WebCore::GraphicsContext * context = 0x00000272`d29758a0, class WebCore::IntRect * rect = 0x000000c6`144fe568, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy = AnyOrigin (0n0), class WebCore::EventRegionContext * eventRegionContext = 0x00000000`00000000)+0x395 [S:\gc\Source\WebCore\platform\ScrollView.cpp @ 1272]
> 05 000000c6`144fe430 00007ffb`f3d9043a WebKit2!WebKit::WebPage::drawRect(class WebCore::GraphicsContext * graphicsContext = 0x00000272`d29758a0, class WebCore::IntRect * rect = 0x000000c6`144fe568)+0xc5 [S:\gc\Source\WebKit\WebProcess\WebPage\WebPage.cpp @ 1813]
> 06 000000c6`144fe4c0 00007ffb`f3d8fd25 WebKit2!WebKit::DrawingAreaCoordinatedGraphics::display(class WebKit::UpdateInfo * updateInfo = 0x000000c6`144fe6d0)+0x66a [S:\gc\Source\WebKit\WebProcess\WebPage\CoordinatedGraphics\DrawingAreaCoordinatedGraphics.cpp @ 797]
> 07 000000c6`144fe6a0 00007ffb`f3d8dd8f WebKit2!WebKit::DrawingAreaCoordinatedGraphics::display(void)+0x1e5 [S:\gc\Source\WebKit\WebProcess\WebPage\CoordinatedGraphics\DrawingAreaCoordinatedGraphics.cpp @ 712]
> 08 000000c6`144fe790 00007ffb`f4e9fcf4 WebKit2!WebKit::DrawingAreaCoordinatedGraphics::forceRepaint(void)+0xcf [S:\gc\Source\WebKit\WebProcess\WebPage\CoordinatedGraphics\DrawingAreaCoordinatedGraphics.cpp @ 187]
> 09 000000c6`144fe800 00007ffb`f4cef3c0 WebKit2!WebKit::WebPage::forceRepaintWithoutCallback(void)+0x44 [S:\gc\Source\WebKit\WebProcess\WebPage\WebPage.cpp @ 3597]
> 0a 000000c6`144fe840 00007ffb`edbd8482 WebKit2!WKBundlePageForceRepaint(struct OpaqueWKBundlePage * page = 0x00000272`8e76e280)+0x30 [S:\gc\Source\WebKit\WebProcess\InjectedBundle\API\c\WKBundlePage.cpp @ 554]
> 0b 000000c6`144fe870 00007ffb`edbde9b5 TestRunnerInjectedBundle!WTR::InjectedBundlePage::dump(void)+0xc2 [S:\gc\Tools\WebKitTestRunner\InjectedBundle\InjectedBundlePage.cpp @ 893]
> 0c 000000c6`144fea80 00007ffb`edbd9a59 TestRunnerInjectedBundle!WTR::InjectedBundlePage::frameDidChangeLocation(struct OpaqueWKBundleFrame * frame = 0x00000272`8e730de0)+0xa5 [S:\gc\Tools\WebKitTestRunner\InjectedBundle\InjectedBundlePage.cpp @ 1972]
> 0d 000000c6`144feac0 00007ffb`edbd8f9c TestRunnerInjectedBundle!WTR::InjectedBundlePage::didFinishLoadForFrame(struct OpaqueWKBundleFrame * frame = 0x00000272`8e730de0)+0x79 [S:\gc\Tools\WebKitTestRunner\InjectedBundle\InjectedBundlePage.cpp @ 969]
> 0e 000000c6`144feb00 00007ffb`f4ccd52a TestRunnerInjectedBundle!WTR::InjectedBundlePage::didFinishLoadForFrame(struct OpaqueWKBundlePage * page = 0x00000272`8e76e280, struct OpaqueWKBundleFrame * frame = 0x00000272`8e730de0, void ** __formal = 0x000000c6`144feb58, void * clientInfo = 0x00000272`d2030840)+0x3c [S:\gc\Tools\WebKitTestRunner\InjectedBundle\InjectedBundlePage.cpp @ 585]
> 0f 000000c6`144feb30 00007ffb`f4e27a64 WebKit2!WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(class WebKit::WebPage * page = 0x00000272`8e76e280, class WebKit::WebFrame * frame = 0x00000272`8e730de0, class WTF::RefPtr<API::Object,WTF::DumbPtrTraits<API::Object> > * userData = 0x000000c6`144febf8)+0xba [S:\gc\Source\WebKit\WebProcess\InjectedBundle\InjectedBundlePageLoaderClient.cpp @ 141]
> 10 000000c6`144febb0 00007ffb`f7c72249 WebKit2!WebKit::WebFrameLoaderClient::dispatchDidFinishLoad(void)+0x114 [S:\gc\Source\WebKit\WebProcess\WebCoreSupport\WebFrameLoaderClient.cpp @ 662]
> 11 000000c6`144fee00 00007ffb`f7c69250 WebKit2!WebCore::FrameLoader::checkLoadCompleteForThisFrame(void)+0x769 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 2609]
> 12 000000c6`144fef80 00007ffb`f7c6b663 WebKit2!WebCore::FrameLoader::checkLoadComplete(void)+0x1f0 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 2766]
> 13 000000c6`144ff0a0 00007ffb`f7c6dee0 WebKit2!WebCore::FrameLoader::checkCompleted(void)+0x203 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 913]
> 14 000000c6`144ff110 00007ffb`f7c6de38 WebKit2!WebCore::FrameLoader::checkCompletenessNow(void)+0x90 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 930]
> 15 000000c6`144ff170 00007ffb`f7c887b4 WebKit2!WebCore::FrameLoader::checkTimerFired(void)+0x28 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 918]
> 16 000000c6`144ff1a0 00007ffb`f7c8c5a3 WebKit2!std::_Invoker_pmf_pointer::_Call<void (<function> * _Pmf = 0x00007ffb`f7c6de10, class WebCore::FrameLoader ** _Arg1 = 0x00000272`d1fff480)+0x34 [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\type_traits @ 1610]
> 17 000000c6`144ff1d0 00007ffb`f7c886d0 WebKit2!std::invoke<void (<function> ** _Obj = 0x00000272`d1fff478, class WebCore::FrameLoader ** <_Args_0> = 0x00000272`d1fff480)+0x53 [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\type_traits @ 1610]
> 18 000000c6`144ff210 00007ffb`f7c888d5 WebKit2!std::_Invoker_ret<std::_Unforced,0>::_Call<void (<function> ** <_Vals_0> = 0x00000272`d1fff478, class WebCore::FrameLoader ** <_Vals_1> = 0x00000272`d1fff480)+0x50 [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\type_traits @ 1646]
> 19 000000c6`144ff250 00007ffb`f7c8845d WebKit2!std::_Call_binder<std::_Unforced,0,void (struct std::_Invoker_ret<std::_Unforced,0> __formal = struct std::_Invoker_ret<std::_Unforced,0>, struct std::integer_sequence<unsigned __int64,0> __formal = struct std::integer_sequence<unsigned __int64,0>, <function> ** _Obj = 0x00000272`d1fff478, class std::tuple<WebCore::FrameLoader *> * _Tpl = 0x00000272`d1fff480 {...}, class std::tuple<> * _Ut = 0x000000c6`144ff2c0)+0x65 [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\functional @ 1433]
> 1a 000000c6`144ff290 00007ffb`f7c98b7f WebKit2!std::_Binder<std::_Unforced,void (void)+0x8d [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\functional @ 1473]
> 1b 000000c6`144ff2f0 00007ffb`f3d16ab8 WebKit2!WTF::Detail::CallableWrapper<std::_Binder<std::_Unforced,void (void)+0x2f [S:\gc\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 52]
> 1c 000000c6`144ff320 00007ffb`f43a1cff WebKit2!WTF::Function<void __cdecl(void)+0xa8 [S:\gc\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 85]
> 1d 000000c6`144ff360 00007ffb`f80992fe WebKit2!WebCore::Timer::fired(void)+0x2f [S:\gc\WebKitBuild\Debug\WebCore\PrivateHeaders\WebCore\Timer.h @ 127]
> 1e 000000c6`144ff390 00007ffb`f80a1be3 WebKit2!WebCore::ThreadTimers::sharedTimerFiredInternal(void)+0x2fe [S:\gc\Source\WebCore\platform\ThreadTimers.cpp @ 130]
> 1f 000000c6`144ff490 00007ffb`f80a285f WebKit2!<lambda_73423c14f3856b0e7ddfcc42c2cdf132>::operator()(void)+0x33 [S:\gc\Source\WebCore\platform\ThreadTimers.cpp @ 67]
> 20 000000c6`144ff4c0 00007ffb`f3d16ab8 WebKit2!WTF::Detail::CallableWrapper<<lambda_73423c14f3856b0e7ddfcc42c2cdf132>,void>::call(void)+0x2f [S:\gc\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 52]
> 21 000000c6`144ff4f0 00007ffb`f8065f5b WebKit2!WTF::Function<void __cdecl(void)+0xa8 [S:\gc\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 85]
> 22 000000c6`144ff530 00007ffb`f533d76e WebKit2!WebCore::MainThreadSharedTimer::fired(void)+0x9b [S:\gc\Source\WebCore\platform\MainThreadSharedTimer.cpp @ 84]
> 23 000000c6`144ff560 00007ffc`5b375c0d WebKit2!WebCore::TimerWindowWndProc(struct HWND__ * hWnd = 0x00000000`0286ec9c, unsigned int message = 0xc34c, unsigned int64 wParam = 0, int64 lParam = 0n0)+0xbe [S:\gc\Source\WebCore\platform\win\MainThreadSharedTimerWin.cpp @ 89]
> 24 000000c6`144ff590 00007ffc`5b375602 USER32!UserCallWinProcCheckWow+0x2bd
> 25 000000c6`144ff720 00007ffc`27706574 USER32!DispatchMessageWorker+0x1e2
> 26 000000c6`144ff7a0 00007ffb`f3d99f60 WTF!WTF::RunLoop::run(void)+0x64 [S:\gc\Source\WTF\wtf\win\RunLoopWin.cpp @ 74]
> 27 000000c6`144ff830 00007ffb`f3d99e88 WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcess,WebKit::WebProcessMainWin>(int argc = 0n8, char ** argv = 0x00000272`8e705c60)+0xd0 [S:\gc\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 69]
> 28 000000c6`144ff8f0 00007ff6`fc6b1030 WebKit2!WebKit::WebProcessMain(int argc = 0n8, char ** argv = 0x00000272`8e705c60)+0x98 [S:\gc\Source\WebKit\WebProcess\win\WebProcessMainWin.cpp @ 50]
> 29 000000c6`144ff930 00007ff6`fc6b1270 WebKitWebProcess!main(int argc = 0n8, char ** argv = 0x00000272`8e705c60)+0x30 [S:\gc\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35]
> 2a (Inline Function) --------`-------- WebKitWebProcess!invoke_main+0x22 [d:\agent\_work\4\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
> 2b 000000c6`144ff960 00007ffc`5b597bd4 WebKitWebProcess!__scrt_common_main_seh(void)+0x10c [d:\agent\_work\4\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
> 2c 000000c6`144ff9a0 00007ffc`5c74ce51 KERNEL32!BaseThreadInitThunk+0x14
> 2d 000000c6`144ff9d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

WinCairo WebKit1 doesn't seem to crash.

> python ./Tools/Scripts/run-webkit-tests --debug --no-new-test-results --no-retry-failures --wincairo fast/layoutformattingcontext/table-basic-row-baseline-align.html --no-timeout --iterations=10
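Triage tooling for the stack quoted above, as an added example that is not code from the report or from WebKit: a parser for WinDbg-style frame lines that pulls out module, symbol and source location, then picks the first frame whose source lives under the project tree (assumed here to be the report's S:\gc\Source) so the crash site in ContainerBox::firstChild is separated from USER32, CRT and MSVC header frames.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the column header plus frames 00, 01, 24 and 2a copied from the
# WinDbg stack quoted in the report (the header must be skipped by the parser).
SAMPLE = r"""
> # Child-SP RetAddr Call Site
> 00 000000c6`144fde20 00007ffb`f7b897ac WebKit2!WebCore::Layout::ContainerBox::firstChild(void)+0xb [S:\gc\Source\WebCore\layout\layouttree\LayoutContainerBox.h @ 44]
> 01 000000c6`144fde30 00007ffb`f7b4b76c WebKit2!WebCore::Display::Painter::paint(class WebCore::Layout::LayoutState * layoutState = 0x00000272`d2a84040, class WebCore::GraphicsContext * context = 0x00000272`d29758a0, class WebCore::IntRect * dirtyRect = 0x000000c6`144fe1a8)+0x5c [S:\gc\Source\WebCore\layout\displaytree\DisplayPainter.cpp @ 269]
> 24 000000c6`144ff590 00007ffc`5b375602 USER32!UserCallWinProcCheckWow+0x2bd
> 2a (Inline Function) --------`-------- WebKitWebProcess!invoke_main+0x22 [d:\agent\_work\4\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
"""
# One frame: index, Child-SP and RetAddr (or an inline-function marker), then
# Module!Symbol(param dump)+0xOffset and an optional [file @ line] location.
FRAME_RE = re.compile(
    r"^>?\s*(?P<idx>[0-9a-f]{2})\s+"
    r"(?:(?P<childsp>[0-9a-f`]+)\s+(?P<retaddr>[0-9a-f`]+)|\(Inline Function\)\s+[-`]+)\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>.+?)\+0x(?P<offset>[0-9a-f]+)"
    r"(?:\s+\[(?P<file>[^\]]+?)\s+@\s+(?P<line>\d+)\])?\s*$"
)
@dataclass
class Frame:
    index: int
    module: str
    name: str            # symbol with the parameter dump cut off
    file: Optional[str]  # None for frames without source info (USER32, ntdll)
    line: Optional[int]
    inline: bool
def parse_frames(text: str) -> List[Frame]:
    """Parse every frame line; the header and other non-frame lines are skipped."""
    frames = []
    for raw in text.strip().splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        # Cut at the first "(" to drop the argument dump (std:: binder frames keep template residue).
        name = m.group("symbol").split("(", 1)[0].rstrip()
        frames.append(Frame(index=int(m.group("idx"), 16), module=m.group("module"),
                            name=name, file=m.group("file"),
                            line=int(m.group("line")) if m.group("line") else None,
                            inline=m.group("childsp") is None))
    return frames
def first_project_frame(frames: List[Frame], root: str = r"S:\gc\Source") -> Optional[Frame]:
    """First frame whose source lives under the project tree: the site to triage."""
    for f in frames:
        if f.file and f.file.lower().startswith(root.lower()):
            return f
    return None
```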
Attachments
crash log (79.10 KB, text/plain)
2020-04-30 15:11 PDT, Fujii Hironori
no flags
a screenshot of the debugger (171.46 KB, image/png)
2020-04-30 19:08 PDT, Fujii Hironori
no flags
Fujii Hironori
Comment 1 2020-04-30 15:11:33 PDT
Created attachment 398099 [details] crash log
Fujii Hironori
Comment 2 2020-04-30 19:08:39 PDT
Created attachment 398140 [details] a screenshot of the debugger
A WeakPtr m_rootContainer of layoutState was null in Painter::paint. Was it destructed?
alan
Comment 3 2020-04-30 19:11:29 PDT
Yeah, it is destructed. This painting code is not supposed to be running (and it is not running on macOS/iOS) in this configuration. I am going to look into it over the weekend. You can skip them in WinCairo for now if it causes issues with testing.