211258 – [WinCairo][WebKit2] Flaky crash in WebCore::Layout::ContainerBox::firstChild while running some of fast/layoutformattingcontext tests

Bug 211258 - [WinCairo][WebKit2] Flaky crash in WebCore::Layout::ContainerBox::firstChild while running some of fast/layoutformattingcontext tests

Summary: [WinCairo][WebKit2] Flaky crash in WebCore::Layout::ContainerBox::firstChild ...

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	zalan

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-04-30 15:10 PDT by Fujii Hironori
Modified:	2020-04-30 19:17 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
crash log (79.10 KB, text/plain) 2020-04-30 15:11 PDT, Fujii Hironori	no flags	Details
a screenshot of the debugger (171.46 KB, image/png) 2020-04-30 19:08 PDT, Fujii Hironori	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fujii Hironori 2020-04-30 15:10:56 PDT

[WinCairo][WebKit2] Flaky crash in WebCore::Layout::ContainerBox::firstChild while running some of fast/layoutformattingcontext tests

fast/layoutformattingcontext/block-only/block-replaced-with-vertical-margins.html
fast/layoutformattingcontext/table-basic-row-baseline-align.html
fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html

> python ./Tools/Scripts/run-webkit-tests --debug --no-new-test-results --no-retry-failures --wincairo  fast/layoutformattingcontext/table-basic-row-baseline-align.html --no-timeout --iterations=10

Callstack:

> .  0  Id: 13528.1812c Suspend: 1 Teb: 000000c6`14200000 Unfrozen
>  # Child-SP          RetAddr           Call Site
> 00 000000c6`144fde20 00007ffb`f7b897ac WebKit2!WebCore::Layout::ContainerBox::firstChild(void)+0xb [S:\gc\Source\WebCore\layout\layouttree\LayoutContainerBox.h @ 44]
> 01 000000c6`144fde30 00007ffb`f7b4b76c WebKit2!WebCore::Display::Painter::paint(class WebCore::Layout::LayoutState * layoutState = 0x00000272`d2a84040, class WebCore::GraphicsContext * context = 0x00000272`d29758a0, class WebCore::IntRect * dirtyRect = 0x000000c6`144fe1a8)+0x5c [S:\gc\Source\WebCore\layout\displaytree\DisplayPainter.cpp @ 269]
> 02 000000c6`144fdf70 00007ffb`f7e5f41f WebKit2!WebCore::Layout::LayoutContext::paint(class WebCore::Layout::LayoutState * layoutState = 0x00000272`d2a84040, class WebCore::GraphicsContext * context = 0x00000272`d29758a0, class WebCore::IntRect * dirtyRect = 0x000000c6`144fe1a8)+0x3c [S:\gc\Source\WebCore\layout\LayoutContext.cpp @ 141]
> 03 000000c6`144fdfa0 00007ffb`f80843d5 WebKit2!WebCore::FrameView::paintContents(class WebCore::GraphicsContext * context = 0x00000272`d29758a0, class WebCore::IntRect * dirtyRect = 0x000000c6`144fe1a8, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy = AnyOrigin (0n0), class WebCore::EventRegionContext * eventRegionContext = 0x00000000`00000000)+0x29f [S:\gc\Source\WebCore\page\FrameView.cpp @ 4260]
> 04 000000c6`144fe170 00007ffb`f4e964e5 WebKit2!WebCore::ScrollView::paint(class WebCore::GraphicsContext * context = 0x00000272`d29758a0, class WebCore::IntRect * rect = 0x000000c6`144fe568, WebCore::Widget::SecurityOriginPaintPolicy securityOriginPaintPolicy = AnyOrigin (0n0), class WebCore::EventRegionContext * eventRegionContext = 0x00000000`00000000)+0x395 [S:\gc\Source\WebCore\platform\ScrollView.cpp @ 1272]
> 05 000000c6`144fe430 00007ffb`f3d9043a WebKit2!WebKit::WebPage::drawRect(class WebCore::GraphicsContext * graphicsContext = 0x00000272`d29758a0, class WebCore::IntRect * rect = 0x000000c6`144fe568)+0xc5 [S:\gc\Source\WebKit\WebProcess\WebPage\WebPage.cpp @ 1813]
> 06 000000c6`144fe4c0 00007ffb`f3d8fd25 WebKit2!WebKit::DrawingAreaCoordinatedGraphics::display(class WebKit::UpdateInfo * updateInfo = 0x000000c6`144fe6d0)+0x66a [S:\gc\Source\WebKit\WebProcess\WebPage\CoordinatedGraphics\DrawingAreaCoordinatedGraphics.cpp @ 797]
> 07 000000c6`144fe6a0 00007ffb`f3d8dd8f WebKit2!WebKit::DrawingAreaCoordinatedGraphics::display(void)+0x1e5 [S:\gc\Source\WebKit\WebProcess\WebPage\CoordinatedGraphics\DrawingAreaCoordinatedGraphics.cpp @ 712]
> 08 000000c6`144fe790 00007ffb`f4e9fcf4 WebKit2!WebKit::DrawingAreaCoordinatedGraphics::forceRepaint(void)+0xcf [S:\gc\Source\WebKit\WebProcess\WebPage\CoordinatedGraphics\DrawingAreaCoordinatedGraphics.cpp @ 187]
> 09 000000c6`144fe800 00007ffb`f4cef3c0 WebKit2!WebKit::WebPage::forceRepaintWithoutCallback(void)+0x44 [S:\gc\Source\WebKit\WebProcess\WebPage\WebPage.cpp @ 3597]
> 0a 000000c6`144fe840 00007ffb`edbd8482 WebKit2!WKBundlePageForceRepaint(struct OpaqueWKBundlePage * page = 0x00000272`8e76e280)+0x30 [S:\gc\Source\WebKit\WebProcess\InjectedBundle\API\c\WKBundlePage.cpp @ 554]
> 0b 000000c6`144fe870 00007ffb`edbde9b5 TestRunnerInjectedBundle!WTR::InjectedBundlePage::dump(void)+0xc2 [S:\gc\Tools\WebKitTestRunner\InjectedBundle\InjectedBundlePage.cpp @ 893]
> 0c 000000c6`144fea80 00007ffb`edbd9a59 TestRunnerInjectedBundle!WTR::InjectedBundlePage::frameDidChangeLocation(struct OpaqueWKBundleFrame * frame = 0x00000272`8e730de0)+0xa5 [S:\gc\Tools\WebKitTestRunner\InjectedBundle\InjectedBundlePage.cpp @ 1972]
> 0d 000000c6`144feac0 00007ffb`edbd8f9c TestRunnerInjectedBundle!WTR::InjectedBundlePage::didFinishLoadForFrame(struct OpaqueWKBundleFrame * frame = 0x00000272`8e730de0)+0x79 [S:\gc\Tools\WebKitTestRunner\InjectedBundle\InjectedBundlePage.cpp @ 969]
> 0e 000000c6`144feb00 00007ffb`f4ccd52a TestRunnerInjectedBundle!WTR::InjectedBundlePage::didFinishLoadForFrame(struct OpaqueWKBundlePage * page = 0x00000272`8e76e280, struct OpaqueWKBundleFrame * frame = 0x00000272`8e730de0, void ** __formal = 0x000000c6`144feb58, void * clientInfo = 0x00000272`d2030840)+0x3c [S:\gc\Tools\WebKitTestRunner\InjectedBundle\InjectedBundlePage.cpp @ 585]
> 0f 000000c6`144feb30 00007ffb`f4e27a64 WebKit2!WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(class WebKit::WebPage * page = 0x00000272`8e76e280, class WebKit::WebFrame * frame = 0x00000272`8e730de0, class WTF::RefPtr<API::Object,WTF::DumbPtrTraits<API::Object> > * userData = 0x000000c6`144febf8)+0xba [S:\gc\Source\WebKit\WebProcess\InjectedBundle\InjectedBundlePageLoaderClient.cpp @ 141]
> 10 000000c6`144febb0 00007ffb`f7c72249 WebKit2!WebKit::WebFrameLoaderClient::dispatchDidFinishLoad(void)+0x114 [S:\gc\Source\WebKit\WebProcess\WebCoreSupport\WebFrameLoaderClient.cpp @ 662]
> 11 000000c6`144fee00 00007ffb`f7c69250 WebKit2!WebCore::FrameLoader::checkLoadCompleteForThisFrame(void)+0x769 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 2609]
> 12 000000c6`144fef80 00007ffb`f7c6b663 WebKit2!WebCore::FrameLoader::checkLoadComplete(void)+0x1f0 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 2766]
> 13 000000c6`144ff0a0 00007ffb`f7c6dee0 WebKit2!WebCore::FrameLoader::checkCompleted(void)+0x203 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 913]
> 14 000000c6`144ff110 00007ffb`f7c6de38 WebKit2!WebCore::FrameLoader::checkCompletenessNow(void)+0x90 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 930]
> 15 000000c6`144ff170 00007ffb`f7c887b4 WebKit2!WebCore::FrameLoader::checkTimerFired(void)+0x28 [S:\gc\Source\WebCore\loader\FrameLoader.cpp @ 918]
> 16 000000c6`144ff1a0 00007ffb`f7c8c5a3 WebKit2!std::_Invoker_pmf_pointer::_Call<void (<function> * _Pmf = 0x00007ffb`f7c6de10, class WebCore::FrameLoader ** _Arg1 = 0x00000272`d1fff480)+0x34 [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\type_traits @ 1610]
> 17 000000c6`144ff1d0 00007ffb`f7c886d0 WebKit2!std::invoke<void (<function> ** _Obj = 0x00000272`d1fff478, class WebCore::FrameLoader ** <_Args_0> = 0x00000272`d1fff480)+0x53 [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\type_traits @ 1610]
> 18 000000c6`144ff210 00007ffb`f7c888d5 WebKit2!std::_Invoker_ret<std::_Unforced,0>::_Call<void (<function> ** <_Vals_0> = 0x00000272`d1fff478, class WebCore::FrameLoader ** <_Vals_1> = 0x00000272`d1fff480)+0x50 [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\type_traits @ 1646]
> 19 000000c6`144ff250 00007ffb`f7c8845d WebKit2!std::_Call_binder<std::_Unforced,0,void (struct std::_Invoker_ret<std::_Unforced,0> __formal = struct std::_Invoker_ret<std::_Unforced,0>, struct std::integer_sequence<unsigned __int64,0> __formal = struct std::integer_sequence<unsigned __int64,0>, <function> ** _Obj = 0x00000272`d1fff478, class std::tuple<WebCore::FrameLoader *> * _Tpl = 0x00000272`d1fff480 {...}, class std::tuple<> * _Ut = 0x000000c6`144ff2c0)+0x65 [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\functional @ 1433]
> 1a 000000c6`144ff290 00007ffb`f7c98b7f WebKit2!std::_Binder<std::_Unforced,void (void)+0x8d [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.25.28610\include\functional @ 1473]
> 1b 000000c6`144ff2f0 00007ffb`f3d16ab8 WebKit2!WTF::Detail::CallableWrapper<std::_Binder<std::_Unforced,void (void)+0x2f [S:\gc\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 52]
> 1c 000000c6`144ff320 00007ffb`f43a1cff WebKit2!WTF::Function<void __cdecl(void)+0xa8 [S:\gc\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 85]
> 1d 000000c6`144ff360 00007ffb`f80992fe WebKit2!WebCore::Timer::fired(void)+0x2f [S:\gc\WebKitBuild\Debug\WebCore\PrivateHeaders\WebCore\Timer.h @ 127]
> 1e 000000c6`144ff390 00007ffb`f80a1be3 WebKit2!WebCore::ThreadTimers::sharedTimerFiredInternal(void)+0x2fe [S:\gc\Source\WebCore\platform\ThreadTimers.cpp @ 130]
> 1f 000000c6`144ff490 00007ffb`f80a285f WebKit2!<lambda_73423c14f3856b0e7ddfcc42c2cdf132>::operator()(void)+0x33 [S:\gc\Source\WebCore\platform\ThreadTimers.cpp @ 67]
> 20 000000c6`144ff4c0 00007ffb`f3d16ab8 WebKit2!WTF::Detail::CallableWrapper<<lambda_73423c14f3856b0e7ddfcc42c2cdf132>,void>::call(void)+0x2f [S:\gc\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 52]
> 21 000000c6`144ff4f0 00007ffb`f8065f5b WebKit2!WTF::Function<void __cdecl(void)+0xa8 [S:\gc\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 85]
> 22 000000c6`144ff530 00007ffb`f533d76e WebKit2!WebCore::MainThreadSharedTimer::fired(void)+0x9b [S:\gc\Source\WebCore\platform\MainThreadSharedTimer.cpp @ 84]
> 23 000000c6`144ff560 00007ffc`5b375c0d WebKit2!WebCore::TimerWindowWndProc(struct HWND__ * hWnd = 0x00000000`0286ec9c, unsigned int message = 0xc34c, unsigned int64 wParam = 0, int64 lParam = 0n0)+0xbe [S:\gc\Source\WebCore\platform\win\MainThreadSharedTimerWin.cpp @ 89]
> 24 000000c6`144ff590 00007ffc`5b375602 USER32!UserCallWinProcCheckWow+0x2bd
> 25 000000c6`144ff720 00007ffc`27706574 USER32!DispatchMessageWorker+0x1e2
> 26 000000c6`144ff7a0 00007ffb`f3d99f60 WTF!WTF::RunLoop::run(void)+0x64 [S:\gc\Source\WTF\wtf\win\RunLoopWin.cpp @ 74]
> 27 000000c6`144ff830 00007ffb`f3d99e88 WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcess,WebKit::WebProcessMainWin>(int argc = 0n8, char ** argv = 0x00000272`8e705c60)+0xd0 [S:\gc\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 69]
> 28 000000c6`144ff8f0 00007ff6`fc6b1030 WebKit2!WebKit::WebProcessMain(int argc = 0n8, char ** argv = 0x00000272`8e705c60)+0x98 [S:\gc\Source\WebKit\WebProcess\win\WebProcessMainWin.cpp @ 50]
> 29 000000c6`144ff930 00007ff6`fc6b1270 WebKitWebProcess!main(int argc = 0n8, char ** argv = 0x00000272`8e705c60)+0x30 [S:\gc\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35]
> 2a (Inline Function) --------`-------- WebKitWebProcess!invoke_main+0x22 [d:\agent\_work\4\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
> 2b 000000c6`144ff960 00007ffc`5b597bd4 WebKitWebProcess!__scrt_common_main_seh(void)+0x10c [d:\agent\_work\4\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
> 2c 000000c6`144ff9a0 00007ffc`5c74ce51 KERNEL32!BaseThreadInitThunk+0x14
> 2d 000000c6`144ff9d0 00000000`00000000 ntdll!RtlUserThreadStart+0x21


WinCairo WebKit1 doesn't seem to crash.
> python ./Tools/Scripts/run-webkit-tests --debug --no-new-test-results --no-retry-failures --wincairo  fast/layoutformattingcontext/table-basic-row-baseline-align.html --no-timeout --iterations=10

Comment 1 Fujii Hironori 2020-04-30 15:11:33 PDT

Created attachment 398099 [details]
crash log

Comment 2 Fujii Hironori 2020-04-30 19:08:39 PDT

Created attachment 398140 [details]
a screenshot of the debugger

a WeakPtr m_rootContainer of layoutState was null in Painter::paint.
Was it destructed?

Comment 3 zalan 2020-04-30 19:11:29 PDT

Yeah it is destructed. This painting code is not supposed to be running (and it is not running on macOS/iOS.) in this configuration. I am going to look into it over the weekend. You can skip them in WinCairo for now if it causes issues with testing.