Bug 21459

Summary:

REGRESSION (r37324): Safari crashes inside JavaScriptCore while browsing hulu.com

Product:

WebKit

Reporter:

Brandon Petersen <anaknipedro>

Component:

Plug-ins

Assignee:

Cameron Zwarich (cpst) <zwarich>

Status:

RESOLVED FIXED

Severity:

Major

CC:

cameowood, daniel.samuels1, michael, mrowe, zwarich

Priority:

Keywords:

InRadar, NeedsReduction

Version:

528+ (Nightly build)

Hardware:

Mac (Intel)

OS:

OS X 10.4

URL:

http://hulu.com/tv

Attachments:

Description	Flags
Crash Report	none
Reduction	none
Proposed patch	oliver: review+
Crash Report r37442	none

Brandon Petersen

Reported 2008-10-07 21:06:20 PDT

Visiting hulu.com/tv with the latest version of flash plugin installed causes a crash in safari 4 beta using webkit build r37381. This is reproducible on the windows version with build r37382. Disable flash plugin and the webpage does not cause a crash.

Attachments
Crash Report (20.05 KB, text/rtf) 2008-10-07 21:31 PDT, Brandon Petersen	no flags	Details
Reduction (190 bytes, text/html) 2008-10-08 20:48 PDT, Cameron Zwarich (cpst)	no flags	Details
Proposed patch (3.43 KB, patch) 2008-10-09 14:41 PDT, Cameron Zwarich (cpst)	oliver: review+	Details Formatted Diff Diff
Crash Report r37442 (27.85 KB, text/rtf) 2008-10-09 14:46 PDT, Hayden	no flags	Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Mark Rowe (bdash)

Comment 1 2008-10-07 21:16:42 PDT

Please provide a crash log <http://webkit.org/quality/crashlogs.html>.

Brandon Petersen

Comment 2 2008-10-07 21:31:23 PDT

Created attachment 24184 [details] Crash Report

Mark Rowe (bdash)

Comment 3 2008-10-07 21:46:35 PDT

I can reproduce this with the latest nightly and with a debug build of TOT. The crash trace from the debug build is no better, which suggests something is going AWOL in JITd code.

Mark Rowe (bdash)

Comment 4 2008-10-08 00:05:15 PDT

<rdar://problem/6277287>

Oliver Hunt

Comment 5 2008-10-08 00:19:23 PDT

Appears to be due to r37324

Cameron Zwarich (cpst)

Comment 6 2008-10-08 11:44:54 PDT

I can no longer reproduce this. Can anyone else?

Brandon Petersen

Comment 7 2008-10-08 18:43:31 PDT

(In reply to comment #6) > I can no longer reproduce this. Can anyone else? > I can still reproduce this in Safari 4 beta for OS X. But not on Safari 4 beta in Windows.

Mark Rowe (bdash)

Comment 8 2008-10-08 19:01:39 PDT

Which build of WebKit are you using Brandon?

Cameron Zwarich (cpst)

Comment 9 2008-10-08 19:42:55 PDT

I can thankfully now reproduce this fine on other hulu.com pages. GDB seems to indicate that this is a garbage collection bug, because it is calling getOwnPropertySlot() on a JSObject with a bad vptr in op_get_by_id.

Brandon Petersen

Comment 10 2008-10-08 19:46:36 PDT

I am using r37381 in OS X and 37382 in Windows.

Cameron Zwarich (cpst)

Comment 11 2008-10-08 20:48:38 PDT

Created attachment 24221 [details] Reduction

Cameron Zwarich (cpst)

Comment 12 2008-10-08 20:50:50 PDT

This is not a regression in r37324, because I can reproduce it with r37323. The JavaScript on Hulu uses the Prototype framework, which uses a lot of 'arguments' and activation objects, so it is likely that random changes to memory layout caused this problem to become a crasher in Release builds after that revision.

Cameron Zwarich (cpst)

Comment 13 2008-10-08 20:57:28 PDT

Oops, I meant to say that it works fine on r37323 and r37324. I actually can't seem to reproduce it with any archived builds, because my local tree has CTI off for debugging purposes, which is probably affecting memory layout. I will have to revert and build.

Cameron Zwarich (cpst)

Comment 14 2008-10-08 21:40:26 PDT

I can't even seem to reproduce this with CTI off on r37400. I am just going to try to fix it on ToT.

Cameron Zwarich (cpst)

Comment 15 2008-10-08 22:43:16 PDT

Thanks to bug 21497, most of what I have said in this bug is wrong.

Cameron Zwarich (cpst)

Comment 16 2008-10-08 22:58:30 PDT

Now that I can actually test this properly, I can confirm that r37324 is the culprit. A specific URL that reproduces it for me every time is http://www.hulu.com/watch/36665/saturday-night-live-reliable-investments#s-p1-st-i2 It seems that this may be the same as bug 21494.

Cameron Zwarich (cpst)

Comment 17 2008-10-09 14:38:45 PDT

*** Bug 21507 has been marked as a duplicate of this bug. ***

Cameron Zwarich (cpst)

Comment 18 2008-10-09 14:40:50 PDT

*** Bug 21494 has been marked as a duplicate of this bug. ***

Cameron Zwarich (cpst)

Comment 19 2008-10-09 14:41:33 PDT

Created attachment 24236 [details] Proposed patch

Hayden

Comment 20 2008-10-09 14:46:33 PDT

Created attachment 24238 [details] Crash Report r37442

Cameron Zwarich (cpst)

Comment 21 2008-10-09 15:03:01 PDT

Landed in r37450.

Cameron Zwarich (cpst)

Comment 22 2008-10-09 17:32:07 PDT

*** Bug 21474 has been marked as a duplicate of this bug. ***

Cameron Zwarich (cpst)

Comment 23 2008-10-09 19:22:55 PDT

*** Bug 21481 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.