| Product: | WebKit | Reporter: | Brandon Petersen <anaknipedro> |
|---|---|---|---|
| Component: | Plug-ins | Assignee: | Cameron Zwarich (cpst) <zwarich> |
| Severity: | Major | CC: | cameo.wood, daniel.samuels1, michael, mrowe, zwarich |
| Priority: | P1 | Keywords: | InRadar, NeedsReduction, ReviewedForRadar |
| Version: | 528+ (Nightly build) | | |
| OS: | Mac OS X 10.4 | | |
Description Brandon Petersen 2008-10-07 21:06:20 PDT
Visiting hulu.com/tv with the latest version of the Flash plugin installed causes a crash in Safari 4 beta using WebKit build r37381. This is reproducible on the Windows version with build r37382. Disabling the Flash plugin stops the webpage from causing a crash.
Comment 1 Mark Rowe (bdash) 2008-10-07 21:16:42 PDT
Please provide a crash log <http://webkit.org/quality/crashlogs.html>.
Comment 3 Mark Rowe (bdash) 2008-10-07 21:46:35 PDT
I can reproduce this with the latest nightly and with a debug build of TOT. The crash trace from the debug build is no better, which suggests something is going AWOL in JIT'd code.
Comment 4 Mark Rowe (bdash) 2008-10-08 00:05:15 PDT
Comment 5 Oliver Hunt 2008-10-08 00:19:23 PDT
Appears to be due to r37324.
Comment 6 Cameron Zwarich (cpst) 2008-10-08 11:44:54 PDT
I can no longer reproduce this. Can anyone else?
Comment 7 Brandon Petersen 2008-10-08 18:43:31 PDT
(In reply to comment #6)
> I can no longer reproduce this. Can anyone else?

I can still reproduce this in Safari 4 beta for OS X, but not in Safari 4 beta on Windows.
Comment 8 Mark Rowe (bdash) 2008-10-08 19:01:39 PDT
Which build of WebKit are you using, Brandon?
Comment 9 Cameron Zwarich (cpst) 2008-10-08 19:42:55 PDT
I can thankfully now reproduce this fine on other hulu.com pages. GDB seems to indicate that this is a garbage collection bug, because it is calling getOwnPropertySlot() on a JSObject with a bad vptr in op_get_by_id.
Comment 10 Brandon Petersen 2008-10-08 19:46:36 PDT
I am using r37381 on OS X and r37382 on Windows.
Comment 11 Cameron Zwarich (cpst) 2008-10-08 20:48:38 PDT
Created attachment 24221 [details] Reduction
Comment 12 Cameron Zwarich (cpst) 2008-10-08 20:50:50 PDT
Comment 13 Cameron Zwarich (cpst) 2008-10-08 20:57:28 PDT
Oops, I meant to say that it works fine on r37323 and r37324. I actually can't seem to reproduce it with any archived builds, because my local tree has CTI off for debugging purposes, which is probably affecting memory layout. I will have to revert and build.
Comment 14 Cameron Zwarich (cpst) 2008-10-08 21:40:26 PDT
I can't even seem to reproduce this with CTI off on r37400. I am just going to try to fix it on ToT.
Comment 15 Cameron Zwarich (cpst) 2008-10-08 22:43:16 PDT
Thanks to bug 21497, most of what I have said in this bug is wrong.
Comment 16 Cameron Zwarich (cpst) 2008-10-08 22:58:30 PDT
Now that I can actually test this properly, I can confirm that r37324 is the culprit. A specific URL that reproduces it for me every time is http://www.hulu.com/watch/36665/saturday-night-live-reliable-investments#s-p1-st-i2 It seems that this may be the same as bug 21494.
Comment 17 Cameron Zwarich (cpst) 2008-10-09 14:38:45 PDT
*** Bug 21507 has been marked as a duplicate of this bug. ***
Comment 18 Cameron Zwarich (cpst) 2008-10-09 14:40:50 PDT
*** Bug 21494 has been marked as a duplicate of this bug. ***
Comment 19 Cameron Zwarich (cpst) 2008-10-09 14:41:33 PDT
Created attachment 24236 [details] Proposed patch
Comment 21 Cameron Zwarich (cpst) 2008-10-09 15:03:01 PDT
Landed in r37450.
Comment 22 Cameron Zwarich (cpst) 2008-10-09 17:32:07 PDT
*** Bug 21474 has been marked as a duplicate of this bug. ***