| Field | Value |
|---|---|
| Summary | REGRESSION (r37324): Safari crashes inside JavaScriptCore while browsing hulu.com |
| Product | WebKit |
| Reporter | Brandon Petersen <anaknipedro> |
| Component | Plug-ins |
| Assignee | Cameron Zwarich (cpst) <zwarich> |
| Status | RESOLVED FIXED |
| Severity | Major |
| CC | cameowood, daniel.samuels1, michael, mrowe, zwarich |
| Priority | P1 |
| Keywords | InRadar, NeedsReduction |
| Version | 528+ (Nightly build) |
| Hardware | Mac (Intel) |
| OS | OS X 10.4 |
| URL | http://hulu.com/tv |
Description
Brandon Petersen
2008-10-07 21:06:20 PDT
Please provide a crash log <http://webkit.org/quality/crashlogs.html>.

Created attachment 24184 [details]
Crash Report

I can reproduce this with the latest nightly and with a debug build of TOT. The crash trace from the debug build is no better, which suggests something is going AWOL in JITd code.

I can no longer reproduce this. Can anyone else?

(In reply to comment #6)
> I can no longer reproduce this. Can anyone else?
>
I can still reproduce this in Safari 4 beta for OS X. But not on Safari 4 beta in Windows.

Which build of WebKit are you using, Brandon?

I can thankfully now reproduce this fine on other hulu.com pages. GDB seems to indicate that this is a garbage collection bug, because it is calling getOwnPropertySlot() on a JSObject with a bad vptr in op_get_by_id.

I am using r37381 in OS X and 37382 in Windows.

Created attachment 24221 [details]
Reduction

This is not a regression in r37324, because I can reproduce it with r37323. The JavaScript on Hulu uses the Prototype framework, which uses a lot of 'arguments' and activation objects, so it is likely that random changes to memory layout caused this problem to become a crasher in Release builds after that revision.

Oops, I meant to say that it works fine on r37323 and r37324. I actually can't seem to reproduce it with any archived builds, because my local tree has CTI off for debugging purposes, which is probably affecting memory layout. I will have to revert and build.

I can't even seem to reproduce this with CTI off on r37400. I am just going to try to fix it on ToT.

Thanks to bug 21497, most of what I have said in this bug is wrong. Now that I can actually test this properly, I can confirm that r37324 is the culprit.

A specific URL that reproduces it for me every time is http://www.hulu.com/watch/36665/saturday-night-live-reliable-investments#s-p1-st-i2

It seems that this may be the same as bug 21494.

*** Bug 21507 has been marked as a duplicate of this bug. ***

*** Bug 21494 has been marked as a duplicate of this bug. ***

Created attachment 24236 [details]
Proposed patch

Created attachment 24238 [details]
Crash Report r37442

Landed in r37450.

*** Bug 21474 has been marked as a duplicate of this bug. ***

*** Bug 21481 has been marked as a duplicate of this bug. ***