Bug 21459

Summary: REGRESSION (r37324): Safari crashes inside JavaScriptCore while browsing hulu.com
Product: WebKit
Reporter: Brandon Petersen <anaknipedro@gmail.com>
Component: Plug-ins
Assignee: Cameron Zwarich (cpst) <zwarich@apple.com>
Severity: Major
CC: cameo.wood@gmail.com, daniel.samuels1@gmail.com, michael@jerome.net, mrowe@apple.com, zwarich@apple.com
Priority: P1
Keywords: InRadar, NeedsReduction, ReviewedForRadar
Version: 528+ (Nightly build)
Hardware: Macintosh Intel
OS: Mac OS X 10.4
URL: http://hulu.com/tv
Attachments
Description           Flags
Crash Report
Proposed patch        oliver: review+
Crash Report r37442   none

Description From 2008-10-07 21:06:20 PST
Visiting hulu.com/tv with the latest version of flash plugin installed causes a crash in safari 4 beta using webkit build r37381. This is reproducible on the windows version with build r37382. Disable flash plugin and the webpage does not cause a crash.
------- Comment #1 From 2008-10-07 21:16:42 PST -------
Please provide a crash log <http://webkit.org/quality/crashlogs.html>.
------- Comment #2 From 2008-10-07 21:31:23 PST -------
Created an attachment (id=24184) [details]
Crash Report
------- Comment #3 From 2008-10-07 21:46:35 PST -------
I can reproduce this with the latest nightly and with a debug build of TOT. The crash trace from the debug build is no better, which suggests something is going AWOL in JIT'd code.
------- Comment #4 From 2008-10-08 00:05:15 PST -------
------- Comment #5 From 2008-10-08 00:19:23 PST -------
Appears to be due to r37324
------- Comment #6 From 2008-10-08 11:44:54 PST -------
I can no longer reproduce this. Can anyone else?
------- Comment #7 From 2008-10-08 18:43:31 PST -------
(In reply to comment #6)
> I can no longer reproduce this. Can anyone else?

I can still reproduce this in Safari 4 beta for OS X. But not on Safari 4 beta in Windows.
------- Comment #8 From 2008-10-08 19:01:39 PST -------
Which build of WebKit are you using Brandon?
------- Comment #9 From 2008-10-08 19:42:55 PST -------
I can thankfully now reproduce this fine on other hulu.com pages. GDB seems to indicate that this is a garbage collection bug, because it is calling getOwnPropertySlot() on a JSObject with a bad vptr in op_get_by_id.
------- Comment #10 From 2008-10-08 19:46:36 PST -------
I am using r37381 in OS X and 37382 in Windows.
------- Comment #11 From 2008-10-08 20:48:38 PST -------
Created an attachment (id=24221) [details]
------- Comment #12 From 2008-10-08 20:50:50 PST -------
This is not a regression in r37324, because I can reproduce it with r37323. The JavaScript on Hulu uses the Prototype framework, which uses a lot of 'arguments' and activation objects, so it is likely that random changes to memory layout caused this problem to become a crasher in Release builds after that revision.
------- Comment #13 From 2008-10-08 20:57:28 PST -------
Oops, I meant to say that it works fine on r37323 and r37324. I actually can't seem to reproduce it with any archived builds, because my local tree has CTI off for debugging purposes, which is probably affecting memory layout. I will have to revert and build.
------- Comment #14 From 2008-10-08 21:40:26 PST -------
I can't even seem to reproduce this with CTI off on r37400. I am just going to try to fix it on ToT.
------- Comment #15 From 2008-10-08 22:43:16 PST -------
Thanks to bug 21497, most of what I have said in this bug is wrong.
------- Comment #16 From 2008-10-08 22:58:30 PST -------
Now that I can actually test this properly, I can confirm that r37324 is the culprit. A specific URL that reproduces it for me every time is


It seems that this may be the same as bug 21494.
------- Comment #17 From 2008-10-09 14:38:45 PST -------
*** Bug 21507 has been marked as a duplicate of this bug. ***
------- Comment #18 From 2008-10-09 14:40:50 PST -------
*** Bug 21494 has been marked as a duplicate of this bug. ***
------- Comment #19 From 2008-10-09 14:41:33 PST -------
Created an attachment (id=24236) [details]
Proposed patch
------- Comment #20 From 2008-10-09 14:46:33 PST -------
Created an attachment (id=24238) [details]
Crash Report r37442
------- Comment #21 From 2008-10-09 15:03:01 PST -------
Landed in r37450.
------- Comment #22 From 2008-10-09 17:32:07 PST -------
*** Bug 21474 has been marked as a duplicate of this bug. ***
------- Comment #23 From 2008-10-09 19:22:55 PST -------
*** Bug 21481 has been marked as a duplicate of this bug. ***