Bug 21459

Summary: REGRESSION (r37324): Safari crashes inside JavaScriptCore while browsing hulu.com
Product: WebKit
Reporter: Brandon Petersen <anaknipedro>
Component: Plug-ins
Assignee: Cameron Zwarich (cpst) <zwarich>
Severity: Major
CC: cameowood, daniel.samuels1, michael, mrowe, zwarich
Priority: P1
Keywords: InRadar, NeedsReduction
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.4
URL: http://hulu.com/tv
Attachments (Description / Flags)
Crash Report / 
Proposed patch / oliver: review+
Crash Report r37442 / none

Description Brandon Petersen 2008-10-07 21:06:20 PDT
Visiting hulu.com/tv with the latest version of the Flash plugin installed causes a crash in Safari 4 beta using WebKit build r37381. This is reproducible on the Windows version with build r37382. Disable the Flash plugin and the web page does not cause a crash.
Comment 1 Mark Rowe (bdash) 2008-10-07 21:16:42 PDT
Please provide a crash log <http://webkit.org/quality/crashlogs.html>.
Comment 2 Brandon Petersen 2008-10-07 21:31:23 PDT
Created attachment 24184 [details]
Crash Report
Comment 3 Mark Rowe (bdash) 2008-10-07 21:46:35 PDT
I can reproduce this with the latest nightly and with a debug build of TOT.  The crash trace from the debug build is no better, which suggests something is going AWOL in JITd code.
Comment 4 Mark Rowe (bdash) 2008-10-08 00:05:15 PDT
Comment 5 Oliver Hunt 2008-10-08 00:19:23 PDT
Appears to be due to r37324
Comment 6 Cameron Zwarich (cpst) 2008-10-08 11:44:54 PDT
I can no longer reproduce this. Can anyone else?
Comment 7 Brandon Petersen 2008-10-08 18:43:31 PDT
(In reply to comment #6)
> I can no longer reproduce this. Can anyone else?

I can still reproduce this in Safari 4 beta for OS X. But not on Safari 4 beta in Windows.
Comment 8 Mark Rowe (bdash) 2008-10-08 19:01:39 PDT
Which build of WebKit are you using Brandon?
Comment 9 Cameron Zwarich (cpst) 2008-10-08 19:42:55 PDT
I can thankfully now reproduce this fine on other hulu.com pages. GDB seems to indicate that this is a garbage collection bug, because it is calling getOwnPropertySlot() on a JSObject with a bad vptr in op_get_by_id.
Comment 10 Brandon Petersen 2008-10-08 19:46:36 PDT
I am using r37381 in OS X and 37382 in Windows.
Comment 11 Cameron Zwarich (cpst) 2008-10-08 20:48:38 PDT
Created attachment 24221 [details]
Comment 12 Cameron Zwarich (cpst) 2008-10-08 20:50:50 PDT
This is not a regression in r37324, because I can reproduce it with r37323. The JavaScript on Hulu uses the Prototype framework, which uses a lot of 'arguments' and activation objects, so it is likely that random changes to memory layout caused this problem to become a crasher in Release builds after that revision.
Comment 13 Cameron Zwarich (cpst) 2008-10-08 20:57:28 PDT
Oops, I meant to say that it works fine on r37323 and r37324. I actually can't seem to reproduce it with any archived builds, because my local tree has CTI off for debugging purposes, which is probably affecting memory layout. I will have to revert and build.
Comment 14 Cameron Zwarich (cpst) 2008-10-08 21:40:26 PDT
I can't even seem to reproduce this with CTI off on r37400. I am just going to try to fix it on ToT.
Comment 15 Cameron Zwarich (cpst) 2008-10-08 22:43:16 PDT
Thanks to bug 21497, most of what I have said in this bug is wrong.
Comment 16 Cameron Zwarich (cpst) 2008-10-08 22:58:30 PDT
Now that I can actually test this properly, I can confirm that r37324 is the culprit. A specific URL that reproduces it for me every time is


It seems that this may be the same as bug 21494.
Comment 17 Cameron Zwarich (cpst) 2008-10-09 14:38:45 PDT
*** Bug 21507 has been marked as a duplicate of this bug. ***
Comment 18 Cameron Zwarich (cpst) 2008-10-09 14:40:50 PDT
*** Bug 21494 has been marked as a duplicate of this bug. ***
Comment 19 Cameron Zwarich (cpst) 2008-10-09 14:41:33 PDT
Created attachment 24236 [details]
Proposed patch
Comment 20 Hayden 2008-10-09 14:46:33 PDT
Created attachment 24238 [details]
Crash Report r37442
Comment 21 Cameron Zwarich (cpst) 2008-10-09 15:03:01 PDT
Landed in r37450.
Comment 22 Cameron Zwarich (cpst) 2008-10-09 17:32:07 PDT
*** Bug 21474 has been marked as a duplicate of this bug. ***
Comment 23 Cameron Zwarich (cpst) 2008-10-09 19:22:55 PDT
*** Bug 21481 has been marked as a duplicate of this bug. ***