Bug 30938

Summary: REGRESSION(r50233): Windows nightlies crash on launch due to changes to IWebFramePrivate vtable ordering
Product: WebKit    Reporter: 808caaa4.8ce9.9cd6c799e9f6
Component: WebKit Misc.    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows XP   

Description 808caaa4.8ce9.9cd6c799e9f6 2009-10-29 18:30:02 PDT
Leads to a crash.

Possibly:
IWebFramePrivate::counterValueForElementById inserted near the top of the vtable.

[additional notes]
Some XP installations have *only* the v8.0.50727.4053 ATL from WU, not the updated CRT specified in dependentAssembly.
If that CRT does not exist, Safari/WebKit cannot boot (before crashing).
Owners may have to install the updated vcredist_x86.exe:
http://www.microsoft.com/downloads/details.aspx?FamilyID=766a6af7-ec73-40ff-b072-9112bab119c2

Simple check:
run "dir %windir%\WinSxS\*_8.0.50727.4053_*"
Does the CRT exist?
Comment 1 Mark Rowe (bdash) 2009-10-29 18:36:41 PDT
This is a known issue.  We have the ATL security update installed on our builders so the update is required in order to use the built software.  We have no plans to change this at the moment.
Comment 2 808caaa4.8ce9.9cd6c799e9f6 2009-10-29 19:37:05 PDT
Hmm, then what about the crash/vtable?
Comment 3 Mark Rowe (bdash) 2009-10-29 19:43:40 PDT
Perhaps you’d like to be clearer about what you mean.  What about a vtable?
Comment 4 808caaa4.8ce9.9cd6c799e9f6 2009-10-29 20:53:10 PDT
For example, Safari v4.0.3 (531.9.1) + WebKit r50233 crashes before the main window appears.
ntsd said:
---
(c24.ba0): Access violation - code c0000005 (!!! second chance !!!)
eax=1001525a ebx=7fea4a01 ecx=1d74c084 edx=7fc72934 esi=7fea4b10 edi=00ef0483
eip=100658c5 esp=0012f2d8 ebp=7fea4b10 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ...\Safari.dll - 
Safari_10000000+0x658c5:
100658c5 8b5108          mov     edx,dword ptr [ecx+8] ds:0023:1d74c08c=????????
0:000> 
---

// It seems no corresponding PDBs for Safari.dll are found on Apple's symsrv.

With ntsd, Safari.dll seems to want to call IWebFramePrivate::isFrameSet() around there,
but since r50233, IWebFramePrivate has counterValueForElementById() at entry #5 in the vtable,
so it calls WebFrame::spoolPages() instead.
spoolPages has 4 arguments while isFrameSet has 1 argument, so the stack will be broken.

--
100658a5 8b10             mov     edx,[eax]         ds:0023:7fc72934=016bd060
100658a7 8b522c           mov     edx,[edx+0x2c]{WebKit!WebFrame__spoolPages (01206590)} ds:0023:016bd08c=01206590
100658aa 53               push    ebx  ; <- not argument, popped just before retn
100658ab 8d4c240c         lea     ecx,[esp+0xc]     ss:0023:0012f2d8=00000000
100658af 51               push    ecx  ; <- BOOL* result
100658b0 50               push    eax  ; <- this
100658b1 ffd2             call   edx {WebKit!WebFrame__spoolPages (01206590)}
--
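The mechanism in Comment 4, as an added example that is not WebKit's own code: a client binary compiled against the old IWebFramePrivate header dispatches by slot index, so inserting a method in the middle of a COM interface shifts every later slot and the client silently lands on the wrong one; appending the method instead keeps old indices valid. The vtable is written out as a plain C array of function pointers (how a COM vtable looks from C), the slot layout is a shortened hypothetical one (the real interface has many more methods; the 0x2c offset in the disassembly puts spoolPages at slot 11), and all slots share one signature so the wrong call is well-defined C and just reports which method ran. In the real interface isFrameSet and spoolPages take different argument counts, which is what corrupts the stack once the wrong slot is reached.

```c
#include <stdio.h>
#include <string.h>

/* One signature for every slot so that hitting the wrong slot is
 * well-defined and only reports which method actually ran. */
struct frame;
typedef const char *(*slot_fn)(struct frame *self);

struct frame {
    const slot_fn *vtbl;        /* COM layout: first word is the vtable pointer */
};

/* Stand-in implementations (hypothetical), each naming itself. */
static const char *fn_QueryInterface(struct frame *s) { (void)s; return "QueryInterface"; }
static const char *fn_AddRef(struct frame *s)         { (void)s; return "AddRef"; }
static const char *fn_Release(struct frame *s)        { (void)s; return "Release"; }
static const char *fn_spoolPages(struct frame *s)     { (void)s; return "spoolPages"; }
static const char *fn_isFrameSet(struct frame *s)     { (void)s; return "isFrameSet"; }
static const char *fn_counterValueForElementById(struct frame *s)
                                                      { (void)s; return "counterValueForElementById"; }

/* Slot indices baked into a client built against the pre-change header
 * (shortened, hypothetical layout). */
enum old_layout { OLD_QueryInterface, OLD_AddRef, OLD_Release,
                  OLD_spoolPages, OLD_isFrameSet, OLD_COUNT };

/* Vtable of the new library when the method is inserted mid-interface:
 * every later slot shifts down by one. */
static const slot_fn vtbl_inserted[] = {
    fn_QueryInterface, fn_AddRef, fn_Release,
    fn_counterValueForElementById,          /* inserted here */
    fn_spoolPages, fn_isFrameSet,
};

/* Vtable when the method is appended instead: old indices stay valid. */
static const slot_fn vtbl_appended[] = {
    fn_QueryInterface, fn_AddRef, fn_Release,
    fn_spoolPages, fn_isFrameSet,
    fn_counterValueForElementById,          /* appended at the end */
};

/* A client compiled against the old header dispatches by the old slot
 * index, whatever the loaded library's vtable actually holds there. */
static const char *old_client_isFrameSet(struct frame *f)
{
    return f->vtbl[OLD_isFrameSet](f);
}

/* Name of the method an old client really reaches when it believes it
 * is calling isFrameSet() on an object with the given vtable. */
const char *reached_by_old_client(const slot_fn *vtbl)
{
    struct frame f = { vtbl };
    return old_client_isFrameSet(&f);
}

/* Layout check a build could run: does every slot the old header
 * promised still hold the same method? Returns 1 if yes, 0 if not. */
int old_layout_preserved(const slot_fn *vtbl)
{
    static const slot_fn expected[OLD_COUNT] = {
        fn_QueryInterface, fn_AddRef, fn_Release, fn_spoolPages, fn_isFrameSet,
    };
    for (int i = 0; i < OLD_COUNT; i++)
        if (vtbl[i] != expected[i])
            return 0;
    return 1;
}

int main(void)
{
    printf("inserted: old client calling isFrameSet reaches %s (compatible=%d)\n",
           reached_by_old_client(vtbl_inserted), old_layout_preserved(vtbl_inserted));
    printf("appended: old client calling isFrameSet reaches %s (compatible=%d)\n",
           reached_by_old_client(vtbl_appended), old_layout_preserved(vtbl_appended));
    return 0;
}
```

With the inserted layout the old client's isFrameSet call reaches spoolPages, which is exactly what the ntsd disassembly above shows; with the appended layout it reaches isFrameSet. The same rule applies to any binary interface consumed by separately built code: new methods go at the end, or into a new interface.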
Comment 5 Mark Rowe (bdash) 2009-10-29 21:05:01 PDT
Thanks, that’s much clearer :-)
Comment 6 Mark Rowe (bdash) 2009-10-29 21:07:37 PDT
Fixed in r50316.
Comment 7 808caaa4.8ce9.9cd6c799e9f6 2009-10-30 05:48:42 PDT
WebKit-SVN-r50316.zip still has the wrong-ordered vtable, so it still crashes.

Should we 'touch' something more?

// and still no PDBs found for v4.0.3 (531.9.1)...
Comment 8 808caaa4.8ce9.9cd6c799e9f6 2009-11-12 19:03:46 PST
Fixed in r50484 (bug 31055).