Bug 30938
Summary: REGRESSION(r50233): Windows nightlies crash on launch due to changes to IWebFramePrivate vtable ordering

Field | Value
---|---
Product | WebKit
Component | WebKit Misc.
Reporter | 808caaa4.8ce9.9cd6c799e9f6
Assignee | Nobody <webkit-unassigned>
Status | RESOLVED FIXED
Severity | Major
Priority | P2
Version | 528+ (Nightly build)
Hardware | PC
OS | Windows XP
808caaa4.8ce9.9cd6c799e9f6
leads to a crash.
possibly:
IWebFramePrivate::counterValueForElementById inserted near the top of vtable.
[additional notes]
Some XP installations have *only* the v8.0.50727.4053 ATL from WU, with no updated CRT, which is specified in dependentAssembly.
If no CRT exists, Safari/WebKit cannot boot (before crashing).
Owners may have to install updated vcredist_x86.exe:
http://www.microsoft.com/downloads/details.aspx?FamilyID=766a6af7-ec73-40ff-b072-9112bab119c2
simple check:
run "dir %windir%\WinSxS\*_8.0.50727.4053_*"
CRT exists?
Mark Rowe (bdash)
This is a known issue. We have the ATL security update installed on our builders so the update is required in order to use the built software. We have no plans to change this at the moment.
808caaa4.8ce9.9cd6c799e9f6
hmm.. then, how about crashing/vtable..
Mark Rowe (bdash)
Perhaps you’d like to be clearer about what you mean. What about a vtable?
808caaa4.8ce9.9cd6c799e9f6
For example, Safari v4.0.3 (531.9.1) + WebKit-r50233 crashes before the main window appears.
ntsd said:
---
(c24.ba0): Access violation - code c0000005 (!!! second chance !!!)
eax=1001525a ebx=7fea4a01 ecx=1d74c084 edx=7fc72934 esi=7fea4b10 edi=00ef0483
eip=100658c5 esp=0012f2d8 ebp=7fea4b10 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ...\Safari.dll -
Safari_10000000+0x658c5:
100658c5 8b5108 mov edx,dword ptr [ecx+8] ds:0023:1d74c08c=????????
0:000>
---
// It seems no corresponding PDBs for safari.dll are found on Apple's symsrv.
With ntsd, safari.dll seems to want to call IWebFramePrivate::isFrameSet() around there,
but since r50233, IWebFramePrivate has counterValueForElementById() at the #5 entry in the vtable,
so it calls WebFrame::spoolPages() instead.
spoolPages has 4 arguments while isFrameSet has 1 argument, so the stack will be broken.
--
100658a5 8b10 mov edx,[eax] ds:0023:7fc72934=016bd060
100658a7 8b522c mov edx,[edx+0x2c]{WebKit!WebFrame__spoolPages (01206590)} ds:0023:016bd08c=01206590
100658aa 53 push ebx ; <- not argument, popped just before retn
100658ab 8d4c240c lea ecx,[esp+0xc] ss:0023:0012f2d8=00000000
100658af 51 push ecx ; <- BOOL* result
100658b0 50 push eax ; <- this
100658b1 ffd2 call edx {WebKit!WebFrame__spoolPages (01206590)}
--
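The slot arithmetic in the comment above (a method inserted ahead of existing ones shifts every later slot, so a caller built against the old header lands on a neighbouring method with a different argument count) can be checked without a debugger. The following C program is an added example, not code from this bug report or from WebKit: it models a COM-style vtable as a table of method names and stack-argument counts. The interface layout and slot positions are constructed for illustration and do not reproduce the real IWebFramePrivate order; only the four-versus-one argument count comes from the report. The `abi_compatible` check is the review test a header change to a shipped COM interface should pass.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a COM-style vtable: an interface pointer points at a
 * table of function pointers, and a client compiled against a given header
 * hard-codes the slot index of each method. Each slot records a method name
 * and its stack argument count after `this` (x86 stdcall: the callee pops). */
#define MAX_SLOTS 16
typedef struct { const char *name; int nargs; } Method;
typedef struct { Method slots[MAX_SLOTS]; int count; } VTable;

static void vt_append(VTable *vt, const char *name, int nargs) {
    assert(vt->count < MAX_SLOTS);
    vt->slots[vt->count].name = name;
    vt->slots[vt->count++].nargs = nargs;
}

/* Insert before `index`, shifting every later method down one slot. */
static void vt_insert(VTable *vt, int index, const char *name, int nargs) {
    int i;
    assert(vt->count < MAX_SLOTS && index >= 0 && index <= vt->count);
    for (i = vt->count; i > index; i--)
        vt->slots[i] = vt->slots[i - 1];
    vt->slots[index].name = name;
    vt->slots[index].nargs = nargs;
    vt->count++;
}

/* Slot index a header assigns to `name`, or -1 if it has no such method. */
static int vt_slot_of(const VTable *vt, const char *name) {
    int i;
    for (i = 0; i < vt->count; i++)
        if (strcmp(vt->slots[i].name, name) == 0) return i;
    return -1;
}

/* Hypothetical, simplified IWebFramePrivate: the method order and argument
 * counts are constructed for this example, not WebKit's real layout.
 * IUnknown's three methods always occupy slots 0-2. */
static const VTable *old_layout(void) {
    static VTable vt;
    vt.count = 0;
    vt_append(&vt, "QueryInterface", 2);
    vt_append(&vt, "AddRef", 0);
    vt_append(&vt, "Release", 0);
    vt_append(&vt, "spoolPages", 4);  /* 4 arguments, as in the report */
    vt_append(&vt, "isFrameSet", 1);  /* 1 argument: BOOL *result */
    return &vt;
}
/* r50233-style change: the new method is inserted ahead of existing ones. */
static const VTable *inserted_layout(void) {
    static VTable vt;
    vt = *old_layout();
    vt_insert(&vt, 3, "counterValueForElementById", 2);
    return &vt;
}
/* ABI-preserving change: the new method is appended at the end. */
static const VTable *appended_layout(void) {
    static VTable vt;
    vt = *old_layout();
    vt_append(&vt, "counterValueForElementById", 2);
    return &vt;
}

/* Method actually reached when a client compiled against `client` calls
 * `name` on an object whose vtable is `actual`; NULL if the slot is absent. */
static const Method *resolve_call(const VTable *client, const VTable *actual,
                                  const char *name) {
    int slot = vt_slot_of(client, name);
    return (slot < 0 || slot >= actual->count) ? NULL : &actual->slots[slot];
}

/* Bytes the callee pops beyond what the caller pushed (x86 stdcall, 4-byte
 * arguments); nonzero means esp is wrong once the call returns. */
static int stdcall_stack_imbalance(const VTable *client, const VTable *actual,
                                   const char *name) {
    const Method *reached = resolve_call(client, actual, name);
    int slot = vt_slot_of(client, name);
    return (reached && slot >= 0) ? (reached->nargs - client->slots[slot].nargs) * 4 : 0;
}

/* Every slot an old client could have compiled against must still hold the
 * same method with the same signature; anything else is an ABI break. */
static int abi_compatible(const VTable *old, const VTable *cur) {
    int i;
    if (cur->count < old->count) return 0;
    for (i = 0; i < old->count; i++)
        if (strcmp(old->slots[i].name, cur->slots[i].name) != 0 ||
            old->slots[i].nargs != cur->slots[i].nargs) return 0;
    return 1;
}

int main(void) {
    const Method *m = resolve_call(old_layout(), inserted_layout(), "isFrameSet");
    printf("old client calling isFrameSet reaches %s; stack off by %d bytes\n",
           m->name, stdcall_stack_imbalance(old_layout(), inserted_layout(), "isFrameSet"));
    printf("inserted compatible=%d, appended compatible=%d\n",
           abi_compatible(old_layout(), inserted_layout()),
           abi_compatible(old_layout(), appended_layout()));
    return 0;
}
```

Under stdcall the callee pops its own arguments, so when the old caller pushes one argument and the method it actually lands on pops four, esp is left 12 bytes off after the call returns, which is the "stack will be broken" observation above. Appending new methods at the end of an interface (or introducing a separate new interface) keeps every existing slot index stable, which is why a shipped COM interface is normally extended that way rather than by inserting in the middle.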
Mark Rowe (bdash)
Thanks, that’s much clearer :-)
Mark Rowe (bdash)
Fixed in r50316.
808caaa4.8ce9.9cd6c799e9f6
WebKit-SVN-r50316.zip still has the wrong-ordered vtable, so it still crashes.
Should we 'touch' something more?
// and still no PDBs found for v4.0.3 (531.9.1)...
808caaa4.8ce9.9cd6c799e9f6
fixed in r50484 (bug 31055)