Bug 21459 - REGRESSION (r37324): Safari crashes inside JavaScriptCore while browsing hulu.com
Summary: REGRESSION (r37324): Safari crashes inside JavaScriptCore while browsing hulu...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Plug-ins (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.4
: P1 Major
Assignee: Cameron Zwarich (cpst)
URL: http://hulu.com/tv
Keywords: InRadar, NeedsReduction
: 21474 21481 21494 21507 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-10-07 21:06 PDT by Brandon Petersen
Modified: 2008-10-09 19:22 PDT (History)
5 users (show)

See Also:

Attachments
Crash Report (20.05 KB, text/rtf)
2008-10-07 21:31 PDT, Brandon Petersen 		no flags Details
Reduction (190 bytes, text/html)
2008-10-08 20:48 PDT, Cameron Zwarich (cpst) 		no flags Details
Proposed patch (3.43 KB, patch)
2008-10-09 14:41 PDT, Cameron Zwarich (cpst) 		oliver: review+
Details | Formatted Diff | Diff
Crash Report r37442 (27.85 KB, text/rtf)
2008-10-09 14:46 PDT, Hayden 		no flags Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brandon Petersen 2008-10-07 21:06:20 PDT 
Visiting hulu.com/tv with the latest version of flash plugin installed causes a crash in safari 4 beta using webkit build r37381. This is reproducible on the windows version with build r37382. Disable flash plugin and the webpage does not cause a crash.
Comment 1 Mark Rowe (bdash) 2008-10-07 21:16:42 PDT 
Please provide a crash log <http://webkit.org/quality/crashlogs.html>.
Comment 2 Brandon Petersen 2008-10-07 21:31:23 PDT 
Created attachment 24184 [details]
Crash Report
Comment 3 Mark Rowe (bdash) 2008-10-07 21:46:35 PDT 
I can reproduce this with the latest nightly and with a debug build of TOT.  The crash trace from the debug build is no better, which suggests something is going AWOL in JITd code.
Comment 4 Mark Rowe (bdash) 2008-10-08 00:05:15 PDT 
<rdar://problem/6277287>
Comment 5 Oliver Hunt 2008-10-08 00:19:23 PDT 
Appears to be due to r37324
Comment 6 Cameron Zwarich (cpst) 2008-10-08 11:44:54 PDT 
I can no longer reproduce this. Can anyone else?
Comment 7 Brandon Petersen 2008-10-08 18:43:31 PDT 
(In reply to comment #6)
> I can no longer reproduce this. Can anyone else?
> 

I can still reproduce this in Safari 4 beta for OS X. But not on Safari 4 beta in Windows.
Comment 8 Mark Rowe (bdash) 2008-10-08 19:01:39 PDT 
Which build of WebKit are you using Brandon?
Comment 9 Cameron Zwarich (cpst) 2008-10-08 19:42:55 PDT 
I can thankfully now reproduce this fine on other hulu.com pages. GDB seems to indicate that this is a garbage collection bug, because it is calling getOwnPropertySlot() on a JSObject with a bad vptr in op_get_by_id.
Comment 10 Brandon Petersen 2008-10-08 19:46:36 PDT 
I am using r37381 in OS X and 37382 in Windows.
Comment 11 Cameron Zwarich (cpst) 2008-10-08 20:48:38 PDT 
Created attachment 24221 [details]
Reduction
Comment 12 Cameron Zwarich (cpst) 2008-10-08 20:50:50 PDT 
This is not a regression in r37324, because I can reproduce it with r37323. The JavaScript on Hulu uses the Prototype framework, which uses a lot of 'arguments' and activation objects, so it is likely that random changes to memory layout caused this problem to become a crasher in Release builds after that revision.
Comment 13 Cameron Zwarich (cpst) 2008-10-08 20:57:28 PDT 
Oops, I meant to say that it works fine on r37323 and r37324. I actually can't seem to reproduce it with any archived builds, because my local tree has CTI off for debugging purposes, which is probably affecting memory layout. I will have to revert and build.
Comment 14 Cameron Zwarich (cpst) 2008-10-08 21:40:26 PDT 
I can't even seem to reproduce this with CTI off on r37400. I am just going to try to fix it on ToT.
Comment 15 Cameron Zwarich (cpst) 2008-10-08 22:43:16 PDT 
Thanks to bug 21497, most of what I have said in this bug is wrong.
Comment 16 Cameron Zwarich (cpst) 2008-10-08 22:58:30 PDT 
Now that I can actually test this properly, I can confirm that r37324 is the culprit. A specific URL that reproduces it for me every time is

http://www.hulu.com/watch/36665/saturday-night-live-reliable-investments#s-p1-st-i2

It seems that this may be the same as bug 21494.
Comment 17 Cameron Zwarich (cpst) 2008-10-09 14:38:45 PDT 
*** Bug 21507 has been marked as a duplicate of this bug. ***
Comment 18 Cameron Zwarich (cpst) 2008-10-09 14:40:50 PDT 
*** Bug 21494 has been marked as a duplicate of this bug. ***
Comment 19 Cameron Zwarich (cpst) 2008-10-09 14:41:33 PDT 
Created attachment 24236 [details]
Proposed patch
Comment 20 Hayden 2008-10-09 14:46:33 PDT 
Created attachment 24238 [details]
Crash Report r37442
Comment 21 Cameron Zwarich (cpst) 2008-10-09 15:03:01 PDT 
Landed in r37450.
Comment 22 Cameron Zwarich (cpst) 2008-10-09 17:32:07 PDT 
*** Bug 21474 has been marked as a duplicate of this bug. ***
Comment 23 Cameron Zwarich (cpst) 2008-10-09 19:22:55 PDT 
*** Bug 21481 has been marked as a duplicate of this bug. ***