RESOLVED FIXED 21459
REGRESSION (r37324): Safari crashes inside JavaScriptCore while browsing hulu.com
https://bugs.webkit.org/show_bug.cgi?id=21459
Brandon Petersen
Reported 2008-10-07 21:06:20 PDT
Visiting hulu.com/tv with the latest version of the Flash plugin installed causes a crash in Safari 4 beta using WebKit build r37381. This is reproducible on the Windows version with build r37382. Disable the Flash plugin and the webpage does not cause a crash.
Attachments
Crash Report (20.05 KB, text/rtf)
2008-10-07 21:31 PDT, Brandon Petersen
no flags
Reduction (190 bytes, text/html)
2008-10-08 20:48 PDT, Cameron Zwarich (cpst)
no flags
Proposed patch (3.43 KB, patch)
2008-10-09 14:41 PDT, Cameron Zwarich (cpst)
oliver: review+
Crash Report r37442 (27.85 KB, text/rtf)
2008-10-09 14:46 PDT, Hayden
no flags
Mark Rowe (bdash)
Comment 1 2008-10-07 21:16:42 PDT
Please provide a crash log <http://webkit.org/quality/crashlogs.html>.
Brandon Petersen
Comment 2 2008-10-07 21:31:23 PDT
Created attachment 24184 [details] Crash Report
Mark Rowe (bdash)
Comment 3 2008-10-07 21:46:35 PDT
I can reproduce this with the latest nightly and with a debug build of TOT. The crash trace from the debug build is no better, which suggests something is going AWOL in JITd code.
Mark Rowe (bdash)
Comment 4 2008-10-08 00:05:15 PDT
Oliver Hunt
Comment 5 2008-10-08 00:19:23 PDT
Appears to be due to r37324
Cameron Zwarich (cpst)
Comment 6 2008-10-08 11:44:54 PDT
I can no longer reproduce this. Can anyone else?
Brandon Petersen
Comment 7 2008-10-08 18:43:31 PDT
(In reply to comment #6)
> I can no longer reproduce this. Can anyone else?

I can still reproduce this in Safari 4 beta for OS X. But not on Safari 4 beta in Windows.
Mark Rowe (bdash)
Comment 8 2008-10-08 19:01:39 PDT
Which build of WebKit are you using Brandon?
Cameron Zwarich (cpst)
Comment 9 2008-10-08 19:42:55 PDT
I can thankfully now reproduce this fine on other hulu.com pages. GDB seems to indicate that this is a garbage collection bug, because it is calling getOwnPropertySlot() on a JSObject with a bad vptr in op_get_by_id.
Brandon Petersen
Comment 10 2008-10-08 19:46:36 PDT
I am using r37381 in OS X and 37382 in Windows.
Cameron Zwarich (cpst)
Comment 11 2008-10-08 20:48:38 PDT
Created attachment 24221 [details] Reduction
Cameron Zwarich (cpst)
Comment 12 2008-10-08 20:50:50 PDT
This is not a regression in r37324, because I can reproduce it with r37323. The JavaScript on Hulu uses the Prototype framework, which uses a lot of 'arguments' and activation objects, so it is likely that random changes to memory layout caused this problem to become a crasher in Release builds after that revision.
Cameron Zwarich (cpst)
Comment 13 2008-10-08 20:57:28 PDT
Oops, I meant to say that it works fine on r37323 and r37324. I actually can't seem to reproduce it with any archived builds, because my local tree has CTI off for debugging purposes, which is probably affecting memory layout. I will have to revert and build.
Cameron Zwarich (cpst)
Comment 14 2008-10-08 21:40:26 PDT
I can't even seem to reproduce this with CTI off on r37400. I am just going to try to fix it on ToT.
Cameron Zwarich (cpst)
Comment 15 2008-10-08 22:43:16 PDT
Thanks to bug 21497, most of what I have said in this bug is wrong.
Cameron Zwarich (cpst)
Comment 16 2008-10-08 22:58:30 PDT
Now that I can actually test this properly, I can confirm that r37324 is the culprit. A specific URL that reproduces it for me every time is:
http://www.hulu.com/watch/36665/saturday-night-live-reliable-investments#s-p1-st-i2
It seems that this may be the same as bug 21494.
Cameron Zwarich (cpst)
Comment 17 2008-10-09 14:38:45 PDT
*** Bug 21507 has been marked as a duplicate of this bug. ***
Cameron Zwarich (cpst)
Comment 18 2008-10-09 14:40:50 PDT
*** Bug 21494 has been marked as a duplicate of this bug. ***
Cameron Zwarich (cpst)
Comment 19 2008-10-09 14:41:33 PDT
Created attachment 24236 [details] Proposed patch
Hayden
Comment 20 2008-10-09 14:46:33 PDT
Created attachment 24238 [details] Crash Report r37442
Cameron Zwarich (cpst)
Comment 21 2008-10-09 15:03:01 PDT
Landed in r37450.
Cameron Zwarich (cpst)
Comment 22 2008-10-09 17:32:07 PDT
*** Bug 21474 has been marked as a duplicate of this bug. ***
Cameron Zwarich (cpst)
Comment 23 2008-10-09 19:22:55 PDT
*** Bug 21481 has been marked as a duplicate of this bug. ***