RESOLVED INVALID 23064
Always repeatable crash when clicking 'Play Wilhelm Scream'
https://bugs.webkit.org/show_bug.cgi?id=23064
Summary Always repeatable crash when clicking 'Play Wilhelm Scream'
John Engelhart
Reported 2009-01-01 01:32:04 PST
Used Wikipedia's 'permanent link' in case the page changes. When clicking on the button to play the 'Wilhelm Scream' audio sample, Safari always crashes in the same spot. This happens on the WebKit version I'm using (38826) and the stock Safari (Version 3.2.1 (5525.27.1)). Will attach the full crash report, but it looks like a NULL pointer is being handed to RenderSlider::inDragMode(). When I diff the Safari.app and WebKit.app crash logs, they are nearly identical, but there are slight differences. The two crashes I had with WebKit.app are identical (modulo the normal, expected differences). Here are the top interesting bits:

Process:         Safari [61339]
Path:            /Applications/WebKit.app/Contents/MacOS/WebKit
Identifier:      org.webkit.nightly.WebKit
Version:         r38826 (38826)
Code Type:       X86 (Native)
Parent Process:  launchd [126]

Date/Time:       2009-01-01 04:10:15.515 -0500
OS Version:      Mac OS X 10.5.6 (9G55)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000050
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.WebCore   0x012d98fc WebCore::RenderSlider::inDragMode() const + 12
1   com.apple.WebCore   0x014429f1 WebCore::MediaControlTimelineElement::defaultEventHandler(WebCore::Event*) + 33
2   com.apple.WebCore   0x00fd242c WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 1004
3   com.apple.WebCore   0x00fd2af9 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&) + 233
4   com.apple.WebCore   0x00fd2cad WebCore::EventTargetNode::dispatchSubtreeModifiedEvent() + 253
5   com.apple.WebCore   0x0124bea5 WebCore::NamedAttrMap::addAttribute(WTF::PassRefPtr<WebCore::Attribute>) + 181
6   com.apple.WebCore   0x00fc0b54 WebCore::Element::setAttribute(WebCore::QualifiedName const&, WebCore::AtomicString const&, int&) + 324
7   com.apple.WebCore   0x00fc0d86 WebCore::Element::setAttribute(WebCore::QualifiedName const&, WebCore::AtomicString const&) + 38
8   com.apple.WebCore   0x014431fd WebCore::MediaControlTimelineElement::MediaControlTimelineElement(WebCore::Document*, WebCore::HTMLMediaElement*) + 173
9   com.apple.WebCore   0x012b8e6f WebCore::RenderMedia::createTimeline() + 63
10  com.apple.WebCore   0x012ba8f0 WebCore::RenderMedia::updateControls() + 976
11  com.apple.WebCore   0x01303512 WebCore::RenderVideo::updateFromElement() + 18
12  com.apple.WebCore   0x0108d1c7 WebCore::HTMLVideoElement::attach() + 23
13  com.apple.WebCore   0x00eb08eb WebCore::ContainerNode::attach() + 43
14  com.apple.WebCore   0x00fc0098 WebCore::Element::attach() + 40
15  com.apple.WebCore   0x00eaffcc WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&, bool) + 652
16  com.apple.WebCore   0x01039163 WebCore::replaceChildrenWithFragment(WebCore::HTMLElement*, WTF::PassRefPtr<WebCore::DocumentFragment>, int&) + 115
17  com.apple.WebCore   0x0103a0d1 WebCore::HTMLElement::setInnerHTML(WebCore::String const&, int&) + 65
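The trace above has a recognisable shape: a derived element's constructor (frame 8) calls setAttribute, the attribute change synchronously dispatches DOMSubtreeModified (frames 4-2), and that dispatch lands in the same element's defaultEventHandler (frame 1), which reads through renderer() before attach() has produced one. A fault address of 0x50 is what a read of a member at offset 0x50 through a null `this` looks like, which matches the reporter's NULL-pointer reading. The following is an added, constructed model of that call shape written for this page; it is not WebCore's code, the class and method names are borrowed from the trace only for readability, and the hardened variant is illustrative rather than WebKit's actual patch (the thread itself was closed INVALID because a third-party input manager was loaded, so the model shows why such a trace is plausible, not a confirmed WebKit defect). The real null dereference is undefined behaviour, so the model throws where the trace shows EXC_BAD_ACCESS.

```cpp
// Constructed model of: derived ctor -> setAttribute -> synchronous
// DOMSubtreeModified -> defaultEventHandler -> renderer()->inDragMode()
// while renderer() is still null. Not WebCore code; names mirror the trace.
#include <map>
#include <stdexcept>
#include <string>

struct RenderSlider {
    bool dragging = false;
    bool inDragMode() const { return dragging; }
};

struct Event {
    std::string type;
};

// Minimal element: attribute storage plus a synchronous mutation event.
class Element {
public:
    virtual ~Element() {}
    RenderSlider* renderer() const { return m_renderer; }
    void attach(RenderSlider* r) { m_renderer = r; }

    void setAttribute(const std::string& name, const std::string& value) {
        m_attributes[name] = value;
        // Mutation events are dispatched synchronously: the default handler runs
        // before setAttribute() returns. When the caller is the derived class's
        // constructor, attach() has not happened yet and renderer() is null.
        Event ev{"DOMSubtreeModified"};
        defaultEventHandler(ev);
    }

    virtual void defaultEventHandler(Event& event) = 0;

private:
    RenderSlider* m_renderer = nullptr;   // null until attach()
    std::map<std::string, std::string> m_attributes;
};

// Stand-in for the hardware fault (a real null read is undefined behaviour).
struct BadAccess : std::runtime_error {
    BadAccess() : std::runtime_error("EXC_BAD_ACCESS: renderer() is null") {}
};

static bool inDragModeUnchecked(RenderSlider* r) {
    if (!r) throw BadAccess();   // models reading r->dragging through nullptr
    return r->inDragMode();
}

// Mirrors the trace: the constructor sets an attribute, and the handler reads
// through renderer() for every event type, including the mutation event that
// the constructor itself just raised.
class UncheckedTimeline : public Element {
public:
    UncheckedTimeline() { setAttribute("type", "range"); }
    void defaultEventHandler(Event&) override {
        sawDrag = inDragModeUnchecked(renderer());
    }
    bool sawDrag = false;
};

// Hardened variant (illustrative): only mouse events matter for scrubbing, and
// the renderer may legitimately be absent, so both are checked before use.
class CheckedTimeline : public Element {
public:
    CheckedTimeline() { setAttribute("type", "range"); }
    void defaultEventHandler(Event& event) override {
        if (event.type != "mousedown" && event.type != "mousemove" && event.type != "mouseup")
            return;                       // ignore DOMSubtreeModified and friends
        RenderSlider* slider = renderer();
        if (!slider)
            return;                       // not attached yet, or detached again
        sawDrag = slider->inDragMode();
    }
    bool sawDrag = false;
};

// True when merely constructing the element would have faulted.
bool constructionFaults(bool checked) {
    try {
        if (checked) { CheckedTimeline t; (void)t; }
        else         { UncheckedTimeline t; (void)t; }
        return false;
    } catch (const BadAccess&) {
        return true;
    }
}

// Drives a mouse event at an attached, hardened element; returns what it saw.
bool dragObservedAfterAttach(bool dragging) {
    CheckedTimeline t;
    RenderSlider slider;
    slider.dragging = dragging;
    t.attach(&slider);
    Event ev{"mousemove"};
    t.defaultEventHandler(ev);
    return t.sawDrag;
}
```

The practitioner's takeaway from the model is the general one: any handler reachable through a synchronous DOM mutation event can run while the target is half-constructed or detached, so renderer-backed state must be null-checked and the handler should ignore event types it was never meant to service.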
Attachments
WebKit.app crash log (30.83 KB, text/plain)
2009-01-01 01:33 PST, John Engelhart
no flags
Safari.app crash log (30.39 KB, text/plain)
2009-01-01 01:35 PST, John Engelhart
no flags
John Engelhart
Comment 1 2009-01-01 01:33:40 PST
Created attachment 26345 [details] WebKit.app crash log This is a crash log for WebKit.app r38826.
John Engelhart
Comment 2 2009-01-01 01:35:28 PST
Created attachment 26346 [details] Safari.app crash log This is a crash log for Safari.app version 3.2.1 (5525.27.1) / WebBrowser-55252701~1
Alexey Proskuryakov
Comment 3 2009-01-02 02:54:50 PST
I cannot reproduce this as reported. I am seeing an assertion failure on a debug build when switching from native to Java player via "More..." link, and also, the native player doesn't actually play any sound for me, but neither is the problem that you report. Could you please remove AdBlock and try again? We need to figure out why your results are different.
John Engelhart
Comment 4 2009-01-03 20:00:12 PST
(In reply to comment #3)
> I cannot reproduce this as reported. I am seeing an assertion failure on a
> debug build when switching from native to Java player via "More..." link, and
> also, the native player doesn't actually play any sound for me, but neither is
> the problem that you report.

I'm very glad you mentioned 'Java player', as that's the key. I happen to run my browsers with Java disabled. When I enable Java in Safari, it no longer crashes. Disabling Java (Preferences > Security > Enable Java) tickles the bug and causes the crash.
John Engelhart
Comment 5 2009-01-03 20:09:09 PST
(In reply to comment #4)
> I'm very glad you mentioned 'Java player', as that's the key. I happen to run
> my browsers with Java disabled. When I enable Java in safari, it no longer
> crashes. Disabling Java (preferences > security > Enable Java) tickles the bug
> and causes the crash.

Just to be clear, under the Preferences > Security > Web Content: section, the following are enabled: 'Enable plug-ins', 'Enable JavaScript', 'Block pop-up windows'. The following is disabled: 'Enable Java'. These are the settings that recreate the crash. When I enable Java, the browser no longer crashes. Let me know if this allows you to recreate the crash, or if we need to hunt a bit more to find out what's different in my setup.
Alexey Proskuryakov
Comment 6 2009-01-05 03:10:16 PST
I cannot reproduce the problem by disabling Java. The player automatically switches to native - which doesn't work for me as mentioned above, but I'm not seeing any crash. Besides AdBlock, which is a major suspect, I see a different version of QuickTime in your crash log (you have 7.5.7 which is only available for the newest Apple hardware as far as I know, and I have 7.5.5). Otherwise, configuration looks the same.
John Engelhart
Comment 7 2009-01-05 14:23:59 PST
Removing Safari AdBlock (mv /Library/InputManagers/Saf... /Library/DisabledInputManagers/) and restarting Safari clears up the problem, though I'm very curious as to why. Also, I tried this on a PowerBook: same crash, but also running Safari AdBlock. Looking at the stack trace, there's nothing in there that points to Safari AdBlock; it's all deep in JavaScript land. Digging a little bit more, I set up a DTrace probe on 'RegexKit*:::EndMatch' to see if Safari AdBlock was even 'doing anything'. Nada, zippo, no matches took place between the time the page loaded and I clicked on the button. Not conclusive, but it seems like a fair assumption that Safari AdBlock code was not executed. I've never once had a problem with Safari AdBlock, and I've poked and prodded it more than most people (I wrote RegexKit). Very weird. Weirder still that it only happens with Java disabled. Not sure where you want to take this bug. I don't know the WebKit code base at all, so I can't realistically dig into it even though I'd like to know the reason why (having written the regex part of Safari AdBlock).
Alexey Proskuryakov
Comment 8 2009-01-05 14:48:22 PST
I intend to file new bugs for the two issues I'm seeing, and close this one as INVALID. We can't realistically investigate problems that are caused by interaction with 3rd party software that modifies Safari/WebKit code at runtime. Thanks a lot for confirming that this doesn't happen without AdBlock!
Alexey Proskuryakov
Comment 9 2009-01-06 01:51:50 PST