Bug 30938 - REGRESSION(r50233): Windows nightlies crash on launch due to changes to IWebFramePrivate vtable ordering
Summary: REGRESSION(r50233): Windows nightlies crash on launch due to changes to IWebF...
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows XP
: P2 Major
Assignee: Nobody
Depends on:
Reported: 2009-10-29 18:30 PDT by 808caaa4.8ce9.9cd6c799e9f6
Modified: 2009-11-12 19:03 PST (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description 808caaa4.8ce9.9cd6c799e9f6 2009-10-29 18:30:02 PDT
leads crash.

IWebFramePrivate::counterValueForElementById inserted near the top of vtable.

[additional notes]
Some XP installations have *only* v8.0.50727.4053 ATL by WU, no updated CRT, specified in dependentAssembly.
If no CRT exists Safari/WebKit cannot boot (before crashing).
Owners may have to install updated vcredist_x86.exe:

simple check:
run "dir %windir%\WinSxS\*_8.0.50727.4053_*"
CRT exists?
Comment 1 Mark Rowe (bdash) 2009-10-29 18:36:41 PDT
This is a known issue.  We have the ATL security update installed on our builders so the update is required in order to use the built software.  We have no plans to change this at the moment.
Comment 2 808caaa4.8ce9.9cd6c799e9f6 2009-10-29 19:37:05 PDT
hmm.. then, how about crashing/vtable..
Comment 3 Mark Rowe (bdash) 2009-10-29 19:43:40 PDT
Perhaps you’d like to be clearer about what you mean.  What about a vtable?
Comment 4 808caaa4.8ce9.9cd6c799e9f6 2009-10-29 20:53:10 PDT
For example safari v4.0.3 (531.9.1) + WebKit-r50233, crashes before main window appear.
ntsd said:
(c24.ba0): Access violation - code c0000005 (!!! second chance !!!)
eax=1001525a ebx=7fea4a01 ecx=1d74c084 edx=7fc72934 esi=7fea4b10 edi=00ef0483
eip=100658c5 esp=0012f2d8 ebp=7fea4b10 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ...\Safari.dll - 
100658c5 8b5108          mov     edx,dword ptr [ecx+8] ds:0023:1d74c08c=????????

// It seems no correspond pdbs for safari.dll found on Apple's symsrv.

With ntsd, safari.dll seems want to call IWebFramePrivate::isFrameSet() around there, 
but since r50233, IWebFramePrivate have counterValueForElementById() at #5 entry in vtable,
so it calls WebFrame::spoolPages().
spoolPages has 4 arguments while isFrameSet has 1 argument, so stack will be broken.

100658a5 8b10             mov     edx,[eax]         ds:0023:7fc72934=016bd060
100658a7 8b522c           mov     edx,[edx+0x2c]{WebKit!WebFrame__spoolPages (01206590)} ds:0023:016bd08c=01206590
100658aa 53               push    ebx  ; <- not argument, popped just before retn
100658ab 8d4c240c         lea     ecx,[esp+0xc]     ss:0023:0012f2d8=00000000
100658af 51               push    ecx  ; <- BOOL* result
100658b0 50               push    eax  ; <- this
100658b1 ffd2             call   edx {WebKit!WebFrame__spoolPages (01206590)}
Comment 5 Mark Rowe (bdash) 2009-10-29 21:05:01 PDT
Thanks, that’s much clearer :-)
Comment 6 Mark Rowe (bdash) 2009-10-29 21:07:37 PDT
Fixed in r50316.
Comment 7 808caaa4.8ce9.9cd6c799e9f6 2009-10-30 05:48:42 PDT
WebKit-SVN-r50316.zip still have wrong-ordered vtable, so still makes crash.

Should we 'touch' something more?

// and still no pdbs found v4.0.3(531.9.1)...
Comment 8 808caaa4.8ce9.9cd6c799e9f6 2009-11-12 19:03:46 PST
fixed in r50484(bug 31055)