Bug 30085 - REGRESSION (r49091): run-safari crashes in Safari.dll
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P2 Normal
Assignee: Adam Roben (:aroben)
Reported: 2009-10-05 11:29 PDT by Yong Li
Modified: 2009-10-12 11:15 PDT
Attachments
dump file saved by VS2005 (37.74 KB, application/octet-stream) - 2009-10-06 09:26 PDT, Yong Li
Safari crash dump (35.65 KB, application/octet-stream) - 2009-10-06 09:26 PDT, Alexander Pavlov (apavlov)
Move the new IWebViewPrivate::inspectorPrivate function after all functions that existed when Safari 4.0.3 was released (1.47 KB, patch) - 2009-10-08 08:35 PDT, Adam Roben (:aroben) - sullivan: review+
Another similar crash (46.05 KB, application/octet-stream) - 2009-10-08 08:38 PDT, anton muhin

Description Yong Li 2009-10-05 11:29:15 PDT
I got a Win32 WebKit build. run-safari crashes when launching the browser.

The VS2005 debugger shows it crashes in free.c:

        {
            retval = HeapFree(_crtheap, 0, pBlock);   // Crash here
            if (retval == 0)
            {
                errno = _get_errno_from_oserr(GetLastError());
            }
        }

The stack trace is:

 	7fe99ea0()	
 	Safari.dll!677029c7() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for Safari.dll]	
 	Safari.dll!676fc1b7() 	
 	user32.dll!77450657() 	
 	Safari.dll!676e428d() 	
 	Safari.dll!676e1c68() 	
 	user32.dll!7744f8d2() 	
 	user32.dll!77441912() 	
 	user32.dll!7744f73d() 	
 	user32.dll!77450817() 	
 	user32.dll!774439f7() 	
 	ntdll.dll!77ac99ce() 	
 	user32.dll!77443cf7() 	
 	user32.dll!77443b94() 	
 	user32.dll!7743eb62() 	
 	user32.dll!7744382f() 	
 	user32.dll!7743eb7f() 	
 	user32.dll!7743ebab() 	
 	CoreFoundation.dll!6b847ed2() 	
 	CoreFoundation.dll!6b892ba0() 	
 	CoreFoundation.dll!6b88d60c() 	
 	CoreFoundation.dll!6b89087b() 	
 	CoreFoundation.dll!6b88d30f() 	
 	CoreFoundation.dll!6b88d60c() 	
 	CoreFoundation.dll!6b88dc1a() 	
 	ntdll.dll!77ab429e() 	
 	ntdll.dll!77ab429e() 	
 	ntdll.dll!77ab0e36() 	
 	user32.dll!77443cc3() 	
 	user32.dll!7743d57a() 	
 	user32.dll!7743d63f() 	
 	user32.dll!77443d9a() 	
 	Safari.dll!67728fc2() 	
 	Safari.dll!6775a6b5() 	
 	Safari.dll!67703189() 	
 	Safari.dll!6773dec6() 	
 	Safari.dll!67701942() 	
 	pthreadVC2.dll!73fc32fe() 	
 	Safari.dll!676fc83f() 	
 	CFNetwork.dll!69e761bc() 	
 	Safari.dll!6774d706() 	
 	Safari.dll!6774ddb8() 	
 	Safari.exe!003f1412() 	
 	ntdll.dll!77ad5b87() 	
 	ntdll.dll!77ad8b2c() 	
 	ntdll.dll!77ad8752() 	
 	ntdll.dll!77ad8752() 	
 	ntdll.dll!77ad861f() 	
 	ntdll.dll!77ad8652() 	
 	kernel32.dll!77c3c56f() 	
>	msvcr80.dll!free(void * pBlock=0x01787b38)  Line 110	C
 	msvcr80.dll!_wsetenvp()  Line 139	C
 	msvcr80.dll!__wgetmainargs(int * pargc=0x003f3018, unsigned short * * * pargv=0x003f3020, unsigned short * * * penvp=0x003f301c, int dowildcard=0x00000000, _startupinfo * startinfo=0xaed3d67a)  Line 127 + 0x5 bytes	C
 	Safari.exe!003f146f() 	
 	Safari.exe!003f15d4() 	
 	kernel32.dll!77c34911() 	
 	ntdll.dll!77aae4b6() 	
 	ntdll.dll!77aae489()
Comment 1 Alexander Pavlov (apavlov) 2009-10-06 04:22:04 PDT
Same here, but pBlock is 0x00000000 for me, and the stack trace is slightly different (running r49162):

>	msvcr80.dll!fastcopy_I(void * dst=0x03fa98c0, void * src=0x01080180, int len=90177568)  + 0x46 bytes	C
 	msvcr80.dll!_VEC_memcpy(void * dst=0x03fa98c0, void * src=0x010801e0, int len=-858993460)  + 0x52 bytes	C
 	WebKit.dll!WebCore::StringImpl::create(const wchar_t * characters=0x03fa98c0, unsigned int length=17301888)  Line 1015 + 0x13 bytes	C++
 	msvcr80.dll!_VEC_memcpy(void * dst=0x03fa98c0, void * src=0x010801e0, int len=-858993460)  + 0x52 bytes	C
 	WebKit.dll!WebCore::StringImpl::create(const wchar_t * characters=0x03fa98c0, unsigned int length=17301984)  Line 1015 + 0x13 bytes	C++
 	WebKit.dll!WebCore::StringImpl::create(const wchar_t * characters=0x03fa98c0, unsigned int length=8650992)  Line 1015 + 0x13 bytes	C++
 	WebKit.dll!WebCore::String::String(const wchar_t * str=0x03fa98c0, unsigned int len=8650992)  Line 53 + 0x11 bytes	C++
 	WebKit.dll!WebView::executeCoreCommandByName(wchar_t * bName=0x03fa98c0, wchar_t * bValue=0x03f0a128)  Line 3083	C++
 	Safari.exe!00423a89() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for Safari.exe]	
 	Safari.exe!0055c61d() 	
 	Safari.exe!00423327() 	
 	Safari.exe!0041c9e9() 	
 	Safari.exe!0040420d() 	
 	Safari.exe!00533598() 	
 	user32.dll!7e418734() 	
 	user32.dll!7e418816() 	
 	user32.dll!7e428ea0() 	
 	user32.dll!7e42ce7c() 	
 	ntdll.dll!7c90e473() 	
 	user32.dll!7e42e389() 	
 	user32.dll!7e42e34f() 	
 	Safari.exe!007e0045() 	
 	Safari.exe!00740069() 	
 	ntdll.dll!7c910385() 	
 	ntdll.dll!7c915239() 	
 	ntdll.dll!7c91542b() 	
 	ntdll.dll!7c9100b8() 	
 	ntdll.dll!7c910041() 	
 	ntdll.dll!7c91005d() 	
 	ntdll.dll!7c9157c1() 	
 	ntdll.dll!7c91534a() 	
 	ntdll.dll!7c915742() 	
 	ntdll.dll!7c9155ed() 	
 	ntdll.dll!7c91005d() 	
 	user32.dll!7e419951() 	
 	ntdll.dll!7c910323() 	
 	ntdll.dll!7c910323() 	
 	user32.dll!7e4199e4() 	
 	user32.dll!7e419a12() 	
 	user32.dll!7e41a303() 	
 	user32.dll!7e419a12() 	
 	user32.dll!7e41a31a() 	
 	user32.dll!7e41a33b() 	
 	Safari.exe!00740069() 	
 	ntdll.dll!7c9100b8() 	
 	ntdll.dll!7c910041() 	
 	ntdll.dll!7c91005d() 	
 	ntdll.dll!7c910323() 	
 	user32.dll!7e42e442() 	
 	ntdll.dll!7c91005d() 	
 	msvcr80.dll!free(void * pBlock=0x00000000)  Line 110	C
 	user32.dll!7e42d0d6() 	
 	Safari.exe!00449542() 	
 	Safari.exe!0047a732() 	
 	Safari.exe!00423c59() 	
 	Safari.exe!0045e3f5() 	
 	Safari.exe!004222f1() 	
 	pthreadVC2.dll!696032fe() 	
 	Safari.exe!0041d06f() 	
 	CFNetwork.dll!6a52611f() 	
 	Safari.exe!0046dab6() 	
 	Safari.exe!00424304() 	
 	Safari.exe!0065ef57() 	
 	kernel32.dll!7c817077() 	
 	Safari.exe!00740061() 	
 	Safari.exe!00740069() 	
 	Safari.exe!006f0073() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!006f0073() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!006f0073() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!006f0073() 	
 	Safari.exe!0065004e() 	
 	Safari.exe!0065004e()
Comment 2 Adam Roben (:aroben) 2009-10-06 09:01:19 PDT
Yong or apavlov, can either of you upload a .dmp file from your crash? http://webkit.org/quality/crashlogs.html has instructions, and you can also save a .dmp from within Visual Studio by choosing Debug > Save Dump As...
Comment 3 Yong Li 2009-10-06 09:26:19 PDT
Created attachment 40725 [details]
dump file saved by VS2005

I'm using Vista, which doesn't include Dr. Watson.
Comment 4 Alexander Pavlov (apavlov) 2009-10-06 09:26:55 PDT
Created attachment 40726 [details]
Safari crash dump
Comment 5 Alexander Pavlov (apavlov) 2009-10-06 09:27:49 PDT
(In reply to comment #2)

Visual Studio 2005 dump attached.
Comment 6 Adam Roben (:aroben) 2009-10-08 08:24:40 PDT
Here's a better backtrace:

 	msvcr80.dll!_memcpy()  + 0x1e0 bytes	
>	WebKit.dll!WebCore::StringImpl::create(const wchar_t * characters=0x04f93940, unsigned int length=17564594)  Line 971 + 0x13 bytes	C++
 	WebKit.dll!WebCore::String::String(const wchar_t * str=0x04f93940, unsigned int len=17564594)  Line 53 + 0x11 bytes	C++
 	WebKit.dll!WebView::executeCoreCommandByName(wchar_t * bName=0x04f93940, wchar_t * bValue=0x047b7798)  Line 3083	C++
 	Safari.dll!SafariView::attachToSafariWindow()  + 0x59 bytes	
 	Safari.dll!TabbedBrowsingBarBase::newTabWithView()  + 0x9d bytes	
 	Safari.dll!SafariWindow::createTabWithFrameName()  + 0x47 bytes	
 	Safari.dll!SafariWindow::onCreate()  + 0x8b7 bytes	
 	Safari.dll!SafariWindow::ProcessWindowMessage()  + 0x3d bytes	
 	Safari.dll!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<101646336,0> >::WindowProc()  + 0x58 bytes	
 	user32.dll!_InternalCallWinProc@20()  + 0x28 bytes	
 	user32.dll!_UserCallWinProcCheckWow@32()  + 0x13692 bytes	
 	user32.dll!_DispatchClientMessage@20()  + 0x4d bytes	
 	user32.dll!___fnINLPCREATESTRUCT@4()  + 0x56 bytes	
 	ntdll.dll!_KiUserCallbackDispatcher@12()  + 0x13 bytes	
 	user32.dll!_NtUserCreateWindowEx@60()  + 0xc bytes	
 	user32.dll!__CreateWindowEx@52()  + 0xb1 bytes	
 	user32.dll!_CreateWindowExW@48()  + 0x33 bytes	
 	Safari.dll!WTL::CFrameWindowImplBase<ATL::CWindow,ATL::CWinTraits<101646336,0> >::Create()  + 0x82 bytes	
 	Safari.dll!SafariWindow::create()  + 0x75 bytes	
 	Safari.dll!SafariWindow::createInstance()  + 0xa9 bytes	
 	Safari.dll!Safari::Application::showWelcomePageIfNeeded()  + 0xc6 bytes	
 	pthreadVC2.dll!pthread_mutex_unlock(pthread_mutex_t_ * * mutex=0x00000001)  Line 89 + 0x14 bytes	C
 	Safari.dll!run()  + 0xef bytes	
 	Safari.dll!BonjourDB::startBrowsing()  + 0x89 bytes	
 	Safari.dll!safariMain()  + 0x596 bytes	
 	Safari.dll!_safariDLLMain@16()  + 0x38 bytes	
 	Safari.exe!_wWinMain@16()  + 0x152 bytes	
 	Safari.exe!@__security_check_cookie@4()  + 0x1aa bytes	
 	kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes
Comment 7 Adam Roben (:aroben) 2009-10-08 08:25:56 PDT
My guess is that someone has messed up the vtable for IWebView or some other similar interface. It doesn't make sense for SafariView::attachToSafariWindow to be calling WebView::executeCoreCommandByName.
Comment 8 Adam Roben (:aroben) 2009-10-08 08:27:26 PDT
attachToSafariWindow calls windowAncestryDidChange, which is the next IWebViewPrivate member after executeCoreCommandByName. So my guess is that someone added an IWebViewPrivate member above that point.
Comment 9 Adam Roben (:aroben) 2009-10-08 08:29:11 PDT
Looks like r49091 did this. http://trac.webkit.org/changeset/49091#file7
Comment 10 Adam Roben (:aroben) 2009-10-08 08:35:01 PDT
Created attachment 40873 [details]
Move the new IWebViewPrivate::inspectorPrivate function after all functions that existed when Safari 4.0.3 was released
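A simplified model of the vtable-slot mismatch that comments 7 through 10 describe, added here as an illustration and not WebKit's or Safari's code: the interface and method names come from the bug, while the slot layouts, the stale-client call and the `layout_compatible` check are constructed. It shows why a member inserted above `executeCoreCommandByName` makes a client compiled against the Safari 4.0.3 header land in the wrong method with an argument frame that was never pushed, and why appending the member (r49304) keeps the old slots intact.

```c
#include <stdio.h>
#include <string.h>

/* COM methods take the object pointer first; each one here just returns its
 * own name so we can observe which implementation a slot call really reached. */
typedef const char *(*Method)(void *self);

static const char *executeCoreCommandByName(void *self) { (void)self; return "executeCoreCommandByName"; }
static const char *windowAncestryDidChange(void *self)  { (void)self; return "windowAncestryDidChange"; }
static const char *inspectorPrivate(void *self)         { (void)self; return "inspectorPrivate"; }

enum { MAX_SLOTS = 8 };
typedef struct { Method slots[MAX_SLOTS]; } VTable;   /* one function pointer per interface member */
typedef struct { const VTable *vtbl; } Object;        /* a COM object's first word is its vtable pointer */

/* Slot numbers baked into a client (Safari.dll) compiled against the Safari 4.0.3 header.
 * A client never looks a method up by name at run time: it dereferences slot N. */
enum { SLOT_EXECUTE_CORE_COMMAND = 0, SLOT_WINDOW_ANCESTRY = 1 };

/* Constructed layouts, reduced to the members the bug talks about. */
const VTable shipped_403 = { { executeCoreCommandByName, windowAncestryDidChange } };
/* r49091: a member added above executeCoreCommandByName shifts every later slot down by one. */
const VTable layout_r49091 = { { inspectorPrivate, executeCoreCommandByName, windowAncestryDidChange } };
/* r49304: the new member appended after everything that existed in 4.0.3; old slots unchanged. */
const VTable layout_r49304 = { { executeCoreCommandByName, windowAncestryDidChange, inspectorPrivate } };

/* What the stale client's call to windowAncestryDidChange actually reaches on a given server build.
 * Against layout_r49091 it lands in executeCoreCommandByName, whose BSTR parameters are then read
 * from a stack frame that never pushed them: the garbage bName/length values in Comment 6. */
const char *stale_client_window_ancestry_call(const VTable *server) {
    Object obj = { server };
    return obj.vtbl->slots[SLOT_WINDOW_ANCESTRY](&obj);
}

/* Build-time guard: every slot the shipped client knows about must still hold the same method.
 * Only appending past shipped_count keeps the interface binary-compatible. */
int layout_compatible(const VTable *shipped, const VTable *candidate, int shipped_count) {
    for (int i = 0; i < shipped_count; ++i)
        if (shipped->slots[i] != candidate->slots[i])
            return 0;
    return 1;
}

int main(void) {
    printf("4.0.3 client on r49091 server -> %s\n", stale_client_window_ancestry_call(&layout_r49091));
    printf("4.0.3 client on r49304 server -> %s\n", stale_client_window_ancestry_call(&layout_r49304));
    printf("r49091 compatible: %d, r49304 compatible: %d\n",
           layout_compatible(&shipped_403, &layout_r49091, 2),
           layout_compatible(&shipped_403, &layout_r49304, 2));
    return 0;
}
```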
Comment 11 anton muhin 2009-10-08 08:38:30 PDT
Created attachment 40874 [details]
Another similar crash

WebKit after a clean build. git pulled at

commit 597a1d3006745f287ae2aba32edd7d3e353ed0d7
Author: barraclough@apple.com
<barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Oct 8 09:18:21 2009 +0000

   Fix for JIT'ed op_call instructions (evals, constructs, etc.)
   when !ENABLE(JIT_OPTIMIZE_CALL) && USE(JSVALUE32_64)

   Patch by Zoltan Herczeg <zherczeg@inf.u-szeged.hu> on 2009-10-08
   Reviewed by Gavin Barraclough.

   https://bugs.webkit.org/show_bug.cgi?id=30201

   * jit/JITCall.cpp:
   (JSC::JIT::compileOpCall):
Comment 12 Adam Roben (:aroben) 2009-10-08 08:40:10 PDT
Committed r49304: <http://trac.webkit.org/changeset/49304>
Comment 13 anton muhin 2009-10-08 10:35:07 PDT
(In reply to comment #12)
> Committed r49304: <http://trac.webkit.org/changeset/49304>

Thanks a lot, Adam.

I am current at git-svn-id: http://svn.webkit.org/repository/webkit/trunk@49305 268f45cc-cd09-0410-ab3c-d52691b4dbfc and Safari starts fine.
Comment 14 Yong Li 2009-10-12 10:58:33 PDT
I was trying a new build based on the latest code, but it says out-of-memory when linking the WebKit DLL. I have 3GB of physical memory installed on my PC.
Comment 15 Steve Falkenburg 2009-10-12 11:15:48 PDT
If you're building release, use an x64 variant of Windows. The linker is out of address space.