Bug 40598

Summary:

[Qt] QtWebkit Crashes on loading CelticKane Standard tests

Product:

WebKit

Reporter:

Viatcheslav Ostapenko <ostap73>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ademar, ap, commit-queue, ggaren, hausmann, jukka.jokiniva, koshuin, laszlo.gombos, oliver

Priority:

Keywords:

Qt, QtTriaged

Version:

528+ (Nightly build)

Hardware:

S60 Hardware

OS:

S60 3rd edition

Attachments:

Description	Flags
Move big allocation from stack to heap.	ggaren: review-
Benchmark (test_page.html)	none
Symbian only patch	none
Added comment about symbian stack	none

Viatcheslav Ostapenko

Reported 2010-06-14 16:16:31 PDT

Crash in JavaScriptCore on S60 running popular Javascript benchmark case. Caused by stack overflow. The related call stack . -------------------------------------------------- 68 JSC::arrayProtoFuncToString() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\ArrayPrototype.cpp:180 0x4987601a 67 JSC::call() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\CallData.cpp:36 0x4987c96d 66 JSC::callDefaultValueFunction() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSObject.cpp:245 0x4989a110 65 JSC::JSObject::defaultValue() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSObject.cpp:266 0x49899f30 64 JSC::JSObject::toPrimitive() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSObject.h:590 0x497f32b7 63 JSC::JSObject::toString() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSObject.cpp:487 0x4989ad53 62 JSC::JSValue::toString() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSString.h:275 0x49802c32 61 JSC::arrayProtoFuncToString() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\ArrayPrototype.cpp:181 0x4987602f 60 JSC::call() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\CallData.cpp:36 0x4987c96d 59 JSC::callDefaultValueFunction() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSObject.cpp:245 0x4989a110 58 JSC::JSObject::defaultValue() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSObject.cpp:266 0x49899f30 57 JSC::JSObject::toPrimitive() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSObject.h:590 0x497f32b7 56 JSC::JSObject::toString() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSObject.cpp:487 0x4989ad53 55 JSC::JSValue::toString() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSString.h:275 0x49802c32 54 JSC::JSArray::sort() Y:\qt\src\3rdparty\webkit\JavaScriptCore\runtime\JSArray.cpp:701 0x498920bd ------------------------------------------------------------- arrayProtoFuncToString() function allocates quite big object on stack.

Attachments
Move big allocation from stack to heap. (1.32 KB, patch) 2010-06-14 16:55 PDT, Viatcheslav Ostapenko	ggaren: review-	Details Formatted Diff Diff
Benchmark (test_page.html) (707 bytes, text/html) 2010-06-15 11:10 PDT, Viatcheslav Ostapenko	no flags	Details
Symbian only patch (1.35 KB, patch) 2010-07-22 07:45 PDT, Viatcheslav Ostapenko	no flags	Details Formatted Diff Diff
Added comment about symbian stack (1.72 KB, patch) 2010-09-16 12:47 PDT, Viatcheslav Ostapenko	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Viatcheslav Ostapenko

Comment 1 2010-06-14 16:55:32 PDT

Created attachment 58728 [details] Move big allocation from stack to heap.

Alexey Proskuryakov

Comment 2 2010-06-15 10:53:23 PDT

I don't know if the inline capacity was added here based on actual measurements, but this change may negatively affect performance.

Viatcheslav Ostapenko

Comment 3 2010-06-15 11:09:34 PDT

(In reply to comment #2) > I don't know if the inline capacity was added here based on actual measurements, but this change may negatively affect performance. We've done some benchmarking (test_page.html): linux Vector on stack, buffer on stack: 43 - 44 ms Vector on heap, buffer on heap: 44 - 45 ms Vector on stack, buffer on heap: 43.5 - 44 ms Windows XP Vector on stack, buffer on stack: 83 - 84 ms Vector on heap, buffer on heap: 94 - 95 ms Vector on stack, buffer on heap: 88 - 89 ms Yes, it affects performance, but it seems the difference is not big. This code could be called recursively and 1k buffer on stack is not right.

Viatcheslav Ostapenko

Comment 4 2010-06-15 11:10:45 PDT

Created attachment 58798 [details] Benchmark (test_page.html)

Oliver Hunt

Comment 5 2010-07-04 20:21:40 PDT

(In reply to comment #3) > (In reply to comment #2) > > I don't know if the inline capacity was added here based on actual measurements, but this change may negatively affect performance. > > We've done some benchmarking (test_page.html): > > linux > Vector on stack, buffer on stack: 43 - 44 ms > Vector on heap, buffer on heap: 44 - 45 ms > Vector on stack, buffer on heap: 43.5 - 44 ms > > Windows XP > Vector on stack, buffer on stack: 83 - 84 ms > Vector on heap, buffer on heap: 94 - 95 ms > Vector on stack, buffer on heap: 88 - 89 ms > > Yes, it affects performance, but it seems the difference is not big. > This code could be called recursively and 1k buffer on stack is not right. Can we get sunspider numbers?

Geoffrey Garen

Comment 6 2010-07-06 10:08:38 PDT

Comment on attachment 58728 [details] Move big allocation from stack to heap. Even if this is the right approach (and, without any SunSpider numbers, I'm not convinced that it is), I don't think the inline capacity should go all the way to 0. How about 16? How much stack does S60 have? If S60's stack space is truly pathologically small, maybe the best solution is just to conditionally disable all Vector inline capacity on S60. Should be pretty easy to make that change in wtf/Vector.h.

Viatcheslav Ostapenko

Comment 7 2010-07-22 07:45:40 PDT

Created attachment 62296 [details] Symbian only patch

Viatcheslav Ostapenko

Comment 8 2010-07-22 07:48:00 PDT

> If S60's stack space is truly pathologically small, maybe the best solution is just to conditionally disable all Vector inline capacity on S60. Should be pretty easy to make that change in wtf/Vector.h. Disabling inline i Vector.h is not right, because vectors could be inlined in structures that are not on stack.

Geoffrey Garen

Comment 9 2010-07-22 14:25:00 PDT

> Disabling inline i Vector.h is not right, because vectors could be inlined in structures that are not on stack. Yes, there would be collateral damage from this change. But if S60's stack is so small, what alternative do we have to ensure that the stack-allocated vectors we use don't cause stack overflow?

Viatcheslav Ostapenko

Comment 10 2010-07-22 14:53:33 PDT

(In reply to comment #9) > > Disabling inline i Vector.h is not right, because vectors could be inlined in structures that are not on stack. > > Yes, there would be collateral damage from this change. > > But if S60's stack is so small, what alternative do we have to ensure that the stack-allocated vectors we use don't cause stack overflow? I've checked. There is not very much stack allocations of inlined vectors. And more important, those functions wouldn't be called recursively. The problem here in recursive allocation of 1k object on stack.

Simon Hausmann

Comment 11 2010-08-04 12:54:49 PDT

What about increasing the stack size of the application, using EPOCSTACKSIZE?

Viatcheslav Ostapenko

Comment 12 2010-08-04 13:08:32 PDT

(In reply to comment #11) > What about increasing the stack size of the application, using EPOCSTACKSIZE? How big should it be? I've tried increasing stack size to 512kb and it still was crashing. Should it be set bigger? Is it practical for mobile platform?

Janne Koskinen

Comment 13 2010-09-03 01:04:21 PDT

(In reply to comment #12) > (In reply to comment #11) > > What about increasing the stack size of the application, using EPOCSTACKSIZE? > > How big should it be? > I've tried increasing stack size to 512kb and it still was crashing. > Should it be set bigger? Is it practical for mobile platform? Qt already sets the stack to maximum of 80kB for main thread (with EPOCSTACKSIZE). This value is hardcoded in kernel and cannot be increased any further. If this is not run in the main thread then you can increase it up to 80kB from the default of 8kB. BTW: I have succesfully ran Celtikane tests with QtWebkit before so this can be considered as regression if that makes any difference.

Andreas Kling

Comment 14 2010-09-16 04:11:42 PDT

Comment on attachment 62296 [details] Symbian only patch Since we cannot increase the stack size beyond 80kB on Symbian, this looks like a reasonable solution to me.

Alexey Proskuryakov

Comment 15 2010-09-16 08:17:40 PDT

Comment on attachment 62296 [details] Symbian only patch Please at least add a comment explaining why SYMBIAN is different here.

Viatcheslav Ostapenko

Comment 16 2010-09-16 12:47:59 PDT

Created attachment 67831 [details] Added comment about symbian stack

Andreas Kling

Comment 17 2010-09-16 13:08:54 PDT

Comment on attachment 67831 [details] Added comment about symbian stack Good call, AP.

Eric Seidel (no email)

Comment 18 2010-09-18 03:19:48 PDT

Comment on attachment 62296 [details] Symbian only patch Cleared Andreas Kling's review+ from obsolete attachment 62296 [details] so that this bug does not appear in http://webkit.org/pending-commit.

WebKit Commit Bot

Comment 19 2010-10-01 07:56:30 PDT

Comment on attachment 67831 [details] Added comment about symbian stack Clearing flags on attachment: 67831 Committed r68890: <http://trac.webkit.org/changeset/68890>

WebKit Commit Bot

Comment 20 2010-10-01 07:56:37 PDT

All reviewed patches have been landed. Closing bug.

Ademar Reis

Comment 21 2010-10-05 03:02:41 PDT

Revision r68890 cherry-picked into qtwebkit-2.1 with commit 1254672 <http://gitorious.org/webkit/qtwebkit/commit/1254672>

Note You need to log in before you can comment on or make changes to this bug.