Bug 46978
Summary: | [Qt] The scrolling benchmark crashes on Maemo 5 with QtWebKit 2.1 | ||
---|---|---|---|
Product: | WebKit | Reporter: | Benjamin Poulain <benjamin> |
Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED FIXED | ||
Severity: | Blocker | CC: | ademar, benjamin, hausmann, kevin.simons, loki, tonikitoo |
Priority: | P2 | Keywords: | Qt, QtTriaged |
Version: | 528+ (Nightly build) | ||
Hardware: | Other | ||
OS: | Linux |
Benjamin Poulain
With QtWebKit 2.1, the scrolling benchmark never finishes.
Glibc outputs the following error: "*** glibc detected *** ./tst_scrolling: malloc(): memory corruption: 0x003b14f8 ***"
The backtrace is the following:
#0 0x428ae548 in raise () from /lib/libc.so.6
#1 0x428afb6c in abort () from /lib/libc.so.6
#2 0x428e6344 in __libc_message () from /lib/libc.so.6
#3 0x428ec23c in malloc_printerr () from /lib/libc.so.6
#4 0x428ee208 in _int_malloc () from /lib/libc.so.6
#5 0x428ef878 in malloc () from /lib/libc.so.6
#6 0x427cf2fc in operator new(unsigned int) () from /usr/lib/libstdc++.so.6
#7 0x40f5463c in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, int, int) const () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#8 0x40ef6a30 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#9 0x40efc86c in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#10 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#11 0x40eecfb8 in WebCore::RenderBlock::paintFloats(WebCore::PaintInfo&, int, int, bool) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#12 0x40efc890 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#13 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#14 0x40ef684c in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#15 0x40ef6a10 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#16 0x40efc86c in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#17 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#18 0x40eecf70 in WebCore::RenderBlock::paintFloats(WebCore::PaintInfo&, int, int, bool) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#19 0x40efc890 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#20 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#21 0x40ef684c in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#22 0x40ef6a10 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#23 0x40efc86c in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#24 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#25 0x40f53224 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#26 0x40f52724 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0u>*, WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#27 0x40f52c9c in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#28 0x40f5398c in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#29 0x40e39bd8 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#30 0x41042154 in QWebFramePrivate::renderRelativeCoords(WebCore::GraphicsContext*, QWebFrame::RenderLayer, QRegion const&) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#31 0x00000000 in ?? ()
Benjamin Poulain
Update: the crash cannot be reproduced on desktop.
Benjamin Poulain
Update: the crash happens on the mirrored website http://www.msn.com/
It is row20 in the top_50 database. To reproduce it:
./tst_scrolling -graphicssystem raster -database bpoulains-webkit_test_datasets/top_50_january/crawl_db.db scroll:row20
It does not seem to be an out-of-memory problem; the device still has plenty of RAM available when it crashes.
Benjamin Poulain
Updates:
-the same crash happens with trunk
-valgrind reported issues with NEON; this is not the problem
Benjamin Poulain
Update: It also crashes without the JIT. But valgrind is still not reporting anything useful :(
valgrind: the 'impossible' happened:
Killed by fatal signal
Benjamin Poulain
I finally solved this thing. The problem was in Qt; the patch is in commit 4d974ff0a748b22e668a4cb7ef38101122c85b3b
To summarize what was going on:
-the gif plugin decodes a frame
-the gif plugin keeps a reference to this frame for future usage
-because of the bug, in-place conversion took place on the image returned by the plugin, which is also the one kept by the plugin
-because the color space is 16 bits on the device, the in-place conversion halves the memory allocated
-when WebKit needs the next image, the gif plugin reuses the cached image and writes out of the memory bounds, since the conversion reduced it
-after some time writing outside the memory bounds, the memory is so messed up that we end up with random crashes in WebCore
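The failure mode described in the comment above, modelled as an added example in C (constructed for this page, not Qt or WebKit code): a decoder keeps a cached 32bpp frame, an in-place conversion to 16bpp shrinks the allocation underneath it, and the next decode would write past the halved buffer. The `Frame` type, `capacity` field and the size check in `decode_into_cached` are assumptions that show the guard a shared buffer needs; the real fix in Qt was to stop converting the plugin's image in place.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the cached GIF frame; capacity tracks bytes actually allocated. */
typedef struct {
    uint8_t *pixels;
    size_t capacity;
    int width, height;
    int bytes_per_pixel;
} Frame;

static Frame *frame_new(int w, int h, int bpp) {
    Frame *f = calloc(1, sizeof *f);
    f->width = w; f->height = h; f->bytes_per_pixel = bpp;
    f->capacity = (size_t)w * h * bpp;
    f->pixels = calloc(f->capacity, 1);
    return f;
}

/* In-place 32bpp -> 16bpp conversion: halves the allocation, as the bug did to the plugin's frame. */
static void convert_in_place_to_16bpp(Frame *f) {
    size_t new_cap = (size_t)f->width * f->height * 2;
    uint8_t *p = realloc(f->pixels, new_cap);
    if (p) { f->pixels = p; f->capacity = new_cap; f->bytes_per_pixel = 2; }
}

/* Decoder writing a frame at decoder_bpp into its cached buffer.
   Returns 0 on success, -1 when the buffer no longer holds a full frame (where the bug overflowed). */
static int decode_into_cached(Frame *cached, int decoder_bpp) {
    size_t needed = (size_t)cached->width * cached->height * decoder_bpp;
    if (needed > cached->capacity)
        return -1;               /* refuse instead of writing past the shrunk allocation */
    memset(cached->pixels, 0xAB, needed); /* stand-in for decoded pixel data */
    return 0;
}

static void frame_free(Frame *f) { if (f) { free(f->pixels); free(f); } }

/* Replays the sequence from the comment: decode, cache, convert in place, decode again.
   Returns 1 when the first decode succeeds and the second is correctly refused. */
int simulate_shared_frame_bug(void) {
    Frame *cached = frame_new(64, 64, 4);        /* plugin decodes and keeps a 32bpp frame */
    int first = decode_into_cached(cached, 4);
    convert_in_place_to_16bpp(cached);           /* conversion that should have made a copy */
    int second = decode_into_cached(cached, 4);  /* -1: the halved buffer cannot take 32bpp */
    frame_free(cached);
    return (first == 0 && second == -1) ? 1 : 0;
}
```

Without the capacity check, the second decode writes 8192 bytes past the 8192-byte allocation, which is the kind of heap corruption glibc later reported from `malloc()`.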
Simon Hausmann
(In reply to comment #5)
> I finally solved this thing. The problem was in Qt; the patch is in commit 4d974ff0a748b22e668a4cb7ef38101122c85b3b
>
> To summarize what was going on:
> -the gif plugin decodes a frame
> -the gif plugin keeps a reference to this frame for future usage
> -because of the bug, in-place conversion took place on the image returned by the plugin, which is also the one kept by the plugin
> -because the color space is 16 bits on the device, the in-place conversion halves the memory allocated
> -when WebKit needs the next image, the gif plugin reuses the cached image and writes out of the memory bounds, since the conversion reduced it
>
> -after some time writing outside the memory bounds, the memory is so messed up that we end up with random crashes in WebCore
Excellent!
Kevin, this _could've_ been the same crash with gifs that you've seen... maybe.
Benjamin Poulain
(In reply to comment #6)
> Kevin, this _could've_ been the same crash with gifs that you've seen... maybe.
Good point. I am going to check that.
Benjamin Poulain
*** Bug 46970 has been marked as a duplicate of this bug. ***
Ademar Reis
Fixed in Qt (included in the qt-4.7 branch). No need to block the qtwebkit-2.1 release anymore.