| Summary: | [Qt] The scrolling benchmark crashes on Maemo 5 with QtWebKit 2.1 | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Benjamin Poulain <benjamin> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Blocker | CC: | ademar, benjamin, hausmann, kevin.simons, loki, tonikitoo |
| Priority: | P2 | Keywords: | Qt, QtTriaged |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Other | | |
| OS: | Linux | | |
Description
Benjamin Poulain
2010-10-01 05:22:35 PDT
Update: the crash cannot be reproduced on desktop.

Update: the crash happens on the mirrored website http://www.msn.com/
It is the row20 in the top_50 database. To reproduce it:

    ./tst_scrolling -graphicssystem raster -database bpoulains-webkit_test_datasets/top_50_january/crawl_db.db scroll:row20

It does not seem to be an out of memory problem, the device still has plenty of RAM available when it is crashing.

Updates:
- the same crash happens with trunk
- valgrind reported issues with neon, this is not the problem

Update: It also crashes without the JIT. But valgrind is still not reporting anything useful :(

    valgrind: the 'impossible' happened:
    Killed by fatal signal

I finally solved this thing. The problem was in Qt, the patch is in the commit 4d974ff0a748b22e668a4cb7ef38101122c85b3b

To summarize what was going on:
- the gif plugin decodes a frame
- the gif plugin keeps a reference to this frame for future usage
- because of the bug, in-place conversion took place on the image returned by the plugin, which is also the one kept by the plugin
- because the color space is 16 bits on device, the in-place conversion halves the memory allocated
- when WebKit needs the next image, the gif plugin reuses the cached image, and writes out of the memory since the conversion reduced it.
- after some time writing outside the memory bounds, the memory is so messed up we end up with random crashes in WebCore.

(In reply to comment #5)
> I finally solved this thing. The problem was in Qt, the patch is in the commit 4d974ff0a748b22e668a4cb7ef38101122c85b3b
>
> To summarize what was going on:
> - the gif plugin decodes a frame
> - the gif plugin keeps a reference to this frame for future usage
> - because of the bug, in-place conversion took place on the image returned by the plugin, which is also the one kept by the plugin
> - because the color space is 16 bits on device, the in-place conversion halves the memory allocated
> - when WebKit needs the next image, the gif plugin reuses the cached image, and writes out of the memory since the conversion reduced it.
>
> - after some time writing outside the memory bounds, the memory is so messed up we end up with random crashes in WebCore.

Excellent! Kevin, this _could've_ been the same crash with gifs that you've seen... maybe.

(In reply to comment #6)
> Kevin, this _could've_ been the same crash with gifs that you've seen... maybe.

Good point. I am gonna check that.

*** Bug 46970 has been marked as a duplicate of this bug. ***

Fixed in Qt (included in the qt-4.7 branch). No need to block the qtwebkit-2.1 release anymore.
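The aliasing bug summarized in comment #5, reduced to a small C++ model. This is an added example written for this page; it is not Qt's image or GIF plugin code and not the commit referenced above. `Frame`, `GifDecoder`, `convertTo16BitInPlace` and `convertTo16BitCopy` are constructed names. The decoder hands out the very buffer it keeps cached; the buggy path shrinks that shared buffer from 32-bit to 16-bit pixels in place, so the decoder's next write would run past the end. Rather than actually writing out of bounds, the model reports how many bytes the next frame write would overrun by, which is the check a defender would want; the fixed path converts into a fresh buffer and leaves the cache untouched.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <memory>
#include <vector>

// Constructed model of a decoded frame. The pixel buffer is shared, which is
// the property that matters: every holder of the shared_ptr sees every change
// made to the bytes, including an in-place shrink.
struct Frame {
    std::shared_ptr<std::vector<uint8_t>> pixels;
    size_t pixelCount = 0;
    size_t bytesPerPixel = 0;
    size_t capacity() const { return pixels ? pixels->size() : 0; }
};

// Stand-in for the GIF plugin: it decodes 32-bit frames and keeps the last
// frame so the next one can be written into the same buffer.
class GifDecoder {
public:
    GifDecoder(size_t width, size_t height) : pixelCount_(width * height) {}

    Frame decodeFrame() {
        if (!cached_.pixels) {
            cached_.pixels = std::make_shared<std::vector<uint8_t>>(pixelCount_ * 4, 0xFF);
            cached_.pixelCount = pixelCount_;
            cached_.bytesPerPixel = 4;
        }
        // Returns its own cached frame: caller and plugin now alias one buffer.
        return cached_;
    }

    // The plugin assumes the cached buffer still holds pixelCount_ * 4 bytes.
    // Instead of blindly writing (the real bug), report how many bytes the
    // next frame write would land past the end of the buffer.
    size_t nextFrameOverflowBytes() const {
        const size_t needed = pixelCount_ * 4;
        const size_t have = cached_.capacity();
        return needed > have ? needed - have : 0;
    }

private:
    size_t pixelCount_;
    Frame cached_;
};

// Pack one 32-bit RGBA pixel into 16-bit RGB565 (little-endian bytes).
static void packPixel(const uint8_t* src, uint8_t* dst) {
    const uint16_t v = static_cast<uint16_t>(((src[0] >> 3) << 11) | ((src[1] >> 2) << 5) | (src[2] >> 3));
    dst[0] = static_cast<uint8_t>(v & 0xFF);
    dst[1] = static_cast<uint8_t>(v >> 8);
}

// Buggy path: convert to 16 bits in place, shrinking the buffer everyone shares.
void convertTo16BitInPlace(Frame& frame) {
    std::vector<uint8_t>& buf = *frame.pixels;
    for (size_t i = 0; i < frame.pixelCount; ++i)
        packPixel(&buf[i * 4], &buf[i * 2]);  // reads stay ahead of writes, so the pass itself is safe
    buf.resize(frame.pixelCount * 2);        // half the bytes remain; the decoder is never told
    frame.bytesPerPixel = 2;
}

// Fixed path: convert into a fresh buffer and leave the decoder's cache alone.
Frame convertTo16BitCopy(const Frame& frame) {
    Frame out;
    out.pixels = std::make_shared<std::vector<uint8_t>>(frame.pixelCount * 2);
    out.pixelCount = frame.pixelCount;
    out.bytesPerPixel = 2;
    for (size_t i = 0; i < frame.pixelCount; ++i)
        packPixel(&(*frame.pixels)[i * 4], &(*out.pixels)[i * 2]);
    return out;
}

// Drive each path on a constructed 4x4 frame and return the overflow the
// decoder would produce on its next frame. 0 means the next write fits.
size_t overflowWithInPlaceConversion() {
    GifDecoder decoder(4, 4);
    Frame frame = decoder.decodeFrame();
    convertTo16BitInPlace(frame);
    return decoder.nextFrameOverflowBytes();  // 16 pixels * 4 bytes needed, 32 bytes left: 32
}

size_t overflowWithCopyConversion() {
    GifDecoder decoder(4, 4);
    Frame frame = decoder.decodeFrame();
    Frame converted = convertTo16BitCopy(frame);
    (void)converted;
    return decoder.nextFrameOverflowBytes();  // cache untouched: 0
}

int main() {
    std::cout << "in-place conversion: next frame overruns by " << overflowWithInPlaceConversion() << " bytes\n";
    std::cout << "copy conversion:     next frame overruns by " << overflowWithCopyConversion() << " bytes\n";
    return 0;
}
```

The point the model makes is the one in the comment: the corruption is not in the conversion pass, which is well-formed on its own, but in the ownership assumption. An in-place transform of a buffer that another component still references and intends to reuse silently changes that component's view of the allocation; the fix is to never transform a buffer you do not exclusively own, and the check worth carrying in a decoder is to verify the cached buffer's actual size against the size it expects before reusing it.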