Bug 46978

Summary: [Qt] The scrolling benchmark crashes on Maemo 5 with QtWebKit 2.1
Product: WebKit Reporter: Benjamin Poulain <benjamin>
Component: WebCore Misc. Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Blocker CC: ademar, benjamin, hausmann, kevin.simons, loki, tonikitoo
Priority: P2 Keywords: Qt, QtTriaged
Version: 528+ (Nightly build)
Hardware: Other
OS: Linux

Description Benjamin Poulain 2010-10-01 05:22:35 PDT
With QtWebKit 2.1, the scrolling benchmark never finishes.

Glibc outputs the following error: "*** glibc detected *** ./tst_scrolling: malloc(): memory corruption: 0x003b14f8 ***"

The backtrace is the following:

#0  0x428ae548 in raise () from /lib/libc.so.6
#1  0x428afb6c in abort () from /lib/libc.so.6
#2  0x428e6344 in __libc_message () from /lib/libc.so.6
#3  0x428ec23c in malloc_printerr () from /lib/libc.so.6
#4  0x428ee208 in _int_malloc () from /lib/libc.so.6
#5  0x428ef878 in malloc () from /lib/libc.so.6
#6  0x427cf2fc in operator new(unsigned int) () from /usr/lib/libstdc++.so.6
#7  0x40f5463c in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, int, int) const () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#8  0x40ef6a30 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#9  0x40efc86c in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#10 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#11 0x40eecfb8 in WebCore::RenderBlock::paintFloats(WebCore::PaintInfo&, int, int, bool) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#12 0x40efc890 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#13 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#14 0x40ef684c in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#15 0x40ef6a10 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#16 0x40efc86c in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#17 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#18 0x40eecf70 in WebCore::RenderBlock::paintFloats(WebCore::PaintInfo&, int, int, bool) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#19 0x40efc890 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#20 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#21 0x40ef684c in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#22 0x40ef6a10 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#23 0x40efc86c in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#24 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#25 0x40f53224 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#26 0x40f52724 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0u>*, WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ()
   from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#27 0x40f52c9c in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#28 0x40f5398c in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#29 0x40e39bd8 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#30 0x41042154 in QWebFramePrivate::renderRelativeCoords(WebCore::GraphicsContext*, QWebFrame::RenderLayer, QRegion const&) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#31 0x00000000 in ?? ()
Comment 1 Benjamin Poulain 2010-10-01 06:26:55 PDT
Update: the crash cannot be reproduced on desktop.
Comment 2 Benjamin Poulain 2010-10-01 08:07:10 PDT
Update: the crash happens on the mirrored website http://www.msn.com/
It is row20 in the top_50 database. To reproduce it:

./tst_scrolling  -graphicssystem raster -database bpoulains-webkit_test_datasets/top_50_january/crawl_db.db scroll:row20

It does not seem to be an out-of-memory problem; the device still has plenty of RAM available when it crashes.
Comment 3 Benjamin Poulain 2010-10-06 10:11:04 PDT
Updates:
- the same crash happens with trunk
- valgrind reported issues with NEON; this is not the problem
Comment 4 Benjamin Poulain 2010-10-07 03:02:14 PDT
Update: It also crashes without the JIT. But valgrind is still not reporting anything useful :(

valgrind: the 'impossible' happened:
   Killed by fatal signal
Comment 5 Benjamin Poulain 2010-10-08 05:58:31 PDT
I finally solved this thing. The problem was in Qt; the patch is in commit 4d974ff0a748b22e668a4cb7ef38101122c85b3b

To summarize what was going on:
- the gif plugin decodes a frame
- the gif plugin keeps a reference to this frame for future usage
- because of the bug, an in-place conversion took place on the image returned by the plugin, which is also the one kept by the plugin
- because the color space is 16 bits on the device, the in-place conversion halves the memory allocated
- when WebKit needs the next image, the gif plugin reuses the cached image and writes out of the memory, since the conversion reduced it.

- after some time writing outside the memory bounds, the memory is so messed up we end up with random crashes in WebCore.
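The aliasing described in comment 5, as an added example that is not Qt's or WebKit's code (Frame, GifDecoder, convertTo16BitInPlace, buggyPath and fixedPath are constructed names): the decoder hands out the very buffer it caches, an in-place 16-bit conversion shrinks that buffer, and the decoder's next write no longer fits; the fixed path detaches a shared buffer before converting it. The overflow is reported as a return value rather than performed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Constructed model of the failure in comment 5; not Qt's or WebKit's code.
struct Frame {
    int width, height, bytesPerPixel;
    std::vector<uint8_t> pixels;  // its size() stands in for the malloc'd block
    size_t bytesNeeded() const { return size_t(width) * height * bytesPerPixel; }
};
// The decoder keeps its last frame (assumed 32bpp) to compose the next GIF frame on it.
struct GifDecoder {
    std::shared_ptr<Frame> cached;
    std::shared_ptr<Frame> decode(int w, int h) {
        cached = std::make_shared<Frame>(Frame{w, h, 4, std::vector<uint8_t>(size_t(w) * h * 4)});
        return cached;  // caller and decoder now alias the same buffer
    }
    // Reports an overflow instead of performing it; the real bug did the write and corrupted the heap.
    bool composeNext() const {
        size_t bytes = size_t(cached->width) * cached->height * 4;  // 32bpp assumption
        if (bytes > cached->pixels.size()) return false;
        std::fill(cached->pixels.begin(), cached->pixels.end(), 0xff);
        return true;
    }
};

// Convert to the device's 16-bit format in place: the block shrinks to half.
void convertTo16BitInPlace(Frame& f) {
    f.bytesPerPixel = 2;
    f.pixels.resize(f.bytesNeeded());
}

// Buggy consumer: converts the shared frame in place, shrinking the decoder's copy too.
bool buggyPath(int w, int h) {
    GifDecoder dec;
    std::shared_ptr<Frame> img = dec.decode(w, h);
    convertTo16BitInPlace(*img);
    return dec.composeNext();  // false: the next frame no longer fits
}

// Fixed consumer: detach (copy) a shared frame before converting it.
bool fixedPath(int w, int h) {
    GifDecoder dec;
    std::shared_ptr<Frame> img = dec.decode(w, h);
    if (img.use_count() > 1) img = std::make_shared<Frame>(*img);  // copy-on-write
    convertTo16BitInPlace(*img);
    return dec.composeNext();  // true: the decoder's frame is untouched
}
```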
Comment 6 Simon Hausmann 2010-10-08 07:24:06 PDT
(In reply to comment #5)
> I finally solved this thing. The problem was in Qt; the patch is in commit 4d974ff0a748b22e668a4cb7ef38101122c85b3b
> 
> To summarize what was going on:
> - the gif plugin decodes a frame
> - the gif plugin keeps a reference to this frame for future usage
> - because of the bug, an in-place conversion took place on the image returned by the plugin, which is also the one kept by the plugin
> - because the color space is 16 bits on the device, the in-place conversion halves the memory allocated
> - when WebKit needs the next image, the gif plugin reuses the cached image and writes out of the memory, since the conversion reduced it.
> 
> - after some time writing outside the memory bounds, the memory is so messed up we end up with random crashes in WebCore.

Excellent!

Kevin, this _could've_ been the same crash with gifs that you've seen... maybe.
Comment 7 Benjamin Poulain 2010-10-08 07:29:10 PDT
(In reply to comment #6)
> Kevin, this _could've_ been the same crash with gifs that you've seen... maybe.

Good point. I am gonna check that.
Comment 8 Benjamin Poulain 2010-10-08 10:04:21 PDT
*** Bug 46970 has been marked as a duplicate of this bug. ***
Comment 9 Ademar Reis 2010-10-19 10:37:52 PDT
Fixed in Qt (included in the qt-4.7 branch). No need to block the qtwebkit-2.1 release anymore.