Bug 106521 - [WinCE][V8]document.write(i) broken on 3rd loop on WebKit's WinCE port integrated with V8 JIT engine
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Other Other
Importance: P5 Blocker
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-09 19:37 PST by Chen Zhixiang
Modified: 2013-04-06 08:24 PDT (History)

See Also:


Attachments
V8 disassembly log for test case (56.47 KB, text/plain)
2013-01-09 19:37 PST, Chen Zhixiang

Description Chen Zhixiang 2013-01-09 19:37:38 PST
Created attachment 182049 [details]
V8 disassembly log for test case

I'm doing WebKit's WinCE (ARM) port, using VS2005 and WinCE 6.0, and porting the V8 engine into it.

However, I wrote a simple HTML test file:

<body>
<script>
// Loop five times and write the counter into the document.
for (var i = 0; i < 5; i++)
  document.write(i);
</script>
</body>

It should output 01234, but when I tested it on the WinCE device simulator, it only output 01 and then crashed. That is to say, it can successfully run the first 2 loops, but fails at the 3rd loop.

The crash breakpoint is:

v8\include\v8.h:
Local<Object> Arguments::Holder() const {
    return Local<Object>(reinterpret_cast<Object*>(
>       &implicit_args_[kHolderIndex]));
}

Source\WebCore\bindings\v8\custom\V8HTMLDocumentCustom.cpp:
v8::Handle<v8::Value> V8HTMLDocument::writelnCallback(const v8::Arguments& args)
{
    INC_STATS("DOM.HTMLDocument.writeln()");
>    HTMLDocument* htmlDocument = V8HTMLDocument::toNative(args.Holder());
    htmlDocument->writeln(writeHelperGetString(args), activeDOMWindow(BindingState::instance())->document());
    return v8::Undefined();
}

I cannot provide the full call stack; these 2 nearest stack frames are only inferred from the crash log.

I can't figure out why, since I cannot debug on the WinCE simulator.

The attachment is the V8 disassembly log for this test HTML.

The key points are:
1. Using a loop (for/while), or even recursion like this:
   function test(i) { if (i == 4) return; document.write(i); test(++i); }
   test(0);
2. The WinCE simulator run will break at exactly the 3rd loop run!
3. I'm using the V8 trunk code.

I wondered whether V8 doesn't support the old WinCE 6.0 port, since the code generated by the VS2005 ARM compiler may be inconsistent with V8's ARM JIT engine?

If I enable USE_SIMULATOR, that is to say, run WebKit-WinCE-launcher-with-V8 on the VS2005 WinCE 6.0 simulator, the V8 JIT-ed code is not run directly by the simulator but interpreted by V8's ARM simulator, which is C++ code running on the WinCE simulator.

The app compiled with this setting runs OK, nothing wrong.

So, where does the difference lie between the 2 situations?
Comment 1 Patrick R. Gansterer 2013-01-28 10:01:46 PST
Do you know if it is a V8 or WebKit problem? Does the same code work in the v8 shell?
Comment 2 Chen Zhixiang 2013-01-28 18:22:22 PST
We now suspect it's the `OEMCacheRangeFlush` problem. The JIT engine always requires this API, but we are now using `FlushInstructionCache` from winbase.h.

I don't know if the WinCE 6.0 emulator implements the same behavior in `OEMCacheRangeFlush` and `FlushInstructionCache`.

The V8 shell has no such problem, since it can't use `document.write`. If it is a WebKit problem, why do the first 2 loops of `document.write` succeed? I've used 3 kinds of loop: for, while and tail-recursive call, all with the same result.

We are using a custom PB build in which we can't link to the `OEMCacheRangeFlush` API, so I suspect this may be the reason for the problem.
Comment 3 Chen Zhixiang 2013-03-20 02:00:16 PDT
The QtWebKit guys recently seem to have solved this problem, by disabling the inline cache fast path?

https://codereview.qt-project.org/#change,45152
Comment 4 Patrick R. Gansterer 2013-04-06 08:24:15 PDT
Closing since V8 won't be supported with WebKit any more.