RESOLVED FIXED 46978
[Qt] The scrolling benchmark crashes on Maemo 5 with QtWebKit 2.1
https://bugs.webkit.org/show_bug.cgi?id=46978
Benjamin Poulain
Reported 2010-10-01 05:22:35 PDT
With QtWebKit 2.1, the scrolling benchmark never finishes. Glibc outputs the following error:

*** glibc detected *** ./tst_scrolling: malloc(): memory corruption: 0x003b14f8 ***

The backtrace is the following:

#0  0x428ae548 in raise () from /lib/libc.so.6
#1  0x428afb6c in abort () from /lib/libc.so.6
#2  0x428e6344 in __libc_message () from /lib/libc.so.6
#3  0x428ec23c in malloc_printerr () from /lib/libc.so.6
#4  0x428ee208 in _int_malloc () from /lib/libc.so.6
#5  0x428ef878 in malloc () from /lib/libc.so.6
#6  0x427cf2fc in operator new(unsigned int) () from /usr/lib/libstdc++.so.6
#7  0x40f5463c in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, int, int) const () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#8  0x40ef6a30 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#9  0x40efc86c in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#10 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#11 0x40eecfb8 in WebCore::RenderBlock::paintFloats(WebCore::PaintInfo&, int, int, bool) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#12 0x40efc890 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#13 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#14 0x40ef684c in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#15 0x40ef6a10 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#16 0x40efc86c in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#17 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#18 0x40eecf70 in WebCore::RenderBlock::paintFloats(WebCore::PaintInfo&, int, int, bool) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#19 0x40efc890 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#20 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#21 0x40ef684c in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#22 0x40ef6a10 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#23 0x40efc86c in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#24 0x40ef1208 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, int, int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#25 0x40f53224 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#26 0x40f52724 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0u>*, WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#27 0x40f52c9c in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#28 0x40f5398c in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#29 0x40e39bd8 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#30 0x41042154 in QWebFramePrivate::renderRelativeCoords(WebCore::GraphicsContext*, QWebFrame::RenderLayer, QRegion const&) () from /home/ikipou/qt_build/lib/libQtWebKit.so.4
#31 0x00000000 in ?? ()
Benjamin Poulain
Comment 1 2010-10-01 06:26:55 PDT
Update: the crash cannot be reproduced on desktop.
Benjamin Poulain
Comment 2 2010-10-01 08:07:10 PDT
Update: the crash happens on the mirrored website http://www.msn.com/ It is row20 in the top_50 database. To reproduce it:

./tst_scrolling -graphicssystem raster -database bpoulains-webkit_test_datasets/top_50_january/crawl_db.db scroll:row20

It does not seem to be an out-of-memory problem; the device still has plenty of RAM available when it is crashing.
Benjamin Poulain
Comment 3 2010-10-06 10:11:04 PDT
Updates:
- the same crash happens with trunk
- valgrind reported issues with NEON; this is not the problem
Benjamin Poulain
Comment 4 2010-10-07 03:02:14 PDT
Update: It also crashes without the JIT. But valgrind is still not reporting anything useful :(

valgrind: the 'impossible' happened: Killed by fatal signal
Benjamin Poulain
Comment 5 2010-10-08 05:58:31 PDT
I finally solved this thing. The problem was in Qt; the patch is in commit 4d974ff0a748b22e668a4cb7ef38101122c85b3b

To summarize what was going on:
- the gif plugin decodes a frame
- the gif plugin keeps a reference to this frame for future usage
- because of the bug, in-place conversion took place on the image returned by the plugin, which is also the one kept by the plugin
- because the color space is 16 bits on the device, the in-place conversion halves the memory allocated
- when WebKit needs the next image, the gif plugin reuses the cached image, and writes out of the memory since the conversion reduced it
- after some time writing outside the memory bounds, the memory is so messed up we end up with random crashes in WebCore
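The sequence in comment 5 is a classic aliasing bug: a buffer that two owners share is shrunk in place by one of them, while the other keeps writing with its old idea of the size. The following C model is an added example written for this page; it is not the Qt gif plugin, not the fix in the commit above, and every name in it (`Frame`, `GifDecoder`, `convert_in_place`, `convert_cow`) is a hypothetical stand-in. The decoder here checks its canvas capacity and refuses to write rather than corrupting the heap, so the program can report the overflow instead of reproducing it. The copy-on-write variant shows the shape of a safe conversion: convert in place only when the reference count proves nobody else holds the buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a reference-counted pixel buffer (not Qt's QImage). */
typedef struct {
    int width, height;
    int bytes_per_pixel;  /* 4 = 32-bit ARGB, 2 = RGB16 (RGB565) */
    size_t capacity;      /* bytes actually allocated behind data */
    uint8_t *data;
    int refcount;
} Frame;

static Frame *frame_new(int w, int h, int bpp) {
    Frame *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->width = w; f->height = h; f->bytes_per_pixel = bpp;
    f->capacity = (size_t)w * (size_t)h * (size_t)bpp;
    f->data = calloc(1, f->capacity);
    f->refcount = 1;
    if (!f->data) { free(f); return NULL; }
    return f;
}

static void frame_unref(Frame *f) {
    if (f && --f->refcount == 0) { free(f->data); free(f); }
}

/* Pack one 32-bit ARGB pixel into RGB565. */
static uint16_t argb_to_rgb565(uint32_t p) {
    return (uint16_t)(((p >> 8) & 0xF800u) | ((p >> 5) & 0x07E0u) | ((p >> 3) & 0x001Fu));
}

/* Buggy step: converts ARGB32 -> RGB16 inside the same allocation and then
 * shrinks it to half, without asking whether anyone else still references f. */
static int convert_in_place(Frame *f) {
    if (f->bytes_per_pixel != 4) return 0;
    size_t n = (size_t)f->width * (size_t)f->height;
    for (size_t i = 0; i < n; i++) {           /* forward pass: dst offset <= src offset */
        uint32_t p; memcpy(&p, f->data + i * 4, 4);
        uint16_t q = argb_to_rgb565(p);
        memcpy(f->data + i * 2, &q, 2);
    }
    uint8_t *shrunk = realloc(f->data, n * 2);  /* the allocation is now half the size */
    if (!shrunk) return -1;
    f->data = shrunk; f->capacity = n * 2; f->bytes_per_pixel = 2;
    return 0;
}

/* Hardened step (copy-on-write): takes over the caller's reference to f and
 * returns an RGB16 frame; converts in place only when f is not shared. */
static Frame *convert_cow(Frame *f) {
    if (f->refcount == 1) return convert_in_place(f) == 0 ? f : NULL;
    Frame *out = frame_new(f->width, f->height, 2);
    if (!out) return NULL;
    size_t n = (size_t)f->width * (size_t)f->height;
    for (size_t i = 0; i < n; i++) {
        uint32_t p; memcpy(&p, f->data + i * 4, 4);
        uint16_t q = argb_to_rgb565(p);
        memcpy(out->data + i * 2, &q, 2);
    }
    frame_unref(f);                              /* drop the caller's reference to the shared frame */
    return out;
}

/* Hypothetical decoder: keeps the last frame as the canvas for the next one. */
typedef struct { Frame *canvas; } GifDecoder;

/* Returns a new reference to the canvas after painting w*h ARGB32 pixels into it.
 * Returns NULL if that write would exceed the canvas allocation; the real plugin
 * had no such check, and that write is the heap overflow from comment 5. */
static Frame *decoder_next_frame(GifDecoder *d, int w, int h, uint32_t color) {
    if (!d->canvas) d->canvas = frame_new(w, h, 4);
    Frame *c = d->canvas;
    if (!c) return NULL;
    size_t needed = (size_t)w * (size_t)h * 4;   /* decoder still believes the canvas is 32-bit */
    if (needed > c->capacity) return NULL;
    for (size_t i = 0; i < (size_t)w * (size_t)h; i++) memcpy(c->data + i * 4, &color, 4);
    c->refcount++;
    return c;
}

/* Runs the two-frame scenario; returns 1 if the second frame would overflow
 * the shared canvas, 0 if the conversion left the decoder's buffer intact. */
static int scenario(int use_cow) {
    GifDecoder d = {0};
    Frame *f1 = decoder_next_frame(&d, 8, 8, 0xFFFF0000u);   /* frame 1: opaque red */
    if (!f1) return -1;
    Frame *shown;
    if (use_cow) shown = convert_cow(f1);
    else { convert_in_place(f1); shown = f1; }
    Frame *f2 = decoder_next_frame(&d, 8, 8, 0xFF00FF00u);   /* frame 2 reuses the canvas */
    int overflow = (f2 == NULL);
    if (f2) frame_unref(f2);
    frame_unref(shown);
    frame_unref(d.canvas);
    return overflow;
}
```

With the in-place path, the canvas drops from 256 to 128 bytes while the decoder still plans a 256-byte write, which is the condition `scenario(0)` reports; with the copy-on-write path the decoder's canvas is untouched and `scenario(1)` reports no overflow. The real fix in Qt is the commit cited above, not this code.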
Simon Hausmann
Comment 6 2010-10-08 07:24:06 PDT
(In reply to comment #5)
> I finally solved this thing. The problem was in Qt; the patch is in commit 4d974ff0a748b22e668a4cb7ef38101122c85b3b
>
> To summarize what was going on:
> - the gif plugin decodes a frame
> - the gif plugin keeps a reference to this frame for future usage
> - because of the bug, in-place conversion took place on the image returned by the plugin, which is also the one kept by the plugin
> - because the color space is 16 bits on the device, the in-place conversion halves the memory allocated
> - when WebKit needs the next image, the gif plugin reuses the cached image, and writes out of the memory since the conversion reduced it
>
> - after some time writing outside the memory bounds, the memory is so messed up we end up with random crashes in WebCore

Excellent!

Kevin, this _could've_ been the same crash with gifs that you've seen... maybe.
Benjamin Poulain
Comment 7 2010-10-08 07:29:10 PDT
(In reply to comment #6)
> Kevin, this _could've_ been the same crash with gifs that you've seen... maybe.

Good point. I am gonna check that.
Benjamin Poulain
Comment 8 2010-10-08 10:04:21 PDT
*** Bug 46970 has been marked as a duplicate of this bug. ***
Ademar Reis
Comment 9 2010-10-19 10:37:52 PDT
Fixed in Qt (included in the qt-4.7 branch). No need to block the qtwebkit-2.1 release anymore.