Bug 47328 - [Qt] Crash in accelerated compositing code
Summary: [Qt] Crash in accelerated compositing code
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: All All
: P3 Minor
Assignee: Nobody
Keywords: Qt, QtTriaged
Reported: 2010-10-07 01:11 PDT by Simon Hausmann
Modified: 2011-12-05 23:49 PST (History)
Description Simon Hausmann 2010-10-07 01:11:42 PDT
There's an internal report of a crash that happens when changing the AC state. It looks like it could be caused by r68761 or at least might be related. The internal bug URL with additional information is https://qtrequirements.europe.nokia.com/browse/QT-4081 . The backtrace is below. The this=0x0 and layer=0x0 look suspicious ;-)

The crash happens in:
#0 QGraphicsScene::removeItem (this=0x0, item=0x6cae98) at
graphicsview/qgraphicsscene.cpp:2948
#1 0x40dfae84 in WebCore::PageClientQGraphicsWidget::setRootGraphicsLayer
(this=0x41be08, layer=0x0) at
../../../WebKit/qt/WebCoreSupport/PageClientQt.cpp:175
#2 0x40ddecf0 in WebCore::ChromeClientQt::attachRootGraphicsLayer (this=<value
optimized out>, frame=<value optimized out>, graphicsLayer=0x0)
at ../../../WebKit/qt/WebCoreSupport/ChromeClientQt.cpp:549
#3 0x40fcefd4 in WebCore::RenderLayerCompositor::detachRootPlatformLayer
(this=0x414540) at ../../../WebCore/rendering/RenderLayerCompositor.cpp:1390
#4 0x40fd08c0 in WebCore::RenderLayerCompositor::destroyRootPlatformLayer
(this=0x0) at ../../../WebCore/rendering/RenderLayerCompositor.cpp:1324
#5 0x40fd0dc8 in WebCore::RenderLayerCompositor::enableCompositingMode
(this=0x0, enable=152) at
../../../WebCore/rendering/RenderLayerCompositor.cpp:121
#6 0x40fd1c2c in
WebCore::RenderLayerCompositor::computeCompositingRequirements (this=0x414540,
layer=0x4586a4e4, overlapMap=0x0, compositingState=..., 
layersChanged=@0xbea9cfff) at
../../../WebCore/rendering/RenderLayerCompositor.cpp:643
#7 0x40fd1e10 in WebCore::RenderLayerCompositor::updateCompositingLayers
(this=0x414540, updateType=<value optimized out>, updateRoot=0x4586a4e4)
at ../../../WebCore/rendering/RenderLayerCompositor.cpp:216
#8 0x40c458e4 in WebCore::FrameView::updateCompositingLayers (this=<value
optimized out>) at ../../../WebCore/page/FrameView.cpp:480
#9 0x40c4947c in WebCore::FrameView::layout (this=0x4583ca00,
allowSubtree=<value optimized out>) at ../../../WebCore/page/FrameView.cpp:791
#10 0x409d9a5c in WebCore::Document::updateLayout (this=0x45883000) at
../../../WebCore/dom/Document.cpp:1518
#11 0x409eec80 in WebCore::Document::updateLayoutIgnorePendingStylesheets
(this=0x45883000) at ../../../WebCore/dom/Document.cpp:1549
#12 0x409fb5bc in WebCore::Element::setScrollTop (this=0x48b86400,
newTop=7122584) at ../../../WebCore/dom/Element.cpp:430
#13 0x405ac718 in WebCore::setJSElementScrollTop (exec=<value optimized out>,
thisObject=<value optimized out>, value=...) at generated/JSElement.cpp:1137
#14 0x405b0b4c in lookupPut<WebCore::JSElement> (this=0x46b39640,
exec=0x45f5c32c, propertyName=..., value=..., slot=...)
at ../../../JavaScriptCore/runtime/Lookup.h:318
#15 lookupPut<WebCore::JSElement, WebCore::JSNode> (this=0x46b39640,
exec=0x45f5c32c, propertyName=..., value=..., slot=...)
at ../../../JavaScriptCore/runtime/Lookup.h:332
#16 WebCore::JSElement::put (this=0x46b39640, exec=0x45f5c32c,
propertyName=..., value=..., slot=...) at generated/JSElement.cpp:1123
#17 0x4065416c in lookupPut<WebCore::JSHTMLElement, WebCore::JSElement>
(this=0x46b39640, exec=0x45f5c32c, propertyName=..., value=..., slot=...)
at ../../../JavaScriptCore/runtime/Lookup.h:333
#18 WebCore::JSHTMLElement::put (this=0x46b39640, exec=0x45f5c32c,
propertyName=..., value=..., slot=...) at generated/JSHTMLElement.cpp:318
#19 0x4064be20 in lookupPut<WebCore::JSHTMLDivElement, WebCore::JSHTMLElement>
(this=0x46b39640, exec=0x45f5c32c, propertyName=..., value=..., slot=...)
at ../../../JavaScriptCore/runtime/Lookup.h:333
#20 WebCore::JSHTMLDivElement::put (this=0x46b39640, exec=0x45f5c32c,
propertyName=..., value=..., slot=...) at generated/JSHTMLDivElement.cpp:159
#21 0x40fee428 in JSC::JSValue::put (args=<value optimized out>) at
../../../JavaScriptCore/runtime/JSObject.h:698
#22 JITStubThunked_op_put_by_id_generic (args=<value optimized out>) at
../../../JavaScriptCore/jit/JITStubs.cpp:1308
#23 0x40fe990c in cti_op_put_by_id_generic () from /usr/lib/libQtWebKit.so.4
#24 0x40fe990c in cti_op_put_by_id_generic () from /usr/lib/libQtWebKit.so.4
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Comment 1 Benjamin Poulain 2010-10-07 02:59:51 PDT
> It looks like it could be caused by r68761 or at least might be related.

The report is one month old, I don't think r68761 is related.

> The this=0x0 and layer=0x0 look suspicious

The layer=0x0 is possible because of this ():
    if (platformPageClient())
        platformPageClient()->setRootGraphicsLayer(graphicsLayer ? graphicsLayer->nativeLayer() : 0);

The scene=0x0 is more mysterious. Is the execution done on a QGraphicsWebView that is not in a scene? Can we get a reduction?
Comment 2 Simon Hausmann 2010-10-08 09:28:04 PDT
Not a blocker anymore; a workaround is in place, and it seems to be a corner case in the originating application.
Comment 3 Jarmo Backlund 2010-10-11 04:50:11 PDT
What exactly was the workaround, and who needs to do it?
Comment 4 Simon Hausmann 2010-10-11 07:19:55 PDT
(In reply to comment #3)
> What exactly was the workaround, and who needs to do it?

The problem only appeared when using QGraphicsWebView with ItemCoordinateCache as cache mode.
Comment 5 Simon Hausmann 2011-12-05 23:49:21 PST
Not much going to happen here :)