[Webkit-unassigned] [Bug 106521] New: [WinCE][V8]document.write(i) broken on 3rd loop on WebKit's WinCE port integrated with V8 JIT engine

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 9 19:35:45 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=106521

           Summary: [WinCE][V8]document.write(i) broken on 3rd loop on
                    WebKit's WinCE port integrated with V8 JIT engine
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Other
        OS/Version: Other
            Status: UNCONFIRMED
          Severity: Blocker
          Priority: P5
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: chenzx at cn.fujitsu.com


Created an attachment (id=182049)
 --> (https://bugs.webkit.org/attachment.cgi?id=182049&action=review)
V8 dissemable log for test case

I'm doing WebKit's WinCE(arm) port,
using VS2005, WinCE 6.0
and port v8 engine into it

However, i wrote a simple html test file:
<body>
<script>
for(var =0; i<5; i++)
  document.write(i);
</script>
</body>

It should output 01234, but when I testes it on WinCE device simulator, It only output 01 and then crashed. That's to say, it can successfully run the first 2 loop, but fails at 3rd loop.

The crash breakpoint is:

v8\include\v8.h:
Local<Object> Arguments::Holder() const {
    return Local<Object>(reinterpret_cast<Object*>(
>       &implicit_args_[kHolderIndex]));
}

Source\WebCore\bindings\v8\custom\V8HTMLDocumentCustom.cpp:
v8::Handle<v8::Value> V8HTMLDocument::writelnCallback(const v8::Arguments& args)
{
    INC_STATS("DOM.HTMLDocument.writeln()");
>    HTMLDocument* htmlDocument = V8HTMLDocument::toNative(args.Holder());
    htmlDocument->writeln(writeHelperGetString(args), activeDOMWindow(BindingState::instance())->document());
    return v8::Undefined();
}

I can not provide the full call stack, this 2 nearest stack trace is only deferred from crash log.

Can't figure out Why, for i cannot debug on WinCE simulator.

Attachment is V8 dissemble log for this test html.

The key point is:
1、Using loop, for/while, or even recursion like this:
  function test(i){ if(i==4) return; document.write(i); test(++i); }
  test(0);
2、WinCE simulator run will be broken at exactly the 3rd loop run!
3、I'm using the V8 trunk code

I hesitated if it's V8 doesn't support old WinCE 6.0 port, since VS2005 arm compiler generated code may be in-consistent with V8-arm's JIT engine?

If I Enable USE_SIMULATOR, that is to say, Running WebKit-WinCE-launcher-with-V8 on VS2005 WinCE 6.0 Simulator, but the V8 JIT-ed code is not directly run by simulator, but interpreted by the v8's arm-simulator, which is C++ code running on WinCE simulator,

This settings compiled app runs OK, nothing wrong.

So, where does the difference stands between the 2 situation?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list