102192 2012-11-14 01:06:29 -0800 [Qt] Crash in PasteboardQt.cpp Pasteboard::writeSelection 2013-01-22 07:04:49 -0800 1 1 1 Unclassified WebKit Platform 528+ (Nightly build) PC Linux RESOLVED FIXED P2 Normal --- 0 fabien.vallee allan.jensen hausmann jturcotte webkit.review.bot oldest_to_newest 766590 0 fabien.vallee 2012-11-14 01:06:29 -0800 Tested with Qt 4.8. Running layoutTests with child-processes=4, pasteboard related tests (e.g. editing/pasteboard/4944770-2.html) crash (randomly) in Pasteboard::writeSelection. (it happens when several tests access simultaneously the clipboard). The crash is at the line : md->setData(QLatin1String("application/vnd.qtwebkit.smartpaste"), QByteArray()); ( Source/WebCore/platform/qt/PasteboardQt.cpp@134566 ) I believe there is a bug in Pasteboard::writeSelection. The function logic is : 1) creates a new QMimeData object (raw pointer) 2) set its content (setHtml, ...) 3) gives the QMimeData raw pointer to the QGuiApplication::clipboard() ( QGuiApplication::clipboard()->setMimeData). 4) set the QMimeData data for smartpaste on the raw pointer Pasteboard::writeSelection lost the ownership on the QMimeData object in step 3), therefore it should not access the object in 4). Step 4) shall be done before step 3) The following fix should be enough to fix the issue : --- a/Source/WebCore/platform/qt/PasteboardQt.cpp +++ b/Source/WebCore/platform/qt/PasteboardQt.cpp @@ -74,11 +74,11 @@ void Pasteboard::writeSelection(Range* selectedRange, bool canSmartCopyOrDelete, md->setHtml(markup); #endif + if (canSmartCopyOrDelete) + md->setData(QLatin1String("application/vnd.qtwebkit.smartpaste"), QByteArray()); #ifndef QT_NO_CLIPBOARD QGuiApplication::clipboard()->setMimeData(md, m_selectionMode ? QClipboard::Selection : QClipboard::Clipboard); #endif - if (canSmartCopyOrDelete) - md->setData(QLatin1String("application/vnd.qtwebkit.smartpaste"), QByteArray()); } 812216 1 allan.jensen 2013-01-21 09:19:38 -0800 I can not trigger the crash, but we have transfered ownership, so the current order must be wrong. 812218 2 183797 allan.jensen 2013-01-21 09:25:36 -0800 Created attachment 183797 Patch 812871 3 183797 jturcotte 2013-01-22 03:26:40 -0800 Comment on attachment 183797 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=183797&action=review Could you do the same modification in Pasteboard::writePlainText as well? > Source/WebCore/ChangeLog:9 > + QClipboard::setData transfers ownership of QMimeData to the clipboard, QClipboard::setMimeData 812962 4 183972 allan.jensen 2013-01-22 05:40:33 -0800 Created attachment 183972 Patch 813002 5 183972 jturcotte 2013-01-22 06:28:12 -0800 Comment on attachment 183972 Patch Overall comments 813016 6 183972 webkit.review.bot 2013-01-22 07:04:43 -0800 Comment on attachment 183972 Patch Clearing flags on attachment: 183972 Committed r140423: <http://trac.webkit.org/changeset/140423> 813017 7 webkit.review.bot 2013-01-22 07:04:49 -0800 All reviewed patches have been landed. Closing bug. 183797 2013-01-21 09:25:36 -0800 2013-01-22 05:40:29 -0800 Patch bug-102192-20130121182153.patch text/plain 1741 allan.jensen U3VidmVyc2lvbiBSZXZpc2lvbjogMTQwMzM5CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNWU4MTBhZjg3ZGIzYjU1 MWViYTVlMmZjMjg4M2NlZjg2MWQxMWJkMC4uYmI0YWM1ZTNhM2VkMWUyN2M0NjI1YTMyODBlMGZl ZmJiZDM3ZTQ2YiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3IEBACisyMDEzLTAxLTIxICBBbGxh biBTYW5kZmVsZCBKZW5zZW4gIDxhbGxhbi5qZW5zZW5AZGlnaWEuY29tPgorCisgICAgICAgIFtR dF0gQ3Jhc2ggaW4gUGFzdGVib2FyZFF0LmNwcCBQYXN0ZWJvYXJkOjp3cml0ZVNlbGVjdGlvbgor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTAyMTkyCisK KyAgICAgICAgUGF0Y2ggYnkgRmFiaWVuIFZhbMOpZQorICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBRQ2xpcGJvYXJkOjpzZXREYXRhIHRyYW5zZmVycyBvd25l cnNoaXAgb2YgUU1pbWVEYXRhIHRvIHRoZSBjbGlwYm9hcmQsCisgICAgICAgIHNvIHdlIHNob3Vs ZCBub3QgYWNjZXNzIGl0IGFmdGVyd2FyZHMuCisKKyAgICAgICAgKiBwbGF0Zm9ybS9xdC9QYXN0 ZWJvYXJkUXQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6UGFzdGVib2FyZDo6d3JpdGVTZWxlY3Rp b24pOgorCiAyMDEzLTAxLTIxICBIYWx0b24gSHVvICA8aGFsdG9uLmh1b0BpbnRlbC5jb20+CiAK ICAgICAgICAgW0dUS10gVm9sdW1lIGJ1dHRvbiBzaG91bGQgbm90IGJlIHNob3duIGZvciB2aWRl b3Mgd2l0aG91dCBhdWRpbwpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vcXQv UGFzdGVib2FyZFF0LmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL3F0L1Bhc3RlYm9hcmRR dC5jcHAKaW5kZXggOGIxYThkM2NiYmM3NzE1OTliYTI3MzY0YWMxOTFjYTVlMTBjODdlZC4uNzEw MjhjMjcyMDBkNzExNmQ1ZjFjOTBmNzJkYjUzMTJhZTM4MGVkZSAxMDA2NDQKLS0tIGEvU291cmNl L1dlYkNvcmUvcGxhdGZvcm0vcXQvUGFzdGVib2FyZFF0LmNwcAorKysgYi9Tb3VyY2UvV2ViQ29y ZS9wbGF0Zm9ybS9xdC9QYXN0ZWJvYXJkUXQuY3BwCkBAIC03NCwxMSArNzQsMTEgQEAgdm9pZCBQ YXN0ZWJvYXJkOjp3cml0ZVNlbGVjdGlvbihSYW5nZSogc2VsZWN0ZWRSYW5nZSwgYm9vbCBjYW5T bWFydENvcHlPckRlbGV0ZSwKICAgICBtZC0+c2V0SHRtbChtYXJrdXApOwogI2VuZGlmCiAKKyAg ICBpZiAoY2FuU21hcnRDb3B5T3JEZWxldGUpCisgICAgICAgIG1kLT5zZXREYXRhKFFMYXRpbjFT dHJpbmcoImFwcGxpY2F0aW9uL3ZuZC5xdHdlYmtpdC5zbWFydHBhc3RlIiksIFFCeXRlQXJyYXko KSk7CiAjaWZuZGVmIFFUX05PX0NMSVBCT0FSRAogICAgIFFHdWlBcHBsaWNhdGlvbjo6Y2xpcGJv YXJkKCktPnNldE1pbWVEYXRhKG1kLCBtX3NlbGVjdGlvbk1vZGUgPyBRQ2xpcGJvYXJkOjpTZWxl Y3Rpb24gOiBRQ2xpcGJvYXJkOjpDbGlwYm9hcmQpOwogI2VuZGlmCi0gICAgaWYgKGNhblNtYXJ0 Q29weU9yRGVsZXRlKQotICAgICAgICBtZC0+c2V0RGF0YShRTGF0aW4xU3RyaW5nKCJhcHBsaWNh dGlvbi92bmQucXR3ZWJraXQuc21hcnRwYXN0ZSIpLCBRQnl0ZUFycmF5KCkpOwogfQogCiBib29s IFBhc3RlYm9hcmQ6OmNhblNtYXJ0UmVwbGFjZSgpCg== 183972 2013-01-22 05:40:33 -0800 2013-01-22 07:04:43 -0800 Patch bug-102192-20130122143649.patch text/plain 2358 allan.jensen U3VidmVyc2lvbiBSZXZpc2lvbjogMTQwNDE3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZDA5OTY3NGIwMDJkZGMy ODM5NDFhMzIyNDcwN2QwNzk1Y2NmNmI3NS4uYzg1NzMxNDI5YTYwMTY0NzgyYzdkMWM2MjY3Yjk4 NTJhODRhYmJmOSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE4IEBACisyMDEzLTAxLTIyICBBbGxh biBTYW5kZmVsZCBKZW5zZW4gIDxhbGxhbi5qZW5zZW5AZGlnaWEuY29tPgorCisgICAgICAgIFtR dF0gQ3Jhc2ggaW4gUGFzdGVib2FyZFF0LmNwcCBQYXN0ZWJvYXJkOjp3cml0ZVNlbGVjdGlvbgor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTAyMTkyCisK KyAgICAgICAgUGF0Y2ggYnkgRmFiaWVuIFZhbMOpZQorICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBRQ2xpcGJvYXJkOjpzZXRNaW1lRGF0YSB0cmFuc2ZlcnMg b3duZXJzaGlwIG9mIFFNaW1lRGF0YSB0byB0aGUgY2xpcGJvYXJkLAorICAgICAgICBzbyB3ZSBz aG91bGQgbm90IGFjY2VzcyBpdCBhZnRlcndhcmRzLgorCisgICAgICAgICogcGxhdGZvcm0vcXQv UGFzdGVib2FyZFF0LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlBhc3RlYm9hcmQ6OndyaXRlU2Vs ZWN0aW9uKToKKyAgICAgICAgKFdlYkNvcmU6OlBhc3RlYm9hcmQ6OndyaXRlUGxhaW5UZXh0KToK KwogMjAxMy0wMS0yMiAgU2hlcmlmZiBCb3QgIDx3ZWJraXQucmV2aWV3LmJvdEBnbWFpbC5jb20+ CiAKICAgICAgICAgVW5yZXZpZXdlZCwgcm9sbGluZyBvdXQgcjE0MDQxMi4KZGlmZiAtLWdpdCBh L1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL3F0L1Bhc3RlYm9hcmRRdC5jcHAgYi9Tb3VyY2UvV2Vi Q29yZS9wbGF0Zm9ybS9xdC9QYXN0ZWJvYXJkUXQuY3BwCmluZGV4IDhiMWE4ZDNjYmJjNzcxNTk5 YmEyNzM2NGFjMTkxY2E1ZTEwYzg3ZWQuLmI0NGFhODJjZWQ1NDliZjM3NzVkZWJlOTAzZWUyODc3 N2JmMTU2YTggMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL3F0L1Bhc3RlYm9h cmRRdC5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vcXQvUGFzdGVib2FyZFF0LmNw cApAQCAtNzQsMTEgKzc0LDExIEBAIHZvaWQgUGFzdGVib2FyZDo6d3JpdGVTZWxlY3Rpb24oUmFu Z2UqIHNlbGVjdGVkUmFuZ2UsIGJvb2wgY2FuU21hcnRDb3B5T3JEZWxldGUsCiAgICAgbWQtPnNl dEh0bWwobWFya3VwKTsKICNlbmRpZgogCisgICAgaWYgKGNhblNtYXJ0Q29weU9yRGVsZXRlKQor ICAgICAgICBtZC0+c2V0RGF0YShRTGF0aW4xU3RyaW5nKCJhcHBsaWNhdGlvbi92bmQucXR3ZWJr aXQuc21hcnRwYXN0ZSIpLCBRQnl0ZUFycmF5KCkpOwogI2lmbmRlZiBRVF9OT19DTElQQk9BUkQK ICAgICBRR3VpQXBwbGljYXRpb246OmNsaXBib2FyZCgpLT5zZXRNaW1lRGF0YShtZCwgbV9zZWxl Y3Rpb25Nb2RlID8gUUNsaXBib2FyZDo6U2VsZWN0aW9uIDogUUNsaXBib2FyZDo6Q2xpcGJvYXJk KTsKICNlbmRpZgotICAgIGlmIChjYW5TbWFydENvcHlPckRlbGV0ZSkKLSAgICAgICAgbWQtPnNl dERhdGEoUUxhdGluMVN0cmluZygiYXBwbGljYXRpb24vdm5kLnF0d2Via2l0LnNtYXJ0cGFzdGUi KSwgUUJ5dGVBcnJheSgpKTsKIH0KIAogYm9vbCBQYXN0ZWJvYXJkOjpjYW5TbWFydFJlcGxhY2Uo KQpAQCAtMTM0LDkgKzEzNCw5IEBAIHZvaWQgUGFzdGVib2FyZDo6d3JpdGVQbGFpblRleHQoY29u c3QgU3RyaW5nJiB0ZXh0LCBTbWFydFJlcGxhY2VPcHRpb24gc21hcnRSZXBsCiAgICAgUVN0cmlu ZyBxdGV4dCA9IHRleHQ7CiAgICAgcXRleHQucmVwbGFjZShRQ2hhcigweGEwKSwgUUxhdGluMUNo YXIoJyAnKSk7CiAgICAgbWQtPnNldFRleHQocXRleHQpOwotICAgIFFHdWlBcHBsaWNhdGlvbjo6 Y2xpcGJvYXJkKCktPnNldE1pbWVEYXRhKG1kLCBtX3NlbGVjdGlvbk1vZGUgPyBRQ2xpcGJvYXJk OjpTZWxlY3Rpb24gOiBRQ2xpcGJvYXJkOjpDbGlwYm9hcmQpOwogICAgIGlmIChzbWFydFJlcGxh Y2VPcHRpb24gPT0gQ2FuU21hcnRSZXBsYWNlKQogICAgICAgICBtZC0+c2V0RGF0YShRTGF0aW4x U3RyaW5nKCJhcHBsaWNhdGlvbi92bmQucXR3ZWJraXQuc21hcnRwYXN0ZSIpLCBRQnl0ZUFycmF5 KCkpOworICAgIFFHdWlBcHBsaWNhdGlvbjo6Y2xpcGJvYXJkKCktPnNldE1pbWVEYXRhKG1kLCBt X3NlbGVjdGlvbk1vZGUgPyBRQ2xpcGJvYXJkOjpTZWxlY3Rpb24gOiBRQ2xpcGJvYXJkOjpDbGlw Ym9hcmQpOwogI2VuZGlmCiB9CiAK