49216 2010-11-08 15:49:09 -0800 [Qt] Crash when calling QWebFrame::setUrl() while a previous load has pending requests 2011-03-01 07:41:51 -0800 1 1 1 Unclassified WebKit WebKit Qt 528+ (Nightly build) All All RESOLVED FIXED Qt, QtTriaged P1 Critical --- 1 vog kling benjamin kling koivisto markus mihaip stawel webkit oldest_to_newest 306420 0 vog 2010-11-08 15:49:09 -0800 Under certain circumstances, calling setHtml() and then setUrl() on a QWebFrame instance causes a segmentation fault! More specifically, this always happens if the HTML provided to setHtml() contains an image (<img> tag). It doesn't matter whether the image acually exists. No GUI (QWebView) needs to be involved. The following 3 lines of code are sufficient to reproduce this strange bug: QWebPage *page = new QWebPage(); page->mainFrame()->setHtml("<img src=\"dummy:\">"); page->mainFrame()->setUrl(QUrl("about:blank")); 306661 1 markus 2010-11-09 01:15:39 -0800 Do you have a backtrace of the segfault? 306662 2 markus 2010-11-09 01:16:04 -0800 (In case this is a Qt bug, we can re-open http://bugreports.qt.nokia.com/browse/QTBUG-15122 ) 307298 3 73487 vog 2010-11-10 04:55:54 -0800 Created attachment 73487 minimal Qt application to reproduce the segmentation fault Unfortunately, the stack trace doesn't provide much information on my system: (gdb) bt #0 0xb6d960b0 in ?? () from /home/vog/work/rentapacs/qt/lib/libQtWebKit.so.4 #1 0xb6be2a4e in ?? () from /home/vog/work/rentapacs/qt/lib/libQtWebKit.so.4 #2 0xb6cf20b2 in ?? () from /home/vog/work/rentapacs/qt/lib/libQtWebKit.so.4 #3 0xb6bdde65 in ?? () from /home/vog/work/rentapacs/qt/lib/libQtWebKit.so.4 #4 0xb6e1891f in ?? () from /home/vog/work/rentapacs/qt/lib/libQtWebKit.so.4 #5 0xb6da718e in ?? () from /home/vog/work/rentapacs/qt/lib/libQtWebKit.so.4 #6 0xb6daf07f in ?? () from /home/vog/work/rentapacs/qt/lib/libQtWebKit.so.4 #7 0xb6fe68e4 in QWebFrame::setUrl () from /home/vog/work/rentapacs/qt/lib/libQtWebKit.so.4 #8 0x08048b38 in main (argc=-1269742464, argv=0x0) at main.cpp:11 That's why I attached a minimal Qt application that contains the mentioned 3 lines of code. That way, anyone interested can reproduce this issue and get a stack trace without any effort - just unpack, qmake, make and run. 352156 4 kling 2011-02-16 10:08:42 -0800 What happens here is that when replacing the Document in Frame::setDocument(), the old Document is destroyed, which calls CachedResourceLoader::cancelRequests(), which in turn calls didFail() on all pending requests. CachedResourceRequests::didFail() creates a RefPtr to protect its loader's Document temporarily, but since the Document is already being destroyed, its ref-count is already 0, causing ~RefPtr to double-delete the Document. Bug 23180 introduced the protector RefPtr. 352248 5 koivisto 2011-02-16 12:10:34 -0800 Simply clearing the document pointer in CachedResourceLoader destructor before canceling might fix this. 352451 6 82721 kling 2011-02-16 16:33:20 -0800 Created attachment 82721 Proposed patch 352469 7 kling 2011-02-16 17:02:16 -0800 *** Bug 39670 has been marked as a duplicate of this bug. *** 352732 8 82721 koivisto 2011-02-17 03:42:35 -0800 Comment on attachment 82721 Proposed patch r=me 352775 9 82721 kling 2011-02-17 05:38:18 -0800 Comment on attachment 82721 Proposed patch Clearing flags on attachment: 82721 Committed r78816: <http://trac.webkit.org/changeset/78816> 352776 10 kling 2011-02-17 05:38:26 -0800 All reviewed patches have been landed. Closing bug. 359888 11 kling 2011-03-01 07:41:51 -0800 *** Bug 55467 has been marked as a duplicate of this bug. *** 73487 2010-11-10 04:55:54 -0800 2010-11-10 04:55:54 -0800 minimal Qt application to reproduce the segmentation fault Qt-Webkit-Bug-49216.tar.gz application/gzip 438 vog H4sIAO2U2kwCA+3Vz0/bMBQH8Jz9V1jZJYWljdP80IBWYoiWadIgpYgD7OCmVvBI0ih1YNO0/302 pahIUC6saOj7OcSR30ti5fkliXLPxeRaKvdzk7nBJ59FHeuVeVrseWZkcfhoXLIYC6IoZH63G1ke 8/2uZ9HQ2oBmrnhNqXUzy9bmvRT/TyVP1L/gsmynVfWa9Y/W1D/04kX9A70DoljXvxvFoUU91P+f +yDLNG+mgu4latjITrJfVblMuZKzsk9Wo3qbfJWqk+hxUPNCPBs94ZkOElkqanaSY054naUfaXql X/WWPr+5+N4ivwnVVh9IubNINCmtXbJIuL8l3arMsUdLcfsw6egsk2RCbt887m5tTsvtz4U6UkXu 2HuyyOi8TnuX9rQpil87l3bfXnvdWZ07iTnYfDJr1M4k5+W13VquqBaqqfVi2+KnSM0K/pB31f9V PfshUtXW40b6n7Ho4fvP/FD3fxCwAP2/CeP90fBwrLvqiY1AkjHd7tHbu2lyenw2Ojg8NTPLHwQ5 OP42+DI0U1MxaTJiAQAAAAAAAAAAAAAAAAAAwBv4C+nvfKgAKAAA 82721 2011-02-16 16:33:20 -0800 2011-02-17 05:38:18 -0800 Proposed patch bug-49216.diff text/plain 3375 kling ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCBmOWMzMzNjLi5iNWMzN2ZlIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTkg QEAKKzIwMTEtMDItMTYgIEFuZHJlYXMgS2xpbmcgIDxrbGluZ0B3ZWJraXQub3JnPgorCisgICAg ICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFtRdF0gQ3Jhc2ggd2hl biBjYWxsaW5nIFFXZWJGcmFtZTo6c2V0VXJsKCkgd2hpbGUgYSBwcmV2aW91cyBsb2FkIGhhcyBw ZW5kaW5nIHJlcXVlc3RzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD00OTIxNgorCisgICAgICAgIENhY2hlZFJlc291cmNlUmVxdWVzdDo6ZGlkRmFpbCgp IHdpbGwgcHJvdGVjdCB0aGUgQ2FjaGVkUmVzb3VyY2VMb2FkZXIncworICAgICAgICBkb2N1bWVu dCgpIHdoaWxlIGl0IHJ1bnMsIGJ1dCBpZiB3ZSdyZSBiZWluZyBjYWxsZWQgZnJvbSB0aGUgRG9j dW1lbnQgZGVzdHJ1Y3RvciwKKyAgICAgICAgdGhlIHByb3RlY3RpbmcgUmVmUHRyPERvY3VtZW50 PiB3aWxsIGNhdXNlIGEgZG91YmxlLWRlbGV0ZSBpbnN0ZWFkLgorCisgICAgICAgICogbG9hZGVy L2NhY2hlL0NhY2hlZFJlc291cmNlTG9hZGVyLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkNhY2hl ZFJlc291cmNlTG9hZGVyOjp+Q2FjaGVkUmVzb3VyY2VMb2FkZXIpOiBDbGVhciB0aGUgbV9kb2N1 bWVudAorICAgICAgICBwb2ludGVyIHNvIENhY2hlZFJlc291cmNlUmVxdWVzdDo6ZGlkRmFpbCgp IHdvbid0IHRyeSB0byBwcm90ZWN0IGl0LgorICAgICAgICAoV2ViQ29yZTo6Q2FjaGVkUmVzb3Vy Y2VMb2FkZXI6OmZyYW1lKTogQWRkIG51bGwtY2hlY2sgZm9yIG1fZG9jdW1lbnQuCisKIDIwMTEt MDItMTUgIEdhdmluIEJhcnJhY2xvdWdoICA8YmFycmFjbG91Z2hAYXBwbGUuY29tPgogCiAgICAg ICAgIFJldmlld2VkIGJ5IEdlb2ZmIEdhcmVuLgpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUv bG9hZGVyL2NhY2hlL0NhY2hlZFJlc291cmNlTG9hZGVyLmNwcCBiL1NvdXJjZS9XZWJDb3JlL2xv YWRlci9jYWNoZS9DYWNoZWRSZXNvdXJjZUxvYWRlci5jcHAKaW5kZXggYjdiODVkYi4uOTQ0NTQ1 MSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvbG9hZGVyL2NhY2hlL0NhY2hlZFJlc291cmNl TG9hZGVyLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvY2FjaGUvQ2FjaGVkUmVzb3Vy Y2VMb2FkZXIuY3BwCkBAIC05Niw2ICs5Niw5IEBAIENhY2hlZFJlc291cmNlTG9hZGVyOjp+Q2Fj aGVkUmVzb3VyY2VMb2FkZXIoKQogICAgIC8vIEZJWE1FOiBSZW1vdmUgdGhpcyBhbmQgdGhlIHJl bGF0ZWQgY29kZSB3aGVuIGl0IGhhcyBzZXJ2ZWQgaXRzIHB1cnBvc2UuCiAgICAgaWYgKG1faXNJ bk1ldGhvZCkKICAgICAgICAgQ1JBU0goKTsKKworICAgIG1fZG9jdW1lbnQgPSAwOworCiAgICAg Y2FuY2VsUmVxdWVzdHMoKTsKICAgICBjbGVhclByZWxvYWRzKCk7CiAgICAgRG9jdW1lbnRSZXNv dXJjZU1hcDo6aXRlcmF0b3IgZW5kID0gbV9kb2N1bWVudFJlc291cmNlcy5lbmQoKTsKQEAgLTEy MCw3ICsxMjMsNyBAQCBDYWNoZWRSZXNvdXJjZSogQ2FjaGVkUmVzb3VyY2VMb2FkZXI6OmNhY2hl ZFJlc291cmNlKGNvbnN0IEtVUkwmIHJlc291cmNlVVJMKSBjbwogCiBGcmFtZSogQ2FjaGVkUmVz b3VyY2VMb2FkZXI6OmZyYW1lKCkgY29uc3QKIHsKLSAgICByZXR1cm4gbV9kb2N1bWVudC0+ZnJh bWUoKTsKKyAgICByZXR1cm4gbV9kb2N1bWVudCA/IG1fZG9jdW1lbnQtPmZyYW1lKCkgOiAwOwog fQogCiBDYWNoZWRJbWFnZSogQ2FjaGVkUmVzb3VyY2VMb2FkZXI6OnJlcXVlc3RJbWFnZShjb25z dCBTdHJpbmcmIHVybCkKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvcXQvQ2hhbmdlTG9nIGIv U291cmNlL1dlYktpdC9xdC9DaGFuZ2VMb2cKaW5kZXggM2I2NmU4OS4uZjQzOTdhYSAxMDA2NDQK LS0tIGEvU291cmNlL1dlYktpdC9xdC9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYktpdC9xdC9D aGFuZ2VMb2cKQEAgLTEsMyArMSwxMiBAQAorMjAxMS0wMi0xNiAgQW5kcmVhcyBLbGluZyAgPGts aW5nQHdlYmtpdC5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisK KyAgICAgICAgW1F0XSBDcmFzaCB3aGVuIGNhbGxpbmcgUVdlYkZyYW1lOjpzZXRVcmwoKSB3aGls ZSBhIHByZXZpb3VzIGxvYWQgaGFzIHBlbmRpbmcgcmVxdWVzdHMKKyAgICAgICAgaHR0cHM6Ly9i dWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTQ5MjE2CisKKyAgICAgICAgKiB0ZXN0cy9x d2ViZnJhbWUvdHN0X3F3ZWJmcmFtZS5jcHA6CisKIDIwMTEtMDItMTYgIEFwYXJuYSBOYW5keWFs ICA8YXBhcm5hLm5hbmRAd2lwcm8uY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IEFuZHJlYXMg S2xpbmcuCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L3F0L3Rlc3RzL3F3ZWJmcmFtZS90c3Rf cXdlYmZyYW1lLmNwcCBiL1NvdXJjZS9XZWJLaXQvcXQvdGVzdHMvcXdlYmZyYW1lL3RzdF9xd2Vi ZnJhbWUuY3BwCmluZGV4IDNjNDdkMWMuLjJlMmRlZjQgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJL aXQvcXQvdGVzdHMvcXdlYmZyYW1lL3RzdF9xd2ViZnJhbWUuY3BwCisrKyBiL1NvdXJjZS9XZWJL aXQvcXQvdGVzdHMvcXdlYmZyYW1lL3RzdF9xd2ViZnJhbWUuY3BwCkBAIC02NDcsNiArNjQ3LDcg QEAgcHJpdmF0ZSBzbG90czoKICAgICB2b2lkIHNldENvbnRlbnRfZGF0YSgpOwogICAgIHZvaWQg c2V0Q29udGVudCgpOwogICAgIHZvaWQgc2V0Q2FjaGVMb2FkQ29udHJvbEF0dHJpYnV0ZSgpOwor ICAgIHZvaWQgc2V0VXJsV2l0aFBlbmRpbmdMb2FkcygpOwogCiBwcml2YXRlOgogICAgIFFTdHJp bmcgIGV2YWxKUyhjb25zdCBRU3RyaW5nJnMpIHsKQEAgLTMyODcsNSArMzI4OCwxMiBAQCB2b2lk IHRzdF9RV2ViRnJhbWU6OndlYkVsZW1lbnRTbG90T25seSgpCiAgICAgUUNPTVBBUkUoZXZhbEpT KCJteVdlYkVsZW1lbnRTbG90T2JqZWN0LnRhZ05hbWUiKSwgUVN0cmluZygiQk9EWSIpKTsKIH0K IAordm9pZCB0c3RfUVdlYkZyYW1lOjpzZXRVcmxXaXRoUGVuZGluZ0xvYWRzKCkKK3sKKyAgICBR V2ViUGFnZSBwYWdlOworICAgIHBhZ2UubWFpbkZyYW1lKCktPnNldEh0bWwoIjxpbWcgc3JjPSdk dW1teTonLz4iKTsKKyAgICBwYWdlLm1haW5GcmFtZSgpLT5zZXRVcmwoUVVybCgiYWJvdXQ6Ymxh bmsiKSk7Cit9CisKIFFURVNUX01BSU4odHN0X1FXZWJGcmFtZSkKICNpbmNsdWRlICJ0c3RfcXdl YmZyYW1lLm1vYyIK