71035 2011-10-27 10:53:10 -0700 crash near WebCore::QtFallbackWebPopupCombo::hidePopup when dismissing a <select> before it is fully rendered (Mac only) 2015-05-28 03:34:18 -0700 1 1 1 Unclassified WebKit WebKit Qt 528+ (Nightly build) Mac OS X 10.6 RESOLVED FIXED P2 Normal --- 0 sturm webkit-unassigned allan.jensen s.dorigotti sturm oldest_to_newest 491717 0 sturm 2011-10-27 10:53:10 -0700 I can consistently cause a crash by rapidly opening/dismissing a "select" (combo box) element. I have only seen this on Mac OS X. I have seen it on all recent versions, OS X 10.4 through 10.7. Steps: 1. launch "fancybrowser.app" (one of the examples that ships with Qt -- /Developer/Examples/Qt/webkit/fancybrowser) 2. go to http://www.tizag.com/htmlT/htmlselect.php (or basically any webpage that has a "select") 3. rapidly open and dismiss one of the select's (I do this by clicking to open it, and then hitting esc to dismiss it, over and over as quick as possible) 4. Crash!! I do believe the crash happens if you dismiss the popup before it is done rendering. So it's a timing issue and can be difficult to reproduce. You have to go real fast. The more items in the select the better -- you have a longer timeframe to cause the problem. I also suspect that if you got fancy CSS styling going on, it may give you a longer timeframe in which to cause the problem. Anyhow, here are two crash reports. The middle bits are a little different, but it always filters back down into WebCore::QtFallbackWebPopupCombo::hidePopup. -------- 8< --------- Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000040422f58 VM Regions Near 0x40422f58: JS garbage collector 000000000cb40000-000000000cbc0000 [ 512K] rw-/rw- SM=PRV --> __TEXT 000000008febd000-000000008fef0000 [ 204K] r-x/rwx SM=COW /usr/lib/dyld Application Specific Information: objc[18026]: garbage collection is OFF Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 QtGui 0x019562b9 QWidget::style() const + 9 1 QtGui 0x01cc822b QComboBox::hidePopup() + 267 2 QtWebKit 0x00960e7e WebCore::QtFallbackWebPopupCombo::hidePopup() + 46 3 QtGui 0x01cc3225 QComboBoxPrivateContainer::eventFilter(QObject*, QEvent*) + 501 4 QtCore 0x0252434f QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) + 143 5 QtGui 0x01910463 QApplicationPrivate::notify_helper(QObject*, QEvent*) + 147 6 QtGui 0x01919006 QApplication::notify(QObject*, QEvent*) + 7638 7 QtCore 0x02435b5c QCoreApplication::notifyInternal(QObject*, QEvent*) + 108 8 QtGui 0x01949c9c QShortcutMap::tryShortcutEvent(QObject*, QKeyEvent*) + 108 9 QtGui 0x019190b0 QApplication::notify(QObject*, QEvent*) + 7808 10 QtCore 0x02435b5c QCoreApplication::notifyInternal(QObject*, QEvent*) + 108 11 QtGui 0x019111fc qt_sendSpontaneousEvent(QObject*, QEvent*) + 60 12 QtGui 0x0198a377 QKeyMapper::sendKeyEvent(QWidget*, bool, QEvent::Type, int, QFlags<Qt::KeyboardModifier>, QString const&, bool, int, unsigned int, unsigned int, unsigned int, bool*) + 167 13 QtGui 0x0198b1c6 QKeyMapperPrivate::translateKeyEvent(QWidget*, OpaqueEventHandlerCallRef*, OpaqueEventRef*, void*, bool) + 742 14 QtGui 0x018c35fc qt_dispatchKeyEvent(void*, QWidget*) + 236 15 QtGui 0x018b664f -[QCocoaView keyDown:] + 335 16 com.apple.AppKit 0x926e54cf -[NSWindow sendEvent:] + 10891 17 QtGui 0x018bc22b -[QCocoaWindow sendEvent:] + 267 18 com.apple.AppKit 0x9267c6ff -[NSApplication sendEvent:] + 4788 19 QtGui 0x018bf9dd -[QNSApplication sendEvent:] + 93 20 com.apple.AppKit 0x9260dc82 -[NSApplication run] + 1007 21 QtGui 0x018c9a51 QEventDispatcherMac::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 1505 22 QtCore 0x025239c1 QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 65 23 QtCore 0x02523d0a QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 170 24 QtCore 0x02525166 QCoreApplication::exec() + 182 25 com.yourcompany.fancybrowser 0x00004a41 main + 435 (main.cpp:54) 26 com.yourcompany.fancybrowser 0x000045f1 _start + 208 27 com.yourcompany.fancybrowser 0x00004520 start + 40 -------- 8< --------- Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000030b9b7fc VM Regions Near 0x30b9b7fc: MALLOC_TINY 000000000d500000-000000000d600000 [ 1024K] rw-/rwx SM=PRV --> __TEXT 000000008fe53000-000000008fe86000 [ 204K] r-x/rwx SM=COW /usr/lib/dyld Application Specific Information: objc[18122]: garbage collection is OFF Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 QtGui 0x019562b9 QWidget::style() const + 9 1 QtGui 0x01cc822b QComboBox::hidePopup() + 267 2 QtWebKit 0x00960e7e WebCore::QtFallbackWebPopupCombo::hidePopup() + 46 3 QtGui 0x01ccb40f QComboBoxPrivateContainer::mousePressEvent(QMouseEvent*) + 191 4 QtGui 0x0196509f QWidget::event(QEvent*) + 2351 5 QtGui 0x01cf3c28 QFrame::event(QEvent*) + 40 6 QtGui 0x0191048c QApplicationPrivate::notify_helper(QObject*, QEvent*) + 188 7 QtGui 0x019194bd QApplication::notify(QObject*, QEvent*) + 8845 8 QtCore 0x02435b5c QCoreApplication::notifyInternal(QObject*, QEvent*) + 108 9 QtGui 0x019111fc qt_sendSpontaneousEvent(QObject*, QEvent*) + 60 10 QtGui 0x018c5623 qt_mac_handleMouseEvent(void*, void*, QEvent::Type, Qt::MouseButton) + 2019 11 QtGui 0x018b55a0 -[QCocoaView mouseDown:] + 64 12 com.apple.AppKit 0x926e47b1 -[NSWindow sendEvent:] + 7533 13 QtGui 0x018b353b -[QCocoaPanel sendEvent:] + 267 14 com.apple.AppKit 0x9267c6ff -[NSApplication sendEvent:] + 4788 15 QtGui 0x018bf9dd -[QNSApplication sendEvent:] + 93 16 com.apple.AppKit 0x9260dc82 -[NSApplication run] + 1007 17 QtGui 0x018c9a51 QEventDispatcherMac::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 1505 18 QtCore 0x025239c1 QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 65 19 QtCore 0x02523d0a QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 170 20 QtCore 0x02525166 QCoreApplication::exec() + 182 21 com.yourcompany.fancybrowser 0x00004a41 main + 435 (main.cpp:54) 22 com.yourcompany.fancybrowser 0x000045f1 _start + 208 23 com.yourcompany.fancybrowser 0x00004520 start + 40 -------- 8< --------- 511787 1 sturm 2011-11-30 08:55:42 -0800 I fixed this in qt/WebCoreSupport/QtFallbackWebPopup.cpp: void QtFallbackWebPopupCombo::hidePopup() { ... QComboBox::hidePopup(); // move this line ... if (!m_ownerPopup.m_popupVisible) return; m_ownerPopup.m_popupVisible = false; // ... to here m_ownerPopup.popupDidHide(); m_ownerPopup.destroyPopup(); } The problem was that hidePopup() was sometimes being called twice (due to the vagaries of the OS X event loop). The first time through, the popup was closed and then destroyed. The second time through, the popup (which had been destroyed) was getting closed again – thus accessing memory that had been freed. 1086314 2 s.dorigotti 2015-04-17 07:20:58 -0700 I can confirm both the bug and the solution provided by Paul Sturm. It doesn't seem to have noticeable side effects. cheers, Steven ps: this is the patch I apply to Qt 4.8.6: --- qt.orig/qt-everywhere-opensource-src-4.8.6/src/3rdparty/webkit/Source/WebKit/qt/WebCoreSupport/QtFallbackWebPopup.cpp +++ qt/qt-everywhere-opensource-src-4.8.6/src/3rdparty/webkit/Source/WebKit/qt/WebCoreSupport/QtFallbackWebPopup.cpp @@ -66,12 +66,11 @@ } #endif // QT_NO_IM - QComboBox::hidePopup(); - if (!m_ownerPopup.m_popupVisible) return; m_ownerPopup.m_popupVisible = false; + QComboBox::hidePopup(); emit m_ownerPopup.didHide(); m_ownerPopup.destroyPopup(); } 1097877 3 allan.jensen 2015-05-28 03:34:18 -0700 Fixed in Qt 5 already, and QtWebKit is no longer upstream.