Bug 114162

Summary: [Qt] qtwebkit 2.3 crashes upon closing a onmouseover alert (may need several tries)
Product: WebKit Reporter: Сковорода Никита <chalkerx>
Component: WebKit Qt    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Critical CC: allan.jensen, hausmann
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Linux   
URL: http://oserv.org/bugs/qtwebkit-crash/2.3.html
Bug Depends on:    
Bug Blocks: 88186    
Attachments:
Description              Flags
The testcase v2.3.       none

Description Сковорода Никита 2013-04-08 02:54:10 PDT
Created attachment 196843 [details]
The testcase v2.3.

See http://oserv.org/bugs/qtwebkit-crash/2.3.html, http://oserv.org/bugs/qtwebkit-crash/2.2.html, http://oserv.org/bugs/qtwebkit-crash/2.1.html (that's not qtwebkit version numbers, that's the testcase version numbers).

It crashes konqueror+kwebkitpart, adiumthemeview, rekonq on closing the first or second alert (for the 2.3.html testcase).
Arora and designer-qt4 + qwebview + ctrl-r need a few more tries for me, but then they hang and consume a large amount of memory before finally crashing.

Does not seem to happen in Qt5 for me.

Have not tested qtwebkit versions prior to 2.3.
Comment 1 Allan Sandfeld Jensen 2013-04-10 05:44:19 PDT
I cannot get this to crash on my workstation anymore, so there might be fixes in Qt interfering, but I got it on my 32-bit VM.

Here is the first part of the backtrace. I am not going to post it all since it is 600038 calls deep:
#0  0xb24e2550 in QApplicationPrivate::enterModal_sys(QWidget*) () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#1  0xb2468120 in QApplicationPrivate::enterModal(QWidget*) () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#2  0xb24c334a in QWidgetPrivate::show_helper() () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#3  0xb24c35c1 in QWidget::setVisible(bool) () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#4  0xb29b9564 in QDialog::setVisible(bool) () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#5  0xb29b8087 in QDialog::exec() () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#6  0xb4c1ea2a in QWebPage::javaScriptAlert () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#7  0xb4c4ee70 in WebCore::ChromeClientQt::runJavaScriptAlert ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#8  0xb550f979 in WebCore::Chrome::runJavaScriptAlert ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#9  0xb5536d04 in WebCore::DOMWindow::alert () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#10 0xb600d315 in WebCore::jsDOMWindowPrototypeFunctionAlert ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#11 0xabbe3fcf in ?? ()
#12 0xb64ce785 in JSC::JITCode::execute () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#13 0xb64cc3a8 in JSC::Interpreter::executeCall () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#14 0xb65a3d4d in JSC::call () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#15 0xb4cff113 in WebCore::JSMainThreadExecState::call ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#16 0xb4d35f4e in WebCore::JSEventListener::handleEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#17 0xb507e4a6 in WebCore::EventTarget::fireEventListeners ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#18 0xb507e2d5 in WebCore::EventTarget::fireEventListeners ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#19 0xb50afc0a in WebCore::Node::handleLocalEvents () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#20 0xb507081d in WebCore::EventContext::handleLocalEvents ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#21 0xb50733b8 in WebCore::EventDispatcher::dispatchEventAtTarget ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#22 0xb5072fbf in WebCore::EventDispatcher::dispatchEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#23 0xb5090426 in WebCore::MouseEventDispatchMediator::dispatchEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#24 0xb5071dbc in WebCore::EventDispatcher::dispatchEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#25 0xb50b0791 in WebCore::Node::dispatchMouseEvent () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#26 0xb5551605 in WebCore::EventHandler::updateMouseEventTargetNode ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#27 0xb55516f4 in WebCore::EventHandler::dispatchMouseEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#28 0xb554f81a in WebCore::EventHandler::handleMouseMoveEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#29 0xb554efd6 in WebCore::EventHandler::mouseMoved () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#30 0xb4c275df in QWebPagePrivate::mouseMoveEvent<QMouseEvent> ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#31 0xb4c1abeb in QWebPagePrivate::leaveEvent () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#32 0xb4c23c23 in QWebPage::event () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#33 0xb4c30243 in QWebView::event () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#34 0xb2465ed4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
   from /usr/lib/i386-linux-gnu/libQtGui.so.4
#35 0xb246b3a2 in QApplication::notify(QObject*, QEvent*) () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#36 0xb207d97e in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
   from /usr/lib/i386-linux-gnu/libQtCore.so.4
#37 0xb24664b2 in QApplicationPrivate::dispatchEnterLeave(QWidget*, QWidget*) ()
   from /usr/lib/i386-linux-gnu/libQtGui.so.4
#38 0xb24e254e in QApplicationPrivate::enterModal_sys(QWidget*) () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#39 0xb2468120 in QApplicationPrivate::enterModal(QWidget*) () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#40 0xb24c334a in QWidgetPrivate::show_helper() () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#41 0xb24c35c1 in QWidget::setVisible(bool) () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#42 0xb29b9564 in QDialog::setVisible(bool) () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#43 0xb29b8087 in QDialog::exec() () from /usr/lib/i386-linux-gnu/libQtGui.so.4
#44 0xb4c1ea2a in QWebPage::javaScriptAlert () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#45 0xb4c4ee70 in WebCore::ChromeClientQt::runJavaScriptAlert ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#46 0xb550f979 in WebCore::Chrome::runJavaScriptAlert ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#47 0xb5536d04 in WebCore::DOMWindow::alert () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#48 0xb600d315 in WebCore::jsDOMWindowPrototypeFunctionAlert ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#49 0xabbe3fcf in ?? ()
#50 0xb64ce785 in JSC::JITCode::execute () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#51 0xb64cc3a8 in JSC::Interpreter::executeCall () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#52 0xb65a3d4d in JSC::call () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#53 0xb4cff113 in WebCore::JSMainThreadExecState::call ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#54 0xb4d35f4e in WebCore::JSEventListener::handleEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#55 0xb507e4a6 in WebCore::EventTarget::fireEventListeners ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#56 0xb507e2d5 in WebCore::EventTarget::fireEventListeners ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#57 0xb50afc0a in WebCore::Node::handleLocalEvents () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#58 0xb507081d in WebCore::EventContext::handleLocalEvents ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#59 0xb50733b8 in WebCore::EventDispatcher::dispatchEventAtTarget ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#60 0xb5072fbf in WebCore::EventDispatcher::dispatchEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#61 0xb5090426 in WebCore::MouseEventDispatchMediator::dispatchEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#62 0xb5071dbc in WebCore::EventDispatcher::dispatchEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#63 0xb50b0791 in WebCore::Node::dispatchMouseEvent () from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#64 0xb5551605 in WebCore::EventHandler::updateMouseEventTargetNode ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
#65 0xb55516f4 in WebCore::EventHandler::dispatchMouseEvent ()
   from /src/qtwebkit-23/WebKitBuild/Debug/lib/libQtWebKit.so.4
Comment 2 Allan Sandfeld Jensen 2013-04-10 08:48:43 PDT
This looks like a combination of several different bugs/quirks.

In short, because the cursor is where the modal dialog appears, the webview gets a mouse leave event, which causes it to send a mouse move event to WebCore with an invalid position. WebCore has a quirk that means it will always consider any position as inside so that it can track drags. This causes it to think the mouse has moved to the body, which causes a mouseover, which triggers a new modal dialog under the cursor, which causes an infinite recursion because none of the methods are protected against reentrance.
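The chain in comment 2, as an added model (not code from the bug report or from QtWebKit): a page whose `<body onmouseover>` calls `alert()`, a hit test that follows the "any position is inside" quirk, a leave event that forwards a synthetic move with an invalid position, and a modal `javaScriptAlert` that delivers that leave event before it returns. All class and method names are invented stand-ins for the frames in the backtrace; the assumption that the leave event clears the tracked node under the mouse (so the synthetic move fires `mouseover` again) is this model's, not something the report states. `guardAlert` is a hypothetical re-entrancy guard, included to show what bounding the recursion looks like.

```javascript
// Added example, not code from the bug report or from QtWebKit: a small
// model of the re-entrancy chain described in comment 2.  All names here
// are invented stand-ins for the frames in the backtrace.

class ModelPage {
  constructor({ guardAlert = false, stackLimit = 50 } = {}) {
    this.guardAlert = guardAlert;   // hypothetical fix: refuse a nested alert
    this.stackLimit = stackLimit;   // stand-in for the real stack running out
    this.inAlert = false;
    this.depth = 0;                 // current nesting of javaScriptAlert
    this.maxDepth = 0;              // deepest nesting observed
    this.alertsShown = 0;
    this.mouseoverHandlers = [];
    this.nodeUnderMouse = null;
  }

  onMouseover(fn) { this.mouseoverHandlers.push(fn); }

  // Quirk from the report: any position, even the invalid one sent on a
  // leave event, is treated as inside the document, so the hit test
  // resolves to <body> instead of "nothing".
  hitTest(/* x, y */) { return 'body'; }

  // EventHandler::handleMouseMoveEvent -> updateMouseEventTargetNode:
  // a change of node under the mouse fires mouseover on the new node.
  mouseMoved(x, y) {
    const node = this.hitTest(x, y);
    if (node !== this.nodeUnderMouse) {
      this.nodeUnderMouse = node;
      for (const fn of this.mouseoverHandlers) fn({ target: node, x, y });
    }
  }

  // QWebPagePrivate::leaveEvent: the pointer left the view.  Assumption of
  // this model: the tracked node is cleared, then a synthetic move with an
  // invalid position is forwarded to WebCore, as the report describes.
  leaveEvent() {
    this.nodeUnderMouse = null;
    this.mouseMoved(-1, -1);
  }

  // QWebPage::javaScriptAlert -> QDialog::exec.  The modal dialog opens under
  // the cursor, so enterModal_sys delivers a leave event to the view before
  // exec() returns.  Without a guard that re-enters javaScriptAlert.
  javaScriptAlert(message) {
    if (this.guardAlert && this.inAlert) return false;   // nested alert dropped
    this.inAlert = true;
    this.depth += 1;
    this.maxDepth = Math.max(this.maxDepth, this.depth);
    this.alertsShown += 1;
    try {
      if (this.depth > this.stackLimit) {
        throw new RangeError('simulated stack overflow in javaScriptAlert');
      }
      this.leaveEvent();               // enterModal_sys -> dispatchEnterLeave
    } finally {
      this.depth -= 1;
      this.inAlert = false;
    }
    return true;
  }
}

// Drive the testcase shape from the summary: <body onmouseover="alert(...)">.
// Returns whether the model "overflowed", how many alerts were shown and how
// deep javaScriptAlert nested.
function runScenario(opts) {
  const page = new ModelPage(opts);
  page.onMouseover(() => page.javaScriptAlert('onmouseover'));
  try {
    page.mouseMoved(10, 10);           // a real cursor movement over the body
    return { overflow: false, alerts: page.alertsShown, maxDepth: page.maxDepth };
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
    return { overflow: true, alerts: page.alertsShown, maxDepth: page.maxDepth };
  }
}

console.log('unguarded:', runScenario({ guardAlert: false }));
console.log('guarded:  ', runScenario({ guardAlert: true }));
```

Unguarded, one real mouse move nests one alert per synthetic leave/move round trip until the simulated stack limit trips; guarded, the nested `mouseover` still fires while the dialog is open, but the second `alert()` is dropped and the nesting stays at one. Where to place such a guard is a design choice: comment 2 lists three contributing quirks (leave event forwarded as a move, invalid position treated as inside, no re-entrancy protection), and fixing any one of them breaks the loop.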
Comment 3 Jocelyn Turcotte 2014-02-03 03:25:37 PST
=== Bulk closing of Qt bugs ===

If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary.

If you believe that this is still an important QtWebKit bug, please file a new report at https://bugreports.qt-project.org and add a link to this issue. See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.