Bug 77546

Summary: [Qt][WK2] Loading cuttherope.ie results in segfault
Product: WebKit Reporter: zalan <zalan>
Component: WebKit2    Assignee: zalan <zalan>
Status: RESOLVED FIXED    
Severity: Normal CC: menard, webkit.review.bot, zoltan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: http://cuttherope.ie
Attachments:
Description Flags
Patch none

zalan
Reported 2012-02-01 05:20:11 PST
#0 0x00007ffff38f4e6d in convert_ARGB_PM_to_ARGB (dest=0x7fffa0007d70, src=0x7fffa0009610) at image/qimage.cpp:2072
#1 0x00007ffff38f7f49 in convert_ARGB_PM_to_Indexed8 (dst=0x7fffa0009970, src=0x7fffa0009610, flags=...) at image/qimage.cpp:2726
#2 0x00007ffff38f92d1 in QImage::convertToFormat (this=0x7fffffffc610, format=QImage::Format_Indexed8, flags=...) at image/qimage.cpp:3386
#3 0x00007ffff38bd439 in QCursor::QCursor (this=0x7fffa0007820, pixmap=..., hotX=0, hotY=0) at kernel/qcursor.cpp:314
#4 0x00007ffff5dcdc5a in WebCore::createCustomCursor (image=0x7fffa000a460, hotSpot=...) at ../../../../Source/WebCore/platform/qt/CursorQt.cpp:81
#5 0x00007ffff5dce762 in WebCore::Cursor::ensurePlatformCursor (this=0x7fffffffcb30) at ../../../../Source/WebCore/platform/qt/CursorQt.cpp:201
#6 0x00007ffff5dc62c8 in WebCore::Cursor::platformCursor (this=0x7fffffffcb30) at ../../../../Source/WebCore/platform/Cursor.cpp:167
#7 0x00007ffff52430d0 in QtPageClient::setCursor (this=0x4ff9b8, cursor=...) at ../../../../Source/WebKit2/UIProcess/qt/QtPageClient.cpp:129
#8 0x00007ffff51eb7a2 in WebKit::WebPageProxy::setCursor (this=0x7fff98001930, cursor=...) at ../../../../Source/WebKit2/UIProcess/WebPageProxy.cpp:2829
#9 0x00007ffff5350934 in CoreIPC::callMemberFunction<WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WebCore::Cursor const&), WebCore::Cursor> (args=..., object=0x7fff98001930, function= (void (WebKit::WebPageProxy::*)(WebKit::WebPageProxy * const, const WebCore::Cursor &)) 0x7ffff51eb76a <WebKit::WebPageProxy::setCursor(WebCore::Cursor const&)>) at ../../../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:19
#10 0x00007ffff534bdb8 in CoreIPC::handleMessage<Messages::WebPageProxy::SetCursor, WebKit::WebPageProxy, void (WebKit::WebPageProxy::*)(WebCore::Cursor const&)> (argumentDecoder=0x7fff980097d0, object=0x7fff98001930, function= (void (WebKit::WebPageProxy::*)(WebKit::WebPageProxy * const, const WebCore::Cursor &)) 0x7ffff51eb76a <WebKit::WebPageProxy::setCursor(WebCore::Cursor const&)>) at ../../../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:290
#11 0x00007ffff534974c in WebKit::WebPageProxy::didReceiveWebPageProxyMessage (this=0x7fff98001930, messageID=..., arguments=0x7fff980097d0) at generated/WebPageProxyMessageReceiver.cpp:111
#12 0x00007ffff51e5390 in WebKit::WebPageProxy::didReceiveMessage (this=0x7fff98001930, connection=0x8b6c00, messageID=..., arguments=0x7fff980097d0) at ../../../../Source/WebKit2/UIProcess/WebPageProxy.cpp:1545
#13 0x00007ffff5218b68 in WebKit::WebProcessProxy::didReceiveMessage (this=0x508a20, connection=0x8b6c00, messageID=..., arguments=0x7fff980097d0) at ../../../../Source/WebKit2/UIProcess/WebProcessProxy.cpp:321
#14 0x00007ffff51b00a6 in WebKit::WebConnectionToWebProcess::didReceiveMessage (this=0x8a0100, connection=0x8b6c00, messageID=..., arguments=0x7fff980097d0) at ../../../../Source/WebKit2/UIProcess/WebConnectionToWebProcess.cpp:92
#15 0x00007ffff511b54f in CoreIPC::Connection::dispatchMessage (this=0x8b6c00, message=...) at ../../../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:692
#16 0x00007ffff511b729 in CoreIPC::Connection::dispatchMessages (this=0x8b6c00) at ../../../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:719
#17 0x00007ffff512566c in WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>::operator() (this=0x7fff98008e30, c=0x8b6c00) at ../../../../Source/JavaScriptCore/wtf/Functional.h:172
#18 0x00007ffff512542a in WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void (CoreIPC::Connection*)>::operator()() (this=0x7fff98008e20) at ../../../../Source/JavaScriptCore/wtf/Functional.h:372
#19 0x00007ffff5333f8a in WTF::Function<void ()>::operator()() const (this=0x7fff9800b580) at ../../../../Source/JavaScriptCore/wtf/Functional.h:580
#20 0x00007ffff5b58ea4 in WebCore::RunLoop::performWork (this=0x505eb0) at ../../../../Source/WebCore/platform/RunLoop.cpp:67
#21 0x00007ffff5dd1204 in WebCore::RunLoop::TimerObject::performWork (this=0x505f70) at ../../../../Source/WebCore/platform/qt/RunLoopQt.cpp:48
#22 0x00007ffff5dd1d13 in WebCore::RunLoop::TimerObject::qt_static_metacall (_o=0x505f70, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fff98006d50) at moc/RunLoopQt.moc:49
#23 0x00007ffff358c353 in QMetaCallEvent::placeMetaCall (this=0x7fff9800a430, object=0x505f70) at kernel/qobject.cpp:436
#24 0x00007ffff358d138 in QObject::event (this=0x505f70, e=0x7fff9800a430) at kernel/qobject.cpp:1014
#25 0x00007ffff3e67fb8 in QApplicationPrivate::notify_helper (this=0x434240, receiver=0x505f70, e=0x7fff9800a430) at kernel/qapplication.cpp:4052
#26 0x00007ffff3e65702 in QApplication::notify (this=0x7fffffffe410, receiver=0x505f70, e=0x7fff9800a430) at kernel/qapplication.cpp:3469
#27 0x000000000040a3a4 in MiniBrowserApplication::notify (this=0x7fffffffe410, target=0x505f70, event=0x7fff9800a430) at /home/zbujtas/WebKit/Tools/MiniBrowser/qt/MiniBrowserApplication.cpp:86
#28 0x00007ffff3562f48 in QCoreApplication::notifyInternal (this=0x7fffffffe410, receiver=0x505f70, event=0x7fff9800a430) at kernel/qcoreapplication.cpp:784
#29 0x00007ffff35669ab in QCoreApplication::sendEvent (receiver=0x505f70, event=0x7fff9800a430) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:210
#30 0x00007ffff3563ec6 in QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x4343b0) at kernel/qcoreapplication.cpp:1420
#31 0x00007ffff3563a9d in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at kernel/qcoreapplication.cpp:1281
#32 0x00007ffff35c1373 in QCoreApplication::sendPostedEvents () at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#33 0x00007ffff35c035a in postEventSourceDispatch (s=0x445170) at kernel/qeventdispatcher_glib.cpp:279
#34 0x00007ffff0f31a5d in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#35 0x00007ffff0f32258 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#36 0x00007ffff0f32429 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00007ffff35c0c1b in QEventDispatcherGlib::processEvents (this=0x442a60, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#38 0x00007ffff3560824 in QEventLoop::processEvents (this=0x7fffffffe2e0, flags=...) at kernel/qeventloop.cpp:144
#39 0x00007ffff3560ab7 in QEventLoop::exec (this=0x7fffffffe2e0, flags=...) at kernel/qeventloop.cpp:220
#40 0x00007ffff35634e8 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1036
#41 0x00007ffff38b058f in QGuiApplication::exec () at kernel/qguiapplication.cpp:523
#42 0x00007ffff3e652ec in QApplication::exec () at kernel/qapplication.cpp:3355
#43 0x00000000004090dd in main (argc=2, argv=0x7fffffffe658) at /home/zbujtas/WebKit/Tools/MiniBrowser/qt/main.cpp:71
Attachments
Patch (2.32 KB, patch)
2012-02-13 03:57 PST, zalan
no flags
zalan
Comment 1 2012-02-01 05:41:24 PST
ShareableBitmap lacks an additional ref() when (Qt)ShareableBitmap::createImage() is called. ShareableBitmap gets destroyed early because of this missing ref. Both Cairo and CG have this ref(), which is balanced when the associated (shared) data is being freed; see ShareableBitmap::createCairoSurface().

Fix: the QImage c'tor needs a callback function parameter, which gets called when the associated data is being freed. It enables Qt's ShareableBitmap to introduce a ref()/deref() pair similar to Cairo/CG.
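The lifetime slip Comment 1 describes, as an added example that is not WebKit's or Qt's code: a refcounted bitmap is wrapped by an image object that borrows its memory, the wrapper's creator drops its own reference, and without a reference held on the image's behalf the backing memory is released while the image is still in use. The backtrace above shows where that costs you: the freed pixels are read inside QCursor's pixmap conversion, in the UI process, on a code path entered by a SetCursor message from the web process. `SharedBitmap`, `Image`, `releaseBitmap` and the `liveCount` counter are hypothetical stand-ins (the counter exists only so the test can observe the lifetime without touching freed memory); the cleanup-callback parameter on `Image` models the callback the comment asks for on QImage's external-buffer constructor.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for WebKit2's ShareableBitmap: a refcounted pixel
// buffer backed by memory shared between web and UI process. A plain vector
// stands in for the shared mapping; only the refcount matters here.
class SharedBitmap {
public:
    // Number of bitmaps whose backing memory is still live (test aid only).
    static int liveCount;

    static SharedBitmap* create(size_t bytes) { return new SharedBitmap(bytes); }
    void ref() { ++m_refCount; }
    void deref() {
        if (--m_refCount == 0)
            delete this;  // last reference gone: backing memory is released
    }
    uint8_t* data() { return m_pixels.data(); }
    size_t size() const { return m_pixels.size(); }

private:
    explicit SharedBitmap(size_t bytes) : m_pixels(bytes, 0xAB) { ++liveCount; }
    ~SharedBitmap() { --liveCount; }
    int m_refCount = 1;  // the creator holds the first reference
    std::vector<uint8_t> m_pixels;
};
int SharedBitmap::liveCount = 0;

// Hypothetical stand-in for an image that wraps memory it does not own (the
// QImage external-buffer constructor), with the optional cleanup callback the
// comment asks for: it runs once, when the image is destroyed.
typedef void (*CleanupFunction)(void* info);

class Image {
public:
    Image(uint8_t* data, size_t size, CleanupFunction cleanup = nullptr, void* info = nullptr)
        : m_data(data), m_size(size), m_cleanup(cleanup), m_info(info) {}
    ~Image() {
        if (m_cleanup)
            m_cleanup(m_info);
    }
    Image(const Image&) = delete;
    Image& operator=(const Image&) = delete;
    uint8_t* data() const { return m_data; }
    size_t size() const { return m_size; }

private:
    uint8_t* m_data;
    size_t m_size;
    CleanupFunction m_cleanup;
    void* m_info;
};

// Cleanup callback: give back the reference the image was handed at creation.
static void releaseBitmap(void* info) {
    static_cast<SharedBitmap*>(info)->deref();
}

// Bug: createImage() wraps the bitmap's memory without taking a reference for
// the image. When the caller drops its own reference, the bitmap is freed while
// the image still points at it. Returns true when that happens.
bool unbalancedCreateImageFreesBitmapEarly() {
    int before = SharedBitmap::liveCount;
    SharedBitmap* bitmap = SharedBitmap::create(64);
    Image image(bitmap->data(), bitmap->size());  // no ref() on the image's behalf
    bitmap->deref();                              // caller's reference dropped
    return SharedBitmap::liveCount == before;     // freed, image still in scope
}

// Fix: ref() on the image's behalf and hand it a cleanup callback that deref()s.
// The bitmap now outlives the image and is released exactly once, when the
// image goes away. Returns true when both hold.
bool balancedCreateImageKeepsBitmapAlive() {
    int before = SharedBitmap::liveCount;
    SharedBitmap* bitmap = SharedBitmap::create(64);
    bool aliveWhileImageExists;
    {
        bitmap->ref();  // reference owned by the image, returned in releaseBitmap()
        Image image(bitmap->data(), bitmap->size(), releaseBitmap, bitmap);
        bitmap->deref();  // caller's own reference dropped; bitmap survives
        aliveWhileImageExists = (SharedBitmap::liveCount == before + 1);
    }  // image destroyed: releaseBitmap() deref()s and the bitmap is freed here
    return aliveWhileImageExists && SharedBitmap::liveCount == before;
}

int main() {
    std::printf("unbalanced: bitmap freed while image alive: %s\n",
                unbalancedCreateImageFreesBitmapEarly() ? "yes" : "no");
    std::printf("balanced:   bitmap outlives image, freed once: %s\n",
                balancedCreateImageKeepsBitmapAlive() ? "yes" : "no");
    return 0;
}
```

The ref() that the fix adds is owned by the image, not by the caller, which is why it has to be released from the cleanup callback rather than at the end of createImage(): the image can be copied or queued (here, into a QCursor) long after the function that created it has returned. Run the real thing under AddressSanitizer or valgrind rather than a counter like `liveCount`; the unbalanced path then reports a heap-use-after-free at the first pixel read instead of a segfault some distance away.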
zalan
Comment 2 2012-02-13 03:57:50 PST
WebKit Review Bot
Comment 3 2012-02-13 07:05:32 PST
Comment on attachment 126749: Patch
Clearing flags on attachment: 126749
Committed r107571: <http://trac.webkit.org/changeset/107571>
WebKit Review Bot
Comment 4 2012-02-13 07:05:37 PST
All reviewed patches have been landed. Closing bug.