Bug 33149 - WebCore::RenderObject crash when showing QWebView
Summary: WebCore::RenderObject crash when showing QWebView
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Qt
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P2 Critical
Assignee: Nobody
URL:
Keywords: Qt
Depends on:
Blocks:
Reported: 2010-01-04 07:07 PST by pete.usergroups
Modified: 2010-03-16 08:39 PDT
Description pete.usergroups 2010-01-04 07:07:32 PST
The following crash is semi-reproducible and seems to happen when we show a webpage which contains an embedded QT widget.
It is possible that the widget is being torn down by the javascript on the page.

The crash occurs in the webkit version shipped with QT4.5.2. Sorry, I was unable to work out what this was.

QtWebKitd4.dll!WebCore::RenderObject::clientHeight() Line 608 + 0x3 bytes	C++
QtWebKitd4.dll!WebCore::RenderObject::contentHeight() Line 571 + 0x10 bytes	C++
QtWebKitd4.dll!WebCore::RenderObject::containingBlockHeight() Line 860	C++
QtWebKitd4.dll!WebCore::RenderBox::relativePositionOffsetY() Line 1306 + 0x12 bytes	C++
QtWebKitd4.dll!WebCore::RenderLayer::updateLayerPosition() Line 407 + 0xb bytes	C++
QtWebKitd4.dll!WebCore::MouseRelatedEvent::receivedTarget() Line 153	C++
QtWebKitd4.dll!WebCore::Event::setTarget(WTF::PassRefPtr<WebCore::EventTarget> target={...}) Line 175	C++
QtWebKitd4.dll!WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event> e={...}, int & ec=0) Line 272	C++
QtWebKitd4.dll!WebCore::EventTargetNode::dispatchMouseEvent(const WebCore::AtomicString & eventType={...}, int button=-1, int detail=0, int pageX=420, int pageY=270, int screenX=446, int screenY=329, bool ctrlKey=false, bool altKey=false, bool shiftKey=false, bool metaKey=false, bool isSimulated=false, WebCore::Node * relatedTargetArg=0x0f4f6a90, WTF::PassRefPtr<WebCore::Event> underlyingEvent={...}) Line 581 C++
QtWebKitd4.dll!WebCore::EventTargetNode::dispatchMouseEvent(const WebCore::PlatformMouseEvent & event={...}, const WebCore::AtomicString & eventType={...}, int detail=0, WebCore::Node * relatedTarget=0x0f4f6a90) Line 489 + 0x93 bytes	C++
QtWebKitd4.dll!WebCore::EventHandler::updateMouseEventTargetNode(WebCore::Node * targetNode=0x0f536670, const WebCore::PlatformMouseEvent & mouseEvent={...}, bool fireMouseOverOut=true) Line 1512	C++
QtWebKitd4.dll!WebCore::EventHandler::dispatchMouseEvent(const WebCore::AtomicString & eventType={...}, WebCore::Node * targetNode=0x0f536670, bool __formal=false, int clickCount=0, const WebCore::PlatformMouseEvent & mouseEvent={...}, bool setUnder=true) Line 1526	C++
QtWebKitd4.dll!WebCore::EventHandler::handleMouseMoveEvent(const WebCore::PlatformMouseEvent & mouseEvent={...}, WebCore::HitTestResult * hoveredNode=0x000f9b4c) Line 1246 + 0x29 bytes	C++
QtWebKitd4.dll!WebCore::EventHandler::mouseMoved(const WebCore::PlatformMouseEvent & event={...}) Line 1149 + 0x10 bytes	C++
QtWebKitd4.dll!QWebPagePrivate::mouseMoveEvent(QMouseEvent * ev=0x000fa268) Line 555 + 0x1e bytes	C++
QtWebKitd4.dll!QWebPage::event(QEvent * ev=0x000fa268) Line 1872	C++
QtWebKitd4.dll!QWebView::mouseMoveEvent(QMouseEvent * ev=0x000fa268) Line 711	C++
QtGuid4.dll!QWidget::event(QEvent * event=0x000fa268) Line 7535	C++
QtWebKitd4.dll!QWebView::event(QEvent * e=0x000fa268) Line 590	C++
QtGuid4.dll!QApplicationPrivate::notify_helper(QObject * receiver=0x09c3d100, QEvent * e=0x000fa268) Line 4056 + 0x11 bytes	C++
QtGuid4.dll!QApplication::notify(QObject * receiver=0x09c3d100, QEvent * e=0x000fa268) Line 3758 + 0x2f bytes	C++
ccApp.dll!CCApplication::notify(QObject * receiver=0x09c3d100, QEvent * event=0x000fa268) Line 17 + 0x11 bytes	C++
QtCored4.dll!QCoreApplication::notifyInternal(QObject * receiver=0x09c3d100, QEvent * event=0x000fa268) Line 610 + 0x15 bytes	C++
QtCored4.dll!QCoreApplication::sendSpontaneousEvent(QObject * receiver=0x09c3d100, QEvent * event=0x000fa268) Line 216 + 0x38 bytes C++
QtGuid4.dll!QApplicationPrivate::sendMouseEvent(QWidget * receiver=0x09c3d100, QMouseEvent * event=0x000fa268, QWidget * alienWidget=0x00000000, QWidget * nativeWidget=0x000ff6ec, QWidget * * buttonDown=0x65af57d4, QPointer<QWidget> & lastMouseReceiver={...}) Line 2924 + 0xe bytes	C++
QtGuid4.dll!QApplicationPrivate::sendSyntheticEnterLeave(QWidget * widget=0x0f6f3b70) Line 3006 + 0x1f bytes	C++
QtGuid4.dll!QWidgetPrivate::hideChildren(bool spontaneous=false) Line 7096	C++
QtGuid4.dll!QWidgetPrivate::hideChildren(bool spontaneous=false) Line 7080	C++
QtGuid4.dll!QWidgetPrivate::hideChildren(bool spontaneous=false) Line 7080	C++
QtGuid4.dll!QWidgetPrivate::hideChildren(bool spontaneous=false) Line 7080	C++
QtGuid4.dll!QWidgetPrivate::hide_helper() Line 6847	C++
QtGuid4.dll!QWidget::setVisible(bool visible=false) Line 7015	C++
QtGuid4.dll!QWidget::hide() Line 477 + 0x16 bytes	C++
QtWebKitd4.dll!WebCore::Widget::hide() Line 99	C++
QtWebKitd4.dll!WebCore::ScrollView::platformRemoveChild(WebCore::Widget * child=0x10044110) Line 58	C++
QtWebKitd4.dll!WebCore::ScrollView::removeChild(WebCore::Widget * child=0x10044110) Line 78	C++
QtWebKitd4.dll!WebCore::RenderWidget::destroy() Line 86	C++
QtWebKitd4.dll!WebCore::Node::detach() Line 1061	C++
QtWebKitd4.dll!WebCore::ContainerNode::detach() Line 596	C++
QtWebKitd4.dll!WebCore::Element::detach() Line 664	C++
QtWebKitd4.dll!WebCore::HTMLPlugInElement::detach() Line 72	C++
QtWebKitd4.dll!WebCore::HTMLObjectElement::detach() Line 186	C++
QtWebKitd4.dll!WebCore::ContainerNode::detach() Line 593 + 0x10 bytes	C++
QtWebKitd4.dll!WebCore::Element::detach() Line 664	C++
QtWebKitd4.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 688	C++
QtWebKitd4.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 748	C++
QtWebKitd4.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 748	C++
QtWebKitd4.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 748	C++
QtWebKitd4.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 748	C++
QtWebKitd4.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 748	C++
QtWebKitd4.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 748	C++
QtWebKitd4.dll!WebCore::Document::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1165	C++
QtWebKitd4.dll!WebCore::FrameView::layout(bool allowSubtree=true) Line 490	C++
QtWebKitd4.dll!WebCore::FrameView::layoutIfNeededRecursive() Line 1291	C++
QtWebKitd4.dll!QWebFrame::render(QPainter * painter=0x000faa0c, const QRegion & clip={...}) Line 765	C++
QtWebKitd4.dll!QWebView::paintEvent(QPaintEvent * ev=0x000fb108) Line 690	C++
QtGuid4.dll!QWidget::event(QEvent * event=0x000fb108) Line 7688	C++
QtWebKitd4.dll!QWebView::event(QEvent * e=0x000fb108) Line 590	C++
QtGuid4.dll!QApplicationPrivate::notify_helper(QObject * receiver=0x09c3d100, QEvent * e=0x000fb108) Line 4056 + 0x11 bytes	C++
QtGuid4.dll!QApplication::notify(QObject * receiver=0x09c3d100, QEvent * e=0x000fb108) Line 4021 + 0x10 bytes	C++
ccApp.dll!CCApplication::notify(QObject * receiver=0x09c3d100, QEvent * event=0x000fb108) Line 17 + 0x11 bytes	C++
QtCored4.dll!QCoreApplication::notifyInternal(QObject * receiver=0x09c3d100, QEvent * event=0x000fb108) Line 610 + 0x15 bytes	C++
QtCored4.dll!QCoreApplication::sendSpontaneousEvent(QObject * receiver=0x09c3d100, QEvent * event=0x000fb108) Line 216 + 0x38 bytes C++
QtGuid4.dll!QWidgetPrivate::drawWidget(QPaintDevice * pdev=0x0f450d50, const QRegion & rgn={...}, const QPoint & offset={...}, int flags=4, QPainter * sharedPainter=0x00000000, QWidgetBackingStore * backingStore=0x09c3bf10) Line 5079 + 0xe bytes	C++
QtGuid4.dll!QWidgetPrivate::paintSiblingsRecursive(QPaintDevice * pdev=0x0f450d50, const QList<QObject *> & siblings={...}, int index=0, const QRegion & rgn={...}, const QPoint & offset={...}, int flags=4, QPainter * sharedPainter=0x00000000, QWidgetBackingStore * backingStore=0x09c3bf10) Line 5190	C++
QtGuid4.dll!QWidgetPrivate::drawWidget(QPaintDevice * pdev=0x0f450d50, const QRegion & rgn={...}, const QPoint & offset={...}, int flags=4, QPainter * sharedPainter=0x00000000, QWidgetBackingStore * backingStore=0x09c3bf10) Line 5130	C++
QtGuid4.dll!QWidgetPrivate::paintSiblingsRecursive(QPaintDevice * pdev=0x0f450d50, const QList<QObject *> & siblings={...}, int index=2, const QRegion & rgn={...}, const QPoint & offset={...}, int flags=4, QPainter * sharedPainter=0x00000000, QWidgetBackingStore * backingStore=0x09c3bf10) Line 5190	C++
QtGuid4.dll!QWidgetPrivate::drawWidget(QPaintDevice * pdev=0x0f450d50, const QRegion & rgn={...}, const QPoint & offset={...}, int flags=4, QPainter * sharedPainter=0x00000000, QWidgetBackingStore * backingStore=0x09c3bf10) Line 5130	C++
QtGuid4.dll!QWidgetPrivate::paintSiblingsRecursive(QPaintDevice * pdev=0x0f450d50, const QList<QObject *> & siblings={...}, int index=1, const QRegion & rgn={...}, const QPoint & offset={...}, int flags=4, QPainter * sharedPainter=0x00000000, QWidgetBackingStore * backingStore=0x09c3bf10) Line 5190	C++
QtGuid4.dll!QWidgetPrivate::drawWidget(QPaintDevice * pdev=0x0f450d50, const QRegion & rgn={...}, const QPoint & offset={...}, int flags=5, QPainter * sharedPainter=0x00000000, QWidgetBackingStore * backingStore=0x09c3bf10) Line 5130	C++
QtGuid4.dll!QWidgetBackingStore::sync() Line 1272	C++
QtGuid4.dll!QWidgetBackingStore::sync(QWidget * exposedWidget=0x09c47b60, const QRegion & exposedRegion={...}) Line 1075	C++
QtGuid4.dll!QWidgetPrivate::syncBackingStore(const QRegion & region={...}) Line 1613	C++
QtGuid4.dll!QETWidget::translatePaintEvent(const tagMSG & msg={...}) Line 3635 + 0x4f bytes	C++
QtGuid4.dll!QtWndProc(HWND__ * hwnd=0x0006115c, unsigned int message=15, unsigned int wParam=0, long lParam=0) Line 2031 + 0xc bytes	C++
user32.dll!7e418734()
Comment 1 Tor Arne Vestbø 2010-03-10 06:19:23 PST
Please follow the QtWebKit bug reporting guidelines when reporting bugs.

See http://trac.webkit.org/wiki/QtWebKitBugs

Specifically:

  - The 'QtWebKit' component should only be used for bugs/features in the
    public QtWebKit API layer, not to signify that the bug is specific to
    the Qt port of WebKit

      http://trac.webkit.org/wiki/QtWebKitBugs#Component

  - Add the keyword 'Qt' to signal that it's a Qt-related bug

      http://trac.webkit.org/wiki/QtWebKitBugs#Keywords
Comment 2 Jocelyn Turcotte 2010-03-16 07:24:36 PDT
Is it possible to get a test case that you can get to reproduce the crash?

Something like a minimal cpp file that loads an html file with the embedded widget in a QWebView?
Comment 3 pete.usergroups 2010-03-16 07:59:50 PDT
Sorry, we haven't had time to produce a simple test app. However, we did find a patch for webkit shipped with QT 4.5.2.

The patch seems pretty fair given that containingBlock() may return NULL.

I think a similar crash is occurring with QT 4.6 but haven't even got a good stack for that one as it only happens in the release build.

C:\Qt\4.5.2\src\3rdparty\webkit\WebCore\rendering>diff RenderObject.cpp.orig RenderObject.cpp 
852,853c852,861 
< // FIXME ? 
< return containingBlock()->availableWidth(); 
--- 
> // FIXME ? PO - I've tried :) 
> RenderBlock* block = containingBlock(); 
> if ( block ) 
> { 
> return block->availableWidth(); 
> } 
> else 
> { 
> return 0; 
> } 
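Review bot: this hunk guards RenderObject::containingBlockWidth(), which does not appear in the reported stack (the crash path in the description goes through containingBlockHeight() at line 860, then contentHeight() and clientHeight()), so the width change is a symmetric, speculative guard and should be described as such rather than as part of the crash fix. On style, `// FIXME ? PO - I've tried :)` is not a useful comment for a patch, and the braced `if ( block ) { ... } else { ... }` form does not follow WebKit conventions; an early return such as `if (RenderBlock* block = containingBlock()) return block->availableWidth(); return 0;` with a comment stating when containingBlock() can be null would read better.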
858,859c866,875 
< // FIXME ? 
< return containingBlock()->contentHeight(); 
--- 
> // FIXME ? PO - I've tried :) 
> RenderBlock* block = containingBlock(); 
> if ( block ) 
> { 
> return block->contentHeight(); 
> } 
> else 
> { 
> return 0; 
> }
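Review bot: this is the hunk that covers the reported stack (RenderObject::containingBlockHeight() line 860 dereferencing a null containingBlock()), but it treats the symptom. The stack shows the geometry query arriving from RenderBox::relativePositionOffsetY() and RenderLayer::updateLayerPosition() while the render tree is mid-teardown: RenderWidget::destroy() calls ScrollView::removeChild() and Widget::hide(), QWidget::hide() runs hideChildren() and sendSyntheticEnterLeave(), and the synthetic mouse move is dispatched back into EventHandler::mouseMoved() on a document whose plug-in element is being detached. Returning 0 avoids the dereference but hands updateLayerPosition() a bogus relative offset for a layer that is going away; the change description should state that, and the root cause (synthetic enter/leave events dispatched into WebCore during RenderWidget::destroy()) deserves a separate fix or at least a FIXME that names it.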

(In reply to comment #2)
> Is it possible to get a test case that you can get to reproduce the crash?
> 
> Something like a minimal cpp file that loads an html file with the embedded
> widget in a QWebView?
Comment 4 Jocelyn Turcotte 2010-03-16 08:39:24 PDT
(In reply to comment #3)
> I think a similar crash is occurring with QT 4.6 but haven't even got a good
> stack for that one as it only happens in the release build.
> 
> C:\Qt\4.5.2\src\3rdparty\webkit\WebCore\rendering>diff RenderObject.cpp.orig
> RenderObject.cpp 
> 852,853c852,861 
> < // FIXME ? 
> < return containingBlock()->availableWidth(); 
> --- 
> > // FIXME ? PO - I've tried :) 
> > RenderBlock* block = containingBlock(); 
> > if ( block ) 
> > { 
> > return block->availableWidth(); 
> > } 
> > else 
> > { 
> > return 0; 
> > } 
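Review bot: the quoted hunk's line numbers (852,853c852,861) are against the 4.5.2 copy of RenderObject.cpp under src/3rdparty/webkit, and as noted in the reply below the containingBlockWidth()/containingBlockHeight() logic has since moved to RenderBox in 4.6 and trunk, so this diff cannot be applied upstream as-is; it would need to be re-targeted at the RenderBox equivalents, and a test case reproducing the crash is needed to show whether the moved code still has the null containingBlock() path at all.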

The patch applies to RenderObject::containingBlockWidth() and RenderObject::containingBlockHeight(), whose logic was changed and moved to RenderBox in 4.6 and trunk since then.

I'm marking this bug as fixed since 4.5, but if you can get a test case that would allow us to try reproducing it in 4.6 and trunk that would be awesome and we'll re-open this bug.