RESOLVED WORKSFORME Bug 44048
[Qt] Crash when loading EMBED tag without SRC attribute
https://bugs.webkit.org/show_bug.cgi?id=44048
Pierre-Nicolas Rigal
Reported 2010-08-16 01:35:56 PDT
Created attachment 64477: html + svg files that crash QWebKit

The issue was initially reported here: http://bugreports.qt.nokia.com/browse/QTWEBKIT-233

When loading a page with a specific svg file with Qt 4.6.3 and QtWebKit the application crashes.

Steps to reproduce:
1. Unzip attachment
2. Run Qt "browser" demo, File, Open, select file "kite.html" from attachment => crash.

Hereafter the stack trace with VC 2008 SP1:

QtWebKitd4.dll!WebCore::StringImpl::hash() Line 104 + 0xa bytes C++
QtWebKitd4.dll!WebCore::StringHash::hash(const WebCore::String & key={...}) Line 82 + 0x12 bytes C++
QtWebKitd4.dll!WTF::IdentityHashTranslator<WebCore::String,WebCore::String,WebCore::StringHash>::hash(const WebCore::String & key={...}) Line 277 + 0xc bytes C++
QtWebKitd4.dll!WTF::HashTable<WebCore::String,WebCore::String,WTF::IdentityExtractor<WebCore::String>,WebCore::StringHash,WTF::HashTraits<WebCore::String>,WTF::HashTraits<WebCore::String> >::add<WebCore::String,WebCore::String,WTF::IdentityHashTranslator<WebCore::String,WebCore::String,WebCore::StringHash> >(const WebCore::String & key={...}, const WebCore::String & extra={...}) Line 634 + 0x9 bytes C++
QtWebKitd4.dll!WTF::HashTable<WebCore::String,WebCore::String,WTF::IdentityExtractor<WebCore::String>,WebCore::StringHash,WTF::HashTraits<WebCore::String>,WTF::HashTraits<WebCore::String> >::add(const WebCore::String & value={...}) Line 315 + 0x24 bytes C++
QtWebKitd4.dll!WTF::HashSet<WebCore::String,WebCore::StringHash,WTF::HashTraits<WebCore::String> >::add(const WebCore::String & value={...}) Line 210 + 0x10 bytes C++
QtWebKitd4.dll!WebCore::DocumentLoader::didTellClientAboutLoad(const WebCore::String & url={...}) Line 197 + 0x1f bytes C++
QtWebKitd4.dll!WebCore::ResourceLoadNotifier::dispatchWillSendRequest(WebCore::DocumentLoader * loader=0x036010d8, unsigned long identifier=4, WebCore::ResourceRequest & request={...}, const WebCore::ResourceResponse & redirectResponse={...}) Line 121 C++
QtWebKitd4.dll!WebCore::ResourceLoadNotifier::willSendRequest(WebCore::ResourceLoader * loader=0x03602690, WebCore::ResourceRequest & clientRequest={...}, const WebCore::ResourceResponse & redirectResponse={...}) Line 65 C++
QtWebKitd4.dll!WebCore::ResourceLoader::willSendRequest(WebCore::ResourceRequest & request={...}, const WebCore::ResourceResponse & redirectResponse={...}) Line 212 C++
QtWebKitd4.dll!WebCore::MainResourceLoader::willSendRequest(WebCore::ResourceRequest & newRequest={...}, const WebCore::ResourceResponse & redirectResponse={...}) Line 173 C++
QtWebKitd4.dll!WebCore::MainResourceLoader::loadNow(WebCore::ResourceRequest & r={...}) Line 475 + 0x42 bytes C++
QtWebKitd4.dll!WebCore::MainResourceLoader::load(const WebCore::ResourceRequest & r={...}, const WebCore::SubstituteData & substituteData={...}) Line 517 + 0x12 bytes C++
QtWebKitd4.dll!WebCore::DocumentLoader::startLoadingMainResource(unsigned long identifier=4) Line 790 + 0x2f bytes C++
QtWebKitd4.dll!WebCore::FrameLoader::continueLoadAfterWillSubmitForm() Line 2979 + 0x19 bytes C++
QtWebKitd4.dll!WebCore::FrameLoader::continueLoadAfterNavigationPolicy(const WebCore::ResourceRequest & __formal={...}, WTF::PassRefPtr<WebCore::FormState> formState={...}, bool shouldContinue=true) Line 3476 C++
QtWebKitd4.dll!WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void * argument=0x035fa288, const WebCore::ResourceRequest & request={...}, WTF::PassRefPtr<WebCore::FormState> formState={...}, bool shouldContinue=true) Line 3407 C++
QtWebKitd4.dll!WebCore::PolicyCallback::call(bool shouldContinue=true) Line 101 + 0x3b bytes C++
QtWebKitd4.dll!WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction policy=PolicyUse) Line 161 C++
QtWebKitd4.dll!WebCore::FrameLoaderClientQt::callPolicyFunction(void (WebCore::PolicyAction)* function=0x10071ed1, WebCore::PolicyAction action=PolicyUse) Line 192 C++
QtWebKitd4.dll!WebCore::FrameLoaderClientQt::dispatchDecidePolicyForNavigationAction(void (WebCore::PolicyAction)* function=0x10071ed1, const WebCore::NavigationAction & action={...}, const WebCore::ResourceRequest & request={...}, WTF::PassRefPtr<WebCore::FormState> __formal={...}) Line 1000 C++
QtWebKitd4.dll!WebCore::PolicyChecker::checkNavigationPolicy(const WebCore::ResourceRequest & request={...}, WebCore::DocumentLoader * loader=0x036010d8, WTF::PassRefPtr<WebCore::FormState> formState={...}, void (void , const WebCore::ResourceRequest &, WTF::PassRefPtr<WebCore::FormState>, bool) function=0x10050871, void * argument=0x035fa288) Line 89 C++
QtWebKitd4.dll!WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader * loader=0x036010d8, WebCore::FrameLoadType type=FrameLoadTypeRedirectWithLockedBackForwardList, WTF::PassRefPtr<WebCore::FormState> prpFormState={...}) Line 2043 C++
QtWebKitd4.dll!WebCore::FrameLoader::loadWithNavigationAction(const WebCore::ResourceRequest & request={...}, const WebCore::NavigationAction & action={...}, bool lockHistory=false, WebCore::FrameLoadType type=FrameLoadTypeRedirectWithLockedBackForwardList, WTF::PassRefPtr<WebCore::FormState> formState={...}) Line 1966 C++
QtWebKitd4.dll!WebCore::FrameLoader::loadURL(const WebCore::KURL & newURL={...}, const WebCore::String & referrer={...}, const WebCore::String & frameName={...}, bool lockHistory=false, WebCore::FrameLoadType newLoadType=FrameLoadTypeRedirectWithLockedBackForwardList, WTF::PassRefPtr<WebCore::Event> event={...}, WTF::PassRefPtr<WebCore::FormState> prpFormState={...}) Line 1909 C++
QtWebKitd4.dll!WebCore::FrameLoader::loadURLIntoChildFrame(const WebCore::KURL & url={...}, const WebCore::String & referer={...}, WebCore::Frame * childFrame=0x035fa260) Line 1203 + 0x95 bytes C++
QtWebKitd4.dll!WebCore::FrameLoaderClientQt::createFrame(const WebCore::KURL & url={...}, const WebCore::String & name={...}, WebCore::HTMLFrameOwnerElement * ownerElement=0x035ee4a8, const WebCore::String & referrer={...}, bool allowsScrolling=true, int marginWidth=-1, int marginHeight=-1) Line 1045 C++
QtWebKitd4.dll!WebCore::FrameLoader::loadSubframe(WebCore::HTMLFrameOwnerElement * ownerElement=0x035ee4a8, const WebCore::KURL & url={...}, const WebCore::String & name={...}, const WebCore::String & referrer={...}) Line 394 + 0x74 bytes C++
QtWebKitd4.dll!WebCore::FrameLoader::requestFrame(WebCore::HTMLFrameOwnerElement * ownerElement=0x035ee4a8, const WebCore::String & urlString={...}, const WebCore::AtomicString & frameName={...}) Line 365 + 0x28 bytes C++
QtWebKitd4.dll!WebCore::FrameLoader::requestObject(WebCore::RenderPart * renderer=0x03534164, const WebCore::String & url={...}, const WebCore::AtomicString & frameName={...}, const WebCore::String & mimeType={...}, const WTF::Vector<WebCore::String,0> & paramNames={...}, const WTF::Vector<WebCore::String,0> & paramValues={...}) Line 1267 + 0x19 bytes C++
QtWebKitd4.dll!WebCore::RenderPartObject::updateWidget(bool onlyCreateNonNetscapePlugins=true) Line 316 C++
QtWebKitd4.dll!WebCore::HTMLEmbedElement::updateWidget() Line 187 C++
QtWebKitd4.dll!WebCore::HTMLPlugInElement::updateWidgetCallback(WebCore::Node * n=0x035ee4a8) Line 181 C++
QtWebKitd4.dll!WebCore::ContainerNode::dispatchPostAttachCallbacks() Line 573 + 0x7 bytes C++
QtWebKitd4.dll!WebCore::ContainerNode::resumePostAttachCallbacks() Line 546 C++
QtWebKitd4.dll!WebCore::Element::attach() Line 747 C++
QtWebKitd4.dll!WebCore::HTMLEmbedElement::attach() Line 172 C++
QtWebKitd4.dll!WebCore::HTMLParser::insertNode(WebCore::Node * n=0x035ee4a8, bool flat=false) Line 379 C++
QtWebKitd4.dll!WebCore::HTMLParser::parseToken(WebCore::Token * t=0x03536214) Line 274 + 0x19 bytes C++
QtWebKitd4.dll!WebCore::HTMLTokenizer::processToken() Line 1947 + 0x20 bytes C++
QtWebKitd4.dll!WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...}) Line 1517 + 0x12 bytes C++
QtWebKitd4.dll!WebCore::HTMLTokenizer::write(const WebCore::SegmentedString & str={...}, bool appendData=false) Line 1770 + 0x23 bytes C++
QtWebKitd4.dll!WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource * __formal=0x0356d488) Line 2093 C++
QtWebKitd4.dll!WebCore::CachedScript::checkNotify() Line 105 + 0x11 bytes C++
QtWebKitd4.dll!WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer> data={...}, bool allDataReceived=true) Line 96 C++
QtWebKitd4.dll!WebCore::Loader::Host::didFinishLoading(WebCore::SubresourceLoader * loader=0x0356e018) Line 368 C++
QtWebKitd4.dll!WebCore::SubresourceLoader::didFinishLoading() Line 186 C++
QtWebKitd4.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x0356d908) Line 404 C++
QtWebKitd4.dll!WebCore::QNetworkReplyHandler::finish() Line 238 C++
QtWebKitd4.dll!WebCore::QNetworkReplyHandler::qt_metacall(QMetaObject::Call _c=InvokeMetaMethod, int _id=1, void * * _a=0x03536e00) Line 82 + 0x8 bytes C++
QtCored4.dll!QMetaObject::metacall(QObject * object=0x0356e5e8, QMetaObject::Call cl=InvokeMetaMethod, int idx=5, void * * argv=0x03536e00) Line 238 C++
QtCored4.dll!QMetaCallEvent::placeMetaCall(QObject * object=0x0356e5e8) Line 561 + 0x19 bytes C++
QtCored4.dll!QObject::event(QEvent * e=0x035706f8) Line 1240 + 0x14 bytes C++
QtGuid4.dll!QApplicationPrivate::notify_helper(QObject * receiver=0x0356e5e8, QEvent * e=0x035706f8) Line 4302 + 0x11 bytes C++
QtGuid4.dll!QApplication::notify(QObject * receiver=0x0356e5e8, QEvent * e=0x035706f8) Line 3706 + 0x10 bytes C++
QtCored4.dll!QCoreApplication::notifyInternal(QObject * receiver=0x0356e5e8, QEvent * event=0x035706f8) Line 726 + 0x15 bytes C++
QtCored4.dll!QCoreApplication::sendEvent(QObject * receiver=0x0356e5e8, QEvent * event=0x035706f8) Line 215 + 0x39 bytes C++
QtCored4.dll!QCoreApplicationPrivate::sendPostedEvents(QObject * receiver=0x00000000, int event_type=0, QThreadData * data=0x0219fd20) Line 1368 + 0xd bytes C++
QtCored4.dll!qt_internal_proc(HWND__ * hwnd=0x000a1c58, unsigned int message=1025, unsigned int wp=0, long lp=0) Line 490 + 0x10 bytes C++
user32.dll!75916238()
[Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
user32.dll!759168ea()
user32.dll!75916899()
user32.dll!75917d31()
user32.dll!75917dfa()
QtCored4.dll!QEventDispatcherWin32::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags={...}) Line 781 C++
QtGuid4.dll!QGuiEventDispatcherWin32::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags={...}) Line 1151 + 0x15 bytes C++
QtCored4.dll!QEventLoop::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags={...}) Line 150 C++
QtCored4.dll!QEventLoop::exec(QFlags<enum QEventLoop::ProcessEventsFlag> flags={...}) Line 201 + 0x2d bytes C++
QtCored4.dll!QCoreApplication::exec() Line 1003 + 0x15 bytes C++
QtGuid4.dll!QApplication::exec() Line 3582 C++
browser.exe!main(int argc=1, char * * argv=0x0219e8b0) Line 51 + 0x6 bytes C++
browser.exe!WinMain(HINSTANCE__ * instance=0x00980000, HINSTANCE__ * prevInstance=0x00000000, char * __formal=0x0055fba6, int cmdShow=1) Line 131 + 0x12 bytes C++
browser.exe!__tmainCRTStartup() Line 574 + 0x35 bytes C
browser.exe!WinMainCRTStartup() Line 399 C
kernel32.dll!74d63677()
ntdll.dll!771b9d42()
ntdll.dll!771b9d15()
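Added example (mine, not WebKit's code): a minimal C++ model of the frames at the top of the trace above, HashSet<String>::add -> StringHash::hash -> StringImpl::hash(), beside the guard a loader needs before recording a URL. It assumes, which the report does not state, that an EMBED without SRC hands the loader a null String and that hashing a null String dereferences a null pointer; apart from didTellClientAboutLoad, which is the frame in the trace, the names are the model's own.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_set>

// Backing store, like WebCore::StringImpl: the hash is computed on the chars.
struct StringImpl {
    std::string chars;
    std::size_t hash() const { return std::hash<std::string>{}(chars); }
};

// Nullable handle, like WebCore::String: impl is null for a "no value" string.
struct String {
    std::shared_ptr<StringImpl> impl;
    static String fromLiteral(const char* s) { return String{std::make_shared<StringImpl>(StringImpl{s})}; }
    bool isNull() const { return !impl; }
    bool operator==(const String& o) const {
        return (isNull() || o.isNull()) ? isNull() == o.isNull() : impl->chars == o.impl->chars;
    }
};

// Shaped like the StringHash -> StringImpl::hash() frames at the top of the
// trace: impl is dereferenced unconditionally, so a null String crashes here.
struct StringHash {
    std::size_t operator()(const String& s) const { return s.impl->hash(); }
};

// Model of the bookkeeping in the didTellClientAboutLoad frame. The null check
// is the hardening; without it a null URL reaches StringHash and dereferences null.
class DocumentLoaderModel {
public:
    bool didTellClientAboutLoad(const String& url) {  // true if recorded
        if (url.isNull()) return false;
        m_knownUrls.insert(url);
        return true;
    }
    std::size_t knownCount() const { return m_knownUrls.size(); }
private:
    std::unordered_set<String, StringHash> m_knownUrls;  // model's own name
};

// Replays a null URL (my model of the src-less EMBED), then one real URL twice.
// Returns the number of distinct URLs recorded, or 99 if the null was accepted.
std::size_t distinctUrlsRecorded() {
    DocumentLoaderModel loader;
    bool nullTaken = loader.didTellClientAboutLoad(String{});
    loader.didTellClientAboutLoad(String::fromLiteral("file:///kite.html"));
    loader.didTellClientAboutLoad(String::fromLiteral("file:///kite.html"));
    return nullTaken ? 99 : loader.knownCount();
}
```

Removing the isNull() check is enough to turn distinctUrlsRecorded() into the null dereference the trace shows at StringImpl::hash().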
Attachments
html + svg files that crash QWebKit (24.35 KB, application/x-zip)
2010-08-16 01:35 PDT, Pierre-Nicolas Rigal
Pierre-Nicolas Rigal
Comment 1 2010-08-23 05:45:48 PDT
Actually, it crashes when there is an <EMBED> tag without src attribute. SVG is not related.
Enrico Ros
Comment 2 2010-08-30 18:15:20 PDT
Cannot reproduce with WebKit ToT. Cannot reproduce with QtWebKit 4.7. Can reproduce with QtWebKit 4.6.git.
Matěj Laitl
Comment 3 2010-11-13 02:10:55 PST
I can reproduce this with QtWebKit 4.7.1. Not on the attached example, but for example hitting the "send" button in the GMail interface always triggers a crash. There are many users facing this; at least these rekonq bugs relate to the same crash in QtWebKit:
https://bugs.kde.org/show_bug.cgi?id=251171
https://bugs.kde.org/show_bug.cgi?id=253285
https://bugs.kde.org/show_bug.cgi?id=256062
https://bugs.kde.org/show_bug.cgi?id=249354
https://bugs.kde.org/show_bug.cgi?id=249958

Backtrace (Reduced):
#7 WebCore::StringImpl::existingHash (family=...) at platform/text/StringImpl.h:173
#8 WebCore::AtomicStringHash::hash (family=...) at platform/text/AtomicStringHash.h:40
#9 WTF::IdentityHashTranslator<WebCore::AtomicString, WebCore::AtomicString, WebCore::AtomicStringHash>::hash (family=...) at ../JavaScriptCore/wtf/HashTable.h:279
#10 lookup<WebCore::AtomicString, WTF::IdentityHashTranslator<WebCore::AtomicString, WebCore::AtomicString, WebCore::AtomicStringHash> > (family=...) at ../JavaScriptCore/wtf/HashTable.h:483
#11 contains<WebCore::AtomicString, WTF::IdentityHashTranslator<WebCore::AtomicString, WebCore::AtomicString, WebCore::AtomicStringHash> > (family=...) at ../JavaScriptCore/wtf/HashTable.h:803

Using Gentoo Linux x86_32 userland on x86_64 kernel, Qt 4.7.1, KDE 4.5.3, rekonq 0.5.0.
Srikumar B
Comment 4 2010-12-13 16:06:09 PST
I failed to reproduce the issue with the attachment and by clicking "Send" in the gmail composer. I have tested with QtWebKit 4.7.
Benjamin Poulain
Comment 5 2011-01-30 06:10:03 PST
Please follow http://trac.webkit.org/wiki/QtWebKitBugs when reporting bugs here. There is a template for reporting bugs for Qt: http://webkit.org/new-qtwebkit-bug If it is not used, some Qt bugs are lost in the infinite mass of WebKit bugs ;) I cannot reproduce the bug with WebKit trunk on Mac (neither with the attached example nor on gmail). Do you have another use case I could try?