Bug 51453 - [Qt] crash in QNetworkReplyHandler::sendResponseIfNeeded()
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=51453
Reported by vasily, 2010-12-22 00:17:06 PST

While working with a 3rd-party html/js widget loaded into QWebView, I've experienced a crash in QNetworkReplyHandler::sendResponseIfNeeded(). The crash happens when this method tries to call m_reply->error(), while the m_reply value is NULL.
(Qt 4.6: qnetworkreplyhandler.cpp line 262)
(WebKit Trac (Dec 22nd 2010): qnetworkreplyhandler.cpp line 352)

Please find the full call stack (Qt 4.6 opensource) attached. The problem was initially reproduced on Qt 4.6, later confirmed on Qt 4.7, but is likely to be present also in the latest qnetworkreplyhandler.cpp version retrieved on 22.12.2010 via WebKit Trac (http://trac.webkit.org/browser/trunk/WebCore/platform/network/qt/QNetworkReplyHandler.cpp).

Steps to reproduce are not available, unfortunately, as I'm not authorized to upload the problematic widget here. Anyway, the crash can be fixed by adding a check whether the m_reply value is NULL, prior to performing any actions on the pointer.
Attachments

  Call stack for the crash (3.19 KB, text/plain) - 2010-12-22 00:18 PST, vasily - no flags
  Patch (2.96 KB, patch) - 2011-01-05 16:59 PST, Jan Erik Hanssen - no flags
  Patch (3.44 KB, patch) - 2011-01-06 06:52 PST, Jan Erik Hanssen - no flags
Comment 1 - vasily, 2010-12-22 00:18:21 PST

Created attachment 77193: Call stack for the crash
Comment 2 - Jan Erik Hanssen, 2011-01-05 16:59:34 PST

Created attachment 78068: Patch

Check if m_reply is NULL before using it, as suggested by the reporter.
Comment 3 - Jan Erik Hanssen, 2011-01-06 05:45:00 PST

Comment on attachment 78068 (Patch): Appears to need more investigation, clearing flags.
Comment 4 - Jan Erik Hanssen, 2011-01-06 06:52:59 PST

Created attachment 78114: Patch

The problem encountered with the manual test in this case is that emitting processQueuedItems() may cause the ResourceHandle that owns the current QNetworkReplyHandler to be destroyed, setting m_reply to 0. This patch checks if m_reply is 0 before using it. This may be related to bug 51641.
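Added example, not WebKit code: a stripped-down C++ model of the re-entrancy hazard described in Comment 4, where a signal emitted mid-method runs a slot that tears down the owner and clears the reply pointer. The names Reply, ReplyHandler, abort() and the std::function standing in for the processQueuedItems() signal are assumptions made for this illustration.

```cpp
// Added example (not WebKit code): models bug 51453. Emitting a signal from
// sendResponseIfNeeded() can run a slot that destroys the owner, which aborts
// the handler and sets m_reply to 0; dereferencing m_reply after the emission
// then crashes. The fix is to re-check the pointer after the emission.
#include <functional>

struct Reply {          // stand-in for QNetworkReply (constructed for this example)
    int error = 0;      // 0 means "no error", mirroring a successful reply
};

class ReplyHandler {
public:
    explicit ReplyHandler(Reply* reply) : m_reply(reply) {}
    ~ReplyHandler() { delete m_reply; }

    // Stand-in for the processQueuedItems() signal: whatever the owner connected.
    std::function<void()> processQueuedItems;

    // What the owning ResourceHandle does on destruction: drop the reply.
    void abort() { delete m_reply; m_reply = nullptr; }

    // Returns true if a response was sent, false if the handler was aborted.
    bool sendResponseIfNeeded() {
        if (!m_reply)
            return false;
        if (processQueuedItems)
            processQueuedItems();   // may re-enter and call abort() on this object
        if (!m_reply)               // the re-check the patch adds; without it the
            return false;           // next line would dereference a null pointer
        return m_reply->error == 0;
    }

    bool hasReply() const { return m_reply != nullptr; }

private:
    Reply* m_reply;
};

// Scenario 1: the connected slot tears the owner down during the emission.
bool runWithTeardownDuringEmit() {
    ReplyHandler handler(new Reply{});
    handler.processQueuedItems = [&handler] { handler.abort(); };
    return handler.sendResponseIfNeeded();   // false: m_reply was cleared mid-call
}

// Scenario 2: nothing happens during the emission, response goes out normally.
bool runWithoutTeardown() {
    ReplyHandler handler(new Reply{});
    handler.processQueuedItems = [] {};
    return handler.sendResponseIfNeeded();   // true: reply still valid, error == 0
}
```

The same pattern applies to any Qt object that emits a signal from inside a member function: after the emit returns, members that a slot may have reset must be re-validated before use.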
Comment 5 - Andreas Kling, 2011-01-06 07:35:04 PST

Comment on attachment 78114 (Patch): r=me, and thanks for digging into this! :)
Comment 6 - WebKit Commit Bot, 2011-01-06 08:32:00 PST

Comment on attachment 78114 (Patch): Clearing flags on attachment: 78114
Committed r75157: <http://trac.webkit.org/changeset/75157>
Comment 7 - WebKit Commit Bot, 2011-01-06 08:32:06 PST

All reviewed patches have been landed. Closing bug.
Comment 8 - WebKit Review Bot, 2011-01-06 09:35:17 PST

http://trac.webkit.org/changeset/75157 might have broken Leopard Intel Debug (Tests)