Bug 57411 - [Qt] application crashes performing findFirst(":focus") with QtWebKit 2.0
Summary: [Qt] application crashes performing findFirst(":focus") with QtWebKit 2.0
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Qt
Version: 420+
Hardware: PC Windows XP
Importance: P3 Major
Assignee: Nobody
URL:
Keywords: Qt, QtTriaged
Depends on:
Blocks:
 
Reported: 2011-03-29 18:02 PDT by Oleksandr Tymoshenko
Modified: 2014-01-28 20:42 PST
CC: 4 users

See Also:


Attachments
CSS selector crash testcase (2.04 KB, application/x-gzip)
2011-03-30 11:17 PDT, Oleksandr Tymoshenko

Description Oleksandr Tymoshenko 2011-03-29 18:02:14 PDT
Sometimes the application crashes while performing findFirst(":focus") in the microFocusChanged signal handler. Mostly it happens when the GoBack action is triggered for the page.

The code that causes the crash looks like:

return page()->currentFrame()->documentElement().findFirst(":focus");

backtrace:
 	QtWebKitd4.dll!WebCore::SelectionController::isFocusedAndActive()  Line 1346 + 0x3 bytes	C++
 	QtWebKitd4.dll!WebCore::CSSStyleSelector::SelectorChecker::checkOneSelector(WebCore::CSSSelector * sel=0x04733e08, WebCore::Element * e=0x0471d798, WTF::HashSet<WebCore::AtomicStringImpl *,WTF::PtrHash<WebCore::AtomicStringImpl *>,WTF::HashTraits<WebCore::AtomicStringImpl *> > * selectorAttrs=0x00000000, WebCore::PseudoId & dynamicPseudo=NOPSEUDO, bool isAncestor=true, bool isSubSelector=false, WebCore::RenderStyle * elementStyle=0x00000000, WebCore::RenderStyle * elementParentStyle=0x00000000)  Line 2384 + 0x32 bytes	C++
 	QtWebKitd4.dll!WebCore::CSSStyleSelector::SelectorChecker::checkSelector(WebCore::CSSSelector * sel=0x04733e08, WebCore::Element * e=0x0471d798, WTF::HashSet<WebCore::AtomicStringImpl *,WTF::PtrHash<WebCore::AtomicStringImpl *>,WTF::HashTraits<WebCore::AtomicStringImpl *> > * selectorAttrs=0x00000000, WebCore::PseudoId & dynamicPseudo=NOPSEUDO, bool isAncestor=true, bool isSubSelector=false, WebCore::RenderStyle * elementStyle=0x00000000, WebCore::RenderStyle * elementParentStyle=0x00000000)  Line 1792 + 0x28 bytes	C++
 	QtWebKitd4.dll!WebCore::CSSStyleSelector::SelectorChecker::checkSelector(WebCore::CSSSelector * sel=0x04733e08, WebCore::Element * element=0x0471d798)  Line 929 + 0x1e bytes	C++
 	QtWebKitd4.dll!WebCore::Node::querySelector(const WebCore::String & selectors={...}, int & ec=0)  Line 1666 + 0x19 bytes	C++
 	QtWebKitd4.dll!QWebElement::findFirst(const QString & selectorQuery={...})  Line 245 + 0x2a bytes	C++


Qt version is 4.7.1
Most likely the problem is in 
src\3rdparty\webkit\webcore\css\cssstyleselector.cpp:2384 

`this` in isFocusedAndActive is 0x000002f0.
I'll try to write an isolated test case if you need one.
Comment 1 Benjamin Poulain 2011-03-30 04:43:47 PDT
Please attach a test case and explain the best way to reproduce with the test case.

Setting as P1 since it is a crash.
Comment 2 Oleksandr Tymoshenko 2011-03-30 11:17:17 PDT
Created attachment 87577 [details]
CSS selector crash testcase

In order to reproduce the bug, build the attached project, run it, wait for the Google page to appear, click "Images" (or any other link), then, when the new page is loaded, click the "back" button. The application will crash. Tested with the QtWebKit shipped with Qt 4.7.1.
Comment 3 Benjamin Poulain 2011-03-31 05:02:43 PDT
I can reproduce with WebKit 2.0 (on Linux). I cannot reproduce with WebKit trunk (and valgrind's memcheck does not complain at all).

I downgraded this to P3 since it is for the previous version of WebKit. I'll let Ademar decide the fate of this.

If you want, you can try WebKit trunk yourself. Here are the instructions to build it: http://trac.webkit.org/wiki/BuildingQtOnWindows

If you can reproduce the bug on WebKit trunk, please comment so I can raise the priority back to P1.