71035 – crash near WebCore::QtFallbackWebPopupCombo::hidePopup when dismissing a <select> before it is fully rendered (Mac only)

Bug 71035 - crash near WebCore::QtFallbackWebPopupCombo::hidePopup when dismissing a <select> before it is fully rendered (Mac only)

Summary: crash near WebCore::QtFallbackWebPopupCombo::hidePopup when dismissing a <sel...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Qt (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Mac OS X 10.6

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-10-27 10:53 PDT by Paul Sturm
Modified:	2015-05-28 03:34 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Paul Sturm 2011-10-27 10:53:10 PDT

I can consistently cause a crash by rapidly opening/dismissing a "select" (combo box) element.

I have only seen this on Mac OS X.  I have seen it on all recent versions, OS X 10.4 through 10.7.

Steps:
1. launch "fancybrowser.app" (one of the examples that ships with Qt -- /Developer/Examples/Qt/webkit/fancybrowser)
2. go to http://www.tizag.com/htmlT/htmlselect.php (or basically any webpage that has a "select")
3. rapidly open and dismiss one of the select's (I do this by clicking to open it, and then hitting esc to dismiss it, over and over as quick as possible)
4. Crash!!

I do believe the crash happens if you dismiss the popup before it is done rendering.  So it's a timing issue and can be difficult to reproduce.  You have to go real fast.  The more items in the select the better -- you have a longer timeframe to cause the problem.  I also suspect that if you got fancy CSS styling going on, it may give you a longer timeframe in which to cause the problem.

Anyhow, here are two crash reports.  The middle bits are a little different, but it always filters back down into WebCore::QtFallbackWebPopupCombo::hidePopup.


-------- 8< ---------
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000040422f58

VM Regions Near 0x40422f58:
    JS garbage collector   000000000cb40000-000000000cbc0000 [  512K] rw-/rw- SM=PRV  
--> 
    __TEXT                 000000008febd000-000000008fef0000 [  204K] r-x/rwx SM=COW  /usr/lib/dyld

Application Specific Information:
objc[18026]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   QtGui                         	0x019562b9 QWidget::style() const + 9
1   QtGui                         	0x01cc822b QComboBox::hidePopup() + 267
2   QtWebKit                      	0x00960e7e WebCore::QtFallbackWebPopupCombo::hidePopup() + 46
3   QtGui                         	0x01cc3225 QComboBoxPrivateContainer::eventFilter(QObject*, QEvent*) + 501
4   QtCore                        	0x0252434f QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) + 143
5   QtGui                         	0x01910463 QApplicationPrivate::notify_helper(QObject*, QEvent*) + 147
6   QtGui                         	0x01919006 QApplication::notify(QObject*, QEvent*) + 7638
7   QtCore                        	0x02435b5c QCoreApplication::notifyInternal(QObject*, QEvent*) + 108
8   QtGui                         	0x01949c9c QShortcutMap::tryShortcutEvent(QObject*, QKeyEvent*) + 108
9   QtGui                         	0x019190b0 QApplication::notify(QObject*, QEvent*) + 7808
10  QtCore                        	0x02435b5c QCoreApplication::notifyInternal(QObject*, QEvent*) + 108
11  QtGui                         	0x019111fc qt_sendSpontaneousEvent(QObject*, QEvent*) + 60
12  QtGui                         	0x0198a377 QKeyMapper::sendKeyEvent(QWidget*, bool, QEvent::Type, int, QFlags<Qt::KeyboardModifier>, QString const&, bool, int, unsigned int, unsigned int, unsigned int, bool*) + 167
13  QtGui                         	0x0198b1c6 QKeyMapperPrivate::translateKeyEvent(QWidget*, OpaqueEventHandlerCallRef*, OpaqueEventRef*, void*, bool) + 742
14  QtGui                         	0x018c35fc qt_dispatchKeyEvent(void*, QWidget*) + 236
15  QtGui                         	0x018b664f -[QCocoaView keyDown:] + 335
16  com.apple.AppKit              	0x926e54cf -[NSWindow sendEvent:] + 10891
17  QtGui                         	0x018bc22b -[QCocoaWindow sendEvent:] + 267
18  com.apple.AppKit              	0x9267c6ff -[NSApplication sendEvent:] + 4788
19  QtGui                         	0x018bf9dd -[QNSApplication sendEvent:] + 93
20  com.apple.AppKit              	0x9260dc82 -[NSApplication run] + 1007
21  QtGui                         	0x018c9a51 QEventDispatcherMac::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 1505
22  QtCore                        	0x025239c1 QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 65
23  QtCore                        	0x02523d0a QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 170
24  QtCore                        	0x02525166 QCoreApplication::exec() + 182
25  com.yourcompany.fancybrowser  	0x00004a41 main + 435 (main.cpp:54)
26  com.yourcompany.fancybrowser  	0x000045f1 _start + 208
27  com.yourcompany.fancybrowser  	0x00004520 start + 40
-------- 8< ---------
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000030b9b7fc

VM Regions Near 0x30b9b7fc:
    MALLOC_TINY            000000000d500000-000000000d600000 [ 1024K] rw-/rwx SM=PRV  
--> 
    __TEXT                 000000008fe53000-000000008fe86000 [  204K] r-x/rwx SM=COW  /usr/lib/dyld

Application Specific Information:
objc[18122]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   QtGui                         	0x019562b9 QWidget::style() const + 9
1   QtGui                         	0x01cc822b QComboBox::hidePopup() + 267
2   QtWebKit                      	0x00960e7e WebCore::QtFallbackWebPopupCombo::hidePopup() + 46
3   QtGui                         	0x01ccb40f QComboBoxPrivateContainer::mousePressEvent(QMouseEvent*) + 191
4   QtGui                         	0x0196509f QWidget::event(QEvent*) + 2351
5   QtGui                         	0x01cf3c28 QFrame::event(QEvent*) + 40
6   QtGui                         	0x0191048c QApplicationPrivate::notify_helper(QObject*, QEvent*) + 188
7   QtGui                         	0x019194bd QApplication::notify(QObject*, QEvent*) + 8845
8   QtCore                        	0x02435b5c QCoreApplication::notifyInternal(QObject*, QEvent*) + 108
9   QtGui                         	0x019111fc qt_sendSpontaneousEvent(QObject*, QEvent*) + 60
10  QtGui                         	0x018c5623 qt_mac_handleMouseEvent(void*, void*, QEvent::Type, Qt::MouseButton) + 2019
11  QtGui                         	0x018b55a0 -[QCocoaView mouseDown:] + 64
12  com.apple.AppKit              	0x926e47b1 -[NSWindow sendEvent:] + 7533
13  QtGui                         	0x018b353b -[QCocoaPanel sendEvent:] + 267
14  com.apple.AppKit              	0x9267c6ff -[NSApplication sendEvent:] + 4788
15  QtGui                         	0x018bf9dd -[QNSApplication sendEvent:] + 93
16  com.apple.AppKit              	0x9260dc82 -[NSApplication run] + 1007
17  QtGui                         	0x018c9a51 QEventDispatcherMac::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 1505
18  QtCore                        	0x025239c1 QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 65
19  QtCore                        	0x02523d0a QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 170
20  QtCore                        	0x02525166 QCoreApplication::exec() + 182
21  com.yourcompany.fancybrowser  	0x00004a41 main + 435 (main.cpp:54)
22  com.yourcompany.fancybrowser  	0x000045f1 _start + 208
23  com.yourcompany.fancybrowser  	0x00004520 start + 40
-------- 8< ---------

Comment 1 Paul Sturm 2011-11-30 08:55:42 PST

I fixed this in qt/WebCoreSupport/QtFallbackWebPopup.cpp:

void QtFallbackWebPopupCombo::hidePopup()
{
...

    QComboBox::hidePopup(); // move this line ...

    if (!m_ownerPopup.m_popupVisible)
        return;

    m_ownerPopup.m_popupVisible = false;
// ... to here
    m_ownerPopup.popupDidHide();
    m_ownerPopup.destroyPopup();
}

The problem was that hidePopup() was sometimes being called twice (due to the vagaries of the OS X event loop). The first time through, the popup was closed and then destroyed. The second time through, the popup (which had been destroyed) was getting closed again – thus accessing memory that had been freed.

Comment 2 Steven Dorigotti 2015-04-17 07:20:58 PDT

I can confirm both the bug and the solution provided by Paul Sturm. It doesn't seem to have noticeable side effects.

cheers,
Steven

ps: this is the patch I apply to Qt 4.8.6:

--- qt.orig/qt-everywhere-opensource-src-4.8.6/src/3rdparty/webkit/Source/WebKit/qt/WebCoreSupport/QtFallbackWebPopup.cpp
+++ qt/qt-everywhere-opensource-src-4.8.6/src/3rdparty/webkit/Source/WebKit/qt/WebCoreSupport/QtFallbackWebPopup.cpp
@@ -66,12 +66,11 @@
     }
 #endif // QT_NO_IM
 
-    QComboBox::hidePopup();
-
     if (!m_ownerPopup.m_popupVisible)
         return;
 
     m_ownerPopup.m_popupVisible = false;
+    QComboBox::hidePopup();
     emit m_ownerPopup.didHide();
     m_ownerPopup.destroyPopup();
 }

Comment 3 Allan Sandfeld Jensen 2015-05-28 03:34:18 PDT

Fixed in Qt 5 already, and QtWebKit is no longer upstream.