Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-118157

[REG 6.5 -> 6.6] Crash in `GetServiceWorkerExtendedLifetimeOrigins` on Google Meet

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • P1: Critical
    • 6.6.1
    • 6.6.0
    • WebEngine
    • None
    • df00334b4 (6.6)

    Description

      When visiting https://meet.google.com/new e.g. in simplebrowser, it immediately segfaults in:

      Thread 1 "simplebrowser" received signal SIGSEGV, Segmentation fault.
base::Value::GetList () at ./../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/values.cc:321
321	 return absl::get<List>(data_);                                                                                                                                                                                                      
(gdb) bt
#0  base::Value::GetList() const () at ./../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/values.cc:321
#1  0x00007ffff1d83a93 in GetServiceWorkerExtendedLifetimeOrigins () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/extensions/browser/api/messaging/message_service.cc:164
#2  extensions::MessageService::OpenChannelImpl(content::BrowserContext*, std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, extensions::Extension const*, bool) () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/extensions/browser/api/messaging/message_service.cc:719
#3  0x00007ffff1d84e9e in extensions::MessageService::PendingLazyContextOpenChannel(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >) ()
    at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/extensions/browser/api/messaging/message_service.cc:1043
#4  0x00007ffff1d80ece in base::internal::FunctorTraits<void (extensions::MessageService::*)(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >), void>::Invoke<void (extensions::MessageService::*)(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >), base::WeakPtr<extensions::MessageService>, std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> > >(void (extensions::MessageService::*)(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >), base::WeakPtr<extensions::MessageService>&&, std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >&&, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >&&) ()
    at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/bind_internal.h:764
#5  base::internal::InvokeHelper<true, void, 0ul, 1ul>::MakeItSo<void (extensions::MessageService::*)(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >), std::tuple<base::WeakPtr<extensions::MessageService>, std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> > >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> > >(void (extensions::MessageService::*&&)(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >), std::tuple<base::WeakPtr<extensions::MessageService>, std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> > >&&, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >&&) ()
    at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/bind_internal.h:966
#6  base::internal::Invoker<base::internal::BindState<void (extensions::MessageService::*)(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >), base::WeakPtr<extensions::MessageService>, std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> > >, void (std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >)>::RunImpl<void (extensions::MessageService::*)(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >), std::tuple<base::WeakPtr<extensions::MessageService>, std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> > >, 0ul, 1ul>(void (extensions::MessageService::*&&)(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >), std::tuple<base::WeakPtr<extensions::MessageService>, std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> > >&&, std::integer_sequence<unsigned long, 0ul, 1ul>, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >&&) ()
    at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/bind_internal.h:1038
#7  base::internal::Invoker<base::internal::BindState<void (extensions::MessageService::*)(std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> >, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >), base::WeakPtr<extensions::MessageService>, std::unique_ptr<extensions::MessageService::OpenChannelParams, std::default_delete<extensions::MessageService::OpenChannelParams> > >, void (std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >)>::RunOnce(base::internal::BindStateBase*, std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >&&) ()
    at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/bind_internal.h:989
#8  0x00007ffff1d0bfb9 in base::OnceCallback<void (std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >)>::Run(std::unique_ptr<extensions::LazyContextTaskQueue::ContextInfo, std::default_delete<extensions::LazyContextTaskQueue::ContextInfo> >) && () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/callback.h:152
#9  extensions::LazyBackgroundTaskQueue::ProcessPendingTasks(extensions::ExtensionHost*, content::BrowserContext*, extensions::Extension const*) ()
    at ./../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/extensions/browser/lazy_background_task_queue.cc:136
#10 0x00007ffff1cccd25 in extensions::ExtensionHostRegistry::ExtensionHostCompletedFirstLoad(extensions::ExtensionHost*) ()
    at ./../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/extensions/browser/extension_host_registry.cc:120
#11 0x00007ffff1cccddc in extensions::ExtensionHost::DidStopLoading() () at ./../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/extensions/browser/extension_host.cc:271
#12 0x00007ffff14edb53 in content::WebContentsImpl::WebContentsObserverList::NotifyObservers<void (content::WebContentsObserver::*)()>(void (content::WebContentsObserver::*)()) ()
    at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.h:1549
#13 0x00007ffff1519dad in content::WebContentsImpl::LoadingStateChanged(bool, content::LoadNotificationDetails*) ()
--Type <RET> for more, q to quit, c to continue without paging--
    at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc:6872
#14 0x00007ffff151a617 in content::WebContentsImpl::LoadingStateChanged(bool, content::LoadNotificationDetails*) () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc:6838
#15 content::WebContentsImpl::DidStopLoading() () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc:7641
#16 0x00007ffff11dc593 in content::FrameTreeNode::DidStopLoading() () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/content/browser/renderer_host/frame_tree_node.cc:664
#17 0x00007ffff12ebd65 in content::RenderFrameHostImpl::DidStopLoading() () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_impl.cc:7526
#18 0x00007ffff0a8b09c in content::mojom::FrameHostStubDispatch::Accept(content::mojom::FrameHost*, mojo::Message*) () at gen/content/common/frame.mojom.cc:5529
#19 0x00007ffff2b302a3 in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:1000
#20 0x00007ffff2b31307 in mojo::MessageDispatcher::Accept(mojo::Message*) () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/mojo/public/cpp/bindings/lib/message_dispatcher.cc:48
#21 0x00007ffff2b2fcce in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:694
#22 0x00007ffff2d89402 in AcceptOnEndpointThread() () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/ipc/ipc_mojo_bootstrap.cc:1075
#23 0x00007ffff2d860e9 in Invoke<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, mojo::Message> () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/bind_internal.h:764
#24 MakeItSo<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), std::tuple<scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, mojo::Message> > () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/bind_internal.h:943
#25 RunImpl<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), std::tuple<scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, mojo::Message>, 0, 1> () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/bind_internal.h:1038
#26 RunOnce() () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/bind_internal.h:989
#27 0x00007ffff22f0d1e in base::OnceCallback<void ()>::Run() && () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/functional/callback.h:152
#28 base::TaskAnnotator::RunTaskImpl(base::PendingTask&) () at ./../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/task/common/task_annotator.cc:162
#29 0x00007ffff2309819 in RunTask<base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*)::<lambda(perfetto::EventContext&)> > () at ../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/task/common/task_annotator.h:88
#30 base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::LazyNow*) () at ./../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:490
#31 0x00007ffff230a266 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() () at ./../../../../../qtwebengine-everywhere-src-6.6.0/src/3rdparty/chromium/base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:340
#32 0x00007fffee750192 in QtWebEngineCore::MessagePumpForUIQt::handleScheduledWork() () at /usr/src/debug/qt6-webengine/qtwebengine-everywhere-src-6.6.0/src/core/browser_main_parts_qt.cpp:197
#33 0x00007fffeb5a4fe6 in QObject::event(QEvent*) (this=0x5555559855b0, e=0x555556064970) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/kernel/qobject.cpp:1414
#34 0x00007fffec57318b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (this=<optimized out>, receiver=0x5555559855b0, e=0x555556064970) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/widgets/kernel/qapplication.cpp:3290
#35 0x00007fffeb5626d8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (receiver=0x5555559855b0, event=event@entry=0x555556064970) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/kernel/qcoreapplication.cpp:1118
#36 0x00007fffeb562a5b in QCoreApplication::sendEvent(QObject*, QEvent*) (event=0x555556064970, receiver=<optimized out>) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/kernel/qcoreapplication.cpp:1536
#37 QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (receiver=0x0, event_type=0, data=0x555555608c00) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/kernel/qcoreapplication.cpp:1898
#38 0x00007fffeb799d24 in QCoreApplication::sendPostedEvents(QObject*, int) (receiver=0x0, event_type=0) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/kernel/qcoreapplication.cpp:1757
#39 postEventSourceDispatch(GSource*, GSourceFunc, gpointer) (s=0x555555656410) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/kernel/qeventdispatcher_glib.cpp:243
#40 0x00007fffea50df19 in g_main_dispatch (context=0x7fffd0000ef0) at ../glib/glib/gmain.c:3476
#41 0x00007fffea56c2b7 in g_main_context_dispatch_unlocked (context=0x7fffd0000ef0) at ../glib/glib/gmain.c:4284
#42 g_main_context_iterate_unlocked.isra.0 (context=context@entry=0x7fffd0000ef0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:4349
#43 0x00007fffea50c112 in g_main_context_iteration (context=0x7fffd0000ef0, may_block=1) at ../glib/glib/gmain.c:4414
#44 0x00007fffeb797934 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x555555665040, flags=...) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/kernel/qeventdispatcher_glib.cpp:393
#45 0x00007fffeb56cc5e in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (flags=..., this=0x7fffffffc870) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/kernel/qeventloop.cpp:100
#46 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7fffffffc870, flags=...) at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/kernel/qeventloop.cpp:182
#47 0x00007fffeb565178 in QCoreApplication::exec() () at /usr/src/debug/qt6-base/qtbase-everywhere-src-6.6.0/src/corelib/global/qflags.h:74
#48 0x0000555555582d24 in main ()

      Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

          People

            qt_webengine_team Qt WebEngine Team
            the compiler Florian Bruhin
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes