QTBUG-138544

Crash when destroying QWebEnginePage


    • Bug
    • Resolution: Fixed
    • P1: Critical
    • 6.10.0 RC
    • 6.9.1
    • WebEngine
    • None
    • Arch Linux
    • Linux/X11
    • 68a4908a6 (134-based), 35738530f (130-based)

      Sometimes qutebrowser will crash when closing a page. Looking at the stack, I believe this crash is entirely inside QtWebEngine, not the python wrapper or the qutebrowser code. Here is the stack trace from the crash:

      #0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
      #1  0x00007ffff76a7813 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89
      #2  0x00007ffff764ddc0 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
      #3  0x00007ffff763557a in __GI_abort () at abort.c:73
      #4  0x00007ffff4e9a421 in std::__glibcxx_assert_fail (file=<optimized out>, line=<optimized out>, function=<optimized out>, condition=<optimized out>) at /usr/src/debug/gcc/gcc/libstdc++-v3/src/c++11/assert_fail.cc:41
      #5  0x00007fffe3d17313 in std::optional<content::DocumentAssociatedData>::operator-> () at /usr/include/c++/15.1.1/optional:1172
      #6  0x00007fffe3d17607 in std::optional<content::DocumentAssociatedData>::operator-> () at /usr/lib/libQt6WebEngineCore.so.6
      #7  content::RenderFrameHostImpl::GetPage () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_impl.cc:2580
      #8  0x00007fffe7826f23 in content::FederatedAuthRequestImpl::CompleteRequest () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/webid/federated_auth_request_impl.cc:2787
      #9  0x00007fffe7827a2b in content::FederatedAuthRequestImpl::CompleteRequestWithError () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/webid/federated_auth_request_impl.cc:2719
      #10 0x00007fffe7827c21 in content::FederatedAuthRequestImpl::~FederatedAuthRequestImpl () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/webid/federated_auth_request_impl.cc:583
      #11 0x00007fffe78284f1 in content::FederatedAuthRequestImpl::~FederatedAuthRequestImpl () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/webid/federated_auth_request_impl.cc:607
      #12 0x00007fffe73d6cd3 in content::DocumentAssociatedData::~DocumentAssociatedData () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/renderer_host/document_associated_data.cc:62
      #13 0x00007fffe753e4b9 in std::_Optional_payload_base<content::DocumentAssociatedData>::_M_destroy () at /usr/include/c++/15.1.1/optional:307
      #14 std::_Optional_payload_base<content::DocumentAssociatedData>::_M_reset () at /usr/include/c++/15.1.1/optional:338
      #15 std::_Optional_base<content::DocumentAssociatedData, false, false>::_M_reset () at /usr/include/c++/15.1.1/optional:560
      #16 std::optional<content::DocumentAssociatedData>::reset () at /usr/include/c++/15.1.1/optional:1402
      #17 content::RenderFrameHostImpl::~RenderFrameHostImpl () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_impl.cc:2279
      #18 0x00007fffe753eb51 in content::RenderFrameHostImpl::~RenderFrameHostImpl () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_impl.cc:2388
      #19 0x00007fffe754a031 in std::default_delete<content::RenderFrameHostImpl>::operator() () at /usr/include/c++/15.1.1/bits/unique_ptr.h:93
      #20 std::unique_ptr<content::RenderFrameHostImpl, std::default_delete<content::RenderFrameHostImpl> >::~unique_ptr () at /usr/include/c++/15.1.1/bits/unique_ptr.h:399
      #21 content::RenderFrameHostManager::~RenderFrameHostManager () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_manager.cc:568
      #22 0x00007fffe73e7db7 in content::FrameTreeNode::~FrameTreeNode () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/renderer_host/frame_tree_node.cc:305
      #23 0x00007fffe73e04ba in content::FrameTree::~FrameTree () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/renderer_host/frame_tree.cc:229
      #24 0x00007fffe77e7107 in content::WebContentsImpl::~WebContentsImpl () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc:1418
      #25 0x00007fffe77e7731 in content::WebContentsImpl::~WebContentsImpl () at ../../../../../qtwebengine/src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc:1418
      #26 0x00007fffe3ebac73 in std::default_delete<content::WebContents>::operator() () at /usr/include/c++/15.1.1/bits/unique_ptr.h:93
      #27 std::unique_ptr<content::WebContents, std::default_delete<content::WebContents> >::~unique_ptr () at /usr/include/c++/15.1.1/bits/unique_ptr.h:399
      #28 QtWebEngineCore::WebContentsAdapter::~WebContentsAdapter () at /usr/src/debug/qt6-webengine/qtwebengine/src/core/web_contents_adapter.cpp:438
      #29 0x00007fffe886a3da in QtSharedPointer::ExternalRefCountData::destroy (this=0x55555ba98df0) at /usr/include/qt6/QtCore/qsharedpointer_impl.h:124
      #30 QSharedPointer<QtWebEngineCore::CertificateErrorController>::deref(QtSharedPointer::ExternalRefCountData*) [clone .part.0] [clone .lto_priv.0] (dd=0x55555ba98df0) at /usr/include/qt6/QtCore/qsharedpointer_impl.h:515
      #31 0x00007fffe888505e in QWebEnginePagePrivate::~QWebEnginePagePrivate (this=0x55555ae02920, this=<optimized out>) at /usr/src/debug/qt6-webengine/qtwebengine/src/core/api/qwebenginepage.cpp:129
      #32 QScopedPointerDeleter<QWebEnginePagePrivate>::cleanup (pointer=0x55555ae02920) at /usr/include/qt6/QtCore/qscopedpointer.h:24
      #33 QScopedPointer<QWebEnginePagePrivate, QScopedPointerDeleter<QWebEnginePagePrivate> >::~QScopedPointer (this=<optimized out>, this=<optimized out>) at /usr/include/qt6/QtCore/qscopedpointer.h:81
      #34 QWebEnginePage::~QWebEnginePage (this=this@entry=0x55555de00220, this=<optimized out>) at /usr/src/debug/qt6-webengine/qtwebengine/src/core/api/qwebenginepage.cpp:1065
      #35 0x00007fffd2bb5705 in sipQWebEnginePage::~sipQWebEnginePage (this=0x55555de00220, this=<optimized out>) at /usr/src/debug/pyqt6-webengine/pyqt6_webengine-6.9.0/build/QtWebEngineCore/sipQtWebEngineCoreQWebEnginePage.cpp:248
      #36 sipQWebEnginePage::~sipQWebEnginePage (this=0x55555de00220, this=<optimized out>) at /usr/src/debug/pyqt6-webengine/pyqt6_webengine-6.9.0/build/QtWebEngineCore/sipQtWebEngineCoreQWebEnginePage.cpp:248
      #37 0x00007ffff53b8fe2 in QObjectPrivate::deleteChildren (this=this@entry=0x55555d91aec0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:2223
      #38 0x00007ffff19444b1 in QWidget::~QWidget (this=this@entry=0x55555dd0f410, this=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qwidget.cpp:1569
      #39 0x00007ffff0c907b4 in QWebEngineView::~QWebEngineView (this=this@entry=0x55555dd0f410, this=<optimized out>) at /usr/src/debug/qt6-webengine/qtwebengine/src/webenginewidgets/api/qwebengineview.cpp:1040
      #40 0x00007ffff24c431f in sipQWebEngineView::~sipQWebEngineView (this=0x55555dd0f410, this=<optimized out>) at /usr/src/debug/pyqt6-webengine/pyqt6_webengine-6.9.0/build/QtWebEngineWidgets/sipQtWebEngineWidgetsQWebEngineView.cpp:389
      #41 sipQWebEngineView::~sipQWebEngineView (this=0x55555dd0f410, this=<optimized out>) at /usr/src/debug/pyqt6-webengine/pyqt6_webengine-6.9.0/build/QtWebEngineWidgets/sipQtWebEngineWidgetsQWebEngineView.cpp:389
      #42 0x00007ffff53b8fe2 in QObjectPrivate::deleteChildren (this=this@entry=0x55555a88df80) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:2223
      #43 0x00007ffff19444b1 in QWidget::~QWidget (this=0x555559aab8c0, this=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qwidget.cpp:1569
      #44 0x00007ffff21353df in sipQSplitter::~sipQSplitter (this=0x555559aab8c0, this=<optimized out>) at /usr/src/debug/pyqt6/pyqt6-6.9.1/build/QtWidgets/sipQtWidgetsQSplitter.cpp:352
      #45 sipQSplitter::~sipQSplitter (this=0x555559aab8c0, this=<optimized out>) at /usr/src/debug/pyqt6/pyqt6-6.9.1/build/QtWidgets/sipQtWidgetsQSplitter.cpp:352
      #46 0x00007ffff53b8fe2 in QObjectPrivate::deleteChildren (this=this@entry=0x55555a7ee000) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:2223
      #47 0x00007ffff19444b1 in QWidget::~QWidget (this=this@entry=0x55555aec35b0, this=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qwidget.cpp:1569
      #48 0x00007ffff22e931f in sipQWidget::~sipQWidget (this=0x55555aec35b0, this=<optimized out>) at /usr/src/debug/pyqt6/pyqt6-6.9.1/build/QtWidgets/sipQtWidgetsQWidget.cpp:369
      #49 sipQWidget::~sipQWidget (this=0x55555aec35b0, this=<optimized out>) at /usr/src/debug/pyqt6/pyqt6-6.9.1/build/QtWidgets/sipQtWidgetsQWidget.cpp:369
      #50 0x00007ffff53c0d3c in QObject::event (this=this@entry=0x55555aec35b0, e=e@entry=0x5555595c9b10) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:1416
      #51 0x00007ffff195ab50 in QWidget::event (this=this@entry=0x55555aec35b0, event=event@entry=0x5555595c9b10) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qwidget.cpp:9426
      #52 0x00007ffff22f1c9c in sipQWidget::event (this=0x55555aec35b0, a0=0x5555595c9b10) at /usr/src/debug/pyqt6/pyqt6-6.9.1/build/QtWidgets/sipQtWidgetsQWidget.cpp:1077
      #53 0x00007ffff1901c70 in QApplicationPrivate::notify_helper (this=this@entry=0x5555556ed948, receiver=0x55555aec35b0, e=0x5555595c9b10) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qapplication.cpp:3303
      #54 0x00007ffff1904f83 in QApplication::notify (this=this@entry=0x555555ef4040, receiver=receiver@entry=0x55555aec35b0, e=e@entry=0x5555595c9b10) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qapplication.cpp:3064
      #55 0x00007ffff22c5c37 in sipQApplication::notify (this=0x555555ef4040, a0=0x55555aec35b0, a1=0x5555595c9b10) at /usr/src/debug/pyqt6/pyqt6-6.9.1/build/QtWidgets/sipQtWidgetsQApplication.cpp:249
      #56 0x00007ffff5368118 in QCoreApplication::notifyInternal2 (receiver=0x55555aec35b0, event=event@entry=0x5555595c9b10) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1106
      #57 0x00007ffff53684fb in QCoreApplication::sendEvent (receiver=<optimized out>, event=0x5555595c9b10) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1546
      #58 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x5555556ed900) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1879
      #59 0x00007ffff563fcf8 in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1733
      #60 postEventSourceDispatch (s=0x555555f76ce0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:246
      #61 0x00007ffff5fde87d in g_main_dispatch (context=0x7fffcc000fb0) at ../glib/glib/gmain.c:3398
      #62 0x00007ffff5fdfcd7 in g_main_context_dispatch_unlocked (context=0x7fffcc000fb0) at ../glib/glib/gmain.c:4249
      #63 g_main_context_iterate_unlocked (context=context@entry=0x7fffcc000fb0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:4314
      #64 0x00007ffff5fdfee5 in g_main_context_iteration (context=0x7fffcc000fb0, may_block=1) at ../glib/glib/gmain.c:4379
      #65 0x00007ffff563c5e2 in QEventDispatcherGlib::processEvents (this=0x555555f725a0, flags=...) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:399
      #66 0x00007ffff53744b6 in QEventLoop::processEvents (this=0x7fffffffdf90, flags=...) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventloop.cpp:104
      #67 QEventLoop::exec (this=0x7fffffffdf90, flags=...) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventloop.cpp:186
      #68 0x00007ffff536c7c1 in QCoreApplication::exec () at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1449
      #69 0x00007ffff18fc6aa in QApplication::exec () at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qapplication.cpp:2570
      #70 0x00007ffff22c20ac in meth_QApplication_exec (sipSelf=<optimized out>, sipArgs=<optimized out>) at /usr/src/debug/pyqt6/pyqt6-6.9.1/build/QtWidgets/sipQtWidgetsQApplication.cpp:1289
      #71 0x00007ffff7994c03 in cfunction_call (func=0x7fffa41a6ac0, args=0x7ffff7d01548 <_PyRuntime+88296>, kwargs=0x0) at Objects/methodobject.c:551
      #72 0x00007ffff7960e3b in _PyObject_MakeTpCall (tstate=0x7ffff7d30df0 <_PyRuntime+283024>, callable=0x7fffa41a6ac0, args=0x7ffff7e51210, nargs=<optimized out>, keywords=<optimized out>) at Objects/call.c:242
      #73 0x00007ffff79752be in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:813
      #74 0x00007ffff7a4c8b9 in PyEval_EvalCode (co=0x55555561e9e0, globals=<optimized out>, locals=0x7ffff6e30380) at Python/ceval.c:604
      #75 0x00007ffff7a8af5c in run_eval_code_obj (tstate=tstate@entry=0x7ffff7d30df0 <_PyRuntime+283024>, co=co@entry=0x55555561e9e0, globals=globals@entry=0x7ffff6e30380, locals=locals@entry=0x7ffff6e30380) at Python/pythonrun.c:1381
      #76 0x00007ffff7a8801b in run_mod (mod=mod@entry=0x5555556850a8, filename=filename@entry=0x7ffff6e304b0, globals=globals@entry=0x7ffff6e30380, locals=locals@entry=0x7ffff6e30380, flags=flags@entry=0x7fffffffe518, arena=arena@entry=0x7ffff6f1bd50, interactive_src=0x0, generate_new_source=0) at Python/pythonrun.c:1466
      #77 0x00007ffff7a85718 in pyrun_file (fp=fp@entry=0x5555555a97f0, filename=filename@entry=0x7ffff6e304b0, start=start@entry=257, globals=globals@entry=0x7ffff6e30380, locals=locals@entry=0x7ffff6e30380, closeit=closeit@entry=1, flags=0x7fffffffe518) at Python/pythonrun.c:1295
      #78 0x00007ffff7a849d2 in _PyRun_SimpleFileObject (fp=fp@entry=0x5555555a97f0, filename=filename@entry=0x7ffff6e304b0, closeit=closeit@entry=1, flags=flags@entry=0x7fffffffe518) at Python/pythonrun.c:517
      #79 0x00007ffff7a84343 in _PyRun_AnyFileObject (fp=fp@entry=0x5555555a97f0, filename=filename@entry=0x7ffff6e304b0, closeit=closeit@entry=1, flags=flags@entry=0x7fffffffe518) at Python/pythonrun.c:77
      #80 0x00007ffff7a8248b in pymain_run_file_obj (program_name=0x7ffff6e304f0, filename=0x7ffff6e304b0, skip_source_first_line=0) at Modules/main.c:410
      #81 pymain_run_file (config=0x7ffff7d034e8 <_PyRuntime+96392>) at Modules/main.c:429
      #82 pymain_run_python (exitcode=0x7fffffffe50c) at Modules/main.c:696
      #83 Py_RunMain () at Modules/main.c:775
      #84 0x00007ffff7a39dcb in Py_BytesMain (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:829
      #85 0x00007ffff76376b5 in __libc_start_call_main (main=main@entry=0x555555555120, argc=argc@entry=4, argv=argv@entry=0x7fffffffe778) at ../sysdeps/nptl/libc_start_call_main.h:58
      #86 0x00007ffff7637769 in __libc_start_main_impl (main=0x555555555120, argc=4, argv=0x7fffffffe778, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe768) at ../csu/libc-start.c:360
      

      The relevant part starts at frame 17, where ~RenderFrameHostImpl calls document_associated_data_.reset(). This eventually calls ~DocumentAssociatedData (frame 12). This destroys a FederatedAuthRequestImpl instance, which has a valid auth_request_token_callback_. This causes a call to CompleteRequestWithError, which calls CompleteRequest, which calls render_frame_host().GetPage() (frame 7). GetPage tries to call document_associated_data_->owned_page(), but document_associated_data_ was reset in frame 17 and is now empty. This fails a libstdc++ assert, which crashes the program.

      The final cause (using document_associated_data_ after it has been reset) is the same as QTBUG-136131, but the fix for that bug does not fix this issue, since this crash is not caused by audio logging.
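      The teardown re-entrancy described above, reduced to a self-contained C++ sketch. This is an added example, not Qt or Chromium code: Frame, DocumentData, AuthRequest and the tearing_down guard are hypothetical stand-ins, and the guard is one possible defensive pattern, not the fix that was applied for this issue.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <optional>
#include <string>
#include <vector>

struct Frame;  // hypothetical stand-in for RenderFrameHostImpl
// Stand-in for FederatedAuthRequestImpl: a pending callback is completed on destruction.
struct AuthRequest {
    Frame& frame;
    std::function<void(const std::string&)> pending;
    void Complete(const std::string& status);
    ~AuthRequest() { if (pending) Complete("aborted"); }
};
// Stand-in for DocumentAssociatedData: owns the page and the request.
struct DocumentData {
    std::string page;
    std::unique_ptr<AuthRequest> request;
};
struct Frame {
    std::optional<DocumentData> doc;
    bool tearing_down = false;  // assumption: explicit teardown flag, not in the original code
    // Unguarded shape of frame 7: dereferences doc even when it is empty (never called here).
    const std::string& GetPageUnchecked() const { return doc->page; }
    // Guarded accessor: reports "no page" once teardown has begun or doc is empty.
    const std::string* GetPage() const { return (tearing_down || !doc) ? nullptr : &doc->page; }
    // reset() destroys DocumentData, whose request calls back into this Frame.
    ~Frame() { tearing_down = true; doc.reset(); }
};
void AuthRequest::Complete(const std::string& status) {
    const std::string* page = frame.GetPage();  // safe even when reached from ~Frame
    auto cb = std::move(pending);
    pending = nullptr;                          // complete at most once
    cb(status + (page ? " on " + *page : std::string(" (no page)")));
}
// Constructed scenario: one request completes normally, one is still pending at teardown.
std::vector<std::string> RunScenario() {
    std::vector<std::string> log;
    auto sink = [&log](const std::string& s) { log.push_back(s); };
    {
        Frame f;
        f.doc.emplace(DocumentData{"https://example.test", nullptr});
        f.doc->request.reset(new AuthRequest{f, sink});
        f.doc->request->Complete("ok");                  // frame alive: page is visible
        f.doc->request.reset(new AuthRequest{f, sink});  // left pending; ~Frame completes it
    }
    return log;
}
int main() { for (const auto& line : RunScenario()) std::puts(line.c_str()); }
```

      Routing the destructor-time completion through GetPageUnchecked() instead reproduces the shape of frames 5 to 17: with libstdc++ assertions enabled, the dereference of the already-empty optional aborts.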


            allan.jensen Allan Sandfeld Jensen
            m42a Marc Aldorasi