Qt / QTBUG-43725

memory use after free in QWebInspector/QWebPage/QWebView

Details

    • Type: Bug
    • Resolution: Won't Do
    • Priority: P2: Important
    • Fix Version/s: None
    • Affects Version/s: 5.4.0
    • Component/s: WebKit
    • Labels: None
    • Environment: Mac OS X Yosemite 10.10.1, Qt 5.4.0 directly from Qt, Mac OS X libGuardMalloc to detect the use of memory after free.

      You may be able to detect the same thing using Valgrind on Linux, but I have not tested that configuration.
    • Platform/s: macOS

    Description

      Mac OS X libGuardMalloc has detected a memory use after free when using a QWebView with an external QWebInspector and an external QWebPage, when closing/deleting the MainWindow (or even just hiding it).

      I have attached sample test code and sample HTML files that can be used to recreate the issue. Note: use of libGuardMalloc (or maybe Valgrind) would be needed to detect the problem.

      Using Mac OS X, here are the steps to recreate the issue:

      1. Unzip testfiles.zip somewhere you have write privileges.

      2. Unpack testcase2.zip (the source code) and edit the ResourceMgr.cpp constructor to specify the full path to the testfiles folder you created in step 1:
      [CODE]
      // Constructor: m_pathprefix must point at the unpacked testfiles folder
      // (trailing slash included); adjust the path for your machine.
      ResourceMgr::ResourceMgr(QObject *parent) :
          QObject(parent),
          m_pathprefix("/Users/kbhend/Desktop/testfiles/")
      {
      }
      [/CODE]

      3. Enable debug builds on Mac OS X:
      export DYLD_IMAGE_SUFFIX=_debug

      4. Rebuild the application using "Qt Creator.app" and Run to create the build directory.

      5. cd to the build directory created by Qt Creator.app.

      6. Run the resulting testcase2.app inside lldb with Mac OS X libGuardMalloc (as below).

      7. Once the application launches, hit the LoadHTML button.

      8. Give it a few seconds for the application to show a Preview window with a QWebInspector (things are very slow using libGuardMalloc).

      9. Simply close the MainWindow and observe the following use of memory after free error:
      KevinsiMac:build kbhend$ lldb ./testcase2.app

      (lldb) target create "./testcase2.app"
      Current executable set to './testcase2.app' (x86_64).

      (lldb) env DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib

      (lldb) process launch

      Process 599 launched: '/Users/kbhend/qtprojects/build-testcase2-Desktop_Qt_5_4_0_clang_64bit-Debug/testcase2.app/Contents/MacOS/testcase2' (x86_64)
      GuardMalloc[testcase2-599]: Allocations will be placed on 16 byte boundaries.
      GuardMalloc[testcase2-599]: - Some buffer overruns may not be noticed.
      GuardMalloc[testcase2-599]: - Applications using vector instructions (e.g., SSE) should work.
      GuardMalloc[testcase2-599]: version 104
      Process 599 stopped

      • thread #1: tid = 0x533f, 0x0000000102767992 QtWebKit_debug`WebCore::InspectorFrontendClientQt::inspectorClientDestroyed() + 34, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1ad729ff8)
        frame #0: 0x0000000102767992 QtWebKit_debug`WebCore::InspectorFrontendClientQt::inspectorClientDestroyed() + 34
        QtWebKit_debug`WebCore::InspectorFrontendClientQt::inspectorClientDestroyed() + 34:
        -> 0x102767992: movq $0x0, 0x68(%rdi)
        0x10276799a: movq $0x0, 0x48(%rdi)
        0x1027679a2: addq $0x10, %rsp
        0x1027679a6: popq %rbp
        (lldb) bt
      • thread #1: tid = 0x533f, 0x0000000102767992 QtWebKit_debug`WebCore::InspectorFrontendClientQt::inspectorClientDestroyed() + 34, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1ad729ff8)
      • frame #0: 0x0000000102767992 QtWebKit_debug`WebCore::InspectorFrontendClientQt::inspectorClientDestroyed() + 34
        frame #1: 0x000000010276795f QtWebKit_debug`WebCore::InspectorClientQt::closeInspectorFrontend() + 47
        frame #2: 0x0000000103cc1004 QtWebKit_debug`WebCore::InspectorController::close() + 84
        frame #3: 0x000000010278c5b1 QtWebKit_debug`QWebPageAdapter::didCloseInspector() + 33
        frame #4: 0x000000010005b732 QtWebKitWidgets_debug`QWebInspector::hideEvent(QHideEvent*) + 66
        frame #5: 0x000000010019cd95 QtWidgets_debug`QWidget::event(QEvent*) + 3397
        frame #6: 0x000000010005b608 QtWebKitWidgets_debug`QWebInspector::event(QEvent*) + 40
        frame #7: 0x000000010013971a QtWidgets_debug`QApplicationPrivate::notify_helper(QObject*, QEvent*) + 410
        frame #8: 0x000000010013ec92 QtWidgets_debug`QApplication::notify(QObject*, QEvent*) + 15554
        frame #9: 0x0000000101e7d9e9 QtCore_debug`QCoreApplication::notifyInternal(QObject*, QEvent*) + 201
        frame #10: 0x0000000100116dba QtWidgets_debug`QCoreApplication::sendEvent(QObject*, QEvent*) + 90
        frame #11: 0x000000010019b37b QtWidgets_debug`QWidgetPrivate::hideChildren(bool) + 315
        frame #12: 0x000000010019b33a QtWidgets_debug`QWidgetPrivate::hideChildren(bool) + 250
        frame #13: 0x000000010019b33a QtWidgets_debug`QWidgetPrivate::hideChildren(bool) + 250
        frame #14: 0x000000010019b33a QtWidgets_debug`QWidgetPrivate::hideChildren(bool) + 250
        frame #15: 0x000000010019b33a QtWidgets_debug`QWidgetPrivate::hideChildren(bool) + 250
        frame #16: 0x000000010019b12f QtWidgets_debug`QWidgetPrivate::hide_helper() + 303
        frame #17: 0x000000010019bba9 QtWidgets_debug`QWidget::setVisible(bool) + 1897
        frame #18: 0x000000010019afeb QtWidgets_debug`QWidget::hide() + 27
        frame #19: 0x0000000100188d4d QtWidgets_debug`QWidgetPrivate::close_helper(QWidgetPrivate::CloseMode) + 413
        frame #20: 0x00000001001c7fca QtWidgets_debug`QWidgetWindow::handleCloseEvent(QCloseEvent*) + 42
        frame #21: 0x00000001001c7b7d QtWidgets_debug`QWidgetWindow::event(QEvent*) + 605
        frame #22: 0x000000010013971a QtWidgets_debug`QApplicationPrivate::notify_helper(QObject*, QEvent*) + 410
        frame #23: 0x000000010013b906 QtWidgets_debug`QApplication::notify(QObject*, QEvent*) + 2358
        frame #24: 0x0000000101e7d9e9 QtCore_debug`QCoreApplication::notifyInternal(QObject*, QEvent*) + 201
        frame #25: 0x0000000100ea2e8f QtGui_debug`QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) + 95
        frame #26: 0x0000000100e9d917 QtGui_debug`QGuiApplicationPrivate::processCloseEvent(QWindowSystemInterfacePrivate::CloseEvent*) + 135
        frame #27: 0x0000000100e99cac QtGui_debug`QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) + 444
        frame #28: 0x0000000100e7db0d QtGui_debug`QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 141
        frame #29: 0x0000000100e7be90 QtGui_debug`QWindowSystemInterface::flushWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 352
        frame #30: 0x00000001129ce07b libqcocoa_debug.dylib`QCocoaWindow::windowShouldClose() + 59
        frame #31: 0x00000001129e63f1 libqcocoa_debug.dylib`-[QNSWindowDelegate windowShouldClose:] + 65
        frame #32: 0x00007fff8af9a088 AppKit`__19-[NSWindow __close]_block_invoke + 134
        frame #33: 0x00007fff8af99ff5 AppKit`-[NSWindow __close] + 312
        frame #34: 0x00007fff947b0cd7 libsystem_trace.dylib`_os_activity_initiate + 75
        frame #35: 0x00007fff8af51497 AppKit`-[NSApplication sendAction:to:from:] + 410
        frame #36: 0x00007fff8af512c0 AppKit`-[NSControl sendAction:to:] + 86
        frame #37: 0x00007fff8b125c5f AppKit`__26-[NSCell _sendActionFrom:]_block_invoke + 131
        frame #38: 0x00007fff947b0cd7 libsystem_trace.dylib`_os_activity_initiate + 75
        frame #39: 0x00007fff8af99ddc AppKit`-[NSCell _sendActionFrom:] + 144
        frame #40: 0x00007fff8b10c962 AppKit`-[NSButtonCell _sendActionFrom:] + 39
        frame #41: 0x00007fff947b0cd7 libsystem_trace.dylib`_os_activity_initiate + 75
        frame #42: 0x00007fff8afb4916 AppKit`-[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 2731
        frame #43: 0x00007fff8afb3b71 AppKit`-[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 491
        frame #44: 0x00007fff8afb3139 AppKit`-[NSControl mouseDown:] + 714
        frame #45: 0x00007fff8b43bdbd AppKit`-[_NSThemeWidget mouseDown:] + 315
        frame #46: 0x00007fff8b4acf4f AppKit`-[NSWindow _reallySendEvent:] + 12827
        frame #47: 0x00007fff8af3750c AppKit`-[NSWindow sendEvent:] + 368
        frame #48: 0x00000001129c6439 libqcocoa_debug.dylib`-[QNSWindow superSendEvent:] + 73
        frame #49: 0x00000001129c5939 libqcocoa_debug.dylib`-[QNSWindowHelper handleWindowEvent:] + 601
        frame #50: 0x00000001129c63ea libqcocoa_debug.dylib`-[QNSWindow sendEvent:] + 58
        frame #51: 0x00007fff8aee9096 AppKit`-[NSApplication sendEvent:] + 2238
        frame #52: 0x00000001129efc2d libqcocoa_debug.dylib`-[QNSApplication sendEvent:] + 93
        frame #53: 0x00007fff8ad75e98 AppKit`-[NSApplication run] + 711
        frame #54: 0x00000001129e8f33 libqcocoa_debug.dylib`QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 1155
        frame #55: 0x0000000101e7921a QtCore_debug`QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 122
        frame #56: 0x0000000101e7944e QtCore_debug`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 542
        frame #57: 0x0000000101e7e1b9 QtCore_debug`QCoreApplication::exec() + 393
        frame #58: 0x0000000100e99796 QtGui_debug`QGuiApplication::exec() + 22
        frame #59: 0x000000010013ae89 QtWidgets_debug`QApplication::exec() + 9
        frame #60: 0x0000000100003fd1 testcase2`main(argc=1, argv=0x00007fff5fbff998) + 97 at main.cpp:10
        frame #61: 0x0000000100003f64 testcase2`start + 52
        (lldb)
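The trace above shows InspectorClientQt::closeInspectorFrontend() calling InspectorFrontendClientQt::inspectorClientDestroyed() on a frontend-client object that GuardMalloc has already marked as freed (the faulting instruction stores into a field of `this`). The sketch below is an added example, not QtWebKit's or the reporter's code: it models that dangling-handle teardown in plain C++ with hypothetical `Frontend` and `Client` types, shows why a raw back-pointer is unsafe once the other side has been destroyed, and shows the weak-handle form that turns a late close into a no-op.

```cpp
#include <cstdio>
#include <memory>

// Added example (not QtWebKit or the reporter's code): a plain C++ model of the
// teardown pattern in the trace.  Names are hypothetical.  A Frontend lives as
// long as its window; a Client holds a handle to it and, when the client side
// closes, calls back into the frontend to say the client is gone.

struct Frontend {
    bool clientAlive = true;
    // Analogue of inspectorClientDestroyed(): this stores into *this, so if
    // the Frontend has already been deleted the store is a write-after-free.
    void clientDestroyed() { clientAlive = false; }
};

// Pattern 1 (unsafe): a raw pointer with no lifetime tracking.  Nothing clears
// it when the Frontend dies, so a close after that dereferences freed memory.
struct RawClient {
    Frontend* frontend = nullptr;
    void closeFrontend() {
        if (frontend) {
            frontend->clientDestroyed();  // undefined behaviour if *frontend was freed
            frontend = nullptr;
        }
    }
};

// Pattern 2 (safe): a weak handle.  lock() returns null once the owning
// shared_ptr is gone, so the close becomes a no-op instead of a use-after-free.
struct WeakClient {
    std::weak_ptr<Frontend> frontend;
    // Returns true only if a live Frontend was actually notified.
    bool closeFrontend() {
        std::shared_ptr<Frontend> live = frontend.lock();
        frontend.reset();
        if (!live) return false;
        live->clientDestroyed();
        return true;
    }
};

// Normal order: the Frontend is still alive when the client closes it.
bool weakClientNotifiesLiveFrontend() {
    auto frontend = std::make_shared<Frontend>();
    WeakClient client;
    client.frontend = frontend;
    bool notified = client.closeFrontend();
    return notified && !frontend->clientAlive;
}

// Bug-report order: the Frontend is destroyed first, then the client closes.
bool weakClientSkipsDeadFrontend() {
    WeakClient client;
    {
        auto frontend = std::make_shared<Frontend>();
        client.frontend = frontend;
    }  // last owner gone: Frontend freed here
    return !client.closeFrontend() && client.frontend.expired();
}

// The raw-pointer variant after the same sequence: the handle still looks
// valid, which is exactly what lets closeFrontend() write into freed memory.
// Only the pointer value is inspected here; it is never dereferenced.
bool rawClientStillPointsAtFreedFrontend() {
    RawClient client;
    Frontend* frontend = new Frontend;
    client.frontend = frontend;
    delete frontend;
    return client.frontend != nullptr;
}

int main() {
    std::printf("weak client, live frontend notified: %s\n",
                weakClientNotifiesLiveFrontend() ? "yes" : "no");
    std::printf("weak client, dead frontend skipped:  %s\n",
                weakClientSkipsDeadFrontend() ? "yes" : "no");
    std::printf("raw client dangles after free:       %s\n",
                rawClientStillPointsAtFreedFrontend() ? "yes" : "no");
    return 0;
}
```

Under libGuardMalloc (or AddressSanitizer) a call to `RawClient::closeFrontend()` after the delete would trap on the store inside `clientDestroyed()`, the same shape as the EXC_BAD_ACCESS in the trace; without such a tool the write usually lands silently in freed memory. In Qt code the equivalent of the weak handle for QObject-derived objects is `QPointer<T>`, which becomes null when the pointee is destroyed.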

      Attachments

        1. testcase2.zip
          10 kB
        2. testfiles.zip
          2.39 MB
          People

            Assignee: annulen Konstantin Tokarev
            Reporter: kevinhendricks Kevin B. Hendricks
            Votes: 0
            Watchers: 2

          Gerrit Reviews

            There are no open Gerrit changes