Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
5.12.9, 5.14.2, 5.15.0
-
Linux/X11
-
82eae6c457c85c9f51d08d5430d58e8359449576 (qt/qtwebengine/5.12)
Description
When scrolling the content of a WebEngineView while it resizes, it is possible to cause the embedding application to crash in the render thread. The stack trace when this occurs is seemingly different based on the website that is being viewed...
This issue can be reproduced with the following QML file. Load this file via qmlscene or your favorite `main.cpp` (I used the one that was created with a default QMake project in Qt Creator), wait for the WebView to load, then scroll up and down vigorously using the scroll bar (the mouse wheel does not trigger a crash):
(Epilepsy warning: depending on the content of the website, this could cause annoying or dangerous flashing as the WebView reflows constantly)
import QtQuick 2.9 import QtQuick.Controls 2.2 import QtWebEngine 1.7 ApplicationWindow { id: root width: 1024 height: 750 visible: true WebEngineView { id: webview anchors.top: parent.top anchors.bottom: root.bottom anchors.left: parent.left anchors.right: parent.right height: 600 url: "https://about.gitlab.com" profile: webViewProfile } property bool up: false property var myTimer: Timer { id: myTimer interval: 30 running: true repeat: true onTriggered: { if (root.up) { webview.height = webview.height + 50; } else { webview.height = webview.height - 50; } root.up = !root.up } } }
Again, the observed stack trace changes based on the site that is being viewed at the time of the crash. For example, when https://github.com is open:
1 ?? 0x555555bab210 2 QSGOpaqueTextureMaterialShader::updateState(QSGMaterialShader::RenderState const&, QSGMaterial *, QSGMaterial *) 0x7fffe83720a6 3 QSGBatchRenderer::Renderer::renderMergedBatch(QSGBatchRenderer::Batch const *) 0x7fffe836180a 4 QSGBatchRenderer::Renderer::renderBatches() 0x7fffe83623b5 5 QSGBatchRenderer::Renderer::render() 0x7fffe8367873 6 QSGRenderer::renderScene(QSGBindable const&) 0x7fffe83583a3 7 QSGRenderer::renderScene(unsigned int) 0x7fffe835886b 8 QSGDefaultRenderContext::renderNextFrame(QSGRenderer *, unsigned int) 0x7fffe839571e 9 QQuickWindowPrivate::renderSceneGraph(QSize const&) 0x7fffe83f2194 10 QSGRenderThread::syncAndRender() 0x7fffe83a124e 11 QSGRenderThread::run() 0x7fffe83a488c 12 QThreadPrivate::start(void *) 0x7ffff69e20b3 13 start_thread pthread_create.c 477 0x7ffff6516609 14 clone clone.S 95 0x7ffff6654103
But when https://secure.endless.horse is open:
1 ?? 0x7fffc9544432 2 ?? 0x7fffc95481de 3 ?? 0x7fffc954d764 4 ?? 0x7fffc9537574 5 QQuickWindowPrivate::updateDirtyNode(QQuickItem *) 0x7fffe83f1340 6 QQuickWindowPrivate::updateDirtyNodes() 0x7fffe83f197d 7 QQuickWindowPrivate::syncSceneGraph() 0x7fffe83f2b22 8 QSGRenderThread::sync(bool) 0x7fffe83a033c 9 QSGRenderThread::syncAndRender() 0x7fffe83a16d0 10 QSGRenderThread::run() 0x7fffe83a488c 11 QThreadPrivate::start(void *) 0x7ffff69e20b3 12 start_thread pthread_create.c 477 0x7ffff6516609 13 clone clone.S 95 0x7ffff6654103
On some sites, it is very difficult to trigger the bug. But with enough attempts, you can most likely get it to occur.
I've triggered this issue with QWE 5.14.2 on top of QtBase 5.9.5 on Ubuntu 16.04, QWE 5.12.8 on Qt 5.12.8 on Ubuntu 20.04, and QWE 5.12.9 on Qt 5.12.9 downloaded with Qt Creator on Ubuntu 20.04. It's been triggered on x86_64 and arm64 platforms.
I've been unable to trigger this issue on any of the following Qt versions, all downloaded from Qt Creator:
- 5.15.0 on Ubuntu 20.04
- 5.14.2 on Ubuntu 20.04
- 5.15.0, 5.14.2, 5.12.9 on macOS Catalina
This is potentially related to https://bugreports.qt.io/browse/QTBUG-76181, at least I have been able to trigger it under a disturbingly similar yet seemingly unrelated scenario: https://github.com/ubports/qtwebengine-opensource-src-packaging/issues/38
Attachments
Issue Links
- relates to
-
-
- Closed
-
- resulted in
-
-
- Closed
-
| For Gerrit Dashboard: QTBUG-85802 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 331620,2 | Match render pass structures check to actual tree traversal loop | 5.12 | qt/qtwebengine | Status: MERGED | +2 | 0 |