QTBUG-94772

Crash in Page's test: openLinkInNewPage:OverridePopup


Details

    • Type: Bug
    • Resolution: Done
    • Priority: P1: Critical
    • Fix Version/s: 6.2.0 Beta4, 6.3.0 Alpha
    • Affects Version/s: 6.2.0 Alpha
    • Component/s: WebEngine
    • Labels: None
    • Platform/s: All
    • Commits: e04d8c65b350146fc4458ded5576c4a07601d041 (qt/qtwebengine/dev), d590e174e8734ba88748fb60209fbec64a6e6fef (qt/qtwebengine/6.2)

    Description

      WebContentsImpl and the delegate inside it are removed during the call, since the new window is opened in the same page:

      ==3797129==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f000056b40 at pc 0x7fc31aad8f1b bp 0x7ffdbb2b8b30 sp 0x7ffdbb2b8b28
      READ of size 8 at 0x61f000056b40 thread T0
          #0 0x7fc31aad8f1a in content::WebContentsImpl::CreateNewWindow(content::RenderFrameHost*, content::mojom::CreateNewWindowParams const&, bool, bool, content::SessionStorageNamespace*) /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc:3686:11
          #1 0x7fc319c67889 in content::RenderFrameHostImpl::CreateNewWindow(mojo::StructPtr<content::mojom::CreateNewWindowParams>, base::OnceCallback<void (content::mojom::CreateNewWindowStatus, mojo::StructPtr<content::mojom::CreateNewWindowReply>)>) /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_impl.cc:5212:18
          #2 0x7fc301e020f6 in content::mojom::FrameHostStubDispatch::AcceptWithResponder(content::mojom::FrameHost*, mojo::Message*, std::unique_ptr<mojo::MessageReceiverWithStatus, std::default_delete<mojo::MessageReceiverWithStatus> >) /b/dev/qtwebengine/src/core/RelWithDebInfo/gen/content/common/frame.mojom.cc:6568:13
          #3 0x7fc319ca46b7 in content::mojom::FrameHostStub<mojo::RawPtrImplRefTraits<content::mojom::FrameHost> >::AcceptWithResponder(mojo::Message*, std::unique_ptr<mojo::MessageReceiverWithStatus, std::default_delete<mojo::MessageReceiverWithStatus> >) /b/dev/qtwebengine/src/core/RelWithDebInfo/gen/content/common/frame.mojom.h:1010:12
          #4 0x7fc30b75707e in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:528:56
          #5 0x7fc30b770f6a in mojo::MessageDispatcher::Accept(mojo::Message*) /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/mojo/public/cpp/bindings/lib/message_dispatcher.cc:46:24
          #6 0x7fc30b75af64 in mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:356:22
          #7 0x7fc30ba3fd06 in IPC::(anonymous namespace)::ChannelAssociatedGroupController::AcceptSyncMessage(unsigned int, unsigned int) /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/ipc/ipc_mojo_bootstrap.cc:982:24
          #8 0x7fc30ba4137c in Invoke<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(unsigned int, unsigned int), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, unsigned int, unsigned int> /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/base/bind_internal.h:498:12
          #9 0x7fc30ba4137c in MakeItSo<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(unsigned int, unsigned int), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, unsigned int, unsigned int> /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/base/bind_internal.h:637:12
          #10 0x7fc30ba4137c in RunImpl<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(unsigned int, unsigned int), std::tuple<scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, unsigned int, unsigned int>, 0, 1, 2> /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/base/bind_internal.h:710:12
          #11 0x7fc30ba4137c in base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(unsigned int, unsigned int), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, unsigned int, unsigned int>, void ()>::RunOnce(base::internal::BindStateBase*) /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/base/bind_internal.h:679:12
          #12 0x7fc30951c3da in Run /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/base/callback.h:101:12
          #13 0x7fc30951c3da in base::TaskAnnotator::RunTask(char const*, base::PendingTask*) /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/base/task/common/task_annotator.cc:163:33
          #14 0x7fc30957aa8d in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::sequence_manager::LazyNow*) /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:357:25
          #15 0x7fc30957a0fe in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() /b/dev/qtwebengine/src/core/RelWithDebInfo/../../../../../../home/user/qt/qtwebengine/src/3rdparty/chromium/base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:268:36
          #16 0x7fc2fdb71b9b in QtWebEngineCore::MessagePumpForUIQt::handleScheduledWork() /home/user/qt/qtwebengine/src/core/browser_main_parts_qt.cpp:215:80
          #17 0x7fc309316fa9 in std::function<void ()>::operator()() const /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/11.1.0/../../../../include/c++/11.1.0/bits/std_function.h:560:9
          #18 0x7fc309316fa9 in QWebEngineMessagePumpScheduler::timerEvent(QTimerEvent*) /home/user/qt/qtwebengine/src/core/api/qwebenginemessagepumpscheduler.cpp:71:5
          #19 0x7fc2e807fe06 in QObject::event(QEvent*) /home/user/qt/qtbase/src/corelib/kernel/qobject.cpp
          #20 0x7fc2eab5f97b in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/user/qt/qtbase/src/widgets/kernel/qapplication.cpp:3396:26
          #21 0x7fc2eab63d56 in QApplication::notify(QObject*, QEvent*) /home/user/qt/qtbase/src/widgets/kernel/qapplication.cpp
          #22 0x7fc2e7f8dd27 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/user/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1061:18
          #23 0x7fc2e7f91fba in QCoreApplication::sendEvent(QObject*, QEvent*) /home/user/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1469:12
          #24 0x7fc2e7f91fba in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/user/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1828:9
          #25 0x7fc2e7f8ff64 in QCoreApplication::sendPostedEvents(QObject*, int) /home/user/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1687:5
          #26 0x7fc2e87b7881 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) /home/user/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:279:5
          #27 0x7fc2e742a02b in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x5402b)
      

      Technically, this exists in 5.15 also, but it doesn't crash there since web_contents_impl doesn't do anything after the call to the delegate. That is no longer the case in the 88-based version.
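      The failure pattern behind this trace, as an added illustration that is neither Qt/Chromium code nor the fix in the linked commits: a WebContents-like object calls out to its delegate, the delegate replaces the page's contents (the "new window opened in the same page" case), so the caller is destroyed before the delegate call returns, and any member access after the call is a heap-use-after-free. The names (Page, WebContents, Delegate, SamePageDelegate, RunScenario) are assumptions; the std::weak_ptr self-check stands in for Chromium's base::WeakPtr idiom and is one standard mitigation, not necessarily what the referenced commits do.

```cpp
// Added illustration of the reentrancy hazard in QTBUG-94772 (hypothetical
// names, not Qt or Chromium code): an object is destroyed by its own delegate
// mid-call, and a weak self-handle is re-checked before touching members.
#include <iostream>
#include <memory>
#include <string>
#include <utility>

class WebContents;

struct Delegate {
    virtual ~Delegate() = default;
    // Invoked by WebContents::CreateNewWindow; may replace the page's contents.
    virtual void WebContentsCreated(WebContents* source) = 0;
};

enum class CreateResult { kCompleted, kAbortedSelfDestroyed };

class WebContents : public std::enable_shared_from_this<WebContents> {
public:
    explicit WebContents(std::string name) : name_(std::move(name)) {}
    void set_delegate(Delegate* d) { delegate_ = d; }
    const std::string& name() const { return name_; }
    int windows_created() const { return windows_created_; }

    CreateResult CreateNewWindow() {
        // Take a weak handle to ourselves BEFORE calling out (analogous to
        // Chromium's base::WeakPtr guard). Requires ownership by a shared_ptr.
        std::weak_ptr<WebContents> self = weak_from_this();
        if (delegate_)
            delegate_->WebContentsCreated(this);
        // The delegate may have made our owner drop us. Re-check liveness on
        // the stack-local handle before any member access; without this, the
        // increment below reads and writes freed memory (what ASan reported).
        if (self.expired())
            return CreateResult::kAbortedSelfDestroyed;
        ++windows_created_;
        return CreateResult::kCompleted;
    }

private:
    std::string name_;
    Delegate* delegate_ = nullptr;
    int windows_created_ = 0;
};

// Owner of a WebContents, standing in for the Page in the failing test.
class Page {
public:
    std::shared_ptr<WebContents> contents = std::make_shared<WebContents>("original");
    // "Open the new window in the same page": replacing the contents outright
    // destroys the old WebContents while it is still on the call stack.
    void ReplaceContents() { contents = std::make_shared<WebContents>("replacement"); }
};

// Delegate mimicking openLinkInNewPage with an override targeting the same page.
struct SamePageDelegate : Delegate {
    explicit SamePageDelegate(Page* p) : page(p) {}
    void WebContentsCreated(WebContents*) override { page->ReplaceContents(); }
    Page* page;
};

// Delegate that opens nothing; the benign control case.
struct NoopDelegate : Delegate {
    void WebContentsCreated(WebContents*) override {}
};

// Runs one CreateNewWindow call through a raw (non-owning) pointer, as a
// caller that does not co-own the object would, and reports the guard outcome.
CreateResult RunScenario(bool same_page) {
    Page page;
    NoopDelegate noop;
    SamePageDelegate same(&page);
    page.contents->set_delegate(same_page ? static_cast<Delegate*>(&same) : &noop);
    WebContents* raw = page.contents.get();
    return raw->CreateNewWindow();
}

// Windows recorded by the original contents after a benign call (expected: 1).
int BenignWindowsCreated() {
    Page page;
    NoopDelegate noop;
    page.contents->set_delegate(&noop);
    page.contents->CreateNewWindow();
    return page.contents->windows_created();
}

int main() {
    std::cout << "benign: "
              << (RunScenario(false) == CreateResult::kCompleted ? "completed" : "aborted")
              << "\nsame page: "
              << (RunScenario(true) == CreateResult::kAbortedSelfDestroyed ? "aborted (self destroyed)" : "completed")
              << '\n';
    return 0;
}
```

      The guard only works because the liveness check reads the stack-local weak handle and nothing else; the unguarded form of the same function (incrementing the member unconditionally after the delegate returns) is the pattern AddressSanitizer flags as heap-use-after-free in frame #0 above. The alternative mitigation is for the owner to defer destruction until the delegate call has unwound, which is what the 5.15 behaviour described above effectively relied on.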


People

    Assignee: kiburtse Kirill Burtsev
    Reporter: kiburtse Kirill Burtsev
    Votes: 0
    Watchers: 1
