[Webkit-unassigned] [Bug 52629] New: [Qt] Crash in WebCore::ScrollView::repaintContentRectangle

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jan 18 08:33:21 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=52629

           Summary: [Qt] Crash in
                    WebCore::ScrollView::repaintContentRectangle
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P3
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: obi at saftware.de


Created an attachment (id=79280)
 --> (https://bugs.webkit.org/attachment.cgi?id=79280&action=review)
Example code to reproduce the crash

Using QWebPage to render a website into a QImage crashes frequently if JavaScript is enabled. See the attached sample code and stack trace from Ubuntu natty (Qt 4.7.1) on amd64. The crash depends on the visited website. The sample code uses http://www.heise.de/. http://www.google.com/ does not seem to be affected.

I've been able to reproduce this crash with Qt 4.7.0, 4.7.1 and 4.7.1+QtWebKit-2.2 in several Linux-based environments (Qt/X11 on Ubuntu maverick and natty on i386 and amd64, Qt/Embedded on Linux mipsel 32-bit).

The crash does not occur every time, but very frequently.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff70bfa0b in WebCore::ScrollView::repaintContentRectangle(WebCore::IntRect const&, bool) () from /usr/lib/libQtWebKit.so.4
#0  0x00007ffff70bfa0b in WebCore::ScrollView::repaintContentRectangle(WebCore::IntRect const&, bool) () from /usr/lib/libQtWebKit.so.4
#1  0x00007ffff7055199 in WebCore::FrameView::doDeferredRepaints() () from /usr/lib/libQtWebKit.so.4
#2  0x00007ffff7057be9 in WebCore::FrameView::layout(bool) () from /usr/lib/libQtWebKit.so.4
#3  0x00007ffff70cb3c2 in WebCore::ThreadTimers::sharedTimerFiredInternal() () from /usr/lib/libQtWebKit.so.4
#4  0x00007ffff5507779 in QObject::event (this=0x7ffa20, e=<value optimized out>) at kernel/qobject.cpp:1183
#5  0x00007ffff59e1024 in QApplicationPrivate::notify_helper (this=0x607000, receiver=0x7ffa20, e=0x7fffffffde80) at kernel/qapplication.cpp:4445
#6  0x00007ffff59e595a in QApplication::notify (this=<value optimized out>, receiver=0x7ffa20, e=0x7fffffffde80) at kernel/qapplication.cpp:4324
#7  0x00007ffff54f3aec in QCoreApplication::notifyInternal (this=0x7fffffffe190, receiver=0x7ffa20, event=0x7fffffffde80) at kernel/qcoreapplication.cpp:732
#8  0x00007ffff55214c2 in sendEvent (this=0x60cd50) at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:215
#9  QTimerInfoList::activateTimers (this=0x60cd50) at kernel/qeventdispatcher_unix.cpp:603
#10 0x00007ffff551e2e4 in timerSourceDispatch (source=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:184
#11 0x00007ffff2ea3d0d in g_main_dispatch (context=0x60bc80) at /build/buildd/glib2.0-2.27.91/glib/gmain.c:2440
#12 g_main_context_dispatch (context=0x60bc80) at /build/buildd/glib2.0-2.27.91/glib/gmain.c:3013
#13 0x00007ffff2ea44f8 in g_main_context_iterate (context=0x60bc80, block=<value optimized out>, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.27.91/glib/gmain.c:3091
#14 0x00007ffff2ea4789 in g_main_context_iteration (context=0x60bc80, may_block=1) at /build/buildd/glib2.0-2.27.91/glib/gmain.c:3154
#15 0x00007ffff551e9cf in QEventDispatcherGlib::processEvents (this=0x609160, flags=<value optimized out>) at kernel/qeventdispatcher_glib.cpp:415
#16 0x00007ffff5a86f9e in QGuiEventDispatcherGlib::processEvents (this=<value optimized out>, flags=<value optimized out>) at kernel/qguieventdispatcher_glib.cpp:204
#17 0x00007ffff54f2ed2 in QEventLoop::processEvents (this=<value optimized out>, flags=...) at kernel/qeventloop.cpp:149
#18 0x00007ffff54f310c in QEventLoop::exec (this=0x7fffffffe0f0, flags=...) at kernel/qeventloop.cpp:201
#19 0x00007ffff54f751b in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1009
#20 0x0000000000401c8e in main (argc=1, argv=<value optimized out>) at main.cpp:11

The crash occurs in this method:

void FrameView::doDeferredRepaints()
{
    ASSERT(!m_deferringRepaints);
    if (isOffscreen() && !shouldUpdateWhileOffscreen()) {
        m_repaintRects.clear();
        m_repaintCount = 0;
        return;
    }
    unsigned size = m_repaintRects.size();
    for (unsigned i = 0; i < size; i++) {
#if ENABLE(TILED_BACKING_STORE)
        if (frame()->tiledBackingStore()) {
            frame()->tiledBackingStore()->invalidate(m_repaintRects[i]);
            continue;
        }
#endif
        ScrollView::repaintContentRectangle(m_repaintRects[i], false);
    }
    m_repaintRects.clear();
    m_repaintCount = 0;

    updateDeferredRepaintDelay();
}

It seems as if ScrollView::repaintContentRectangle() triggered a modification of m_repaintRects, so that m_repaintRects[i] became invalid inside the loop.

Steps to reproduce:
tar -xzf ewebview-0.0.1.tar.gz && cd ewebview-0.0.1 && ./configure && make && ./src/eWebView

I'm unsure which component this bug belongs to (WebCore JavaScript or WebCore Misc.), so I left it at New Bugs.

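The hypothesis in the report (a repaint callback re-entering and modifying m_repaintRects while doDeferredRepaints() is still indexing it) is a re-entrancy hazard that is worth seeing in isolation. The following is an added, stand-alone illustration and is not WebKit code: RepaintQueue, Sink, doDeferredRepaintsUnsafe() and doDeferredRepaintsSafe() are hypothetical stand-ins for FrameView's bookkeeping, and the re-entrant sink is a constructed scenario. The unsafe method copies the loop shape from the bug (cache size, index the member vector while the callback runs); it uses at() so that the stale-size case surfaces as std::out_of_range rather than as silent undefined behaviour. A second hazard, not made observable here, is that a re-entrant push_back() can reallocate the vector and leave the const IntRect& handed to the callback dangling. The hardened form moves the pending list into a local before iterating; whether that is what WebKit eventually shipped for this bug is not stated on this page.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <utility>
#include <vector>

struct IntRect { int x, y, w, h; };

// Hypothetical stand-in for FrameView's deferred-repaint state (not WebKit code).
class RepaintQueue {
public:
    using Sink = std::function<void(RepaintQueue&, const IntRect&)>;

    void addRepaintRect(const IntRect& r) { m_repaintRects.push_back(r); }
    size_t pendingCount() const { return m_repaintRects.size(); }

    // Loop shape from the bug report: the size is cached and the member vector
    // is indexed while the sink runs. If the sink re-enters and clears or
    // appends, the cached size is stale. at() makes that an exception instead
    // of an out-of-bounds read.
    int doDeferredRepaintsUnsafe(const Sink& sink) {
        int painted = 0;
        unsigned size = m_repaintRects.size();
        for (unsigned i = 0; i < size; i++) {
            sink(*this, m_repaintRects.at(i));
            ++painted;
        }
        m_repaintRects.clear();
        return painted;
    }

    // Hardened form: take ownership of the pending rectangles first, then walk
    // the local copy. A re-entrant clear cannot touch the list being walked and
    // a re-entrant add lands in the (now empty) member, to be drained next time.
    int doDeferredRepaintsSafe(const Sink& sink) {
        std::vector<IntRect> rects;
        rects.swap(m_repaintRects);
        int painted = 0;
        for (const IntRect& r : rects) {
            sink(*this, r);
            ++painted;
        }
        return painted;
    }

private:
    std::vector<IntRect> m_repaintRects;
};

// Constructed scenario: on the first rectangle the sink re-enters the queue the
// way a repaint that triggers another layout pass would (draining the queue,
// which clears it) and then schedules one more rectangle.
static RepaintQueue::Sink reentrantSink(bool safe) {
    return [safe, fired = false](RepaintQueue& q, const IntRect&) mutable {
        if (fired)
            return;
        fired = true;
        if (safe)
            q.doDeferredRepaintsSafe([](RepaintQueue&, const IntRect&) {});
        else
            q.doDeferredRepaintsUnsafe([](RepaintQueue&, const IntRect&) {});
        q.addRepaintRect({0, 0, 10, 10});
    };
}

struct Outcome { int painted; size_t leftPending; bool outOfRange; };

// Three queued rectangles (constructed data), drained with the re-entrant sink.
Outcome runScenario(bool safe) {
    RepaintQueue q;
    q.addRepaintRect({0, 0, 100, 20});
    q.addRepaintRect({0, 20, 100, 20});
    q.addRepaintRect({0, 40, 100, 20});
    Outcome o{0, 0, false};
    try {
        o.painted = safe ? q.doDeferredRepaintsSafe(reentrantSink(true))
                         : q.doDeferredRepaintsUnsafe(reentrantSink(false));
    } catch (const std::out_of_range&) {
        o.outOfRange = true;  // stale cached size indexed a shrunken vector
    }
    o.leftPending = q.pendingCount();
    return o;
}

int main() {
    Outcome u = runScenario(false);
    Outcome s = runScenario(true);
    std::printf("unsafe: outOfRange=%d painted=%d pending=%zu\n",
                u.outOfRange, u.painted, u.leftPending);
    std::printf("safe:   outOfRange=%d painted=%d pending=%zu\n",
                s.outOfRange, s.painted, s.leftPending);
    return 0;
}
```

In the unsafe run the nested drain empties the vector and re-adds one rectangle, so the outer loop's cached size of 3 indexes past the end on its second iteration. In the safe run the outer walk completes over all three rectangles and the rectangle added during the walk is left pending for the next pass, which is the behaviour a deferred-repaint timer wants.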