[Webkit-unassigned] [Bug 71035] New: crash near WebCore::QtFallbackWebPopupCombo::hidePopup when dismissing a <select> before it is fully rendered (Mac only)

Thu Oct 27 10:53:09 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=71035

           Summary: crash near WebCore::QtFallbackWebPopupCombo::hidePopup
                    when dismissing a <select> before it is fully rendered
                    (Mac only)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit Qt
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: sturm at branewave.com

I can consistently cause a crash by rapidly opening/dismissing a "select" (combo box) element.

I have only seen this on Mac OS X.  I have seen it on all recent versions, OS X 10.4 through 10.7.

Steps:
1. launch "fancybrowser.app" (one of the examples that ships with Qt -- /Developer/Examples/Qt/webkit/fancybrowser)
2. go to http://www.tizag.com/htmlT/htmlselect.php (or basically any webpage that has a "select")
3. rapidly open and dismiss one of the select's (I do this by clicking to open it, and then hitting esc to dismiss it, over and over as quick as possible)
4. Crash!!

I do believe the crash happens if you dismiss the popup before it is done rendering.  So it's a timing issue and can be difficult to reproduce.  You have to go real fast.  The more items in the select the better -- you have a longer timeframe to cause the problem.  I also suspect that if you got fancy CSS styling going on, it may give you a longer timeframe in which to cause the problem.

Anyhow, here are two crash reports.  The middle bits are a little different, but it always filters back down into WebCore::QtFallbackWebPopupCombo::hidePopup.

-------- 8< ---------
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000040422f58

VM Regions Near 0x40422f58:
    JS garbage collector   000000000cb40000-000000000cbc0000 [  512K] rw-/rw- SM=PRV  
--> 
    __TEXT                 000000008febd000-000000008fef0000 [  204K] r-x/rwx SM=COW  /usr/lib/dyld

Application Specific Information:
objc[18026]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   QtGui                             0x019562b9 QWidget::style() const + 9
1   QtGui                             0x01cc822b QComboBox::hidePopup() + 267
2   QtWebKit                          0x00960e7e WebCore::QtFallbackWebPopupCombo::hidePopup() + 46
3   QtGui                             0x01cc3225 QComboBoxPrivateContainer::eventFilter(QObject*, QEvent*) + 501
4   QtCore                            0x0252434f QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) + 143
5   QtGui                             0x01910463 QApplicationPrivate::notify_helper(QObject*, QEvent*) + 147
6   QtGui                             0x01919006 QApplication::notify(QObject*, QEvent*) + 7638
7   QtCore                            0x02435b5c QCoreApplication::notifyInternal(QObject*, QEvent*) + 108
8   QtGui                             0x01949c9c QShortcutMap::tryShortcutEvent(QObject*, QKeyEvent*) + 108
9   QtGui                             0x019190b0 QApplication::notify(QObject*, QEvent*) + 7808
10  QtCore                            0x02435b5c QCoreApplication::notifyInternal(QObject*, QEvent*) + 108
11  QtGui                             0x019111fc qt_sendSpontaneousEvent(QObject*, QEvent*) + 60
12  QtGui                             0x0198a377 QKeyMapper::sendKeyEvent(QWidget*, bool, QEvent::Type, int, QFlags<Qt::KeyboardModifier>, QString const&, bool, int, unsigned int, unsigned int, unsigned int, bool*) + 167
13  QtGui                             0x0198b1c6 QKeyMapperPrivate::translateKeyEvent(QWidget*, OpaqueEventHandlerCallRef*, OpaqueEventRef*, void*, bool) + 742
14  QtGui                             0x018c35fc qt_dispatchKeyEvent(void*, QWidget*) + 236
15  QtGui                             0x018b664f -[QCocoaView keyDown:] + 335
16  com.apple.AppKit                  0x926e54cf -[NSWindow sendEvent:] + 10891
17  QtGui                             0x018bc22b -[QCocoaWindow sendEvent:] + 267
18  com.apple.AppKit                  0x9267c6ff -[NSApplication sendEvent:] + 4788
19  QtGui                             0x018bf9dd -[QNSApplication sendEvent:] + 93
20  com.apple.AppKit                  0x9260dc82 -[NSApplication run] + 1007
21  QtGui                             0x018c9a51 QEventDispatcherMac::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 1505
22  QtCore                            0x025239c1 QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 65
23  QtCore                            0x02523d0a QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 170
24  QtCore                            0x02525166 QCoreApplication::exec() + 182
25  com.yourcompany.fancybrowser      0x00004a41 main + 435 (main.cpp:54)
26  com.yourcompany.fancybrowser      0x000045f1 _start + 208
27  com.yourcompany.fancybrowser      0x00004520 start + 40
-------- 8< ---------
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000030b9b7fc

VM Regions Near 0x30b9b7fc:
    MALLOC_TINY            000000000d500000-000000000d600000 [ 1024K] rw-/rwx SM=PRV  
--> 
    __TEXT                 000000008fe53000-000000008fe86000 [  204K] r-x/rwx SM=COW  /usr/lib/dyld

Application Specific Information:
objc[18122]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   QtGui                             0x019562b9 QWidget::style() const + 9
1   QtGui                             0x01cc822b QComboBox::hidePopup() + 267
2   QtWebKit                          0x00960e7e WebCore::QtFallbackWebPopupCombo::hidePopup() + 46
3   QtGui                             0x01ccb40f QComboBoxPrivateContainer::mousePressEvent(QMouseEvent*) + 191
4   QtGui                             0x0196509f QWidget::event(QEvent*) + 2351
5   QtGui                             0x01cf3c28 QFrame::event(QEvent*) + 40
6   QtGui                             0x0191048c QApplicationPrivate::notify_helper(QObject*, QEvent*) + 188
7   QtGui                             0x019194bd QApplication::notify(QObject*, QEvent*) + 8845
8   QtCore                            0x02435b5c QCoreApplication::notifyInternal(QObject*, QEvent*) + 108
9   QtGui                             0x019111fc qt_sendSpontaneousEvent(QObject*, QEvent*) + 60
10  QtGui                             0x018c5623 qt_mac_handleMouseEvent(void*, void*, QEvent::Type, Qt::MouseButton) + 2019
11  QtGui                             0x018b55a0 -[QCocoaView mouseDown:] + 64
12  com.apple.AppKit                  0x926e47b1 -[NSWindow sendEvent:] + 7533
13  QtGui                             0x018b353b -[QCocoaPanel sendEvent:] + 267
14  com.apple.AppKit                  0x9267c6ff -[NSApplication sendEvent:] + 4788
15  QtGui                             0x018bf9dd -[QNSApplication sendEvent:] + 93
16  com.apple.AppKit                  0x9260dc82 -[NSApplication run] + 1007
17  QtGui                             0x018c9a51 QEventDispatcherMac::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 1505
18  QtCore                            0x025239c1 QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 65
19  QtCore                            0x02523d0a QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 170
20  QtCore                            0x02525166 QCoreApplication::exec() + 182
21  com.yourcompany.fancybrowser      0x00004a41 main + 435 (main.cpp:54)
22  com.yourcompany.fancybrowser      0x000045f1 _start + 208
23  com.yourcompany.fancybrowser      0x00004520 start + 40
-------- 8< ---------

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.