37521 2010-04-13 14:07:30 -0700 [Qt] QtWebKit crash on shutdown 2010-04-19 17:49:10 -0700 1 1 1 Unclassified WebKit WebKit Qt 528+ (Nightly build) PC All RESOLVED DUPLICATE 36832 Qt P2 Normal --- 0 agbakken agbakken hausmann kbalazs koshuin laszlo.gombos yael zherczeg oldest_to_newest 212076 0 53278 agbakken 2010-04-13 14:07:30 -0700 Created attachment 53278 patch that fixes the crash I get the following crash on shutdown of a Qt webkit application: ==8808== Invalid read of size 8 ==8808== at 0x9AF2E90: QObject::thread() const (qobject.cpp:1409) ==8808== by 0x72801BD: WTF::isMainThread() (ThreadingQt.cpp:220) ==8808== by 0x66C7ED5: WebCore::JSDOMWindowBase::commonJSGlobalData() (JSDOMWindowBase.cpp:155) ==8808== by 0x66AF816: WebCore::collect(void*) (GCController.cpp:46) ==8808== by 0x66AFADF: WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController>*) (GCController.cpp:69) ==8808== by 0x66AFC33: WebCore::Timer<WebCore::GCController>::fired() (Timer.h:98) ==8808== by 0x6CA0A53: WebCore::ThreadTimers::sharedTimerFiredInternal() (ThreadTimers.cpp:112) ==8808== by 0x6CA0986: WebCore::ThreadTimers::sharedTimerFired() (ThreadTimers.cpp:90) ==8808== by 0x6E73E36: WebCore::SharedTimerQt::~SharedTimerQt() (SharedTimerQt.cpp:68) ==8808== by 0x9AF59D6: QObjectPrivate::deleteChildren() (qobject.cpp:1972) ==8808== by 0x9AF8BFB: QObject::~QObject() (qobject.cpp:969) ==8808== by 0x8E7DCB3: QApplication::~QApplication() (qapplication.cpp:1138) ==8808== Address 0x8 is not stack'd, malloc'd or (recently) free'd ==8808== ==8808== ==8808== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==8808== Access not within mapped region at address 0x8 ==8808== at 0x9AF2E90: QObject::thread() const (qobject.cpp:1409) ==8808== by 0x72801BD: WTF::isMainThread() (ThreadingQt.cpp:220) ==8808== by 0x66C7ED5: WebCore::JSDOMWindowBase::commonJSGlobalData() (JSDOMWindowBase.cpp:155) ==8808== by 0x66AF816: WebCore::collect(void*) (GCController.cpp:46) ==8808== by 0x66AFADF: WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController>*) (GCController.cpp:69) ==8808== by 0x66AFC33: WebCore::Timer<WebCore::GCController>::fired() (Timer.h:98) ==8808== by 0x6CA0A53: WebCore::ThreadTimers::sharedTimerFiredInternal() (ThreadTimers.cpp:112) ==8808== by 0x6CA0986: WebCore::ThreadTimers::sharedTimerFired() (ThreadTimers.cpp:90) ==8808== by 0x6E73E36: WebCore::SharedTimerQt::~SharedTimerQt() (SharedTimerQt.cpp:68) ==8808== by 0x9AF59D6: QObjectPrivate::deleteChildren() (qobject.cpp:1972) ==8808== by 0x9AF8BFB: QObject::~QObject() (qobject.cpp:969) ==8808== by 0x8E7DCB3: QApplication::~QApplication() (qapplication.cpp:1138) It reproduces pretty much every time but the example is rather involved and includes adding some code to WebKit that may or may not be important for reproducing the problem. Let me know if you want to see the example. It seems like the problem is that isMainThread is called after QCoreApplication is deleted. I've attached a patch that fixes it but I am not 100% about the following: Could this thread be called in one thread while QCoreApplication is being deleted in another? If so, one would have to do some more thread-synchronization for this to be safe. Should it return true or false if QCoreApplication doesn't exist? 212809 1 zherczeg 2010-04-15 05:04:15 -0700 Is it a valgrind output? Am I see right that QApplication destructor fires the shared timer system of WebCore? I am wondering the possible side effects of such call. Perhaps it would be better to delete the SharedTimer just before the destructor of QApplication... 212920 2 agbakken 2010-04-15 10:34:12 -0700 (In reply to comment #1) > Is it a valgrind output? > > Am I see right that QApplication destructor fires the shared timer system of > WebCore? I am wondering the possible side effects of such call. Perhaps it > would be better to delete the SharedTimer just before the destructor of > QApplication... Hi Zoltan It is valgrind. I can't get gdb to run against a debug version of WebKit. I have to admit I wouldn't know about your proposed fix. I just saw the error and found a simple way to fix it. Maybe someone who knows the details better could comment. regards Anders 213521 3 hausmann 2010-04-16 17:24:40 -0700 This is technically a duplicate of 36832, but I admit I like Anders' solution 213522 4 hausmann 2010-04-16 17:24:59 -0700 I meant bug 36832 213596 5 zherczeg 2010-04-17 02:35:32 -0700 As far as I see this is an assertion fail, so only debug builds may crash. And the poblem is not there I think. Actually a half destroyed QApplication fires all timers, and a timer can do practically anything in WebKit, like it can also access/changes the members of this QApplication. This is unsafe. I feel this fix hides the issue, not solve it. Anyway it is just my opinion, nothing more. 213695 6 kbalazs 2010-04-17 17:09:09 -0700 (In reply to comment #1) > Is it a valgrind output? > > Am I see right that QApplication destructor fires the shared timer system of > WebCore? I am wondering the possible side effects of such call. Perhaps it > would be better to delete the SharedTimer just before the destructor of > QApplication... Yep, this is exactly what happens here. I think we can achieve the behavior what you mentioned by installing a self-destroying slot for QApplication::aboutToQuit() into the SharedTimerQt instance (and make it independent from the QApplication). I will try it! :) 214384 7 hausmann 2010-04-19 17:45:45 -0700 *** This bug has been marked as a duplicate of bug 36832 *** 214387 8 53278 hausmann 2010-04-19 17:49:10 -0700 Comment on attachment 53278 patch that fixes the crash r- as http://trac.webkit.org/changeset/57818 was landed 53278 2010-04-13 14:07:30 -0700 2010-04-19 17:49:10 -0700 patch that fixes the crash patch text/plain 1082 agbakken SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDU3NTI5KQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTIgQEAKKzIwMTAtMDQtMTMgIEFuZGVycyBC YWtrZW4gIDxBbmRlcnMgQmFra2VuIDxhZ2Jha2tlbkBnbWFpbC5jb20+PgorCisgICAgICAgIFJl dmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFNhbml0eS1jaGVjayBRQ29yZUFw cGxpYXRpb246Omluc3RhbmNlKCkgaW4gV1RGOjppc01haW5UaHJlYWQoKS4KKworICAgICAgICAq IHd0Zi9xdC9UaHJlYWRpbmdRdC5jcHA6CisgICAgICAgIChXVEY6OmlzTWFpblRocmVhZCk6CisK IDIwMTAtMDQtMTIgIEpvY2VseW4gVHVyY290dGUgIDxqb2NlbHluLnR1cmNvdHRlQG5va2lhLmNv bT4KIAogICAgICAgICBSZXZpZXdlZCBieSBub2JvZHksIGJ1aWxkIGZpeC4KSW5kZXg6IEphdmFT Y3JpcHRDb3JlL3d0Zi9xdC9UaHJlYWRpbmdRdC5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gSmF2YVNjcmlw dENvcmUvd3RmL3F0L1RocmVhZGluZ1F0LmNwcAkocmV2aXNpb24gNTc1MjkpCisrKyBKYXZhU2Ny aXB0Q29yZS93dGYvcXQvVGhyZWFkaW5nUXQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0yMTcsNyAr MjE3LDcgQEAgVGhyZWFkSWRlbnRpZmllciBjdXJyZW50VGhyZWFkKCkKIAogYm9vbCBpc01haW5U aHJlYWQoKQogewotICAgIHJldHVybiBRVGhyZWFkOjpjdXJyZW50VGhyZWFkKCkgPT0gUUNvcmVB cHBsaWNhdGlvbjo6aW5zdGFuY2UoKS0+dGhyZWFkKCk7CisgICAgcmV0dXJuICFRQ29yZUFwcGxp Y2F0aW9uOjppbnN0YW5jZSgpIHx8IChRVGhyZWFkOjpjdXJyZW50VGhyZWFkKCkgPT0gUUNvcmVB cHBsaWNhdGlvbjo6aW5zdGFuY2UoKS0+dGhyZWFkKCkpOwogfQogCiBNdXRleDo6TXV0ZXgoKQo=