Fix access to deleted memory on QWebEnginePage destruction

Suppose QWebEnginePage is destroyed while there's still a combobox popup
open. We would crash with the following stack trace:

1   QtWebEngineCore::RenderWidgetHostViewQt::dpiScale
2   QtWebEngineCore::RenderWidgetHostViewQt::GetViewBounds
3   content::RenderWidgetHostImpl::SendScreenRects
4   content::RenderWidgetHostImpl::OnRenderViewReady
...
16  base::MessageLoop::DoWork
17  WebEngineContext::destroy
18  `anonymous namespace'::destroyContext
19  qt_call_post_routines
20  QApplication::~QApplication

RenderWidgetHostViewQt still holds a pointer to WebContentsAdapterClient.
To fix this, expose the QObject owning the adapter client, and
hide RenderWidgetHostViewQt when it is destroyed so it won't try to render.

Change-Id: Ide5543197b35038a3e1c7491ceda3f5ad10f6f07
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 5 insertions, 0 deletions

diff --git a/src/core/render_widget_host_view_qt.cpp b/src/core/render_widget_host_view_qt.cpp
index 220761ef3..24b148ca5 100644
--- a/src/core/render_widget_host_view_qt.cpp
+++ b/src/core/render_widget_host_view_qt.cpp
@@ -273,6 +273,7 @@ RenderWidgetHostViewQt::RenderWidgetHostViewQt(content::RenderWidgetHost* widget
 
 RenderWidgetHostViewQt::~RenderWidgetHostViewQt()
 {
+    QObject::disconnect(m_adapterClientDestroyedConnection);
 #ifndef QT_NO_ACCESSIBILITY
     QAccessible::removeActivationObserver(this);
 #endif // QT_NO_ACCESSIBILITY
@@ -288,6 +289,10 @@ void RenderWidgetHostViewQt::setAdapterClient(WebContentsAdapterClient *adapterC
     Q_ASSERT(!m_adapterClient);
 
     m_adapterClient = adapterClient;
+    QObject::disconnect(m_adapterClientDestroyedConnection);
+    m_adapterClientDestroyedConnection = QObject::connect(adapterClient->holdingQObject(),
+                                                          &QObject::destroyed, [this] {
+                                                            m_adapterClient = nullptr; });
     if (m_initPending)
         InitAsChild(0);
 }