diff options
author | Joerg Bornemann <joerg.bornemann@qt.io> | 2016-06-15 10:42:05 +0200 |
---|---|---|
committer | Joerg Bornemann <joerg.bornemann@qt.io> | 2016-06-16 08:44:30 +0000 |
commit | d5cde6f1b4f7a8a2cfd4a9dbdf63cd2e2502c000 (patch) | |
tree | 58f749af3b0ac77e3b51608a502988063904c2ad /src/core/render_widget_host_view_qt.h | |
parent | aaa91ea2551f7df5ff9023c8fa7743e76070bac9 (diff) |
Fix access to deleted memory on QWebEnginePage destruction
Suppose QWebEnginePage is destroyed while there's still a combobox popup
open. We would crash with the following stack trace:
1 QtWebEngineCore::RenderWidgetHostViewQt::dpiScale
2 QtWebEngineCore::RenderWidgetHostViewQt::GetViewBounds
3 content::RenderWidgetHostImpl::SendScreenRects
4 content::RenderWidgetHostImpl::OnRenderViewReady
...
16 base::MessageLoop::DoWork
17 WebEngineContext::destroy
18 `anonymous namespace'::destroyContext
19 qt_call_post_routines
20 QApplication::~QApplication
RenderWidgetHostViewQt still holds a pointer to WebContentsAdapterClient.
To fix this, expose the QObject owning the adapter client, and
hide RenderWidgetHostViewQt when it is destroyed so it won't try to render.
Change-Id: Ide5543197b35038a3e1c7491ceda3f5ad10f6f07
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src/core/render_widget_host_view_qt.h')
-rw-r--r-- | src/core/render_widget_host_view_qt.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/core/render_widget_host_view_qt.h b/src/core/render_widget_host_view_qt.h index 2a56f61a4..2e6563a67 100644 --- a/src/core/render_widget_host_view_qt.h +++ b/src/core/render_widget_host_view_qt.h @@ -226,6 +226,7 @@ private: bool m_didFirstVisuallyNonEmptyLayout; uint32 m_pendingOutputSurfaceId; + QMetaObject::Connection m_adapterClientDestroyedConnection; WebContentsAdapterClient *m_adapterClient; MultipleMouseClickHelper m_clickHelper; |