author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-11-16 14:36:33 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-05 13:59:35 +0000 |
commit | 9ef3a8263098c6a32db8b824aabf85587d1f1140 (patch) | |
tree | 9ef2a62d51287dd676ebada6d63058687144bc2c /src/core/web_engine_context.cpp | |
parent | 196ae04aa7c9b274880409fb38a050db99197900 (diff) |
Fix access after free on shutdown
Now that we keep the browser-context around after the profile is deleted,
it was keeping pointers to deleted objects and would sometimes use them
on shutdown.
Change-Id: Ib67d0ee0b27cb1a1b64d9b8b4c348ed418b9bbc3
Reviewed-by: Peter Varga <pvarga@inf.u-szeged.hu>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'src/core/web_engine_context.cpp')
-rw-r--r-- | src/core/web_engine_context.cpp | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/src/core/web_engine_context.cpp b/src/core/web_engine_context.cpp
index 900b82eb9..6a8c8ae73 100644
--- a/src/core/web_engine_context.cpp
+++ b/src/core/web_engine_context.cpp
@@ -117,7 +117,11 @@ void destroyContext()
 // Before destroying MessageLoop via destroying BrowserMainRunner destructor
 // WebEngineContext's pointer is used.
 sContext->destroy();
- sContext = 0;
+#if !defined(NDEBUG)
+ if (!sContext->HasOneRef())
+ qWarning("WebEngineContext leaked on exit, likely due to leaked WebEngine View or Page");
+#endif
+ sContext = nullptr;
 s_destroyed = true;
 }
@@ -193,19 +197,26 @@ void WebEngineContext::destroy()
 {
 if (m_devtoolsServer)
 m_devtoolsServer->stop();
- delete m_globalQObject;
- m_globalQObject = 0;
 base::MessagePump::Delegate *delegate = m_runLoop->loop_;
 // Flush the UI message loop before quitting.
 while (delegate->DoWork()) { }
+
+ if (m_defaultBrowserContext)
+ m_defaultBrowserContext->shutdown();
+ // Delete the global object and thus custom profiles
+ delete m_globalQObject;
+ m_globalQObject = nullptr;
+ // Handle any events posted by browser-context shutdown.
+ while (delegate->DoWork()) { }
+
 GLContextHelper::destroy();
- m_devtoolsServer.reset(0);
+ m_devtoolsServer.reset();
 m_runLoop->AfterRun();
 // Force to destroy RenderProcessHostImpl by destroying BrowserMainRunner.
 // RenderProcessHostImpl should be destroyed before WebEngineContext since
 // default BrowserContext might be used by the RenderprocessHostImpl's destructor.
- m_browserRunner.reset(0);
+ m_browserRunner.reset();
 // Drop the false reference.
 sContext->Release(); |
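Review bot: The new debug check in destroyContext() reads `sContext->HasOneRef()` immediately after `sContext->destroy()`, and the last visible statement of destroy() in the second hunk is `sContext->Release()`, so the read is only safe while the global itself still owns a reference. The declaration of sContext is outside the hunk; if it is a ref-counting smart pointer the assumption holds, but it deserves a comment such as `// sContext still owns one reference here; destroy() only dropped the extra one`. The check is also compiled out under NDEBUG, so in release builds a leaked View or Page keeps an already-destroyed context reachable with no diagnostic; consider emitting the warning unconditionally by dropping the `#if !defined(NDEBUG)` / `#endif` pair.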
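Review bot: The use-after-free fix in WebEngineContext::destroy() rests entirely on statement order (`m_defaultBrowserContext->shutdown()` before `delete m_globalQObject`, then a second `DoWork()` drain), yet the shutdown call is the one step left without a comment. A line above it such as `// Shut down the default browser-context first so it drops its pointers to objects owned by m_globalQObject` would keep a later reorder from reintroducing the bug; that wording is inferred from the commit message, since shutdown() is not defined in this file. m_defaultBrowserContext stays set after shutdown() and presumably remains reachable until `m_browserRunner.reset()`, so it is worth confirming that shutdown() clears every pointer into the deleted profiles and that later users tolerate a shut-down context. The function's closing brace is outside the hunk.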