author | Joerg Bornemann <joerg.bornemann@qt.io> | 2016-06-15 10:42:05 +0200 |
---|---|---|
committer | Joerg Bornemann <joerg.bornemann@qt.io> | 2016-06-16 08:44:30 +0000 |
commit | d5cde6f1b4f7a8a2cfd4a9dbdf63cd2e2502c000 (patch) | |
tree | 58f749af3b0ac77e3b51608a502988063904c2ad /src/core | |
parent | aaa91ea2551f7df5ff9023c8fa7743e76070bac9 (diff) |
Fix access to deleted memory on QWebEnginePage destruction
Suppose QWebEnginePage is destroyed while there's still a combobox popup
open. We would crash with the following stack trace:
1 QtWebEngineCore::RenderWidgetHostViewQt::dpiScale
2 QtWebEngineCore::RenderWidgetHostViewQt::GetViewBounds
3 content::RenderWidgetHostImpl::SendScreenRects
4 content::RenderWidgetHostImpl::OnRenderViewReady
...
16 base::MessageLoop::DoWork
17 WebEngineContext::destroy
18 `anonymous namespace'::destroyContext
19 qt_call_post_routines
20 QApplication::~QApplication
RenderWidgetHostViewQt still holds a pointer to WebContentsAdapterClient.
To fix this, expose the QObject owning the adapter client, and
hide RenderWidgetHostViewQt when it is destroyed so it won't try to render.
Change-Id: Ide5543197b35038a3e1c7491ceda3f5ad10f6f07
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/render_widget_host_view_qt.cpp | 5 | ||||
-rw-r--r-- | src/core/render_widget_host_view_qt.h | 1 | ||||
-rw-r--r-- | src/core/web_contents_adapter_client.h | 1 |
3 files changed, 7 insertions, 0 deletions
diff --git a/src/core/render_widget_host_view_qt.cpp b/src/core/render_widget_host_view_qt.cpp
index 220761ef3..24b148ca5 100644
--- a/src/core/render_widget_host_view_qt.cpp
+++ b/src/core/render_widget_host_view_qt.cpp
@@ -273,6 +273,7 @@ RenderWidgetHostViewQt::RenderWidgetHostViewQt(content::RenderWidgetHost* widget
 RenderWidgetHostViewQt::~RenderWidgetHostViewQt() {
+ QObject::disconnect(m_adapterClientDestroyedConnection);
 #ifndef QT_NO_ACCESSIBILITY
 QAccessible::removeActivationObserver(this);
 #endif // QT_NO_ACCESSIBILITY
@@ -288,6 +289,10 @@ void RenderWidgetHostViewQt::setAdapterClient(WebContentsAdapterClient *adapterC
 Q_ASSERT(!m_adapterClient);
 m_adapterClient = adapterClient;
+ QObject::disconnect(m_adapterClientDestroyedConnection);
+ m_adapterClientDestroyedConnection = QObject::connect(adapterClient->holdingQObject(),
+ &QObject::destroyed, [this] {
+ m_adapterClient = nullptr; });
 if (m_initPending) InitAsChild(0);
 }
diff --git a/src/core/render_widget_host_view_qt.h b/src/core/render_widget_host_view_qt.h
index 2a56f61a4..2e6563a67 100644
--- a/src/core/render_widget_host_view_qt.h
+++ b/src/core/render_widget_host_view_qt.h
@@ -226,6 +226,7 @@ private:
 bool m_didFirstVisuallyNonEmptyLayout;
 uint32 m_pendingOutputSurfaceId;
+ QMetaObject::Connection m_adapterClientDestroyedConnection;
 WebContentsAdapterClient *m_adapterClient;
 MultipleMouseClickHelper m_clickHelper;
diff --git a/src/core/web_contents_adapter_client.h b/src/core/web_contents_adapter_client.h
index e6d25a8fb..f0927c9e5 100644
--- a/src/core/web_contents_adapter_client.h
+++ b/src/core/web_contents_adapter_client.h
@@ -240,6 +240,7 @@ public:
 virtual void requestGeometryChange(const QRect &geometry) = 0;
 virtual void allowCertificateError(const QSharedPointer<CertificateErrorController> &errorController) = 0;
 virtual bool isEnabled() const = 0;
+ virtual const QObject *holdingQObject() const = 0;
 virtual QSharedPointer<BrowserContextAdapter> browserContextAdapter() = 0; |
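Review bot: Once the lambda added in setAdapterClient() runs `m_adapterClient = nullptr`, every later dereference of that member becomes a null-pointer access instead of a use-after-free, and none of the hunks shown add a null check; the trace in the commit message names dpiScale(), reached through GetViewBounds(), as one such path. The description relies on hiding the view so that it stops rendering, but that code is not visible in this diff, so the methods that read m_adapterClient should be confirmed to return early when it is null. The connect call also dereferences `adapterClient` and uses the result of `holdingQObject()` unchecked; `Q_ASSERT(adapterClient && adapterClient->holdingQObject());` ahead of it would catch an implementation that returns null, in which case no connection is made and the pointer would dangle exactly as before. The signature and opening brace of setAdapterClient() are outside the hunk.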
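Review bot: The new pure virtual `holdingQObject()` in web_contents_adapter_client.h has no comment stating its contract, although setAdapterClient() now depends on it returning a live, non-null QObject whose `destroyed` signal marks the point after which the client must no longer be used. I would add above the declaration `// Returns the QObject that owns this client; never null. Observers drop their pointer to the client when it emits destroyed().` Because the method is pure virtual, every WebContentsAdapterClient implementation has to provide it, and the diffstat here is limited to src/core, so it is worth confirming the implementers elsewhere return the owning object rather than some longer- or shorter-lived one. The class declaration begins and ends outside the hunk.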