From d5cde6f1b4f7a8a2cfd4a9dbdf63cd2e2502c000 Mon Sep 17 00:00:00 2001 From: Joerg Bornemann Date: Wed, 15 Jun 2016 10:42:05 +0200 Subject: Fix access to deleted memory on QWebEnginePage destruction Suppose QWebEnginePage is destroyed while there's still a combobox popup open. We would crash with the following stack trace: 1 QtWebEngineCore::RenderWidgetHostViewQt::dpiScale 2 QtWebEngineCore::RenderWidgetHostViewQt::GetViewBounds 3 content::RenderWidgetHostImpl::SendScreenRects 4 content::RenderWidgetHostImpl::OnRenderViewReady ... 16 base::MessageLoop::DoWork 17 WebEngineContext::destroy 18 `anonymous namespace'::destroyContext 19 qt_call_post_routines 20 QApplication::~QApplication RenderWidgetHostViewQt still holds a pointer to WebContentsAdapterClient. To fix this, expose the QObject owning the adapter client, and hide RenderWidgetHostViewQt when it is destroyed so it won't try to render. Change-Id: Ide5543197b35038a3e1c7491ceda3f5ad10f6f07 Reviewed-by: Allan Sandfeld Jensen --- src/webenginewidgets/api/qwebenginepage.cpp | 6 ++++++ src/webenginewidgets/api/qwebenginepage_p.h | 1 + 2 files changed, 7 insertions(+) (limited to 'src/webenginewidgets/api') diff --git a/src/webenginewidgets/api/qwebenginepage.cpp b/src/webenginewidgets/api/qwebenginepage.cpp index 2fd026682..0279c9343 100644 --- a/src/webenginewidgets/api/qwebenginepage.cpp +++ b/src/webenginewidgets/api/qwebenginepage.cpp @@ -440,6 +440,12 @@ QSharedPointer QWebEnginePagePrivate::browserContextAdapt return profile->d_ptr->browserContext(); } +const QObject *QWebEnginePagePrivate::holdingQObject() const +{ + Q_Q(const QWebEnginePage); + return q; +} + QWebEnginePage::QWebEnginePage(QObject* parent) : QObject(parent) , d_ptr(new QWebEnginePagePrivate()) diff --git a/src/webenginewidgets/api/qwebenginepage_p.h b/src/webenginewidgets/api/qwebenginepage_p.h index 8e5be51d0..7b16ed667 100644 --- a/src/webenginewidgets/api/qwebenginepage_p.h +++ b/src/webenginewidgets/api/qwebenginepage_p.h @@ -125,6 +125,7 @@ public: int exitCode) Q_DECL_OVERRIDE; virtual void requestGeometryChange(const QRect &geometry) Q_DECL_OVERRIDE; virtual bool isEnabled() const Q_DECL_OVERRIDE; + const QObject *holdingQObject() const Q_DECL_OVERRIDE; virtual QSharedPointer browserContextAdapter() Q_DECL_OVERRIDE; -- cgit v1.2.3