Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wonderwall segfault #37

Open
username227 opened this issue May 26, 2024 · 1 comment · May be fixed by #38
Open

Wonderwall segfault #37

username227 opened this issue May 26, 2024 · 1 comment · May be fixed by #38

Comments

@username227
Copy link

Hi,
I was attempting to start Wonderwall (from the aur) with the qt5-webkit-movableink-git instead of the normal qt5-webkit. I did this by installing the prebuilt package uploaded onto Sourceforge several days ago, and then altering the wonderwall pkgbuild to reflect this dependency instead of qt5-webkit. It did not start, and I got a segfault. The information, including a backtrace, is printed below:

backtrace.txt

The program works with qt5-webkit.
@whitslack
Copy link

I get the same segfault when attempting to view an email in Trojitá using this QtWebkit implementation.

#0  QPainterPath::QPainterPath (this=this@entry=0x7fffffff83f8, other=...)
    at ../../../qtbase-everywhere-src-5.15.13/src/gui/painting/qpainterpath.cpp:561
#1  0x00007ffff17f0727 in WebCore::GraphicsContextQt::fillPath (this=0x7fffffffa8c0, path=...)
    at ../qtwebkit-5.212.9999/Source/WebCore/platform/graphics/qt/GraphicsContextQt.cpp:648
#2  0x00007ffff30357ab in WebCore::BorderPainter::paintSides (this=this@entry=0x7fffffff89e0, sides=...)
    at ../qtwebkit-5.212.9999/Source/WebCore/rendering/BorderPainter.cpp:455
⋮

The crash occurs because WebCore::Path::platformPath() returns a dangling reference to a temporary QPainterPath object returned by WebCore::PathQt::platformPath().

webkit/Source/WebCore/platform/graphics/PlatformPath.h

Line 32 in 2d2b379

typedef QPainterPath PlatformPath;

webkit/Source/WebCore/platform/graphics/PlatformPath.h

Lines 41 to 42 in 2d2b379

/* QPainterPath is valued based */
typedef const PlatformPath& PlatformPathPtr;

webkit/Source/WebCore/platform/graphics/Path.cpp

Lines 412 to 415 in 2d2b379

PlatformPathPtr Path::platformPath() const
{
return const_cast<Path&>(*this).ensurePlatformPathImpl().platformPath();
}

webkit/Source/WebCore/platform/graphics/qt/PathQt.cpp

Lines 113 to 116 in 2d2b379

QPainterPath PathQt::platformPath() const
{
return m_path;
}

The offending commit was 71a469f. WebCore::PathQt::platformPath() was mistakenly declared as returning a QPainterPath. As a point of reference: WebCore::PathCG::platformPath() returns a PlatformPathPtr (typedef'd as struct CGPath*). WebCore::Path::platformPath() expects to be able to return the return value of WebCore::PlatformPathImpl::platformPath() as a PlatformPathPtr without potentially creating a dangling reference. If we redefine WebCore::PathQt::platformPath() as returning a PlatformPathPtr (typedef'd as const QPainterPath&), then we will avoid creating a temporary QPainterPath object, and thus WebCore::Path::platformPath() will not return a dangling reference. When I make this change, I no longer suffer the crash. I will open a PR.

whitslack added a commit to whitslack/movableink-webkit that referenced this issue May 29, 2024
@whitslack
WebCore::PathQt::platformPath(): don't return a temporary object
3297fc5 
`WebCore::Path::platformPath()` expects to be able to return the return
value of `WebCore::PlatformPathImpl::platformPath()` as a
`PlatformPathPtr` without creating a dangling reference. However,
`WebCore::PathQt::platformPath()` is defined as returning a temporary
`QPainterPath` object, which does become a dangling reference when
returned by reference, leading to segfaults at runtime.

This commit changes the return type of `WebCore::PathQt::platformPath()`
to `PlatformPathPtr` (paralleling the definition of
`WebCore::PathCG::platformPath()`), so as to avoid creating a temporary
`QPainterPath` object, thereby avoiding the creation of a dangling
reference when returning from `WebCore::Path::platformPath()`.

Fixes: movableink#37
@whitslack whitslack linked a pull request May 29, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

WebCore::PathQt::platformPath(): don't return a temporary object whitslack/movableink-webkit
2 participants
@whitslack @username227