[browser] Selecting an option in a dropdown in surveymonkey crashes the web process

Bug #1158358 reported by Olivier Tilloy
Affects                  Status        Importance  Assigned to     Milestone
webbrowser-app           Fix Released  High        Olivier Tilloy
webbrowser-app (Ubuntu)  Fix Released  High        Unassigned

Bug Description

(reproduced both on Galaxy Nexus and Nexus 10, attaching quantal-ubuntu_stamp from the Galaxy Nexus)
(this is also 100% reproducible on the desktop with this branch: lp:~osomon/webbrowser-app/itemSelector)

Steps to reproduce:
 1) Open the browser and point it to http://juju.ubuntu.com/survey (this redirects to http://www.surveymonkey.com/s/ubuntu-juju)
 2) Scroll down the page until you see a section with dropdown widgets to rank a number of parameters.
 3) Tap on any of the dropdowns; a popover should appear to let you select an option
 4) Select any of the options

Expected result: the option is remembered, and the section is updated with the ranks
Current result: the web process crashes, rendering the page unusable

Olivier Tilloy (osomon) wrote :
Changed in manhattan:
status: New → Confirmed
Olivier Tilloy (osomon) wrote :

Here is the corresponding HTML code from the surveymonkey page for one dropdown:

<div class="RankingOption" index="0" iVal="0" onmousedown="RankingQuestion.Drag(event);" onmouseup="RankingQuestion.Drop(event);" onmouseover="RankingQuestion.OptionMouseOver(event);" onmouseout="RankingQuestion.OptionMouseOut(event);">
    <select class="RankingNum" onchange="RankingQuestion.RankChange(event);" onclick="RankingQuestion.Click(event);">
        <option isNa="false"></option>
        <option isNa="false">1</option>
        <option isNa="false">2</option>
        <option isNa="false">3</option>
        <option isNa="false">4</option>
        <option isNa="false">5</option>
        <option isNa="false">6</option>
        <option isNa="false">7</option>
        <option isNa="false">8</option>
        <option isNa="false">9</option>
        <option isNa="false">10</option>
    </select>
    <span class="AnswerOptionText">Coordination of events</span>
    <label class="select_on" id="input_500927840_61_5824601724_0_lbl" for="input_500927840_61_5824601724_0">
        <input type="hidden" id="input_500927840_61_5824601724_0" name="input_500927840_61_5824601724_0" value="" />
    </label>
</div>

Olivier Tilloy (osomon) wrote :

And here is the JS code that’s invoked when an option is selected (from http://secure.surveymonkey.com/js/RankingQuestion.js?rv=201303191245):

    RankingQuestion.RankChange = function(e) {
        if (e == null)
            var e = window.event;
        var target = e.target ? e.target : e.srcElement;

        if (target.selectedIndex == 0 || SM_APP.DOM.hasClass(target.options[target.selectedIndex], 'disabledOption')) {
            target.selectedIndex = parseInt(target.getAttribute('oldIdx'));
        } else if (target.options[target.selectedIndex].getAttribute("isNa") == 'true') {
            setTimeout(function() {
                target.parentNode.childNodes[1].checked = true;
                RankingQuestion.ToggleNA(target.parentNode, true);
                RankingQuestion.FadeIn(target.parentNode);
            }, 100);
        } else {
            var opt = target.parentNode;
            var container = opt.parentNode;
            var pos = target.selectedIndex - 1;
            RankingQuestion.MovePlaceHolder(pos, opt);

            setTimeout(function() {
                container.insertBefore(opt, RankingQuestion.PlaceHolder);
                container.removeChild(RankingQuestion.PlaceHolder);
                RankingQuestion.FadeIn(opt);
                RankingQuestion.CalculateRanks(container);
            }, 100);
        }
    };

Olivier Tilloy (osomon) wrote :

Interestingly, if I use the web inspector to set a breakpoint on the first line of function RankingQuestion.RankChange, and just continue execution when it breaks there, the crash doesn’t happen, and the form works as expected.

Olivier Tilloy (osomon) wrote :

If I install debug symbols for libqt5webkit5 and I attach to the web process before triggering the crash, here is the backtrace I get:

#0 WebKit::WebPage::hidePopupMenu (this=0xae718a00) at WebProcess/WebPage/qt/WebPageQt.cpp:439
#1 0xb5de33ca in callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)()> (function=<optimized out>, object=0xae718a00)
    at Platform/CoreIPC/HandleMessage.h:15
#2 handleMessage<Messages::WebPage::HidePopupMenu, WebKit::WebPage, void (WebKit::WebPage::*)()> (function=<optimized out>,
    object=0xae718a00, decoder=...) at Platform/CoreIPC/HandleMessage.h:322
#3 WebKit::WebPage::didReceiveWebPageMessage (this=0xae718a00, decoder=...) at generated/WebPageMessageReceiver.cpp:476
#4 0xb5d976f6 in WebKit::WebPage::didReceiveMessage (this=0xae718a00, connection=0xae705dc0, messageID=..., decoder=...)
    at WebProcess/WebPage/WebPage.cpp:2922
#5 0xb5c5d365 in CoreIPC::MessageReceiverMap::dispatchMessage (this=0x9eeed74, connection=0xae705dc0, messageID=..., decoder=...)
    at Platform/CoreIPC/MessageReceiverMap.cpp:86
#6 0xb5da08d9 in WebKit::WebProcess::didReceiveMessage (this=0x9eeed40, connection=0xae705dc0, messageID=..., decoder=...)
    at WebProcess/WebProcess.cpp:681
#7 0xb5c5a440 in dispatchMessage (decoder=..., messageID=..., this=0xae705dc0) at Platform/CoreIPC/Connection.cpp:663
#8 CoreIPC::Connection::dispatchMessage (this=this@entry=0xae705dc0, message=...) at Platform/CoreIPC/Connection.cpp:686
#9 0xb5c5a559 in CoreIPC::Connection::dispatchOneMessage (this=0xae705dc0) at Platform/CoreIPC/Connection.cpp:712
#10 0xb5c5971f in operator() (c=<optimized out>, this=0xab03a380) at ../WTF/wtf/Functional.h:173
#11 WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void (CoreIPC::Connection*)>::operator()() (
    this=0xab03a378) at ../WTF/wtf/Functional.h:405
#12 0xb61e7106 in operator() (this=<synthetic pointer>) at ../WTF/wtf/Functional.h:613
#13 WebCore::RunLoop::performWork (this=0xae703780) at platform/RunLoop.cpp:87
#14 0xb62a3e16 in performWork (this=<optimized out>) at platform/qt/RunLoopQt.cpp:48
#15 qt_static_metacall (_id=0, _o=0x9eee610, _c=<optimized out>, _a=<optimized out>) at .moc/release-shared/RunLoopQt.moc:68
#16 WebCore::RunLoop::TimerObject::qt_static_metacall (_o=0x9eee610, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0xadd06710)
    at .moc/release-shared/RunLoopQt.moc:63
#17 0xb52917d3 in QMetaCallEvent::placeMetaCall(QObject*) () from /usr/lib/i386-linux-gnu/libQt5Core.so.5
#18 0xb52948db in QObject::event(QEvent*) () from /usr/lib/i386-linux-gnu/libQt5Core.so.5
#19 0xb556370c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/i386-linux-gnu/libQt5Widgets.so.5
#20 0xb556713b in QApplication::notify(QObject*, QEvent*) () from /usr/lib/i386-linux-gnu/libQt5Widgets.so.5
#21 0xb526b74e in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/lib/i386-linux-gnu/libQt5Core.so.5
#22 0xb526d673 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/i386-linux-gnu/libQt5Core.so.5
#23 0xb526dd3c in QCoreApplication::sendPostedEvents(QObject*, int) () from /usr/lib/i386-linux-gnu/libQt5...


Olivier Tilloy (osomon) wrote :

Here is where the crash is happening:

    void WebPage::hidePopupMenu()
    {
        if (!m_activePopupMenu)
            return;

        m_activePopupMenu->client()->popupDidHide();
        m_activePopupMenu = 0;
    }

m_activePopupMenu->client() returns m_activePopupMenu->m_popupClient, which in this case is null. It looks like the popup client is destroyed too early.
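
The lifetime problem described in this comment, as an added C++ model that is not WebKit's code and not part of the original report: the class names mirror the ones in the backtrace (WebPage, PopupMenu, PopupMenuClient), but their bodies are constructed for illustration. It assumes that the DOM reparenting done by the RankChange handler quoted earlier (insertBefore() on the option's parent) is what tears the popup client down before the HidePopupMenu message reaches the web process, and it shows a hidePopupMenu() that checks client() for null instead of dereferencing it, recording which path was taken so the behaviour can be verified without crashing.

```cpp
#include <cstddef>

// Which path hidePopupMenu() took; the original code has no way to observe
// the third case because it dereferences the null client and crashes.
enum class HideOutcome {
    NoActiveMenu,      // nothing to hide: early return, as in the original
    ClientNotified,    // normal path: client()->popupDidHide() was called
    ClientAlreadyGone  // client() was null: the situation in this bug
};

class PopupMenuClient {
public:
    bool hidden = false;
    void popupDidHide() { hidden = true; }
};

class PopupMenu {
public:
    explicit PopupMenu(PopupMenuClient* client) : m_popupClient(client) {}
    PopupMenuClient* client() const { return m_popupClient; }
    // Assumed to be called when the element owning the menu is torn down
    // (the <select> being moved in the DOM by the page's change handler).
    // The menu object survives, but its client pointer is now null.
    void disconnectClient() { m_popupClient = nullptr; }
private:
    PopupMenuClient* m_popupClient;
};

class WebPage {
public:
    void showPopupMenu(PopupMenu* menu) { m_activePopupMenu = menu; }

    // Same control flow as the hidePopupMenu() quoted above, plus the
    // null-client guard that the crashing version lacks.
    HideOutcome hidePopupMenu() {
        if (!m_activePopupMenu)
            return HideOutcome::NoActiveMenu;

        PopupMenuClient* client = m_activePopupMenu->client();
        HideOutcome outcome = HideOutcome::ClientAlreadyGone;
        if (client) {
            client->popupDidHide();
            outcome = HideOutcome::ClientNotified;
        }
        // Clear the active menu on both paths so a repeated HidePopupMenu
        // message takes the early return instead of touching a stale pointer.
        m_activePopupMenu = nullptr;
        return outcome;
    }
private:
    PopupMenu* m_activePopupMenu = nullptr;
};

// Normal sequence: menu shown, option picked, HidePopupMenu dispatched while
// the client is still alive.
HideOutcome simulateNormalSelection() {
    PopupMenuClient client;
    PopupMenu menu(&client);
    WebPage page;
    page.showPopupMenu(&menu);
    return page.hidePopupMenu();
}

// Sequence from the bug: the onchange handler reparents the <select>'s
// container, the client is destroyed, and only then does the web process
// handle HidePopupMenu.
HideOutcome simulateRankChangeSequence() {
    PopupMenuClient client;
    PopupMenu menu(&client);
    WebPage page;
    page.showPopupMenu(&menu);
    menu.disconnectClient();      // client gone "too early"
    return page.hidePopupMenu();  // the original code crashes here
}

// A second HidePopupMenu after either path must be a no-op.
bool secondHideIsNoOp() {
    PopupMenuClient client;
    PopupMenu menu(&client);
    WebPage page;
    page.showPopupMenu(&menu);
    menu.disconnectClient();
    page.hidePopupMenu();
    return page.hidePopupMenu() == HideOutcome::NoActiveMenu;
}
```

The guard only turns the crash into a silently ignored hide; the real fix still has to stop the client from being destroyed while the menu it owns is active, which is what the upstream WebKit bug tracks.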

Olivier Tilloy (osomon) wrote :

I filed https://bugs.webkit.org/show_bug.cgi?id=112933 to track this issue upstream.

Olivier Tilloy (osomon) wrote :

An update from the upstream bug report: Pierre Rossi (aka elproxy on #qtwebkit, Digia employee) assigned himself the bug, so there is a good chance he’ll be submitting a patch for it soon.

information type: Proprietary → Public
affects: manhattan → webbrowser-app
Bill Filler (bfiller) wrote :

Unfortunately, this is still causing a crash with qt5.1.1 and the latest build as of 9.20.13.

Changed in webbrowser-app:
importance: Undecided → High
Changed in webbrowser-app (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Olivier Tilloy (osomon) wrote :

Fixed with the switch to oxide.

Changed in webbrowser-app:
status: Confirmed → Fix Released
Changed in webbrowser-app (Ubuntu):
status: Confirmed → Fix Released