A specific URL in the navigation history database makes the application crash

Bug #1204996 reported by Olivier Tilloy
This bug affects 1 person
Affects                  Status        Importance  Assigned to     Milestone
webbrowser-app           Fix Released  Critical    Olivier Tilloy
webbrowser-app (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

(originally reported by Günter while reviewing https://code.launchpad.net/~osomon/webbrowser-app/domain-names-chronological/+merge/176900)

If the history navigation database (~/.local/share/webbrowser-app/history.sqlite) contains the following URL:

    http://derstandard.at/1369363282846/Tuerkische-Spezialpolizei-stuermt-Protestcamp-auf-dem-Istanbuler-Taksim-Platz

Then the browser crashes at startup when instantiating the models associated with the timeline view.
I have been able to isolate the issue a bit with a standalone QML test that imports Ubuntu.Components.Extras.Browser and uses a crafted history database, which I’m attaching here.

Note that the crash doesn’t seem to happen on raring, only on saucy.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Looks like the standalone test I attached doesn’t crash on the Galaxy Nexus, however it does crash in a saucy chroot.

Bill Filler (bfiller)
Changed in webbrowser-app:
assignee: nobody → Olivier Tilloy (osomon)
importance: Undecided → Critical
status: New → Confirmed
Revision history for this message
Michael Frey (mfrey) wrote :
Revision history for this message
Olivier Tilloy (osomon) wrote :

I can reproduce the crash with Michael’s history database with the latest trunk compiled on raring.
I am getting various different stack traces depending on the run. Here is one:

#0 0x00007ffff54b4037 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff54b7698 in __GI_abort () at abort.c:90
#2 0x00007ffff54f15ab in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff5604860 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
#3 0x00007ffff54fda46 in malloc_printerr (ptr=0xa39860, str=0x7ffff5604990 "double free or corruption (out)", action=3) at malloc.c:4902
#4 _int_free (av=<optimized out>, p=0xa39850, have_lock=0) at malloc.c:3758
#5 0x00007ffff79a54f9 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#6 0x00007ffff79a04e9 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#7 0x00007ffff79a065f in QSortFilterProxyModel::invalidate() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#8 0x00007fffc20e2149 in ensureEntriesUpToDate(HistoryDomainModel*) ()
   from /home/osomon/dev/phablet/browser/webbrowser-app/src/Ubuntu/Components/Extras/Browser/libubuntu-ui-extras-browser-plugin.so
#9 0x00007fffc20e23ad in HistoryDomainListModel::data(QModelIndex const&, int) const ()
   from /home/osomon/dev/phablet/browser/webbrowser-app/src/Ubuntu/Components/Extras/Browser/libubuntu-ui-extras-browser-plugin.so
#10 0x00007ffff799b4b7 in QSortFilterProxyModel::data(QModelIndex const&, int) const () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#11 0x00007ffff6c489b2 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#12 0x00007ffff6c47f35 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#13 0x00007ffff622a5ea in QV8QObjectWrapper::GetProperty(QV8Engine*, QObject*, v8::Handle<v8::Value>*, QHashedV8String const&, QQmlContextData*, QV8QObjectWrapper::RevisionMode) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
#14 0x00007ffff622b8ed in QV8QObjectWrapper::Getter(v8::Local<v8::String>, v8::AccessorInfo const&) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
#15 0x00007ffff357b581 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5V8.so.5

Revision history for this message
Olivier Tilloy (osomon) wrote :

Here is another one:

#0 0x00007ffff54b4037 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff54b7698 in __GI_abort () at abort.c:90
#2 0x00007ffff54f15ab in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff5604860 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
#3 0x00007ffff54fda46 in malloc_printerr (ptr=0xa39730, str=0x7ffff5604a00 "free(): invalid next size (fast)", action=3) at malloc.c:4902
#4 _int_free (av=<optimized out>, p=0xa39720, have_lock=0) at malloc.c:3758
#5 0x00007ffff6c46bdf in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#6 0x00007ffff6c4bccc in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#7 0x00007ffff6c57de5 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#8 0x00007ffff6c58dfc in QQuickVisualDataModel::item(int, bool) () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#9 0x00007ffff6c9d687 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#10 0x00007ffff6c4038e in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#11 0x00007ffff6c9bed5 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#12 0x00007ffff6ca13f8 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#13 0x00007ffff61393bc in QQmlVME::complete(QQmlVME::Interrupt const&) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
#14 0x00007ffff6133eb6 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
#15 0x00007ffff61345e6 in QQmlEnginePrivate::incubate(QQmlIncubator&, QQmlContextData*) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
#16 0x00007ffff6c58029 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#17 0x00007ffff6c58dfc in QQuickVisualDataModel::item(int, bool) () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#18 0x00007ffff6c9d687 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#19 0x00007ffff6c4038e in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#20 0x00007ffff6c9c01c in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#21 0x00007ffff6ca13f8 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Quick.so.5
#22 0x00007ffff61393bc in QQmlVME::complete(QQmlVME::Interrupt const&) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
#23 0x00007ffff612ed26 in QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) ()
   from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
#24 0x00007ffff612ee17 in QQmlComponentPrivate::completeCreate() () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
#25 0x00007ffff612ec95 in QQmlComponent::create(QQmlContext*) () from /usr/lib/x86_64-linux-gnu/libQt5Qml.so.5
#26 0x0000000000408570 in WebBrowserApp::initialize() ()
#27 0x00000000004096b3 in main ()

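The two backtraces above differ from run to run but both end in glibc's malloc consistency checks (malloc_printerr with "double free or corruption (out)" and "free(): invalid next size (fast)"), which is the signature of heap corruption that happened before the crash site, so the frame that aborts is not where the bug is. The following is an added example, not code from this report or from webbrowser-app: it parses gdb backtraces of this shape (including gdb's indented continuation lines), pulls out glibc's heap-check message, and finds the innermost frame owned by the project (a library loaded from the developer's tree, or the main executable), which is where to start looking, ideally re-running the reproducer under Valgrind or AddressSanitizer. The sample trace is constructed from frames of both traces above, abridged and combined, and the project root path is taken from those frames.

```python
"""Triage gdb backtraces like those in this bug (added example, not project code)."""
import re

# "#N [0xADDR in] FUNC (ARGS) [at FILE:LINE | from LIB]"; gdb wraps long
# frames onto indented continuation lines, which are re-joined below.
FRAME_START = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(.*)$")
LOCATION = re.compile(r"\s+(at|from)\s+(\S+)\s*$")
MALLOC_MSG = re.compile(r'str=0x[0-9a-fA-F]+\s+"([^"]*)"')

# Constructed sample: frames from the two traces in this report, abridged and
# combined. Raw string so the "\n" inside gdb's quoted format string stays as-is.
SAMPLE_TRACE = r"""
#0 0x00007ffff54b4037 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff54b7698 in __GI_abort () at abort.c:90
#2 0x00007ffff54f15ab in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff5604860 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
#3 0x00007ffff54fda46 in malloc_printerr (ptr=0xa39860, str=0x7ffff5604990 "double free or corruption (out)", action=3) at malloc.c:4902
#4 _int_free (av=<optimized out>, p=0xa39850, have_lock=0) at malloc.c:3758
#7 0x00007ffff79a065f in QSortFilterProxyModel::invalidate() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#8 0x00007fffc20e2149 in ensureEntriesUpToDate(HistoryDomainModel*) ()
   from /home/osomon/dev/phablet/browser/webbrowser-app/src/Ubuntu/Components/Extras/Browser/libubuntu-ui-extras-browser-plugin.so
#9 0x00007fffc20e23ad in HistoryDomainListModel::data(QModelIndex const&, int) const ()
   from /home/osomon/dev/phablet/browser/webbrowser-app/src/Ubuntu/Components/Extras/Browser/libubuntu-ui-extras-browser-plugin.so
#26 0x0000000000408570 in WebBrowserApp::initialize() ()
#27 0x00000000004096b3 in main ()
"""
PROJECT_ROOT = "/home/osomon/dev/phablet/browser/webbrowser-app/"  # taken from the trace


def _join_continuations(text):
    """Merge gdb's indented continuation lines into the frame they belong to."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and frames:
            frames[-1] += " " + line.strip()
        else:
            frames.append(line.rstrip())
    return frames


def _split_function_args(body):
    """Split 'FUNC (ARGS)' at the last balanced parenthesised group, scanning
    backwards so parens in C++ signatures or in quoted strings such as
    "corruption (out)" do not confuse the split."""
    body = body.rstrip()
    if not body.endswith(")"):
        return body, ""
    depth = 0
    for i in range(len(body) - 1, -1, -1):
        if body[i] == ")":
            depth += 1
        elif body[i] == "(":
            depth -= 1
            if depth == 0:
                return body[:i].rstrip(), body[i + 1:-1]
    return body, ""


def parse_backtrace(text):
    """Return a list of {n, func, args, location} dicts, innermost frame first."""
    frames = []
    for raw in _join_continuations(text):
        m = FRAME_START.match(raw)
        if not m:
            continue
        rest, location = m.group(2), None
        loc = LOCATION.search(rest)
        if loc:
            location, rest = loc.group(2), rest[:loc.start()]
        func, args = _split_function_args(rest)
        frames.append({"n": int(m.group(1)), "func": func, "args": args,
                       "location": location})
    return frames


def heap_corruption_signal(frames):
    """glibc's heap-check message if the abort came from malloc's consistency
    checks, else None. Such an abort means memory was corrupted earlier: the
    crash site is not the bug site, so rerun the reproducer under Valgrind/ASan."""
    for f in frames:
        if f["func"] == "malloc_printerr":
            m = MALLOC_MSG.search(f["args"])
            return m.group(1) if m else "malloc_printerr"
    return None


def first_project_frame(frames, project_root):
    """Innermost frame owned by the project: loaded from a library under
    project_root, or from the main executable (gdb prints no location)."""
    for f in sorted(frames, key=lambda f: f["n"]):
        loc = f["location"]
        if loc is None or loc.startswith(project_root):
            return f
    return None


if __name__ == "__main__":
    parsed = parse_backtrace(SAMPLE_TRACE)
    print("heap check:", heap_corruption_signal(parsed))
    print("start here:", first_project_frame(parsed, PROJECT_ROOT)["func"])
```

On the sample this reports the glibc message "double free or corruption (out)" and points at frame #8, ensureEntriesUpToDate(HistoryDomainModel*), which matches the frame the later comment in this bug experiments with; for a trace whose project frames sit in the main executable (the second trace here), the same function lands on WebBrowserApp::initialize().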
Revision history for this message
Olivier Tilloy (osomon) wrote :

Commenting out the code in ensureEntriesUpToDate(…) (in history-domainlist-model.cpp) makes the crash go away.
However this means that the data returned by HistoryDomainListModel::data(…) for LastVisit and Thumbnail won’t be correct.

Olivier Tilloy (osomon)
Changed in webbrowser-app:
status: Confirmed → In Progress
Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:webbrowser-app at revision 249, scheduled for release in webbrowser-app, milestone ubuntu-13.04-month-5

Changed in webbrowser-app:
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webbrowser-app - 0.22+13.10.20130731.1-0ubuntu1

---------------
webbrowser-app (0.22+13.10.20130731.1-0ubuntu1) saucy; urgency=low

  [ Olivier Tilloy ]
  * debian/control: add missing Replaces and Conflicts fields to handle
    gracefully upgrades after packages were re-organized.

  [ Sergio Schvezov ]
  * Adding test xml output and coverage build targets.
  * Adding file filters for test coverage.

  [ Omer Akram ]
  * Autopilot tests: introduce a simpler logic to reveal the chrome.

  [ Olivier Tilloy ]
  * Cleaner separation between the public plugin and the application:
    - only expose QML files that should really be public in the plugin,
      move the others over to the application
    - ensure the plugin doesn’t contain any translatable string, and move
      translation catalogs to the application’s package.
  * Implement "close mode" for all open tabs, toggled by a long press on
    any open tab. (LP: #1197835)
  * Move an asset to where it belongs. (LP: #1197835)
  * Add instructions on how to generate code coverage reports.
  * Ensure the contentOrientation property of the window follows the
    screen’s orientation.
  * Ensure we’re accessing the correct data in a less aggressive, and
    crash-free way. (LP: #1204996)
  * Unskip an autopilot test now that the corresponding bug has been
    fixed in qtubuntu.

  [ Łukasz 'sil2100' Zemczak ]
  * Missing Replaces in webbrowser-app for qtdeclarative5-ubuntu-ui-
    extras-browser-plugin, fixed the replaces for webbrowser-app-assets.

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 255
 -- Ubuntu daily release <email address hidden> Wed, 31 Jul 2013 10:35:29 +0000

Changed in webbrowser-app (Ubuntu):
status: New → Fix Released
Olivier Tilloy (osomon)
Changed in webbrowser-app:
status: Fix Committed → Fix Released