Hi ports@ & zhuk@,

While working on a Go WebSocket application I encountered a reproducible segmentation fault in Qt5. The bug was discovered from the developer tools in Otter browser but I suspect it might impact any other Qt5 applications.
Tested on:
- OpenBSD i386 snapshot from 20 Feb 2015
- qt5-5.3.2p10 (installed)
- qt5-mysql-5.3.2p0 (installed)
- qt5-postgresql-5.3.2p0 (installed)
- qt5-sqlite2-5.3.2p0 (installed)
- qt5-tds-5.3.2p0 (installed)
- otter-browser-0.9.04 (installed)

Appreciated tests:
- confirming that the bug is reproducible on other boxes (different arch than i386)
- trying out the bug in Firefox & especially Chromium (I don't have it installed) or anything with WebKit
- trying with Qt5 debug symbols (my poor i386 box would never survive the compilation)
- telling me about a Qt4 app that could be susceptible to a similar bug (I tried quiterss but it blocks developer tools)

It looks like I encountered 2 unique crashes; all attempts are listed at the end of this mail. I can't reliably reproduce crash-3 but it happened on an accepted socket.

Crashes produced with an internal product:
- crash-1-3

Crashes produced with the test binary:
- crash-4-6

Steps to reproduce:

1. Install go & otter browser

2. Set up your go path and raise limits (go apps eat a bit of ram on startup)

   mkdir $HOME/go
   export GOPATH=$HOME/go
   export PATH=$PATH:$GOPATH/bin
   ulimit -n 512
   ulimit -p 512
   ulimit -d 2036792

3. Install the testsocket application I wrote to reproduce the crash reliably

   go get github.com/mulander/testsocket

   This will download, compile & place the binary in $GOPATH/bin

4. Run the test app

   $ testsocket

5. Open otter-browser to http://localhost:7082 - you will see a 404

6. Right click on the page and select 'Inspect element'; this will bring up the developer tools

7. Switch to the console tab and try the following code samples

   a) new WebSocket("ws://localhost:7082/ws/pass")
   b) new WebSocket("ws://localhost:7082/ws/block")
   c) new WebSocket("ws://localhost:7082/")

   The browser will crash on each step.

URL a) Allows a websocket connection
URL b) Responds with an http status code of forbidden
URL c) Does not exist in my handler

Otter crashes on all 3 addresses.
- Trying to connect to a host without WebSockets (ie. "ws://koparo.com") doesn't crash
- Trying to connect to a dead port (ie. "ws://localhost:7777") doesn't crash

You can also test in Firefox to see that the socket connections work.

On URL a) testsocket will print on console:

2015/02/26 16:16:37 Upgrading the socket connection
2015/02/26 16:16:37 Connection upgraded
2015/02/26 16:16:37 Reading socket messages

Firefox will say:

WebSocket { url: "ws://localhost:7082/", readyState: 0, bufferedAmount: 0, onopen: null, onerror: null, onclose: null, extensions: "", protocol: "", onmessage: null, binaryType: "blob" }

On URL b) testsocket will print on console:

2015/02/26 16:16:39 Blocking the socket connection

Firefox will say:

GET http://localhost:7082/ws/block [HTTP/1.1 403 Forbidden 3ms]
Firefox can't establish a connection to the server at ws://localhost:7082/ws/block.

On URL c) testsocket won't print anything

Firefox will say:

Firefox can't establish a connection to the server at ws://localhost:7082/

In all cases, hitting the URLs with Otter won't generate any messages on the testsocket console.

Here are the stack traces:

crash-1
Core was generated by `otter-browser'.
Program terminated with signal 11, Segmentation fault.
#0  0x0f565cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
(gdb) bt
#0  0x0f565cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#1  0x0f565160 in WebCore::SocketStreamHandleBase::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#2  0x00000000 in ?? ()
(gdb)

crash-2
Core was generated by `otter-browser'.
Program terminated with signal 11, Segmentation fault.
#0  0x08851cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
(gdb) bt
#0  0x08851cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#1  0x08851160 in WebCore::SocketStreamHandleBase::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#2  0x00000000 in ?? ()

crash-3 (accepted socket)
#0  0x07771cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
(gdb) bt
#0  0x07771cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#1  0x07771160 in WebCore::SocketStreamHandleBase::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#2  0x00007f1d in ?? ()
#3  0x821698c8 in ?? ()
#4  0x0000017b in ?? ()
#5  0x00000019 in ?? ()
#6  0x00000021 in ?? ()
#7  0x00000021 in ?? ()
#8  0x00000021 in ?? ()
#9  0x07a02bce in WebCore::jsWebGLRenderingContextPrototypeFunctionGetUniformLocation () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
Previous frame inner to this frame (corrupt stack?)

crash-4 (hitting a not known handler ws://localhost:7082/ )
Core was generated by `otter-browser'.
Program terminated with signal 11, Segmentation fault.
#0  0x0953bcc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
(gdb) bt
#0  0x0953bcc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#1  0x0953b160 in WebCore::SocketStreamHandleBase::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#2  0x00000000 in ?? ()
(gdb)

crash-5 (hitting new WebSocket("ws://localhost:7082/ws/pass"))
Core was generated by `otter-browser'.
Program terminated with signal 11, Segmentation fault.
#0  0x016e6cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
(gdb) bt
#0  0x016e6cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#1  0x016e6160 in WebCore::SocketStreamHandleBase::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#2  0x00000000 in ?? ()
(gdb)

crash-6 (hitting new WebSocket("ws://localhost:7082/ws/block"))
#0  0x0c1d3cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
(gdb) bt
#0  0x0c1d3cc8 in WebCore::SocketStreamHandlePrivate::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#1  0x0c1d3160 in WebCore::SocketStreamHandleBase::send () from /usr/local/lib/qt5/libQt5WebKit.so.0.0
#2  0x00000000 in ?? ()
(gdb)

Regards,
--
Adam Wolk
adam.w...@koparo.com