openwebf/webf

Crash: pointer being freed was not allocated for webf::Event::item

looseyi opened this issue · 0 comments

Affected version

0.14.2

No same issues found.

  • Yes, I searched all existing issues and found no matching report.

Steps to Reproduce

<!-- Reproduction markup (presumably a DOM snapshot from the demo app): nested
     bn-view custom widget elements wrapping a bn-input whose inner native
     <input> receives the touch that triggers the crash described in
     "Steps to Reproduce". The bind* attributes on bn-input name the handlers
     (handleFocus etc.) shown in the code example below. -->
<bn-view class="bnui-cell bnui-cell_input" catch-move="false" hover-class="none" hover-stop-propagation="false"
  hover-start-time="50" hover-stay-time="400"><bn-view class="bnui-cell__bd" catch-move="false" hover-class="none"
    hover-stop-propagation="false" hover-start-time="50" hover-stay-time="400"><bn-input class="bnui-input"
      data-compname="Input" name="input" bindinput="handleInput" bindfocus="handleFocus" bindblur="handleBlur"
      bindtap="handClick" bindconfirm="handleConfirm" bindkeyboardheightchange="handleKeyboardHeightChange">
      <div type="text"><input type="text" maxlength="140">
        <div class="input-placeholder input-placeholder" style="line-height: 40px;">This is a input box</div>
        <ul style="display: none;"></ul>
      </div>
    </bn-input>
  </bn-view>
</bn-view>
  1. Use a custom widget element and touch its input. In the simple example this works, but when the same component is integrated into the demo app, touching the input crashes the process.
  2. The crash happens inside `Event::item` while it converts a string `NativeValue` into a `ScriptValue` (frames #3–#13 below): the `AutoFreeNativeString` destructor frees a pointer that malloc reports as never allocated. The last console line (`RAW STRING: 0x100007fae93c3bbd len 3913917714`) shows a garbage pointer and length for the `_type` string on its second read, so the native string storage appears to have been released or overwritten before `Event::item` read it. This looks like a memory-safety bug (dangling pointer / invalid free in the Dart→JS bridge) rather than a logic error, so the fix should sort out ownership and lifetime of the `NativeValue` handed over from the Dart side instead of merely guarding the free.

Code example

import { defineComponent } from 'vue'
import {
  MPInputInputEvent,
  MPInputFocusEvent,
  MPInputBlurEvent,
  MPInputConfirmEvent,
} from '@mp/types'

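export default defineComponent({
  name: 'IDE-Input',
  methods: {
    /**
     * Focus handler for the wrapped native <input>.
     *
     * Decorates the incoming event with underscore-prefixed fields
     * (`_detail`, `_type`, `_currentTarget`) and re-emits it as `focus`.
     * These are the same keys the native side later reads back through
     * `Event::item` (see the console log in this issue); the crash is
     * reported on the second read of `_type`.
     *
     * `defaultToEmptyString`, `this._value` and `this._setCursor` are
     * defined elsewhere in the component and are not part of this excerpt.
     *
     * @param e focus event delivered by the native input
     */
    handleFocus(e: MPInputFocusEvent) {
      e._detail = {
        value: defaultToEmptyString(this._value),
        height: 0,
      }
      e._type = 'focus'
      e._currentTarget = this.$el
      this.$emit('focus', e)

      this._setCursor()
    },
  },
}) // the closing parenthesis of defineComponent(...) was missing in the original listing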

Expected results

Touching the input should focus it and run the `focus` handler without crashing.

Actual results

#0	0x0000000127e43885 in malloc_error_break ()
#1	0x0000000127e507b3 in malloc_vreport ()
#2	0x0000000127e50a3e in malloc_report ()
#3	0x0000000122fb2ef1 in webf::SharedNativeString::_free() const [inlined] at /path/to/webf/bridge/foundation/native_string.cc:34
#4	0x0000000122fb2ee4 in webf::AutoFreeNativeString::~AutoFreeNativeString() [inlined] at /path/to/webf/bridge/foundation/native_string.cc:27
#5	0x0000000122fb2ee4 in webf::AutoFreeNativeString::~AutoFreeNativeString() at /path/to/webf/bridge/foundation/native_string.cc:26
#6	0x0000000122fba702 in std::__1::default_delete<webf::AutoFreeNativeString>::operator()[abi:v15006](webf::AutoFreeNativeString*) const [inlined] at /Applications/Xcode-14.3.1.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator16.4.sdk/usr/include/c++/v1/__memory/unique_ptr.h:48
#7	0x0000000122fba6fa in std::__1::unique_ptr<webf::AutoFreeNativeString, std::__1::default_delete<webf::AutoFreeNativeString> >::reset[abi:v15006](webf::AutoFreeNativeString*) [inlined] at /Applications/Xcode-14.3.1.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator16.4.sdk/usr/include/c++/v1/__memory/unique_ptr.h:305
#8	0x0000000122fba6f8 in std::__1::unique_ptr<webf::AutoFreeNativeString, std::__1::default_delete<webf::AutoFreeNativeString> >::~unique_ptr[abi:v15006]() [inlined] at /Applications/Xcode-14.3.1.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator16.4.sdk/usr/include/c++/v1/__memory/unique_ptr.h:259
#9	0x0000000122fba6f8 in std::__1::unique_ptr<webf::AutoFreeNativeString, std::__1::default_delete<webf::AutoFreeNativeString> >::~unique_ptr[abi:v15006]() [inlined] at /Applications/Xcode-14.3.1.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator16.4.sdk/usr/include/c++/v1/__memory/unique_ptr.h:259
#10	0x0000000122fba6f8 in webf::FromNativeValue(webf::ExecutingContext*, webf::NativeValue const&) at /path/to/webf/bridge/bindings/qjs/script_value.cc:32
#11	0x0000000122fba7f5 in webf::ScriptValue::ScriptValue(JSContext*, webf::NativeValue const&) [inlined] at /path/to/webf/bridge/bindings/qjs/script_value.cc:99
#12	0x0000000122fba7d3 in webf::ScriptValue::ScriptValue(JSContext*, webf::NativeValue const&) at /path/to/webf/bridge/bindings/qjs/script_value.cc:99
#13	0x0000000122fdaa20 in webf::Event::item(webf::AtomicString const&, webf::ExceptionState&) at /path/to/webf/bridge/core/dom/events/event.cc:156
#14	0x000000012301b637 in webf::QJSFocusEvent::StringPropertyGetterCallback(JSContext*, JSValue, unsigned int) at /path/to/webf/bridge/out/qjs_focus_event.cc:94
#15	0x0000000122fb76f4 in webf::HandleJSPropertyGetterCallback(JSContext*, JSValue, unsigned int, JSValue) ()
#16	0x0000000120336351 in JS_GetPropertyInternal at /path/to/webf/bridge/third_party/quickjs/src/core/object.c:502
#17	0x000000012033569e in JS_GetProperty [inlined] at /path/to/webf/bridge/third_party/quickjs/include/quickjs/quickjs.h:746
#18	0x0000000120335682 in JS_GetPropertyValue at /path/to/webf/bridge/third_party/quickjs/src/core/object.c:90
#19	0x00000001203245a3 in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:1749
#20	0x00000001203148fb in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:643
#21	0x00000001203148fb in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:643
#22	0x0000000120310515 in JS_Call at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:2632
#23	0x000000012037a221 in js_function_apply at /path/to/webf/bridge/third_party/quickjs/src/core/builtins/js-function.c:293
#24	0x0000000120310237 in js_call_c_function at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:126
#25	0x00000001203109a8 in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:289
#26	0x0000000120314e9e in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:673
#27	0x0000000120314e9e in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:673
#28	0x0000000120310457 in JS_Call [inlined] at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:2632
#29	0x0000000120310424 in js_call_bound_function at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:206
#30	0x00000001203109a8 in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:289
#31	0x0000000120310515 in JS_Call at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:2632
#32	0x000000012037a221 in js_function_apply at /path/to/webf/bridge/third_party/quickjs/src/core/builtins/js-function.c:293
#33	0x0000000120310237 in js_call_c_function at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:126
#34	0x00000001203109a8 in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:289
#35	0x0000000120314e9e in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:673
#36	0x0000000120310515 in JS_Call at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:2632
#37	0x000000012037a221 in js_function_apply at /path/to/webf/bridge/third_party/quickjs/src/core/builtins/js-function.c:293
#38	0x0000000120315506 in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:712
#39	0x00000001203148fb in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:643
#40	0x00000001203148fb in JS_CallInternal at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:643
#41	0x0000000120310515 in JS_Call at /path/to/webf/bridge/third_party/quickjs/src/core/function.c:2632
#42	0x0000000122fba1ff in webf::QJSFunction::Invoke(JSContext*, webf::ScriptValue const&, int, webf::ScriptValue*) at /path/to/webf/bridge/bindings/qjs/qjs_function.cc:60
#43	0x0000000122fb5dee in webf::JSEventListener::InvokeInternal(webf::EventTarget&, webf::Event&, webf::ExceptionState&) at /path/to/webf/bridge/bindings/qjs/js_event_listener.cc:21
#44	0x0000000122fb50c4 in webf::JSBasedEventListener::Invoke(webf::ExecutingContext*, webf::Event*, webf::ExceptionState&) at /path/to/webf/bridge/bindings/qjs/js_based_event_listener.cc:21
#45	0x0000000122fdcb56 in webf::EventTarget::FireEventListeners(webf::Event&, webf::EventTargetData*, std::__1::vector<webf::RegisteredEventListener, std::__1::allocator<webf::RegisteredEventListener> >&, webf::ExceptionState&) at /path/to/webf/bridge/core/dom/events/event_target.cc:468
#46	0x0000000122fdccae in webf::EventTarget::FireEventListeners(webf::Event&, bool, webf::ExceptionState&) at /path/to/webf/bridge/core/dom/events/event_target.cc:199
#47	0x0000000122fdd4ca in webf::EventTarget::HandleDispatchEventFromDart(int, webf::NativeValue const*, _Dart_Handle*) at /path/to/webf/bridge/core/dom/events/event_target.cc:379
#48	0x0000000122fdd378 in webf::EventTarget::HandleCallFromDartSide(webf::AtomicString const&, int, webf::NativeValue const*, _Dart_Handle*) at /path/to/webf/bridge/core/dom/events/event_target.cc:358
#49	0x0000000122fee8df in webf::WidgetElement::HandleCallFromDartSide(webf::AtomicString const&, int, webf::NativeValue const*, _Dart_Handle*) at /path/to/webf/bridge/core/html/custom/widget_element.cc:55
#50	0x0000000122fdd796 in webf::NativeBindingObject::HandleCallFromDartSide(webf::NativeBindingObject*, webf::NativeValue*, webf::NativeValue*, int, webf::NativeValue*, _Dart_Handle*) at /path/to/webf/bridge/core/binding_object.cc:27
#51	0x0000000163a0634b in 0x163a0634b ()
#52	0x00000001754fb662 in 0x1754fb662 ()
#53	0x00000001754f92b3 in 0x1754f92b3 ()
#54	0x00000001754f8bc7 in 0x1754f8bc7 ()
#55	0x00000001754f8b2c in 0x1754f8b2c ()
#56	0x000000017bc6d6b2 in 0x17bc6d6b2 ()
#57	0x000000017bc6ca60 in 0x17bc6ca60 ()
#58	0x000000017bc6c736 in 0x17bc6c736 ()
#59	0x00000001742804a0 in 0x1742804a0 ()
#60	0x000000016bfecbdf in 0x16bfecbdf ()
#61	0x000000016bfec82e in 0x16bfec82e ()
#62	0x000000016bfec759 in 0x16bfec759 ()
#63	0x0000000163a0300c in 0x163a0300c ()
#64	0x00000001307fc7c8 in dart::DartEntry::InvokeCode(dart::Code const&, unsigned long, dart::Array const&, dart::Array const&, dart::Thread*) ()
#65	0x00000001307fc64d in dart::DartEntry::InvokeFunction(dart::Function const&, dart::Array const&, dart::Array const&, unsigned long) ()
#66	0x00000001307fcdac in dart::DartEntry::InvokeCallable(dart::Thread*, dart::Function const&, dart::Array const&, dart::Array const&) ()
#67	0x0000000130b6b171 in Dart_InvokeClosure ()
#68	0x00000001305ef5bb in tonic::DartMicrotaskQueue::RunMicrotasks() ()
#69	0x00000001304c3815 in fml::MessageLoopImpl::FlushTasks(fml::FlushType) ()
#70	0x00000001304c94be in fml::MessageLoopDarwin::OnTimerFire(__CFRunLoopTimer*, fml::MessageLoopDarwin*) ()
#71	0x000000011ba93353 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ ()
#72	0x000000011ba92eb0 in __CFRunLoopDoTimer ()
#73	0x000000011ba92637 in __CFRunLoopDoTimers ()
#74	0x000000011ba8cec8 in __CFRunLoopRun ()
#75	0x000000011ba8c264 in CFRunLoopRunSpecific ()
#76	0x00000001304c95fb in fml::MessageLoopDarwin::Run() ()
#77	0x00000001304c36f4 in fml::MessageLoopImpl::DoRun() ()
#78	0x00000001304c860d in void* std::_LIBCPP_ABI_NAMESPACE::__thread_proxy[abi:v15000]<std::_LIBCPP_ABI_NAMESPACE::tuple<std::_LIBCPP_ABI_NAMESPACE::unique_ptr<std::_LIBCPP_ABI_NAMESPACE::__thread_struct, std::_LIBCPP_ABI_NAMESPACE::default_delete<std::_LIBCPP_ABI_NAMESPACE::__thread_struct> >, fml::Thread::Thread(std::_LIBCPP_ABI_NAMESPACE::function<void (fml::Thread::ThreadConfig const&)> const&, fml::Thread::ThreadConfig const&)::$_0> >(void*) ()
#79	0x0000000127eeb1d3 in _pthread_start ()
#80	0x0000000127ee6bd3 in thread_start ()

console log:

dispatch event to native side: target: BN-IMAGE Element(969985172) , arguments: [load, Pointer: address=0x7faed3b23d40, false], time: 95us
<BlankViewDetector.swift:127::detectBlankContent(_:insetBy:with:)> Result clearColorCount:43, otherCount:167; 166, 4158
<BlankUIPreventer.swift:117::handleUIPhase1(on:isBlank:refreshAction:)> <Blank UI check> Phase 1 result isBlank: false
Event::item << EVNET GET THIS: 0x7fae94d985a0
Event::item << EVNET GET THIS: 0x7fae94d985a0
dispatch event to native side: target: INPUT Element(957868748) , arguments: [touchstart, Pointer: address=0x7faea3f2ce70, true], time: 2904us
Event::item << EVNET GET THIS: 0x7fae94f0e820
dispatch event to native side: target: INPUT Element(957868748) , arguments: [touchstart, Pointer: address=0x7fae94f0f6a0, false], time: 400us
Event::item << EVNET GET THIS: 0x7fae94d99da0
dispatch event to native side: target: INPUT Element(957868748) , arguments: [touchstart, Pointer: address=0x7fae94d99c00, false], time: 258us
Event::item << EVNET GET THIS: 0x7fae94f14500
dispatch event to native side: target: INPUT Element(957868748) , arguments: [touchstart, Pointer: address=0x7fae938f4ee0, false], time: 333us
Event::item << EVNET GET THIS: 0x7fae94d9af00
dispatch event to native side: target: INPUT Element(957868748) , arguments: [touchstart, Pointer: address=0x7faea3f27fe0, false], time: 265us
Event::item << EVNET GET THIS: 0x7fae94f16070
dispatch event to native side: target: INPUT Element(957868748) , arguments: [touchstart, Pointer: address=0x7fae94f12cb0, false], time: 233us
Event::item << EVNET GET THIS: 0x7fae94d9b2a0
dispatch event to native side: target: INPUT Element(957868748) , arguments: [touchstart, Pointer: address=0x7faea3f29bc0, false], time: 261us
nativePtr: Pointer: address=0x7fae94699e70 type: UICommandType.addEvent args: touchmove nativePtr2: Pointer: address=0x7faed3ef73d0
nativePtr: Pointer: address=0x7fae94699e70 type: UICommandType.addEvent args: touchend nativePtr2: Pointer: address=0x7faed3efcfd0
Event::item << EVNET GET THIS: 0x7fae94cf0520
0x7fae94cf0520Set Event value: 12211 tag: 7 value: 0x20000f97ee0
0x7fae94cf0520Set Event value: 6803 tag: 0 value: 0x7fae949a3d70
0x7fae94cf0520Set Event value: 12289 tag: 7 value: 0x7fae948c2040
Event::item << EVNET GET THIS: 0x7fae94cf0520
Event::item << EVNET GET THIS: 0x7fae94cf0520
Event::item << key: _detail
Event::item << value: [object Object]
Event::item << EVNET GET THIS: 0x7fae94cf0520
Event::item << key: _type
RAW STRING: 0x7fae949a5120 len 5
Event::item << value: focus
Event::item << EVNET GET THIS: 0x7fae94cf0520
Event::item << key: _currentTarget
Event::item << value: [object BN-INPUT]
Main Thread Canton Monitor: Canton over 2.0s
Event::item << EVNET GET THIS: 0x7fae94cf0520
Event::item << key: _detail
Event::item << value: [object Object]
Event::item << EVNET GET THIS: 0x7fae94cf0520
Event::item << key: _type
RAW STRING: 0x100007fae93c3bbd len 3913917714
(lldb)