Ladybird/Qt: Ensure the Inspector widget is deleted before the WebView

According to Qt documentation, destruction of a QObject's children may happen in any order. In our case, the Tab's WebContentView is deleted before its InspectorWidget. The InspectorWidget performs cleanup on that WebContentView in its destructor; this causes use-after-free since it has already been destroyed. From reading Qt threads, if a particular destruction order is required, it is okay to enforce that order with manual `delete`s. This patch does so with the InspectorWidget to ensure it is deleted before the WebContentView. Qt's object ownership is okay with this - it will remove the InspectorWidget from the Tab's children, preventing any double deletion.
Author: https://github.com/trflynn89 Commit: https://github.com/SerenityOS/serenity/commit/c4e2c725ec Pull-request: https://github.com/SerenityOS/serenity/pull/22490 Issue: https://github.com/SerenityOS/serenity/issues/22279 Reviewed-by: https://github.com/ADKaster ✅
2024-11-21 23:20:20 +00:00 · 2023-12-29 09:05:05 -05:00 · 2023-12-29 09:05:05 -05:00 · c4e2c725ec · 2024-07-17 10:08:28 +09:00
commit c4e2c725ec
parent a2bd19fdac
1 changed files with 4 additions and 0 deletions
--- a/Ladybird/Qt/Tab.cpp
+++ b/Ladybird/Qt/Tab.cpp
@ -579,6 +579,10 @@ Tab::Tab(BrowserWindow* window, WebContentOptions const& web_content_options, St
 Tab::~Tab()
 {
    close_sub_widgets();
+
+    // Delete the InspectorWidget explicitly to ensure it is deleted before the WebContentView. Otherwise, Qt
+    // can destroy these objects in any order, which may cause use-after-free in InspectorWidget's destructor.
+    delete m_inspector_widget;
 }

 void Tab::select_dropdown_add_item(QMenu* menu, Web::HTML::SelectItem const& item)