  1. Qt
  2. QTBUG-50545

[Mac] QAccessibleWidget::state() crash due to accessing NULL pointer

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 5.6.0
    • 5.6
    • None
    • OSX 10.10
    • macOS

    Description

      I'm getting a reproducible crash in my application that's happening when several widgets are being deleted. Coming up with a minimal example outside of our application would be a big challenge, but looking at what's happening, I think the fix is pretty clear.

      The call stack when I get the crash is as follows:

      1	QWidget::testAttribute(Qt::WidgetAttribute) const	qwidget.h	857	0x1098334fd	
      2	QAccessibleWidget::state() const	qaccessiblewidget.cpp	480	0x109b6984b	
      3	QCocoaAccessible::hasValueAttribute(QAccessibleInterface *)	qcocoaaccessibility.mm	340	0x112fafe8c	
      4	-[QMacAccessibilityElement accessibilityAttributeNames]	qcocoaaccessibilityelement.mm	199	0x112fab1e8	
      5	NSAccessibilityEntryPointAttributeNames			0x7fff93ae616e	
      6	-[NSObject(NSAccessibilityInternal) _accessibilityAttributeNamesClientError:]			0x7fff93b234bf	
      7	CopyAttributeNames			0x7fff93b2653a	
      8	_AXXMIGCopyAttributeNames			0x7fff979abbde	
      9	_XCopyAttributeNames			0x7fff979b40d6	
      10	mshMIGPerform			0x7fff97990119	
      11	__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__			0x7fff8c35cc79	
      12	__CFRunLoopDoSource1			0x7fff8c35cbeb	
      13	__CFRunLoopRun			0x7fff8c34e767	
      14	CFRunLoopRunSpecific			0x7fff8c34dbd8	
      15	RunCurrentEventLoopInMode			0x7fff8917356f	
      16	ReceiveNextEventCommon			0x7fff891732ea	
      17	_BlockUntilNextEventMatchingListInModeWithFilter			0x7fff8917312b	
      18	_DPSNextEvent			0x7fff937448ab	
      19	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]			0x7fff93743e58	
      20	-[NSApplication run]			0x7fff93739af3	
      21	QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)	qcocoaeventdispatcher.mm	416	0x112f8a686	
      22	QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)	qeventloop.cpp	128	0x10bc8e35a	
      23	QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)	qeventloop.cpp	204	0x10bc8e576	
      24	QCoreApplication::exec()	qcoreapplication.cpp	1283	0x10bc93cc4	
      25	QGuiApplication::exec()	qguiapplication.cpp	1593	0x10a8aa706	
      26	QApplication::exec()	qapplication.cpp	2971	0x10982c369	
      27	main	IgorQtMain.cpp	834	0x1028e61c2	
      28	start			0x7fff979855c9	
      

      In the debugger, if I look at QAccessibleWidget::state(), on line 479 the call to widget() returns NULL. On the next line, that NULL pointer is dereferenced, causing a crash.

      Adding a test for w after line 479 seems like it would avoid this particular crash.

      I'm using qtbase 99e25dd7d8bfcb184852110c5f882b89cfb889df from the 5.6 branch (updated on 18-Jan-2016).

          People

            frederik Frederik Gladhorn
            aclight Adam Light
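The guard suggested in the description, shown as an added example that is not part of the original report and is not Qt's source code. `Widget`, `State`, `AccessibleWidget` and `queryAfterDeletion` are hypothetical stand-ins, and returning a state marked invalid when the widget is gone is an assumption about what the check should do.

```cpp
// Added illustration: Widget, State and AccessibleWidget are hypothetical
// stand-ins for the Qt classes named in the report, not Qt code.
#include <memory>

struct Widget { bool enabled = true; bool visible = true; };
struct State { bool invalid = false; bool disabled = false; bool invisible = false; };

// An accessibility interface that can outlive its widget. The weak_ptr models
// a tracked pointer: widget() yields nullptr once the widget is destroyed.
class AccessibleWidget {
public:
    explicit AccessibleWidget(const std::shared_ptr<Widget> &w) : m_widget(w) {}
    Widget *widget() const { return m_widget.lock().get(); }

    // Pattern from the report: widget() result used without a check.
    State stateUnchecked() const {
        Widget *w = widget();
        State s;
        s.disabled = !w->enabled;   // null dereference once the widget is gone
        s.invisible = !w->visible;
        return s;
    }

    // Guarded variant: test w first; marking the state invalid is an assumption.
    State state() const {
        State s;
        Widget *w = widget();
        if (!w) {
            s.invalid = true;
            return s;
        }
        s.disabled = !w->enabled;
        s.invisible = !w->visible;
        return s;
    }
private:
    std::weak_ptr<Widget> m_widget;
};

// Sequence from the call stack: widget deleted, then the platform queries
// the still-registered interface from the event loop.
State queryAfterDeletion() {
    auto w = std::make_shared<Widget>();
    AccessibleWidget iface(w);
    w.reset();              // widget destroyed, interface still alive
    return iface.state();   // stateUnchecked() would dereference nullptr here
}

int main() { return queryAfterDeletion().invalid ? 0 : 1; }
```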