Details
- Bug
- Resolution: Fixed
- P2: Important
- 5.12.0
- None
Description
Deleting a QCamera instance and then returning to the event loop causes a read access violation due to the deferred delete of DirectShowSampleGrabber. The QCamera destructor leads to the immediate release of DSServicePlugin and hence a call to CoUninitialize; however, DirectShowSampleGrabber contains a COM pointer that it still thinks is valid and tries to use in the deferred delete, leading to the read access violation.
Min repro:
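#include <QCoreApplication>
#include <QCamera>
#include <QCameraInfo>
#include <QTimer>

int main(int argc, char *argv[])
{
    QCoreApplication app(argc, argv);

    // make sure you have at least one camera on the system
    QCamera *camera = new QCamera(QCameraInfo::defaultCamera());
    camera->setCaptureMode(QCamera::CaptureStillImage);
    camera->start();

    // delete the camera from inside the event loop, then return to the loop
    QTimer::singleShot(0, [&] { delete camera; });

    return app.exec();
}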
Violation is raised at line 148 of qtmultimedia/src/plugins/directshow/common/directshowsamplegrabber.cpp once control returns to the event loop after the deletion of the QCamera instance.
The deferred delete event is set up at line 440 of qtmultimedia/src/plugins/directshow/camera/dscamerasession.cpp
Not sure what the best fix would be; perhaps DirectShowSampleGrabber should call addRefCount() and releaseRefCount() from dsserviceplugin.cpp to ensure the plugin lifetime outlasts its own lifetime.
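The lifetime ordering described in this report, modelled without Qt or COM as an added example (not code from Qt or from the reporter). `Runtime`, `Grabber` and `runScenario` are hypothetical stand-ins, and the pinned case illustrates the reference-counting idea suggested above, not the fix that was actually applied.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Stand-in for the COM runtime: torn down when the last reference is released.
struct Runtime {
    int refs = 0;
    bool alive = false;
    std::vector<std::string> log;
    void addRef()  { if (refs++ == 0) { alive = true;  log.push_back("init"); } }
    void release() { if (--refs == 0) { alive = false; log.push_back("uninit"); } }
};

// Stand-in for an object that holds a runtime-backed pointer and is deleted later.
struct Grabber {
    Runtime &rt;
    bool pinsRuntime;
    Grabber(Runtime &r, bool pin) : rt(r), pinsRuntime(pin) { if (pin) rt.addRef(); }
    ~Grabber() {
        // A real destructor would release its COM pointer here; the model only
        // records whether the runtime was still initialised at that moment.
        rt.log.push_back(rt.alive ? "grabber released safely"
                                  : "grabber used dead runtime");
        if (pinsRuntime) rt.release();
    }
};

// Replays the reported sequence: the owner is destroyed at once, the grabber
// only when the event loop runs its deferred delete. Returns the event order.
std::vector<std::string> runScenario(bool grabberPinsRuntime) {
    Runtime rt;
    std::vector<std::function<void()>> deferred;  // models the deferred-delete queue
    rt.addRef();                                  // owner holds the plugin
    Grabber *g = new Grabber(rt, grabberPinsRuntime);
    deferred.push_back([g] { delete g; });        // deferred delete scheduled
    rt.release();                                 // owner destroyed immediately
    for (auto &job : deferred) job();             // control returns to the event loop
    return rt.log;
}

int main() {
    for (bool pin : {false, true}) {
        std::cout << (pin ? "pinned:" : "unpinned:");
        for (const auto &e : runScenario(pin)) std::cout << " [" << e << "]";
        std::cout << "\n";
    }
}
```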