Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-105250

Access NULL m_platformWindow in qnsview_complextext.mm

    XMLWordPrintable

Details

    • macOS
    • 441993a9a (dev), ff2dcd861 (6.5), 6116f9591 (tqtc/lts-6.2), 00e1ff6b3 (tqtc/lts-5.15)

    Description

      For some reason, QNSView can be leaking or not deallocated in time. NSTextInputContext holds a weak reference to QNSView. If QCocoaWindow is deleted, QNSView's m_platformWindow will become NULL. But there is still a live NSView there. Then, NSTextInputContext might call into NSView (ComplexText) async later after QCococaWindow is deleted and crash at m_platformWindow->window().

      This caused random crashes. It's hard to reproduce. Please guard NULL m_platformWindow like other mm files.

      Callstack (selectedRange or attributedSubstringForProposedRange)

        4 ...em/libsystem_platform.dylib 0x007fff7136c5fd __sigtramp + 29
  5 ....framework/Versions/5/QtGui 0x0000010c908b74 __ZNK15QPlatformWindow6windowEv + 4
  6 ...s/platforms/libqcocoa.dylib 0x0000013b8f6ee4 -[QNSView(ComplexText) selectedRange] + 52
  7 ...framework/Versions/C/AppKit 0x007fff34bc6db5 -[NSTextInputContext(NSInputContext_WithCompletion) selectedRangeWithCompletionHandler:] + 92
  8 ...framework/Versions/C/AppKit 0x007fff34a82602 -[NSTextInputContext handleTSMEvent:completionHandler:] + 1581
  9 ...framework/Versions/C/AppKit 0x007fff34a81f65 __NSTSMEventHandler + 299
 10 ...mework/Versions/A/HIToolbox 0x007fff361c78ef __ZL23DispatchEventToHandlersP14EventTargetRecP14OpaqueEventRefP14HandlerCallRec + 1254
 11 ...mework/Versions/A/HIToolbox 0x007fff361c6d7d __ZL30SendEventToEventTargetInternalP14OpaqueEventRefP20OpaqueEventTargetRefP14HandlerCallRec + 329
 12 ...mework/Versions/A/HIToolbox 0x007fff361c6c2d _SendEventToEventTargetWithOptions + 45
 13 ...mework/Versions/A/HIToolbox 0x007fff3622391b _SendTSMEvent_WithCompletionHandler + 381
 14 ...mework/Versions/A/HIToolbox 0x007fff363cf186 ___SendTextInputEvent_WithCompletionHandler_block_invoke + 489
 15 ...mework/Versions/A/HIToolbox 0x007fff363cd96f _SendTextInputEvent_WithCompletionHandler + 1126
 16 ...mework/Versions/A/HIToolbox 0x007fff3642e634 -[IMKInputSession _postEvent:completionHandler:] + 156
 17 ...mework/Versions/A/HIToolbox 0x007fff3644180b -[IMKInputSession selectedRange_withCompletionHandler:] + 288
 18 ...mework/Versions/A/HIToolbox 0x007fff3642eee1 ___49-[IMKInputSession imkxpc_selectedRangeWithReply:]_block_invoke + 453
 19 ...k/Versions/A/CoreFoundation 0x007fff375d47fe ___CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12
 20 ...k/Versions/A/CoreFoundation 0x007fff375d4742 ___CFRunLoopDoBlocks + 386
 21 ...k/Versions/A/CoreFoundation 0x007fff375d364e ___CFRunLoopRun + 958
 22 ...k/Versions/A/CoreFoundation 0x007fff375d2c33 _CFRunLoopRunSpecific + 466
 23 ...mework/Versions/A/HIToolbox 0x007fff361eeaad _RunCurrentEventLoopInMode + 292
 24 ...mework/Versions/A/HIToolbox 0x007fff361ee7c5 _ReceiveNextEventCommon + 584
 25 ...mework/Versions/A/HIToolbox 0x007fff361ee569 __BlockUntilNextEventMatchingListInModeWithFilter + 64
 26 ...framework/Versions/C/AppKit 0x007fff348373c9 __DPSNextEvent + 883
 27 ...framework/Versions/C/AppKit 0x007fff34835c10 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1352
 28 ...framework/Versions/C/AppKit 0x007fff3482791e -[NSApplication run] + 658
 29 ...s/platforms/libqcocoa.dylib 0x0000013b8fc62f __ZN21QCocoaEventDispatcher13processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE + 2495
 30 ...framework/Versions/5/QtCore 0x0000010c2af79f __ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE + 431
 31 ...framework/Versions/5/QtCore 0x0000010c2b3d12 __ZN16QCoreApplication4execEv + 130
 32 ...ries/Neutron/NuBase10.dylib 0x00000127d41f56 __ZN13QTApplication4execEv + 18

      Attachments

        For Gerrit Dashboard: QTBUG-105250
        # Subject Branch Project Status CR V
        465845,6 macOS: Guard text input client from destroyed QCocoaWindow dev qt/qtbase Status: MERGED +2 0
        466427,2 macOS: Guard text input client from destroyed QCocoaWindow 6.5 qt/qtbase Status: MERGED +2 0
        466429,2 macOS: Guard text input client from destroyed QCocoaWindow tqtc/lts-6.2 qt/tqtc-qtbase Status: MERGED +2 0
        466430,5 macOS: Guard text input client from destroyed QCocoaWindow tqtc/lts-5.15 qt/tqtc-qtbase Status: MERGED +2 0

        Activity

          People

            vestbo Tor Arne Vestbø
            mingxiang Mingxiang Xu
            Votes:
            2 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes