Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 6.4.2, 6.5.0 Beta1
Affects Version/s: 6.3.2
Component/s: Network
Labels:
None

Platform/s:

Windows
Commits:
7898de4258 (qt/qtbase/dev) 7898de4258 (qt/tqtc-qtbase/dev) 21b8d6ae32 (qt/qtbase/6.4) 21b8d6ae32 (qt/tqtc-qtbase/6.4)

Description

Found this while analyzing users crash reports.

0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.

 	KERNELBASE.dll!RaiseException()	Unknown
 	VCRUNTIME140_1.dll!__FrameHandler4::CxxCallCatchBlock(_EXCEPTION_RECORD * pExcept) Line 1417	C++
 	ntdll.dll!RcConsolidateFrames()	Unknown
>	[Inline Frame] qnetworklistmanager.dll!QNetworkListManagerEvents::start::__l2::<lambda_133c85ad4c1a3336a3359c8b36a06538>::operator()(const winrt::Windows::Foundation::IInspectable) Line 144	C++
 	qnetworklistmanager.dll!winrt::impl::delegate<winrt::Windows::Networking::Connectivity::NetworkStatusChangedEventHandler,<lambda_133c85ad4c1a3336a3359c8b36a06538>>::Invoke(void * sender) Line 795	C++
 	[Inline Frame] Windows.Networking.Connectivity.dll!Microsoft::WRL::Details::CreateAgileHelper::__l2::<lambda_596fb6baab66b9ed4bfb383b84c65e56>::operator()(IInspectable * &&) Line 297	C++
 	Windows.Networking.Connectivity.dll!Microsoft::WRL::Details::DelegateArgTraits<long (__cdecl Windows::Networking::Connectivity::INetworkStatusChangedEventHandler::*)(IInspectable *)>::DelegateInvokeHelper<Microsoft::WRL::Implements<Microsoft::WRL::RuntimeClassFlags<2>,Windows::Networking::Connectivity::INetworkStatusChangedEventHandler,Microsoft::WRL::FtmBase>,<lambda_596fb6baab66b9ed4bfb383b84c65e56>,-1,IInspectable *>::Invoke(IInspectable * <args_0>) Line 245	C++
 	[Inline Frame] Windows.Networking.Connectivity.dll!Microsoft::WRL::EventSource<Windows::Networking::Connectivity::INetworkStatusChangedEventHandler,Microsoft::WRL::InvokeModeOptions<-2>>::InvokeAll::__l2::<lambda_6a8a3d90c3b1ada96158795aae7d83f6>::operator()(Microsoft::WRL::ComPtr<IUnknown> &) Line 820	C++
 	Windows.Networking.Connectivity.dll!Microsoft::WRL::InvokeTraits<-2>::InvokeDelegates<<lambda_6a8a3d90c3b1ada96158795aae7d83f6>,Windows::Networking::Connectivity::INetworkStatusChangedEventHandler>(Microsoft::WRL::EventSource<Windows::Networking::Connectivity::INetworkStatusChangedEventHandler,Microsoft::WRL::InvokeModeOptions<-2>>::InvokeAll::__l2::<lambda_6a8a3d90c3b1ada96158795aae7d83f6> invokeOne, Microsoft::WRL::Details::EventTargetArray * targetArray, Microsoft::WRL::EventSource<Windows::Networking::Connectivity::INetworkStatusChangedEventHandler,Microsoft::WRL::InvokeModeOptions<-2>> * pEvent) Line 119	C++
 	Windows.Networking.Connectivity.dll!Microsoft::WRL::EventSource<Windows::Networking::Connectivity::INetworkStatusChangedEventHandler,Microsoft::WRL::InvokeModeOptions<-2>>::DoInvoke<<lambda_6a8a3d90c3b1ada96158795aae7d83f6>>(Microsoft::WRL::EventSource<Windows::Networking::Connectivity::INetworkStatusChangedEventHandler,Microsoft::WRL::InvokeModeOptions<-2>>::InvokeAll::__l2::<lambda_6a8a3d90c3b1ada96158795aae7d83f6> invokeOne) Line 812	C++
 	[Inline Frame] Windows.Networking.Connectivity.dll!Microsoft::WRL::EventSource<Windows::Networking::Connectivity::INetworkStatusChangedEventHandler,Microsoft::WRL::InvokeModeOptions<-2>>::InvokeAll(void * <args_0>) Line 820	C++
 	[Inline Frame] Windows.Networking.Connectivity.dll!Windows::Networking::Connectivity::CEventDispatcher::_InvokeListeners() Line 276	C++
 	Windows.Networking.Connectivity.dll!Windows::Networking::Connectivity::CEventDispatcher::_InvokeListenersCallback(_TP_CALLBACK_INSTANCE * Instance, void * Context, _TP_WORK * __formal) Line 270	C++
 	ntdll.dll!TppWorkpExecuteCallback()	Unknown
 	ntdll.dll!TppWorkerThread()	Unknown
 	kernel32.dll!BaseThreadInitThunk()	Unknown
 	ntdll.dll!RtlUserThreadStart()	Unknown

It seems that NetworkStatusChanged's callback is called on time when QNetworkListManagerEvents object ("this" captured into lambda) was already destroyed.

Unfortunately I have no reproducer as it never happened for me locally.
But the app do nothing special:
it just initializes QNetworkInformation on the start (in UI thread) to track Internet reachability

    QNetworkInformation::load(QNetworkInformation::Feature::Reachability);
    auto networkInformation = QNetworkInformation::instance();
    if (networkInformation)  {
        connect(networkInformation, &QNetworkInformation::reachabilityChanged, this, [this](const auto newReachability) {
...
        });
    }

and it's destroyed by the Qt itself on exit

 	qnetworklistmanager.dll!QNetworkListManagerEvents::stop() Line 162	C++
 	[Inline Frame] qnetworklistmanager.dll!QNetworkListManagerNetworkInformationBackend::stop() Line 238	C++
 	[Inline Frame] qnetworklistmanager.dll!QNetworkListManagerNetworkInformationBackend::{dtor}() Line 181	C++
 	qnetworklistmanager.dll!QNetworkListManagerNetworkInformationBackend::`scalar deleting destructor'(unsigned int)	C++
 	[Inline Frame] Qt6Network.dll!std::default_delete<QNetworkInformationBackend>::operator()(QNetworkInformationBackend *) Line 3090	C++
 	[Inline Frame] Qt6Network.dll!std::unique_ptr<QNetworkInformationBackend,std::default_delete<QNetworkInformationBackend>>::{dtor}() Line 3198	C++
 	Qt6Network.dll!QNetworkInformationPrivate::`scalar deleting destructor'(unsigned int)	C++
 	[Inline Frame] Qt6Core.dll!QScopedPointerDeleter<QObjectData>::cleanup(QObjectData *) Line 60	C++
 	[Inline Frame] Qt6Core.dll!QScopedPointer<QObjectData,QScopedPointerDeleter<QObjectData>>::{dtor}() Line 116	C++
 	Qt6Core.dll!QObject::~QObject() Line 1114	C++
 	[Inline Frame] Qt6Network.dll!QNetworkInformation::{dtor}() Line 536	C++
 	Qt6Network.dll!QNetworkInformation::`vector deleting destructor'(unsigned int)	C++
 	[Inline Frame] Qt6Network.dll!QNetworkInformationDeleter::operator()(QNetworkInformation *) Line 62	C++
 	[Inline Frame] Qt6Network.dll!std::unique_ptr<QNetworkInformation,QNetworkInformationDeleter>::reset(QNetworkInformation *) Line 3233	C++
>	Qt6Network.dll!networkInfoCleanup() Line 91	C++
 	Qt6Core.dll!qt_call_post_routines() Line 345	C++
 	Qt6Widgets.dll!QApplication::~QApplication() Line 686	C++

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

screenshot-1.png
183 kB
04 Nov '22 16:37

Issue Links

relates to

QTBUG-108156 Unhandled exception on QNetworkInformation::load()

Closed

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

For Gerrit Dashboard: QTBUG-108218
#	Subject	Branch	Project	Status	CR	V
441981,5	QNetworkInformation[Win]: Fix potential use-after/during-free	dev	qt/qtbase	Status: MERGED	+2	0
442519,1	QNetworkInformation[Win]: Fix potential use-after/during-free	6.4.1	qt/qtbase	Status: ABANDONED	0	0
442520,3	QNetworkInformation[Win]: Fix potential use-after/during-free	6.4	qt/qtbase	Status: MERGED	+2	0