Details
- Bug
- Resolution: Fixed
- P1: Critical
- 6.6.1
- None
- f429f12a7 (dev), 2c743bc0c (6.7), bd5b3ac85 (6.6)
Description
This crash was found as we ported our application (MeVisLab) to Qt 6. Our accompanying text editor crashed when restarted in maximized state, obviously because QDockAreaLayoutInfo::apply suddenly operated on deleted memory (the memory pattern is obvious in Debug mode in the Visual Studio runtime).
After some debugging we found that Qt ran into this situation (call stack):
ucrtbased.dll!00007ff9e326fe49() Unknown
ucrtbased.dll!00007ff9e315d070() Unknown
ucrtbased.dll!00007ff9e3160275() Unknown
Qt6Widgets_d.dll!operator delete(void * block) Line 38 C++
Qt6Widgets_d.dll!operator delete(void * block, unsigned __int64 __formal) Line 32 C++
Qt6Widgets_d.dll!QDockAreaLayoutInfo::`scalar deleting destructor'(unsigned int) C++
Qt6Widgets_d.dll!QDockAreaLayoutItem::~QDockAreaLayoutItem() Line 78 C++
[External Code]
Qt6Widgets_d.dll!QtPrivate::QGenericArrayOps<QDockAreaLayoutItem>::destroyAll() Line 398 C++
Qt6Widgets_d.dll!QArrayDataPointer<QDockAreaLayoutItem>::~QArrayDataPointer<QDockAreaLayoutItem>() Line 104 C++
Qt6Widgets_d.dll!QArrayDataPointer<QDockAreaLayoutItem>::operator=(const QArrayDataPointer<QDockAreaLayoutItem> & other) Line 66 C++
[External Code]
Qt6Widgets_d.dll!QMainWindowLayout::setGeometry(const QRect & _r) Line 2045 C++
Qt6Widgets_d.dll!QLayoutPrivate::doResize() Line 508 C++
Qt6Widgets_d.dll!QLayout::activate() Line 1056 C++
Qt6Widgets_d.dll!QMainWindowLayout::getTabBar() Line 1854 C++
Qt6Widgets_d.dll!QDockAreaLayoutInfo::updateTabBar() Line 2106 C++
Qt6Widgets_d.dll!QDockAreaLayoutInfo::tabBarSizeHint() Line 2199 C++
Qt6Widgets_d.dll!QDockAreaLayoutInfo::apply(bool animate) Line 1517 C++
Qt6Widgets_d.dll!QDockAreaLayoutInfo::apply(bool animate) Line 1557 C++
Qt6Widgets_d.dll!QDockAreaLayout::apply(bool animate) Line 3210 C++
Qt6Widgets_d.dll!QMainWindowLayoutState::apply(bool animated) Line 716 C++
Qt6Widgets_d.dll!QMainWindowLayout::applyState(QMainWindowLayoutState & newState, bool animate) Line 2982 C++
Qt6Widgets_d.dll!QMainWindowLayout::setGeometry(const QRect & _r) Line 2066 C++
Qt6Widgets_d.dll!QLayoutPrivate::doResize() Line 508 C++
Qt6Widgets_d.dll!QLayout::activate() Line 1056 C++
Qt6Widgets_d.dll!QWidgetPrivate::setVisible(bool visible) Line 8394 C++
Qt6Widgets_d.dll!QWidget::setVisible(bool visible) Line 8355 C++
MLABTextEditor_d.dll!MLABTextEditor::setVisible(bool visible) Line 503 C++
Qt6Widgets_d.dll!QWidget::show() Line 7981 C++
MLABTextEditor_d.dll!MLABTextEditorPublic::show() Line 64 C++
MATE_d.exe!main(int orig_argc, char * * orig_argv) Line 214 C++
MATE_d.exe!qtEntryPoint() Line 50 C++
MATE_d.exe!WinMain(HINSTANCE__ * __formal, HINSTANCE__ * __formal, char * __formal, int __formal) Line 60 C++
[External Code]
While applying the new layout state, the code manages to recursively run into setGeometry again, which replaces the layout state again; that layout state is the data structure which e.g. QDockAreaLayoutInfo::apply is currently working on and has a pointer stored to.
I guess the crash will not be as visible in Release mode, or on other platforms, where the memory is not overwritten when it is released.
Another important tidbit of information is that the check in QLayout::activate() (whether the "activated" flag is already set) fails in this case because a new tab bar is created during the call, which invalidates the layout and unsets the "activated" flag.
Unfortunately we were not able to condense the crash into a small sample application, as we were missing some secret ingredient.
But we have a patch that fixed the crash for us, which is attached.
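As an added illustration (hypothetical model, not Qt's code and not the attached patch), the re-entrant path from the call stack above, reduced to its essentials: an outer apply holds a pointer into the current layout state while a nested activate() -> setGeometry() replaces that state. A generation counter stands in for the freed item list so the model reports the hazard instead of touching freed memory; the `inApply` guard is an illustrative mitigation, not the fix that was committed.

```cpp
#include <string>
#include <vector>

struct DockItem { std::string name; };
struct LayoutState { std::vector<DockItem> items; };

struct MainWindowLayout {
    LayoutState layoutState;       // stands in for QMainWindowLayout::layoutState
    unsigned generation = 0;       // bumped each time layoutState is replaced
    bool activated = false;        // QLayout's "activated" flag
    bool inApply = false;          // hypothetical re-entrancy guard
    bool useGuard;
    bool lastApplyStable = true;

    explicit MainWindowLayout(bool guard) : useGuard(guard) {
        layoutState.items = {{"left"}, {"right"}};
    }

    // Mirrors QLayout::activate(): skipped only while "activated" is still set.
    void activate() {
        if (activated) return;
        activated = true;
        setGeometry();
    }

    // Mirrors QMainWindowLayout::setGeometry(): replaces layoutState, then applies it.
    void setGeometry() {
        if (useGuard && inApply) return;     // hardened variant: refuse to re-enter mid-apply
        LayoutState fresh;
        fresh.items = {{"left"}, {"right"}, {"bottom"}};
        layoutState = std::move(fresh);      // the old items vector is destroyed here
        ++generation;
        if (!inApply) applyState();
    }

    // Mirrors QDockAreaLayoutInfo::apply(): keeps a pointer into layoutState.items
    // while a nested call (tab bar creation -> activate()) may replace the state.
    void applyState() {
        inApply = true;
        const unsigned seen = generation;
        const DockItem *first = &layoutState.items.front();  // dangles if the state is replaced
        activated = false;   // creating the tab bar invalidates the layout (as in the report)
        activate();          // nested QLayout::activate() -> doResize() -> setGeometry()
        inApply = false;
        lastApplyStable = (generation == seen);               // false: `first` now points at freed memory
        if (lastApplyStable) lastApplyStable = (first->name == "left"); // safe to read only then
    }
};

// true if apply() finished without its layout state being replaced underneath it.
bool applyIsStable(bool guarded) {
    MainWindowLayout w(guarded);
    w.setGeometry();
    return w.lastApplyStable;
}
```

Under AddressSanitizer the unguarded variant of the real code would report the read through `first` as a heap-use-after-free; here the generation check flags it instead.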