Qt / QTBUG-38800

Segmentation fault in QFontEngineFT::init when filling a model asynchronously


Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • 5.4.0 RC
    • 5.3.0 Beta1, 5.3.0
    • None
    • Kubuntu 13.10
      gcc (Ubuntu/Linaro 4.8.1-10ubuntu9) 4.8.1
      Qt 5.3.0-beta or Qt from git stable on May 5th
    • dd08a22a4e8d7120341a1227e227de3f0628dd2f

    Description

      Attached is a test case that crashes due to what looks like a race condition in QFontEngineFT::init(..).

      There are a number of things that need to be present in order for this crash to happen:

      • The "label" Text element needs to have an HTML tag at the end (in this case, <tt>)
      • The "codeLine" Text element needs to have the FontLoader included
      • The model is populated asynchronously when we set the "code" property on it (the timer in CodeModel emulates the original application, where we pass the code through a webview)

      The interval on the timer in CodeModel.cpp might need to be modified in order to have it crash. For me, it crashes with an interval between 0 and 45 ms.

      It crashes both with 5.3.0-beta as well as with the stable git branch. The original application also crashes with 5.2.1, although I do not get the test application to do that.

      It no longer crashes if I set the environment variable QSG_RENDER_LOOP to "basic".

      Backtrace (with git stable from May 5th):
      0 main_arena /lib/x86_64-linux-gnu/libc.so.6 0x7ffff59a5d48
      1 FT_Get_PS_Font_Info /usr/lib/x86_64-linux-gnu/libfreetype.so.6 0x7fffefaec83d
      2 QFontEngineFT::init qfontengine_ft.cpp 705 0x7ffff187d715
      3 QFontEngineFT::init qfontengine_ft.cpp 680 0x7ffff187d5b4
      4 QFontconfigDatabase::fontEngine qfontconfigdatabase.cpp 652 0x7ffff1888613
      5 loadSingleEngine qfontdatabase.cpp 825 0x7ffff68c611c
      6 loadEngine qfontdatabase.cpp 847 0x7ffff68c62ae
      7 QFontDatabase::findFont qfontdatabase.cpp 2525 0x7ffff68cb825
      8 QFontDatabase::load qfontdatabase.cpp 2607 0x7ffff68cbdc7
      9 QFontPrivate::engineForScript qfont.cpp 218 0x7ffff689dc43
      10 QTextEngine::fontEngine qtextengine.cpp 1926 0x7ffff68d71f7
      11 QTextEngine::shapeText qtextengine.cpp 924 0x7ffff68d2d63
      12 QTextEngine::shape qtextengine.cpp 1401 0x7ffff68d4c63
      13 QTextLine::layout_helper qtextlayout.cpp 1753 0x7ffff68ece41
      14 QTextLine::setLineWidth qtextlayout.cpp 1537 0x7ffff68ec36d
      15 QTextDocumentLayoutPrivate::layoutBlock qtextdocumentlayout.cpp 2638 0x7ffff6942eea
      16 QTextDocumentLayoutPrivate::layoutFlow qtextdocumentlayout.cpp 2424 0x7ffff69417f2
      17 QTextDocumentLayoutPrivate::layoutFrame qtextdocumentlayout.cpp 2165 0x7ffff693ff74
      18 QTextDocumentLayoutPrivate::layoutFrame qtextdocumentlayout.cpp 2071 0x7ffff693f432
      19 QTextDocumentLayout::doLayout qtextdocumentlayout.cpp 2964 0x7ffff6944f25
      20 QTextDocumentLayoutPrivate::ensureLayoutedByPosition qtextdocumentlayout.cpp 3136 0x7ffff6945c87
      21 QTextDocumentLayoutPrivate::layoutStep qtextdocumentlayout.cpp 3142 0x7ffff6945cde
      22 QTextDocumentLayout::documentChanged qtextdocumentlayout.cpp 2921 0x7ffff6944b65
      23 QTextDocument::setDefaultFont qtextdocument.cpp 1618 0x7ffff690a585
      24 QQuickTextPrivate::updateSize qquicktext.cpp 470 0x7ffff791104e
      25 QQuickText::updatePolish qquicktext.cpp 2263 0x7ffff7917890
      26 QQuickWindowPrivate::polishItems qquickwindow.cpp 271 0x7ffff78bba51
      27 QSGThreadedRenderLoop::polishAndSync qsgthreadedrenderloop.cpp 1150 0x7ffff788eece
      28 QSGThreadedRenderLoop::handleExposure qsgthreadedrenderloop.cpp 986 0x7ffff788e820
      29 QSGThreadedRenderLoop::exposureChanged qsgthreadedrenderloop.cpp 920 0x7ffff788e442
      30 QQuickWindow::exposeEvent qquickwindow.cpp 216 0x7ffff78bb7b0
      31 QWindow::event qwindow.cpp 1956 0x7ffff67e45fc
      32 QQuickWindow::event qquickwindow.cpp 1341 0x7ffff78bf5bd
      33 QCoreApplicationPrivate::notify_helper qcoreapplication.cpp 1052 0x7ffff61e5ebe
      34 QCoreApplication::notify qcoreapplication.cpp 997 0x7ffff61e5b80
      35 QGuiApplication::notify qguiapplication.cpp 1457 0x7ffff67d483c
      36 QCoreApplication::notifyInternal qcoreapplication.cpp 935 0x7ffff61e5a88
      37 QCoreApplication::sendSpontaneousEvent qcoreapplication.h 240 0x7ffff67dbc37
      38 QGuiApplicationPrivate::processExposeEvent qguiapplication.cpp 2528 0x7ffff67d91ab
      39 QGuiApplicationPrivate::processWindowSystemEvent qguiapplication.cpp 1566 0x7ffff67d4af6
      40 QWindowSystemInterface::sendWindowSystemEvents qwindowsysteminterface.cpp 579 0x7ffff67bf1b1
      41 QUnixEventDispatcherQPA::processEvents qunixeventdispatcher.cpp 71 0x7ffff1891cf1
      42 QEventLoop::processEvents qeventloop.cpp 136 0x7ffff61e27b8
      43 QEventLoop::exec qeventloop.cpp 212 0x7ffff61e2a83
      44 QCoreApplication::exec qcoreapplication.cpp 1188 0x7ffff61e616e
      45 QGuiApplication::exec qguiapplication.cpp 1436 0x7ffff67d4764
      46 main main.cpp 24 0x403894

      In the rare case that it actually runs all the way through, at shutdown I get a crash in QFreetypeFace::cleanup instead:
      0 ?? 0x7fff00000003
      1 QFreetypeFace::cleanup qfontengine_ft.cpp 325 0x7ffff187b585
      2 QtFreetypeData::~QtFreetypeData qfontengine_ft.cpp 153 0x7ffff187aa32
      3 qThreadStorage_deleteData<QtFreetypeData> qthreadstorage.h 94 0x7ffff1886b0a
      4 QThreadStorage<QtFreetypeData*>::deleteData qthreadstorage.h 137 0x7ffff18861f6
      5 QThreadStorageData::finish qthreadstorage.cpp 203 0x7ffff5f6f17b
      6 QCoreApplicationPrivate::cleanupThreadData qcoreapplication.cpp 455 0x7ffff61e4a0e
      7 QGuiApplicationPrivate::~QGuiApplicationPrivate qguiapplication.cpp 1303 0x7ffff67d44f7
      8 QGuiApplicationPrivate::~QGuiApplicationPrivate qguiapplication.cpp 1319 0x7ffff67d46bc
      9 QScopedPointerDeleter<QObjectData>::cleanup qscopedpointer.h 62 0x7ffff622dae4
      10 QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer qscopedpointer.h 109 0x7ffff622c015
      11 QObject::~QObject qobject.cpp 880 0x7ffff6221606
      12 QCoreApplication::~QCoreApplication qcoreapplication.cpp 777 0x7ffff61e58d4
      13 QGuiApplication::~QGuiApplication qguiapplication.cpp 550 0x7ffff67d18d8
      14 main main.cpp 24 0x4038ae

    People

      esabraha Eskil Abrahamsen Blomfeldt
      tnatterlund Tobias Nätterlund