Qt / QTBUG-45060

Crash caused by use after free in QQuickPixmap

    • Bug
    • Resolution: Incomplete
    • P1: Critical
    • None
    • 5.4.0
    • None
    • Windows 7, 64 bit, qt 5.4 msvc 2013.

      Had crash reports coming in from users with the following stack trace:

      0    QMetaObject::connect    qobject.cpp    3207    0x6631c6e5    
      1    QQuickPixmap::connectFinished    qquickpixmapcache.cpp    1363    0x56fa7d    
      2    QQuickImageBase::load    qquickimagebase.cpp    235    0x701fe3    
      3    QQuickImageBase::componentComplete    qquickimagebase.cpp    300    0x702079    
      4    QQmlObjectCreator::finalize    qqmlobjectcreator.cpp    1231    0x65508039    
      5    QQmlIncubatorPrivate::incubate    qqmlincubator.cpp    348    0x65476f4a    
      6    QQmlEnginePrivate::incubate    qqmlincubator.cpp    89    0x654766e3    
      7    QQmlComponent::create    qqmlcomponent.cpp    1069    0x6547066d    
      8    QQuickLoaderPrivate::_q_sourceLoaded    qquickloader.cpp    715    0x74a656    
      9    QQuickLoaderPrivate::load    qquickloader.cpp    597    0x749c22    
      10    QQuickLoader::componentComplete    qquickloader.cpp    807    0x749429    
      11    QQmlObjectCreator::finalize    qqmlobjectcreator.cpp    1231    0x65508039    
      12    QQmlComponentPrivate::complete    qqmlcomponent.cpp    930    0x65471fec    
      13    QQmlComponentPrivate::completeCreate    qqmlcomponent.cpp    964    0x65471ae6    
      14    QQmlComponent::completeCreate    qqmlcomponent.cpp    958    0x6547049c    
      15    QQmlComponent::create    qqmlcomponent.cpp    792    0x654703ed    
      16    QQuickView::continueExecute    qquickview.cpp    476    0x751211    
      17    QQuickViewPrivate::execute    qquickview.cpp    125    0x751928    
      18    QQuickView::setSource    qquickview.cpp    
      

      After some digging around, I added some more (rough) logging into QDeclarative (see extra_pixmap_logging.patch) and observed the following in my logs (followed by a crash):

      2015-03-17 13.42.54.713 [0x000670] Debug: QQuickPixmapReply destroyed  QQuickPixmapReply(0x2980618)
      <snip>
      2015-03-17 13.42.55.888 [0x000670] Debug: QQuickPixmap::connectFinished, d:  0xa7d0c30 , reply:  43517464 , o: QQuickImage(0xd7c9338)
      

      43517464 in hex is 0x2980618.

      The qml view being shown is a few text lines and an image. The image source is an http location. Immediately prior to this view being shown, a similar type of view with the same image source is created and destroyed.

      So, we have 2 views; ImageView.qml & ImageView2.qml, and the image source is the same http location, the app behaviour is:

      1. Create and show ImageView.qml
      2. Destroy ImageView.qml.
      3. Attempt to create and show ImageView2.qml -> crash with the above stack trace

      Unfortunately, I have not managed to get a test case on its own, or even a sample app; I can semi-reliably reproduce it within our own app though at the moment. I suspect it might have something to do with Pixmap caching, so I disabled it in the qml file with 'cache: false', under which I have not been able to repeat the crash, but as I can't reliably repeat the crash anyway, this may just be a coincidence.

            lagocs Laszlo Agocs
            neil Neil Williams
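
The manual correlation in the report (a QQuickPixmapReply address logged in hex at destruction, then printed in decimal by connectFinished) can be automated over a whole log. This is an added example, not part of the original report or of Qt: the two line formats are assumed to match the log lines quoted above, the "created" line is a hypothetical extra log message, and the sample log is constructed.

```python
import re

# Formats assumed from the two log lines quoted in the report.
DESTROYED = re.compile(r"QQuickPixmapReply destroyed\s+QQuickPixmapReply\((0x[0-9a-fA-F]+)\)")
CONNECT = re.compile(r"QQuickPixmap::connectFinished, d:\s*\S+\s*, reply:\s*(\S+)\s*, o:")
# Hypothetical line: the report's logging patch is not shown, so a creation
# message in this shape is an assumption used to handle address reuse.
CREATED = re.compile(r"QQuickPixmapReply created\s+QQuickPixmapReply\((0x[0-9a-fA-F]+)\)")


def parse_ptr(token):
    """Accept both forms seen in the log: 0x-prefixed hex and plain decimal."""
    return int(token, 0)


def find_stale_reply_use(lines):
    """Return (line_no, reply_addr, destroyed_line_no) for every connectFinished
    whose reply address was logged as destroyed and not re-created since."""
    destroyed = {}  # address -> line number of the destruction message
    findings = []
    for no, line in enumerate(lines, 1):
        if m := CREATED.search(line):
            # The allocator handed the address to a new, live reply.
            destroyed.pop(parse_ptr(m.group(1)), None)
        elif m := DESTROYED.search(line):
            destroyed[parse_ptr(m.group(1))] = no
        elif m := CONNECT.search(line):
            addr = parse_ptr(m.group(1))
            if addr in destroyed:
                findings.append((no, hex(addr), destroyed[addr]))
    return findings


# Constructed sample: lines 1-2 copy the report's log, lines 3-5 are invented
# to show an address that is destroyed, reused, and then used legitimately.
SAMPLE_LOG = [
    "2015-03-17 13.42.54.713 [0x000670] Debug: QQuickPixmapReply destroyed  QQuickPixmapReply(0x2980618)",
    "2015-03-17 13.42.55.888 [0x000670] Debug: QQuickPixmap::connectFinished, d:  0xa7d0c30 , reply:  43517464 , o: QQuickImage(0xd7c9338)",
    "2015-03-17 13.42.56.100 [0x000670] Debug: QQuickPixmapReply destroyed  QQuickPixmapReply(0x2a00000)",
    "2015-03-17 13.42.56.200 [0x000670] Debug: QQuickPixmapReply created  QQuickPixmapReply(0x2a00000)",
    "2015-03-17 13.42.56.300 [0x000670] Debug: QQuickPixmap::connectFinished, d:  0xa7d0c30 , reply:  44040192 , o: QQuickImage(0xd7c9338)",
]

if __name__ == "__main__":
    for no, addr, gone_at in find_stale_reply_use(SAMPLE_LOG):
        print(f"line {no}: reply {addr} used after destruction logged at line {gone_at}")
```

Without a creation message in the log, a reused heap address is indistinguishable from a stale one, so a match is a lead to confirm with a debugger or a memory-checking tool rather than proof.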