Details
- Bug
- Resolution: Done
- P1: Critical
- 5.6.1
- None
- Macintosh 10.11.4
Description
One of our users sent us a crash report from our application, running on Macintosh 10.11.4. The relevant part is excerpted below:
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000028
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0x28:
--> __TEXT                 000000010dd75000-0000000113c7e000 [ 95.0M] r-x/rwx SM=COW  /Users/USER/*/Igor64.app/Contents/MacOS/Igor64

Global Trace Buffer (reverse chronological seconds):
67.615067   libextension.dylib            0x00007fff91f3d533 tearing down extension request for pid 32803

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   org.qt-project.QtWidgets        0x0000000114c21771 QAccessibleWidget::rect() const + 33
1   org.qt-project.QtGui            0x00000001150376b9 QAccessibleObject::childAt(int, int) const + 73
2   libqcocoa.dylib                 0x0000000118d491ef 0x118d12000 + 225775
3   com.apple.AppKit                0x00007fff9b586ca9 -[NSWindow(NSWindowAccessibility) accessibilityHitTest:] + 514
4   com.apple.AppKit                0x00007fff9b1fce40 -[NSApplication(NSApplicationAccessibility) accessibilityHitTest:] + 282
5   com.apple.AppKit                0x00007fff9b1dd64f CopyElementAtPosition + 294
6   com.apple.HIServices            0x00007fff877ffb1b _AXXMIGCopyElementAtPosition + 294
7   com.apple.HIServices            0x00007fff878089fa _XCopyElementAtPosition + 388
8   com.apple.HIServices            0x00007fff877e2012 mshMIGPerform + 199
9   com.apple.CoreFoundation        0x00007fff988d9019 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 41
10  com.apple.CoreFoundation        0x00007fff988d8f89 __CFRunLoopDoSource1 + 473
11  com.apple.CoreFoundation        0x00007fff988d09bb __CFRunLoopRun + 2171
12  com.apple.CoreFoundation        0x00007fff988cfed8 CFRunLoopRunSpecific + 296
13  com.apple.HIToolbox             0x00007fff87191935 RunCurrentEventLoopInMode + 235
14  com.apple.HIToolbox             0x00007fff8719176f ReceiveNextEventCommon + 432
15  com.apple.HIToolbox             0x00007fff871915af _BlockUntilNextEventMatchingListInModeWithFilter + 71
16  com.apple.AppKit                0x00007fff9ada5efa _DPSNextEvent + 1067
17  com.apple.AppKit                0x00007fff9ada532a -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
18  com.apple.AppKit                0x00007fff9ad99e84 -[NSApplication run] + 682
19  libqcocoa.dylib                 0x0000000118d34e0a 0x118d12000 + 142858
20  org.qt-project.QtCore           0x0000000115806c01 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 401
21  org.qt-project.QtCore           0x000000011580af0a QCoreApplication::exec() + 346
22  com.wavemetrics.igorpromach     0x000000010fa18aca main + 5210
23  libdyld.dylib                   0x00007fff8f4ee5ad start + 1
The user has been unable to reproduce the crash so far. I took a look at QAccessibleObject::childAt, and it iterates through the child QAccessibleInterface objects without checking that each QAccessibleInterface object is actually valid. Since QAccessibleInterface has an isValid() method, it seems like it would be a good idea to confirm that the interface is valid before using it.
The same check could also be done in the static topLevelObjects() function in qaccessibleobject.cpp.
I'm using a self-compiled version created from a git checkout of the 5.6 branch from last week (qtbase: 58c23ae1619fb4afaae9c8eb2527c0906baef97b).
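The defect the report describes, as an added illustration that is neither Qt's code nor the reporter's: a simplified C++ stand-in for the QAccessibleInterface tree in which rect() dereferences the wrapped widget unconditionally, so a hit test that walks the children without consulting isValid() reads through a null pointer once a widget has been destroyed while its interface is still in the tree (the same shape as a KERN_INVALID_ADDRESS at a small address such as 0x28). The block shows the unguarded loop beside the guarded one, and applies the same isValid() filter to a list of top-level interfaces, covering both places the report suggests the check. The names Widget, AccessibleInterface, Scene, childAtUnchecked, childAtChecked and validOnly, and the geometry in the scenario, are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Geometry of a widget; contains() is the hit test used by childAt().
struct Rect {
    int x, y, w, h;
    bool contains(int px, int py) const {
        return px >= x && px < x + w && py >= y && py < y + h;
    }
};

// Stand-in for the widget an accessible interface wraps (assumed, not Qt's type).
struct Widget {
    Rect geometry;
};

// Assumed, simplified stand-in for QAccessibleInterface / QAccessibleWidget.
class AccessibleInterface {
public:
    explicit AccessibleInterface(Widget *w) : widget_(w) {}

    // The interface is valid only while the widget it wraps still exists.
    bool isValid() const { return widget_ != nullptr; }

    // Dereferences the widget unconditionally: on an interface whose widget is
    // gone this reads a field through a null pointer, i.e. a small bad address.
    Rect rect() const { return widget_->geometry; }

    // Called when the wrapped widget is destroyed; the accessibility tree may
    // still reference this interface afterwards.
    void widgetDestroyed() { widget_ = nullptr; }

    void addChild(AccessibleInterface *c) { children_.push_back(c); }
    int childCount() const { return static_cast<int>(children_.size()); }
    AccessibleInterface *child(int i) const {
        return children_[static_cast<std::size_t>(i)];
    }

private:
    Widget *widget_;
    std::vector<AccessibleInterface *> children_;
};

// Hit test written the way the report describes childAt: every child's rect()
// is consulted with no validity check. With a stale child in the tree this
// dereferences a null widget pointer, so it is shown for comparison only.
AccessibleInterface *childAtUnchecked(const AccessibleInterface &parent, int x, int y) {
    for (int i = 0; i < parent.childCount(); ++i) {
        AccessibleInterface *c = parent.child(i);
        if (c->rect().contains(x, y))
            return c;
    }
    return nullptr;
}

// Guarded hit test: confirm the child is valid before touching rect().
AccessibleInterface *childAtChecked(const AccessibleInterface &parent, int x, int y) {
    for (int i = 0; i < parent.childCount(); ++i) {
        AccessibleInterface *c = parent.child(i);
        if (c == nullptr || !c->isValid())
            continue;  // stale entry: skip it rather than dereference a dead widget
        if (c->rect().contains(x, y))
            return c;
    }
    return nullptr;
}

// The same guard applied to a list of top-level interfaces: keep only the
// entries that are still valid, so callers never see a dangling one.
std::vector<AccessibleInterface *> validOnly(const std::vector<AccessibleInterface *> &ifaces) {
    std::vector<AccessibleInterface *> out;
    for (AccessibleInterface *iface : ifaces)
        if (iface != nullptr && iface->isValid())
            out.push_back(iface);
    return out;
}

// Constructed scenario: a parent with two children; the first child's widget
// has been destroyed while its interface is still attached to the parent.
struct Scene {
    Widget parentW{{0, 0, 40, 10}}, w1{{0, 0, 10, 10}}, w2{{20, 0, 10, 10}};
    AccessibleInterface parent{&parentW}, c1{&w1}, c2{&w2};
    Scene() {
        parent.addChild(&c1);
        parent.addChild(&c2);
        c1.widgetDestroyed();  // c1 now reports isValid() == false
    }
};

int main() {
    Scene s;
    std::printf("hit at (25,5): %s\n",
                childAtChecked(s.parent, 25, 5) == &s.c2 ? "second child" : "none");
    std::printf("hit at (5,5): %s\n",
                childAtChecked(s.parent, 5, 5) ? "a child" : "none (stale child skipped)");
    std::printf("valid top-level entries: %zu of 2\n", validOnly({&s.c1, &s.c2}).size());
    return 0;
}
```

With the first child invalidated, childAtChecked() at (5,5) returns nullptr instead of faulting, and at (25,5) returns the second child as before; childAtUnchecked() on the same scene would fault on the first iteration, which is why the guarded version is the one to call.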