
segfault in software renderer inside QSGSoftwareInternalImageNode


Details

    • Bug
    • Resolution: Fixed
    • P1: Critical
    • None
    • 5.12.4, 5.15.2
    • Quick: 2D Renderer
    • None
    • macOS, Windows

    Description

      We get regular crash reports from outside when our application is run with the software renderer enabled.

      Could it happen that QSGSoftwareInternalImageNode::m_texture can somehow become an invalid pointer? It doesn't look like it's nullptr because that would be handled just fine.

      The last change in this method was for QTBUG-64562.

      const QPixmap &QSGSoftwareInternalImageNode::pixmap() const
      {
          // >> crashes in this qobject_cast
          // Either this is invalid (don't think so) or m_texture is
          if (QSGSoftwarePixmapTexture *pt = qobject_cast<QSGSoftwarePixmapTexture*>(m_texture))
              return pt->pixmap();
          if (QSGSoftwareLayer *layer = qobject_cast<QSGSoftwareLayer*>(m_texture))
              return layer->pixmap();
          Q_ASSERT(m_texture == nullptr);
          static const QPixmap nullPixmap;
          return nullPixmap;
      }
      
      Thread 0 (crashed)
       0  0x0
          eip = 0x00000000   esp = 0x01cfca6c   ebp = 0x0f9a8468   ebx = 0x0fadf2a8
          esi = 0x60db4234   edi = 0x0f543e68   eax = 0x0f543e08   ecx = 0x0f543e68
          edx = 0x0fadf2c0   efl = 0x00010202
          Found by: given as instruction pointer in context
       1  Qt5Core.dll!QMetaObject::cast(QObject *) [qmetaobject.cpp : 363 + 0xa]
          eip = 0x5f727d72   esp = 0x01cfca70   ebp = 0x0f9a8468
          Found by: stack scanning
       2  Qt5Quick.dll!QSGSoftwareInternalImageNode::pixmap() [qsgsoftwareinternalimagenode.cpp : 497 + 0x11]
          eip = 0x60c3c4c4   esp = 0x01cfca7c   ebp = 0x0f9a8468
          Found by: call frame info
       3  Qt5Quick.dll!QSGSoftwareRenderableNode::update() [qsgsoftwarerenderablenode.cpp : 155 + 0x8]
          eip = 0x60c432c7   esp = 0x01cfca88   ebp = 0x0f9a8468
          Found by: call frame info
       4  Qt5Quick.dll!QSGSoftwareRenderableNode::setTransform(QTransform const &) [qsgsoftwarerenderablenode.cpp : 368 + 0x7]
          eip = 0x60c43079   esp = 0x01cfcb3c   ebp = 0x0f9a8468
          Found by: call frame info
       5  Qt5Quick.dll!QSGSoftwareRenderableNodeUpdater::visit(QSGInternalImageNode *) [qsgsoftwarerenderablenodeupdater.cpp : 140 + 0x41]
          eip = 0x60c44ee3   esp = 0x01cfcb48   ebp = 0x0f9a8468
          Found by: call frame info
       6  Qt5Quick.dll!QSGInternalImageNode::accept(QSGNodeVisitorEx *) [qsgadaptationlayer_p.h : 170 + 0x12]
          eip = 0x60be4042   esp = 0x01cfcbcc   ebp = 0x0f9a8468
          Found by: call frame info
       7  Qt5Quick.dll!QSGNodeVisitorEx::visitChildren(QSGNode *) [qsgadaptationlayer.cpp : 494 + 0x8]
          eip = 0x60c15c04   esp = 0x01cfcbdc   ebp = 0x0f9a8468
          Found by: call frame info
       8  Qt5Quick.dll!QSGNodeVisitorEx::visitChildren(QSGNode *) [qsgadaptationlayer.cpp : 487 + 0x8]
          eip = 0x60c15be9   esp = 0x01cfcbec   ebp = 0x0f9a8468
          Found by: call frame info
       9  Qt5Quick.dll!QSGNodeVisitorEx::visitChildren(QSGNode *) [qsgadaptationlayer.cpp : 480 + 0x8]
          eip = 0x60c15bc6   esp = 0x01cfcbfc   ebp = 0x0f9a8468
          Found by: call frame info
      10  Qt5Quick.dll!QSGNodeVisitorEx::visitChildren(QSGNode *) [qsgadaptationlayer.cpp : 473 + 0x8]
          eip = 0x60c15ba3   esp = 0x01cfcc0c   ebp = 0x0f9a8468
          Found by: call frame info
      11  Qt5Quick.dll!QSGNodeVisitorEx::visitChildren(QSGNode *) [qsgadaptationlayer.cpp : 480 + 0x8]
          eip = 0x60c15bc6   esp = 0x01cfcc1c   ebp = 0x0f9a8468
          Found by: call frame info
      12  Qt5Quick.dll!QSGNodeVisitorEx::visitChildren(QSGNode *) [qsgadaptationlayer.cpp : 480 + 0x8]
          eip = 0x60c15bc6   esp = 0x01cfcc2c   ebp = 0x0f9a8468
          Found by: call frame info
      13  Qt5Quick.dll!QSGSoftwareRenderableNodeUpdater::updateNodes(QSGNode *,bool) [qsgsoftwarerenderablenodeupdater.cpp : 251 + 0x8]
          eip = 0x60c448c8   esp = 0x01cfcc3c   ebp = 0x0f9a8468
          Found by: call frame info
      14  Qt5Quick.dll!QSGAbstractSoftwareRenderer::nodeMatrixUpdated(QSGNode *) [qsgabstractsoftwarerenderer.cpp : 323 + 0x11]
          eip = 0x60c3a7af   esp = 0x01cfccc0   ebp = 0x0f9a8468
          Found by: call frame info
      15  Qt5Quick.dll!QSGAbstractSoftwareRenderer::nodeChanged(QSGNode *,QFlags<QSGNode::DirtyStateBit>) [qsgabstractsoftwarerenderer.cpp : 104 + 0x8]
          eip = 0x60c3a49f   esp = 0x01cfcce4   ebp = 0x0f9a8468
          Found by: call frame info
      16  Qt5Quick.dll!QSGRootNode::notifyNodeChange(QSGNode *,QFlags<QSGNode::DirtyStateBit>) [qsgnode.cpp : 1280 + 0x15]
          eip = 0x60bfb705   esp = 0x01cfccf4   ebp = 0x0f9a8468
          Found by: call frame info
      17  Qt5Quick.dll!QSGNode::markDirty(QFlags<QSGNode::DirtyStateBit>) [qsgnode.cpp : 674 + 0xc]
          eip = 0x60bfb6bb   esp = 0x01cfcd0c   ebp = 0x0f9a8468
          Found by: call frame info
      18  Qt5Quick.dll!QSGTransformNode::setMatrix(QMatrix4x4 const &) [qsgnode.cpp : 1203 + 0x33]
          eip = 0x60bfbb67   esp = 0x01cfcd24   ebp = 0x0f9a8468
          Found by: call frame info
      19  Qt5Quick.dll!QQuickWindowPrivate::updateDirtyNode(QQuickItem *) [qquickwindow.cpp : 3348 + 0x37]
          eip = 0x60c7a6d2   esp = 0x01cfcd2c   ebp = 0x0f9a8468
          Found by: call frame info
      20  Qt5Quick.dll!QQuickWindowPrivate::updateDirtyNodes() [qquickwindow.cpp : 3269 + 0xa]
          eip = 0x60c7b1a8   esp = 0x01cfce0c   ebp = 0x0f9a8468
          Found by: call frame info
      21  Qt5Quick.dll!QQuickWindowPrivate::syncSceneGraph() [qquickwindow.cpp : 437 + 0x7]
          eip = 0x60c79e70   esp = 0x01cfce54   ebp = 0x0f9a8468
          Found by: call frame info
      22  Qt5Quick.dll!QSGSoftwareRenderLoop::renderWindow(QQuickWindow *,bool) [qsgsoftwarerenderloop.cpp : 153 + 0x7]
          eip = 0x60c4621b   esp = 0x01cfce68   ebp = 0x0f9a8468
          Found by: call frame info
      23  Qt5Quick.dll!QSGSoftwareRenderLoop::exposureChanged(QQuickWindow *) [qsgsoftwarerenderloop.cpp : 215 + 0x10]
          eip = 0x60c45cce   esp = 0x01cfcf38   ebp = 0x01cfd630
          Found by: call frame info
      24  Qt5Gui.dll!QWindow::event(QEvent *) [qwindow.cpp : 2315 + 0x8]
          eip = 0x5fadc105   esp = 0x01cfcf48   ebp = 0x01cfd630
          Found by: call frame info
      25  Qt5Quick.dll!QQuickWindow::event(QEvent *) [qquickwindow.cpp : 1687 + 0x9]
          eip = 0x60c742be   esp = 0x01cfcf70   ebp = 0x01cfd630
          Found by: call frame info
      26  ctimon.exe!MainWindow::event(QEvent *) [mainwindow.cpp : 966 + 0x9]
          eip = 0x01350272   esp = 0x01cfcfb0   ebp = 0x01cfd630
          Found by: call frame info
      27  Qt5Widgets.dll!QApplication::notify(QObject *,QEvent *) [qapplication.cpp : 3692 + 0xb]
          eip = 0x5fff38fe   esp = 0x01cfd008   ebp = 0x01cfcfb8
          Found by: call frame info with scanning
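      The pixmap() method quoted above copes with m_texture == nullptr, but not with a pointer to a texture that has already been destroyed: qobject_cast has to read the meta-object through that pointer, and frame 0 of the trace shows control arriving at address 0x0 from inside QMetaObject::cast, which is what a read through freed memory tends to look like. The following is an added illustration, not Qt code and not part of this report: a plain C++ model in which Object stands in for QObject, objectCast for qobject_cast, and GuardedPtr plays the role Qt's QPointer would play, turning a reference to a destroyed texture into nullptr so the lookup falls through to the null-pixmap path instead of dereferencing freed memory. All class and function names are hypothetical; the texture names are constructed sample data.

```cpp
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Added model, not Qt code: Object stands in for QObject, GuardedPtr for
// QPointer, objectCast for qobject_cast. All names here are hypothetical.

class Object {
public:
    Object() : alive_(std::make_shared<bool>(true)) {}
    virtual ~Object() { *alive_ = false; }   // every guard watching us now reads null
    virtual const char *className() const { return "Object"; }
    std::shared_ptr<bool> lifetimeToken() const { return alive_; }
private:
    std::shared_ptr<bool> alive_;
};

// Non-owning pointer that becomes nullptr when its pointee is destroyed, so a
// stale reference degrades to the "no texture" case instead of a read through
// freed memory.
template <typename T>
class GuardedPtr {
public:
    GuardedPtr() = default;
    GuardedPtr(T *p) : raw_(p), token_(p ? p->lifetimeToken() : std::shared_ptr<bool>()) {}
    T *get() const { return (token_ && *token_) ? raw_ : nullptr; }
private:
    T *raw_ = nullptr;
    std::shared_ptr<bool> token_;
};

class Texture : public Object {
public:
    const char *className() const override { return "Texture"; }
};

class PixmapTexture : public Texture {
public:
    explicit PixmapTexture(std::string name) : name_(std::move(name)) {}
    static const char *staticClassName() { return "PixmapTexture"; }
    const char *className() const override { return staticClassName(); }
    const std::string &pixmap() const { return name_; }
private:
    std::string name_;
};

class Layer : public Texture {
public:
    static const char *staticClassName() { return "Layer"; }
    const char *className() const override { return staticClassName(); }
    const std::string &pixmap() const { return rendered_; }
private:
    std::string rendered_ = "layer-pixmap";
};

// Model of qobject_cast: it must call through the object's vtable to learn the
// runtime type. Safe for nullptr, undefined behaviour for a dangling pointer.
template <typename T>
T *objectCast(Object *o) {
    if (!o)
        return nullptr;
    return std::strcmp(o->className(), T::staticClassName()) == 0 ? static_cast<T *>(o) : nullptr;
}

// The node from the report, but holding its texture through a guard.
class ImageNode {
public:
    void setTexture(Texture *t) { texture_ = t; }
    const std::string &pixmap() const {
        Texture *t = texture_.get();   // nullptr if the texture was deleted
        if (PixmapTexture *pt = objectCast<PixmapTexture>(t))
            return pt->pixmap();
        if (Layer *layer = objectCast<Layer>(t))
            return layer->pixmap();
        static const std::string nullPixmap;   // reached only with t == nullptr
        return nullPixmap;
    }
private:
    GuardedPtr<Texture> texture_;
};

// Runs the node through the lifetimes that matter: no texture, a live pixmap
// texture, that texture deleted behind the node's back, then a layer.
std::vector<std::string> lifecycle() {
    ImageNode node;
    std::vector<std::string> seen;
    seen.push_back(node.pixmap());                 // ""
    auto *pt = new PixmapTexture("image.png");     // constructed sample texture
    node.setTexture(pt);
    seen.push_back(node.pixmap());                 // "image.png"
    delete pt;   // the owner frees it while the node still refers to it
    seen.push_back(node.pixmap());                 // "" instead of a crash
    Layer layer;
    node.setTexture(&layer);
    seen.push_back(node.pixmap());                 // "layer-pixmap"
    return seen;
}

int main() {
    for (const std::string &s : lifecycle())
        std::printf("'%s'\n", s.c_str());
}
```

      A guard of this kind makes the stale reference observable (an empty pixmap) rather than a crash in the cast, but it does not repair the ownership bug that left the node pointing at a freed texture; that still has to be found, typically by running the software renderer under AddressSanitizer in a debug build, where the first read after the delete is reported with both the free and the use stack.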
      


          People

            janichol Andy Nichols
            njeisecke Nils Jeisecke
            Votes: 0
            Watchers: 4
