Qt / QTBUG-80497

Crash in QAbstractSocketEngine::createSocketEngine()


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3: Somewhat important
    • Resolution: Cannot Reproduce
    • Affects Version/s: 4.8.7, 5.13.2
    • Fix Version/s: None
    • Component/s: Network: Sockets
    • Labels: None
    • Environment: openSUSE Leap 15.1
    • Platform/s: Linux/X11

      Description

      Crash (SIGSEGV) in a multithreaded app after it called .connectToHost() on a QTcpSocket object.

      Frame 12 was the last piece of non-Qt code. There are then twelve stack frames of Qt code until the crash. I don't think the calling code in Frame 12 would be aware of the details of QAbstractSocketEngine::createSocketEngine(), so I suspect this is a bug with Qt.

      Looking at the code that crashes:

      In qabstractsocketengine.cpp, Frame 2:

          QAbstractSocketEngine *QAbstractSocketEngine::createSocketEngine(QAbstractSocket::SocketType socketType, const QNetworkProxy &proxy, QObject *parent)
          {
              <snip>
              QMutexLocker locker(&socketHandlers()->mutex);

      This will attempt to construct a QMutexLocker, passing in the address of the mutex member of the struct/class returned by socketHandlers().

      Earlier in qabstractsocketengine.cpp:

          class QSocketEngineHandlerList : public QList<QSocketEngineHandler*>
          {
          public:
              QMutex mutex;
          };

          Q_GLOBAL_STATIC(QSocketEngineHandlerList, socketHandlers)

      From the core file on my system, it seems as though socketHandlers() returned NULL and the mutex member was offset 8 bytes into the structure. Hence in frame 1 we see m=0x8. Then in frame 0 the code crashes, as "d" can't be dereferenced:

          inline void QMutex::lockInline()
          {
              if (d->recursive) {

      The crash occurred with Qt 4.8.7; however, looking on GitHub, it appears the same code is present in the latest Qt.

      https://github.com/qt/qtbase/blob/dev/src/network/socket/qabstractsocketengine.cpp

      Earlier in the same file, I see examples of the socketHandlers() return value being checked for NULL before being used. If such checks are appropriate elsewhere, then perhaps they should also be used in createSocketEngine().

          QSocketEngineHandler::QSocketEngineHandler()
          {
              if (!socketHandlers())
                  return;
              QMutexLocker locker(&socketHandlers()->mutex);
              socketHandlers()->prepend(this);
          }

      Presumably 4.8.7 will not receive a fix. However, since the latest Qt code seems to have the same flaw, it would be useful to see if QAbstractSocketEngine::createSocketEngine() should be made more robust by testing the return value of socketHandlers().

      Updating the app to Qt 5.13.2 would not currently fix this crash.

      Note: the backtrace from the core file, extracted with gdb, is attached (qt_createSocketEngine.txt).
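      The following is an added illustration, not code from this report or from Qt. It models the two shapes of code the report contrasts (the unchecked lock in createSocketEngine() and the guarded one in QSocketEngineHandler's constructor) with stand-in types: HandlerList, GlobalStatic and EngineResult are assumptions standing in for QSocketEngineHandlerList, Q_GLOBAL_STATIC (whose accessor returns nullptr once the object has been destroyed) and the real engine factory. It also shows why a NULL list pointer turns into the m=0x8 seen in frame 1.

```cpp
#include <cstddef>
#include <mutex>

// Stand-in for QSocketEngineHandlerList: QList holds a single d-pointer and the
// QMutex member follows it, so on a 64-bit build 'mutex' sits at offset 8.
struct HandlerList {
    void *d = nullptr;     // QList's d-pointer (8 bytes on 64-bit Linux)
    std::mutex mutex;      // offset 8: the 'm=0x8' seen in frame 1 of the report
    int handlerCount = 0;  // toy stand-in for the registered handlers
};

// Model of Q_GLOBAL_STATIC's documented accessor: the object while it is alive,
// nullptr once destroyed (static destruction at exit); destroy() simulates that.
template <typename T>
class GlobalStatic {
public:
    T *operator()() { return destroyed_ ? nullptr : &obj_; }
    void destroy() { destroyed_ = true; }
private:
    T obj_;
    bool destroyed_ = false;
};

GlobalStatic<HandlerList> socketHandlers;  // plays Q_GLOBAL_STATIC(..., socketHandlers)

// The address '&socketHandlers()->mutex' denotes when the accessor yields nullptr
// is just the member offset, computed here without forming a null-based pointer.
std::size_t mutexAddressForNullList() { return offsetof(HandlerList, mutex); }

enum class EngineResult { Native, FromHandler, NoHandlerList };

// Shape of createSocketEngine() as quoted in the report: the mutex is locked
// before anything checks whether socketHandlers() returned a list. Once the
// list is destroyed this faults exactly as the backtrace shows (not exercised).
EngineResult createEngineUnchecked() {
    std::lock_guard<std::mutex> locker(socketHandlers()->mutex);
    return socketHandlers()->handlerCount ? EngineResult::FromHandler : EngineResult::Native;
}

// Hardened shape, the guard QSocketEngineHandler's constructor already uses:
// test the accessor once, keep the pointer, and fail closed when it is null.
EngineResult createEngineChecked() {
    HandlerList *list = socketHandlers();
    if (!list)
        return EngineResult::NoHandlerList;
    std::lock_guard<std::mutex> locker(list->mutex);
    return list->handlerCount ? EngineResult::FromHandler : EngineResult::Native;
}
```

      With the list alive both paths behave identically; after destroy() only the checked path returns rather than touching address 0x8.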


      People

      Assignee: cnn Qt Core & Network
      Reporter: pfee Paul Fee
      Votes: 0
      Watchers: 2


      Gerrit Reviews: There are no open Gerrit changes