Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-85706

waitForRendering() crashes the application due to heap corrupton

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • P1: Critical
    • None
    • 5.14.2
    • Testing: QuickTest
    • None
    • N/A
    • Windows

    Description

       

      We observe this kind of call stack pretty often in our automated tests:

      ntdll.dll!RtlReportFatalFailure()
ntdll.dll!RtlReportFatalFailure()
ntdll.dll!RtlReportCriticalFailure()
ntdll.dll!RtlpHeapHandleError()
ntdll.dll!RtlpHpHeapHandleError()
ntdll.dll!RtlpLogHeapFailure()
ntdll.dll!RtlpFreeHeapInternal()
ntdll.dll!RtlFreeHeap()
ntdll.dll!RtlpReAllocateHeap()
ntdll.dll!RtlpReAllocateHeapInternal()
ntdll.dll!RtlReAllocateHeap()
ucrtbase.dll!_realloc_base()
Qt5Core.dll!QListData::realloc_grow(int growth) Line 170
Qt5Core.dll!QListData::append(int n) Line 199
[Inline Frame] Qt5QuickTest.dll!QList<QList<QVariant>>::append(const QList<QVariant> &) Line 632
Qt5QuickTest.dll!QSignalSpy::appendArgs(void** a) Line 227
Qt5QuickTest.dll!QSignalSpy::qt_metacall(QMetaObject::Call call, int methodId, void** a) Line 154
Qt5Core.dll!doActivate<0>(QObject* sender, int signal_index, void** argv) Line 3902
[Inline Frame] Qt5Quick.dll!QQuickWindowPrivate::fireFrameSwapped() Line 247
Qt5Quick.dll!QSGRenderThread::syncAndRender(QImage * grabImage) Line 847
Qt5Quick.dll!QSGRenderThread::run() Line 994
Qt5Core.dll!QThreadPrivate::start(void * arg) Line 405
kernel32.dll!BaseThreadInitThunk()
ntdll.dll!RtlUserThreadStart()

      It seemed to me that somewhere in another thread some SignalSpy is destroyed while signal is being processed. Since we do not explicitly use SignalSpy anywhere in our code, I've searched for the occurences of SignalSpy for frameSwapped() signal in Qt codebase. It seems that QuickTestResult::waitForRendering() is creating such object on a stack, but SignalSpy uses Qt::DirectConnection and SGRenderThread that fires frameSwapped() is executing in a different thread to QML that waits for this signal. I think this causes data races and a subsequent heap corruption.

       

      Attachments

        For Gerrit Dashboard: QTBUG-85706
        # Subject Branch Project Status CR V
        352726,4 QSignalSpy: use Qt::AutoConnection for signal connections dev qt/qtbase Status: DEFERRED +1 0

        Activity

          People

            qt.team.quick.subscriptions Qt Quick and Widgets Team
            vladmikhalin Vladislav Mikhalin
            Votes:
            2 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:

              Gerrit Reviews

                There are no open Gerrit changes