Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-96871

Crash on calling connect on QAxObject source instance

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • P2: Important
    • 5.15.16, 6.5.4, 6.6.1, 6.7.0 FF
    • 5.14.0 RC2, 5.15
    • Active Qt
    • None
    • Windows
    • Windows
    • 690770d8e (dev), c758be532 (6.6), 61365249a (6.5), 2965d36e0 (tqtc/lts-5.15)

    Description

      Actual QT I have: QT 5.14.1

      I have an QAxObject I try to connect a signal to.

      At some point inside QT lib I have (on the crash callstack) the function:

      int QObjectPrivate::signalIndex(const char *signalName,
                                      const QMetaObject **meta) const
      {
          Q_Q(const QObject);
          const QMetaObject *base = q->metaObject();
          Q_ASSERT(QMetaObjectPrivate::get(base)->revision >= 7);
          QArgumentTypeArray types;
          QByteArray name = QMetaObjectPrivate::decodeMethodSignature(signalName, types);
          int relative_index = QMetaObjectPrivate::indexOfSignalRelative(
                  &base, name, types.size(), types.constData());
      

      Inside this frame if I look in debugger/crash dump I see at base->d.data NULL (extradata and stringdata from same level  NULL also) (1)

      On step further along the callstack we have:

      int QMetaObjectPrivate::indexOfSignalRelative(const QMetaObject **baseObject,
                                                    const QByteArray &name, int argc,
                                                    const QArgumentType *types)
      {
          int i = indexOfMethodRelative<MethodSignal>(baseObject, name, argc, types);
      ...

      Inside qmetaobject.cpp where we call indexOfMethodRelative() we have the code:

          for (const QMetaObject *m = *baseObject; m; m = m->d.superdata) {
              Q_ASSERT(priv(m->d.data)->revision >= 7);
              int i = (MethodType == MethodSignal)
                       ? (priv(m->d.data)->signalCount - 1) : (priv(m->d.data)->methodCount - 1);
      

      The passed baseObject is the one mentioned at (1)

      Accessing everything past m->d.data (NULL) pointer causes SEGFAULT.

      I include the partial crash callstack for better overview bellow:

       

      ntdll!WerpWaitForCrashReporting+0xa8 ntdll!RtlReportExceptionHelper+0x33e ntdll!RtlReportException+0x9b combase!SilentlyReportExceptions+0xb2 [onecore\com\combase\dcomrem\excepn.cxx @ 134] combase!ServerExceptionFilter+0x112 [onecore\com\combase\dcomrem\excepn.cxx @ 209] combase!AppInvokeExceptionFilterWithMethodAddress+0x66 [onecore\com\combase\dcomrem\excepn.cxx @ 476] combase!`ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec> >'::`1'::filt$0+0x78 [onecore\com\combase\dcomrem\excepn.hxx @ 89] ucrtbase!_C_specific_handler+0xa0 ntdll!RtlpExecuteHandlerForException+0xf ntdll!RtlDispatchException+0x244 ntdll!KiUserExceptionDispatch+0x2e Qt5Core!priv+0x5 [d:\jenkins\workspace\u_qt5.14_buildx64\qtbase\src\corelib\kernel\qmetaobject.cpp @ 155] Qt5Core!indexOfMethodRelative<4>+0x55 [d:\jenkins\workspace\u_qt5.14_buildx64\qtbase\src\corelib\kernel\qmetaobject.cpp @ 611] Qt5Core!QMetaObjectPrivate::indexOfSignalRelative+0x1f [d:\jenkins\workspace\u_qt5.14_buildx64\qtbase\src\corelib\kernel\qmetaobject.cpp @ 740] Qt5Core!QObjectPrivate::signalIndex+0x105 [d:\jenkins\workspace\u_qt5.14_buildx64\qtbase\src\corelib\kernel\qobject.cpp @ 3975] Qt5Core!QObject::receivers+0x59 [d:\jenkins\workspace\u_qt5.14_buildx64\qtbase\src\corelib\kernel\qobject.cpp @ 2592] userApp!QAxEventSink::signalHasReceivers+0x6e [d:\jenkins\workspace\u_qt5.14_buildx64\qtactiveqt\src\activeqt\container\qaxbase.cpp @ 568] userApp!QAxEventSink::Invoke+0x17d [d:\jenkins\workspace\u_qt5.14_buildx64\qtactiveqt\src\activeqt\container\qaxbase.cpp @ 392] oleaut32!IDispatch_Invoke_Stub+0xd4 oleaut32!IDispatch_RemoteInvoke_Thunk+0x60 rpcrt4!NdrStubCall2+0x36f combase!CStdStubBuffer_Invoke+0xac [onecore\com\combase\ndr\ndrole\stub.cxx @ 1517] oleaut32!CDispStubWrapper::Invoke+0x1bb combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_c9f3956a20c9da92a64affc24fdd69ec>::operator()+0x18 [onecore\com\combase\dcomrem\channelb.cxx @ 1279] combase!ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec> >+0x43 [onecore\com\combase\dcomrem\excepn.hxx @ 87] combase!InvokeStubWithExceptionPolicyAndTracing+0xd0 [onecore\com\combase\dcomrem\channelb.cxx @ 1277] combase!DefaultStubInvoke+0x1ee [onecore\com\combase\dcomrem\channelb.cxx @ 1346] combase!SyncStubCall::Invoke+0x22 [onecore\com\combase\dcomrem\channelb.cxx @ 1403] combase!SyncServerCall::StubInvoke+0x26 [onecore\com\combase\dcomrem\ServerCall.hpp @ 781] combase!StubInvoke+0x23e [onecore\com\combase\dcomrem\channelb.cxx @ 1628] combase!ServerCall::ContextInvoke+0x403 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1423] combase!CServerChannel::ContextInvoke+0x143 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1332] combase!DefaultInvokeInApartment+0x143 [onecore\com\combase\dcomrem\callctrl.cxx @ 3297] combase!ReentrantSTAInvokeInApartment+0x1ad [onecore\com\combase\dcomrem\reentrantsta.cpp @ 113] combase!AppInvoke+0x245 [onecore\com\combase\dcomrem\channelb.cxx @ 1122] combase!ComInvokeWithLockAndIPID+0xaf6 [onecore\com\combase\dcomrem\channelb.cxx @ 2210] combase!ComInvoke+0x1ff [onecore\com\combase\dcomrem\channelb.cxx @ 1697] combase!ThreadDispatch+0x25e [onecore\com\combase\dcomrem\chancont.cxx @ 414] combase!ThreadWndProc+0x40a [onecore\com\combase\dcomrem\chancont.cxx @ 740] user32!UserCallWinProcCheckWow+0x2f8 user32!DispatchMessageWorker+0x249 combase!CCliModalLoop::MyDispatchMessage+0xc [onecore\com\combase\dcomrem\callctrl.cxx @ 2989] combase!CCliModalLoop::PeekRPCAndDDEMessage+0x77 [onecore\com\combase\dcomrem\callctrl.cxx @ 2611] combase!CCliModalLoop::FindMessage+0x46 [onecore\com\combase\dcomrem\callctrl.cxx @ 2706] combase!CCliModalLoop::HandleWakeForMsg+0x57 [onecore\com\combase\dcomrem\callctrl.cxx @ 2302] combase!CCliModalLoop::BlockFn+0x2de [onecore\com\combase\dcomrem\callctrl.cxx @ 2239] combase!ModalLoop+0xa9 [onecore\com\combase\dcomrem\chancont.cxx @ 164] combase!ClassicSTAThreadWaitForCall+0xbb [onecore\com\combase\dcomrem\threadtypespecific.cpp @ 172] combase!ThreadSendReceive+0x84e [onecore\com\combase\dcomrem\channelb.cxx @ 7355] combase!CSyncClientCall::SwitchAptAndDispatchCall+0x8df [onecore\com\combase\dcomrem\channelb.cxx @ 5900] combase!CSyncClientCall::SendReceive2+0x9d6 [onecore\com\combase\dcomrem\channelb.cxx @ 5459] combase!SyncClientCallRetryContext::SendReceiveWithRetry+0x25 [onecore\com\combase\dcomrem\callctrl.cxx @ 1542] combase!CSyncClientCall::SendReceiveInRetryContext+0x25 [onecore\com\combase\dcomrem\callctrl.cxx @ 565] combase!ClassicSTAThreadSendReceive+0xa3 [onecore\com\combase\dcomrem\callctrl.cxx @ 547] combase!CSyncClientCall::SendReceive+0x18b [onecore\com\combase\dcomrem\ctxchnl.cxx @ 783] combase!CClientChannel::SendReceive+0x84 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 655] combase!NdrExtpProxySendReceive+0x4e [onecore\com\combase\ndr\ndrole\proxy.cxx @ 2002] rpcrt4!NdrpClientCall2+0x5d0 rpcrt4!NdrClientCall2+0x1f oleaut32!ITypeInfo_GetFuncDesc_Proxy+0x3e userApp!MetaObjectGenerator::readEventInterface+0x1c1 [d:\jenkins\workspace\u_qt5.14_buildx64\qtactiveqt\src\activeqt\container\qaxbase.cpp @ 2807] userApp!MetaObjectGenerator::readEventInfo+0x495 [d:\jenkins\workspace\u_qt5.14_buildx64\qtactiveqt\src\activeqt\container\qaxbase.cpp @ 2905] userApp!MetaObjectGenerator::metaObject+0xfb [d:\jenkins\workspace\u_qt5.14_buildx64\qtactiveqt\src\activeqt\container\qaxbase.cpp @ 3026] userApp!QAxBase::metaObject+0xb9 [d:\jenkins\workspace\u_qt5.14_buildx64\qtactiveqt\src\activeqt\container\qaxbase.cpp @ 3288] Qt5Core!QObject::connect+0xed [d:\jenkins\workspace\u_qt5.14_buildx64\qtbase\src\corelib\kernel\qobject.cpp @ 2814]

      Attachments

        Issue Links

          For Gerrit Dashboard: QTBUG-96871
          # Subject Branch Project Status CR V

          Activity

            People

              vhilshei Volker Hilsheimer
              ghita Gheorghe Marinca
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes