// disasm of the code as it is in Qt 6.2.4:
//
// NOTE(review): Windows/ARM64 listing in Visual Studio debugger format
// (Windows import symbol, 00007FF9… user-mode addresses) — presumably an
// MSVC build; confirm the exact compiler version before filing anything.
// ConnectionData::resizeSignalVector() is evidently inlined: there is no
// call to it below, only the size round-up, allocation, memcpy and
// element-initialisation loop that make up its body. Neither Q_ASSERT in
// the source has any corresponding code, so this is an optimised build
// with assertions compiled out — the crash is the first visible symptom.
//
// Summary of the defect shown here (memory-safety bug, not a plain null
// dereference):
//  * 2B50 reserves 16 bytes of stack, the size of one ConnectionList
//    (two 8-byte pointers; the element stride used below is 16, `lsl #4`).
//  * Nothing between 2B50 and the loop at 2C10..2C48 ever stores to
//    [sp] or [sp+8]; the loop copies those two uninitialised words into
//    every newly added ConnectionList (`first` at [x10], `last` at
//    [x10,#8]). In the source each new slot is placement-new'd with the
//    default ConnectionList(), which should produce two null pointers; the
//    compiler appears to have materialised that temporary on the stack and
//    dropped the zero-initialising stores (a codegen bug, or UB elsewhere
//    that the optimiser exploited — TODO confirm).
//  * 2C88/2C8C only test `last` for null. Any stale non-null stack word
//    passes that test and 2C9C then stores the Connection* `c` at
//    garbage+0x10: an 8-byte write through an uninitialised pointer.
//    Whether it faults depends on what the previous callee left on the
//    stack, so the crash is intermittent, and the non-faulting case
//    silently corrupts memory instead of crashing.
//  * The same garbage lands in `first`, so a list that never reaches 2C9C
//    is still corrupt once anything walks it (presumably signal emission;
//    not visible in this listing).
// Attacker control over the stale stack word is indirect at best, so treat
// the impact as crash / heap corruption rather than a reliable primitive,
// but do not dismiss it as "just a null deref" — a null check cannot fix it.
// Detection: not caught by ASan or by a null check; needs MSan-style
// uninitialised-read tracking, or a compiler fix. Workaround options to
// confirm against the Qt tracker: zero the freshly allocated tail
// explicitly (memset / storeRelaxed(nullptr) per slot) instead of relying
// on the per-element default constructor, or build QtCore for this target
// with a compiler version that does not mis-compile it.
void QObjectPrivate::addConnection(int signal, Connection *c) {
// prologue: callee-saved x19..x25 + lr
00007FF9854F2B40 stp x19,x20,[sp,#-0x40]!
00007FF9854F2B44 stp x21,x22,[sp,#0x10]
00007FF9854F2B48 stp x23,x24,[sp,#0x20]
00007FF9854F2B4C stp x25,lr,[sp,#0x30]
00007FF9854F2B50 sub sp,sp,#0x10 <-- alloc stack for ConnectionList (16 bytes = first + last); never written anywhere in this function
00007FF9854F2B54 mov x19,x0
Q_ASSERT(c->sender == q_ptr);
ensureConnectionData();
// this->connections lives at this+0x60; allocate ConnectionData (0x28 bytes) only if null
00007FF9854F2B58 ldr x8,[x19,#0x60]
00007FF9854F2B5C mov w21,w1
00007FF9854F2B60 mov x23,x2
00007FF9854F2B64 cbnz x8,QObjectPrivate::addConnection+58h (07FF9854F2B98h)
00007FF9854F2B68 mov x0,#0x28
00007FF9854F2B6C bl operator new (07FF985711418h)
// zero the 0x28-byte object, then atomically increment the 32-bit field at +4 (ref count) via ldaxr/stlxr retry loop
00007FF9854F2B70 stp xzr,xzr,[x0]
00007FF9854F2B74 add x10,x0,#4
00007FF9854F2B78 stp xzr,xzr,[x0,#0x10]
00007FF9854F2B7C str xzr,[x0,#0x20]
00007FF9854F2B80 ldaxr w9,[x10]
00007FF9854F2B84 add w9,w9,#1
00007FF9854F2B88 stlxr w8,w9,[x10]
00007FF9854F2B8C cbnz w8,QObjectPrivate::addConnection+40h (07FF9854F2B80h)
00007FF9854F2B90 dmb ish
00007FF9854F2B94 str x0,[x19,#0x60]
ConnectionData *cd = connections.loadRelaxed();
00007FF9854F2B98 ldr x20,[x19,#0x60]
cd->resizeSignalVector(signal + 1);
// inlined resizeSignalVector: w25 = w9 = signal+1 (requested size), x21 = cd->signalVector (cd+8)
00007FF9854F2B9C add w25,w21,#1
00007FF9854F2BA0 add w9,w21,#1
00007FF9854F2BA4 ldr x21,[x20,#8]
00007FF9854F2BA8 add x19,x21,#8
00007FF9854F2BAC cbz x21,QObjectPrivate::addConnection+7Ch (07FF9854F2BBCh)
// early out when the existing vector already has allocated > size (unsigned compare)
00007FF9854F2BB0 ldr x8,[x21,#8]
00007FF9854F2BB4 cmp x8,w9,uxtw #0
00007FF9854F2BB8 bhi QObjectPrivate::addConnection+13Ch (07FF9854F2C7Ch)
// w24 = (size + 7) & ~7 : new allocated count, rounded up to a multiple of 8
00007FF9854F2BBC add w8,w9,#7
00007FF9854F2BC0 and w24,w8,#0xFFFFFFF8
// allocation size = (w24 + 2) * 16 : 16-byte header + (w24 + 1) ConnectionLists
00007FF9854F2BC4 add w9,w24,#1
00007FF9854F2BC8 add x10,x9,#1
// NOTE(review): `__imp_DuplicateToken` is only the nearest symbol to the import page that the
// symboliser could find; the real callee is the IAT slot at +0x8E8. Given the byte-count argument
// and that the result becomes the new SignalVector (memcpy target, header written at 2C4C), this
// is consistent with the malloc() in resizeSignalVector — it is not a token-handling call.
// The return value is not null-checked here.
00007FF9854F2BCC adrp x9,__imp_DuplicateToken (07FF985726000h)
00007FF9854F2BD0 ldr x8,[x9,#0x8E8]
00007FF9854F2BD4 lsl x0,x10,#4
00007FF9854F2BD8 blr x8
// w11 = start index (-1 when there was no old vector), x22 = new vector
00007FF9854F2BDC mov w11,#-1
00007FF9854F2BE0 mov x22,x0
00007FF9854F2BE4 cbz x21,QObjectPrivate::addConnection+0C0h (07FF9854F2C00h)
// old vector present: copy header + (oldAllocated + 1) slots, i.e. (oldAllocated + 2) * 16 bytes,
// into the new vector (x0 is still the allocation), then start = oldAllocated
00007FF9854F2BE8 ldr x19,[x19]
00007FF9854F2BEC mov x1,x21
00007FF9854F2BF0 add x8,x19,#2
00007FF9854F2BF4 lsl x2,x8,#4
00007FF9854F2BF8 bl memcpy (07FF985712840h)
00007FF9854F2BFC mov w11,w19
// for (i = start; i < w24; ++i) new (&newVector->at(i)) ConnectionList();
// slot i lives at x22 + (i + 2) * 16, which matches connectionsForSignal() below
// (2C7C/2C80 plus the +0x10/+0x18 field offsets)
00007FF9854F2C00 cmp w11,w24
00007FF9854F2C04 bge QObjectPrivate::addConnection+10Ch (07FF9854F2C4Ch)
00007FF9854F2C08 mov x12,sp <-- the bug is here. this stack space is not initialized: x12 = &tmp.first, x13 = &tmp.last, and no store to [sp]/[sp+8] exists anywhere in this function
00007FF9854F2C0C add x13,sp,#8
// loop body: w11 is the index being initialised; x10 = at(w11); w11 is then advanced
00007FF9854F2C10 add w8,w11,#1
00007FF9854F2C14 mov w11,w8
00007FF9854F2C18 sxtw x8,w8
00007FF9854F2C1C add x9,x8,#1
00007FF9854F2C20 ldr x8,[x12]
00007FF9854F2C24 add x10,x22,x9,lsl #4
// the dmb pairs around each store suggest full-barrier atomic stores (the QAtomicPointer
// members of ConnectionList) — of a value that was never initialised
00007FF9854F2C28 dmb ish
00007FF9854F2C2C dmb ish
00007FF9854F2C30 str x8,[x10] <-- garbage written to connectionList.first
00007FF9854F2C34 ldr x9,[x13]
00007FF9854F2C38 dmb ish
00007FF9854F2C3C dmb ish
00007FF9854F2C40 str x9,[x10,#8] <-- the write of the value which later gets read as connectionList.last
00007FF9854F2C44 cmp w11,w24
00007FF9854F2C48 blt QObjectPrivate::addConnection+0D0h (07FF9854F2C10h)
// header of the new vector: [x22] = 0, [x22+8] = allocated (w24); publish it as cd->signalVector
00007FF9854F2C4C stp xzr,x24,[x22]
00007FF9854F2C50 str x22,[x20,#8]
00007FF9854F2C54 cbz x21,QObjectPrivate::addConnection+13Ch (07FF9854F2C7Ch)
// old vector is pushed onto a singly linked list hanging off cd+0x20, low bit set as a tag:
// [x21] = old head, then CAS head -> (x21 | 1) with ldaxr/stlxr, retrying on contention.
// Presumably the orphan list that keeps the old vector alive for concurrent readers — not visible here.
00007FF9854F2C58 orr x12,x21,#1
00007FF9854F2C5C ldr x11,[x20,#0x20]
00007FF9854F2C60 add x10,x20,#0x20
00007FF9854F2C64 str x11,[x21]
00007FF9854F2C68 ldaxr x8,[x10]
00007FF9854F2C6C cmp x8,x11
00007FF9854F2C70 bne QObjectPrivate::addConnection+11Ch (07FF9854F2C5Ch)
00007FF9854F2C74 stlxr w9,x12,[x10]
00007FF9854F2C78 cbnz w9,QObjectPrivate::addConnection+128h (07FF9854F2C68h)
ConnectionList &connectionList = cd->connectionsForSignal(signal);
// x11 = signalVector + (signal + 1) * 16; connectionList.first is at x11+0x10, .last at x11+0x18
00007FF9854F2C7C ldr x8,[x20,#8]
00007FF9854F2C80 add x11,x8,w25,sxtw #4
if (connectionList.last.loadRelaxed()) {
// x8 = c. Only a null test on `last`: the uninitialised word written at 2C40 passes it whenever it is non-zero
00007FF9854F2C84 mov x8,x23
00007FF9854F2C88 ldr x9,[x11,#0x18]
00007FF9854F2C8C cbz x9,QObjectPrivate::addConnection+158h (07FF9854F2C98h)
Q_ASSERT(connectionList.last.loadRelaxed()->receiver.loadRelaxed());
connectionList.last.loadRelaxed()->nextConnectionList.storeRelaxed(c);
// second loadRelaxed() from the source, reloaded rather than reused
00007FF9854F2C90 ldr x9,[x11,#0x18]
} else {
00007FF9854F2C94 b QObjectPrivate::addConnection+15Ch (07FF9854F2C9Ch)
connectionList.first.storeRelaxed(c);
// else path: x9 = x11 so that [x9,#0x10] addresses connectionList.first
00007FF9854F2C98 mov x9,x11
}
c->id = ++cd->currentConnectionId;
// both branches funnel into one store: x9 = last  -> last->nextConnectionList (Connection offset 0x10)
//                                     x9 = x11   -> connectionList.first (x11 + 0x10)
00007FF9854F2C9C str x8,[x9,#0x10] <-- crash occurs here (x9 is a garbage connectionList.last value); when the garbage happens to be a mapped address this instead silently writes c there
// atomic ++cd->currentConnectionId (32-bit field at cd+0), result stored into c->id at c+0x4C
00007FF9854F2CA0 ldaxr w8,[x20]
00007FF9854F2CA4 add w9,w8,#1
00007FF9854F2CA8 stlxr w10,w9,[x20]
00007FF9854F2CAC cbnz w10,QObjectPrivate::addConnection+160h (07FF9854F2CA0h)
00007FF9854F2CB0 dmb ish
00007FF9854F2CB4 add w9,w8,#1
00007FF9854F2CB8 str w9,[x23,#0x4C]
c->prevConnectionList = connectionList.last.loadRelaxed();
// the garbage `last` is also preserved into c->prevConnectionList (c+0x18) before being replaced by c
00007FF9854F2CBC ldr x10,[x11,#0x18]
00007FF9854F2CC0 str x10,[x23,#0x18]
connectionList.last.storeRelaxed(c);
00007FF9854F2CC4 str x23,[x11,#0x18]
QObjectPrivate *rd = QObjectPrivate::get(c->receiver.loadRelaxed());
// receiver at c+0x28; its d_ptr at +8 (no null check on the receiver here)
00007FF9854F2CC8 ldr x8,[x23,#0x28]
00007FF9854F2CCC ldr x19,[x8,#8]
rd->ensureConnectionData();
// same allocate-and-ref sequence as at 2B58..2B94, this time for the receiver's private
00007FF9854F2CD0 ldr x9,[x19,#0x60]
00007FF9854F2CD4 cbnz x9,QObjectPrivate::addConnection+1C8h (07FF9854F2D08h)
00007FF9854F2CD8 mov x0,#0x28
00007FF9854F2CDC bl operator new (07FF985711418h)
00007FF9854F2CE0 stp xzr,xzr,[x0]
00007FF9854F2CE4 add x10,x0,#4
00007FF9854F2CE8 stp xzr,xzr,[x0,#0x10]
00007FF9854F2CEC str xzr,[x0,#0x20]
00007FF9854F2CF0 ldaxr w9,[x10]
00007FF9854F2CF4 add w9,w9,#1
00007FF9854F2CF8 stlxr w8,w9,[x10]
00007FF9854F2CFC cbnz w8,QObjectPrivate::addConnection+1B0h (07FF9854F2CF0h)
00007FF9854F2D00 dmb ish
00007FF9854F2D04 str x0,[x19,#0x60]
c->prev = &(rd->connections.loadRelaxed()->senders);
// senders is at ConnectionData+0x10; c->next at c+0, c->prev at c+8
00007FF9854F2D08 ldr x8,[x19,#0x60]
00007FF9854F2D0C add x9,x8,#0x10
00007FF9854F2D10 str x9,[x23,#8]
c->next = *c->prev;
00007FF9854F2D14 ldr x8,[x9]
00007FF9854F2D18 str x8,[x23]
*c->prev = c;
00007FF9854F2D1C str x23,[x9]
if (c->next)
00007FF9854F2D20 ldr x10,[x23]
00007FF9854F2D24 cbz x10,QObjectPrivate::addConnection+1ECh (07FF9854F2D2Ch)
c->next->prev = &c->next;
// &c->next == c because next is at offset 0, hence the plain store of x23
00007FF9854F2D28 str x23,[x10,#8]
// epilogue: release the 16-byte temporary (still never initialised) and restore callee-saved registers
00007FF9854F2D2C add sp,sp,#0x10
00007FF9854F2D30 ldp x25,lr,[sp,#0x30]
00007FF9854F2D34 ldp x23,x24,[sp,#0x20]
00007FF9854F2D38 ldp x21,x22,[sp,#0x10]
00007FF9854F2D3C ldp x19,x20,[sp],#0x40
00007FF9854F2D40 ret