
Random ~QImageData crash

  • When running automated tests against my Qt GUI application, I get a lot of random crashes, all with the same stack trace.

    Few data points regarding the crash:

    1. Happens randomly regardless of what the test is doing or what test is running.
    2. Happens more frequently if I connect to the test machine using VNC.

    I have not been able to reproduce this locally, and I suspect there is some concurrency issue going on. I would appreciate any pointers on debugging this.

    I do have full crash dumps and I can step through the crash, but it looks like the crash is happening in the implicit QImageData destructor (the member cleanup emitted for the closing brace at line 182) and I don't know why.

    Below are the stack trace and part of the disassembly. The crash happens at this line in the disassembly, which dereferences the pointer just loaded from `[rbx+20h]`, i.e. a member of the QImageData object being destroyed:
    000007FEDEDF6A97 mov ecx,dword ptr [rax]

    • Qt5Gui.dll!QImageData::~QImageData() Line 182 C++
      Qt5Gui.dll!QImage::~QImage() Line 1011 C++
      Qt5Gui.dll!QRasterPlatformPixmap::~QRasterPlatformPixmap() Line 83 C++
      [External Code]
      Qt5Gui.dll!QPixmap::~QPixmap() Line 268 C++
      [External Code]
      Qt5Gui.dll!QCache<QPixmapCache::Key,QPixmapCacheEntry>::remove(const QPixmapCache::Key & key) Line 143 C++
      Qt5Widgets.dll!QWidgetPrivate::setDirtyOpaqueRegion() Line 2054 C++
      Qt5Widgets.dll!QWidget::setGeometry(const QRect & r) Line 7066 C++
      Qt5Widgets.dll!QWidgetItem::setGeometry(const QRect & rect) Line 487 C++
      Qt5Widgets.dll!QBoxLayout::setGeometry(const QRect & r) Line 802 C++
      Qt5Widgets.dll!QLayoutPrivate::doResize(const QSize & r) Line 583 C++
      Qt5Widgets.dll!QLayout::activate() Line 1127 C++
      Qt5Widgets.dll!QLayout::widgetEvent(QEvent * e) Line 630 C++
      Qt5Widgets.dll!QApplicationPrivate::notify_helper(QObject * receiver, QEvent * e) Line 3716 C++
      Qt5Widgets.dll!QApplication::notify(QObject * receiver, QEvent * e) Line 3685 C++
      tabui.dll!TApplication::notify(QObject * receiver, QEvent * event) Line 274 C++
      Qt5Core.dll!QCoreApplication::notifyInternal(QObject * receiver, QEvent * event) Line 935 C++
      Qt5Core.dll!QCoreApplicationPrivate::sendPostedEvents(QObject * receiver, int event_type, QThreadData * data) Line 1552 C++
      qwindows.dll!QWindowsGuiEventDispatcher::sendPostedEvents() Line 82 C++
      Qt5Core.dll!qt_internal_proc(HWND__ * hwnd, unsigned int message, unsigned __int64 wp, __int64 lp) Line 414 C++
      [External Code]
      Qt5Core.dll!QEventDispatcherWin32::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags) Line 807 C++
      qwindows.dll!QWindowsGuiEventDispatcher::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags) Line 74 C++
      Qt5Core.dll!QEventLoop::exec(QFlags<enum QEventLoop::ProcessEventsFlag> flags) Line 203 C++
      Qt5Core.dll!QCoreApplication::exec() Line 1188 C++
      tabui.dll!TApplication::LaunchUI() Line 915 C++
      tabui.dll!TApplication::Startup() Line 426 C++
      tableau.exe!main(int argc, char * * argv) Line 281 C++
      * formal, HINSTANCE * __formal, char * __formal, int __formal) Line 112 C++
      [External Code]
      [Frames may be missing, no binary loaded for kernel32.dll]
      kernel32.dll!0000000077275a4d() Unknown

    000007FEDEDF697A ret
    --- No source file -------------------------------------------------------------
    000007FEDEDF697B int 3
    000007FEDEDF697C int 3
    000007FEDEDF697D int 3
    000007FEDEDF697E int 3
    000007FEDEDF697F int 3
    000007FEDEDF6980 push rbx
    000007FEDEDF6982 sub rsp,20h
    000007FEDEDF6986 mov rbx,rcx
    000007FEDEDF6989 add rcx,0D8h
    000007FEDEDF6990 call QList<QString>::~QList<QString> (07FEDEDA1D40h)
    000007FEDEDF6995 mov rcx,rbx
    000007FEDEDF6998 add rsp,20h
    000007FEDEDF699C pop rbx
    000007FEDEDF699D jmp QFontEngineMulti::~QFontEngineMulti (07FEDEE55690h)
    000007FEDEDF69A2 int 3
    000007FEDEDF69A3 int 3
    000007FEDEDF69A4 int 3
    000007FEDEDF69A5 int 3
    000007FEDEDF69A6 int 3
    000007FEDEDF69A7 int 3
    000007FEDEDF69A8 int 3
    000007FEDEDF69A9 int 3
    000007FEDEDF69AA int 3
    000007FEDEDF69AB int 3
    000007FEDEDF69AC int 3
    000007FEDEDF69AD int 3
    000007FEDEDF69AE int 3
    000007FEDEDF69AF int 3
    --- d:\builds\thirdparty\qt\5.4\local\qtbase\src\gui\image\qimage.cpp ----------
    1004: /*!
    1005: Destroys the image and cleans up.
    1006: */
    1008: QImage::~QImage()
    1009: {
    000007FEDEDF69B0 push rbx
    000007FEDEDF69B2 sub rsp,20h
    000007FEDEDF69B6 lea rax,[QImage::`vftable' (07FEDF03B0B8h)]
    000007FEDEDF69BD mov rbx,rcx
    000007FEDEDF69C0 mov qword ptr [rcx],rax
    1010: if (d && !d->ref.deref())
    000007FEDEDF69C3 mov rcx,qword ptr [rcx+18h]
    1010: if (d && !d->ref.deref())
    000007FEDEDF69C7 test rcx,rcx
    000007FEDEDF69CA je QImage::~QImage+44h (07FEDEDF69F4h)
    000007FEDEDF69CC lock dec dword ptr [rcx]
    000007FEDEDF69CF jne QImage::~QImage+44h (07FEDEDF69F4h)
    1011: delete d;
    000007FEDEDF69D1 mov qword ptr [this],rdi
    000007FEDEDF69D6 mov rdi,qword ptr [rbx+18h]
    000007FEDEDF69DA test rdi,rdi
    000007FEDEDF69DD je QImage::~QImage+3Fh (07FEDEDF69EFh)
    000007FEDEDF69DF mov rcx,rdi
    000007FEDEDF69E2 call QImageData::~QImageData (07FEDEDF6A10h)
    000007FEDEDF69E7 mov rcx,rdi
    000007FEDEDF69EA call operator delete (07FEDF035B0Eh)
    000007FEDEDF69EF mov rdi,qword ptr [this]
    1012: }
    000007FEDEDF69F4 mov rcx,rbx
    000007FEDEDF69F7 add rsp,20h
    000007FEDEDF69FB pop rbx
    000007FEDEDF69FC jmp QPaintDevice::~QPaintDevice (07FEDEF4F800h)
    --- No source file -------------------------------------------------------------
    000007FEDEDF6A01 int 3
    000007FEDEDF6A02 int 3
    000007FEDEDF6A03 int 3
    000007FEDEDF6A04 int 3
    000007FEDEDF6A05 int 3
    000007FEDEDF6A06 int 3
    000007FEDEDF6A07 int 3
    000007FEDEDF6A08 int 3
    000007FEDEDF6A09 int 3
    000007FEDEDF6A0A int 3
    000007FEDEDF6A0B int 3
    000007FEDEDF6A0C int 3
    000007FEDEDF6A0D int 3
    000007FEDEDF6A0E int 3
    000007FEDEDF6A0F int 3
    --- d:\builds\thirdparty\qt\5.4\local\qtbase\src\gui\image\qimage.cpp ----------
    172: QImageData::~QImageData()
    173: {
    000007FEDEDF6A10 mov qword ptr [rsp+8],rbx
    000007FEDEDF6A15 push rdi
    000007FEDEDF6A16 sub rsp,20h
    174: if (cleanupFunction)
    000007FEDEDF6A1A mov rax,qword ptr [rcx+60h]
    000007FEDEDF6A1E mov rbx,rcx
    000007FEDEDF6A21 test rax,rax
    000007FEDEDF6A24 je QImageData::~QImageData+1Ch (07FEDEDF6A2Ch)
    175: cleanupFunction(cleanupInfo);
    000007FEDEDF6A26 mov rcx,qword ptr [rcx+68h]
    000007FEDEDF6A2A call rax
    176: if (is_cached)
    000007FEDEDF6A2C test byte ptr [rbx+58h],8
    000007FEDEDF6A30 je QImageData::~QImageData+36h (07FEDEDF6A46h)
    177: QImagePixmapCleanupHooks::executeImageHooks((((qint64) ser_no) << 32) | ((qint64) detach_no));
    000007FEDEDF6A32 movsxd rcx,dword ptr [rbx+38h]
    000007FEDEDF6A36 movsxd rax,dword ptr [rbx+3Ch]
    000007FEDEDF6A3A shl rcx,20h
    000007FEDEDF6A3E or rcx,rax
    000007FEDEDF6A41 call QImagePixmapCleanupHooks::executeImageHooks (07FEDEE24D40h)
    178: delete paintEngine;
    000007FEDEDF6A46 mov rcx,qword ptr [rbx+78h]
    000007FEDEDF6A4A test rcx,rcx
    000007FEDEDF6A4D je QImageData::~QImageData+49h (07FEDEDF6A59h)
    000007FEDEDF6A4F mov rax,qword ptr [rcx]
    000007FEDEDF6A52 mov edx,1
    000007FEDEDF6A57 call qword ptr [rax]
    179: if (data && own_data)
    000007FEDEDF6A59 mov rcx,qword ptr [rbx+28h]
    000007FEDEDF6A5D test rcx,rcx
    000007FEDEDF6A60 je QImageData::~QImageData+5Eh (07FEDEDF6A6Eh)
    000007FEDEDF6A62 test byte ptr [rbx+58h],1
    000007FEDEDF6A66 je QImageData::~QImageData+5Eh (07FEDEDF6A6Eh)
    180: free(data);
    000007FEDEDF6A68 call qword ptr [__imp_free (07FEDF038230h)]
    181: data = 0;
    000007FEDEDF6A6E mov qword ptr [rbx+28h],0
    182: }
    000007FEDEDF6A76 mov rcx,qword ptr [rbx+70h]
    000007FEDEDF6A7A mov eax,dword ptr [rcx]
    000007FEDEDF6A7C test eax,eax
    000007FEDEDF6A7E je QImageData::~QImageData+7Ah (07FEDEDF6A8Ah)
    000007FEDEDF6A80 cmp eax,0FFFFFFFFh
    000007FEDEDF6A83 je QImageData::~QImageData+83h (07FEDEDF6A93h)
    000007FEDEDF6A85 lock dec dword ptr [rcx]
    000007FEDEDF6A88 jne QImageData::~QImageData+83h (07FEDEDF6A93h)
    000007FEDEDF6A8A mov rcx,qword ptr [rbx+70h]
    000007FEDEDF6A8E call QMapData<QString,QString>::destroy (07FEDEDA2CD0h)
    000007FEDEDF6A93 mov rax,qword ptr [rbx+20h]
    000007FEDEDF6A97 mov ecx,dword ptr [rax]
    000007FEDEDF6A99 test ecx,ecx
    000007FEDEDF6A9B je QImageData::~QImageData+97h (07FEDEDF6AA7h)
    000007FEDEDF6A9D cmp ecx,0FFFFFFFFh
    000007FEDEDF6AA0 je QImageData::~QImageData+0BFh (07FEDEDF6ACFh)
    000007FEDEDF6AA2 lock dec dword ptr [rax]
    000007FEDEDF6AA5 jne QImageData::~QImageData+0BFh (07FEDEDF6ACFh)
    000007FEDEDF6AA7 mov rbx,qword ptr [rbx+20h]
    000007FEDEDF6AAB mov rcx,rbx
    000007FEDEDF6AAE call qword ptr [__imp_QArrayData::data (07FEDF0384C8h)]
    000007FEDEDF6AB4 mov rcx,rbx
    000007FEDEDF6AB7 call qword ptr [__imp_QArrayData::data (07FEDF0384C8h)]
    000007FEDEDF6ABD mov edx,4
    000007FEDEDF6AC2 mov rcx,rbx
    000007FEDEDF6AC5 lea r8d,[rdx+4]
    000007FEDEDF6AC9 call qword ptr [__imp_QArrayData::deallocate (07FEDF0384D8h)]
    000007FEDEDF6ACF mov rbx,qword ptr [this]
    000007FEDEDF6AD4 add rsp,20h
    000007FEDEDF6AD8 pop rdi
    000007FEDEDF6AD9 ret
    --- No source file -------------------------------------------------------------
