Random ~QImageData crash
-
When running automated tests against my Qt GUI application, I get a lot of random crashes, all with the same stack trace.
A few data points regarding the crash:
- Happens randomly regardless of what the test is doing or what test is running.
- Happens more frequently if I connect to the test machine using VNC.
I have not been able to repro this locally, and I suspect there is some concurrency issue going on. I would appreciate any pointers for debugging this.
I do have full crash dumps and I can step through the crash, but it looks like the crash is happening in the implicit QImageData destructor and I don't know why.
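Below is the stack trace and part of the disassembly. The crash happens at the line in the disassembly shown below; it dereferences the pointer just loaded from [rbx+20h], in the compiler-generated member cleanup that follows source line 182:
000007FEDEDF6A97 mov ecx,dword ptr [rax]
Qt5Gui.dll!QImageData::~QImageData() Line 182 C++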
Qt5Gui.dll!QImage::~QImage() Line 1011 C++
Qt5Gui.dll!QRasterPlatformPixmap::~QRasterPlatformPixmap() Line 83 C++
[External Code]
Qt5Gui.dll!QPixmap::~QPixmap() Line 268 C++
[External Code]
Qt5Gui.dll!QCache<QPixmapCache::Key,QPixmapCacheEntry>::remove(const QPixmapCache::Key & key) Line 143 C++
Qt5Widgets.dll!QWidgetPrivate::setDirtyOpaqueRegion() Line 2054 C++
Qt5Widgets.dll!QWidget::setGeometry(const QRect & r) Line 7066 C++
Qt5Widgets.dll!QWidgetItem::setGeometry(const QRect & rect) Line 487 C++
Qt5Widgets.dll!QBoxLayout::setGeometry(const QRect & r) Line 802 C++
Qt5Widgets.dll!QLayoutPrivate::doResize(const QSize & r) Line 583 C++
Qt5Widgets.dll!QLayout::activate() Line 1127 C++
Qt5Widgets.dll!QLayout::widgetEvent(QEvent * e) Line 630 C++
Qt5Widgets.dll!QApplicationPrivate::notify_helper(QObject * receiver, QEvent * e) Line 3716 C++
Qt5Widgets.dll!QApplication::notify(QObject * receiver, QEvent * e) Line 3685 C++
tabui.dll!TApplication::notify(QObject * receiver, QEvent * event) Line 274 C++
Qt5Core.dll!QCoreApplication::notifyInternal(QObject * receiver, QEvent * event) Line 935 C++
Qt5Core.dll!QCoreApplicationPrivate::sendPostedEvents(QObject * receiver, int event_type, QThreadData * data) Line 1552 C++
qwindows.dll!QWindowsGuiEventDispatcher::sendPostedEvents() Line 82 C++
Qt5Core.dll!qt_internal_proc(HWND__ * hwnd, unsigned int message, unsigned __int64 wp, __int64 lp) Line 414 C++
[External Code]
Qt5Core.dll!QEventDispatcherWin32::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags) Line 807 C++
qwindows.dll!QWindowsGuiEventDispatcher::processEvents(QFlags<enum QEventLoop::ProcessEventsFlag> flags) Line 74 C++
Qt5Core.dll!QEventLoop::exec(QFlags<enum QEventLoop::ProcessEventsFlag> flags) Line 203 C++
Qt5Core.dll!QCoreApplication::exec() Line 1188 C++
tabui.dll!TApplication::LaunchUI() Line 915 C++
tabui.dll!TApplication::Startup() Line 426 C++
tableau.exe!main(int argc, char * * argv) Line 281 C++
tableau.exe!WinMain(HINSTANCE * __formal, HINSTANCE * __formal, char * __formal, int __formal) Line 112 C++
[External Code]
[Frames may be missing, no binary loaded for kernel32.dll]
kernel32.dll!0000000077275a4d() Unknown
Disassembly:
000007FEDEDF697A ret
--- No source file -------------------------------------------------------------
000007FEDEDF697B int 3
000007FEDEDF697C int 3
000007FEDEDF697D int 3
000007FEDEDF697E int 3
000007FEDEDF697F int 3
000007FEDEDF6980 push rbx
000007FEDEDF6982 sub rsp,20h
000007FEDEDF6986 mov rbx,rcx
000007FEDEDF6989 add rcx,0D8h
000007FEDEDF6990 call QList<QString>::~QList<QString> (07FEDEDA1D40h)
000007FEDEDF6995 mov rcx,rbx
000007FEDEDF6998 add rsp,20h
000007FEDEDF699C pop rbx
000007FEDEDF699D jmp QFontEngineMulti::~QFontEngineMulti (07FEDEE55690h)
000007FEDEDF69A2 int 3
000007FEDEDF69A3 int 3
000007FEDEDF69A4 int 3
000007FEDEDF69A5 int 3
000007FEDEDF69A6 int 3
000007FEDEDF69A7 int 3
000007FEDEDF69A8 int 3
000007FEDEDF69A9 int 3
000007FEDEDF69AA int 3
000007FEDEDF69AB int 3
000007FEDEDF69AC int 3
000007FEDEDF69AD int 3
000007FEDEDF69AE int 3
000007FEDEDF69AF int 3
--- d:\builds\thirdparty\qt\5.4\local\qtbase\src\gui\image\qimage.cpp ----------
1003:
1004: /*!
1005: Destroys the image and cleans up.
1006: */
1007:
1008: QImage::~QImage()
1009: {
000007FEDEDF69B0 push rbx
000007FEDEDF69B2 sub rsp,20h
000007FEDEDF69B6 lea rax,[QImage::`vftable' (07FEDF03B0B8h)]
000007FEDEDF69BD mov rbx,rcx
000007FEDEDF69C0 mov qword ptr [rcx],rax
1010: if (d && !d->ref.deref())
000007FEDEDF69C3 mov rcx,qword ptr [rcx+18h]
1010: if (d && !d->ref.deref())
000007FEDEDF69C7 test rcx,rcx
000007FEDEDF69CA je QImage::~QImage+44h (07FEDEDF69F4h)
000007FEDEDF69CC lock dec dword ptr [rcx]
000007FEDEDF69CF jne QImage::~QImage+44h (07FEDEDF69F4h)
1011: delete d;
000007FEDEDF69D1 mov qword ptr [this],rdi
000007FEDEDF69D6 mov rdi,qword ptr [rbx+18h]
000007FEDEDF69DA test rdi,rdi
000007FEDEDF69DD je QImage::~QImage+3Fh (07FEDEDF69EFh)
000007FEDEDF69DF mov rcx,rdi
000007FEDEDF69E2 call QImageData::~QImageData (07FEDEDF6A10h)
000007FEDEDF69E7 mov rcx,rdi
000007FEDEDF69EA call operator delete (07FEDF035B0Eh)
000007FEDEDF69EF mov rdi,qword ptr [this]
1012: }
000007FEDEDF69F4 mov rcx,rbx
000007FEDEDF69F7 add rsp,20h
000007FEDEDF69FB pop rbx
000007FEDEDF69FC jmp QPaintDevice::~QPaintDevice (07FEDEF4F800h)
--- No source file -------------------------------------------------------------
000007FEDEDF6A01 int 3
000007FEDEDF6A02 int 3
000007FEDEDF6A03 int 3
000007FEDEDF6A04 int 3
000007FEDEDF6A05 int 3
000007FEDEDF6A06 int 3
000007FEDEDF6A07 int 3
000007FEDEDF6A08 int 3
000007FEDEDF6A09 int 3
000007FEDEDF6A0A int 3
000007FEDEDF6A0B int 3
000007FEDEDF6A0C int 3
000007FEDEDF6A0D int 3
000007FEDEDF6A0E int 3
000007FEDEDF6A0F int 3
--- d:\builds\thirdparty\qt\5.4\local\qtbase\src\gui\image\qimage.cpp ----------
171:
172: QImageData::~QImageData()
173: {
000007FEDEDF6A10 mov qword ptr [rsp+8],rbx
000007FEDEDF6A15 push rdi
000007FEDEDF6A16 sub rsp,20h
174: if (cleanupFunction)
000007FEDEDF6A1A mov rax,qword ptr [rcx+60h]
000007FEDEDF6A1E mov rbx,rcx
000007FEDEDF6A21 test rax,rax
000007FEDEDF6A24 je QImageData::~QImageData+1Ch (07FEDEDF6A2Ch)
175: cleanupFunction(cleanupInfo);
000007FEDEDF6A26 mov rcx,qword ptr [rcx+68h]
000007FEDEDF6A2A call rax
176: if (is_cached)
000007FEDEDF6A2C test byte ptr [rbx+58h],8
000007FEDEDF6A30 je QImageData::~QImageData+36h (07FEDEDF6A46h)
177: QImagePixmapCleanupHooks::executeImageHooks((((qint64) ser_no) << 32) | ((qint64) detach_no));
000007FEDEDF6A32 movsxd rcx,dword ptr [rbx+38h]
000007FEDEDF6A36 movsxd rax,dword ptr [rbx+3Ch]
000007FEDEDF6A3A shl rcx,20h
000007FEDEDF6A3E or rcx,rax
000007FEDEDF6A41 call QImagePixmapCleanupHooks::executeImageHooks (07FEDEE24D40h)
178: delete paintEngine;
000007FEDEDF6A46 mov rcx,qword ptr [rbx+78h]
000007FEDEDF6A4A test rcx,rcx
000007FEDEDF6A4D je QImageData::~QImageData+49h (07FEDEDF6A59h)
000007FEDEDF6A4F mov rax,qword ptr [rcx]
000007FEDEDF6A52 mov edx,1
000007FEDEDF6A57 call qword ptr [rax]
179: if (data && own_data)
000007FEDEDF6A59 mov rcx,qword ptr [rbx+28h]
000007FEDEDF6A5D test rcx,rcx
000007FEDEDF6A60 je QImageData::~QImageData+5Eh (07FEDEDF6A6Eh)
000007FEDEDF6A62 test byte ptr [rbx+58h],1
000007FEDEDF6A66 je QImageData::~QImageData+5Eh (07FEDEDF6A6Eh)
180: free(data);
000007FEDEDF6A68 call qword ptr [__imp_free (07FEDF038230h)]
181: data = 0;
000007FEDEDF6A6E mov qword ptr [rbx+28h],0
182: }
000007FEDEDF6A76 mov rcx,qword ptr [rbx+70h]
000007FEDEDF6A7A mov eax,dword ptr [rcx]
000007FEDEDF6A7C test eax,eax
000007FEDEDF6A7E je QImageData::~QImageData+7Ah (07FEDEDF6A8Ah)
000007FEDEDF6A80 cmp eax,0FFFFFFFFh
000007FEDEDF6A83 je QImageData::~QImageData+83h (07FEDEDF6A93h)
000007FEDEDF6A85 lock dec dword ptr [rcx]
000007FEDEDF6A88 jne QImageData::~QImageData+83h (07FEDEDF6A93h)
000007FEDEDF6A8A mov rcx,qword ptr [rbx+70h]
000007FEDEDF6A8E call QMapData<QString,QString>::destroy (07FEDEDA2CD0h)
000007FEDEDF6A93 mov rax,qword ptr [rbx+20h]
000007FEDEDF6A97 mov ecx,dword ptr [rax]
000007FEDEDF6A99 test ecx,ecx
000007FEDEDF6A9B je QImageData::~QImageData+97h (07FEDEDF6AA7h)
000007FEDEDF6A9D cmp ecx,0FFFFFFFFh
000007FEDEDF6AA0 je QImageData::~QImageData+0BFh (07FEDEDF6ACFh)
000007FEDEDF6AA2 lock dec dword ptr [rax]
000007FEDEDF6AA5 jne QImageData::~QImageData+0BFh (07FEDEDF6ACFh)
000007FEDEDF6AA7 mov rbx,qword ptr [rbx+20h]
000007FEDEDF6AAB mov rcx,rbx
000007FEDEDF6AAE call qword ptr [__imp_QArrayData::data (07FEDF0384C8h)]
000007FEDEDF6AB4 mov rcx,rbx
000007FEDEDF6AB7 call qword ptr [__imp_QArrayData::data (07FEDF0384C8h)]
000007FEDEDF6ABD mov edx,4
000007FEDEDF6AC2 mov rcx,rbx
000007FEDEDF6AC5 lea r8d,[rdx+4]
000007FEDEDF6AC9 call qword ptr [__imp_QArrayData::deallocate (07FEDF0384D8h)]
000007FEDEDF6ACF mov rbx,qword ptr [this]
000007FEDEDF6AD4 add rsp,20h
000007FEDEDF6AD8 pop rdi
000007FEDEDF6AD9 ret
--- No source file -------------------------------------------------------------