Details
- Type: Bug
- Resolution: Done
- Priority: P1: Critical
- None
- Affects Version/s: 5.4.1, 5.5.0
- None
Description
When a modal dialog is already opened (e.g., a "please wait" dialog) and the application pops another modal dialog on top (e.g., an informative QMessageBox), the application can crash if the user dismisses the QMessageBox using the keyboard.
After investigating, it appears Qt is trying to dereference a (freshly-)deleted QXcbWindow, retrieved from QXcbConnection::focusWindow().
Here is what happens when the QMessageBox gets dismissed:
- QXcbWindow::~QXcbWindow() will be called and, in turn, call QXcbWindow::destroy()
- QXcbWindow::destroy() will call QXcbWindow::doFocusOut()
- QXcbWindow::doFocusOut() will check if the focus is soon to be relayed to another modal window
- if that is the case, QXcbConnection::m_focusWindow is not reset to 0
Now, if a key release event is reported by Xcb before focus has actually been relayed to the other modal dialog, QXcbConnection::m_focusWindow points to a deleted object, and QXcbKeyboard::handleKeyEvent will use it, leading to a crash.
Although this issue resembles in many ways https://bugreports.qt.io/browse/QTBUG-34612 , I am not certain it is due to exactly the same cause. Apologies in advance if this is indeed a duplicate.
Here's how to reproduce:
- compile & run the attached application
- click on the 'new file' icon. That will cause a dialog to appear, immediately shadowed by a series of QMessageBox calls
- press & hold 'Enter' to dismiss the QMessageBoxes, and after a few of them, the application will (likely) crash.
I could reproduce this on a:
- Ubuntu 10.04
- Debian 7.8
- Ubuntu 15.04
...but since the issue is racy by nature, you might fail to reproduce it (e.g., I failed to reproduce it on one machine: a colleague's Ubuntu 14.04 box).
—
Attached, you'll also find a suggested patch for fixing it. The code is not quite pretty, but the idea is very simple: when calling doFocusOut() from destroy(), force m_focusWindow to be set to 0 (instead of keeping a dangling pointer that might later be picked up).
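The sequence described above and the suggested fix, as an added illustration that is not Qt's code or the attached patch: a toy model with hypothetical Connection/Window types standing in for QXcbConnection::m_focusWindow, QXcbWindow::doFocusOut() and QXcbKeyboard::handleKeyEvent(). It assumes, as the report states, that doFocusOut() leaves m_focusWindow untouched when focus is about to be relayed to another modal window.

```cpp
// Toy model of the focus-tracking bug (constructed example, not Qt code).
// "fixed" selects the reporter's suggestion: clear m_focusWindow whenever
// doFocusOut() is reached from destroy().
#include <string>
#include <utility>

struct Window;

struct Connection {
    Window *m_focusWindow = nullptr;  // raw, non-owning, like QXcbConnection
    bool fixed;                       // false = behaviour described in the report
    explicit Connection(bool fixedBehaviour) : fixed(fixedBehaviour) {}
    Window *focusWindow() const { return m_focusWindow; }
};

struct Window {
    Connection &conn;
    std::string name;
    Window(Connection &c, std::string n) : conn(c), name(std::move(n)) {}

    void doFocusIn() { conn.m_focusWindow = this; }

    // When focus is about to be relayed to another modal window the pointer is
    // kept, unless this window is being destroyed and the fix is active.
    void doFocusOut(bool relayingToModal, bool fromDestroy) {
        if (relayingToModal && !(fromDestroy && conn.fixed))
            return;                   // m_focusWindow still refers to *this
        if (conn.m_focusWindow == this)
            conn.m_focusWindow = nullptr;
    }

    // ~QXcbWindow() -> destroy() -> doFocusOut(); the object is freed right after.
    void destroy(bool relayingToModal) { doFocusOut(relayingToModal, true); }
};

// Mirrors handleKeyEvent(): delivers to whatever focusWindow() returns.
// Returns the receiving window's name, or "" when there is no focus window.
std::string handleKeyEvent(const Connection &conn) {
    Window *w = conn.focusWindow();
    return w ? w->name : std::string();
}

// The reported sequence: a modal "please wait" dialog has focus, a QMessageBox
// on top is dismissed while focus is to be relayed back to the modal, and a key
// release arrives before that relay. In real Qt the box is already freed here.
std::string keyEventTargetAfterDismiss(bool fixed) {
    Connection conn(fixed);
    Window pleaseWait(conn, "please-wait");
    pleaseWait.doFocusIn();
    Window box(conn, "message-box");
    box.doFocusIn();                            // the QMessageBox takes focus
    box.destroy(/*relayingToModal=*/true);      // user dismisses it via keyboard
    return handleKeyEvent(conn);  // buggy: "message-box" (dangling); fixed: ""
}
```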
Issue Links
- duplicates: QTBUG-34612 [Reg 4->5]: Crash when hiding a modal dialog to open another subdialog (from QDialog::exec()) (Closed)
- relates to: QTBUG-55423 XCB: [REG: 4 -> 5] Crash when using keyboard to accept a dialog (Closed)
- relates to: QTBUG-55197 Crashes in Xcb Code when destroyed window was repeatedly raised (Closed)
For Gerrit Dashboard: QTBUG-48391

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 188320,12 | xcb: prevent dangling pointer when window focus changes | 5.8 | qt/qtbase | MERGED | +2 | 0 |