Qt / QTBUG-111736

null pointer dereference in QQuickPlatformMenu::create gtk_menu_shell_insert


Details

    • Bug
    • Resolution: Cannot Reproduce
    • P3: Somewhat important
    • None
    • 5.15
    • Quick: Controls 2
    • None
    • NixOS 22.11, xfce environment, Linux x86_64
    • Linux/X11

    Description

      When right clicking on a channel name in nheko (qml application, compiled with qt 5.15) I get a segfault with a 100% qt backtrace:

      #0 0x00007f0e2db68e29 in gtk_menu_shell_insert (menu_shell=<optimized out>, child=<optimized out>, position=<optimized out>) at ../gtk/gtkmenushell.c:550
      #1 0x00007f0e000ba28f in QQuickPlatformMenu::create (this=<optimized out>) at qquickplatformmenu.cpp:271
      #2 0x00007f0e000ba549 in QQuickPlatformMenu::sync (this=<optimized out>) at qquickplatformmenu.cpp:297
      #3 0x00007f0e000be7a9 in QQuickPlatformMenuItem::sync (this=<optimized out>) at qquickplatformmenuitem.cpp:182
      #4 0x00007f0e000befd7 in QQuickPlatformMenuItem::sync (this=<optimized out>) at qquickplatformmenuitem.cpp:198
      #5 0x00007f0e000b9d1c in QQuickPlatformMenu::sync (this=<optimized out>) at qquickplatformmenu.cpp:315
      #6 0x00007f0e000bbf75 in QQuickPlatformMenu::sync (this=<optimized out>) at qquickplatformmenu.cpp:297
      #7 QQuickPlatformMenu::insertItem (this=<optimized out>, index=<optimized out>, item=<optimized out>) at qquickplatformmenu.cpp:666
      #8 0x00007f0e000cadd3 in QQuickPlatformMenu::qt_metacall (this=<optimized out>, _c=<optimized out>, _id=<optimized out>, _a=<optimized out>) at .moc/moc_qquickplatformmenu_p.cpp:544
      #9 0x00007f0e430fb373 in QQmlObjectOrGadget::metacall (this=<optimized out>, type=<optimized out>, index=<optimized out>, argv=<optimized out>) at qml/qqmlobjectorgadget.cpp:51
      #10 0x00007f0e42fd65ce in CallMethod (callType=<optimized out>, callArgs=<optimized out>, engine=<optimized out>, argTypes=<optimized out>, argCount=<optimized out>,
      returnType=<optimized out>, index=<optimized out>, object=...) at /nix/store/afzfkm5glkxsdxp07incj3qhayn9lqfi-qtbase-5.15.8-dev/include/QtCore/qvarlengtharray.h:189
      #11 CallPrecise (object=..., data=..., engine=<optimized out>, callArgs=<optimized out>, callType=<optimized out>) at jsruntime/qv4qobjectwrapper.cpp:1553
      #12 0x00007f0e42fd882b in CallOverloaded (callType=<optimized out>, propertyCache=<optimized out>, callArgs=<optimized out>, engine=<optimized out>, data=..., object=...)
      at jsruntime/qv4qobjectwrapper.cpp:1629
      #13 QV4::QObjectMethod::callInternal (this=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=<optimized out>) at jsruntime/qv4qobjectwrapper.cpp:2117
      #14 0x00007f0e42ff5016 in QV4::FunctionObject::call (argc=<optimized out>, argv=<optimized out>, thisObject=<optimized out>, this=<optimized out>)
      at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/jsruntime/qv4functionobject_p.h:202
      #15 QV4::Moth::VME::interpret (frame=0x22b6b30, engine=0x2462740, code=0x416c040 "\020\060\366B\016\177") at jsruntime/qv4vme_moth.cpp:757
      #16 0x00007f0e42ff873f in QV4::Moth::VME::exec (frame=<optimized out>, engine=<optimized out>) at jsruntime/qv4vme_moth.cpp:466
      #17 0x00007f0e42f8aebe in QV4::Function::call (this=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=<optimized out>, context=<optimized out>)
      at jsruntime/qv4function.cpp:69
      #18 0x00007f0e43115d0d in QQmlJavaScriptExpression::evaluate (this=<optimized out>, callData=<optimized out>, isUndefined=<optimized out>) at qml/qqmljavascriptexpression.cpp:212
      #19 0x00007f0e430c6aaf in QQmlBoundSignalExpression::evaluate (this=<optimized out>, a=<optimized out>)
      at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/jsruntime/qv4jscall_p.h:95
      #20 0x00007f0e430c8218 in QQmlBoundSignal_callback (e=<optimized out>, a=<optimized out>)
      at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/qml/qqmlboundsignalexpressionpointer_p.h:69
      #21 0x00007f0e430fae55 in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=<optimized out>) at qml/qqmlnotifier.cpp:104
      #22 0x00007f0e41c041ad in doActivate<false> (sender=<optimized out>, signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3815
      #23 0x00007f0e41bfd70f in QMetaObject::activate (sender=<optimized out>, m=<optimized out>, local_signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3983
      #24 0x00007f0e40953e76 in QQmlInstantiator::objectAdded (this=<optimized out>, _t1=<optimized out>, _t2=<optimized out>) at .moc/moc_qqmlinstantiator_p.cpp:365
      #25 0x00007f0e41c046dc in doActivate<false> (sender=<optimized out>, signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3935
      #26 0x00007f0e41bfd70f in QMetaObject::activate (sender=<optimized out>, m=<optimized out>, local_signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3983
      #27 0x00007f0e40957866 in QQmlInstanceModel::createdItem (this=<optimized out>, _t1=<optimized out>, _t2=<optimized out>) at .moc/moc_qqmlobjectmodel_p.cpp:270
      #28 0x00007f0e40983344 in QQmlDelegateModelPrivate::emitCreatedItem (item=<optimized out>, incubationTask=<optimized out>, this=<optimized out>)
      at /build/qtdeclarative-05c3f49/src/qmlmodels/qqmldelegatemodel_p_p.h:280
      #29 QQmlDelegateModelPrivate::incubatorStatusChanged (this=<optimized out>, incubationTask=<optimized out>, status=<optimized out>) at qqmldelegatemodel.cpp:1192
      #30 0x00007f0e430c10f2 in QQmlIncubatorPrivate::incubate (this=<optimized out>, i=...) at qml/qqmlincubator.cpp:384
      #31 0x00007f0e430c14cd in QQmlEnginePrivate::incubate (this=<optimized out>, i=..., forContext=<optimized out>) at qml/qqmlincubator.cpp:89
      #32 0x00007f0e40983d4f in QQmlDelegateModelPrivate::object (this=<optimized out>, group=<optimized out>, index=<optimized out>, incubationMode=<optimized out>)
      at qqmldelegatemodel.cpp:1324
      #33 0x00007f0e40954107 in QQmlInstantiatorPrivate::modelObject (this=<optimized out>, index=<optimized out>, async=<optimized out>) at qqmlinstantiator.cpp:92
      #34 0x00007f0e40954fec in QQmlInstantiatorPrivate::regenerate (this=<optimized out>) at qqmlinstantiator.cpp:115
      #35 0x00007f0e4095523a in QQmlInstantiator::setModel (this=<optimized out>, v=...) at qqmlinstantiator.cpp:445
      #36 0x00007f0e430b67a2 in QQmlPropertyData::writeProperty (flags=..., value=<optimized out>, target=<optimized out>, this=<optimized out>)
      at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/qml/qqmlpropertydata_p.h:391
      #37 QQmlPropertyPrivate::write (object=<optimized out>, property=..., value=..., context=<optimized out>, flags=...) at qml/qqmlproperty.cpp:1305
      #38 0x00007f0e430b88f2 in QQmlPropertyPrivate::writeValueProperty (object=<optimized out>, core=..., valueTypeData=..., value=..., context=<optimized out>, flags=...)
      at qml/qqmlproperty.cpp:1214
      #39 0x00007f0e4311d63c in QQmlBinding::slowWrite (this=<optimized out>, core=..., valueTypeData=..., result=..., isUndefined=<optimized out>, flags=...) at qml/qqmlbinding.cpp:474
      #40 0x00007f0e4311ea80 in GenericBinding<0>::write (this=<optimized out>, result=..., isUndefined=<optimized out>, flags=...) at qml/qqmlbinding.cpp:335
      #41 0x00007f0e431202de in QQmlNonbindingBinding::doUpdate (this=<optimized out>, watcher=..., flags=..., scope=...) at qml/qqmlbinding.cpp:258
      #42 0x00007f0e4311dcf4 in QQmlBinding::update (this=<optimized out>, flags=...) at qml/qqmlbinding.cpp:194
      #43 0x00007f0e430fae55 in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=<optimized out>) at qml/qqmlnotifier.cpp:104
      #44 0x00007f0e41c041ad in doActivate<false> (sender=<optimized out>, signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3815
      #45 0x00007f0e41bfd90b in QMetaObject::activate (sender=<optimized out>, signalOffset=<optimized out>, local_signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3996
      #46 0x00007f0e430a02a5 in QQmlVMEMetaObject::activate (this=<optimized out>, object=<optimized out>, index=<optimized out>, args=<optimized out>) at qml/qqmlvmemetaobject.cpp:1312
      #47 0x00007f0e430a26dd in QQmlVMEMetaObject::metaCall (this=<optimized out>, o=<optimized out>, c=<optimized out>, _id=<optimized out>, a=<optimized out>) at qml/qqmlvmemetaobject.cpp:880
      #48 0x00007f0e4311fa57 in QQmlPropertyData::writeProperty (flags=..., value=<optimized out>, target=<optimized out>, this=<optimized out>) at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/qml/qqmlpropertydata_p.h:395
      #49 GenericBinding<10>::doStore<QString> (flags=..., pd=<optimized out>, value=..., this=<optimized out>) at qml/qqmlbinding.cpp:342
      #50 GenericBinding<10>::write (this=<optimized out>, result=..., isUndefined=<optimized out>, flags=...) at qml/qqmlbinding.cpp:323
      #51 0x00007f0e431202de in QQmlNonbindingBinding::doUpdate (this=<optimized out>, watcher=..., flags=..., scope=...) at qml/qqmlbinding.cpp:258
      #52 0x00007f0e4311dcf4 in QQmlBinding::update (this=<optimized out>, flags=...) at qml/qqmlbinding.cpp:194
      #53 0x00007f0e430fae55 in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=<optimized out>) at qml/qqmlnotifier.cpp:104
      #54 0x00007f0e41c041ad in doActivate<false> (sender=<optimized out>, signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3815
      #55 0x00007f0e41bfd90b in QMetaObject::activate (sender=<optimized out>, signalOffset=<optimized out>, local_signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3996
      #56 0x00007f0e430a02a5 in QQmlVMEMetaObject::activate (this=<optimized out>, object=<optimized out>, index=<optimized out>, args=<optimized out>) at qml/qqmlvmemetaobject.cpp:1312
      #57 0x00007f0e430a26dd in QQmlVMEMetaObject::metaCall (this=<optimized out>, o=<optimized out>, c=<optimized out>, _id=<optimized out>, a=<optimized out>) at qml/qqmlvmemetaobject.cpp:880
      #58 0x00007f0e42fd9fab in QV4::QObjectWrapper::setProperty (engine=<optimized out>, object=<optimized out>, property=<optimized out>, value=...) at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/qml/qqmlpropertydata_p.h:284
      #59 0x00007f0e42fda44b in QV4::QObjectWrapper::setQmlProperty (engine=<optimized out>, qmlContext=<optimized out>, object=<optimized out>, name=<optimized out>, revisionMode=<optimized out>, value=...) at jsruntime/qv4qobjectwrapper.cpp:435
      #60 0x00007f0e42faf1d2 in QV4::QQmlContextWrapper::virtualPut (m=<optimized out>, id=..., value=..., receiver=<optimized out>) at jsruntime/qv4qmlcontext.cpp:425
      #61 0x00007f0e42f6080f in QV4::Object::put (receiver=<optimized out>, v=..., name=<optimized out>, this=<optimized out>) at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/jsruntime/qv4string_p.h:167
      #62 QV4::ExecutionContext::setProperty (this=<optimized out>, name=<optimized out>, value=...) at jsruntime/qv4context.cpp:313
      #63 0x00007f0e43004ff7 in QV4::Runtime::StoreNameSloppy::call (engine=<optimized out>, nameIndex=<optimized out>, value=...) at jsruntime/qv4runtime.cpp:990
      #64 0x00007f0e42ff344a in QV4::Moth::VME::interpret (frame=0x22b6b30, engine=0x2462740, code=0x1091a24 <QmlCacheGeneratedCode::_qml_RoomList_qml::qmlData+7252> "\026\a0^\260S") at jsruntime/qv4vme_moth.cpp:602
      #65 0x00007f0e42ff873f in QV4::Moth::VME::exec (frame=<optimized out>, engine=<optimized out>) at jsruntime/qv4vme_moth.cpp:466
      #66 0x00007f0e42f8bc38 in QV4::ArrowFunction::virtualCall (fo=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=<optimized out>) at jsruntime/qv4functionobject.cpp:528
      #67 0x00007f0e42ff5016 in QV4::FunctionObject::call (argc=<optimized out>, argv=<optimized out>, thisObject=<optimized out>, this=<optimized out>) at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/jsruntime/qv4functionobject_p.h:202
      #68 QV4::Moth::VME::interpret (frame=0x22b6b30, engine=0x2462740, code=0x40f4390 "\020\060\366B\016\177") at jsruntime/qv4vme_moth.cpp:757
      #69 0x00007f0e42ff873f in QV4::Moth::VME::exec (frame=<optimized out>, engine=<optimized out>) at jsruntime/qv4vme_moth.cpp:466
      #70 0x00007f0e42f8aebe in QV4::Function::call (this=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=<optimized out>, context=<optimized out>) at jsruntime/qv4function.cpp:69
      #71 0x00007f0e43115d0d in QQmlJavaScriptExpression::evaluate (this=<optimized out>, callData=<optimized out>, isUndefined=<optimized out>) at qml/qqmljavascriptexpression.cpp:212
      #72 0x00007f0e430c6aaf in QQmlBoundSignalExpression::evaluate (this=<optimized out>, a=<optimized out>) at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/jsruntime/qv4jscall_p.h:95
      #73 0x00007f0e430c8218 in QQmlBoundSignal_callback (e=<optimized out>, a=<optimized out>) at ../../include/QtQml/5.15.8/QtQml/private/../../../../../src/qml/qml/qqmlboundsignalexpressionpointer_p.h:69
      #74 0x00007f0e430fae55 in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=<optimized out>) at qml/qqmlnotifier.cpp:104
      #75 0x00007f0e41c041ad in doActivate<false> (sender=<optimized out>, signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3815
      #76 0x00007f0e41bfd70f in QMetaObject::activate (sender=<optimized out>, m=<optimized out>, local_signal_index=<optimized out>, argv=<optimized out>) at kernel/qobject.cpp:3983
      #77 0x00007f0e436cba02 in QQuickTapHandler::singleTapped (this=<optimized out>, _t1=<optimized out>) at .moc/moc_qquicktaphandler_p.cpp:373
      #78 0x00007f0e436709c4 in QQuickTapHandler::setPressed (point=<optimized out>, cancel=<optimized out>, press=<optimized out>, this=<optimized out>) at handlers/qquicktaphandler.cpp:297
      #79 QQuickTapHandler::setPressed (this=<optimized out>, press=<optimized out>, cancel=<optimized out>, point=<optimized out>) at handlers/qquicktaphandler.cpp:261
      #80 0x00007f0e4366f94e in QQuickSinglePointHandler::handlePointerEventImpl (this=<optimized out>, event=<optimized out>) at handlers/qquicksinglepointhandler.cpp:138
      #81 0x00007f0e4366eb38 in QQuickPointerHandler::handlePointerEvent (this=<optimized out>, event=<optimized out>) at handlers/qquickpointerhandler.cpp:617
      #82 0x00007f0e435300fb in QQuickWindowPrivate::deliverMouseEvent (this=<optimized out>, pointerEvent=<optimized out>) at items/qquickwindow.cpp:2037
      #83 0x00007f0e4353121d in QQuickWindowPrivate::deliverPointerEvent (this=<optimized out>, event=<optimized out>) at items/qquickwindow.cpp:2628
      #84 0x00007f0e42194c15 in QWindow::event (this=<optimized out>, ev=<optimized out>) at kernel/qwindow.cpp:2455
      #85 0x00007f0e42838ffe in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=<optimized out>, e=<optimized out>) at kernel/qapplication.cpp:3640
      #86 0x00007f0e41bcc5c8 in QCoreApplication::notifyInternal2 (receiver=<optimized out>, event=<optimized out>) at kernel/qcoreapplication.cpp:1064
      #87 0x00007f0e42188c4d in QGuiApplicationPrivate::processMouseEvent (e=<optimized out>) at kernel/qguiapplication.cpp:2285
      #88 0x00007f0e4215c03c in QWindowSystemInterface::sendWindowSystemEvents (flags=...) at kernel/qwindowsysteminterface.cpp:1169
      #89 0x00007f0e2f3be21a in xcbSourceDispatch (source=<optimized out>) at qxcbeventdispatcher.cpp:105
      #90 0x00007f0e4163f609 in g_main_context_dispatch () from /nix/store/rcwsvm3zmcpwl71b7r5f9ql599hw6f2b-glib-2.74.5/lib/libglib-2.0.so.0
      #91 0x00007f0e4163f898 in g_main_context_iterate.constprop () from /nix/store/rcwsvm3zmcpwl71b7r5f9ql599hw6f2b-glib-2.74.5/lib/libglib-2.0.so.0
      #92 0x00007f0e4163f92c in g_main_context_iteration () from /nix/store/rcwsvm3zmcpwl71b7r5f9ql599hw6f2b-glib-2.74.5/lib/libglib-2.0.so.0
      #93 0x00007f0e41c24f66 in QEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qeventdispatcher_glib.cpp:423
      #94 0x00007f0e41bcafc3 in QEventLoop::exec (this=<optimized out>, flags=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:69
      #95 0x00007f0e41bd34c6 in QCoreApplication::exec () at ../../include/QtCore/../../src/corelib/global/qflags.h:121
      #96 0x00007f0e4217c50c in QGuiApplication::exec () at kernel/qguiapplication.cpp:1870
      #97 0x00007f0e42838f75 in QApplication::exec () at kernel/qapplication.cpp:2832
      #98 0x0000000000ae2352 in main (argc=<optimized out>, argv=<optimized out>) at /build/source/src/main.cpp:403

      More specifically, the segfault is a null pointer dereference (fault address is 0).
      It happens because gtk_menu_shell_insert is passed a zero second argument by QQuickPlatformMenu::create in qtquickcontrols2. This null pointer comes from QGtk3MenuItem::create() in qgtk3menu.cpp in qtbase.

      Relevant versions:

      "qtbase": { "url": "https://invent.kde.org/qt/qt/qtbase.git", "rev": "fa8dee92201448cc4eaa92f222b93d0b044d8ea5", "sha256": "16b0q0anlgmfzbdm0jyakb8cxikrr295pj7avzny26x9609lzqga" },
      "qtquickcontrols2": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols2.git", "rev": "56ce8233382a091a8476c831edd416b5f704ae4f", "sha256": "1h68s2fdgn1pbf5hsk6c8v4icz8c4cpbxv8iirz22yhlzabc3hdm" }
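Added example, not code from the report or from Qt: a small Python triage helper that parses a gdb backtrace in the format shown above (coping with the Jira `{{ }}` markup residue and with frames wrapped onto a second line) and reports the faulting frame plus its immediate caller, which in this report is the Qt-side frame that handed GTK the null child pointer. It assumes Python 3.9+; the sample frames are copied from the backtrace in the report.

```python
import re
from dataclasses import dataclass

# Constructed sample: frames copied from the report's backtrace, with the Jira {{ }} residue and the wrapped frame #10 kept.
SAMPLE_BACKTRACE = """\
#0 0x00007f0e2db68e29 in gtk_menu_shell_insert (menu_shell=<optimized out>, child=<optimized out>, position=<optimized out>) at ../gtk/gtkmenushell.c:550
#1 0x00007f0e000ba28f in QQuickPlatformMenu::create (this=<optimized out>) at qquickplatformmenu.cpp:271
{{#10 0x00007f0e42fd65ce in CallMethod (callType=<optimized out>, callArgs=<optimized out>, engine=<optimized out>, argTypes=<optimized out>, argCount=<optimized out>, }}
returnType=<optimized out>, index=<optimized out>, object=...) at /nix/store/afzfkm5glkxsdxp07incj3qhayn9lqfi-qtbase-5.15.8-dev/include/QtCore/qvarlengtharray.h:189
#90 0x00007f0e4163f609 in g_main_context_dispatch () from /nix/store/rcwsvm3zmcpwl71b7r5f9ql599hw6f2b-glib-2.74.5/lib/libglib-2.0.so.0
#98 0x0000000000ae2352 in main (argc=<optimized out>, argv=<optimized out>) at /build/source/src/main.cpp:403
"""

# One gdb frame: "#N [0xADDR in] FUNC (ARGS) at FILE:LINE", or "... from LIB.so" when the library has no debug info.
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>\S+)\s*\((?P<args>.*)\)\s+(?:at|from)\s+(?P<loc>\S+)$")

@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line" when debug info is present, else the shared-object path

def normalize(text: str) -> list[str]:
    """Strip Jira {{ }} residue and re-join frames that were wrapped onto a continuation line."""
    joined: list[str] = []
    for raw in text.splitlines():
        line = raw.strip().removeprefix("{{").removesuffix("}}").strip()
        if not line:
            continue
        if line.startswith("#") or not joined:
            joined.append(line)
        else:  # continuation of the previous frame
            joined[-1] += " " + line
    return joined

def parse_backtrace(text: str) -> list[Frame]:
    frames: list[Frame] = []
    for line in normalize(text):
        m = FRAME_RE.match(line)
        if m:  # anything that is not a frame line (gdb chatter) is skipped
            frames.append(Frame(int(m["idx"]), m["func"], m["loc"]))
    return frames

def triage(text: str) -> dict:
    """Fault site, the frame that called into it (where a bad argument came from), and the first Qt-side frame."""
    frames = parse_backtrace(text)
    if not frames:
        raise ValueError("no gdb frames found")
    qt = next((f for f in frames if f.function.startswith("Q")), None)
    return {
        "faulting_function": frames[0].function,
        "faulting_location": frames[0].location,
        "caller": frames[1].function if len(frames) > 1 else None,
        "first_qt_frame": f"{qt.function} at {qt.location}" if qt else None,
    }
```

Run `triage(open("backtrace.txt").read())` on a pasted gdb `bt` to get the same summary for another crash report.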


          People

            axelspoerl Axel Spoerl
            symphorien Mandatory Field
            Votes: 0
            Watchers: 3
