Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 5.0.0
Affects Version/s: 5.0.0 RC 1
Component/s: Widgets: GraphicsView
Labels:
None
Environment:
Linux, Clang trunk/3.3, -sanitize-address
https://codereview.qt-project.org/#change,41476

Commits:
ed15e4eb07104dd780fe8d72b2792916ce4db098

Description

There is a heap-use-after-free in
tests/auto/widgets/graphicsview/qgraphicsitem

=================================================================
==30327== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fcd70845d48 at pc 0x7fcd7c5a0a0c bp 0x7fff46327fd0 sp 0x7fff46327fc8

WRITE of size 8 at 0x7fcd70845d48 thread T0
    #0 0x7fcd7c5a0a0b in QGraphicsItemPrivate::resetFocusProxy() qgraphicsitem.cpp:5561
    #1 0x7fcd7c71d1ef in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:616
    #2 0x7fcd7c59f8f1 in ~QGraphicsItem qgraphicsitem.cpp:1458
    #3 0x7fcd7c5fa20e in ~QGraphicsRectItem qgraphicsitem.cpp:8412
    #4 0x60a52f in tst_QGraphicsItem::focusProxyDeletion() tst_qgraphicsitem.cpp:8496
    #5 0x6c6c2a in tst_QGraphicsItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qgraphicsitem.moc:964
    #6 0x7fcd772629ba in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2146
    #7 0x7fcd77260533 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qmetaobject.cpp:1462
    #8 0x7fcd7a69f3e6 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qobjectdefs.h:396
    #9 0x7fcd7a678ccc in QTest::qInvokeTestMethodDataEntry(char*) qtestcase.cpp:1651
    #10 0x7fcd7a677187 in QTest::qInvokeTestMethod(char const*, char const*) qtestcase.cpp:1769
    #11 0x7fcd7a668392 in QTest::qInvokeTestMethods(QObject*) qtestcase.cpp:1923
    #12 0x7fcd7a66652c in QTest::qExec(QObject*, int, char**) qtestcase.cpp:2136
    #13 0x6c2b96 in main tst_qgraphicsitem.cpp:11341
    #14 0x7fcd74f9c76c in ?? ??:0
0x7fcd70845d48 is located 264 bytes inside of 416-byte region [0x7fcd70845c40,0x7fcd70845de0)

freed by thread T0 here:
    #0 0x7d193a in operator delete(void*) _asan_rtl_
    #1 0x7fcd7c699d6b in QGraphicsRectItemPrivate::~QGraphicsRectItemPrivate() qgraphicsitem.cpp:8360
    #2 0x7fcd7c6898ab in QScopedPointerDeleter<QGraphicsItemPrivate>::cleanup(QGraphicsItemPrivate*) qscopedpointer.h:63
    #3 0x7fcd7c6896d6 in ~QScopedPointer qscopedpointer.h:99
    #4 0x7fcd7c63bb95 in ~QScopedPointer qscopedpointer.h:97
    #5 0x7fcd7c5a0028 in ~QGraphicsItem qgraphicsitem.cpp:1478
    #6 0x7fcd7c5fa20e in ~QGraphicsRectItem qgraphicsitem.cpp:8412
    #7 0x60a238 in tst_QGraphicsItem::focusProxyDeletion() tst_qgraphicsitem.cpp:8489
    #8 0x6c6c2a in tst_QGraphicsItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qgraphicsitem.moc:964
    #9 0x7fcd772629ba in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2146
    #10 0x7fcd77260533 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qmetaobject.cpp:1462
    #11 0x7fcd7a69f3e6 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qobjectdefs.h:396
    #12 0x7fcd7a678ccc in QTest::qInvokeTestMethodDataEntry(char*) qtestcase.cpp:1651
    
previously allocated by thread T0 here:
    #0 0x7d17ba in operator new(unsigned long) _asan_rtl_
    #1 0x7fcd7c5fa04b in QGraphicsRectItem qgraphicsitem.cpp:8405
    #2 0x609bc7 in tst_QGraphicsItem::focusProxyDeletion() tst_qgraphicsitem.cpp:8479
    #3 0x6c6c2a in tst_QGraphicsItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qgraphicsitem.moc:964
    #4 0x7fcd772629ba in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2146
    #5 0x7fcd77260533 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qmetaobject.cpp:1462
    #6 0x7fcd7a69f3e6 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qobjectdefs.h:396

Shadow byte and word:
  0x1ff9ae108ba9: fd
  0x1ff9ae108ba8: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff9ae108b88: fd fd fd fd fd fd fd fd
  0x1ff9ae108b90: fd fd fd fd fd fd fd fd
  0x1ff9ae108b98: fd fd fd fd fd fd fd fd
  0x1ff9ae108ba0: fd fd fd fd fd fd fd fd
=>0x1ff9ae108ba8: fd fd fd fd fd fd fd fd
  0x1ff9ae108bb0: fd fd fd fd fd fd fd fd
  0x1ff9ae108bb8: fd fd fd fd fd fd fd fd
  0x1ff9ae108bc0: fa fa fa fa fa fa fa fa
  0x1ff9ae108bc8: fd fd fd fd fd fd fd fd
Stats: 5M malloced (8M for red zones) by 51128 calls
Stats: 0M realloced by 11025 calls
Stats: 3M freed by 36213 calls
Stats: 0M really freed by 0 calls
Stats: 17M (4365 full pages) mmaped in 34 calls
  mmaps   by size class: 7:45045; 8:6141; 9:2046; 10:1022; 11:765; 12:384; 13:128; 14:160; 15:32; 16:8;
  mallocs by size class: 7:42571; 8:5532; 9:909; 10:861; 11:732; 12:279; 13:78; 14:141; 15:19; 16:6;
  frees   by size class: 7:32510; 8:1913; 9:641; 10:565; 11:383; 12:62; 13:29; 14:104; 15:1; 16:5;
  rfrees  by size class:
Stats: malloc large: 25 small slow: 435
==30327== ABORTING

The QGraphicsRectItemPrivate is already deleted when used in QGraphicsItemPrivate::resetFocusProxy(), the used list there is out of date.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Andreas Aardal Hanssen

Reporter:: Peter Kümmel

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 02 Dec '12 11:50

Updated:: 19 Aug '13 18:07

Resolved:: 17 Dec '12 15:30

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

Fix focusproxy-relayed crash in QGraphicsItem destructor.: Gerrit Review: