Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-63383

[REG: 5.6.2->5.6.3] QML double-free crash on exit

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • None
    • 5.6.3
    • QML: Declarative and Javascript Engine
    • None
    • Ubuntu 14.04 Linux desktop
    • 942b7935107f651b62bd77d6ec62adb7fd0fe0d1

    Description

      Simple QML program crashes with double-free on exit. Simply run the program and then exit it. Appears to be due to bindings being torn down during exit... which calls disconnectNotify (maybe due to QTBUG-59500 being fixed in 5.6.3?) Problem does not occur in 5.6.2. See included example program and ASAN stack traces.

      Debugging starts
==19174== Parsed ASAN_OPTIONS: abort_on_error=1,detect_leaks=true,symbolize=1,malloc_context_size=200,verbosity=1,fast_unwind_on_malloc=0
==19174== AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem    ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap  ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow  ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem     ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
red_zone=16
malloc_context_size=200
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 7fff8000
==19174== Installed the sigaction for signal 11
==19174== T0: stack [0x7fffff7ff000,0x7ffffffff000) size 0x800000; local=0x7fffffffdfdc
==19174== AddressSanitizer Init done
QML debugging is enabled. Only use this in a safe environment.
==19174== T1: stack [0x7fffeb1a5000,0x7fffeb9a6000) size 0x801000; local=0x7fffeb9a4eac
==19174== T2: stack [0x7fffe4536000,0x7fffe4d37000) size 0x801000; local=0x7fffe4d35eac
==19174== T3: stack [0x7fffe3755000,0x7fffe3f56000) size 0x801000; local=0x7fffe3f54eac
==19174== T4: stack [0x7fffe2c4e000,0x7fffe344f000) size 0x801000; local=0x7fffe344deac
==19174== T5: stack [0x7fffe20e7000,0x7fffe28e8000) size 0x801000; local=0x7fffe28e6eac
==19174== T6: stack [0x7fffe007c000,0x7fffe087d000) size 0x801000; local=0x7fffe087beac
QML Debugger: Waiting for connection on port 46547...
==19174== T7: stack [0x7fffcb549000,0x7fffcbd4a000) size 0x801000; local=0x7fffcbd48eac
==19174== T7 exited
==19174== T7 TSDDtor
=================================================================
==19174== ERROR: AddressSanitizer: attempting double-free on 0x600800069850:
    #0 0x7ffff4e6033a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0x7ffff3bf2361 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x2b2361)
    #2 0x7ffff3bedbf8 in QVariant::cmp(QVariant const&) const (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x2adbf8)
    #3 0x7ffff428f638 in QQmlOpenMetaObject::setValue(QByteArray const&, QVariant const&) (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x235638)
    #4 0x7ffff434f562 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f5562)
    #5 0x7ffff4351498 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f7498)
    #6 0x7ffff4351532 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f7532)
    #7 0x7ffff3bd5640 in QObjectData::dynamicMetaObject() const (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x295640)
    #8 0x7ffff429662a in QQmlData::disconnectNotifiers() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x23c62a)
    #9 0x7ffff42969f9 in QQmlData::destroyed(QObject*) (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x23c9f9)
    #10 0x7ffff3bdee05 in QObject::~QObject() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x29ee05)
    #11 0x7ffff3bdf468 in QObject::~QObject() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x29f468)
    #12 0x7ffff4351b53 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f7b53)
    #13 0x7ffff4351cd2 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f7cd2)
    #14 0x7ffff4351d1d (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f7d1d)
    #15 0x7ffff4354148 in QQmlListModel::~QQmlListModel() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2fa148)
    #16 0x7ffff429b78a (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x24178a)
    #17 0x7ffff3bd8153 in QObjectPrivate::deleteChildren() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x298153)
    #18 0x7ffff3bdf16d in QObject::~QObject() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x29f16d)
    #19 0x7fffe0d1c32e in QQuickItem::~QQuickItem() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Quick.so.5+0x19932e)
    #20 0x7fffe0d3af0d (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Quick.so.5+0x1b7f0d)
    #21 0x7ffff3bd8153 in QObjectPrivate::deleteChildren() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x298153)
    #22 0x7ffff3bdf16d in QObject::~QObject() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x29f16d)
    #23 0x7fffe0d27f93 in QQuickWindow::~QQuickWindow() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Quick.so.5+0x1a4f93)
    #24 0x7fffe0e041ec (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Quick.so.5+0x2811ec)
    #25 0x7ffff43111c5 in QQmlApplicationEnginePrivate::cleanUp() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2b71c5)
    #26 0x7ffff431122a in QQmlApplicationEngine::~QQmlApplicationEngine() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2b722a)
    #27 0x40133b in main /home/dwight/build-crash-Desktop_Qt_5_6_3_GCC_64bit2-Debug/../crash/main.cpp:8
    #28 0x7ffff307ef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #29 0x401078 in _start (/home/dwight/build-crash-Desktop_Qt_5_6_3_GCC_64bit2-Debug/crash+0x401078)
0x600800069850 is located 0 bytes inside of 48-byte region [0x600800069850,0x600800069880)
freed by thread T0 here:
    #0 0x7ffff4e6033a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0x7ffff4351c01 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f7c01)
    #2 0x7ffff4351cd2 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f7cd2)
    #3 0x7ffff4351d1d (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f7d1d)
    #4 0x7ffff4354148 in QQmlListModel::~QQmlListModel() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2fa148)
    #5 0x7ffff429b78a (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x24178a)
    #6 0x7ffff3bd8153 in QObjectPrivate::deleteChildren() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x298153)
    #7 0x7ffff3bdf16d in QObject::~QObject() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x29f16d)
    #8 0x7fffe0d1c32e in QQuickItem::~QQuickItem() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Quick.so.5+0x19932e)
    #9 0x7fffe0d3af0d (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Quick.so.5+0x1b7f0d)
    #10 0x7ffff3bd8153 in QObjectPrivate::deleteChildren() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x298153)
    #11 0x7ffff3bdf16d in QObject::~QObject() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x29f16d)
    #12 0x7fffe0d27f93 in QQuickWindow::~QQuickWindow() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Quick.so.5+0x1a4f93)
    #13 0x7fffe0e041ec (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Quick.so.5+0x2811ec)
    #14 0x7ffff43111c5 in QQmlApplicationEnginePrivate::cleanUp() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2b71c5)
    #15 0x7ffff431122a in QQmlApplicationEngine::~QQmlApplicationEngine() (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2b722a)
    #16 0x40133b in main /home/dwight/build-crash-Desktop_Qt_5_6_3_GCC_64bit2-Debug/../crash/main.cpp:8
    #17 0x7ffff307ef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #18 0x401078 in _start (/home/dwight/build-crash-Desktop_Qt_5_6_3_GCC_64bit2-Debug/crash+0x401078)
previously allocated by thread T0 here:
    #0 0x7ffff4e6041a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0x7ffff39eb5ff in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0xab5ff)
    #2 0x7ffff3a717b4 in QString::QString(QChar const*, int) (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Core.so.5+0x1317b4)
    #3 0x7ffff4126c8f in QV4::CompiledData::Binding::valueAsString(QV4::CompiledData::Unit const*) const (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0xccc8f)
    #4 0x7ffff4352be7 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f8be7)
    #5 0x7ffff43529bf (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f89bf)
    #6 0x7ffff4352f1e (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2f8f1e)
    #7 0x7ffff431ed1c (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c4d1c)
    #8 0x7ffff431cc43 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c2c43)
    #9 0x7ffff431d9df (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c39df)
    #10 0x7ffff431e3d5 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c43d5)
    #11 0x7ffff431ef31 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c4f31)
    #12 0x7ffff431f899 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c5899)
    #13 0x7ffff431f52c (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c552c)
    #14 0x7ffff431cc43 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c2c43)
    #15 0x7ffff431d9df (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c39df)
    #16 0x7ffff431e3d5 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c43d5)
    #17 0x7ffff431ef31 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c4f31)
    #18 0x7ffff431f899 (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2c5899)
    #19 0x7ffff42ab2e9 in QQmlComponentPrivate::beginCreate(QQmlContextData*) (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2512e9)
    #20 0x7ffff42ab747 in QQmlComponent::create(QQmlContext*) (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x251747)
    #21 0x7ffff4311ce1 in QQmlApplicationEnginePrivate::_q_finishLoad(QObject*) (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2b7ce1)
    #22 0x7ffff4311ed1 in QQmlApplicationEnginePrivate::startLoad(QUrl const&, QByteArray const&, bool) (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2b7ed1)
    #23 0x7ffff4311f0c in QQmlApplicationEngine::load(QUrl const&) (/home/dwight/Qt/5.6.3/gcc_64/lib/libQt5Qml.so.5+0x2b7f0c)
    #24 0x4012c5 in main /home/dwight/build-crash-Desktop_Qt_5_6_3_GCC_64bit2-Debug/../crash/main.cpp:9
    #25 0x7ffff307ef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #26 0x401078 in _start (/home/dwight/build-crash-Desktop_Qt_5_6_3_GCC_64bit2-Debug/crash+0x401078)
SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==19174== ABORTING

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-59256 Bugfix for QTBUG-52356 possibly not complete

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          For Gerrit Dashboard: QTBUG-63383
          # Subject Branch Project Status CR V
          220797,2 Fix use-after-free when removing elements from a ListModel 5.6 qt/qtdeclarative Status: ABANDONED 0 0
          220798,3 Fix use-after-free when clear()ing all elements from a ListModel 5.6 qt/qtdeclarative Status: ABANDONED 0 0
          220932,6 Fix 2 use-after-free problems in the ListModel 5.6 qt/qtdeclarative Status: MERGED +2 0

          Activity

            People

              erikv Erik Verbruggen
              dwyco dwight melcher
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes