Details

- Type: Bug
- Resolution: Done
- Priority: P1: Critical
- 5.12
- None
- Commits: 1d88e9919ff837d535f9bbde53613b6a6b96fcd8 (qt/qtdeclarative/5.12)
Description
This is with the latest 5.12 (ea725e1b54e5a28fb7c37f23acfdd95e6269624a). Reverting b17091b0006e41c0bb4ddf77dbbc09621d809aea makes the heap-use-after-free go away (though I'm then faced with another crash, but that may be unrelated).
```
16:30:11: Starting /Users/mitch/dev/qt5.12-fw/qtquickcontrols2/tests/auto/qquickdrawer/tst_qquickdrawer...
QML debugging is enabled. Only use this in a safe environment.
********* Start testing of tst_QQuickDrawer *********
Config: Using QtTest library 5.12.0, Qt 5.12.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by Clang 10.0.0 (clang-1000.11.45.2) (Apple))
PASS   : tst_QQuickDrawer::Default::initTestCase()
=================================================================
==30815==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000043680 at pc 0x00010ef56c45 bp 0x7ffee7c5a680 sp 0x7ffee7c5a678
READ of size 8 at 0x610000043680 thread T0
    #0 0x10ef56c44 in QQmlPrivate::qdeclarativeelement_destructor(QObject*) qqmlengine.cpp:758
    #1 0x11d1e7208 in QQmlPrivate::QQmlElement<QQuickDrawer>::~QQmlElement() qqmlprivate.h:102
    #2 0x11d1e70e4 in QQmlPrivate::QQmlElement<QQuickDrawer>::~QQmlElement() qqmlprivate.h:101
    #3 0x11d1e7108 in QQmlPrivate::QQmlElement<QQuickDrawer>::~QQmlElement() qqmlprivate.h:101
    #4 0x10d410af5 in QObjectPrivate::deleteChildren() qobject.cpp:2006
    #5 0x10d40ff62 in QObject::~QObject() qobject.cpp:1032
    #6 0x108ae16ed in QQuickItem::~QQuickItem() qquickitem.cpp:2443
    #7 0x108bc2b64 in QQuickRootItem::~QQuickRootItem() qquickwindow_p.h:87
    #8 0x108bbc8f4 in QQuickRootItem::~QQuickRootItem() qquickwindow_p.h:87
    #9 0x108bbc918 in QQuickRootItem::~QQuickRootItem() qquickwindow_p.h:87
    #10 0x108b8f670 in QQuickWindow::~QQuickWindow() qquickwindow.cpp:1342
    #11 0x108f20d6e in QQuickWindowQmlImpl::~QQuickWindowQmlImpl() qquickwindowmodule_p.h:63
    #12 0x108f27dad in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:103
    #13 0x108f27bf4 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101
    #14 0x108f27c18 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101
    #15 0x107ff5a9e in QScopedPointerDeleter<QObject>::cleanup(QObject*) qscopedpointer.h:60
    #16 0x10801127f in QScopedPointer<QObject, QScopedPointerDeleter<QObject> >::~QScopedPointer() qscopedpointer.h:107
    #17 0x107fa8814 in QScopedPointer<QObject, QScopedPointerDeleter<QObject> >::~QScopedPointer() qscopedpointer.h:105
    #18 0x107fa7e77 in tst_QQuickDrawer::defaults() tst_qquickdrawer.cpp:150
    #19 0x107ff2b2b in tst_QQuickDrawer::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qquickdrawer.moc:171
    #20 0x10d34a684 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2288
    #21 0x10c6770fb in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.h:122
    #22 0x10c67544e in QTest::TestMethods::invokeTestOnData(int) const qtestcase.cpp:915
    #23 0x10c678b5a in QTest::TestMethods::invokeTest(int, char const*, QTest::WatchDog*) const qtestcase.cpp:1114
    #24 0x10c67ebc1 in QTest::TestMethods::invokeTests(QObject*) const qtestcase.cpp:1456
    #25 0x10c6828e4 in QTest::qRun() qtestcase.cpp:1896
    #26 0x107ff2775 in runTests(QObject*, int, char**) qtest_quickcontrols.h:68
    #27 0x107ff21c7 in main tst_qquickdrawer.cpp:1319
    #28 0x7fff5986808c in start (libdyld.dylib:x86_64+0x1708c)

0x610000043680 is located 64 bytes inside of 184-byte region [0x610000043640,0x6100000436f8)
freed by thread T0 here:
    #0 0x110311582 in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x63582)
    #1 0x10efd36f3 in QQmlContextData::destroy() qqmlcontext.cpp:675
    #2 0x10ea175c3 in QQmlContextDataRef::clear() qqmlcontext_p.h:342
    #3 0x10eab899e in QQmlContextDataRef::setContextData(QQmlContextData*) qqmlcontext_p.h:326
    #4 0x10eaa8cee in QQmlContextDataRef::operator=(QQmlContextData*) qqmlcontext_p.h:349
    #5 0x10ef56b56 in QQmlPrivate::qdeclarativeelement_destructor(QObject*) qqmlengine.cpp:754
    #6 0x108f27da1 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
    #7 0x108f27bf4 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101
    #8 0x108f27c18 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101
    #9 0x107ff5a9e in QScopedPointerDeleter<QObject>::cleanup(QObject*) qscopedpointer.h:60
    #10 0x10801127f in QScopedPointer<QObject, QScopedPointerDeleter<QObject> >::~QScopedPointer() qscopedpointer.h:107
    #11 0x107fa8814 in QScopedPointer<QObject, QScopedPointerDeleter<QObject> >::~QScopedPointer() qscopedpointer.h:105
    #12 0x107fa7e77 in tst_QQuickDrawer::defaults() tst_qquickdrawer.cpp:150
    #13 0x107ff2b2b in tst_QQuickDrawer::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qquickdrawer.moc:171
    #14 0x10d34a684 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2288
    #15 0x10c6770fb in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.h:122
    #16 0x10c67544e in QTest::TestMethods::invokeTestOnData(int) const qtestcase.cpp:915
    #17 0x10c678b5a in QTest::TestMethods::invokeTest(int, char const*, QTest::WatchDog*) const qtestcase.cpp:1114
    #18 0x10c67ebc1 in QTest::TestMethods::invokeTests(QObject*) const qtestcase.cpp:1456
    #19 0x10c6828e4 in QTest::qRun() qtestcase.cpp:1896
    #20 0x107ff2775 in runTests(QObject*, int, char**) qtest_quickcontrols.h:68
    #21 0x107ff21c7 in main tst_qquickdrawer.cpp:1319
    #22 0x7fff5986808c in start (libdyld.dylib:x86_64+0x1708c)

previously allocated by thread T0 here:
    #0 0x110310fa2 in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x62fa2)
    #1 0x10f1e0223 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) qqmlobjectcreator.cpp:173
    #2 0x10efbcdb5 in QQmlComponentPrivate::beginCreate(QQmlContextData*) qqmlcomponent.cpp:871
    #3 0x10efbc533 in QQmlComponent::beginCreate(QQmlContext*) qqmlcomponent.cpp:823
    #4 0x10efbc35b in QQmlComponent::create(QQmlContext*) qqmlcomponent.cpp:783
    #5 0x107fa756a in tst_QQuickDrawer::defaults() tst_qquickdrawer.cpp:142
    #6 0x107ff2b2b in tst_QQuickDrawer::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qquickdrawer.moc:171
    #7 0x10d34a684 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2288
    #8 0x10c6770fb in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.h:122
    #9 0x10c67544e in QTest::TestMethods::invokeTestOnData(int) const qtestcase.cpp:915
    #10 0x10c678b5a in QTest::TestMethods::invokeTest(int, char const*, QTest::WatchDog*) const qtestcase.cpp:1114
    #11 0x10c67ebc1 in QTest::TestMethods::invokeTests(QObject*) const qtestcase.cpp:1456
    #12 0x10c6828e4 in QTest::qRun() qtestcase.cpp:1896
    #13 0x107ff2775 in runTests(QObject*, int, char**) qtest_quickcontrols.h:68
    #14 0x107ff21c7 in main tst_qquickdrawer.cpp:1319
    #15 0x7fff5986808c in start (libdyld.dylib:x86_64+0x1708c)

SUMMARY: AddressSanitizer: heap-use-after-free qqmlengine.cpp:758 in QQmlPrivate::qdeclarativeelement_destructor(QObject*)
Shadow bytes around the buggy address:
  0x1c2000008680: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2000008690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c20000086a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c20000086b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c20000086c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x1c20000086d0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x1c20000086e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c20000086f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2000008700: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c2000008710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c2000008720: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30815==ABORTING
16:30:15: The program has unexpectedly finished.
16:30:15: The process was ended forcefully.
16:30:15: /Users/mitch/dev/qt5.12-fw/qtquickcontrols2/tests/auto/qquickdrawer/tst_qquickdrawer crashed.
```
For Gerrit Dashboard: QTBUG-72241

# | Subject | Branch | Project | Status | CR | V
---|---|---|---|---|---|---
247341,4 | QML: Fix registering and unregistering of context objects | 5.12 | qt/qtdeclarative | MERGED | -2 | 0