Details
- Bug
- Resolution: Fixed
- P1: Critical
- None
- 6.4.0 FF
- None
Description
Encountered while working on https://codereview.qt-project.org/c/qt/qtwebengine/+/389411 with an ASAN build.
$ cd ~/dev/qt6/qtwebengine/tests/manual/quick/pdf
$ qml pessimizedListView.qml

...then load a large PDF, like a scanned book or something, and scroll back and forth for a while so it starts trying to load and then cancel loading of a lot of pages; eventually this happens:

[ 14.799 D] default QQuickPixmapReader::cancel - attempting to cancel; loading? false thread? QQuickPixmapReaderThreadObject(0x60300036c1f0)
[ 14.799 D] default QQuickPixmapReader::cancel - attempting to cancel; loading? false thread? QQuickPixmapReaderThreadObject(0x60300036c1f0)
[ 14.805 D] qt.imageformat.pdf QPdfIOHandler::load - loading via QPdfFile, reusing document instance QPdfDocument(0x612000027c70)
[ 14.805 D] qt.imageformat.pdf QPdfIOHandler::imageCount - imageCount 704
[ 14.805 D] qt.imageformat.pdf QPdfIOHandler::jumpToImage - virtual bool QPdfIOHandler::jumpToImage(int) 130
[ 14.805 D] qt.imageformat.pdf QPdfIOHandler::imageCount - imageCount 704
[ 14.805 D] qt.imageformat.pdf QPdfIOHandler::imageCount - imageCount 704
[ 14.805 D] qt.imageformat.pdf QPdfIOHandler::read - virtual bool QPdfIOHandler::read(QImage *) 130 QSize(1836, 2632)
[ 14.811 D] qt.pdf.image QQuickPdfPageImage::load - loading page 211 of 0 from "/home/rutledge/doc/1977 ARRL Radio Amateur's Handbook.pdf" status 3
[ 14.812 D] default QQuickPixmapReader::cancel - attempting to cancel; loading? false thread? QQuickPixmapReaderThreadObject(0x60300036c1f0)
[ 15.438 D] qt.pdf.document QPdfDocument::render - page 130 size QSize(1836, 2632) took 627 ms
[ 15.441 D] qt.pdf.image QQuickPdfPageImage::load - loading page 140 of 0 from "/home/rutledge/doc/1977 ARRL Radio Amateur's Handbook.pdf" status 3
[ 15.444 D] qt.pdf.image QQuickPdfPageImage::load - loading page 141 of 0 from "/home/rutledge/doc/1977 ARRL Radio Amateur's Handbook.pdf" status 3
[ 15.445 D] default QQuickPixmapReader::cancel - attempting to cancel; loading? true thread? QQuickPixmapReaderThreadObject(0x60300036c1f0)
=================================================================
==3556000==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030003f2380 at pc 0x7fa56271ff59 bp 0x7fa537e80300 sp 0x7fa537e802f8
READ of size 8 at 0x6030003f2380 thread T43 (QQuickPixmapRea)
    #0 0x7fa56271ff58 in QMetaObject::cast(QObject const*) const /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qmetaobject.cpp:382:25
    #1 0x7fa563dfa0ec in QMetaObject::cast(QObject*) const /home/rutledge/dev/qt6-asan/qtbase/include/QtCore/../../../../qt6/qtbase/src/corelib/kernel/qobjectdefs.h:169:36
    #2 0x7fa56404a00b in QFile* qobject_cast<QFile*>(QObject*) /home/rutledge/dev/qt6-asan/qtbase/include/QtCore/../../../../qt6/qtbase/src/corelib/kernel/qobject.h:478:53
    #3 0x7fa564043401 in QImageReader::fileName() const /home/rutledge/dev/qt6/qtbase/src/gui/image/qimagereader.cpp:830:19
    #4 0x7fa5640483ad in QImageReader::read(QImage*) /home/rutledge/dev/qt6/qtbase/src/gui/image/qimagereader.cpp:1320:45
    #5 0x7fa53a7a2599 in readImage(QUrl const&, QIODevice*, QImage*, QString*, QSize*, int*, QRect const&, QSize const&, QQuickImageProviderOptions const&, QQuickImageProviderOptions::AutoTransform*, int, double) /home/rutledge/dev/qt6/qtdeclarative/src/quick/util/qquickpixmapcache.cpp:451:15
    #6 0x7fa53a7a7d5e in QQuickPixmapReader::processJob(QQuickPixmapReply*, QUrl const&, QString const&, QQmlImageProviderBase::ImageType, QSharedPointer<QQuickImageProvider> const&) /home/rutledge/dev/qt6/qtdeclarative/src/quick/util/qquickpixmapcache.cpp:904:22
    #7 0x7fa53a7a4233 in QQuickPixmapReader::processJobs() /home/rutledge/dev/qt6/qtdeclarative/src/quick/util/qquickpixmapcache.cpp:759:21
    #8 0x7fa53a7a358d in QQuickPixmapReaderThreadObject::event(QEvent*) /home/rutledge/dev/qt6/qtdeclarative/src/quick/util/qquickpixmapcache.cpp:663:17
    #9 0x7fa5626d076d in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1241:26
    #10 0x7fa5626cfaef in doNotify(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1170:47
    #11 0x7fa5626cfd03 in QCoreApplication::notify(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1153:12
    #12 0x7fa56414bd53 in QGuiApplication::notify(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/gui/kernel/qguiapplication.cpp:1934:30
    #13 0x7fa5626cf7a6 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1074:18
    #14 0x7fa5626d1ac8 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1490:12
    #15 0x7fa5626d40d6 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1854:9
    #16 0x7fa5626d18cc in QCoreApplication::sendPostedEvents(QObject*, int) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1713:5
    #17 0x7fa5633c9580 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:279:5
    #18 0x7fa5618e7f12 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x54f12)
    #19 0x7fa56193e0d8 (/usr/lib/libglib-2.0.so.0+0xab0d8)
    #20 0x7fa5618e5484 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x52484)
    #21 0x7fa5633c7310 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:429:19
    #22 0x7fa562711a76 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qeventloop.cpp:136:55
    #23 0x7fa5627120c3 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qeventloop.cpp:218:9
    #24 0x7fa562c729b4 in QThread::exec() /home/rutledge/dev/qt6/qtbase/src/corelib/thread/qthread.cpp:564:32
    #25 0x7fa53a7ab547 in QQuickPixmapReader::run() /home/rutledge/dev/qt6/qtdeclarative/src/quick/util/qquickpixmapcache.cpp:1038:5
    #26 0x7fa562ea9757 in QThreadPrivate::start(void*)::$_0::operator()() const /home/rutledge/dev/qt6/qtbase/src/corelib/thread/qthread_unix.cpp:358:14
    #27 0x7fa562ea561c in void (anonymous namespace)::terminate_on_exception<QThreadPrivate::start(void*)::$_0>(QThreadPrivate::start(void*)::$_0&&) /home/rutledge/dev/qt6/qtbase/src/corelib/thread/qthread_unix.cpp:294:9
    #28 0x7fa562ea528b in QThreadPrivate::start(void*) /home/rutledge/dev/qt6/qtbase/src/corelib/thread/qthread_unix.cpp:317:5
    #29 0x7fa561eed258 in start_thread pthread_create.c
    #30 0x7fa561de75e2 in clone (/usr/lib/libc.so.6+0xfe5e2)

0x6030003f2380 is located 0 bytes inside of 24-byte region [0x6030003f2380,0x6030003f2398)
freed by thread T0 here:
    #0 0x563843f522b9 in operator delete(void*) (/home/rutledge/dev/qt6-asan/qtbase/bin/qml+0x1112b9)
    #1 0x7fa53f453091 in QPdfFile::~QPdfFile() /home/rutledge/dev/qt6-asan/qtwebengine/src/pdf/Pdf_autogen/EWIEGA46WW/../../../../../../qt6/qtwebengine/src/pdf/qpdffile_p.h:57:20
    #2 0x7fa53869adc2 in QScopedPointerDeleter<QPdfFile>::cleanup(QPdfFile*) /home/rutledge/dev/qt6-asan/qtbase/include/QtCore/../../../../qt6/qtbase/src/corelib/tools/qscopedpointer.h:60:9
    #3 0x7fa53869ad21 in QScopedPointer<QPdfFile, QScopedPointerDeleter<QPdfFile> >::~QScopedPointer() /home/rutledge/dev/qt6-asan/qtbase/include/QtCore/../../../../qt6/qtbase/src/corelib/tools/qscopedpointer.h:116:9
    #4 0x7fa53869a1fe in QQuickPdfPageImagePrivate::~QQuickPdfPageImagePrivate() /home/rutledge/dev/qt6/qtwebengine/src/pdfquick/qquickpdfpageimage.cpp:62:7
    #5 0x7fa53869a228 in QQuickPdfPageImagePrivate::~QQuickPdfPageImagePrivate() /home/rutledge/dev/qt6/qtwebengine/src/pdfquick/qquickpdfpageimage.cpp:62:7
    #6 0x7fa5628aef12 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) /home/rutledge/dev/qt6-asan/qtbase/include/QtCore/../../../../qt6/qtbase/src/corelib/tools/qscopedpointer.h:60:9
    #7 0x7fa56289aa71 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() /home/rutledge/dev/qt6-asan/qtbase/include/QtCore/../../../../qt6/qtbase/src/corelib/tools/qscopedpointer.h:116:9
    #8 0x7fa562875aa2 in QObject::~QObject() /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qobject.cpp:1116:1
    #9 0x7fa539f0ffb3 in QQuickItem::~QQuickItem() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitem.cpp:2398:1
    #10 0x7fa539efdeb4 in QQuickImplicitSizeItem::~QQuickImplicitSizeItem() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickimplicitsizeitem_p.h:60:30
    #11 0x7fa539ef64c4 in QQuickImageBase::~QQuickImageBase() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickimagebase.cpp:96:1
    #12 0x7fa539ef015f in QQuickImage::~QQuickImage() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickimage.cpp:215:1
    #13 0x7fa538697024 in QQuickPdfPageImage::~QQuickPdfPageImage() /home/rutledge/dev/qt6/qtwebengine/src/pdfquick/qquickpdfpageimage.cpp:84:1
    #14 0x7fa5386cf260 in QQmlPrivate::QQmlElement<QQuickPdfPageImage>::~QQmlElement() /home/rutledge/dev/qt6-asan/qtbase/include/QtQml/../../../../qt6/qtdeclarative/src/qml/qml/qqmlprivate.h:135:9
    #15 0x7fa5386cf288 in QQmlPrivate::QQmlElement<QQuickPdfPageImage>::~QQmlElement() /home/rutledge/dev/qt6-asan/qtbase/include/QtQml/../../../../qt6/qtdeclarative/src/qml/qml/qqmlprivate.h:133:33
    #16 0x7fa562876006 in QObjectPrivate::deleteChildren() /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qobject.cpp:2138:9
    #17 0x7fa5628759a1 in QObject::~QObject() /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qobject.cpp:1107:12
    #18 0x7fa539f0ffb3 in QQuickItem::~QQuickItem() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitem.cpp:2398:1
    #19 0x7fa53a0b9bb4 in QQuickRectangle::~QQuickRectangle() /home/rutledge/dev/qt6-asan/qtdeclarative/src/quick/Quick_autogen/include/../../../../../../qt6/qtdeclarative/src/quick/items/qquickrectangle_p.h:164:30
    #20 0x7fa53ab069d0 in QQmlPrivate::QQmlElement<QQuickRectangle>::~QQmlElement() /home/rutledge/dev/qt6-asan/qtbase/include/QtQml/../../../../qt6/qtdeclarative/src/qml/qml/qqmlprivate.h:135:9
    #21 0x7fa53ab069f8 in QQmlPrivate::QQmlElement<QQuickRectangle>::~QQmlElement() /home/rutledge/dev/qt6-asan/qtbase/include/QtQml/../../../../qt6/qtdeclarative/src/qml/qml/qqmlprivate.h:133:33
    #22 0x7fa5628784c2 in qDeleteInEventHandler(QObject*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qobject.cpp:4825:5
    #23 0x7fa562877bb1 in QObject::event(QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qobject.cpp:1356:9
    #24 0x7fa539f43e5b in QQuickItem::event(QEvent*) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitem.cpp:8711:25
    #25 0x7fa5626d076d in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1241:26
    #26 0x7fa5626cfaef in doNotify(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1170:47
    #27 0x7fa5626cfd03 in QCoreApplication::notify(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1153:12
    #28 0x7fa56414bd53 in QGuiApplication::notify(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/gui/kernel/qguiapplication.cpp:1934:30
    #29 0x7fa5626cf7a6 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qcoreapplication.cpp:1074:18

previously allocated by thread T0 here:
    #0 0x563843f51899 in operator new(unsigned long) (/home/rutledge/dev/qt6-asan/qtbase/bin/qml+0x110899)
    #1 0x7fa538697509 in QQuickPdfPageImage::setDocument(QQuickPdfDocument*) /home/rutledge/dev/qt6/qtwebengine/src/pdfquick/qquickpdfpageimage.cpp:98:26
    #2 0x7fa53865bf79 in QQuickPdfPageImage::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/rutledge/dev/qt6-asan/qtwebengine/src/pdfquick/PdfQuick_autogen/EWIEGA46WW/moc_qquickpdfpageimage_p.cpp:119:21
    #3 0x7fa5690bc669 in QQmlPropertyData::writeProperty(QObject*, void*, QFlags<QQmlPropertyData::WriteFlag>) const /home/rutledge/dev/qt6-asan/qtbase/include/QtQml/6.4.0/QtQml/private/../../../../../../../qt6/qtdeclarative/src/qml/qml/qqmlpropertydata_p.h:375:13
    #4 0x7fa56910d878 in bool QObjectPointerBinding::compareAndSet<QObjectPointerBinding::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>)::'lambda'()>(QQmlMetaObject const&, QObject*, QQmlPropertyData*, QFlags<QQmlPropertyData::WriteFlag>, QObjectPointerBinding::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>)::'lambda'() const&) const /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlbinding.cpp:897:24
    #5 0x7fa56910bb02 in QObjectPointerBinding::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlbinding.cpp:884:16
    #6 0x7fa5690f5426 in QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlbinding.cpp:285:26
    #7 0x7fa5690d7f34 in QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlbinding.cpp:199:5
    #8 0x7fa5690de08d in QQmlBinding::setEnabled(bool, QFlags<QQmlPropertyData::WriteFlag>) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlbinding.cpp:674:9
    #9 0x7fa5690de2c0 in non-virtual thunk to QQmlBinding::setEnabled(bool, QFlags<QQmlPropertyData::WriteFlag>) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlbinding.cpp
    #10 0x7fa5693aedec in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1395:12
    #11 0x7fa56929b6f2 in QQmlIncubatorPrivate::incubate(QQmlInstantiationInterrupt&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlincubator.cpp:365:26
    #12 0x7fa569299cd0 in QQmlEnginePrivate::incubate(QQmlIncubator&, QQmlRefPointer<QQmlContextData> const&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlincubator.cpp:90:16
    #13 0x7fa56915a3c9 in QQmlComponentPrivate::incubateObject(QQmlIncubator*, QQmlComponent*, QQmlEngine*, QQmlRefPointer<QQmlContextData> const&, QQmlRefPointer<QQmlContextData> const&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1279:17
    #14 0x7fa53bf39275 in QQmlDelegateModelPrivate::object(QQmlListCompositor::Group, int, QQmlIncubator::IncubationMode) /home/rutledge/dev/qt6/qtdeclarative/src/qmlmodels/qqmldelegatemodel.cpp:1330:13
    #15 0x7fa53bf3a58b in QQmlDelegateModel::object(int, QQmlIncubator::IncubationMode) /home/rutledge/dev/qt6/qtdeclarative/src/qmlmodels/qqmldelegatemodel.cpp:1371:15
    #16 0x7fa53adf82e8 in QQuickItemViewPrivate::createItem(int, QQmlIncubator::IncubationMode) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview.cpp:2351:60
    #17 0x7fa53ae4a541 in QQuickListViewPrivate::addVisibleItems(double, double, double, double, bool) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquicklistview.cpp:806:49
    #18 0x7fa53adfa08b in QQuickItemViewPrivate::refill(double, double) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview.cpp:1801:22
    #19 0x7fa53addf52c in QQuickItemViewPrivate::refill() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview.cpp:1771:9
    #20 0x7fa53adc374c in QQuickItemViewPrivate::refillOrLayout() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview_p_p.h:232:13
    #21 0x7fa53ae657de in QQuickListView::viewportMoved(QFlags<Qt::Orientation>) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquicklistview.cpp:3409:8
    #22 0x7fa539ea42c4 in QQuickFlickablePrivate::itemGeometryChanged(QQuickItem*, QQuickGeometryChange, QRectF const&) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickflickable.cpp:345:16
    #23 0x7fa53adefbe3 in QQuickItemViewPrivate::itemGeometryChanged(QQuickItem*, QQuickGeometryChange, QRectF const&) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview.cpp:1169:29
    #24 0x7fa53ae59a23 in QQuickListViewPrivate::itemGeometryChanged(QQuickItem*, QQuickGeometryChange, QRectF const&) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquicklistview.cpp:1583:28
    #25 0x7fa53ae5ab1a in non-virtual thunk to QQuickListViewPrivate::itemGeometryChanged(QQuickItem*, QQuickGeometryChange, QRectF const&) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquicklistview.cpp
    #26 0x7fa539f6890c in QQuickItem::geometryChange(QRectF const&, QRectF const&)::$_2::operator()(QQuickItemPrivate::ChangeListener const&) const /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitem.cpp:3795:32
    #27 0x7fa539f22b82 in void QQuickItemPrivate::notifyChangeListeners<QQuickItem::geometryChange(QRectF const&, QRectF const&)::$_2>(QFlags<QQuickItemPrivate::ChangeType>, QQuickItem::geometryChange(QRectF const&, QRectF const&)::$_2&&) /home/rutledge/dev/qt6-asan/qtdeclarative/src/quick/Quick_autogen/include/../../../../../../qt6/qtdeclarative/src/quick/items/qquickitem_p.h:386:17
    #28 0x7fa539f22589 in QQuickItem::geometryChange(QRectF const&, QRectF const&) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitem.cpp:3793:8
    #29 0x7fa539f3a2e5 in QQuickItem::setY(double) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitem.cpp:6962:5

Thread T43 (QQuickPixmapRea) created by T0 here:
    #0 0x563843e88954 in pthread_create (/home/rutledge/dev/qt6-asan/qtbase/bin/qml+0x47954)
    #1 0x7fa562ea709f in QThread::start(QThread::Priority) /home/rutledge/dev/qt6/qtbase/src/corelib/thread/qthread_unix.cpp:744:16
    #2 0x7fa53a79faf5 in QQuickPixmapReader::QQuickPixmapReader(QQmlEngine*) /home/rutledge/dev/qt6/qtdeclarative/src/quick/util/qquickpixmapcache.cpp:523:5
    #3 0x7fa53a7aa42d in QQuickPixmapReader::instance(QQmlEngine*) /home/rutledge/dev/qt6/qtdeclarative/src/quick/util/qquickpixmapcache.cpp:975:22
    #4 0x7fa53a7b6fe2 in QQuickPixmap::loadAsync(QQmlEngine*, QIODevice*, QUrl const&, QRect const&, QSize const&, QQuickImageProviderOptions const&, int, int) /home/rutledge/dev/qt6/qtdeclarative/src/quick/util/qquickpixmapcache.cpp:1782:20
    #5 0x7fa53869853d in QQuickPdfPageImage::load() /home/rutledge/dev/qt6/qtwebengine/src/pdfquick/qquickpdfpageimage.cpp:129:12
    #6 0x7fa539efb4d9 in QQuickImageBase::componentComplete() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickimagebase.cpp:464:9
    #7 0x7fa539efb4f8 in non-virtual thunk to QQuickImageBase::componentComplete() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickimagebase.cpp
    #8 0x7fa5693af57f in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1436:25
    #9 0x7fa56929b6f2 in QQmlIncubatorPrivate::incubate(QQmlInstantiationInterrupt&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlincubator.cpp:365:26
    #10 0x7fa569299cd0 in QQmlEnginePrivate::incubate(QQmlIncubator&, QQmlRefPointer<QQmlContextData> const&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlincubator.cpp:90:16
    #11 0x7fa56915a3c9 in QQmlComponentPrivate::incubateObject(QQmlIncubator*, QQmlComponent*, QQmlEngine*, QQmlRefPointer<QQmlContextData> const&, QQmlRefPointer<QQmlContextData> const&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1279:17
    #12 0x7fa53bf39275 in QQmlDelegateModelPrivate::object(QQmlListCompositor::Group, int, QQmlIncubator::IncubationMode) /home/rutledge/dev/qt6/qtdeclarative/src/qmlmodels/qqmldelegatemodel.cpp:1330:13
    #13 0x7fa53bf3a58b in QQmlDelegateModel::object(int, QQmlIncubator::IncubationMode) /home/rutledge/dev/qt6/qtdeclarative/src/qmlmodels/qqmldelegatemodel.cpp:1371:15
    #14 0x7fa53adf82e8 in QQuickItemViewPrivate::createItem(int, QQmlIncubator::IncubationMode) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview.cpp:2351:60
    #15 0x7fa53ae49e8a in QQuickListViewPrivate::addVisibleItems(double, double, double, double, bool) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquicklistview.cpp:789:49
    #16 0x7fa53adfa08b in QQuickItemViewPrivate::refill(double, double) /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview.cpp:1801:22
    #17 0x7fa53addf52c in QQuickItemViewPrivate::refill() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview.cpp:1771:9
    #18 0x7fa53adf4656 in QQuickItemView::componentComplete() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview.cpp:1496:12
    #19 0x7fa53adf4b98 in non-virtual thunk to QQuickItemView::componentComplete() /home/rutledge/dev/qt6/qtdeclarative/src/quick/items/qquickitemview.cpp
    #20 0x7fa5693af57f in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1436:25
    #21 0x7fa569157c12 in QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1042:25
    #22 0x7fa569153506 in QQmlComponentPrivate::completeCreate() /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1136:9
    #23 0x7fa569157e91 in QQmlComponent::completeCreate() /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1123:8
    #24 0x7fa569156055 in QQmlComponent::create(QQmlContext*) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:863:9
    #25 0x7fa5690cb380 in QQmlApplicationEnginePrivate::finishLoad(QQmlComponent*) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:155:54
    #26 0x7fa5690cac8c in QQmlApplicationEnginePrivate::startLoad(QUrl const&, QByteArray const&, bool) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:139:9
    #27 0x7fa5690cc56b in QQmlApplicationEngine::load(QUrl const&) /home/rutledge/dev/qt6/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:292:8
    #28 0x563843f653bb in main /home/rutledge/dev/qt6/qtdeclarative/tools/qml/main.cpp:643:11
    #29 0x7fa561d10b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: heap-use-after-free /home/rutledge/dev/qt6/qtbase/src/corelib/kernel/qmetaobject.cpp:382:25 in QMetaObject::cast(QObject const*) const
Shadow bytes around the buggy address:
  0x0c0680076420: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x0c0680076430: 00 fa fa fa 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c0680076440: fa fa fa fa fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c0680076450: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c0680076460: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
=>0x0c0680076470:[fd]fd fd fa fa fa fd fd fd fd fa fa 00 00 00 00
  0x0c0680076480: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
  0x0c0680076490: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800764a0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c06800764b0: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
  0x0c06800764c0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3556000==ABORTING
The code in QImageReader is this:
    // successful read; check for "@Nx" file name suffix and set device pixel ratio.
    static bool disableNxImageLoading = !qEnvironmentVariableIsEmpty("QT_HIGHDPI_DISABLE_2X_IMAGE_LOADING");
    if (!disableNxImageLoading) {
        const QByteArray suffix = QFileInfo(fileName()).baseName().right(3).toLatin1();
        if (suffix.length() == 3 && suffix[0] == '@' && suffix[1] >= '2' && suffix[1] <= '9' && suffix[2] == 'x')
            image->setDevicePixelRatio(suffix[1] - '0');
    }
which of course isn't relevant for PDF pages anyway; but the problem is that it calls fileName():
    QString QImageReader::fileName() const
    {
        QFile *file = qobject_cast<QFile *>(d->device); // line 830, crash because d->device is dangling
        return file ? file->fileName() : QString();
    }
where d->device is my new QPdfFile subclass of QFile. That gets deleted along with the rendering job when the ListView deletes its PdfPageImage delegate.
Perhaps I could come up with a way that it doesn't need to get deleted, though.
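The lifetime problem in the report above, as an added example that is not part of the original report and is not Qt code: a queued read outlives the delegate that owns the device, and the job either co-owns the device or observes it and cancels when it is gone. `Device`, `PageItem`, `ReaderQueue` and `destroyItemBeforeRead` are hypothetical names, a plain job queue stands in for the reader thread, and this does not claim to be the fix that was applied.

```cpp
// Added illustration, not Qt source. Device, PageItem and ReaderQueue are
// hypothetical stand-ins for QPdfFile, the PdfPageImage delegate and the
// pixmap reader. The crashing shape (job holds a raw Device*) is not executed.
#include <deque>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

int g_liveDevices = 0;                       // devices currently allocated

struct Device {
    explicit Device(std::string n) : name(std::move(n)) { ++g_liveDevices; }
    ~Device() { --g_liveDevices; }
    std::string fileName() const { return name; }
    std::string name;
};

enum class Outcome { Read, Cancelled };
struct Result { Outcome outcome; std::string fileName; };

// Jobs run later than they were queued, as they do on the reader thread.
class ReaderQueue {
public:
    // Strategy 1: the job co-owns the device, so it outlives the delegate.
    void enqueueShared(std::shared_ptr<Device> dev) {
        jobs.push_back([dev] { return Result{Outcome::Read, dev->fileName()}; });
    }
    // Strategy 2: the job only observes the device and must pin it before use;
    // an expired device is reported as a cancelled request.
    void enqueueWeak(std::weak_ptr<Device> dev) {
        jobs.push_back([dev] {
            if (std::shared_ptr<Device> pinned = dev.lock())  // held for the whole read
                return Result{Outcome::Read, pinned->fileName()};
            return Result{Outcome::Cancelled, std::string()};
        });
    }
    std::vector<Result> processJobs() {
        std::vector<Result> out;
        while (!jobs.empty()) {
            out.push_back(jobs.front()());
            jobs.pop_front();                // dropping the job releases its reference
        }
        return out;
    }
private:
    std::deque<std::function<Result()>> jobs;
};

// The delegate owns the device and can be destroyed while a job is queued.
struct PageItem {
    explicit PageItem(const std::string &path) : device(std::make_shared<Device>(path)) {}
    std::shared_ptr<Device> device;
};

// Queue a read, destroy the delegate, then let the reader run.
std::vector<Result> destroyItemBeforeRead(bool shareOwnership) {
    ReaderQueue reader;
    {
        PageItem item("book.pdf");           // constructed sample path
        if (shareOwnership) reader.enqueueShared(item.device);
        else reader.enqueueWeak(item.device);
    }                                        // delegate destroyed here
    return reader.processJobs();
}

int main() {
    for (bool shared : {true, false})
        std::cout << (shared ? "shared: " : "weak:   ")
                  << (destroyItemBeforeRead(shared).front().outcome == Outcome::Read ? "read" : "cancelled")
                  << '\n';
}
```

Shared ownership keeps the device allocated until the queued job has run; the observing variant frees it with the delegate and turns the late read into a cancellation.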
Attachments
Issue Links
- resulted in
- QTBUG-102426 race condition when using QQuickPdfPageImage and changing sources too soon
- Closed