QTBUG-102327

Address sanitizer caught heap-use-after-free in tst_QWidget::deleteWindowInCloseEvent


    • Linux/X11
    • 9ab06e6185 (qt/qtbase/dev) b143ad8068 (qt/qtbase/6.3) b143ad8068 (qt/tqtc-qtbase/6.3) 9ab06e6185 (qt/tqtc-qtbase/dev) f9edda4024 (qt/tqtc-qtbase/6.2)

      As reported in CodeChecker. Unfortunately the reporting format of CodeChecker is not so helpful with ASAN errors, so I append the full log here.

      The error is easily reproducible for me, see below (EDIT: re-uploaded run with more verbosity and deeper stacktraces and broke the output into multiple noformat blocks for readability).

      $ ASAN_OPTIONS=malloc_context_size=60   tests/auto/widgets/kernel/qwidget/tst_qwidget  -v2 -vs deleteWindowInCloseEvent
      ********* Start testing of tst_QWidget *********
      Config: Using QtTest library 6.4.0, Qt 6.4.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by Clang 13.0.1 ), ubuntu 20.04
      INFO   : tst_QWidget::initTestCase() entering
      PASS   : tst_QWidget::initTestCase()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() entering
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidgetWindow(QWidgetClassWindow 608000001aa0) objectNameChanged (QString(QWidgetClassWindow))
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidgetWindow(QWidgetClassWindow 608000001aa0) widthChanged (int(640))
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidgetWindow(QWidgetClassWindow 608000001aa0) heightChanged (int(480))
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidgetWindow(QWidgetClassWindow 608000001aa0) visibleChanged (bool(true))
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidgetWindow(QWidgetClassWindow 608000001aa0) visibilityChanged ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QDBusConnectionManager(7fc54d452ee0) connectionRequested ((ConnectionRequestData*)7ffd51f863e0)
      INFO   : tst_QWidget::deleteWindowInCloseEvent()     Signal: QDBusConnectionManager(7fc54d452ee0) started ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent()     Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent()     Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent()     Signal: QDBusConnectionPrivate(614000020040) signalNeedsConnecting (QString(NameOwnerChanged:org.freedesktop.DBus), )
      INFO   : tst_QWidget::deleteWindowInCloseEvent()     Signal: QEventDispatcherGlib(60200000f010) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QDBusConnectionPrivate(614000020040) messageNeedsSending ((QDBusPendingCallPrivate*)60d000005f50, (void*)610000018440, int(-1))
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QSocketNotifier(60200000f4f0) activated (QSocketDescriptor(), QSocketNotifier::Type())
      INFO   : tst_QWidget::deleteWindowInCloseEvent()     Signal: QDBusConnectionPrivate(614000020040) dispatchStatusChanged ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QSocketNotifier(60200000f4f0) activated (int(8))
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QDBusConnectionManager(7fc54d452ee0) connectionRequested ((ConnectionRequestData*)7ffd51f86500)
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent()     Signal: DBusConnection(604000019bd0) enabledChanged (bool(true))
      INFO   : tst_QWidget::deleteWindowInCloseEvent()     Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QXcbGlibEventDispatcher(60700000a890) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QDBusConnectionPrivate(614000020040) dispatchStatusChanged ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) awake ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QEventDispatcherGlib(60200000f010) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidgetWindow(QWidgetClassWindow 608000001aa0) windowStateChanged ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QApplication(7ffd51f8a950) applicationStateChanged ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QApplication(7ffd51f8a950) focusObjectChanged ((QObject*)604000018d50)
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QApplication(7ffd51f8a950) focusWindowChanged ((QWindow*)608000001aa0)
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidgetWindow(QWidgetClassWindow 608000001aa0) activeChanged ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QInputMethod(602000010450) inputItemClipRectangleChanged ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidgetWindow(QWidgetClassWindow 608000001aa0) xChanged (int(1670))
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidgetWindow(QWidgetClassWindow 608000001aa0) yChanged (int(854))
      INFO   : tst_QWidget::deleteWindowInCloseEvent() QVERIFY(QTest::qWaitForWindowExposed(widget))
         Loc: [/home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp(12573)]
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QXcbGlibEventDispatcher(60700000a890) aboutToBlock ()
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QWidget(604000018d50) destroyed ((QObject*)604000018d50)
      INFO   : tst_QWidget::deleteWindowInCloseEvent() Signal: QApplication(7ffd51f8a950) lastWindowClosed ()
      =================================================================
      ==3737029==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000002913 at pc 0x7fc54fc34939 bp 0x7ffd51f82df0 sp 0x7ffd51f82de8
      
      WRITE of size 1 at 0x613000002913 thread T0
          #0 0x7fc54fc34938 in QBoolBlocker::~QBoolBlocker() /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/6.4.0/QtCore/private/../../../../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobject_p.h:662:36
          #1 0x7fc54fc267eb in QWindow::close() /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qwindow.cpp:2277:1
          #2 0x7fc551c39a38 in QWidgetPrivate::close() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8519:34
          #3 0x7fc551c77ecc in QWidget::close() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8504:22
          #4 0x7ca4be in tst_QWidget::deleteWindowInCloseEvent()::$_14::operator()() const /home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp:12575:17
          #5 0x7ca3d6 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, tst_QWidget::deleteWindowInCloseEvent()::$_14>::call(tst_QWidget::deleteWindowInCloseEvent()::$_14&, void**) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:163:13
          #6 0x7ca300 in void QtPrivate::Functor<tst_QWidget::deleteWindowInCloseEvent()::$_14, 0>::call<QtPrivate::List<>, void>(tst_QWidget::deleteWindowInCloseEvent()::$_14&, void*, void**) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:277:13
          #7 0x7ca2a0 in QtPrivate::QFunctorSlotObject<tst_QWidget::deleteWindowInCloseEvent()::$_14, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:444:17
          #8 0x7fc54e150fea in QtPrivate::QSlotObjectBase::call(QObject*, void**) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:399:51
          #9 0x7fc54e27cc51 in QMetaCallEvent::placeMetaCall(QObject*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobject.cpp:634:21
          #10 0x7fc54e28107c in QObject::event(QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobject.cpp:1394:18
          #11 0x7fc551c7e1a6 in QWidget::event(QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:9292:25
          #12 0x7fc551aae660 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3340:26
          #13 0x7fc551ab909e in QApplication::notify(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3287:22
          #14 0x7fc54e0e5bd9 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1070:18
          #15 0x7fc54e0e7d88 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1486:12
          #16 0x7fc54e0ea178 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1850:9
          #17 0x7fc54e0e7b8c in QCoreApplication::sendPostedEvents(QObject*, int) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1709:5
          #18 0x7fc54ede12e0 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:279:5
          #19 0x7fc54d4a617c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5217c)
          #20 0x7fc54d4a63ff  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff)
          #21 0x7fc54d4a64a2 in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x524a2)
          #22 0x7fc54eddf200 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:429:19
          #23 0x7fc54872e0d1 in QXcbGlibEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/cc-runs/src/qt/qt5/qtbase/src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:132:34
          #24 0x7fc54e126297 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qeventloop.cpp:136:55
          #25 0x7fc54e12689b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qeventloop.cpp:218:9
          #26 0x7fc54e0e75eb in QCoreApplication::exec() /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1391:32
          #27 0x7fc54fa98545 in QGuiApplication::exec() /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qguiapplication.cpp:1893:12
          #28 0x7fc551ab1a58 in QApplication::exec() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qapplication.cpp:2621:12
          #29 0x7593e2 in tst_QWidget::deleteWindowInCloseEvent() /home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp:12577:5
          #30 0x75e681 in tst_QWidget::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/tests/auto/widgets/kernel/qwidget/tst_qwidget_autogen/include/tst_qwidget.moc:998:23
          #31 0x7fc54e1408d4 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qmetaobject.cpp:2393:13
          #32 0x7fc55360c081 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qmetaobject.h:126:16
          #33 0x7fc5535f4900 in QTest::TestMethods::invokeTestOnData(int) const /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:967:45
          #34 0x7fc5535f6a40 in QTest::TestMethods::invokeTest(int, char const*, QTest::WatchDog*) const /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:1218:17
          #35 0x7fc5535fbe41 in QTest::TestMethods::invokeTests(QObject*) const /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:1560:33
          #36 0x7fc5535fd6e1 in QTest::qRun() /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:2026:14
          #37 0x7fc5535fc7a7 in QTest::qExec(QObject*, int, char**) /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:1928:15
          #38 0x75d8f5 in main /home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp:12733:1
          #39 0x7fc54d73c0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
          #40 0x443e0d in _start (/home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/tests/auto/widgets/kernel/qwidget/tst_qwidget+0x443e0d)
      
      0x613000002913 is located 147 bytes inside of 384-byte region [0x613000002880,0x613000002a00)
      freed by thread T0 here:
          #0 0x4f2bdd in operator delete(void*) (/home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/tests/auto/widgets/kernel/qwidget/tst_qwidget+0x4f2bdd)
          #1 0x7fc551d17b81 in QWidgetWindowPrivate::~QWidgetWindowPrivate() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidgetwindow.cpp:69:7
          #2 0x7fc54e2bba02 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/tools/qscopedpointer.h:60:9
          #3 0x7fc54e2a30a1 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/tools/qscopedpointer.h:116:9
          #4 0x7fc54e27eadb in QObject::~QObject() /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobject.cpp:1124:1
          #5 0x7fc54fc12cb1 in QWindow::~QWindow() /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qwindow.cpp:237:1
          #6 0x7fc551d06b6e in QWidgetWindow::~QWidgetWindow() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidgetwindow.cpp:171:1
          #7 0x7fc551d06bb8 in QWidgetWindow::~QWidgetWindow() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidgetwindow.cpp:170:1
          #8 0x7fc551c3a9fe in QWidgetPrivate::deleteTLSysExtra() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:1742:9
          #9 0x7fc551c3a025 in QWidget::destroy(bool, bool) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:12341:16
          #10 0x7fc551c390c2 in QWidget::~QWidget() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:1578:9
          #11 0x858a04 in DeleteOnCloseEventWidget::~DeleteOnCloseEventWidget() /home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp:12553:7
          #12 0x858a28 in DeleteOnCloseEventWidget::~DeleteOnCloseEventWidget() /home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp:12553:7
          #13 0x858ac3 in DeleteOnCloseEventWidget::closeEvent(QCloseEvent*) /home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp:12559:9
          #14 0x7fc551c7c69a in QWidget::event(QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:9030:9
          #15 0x7fc551aae660 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3340:26
          #16 0x7fc551ab909e in QApplication::notify(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3287:22
          #17 0x7fc54e0e5bd9 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1070:18
          #18 0x7fc54e0e7d88 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1486:12
          #19 0x7fc551c79a54 in QWidgetPrivate::handleClose(QWidgetPrivate::CloseMode) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8458:13
          #20 0x7fc551d153a7 in QWidgetWindow::closeEvent(QCloseEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidgetwindow.cpp:828:41
          #21 0x7fc54fc27812 in QWindow::event(QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qwindow.cpp:2488:9
          #22 0x7fc551d074ea in QWidgetWindow::event(QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidgetwindow.cpp:373:21
          #23 0x7fc551aae660 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3340:26
          #24 0x7fc551ab90e2 in QApplication::notify(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3291:18
          #25 0x7fc54e0e5bd9 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1070:18
          #26 0x7fc54e0e7e68 in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1500:12
          #27 0x7fc54faa5462 in QGuiApplicationPrivate::processCloseEvent(QWindowSystemInterfacePrivate::CloseEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qguiapplication.cpp:2657:5
          #28 0x7fc54fa99b1f in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qguiapplication.cpp:2076:9
          #29 0x7fc54fc71c60 in bool QWindowSystemHelper<QWindowSystemInterface::SynchronousDelivery>::handleEvent<QWindowSystemInterfacePrivate::CloseEvent, QWindow*>(QWindow*) /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:135:9
          #30 0x7fc54fc54584 in bool handleWindowSystemEvent<QWindowSystemInterfacePrivate::CloseEvent, QWindowSystemInterface::SynchronousDelivery, QWindow*>(QWindow*) /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:167:12
          #31 0x7fc54fc5f0a1 in bool QWindowSystemInterface::handleCloseEvent<QWindowSystemInterface::SynchronousDelivery>(QWindow*) /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:374:12
          #32 0x7fc54fbbe9ec in QPlatformWindow::close() /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qplatformwindow.cpp:365:12
      NOTE: The heap-use-after-free listed above happens in this frame
          #33 0x7fc54fc267d0 in QWindow::close() /home/cc-runs/src/qt/qt5/qtbase/src/gui/kernel/qwindow.cpp:2276:31
          #34 0x7fc551c39a38 in QWidgetPrivate::close() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8519:34
          #35 0x7fc551c77ecc in QWidget::close() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8504:22
          #36 0x7ca4be in tst_QWidget::deleteWindowInCloseEvent()::$_14::operator()() const /home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp:12575:17
          #37 0x7ca3d6 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, tst_QWidget::deleteWindowInCloseEvent()::$_14>::call(tst_QWidget::deleteWindowInCloseEvent()::$_14&, void**) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:163:13
          #38 0x7ca300 in void QtPrivate::Functor<tst_QWidget::deleteWindowInCloseEvent()::$_14, 0>::call<QtPrivate::List<>, void>(tst_QWidget::deleteWindowInCloseEvent()::$_14&, void*, void**) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:277:13
          #39 0x7ca2a0 in QtPrivate::QFunctorSlotObject<tst_QWidget::deleteWindowInCloseEvent()::$_14, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:444:17
          #40 0x7fc54e150fea in QtPrivate::QSlotObjectBase::call(QObject*, void**) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobjectdefs_impl.h:399:51
          #41 0x7fc54e27cc51 in QMetaCallEvent::placeMetaCall(QObject*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobject.cpp:634:21
          #42 0x7fc54e28107c in QObject::event(QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobject.cpp:1394:18
          #43 0x7fc551c7e1a6 in QWidget::event(QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:9292:25
          #44 0x7fc551aae660 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3340:26
          #45 0x7fc551ab909e in QApplication::notify(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3287:22
          #46 0x7fc54e0e5bd9 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1070:18
          #47 0x7fc54e0e7d88 in QCoreApplication::sendEvent(QObject*, QEvent*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1486:12
          #48 0x7fc54e0ea178 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1850:9
          #49 0x7fc54e0e7b8c in QCoreApplication::sendPostedEvents(QObject*, int) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1709:5
          #50 0x7fc54ede12e0 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:279:5
          #51 0x7fc54d4a617c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5217c)
      
      previously allocated by thread T0 here:
          #0 0x4f237d in operator new(unsigned long) (/home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/tests/auto/widgets/kernel/qwidget/tst_qwidget+0x4f237d)
          #1 0x7fc551d06160 in QWidgetWindow::QWidgetWindow(QWidget*) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidgetwindow.cpp:155:16
          #2 0x7fc551c35f16 in QWidgetPrivate::createTLSysExtra() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:1425:39
          #3 0x7fc551c3390e in QWidgetPrivate::create() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:1296:9
          #4 0x7fc551c2fb70 in QWidget::create(unsigned long long, bool, bool) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:1223:8
          #5 0x7fc551c78c7a in QWidgetPrivate::setVisible(bool) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8260:16
          #6 0x7fc551c789ef in QWidget::setVisible(bool) /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8241:8
          #7 0x7fc551c76bc7 in QWidget::show() /home/cc-runs/src/qt/qt5/qtbase/src/widgets/kernel/qwidget.cpp:7867:9
          #8 0x759288 in tst_QWidget::deleteWindowInCloseEvent() /home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp:12572:13
          #9 0x75e681 in tst_QWidget::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/tests/auto/widgets/kernel/qwidget/tst_qwidget_autogen/include/tst_qwidget.moc:998:23
          #10 0x7fc54e1408d4 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const /home/cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qmetaobject.cpp:2393:13
          #11 0x7fc55360c081 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qmetaobject.h:126:16
          #12 0x7fc5535f4900 in QTest::TestMethods::invokeTestOnData(int) const /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:967:45
          #13 0x7fc5535f6a40 in QTest::TestMethods::invokeTest(int, char const*, QTest::WatchDog*) const /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:1218:17
          #14 0x7fc5535fbe41 in QTest::TestMethods::invokeTests(QObject*) const /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:1560:33
          #15 0x7fc5535fd6e1 in QTest::qRun() /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:2026:14
          #16 0x7fc5535fc7a7 in QTest::qExec(QObject*, int, char**) /home/cc-runs/src/qt/qt5/qtbase/src/testlib/qtestcase.cpp:1928:15
          #17 0x75d8f5 in main /home/cc-runs/src/qt/qt5/qtbase/tests/auto/widgets/kernel/qwidget/tst_qwidget.cpp:12733:1
          #18 0x7fc54d73c0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
      
      SUMMARY: AddressSanitizer: heap-use-after-free /home/sanitizer-runs/sanitizer_runs/build/qtbase-asan/include/QtCore/6.4.0/QtCore/private/../../../../../../../../../cc-runs/src/qt/qt5/qtbase/src/corelib/kernel/qobject_p.h:662:36 in QBoolBlocker::~QBoolBlocker()
      Shadow bytes around the buggy address:
        0x0c267fff84d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c267fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c267fff84f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c267fff8500: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
        0x0c267fff8510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c267fff8520: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c267fff8530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c267fff8540: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c267fff8550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c267fff8560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c267fff8570: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==3737029==ABORTING
      

      EDIT: I dug a bit into the above stacktraces, and here is the test's source code, annotated by me:

      class DeleteOnCloseEventWidget : public QWidget
      {
      protected:
          virtual void closeEvent(QCloseEvent *e) override
          {
              e->accept();
              delete this;                                   // 2. Memory allocated at [1] is free'd here: QWidgetWindow free'd here by invoking QWidgetPrivate::deleteTLSysExtra(). This is deep under the same stack as 3.x are.
          }
      };
      
      void tst_QWidget::deleteWindowInCloseEvent()
      {
      #ifdef Q_OS_ANDROID
          QSKIP("This test crashes on Android");
      #endif
          QSignalSpy quitSpy(qApp, &QGuiApplication::lastWindowClosed);
      
          // Closing this widget should not cause a crash
          auto widget = new DeleteOnCloseEventWidget;
          widget->show();                                     // 1. Invokes QWidgetPrivate::createTLSysExtra() which eventually allocates a new QWidgetWindowPrivate
          QVERIFY(QTest::qWaitForWindowExposed(widget));
          QTimer::singleShot(0, widget, [&]{
              widget->close();                                // 3.2 (invoked by 3.1), ends up writing at the space allocated previously by [1], by the BoolBlocker doing d->inClose=true when QWindow::close() returns.
          });
          QApplication::exec();                               // 3.1 WARNING: heap-use-after-free WRITE of size 1
      
          // It should still result in a single lastWindowClosed emit
          QCOMPARE(quitSpy.count(), 1);
      }
      
      • At step [1] a memory block is allocated
      • At step [2] it is free'd
      • At step [3] that memory is written
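The three steps above, as an added stand-alone C++ model that is neither Qt's code nor Qt's fix: a scoped flag-resetter in the style of QBoolBlocker writes back into the window after the close handler returns, and a weak liveness token (the role QPointer plays in Qt) lets the hardened close() skip that write when the handler deleted the window. Destroying a window in the model only quarantines it, so the stray write is counted instead of being real undefined behaviour; the model namespace and the Window, closeUnguarded and closeGuarded names are invented for this example.

```cpp
// Stand-alone model of the close() re-entrancy hazard behind QTBUG-102327.
// Added illustration, not Qt's code and not Qt's fix; all names are invented.
// "Destroying" a window only quarantines it so the stray write can be counted
// rather than being real undefined behaviour (the role ASAN's quarantine plays).
#include <functional>
#include <memory>
#include <utility>

namespace model {

// Number of writes that hit a window after it was destroyed.
static int g_useAfterFreeWrites = 0;

class Window;
using CloseHandler = std::function<void(Window&)>;

class Window {
public:
    explicit Window(CloseHandler handler)
        : handler_(std::move(handler)), alive_(std::make_shared<bool>(true)) {}

    // Stands in for "delete this": drops the liveness token and quarantines.
    void destroy() {
        *alive_ = false;
        alive_.reset();
        freed_ = true;
    }

    // Instrumented field write, standing in for ASAN's shadow-byte check.
    void setInClose(bool v) {
        if (freed_)
            ++g_useAfterFreeWrites;
        inClose_ = v;
    }
    bool inClose() const { return inClose_; }
    bool isFreed() const { return freed_; }

    // Pattern from the report: a scoped flag-resetter (QBoolBlocker) restores
    // inClose when close() returns, regardless of what the handler did.
    bool closeUnguarded() {
        if (inClose_)
            return true;
        struct BoolBlocker {
            explicit BoolBlocker(Window& w) : w_(w) {}
            ~BoolBlocker() { w_.setInClose(false); }  // runs after handler_, window may be gone
            Window& w_;
        } blocker(*this);
        setInClose(true);
        handler_(*this);  // the widget's closeEvent may delete the window here
        return true;
    }

    // Hardened form: hold a weak liveness token (what QPointer provides in Qt)
    // across the dispatch and only restore the flag if the window survived.
    bool closeGuarded() {
        if (inClose_)
            return true;
        std::weak_ptr<bool> token = alive_;
        setInClose(true);
        handler_(*this);
        std::shared_ptr<bool> live = token.lock();
        if (live && *live)
            setInClose(false);
        return true;  // no member access past this point
    }

private:
    CloseHandler handler_;
    std::shared_ptr<bool> alive_;
    bool inClose_ = false;
    bool freed_ = false;
};

// Scenario from the test: the close handler destroys the window (delete this).
// Returns how many writes landed on the destroyed window: 1 unguarded, 0 guarded.
inline int writesAfterSelfDelete(bool guarded) {
    g_useAfterFreeWrites = 0;
    Window w([](Window& self) { self.destroy(); });
    guarded ? w.closeGuarded() : w.closeUnguarded();
    return g_useAfterFreeWrites;
}

// Ordinary window whose handler does not delete it: both variants must still
// reset inClose so a later close() is not short-circuited.
inline bool flagRestoredAfterClose(bool guarded) {
    Window w([](Window&) {});
    bool ok = guarded ? w.closeGuarded() : w.closeUnguarded();
    return ok && !w.inClose() && !w.isFreed();
}

}  // namespace model
```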

            qt.team.quick.subscriptions Qt Quick and Widgets Team
            jimis Dimitrios Apostolou